Dear mbed TLS team,

We used the mbedtls_gcm_self_test function from mbed TLS version 3.6.1, located in the mbedtls\library\gcm.c file. When key_len is 128 and pt_len_test_data is 16, the mbedtls_gcm_crypt_and_tag function returns a result of 0, but the computed tag does not match the expected tag.

Has anybody encountered the same issue in mbed TLS version 3.6.1?

Best regards,
Elva Huang
From: "Elva Huang"<elva.huang@robosense.cn>
Date: Thu, Jan 23, 2025, 19:52
Subject: Use mbedtls_gcm_auth_decrypt get wrong tag
Dear mbed TLS team,
Recently, while debugging my code, I encountered an issue when using the AES-GCM algorithm. I found that when calling the mbedtls_gcm_auth_decrypt interface in version 3.6.1, the calculated tag consistently does not match the input tag. However, when using the same interface in version 2.28.2, the tag is successfully calculated as expected. Below is the demo code we are using:

tstSecKeyList g_stPreInterKey = 
{   .u8KeyNum = 5U,
    .u8IsUse = 1U,
    .u16KeyLen = 16U,
    .u16IVLen = 12U,
    .u16AddLen = 16U,
    .enuSecType = SEC_AES_GCM,
    .au8Key =
    {
        0x68U, 0xffU, 0xb7U, 0xffU, 0x5eU, 0xffU, 0x10U, 0xffU, 0x9eU, 0xffU, 0xb8U, 0xffU, 0x01U, 0xffU, 
        0xb9U, 0xffU, 0xa0U, 0xffU, 0x1cU, 0xffU, 0xdfU, 0xffU, 0x0aU, 0xffU, 0xe6U, 0xffU, 0xc8U, 0xffU, 
        0xc5U, 0xffU, 0x39U, 0xffU
    },
    .au8Iv =
    {
        0x3, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x0, 0x1, 0x2, 0x3
    },
    .au8Add =
    {
        0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
    },
    /* .u16AddLen is initialised twice; this later value (0) wins, so no AAD is passed to GCM */
    .u16AddLen = 0,
};

static uint8_t s_au8SecMemoryBuffer[6*1024];
mbedtls_gcm_context aesGcmContext;
/* inParam0 = 434421d30c9abf31b96d2d28d00b5cb4e6fe84033999d53d3a50674b3aedd81f (ciphertext || tag) */
uint8_t *pau8EncryptedPlain = inParam0;
uint8_t *pau8AesTag = inParam0 + 16;  /* e6fe84033999d53d3a50674b3aedd81f */
uint8_t u8EncryptedPlainLen = 16;
uint8_t u8AesTagKeyLen = 16;

mbedtls_gcm_init(&aesGcmContext);
mbedtls_memory_buffer_alloc_init(s_au8SecMemoryBuffer, 6*1024);
vidPreInterKeyget(g_stPreInterKey.au8Key, au8preInterKey);
mbedtls_gcm_setkey(&aesGcmContext, MBEDTLS_CIPHER_ID_AES, au8preInterKey, 16*8);
s32Ret = mbedtls_gcm_auth_decrypt(&aesGcmContext, u8EncryptedPlainLen, g_stPreInterKey.au8Iv,
                     g_stPreInterKey.u16IVLen, g_stPreInterKey.au8Add, g_stPreInterKey.u16AddLen,
                     pau8AesTag, u8AesTagKeyLen, pau8EncryptedPlain, s_au8DecryptKey);

Best regards,
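An independent GHASH cross-check, as an added example that is not part of this thread or of mbed TLS's own code: it recomputes T = GHASH_H(A, C) XOR E_K(J0) from the public GCM spec test vectors (key and IV all zero) that the gcm.c self-test also uses, so a failing tag can be attributed either to the AES core (H or E_K(J0) wrong) or to the GHASH/tag path. H and E_K(J0) are taken from the spec rather than computed, so no AES implementation is needed.

```python
# Added example, not from the thread or from mbed TLS: pure-Python GHASH per
# NIST SP 800-38D, used to cross-check a GCM tag against known-answer vectors.

R = 0xE1 << 120  # GF(2^128) reduction constant in GCM's bit-reflected form

def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:          # bit i of y, bit 0 being the leftmost
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def _pad16(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 16)

def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H over padded AAD || padded ciphertext || 64-bit bit lengths."""
    hi = int.from_bytes(h, "big")
    data = _pad16(aad) + _pad16(ciphertext)
    data += (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], "big"), hi)
    return y.to_bytes(16, "big")

def gcm_tag(h: bytes, e_k_j0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Tag given H = E_K(0^128) and E_K(J0), which any AES core can supply."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), e_k_j0))

# GCM spec test case 1 (empty plaintext, zero key, zero 96-bit IV):
# nothing is hashed, so T == E_K(J0).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
E_K_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
# Test case 2: 16 zero plaintext bytes under the same key and IV.
C2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
T2 = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")

def self_check() -> bool:
    """True when both spec vectors reproduce; a False here points at GHASH."""
    return (gcm_tag(H, E_K_J0, b"", b"") == E_K_J0
            and gcm_tag(H, E_K_J0, b"", C2) == T2)

if __name__ == "__main__":
    print("GHASH cross-check:", "ok" if self_check() else "MISMATCH")
```

If this check passes but the library's tag for the same vector does not, the AES block outputs (H, E_K(J0), the CTR keystream) are the next thing to compare, which is where an alternative or hardware AES implementation would show up.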