From b48e3be947ddc5da6b5a86db8341081c72b9a4ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Fri, 14 Sep 2018 21:49:34 +0200 Subject: Allow specifying the tag after AAD in CCM mode This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior. GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data. This commit also adds a test case for setting the tag after supplying plaintext length and AAD. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7243) (cherry picked from commit 67c81ec311d696464bdbf4c6d6f8a887a3ddf9f8) --- crypto/evp/e_aes.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'crypto/evp') diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 39eb4f379a..55cc4423a7 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -3643,8 +3643,6 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (!cctx->iv_set) return -1; - if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set) - return -1; if (!out) { if (!in) { if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), @@ -3659,6 +3657,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, CRYPTO_ccm128_aad(ccm, in, len); return len; } + + /* The tag must be set before actually decrypting data */ + if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set) + return -1; + /* If not set length yet do it */ if (!cctx->len_set) { if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), -- cgit v1.2.3