ciphercommon_gcm.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591
  1. /*
  2. * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* Dispatch functions for gcm mode */
  10. #include <openssl/rand.h>
  11. #include <openssl/proverr.h>
  12. #include "prov/ciphercommon.h"
  13. #include "prov/ciphercommon_gcm.h"
  14. #include "prov/providercommon.h"
  15. #include "prov/provider_ctx.h"
  16. #include "internal/param_names.h"
  17. static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
  18. static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
  19. size_t len);
  20. static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
  21. const unsigned char *in, size_t len);
  22. static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
  23. size_t *padlen, const unsigned char *in,
  24. size_t len);
  25. /*
  26. * Called from EVP_CipherInit when there is currently no context via
  27. * the new_ctx() function
  28. */
  29. void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
  30. const PROV_GCM_HW *hw)
  31. {
  32. ctx->pad = 1;
  33. ctx->mode = EVP_CIPH_GCM_MODE;
  34. ctx->taglen = UNINITIALISED_SIZET;
  35. ctx->tls_aad_len = UNINITIALISED_SIZET;
  36. ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
  37. ctx->keylen = keybits / 8;
  38. ctx->hw = hw;
  39. ctx->libctx = PROV_LIBCTX_OF(provctx);
  40. }
  41. /*
  42. * Called by EVP_CipherInit via the _einit and _dinit functions
  43. */
  44. static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
  45. const unsigned char *iv, size_t ivlen,
  46. const OSSL_PARAM params[], int enc)
  47. {
  48. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  49. if (!ossl_prov_is_running())
  50. return 0;
  51. ctx->enc = enc;
  52. if (iv != NULL) {
  53. if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
  54. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
  55. return 0;
  56. }
  57. ctx->ivlen = ivlen;
  58. memcpy(ctx->iv, iv, ivlen);
  59. ctx->iv_state = IV_STATE_BUFFERED;
  60. }
  61. if (key != NULL) {
  62. if (keylen != ctx->keylen) {
  63. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
  64. return 0;
  65. }
  66. if (!ctx->hw->setkey(ctx, key, ctx->keylen))
  67. return 0;
  68. ctx->tls_enc_records = 0;
  69. }
  70. return ossl_gcm_set_ctx_params(ctx, params);
  71. }
  72. int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
  73. const unsigned char *iv, size_t ivlen,
  74. const OSSL_PARAM params[])
  75. {
  76. return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
  77. }
  78. int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
  79. const unsigned char *iv, size_t ivlen,
  80. const OSSL_PARAM params[])
  81. {
  82. return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
  83. }
  84. /* increment counter (64-bit int) by 1 */
  85. static void ctr64_inc(unsigned char *counter)
  86. {
  87. int n = 8;
  88. unsigned char c;
  89. do {
  90. --n;
  91. c = counter[n];
  92. ++c;
  93. counter[n] = c;
  94. if (c > 0)
  95. return;
  96. } while (n > 0);
  97. }
  98. static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
  99. {
  100. if (!ctx->iv_gen
  101. || !ctx->key_set
  102. || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
  103. return 0;
  104. if (olen == 0 || olen > ctx->ivlen)
  105. olen = ctx->ivlen;
  106. memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
  107. /*
  108. * Invocation field will be at least 8 bytes in size and so no need
  109. * to check wrap around or increment more than last 8 bytes.
