From f9ad715107c72ecbd84924fa7268f4d4686c9e43 Mon Sep 17 00:00:00 2001
From: dlg <>
Date: Tue, 22 Jan 2019 00:59:21 +0000
Subject: [PATCH] add support for xchacha20 and xchacha20-poly1305

xchacha is a chacha stream that allows for an extended nonce, which
in turn makes it feasible to use random nonces.

ok tb@
---
 src/lib/libcrypto/Symbols.list                |   3 +
 src/lib/libcrypto/chacha/chacha-merged.c      |  48 ++++-
 src/lib/libcrypto/chacha/chacha.c             |  12 +-
 src/lib/libcrypto/chacha/chacha.h             |   6 +-
 src/lib/libcrypto/evp/e_chacha20poly1305.c    | 123 ++++++++++++-
 src/lib/libcrypto/evp/evp.h                   |   4 +-
 src/lib/libcrypto/man/EVP_AEAD_CTX_init.3     |  20 +-
 src/regress/lib/libcrypto/aead/aeadtest.c     |  11 +-
 src/regress/lib/libcrypto/aead/aeadtests.txt  |  11 +-
 src/regress/lib/libcrypto/chacha/chachatest.c | 172 +++++++++++++++++-
 10 files changed, 399 insertions(+), 11 deletions(-)

diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index 4836a3ff9f0..d367b93cd42 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -667,6 +667,7 @@ CRYPTO_get_mem_ex_functions
 CRYPTO_get_mem_functions
 CRYPTO_get_new_dynlockid
 CRYPTO_get_new_lockid
+CRYPTO_hchacha_20
 CRYPTO_is_mem_check_on
 CRYPTO_lock
 CRYPTO_malloc
@@ -708,6 +709,7 @@ CRYPTO_set_mem_ex_functions
 CRYPTO_set_mem_functions
 CRYPTO_strdup
 CRYPTO_thread_id
+CRYPTO_xchacha_20
 CRYPTO_xts128_encrypt
 Camellia_cbc_encrypt
 Camellia_cfb128_encrypt
@@ -1493,6 +1495,7 @@ EVP_add_digest
 EVP_aead_aes_128_gcm
 EVP_aead_aes_256_gcm
 EVP_aead_chacha20_poly1305
+EVP_aead_xchacha20_poly1305
 EVP_aes_128_cbc
 EVP_aes_128_cbc_hmac_sha1
 EVP_aes_128_ccm
diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
index 08511ed2736..67508f208de 100644
--- a/src/lib/libcrypto/chacha/chacha-merged.c
+++ b/src/lib/libcrypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.9 2019/01/22 00:59:21 dlg Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -277,3 +277,49 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
 		m += 64;
 	}
 }
+
+void
+CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32],
+    const unsigned char nonce[16])
+{
+	uint32_t x[16];
+	int i;
+
+	x[0] = U8TO32_LITTLE(sigma + 0);
+	x[1] = U8TO32_LITTLE(sigma + 4);
+	x[2] = U8TO32_LITTLE(sigma + 8);
+	x[3] = U8TO32_LITTLE(sigma + 12);
+	x[4] = U8TO32_LITTLE(key + 0);
+	x[5] = U8TO32_LITTLE(key + 4);
+	x[6] = U8TO32_LITTLE(key + 8);
+	x[7] = U8TO32_LITTLE(key + 12);
+	x[8] = U8TO32_LITTLE(key + 16);
+	x[9] = U8TO32_LITTLE(key + 20);
+	x[10] = U8TO32_LITTLE(key + 24);
+	x[11] = U8TO32_LITTLE(key + 28);
+	x[12] = U8TO32_LITTLE(nonce + 0);
+	x[13] = U8TO32_LITTLE(nonce + 4);
+	x[14] = U8TO32_LITTLE(nonce + 8);
+	x[15] = U8TO32_LITTLE(nonce + 12);
+
+	for (i = 20; i > 0; i -= 2) {
+		QUARTERROUND(x[0], x[4], x[8], x[12])
+		QUARTERROUND(x[1], x[5], x[9], x[13])
+		QUARTERROUND(x[2], x[6], x[10], x[14])
+		QUARTERROUND(x[3], x[7], x[11], x[15])
+		QUARTERROUND(x[0], x[5], x[10], x[15])
+		QUARTERROUND(x[1], x[6], x[11], x[12])
+		QUARTERROUND(x[2], x[7], x[8], x[13])
+		QUARTERROUND(x[3], x[4], x[9], x[14])
+	}
+
+	U32TO8_LITTLE(subkey + 0, x[0]);
+	U32TO8_LITTLE(subkey + 4, x[1]);
+	U32TO8_LITTLE(subkey + 8, x[2]);
+	U32TO8_LITTLE(subkey + 12, x[3]);
+
+	U32TO8_LITTLE(subkey + 16, x[12]);
+	U32TO8_LITTLE(subkey + 20, x[13]);
+	U32TO8_LITTLE(subkey + 24, x[14]);
+	U32TO8_LITTLE(subkey + 28, x[15]);
+}
diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c
index 0c384ab88af..6a2dddf0556 100644
--- a/src/lib/libcrypto/chacha/chacha.c
+++ b/src/lib/libcrypto/chacha/chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.c,v 1.7 2015/12/09 14:07:55 bcook Exp $ */
+/* $OpenBSD: chacha.c,v 1.8 2019/01/22 00:59:21 dlg Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -75,3 +75,13 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
 
