Skip to content

Fix Android AEAD tag mismatch exceptions #128889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Copilot wants to merge 12 commits into from
Closed

Fix Android AEAD tag mismatch exceptions #128889

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
c655fa0
Initial plan
Copilot Jun 2, 2026
dd90fd1
Fix Android ChaCha20Poly1305 tag mismatch exception
Copilot Jun 2, 2026
dc6a5dd
Update Android AES AEAD tag handling
Copilot Jun 2, 2026
b28e258
Use spans for Android AEAD update interop
Copilot Jun 2, 2026
ce2449d
Check AEAD update exceptions before copying output
Copilot Jun 3, 2026
7bee398
Simplify AEAD update exception cleanup
Copilot Jun 3, 2026
462cfb1
Reduce code duplication and avoid uncaught exception crashes
simonrozsival Jun 3, 2026
68f232a
Do not change the behavior of printing exceptions
simonrozsival Jun 3, 2026
0737497
Treat GeneralSecurityException as auth tag mismatch for Android AEAD …
simonrozsival Jun 3, 2026
2a59360
Log original exception when reclassifying Android AEAD decrypt failure
simonrozsival Jun 3, 2026
2409f7c
Harden JNI exception handling in Android AEAD breadcrumb path
simonrozsival Jun 4, 2026
02cad94
Replace native AEAD heuristic with managed retry-and-observe on Android
simonrozsival Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions .../Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Cipher.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,32 @@ ref MemoryMarshal.GetReference(input),
input.Length);
}

[LibraryImport(Libraries.AndroidCryptoNative, EntryPoint = "AndroidCryptoNative_AeadCipherUpdate")]
[return: MarshalAs(UnmanagedType.Bool)]
private static partial bool EvpAeadCipherUpdate(
SafeEvpCipherCtxHandle ctx,
Span<byte> output,
out int outl,
ReadOnlySpan<byte> input,
int inl,
[MarshalAs(UnmanagedType.Bool)] out bool authTagMismatch);

internal static bool EvpAeadCipherUpdate(
SafeEvpCipherCtxHandle ctx,
Span<byte> output,
out int bytesWritten,
ReadOnlySpan<byte> input,
out bool authTagMismatch)
{
return EvpAeadCipherUpdate(
ctx,
output,
out bytesWritten,
input,
input.Length,
out authTagMismatch);
}

[LibraryImport(Libraries.AndroidCryptoNative, EntryPoint = "AndroidCryptoNative_CipherUpdateAAD")]
[return: MarshalAs(UnmanagedType.Bool)]
private static partial bool CipherUpdateAAD(
Expand Down
39 changes: 37 additions & 2 deletions ...libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesCcm.Android.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,30 @@ private void DecryptCore(
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
try
{
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);
}
catch (CryptographicException ex) when (ex is not AuthenticationTagMismatchException)
{
// Work around a transient Android/Conscrypt issue: an AEAD authentication
// failure can surface with the wrong exception type because the provider
// derives it from BoringSSL's thread-local error queue, which may still hold
// a stale error from an unrelated prior operation on the same thread. The
// failed attempt clears that queue, so an immediate same-thread retry observes
// the true result. A valid ciphertext cannot reach this path, so the retry can
// never turn an authentication failure into unauthenticated plaintext.
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);

@vcsjones vcsjones Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am very suspicious about this fix. Here is what we know about the failure.

  1. There is one consistent test failure: EncryptTamperAADDecrypt(dataLength: 0, additionalDataLength: 1). This is a bit of an edge-case test. All failures are for an empty ciphertext with AAD.
  2. All failures are for ARM32, not ARM64 or XArch.

"Retry" logic here generally feels very wrong to me. I'd sooner mark this one test case (not the whole test!) as ActiveIssue to better understand it first.

I am going to try to open a throw-away pull request with some better diagnostics to see what is going on since I cannot reproduce this locally.

If we want to get CI back to green, I would sooner disable that one very-specific test case for Android as an ActiveIssue.

}
}

private void DecryptCoreOnce(
ReadOnlySpan<byte> nonce,
ReadOnlySpan<byte> ciphertext,
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
bool acquired = false;

Expand Down Expand Up @@ -159,9 +183,20 @@ private void DecryptCore(
throw new CryptographicException();
}

if (!Interop.Crypto.EvpCipherUpdate(ctx, plaintext.Slice(plaintextBytesWritten), out int bytesWritten, tag))
if (!Interop.Crypto.EvpAeadCipherUpdate(
ctx,
plaintext.Slice(plaintextBytesWritten),
out int bytesWritten,
tag,
out bool authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

if (authTagMismatch)
{
throw new AuthenticationTagMismatchException();
}

throw new CryptographicException();
}

Expand All @@ -171,7 +206,7 @@ private void DecryptCore(
ctx,
plaintext.Slice(plaintextBytesWritten),
out bytesWritten,
out bool authTagMismatch))
out authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

