1 /*
2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* Dispatch functions for gcm mode */
11
12 #include <openssl/rand.h>
13 #include <openssl/proverr.h>
14 #include "prov/ciphercommon.h"
15 #include "prov/ciphercommon_gcm.h"
16 #include "prov/providercommon.h"
17 #include "prov/provider_ctx.h"
18 #include "internal/param_names.h"
19
20 static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
21 static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
22 size_t len);
23 static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
24 const unsigned char *in, size_t len);
25 static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
26 size_t *padlen, const unsigned char *in,
27 size_t len);
28
29 /*
30 * Called from EVP_CipherInit when there is currently no context via
31 * the new_ctx() function
32 */
ossl_gcm_initctx(void * provctx,PROV_GCM_CTX * ctx,size_t keybits,const PROV_GCM_HW * hw)33 void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
34 const PROV_GCM_HW *hw)
35 {
36 ctx->pad = 1;
37 ctx->mode = EVP_CIPH_GCM_MODE;
38 ctx->taglen = UNINITIALISED_SIZET;
39 ctx->tls_aad_len = UNINITIALISED_SIZET;
40 ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
41 ctx->keylen = keybits / 8;
42 ctx->hw = hw;
43 ctx->libctx = PROV_LIBCTX_OF(provctx);
44 }
45
46 /*
47 * Called by EVP_CipherInit via the _einit and _dinit functions
48 */
gcm_init(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[],int enc)49 static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
50 const unsigned char *iv, size_t ivlen,
51 const OSSL_PARAM params[], int enc)
52 {
53 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
54
55 if (!ossl_prov_is_running())
56 return 0;
57
58 ctx->enc = enc;
59
60 if (iv != NULL) {
61 if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
62 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
63 return 0;
64 }
65 ctx->ivlen = ivlen;
66 memcpy(ctx->iv, iv, ivlen);
67 ctx->iv_state = IV_STATE_BUFFERED;
68 }
69
70 if (key != NULL) {
71 if (keylen != ctx->keylen) {
72 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
73 return 0;
74 }
75 if (!ctx->hw->setkey(ctx, key, ctx->keylen))
76 return 0;
77 ctx->tls_enc_records = 0;
78 }
79 return ossl_gcm_set_ctx_params(ctx, params);
80 }
81
ossl_gcm_einit(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[])82 int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
83 const unsigned char *iv, size_t ivlen,
84 const OSSL_PARAM params[])
85 {
86 return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
87 }
88
ossl_gcm_dinit(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[])89 int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
90 const unsigned char *iv, size_t ivlen,
91 const OSSL_PARAM params[])
92 {
93 return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
94 }
95
96 /* increment counter (64-bit int) by 1 */
ctr64_inc(unsigned char * counter)97 static void ctr64_inc(unsigned char *counter)
98 {
99 int n = 8;
100 unsigned char c;
101
102 do {
103 --n;
104 c = counter[n];
105 ++c;
106 counter[n] = c;
107 if (c > 0)
108 return;
109 } while (n > 0);
110 }
111
getivgen(PROV_GCM_CTX * ctx,unsigned char * out,size_t olen)112 static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
113 {
114 if (!ctx->iv_gen
115 || !ctx->key_set
116 || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
117 return 0;
118 if (olen == 0 || olen > ctx->ivlen)
119 olen = ctx->ivlen;
120 memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
121 /*
122 * Invocation field will be at least 8 bytes in size and so no need
123 * to check wrap around or increment more than last 8 bytes.
