I'll post a full patch at some point - but in the interim. This isn't so much a bug as something I forgot to go back and fix when I coded it originally. CCM will fail with AAD > 0xff00 bytes as I forgot to add the formatting bytes for the larger AADs. Note that it still hasn't been tested with AADs > 2^32 bytes.
With normal use of CCM this was probably harmless, as it's typically used with small packets. --- openssl-0.9.8e.orig/crypto/aes/aes_ccm.c 2009-12-18 08:38:39.000000000 +1000 +++ openssl-0.9.8e/crypto/aes/aes_ccm.c 2009-12-18 10:29:51.000000000 +1000 @@ -180,7 +180,8 @@ unsigned int aadbytes = 0; unsigned int offset = 0; int outl = 0; - unsigned int i,j; + unsigned int i,j,k; + int aadenc = 2; #if defined(AES_CCM_DEBUG) int b = 0; /* Index counters to aid formatting during debug */ int s = 0; @@ -283,15 +284,22 @@ if(aad != NULL && aadlen > 0) { if(aadlen < (0x10000L - 0x100L)) { aadbytes = 2; + aadenc = 2; } else if(aadlen <= 0xFFFFFFFF) { aadbytes = 6; + aadenc = 4; + A0[0] = 0xff; + A0[1] = 0xfe; } else { aadbytes = 10; + aadenc = 8; + A0[0] = 0xff; + A0[1] = 0xff; } j = aadlen; - for(i = aadbytes-1; i > 0; i--) { - A0[i] = j & 0xff; - j >>= 8; + for(i = 0, k = aadbytes-1; i < aadenc; i++,k--) { + A0[k] = j & 0xff; + j = j / 256; } /* Now roll through the aad ? */ } @@ -364,7 +372,7 @@ /* AES_encrypt(CTR,A0,akey); */ EVP_EncryptUpdate(ctx,A0,&outl,CTR,AES_BLOCK_SIZE); printbinCTR("S",&s,A0,AES_BLOCK_SIZE); - /* Increment the ounter */ + /* Increment the counter */ AES_CCM_inc(CTR,q); /* XOR the encrypted counter with the incoming data */ ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
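Review bot: In the first hunk (@@ -180,7 +180,8 @@) the variable j stays unsigned int on the changed declaration line, yet the second hunk copies aadlen into it and then emits up to 8 length bytes from it. Where unsigned int is 32 bits, the top four bytes of the 8-byte form will always come out as zero, so j should be given the same width as aadlen (whose type is not visible in this diff). aadenc is also declared int but compared against the unsigned i in the new loop; declaring it unsigned int avoids a signed/unsigned comparison, and the = 2 initialiser duplicates the assignment made in the first branch.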
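Review bot: In the second hunk (@@ -283,15 +284,22 @@) the marker bytes 0xff 0xfe and 0xff 0xff and the aadbytes/aadenc pairs (2/2, 6/4, 10/8) are undocumented magic values that have to be kept in step by hand. A short comment above the if chain naming the CCM length-encoding rule, or deriving aadenc from aadbytes, would make the relationship checkable. The else branch with aadenc = 8 is only reachable if aadlen is wider than 32 bits, which this diff does not show, and the patch carries no test at the 0xff00 boundary where the form changes; one vector on each side of that boundary would cover the case being fixed.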
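The AAD length formatting that the message describes, written as a stand-alone encoder with boundary vectors. This is an added example, not code from the post or from the OpenSSL source; it follows the length-encoding rule in RFC 3610, and the function names and test vectors are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write the CCM length prefix for an AAD of a bytes.
 * Returns bytes written (2, 6 or 10), or 0 when there is no AAD. */
size_t ccm_encode_aad_len(uint64_t a, unsigned char out[10])
{
    size_t n, first, i;
    if (a == 0)
        return 0;                      /* no AAD: no length field */
    if (a < 0xFF00u) {                 /* 0 < a < 2^16 - 2^8 */
        n = 2; first = 0;
    } else if (a <= 0xFFFFFFFFu) {     /* 2^16 - 2^8 <= a < 2^32 */
        out[0] = 0xFF; out[1] = 0xFE;
        n = 6; first = 2;
    } else {                           /* 2^32 <= a < 2^64 */
        out[0] = 0xFF; out[1] = 0xFF;
        n = 10; first = 2;
    }
    /* Big-endian length; a is 64 bits wide so the 8-byte form is exact. */
    for (i = n; i > first; i--) {
        out[i - 1] = (unsigned char)(a & 0xFF);
        a >>= 8;
    }
    return n;
}

/* Constructed vectors: one on each side of every change of form. */
static const struct { uint64_t a; size_t n; unsigned char enc[10]; } kat[] = {
    { 0x1ULL,          2, {0x00,0x01} },
    { 0xFEFFULL,       2, {0xFE,0xFF} },
    { 0xFF00ULL,       6, {0xFF,0xFE,0x00,0x00,0xFF,0x00} },
    { 0xFFFFFFFFULL,   6, {0xFF,0xFE,0xFF,0xFF,0xFF,0xFF} },
    { 0x100000000ULL, 10, {0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00} },
};

/* Returns the index of the first failing vector, or -1 if all match. */
int ccm_aad_len_selftest(void)
{
    unsigned char buf[10];
    size_t i;
    for (i = 0; i < sizeof kat / sizeof kat[0]; i++)
        if (ccm_encode_aad_len(kat[i].a, buf) != kat[i].n ||
            memcmp(buf, kat[i].enc, kat[i].n) != 0)
            return (int)i;
    return -1;
}

int main(void) { printf("selftest: %d\n", ccm_aad_len_selftest()); return 0; }
```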