Ensure Stream ciphers know how to remove a TLS MAC
authorMatt Caswell <matt@openssl.org>
Tue, 10 Nov 2020 16:01:11 +0000 (16:01 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 25 Nov 2020 10:14:43 +0000 (10:14 +0000)
We previously updated the block ciphers to know how to remove a TLS
MAC when using Encrypt-then-MAC. We also need to do the same for stream
ciphers.

Fixes #13363

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)

providers/implementations/ciphers/ciphercommon.c

index 8d45d7a7d732b9c1836513ca502cc2ed64df03cb..23f191fbbff00589787d2b662e1e72c51d258038 100644 (file)
@@ -429,16 +429,27 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
     }
 
     *outl = inl;
-    /*
-     * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
-     * cipher_aes_cbc_hmac_sha256_hw.c
-     */
-    if (!ctx->enc && ctx->removetlspad > 0) {
-        /* The actual padding length */
-        *outl -= out[inl - 1] + 1;
+    if (!ctx->enc) {
+        /*
+        * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
+        * cipher_aes_cbc_hmac_sha256_hw.c
+        */
+        if (ctx->removetlspad > 0) {
+            /* The actual padding length */
+            *outl -= out[inl - 1] + 1;
+
+            /* MAC and explicit IV */
+            *outl -= ctx->removetlspad;
+        }
 
-        /* MAC and explicit IV */
-        *outl -= ctx->removetlspad;
+        /* Extract the MAC if there is one */
+        if (ctx->tlsmacsize > 0) {
+            if (*outl < ctx->tlsmacsize)
+                return 0;
+
+            ctx->tlsmac = out + *outl - ctx->tlsmacsize;
+            *outl -= ctx->tlsmacsize;
+        }
     }
 
     return 1;
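Review bot: In the `removetlspad` branch the two subtractions from `*outl` run with no bounds check, unlike the new MAC branch, which tests `*outl < ctx->tlsmacsize` first. `out[inl - 1]` reads before the buffer when `inl` is 0. If `*outl` is unsigned (its declaration and the start of the function are outside the hunk), a pad byte plus `removetlspad` larger than `inl` wraps, so the MAC length test then passes and `ctx->tlsmac` ends up pointing outside `out`. Unless the cipher call above the hunk already guarantees the padding fits, add a guard before the subtractions, such as `if (inl == 0 || (size_t)out[inl - 1] + 1 + ctx->removetlspad > inl) return 0;`, and otherwise state that invariant in a comment. A short comment that `ctx->tlsmac` aliases the caller's `out` buffer, and is valid only as long as that buffer is, would also help.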