early_data and CCM ciphersuite (openssl 3.0.5) #20377

Closed
vitalyk-radware opened this issue Feb 26, 2023 · 3 comments
Labels
triaged: bug The issue/pr is/fixes a bug

Comments


vitalyk-radware commented Feb 26, 2023

I get an error

00171B7AA27F0000:error:1C800066:Provider routines:(unknown function):cipher operation failed:providers/implementations/ciphers/ciphercommon_ccm.c:278:

in the following case:

server:

openssl s_server  -key ../conf/keys/server.pem    -cert ../conf/keys/server.pem  -port 7887 -recv_max_early_data  88888  -early_data  -tls1_3  -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

client:

openssl s_client -connect 127.0.0.1:7887 -tls1_3 -sess_out ../tmp/sess -ciphersuites TLS_AES_128_CCM_SHA256
openssl s_client -connect 127.0.0.1:7887 -tls1_3 -sess_in ../tmp/sess -ciphersuites TLS_AES_128_CCM_SHA256 -early_data ../tmp/EARLY_DATA
openssl s_client -connect 127.0.0.1:7887 -tls1_3 -sess_in ../tmp/sess -ciphersuites TLS_AES_128_CCM_SHA256 -early_data ../tmp/EARLY_DATA

tmp.zip

On the second reuse of a session with early data, I get this error on the server when the connection is closed.
It happens only with CCM ciphers, but does not happen with GCM.
It only happens when there is early_data.

With openssl 1.1.1 it worked fine.
Please help. Thank you.

vitalyk-radware added the "issue: bug report" label (The issue was opened to report a bug) Feb 26, 2023
vitalyk-radware changed the title from "early_data and CCM ciphersuite" to "early_data and CCM ciphersuite (openssl 3.0.5)" Feb 26, 2023
mattcaswell added the "triaged: bug" label (The issue/pr is/fixes a bug) and removed the "issue: bug report" label (The issue was opened to report a bug) Feb 27, 2023
@mattcaswell
Member

This is an OpenSSL bug. It seems we are leaving a spurious error on the error queue in the event that early data decryption fails (which is a normal event). Investigating further...
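The error-queue line quoted in the report can be taken apart mechanically, which helps when checking server logs for this particular entry. The C code below is an added example, not code from this issue or from OpenSSL: `queue_entry`, `parse_queue_line` and `matches_ccm_report` are hypothetical names, and the bit layout it assumes is the OpenSSL 3.x packed error code format (library number in bits 23 to 30, reason in the low 23 bits).

```c
#include <stdio.h>
#include <string.h>

#define LIB_SYS  2    /* ERR_LIB_SYS */
#define LIB_PROV 57   /* ERR_LIB_PROV */

struct queue_entry {  /* hypothetical name: one parsed error-queue line */
    unsigned long code;
    int lib, reason, line;
    char text[128], file[256];
};

/* Parse "thread:error:CODE:libname:func:reason:file:line:" (0 on success)
 * and split CODE using the OpenSSL 3.x packed layout from openssl/err.h. */
int parse_queue_line(const char *s, struct queue_entry *e)
{
    memset(e, 0, sizeof(*e));
    if (sscanf(s, "%*[^:]:error:%8lx:%*[^:]:%*[^:]:%127[^:]:%255[^:]:%d",
               &e->code, e->text, e->file, &e->line) != 4)
        return -1;
    if (e->code & 0x80000000UL) {                /* system error: errno */
        e->lib = LIB_SYS;
        e->reason = (int)(e->code & 0x7FFFFFFFUL);
    } else {
        e->lib = (int)((e->code >> 23) & 0xFF);  /* library number */
        e->reason = (int)(e->code & 0x7FFFFF);   /* reason code */
    }
    return 0;
}

/* 1 if the entry has the shape reported here: provider library, "cipher
 * operation failed", raised in ciphercommon_ccm.c (line number ignored). */
int matches_ccm_report(const struct queue_entry *e)
{
    return e->lib == LIB_PROV
        && strcmp(e->text, "cipher operation failed") == 0
        && strstr(e->file, "ciphercommon_ccm.c") != NULL;
}

int main(void)
{
    /* The error line quoted in the report. */
    const char *line = "00171B7AA27F0000:error:1C800066:Provider routines:"
        "(unknown function):cipher operation failed:"
        "providers/implementations/ciphers/ciphercommon_ccm.c:278:";
    struct queue_entry e;
    if (parse_queue_line(line, &e) != 0) return 1;
    printf("lib=%d reason=%d %s:%d\n", e.lib, e.reason, e.file, e.line);
    return matches_ccm_report(&e) ? 0 : 1;
}
```

A match only identifies the shape of the entry; the same error text is also what a genuine CCM decryption failure produces, so the surrounding context (early data enabled, a resumed session, an affected OpenSSL version) still has to be checked.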

mattcaswell added a commit to mattcaswell/openssl that referenced this issue Feb 27, 2023
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes openssl#20377
@mattcaswell
Member

PR #20401 provides a fix for this for the master branch. Once I have approval for that PR, I'll create a new PR to backport the fix to 3.1/3.0

mattcaswell added a commit to mattcaswell/openssl that referenced this issue Mar 2, 2023
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes openssl#20377
mattcaswell added a commit to mattcaswell/openssl that referenced this issue Mar 6, 2023
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes openssl#20377
@mattcaswell
Member

3.1/3.0 backport of this in #20442

openssl-machine pushed a commit that referenced this issue Mar 14, 2023
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes #20377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from #20442)
openssl-machine pushed a commit that referenced this issue Mar 14, 2023
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes #20377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from #20442)

(cherry picked from commit d015b50)