 	chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len);
 }
+
+void
+CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
+    const unsigned char key[32], const unsigned char iv[24])
+{
+	uint8_t subkey[32];
+
+	CRYPTO_hchacha_20(subkey, key, iv);
+	CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
+}
diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h
index 8d94e626f8c..e2345b21994 100644
--- a/src/lib/libcrypto/chacha/chacha.h
+++ b/src/lib/libcrypto/chacha/chacha.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.h,v 1.7 2015/12/09 14:07:55 bcook Exp $ */
+/* $OpenBSD: chacha.h,v 1.8 2019/01/22 00:59:21 dlg Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -46,6 +46,10 @@ void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in,
 
 void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
     const unsigned char key[32], const unsigned char iv[8], uint64_t counter);
+void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
+    const unsigned char key[32], const unsigned char iv[24]);
+void CRYPTO_hchacha_20(unsigned char out[32],
+    const unsigned char key[32], const unsigned char iv[16]);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index 089ef12fb3e..a5cf8a19f20 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.18 2017/08/28 17:48:02 jsing Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.19 2019/01/22 00:59:21 dlg Exp $ */
 
 /*
  * Copyright (c) 2015 Reyk Floter <reyk@openbsd.org>
@@ -36,6 +36,7 @@
 #define CHACHA20_CONSTANT_LEN 4
 #define CHACHA20_IV_LEN 8
 #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN)
+#define XCHACHA20_NONCE_LEN 24
 
 struct aead_chacha20_poly1305_ctx {
 	unsigned char key[32];
@@ -246,6 +247,108 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
 	return 1;
 }
 