124 */
125 ctr64_inc(ctx->iv + ctx->ivlen - 8);
126 ctx->iv_state = IV_STATE_COPIED;
127 return 1;
128 }
129
setivinv(PROV_GCM_CTX * ctx,unsigned char * in,size_t inl)130 static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
131 {
132 if (!ctx->iv_gen
133 || !ctx->key_set
134 || ctx->enc)
135 return 0;
136
137 memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
138 if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
139 return 0;
140 ctx->iv_state = IV_STATE_COPIED;
141 return 1;
142 }
143
ossl_gcm_get_ctx_params(void * vctx,OSSL_PARAM params[])144 int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
145 {
146 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
147 OSSL_PARAM *p;
148 size_t sz;
149 int type;
150
151 for (p = params; p->key != NULL; p++) {
152 type = ossl_param_find_pidx(p->key);
153 switch (type) {
154 default:
155 break;
156
157 case PIDX_CIPHER_PARAM_IVLEN:
158 if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
159 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
160 return 0;
161 }
162 break;
163
164 case PIDX_CIPHER_PARAM_KEYLEN:
165 if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) {
166 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
167 return 0;
168 }
169 break;
170
171 case PIDX_CIPHER_PARAM_AEAD_TAGLEN:
172 {
173 size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
174 GCM_TAG_MAX_SIZE;
175
176 if (!OSSL_PARAM_set_size_t(p, taglen)) {
177 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
178 return 0;
179 }
180 }
181 break;
182
183 case PIDX_CIPHER_PARAM_IV:
184 if (ctx->iv_state == IV_STATE_UNINITIALISED)
185 return 0;
186 if (ctx->ivlen > p->data_size) {
187 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
188 return 0;
189 }
190 if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
191 && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
192 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
193 return 0;
194 }
195 break;
196
197 case PIDX_CIPHER_PARAM_UPDATED_IV:
198 if (ctx->iv_state == IV_STATE_UNINITIALISED)
199 return 0;
200 if (ctx->ivlen > p->data_size) {
201 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
202 return 0;
203 }
204 if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
205 && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
206 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
207 return 0;
208 }
209 break;
210
211 case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD:
212 if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
213 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
214 return 0;
215 }
216 break;
217
218 case PIDX_CIPHER_PARAM_AEAD_TAG:
219 sz = p->data_size;
220 if (sz == 0
221 || sz > EVP_GCM_TLS_TAG_LEN
222 || !ctx->enc
223 || ctx->taglen == UNINITIALISED_SIZET) {
224 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
225 return 0;
226 }
227 if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
228 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
229 return 0;
230 }
231 break;
232
233 case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN:
234 if (p->data == NULL
235 || p->data_type != OSSL_PARAM_OCTET_STRING
236 || !getivgen(ctx, p->data, p->data_size))
237 return 0;
238 break;
239 case PIDX_CIPHER_PARAM_AEAD_IV_GENERATED:
240 if (!OSSL_PARAM_set_uint(p, ctx->iv_gen_rand))
241 return 0;
242 }
243 }
244 return 1;
245 }
246
ossl_gcm_set_ctx_params(void * vctx,const OSSL_PARAM params[])247 int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
248 {
249 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
250 const OSSL_PARAM *p;
251 size_t sz;
252 void *vp;
253 int type;
254
255 if (ossl_param_is_empty(params))
256 return 1;
257
258 for (p = params; p->key != NULL; p++) {
259 type = ossl_param_find_pidx(p->key);
260 switch (type) {
261 default:
262 break;
263
264 case PIDX_CIPHER_PARAM_AEAD_TAG:
265 vp = ctx->buf;
266 if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
267 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
268 return 0;
269 }
270 if (sz == 0 || ctx->enc) {
271 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
272 return 0;
273 }
274 ctx->taglen = sz;
275 break;
276
277 case PIDX_CIPHER_PARAM_AEAD_IVLEN:
278 if (!OSSL_PARAM_get_size_t(p, &sz)) {
279 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
280 return 0;
281 }
282 if (sz == 0 || sz > sizeof(ctx->iv)) {
283 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
284 return 0;
285 }
286 if (ctx->ivlen != sz) {
