diff --git a/ChangeLog b/ChangeLog
index 22a26b2ed8c72444b774de427c075cd3ab65e26f..0c454a7e3519602c9cdb43ca1bae8901beac1f4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@
 2014-02-12  Niels Möller  <nisse@lysator.liu.se>
 
+	* chacha-poly1305.h: New file.
+	* chacha-poly1305.c: New file.
+	* chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new
+	aead algorithm.
+	* nettle-meta.h (nettle_chacha_poly1305): Declare.
+
+	* Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and
+	chacha-poly1305-meta.c.
+	(HEADERS): Added chacha-poly1305.h.
+
+	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
+	chacha-poly1305-test.c.
+	* testsuite/chacha-poly1305-test.c: New file.
+
 	* nettle-meta.h (struct nettle_aead): New generalized version
 	if this struct.
 	(nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256)
diff --git a/Makefile.in b/Makefile.in
index f5319c1bccdc916dce7dc6dfdb9cf865511b31ef..dbb07aa6a389a5d4827d30cb10dad4d418bf65ea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -88,6 +88,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 		 camellia256-meta.c \
 		 cast128.c cast128-meta.c cbc.c \
 		 chacha-crypt.c chacha-core-internal.c \
+		 chacha-poly1305.c chacha-poly1305-meta.c \
 		 chacha-set-key.c chacha-set-nonce.c \
 		 chacha128-set-key.c chacha256-set-key.c \
 		 ctr.c des.c des3.c des-compat.c eax.c \
@@ -164,7 +165,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 
 HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
 	  base16.h base64.h buffer.h camellia.h cast128.h \
-	  cbc.h chacha.h ctr.h \
+	  cbc.h chacha.h chacha-poly1305.h ctr.h \
 	  des.h des-compat.h dsa.h eax.h ecc-curve.h ecc.h ecdsa.h \
 	  gcm.h gosthash94.h hmac.h \
 	  knuth-lfib.h \
diff --git a/chacha-poly1305-meta.c b/chacha-poly1305-meta.c
new file mode 100644
index 0000000000000000000000000000000000000000..8b46d5b90f9f4dec7665c87eb0a4dc042332a08a
--- /dev/null
+++ b/chacha-poly1305-meta.c
@@ -0,0 +1,44 @@
+/* chacha-poly1305-meta.c */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "nettle-meta.h"
+
+#include "chacha-poly1305.h"
+
+const struct nettle_aead nettle_chacha_poly1305 =
+  { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx),
+    CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE,
+    CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE,
+    (nettle_set_key_func *) chacha_poly1305_set_key,
+    (nettle_set_key_func *) chacha_poly1305_set_key,
+    (nettle_set_key_func *) chacha_poly1305_set_nonce,
+    (nettle_hash_update_func *) chacha_poly1305_update,
+    (nettle_crypt_func *) chacha_poly1305_encrypt,
+    (nettle_crypt_func *) chacha_poly1305_decrypt,
+    (nettle_hash_digest_func *) chacha_poly1305_digest,
+  };
diff --git a/chacha-poly1305.c b/chacha-poly1305.c
new file mode 100644
index 0000000000000000000000000000000000000000..a5d683fa4b1cfca689c5d91e70eac5d28a0147f6
--- /dev/null
+++ b/chacha-poly1305.c
@@ -0,0 +1,152 @@
+/* chacha-poly1305.h
+ *
+ * AEAD mechanism based on chacha and poly1305.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <string.h>
+
+#include "chacha-poly1305.h"
+
+#include "macros.h"
+
+#define CHACHA_ROUNDS 20