  110. */
  111. ctr64_inc(ctx->iv + ctx->ivlen - 8);
  112. ctx->iv_state = IV_STATE_COPIED;
  113. return 1;
  114. }
  115. static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
  116. {
  117. if (!ctx->iv_gen
  118. || !ctx->key_set
  119. || ctx->enc)
  120. return 0;
  121. memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
  122. if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
  123. return 0;
  124. ctx->iv_state = IV_STATE_COPIED;
  125. return 1;
  126. }
  127. int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
  128. {
  129. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  130. OSSL_PARAM *p;
  131. size_t sz;
  132. int type;
  133. for (p = params; p->key != NULL; p++) {
  134. type = ossl_param_find_pidx(p->key);
  135. switch (type) {
  136. default:
  137. break;
  138. case PIDX_CIPHER_PARAM_IVLEN:
  139. if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
  140. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  141. return 0;
  142. }
  143. break;
  144. case PIDX_CIPHER_PARAM_KEYLEN:
  145. if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) {
  146. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  147. return 0;
  148. }
  149. break;
  150. case PIDX_CIPHER_PARAM_AEAD_TAGLEN:
  151. {
  152. size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
  153. GCM_TAG_MAX_SIZE;
  154. if (!OSSL_PARAM_set_size_t(p, taglen)) {
  155. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  156. return 0;
  157. }
  158. }
  159. break;
  160. case PIDX_CIPHER_PARAM_IV:
  161. if (ctx->iv_state == IV_STATE_UNINITIALISED)
  162. return 0;
  163. if (ctx->ivlen > p->data_size) {
  164. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
  165. return 0;
  166. }
  167. if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
  168. && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
  169. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  170. return 0;
  171. }
  172. break;
  173. case PIDX_CIPHER_PARAM_UPDATED_IV:
  174. if (ctx->iv_state == IV_STATE_UNINITIALISED)
  175. return 0;
  176. if (ctx->ivlen > p->data_size) {
  177. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
  178. return 0;
  179. }
  180. if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
  181. && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
  182. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  183. return 0;
  184. }
  185. break;
  186. case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD:
  187. if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
  188. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  189. return 0;
  190. }
  191. break;
  192. case PIDX_CIPHER_PARAM_AEAD_TAG:
  193. sz = p->data_size;
  194. if (sz == 0
  195. || sz > EVP_GCM_TLS_TAG_LEN
  196. || !ctx->enc
  197. || ctx->taglen == UNINITIALISED_SIZET) {
  198. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
  199. return 0;
  200. }
  201. if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
  202. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
  203. return 0;
  204. }
  205. break;
  206. case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN:
  207. if (p->data == NULL
  208. || p->data_type != OSSL_PARAM_OCTET_STRING
  209. || !getivgen(ctx, p->data, p->data_size))
  210. return 0;
  211. break;
  212. }
  213. }
  214. return 1;
  215. }
  216. int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  217. {
  218. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  219. const OSSL_PARAM *p;
  220. size_t sz;
  221. void *vp;
  222. int type;
  223. if (params == NULL)
  224. return 1;
  225. for (p = params; p->key != NULL; p++) {
  226. type = ossl_param_find_pidx(p->key);
  227. switch (type) {
  228. default:
  229. break;
  230. case PIDX_CIPHER_PARAM_AEAD_TAG:
  231. vp = ctx->buf;
  232. if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
  233. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
  234. return 0;
  235. }
  236. if (sz == 0 || ctx->enc) {
  237. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
  238. return 0;
  239. }
  240. ctx->taglen = sz;
  241. break;
  242. case PIDX_CIPHER_PARAM_AEAD_IVLEN:
  243. if (!OSSL_PARAM_get_size_t(p, &sz)) {
  244. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
  245. return 0;
  246. }
  247. if (sz == 0 || sz > sizeof(ctx->iv)) {
