From 96a76161020b928e1e01f56826e2cdd5bb4adf3f Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 6 Jun 2025 07:41:01 +0000
Subject: Fix EVP_DecryptFinal() for CCM ciphers

There is an old trap that you must not call EVP_*Final() when
using AES-CCM. While encrypting this happens to be a noop and
succeeds, but when decrypting, the call fails. This behavior
changed in OpenSSL and BoringSSL, making the trap even worse
since we now fail when the others succeed.

This is an adaptation of OpenSSL commit 197421b1 to fix this.
See also https://github.com/sfackler/rust-openssl/pull/1805#issuecomment-2734788336

ok beck kenjiro
---
 src/lib/libcrypto/evp/e_aes.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index a0f192905d..74d86c98d8 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.69 2025/06/03 08:42:15 kenjiro Exp $ */
+/* $OpenBSD: e_aes.c,v 1.70 2025/06/06 07:41:01 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -2032,7 +2032,14 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	CCM128_CONTEXT *ccm = &cctx->ccm;
 
 	/* If not set up, return error */
-	if (!cctx->iv_set && !cctx->key_set)
+	if (!cctx->key_set)
+		return -1;
+
+	/* EVP_*Final() doesn't return any data */
+	if (in == NULL && out != NULL)
+		return 0;
+
+	if (!cctx->iv_set)
 		return -1;
 	if (!ctx->encrypt && !cctx->tag_set)
 		return -1;
@@ -2051,9 +2058,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 		CRYPTO_ccm128_aad(ccm, in, len);
 		return len;
 	}
-	/* EVP_*Final() doesn't return any data */
-	if (!in)
-		return 0;
+
 	/* If not set length yet do it */
 	if (!cctx->len_set) {
 		if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
-- 
cgit v1.2.3-55-g6feb