tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits

This is the length of the tag they use and should be considered an upper bound
on their strength.

This lowers their security strength to level 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)

diff --git a/CHANGES.md b/CHANGES.md
index cfb6eb0821b31a073f0fc72fa22cbb6314beeefb..84fb4c3f84219f396eda8b72694b09131461a99f 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,8 +24,8 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1 [xx XXX xxxx]
 
- * CCM8 cipher suites in TLS have been downgraded to security level 1 because
-   they use a short tag which lowers their strength.
+ * CCM8 cipher suites in TLS have been downgraded to security level zero
+   because they use a short authentication tag which lowers their strength.
 
    *Paul Dale*
 

diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 13109c89a44e682931ddb0a3a5e95229a37de40e..d9965572c8e3525d22b4190034546e70ac4ac057 100644 (file)
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -77,15 +77,15 @@ parameters offering below 80 bits of security are excluded. As a result RSA,
 DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
 are prohibited. All export cipher suites are prohibited since they all offer
 less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
-using MD5 for the MAC is also prohibited.
+using MD5 for the MAC is also prohibited. Any cipher suites using CCM with
+a 64 bit authentication tag are prohibited.
 
 =item B<Level 2>
 
 Security level set to 112 bits of security. As a result RSA, DSA and DH keys
 shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
-In addition to the level 1 exclusions any cipher suite using RC4 and any
-cipher suite using CCM with a 64 bit authentication tag are also prohibited.
-SSL version 3 is also not allowed. Compression is disabled.
+In addition to the level 1 exclusions any cipher suite using RC4 is also
+prohibited. SSL version 3 is also not allowed. Compression is disabled.
 
 =item B<Level 3>
 

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 9a53e6af202b1447f10cf780208632d4e75f110a..88565a700063e8f8be6f2b82eeb564973627c1b5 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -110,7 +110,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         0, 0,
         SSL_NOT_DEFAULT | SSL_MEDIUM,
         SSL_HANDSHAKE_MAC_SHA256,
-        80, /* CCM8 uses a short tag, so we have a low security strength */
+        64, /* CCM8 uses a short tag, so we have a low security strength */
         128,
     }
 };
@@ -701,7 +701,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -717,7 +717,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -733,7 +733,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -749,7 +749,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -829,7 +829,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -845,7 +845,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -861,7 +861,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -877,7 +877,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {
@@ -925,7 +925,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      128,
      },
     {
@@ -941,7 +941,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      DTLS1_2_VERSION, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
-     80, /* CCM8 uses a short tag, so we have a low security strength */
+     64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
     {

diff --git a/test/sslapitest.c b/test/sslapitest.c
index e95d2657f46c430f1df788c96e050d0ef9e71790..1337698e0dc4bd615e954ccf9ee65c9afd52511d 100644 (file)
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4112,6 +4112,12 @@ static int test_early_data_psk_with_all_ciphers(int idx)
                                         &serverssl, &sess, 2)))
         goto end;
 
+    if (idx == 4) {
+        /* CCM8 ciphers are considered low security due to their short tag */
+        SSL_set_security_level(clientssl, 0);
+        SSL_set_security_level(serverssl, 0);
+    }
+
     if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
             || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
         goto end;
@@ -4399,9 +4405,11 @@ static int test_ciphersuite_change(void)
                                                    "TLS_AES_256_GCM_SHA384:"
                                                    "TLS_AES_128_CCM_SHA256"))
             || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
-                                                   "TLS_AES_128_GCM_SHA256"))
-            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
-                                          &clientssl, NULL, NULL))
+                                                   "TLS_AES_128_GCM_SHA256")))
+        goto end;
+
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                      NULL, NULL))
             || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_NONE)))
         goto end;
@@ -4928,16 +4936,19 @@ static int test_tls13_ciphersuite(int idx)
     static const struct {
         const char *ciphername;
         int fipscapable;
+        int low_security;
     } t13_ciphers[] = {
-        { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
-        { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
-        { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
+        { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
+        { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
+        { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
+        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
         { TLS1_3_RFC_AES_256_GCM_SHA384
-          ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
+          ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
 # endif
-        { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
+        /* CCM8 ciphers are considered low security due to their short tag */
+        { TLS1_3_RFC_AES_128_CCM_8_SHA256
+          ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
     };
     const char *t13_cipher = NULL;
     const char *t12_cipher = NULL;
@@ -4981,6 +4992,11 @@ static int test_tls13_ciphersuite(int idx)
                                                &sctx, &cctx, cert, privkey)))
                 goto end;
 
+            if (t13_ciphers[i].low_security) {
+                SSL_CTX_set_security_level(sctx, 0);
+                SSL_CTX_set_security_level(cctx, 0);
+            }
+
             if (set_at_ctx) {
                 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
                     || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))