RubyGems - rbnacl-libsodium - Versions diffs - 1.0.8 → 1.0.9 - Mend

rbnacl-libsodium 1.0.8 → 1.0.9

Files changed (204) hide show

data/vendor/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c CHANGED

@@ -3,6 +3,7 @@
  * AES256-GCM, based on original code by Romain Dolbeau
  */
+#include <errno.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
@@ -21,6 +22,10 @@
 #include <immintrin.h>
+#ifndef ENOSYS
+# define ENOSYS ENXIO
+#endif
 #if defined(__INTEL_COMPILER) || defined(_bswap64)
 #elif defined(_MSC_VER)
 # define _bswap64(a) _byteswap_uint64(a)
@@ -124,8 +129,8 @@ aesni_encrypt1(unsigned char *out, __m128i nv, const __m128i *rkeys)
 }
 /** multiple-blocks-at-once AES encryption with AES-NI ;
-    on Haswell, aesenc as a latency of 7 and a througput of 1
-    so the sequence of aesenc should be bubble-free, if you
+    on Haswell, aesenc as a latency of 7 and a throughput of 1
+    so the sequence of aesenc should be bubble-free if you
     have at least 8 blocks. Let's build an arbitratry-sized
     function */
 /* Step 1 : loading the nonce */
@@ -504,12 +509,13 @@ crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
 }
 int
-crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen,
-                                      const unsigned char *m, unsigned long long mlen,
-                                      const unsigned char *ad, unsigned long long adlen,
-                                      const unsigned char *nsec,
-                                      const unsigned char *npub,
-                                      const crypto_aead_aes256gcm_state *ctx_)
+crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
+                                               unsigned char *mac, unsigned long long *maclen_p,
+                                               const unsigned char *m, unsigned long long mlen,
+                                               const unsigned char *ad, unsigned long long adlen,
+                                               const unsigned char *nsec,
+                                               const unsigned char *npub,
+                                               const crypto_aead_aes256gcm_state *ctx_)
 {
     const __m128i       rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
     const context      *ctx = (const context *) ctx_;
@@ -526,7 +532,7 @@ crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen
     (void) nsec;
     memcpy(H, ctx->H, sizeof H);
-    if (mlen > 16ULL * (1ULL << 32)) {
+    if (mlen > 16ULL * ((1ULL << 32) - 2)) {
         abort(); /* LCOV_EXCL_LINE */
     }
     memcpy(&n2[0], npub, 3 * 4);
@@ -614,21 +620,40 @@ crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen
     addmul(accum, fb, 16, H);
     for (i = 0; i < 16; ++i) {
-        c[i + mlen] = T[i] ^ accum[15 - i];
+        mac[i] = T[i] ^ accum[15 - i];
     }
-    if (clen != NULL) {
-        *clen = mlen + 16;
+    if (maclen_p != NULL) {
+        *maclen_p = 16;
     }
     return 0;
 }
 int
-crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p,
-                                      unsigned char *nsec,
-                                      const unsigned char *c, unsigned long long clen,
+crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen_p,
+                                      const unsigned char *m, unsigned long long mlen,
                                       const unsigned char *ad, unsigned long long adlen,
+                                      const unsigned char *nsec,
                                       const unsigned char *npub,
                                       const crypto_aead_aes256gcm_state *ctx_)
+{
+    int ret = crypto_aead_aes256gcm_encrypt_detached_afternm(c,
+                                                             c + mlen, NULL,
+                                                             m, mlen,
+                                                             ad, adlen,
+                                                             nsec, npub, ctx_);
+    if (clen_p != NULL) {
+        *clen_p = mlen + crypto_aead_aes256gcm_ABYTES;
+    }
+    return ret;
+}
+int
+crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *nsec,
+                                               const unsigned char *c, unsigned long long clen,
+                                               const unsigned char *mac,
+                                               const unsigned char *ad, unsigned long long adlen,
+                                               const unsigned char *npub,
+                                               const crypto_aead_aes256gcm_state *ctx_)
 {
     const __m128i       rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
     const context      *ctx = (const context *) ctx_;
