On Sun, Dec 13, 2020 at 03:39:29PM +0100, Ard Biesheuvel wrote:
> This violates the skcipher API, which requires that the output IV is suitable
> for handling more input as long as the preceding input has been presented in
> round multiples of the block size.

This part doesn't seem to be true, since the chacha implementations don't
implement the "output IV" thing. It's only cbc and ctr that do (or at least
those are the only algorithms it's tested for).

- Eric