When attempting to decrypt and verify a ciphertext / auth tag pair using the chacha20_poly1305 cipher, the value of the auth tag is not consulted, and thus the message is not authenticated (even though it is decrypted properly).
1. Encrypt <<1,2,3>> using all-zero key and IV:
2. At first glance, decryption works as expected:
3. However, if the auth tag is changed to anything (all zeroes in this example), the call comes back without error:
One would expect that to return error since the auth tag does not match.
Note that other AEAD ciphers (aes_128_ccm for example) work as expected, with an invalid auth tag returning error:
(Examples above run on Erlang 22.1.4 linked against OpenSSL 1.1.1d, on macOS 10.14.6.)
From what I've been able to find in OpenSSL documentation (see , ), tag verification with the chacha20_poly1305 cipher is similar in structure to CCM ciphers, which Erlang's aead_cipher function cases out at crypto/aead.c:112-118. I think that the enclosing condition should be revised to cipherp->flags & (CCM_MODE | CHACHA_MODE) (and a corresponding flag added to the cipher definition in crypto/c_src/cipher.c:99), but since my momma always told me not to roll my own crypto I'm not about to try and solve this on my own without taking guidance from someone more learned in crypto than myself. If such a someone could vet this approach, I'm happy to submit a patch.
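A regression check for the behaviour described in this report, as an added example that is not part of the original report or of OTP's own test suite. It assumes `crypto:crypto_one_time_aead/7` (OTP 22.0 and later) is the entry point under test; the module name, the `params/1` table and the result atoms are hypothetical, and the key, IV and plaintext are the all-zero/`<<1,2,3>>` values from the steps above.

```erlang
-module(aead_tag_check).
-export([check/1, check_all/0]).

%% {KeyBytes, IvBytes, TagBytes} per cipher under test (constructed values).
params(chacha20_poly1305) -> {32, 12, 16};
params(aes_128_gcm)       -> {16, 12, 16};
params(aes_128_ccm)       -> {16, 12, 16}.

%% Returns tag_enforced if every tampered input is rejected with `error`,
%% or {tag_ignored, Labels} naming the tampered inputs that were accepted.
check(Cipher) ->
    {K, I, T} = params(Cipher),
    Key = <<0:(K*8)>>, IV = <<0:(I*8)>>, AAD = <<>>,
    Plain = <<1,2,3>>,
    {CT, Tag} = crypto:crypto_one_time_aead(Cipher, Key, IV, Plain, AAD, T, true),
    %% Sanity check: the genuine tag must decrypt to the original plaintext.
    Plain = crypto:crypto_one_time_aead(Cipher, Key, IV, CT, AAD, Tag, false),
    <<B, TagRest/binary>> = Tag,
    <<C, CtRest/binary>> = CT,
    Cases = [{zero_tag,        CT, <<0:(T*8)>>},
             {bit_flipped_tag, CT, <<(B bxor 1), TagRest/binary>>},
             {bit_flipped_ct,  <<(C bxor 1), CtRest/binary>>, Tag}],
    %% Anything other than `error` means unauthenticated data was released.
    Accepted = [Label || {Label, CT1, Tag1} <- Cases,
                crypto:crypto_one_time_aead(Cipher, Key, IV, CT1, AAD,
                                            Tag1, false) =/= error],
    case Accepted of
        [] -> tag_enforced;
        _  -> {tag_ignored, Accepted}
    end.

%% Runs the check for each listed cipher that this crypto build supports.
check_all() ->
    Supported = proplists:get_value(ciphers, crypto:supports(), []),
    [{C, check(C)} || C <- [chacha20_poly1305, aes_128_gcm, aes_128_ccm],
                      lists:member(C, Supported)].
```

Compile the module and call `aead_tag_check:check_all()` in the shell; a runtime whose chacha20_poly1305 decryption does not consult the tag shows `{tag_ignored, ...}` for that cipher.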