@@ -645,20 +670,15 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen
     CRYPTO_ALIGN(16) unsigned char fb[16];
     (void) nsec;
-    if (clen > 16ULL * (1ULL << 32) - 16ULL) {
+    if (clen > 16ULL * (1ULL << 32)) {
         abort(); /* LCOV_EXCL_LINE */
     }
-    if (mlen_p != NULL) {
-        *mlen_p = 0U;
-    }
-    if (clen < 16) {
-        return -1;
-    }
-    mlen = clen - 16;
+    mlen = clen;
     memcpy(&n2[0], npub, 3 * 4);
     n2[3] = 0x01000000;
     aesni_encrypt1(T, _mm_load_si128((const __m128i *) n2), rkeys);
     {
         uint64_t x;
         x = _bswap64((uint64_t)(8 * adlen));
@@ -666,6 +686,7 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen
         x = _bswap64((uint64_t)(8 * mlen));
         memcpy(&fb[8], &x, sizeof x);
     }
     memcpy(H, ctx->H, sizeof H);
     Hv = _mm_shuffle_epi8(_mm_load_si128((const __m128i *) H), rev);
     _mm_store_si128((__m128i *) H, Hv);
@@ -752,6 +773,7 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen
             }                                                \
         }                                                    \
     } while(0)
     n2[3] &= 0x00ffffff;
     COUNTER_INC2(n2);
@@ -762,9 +784,10 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen
         unsigned char d = 0;
         for (i = 0; i < 16; i++) {
-            d |= (c[i + mlen] ^ (T[i] ^ accum[15 - i]));
+            d |= (mac[i] ^ (T[i] ^ accum[15 - i]));
         }
         if (d != 0) {
+            memset(m, 0, mlen);
             return -1;
         }
     }
@@ -773,10 +796,54 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen
     LOOPDRND128;
     LOOPDRMD128;
+    return 0;
+}
+int
+crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p,
+                                      unsigned char *nsec,
+                                      const unsigned char *c, unsigned long long clen,
+                                      const unsigned char *ad, unsigned long long adlen,
+                                      const unsigned char *npub,
+                                      const crypto_aead_aes256gcm_state *ctx_)
+{
+    unsigned long long mlen = 0ULL;
+    int                ret = -1;
+    if (clen >= crypto_aead_aes256gcm_ABYTES) {
+        ret = crypto_aead_aes256gcm_decrypt_detached_afternm
+            (m, nsec, c, clen - crypto_aead_aes256gcm_ABYTES,
+             c + clen - crypto_aead_aes256gcm_ABYTES,
+             ad, adlen, npub, ctx_);
+    }
     if (mlen_p != NULL) {
+        if (ret == 0) {
+            mlen = clen - crypto_aead_aes256gcm_ABYTES;
+        }
         *mlen_p = mlen;
     }
-    return 0;
+    return ret;
+}
+int
+crypto_aead_aes256gcm_encrypt_detached(unsigned char *c,
+                                       unsigned char *mac,
+                                       unsigned long long *maclen_p,
+                                       const unsigned char *m,
+                                       unsigned long long mlen,
+                                       const unsigned char *ad,
+                                       unsigned long long adlen,
+                                       const unsigned char *nsec,
+                                       const unsigned char *npub,
+                                       const unsigned char *k)
+{
+    CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx;
+    crypto_aead_aes256gcm_beforenm(&ctx, k);
+    return crypto_aead_aes256gcm_encrypt_detached_afternm
+        (c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub,
+            (const crypto_aead_aes256gcm_state *) &ctx);
 }
 int
@@ -790,7 +857,7 @@ crypto_aead_aes256gcm_encrypt(unsigned char *c,
                               const unsigned char *npub,
                               const unsigned char *k)
 {
-    crypto_aead_aes256gcm_state ctx;
+    CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx;
     crypto_aead_aes256gcm_beforenm(&ctx, k);
@@ -799,6 +866,26 @@ crypto_aead_aes256gcm_encrypt(unsigned char *c,
             (const crypto_aead_aes256gcm_state *) &ctx);
 }
+int
+crypto_aead_aes256gcm_decrypt_detached(unsigned char *m,
+                                       unsigned char *nsec,
+                                       const unsigned char *c,
+                                       unsigned long long clen,
+                                       const unsigned char *mac,
+                                       const unsigned char *ad,
+                                       unsigned long long adlen,
+                                       const unsigned char *npub,
+                                       const unsigned char *k)
+{
+    CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx;