+
+void
+chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
+			 const uint8_t *key)
+{
+  chacha256_set_key (&ctx->chacha, key);
+}
+
+void
+chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
+			   const uint8_t *nonce)
+{
+  union {
+    uint32_t x[_CHACHA_STATE_LENGTH];
+    uint8_t subkey[32];
+  } u;
+
+  chacha_set_nonce (&ctx->chacha, nonce);
+  /* Generate authentication key */
+  _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS);
+  poly1305_set_key (&ctx->poly1305, u.subkey);  
+  /* For final poly1305 processing */
+  memcpy (ctx->s.b, u.subkey + 16, 16);
+  /* Increment block count */
+  ctx->chacha.state[12] = 1;
+
+  ctx->auth_size = ctx->data_size = ctx->index = 0;
+}
+
+/* FIXME: Duplicated in poly1305-aes128.c */
+#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1)
+
+static void
+poly1305_update (struct chacha_poly1305_ctx *ctx,
+		 size_t length, const uint8_t *data)
+{
+  MD_UPDATE (ctx, length, data, COMPRESS, (void) 0);
+}
+
+void
+chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
+			size_t length, const uint8_t *data)
+{
+  assert (ctx->data_size == 0);  
+  poly1305_update (ctx, length, data);
+  ctx->auth_size += length;
+}
+
+
+void
+chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src)
+{
+  if (!length)
+    return;
+
+  assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
+  if (!ctx->data_size)
+    {
+      uint8_t buf[8];
+      LE_WRITE_UINT64 (buf, ctx->auth_size);
+      poly1305_update (ctx, sizeof(buf), buf);
+    }
+  chacha_crypt (&ctx->chacha, length, dst, src);
+  poly1305_update (ctx, length, dst);
+  ctx->data_size += length;
+}
+			 
+void
+chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src)
+{
+  if (!length)
+    return;
+
+  assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
+  if (!ctx->data_size)
+    {
+      uint8_t buf[8];
+      LE_WRITE_UINT64 (buf, ctx->auth_size);
+      poly1305_update (ctx, sizeof(buf), buf);
+    }
+  poly1305_update (ctx, length, src);
+  chacha_crypt (&ctx->chacha, length, dst, src);
+  ctx->data_size += length;
+}
+			 
+void
+chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
+			size_t length, uint8_t *digest)
+{
+  uint8_t buf[8];
+  if (!ctx->data_size)
+    {
+      LE_WRITE_UINT64 (buf, ctx->auth_size);
+      poly1305_update (ctx, sizeof(buf), buf);
+    }
+  LE_WRITE_UINT64 (buf, ctx->data_size);
+  poly1305_update (ctx, sizeof(buf), buf);
+
+  /* Final bytes. FIXME: Duplicated in poly1305_aes128.c */
+  if (ctx->index > 0)
+    {
+      assert (ctx->index < POLY1305_BLOCK_SIZE);
+
+      ctx->block[ctx->index] = 1;
+      memset (ctx->block + ctx->index + 1,
+	      0, POLY1305_BLOCK_SIZE - 1 - ctx->index);
+
+      _poly1305_block (&ctx->poly1305, ctx->block, 0);
+    }
+  
+  poly1305_digest (&ctx->poly1305, &ctx->s);
+  memcpy (digest, &ctx->s.b, length);
+}
diff --git a/chacha-poly1305.h b/chacha-poly1305.h
new file mode 100644
index 0000000000000000000000000000000000000000..ffdfd497133136f8b2aca1fca8f41017ade2868e
--- /dev/null
+++ b/chacha-poly1305.h
@@ -0,0 +1,90 @@
+/* chacha-poly1305.h
+ *
+ * AEAD mechanism based on chacha and poly1305.
