Always set IV length for AES CCM ciphers

[lwestlund]

This fixes an issue where the IV length would not be set if the length
was equal to the recommended length. The issue shows up at least when an
IV of length 12 (which is returned by t.iv_len()) is used with the
AES256 CCM cipher, as OpenSSL defaults the IV length to 7 bytes ¹ and it
would not be correctly set to 12.

Closes #2244.

Footnotes

1. https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption ↩

[sfackler]

Yeah it unfortunately looks like we can't just unconditionally do this :(

[lwestlund]

Yeah it unfortunately looks like we can't just unconditionally do this :(

No it looks like it ain't that easy 😞

Based on the OpenSSL wiki on AES with CCM, I still think that a change is warranted to make 12 byte IVs work so I'm gonna self review another proposal!

[lwestlund]

What do we think about this instead? I reintroduced the length check and added specific handling for the AES CCM ciphers, which are the ones with the IV length issue.

Suggested change

	if let (Some(iv), Some(_iv_len)) = (iv, t.iv_len()) {
	ctx.set_iv_length(iv.len())?;
	if let (Some(iv), Some(iv_len)) = (iv, t.iv_len()) {
	if iv.len() != iv_len
	|| matches!(
	t.nid(),
	Nid::AES_128_CCM | Nid::AES_192_CCM | Nid::AES_256_CCM
	)
	{
	ctx.set_iv_length(iv.len())?;
	}

[sfackler]

I think I hate it, but that's just OpenSSL I guess :P

[sfackler]

Looks like boringssl's not happy with it though.

[lwestlund]

I waited for you to give your opinion before pushing and running all of the CI. Now I pushed in 20ce889!

[lwestlund]

Also, agree that it's not very pretty but it should (hopefully!) get the job done!

[lwestlund]

@sfackler please have another look at this!