+void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept

+ assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

+ m_chacha20.Crypt(UCharCast(plain1.data()), UCharCast(cipher.data()), plain1.size());

+ m_chacha20.Crypt(UCharCast(plain2.data()), UCharCast(cipher.data() + plain1.size()), plain2.size());

+ ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));

+bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept

+ assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

+ ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);

+ if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.data() + cipher.size() - EXPANSION), EXPANSION)) return false;

+ m_chacha20.Crypt(UCharCast(cipher.data()), UCharCast(plain1.data()), plain1.size());

+ m_chacha20.Crypt(UCharCast(cipher.data() + plain1.size()), UCharCast(plain2.data()), plain2.size());

+void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept

+ m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);

+bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept

+ bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);

+ void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept

+ {

+ Encrypt(plain, {}, aad, nonce, cipher);

+ }

+

+ /** Encrypt a message (given split into plain1 + plain2) with a specified 96-bit nonce and aad.

+ *

+ * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.

+ */

+ void Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept;

+ bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain) noexcept

+ {

+ return Decrypt(cipher, aad, nonce, plain, {});

+ }

+

+ /** Decrypt a message with a specified 96-bit nonce and aad and split the result. Returns true if valid.

+ *

+ * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.

+ */

+ bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept;

+ void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept

+ {

+ Encrypt(plain, {}, aad, cipher);

+ }

+

+ /** Encrypt a message (given split into plain1 + plain2) with a specified aad.

+ *

+ * Requires cipher.size() = plain.size() + EXPANSION.

+ */

+ void Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept;

+ bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept

+ {

+ return Decrypt(cipher, aad, plain, {});

+ }

+

+ /** Decrypt a message with a specified aad and split the result. Returns true if valid.

+ *

+ * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.

+ */

+ bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept;

+ for (int i = 0; i < 10; ++i) {

+ // During i=0, use single-plain Encrypt/Decrypt; others use a split at prefix.

+ size_t prefix = i ? InsecureRandRange(plain.size() + 1) : plain.size();

+ // Encrypt.

+ std::vector<std::byte> cipher(plain.size() + AEADChaCha20Poly1305::EXPANSION);

+ AEADChaCha20Poly1305 aead{key};

+ if (i == 0) {

+ aead.Encrypt(plain, aad, nonce, cipher);

+ } else {

+ aead.Encrypt(Span{plain}.first(prefix), Span{plain}.subspan(prefix), aad, nonce, cipher);

+ }

+ BOOST_CHECK(cipher == expected_cipher);

+ // Decrypt.

+ std::vector<std::byte> decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION);

+ bool ret{false};

+ if (i == 0) {

+ ret = aead.Decrypt(cipher, aad, nonce, decipher);

+ } else {

+ ret = aead.Decrypt(cipher, aad, nonce, Span{decipher}.first(prefix), Span{decipher}.subspan(prefix));

+ }

+ BOOST_CHECK(ret);

+ BOOST_CHECK(decipher == plain);

+ }

+ // Test Keystream output.

+ AEADChaCha20Poly1305 aead{key};

+ BOOST_CHECK_EQUAL(plain[i] ^ keystream[i], expected_cipher[i]);

+ for (int it = 0; it < 10; ++it) {

+ // During it==0 we use the single-plain Encrypt/Decrypt; others use a split at prefix.

+ size_t prefix = it ? InsecureRandRange(plain.size() + 1) : plain.size();

+ // Do msg_idx dummy encryptions to seek to the correct packet.

+ FSChaCha20Poly1305 enc_aead{key, 224};

+ for (uint64_t i = 0; i < msg_idx; ++i) {

+ std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};

+ enc_aead.Encrypt(Span{dummy_tag}.first(0), Span{dummy_tag}.first(0), dummy_tag);

+ }

+ // Invoke single-plain or plain1/plain2 Encrypt.

+ if (it == 0) {

+ enc_aead.Encrypt(plain, aad, cipher);

+ } else {

+ enc_aead.Encrypt(Span{plain}.first(prefix), Span{plain}.subspan(prefix), aad, cipher);

+ }

+ BOOST_CHECK(cipher == expected_cipher);

+ // Do msg_idx dummy decryptions to seek to the correct packet.

+ FSChaCha20Poly1305 dec_aead{key, 224};

+ for (uint64_t i = 0; i < msg_idx; ++i) {

+ std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};

+ dec_aead.Decrypt(dummy_tag, Span{dummy_tag}.first(0), Span{dummy_tag}.first(0));

+ }

+

+ // Invoke single-plain or plain1/plain2 Decrypt.

+ std::vector<std::byte> decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION);

+ bool ret{false};

+ if (it == 0) {

+ ret = dec_aead.Decrypt(cipher, aad, decipher);

+ } else {

+ ret = dec_aead.Decrypt(cipher, aad, Span{decipher}.first(prefix), Span{decipher}.subspan(prefix));

+ }

+ BOOST_CHECK(ret);

+ BOOST_CHECK(decipher == plain);

+ }