How to check if "aes_gcm_dec_128" failed to decrypt ciphertext into plaintext?

[chenqichang10-10]

We plan to use ISA-L crypto AES_128_GCM in HTTP/3 case. Given that a HTTP/3 endpoint receives a AES_128_GCM AEAD-protected packet whose QUIC short packet header DCID(destionation connection ID) field has been modified by an attacker, how to detect this change or fail the AEAD decryption when using aes_gcm_dec_128()?

For BoringSSL, its AES_128_GCM method EVP_AEAD_CTX_open() returns one on success and zero otherwise. So if it returns 0, then the AEAD decryption failed.

isa-l_crypto-2.24.0/include/aes_gcm.h

/**

• @brief GCM-AES Decryption using 128 bit keys
• @requires SSE4.1 and AESNI / void aes_gcm_dec_128( const struct gcm_key_data key_data, //!< GCM expanded key data struct gcm_context_data context_data, //!< GCM operation context data uint8_t out, //!< Plaintext output. Decrypt in-place is allowed uint8_t const in, //!< Ciphertext input uint64_t len, //!< Length of data in Bytes for decryption uint8_t iv, //!< iv pointer to 12 byte IV structure. //!< Internally, library concates 0x00000001 value to it. uint8_t const aad, //!< Additional Authentication Data (AAD) uint64_t aad_len, //!< Length of AAD uint8_t auth_tag, //!< Authenticated Tag output uint64_t auth_tag_len //!< Authenticated Tag Length in bytes (must be a multiple of 4 bytes). //!< Valid values are 16 (most likely), 12 or 8 );

[chenqichang10-10]

OK. One can compare the aes_gcm_dec_128()'s output authentication tag against the original authentication tag carried in the received packet to check if the decryption has succeeded.

if (check_data(aead_decrypted_gcm_tag, ciphertext + plaintext_length, MAX_TAG_LEN, "auth tag")) { // decryption has failed }