  248. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
  249. return 0;
  250. }
  251. if (ctx->ivlen != sz) {
  252. /* If the iv was already set or autogenerated, it is invalid. */
  253. if (ctx->iv_state != IV_STATE_UNINITIALISED)
  254. ctx->iv_state = IV_STATE_FINISHED;
  255. ctx->ivlen = sz;
  256. }
  257. break;
  258. case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
  259. if (p->data_type != OSSL_PARAM_OCTET_STRING) {
  260. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
  261. return 0;
  262. }
  263. sz = gcm_tls_init(ctx, p->data, p->data_size);
  264. if (sz == 0) {
  265. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
  266. return 0;
  267. }
  268. ctx->tls_aad_pad_sz = sz;
  269. break;
  270. case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
  271. if (p->data_type != OSSL_PARAM_OCTET_STRING) {
  272. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
  273. return 0;
  274. }
  275. if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
  276. ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
  277. return 0;
  278. }
  279. break;
  280. case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
  281. if (p->data == NULL
  282. || p->data_type != OSSL_PARAM_OCTET_STRING
  283. || !setivinv(ctx, p->data, p->data_size))
  284. return 0;
  285. break;
  286. }
  287. }
  288. return 1;
  289. }
  290. int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
  291. size_t outsize, const unsigned char *in, size_t inl)
  292. {
  293. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  294. if (inl == 0) {
  295. *outl = 0;
  296. return 1;
  297. }
  298. if (outsize < inl) {
  299. ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
  300. return 0;
  301. }
  302. if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
  303. ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
  304. return 0;
  305. }
  306. return 1;
  307. }
  308. int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
  309. size_t outsize)
  310. {
  311. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  312. int i;
  313. if (!ossl_prov_is_running())
  314. return 0;
  315. i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
  316. if (i <= 0)
  317. return 0;
  318. *outl = 0;
  319. return 1;
  320. }
  321. int ossl_gcm_cipher(void *vctx,
  322. unsigned char *out, size_t *outl, size_t outsize,
  323. const unsigned char *in, size_t inl)
  324. {
  325. PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
  326. if (!ossl_prov_is_running())
  327. return 0;
  328. if (outsize < inl) {
  329. ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
  330. return 0;
  331. }
  332. if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
  333. return 0;
  334. *outl = inl;
  335. return 1;
  336. }
  337. /*
  338. * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
  339. *
  340. * See also 8.2.2 RBG-based construction.
  341. * Random construction consists of a free field (which can be NULL) and a
  342. * random field which will use a DRBG that can return at least 96 bits of
  343. * entropy strength. (The DRBG must be seeded by the FIPS module).
  344. */
  345. static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
  346. {
  347. int sz = ctx->ivlen - offset;
  348. /* Must be at least 96 bits */
  349. if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
  350. return 0;
  351. /* Use DRBG to generate random iv */
  352. if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
  353. return 0;
  354. ctx->iv_state = IV_STATE_BUFFERED;
  355. ctx->iv_gen_rand = 1;
  356. return 1;
  357. }
  358. static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
  359. size_t *padlen, const unsigned char *in,
  360. size_t len)
  361. {
  362. size_t olen = 0;
  363. int rv = 0;
  364. const PROV_GCM_HW *hw = ctx->hw;
  365. if (ctx->tls_aad_len != UNINITIALISED_SIZET)
  366. return gcm_tls_cipher(ctx, out, padlen, in, len);
  367. if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
  368. goto err;
  369. /*
  370. * FIPS requires generation of AES-GCM IV's inside the FIPS module.
  371. * The IV can still be set externally (the security policy will state that
  372. * this is not FIPS compliant). There are some applications
  373. * where setting the IV externally is the only option available.
