XChaCha20 / XChaCha20-Poly1305

doc/crypt.tex

@@ -1305,14 +1305,28 @@ \chapter{Stream Ciphers}
 
 Note: You shouldn't use the keystream interface as a PRNG, as it doesn't allow to re-seed the internal state.
 
-\mysection{ChaCha}
+\mysection{ChaCha and XChaCha20}
 
 \textit{ChaCha} is currently the most modern stream cipher included in LibTomCrypt, so use this one unless you
 have a reason for using some of the older algorithms.
+\vspace{1mm}
+
+\textit{XChaCha20} is a variant of \textit{ChaCha20} designed to accept only a 256-bit key and a
+longer 192-bit nonce (24 bytes), which dramatically reduces the risk of nonce collisions when
+generating nonces randomly.  Initialization is the only difference between \textit{XChaCha20}
+and \textit{ChaCha20}.  Even the \textit{chacha\_state} is the same.  Thereafter,
+chacha\_crypt(), chacha\_keystream(), and chacha\_done() are used unaltered.
+chacha\_ivctr32() and chacha\_ivctr64() are NOT used with xchacha20\_setup().
+\vspace{1mm}
 
 For more information about ChaCha see \url{https://en.wikipedia.org/wiki/ChaCha_(cipher)}.
+\vspace{1mm}
 
-Supported key size: 16 or 32 bytes (128 or 256 bits).
+For more information about XChaCha20 see
+\url{https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha}.
+\vspace{1mm}
+
+Supported key size: 16 or 32 bytes (128 or 256 bits) for ChaCha, 32 bytes only for XChaCha20.
 
 You can initialize ChaCha with 96bit \textit{nonce} + 32bit \textit{counter}:
 \begin{verbatim}
@@ -1328,9 +1342,17 @@ \chapter{Stream Ciphers}
 err = chacha_ivctr64(&st, nonce, 8, initial_64bit_ctr);
 \end{verbatim}
 
+To initialize \textit{XChaCha20} for the recommended 20 rounds with a 256-bit
+key (32 bytes) and a 192-bit nonce (24 bytes), use:
+\begin{verbatim}
+chacha_state st;
+err = xchacha20_setup(&st, key, key_len, nonce, nonce_len, rounds);
+\end{verbatim}
+
 The \textit{chacha\_setup} takes the number of rounds as a parameter -- choose 20 if you are not sure.
 As always never ever use the same key + nonce pair more than once.
 
+Both \textit{ChaCha} and \textit{XChaCha20} use the following functions.
 For the actual encryption or decryption you have to call:
 \begin{verbatim}
 err = chacha_crypt(&st, in_buffer, in_len, out_buffer);
@@ -1354,6 +1376,39 @@ \chapter{Stream Ciphers}
 err = chacha_memory(key, keylen, iv, ivlen, datain, datalen, rounds, dataout);
 \end{verbatim}
 
+To encrypt plaintext (or decrypt ciphertext) using XChaCha20 for data already in
+memory with a single function call, the following function may be used.
+\begin{verbatim}
+err = xchacha20_memory(key, keylen, rounds, nonce, nonce_len, datain, datalen, dataout);
+\end{verbatim}
+
+For both \textit{ChaCha} and \textit{XChaCha20} rounds must be an even number
+and if set to 0 the default number of rounds, 20, will be used.
+\vspace{1mm}
+
+\subsection{HChaCha20}
+
+\textit{HChaCha20} is the key derivation function underlying \textit{XChaCha20}.  It applies the
+ChaCha20 block function (without the final addition step) to a 256-bit key and a 128-bit input,
+producing a 256-bit derived key.  It is also useful as a standalone KDF, for example in NaCl-style
+\textit{crypto\_box} constructions.
+
+\index{xchacha20\_hchacha20()}
+\begin{verbatim}
+int xchacha20_hchacha20(unsigned char *out,  unsigned long outlen,
+                        const unsigned char *key, unsigned long keylen,
+                        const unsigned char *in,  unsigned long inlen,
+                        int rounds);
+\end{verbatim}
+This derives a 32-byte subkey from a 32-byte \textit{key} and a 16-byte \textit{in} using
+\textit{rounds} ChaCha20 rounds (0 = default 20).  The output is stored in \textit{out}
+(\textit{outlen} must be 32, \textit{keylen} must be 32, \textit{inlen} must be 16).
+\vspace{1mm}
+
+If you define \textit{LTC\_XCHACHA20} to include \textit{XChaCha20} and \textit{HChaCha20} in a
+minimal \textit{libtomcrypt} library build, you must also define \textit{LTC\_CHACHA}.
+\vspace{1mm}
+
 \mysection{Salsa20 and XSalsa20}
 
 \textit{Salsa20} was Daniel Bernstein's submission to the EU eSTREAM
@@ -2462,6 +2517,9 @@ \subsection{Example Usage}
 
 This authenticated encryption is based on the ChaCha20 stream cipher and Poly1305 authenticator.
 It is defined by \url{https://tools.ietf.org/html/rfc8439}.
+When \textit{LTC\_XCHACHA20} is enabled, this mode also supports 24-byte IVs for
+\textit{XChaCha20--Poly1305} as defined by
+\url{https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha}.
 