+static int
+aead_xchacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
+    size_t *out_len, size_t max_out_len, const unsigned char *nonce,
+    size_t nonce_len, const unsigned char *in, size_t in_len,
+    const unsigned char *ad, size_t ad_len)
+{
+	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
+	unsigned char poly1305_key[32];
+	unsigned char subkey[32];
+	poly1305_state poly1305;
+
+	if (max_out_len < in_len + c20_ctx->tag_len) {
+		EVPerror(EVP_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	if (nonce_len != ctx->aead->nonce_len) {
+		EVPerror(EVP_R_IV_TOO_LARGE);
+		return 0;
+	}
+
+	CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce);
+
+	CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1);
+
+	memset(poly1305_key, 0, sizeof(poly1305_key));
+	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
+	    subkey, nonce + 16, 0);
+
+	CRYPTO_poly1305_init(&poly1305, poly1305_key);
+	poly1305_update_with_pad16(&poly1305, ad, ad_len);
+	poly1305_update_with_pad16(&poly1305, out, in_len);
+	poly1305_update_with_length(&poly1305, NULL, ad_len);
+	poly1305_update_with_length(&poly1305, NULL, in_len);
+
+	if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
+		unsigned char tag[POLY1305_TAG_LEN];
+		CRYPTO_poly1305_finish(&poly1305, tag);
+		memcpy(out + in_len, tag, c20_ctx->tag_len);
+		*out_len = in_len + c20_ctx->tag_len;
+		return 1;
+	}
+
+	CRYPTO_poly1305_finish(&poly1305, out + in_len);
+	*out_len = in_len + POLY1305_TAG_LEN;
+	return 1;
+}
+
+static int
+aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
+    size_t *out_len, size_t max_out_len, const unsigned char *nonce,
+    size_t nonce_len, const unsigned char *in, size_t in_len,
+    const unsigned char *ad, size_t ad_len)
+{
+	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
+	unsigned char mac[POLY1305_TAG_LEN];
+	unsigned char poly1305_key[32];
+	unsigned char subkey[32];
+	poly1305_state poly1305;
+	size_t plaintext_len;
+
+	if (in_len < c20_ctx->tag_len) {
+		EVPerror(EVP_R_BAD_DECRYPT);
+		return 0;
+	}
+
+	if (nonce_len != ctx->aead->nonce_len) {
+		EVPerror(EVP_R_IV_TOO_LARGE);
+		return 0;
+	}
+
+	plaintext_len = in_len - c20_ctx->tag_len;
+
+	if (max_out_len < plaintext_len) {
+		EVPerror(EVP_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce);
+
+	memset(poly1305_key, 0, sizeof(poly1305_key));
+	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
+	    subkey, nonce + 16, 0);
+
+	CRYPTO_poly1305_init(&poly1305, poly1305_key);
+	poly1305_update_with_pad16(&poly1305, ad, ad_len);
+	poly1305_update_with_pad16(&poly1305, in, plaintext_len);
+	poly1305_update_with_length(&poly1305, NULL, ad_len);
+	poly1305_update_with_length(&poly1305, NULL, plaintext_len);
+
+	CRYPTO_poly1305_finish(&poly1305, mac);
+	if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) {
+		EVPerror(EVP_R_BAD_DECRYPT);
+		return 0;
+	}
+
+	CRYPTO_chacha_20(out, in, plaintext_len, subkey, nonce + 16, 1);
+
+	*out_len = plaintext_len;
+	return 1;
+}
+
 /* RFC 7539 */
 static const EVP_AEAD aead_chacha20_poly1305 = {
 	.key_len = 32,
@@ -265,4 +368,22 @@ EVP_aead_chacha20_poly1305()
 	return &aead_chacha20_poly1305;
 }
 
+static const EVP_AEAD aead_xchacha20_poly1305 = {
+	.key_len = 32,
+	.nonce_len = XCHACHA20_NONCE_LEN,
+	.overhead = POLY1305_TAG_LEN,
+	.max_tag_len = POLY1305_TAG_LEN,
+
+	.init = aead_chacha20_poly1305_init,
+	.cleanup = aead_chacha20_poly1305_cleanup,
+	.seal = aead_xchacha20_poly1305_seal,
+	.open = aead_xchacha20_poly1305_open,
+};
+
+const EVP_AEAD *
+EVP_aead_xchacha20_poly1305()
+{
+	return &aead_xchacha20_poly1305;
+}
+
 #endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 35f2b3281b1..0645303686d 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.71 2019/01/19 01:24:18 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.72 2019/01/22 00:59:21 dlg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1243,6 +1243,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm(void);
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 /* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */
 const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
+/* EVP_aead_xchacha20_poly1305 is XChaCha20 with a Poly1305 authenticator. */
+const EVP_AEAD *EVP_aead_xchacha20_poly1305(void);
 #endif
 
