Hi! I found that in the BUILT_IN implementation of chacha20-poly1305, there is no operation for poly1305 authentication; instead, it directly uses the chacha20 algorithm for decryption. This could lead to a failure to detect if the ciphertext has been tampered with by an attacker.
```c
PORTABLE_8439_DECL size_t mg_chacha20_poly1305_decrypt(
    uint8_t *restrict plain_text, const uint8_t key[RFC_8439_KEY_SIZE],
    const uint8_t nonce[RFC_8439_NONCE_SIZE],
    const uint8_t *restrict cipher_text, size_t cipher_text_size) {
  // first we calculate the mac and see if it lines up, only then do we decrypt
  size_t actual_size = cipher_text_size - RFC_8439_TAG_SIZE;
  if (OVERLAPPING(plain_text, actual_size, cipher_text, cipher_text_size)) {
    return (size_t) -1;
  }

  chacha20_xor_stream(plain_text, cipher_text, actual_size, key, nonce, 1);
  return actual_size;
}
```
mongoose/src/tls_chacha20.c
Lines 1327 to 1339 in c00962e
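The step the quoted function skips, as an added example (my own code, not Mongoose's): recompute the Poly1305 tag over the received ciphertext and compare it in constant time before running the ChaCha20 keystream. The Poly1305 one-time key is taken as a given input here (in the real AEAD it is derived from ChaCha20 block 0); the key, AAD and ciphertext in the demo are constructed sample values, and `check_tag_before_decrypt` is a hypothetical helper name.

```python
import hmac
import struct

# Poly1305 one-time authenticator (RFC 8439 section 2.5), pure Python.
def poly1305_mac(otk: bytes, msg: bytes) -> bytes:
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp(r)
    s = int.from_bytes(otk[16:32], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # a 0x01 byte is appended to each (possibly short) block before it is added
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b: bytes) -> bytes:
    return b"\x00" * (-len(b) % 16)

# Data the AEAD tag covers (RFC 8439 section 2.8): AAD and ciphertext, each
# zero-padded to a 16-byte boundary, then both lengths as 64-bit little-endian.
def aead_mac_input(aad: bytes, ciphertext: bytes) -> bytes:
    return (aad + _pad16(aad) + ciphertext + _pad16(ciphertext)
            + struct.pack("<QQ", len(aad), len(ciphertext)))

def aead_tag(otk: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    return poly1305_mac(otk, aead_mac_input(aad, ciphertext))

# The check the reported decrypt path is missing: verify the trailing 16-byte
# tag (constant-time compare) and refuse to decrypt on mismatch. Returns the
# bare ciphertext that may then be XORed with the ChaCha20 keystream, or None.
def check_tag_before_decrypt(otk: bytes, aad: bytes, ct_with_tag: bytes):
    if len(ct_with_tag) < 16:
        return None                      # cannot even hold a tag
    ciphertext, tag = ct_with_tag[:-16], ct_with_tag[-16:]
    if not hmac.compare_digest(aead_tag(otk, aad, ciphertext), tag):
        return None                      # tampered, truncated, or wrong key
    return ciphertext

if __name__ == "__main__":
    # constructed sample values: the RFC 8439 2.5.2 Poly1305 key reused as the one-time key
    otk = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
    aad, ct = b"record-header", bytes(range(40))
    good = ct + aead_tag(otk, aad, ct)
    bad = bytes([good[0] ^ 0x01]) + good[1:]          # one flipped ciphertext byte
    print("intact  :", check_tag_before_decrypt(otk, aad, good) == ct)   # True
    print("tampered:", check_tag_before_decrypt(otk, aad, bad) is None)  # True
```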