Topic: Unexpected behaviour with wrong authentication tag AES CGM

When the authentication tag made with wc_AesGcmEncrypt is different when trying to decrypt with wc_AesGcmDecryp I expect some kind of error result.


In aes.c function wc_AesGcmDecrypt with WOLFSSL_STM32_CUBEMX define:

 if (ret == 0 && ConstantCompare(authTag, tag, authTagSz) == 0) {
        /* Only keep the decrypted data if authTag success. */
        XMEMCPY(out, inPadded, sz);
        ret = 0; /* success */
    }

If the result of ConstantCompare is not zero ret will still be zero. I expect that ret will be negative because the given auth tag does not match with the calculated one in the decrypt function. The data is successfully decrypted but the additional data could be compromised.

Share

Re: Unexpected behaviour with wrong authentication tag AES CGM

Hi leroyk2,

We have a fix pushed for this here:
https://github.com/wolfSSL/wolfssl/pull/1505

Specifically this line:
https://github.com/wolfSSL/wolfssl/pull … d4937R8575

You may find some of the other improvements in that PR useful as well for the STM32 with CubeMX.

Thanks,
David Garske, wolfSSL

Share