  374. */
  375. if (ctx->iv_state == IV_STATE_UNINITIALISED) {
  376. if (!ctx->enc || !gcm_iv_generate(ctx, 0))
  377. goto err;
  378. }
  379. if (ctx->iv_state == IV_STATE_BUFFERED) {
  380. if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
  381. goto err;
  382. ctx->iv_state = IV_STATE_COPIED;
  383. }
  384. if (in != NULL) {
  385. /* The input is AAD if out is NULL */
  386. if (out == NULL) {
  387. if (!hw->aadupdate(ctx, in, len))
  388. goto err;
  389. } else {
  390. /* The input is ciphertext OR plaintext */
  391. if (!hw->cipherupdate(ctx, in, len, out))
  392. goto err;
  393. }
  394. } else {
  395. /* The tag must be set before actually decrypting data */
  396. if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
  397. goto err;
  398. if (!hw->cipherfinal(ctx, ctx->buf))
  399. goto err;
  400. ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
  401. goto finish;
  402. }
  403. olen = len;
  404. finish:
  405. rv = 1;
  406. err:
  407. *padlen = olen;
  408. return rv;
  409. }
  410. static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
  411. {
  412. unsigned char *buf;
  413. size_t len;
  414. if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
  415. return 0;
  416. /* Save the aad for later use. */
  417. buf = dat->buf;
  418. memcpy(buf, aad, aad_len);
  419. dat->tls_aad_len = aad_len;
  420. len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
  421. /* Correct length for explicit iv. */
  422. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  423. return 0;
  424. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  425. /* If decrypting correct for tag too. */
  426. if (!dat->enc) {
  427. if (len < EVP_GCM_TLS_TAG_LEN)
  428. return 0;
  429. len -= EVP_GCM_TLS_TAG_LEN;
  430. }
  431. buf[aad_len - 2] = (unsigned char)(len >> 8);
  432. buf[aad_len - 1] = (unsigned char)(len & 0xff);
  433. /* Extra padding: tag appended to record. */
  434. return EVP_GCM_TLS_TAG_LEN;
  435. }
  436. static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
  437. size_t len)
  438. {
  439. /* Special case: -1 length restores whole IV */
  440. if (len == (size_t)-1) {
  441. memcpy(ctx->iv, iv, ctx->ivlen);
  442. ctx->iv_gen = 1;
  443. ctx->iv_state = IV_STATE_BUFFERED;
  444. return 1;
  445. }
  446. /* Fixed field must be at least 4 bytes and invocation field at least 8 */
  447. if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
  448. || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  449. return 0;
  450. if (len > 0)
  451. memcpy(ctx->iv, iv, len);
  452. if (ctx->enc
  453. && RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
  454. return 0;
  455. ctx->iv_gen = 1;
  456. ctx->iv_state = IV_STATE_BUFFERED;
  457. return 1;
  458. }
  459. /*
  460. * Handle TLS GCM packet format. This consists of the last portion of the IV
  461. * followed by the payload and finally the tag. On encrypt generate IV,
  462. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  463. * and verify tag.
  464. */
  465. static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
  466. const unsigned char *in, size_t len)
  467. {
  468. int rv = 0;
  469. size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
  470. size_t plen = 0;
  471. unsigned char *tag = NULL;
  472. if (!ossl_prov_is_running() || !ctx->key_set)
  473. goto err;
  474. /* Encrypt/decrypt must be performed in place */
  475. if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  476. goto err;
  477. /*
  478. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  479. * Requirements from SP 800-38D". The requirements is for one party to the
  480. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  481. * side only.
  482. */
  483. if (ctx->enc && ++ctx->tls_enc_records == 0) {
  484. ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
  485. goto err;
  486. }
  487. /*
  488. * Set IV from start of buffer or generate IV and write to start of
  489. * buffer.
  490. */
  491. if (ctx->enc) {
  492. if (!getivgen(ctx, out, arg))
  493. goto err;
  494. } else {
  495. if (!setivinv(ctx, out, arg))
  496. goto err;
  497. }
  498. /* Fix buffer and length to point to payload */
  499. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  500. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  501. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  502. tag = ctx->enc ? out + len : (unsigned char *)in + len;
  503. if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
  504. EVP_GCM_TLS_TAG_LEN)) {
  505. if (!ctx->enc)
  506. OPENSSL_cleanse(out, len);
  507. goto err;
  508. }
  509. if (ctx->enc)
  510. plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  511. else
  512. plen = len;
  513. rv = 1;
  514. err:
  515. ctx->iv_state = IV_STATE_FINISHED;
  516. ctx->tls_aad_len = UNINITIALISED_SIZET;
  517. *padlen = plen;
  518. return rv;
  519. }