+ * See draft-agl-tls-chacha20poly1305-04.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED
+#define NETTLE_CHACHA_POLY1305_H_INCLUDED
+
+#include "chacha.h"
+#include "poly1305.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define chacha_poly1305_set_key nettle_chacha_poly1305_set_key
+#define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce
+#define chacha_poly1305_update nettle_chacha_poly1305_update
+#define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt
+#define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt
+#define chacha_poly1305_digest nettle_chacha_poly1305_digest
+
+#define CHACHA_POLY1305_BLOCK_SIZE 64
+/* FIXME: Any need for 128-bit variant? */
+#define CHACHA_POLY1305_KEY_SIZE 32
+#define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE_SIZE
+#define CHACHA_POLY1305_DIGEST_SIZE 16
+
+struct chacha_poly1305_ctx
+{
+  struct chacha_ctx chacha;
+  struct poly1305_ctx poly1305;
+  union nettle_block16 s;
+  uint64_t auth_size;
+  uint64_t data_size;
+  /* poly1305 block */
+  uint8_t block[POLY1305_BLOCK_SIZE];
+  unsigned index;
+};
+
+void
+chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
+			 const uint8_t *key);
+void
+chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
+			   const uint8_t *nonce);
+
+void
+chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
+			size_t length, const uint8_t *data);
+
+void
+chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src);
+			 
+void
+chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src);
+			 
+void
+chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
+			size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */
diff --git a/nettle-meta.h b/nettle-meta.h
index 67e75172a26af4df6c3fdc8f8048ca9f0732aad3..f167b54e7ab250ab11cde787c2ee5847841d4a93 100644
--- a/nettle-meta.h
+++ b/nettle-meta.h
@@ -150,6 +150,7 @@ struct nettle_aead
 extern const struct nettle_aead nettle_gcm_aes128;
 extern const struct nettle_aead nettle_gcm_aes192;
 extern const struct nettle_aead nettle_gcm_aes256;
+extern const struct nettle_aead nettle_chacha_poly1305;
 
 struct nettle_armor
 {
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index ccd8e5a9871e590f0a89daed18615f79ec1c6fb5..43079ecb1e77722bfb319f78ba26534b1090a601 100644
--- a/testsuite/.test-rules.make
+++ b/testsuite/.test-rules.make
@@ -112,6 +112,9 @@ eax-test$(EXEEXT): eax-test.$(OBJEXT)
 poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT)
 	$(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT)
 
+chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT)
+	$(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT)
+
 hmac-test$(EXEEXT): hmac-test.$(OBJEXT)
 	$(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT)
 
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 8860ba5cd5e72a5abdfc2e1ef804e92a26e5f81b..d59a2cba858914824e40337a2cc924a878a83097 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -26,7 +26,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
 		    serpent-test.c twofish-test.c \
 		    knuth-lfib-test.c \
 		    cbc-test.c ctr-test.c gcm-test.c eax-test.c \
-		    poly1305-test.c \
+		    poly1305-test.c chacha-poly1305-test.c \
 		    hmac-test.c umac-test.c \
 		    meta-hash-test.c meta-cipher-test.c meta-armor-test.c \
 		    buffer-test.c yarrow-test.c pbkdf2-test.c
diff --git a/testsuite/chacha-poly1305-test.c b/testsuite/chacha-poly1305-test.c
new file mode 100644
index 0000000000000000000000000000000000000000..2f320f329d434faea54e25d8c8ebd4f101a65cb1
--- /dev/null
+++ b/testsuite/chacha-poly1305-test.c
@@ -0,0 +1,16 @@
+#include "testutils.h"
+#include "nettle-internal.h"
+
+void
+test_main(void)
+{
+  /* From draft-agl-tls-chacha20poly1305-04 */
+  test_aead (&nettle_chacha_poly1305, NULL,
+	     SHEX("4290bcb154173531f314af57f3be3b50"
+		  "06da371ece272afa1b5dbdd1100a1007"),	/* key */
+	     SHEX("87e229d4500845a079c0"),		/* auth data */
+	     SHEX("86d09974840bded2a5ca"),		/* plain text */
+	     SHEX("e3e446f7ede9a19b62a4"),		/* ciphertext */
+	     SHEX("cd7cf67be39c794a"),			/* nonce */
+	     SHEX("677dabf4e3d24b876bb284753896e1d6"));	/* tag */
+}