Fix ChaCha20-Poly1305 Final() to allow empty plaintext and AAD

[MarkAtwood]

Summary

• wc_ChaCha20Poly1305_Final() rejected CHACHA20_POLY1305_STATE_READY with BAD_STATE_E, which occurs when neither UpdateAad nor UpdateData has been called (both AAD and plaintext are empty)
• RFC 8439 Section 2.8 permits this and produces a well-defined authentication tag
• Affects both the streaming API and the one-shot wc_ChaCha20Poly1305_Encrypt/Decrypt functions which call through it

Fixes #10040

Test plan

• Verify existing ChaCha20-Poly1305 tests still pass
• Confirm empty plaintext + empty AAD produces correct authentication tag
• Verify Wycheproof test vectors tc 2 and tc 3 pass through the streaming API

[dgarske]

Many of the CI tests are failing now:

ChaCha20-Poly1305 AEAD test failed!
 error L=10590 code=0 (ok)
 [fiducial line numbers: 11340 31712 53140 66641]
Exiting main with return code: -1

[Copilot]

Pull request overview

Updates the ChaCha20-Poly1305 streaming finalization logic to permit generating an authentication tag when both plaintext and AAD are empty, aligning behavior with RFC 8439 and fixing the reported BAD_STATE_E error path.

Changes:

• Allow wc_ChaCha20Poly1305_Final() to accept the CHACHA20_POLY1305_STATE_READY state (no prior AAD/data updates).
• Preserve existing state validation for AAD and DATA states while continuing to reject other invalid states.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10046

Scan targets checked: wolfcrypt-bugs, wolfcrypt-src

No new issues found in the changed files. ✅

[MarkAtwood]

/cc @wolfSSL-Fenrir-bot please review

[github-actions]

MemBrowse Memory Report

No memory changes detected for:

• gcc-arm-cortex-m0plus
• gcc-arm-cortex-m3
• gcc-arm-cortex-m4
• gcc-arm-cortex-m4-baremetal
• gcc-arm-cortex-m4-crypto-only
• gcc-arm-cortex-m4-dtls13
• gcc-arm-cortex-m4-min-ecc
• gcc-arm-cortex-m4-openssl-compat
• gcc-arm-cortex-m4-pkcs7
• gcc-arm-cortex-m4-pq
• gcc-arm-cortex-m4-rsa-only
• gcc-arm-cortex-m4-sp-math
• gcc-arm-cortex-m4-tls12
• gcc-arm-cortex-m4-tls13
• gcc-arm-cortex-m7
• gcc-arm-cortex-m7-pq
• gcc-arm-cortex-m7-tls13
• linuxkm-pie
• linuxkm-standard
• stm32-sim-stm32h753

[MarkAtwood]

Fixed the CI failure: the existing bad-state test at line 10987 manually set aead.state = CHACHA20_POLY1305_STATE_READY without calling Init, then expected BAD_STATE_E. Since the fix now accepts READY state, that assertion was wrong.

Replaced it with a positive test using Wycheproof tc2 (key/iv/tag from the test corpus): calls Init properly, then Final with no UpdateAad/UpdateData, and verifies the output tag matches the expected value. This directly tests the RFC 8439 §2.8 empty-plaintext case.

[MarkAtwood]

retest this please

[ColtonWilley]

Jenkins retest this please

[MarkAtwood]

Rebased onto current master to fix the widespread CI failures (stale base branch). Also fixed non-ASCII § → Section in test comments. The ChaCha20-Poly1305 test passes — the original CI failure dgarske flagged was from the first commit before the test was updated. Ready for re-review.