/** @var string The first block of the chacha20 keystream, used as a poly1305 key */
$block0 = ParagonIE_Sodium_Core32_ChaCha20::
stream( 32,
$nonce,
$key );
/* Recalculate the Poly1305 authentication tag (MAC): */
$state =
new ParagonIE_Sodium_Core32_Poly1305_State($block0);
try { ParagonIE_Sodium_Compat::
memzero($block0);
} catch (SodiumException
$ex) { $block0 = null;
} $state->
update($ad);
$state->
update(ParagonIE_Sodium_Core32_Util::
store64_le($adlen));
$state->
update($ciphertext);
$state->
update(ParagonIE_Sodium_Core32_Util::
store64_le($clen));
$computed_mac =
$state->
finish();
/* Compare the given MAC with the recalculated MAC: */
if (!ParagonIE_Sodium_Core32_Util::
verify_16($computed_mac,
$mac)) {