Nikos Mavrogiannopoulos nmav@gnutls.org writes:
That makes sense. I was trying to figure that out without putting a conditional into encrypt.
I don't think a conditional on entry to chacha_poly1305_encrypt is a big deal (for high performance, one ought to pass several blocks per call anyway). And you can most likely take out the current check "if (!ctx->data_size)", so it shouldn't really add a conditional.
About alignment, after a quick look, I think chacha_poly1305_*crypt can call _poly1305_block directly, by-passing the buffering logic in poly1305_update / MD_UPDATE. Except that I'm not sure how to handle a final, partial, block.
The poly1305 buffer is then needed only for chacha_poly1305_update, assuming we're going to stick to the convention that _update functions don't impose any block size on the caller.
Regards, /Niels