 IMPORTANT NOTICE: The Chacha20--Poly1305 implementation of LibTomCrypt is compliant to \textbf{RFC8439}, which differs slightly
 to what OpenSSH defined as \textbf{[email protected]}. The OpenSSH compatibility mode can be enabled
@@ -2489,8 +2547,10 @@ \subsection{Initialization Vector}
                               const unsigned char *iv,
                                     unsigned long  ivlen);
 \end{verbatim}
-This adds the initialization vector from \textit{iv} of length \textit{ivlen} octects (valid lengths: 8 or 12) to
-the ChaCha20--Poly1305 state \textit{st}.
+This adds the initialization vector from \textit{iv} of length \textit{ivlen} octects (valid lengths: 8, 12,
+or 24 when \textit{LTC\_XCHACHA20} is enabled) to the ChaCha20--Poly1305 state \textit{st}.
+When \textit{ivlen} is 24, this operates as \textit{XChaCha20--Poly1305}, internally deriving
+a subkey via HChaCha20 before proceeding.
 
 \index{chacha20poly1305\_setiv\_rfc7905()}
 \begin{verbatim}

libtomcrypt_VS2008.vcproj

@@ -2910,6 +2910,18 @@
 					RelativePath="src\stream\chacha\chacha_test.c"
 					>
 				</File>
+				<File
+					RelativePath="src\stream\chacha\xchacha20_memory.c"
+					>
+				</File>
+				<File
+					RelativePath="src\stream\chacha\xchacha20_setup.c"
+					>
+				</File>
+				<File
+					RelativePath="src\stream\chacha\xchacha20_test.c"
+					>
+				</File>
 			</Filter>
 			<Filter
 				Name="rabbit"

makefile.mingw

@@ -226,7 +226,8 @@ src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prn
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
-src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
+src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/chacha/xchacha20_memory.o \
+src/stream/chacha/xchacha20_setup.o src/stream/chacha/xchacha20_test.o src/stream/rabbit/rabbit.o \
 src/stream/rabbit/rabbit_memory.o src/stream/rc4/rc4_stream.o src/stream/rc4/rc4_stream_memory.o \
 src/stream/rc4/rc4_test.o src/stream/salsa20/salsa20_crypt.o src/stream/salsa20/salsa20_done.o \
 src/stream/salsa20/salsa20_ivctr64.o src/stream/salsa20/salsa20_keystream.o \

makefile.msvc

@@ -219,7 +219,8 @@ src/prngs/rng_get_bytes.obj src/prngs/rng_make_prng.obj src/prngs/sober128.obj s
 src/prngs/yarrow.obj src/stream/chacha/chacha_crypt.obj src/stream/chacha/chacha_done.obj \
 src/stream/chacha/chacha_ivctr32.obj src/stream/chacha/chacha_ivctr64.obj \
 src/stream/chacha/chacha_keystream.obj src/stream/chacha/chacha_memory.obj \
-src/stream/chacha/chacha_setup.obj src/stream/chacha/chacha_test.obj src/stream/rabbit/rabbit.obj \
+src/stream/chacha/chacha_setup.obj src/stream/chacha/chacha_test.obj src/stream/chacha/xchacha20_memory.obj \
+src/stream/chacha/xchacha20_setup.obj src/stream/chacha/xchacha20_test.obj src/stream/rabbit/rabbit.obj \
 src/stream/rabbit/rabbit_memory.obj src/stream/rc4/rc4_stream.obj src/stream/rc4/rc4_stream_memory.obj \
 src/stream/rc4/rc4_test.obj src/stream/salsa20/salsa20_crypt.obj src/stream/salsa20/salsa20_done.obj \
 src/stream/salsa20/salsa20_ivctr64.obj src/stream/salsa20/salsa20_keystream.obj \