 /* EVP_AEAD_key_length returns the length of the keys used. */
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
index debcc773c46..a4d759a2edc 100644
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.6 2017/08/28 17:43:43 jsing Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.7 2019/01/22 00:59:21 dlg Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 28 2017 $
+.Dd $Mdocdate: January 22 2019 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -30,7 +30,8 @@
 .Nm EVP_AEAD_nonce_length ,
 .Nm EVP_aead_aes_128_gcm ,
 .Nm EVP_aead_aes_256_gcm ,
-.Nm EVP_aead_chacha20_poly1305
+.Nm EVP_aead_chacha20_poly1305,
+.Nm EVP_aead_xchacha20_poly1305
 .Nd authenticated encryption with additional data
 .Sh SYNOPSIS
 .In openssl/evp.h
@@ -101,6 +102,10 @@
 .Fo EVP_aead_chacha20_poly1305
 .Fa void
 .Fc
+.Ft const EVP_AEAD *
+.Fo EVP_aead_xchacha20_poly1305
+.Fa void
+.Fc
 .Sh DESCRIPTION
 AEAD (Authenticated Encryption with Additional Data) couples
 confidentiality and integrity in a single primitive.
@@ -219,6 +224,8 @@ AES-128 in Galois Counter Mode.
 AES-256 in Galois Counter Mode.
 .It Fn EVP_aead_chacha20_poly1305
 ChaCha20 with a Poly1305 authenticator.
+.It Fn EVP_aead_xchacha20_poly1305
+XChaCha20 with a Poly1305 authenticator.
 .El
 .Pp
 Where possible the
@@ -285,6 +292,13 @@ EVP_AEAD_CTX_cleanup(&ctx);
 .%R RFC 7539
 .%T ChaCha20 and Poly1305 for IETF Protocols
 .Re
+.Pp
+.Rs
+.%A S. Arciszewski
+.%D October 2018
+.%R draft-arciszewski-xchacha-02
+.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
+.Re
 .Sh HISTORY
 AEAD is based on the implementation by
 .An Adam Langley
diff --git a/src/regress/lib/libcrypto/aead/aeadtest.c b/src/regress/lib/libcrypto/aead/aeadtest.c
index 4f0ab9fa3ab..1b144c26158 100644
--- a/src/regress/lib/libcrypto/aead/aeadtest.c
+++ b/src/regress/lib/libcrypto/aead/aeadtest.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: aeadtest.c,v 1.11 2018/07/17 17:06:49 tb Exp $	*/
+/*	$OpenBSD: aeadtest.c,v 1.12 2019/01/22 00:59:21 dlg Exp $	*/
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
@@ -52,8 +52,11 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
+#include <unistd.h>
+#include <ctype.h>
 
 #include <openssl/evp.h>
+#include <openssl/err.h>
 
 /* This program tests an AEAD against a series of test vectors from a file. The
  * test vector file consists of key-value lines where the key and value are
@@ -134,6 +137,12 @@ aead_from_name(const EVP_AEAD **aead, const char *name)
 		*aead = EVP_aead_chacha20_poly1305();
 #else
 		fprintf(stderr, "No chacha20-poly1305 support.\n");
+#endif
+	} else if (strcmp(name, "xchacha20-poly1305") == 0) {
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+		*aead = EVP_aead_xchacha20_poly1305();
+#else
+		fprintf(stderr, "No xchacha20-poly1305 support.\n");
 #endif
 	} else {
 		fprintf(stderr, "Unknown AEAD: %s\n", name);
diff --git a/src/regress/lib/libcrypto/aead/aeadtests.txt b/src/regress/lib/libcrypto/aead/aeadtests.txt
index 18cee7e5790..4ca47303b20 100644
--- a/src/regress/lib/libcrypto/aead/aeadtests.txt
+++ b/src/regress/lib/libcrypto/aead/aeadtests.txt
@@ -1,4 +1,4 @@
-#	$OpenBSD: aeadtests.txt,v 1.7 2018/07/17 17:06:49 tb Exp $
+#	$OpenBSD: aeadtests.txt,v 1.8 2019/01/22 00:59:21 dlg Exp $
 #
 # MACsec GCM-AES Test Vectors (bn-randall-test-vectors-0511-v1.pdf)
 #
@@ -75,3 +75,12 @@ AD: c0c1c2c3c4c5c6c7d0d1d2d3d4d5d6d72e202500000000090000004529000029
 CT: 610394701f8d017f7c12924889
 TAG: 6b71bfe25236efd7cdc67066906315b2
 
