Decreate the length after decryption for the stitched ciphers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c

@@ -60,6 +60,8 @@ static int aesni_cbc_hmac_sha1_init_key(PROV_CIPHER_CTX *vctx,
 
     ctx->payload_length = NO_PAYLOAD_LENGTH;
 
+    vctx->removetlspad = SHA_DIGEST_LENGTH + AES_BLOCK_SIZE;
+
     return ret < 0 ? 0 : 1;
 }
 

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c

@@ -62,6 +62,8 @@ static int aesni_cbc_hmac_sha256_init_key(PROV_CIPHER_CTX *vctx,
 
     ctx->payload_length = NO_PAYLOAD_LENGTH;
 
+    vctx->removetlspad = SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE;
+
     return ret < 0 ? 0 : 1;
 }
 

providers/implementations/ciphers/ciphercommon.c

@@ -358,6 +358,18 @@ int cipher_generic_stream_update(void *vctx, unsigned char *out, size_t *outl,
     }
 
     *outl = inl;
+    /*
+     * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
+     * cipher_aes_cbc_hmac_sha256_hw.c
+     */
+    if (!ctx->enc && ctx->removetlspad > 0) {
+        /* The actual padding length */
+        *outl -= out[inl - 1] + 1;
+
+        /* MAC and explicit IV */
+        *outl -= ctx->removetlspad;
+    }
+
     return 1;
 }
 int cipher_generic_stream_final(void *vctx, unsigned char *out, size_t *outl,

providers/implementations/include/prov/ciphercommon.h

@@ -58,6 +58,11 @@ struct prov_cipher_ctx_st {
                               * points into the user buffer.
                               */
     size_t tlsmacsize;       /* Size of the TLS MAC */
+    size_t removetlspad;     /*
+                              * Length of the fixed size data to remove when
+                              * removing TLS padding (equals mac size plus
+                              * IV size if applicable)
+                              */
 
     /*
      * num contains the number of bytes of |iv| which are valid for modes that