makefile.unix

@@ -240,7 +240,8 @@ src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prn
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
-src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
+src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/chacha/xchacha20_memory.o \
+src/stream/chacha/xchacha20_setup.o src/stream/chacha/xchacha20_test.o src/stream/rabbit/rabbit.o \
 src/stream/rabbit/rabbit_memory.o src/stream/rc4/rc4_stream.o src/stream/rc4/rc4_stream_memory.o \
 src/stream/rc4/rc4_test.o src/stream/salsa20/salsa20_crypt.o src/stream/salsa20/salsa20_done.o \
 src/stream/salsa20/salsa20_ivctr64.o src/stream/salsa20/salsa20_keystream.o \

makefile_include.mk

@@ -411,7 +411,8 @@ src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prn
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
-src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
+src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/chacha/xchacha20_memory.o \
+src/stream/chacha/xchacha20_setup.o src/stream/chacha/xchacha20_test.o src/stream/rabbit/rabbit.o \
 src/stream/rabbit/rabbit_memory.o src/stream/rc4/rc4_stream.o src/stream/rc4/rc4_stream_memory.o \
 src/stream/rc4/rc4_test.o src/stream/salsa20/salsa20_crypt.o src/stream/salsa20/salsa20_done.o \
 src/stream/salsa20/salsa20_ivctr64.o src/stream/salsa20/salsa20_keystream.o \

sources.cmake

@@ -518,6 +518,9 @@ src/stream/chacha/chacha_keystream.c
 src/stream/chacha/chacha_memory.c
 src/stream/chacha/chacha_setup.c
 src/stream/chacha/chacha_test.c
+src/stream/chacha/xchacha20_memory.c
+src/stream/chacha/xchacha20_setup.c
+src/stream/chacha/xchacha20_test.c
 src/stream/rabbit/rabbit.c
 src/stream/rabbit/rabbit_memory.c
 src/stream/rc4/rc4_stream.c

src/encauth/chachapoly/chacha20poly1305_setiv.c

@@ -9,7 +9,7 @@
   Set IV + counter data to the ChaCha20Poly1305 state and reset the context
   @param st     The ChaCha20Poly1305 state
   @param iv     The IV data to add
-  @param ivlen  The length of the IV (must be 12 or 8)
+  @param ivlen  The length of the IV (must be 12 or 8, or 24 when LTC_XCHACHA20 is enabled)
   @return CRYPT_OK on success
  */
 int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen)
@@ -20,7 +20,62 @@ int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv,
 
    LTC_ARGCHK(st != NULL);
    LTC_ARGCHK(iv != NULL);
+#ifdef LTC_XCHACHA20
+   LTC_ARGCHK(ivlen == 12 || ivlen == 8 || ivlen == 24);
+#else
    LTC_ARGCHK(ivlen == 12 || ivlen == 8);
+#endif
+
+#ifdef LTC_XCHACHA20
+   if (ivlen == 24) {
+      unsigned char orig_key[32];
+
+      /* extract the original key from state (stored by chacha_setup via chacha20poly1305_init) */
+      STORE32L(st->chacha.input[4],  orig_key +  0);
+      STORE32L(st->chacha.input[5],  orig_key +  4);
+      STORE32L(st->chacha.input[6],  orig_key +  8);
+      STORE32L(st->chacha.input[7],  orig_key + 12);
+      STORE32L(st->chacha.input[8],  orig_key + 16);
+      STORE32L(st->chacha.input[9],  orig_key + 20);
+      STORE32L(st->chacha.input[10], orig_key + 24);
+      STORE32L(st->chacha.input[11], orig_key + 28);
+
+      /* derive subkey via HChaCha20 and set up state with counter=0 */
+      if ((err = xchacha20_setup(&st->chacha, orig_key, 32, iv, 24, 20)) != CRYPT_OK) {
+         zeromem(orig_key, sizeof(orig_key));
+         return err;
+      }
+
+      /* copy state to temporary for Poly1305 key derivation (counter=0) */
+      for (i = 0; i < 16; i++) tmp_st.input[i] = st->chacha.input[i];
+      tmp_st.input[12] = 0;
+      tmp_st.rounds = st->chacha.rounds;
+      tmp_st.ksleft = 0;
+      tmp_st.ivlen  = 12;  /* use IETF counter mode for keystream generation */
+
+      /* generate Poly1305 key from block 0 */
+      if ((err = chacha_keystream(&tmp_st, polykey, 32)) != CRYPT_OK) {
+         zeromem(orig_key, sizeof(orig_key));
+         return err;
+      }
+
+      /* set main state counter to 1 for encryption */
+      st->chacha.input[12] = 1;
+      st->chacha.ksleft = 0;
+
+      /* initialize Poly1305 */
+      if ((err = poly1305_init(&st->poly, polykey, 32)) != CRYPT_OK) {
+         zeromem(orig_key, sizeof(orig_key));
+         return err;
+      }
+      st->ctlen  = 0;
+      st->aadlen = 0;
+      st->aadflg = 1;
+
+      zeromem(orig_key, sizeof(orig_key));
+      return CRYPT_OK;
+   }
+#endif
 
