Different values of "tag" in cifra and libsodium for the same function

[monicaphalswal]

I am using void cf_chacha20poly1305_encrypt(const uint8_t key[32], const uint8_t nonce[12], const uint8_t *header, size_t nheader, const uint8_t *plaintext, size_t nbytes, uint8_t *ciphertext, uint8_t tag[16]) from cifra and
int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); from libsodium. Both of them are suppossed to produce the same ciphertext which they are doing but the tag is coming out to be different. I am not able to understand why this is happening. Please help.

[MalteJ]

same problem here

[ctz]

Could you post some code or test vectors?

I just tried:

key: 6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e
nonce: 6e6f6e63652e6e6f6e63652e
aad: 616164
msg: 6d657373616765
cipher: 5d9c0a9fe7d5e5
tag: 2824af504fdce6e85fc9d80c7c2a9f38

And both libsodium/cifra agree. Cifra also passes the known answer tests in the RFC (though it's possible those are poorly designed and not exhaustive).

[ctz]

Actually, the test vectors from the RFC don't cover |aad| == 0, and cifra gets this case wrong. Fix incoming.

[ctz]

Fixed in b6cdf9f. Sorry for the inconvenience and thanks for the report.

[MalteJ]

Great!
Thank you! :)