287 /* If the iv was already set or autogenerated, it is invalid. */
288 if (ctx->iv_state != IV_STATE_UNINITIALISED)
289 ctx->iv_state = IV_STATE_FINISHED;
290 ctx->ivlen = sz;
291 }
292 break;
293
294 case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
295 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
296 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
297 return 0;
298 }
299 sz = gcm_tls_init(ctx, p->data, p->data_size);
300 if (sz == 0) {
301 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
302 return 0;
303 }
304 ctx->tls_aad_pad_sz = sz;
305 break;
306
307 case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
308 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
309 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
310 return 0;
311 }
312 if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
313 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
314 return 0;
315 }
316 break;
317
318 case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
319 if (p->data == NULL
320 || p->data_type != OSSL_PARAM_OCTET_STRING
321 || !setivinv(ctx, p->data, p->data_size))
322 return 0;
323 break;
324 }
325 }
326
327 return 1;
328 }
329
ossl_gcm_stream_update(void * vctx,unsigned char * out,size_t * outl,size_t outsize,const unsigned char * in,size_t inl)330 int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
331 size_t outsize, const unsigned char *in, size_t inl)
332 {
333 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
334
335 if (inl == 0) {
336 *outl = 0;
337 return 1;
338 }
339
340 if (outsize < inl) {
341 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
342 return 0;
343 }
344
345 if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
346 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
347 return 0;
348 }
349 return 1;
350 }
351
ossl_gcm_stream_final(void * vctx,unsigned char * out,size_t * outl,size_t outsize)352 int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
353 size_t outsize)
354 {
355 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
356 int i;
357
358 if (!ossl_prov_is_running())
359 return 0;
360
361 i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
362 if (i <= 0)
363 return 0;
364
365 *outl = 0;
366 return 1;
367 }
368
ossl_gcm_cipher(void * vctx,unsigned char * out,size_t * outl,size_t outsize,const unsigned char * in,size_t inl)369 int ossl_gcm_cipher(void *vctx,
370 unsigned char *out, size_t *outl, size_t outsize,
371 const unsigned char *in, size_t inl)
372 {
373 PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
374
375 if (!ossl_prov_is_running())
376 return 0;
377
378 if (outsize < inl) {
379 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
380 return 0;
381 }
382
383 if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
384 return 0;
385
386 *outl = inl;
387 return 1;
388 }
389
390 /*
391 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
392 *
393 * See also 8.2.2 RBG-based construction.
394 * Random construction consists of a free field (which can be NULL) and a
395 * random field which will use a DRBG that can return at least 96 bits of
396 * entropy strength. (The DRBG must be seeded by the FIPS module).
397 */
gcm_iv_generate(PROV_GCM_CTX * ctx,int offset)398 static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
399 {
400 int sz = ctx->ivlen - offset;
401
402 /* Must be at least 96 bits */
403 if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
404 return 0;
405
406 /* Use DRBG to generate random iv */
407 if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
408 return 0;
409 ctx->iv_state = IV_STATE_BUFFERED;
410 ctx->iv_gen_rand = 1;
411 return 1;
412 }
413
gcm_cipher_internal(PROV_GCM_CTX * ctx,unsigned char * out,size_t * padlen,const unsigned char * in,size_t len)414 static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
415 size_t *padlen, const unsigned char *in,
416 size_t len)
417 {
418 size_t olen = 0;
419 int rv = 0;
420 const PROV_GCM_HW *hw = ctx->hw;
421
422 if (ctx->tls_aad_len != UNINITIALISED_SIZET)
423 return gcm_tls_cipher(ctx, out, padlen, in, len);
424
425 if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
426 goto err;
427
428 /*
429 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
430 * The IV can still be set externally (the security policy will state that
431 * this is not FIPS compliant). There are some applications
432 * where setting the IV externally is the only option available.
433 */
434 if (ctx->iv_state == IV_STATE_UNINITIALISED) {
435 if (!ctx->enc || !gcm_iv_generate(ctx, 0))
436 goto err;
437 }
438
439 if (ctx->iv_state == IV_STATE_BUFFERED) {
440 if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
441 goto err;
442 ctx->iv_state = IV_STATE_COPIED;
443 }
444
445 if (in != NULL) {
446 /* The input is AAD if out is NULL */
447 if (out == NULL) {
448 if (!hw->aadupdate(ctx, in, len))
449 goto err;
450 } else {
451 /* The input is ciphertext OR plaintext */
452 if (!hw->cipherupdate(ctx, in, len, out))
453 goto err;
454 }
455 } else {
456 /* The tag must be set before actually decrypting data */
457 if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
458 goto err;
459 if (!hw->cipherfinal(ctx, ctx->buf))
460 goto err;
461 ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
462 goto finish;
463 }
464 olen = len;
465 finish:
466 rv = 1;
467 err:
468 *padlen = olen;
469 return rv;
470 }
471
gcm_tls_init(PROV_GCM_CTX * dat,unsigned char * aad,size_t aad_len)472 static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
473 {
474 unsigned char *buf;
475 size_t len;
476
477 if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
478 return 0;
479
480 /* Save the aad for later use. */
481 buf = dat->buf;
482 memcpy(buf, aad, aad_len);
483 dat->tls_aad_len = aad_len;
484
485 len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
486 /* Correct length for explicit iv. */
487 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
488 return 0;
489 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
490
491 /* If decrypting correct for tag too. */
492 if (!dat->enc) {
493 if (len < EVP_GCM_TLS_TAG_LEN)
494 return 0;
495 len -= EVP_GCM_TLS_TAG_LEN;
496 }
497 buf[aad_len - 2] = (unsigned char)(len >> 8);
498 buf[aad_len - 1] = (unsigned char)(len & 0xff);
499 /* Extra padding: tag appended to record. */
500 return EVP_GCM_TLS_TAG_LEN;
501 }
502
gcm_tls_iv_set_fixed(PROV_GCM_CTX * ctx,unsigned char * iv,size_t len)503 static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
504 size_t len)
505 {
506 /* Special case: -1 length restores whole IV */
507 if (len == (size_t)-1) {
508 memcpy(ctx->iv, iv, ctx->ivlen);
509 ctx->iv_gen = 1;
510 ctx->iv_state = IV_STATE_BUFFERED;
511 return 1;
512 }
513 /* Fixed field must be at least 4 bytes and invocation field at least 8 */
514 if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
515 || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
516 return 0;
517 if (len > 0)
518 memcpy(ctx->iv, iv, len);
519 if (ctx->enc) {
520 if (RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
521 return 0;
522 ctx->iv_gen_rand = 1;
523 }
524 ctx->iv_gen = 1;
525 ctx->iv_state = IV_STATE_BUFFERED;
526 return 1;
527 }
528
529 /*
530 * Handle TLS GCM packet format. This consists of the last portion of the IV
531 * followed by the payload and finally the tag. On encrypt generate IV,
532 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
533 * and verify tag.
534 */
gcm_tls_cipher(PROV_GCM_CTX * ctx,unsigned char * out,size_t * padlen,const unsigned char * in,size_t len)535 static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
536 const unsigned char *in, size_t len)
537 {
538 int rv = 0;
539 size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
540 size_t plen = 0;
541 unsigned char *tag = NULL;
542
543 if (!ossl_prov_is_running() || !ctx->key_set)
544 goto err;
545
546 /* Encrypt/decrypt must be performed in place */
547 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
548 goto err;
549
550 /*
551 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
552 * Requirements from SP 800-38D". The requirements is for one party to the
553 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
554 * side only.
555 */
556 if (ctx->enc && ++ctx->tls_enc_records == 0) {
557 ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
558 goto err;
559 }
560
561 /*
562 * Set IV from start of buffer or generate IV and write to start of
563 * buffer.
564 */
565 if (ctx->enc) {
566 if (!getivgen(ctx, out, arg))
567 goto err;
568 } else {
569 if (!setivinv(ctx, out, arg))
570 goto err;
571 }
572
573 /* Fix buffer and length to point to payload */
574 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
575 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
576 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
577
578 tag = ctx->enc ? out + len : (unsigned char *)in + len;
579 if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
580 EVP_GCM_TLS_TAG_LEN)) {
581 if (!ctx->enc)
582 OPENSSL_cleanse(out, len);
583 goto err;
584 }
585 if (ctx->enc)
586 plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
587 else
588 plen = len;
589
590 rv = 1;
591 err:
592 ctx->iv_state = IV_STATE_FINISHED;
593 ctx->tls_aad_len = UNINITIALISED_SIZET;
594 *padlen = plen;
595 return rv;
596 }
597
