From b9e6d360100bc1184a96f98231d096238e8e2df4 Mon Sep 17 00:00:00 2001
From: Daniel Kubec
Date: Sat, 11 Oct 2025 12:45:42 +0200
Subject: [PATCH] AEAD: Raise an error on EVP_DecryptFinal_ex() without the tag being set
In AEAD cipher providers raise an error when EVP_DecryptFinal_ex() is called without the authentication tag being set.
Fixes #28730
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28872)
---
 .../implementations/ciphers/cipher_chacha20_poly1305.c.in | 4 +++-
 providers/implementations/ciphers/ciphercommon_ccm.c.in | 4 +++-
 providers/implementations/ciphers/ciphercommon_gcm.c.in | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c.in b/providers/implementations/ciphers/cipher_chacha20_poly1305.c.in
index bfb54d7f841..4ef3ed5e060 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c.in
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c.in
@@ -338,8 +338,10 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl,
 return 0;
 /* The tag must be set before actually decrypting data */
- if (!ctx->base.enc && ctx->tag_len == 0)
+ if (!ctx->base.enc && ctx->tag_len == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET);
 return 0;
+ }
 if (hw->aead_cipher((PROV_CIPHER_CTX *)ctx, out, outl, NULL, 0) <= 0)
 return 0;
diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c.in b/providers/implementations/ciphers/ciphercommon_ccm.c.in
index 56bfb6d3dc2..922312773c5 100644
--- a/providers/implementations/ciphers/ciphercommon_ccm.c.in
+++ b/providers/implementations/ciphers/ciphercommon_ccm.c.in
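Review bot: The retained comment above the guard in `chacha20_poly1305_final`, "The tag must be set before actually decrypting data", does not match where the check sits: this is the final step, called here with a NULL input and length 0, so any plaintext was presumably already handed back by earlier update calls. I would reword it to state what is actually enforced, e.g. `/* Final verifies the tag, so it must have been set; earlier output is unauthenticated until this returns success */`. The same comment sits above the `hw->cipherfinal` guard in the `gcm_cipher_internal` hunk; in the CCM hunk the check directly precedes `hw->auth_decrypt`, so the wording fits there. The function body starts and ends outside the hunk.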
@@ -442,8 +442,10 @@ static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
 ctx->tag_set = 1;
 } else {
 /* The tag must be set before actually decrypting data */
- if (!ctx->tag_set)
+ if (!ctx->tag_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET);
 goto err;
+ }
 if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
 goto err;
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c.in b/providers/implementations/ciphers/ciphercommon_gcm.c.in
index 4964f15e67d..08417687eba 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c.in
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c.in
@@ -465,8 +465,10 @@ static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
 }
 } else {
 /* The tag must be set before actually decrypting data */
- if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
+ if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET);
 goto err;
+ }
 if (!hw->cipherfinal(ctx, ctx->buf))
 goto err;
 ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
-- 2.47.3
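Review bot: In the decrypt branch of `ccm_cipher_internal` the two failure exits now behave differently: a missing tag raises `PROV_R_TAG_NOT_SET`, while a failed `hw->auth_decrypt` on the following lines still reaches `goto err` with no `ERR_raise` visible in the hunk. If `auth_decrypt` does not raise on its own (it is outside this view), a one-line comment such as `/* authentication failure is reported through the return value only */` would keep callers and later maintainers from reading an empty error queue as meaning the tag verified. The same pairing appears with `hw->cipherfinal` in the `gcm_cipher_internal` hunk and with `hw->aead_cipher` in `chacha20_poly1305_final`. `ccm_cipher_internal` starts and ends outside the hunk.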