Hello jbquick,

Thanks for contacting wolfSSL Support. I have requested a review of this from a colleague.

I am running into the same issue as well just using the httpsget sample from TI.
Below is the debug log from wolfssl for the connection if thats helpful.
The bad record mac comes after the first encrypted handshake message from the client.

For some more context the server is selecting is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and I have disabled peer verification in wolfssl for now.

Sending a HTTPS GET request to 'www.example.com:443'
[2] wolfSSL Entering TLSv1_2_client_method_ex
[2] wolfSSL Entering wolfSSL_CTX_new_ex
[2] wolfSSL Entering wolfSSL_Init
[2] wolfSSL Entering wolfCrypt_Init
[2] wolfSSL Entering wolfSSL_CertManagerNew
[3] wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
[2] wolfSSL Entering wolfSSL_CTX_set_verify
[2] wolfSSL Entering wolfSSL_new
[2] wolfSSL Entering ReinitSSL
[2] wolfSSL Entering SetSSL_CTX
[2] wolfSSL Entering wolfSSL_NewSession
[3] wolfSSL Leaving wolfSSL_new, return 0
[2] wolfSSL Entering wolfSSL_set_fd
[2] wolfSSL Entering wolfSSL_set_read_fd
[3] wolfSSL Leaving wolfSSL_set_read_fd, return 1
[2] wolfSSL Entering wolfSSL_set_write_fd
[3] wolfSSL Leaving wolfSSL_set_write_fd, return 1
[2] wolfSSL Entering wolfSSL_send
[2] wolfSSL Entering wolfSSL_write
[1] handshake not complete, trying to finish
[2] wolfSSL Entering wolfSSL_negotiate
[2] wolfSSL Entering wolfSSL_connect
[2] wolfSSL Entering ReinitSSL
[2] wolfSSL Entering SendClientHello
[1] Adding signature algorithms extension
[1] growing output buffer
[1] Signature Algorithms extension to write
[1] Point Formats extension to write
[1] Supported Groups extension to write
[1] Shrinking output buffer
[3] wolfSSL Leaving SendClientHello, return 0
[1] connect state: CLIENT_HELLO_SENT
[1] growing input buffer
[1] received record layer msg
[1] got HANDSHAKE
[2] wolfSSL Entering DoHandShakeMsg
[2] wolfSSL Entering DoHandShakeMsgType
[1] processing server hello
[2] wolfSSL Entering DoServerHello
[1] Point Formats extension received
[2] wolfSSL Entering wolfSSL_get_options
[2] wolfSSL Entering VerifyClientSuite
[3] wolfSSL Leaving DoServerHello, return 0
[3] wolfSSL Leaving DoHandShakeMsgType(), return 0
[3] wolfSSL Leaving DoHandShakeMsg(), return 0
[1] Shrinking input buffer
[1] growing input buffer
[1] received record layer msg
[1] got HANDSHAKE
[2] wolfSSL Entering DoHandShakeMsg
[2] wolfSSL Entering DoHandShakeMsgType
[1] processing certificate
[2] wolfSSL Entering DoCertificate
[2] wolfSSL Entering ProcessPeerCerts
[1] Loading peer's cert chain
[1]     Put another cert into chain
[1]     Put another cert into chain
[2] wolfSSL Entering GetExplicitVersion
[2] wolfSSL Entering wc_GetSerialNumber
[1] Got Cert Header
[2] wolfSSL Entering GetObjectId
[1] Got Algo ID
[1] Getting Name
[1] Getting Cert Name
[1] Getting Name
[1] Getting Cert Name
[1] Got Subject Name
[2] wolfSSL Entering GetAlgoId
[2] wolfSSL Entering GetObjectId
[1] Got Key
[1] Parsed Past Key
[2] wolfSSL Entering DecodeCertExtensions
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeBasicCaConstraint
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeSubjKeyId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeAuthKeyId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeKeyUsage
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeExtKeyUsage
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeAuthInfo
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeCrlDist
[2] wolfSSL Entering GetObjectId
[1] Certificate Policy extension not supported yet.
[2] wolfSSL Entering GetObjectId
[1] Chain cert not verified by option, not adding as CA
[1] Verifying Peer's cert
[2] wolfSSL Entering GetExplicitVersion
[2] wolfSSL Entering wc_GetSerialNumber
[1] Got Cert Header
[2] wolfSSL Entering GetObjectId
[1] Got Algo ID
[1] Getting Name
[1] Getting Cert Name
[1] Getting Name
