doc: document the change to the security level of CCM8 cipher suites

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16652)
author: Pauli <pauli@openssl.org> 2021-09-22 10:32:49 +1000
committer: Pauli <pauli@openssl.org> 2021-09-24 17:38:23 +1000
commit: 56ffcce492ffc6f36b2f0d9431e23febe054dd04 (patch)
tree: c49c830dbe307257dfdc9ceeeb05a713311035c5
parent: 1a473d1cc67e04ae9fea517b36dc332143250cf5 (diff)
2 files changed, 14 insertions, 13 deletions
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 292d6a2333..13109c89a4 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -83,8 +83,9 @@ using MD5 for the MAC is also prohibited.
 
 Security level set to 112 bits of security. As a result RSA, DSA and DH keys
 shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
-In addition to the level 1 exclusions any cipher suite using RC4 is also
-prohibited. SSL version 3 is also not allowed. Compression is disabled.
+In addition to the level 1 exclusions any cipher suite using RC4 and any
+cipher suite using CCM with a 64 bit authentication tag are also prohibited.
+SSL version 3 is also not allowed. Compression is disabled.
 
 =item B<Level 3>
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 88565a7000..9a53e6af20 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -110,7 +110,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         0, 0,
         SSL_NOT_DEFAULT | SSL_MEDIUM,
         SSL_HANDSHAKE_MAC_SHA256,
-        64, /* CCM8 uses a short tag, so we have a low security strength */
+        80, /* CCM8 uses a short tag, so we have a low security strength */
         128,
     }
 };
@@ -701,7 +701,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -717,7 +717,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -733,7 +733,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -749,7 +749,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -829,7 +829,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -845,7 +845,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -861,7 +861,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -877,7 +877,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -925,7 +925,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -941,7 +941,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     64, /* CCM8 uses a short tag, so we have a low security strength */
+     80, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
author	Pauli <pauli@openssl.org>	2021-09-22 10:32:49 +1000
committer	Pauli <pauli@openssl.org>	2021-09-24 17:38:23 +1000
commit	56ffcce492ffc6f36b2f0d9431e23febe054dd04 (patch)
tree	c49c830dbe307257dfdc9ceeeb05a713311035c5
parent	1a473d1cc67e04ae9fea517b36dc332143250cf5 (diff)