Expand Down
39 changes: 37 additions & 2 deletions ...libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesGcm.Android.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,30 @@ private partial void DecryptCore(
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
try
{
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);
}
catch (CryptographicException ex) when (ex is not AuthenticationTagMismatchException)
{
// Work around a transient Android/Conscrypt issue: an AEAD authentication
// failure can surface with the wrong exception type because the provider
// derives it from BoringSSL's thread-local error queue, which may still hold
// a stale error from an unrelated prior operation on the same thread. The
// failed attempt clears that queue, so an immediate same-thread retry observes
// the true result. A valid ciphertext cannot reach this path, so the retry can
// never turn an authentication failure into unauthenticated plaintext.
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);
}
}

private void DecryptCoreOnce(
ReadOnlySpan<byte> nonce,
ReadOnlySpan<byte> ciphertext,
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
if (!Interop.Crypto.CipherSetTagLength(_ctxHandle, tag.Length))
{
Expand All @@ -137,9 +161,20 @@ private partial void DecryptCore(
throw new CryptographicException();
}

if (!Interop.Crypto.EvpCipherUpdate(_ctxHandle, plaintext.Slice(plaintextBytesWritten), out int bytesWritten, tag))
if (!Interop.Crypto.EvpAeadCipherUpdate(
_ctxHandle,
plaintext.Slice(plaintextBytesWritten),
out int bytesWritten,
tag,
out bool authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

if (authTagMismatch)
{
throw new AuthenticationTagMismatchException();
}

throw new CryptographicException();
}

Expand All @@ -149,7 +184,7 @@ private partial void DecryptCore(
_ctxHandle,
plaintext.Slice(plaintextBytesWritten),
out bytesWritten,
out bool authTagMismatch))
out authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

Expand Down
39 changes: 37 additions & 2 deletions ...System.Security.Cryptography/src/System/Security/Cryptography/ChaCha20Poly1305.Android.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,30 @@ private void DecryptCore(
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
try
{
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);
}
catch (CryptographicException ex) when (ex is not AuthenticationTagMismatchException)
{
// Work around a transient Android/Conscrypt issue: an AEAD authentication
// failure can surface with the wrong exception type because the provider
// derives it from BoringSSL's thread-local error queue, which may still hold
// a stale error from an unrelated prior operation on the same thread. The
// failed attempt clears that queue, so an immediate same-thread retry observes
// the true result. A valid ciphertext cannot reach this path, so the retry can
// never turn an authentication failure into unauthenticated plaintext.
DecryptCoreOnce(nonce, ciphertext, tag, plaintext, associatedData);
}
}

private void DecryptCoreOnce(
ReadOnlySpan<byte> nonce,
ReadOnlySpan<byte> ciphertext,
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
Interop.Crypto.EvpCipherSetKeyAndIV(
_ctxHandle,
Expand All @@ -127,9 +151,20 @@ private void DecryptCore(
throw new CryptographicException();
}

if (!Interop.Crypto.EvpCipherUpdate(_ctxHandle, plaintext.Slice(plaintextBytesWritten), out int bytesWritten, tag))
if (!Interop.Crypto.EvpAeadCipherUpdate(
_ctxHandle,
plaintext.Slice(plaintextBytesWritten),
out int bytesWritten,
tag,
out bool authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

if (authTagMismatch)
{
throw new AuthenticationTagMismatchException();
}

throw new CryptographicException();
}

Expand All @@ -139,7 +174,7 @@ private void DecryptCore(
_ctxHandle,
plaintext.Slice(plaintextBytesWritten),
out bytesWritten,
out bool authTagMismatch))
out authTagMismatch))
{
CryptographicOperations.ZeroMemory(plaintext);

Expand Down
73 changes: 51 additions & 22 deletions src/native/libs/System.Security.Cryptography.Native.Android/pal_cipher.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,25 @@ ARGS_NON_NULL_ALL static jobject GetAlgorithmName(JNIEnv* env, CipherInfo* type)
return make_java_string(env, type->name);
}

ARGS_NON_NULL_ALL static bool CheckJNIExceptionsForAuthTagMismatch(JNIEnv* env, int32_t* authTagMismatch, bool printException)
{
bool result = false;
INIT_LOCALS(loc, ex);

if (TryGetJNIException(env, &loc[ex], printException))
{
result = true;

if (loc[ex] != NULL && (*env)->IsInstanceOf(env, loc[ex], g_AEADBadTagExceptionClass))
{
*authTagMismatch = 1;
}
}

RELEASE_LOCALS(loc, env);
return result;
}

int32_t AndroidCryptoNative_CipherIsSupported(CipherInfo* type)
{
abort_if_invalid_pointer_argument (type);
Expand Down Expand Up @@ -246,34 +265,56 @@ int32_t AndroidCryptoNative_CipherUpdateAAD(CipherCtx* ctx, uint8_t* in, int32_t
}

int32_t AndroidCryptoNative_CipherUpdate(CipherCtx* ctx, uint8_t* outm, int32_t* outl, uint8_t* in, int32_t inl)
{
int32_t authTagMismatch = 0;
return AndroidCryptoNative_AeadCipherUpdate(ctx, outm, outl, in, inl, &authTagMismatch);
}

int32_t AndroidCryptoNative_AeadCipherUpdate(
CipherCtx* ctx, uint8_t* outm, int32_t* outl, uint8_t* in, int32_t inl, int32_t* authTagMismatch)
{
if (!ctx)
return FAIL;

abort_if_invalid_pointer_argument(authTagMismatch);

