
Reputation: 1

MbedTLS GCM Decryption Error

I have the C program below that tries to use the MbedTLS AES GCM functions to encrypt and decrypt. The encryption is running well but the decryption is abending with rc = -25344 (-0x6300) in mbedtls_cipher_check_tag(). The mbedtls_strerror returns "Last error was: -0x6300 - CIPHER - Authentication failed (for AEAD modes)" for that return code.

Although the documentation says to put it after the mbedtls_cipher_finish(), I've tried to change the function's place (as indicated in the code) without sucess.

What am I doing wrong, any idea ?? Any help is very valuable.

Thanks in advance

Here the code:

 //# AES 128 GCM - MbedTLS

 #include <mbedtls/cipher.h>
 #include <mbedtls/gcm.h>

 #include <stdio.h>
 #include <string.h>
 #include <errno.h>

 #include "etss.h"

 #define PLAIN_SIZE 1024
 #define CRYPT_SIZE 1032

 key128 k;
 iv16   iv;
 aad16  aad;
 tag16  tag;

 int Decrypta (FILE * fInput, FILE * fOutput) 
    int conta = 0, rc = 0;
     int nBytesWorked = 0, nGCMfinal = 0;
     int nBytesRead = 0, nBytesWritten = 0;
     int cIn = 0, cOut = 0, cWorked = 0;

     unsigned char sPureBuff[PLAIN_SIZE] __attribute__((aligned(16))), sCiphBuff[CRYPT_SIZE] __attribute__((aligned(16))); 
     unsigned char *pPureBuff __attribute__((aligned(16)));
     unsigned char *pCiphBuff __attribute__((aligned(16)));

     unsigned char *pTag =;

     pPureBuff = sPureBuff;
     pCiphBuff = sCiphBuff;

     mbedtls_cipher_context_t ctx;

     mbedtls_cipher_init (&ctx);

     rc = mbedtls_cipher_setup (&ctx, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, k.size*8, MBEDTLS_MODE_GCM));

     if ( rc != 0 )
        printf ("Setup - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_setkey (&ctx,, k.size*8, MBEDTLS_DECRYPT);

     if ( rc != 0 )
        printf ("Set Key - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_set_iv (&ctx,, iv.size);

     if ( rc != 0 )
        printf ("Set IV - Context preparation error (rc = %d). \n", rc);
        return rc;

 // rc = mbedtls_cipher_check_tag (&ctx, pTag, (size_t) tag.size); 
 // if ( rc != 0 ) 
 // {
 //     printf ("Decryption - Error in check_tag() (rc=%d).\n",rc);
 //     return rc;
 // }

     rc = mbedtls_cipher_reset (&ctx);

     if ( rc != 0 )
        printf ("Reset - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_update_ad (&ctx,, aad.size);

     if ( rc != 0 )
        printf ("Set AAD - Context preparation error (rc = %d). \n", rc);
        return rc;

    memset(pCiphBuff, 0, CRYPT_SIZE);
    memset(pPureBuff, 0, PLAIN_SIZE);

    if ( (rc = ReadFile (fInput, &pCiphBuff, 1, CRYPT_SIZE, &nBytesRead)) )
        printf ("Decryption - Input file reading error (rc = %d). \n", rc);
        return rc;

    while ( nBytesRead > 0 )
        cIn += nBytesRead;

        nBytesWorked = 0;

         rc = mbedtls_cipher_update (&ctx, sCiphBuff, nBytesRead, sPureBuff, (size_t *) &nBytesWorked);

         if ( rc != 0 ) 
             printf ("Decryption - Error in DecryptUpdate() (rc = %d).\n", rc);
             return rc;

        cWorked += nBytesWorked;

        // Count decryptions

        if ( nBytesWorked != 0 )
            if ( (rc = WriteFile (fOutput, sPureBuff, 1, cWorked, &nBytesWritten)) )
                printf ("Decryption - Output file writing error (rc = %d).\n", rc);
                return rc;

            pPureBuff = sPureBuff;
            memset(pPureBuff, 0, PLAIN_SIZE);

            cOut += nBytesWritten;

            cWorked = 0;

        if ( (rc = ReadFile (fInput, &pCiphBuff, 1, CRYPT_SIZE, &nBytesRead)) )
            printf ("Decryption - Input file reading error (rc = %d). \n", rc);
            return rc;

