From 74a81544de3ef6447eb4260068ef18d0afcc5c0e Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Mon, 23 Mar 2026 07:51:18 -0700 Subject: [PATCH] Fix ChaCha20-Poly1305 Final() to allow empty plaintext and AAD wc_ChaCha20Poly1305_Final() rejected CHACHA20_POLY1305_STATE_READY with BAD_STATE_E, which occurs when neither UpdateAad nor UpdateData has been called (both AAD and plaintext are empty). RFC 8439 Section 2.8 permits this and produces a well-defined authentication tag. Add CHACHA20_POLY1305_STATE_READY to the allowed states in Final(). When state is READY, aadLen and dataLen are both 0, so the existing Poly1305_Pad, Poly1305_EncodeSizes, and Poly1305Final calls produce the correct tag. Fixes: https://github.com/wolfSSL/wolfssl/issues/10040 Co-Authored-By: Claude Opus 4.6 (1M context) --- wolfcrypt/src/chacha20_poly1305.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c index a7acd6acfaa..3e96c819651 100644 --- a/wolfcrypt/src/chacha20_poly1305.c +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead, if (aead == NULL || outAuthTag == NULL) { return BAD_FUNC_ARG; } - if (aead->state != CHACHA20_POLY1305_STATE_AAD && + if (aead->state != CHACHA20_POLY1305_STATE_READY && + aead->state != CHACHA20_POLY1305_STATE_AAD && aead->state != CHACHA20_POLY1305_STATE_DATA) { return BAD_STATE_E; }
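Review bot: the widened state check in wc_ChaCha20Poly1305_Final() lands without a test; the diffstat lists only wolfcrypt/src/chacha20_poly1305.c, so nothing exercises the path where Final() is reached directly from CHACHA20_POLY1305_STATE_READY. Please add a regression test that calls Final() with neither UpdateAad nor UpdateData and compares the resulting tag against a known-answer value for empty AAD and empty plaintext, computed per RFC 8439 Section 2.8. The commit message relies on aadLen and dataLen both being 0 in the READY state, but that invariant is not visible in this hunk, so the test is what would catch a later change that breaks it. A one-line comment above the `aead->state != CHACHA20_POLY1305_STATE_READY &&` condition stating that READY is accepted deliberately for the empty-input case would also help a reader tell which states BAD_STATE_E is still meant to reject.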