fix: ChaCha20-Poly1305 Final() allow empty plaintext

MarkAtwood · MarkAtwood · commit 5e899a1d3e46 · 2026-04-17T14:32:34.000-07:00
wc_ChaCha20Poly1305_Final() rejected CHACHA20_POLY1305_STATE_READY,
blocking use when no data or AAD was ever provided. RFC 8439 §2.8
permits empty plaintext and produces a well-defined authentication tag.

Found via Wycheproof test vectors.
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,
     if (aead == NULL || outAuthTag == NULL) {
         return BAD_FUNC_ARG;
     }
-    if (aead->state != CHACHA20_POLY1305_STATE_AAD &&
+    if (aead->state != CHACHA20_POLY1305_STATE_READY &&
+        aead->state != CHACHA20_POLY1305_STATE_AAD &&
         aead->state != CHACHA20_POLY1305_STATE_DATA) {
         return BAD_STATE_E;
     }

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,`
`275`	`275`	`if (aead == NULL \|\| outAuthTag == NULL) {`
`276`	`276`	`return BAD_FUNC_ARG;`
`277`	`277`	`}`
`278`		`- if (aead->state != CHACHA20_POLY1305_STATE_AAD &&`
	`278`	`+ if (aead->state != CHACHA20_POLY1305_STATE_READY &&`
	`279`	`+ aead->state != CHACHA20_POLY1305_STATE_AAD &&`
`279`	`280`	`aead->state != CHACHA20_POLY1305_STATE_DATA) {`
`280`	`281`	`return BAD_STATE_E;`
`281`	`282`	`}`