Fix EVP_DecryptFinal() for CCM ciphers

There is an old trap that you must not call EVP_*Final() when
using AES-CCM. While encrypting this happens to be a noop and
succeeds, but when decrypting, the call fails. This behavior
changed in OpenSSL and BoringSSL, making the trap even worse
since we now fail when the others succeed.

This is an adaptation of OpenSSL commit 197421b1 to fix this.
See also https://github.com/sfackler/rust-openssl/pull/1805#issuecomment-2734788336

ok beck kenjiro

1 files changed, 10 insertions, 5 deletions

diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index a0f192905d..74d86c98d8 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.69 2025/06/03 08:42:15 kenjiro Exp $ */
+/* $OpenBSD: e_aes.c,v 1.70 2025/06/06 07:41:01 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -2032,7 +2032,14 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         CCM128_CONTEXT *ccm = &cctx->ccm;
 
         /* If not set up, return error */
-        if (!cctx->iv_set && !cctx->key_set)
+        if (!cctx->key_set)
+                return -1;
+
+        /* EVP_*Final() doesn't return any data */
+        if (in == NULL && out != NULL)
+                return 0;
+
+        if (!cctx->iv_set)
                 return -1;
         if (!ctx->encrypt && !cctx->tag_set)
                 return -1;
@@ -2051,9 +2058,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 CRYPTO_ccm128_aad(ccm, in, len);
                 return len;
         }
-        /* EVP_*Final() doesn't return any data */
-        if (!in)
-                return 0;
+
         /* If not set length yet do it */
         if (!cctx->len_set) {
                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))