 // rc = mbedtls_cipher_check_tag (&ctx, pTag, (size_t) tag.size); 
 // if ( rc != 0 ) 
 // {
 //     printf ("Decryption - Error in check_tag() (rc=%d).\n",rc);
 //     return rc;
 // }

    pPureBuff += cWorked;

     rc = mbedtls_cipher_finish (&ctx, pPureBuff, (size_t *) &nGCMfinal); 

    if ( rc != 0 ) 
        printf ("Decryption - Error in DecryptFinal() (rc=%d).\n",rc);
        return rc;

     // Count decryptions

    rc = mbedtls_cipher_check_tag (&ctx, pTag, (size_t) tag.size); 

    if ( rc != 0 ) 
        printf ("Decryption - Error in check_tag() (rc=%d).\n",rc);
        return rc;

    cWorked += nBytesWorked;

    if ( (rc = WriteFile (fOutput, sPureBuff, 1, cWorked, &nBytesWritten)) )
        printf ("Decryption - Output file writing error (rc = %d).\n", rc);
        return rc;

    cOut += nBytesWritten;

    printf("\tD %d cIn = %d cOut = %d\n\n", conta, cIn, cOut);

     mbedtls_cipher_free (&ctx);

     return 0;

 int Encrypta (FILE * fInput, FILE * fOutput) 
    int conta = 0, rc = 0;
     int nBytesWorked = 0, nGCMfinal = 0;
     int nBytesRead = 0, nBytesWritten = 0;
     int cIn = 0, cOut = 0, cWorked = 0;

     unsigned char sPureBuff[PLAIN_SIZE] __attribute__((aligned(16))), sCiphBuff[CRYPT_SIZE] __attribute__((aligned(16))); 
     unsigned char *pPureBuff __attribute__((aligned(16)));
     unsigned char *pCiphBuff __attribute__((aligned(16)));

     unsigned char *pTag =;

     pPureBuff = sPureBuff;
     pCiphBuff = sCiphBuff;

     mbedtls_cipher_context_t ctx;

     mbedtls_cipher_init (&ctx);

     rc = mbedtls_cipher_setup (&ctx, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, k.size*8, MBEDTLS_MODE_GCM));

     if ( rc != 0 )
        printf ("Setup - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_setkey (&ctx,, k.size*8, MBEDTLS_ENCRYPT);

     if ( rc != 0 )
        printf ("Set Key - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_set_iv (&ctx,, iv.size);

     if ( rc != 0 )
        printf ("Set IV - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_reset (&ctx);

     if ( rc != 0 )
        printf ("Reset - Context preparation error (rc = %d). \n", rc);
        return rc;

     rc = mbedtls_cipher_update_ad (&ctx,, aad.size);

     if ( rc != 0 )
        printf ("Set AAD - Context preparation error (rc = %d). \n", rc);
        return rc;

    memset(pPureBuff, 0, PLAIN_SIZE);
    memset(pCiphBuff, 0, CRYPT_SIZE);

    if ( (rc = ReadFile (fInput, &pPureBuff, 1, PLAIN_SIZE, &nBytesRead)) )
        printf ("Encryption - Input file reading error (rc = %d). \n", rc);
        return rc;

    while ( nBytesRead > 0 )
        cIn += nBytesRead;

        pCiphBuff += cWorked;

         rc = mbedtls_cipher_update (&ctx, sPureBuff, nBytesRead, sCiphBuff, (size_t *) &nBytesWorked);

         if ( rc != 0 ) 
             printf ("Encryption - Error in EncryptUpdate() (rc = %d).\n", rc);
             return rc;

        cWorked += nBytesWorked;

