Fix ChaCha20-Poly1305 Final() to allow empty plaintext and AAD

MarkAtwood · claude · MarkAtwood · commit 74a81544de3e · 2026-03-23T07:51:18.000-07:00
wc_ChaCha20Poly1305_Final() rejected CHACHA20_POLY1305_STATE_READY with BAD_STATE_E, which occurs when neither UpdateAad nor UpdateData has been called (both AAD and plaintext are empty). RFC 8439 Section 2.8 permits this and produces a well-defined authentication tag. Add CHACHA20_POLY1305_STATE_READY to the allowed states in Final(). When state is READY, aadLen and dataLen are both 0, so the existing Poly1305_Pad, Poly1305_EncodeSizes, and Poly1305Final calls produce the correct tag. Fixes: #10040 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,
     if (aead == NULL || outAuthTag == NULL) {
         return BAD_FUNC_ARG;
     }
-    if (aead->state != CHACHA20_POLY1305_STATE_AAD &&
+    if (aead->state != CHACHA20_POLY1305_STATE_READY &&
+        aead->state != CHACHA20_POLY1305_STATE_AAD &&
         aead->state != CHACHA20_POLY1305_STATE_DATA) {
         return BAD_STATE_E;
     }

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,`
`275`	`275`	`if (aead == NULL \|\| outAuthTag == NULL) {`
`276`	`276`	`return BAD_FUNC_ARG;`
`277`	`277`	`}`
`278`		`- if (aead->state != CHACHA20_POLY1305_STATE_AAD &&`
	`278`	`+ if (aead->state != CHACHA20_POLY1305_STATE_READY &&`
	`279`	`+ aead->state != CHACHA20_POLY1305_STATE_AAD &&`
`279`	`280`	`aead->state != CHACHA20_POLY1305_STATE_DATA) {`
`280`	`281`	`return BAD_STATE_E;`
`281`	`282`	`}`