+    crypto_aead_aes256gcm_beforenm(&ctx, k);
+    return crypto_aead_aes256gcm_decrypt_detached_afternm
+        (m, nsec, c, clen, mac, ad, adlen, npub,
+            (const crypto_aead_aes256gcm_state *) &ctx);
+}
 int
 crypto_aead_aes256gcm_decrypt(unsigned char *m,
                               unsigned long long *mlen_p,
@@ -810,13 +897,13 @@ crypto_aead_aes256gcm_decrypt(unsigned char *m,
                               const unsigned char *npub,
                               const unsigned char *k)
 {
-    crypto_aead_aes256gcm_state ctx;
+    CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx;
     crypto_aead_aes256gcm_beforenm(&ctx, k);
     return crypto_aead_aes256gcm_decrypt_afternm
         (m, mlen_p, nsec, c, clen, ad, adlen, npub,
-            (const crypto_aead_aes256gcm_state *) &ctx);
+         (const crypto_aead_aes256gcm_state *) &ctx);
 }
 int
@@ -825,6 +912,125 @@ crypto_aead_aes256gcm_is_available(void)
     return sodium_runtime_has_pclmul() & sodium_runtime_has_aesni();
 }
+#else
+int
+crypto_aead_aes256gcm_encrypt_detached(unsigned char *c,
+                                       unsigned char *mac,
+                                       unsigned long long *maclen_p,
+                                       const unsigned char *m,
+                                       unsigned long long mlen,
+                                       const unsigned char *ad,
+                                       unsigned long long adlen,
+                                       const unsigned char *nsec,
+                                       const unsigned char *npub,
+                                       const unsigned char *k)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_encrypt(unsigned char *c, unsigned long long *clen_p,
+                              const unsigned char *m, unsigned long long mlen,
+                              const unsigned char *ad, unsigned long long adlen,
+                              const unsigned char *nsec, const unsigned char *npub,
+                              const unsigned char *k)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_decrypt_detached(unsigned char *m,
+                                       unsigned char *nsec,
+                                       const unsigned char *c,
+                                       unsigned long long clen,
+                                       const unsigned char *mac,
+                                       const unsigned char *ad,
+                                       unsigned long long adlen,
+                                       const unsigned char *npub,
+                                       const unsigned char *k)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_decrypt(unsigned char *m, unsigned long long *mlen_p,
+                              unsigned char *nsec, const unsigned char *c,
+                              unsigned long long clen, const unsigned char *ad,
+                              unsigned long long adlen, const unsigned char *npub,
+                              const unsigned char *k)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
+                               const unsigned char *k)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
+                                               unsigned char *mac, unsigned long long *maclen_p,
+                                               const unsigned char *m, unsigned long long mlen,
+                                               const unsigned char *ad, unsigned long long adlen,
+                                               const unsigned char *nsec,
+                                               const unsigned char *npub,
+                                               const crypto_aead_aes256gcm_state *ctx_)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen_p,
+                                      const unsigned char *m, unsigned long long mlen,
+                                      const unsigned char *ad, unsigned long long adlen,
+                                      const unsigned char *nsec, const unsigned char *npub,
+                                      const crypto_aead_aes256gcm_state *ctx_)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *nsec,
+                                               const unsigned char *c, unsigned long long clen,
+                                               const unsigned char *mac,
+                                               const unsigned char *ad, unsigned long long adlen,
+                                               const unsigned char *npub,
+                                               const crypto_aead_aes256gcm_state *ctx_)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p,
+                                      unsigned char *nsec,