         // Count encryptions

        if ( nBytesWorked != 0 )
            if ( (rc = WriteFile (fOutput, sCiphBuff, 1, cWorked, &nBytesWritten)) )
                printf ("Encryption - Output file writing error (rc = %d).\n", rc);
                return rc;

            pCiphBuff = sCiphBuff;
            memset(pCiphBuff, 0, CRYPT_SIZE);

            cOut += nBytesWritten;

            cWorked = 0;

        if ( (rc = ReadFile (fInput, &pPureBuff, 1, PLAIN_SIZE, &nBytesRead)) )
            printf ("Encryption - Input file reading error (rc = %d). \n", rc);
            return rc;

    pCiphBuff += cWorked;

     rc = mbedtls_cipher_finish (&ctx, pCiphBuff, (size_t *) &nGCMfinal); 

    if ( rc != 0 ) 
        printf ("Encryption - Error in EncryptFinal() (rc=%d).\n",rc);
        return rc;

     // Count encryptions

    rc = mbedtls_cipher_write_tag (&ctx, pTag, (size_t) tag.size); 

    if ( rc != 0 ) 
        printf ("Encryption - Error in write_tag() (rc=%d).\n",rc);
        return rc;

    cWorked += nBytesWorked;

    if ( (rc = WriteFile (fOutput, sCiphBuff, 1, cWorked, &nBytesWritten)) )
        printf ("Encryption - Output file writing error (rc = %d).\n", rc);
        return rc;

    cOut += nBytesWritten;

    printf("\tE %d cIn = %d cOut = %d\n\n", conta, cIn, cOut);

     mbedtls_cipher_free (&ctx);

     return 0;

 int main (int argc, char *argv[]) 
    FILE *fPlain = NULL, *fEncrypt = NULL, *fDecrypt = NULL;

     k.size = 16;
    unsigned char inKey[16] = {0x9A, 0x59, 0x4E, 0xFA, 0x2C, 0x40, 0xBC, 0xC1, 0x2A, 0x05, 0x64, 0x43, 0xAC, 0x0C, 0xC1, 0xC2};

     iv.size = 16;
    unsigned char inIV[16] = {0x57, 0x1D, 0x32, 0xCE, 0x4F, 0x43, 0x17, 0x38, 0xE5, 0x52, 0x69, 0xE2, 0x18, 0xD1, 0x32, 0x09};

     aad.size = 16; tag.size = 16;
    unsigned char inAAD[16] = {0x9A, 0x1D, 0x4E, 0xCE, 0x2C, 0x43, 0xBC, 0x38, 0x2A, 0x52, 0x64, 0xE2, 0xAC, 0xD1, 0xC1, 0x09};

    strncpy((char *), (const char *) inKey, k.size);

    strncpy((char *), (const char *) inIV, iv.size);

    strncpy((char *), (const char *) inAAD, aad.size);

    int rc = 0;

     if ( (rc = OpenFile (&fPlain, argv[1], "r")) )
         printf ("GCM128-M - Open input plain text file %s error (rc = %d).\n", argv[1], rc);
        return rc;

     fEncrypt = fopen (argv[2], "wb+");
    rc = errno;
     if ( fEncrypt == NULL )
         printf ("GCM128-M - Open output encrypt text file %s error (rc = %d).\n", argv[2], rc);
        return rc;

    printf("\n>> Encrypting AES GCM 128 ...\n\n");
    Encrypta (fPlain, fEncrypt);


     fEncrypt = fopen (argv[2], "rb+");
    rc = errno;
     if ( fEncrypt == NULL )
         printf ("GCM128-M - Open input encrypt text file %s error (rc = %d).\n", argv[2], rc);
        return rc;

     if ( (rc = OpenFile (&fDecrypt, argv[3], "w")) )
         printf ("GCM128-M - Open output decrypt text file %s error (rc = %d).\n", argv[3], rc);
        return rc;

    printf("\n>> Decrypting AES GCM 128 ...\n\n");
    Decrypta (fEncrypt, fDecrypt);


     return 0;

The etss.h (asked by Gilles) is:

