AES-GCM shouldn't keep its own version of the tag length.

There's a |tag_len| in the generic AEAD context now so keeping a second
copy only invites confusion.

Change-Id: I029d8a8ee366e3af7f61408177c950d5b1a740a9
Reviewed-on: https://boringssl-review.googlesource.com/17424
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c
index 5556ff3..1505001 100644
--- a/crypto/fipsmodule/cipher/e_aes.c
+++ b/crypto/fipsmodule/cipher/e_aes.c
@@ -1144,7 +1144,6 @@
   } ks;
   GCM128_CONTEXT gcm;
   ctr128_f ctr;
-  uint8_t tag_len;
 };
 
 struct aead_aes_gcm_tls12_ctx {
@@ -1153,8 +1152,8 @@
 };
 
 static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
-                                  const uint8_t *key, size_t key_len,
-                                  size_t tag_len) {
+                                  size_t *out_tag_len, const uint8_t *key,
+                                  size_t key_len, size_t tag_len) {
   const size_t key_bits = key_len * 8;
 
   if (key_bits != 128 && key_bits != 256) {
@@ -1173,25 +1172,27 @@
 
   gcm_ctx->ctr =
       aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
-  gcm_ctx->tag_len = tag_len;
+  *out_tag_len = tag_len;
   return 1;
 }
 
 static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                             size_t key_len, size_t tag_len) {
+                             size_t key_len, size_t requested_tag_len) {
   struct aead_aes_gcm_ctx *gcm_ctx;
   gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_ctx));
   if (gcm_ctx == NULL) {
     return 0;
   }
 
-  if (!aead_aes_gcm_init_impl(gcm_ctx, key, key_len, tag_len)) {
+  size_t actual_tag_len;
+  if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len,
+                              requested_tag_len)) {
     OPENSSL_free(gcm_ctx);
     return 0;
   }
 
   ctx->aead_state = gcm_ctx;
-  ctx->tag_len = gcm_ctx->tag_len;
+  ctx->tag_len = actual_tag_len;
   return 1;
 }
 
@@ -1215,7 +1216,7 @@
     return 0;
   }
 
-  if (max_out_tag_len < gcm_ctx->tag_len) {
+  if (max_out_tag_len < ctx->tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -1240,8 +1241,8 @@
     }
   }
 
-  CRYPTO_gcm128_tag(&gcm, out_tag, gcm_ctx->tag_len);
-  *out_tag_len = gcm_ctx->tag_len;
+  CRYPTO_gcm128_tag(&gcm, out_tag, ctx->tag_len);
+  *out_tag_len = ctx->tag_len;
   return 1;
 }
 
@@ -1259,7 +1260,7 @@
     return 0;
   }
 
-  if (in_tag_len != gcm_ctx->tag_len) {
+  if (in_tag_len != ctx->tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
@@ -1284,8 +1285,8 @@
     }
   }
 
-  CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
-  if (CRYPTO_memcmp(tag, in_tag, gcm_ctx->tag_len) != 0) {
+  CRYPTO_gcm128_tag(&gcm, tag, ctx->tag_len);
+  if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
@@ -1320,7 +1321,7 @@
 }
 
 static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len) {
+                                   size_t key_len, size_t requested_tag_len) {
   struct aead_aes_gcm_tls12_ctx *gcm_ctx;
   gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_tls12_ctx));
   if (gcm_ctx == NULL) {
@@ -1329,13 +1330,15 @@
 
   gcm_ctx->counter = 0;
 
-  if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, key, key_len, tag_len)) {
+  size_t actual_tag_len;
+  if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
+                              requested_tag_len)) {
     OPENSSL_free(gcm_ctx);
     return 0;
   }
 
   ctx->aead_state = gcm_ctx;
-  ctx->tag_len = gcm_ctx->gcm_ctx.tag_len;
+  ctx->tag_len = actual_tag_len;
   return 1;
 }