+# Test vector from draft-arciszewski-xchacha-02
+AEAD: xchacha20-poly1305
+KEY: 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f
+NONCE: 404142434445464748494a4b4c4d4e4f5051525354555657
+IN: 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e
+AD: 50515253c0c1c2c3c4c5c6c7
+CT: bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b4522f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff921f9664c97637da9768812f615c68b13b52e
+TAG: c0875924c1c7987947deafd8780acf49
+
diff --git a/src/regress/lib/libcrypto/chacha/chachatest.c b/src/regress/lib/libcrypto/chacha/chachatest.c
index fe4cc409524..4e159746173 100644
--- a/src/regress/lib/libcrypto/chacha/chachatest.c
+++ b/src/regress/lib/libcrypto/chacha/chachatest.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: chachatest.c,v 1.5 2018/07/17 17:06:49 tb Exp $	*/
+/*	$OpenBSD: chachatest.c,v 1.6 2019/01/22 00:59:21 dlg Exp $	*/
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -292,6 +292,170 @@ struct chacha_test_function chacha_test_functions[] = {
 
 #define N_FUNCS (sizeof(chacha_test_functions) / sizeof(*chacha_test_functions))
 
+/* draft-arciszewski-xchacha-02 test vectors */
+static int
+crypto_hchacha_20_test(void)
+{
+	static const unsigned char key[32] = {
+		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+	};
+	static const unsigned char nonce[16] = {
+		0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4a,
+		0x00, 0x00, 0x00, 0x00, 0x31, 0x41, 0x59, 0x27,
+	};
+	static const unsigned char result[32] = {
+		0x82, 0x41, 0x3b, 0x42, 0x27, 0xb2, 0x7b, 0xfe,
+		0xd3, 0x0e, 0x42, 0x50, 0x8a, 0x87, 0x7d, 0x73,
+		0xa0, 0xf9, 0xe4, 0xd5, 0x8a, 0x74, 0xa8, 0x53,
+		0xc1, 0x2e, 0xc4, 0x13, 0x26, 0xd3, 0xec, 0xdc,
+	};
+	unsigned char out[32];
+	int failed = 0;
+	size_t k;
+
+	CRYPTO_hchacha_20(out, key, nonce);
+
+	if (memcmp(out, result, sizeof(out)) != 0) {
+		printf("HChaCha20 failed!\n");
+
+		printf("Got:\t");
+		for (k = 0; k < sizeof(out); k++)
+			printf("%2.2x", out[k]);
+		printf("\n");
+
+		printf("Want:\t");
+		for (k = 0; k < sizeof(result); k++)
+			printf("%2.2x", result[k]);
+		printf("\n");
+
+		failed = 1;
+	}
+
+	return (failed);
+}
+
+static int
+crypto_xchacha_20_test(void)
+{
+	static const unsigned char key[32] = {
+		0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+		0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+		0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+		0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	};