    /* set IV for chacha20 */
    if (ivlen == 12) {

src/encauth/chachapoly/chacha20poly1305_test.c

@@ -152,6 +152,71 @@ int chacha20poly1305_test(void)
       }
    }
 
+#ifdef LTC_XCHACHA20
+   /* XChaCha20-Poly1305 AEAD test (draft-irtf-cfrg-xchacha, Appendix A.3.1) */
+   {
+      unsigned char xk[]   = { 0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
+                               0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f };
+      unsigned char xi24[] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,
+                               0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57 };
+      unsigned char xaad[] = { 0x50,0x51,0x52,0x53,0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7 };
+      unsigned char xpt[]  = { 0x4c,0x61,0x64,0x69,0x65,0x73,0x20,0x61,0x6e,0x64,0x20,0x47,0x65,0x6e,0x74,0x6c,
+                               0x65,0x6d,0x65,0x6e,0x20,0x6f,0x66,0x20,0x74,0x68,0x65,0x20,0x63,0x6c,0x61,0x73,
+                               0x73,0x20,0x6f,0x66,0x20,0x27,0x39,0x39,0x3a,0x20,0x49,0x66,0x20,0x49,0x20,0x63,
+                               0x6f,0x75,0x6c,0x64,0x20,0x6f,0x66,0x66,0x65,0x72,0x20,0x79,0x6f,0x75,0x20,0x6f,
+                               0x6e,0x6c,0x79,0x20,0x6f,0x6e,0x65,0x20,0x74,0x69,0x70,0x20,0x66,0x6f,0x72,0x20,
+                               0x74,0x68,0x65,0x20,0x66,0x75,0x74,0x75,0x72,0x65,0x2c,0x20,0x73,0x75,0x6e,0x73,
+                               0x63,0x72,0x65,0x65,0x6e,0x20,0x77,0x6f,0x75,0x6c,0x64,0x20,0x62,0x65,0x20,0x69,
+                               0x74,0x2e };
+      unsigned char xenc[] = { 0xbd,0x6d,0x17,0x9d,0x3e,0x83,0xd4,0x3b,0x95,0x76,0x57,0x94,0x93,0xc0,0xe9,0x39,
+                               0x57,0x2a,0x17,0x00,0x25,0x2b,0xfa,0xcc,0xbe,0xd2,0x90,0x2c,0x21,0x39,0x6c,0xbb,
+                               0x73,0x1c,0x7f,0x1b,0x0b,0x4a,0xa6,0x44,0x0b,0xf3,0xa8,0x2f,0x4e,0xda,0x7e,0x39,
+                               0xae,0x64,0xc6,0x70,0x8c,0x54,0xc2,0x16,0xcb,0x96,0xb7,0x2e,0x12,0x13,0xb4,0x52,
+                               0x2f,0x8c,0x9b,0xa4,0x0d,0xb5,0xd9,0x45,0xb1,0x1b,0x69,0xb9,0x82,0xc1,0xbb,0x9e,
+                               0x3f,0x3f,0xac,0x2b,0xc3,0x69,0x48,0x8f,0x76,0xb2,0x38,0x35,0x65,0xd3,0xff,0xf9,
+                               0x21,0xf9,0x66,0x4c,0x97,0x63,0x7d,0xa9,0x76,0x88,0x12,0xf6,0x15,0xc6,0x8b,0x13,
+                               0xb5,0x2e };
+      unsigned char xtag[] = { 0xc0,0x87,0x59,0x24,0xc1,0xc7,0x98,0x79,0x47,0xde,0xaf,0xd8,0x78,0x0a,0xcf,0x49 };
+      unsigned long xptlen = sizeof(xpt);
+
+      /* encrypt with incremental API */
+      if ((err = chacha20poly1305_init(&st1, xk, sizeof(xk))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_setiv(&st1, xi24, sizeof(xi24))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_add_aad(&st1, xaad, sizeof(xaad))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_encrypt(&st1, xpt, xptlen, ct)) != CRYPT_OK) return err;
+      len = sizeof(emac);
+      if ((err = chacha20poly1305_done(&st1, emac, &len)) != CRYPT_OK) return err;
+
+      if (ltc_compare_testvector(ct, xptlen, xenc, sizeof(xenc), "XCHACHA20POLY1305-ENC-CT", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+      if (ltc_compare_testvector(emac, len, xtag, sizeof(xtag), "XCHACHA20POLY1305-ENC-TAG", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+      /* decrypt with incremental API */
+      if ((err = chacha20poly1305_init(&st2, xk, sizeof(xk))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_setiv(&st2, xi24, sizeof(xi24))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_add_aad(&st2, xaad, sizeof(xaad))) != CRYPT_OK) return err;
+      if ((err = chacha20poly1305_decrypt(&st2, ct, xptlen, pt)) != CRYPT_OK) return err;
+      len = sizeof(dmac);
+      if ((err = chacha20poly1305_done(&st2, dmac, &len)) != CRYPT_OK) return err;
+
+      if (ltc_compare_testvector(pt, xptlen, xpt, xptlen, "XCHACHA20POLY1305-DEC-PT", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
+      if (ltc_compare_testvector(dmac, len, xtag, sizeof(xtag), "XCHACHA20POLY1305-DEC-TAG", 4) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+      /* chacha20poly1305_memory - encrypt with 24-byte IV */
+      len = sizeof(emac);
+      if ((err = chacha20poly1305_memory(xk, sizeof(xk), xi24, sizeof(xi24), xaad, sizeof(xaad), xpt,
+                                         xptlen, ct, emac, &len, CHACHA20POLY1305_ENCRYPT)) != CRYPT_OK) return err;
+      if (ltc_compare_testvector(ct, xptlen, xenc, sizeof(xenc), "XCHACHA20POLY1305-MEM-CT", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+      if (ltc_compare_testvector(emac, len, xtag, sizeof(xtag), "XCHACHA20POLY1305-MEM-TAG", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+      /* chacha20poly1305_memory - decrypt with 24-byte IV */
+      len = sizeof(dmac);
+      XMEMCPY(dmac, xtag, sizeof(xtag));
+      if ((err = chacha20poly1305_memory(xk, sizeof(xk), xi24, sizeof(xi24), xaad, sizeof(xaad),
+                                         ct, xptlen, pt, dmac, &len, CHACHA20POLY1305_DECRYPT)) != CRYPT_OK) return err;
+      if (ltc_compare_testvector(pt, xptlen, xpt, xptlen, "XCHACHA20POLY1305-MEM-PT", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
+   }
+#endif
+
    return CRYPT_OK;
 #endif
 }