+                                      const unsigned char *c, unsigned long long clen,
+                                      const unsigned char *ad, unsigned long long adlen,
+                                      const unsigned char *npub,
+                                      const crypto_aead_aes256gcm_state *ctx_)
+{
+    errno = ENOSYS;
+    return -1;
+}
+int
+crypto_aead_aes256gcm_is_available(void)
+{
+    return 0;
+}
+#endif
 size_t
 crypto_aead_aes256gcm_keybytes(void)
 {
@@ -854,13 +1060,3 @@ crypto_aead_aes256gcm_statebytes(void)
 {
     return (sizeof(crypto_aead_aes256gcm_state) + (size_t) 15U) & ~(size_t) 15U;
 }
-#else
-int
-crypto_aead_aes256gcm_is_available(void)
-{
-    return 0;
-}
-#endif

data/vendor/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c CHANGED

@@ -1,4 +1,5 @@
+#include <stdint.h>
 #include <stdlib.h>
 #include <limits.h>
 #include <string.h>
@@ -9,98 +10,98 @@
 #include "crypto_verify_16.h"
 #include "utils.h"
-static unsigned char _pad0[16];
+#include "../../sodium/common.h"
-static inline void
-_u64_le_from_ull(unsigned char out[8U], unsigned long long x)
-{
-    out[0] = (unsigned char) (x & 0xff); x >>= 8;
-    out[1] = (unsigned char) (x & 0xff); x >>= 8;
-    out[2] = (unsigned char) (x & 0xff); x >>= 8;
-    out[3] = (unsigned char) (x & 0xff); x >>= 8;
-    out[4] = (unsigned char) (x & 0xff); x >>= 8;
-    out[5] = (unsigned char) (x & 0xff); x >>= 8;
-    out[6] = (unsigned char) (x & 0xff); x >>= 8;
-    out[7] = (unsigned char) (x & 0xff);
-}
+static const unsigned char _pad0[16] = { 0 };
 int
-crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
-                                     unsigned long long *clen_p,
-                                     const unsigned char *m,
-                                     unsigned long long mlen,
-                                     const unsigned char *ad,
-                                     unsigned long long adlen,
-                                     const unsigned char *nsec,
-                                     const unsigned char *npub,
-                                     const unsigned char *k)
+crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
+                                              unsigned char *mac,
+                                              unsigned long long *maclen_p,
+                                              const unsigned char *m,
+                                              unsigned long long mlen,
+                                              const unsigned char *ad,
+                                              unsigned long long adlen,
+                                              const unsigned char *nsec,
+                                              const unsigned char *npub,
+                                              const unsigned char *k)
 {
     crypto_onetimeauth_poly1305_state state;
     unsigned char                     block0[64U];
     unsigned char                     slen[8U];
     (void) nsec;
-/* LCOV_EXCL_START */
-#ifdef ULONG_LONG_MAX
-    if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {
-        if (clen_p != NULL) {
-            *clen_p = 0ULL;
-        }
-        return -1;
-    }
-#endif
-/* LCOV_EXCL_STOP */
     crypto_stream_chacha20(block0, sizeof block0, npub, k);
     crypto_onetimeauth_poly1305_init(&state, block0);
     sodium_memzero(block0, sizeof block0);
     crypto_onetimeauth_poly1305_update(&state, ad, adlen);
-    _u64_le_from_ull(slen, adlen);
+    STORE64_LE(slen, (uint64_t) adlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
     crypto_stream_chacha20_xor_ic(c, m, mlen, npub, 1U, k);
     crypto_onetimeauth_poly1305_update(&state, c, mlen);
-    _u64_le_from_ull(slen, mlen);
+    STORE64_LE(slen, (uint64_t) mlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    crypto_onetimeauth_poly1305_final(&state, c + mlen);
+    crypto_onetimeauth_poly1305_final(&state, mac);
     sodium_memzero(&state, sizeof state);
-    if (clen_p != NULL) {
-        *clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES;
+    if (maclen_p != NULL) {
+        *maclen_p = crypto_aead_chacha20poly1305_ABYTES;
     }
     return 0;
 }
 int
-crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
-                                          unsigned long long *clen_p,
-                                          const unsigned char *m,
-                                          unsigned long long mlen,
-                                          const unsigned char *ad,
-                                          unsigned long long adlen,
-                                          const unsigned char *nsec,
-                                          const unsigned char *npub,