+	static const unsigned char iv[24] = {
+		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+		0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x58
+	};
+	static const unsigned char plain[] = {
+		0x54, 0x68, 0x65, 0x20, 0x64, 0x68, 0x6f, 0x6c,
+		0x65, 0x20, 0x28, 0x70, 0x72, 0x6f, 0x6e, 0x6f,
+		0x75, 0x6e, 0x63, 0x65, 0x64, 0x20, 0x22, 0x64,
+		0x6f, 0x6c, 0x65, 0x22, 0x29, 0x20, 0x69, 0x73,
+		0x20, 0x61, 0x6c, 0x73, 0x6f, 0x20, 0x6b, 0x6e,
+		0x6f, 0x77, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x74,
+		0x68, 0x65, 0x20, 0x41, 0x73, 0x69, 0x61, 0x74,
+		0x69, 0x63, 0x20, 0x77, 0x69, 0x6c, 0x64, 0x20,
+		0x64, 0x6f, 0x67, 0x2c, 0x20, 0x72, 0x65, 0x64,
+		0x20, 0x64, 0x6f, 0x67, 0x2c, 0x20, 0x61, 0x6e,
+		0x64, 0x20, 0x77, 0x68, 0x69, 0x73, 0x74, 0x6c,
+		0x69, 0x6e, 0x67, 0x20, 0x64, 0x6f, 0x67, 0x2e,
+		0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x61,
+		0x62, 0x6f, 0x75, 0x74, 0x20, 0x74, 0x68, 0x65,
+		0x20, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6f, 0x66,
+		0x20, 0x61, 0x20, 0x47, 0x65, 0x72, 0x6d, 0x61,
+		0x6e, 0x20, 0x73, 0x68, 0x65, 0x70, 0x68, 0x65,
+		0x72, 0x64, 0x20, 0x62, 0x75, 0x74, 0x20, 0x6c,
+		0x6f, 0x6f, 0x6b, 0x73, 0x20, 0x6d, 0x6f, 0x72,
+		0x65, 0x20, 0x6c, 0x69, 0x6b, 0x65, 0x20, 0x61,
+		0x20, 0x6c, 0x6f, 0x6e, 0x67, 0x2d, 0x6c, 0x65,
+		0x67, 0x67, 0x65, 0x64, 0x20, 0x66, 0x6f, 0x78,
+		0x2e, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x68,
+		0x69, 0x67, 0x68, 0x6c, 0x79, 0x20, 0x65, 0x6c,
+		0x75, 0x73, 0x69, 0x76, 0x65, 0x20, 0x61, 0x6e,
+		0x64, 0x20, 0x73, 0x6b, 0x69, 0x6c, 0x6c, 0x65,
+		0x64, 0x20, 0x6a, 0x75, 0x6d, 0x70, 0x65, 0x72,
+		0x20, 0x69, 0x73, 0x20, 0x63, 0x6c, 0x61, 0x73,
+		0x73, 0x69, 0x66, 0x69, 0x65, 0x64, 0x20, 0x77,
+		0x69, 0x74, 0x68, 0x20, 0x77, 0x6f, 0x6c, 0x76,
+		0x65, 0x73, 0x2c, 0x20, 0x63, 0x6f, 0x79, 0x6f,
+		0x74, 0x65, 0x73, 0x2c, 0x20, 0x6a, 0x61, 0x63,
+		0x6b, 0x61, 0x6c, 0x73, 0x2c, 0x20, 0x61, 0x6e,
+		0x64, 0x20, 0x66, 0x6f, 0x78, 0x65, 0x73, 0x20,
+		0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74,
+		0x61, 0x78, 0x6f, 0x6e, 0x6f, 0x6d, 0x69, 0x63,
+		0x20, 0x66, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x20,
+		0x43, 0x61, 0x6e, 0x69, 0x64, 0x61, 0x65, 0x2e,
+	};
+	static const unsigned char cipher[] = {
+		0x45, 0x59, 0xab, 0xba, 0x4e, 0x48, 0xc1, 0x61,
+		0x02, 0xe8, 0xbb, 0x2c, 0x05, 0xe6, 0x94, 0x7f,
+		0x50, 0xa7, 0x86, 0xde, 0x16, 0x2f, 0x9b, 0x0b,