[1] Getting Cert Name
[1] Got Subject Name
[2] wolfSSL Entering GetAlgoId
[2] wolfSSL Entering GetObjectId
[1] Got Key
[1] Parsed Past Key
[2] wolfSSL Entering DecodeCertExtensions
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeAuthKeyId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeSubjKeyId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeAltNames
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeKeyUsage
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeExtKeyUsage
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeCrlDist
[1]     There are more CRL Distribution Point records, but we only use the first one.
[2] wolfSSL Entering GetObjectId
[1] Certificate Policy extension not supported yet.
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeAuthInfo
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering DecodeBasicCaConstraint
[2] wolfSSL Entering GetObjectId
[2] wolfSSL Entering GetObjectId
[1] Verified Peer's cert
[3] wolfSSL Leaving ProcessPeerCerts, return 0
[3] wolfSSL Leaving DoCertificate, return 0
[3] wolfSSL Leaving DoHandShakeMsgType(), return 0
[3] wolfSSL Leaving DoHandShakeMsg(), return 0
[1] Shrinking input buffer
[1] growing input buffer
[1] received record layer msg
[1] got HANDSHAKE
[2] wolfSSL Entering DoHandShakeMsg
[2] wolfSSL Entering DoHandShakeMsgType
[1] processing server key exchange
[2] wolfSSL Entering DoServerKeyExchange
[2] wolfSSL Entering RsaVerify
[3] wolfSSL Leaving RsaVerify, return 51
[3] wolfSSL Leaving DoServerKeyExchange, return 0
[3] wolfSSL Leaving DoHandShakeMsgType(), return 0
[3] wolfSSL Leaving DoHandShakeMsg(), return 0
[1] Shrinking input buffer
[1] received record layer msg
[1] got HANDSHAKE
[2] wolfSSL Entering DoHandShakeMsg
[2] wolfSSL Entering DoHandShakeMsgType
[1] processing server hello done
[3] wolfSSL Leaving DoHandShakeMsgType(), return 0
[3] wolfSSL Leaving DoHandShakeMsg(), return 0
[1] connect state: HELLO_AGAIN
[1] connect state: HELLO_AGAIN_REPLY
[1] connect state: FIRST_REPLY_DONE
[1] connect state: FIRST_REPLY_FIRST
[2] wolfSSL Entering SendClientKeyExchange
[2] wolfSSL Entering EccMakeKey
[3] wolfSSL Leaving EccMakeKey, return 0
[2] wolfSSL Entering EccSharedSecret
[3] wolfSSL Leaving EccSharedSecret, return 0
[1] growing output buffer
[1] Shrinking output buffer
[3] wolfSSL Leaving SendClientKeyExchange, return 0
[1] sent: client key exchange
[1] connect state: FIRST_REPLY_SECOND
[1] connect state: FIRST_REPLY_THIRD
[1] growing output buffer
[1] Shrinking output buffer
[1] sent: change cipher spec
[1] connect state: FIRST_REPLY_FOURTH
[2] wolfSSL Entering SendFinished
[1] growing output buffer
[2] wolfSSL Entering BuildMessage
[3] wolfSSL Leaving BuildMessage, return 0
[2] wolfSSL Entering SetupSession
[2] wolfSSL Entering AddSession
[2] wolfSSL Entering AddSessionToCache
[2] wolfSSL Entering ClientSessionToSession
[2] wolfSSL Entering ClientSessionToSession
[2] wolfSSL Entering ClientSessionToSession
[1] Trying to add client cache entry
[1] Adding client cache entry
[1] Shrinking output buffer
[3] wolfSSL Leaving SendFinished, return 0
[1] sent: finished
[1] connect state: FINISHED_DONE
[1] received record layer msg
[1] got ALERT!
[1] Alert type: bad_record_mac
[0] wolfSSL error occurred, error = 20
[0] wolfSSL error occurred, error = -313
[3] wolfSSL Leaving wolfSSL_negotiate, return -1
[3] wolfSSL Leaving wolfSSL_write, return -1
[3] wolfSSL Leaving wolfSSL_send, return -1
[2] wolfSSL Entering wolfSSL_get_error
[3] wolfSSL Leaving wolfSSL_get_error, return -313
Error! code = -103, desc = httpsTask: send failed

Hi Ethan and John,

Thank you both for the report of the TM4C issues with AES GCM. I've got a TM4C129XL board here and will see if I can reproduce and fix. Hopefully this board has the AES GCM feature (enabled with `WOLFSSL_TI_CRYPT`).

It sounds like the ti-aes.c isn't properly handling the IV.

Thanks,
David Garske, wolfSSL