-                                          const unsigned char *k)
+crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
+                                     unsigned long long *clen_p,
+                                     const unsigned char *m,
+                                     unsigned long long mlen,
+                                     const unsigned char *ad,
+                                     unsigned long long adlen,
+                                     const unsigned char *nsec,
+                                     const unsigned char *npub,
+                                     const unsigned char *k)
+{
+    unsigned long long clen = 0ULL;
+    int                ret;
+    if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ABYTES) {
+        abort(); /* LCOV_EXCL_LINE */
+    }
+    ret = crypto_aead_chacha20poly1305_encrypt_detached(c,
+                                                        c + mlen, NULL,
+                                                        m, mlen,
+                                                        ad, adlen,
+                                                        nsec, npub, k);
+    if (clen_p != NULL) {
+        if (ret == 0) {
+            clen = mlen + crypto_aead_chacha20poly1305_ABYTES;
+        }
+        *clen_p = clen;
+    }
+    return ret;
+}
+int
+crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
+                                                   unsigned char *mac,
+                                                   unsigned long long *maclen_p,
+                                                   const unsigned char *m,
+                                                   unsigned long long mlen,
+                                                   const unsigned char *ad,
+                                                   unsigned long long adlen,
+                                                   const unsigned char *nsec,
+                                                   const unsigned char *npub,
+                                                   const unsigned char *k)
 {
     crypto_onetimeauth_poly1305_state state;
     unsigned char                     block0[64U];
     unsigned char                     slen[8U];
     (void) nsec;
-/* LCOV_EXCL_START */
-#ifdef ULONG_LONG_MAX
-    if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {
-        if (clen_p != NULL) {
-            *clen_p = 0ULL;
-        }
-        return -1;
-    }
-#endif
-/* LCOV_EXCL_STOP */
     crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
     crypto_onetimeauth_poly1305_init(&state, block0);
     sodium_memzero(block0, sizeof block0);
@@ -113,102 +114,148 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
     crypto_onetimeauth_poly1305_update(&state, c, mlen);
     crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
-    _u64_le_from_ull(slen, adlen);
+    STORE64_LE(slen, (uint64_t) adlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    _u64_le_from_ull(slen, mlen);
+    STORE64_LE(slen, (uint64_t) mlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    crypto_onetimeauth_poly1305_final(&state, c + mlen);
+    crypto_onetimeauth_poly1305_final(&state, mac);
     sodium_memzero(&state, sizeof state);
-    if (clen_p != NULL) {
-        *clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES;
+    if (maclen_p != NULL) {
+        *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES;
     }
     return 0;
 }
 int
-crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
-                                     unsigned long long *mlen_p,
-                                     unsigned char *nsec,
-                                     const unsigned char *c,
-                                     unsigned long long clen,
-                                     const unsigned char *ad,
-                                     unsigned long long adlen,
-                                     const unsigned char *npub,
-                                     const unsigned char *k)
+crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
+                                          unsigned long long *clen_p,
+                                          const unsigned char *m,
+                                          unsigned long long mlen,
+                                          const unsigned char *ad,
+                                          unsigned long long adlen,
+                                          const unsigned char *nsec,
+                                          const unsigned char *npub,
+                                          const unsigned char *k)
+{
+    unsigned long long clen = 0ULL;
+    int                ret;
+    if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES) {
