Lack of poly1305 certification in chacha20-poly1305 BUILT_IN implementation #2918

Open
@He-Jingkai

Hi! I found that in the BUILT_IN implementation of chacha20-poly1305, there is no operation for poly1305 authentication; instead, it directly uses the chacha20 algorithm for decryption. This could lead to a failure to detect if the ciphertext has been tampered with by an attacker.

mongoose/src/tls_chacha20.c

Lines 1327 to 1339 in c00962e

```c
PORTABLE_8439_DECL size_t mg_chacha20_poly1305_decrypt(
    uint8_t *restrict plain_text, const uint8_t key[RFC_8439_KEY_SIZE],
    const uint8_t nonce[RFC_8439_NONCE_SIZE],
    const uint8_t *restrict cipher_text, size_t cipher_text_size) {
  // first we calculate the mac and see if it lines up, only then do we decrypt
  size_t actual_size = cipher_text_size - RFC_8439_TAG_SIZE;
  if (OVERLAPPING(plain_text, actual_size, cipher_text, cipher_text_size)) {
    return (size_t) -1;
  }
  chacha20_xor_stream(plain_text, cipher_text, actual_size, key, nonce, 1);
  return actual_size;
}
```