src/headers/tomcrypt_cipher.h

@@ -1056,6 +1056,22 @@ int chacha_memory(const unsigned char *key,    unsigned long keylen,  unsigned l
 
 #endif /* LTC_CHACHA */
 
+#ifdef LTC_XCHACHA20
+
+int xchacha20_hchacha20(unsigned char *out,  unsigned long outlen,
+                        const unsigned char *key, unsigned long keylen,
+                        const unsigned char *in,  unsigned long inlen,
+                        int rounds);
+int xchacha20_setup(chacha_state *st, const unsigned char *key,   unsigned long keylen,
+                                      const unsigned char *nonce, unsigned long noncelen,
+                                      int rounds);
+int xchacha20_test(void);
+int xchacha20_memory(const unsigned char *key,    unsigned long keylen,   unsigned long rounds,
+                     const unsigned char *nonce,  unsigned long noncelen,
+                     const unsigned char *datain, unsigned long datalen,  unsigned char *dataout);
+
+#endif /* LTC_XCHACHA20 */
+
 #ifdef LTC_SALSA20
 
 typedef struct {

src/headers/tomcrypt_custom.h

@@ -218,6 +218,7 @@
 
 /* stream ciphers */
 #define LTC_CHACHA
+#define LTC_XCHACHA20
 #define LTC_SALSA20
 #define LTC_XSALSA20
 #define LTC_SOSEMANUK
@@ -705,6 +706,10 @@
    #error LTC_CHACHA20_PRNG requires LTC_CHACHA
 #endif
 
+#if defined(LTC_XCHACHA20) && !defined(LTC_CHACHA)
+   #error LTC_XCHACHA20 requires LTC_CHACHA
+#endif
+
 #if defined(LTC_XSALSA20) && !defined(LTC_SALSA20)
    #error LTC_XSALSA20 requires LTC_SALSA20
 #endif

src/misc/crypt/crypt.c

@@ -134,6 +134,9 @@ const char *crypt_build_settings =
 #if defined(LTC_CHACHA)
    "   ChaCha\n"
 #endif
+#if defined(LTC_XCHACHA20)
+   "   XChaCha20\n"
+#endif
 #if defined(LTC_SALSA20)
    "   Salsa20\n"
 #endif