+        abort(); /* LCOV_EXCL_LINE */
+    }
+    ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached(c,
+                                                             c + mlen, NULL,
+                                                             m, mlen,
+                                                             ad, adlen,
+                                                             nsec, npub, k);
+    if (clen_p != NULL) {
+        if (ret == 0) {
+            clen = mlen + crypto_aead_chacha20poly1305_ietf_ABYTES;
+        }
+        *clen_p = clen;
+    }
+    return ret;
+}
+int
+crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
+                                              unsigned char *nsec,
+                                              const unsigned char *c,
+                                              unsigned long long clen,
+                                              const unsigned char *mac,
+                                              const unsigned char *ad,
+                                              unsigned long long adlen,
+                                              const unsigned char *npub,
+                                              const unsigned char *k)
 {
     crypto_onetimeauth_poly1305_state state;
     unsigned char                     block0[64U];
     unsigned char                     slen[8U];
-    unsigned char                     mac[crypto_aead_chacha20poly1305_ABYTES];
+    unsigned char                     computed_mac[crypto_aead_chacha20poly1305_ABYTES];
     unsigned long long                mlen;
     int                               ret;
     (void) nsec;
-    if (mlen_p != NULL) {
-        *mlen_p = 0ULL;
-    }
-    if (clen < crypto_aead_chacha20poly1305_ABYTES) {
-        return -1;
-    }
     crypto_stream_chacha20(block0, sizeof block0, npub, k);
     crypto_onetimeauth_poly1305_init(&state, block0);
     sodium_memzero(block0, sizeof block0);
     crypto_onetimeauth_poly1305_update(&state, ad, adlen);
-    _u64_le_from_ull(slen, adlen);
+    STORE64_LE(slen, (uint64_t) adlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
+    mlen = clen;
     crypto_onetimeauth_poly1305_update(&state, c, mlen);
-    _u64_le_from_ull(slen, mlen);
+    STORE64_LE(slen, (uint64_t) mlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    crypto_onetimeauth_poly1305_final(&state, mac);
+    crypto_onetimeauth_poly1305_final(&state, computed_mac);
     sodium_memzero(&state, sizeof state);
-    (void) sizeof(int[sizeof mac == 16U ? 1 : -1]);
-    ret = crypto_verify_16(mac, c + mlen);
-    sodium_memzero(mac, sizeof mac);
+    (void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
+    ret = crypto_verify_16(computed_mac, mac);
+    sodium_memzero(computed_mac, sizeof computed_mac);
     if (ret != 0) {
         memset(m, 0, mlen);
         return -1;
     }
-    crypto_stream_chacha20_xor_ic
-        (m, c, mlen, npub, 1U, k);
+    crypto_stream_chacha20_xor_ic(m, c, mlen, npub, 1U, k);
+    return 0;
+}
+int
+crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
+                                     unsigned long long *mlen_p,
+                                     unsigned char *nsec,
+                                     const unsigned char *c,
+                                     unsigned long long clen,
+                                     const unsigned char *ad,
+                                     unsigned long long adlen,
+                                     const unsigned char *npub,
+                                     const unsigned char *k)
+{
+    unsigned long long mlen = 0ULL;
+    int                ret = -1;
+    if (clen >= crypto_aead_chacha20poly1305_ABYTES) {
+        ret = crypto_aead_chacha20poly1305_decrypt_detached
+            (m, nsec,
+             c, clen - crypto_aead_chacha20poly1305_ABYTES,
+             c + clen - crypto_aead_chacha20poly1305_ABYTES,
+             ad, adlen, npub, k);
+    }
     if (mlen_p != NULL) {
+        if (ret == 0) {
+            mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
+        }
         *mlen_p = mlen;
     }
-    return 0;
+    return ret;
 }
 int
-crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
-                                          unsigned long long *mlen_p,
-                                          unsigned char *nsec,
-                                          const unsigned char *c,
-                                          unsigned long long clen,
-                                          const unsigned char *ad,
-                                          unsigned long long adlen,
-                                          const unsigned char *npub,
-                                          const unsigned char *k)
+crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
+                                                   unsigned char *nsec,
+                                                   const unsigned char *c,
+                                                   unsigned long long clen,
+                                                   const unsigned char *mac,
+                                                   const unsigned char *ad,
+                                                   unsigned long long adlen,
+                                                   const unsigned char *npub,
+                                                   const unsigned char *k)
 {
     crypto_onetimeauth_poly1305_state state;
     unsigned char                     block0[64U];
     unsigned char                     slen[8U];
-    unsigned char                     mac[crypto_aead_chacha20poly1305_ABYTES];
+    unsigned char                     computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES];
     unsigned long long                mlen;
     int                               ret;
     (void) nsec;
-    if (mlen_p != NULL) {
-        *mlen_p = 0ULL;
-    }
-    if (clen < crypto_aead_chacha20poly1305_ABYTES) {
-        return -1;
-    }
     crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
     crypto_onetimeauth_poly1305_init(&state, block0);
     sodium_memzero(block0, sizeof block0);
@@ -216,31 +263,79 @@ crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
     crypto_onetimeauth_poly1305_update(&state, ad, adlen);
     crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
-    mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
+    mlen = clen;
     crypto_onetimeauth_poly1305_update(&state, c, mlen);
     crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
-    _u64_le_from_ull(slen, adlen);
+    STORE64_LE(slen, (uint64_t) adlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    _u64_le_from_ull(slen, mlen);
+    STORE64_LE(slen, (uint64_t) mlen);
     crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
-    crypto_onetimeauth_poly1305_final(&state, mac);
+    crypto_onetimeauth_poly1305_final(&state, computed_mac);
     sodium_memzero(&state, sizeof state);
-    (void) sizeof(int[sizeof mac == 16U ? 1 : -1]);
-    ret = crypto_verify_16(mac, c + mlen);
-    sodium_memzero(mac, sizeof mac);
+    (void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
+    ret = crypto_verify_16(computed_mac, mac);
+    sodium_memzero(computed_mac, sizeof computed_mac);
     if (ret != 0) {
         memset(m, 0, mlen);
         return -1;
     }
     crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k);
+    return 0;
+}
+int
+crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
+                                          unsigned long long *mlen_p,
+                                          unsigned char *nsec,
+                                          const unsigned char *c,
+                                          unsigned long long clen,
+                                          const unsigned char *ad,
+                                          unsigned long long adlen,
+                                          const unsigned char *npub,
+                                          const unsigned char *k)
+{
+    unsigned long long mlen = 0ULL;
+    int                ret = -1;
+    if (clen >= crypto_aead_chacha20poly1305_ietf_ABYTES) {
+        ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached
+            (m, nsec,
+             c, clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
+             c + clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
+             ad, adlen, npub, k);
+    }
     if (mlen_p != NULL) {
+        if (ret == 0) {
+            mlen = clen - crypto_aead_chacha20poly1305_ietf_ABYTES;
+        }
         *mlen_p = mlen;
     }
-    return 0;
+    return ret;
+}
+size_t
+crypto_aead_chacha20poly1305_ietf_keybytes(void) {
+    return crypto_aead_chacha20poly1305_ietf_KEYBYTES;
+}
+size_t
+crypto_aead_chacha20poly1305_ietf_npubbytes(void) {
+    return crypto_aead_chacha20poly1305_ietf_NPUBBYTES;
+}
+size_t
+crypto_aead_chacha20poly1305_ietf_nsecbytes(void) {
+    return crypto_aead_chacha20poly1305_ietf_NSECBYTES;
+}
+size_t
+crypto_aead_chacha20poly1305_ietf_abytes(void) {
+    return crypto_aead_chacha20poly1305_ietf_ABYTES;
 }
 size_t
@@ -253,11 +348,6 @@ crypto_aead_chacha20poly1305_npubbytes(void) {
     return crypto_aead_chacha20poly1305_NPUBBYTES;
 }
-size_t
-crypto_aead_chacha20poly1305_ietf_npubbytes(void) {
-    return crypto_aead_chacha20poly1305_IETF_NPUBBYTES;
-}
 size_t
 crypto_aead_chacha20poly1305_nsecbytes(void) {
     return crypto_aead_chacha20poly1305_NSECBYTES;