*authTagMismatch = 0;

if (!outl && !in)
// it means caller wants us to record "inl" but we don't need it.
return SUCCESS;

abort_if_invalid_pointer_argument(outl);
abort_if_invalid_pointer_argument(in);

int32_t result = FAIL;
INIT_LOCALS(loc, inDataBytes, outDataBytes);

JNIEnv* env = GetJNIEnv();
jbyteArray inDataBytes = make_java_byte_array(env, inl);
(*env)->SetByteArrayRegion(env, inDataBytes, 0, inl, (jbyte*)in);
loc[inDataBytes] = make_java_byte_array(env, inl);
(*env)->SetByteArrayRegion(env, loc[inDataBytes], 0, inl, (jbyte*)in);
ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
Comment on lines 283 to +296

*outl = 0;
jbyteArray outDataBytes = (jbyteArray)(*env)->CallObjectMethod(env, ctx->cipher, g_cipherUpdateMethod, inDataBytes);
loc[outDataBytes] = (jbyteArray)(*env)->CallObjectMethod(env, ctx->cipher, g_cipherUpdateMethod, loc[inDataBytes]);
if (CheckJNIExceptionsForAuthTagMismatch(env, authTagMismatch, /* printException: */ true))
{
goto cleanup;
}

if (outDataBytes && outm)
if (loc[outDataBytes] && outm)
{
jsize outDataBytesLen = (*env)->GetArrayLength(env, outDataBytes);
jsize outDataBytesLen = (*env)->GetArrayLength(env, loc[outDataBytes]);
*outl = outDataBytesLen;
(*env)->GetByteArrayRegion(env, outDataBytes, 0, outDataBytesLen, (jbyte*) outm);
(*env)->DeleteLocalRef(env, outDataBytes);
(*env)->GetByteArrayRegion(env, loc[outDataBytes], 0, outDataBytesLen, (jbyte*) outm);
ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
}

(*env)->DeleteLocalRef(env, inDataBytes);
return CheckJNIExceptions(env) ? FAIL : SUCCESS;
result = SUCCESS;

cleanup:
RELEASE_LOCALS(loc, env);
return result;
}

int32_t AndroidCryptoNative_CipherFinalEx(CipherCtx* ctx, uint8_t* outm, int32_t* outl)
Expand Down Expand Up @@ -315,21 +356,9 @@ int32_t AndroidCryptoNative_AeadCipherFinalEx(CipherCtx* ctx, uint8_t* outm, int
*authTagMismatch = 0;

jbyteArray outBytes = (jbyteArray)(*env)->CallObjectMethod(env, ctx->cipher, g_cipherDoFinalMethod);
jthrowable ex = NULL;

if (TryGetJNIException(env, &ex, false))
if (CheckJNIExceptionsForAuthTagMismatch(env, authTagMismatch, /* printException: */ false))
{
if (ex == NULL)
{
return FAIL;
}

if ((*env)->IsInstanceOf(env, ex, g_AEADBadTagExceptionClass))
{
*authTagMismatch = 1;
}

(*env)->DeleteLocalRef(env, ex);
return FAIL;
}

Expand Down
1 change: 1 addition & 0 deletions src/native/libs/System.Security.Cryptography.Native.Android/pal_cipher.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ PALEXPORT int32_t AndroidCryptoNative_CipherReset(CipherCtx* ctx, uint8_t* pIv,
PALEXPORT int32_t AndroidCryptoNative_CipherCtxSetPadding(CipherCtx* ctx, int32_t padding);
PALEXPORT int32_t AndroidCryptoNative_CipherUpdateAAD(CipherCtx* ctx, uint8_t* in, int32_t inl);
PALEXPORT int32_t AndroidCryptoNative_CipherUpdate(CipherCtx* ctx, uint8_t* out, int32_t* outl, uint8_t* in, int32_t inl);
PALEXPORT int32_t AndroidCryptoNative_AeadCipherUpdate(CipherCtx* ctx, uint8_t* out, int32_t* outl, uint8_t* in, int32_t inl, int32_t* authTagMismatch);
PALEXPORT int32_t AndroidCryptoNative_CipherFinalEx(CipherCtx* ctx, uint8_t* outm, int32_t* outl);
PALEXPORT int32_t AndroidCryptoNative_AeadCipherFinalEx(CipherCtx* ctx, uint8_t* outm, int32_t* outl, int32_t* authTagMismatch);
PALEXPORT CipherInfo* AndroidCryptoNative_Aes128Ecb(void);
Expand Down
Loading