 #ifndef ETSS_H_
 #define ETSS_H_

 typedef struct st_key128 { 
    unsigned char data[16];
    int size;
 } key128;

 typedef struct st_key192 { 
    unsigned char data[24];
    int size;
 } key192;

 typedef struct st_key256 { 
    unsigned char data[32];
    int size;
 } key256;

 typedef struct st_iv8 { 
    unsigned char data[8];
    int size;
 } iv8;

 typedef struct st_iv16 { 
    unsigned char data[16];
    int size;
 } iv16;

 typedef struct st_iv32 { 
    unsigned char data[32];
    int size;
 } iv32;

 typedef struct st_aad8 { 
    unsigned char data[8];
    int size;
 } aad8;

 typedef struct st_aad16 { 
    unsigned char data[16];
    int size;
 } aad16;

 typedef struct st_aad32 { 
    unsigned char data[32];
    int size;
 } aad32;

 typedef struct st_tag8 { 
    unsigned char data[8];
    int size;
 } tag8;

 typedef struct st_tag16 { 
    unsigned char data[16];
    int size;
 } tag16;

 int InitKey128(key128 * key);
 int InitKey192(key192 * key);
 int InitKey256(key256 * key);
 int InitIV8(iv8 * iv);
 int InitIV16(iv16 * iv);
 int InitIV32(iv32 * iv);
 int InitAAD8(aad8 * iv);
 int InitAAD16(aad16 * iv);
 int InitAAD32(aad32 * iv);
 int InitTAG8(tag8 * iv);
 int InitTAG16(tag16 * iv);

 int SetKey128(key128 * key, char * keyValue);
 int SetKey192(key192 * key, char * keyValue);
 int SetKey256(key256 * key, char * keyValue);
 int SetIV8(iv8 * iv, char * ivValue);
 int SetIV16(iv16 * iv, char * ivValue);
 int SetIV32(iv32 * iv, char * ivValue);
 int SetAAD8(aad8 * aad, char * aadValue);
 int SetAAD16(aad16 * aad, char * aadValue);
 int SetAAD32(aad32 * aad, char * aadValue);
 int SetTAG8(tag8 * tag, char * tagValue);
 int SetTAG16(tag16 * tag, char * tagValue);

 int OpenFile(FILE ** handler, char * name, char * mode);

 int ReadFile(FILE * handler, unsigned char ** buffer, int regsize, int blocking, int * bytesread); 

 int WriteFile(FILE * handler, unsigned char * buffer, int regsize, int blocking, int * byteswritten);

 int CloseFile(FILE * handler);

 int DisplayChs(unsigned char * buffer, int size); 

 int PrintChs(FILE * handler, unsigned char * buffer, int size, int flag); // flag = 0 => don't DisplayChs

 int DisplayNibbles(unsigned char * buffer, int size); 

 int DisplayHex(unsigned char * buffer, int size); 

 int PrintHex(FILE * handler, unsigned char * buffer, int size, int flag); // flag = 0 => don't DisplayHex

 int Generate_Key128 (key128 *k) ;

 int Generate_Key192 (key192 *k) ;

 int Generate_Key256 (key256 *k) ;

 int Generate_Nonce8 (iv8 *iv) ;

 int Generate_Nonce16 (iv16 *iv) ;

 int Generate_Nonce32 (iv32 *iv) ;

 #endif /* ETSS_H_ */

Notice that the hexcodes are not generate here, just manually set.

Thanks again.

Upvotes: 0

Views: 1543

Answers (1)

Ron Eldor
Ron Eldor

Reputation: 230

On AEAD algorithms, the encrypted buffer includes the tag. This is why CRYPT_SIZE is 8 bytes longer than PLAIN_SIZE. I believe you are trying to decrypt the full cipher buffer, including the tag. In your Decrypta() function, please try the mbedtls_cipher_update() loop only for CRYPT_SIZE - tag.size bytes.
After that, get the tag from the cipher buffer, and use it for mbedtls_cipher_check_tag() function.

Upvotes: 1

Related Questions