Add M=8 L=2 AES-128-CCM as well.

The Bluetooth Mesh spec uses both apparently. Also extract a pile of
test vectors from that document (thanks to Kyle Lund for showing me
which to extract).

Change-Id: I04a04fafb7386ca28adfe1446fa388e841778931
Reviewed-on: https://boringssl-review.googlesource.com/26324
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc
index dbd8428..b5bbe88 100644
--- a/crypto/cipher_extra/aead_test.cc
+++ b/crypto/cipher_extra/aead_test.cc
@@ -95,6 +95,8 @@
      "aes_256_ctr_hmac_sha256.txt", false, true, 0},
     {"AES_128_CCM_BLUETOOTH", EVP_aead_aes_128_ccm_bluetooth,
      "aes_128_ccm_bluetooth_tests.txt", false, false, 0},
+    {"AES_128_CCM_BLUETOOTH_8", EVP_aead_aes_128_ccm_bluetooth_8,
+     "aes_128_ccm_bluetooth_8_tests.txt", false, false, 0},
 };
 
 class PerAEADTest : public testing::TestWithParam<KnownAEAD> {
diff --git a/crypto/cipher_extra/e_aesccm.c b/crypto/cipher_extra/e_aesccm.c
index 93678e0..87f16dc 100644
--- a/crypto/cipher_extra/e_aesccm.c
+++ b/crypto/cipher_extra/e_aesccm.c
@@ -23,9 +23,6 @@
 #include "../fipsmodule/cipher/internal.h"
 
 
-#define EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN 4
-#define EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN 13
-
 #define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16
 
 struct aead_aes_ccm_ctx {
@@ -36,18 +33,23 @@
   CCM128_CONTEXT ccm;
 };
 
-static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                       size_t key_len, size_t tag_len) {
-  if (key_len != 16) {
+static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                             size_t key_len, size_t tag_len, unsigned M,
+                             unsigned L) {
+  assert(M == EVP_AEAD_max_overhead(ctx->aead));
+  assert(M == EVP_AEAD_max_tag_len(ctx->aead));
+  assert(15 - L == EVP_AEAD_nonce_length(ctx->aead));
+
+  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
     return 0;  // EVP_AEAD_CTX_init should catch this.
   }
 
   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
-    tag_len = EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN;
+    tag_len = M;
   }
 
-  if (tag_len != EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN) {
+  if (tag_len != M) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
     return 0;
   }
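Review bot: The three asserts at the top of aead_aes_ccm_init are the only check that M and L agree with the overhead, tag and nonce lengths in the EVP_AEAD table, and they compile away under NDEBUG. The same values are repeated as bare literals in aead_aes_ccm_bluetooth_init, aead_aes_ccm_bluetooth_8_init and both tables in the later hunks, so a future variant with a mismatched table would only be caught in debug builds. I would add a comment above the function such as `// M is the tag length in bytes and L is the size of the CCM length field; the nonce is 15 - L bytes. Both must match the lengths in the EVP_AEAD table.` Separately, `tag_len != M` also rejects tags shorter than M but reports CIPHER_R_TAG_TOO_LARGE, which is misleading for that case. The function body continues outside this hunk.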
@@ -62,8 +64,7 @@
   block128_f block;
   ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);
   ctx->tag_len = tag_len;
-  if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, tag_len,
-                          15 - EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN)) {
+  if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
     OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
     OPENSSL_free(ccm_ctx);
     return 0;
@@ -149,12 +150,17 @@
   return 1;
 }
 
+static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                       size_t key_len, size_t tag_len) {
+  return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
+}
+
 static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
-    16,
-    EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN,  // nonce length
-    EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN,    // overhead
-    EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN,    // max tag length
-    0,                                     // seal_scatter_supports_extra_in
+    16,  // key length (AES-128)
+    13,  // nonce length
+    4,   // overhead
+    4,   // max tag length
+    0,   // seal_scatter_supports_extra_in
 
     aead_aes_ccm_bluetooth_init,
     NULL /* init_with_direction */,
@@ -169,3 +175,29 @@
 const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
   return &aead_aes_128_ccm_bluetooth;
 }
+
+static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                         size_t key_len, size_t tag_len) {
+  return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
+}
+
+static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
+    16,  // key length (AES-128)
+    13,  // nonce length
+    8,   // overhead
+    8,   // max tag length
+    0,   // seal_scatter_supports_extra_in
+
+    aead_aes_ccm_bluetooth_8_init,
+    NULL /* init_with_direction */,
+    aead_aes_ccm_cleanup,
+    NULL /* open */,
+    aead_aes_ccm_seal_scatter,
+    aead_aes_ccm_open_gather,
+    NULL /* get_iv */,
+    NULL /* tag_len */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
+  return &aead_aes_128_ccm_bluetooth_8;
+}
diff --git a/crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt b/crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt
new file mode 100644
index 0000000..70ce305
--- /dev/null
+++ b/crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt
@@ -0,0 +1,105 @@
+# From the Bluetooth Mesh Profile Specification v1.0.
+#
+# The relevant AES-CCM calls are:
+#
+# KEY: EncryptionKey
+# NONCE: Network Nonce
+# IN: DST || TransportPDU
+# AD: (none)
+# CT: EncTransportPDU
+# TAG: NetMIC
+#
+# KEY: DevKey if present, otherwise AppKey
+# NONCE: Application Nonce
+# IN: Access Payload
+# AD: Label UUID, if present
+# CT: EncAccessPayload
+# TAG: TransMIC
+
+# Section 8.3.1.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00800000011201000012345678
+IN: fffd034b50057e400000010000
+AD:
+CT: b5e5bfdacbaf6cb7fb6bff871f
+TAG: 035444ce83a670df
+
+# Section 8.3.2
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00800148202345000012345678
+IN: 120104320308ba072f
+AD:
+CT: 79d7dbc0c9b4d43eeb
+TAG: ec129d20a620d01e
+
+# Section 8.3.3.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00802b38322fe3000012345678
+IN: 120104fa0205a6000a
+AD:
+CT: 53273086b8c5ee00bd
+TAG: d9cfcc62a2ddf572
+
+# Section 8.3.4.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000021201000012345678
+IN: 23450100
+AD:
+CT: b0e5d0ad
+TAG: 970d579a4e88051c
+
+# Section 8.3.5.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800148342345000012345678
+IN: 120102001234567800
+AD:
+CT: 5c39da1792b1fee9ec
+TAG: 74b786c56d3a9dee
+
+# Section 8.3.7.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 008b0148352345000012345678
+IN: 000300a6ac00000002
+AD:
+CT: 0d0d730f94d7f3509d
+TAG: f987bb417eb7c05f
+
+# Section 8.3.9.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 008b0148362345000012345678
+IN: 000300a6ac00000003
+AD:
+CT: d85d806bbed248614f
+TAG: 938067b0d983bb7b
+
+# Section 8.3.10.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000031201000012345678
+IN: 23450101
+AD:
+CT: 7777ed35
+TAG: 5afaf66d899c1e3d
+
+# Section 8.3.12.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000041201000012345678
+IN: 23450101
+AD:
+CT: ae214660
+TAG: 87599c2426ce9a35
+
+# Section 8.3.14.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000051201000012345678
+IN: 23450100
+AD:
+CT: 7d3ae62a
+TAG: 3c75dff683dce24e
+
+# Section 8.3.24.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080d1234973612345677
+IN: ea0a00576f726c64
+AD: f4a002c7fb1e4ca0a469a021de0db875
+CT: de1547118463123e
+TAG: 5f6a17b99dbca387
diff --git a/crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt b/crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt
index 98c134d..7543ec0 100644
--- a/crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt
+++ b/crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt
@@ -18,3 +18,191 @@
 AD:
 CT: 69915dad1e84c6376a68c2967e4dab61
 TAG: c4630026
+
+# From the Bluetooth Mesh Profile Specification v1.0.
+#
+# The relevant AES-CCM calls are:
+#
+# KEY: EncryptionKey
+# NONCE: Network Nonce
+# IN: DST || TransportPDU
+# AD: (none)
+# CT: EncTransportPDU
+# TAG: NetMIC
+#
+# KEY: DevKey if present, otherwise AppKey
+# NONCE: Application Nonce
+# IN: Access Payload
+# AD: Label UUID, if present
+# CT: EncAccessPayload
+# TAG: TransMIC
+
+# Section 8.3.6.
+KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f
+NONCE: 02003129ab0003120112345678
+IN: 0056341263964771734fbd76e3b40519d1d94a48
+AD:
+CT: ee9dddfd2169326d23f3afdfcfdc18c52fdef772
+TAG: e0e17308
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ab0003000012345678
+IN: 12018026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: 0afba8c63d4e686364979deaf4fd40961145
+TAG: 939cda0e
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ac0003000012345678
+IN: 12018026ac21cfdc18c52fdef772e0e17308
+AD:
+CT: 6cae0c032bf0746f44f1b8cc8ce5edc57e55
+TAG: beed49c0
+
+# Section 8.3.8.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ad0003000012345678
+IN: 12018026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: 0e2f91add6f06e66006844cec97f973105ae
+TAG: 2534f958
+
+# Section 8.3.11.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00033129ad0003000012345678
+IN: 1201c026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: d5e748a20ecfd98ddfd32de80befb400213d
+TAG: 113813b5
+
+# Section 8.3.13's test vector is identical to 8.3.11.
+
+# Section 8.3.15.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00033129ac0003000012345678
+IN: 12018026ac21cfdc18c52fdef772e0e17308
+AD:
+CT: f1d29805664d235eacd707217dedfe78497f
+TAG: efec7391
+
+# Section 8.3.16.
+KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f
+NONCE: 02000000061201000312345678
+IN: 800300563412
+AD:
+CT: 89511bf1d1a8
+TAG: 1c11dcef
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000b0000061201000012345678
+IN: 00030089511bf1d1a81c11dcef
+AD:
+CT: 6b9be7f5a642f2f98680e61c3a
+TAG: 8b47f228
+
+# Section 8.3.17's test vector is identical to 8.3.16.
+
+# Section 8.3.18.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000000071201ffff12345678
+IN: 0400000000
+AD:
+CT: 5a8bde6d91
+TAG: 06ea078a
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030000071201000012345678
+IN: ffff665a8bde6d9106ea078a
+AD:
+CT: 5673728a627fb938535508e2
+TAG: 1a6baf57
+
+# Section 8.3.19.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000000091201ffff12345678
+IN: 04000000010703
+AD:
+CT: ca6cd88e698d12
+TAG: 65f43fc5
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030000091201000012345678
+IN: ffff66ca6cd88e698d1265f43fc5
+AD:
+CT: 3010a05e1b23a926023da75d25ba
+TAG: 91793736
+
+# Section 8.3.20.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000708091234ffff12345677
+IN: 04000000010703
+AD:
+CT: 9c9803e110fea9
+TAG: 29e9542d
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030708091234000012345677
+IN: ffff669c9803e110fea929e9542d
+AD:
+CT: 8c3dc87344a16c787f6b08cc897c
+TAG: 941a5368
+
+# Section 8.3.21.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080a1234810512345677
+IN: d50a0048656c6c6f
+AD:
+CT: 2fa730fd98f6e4bd
+TAG: 120ea9d6
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080a1234000012345677
+IN: 8105662fa730fd98f6e4bd120ea9d6
+AD:
+CT: e4d611358eaf17796a6c98977f69e5
+TAG: 872c4620
+
+# Section 8.3.22.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080b1234b52912345677
+IN: d50a0048656c6c6f
+AD: 0073e7e4d8b9440faf8415df4c56c0e1
+CT: 3871b904d4315263
+TAG: 16ca48a0
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080b1234000012345677
+IN: b529663871b904d431526316ca48a0
+AD:
+CT: ed31f3fdcf88a411135fea55df730b
+TAG: 6b28e255
+
+# Section 8.3.23.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080c1234973612345677
+IN: d50a0048656c6c6f
+AD: f4a002c7fb1e4ca0a469a021de0db875
+CT: 2456db5e3100eef6
+TAG: 5daa7a38
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080c1234000012345677
+IN: 9736662456db5e3100eef65daa7a38
+AD:
+CT: 7a9d696d3dd16a75489696f0b70c71
+TAG: 1b881385
+
+# Section 8.3.24.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080d1234000012345677
+IN: 9736e6a03401de1547118463123e5f6a17b9
+AD:
+CT: 94e998b4081f5a7308ce3edbb3b06cdecd02
+TAG: 8e307f1c
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080e1234000012345677
+IN: 9736e6a034219dbca387
+AD:
+CT: dc2f4dd6fb4d32870129
+TAG: 1be4aafe
diff --git a/include/openssl/aead.h b/include/openssl/aead.h
index 2b45d20..1d50197 100644
--- a/include/openssl/aead.h
+++ b/include/openssl/aead.h
@@ -117,10 +117,16 @@
 // https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);
 
-// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2, as decribed
-// in the Bluetooth Core Specification v5.0, Volume 6, Part E, Section 1.
+// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2 (4-byte tags
+// and 13-byte nonces), as decribed in the Bluetooth Core Specification v5.0,
+// Volume 6, Part E, Section 1.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void);
 
+// EVP_aead_aes_128_ccm_bluetooth_8 is AES-128-CCM with M=8 and L=2 (8-byte tags
+// and 13-byte nonces), as used in the Bluetooth Mesh Networking Specification
+// v1.0.
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void);
+
 // EVP_has_aes_hardware returns one if we enable hardware support for fast and
 // constant-time AES-GCM.
 OPENSSL_EXPORT int EVP_has_aes_hardware(void);
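Review bot: Neither comment tells callers what the short tags cost. With M=4 a forged message is accepted with probability of roughly 2^-32 per attempt, and with M=8 roughly 2^-64, so these AEADs are only appropriate where the Bluetooth protocols require them. I would add a line to both comments such as `// Because of the short tag, this AEAD should only be used for compatibility with Bluetooth.` The rewritten M=4 comment also keeps the typo `decribed`, which should read `described`.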
diff --git a/sources.cmake b/sources.cmake
index f24ba20..5152b31 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -11,6 +11,7 @@
   crypto/cipher_extra/test/aes_128_cbc_sha1_tls_tests.txt
   crypto/cipher_extra/test/aes_128_cbc_sha256_tls_tests.txt
   crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt
+  crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt
   crypto/cipher_extra/test/aes_128_ctr_hmac_sha256.txt
   crypto/cipher_extra/test/aes_128_gcm_siv_tests.txt
   crypto/cipher_extra/test/aes_128_gcm_tests.txt