
AES-CCM ciphers don't interoperate any more #406

Closed
tomato42 opened this issue May 20, 2020 · 3 comments · Fixed by #410


tomato42 commented May 20, 2020

When running against openssl-1.1.1g-1.fc30.x86_64 on fedora:

openssl req -x509 -newkey rsa -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch -days 3650
openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt -www

the client aborts the connection with bad_record_mac alert:

$ PYTHONPATH=. python scripts/tls.py client --cipherlist aes128ccm localhost:4433
Traceback (most recent call last):
  File "scripts/tls.py", line 675, in <module>
    clientCmd(sys.argv[2:])
  File "scripts/tls.py", line 414, in clientCmd
    settings=settings, serverName=address[0], alpn=alpn)
  File "/home/hkario/dev/tlslite-1/tlslite/utils/deprecations.py", line 94, in wrapper
    return func(*args, **kwargs)
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 394, in handshakeClientCert
    for result in handshaker:
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 412, in _handshakeClientAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 4178, in _handshakeWrapperAsync
    for result in handshaker:
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 531, in _handshakeClientAsyncHelper
    serverHello):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1241, in _clientTLS13Handshake
    CertificateType.x509):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 998, in _getMsg
    for result in self._getNextRecord():
  File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 1240, in _getNextRecord
    for result in self._getNextRecordFromSocket():
  File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 1296, in _getNextRecordFromSocket
    "MAC failure (or padding failure)"):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 877, in _sendError
    raise TLSLocalAlert(alert, errorStr)
tlslite.errors.TLSLocalAlert: bad_record_mac: MAC failure (or padding failure)

git bisect indicated 84c57db as the offending commit; the v0.8.0-alpha37 tag is good.

@tomato42 tomato42 added the bug unintented behaviour in tlslite-ng code label May 20, 2020
@tomato42 tomato42 added this to the v0.8.0 milestone May 20, 2020
inikolchev (Collaborator) commented

@tomato42 I'm trying to reproduce the issue but I'm not able to. Can you help me if I'm missing something?
I'm on tlslite master with openssl 1.1.1.g-1 and it seems to be working as expected.

[inikolch@ggwp tlslite-ng]$ pacman -Q openssl
openssl 1.1.1.g-1
[inikolch@ggwp tlslite-ng]$ git branch
* master
[inikolch@ggwp tlslite-ng]$ git fetch upstream 
[inikolch@ggwp tlslite-ng]$ git merge upstream/master 
Already up to date.
[inikolch@ggwp tlslite-ng]$ openssl s_server -key ~/dev/certs/server-key.pem -cert ~/dev/certs/server-cert.pem -www
Using default temp DH parameters
ACCEPT
[inikolch@ggwp tlslite-ng]$ PYTHONPATH=. python scripts/tls.py client --cipherlist aes128ccm localhost:4433
Unable to negotiate mutually acceptable parameters

This is correct, since openssl doesn't offer CCM ciphers by default (at least for TLS 1.3, not sure about 1.2). It is also weird to me how the connection even came to that point.
Adding -ciphersuites TLS_AES_128_CCM_SHA256 to s_server and I get:

[inikolch@ggwp tlslite-ng]$ PYTHONPATH=. python scripts/tls.py client --cipherlist aes128ccm localhost:4433
Handshake success
  Handshake time: 0.032 seconds
  Version: TLS 1.3
  Cipher: aes128ccm python
  Ciphersuite: TLS_AES_128_CCM_SHA256
  No client certificate provided by peer
  Server X.509 SHA1 fingerprint: 98dd31120ab4624dfee6c11fe24c58a11580ee05
  Key exchange signature: rsa_pss_rsae_sha512
  Group used for key exchange: secp256r1
  SNI: localhost
  Next-Protocol Negotiated: None
  Encrypt-then-MAC: False
  Extended Master Secret: True
Received 2 ticket[s]

inikolchev (Collaborator) commented

It looks like TLS_AES_128_CCM_SHA256 is allowed by crypto-policies on Fedora but I still can't reproduce the issue.

tomato42 (Member, Author) commented

  Cipher: aes128ccm python

It doesn't look like it picked up the m2crypto/openssl implementation; check if you have it installed for the version of Python you're using.
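The last reply narrows the failure to one backend: inikolchev's successful run negotiated the pure-Python CCM (`Cipher: aes128ccm python`), not the m2crypto/openssl-backed one. A bad_record_mac from a CCM peer means the two ends computed different tags, and in CCM the tag is a CBC-MAC over fully deterministic framing (the B_0 flags byte, the AAD length prefix, the counter blocks), so the check a practitioner wants when a backend changes is that every implementation produces byte-identical output for the same key, nonce, AAD and plaintext. The block below is an added example, not code from tlslite-ng, commit 84c57db or PR #410: a compact RFC 3610 CCM written over a pluggable 16-byte block-encrypt callable, so an AES-128-ECB block function from any backend (pure Python, m2crypto, or another library) can be dropped in and compared. `stand_in_block_cipher` is a constructed placeholder (keyed SHA-256 truncated to 16 bytes) so the snippet runs offline; it is not AES and must be replaced by a real AES block function for any real comparison. The formatting helpers are checked against RFC 3610's Packet Vector #1 values and against the TLS 1.3 parameters for AEAD_AES_128_CCM (12-byte nonce, 16-byte tag, RFC 5116).

```python
"""RFC 3610 CCM (CBC-MAC + CTR) over a pluggable 16-byte block cipher.

Added example for cross-checking AES-CCM backends; not tlslite-ng code.
"""
import hashlib
import hmac
from typing import Callable

BlockEncrypt = Callable[[bytes], bytes]  # encrypts exactly one 16-byte block


def _xor(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, which is what CTR needs for a
    # final partial block.
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % 16)


def format_b0(nonce: bytes, aad_len: int, msg_len: int, tag_len: int) -> bytes:
    """First CBC-MAC block, RFC 3610 section 2.2: flags || nonce || msg length."""
    L = 15 - len(nonce)  # octets left for the message length field
    if not 2 <= L <= 8:
        raise ValueError("nonce must be 7..13 bytes")
    if tag_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("invalid tag length")
    if msg_len >= 1 << (8 * L):
        raise ValueError("message too long for this nonce length")
    # bit 6: Adata present; bits 5..3: (M-2)/2; bits 2..0: L-1
    flags = (0x40 if aad_len else 0x00) | (((tag_len - 2) // 2) << 3) | (L - 1)
    return bytes([flags]) + nonce + msg_len.to_bytes(L, "big")


def encode_aad_length(aad_len: int) -> bytes:
    """Length prefix placed in front of the AAD, RFC 3610 section 2.2."""
    if aad_len == 0:
        return b""
    if aad_len < 0xFF00:
        return aad_len.to_bytes(2, "big")
    if aad_len < 1 << 32:
        return b"\xff\xfe" + aad_len.to_bytes(4, "big")
    return b"\xff\xff" + aad_len.to_bytes(8, "big")


def counter_block(nonce: bytes, i: int) -> bytes:
    """CTR block A_i, RFC 3610 section 2.3: flags || nonce || counter."""
    L = 15 - len(nonce)
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")


def _cbc_mac(enc: BlockEncrypt, nonce: bytes, aad: bytes, msg: bytes, tag_len: int) -> bytes:
    data = format_b0(nonce, len(aad), len(msg), tag_len)
    if aad:
        data += _pad16(encode_aad_length(len(aad)) + aad)
    data += _pad16(msg)
    x = bytes(16)
    for off in range(0, len(data), 16):
        x = enc(_xor(x, data[off:off + 16]))
    return x[:tag_len]


def _ctr(enc: BlockEncrypt, nonce: bytes, data: bytes, first_counter: int) -> bytes:
    out = bytearray()
    for j, off in enumerate(range(0, len(data), 16)):
        out += _xor(data[off:off + 16], enc(counter_block(nonce, first_counter + j)))
    return bytes(out)


def ccm_encrypt(enc: BlockEncrypt, nonce: bytes, aad: bytes, plaintext: bytes, tag_len: int = 16) -> bytes:
    """Returns ciphertext || tag; the tag is masked with S_0 = E(A_0) as RFC 3610 requires."""
    tag = _cbc_mac(enc, nonce, aad, plaintext, tag_len)
    s0 = enc(counter_block(nonce, 0))
    return _ctr(enc, nonce, plaintext, 1) + _xor(tag, s0[:tag_len])


def ccm_decrypt(enc: BlockEncrypt, nonce: bytes, aad: bytes, ciphertext: bytes, tag_len: int = 16) -> bytes:
    """Raises ValueError (the record layer's bad_record_mac case) on any tag mismatch."""
    if len(ciphertext) < tag_len:
        raise ValueError("bad_record_mac: record shorter than tag")
    body, masked_tag = ciphertext[:-tag_len], ciphertext[-tag_len:]
    s0 = enc(counter_block(nonce, 0))
    tag = _xor(masked_tag, s0[:tag_len])
    plaintext = _ctr(enc, nonce, body, 1)
    if not hmac.compare_digest(tag, _cbc_mac(enc, nonce, aad, plaintext, tag_len)):
        raise ValueError("bad_record_mac: MAC failure")
    return plaintext


def verifies(enc: BlockEncrypt, nonce: bytes, aad: bytes, ciphertext: bytes, tag_len: int = 16) -> bool:
    """True iff the record authenticates; what a peer decides before sending bad_record_mac."""
    try:
        ccm_decrypt(enc, nonce, aad, ciphertext, tag_len)
        return True
    except ValueError:
        return False


def stand_in_block_cipher(key: bytes) -> BlockEncrypt:
    """Constructed placeholder for an AES-128-ECB block function (NOT AES).

    Swap in the real block function from each backend under test; CCM only
    ever calls the forward direction, so any 16-byte keyed PRF runs here.
    """
    return lambda block: hashlib.sha256(key + block).digest()[:16]


def backends_agree(backends, nonce: bytes, aad: bytes, plaintext: bytes, tag_len: int = 16) -> bool:
    """True iff every backend yields byte-identical CCM output for the same inputs."""
    outputs = {ccm_encrypt(enc, nonce, aad, plaintext, tag_len) for enc in backends}
    return len(outputs) == 1


if __name__ == "__main__":
    # TLS 1.3 AEAD_AES_128_CCM shape: 12-byte nonce, 16-byte tag, record header as AAD.
    enc = stand_in_block_cipher(b"\x00" * 16)
    nonce, aad, pt = bytes(range(12)), b"\x17\x03\x03\x00\x31", b"hello, CCM!" * 3
    ct = ccm_encrypt(enc, nonce, aad, pt)
    print("round trip ok:", ccm_decrypt(enc, nonce, aad, ct) == pt)
    print("flipped byte verifies:", verifies(enc, nonce, aad, ct[:-1] + bytes([ct[-1] ^ 1])))
```

To reproduce an interop comparison, build one `BlockEncrypt` per backend (for instance a pure-Python AES and an m2crypto/openssl-backed AES, both in ECB mode on single blocks) and pass them to `backends_agree` with a 12-byte nonce and a TLS record header as AAD; any disagreement in `format_b0`, `encode_aad_length` or `counter_block` between the two code paths shows up as a different tag, which is exactly what the peer reports as bad_record_mac.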