+		0x7e, 0x59, 0x2a, 0x9b, 0x53, 0xd0, 0xd4, 0xe9,
+		0x8d, 0x8d, 0x64, 0x10, 0xd5, 0x40, 0xa1, 0xa6,
+		0x37, 0x5b, 0x26, 0xd8, 0x0d, 0xac, 0xe4, 0xfa,
+		0xb5, 0x23, 0x84, 0xc7, 0x31, 0xac, 0xbf, 0x16,
+		0xa5, 0x92, 0x3c, 0x0c, 0x48, 0xd3, 0x57, 0x5d,
+		0x4d, 0x0d, 0x2c, 0x67, 0x3b, 0x66, 0x6f, 0xaa,
+		0x73, 0x10, 0x61, 0x27, 0x77, 0x01, 0x09, 0x3a,
+		0x6b, 0xf7, 0xa1, 0x58, 0xa8, 0x86, 0x42, 0x92,
+		0xa4, 0x1c, 0x48, 0xe3, 0xa9, 0xb4, 0xc0, 0xda,
+		0xec, 0xe0, 0xf8, 0xd9, 0x8d, 0x0d, 0x7e, 0x05,
+		0xb3, 0x7a, 0x30, 0x7b, 0xbb, 0x66, 0x33, 0x31,
+		0x64, 0xec, 0x9e, 0x1b, 0x24, 0xea, 0x0d, 0x6c,
+		0x3f, 0xfd, 0xdc, 0xec, 0x4f, 0x68, 0xe7, 0x44,
+		0x30, 0x56, 0x19, 0x3a, 0x03, 0xc8, 0x10, 0xe1,
+		0x13, 0x44, 0xca, 0x06, 0xd8, 0xed, 0x8a, 0x2b,
+		0xfb, 0x1e, 0x8d, 0x48, 0xcf, 0xa6, 0xbc, 0x0e,
+		0xb4, 0xe2, 0x46, 0x4b, 0x74, 0x81, 0x42, 0x40,
+		0x7c, 0x9f, 0x43, 0x1a, 0xee, 0x76, 0x99, 0x60,
+		0xe1, 0x5b, 0xa8, 0xb9, 0x68, 0x90, 0x46, 0x6e,
+		0xf2, 0x45, 0x75, 0x99, 0x85, 0x23, 0x85, 0xc6,
+		0x61, 0xf7, 0x52, 0xce, 0x20, 0xf9, 0xda, 0x0c,
+		0x09, 0xab, 0x6b, 0x19, 0xdf, 0x74, 0xe7, 0x6a,
+		0x95, 0x96, 0x74, 0x46, 0xf8, 0xd0, 0xfd, 0x41,
+		0x5e, 0x7b, 0xee, 0x2a, 0x12, 0xa1, 0x14, 0xc2,
+		0x0e, 0xb5, 0x29, 0x2a, 0xe7, 0xa3, 0x49, 0xae,
+		0x57, 0x78, 0x20, 0xd5, 0x52, 0x0a, 0x1f, 0x3f,
+		0xb6, 0x2a, 0x17, 0xce, 0x6a, 0x7e, 0x68, 0xfa,
+		0x7c, 0x79, 0x11, 0x1d, 0x88, 0x60, 0x92, 0x0b,
+		0xc0, 0x48, 0xef, 0x43, 0xfe, 0x84, 0x48, 0x6c,
+		0xcb, 0x87, 0xc2, 0x5f, 0x0a, 0xe0, 0x45, 0xf0,
+		0xcc, 0xe1, 0xe7, 0x98, 0x9a, 0x9a, 0xa2, 0x20,
+		0xa2, 0x8b, 0xdd, 0x48, 0x27, 0xe7, 0x51, 0xa2,
+		0x4a, 0x6d, 0x5c, 0x62, 0xd7, 0x90, 0xa6, 0x63,
+		0x93, 0xb9, 0x31, 0x11, 0xc1, 0xa5, 0x5d, 0xd7,
+		0x42, 0x1a, 0x10, 0x18, 0x49, 0x74, 0xc7, 0xc5,
+	};
+	unsigned char out[sizeof(cipher)];
+	int failed = 0;
+	size_t k;
+
+	CRYPTO_xchacha_20(out, plain, sizeof(out), key, iv);
+
+	if (memcmp(out, cipher, sizeof(out)) != 0) {
+		printf("XChaCha20 failed!\n");
+
+		printf("Got:\t");
+		for (k = 0; k < sizeof(out); k++)
+			printf("%2.2x", out[k]);
+		printf("\n");
+
+		printf("Want:\t");
+		for (k = 0; k < sizeof(cipher); k++)
+			printf("%2.2x", cipher[k]);
+		printf("\n");
+
+		failed = 1;
+	}
+
+	return (failed);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -335,5 +499,11 @@ main(int argc, char **argv)
 		}
 	}
 
+	if (crypto_hchacha_20_test() != 0)
+		failed = 1;
+
+	if (crypto_xchacha_20_test() != 0)
+		failed = 1;
+
 	return failed;
 }