Closed LoupVaillant closed 2 years ago
This is voluntary.
crypto_aead_chacha20poly1305
predates the RFC. It was originally called secretbox_chacha20poly1305
, and was later renamed crypto_aead_chacha20poly1305
.
The RFC doesn't cover the DJB variant, so crypto_aead_chacha20poly1305
is not meant to be compatible with anything but by how it was originally implemented.
Hi,
I was trying to use
crypto_aead_chacha20poly1305_encrypt_detached()
crypto_aead_chacha20poly1305_ietf_encrypt_detached()
, andcrypto_aead_xchacha20poly1305_ietf_encrypt_detached()
, to generate various test vectors, and I noticed an inconsistency in the way they handle the authentication tag: while the latter two follow RFC 8439 to the letter, the first one omits the padding from the authentication step.This discrepancy does not look voluntary. It may have been caused by a copy pasta fumble.
When removing everything except the authentication code, here's what we get for the original chacha20:
No padding there. The other two functions however authenticate the padding, just like RFC 8439:
I see three way this could be fixed: