Amaury Denoyelle | f3c40f8 | 2022-09-30 17:37:38 +0200 | [diff] [blame] | 1 | #include <haproxy/quic_tls.h> |
| 2 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 3 | #include <string.h> |
| 4 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 5 | #include <openssl/evp.h> |
| 6 | #include <openssl/kdf.h> |
Amaury Denoyelle | 5c25dc5 | 2022-09-30 17:44:15 +0200 | [diff] [blame] | 7 | #include <openssl/ssl.h> |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 8 | |
| 9 | #include <haproxy/buf.h> |
| 10 | #include <haproxy/chunk.h> |
Amaury Denoyelle | 5c25dc5 | 2022-09-30 17:44:15 +0200 | [diff] [blame] | 11 | #include <haproxy/pool.h> |
Amaury Denoyelle | 92fa63f | 2022-09-30 18:11:13 +0200 | [diff] [blame] | 12 | #include <haproxy/quic_conn-t.h> |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 13 | |
| 14 | |
Frédéric Lécaille | fc768ec | 2021-11-23 21:02:04 +0100 | [diff] [blame] | 15 | DECLARE_POOL(pool_head_quic_tls_secret, "quic_tls_secret", QUIC_TLS_SECRET_LEN); |
| 16 | DECLARE_POOL(pool_head_quic_tls_iv, "quic_tls_iv", QUIC_TLS_IV_LEN); |
| 17 | DECLARE_POOL(pool_head_quic_tls_key, "quic_tls_key", QUIC_TLS_KEY_LEN); |
| 18 | |
Amaury Denoyelle | a19bb6f | 2022-09-30 17:31:18 +0200 | [diff] [blame] | 19 | /* Initial salt depending on QUIC version to derive client/server initial secrets. |
| 20 | * This one is for draft-29 QUIC version. |
| 21 | */ |
| 22 | const unsigned char initial_salt_draft_29[20] = { |
| 23 | 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, |
| 24 | 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, |
| 25 | 0x43, 0x90, 0xa8, 0x99 |
| 26 | }; |
| 27 | |
| 28 | const unsigned char initial_salt_v1[20] = { |
| 29 | 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, |
| 30 | 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, |
| 31 | 0xcc, 0xbb, 0x7f, 0x0a |
| 32 | }; |
| 33 | |
Frédéric Lécaille | 21c4c9b | 2023-01-13 16:37:02 +0100 | [diff] [blame] | 34 | const unsigned char initial_salt_v2[20] = { |
| 35 | 0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, |
| 36 | 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, |
| 37 | 0xf9, 0xbd, 0x2e, 0xd9 |
Amaury Denoyelle | a19bb6f | 2022-09-30 17:31:18 +0200 | [diff] [blame] | 38 | }; |
| 39 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 40 | /* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */ |
Amaury Denoyelle | 4fd53d7 | 2021-12-21 14:28:26 +0100 | [diff] [blame] | 41 | void quic_tls_keys_hexdump(struct buffer *buf, |
| 42 | const struct quic_tls_secrets *secs) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 43 | { |
| 44 | int i; |
Frédéric Lécaille | 8fbabea | 2023-10-11 09:28:36 +0200 | [diff] [blame^] | 45 | size_t aead_keylen; |
| 46 | size_t aead_ivlen; |
| 47 | size_t hp_len; |
| 48 | |
| 49 | if (!secs->aead || !secs->hp) |
| 50 | return; |
| 51 | |
| 52 | aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead); |
| 53 | aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead); |
| 54 | hp_len = (size_t)EVP_CIPHER_key_length(secs->hp); |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 55 | |
| 56 | chunk_appendf(buf, "\n key="); |
| 57 | for (i = 0; i < aead_keylen; i++) |
| 58 | chunk_appendf(buf, "%02x", secs->key[i]); |
| 59 | chunk_appendf(buf, "\n iv="); |
| 60 | for (i = 0; i < aead_ivlen; i++) |
| 61 | chunk_appendf(buf, "%02x", secs->iv[i]); |
| 62 | chunk_appendf(buf, "\n hp="); |
| 63 | for (i = 0; i < hp_len; i++) |
| 64 | chunk_appendf(buf, "%02x", secs->hp_key[i]); |
| 65 | } |
| 66 | |
Frédéric Lécaille | 51a7caf | 2023-02-23 20:38:23 +0100 | [diff] [blame] | 67 | /* Dump the RX/TX secrets of <kp> QUIC TLS key phase */ |
| 68 | void quic_tls_kp_keys_hexdump(struct buffer *buf, |
| 69 | const struct quic_tls_kp *kp) |
| 70 | { |
| 71 | int i; |
| 72 | |
| 73 | chunk_appendf(buf, "\n secret="); |
| 74 | for (i = 0; i < kp->secretlen; i++) |
| 75 | chunk_appendf(buf, "%02x", kp->secret[i]); |
| 76 | chunk_appendf(buf, "\n key="); |
| 77 | for (i = 0; i < kp->keylen; i++) |
| 78 | chunk_appendf(buf, "%02x", kp->key[i]); |
| 79 | chunk_appendf(buf, "\n iv="); |
| 80 | for (i = 0; i < kp->ivlen; i++) |
| 81 | chunk_appendf(buf, "%02x", kp->iv[i]); |
| 82 | } |
| 83 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 84 | /* Dump <secret> TLS secret. */ |
| 85 | void quic_tls_secret_hexdump(struct buffer *buf, |
| 86 | const unsigned char *secret, size_t secret_len) |
| 87 | { |
| 88 | int i; |
| 89 | |
| 90 | chunk_appendf(buf, " secret="); |
| 91 | for (i = 0; i < secret_len; i++) |
| 92 | chunk_appendf(buf, "%02x", secret[i]); |
| 93 | } |
| 94 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 95 | int quic_hkdf_extract(const EVP_MD *md, |
Frédéric Lécaille | 4ba3b4e | 2022-05-10 18:40:19 +0200 | [diff] [blame] | 96 | unsigned char *buf, size_t buflen, |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 97 | const unsigned char *key, size_t keylen, |
Frédéric Lécaille | 2fc76cf | 2021-08-31 19:10:40 +0200 | [diff] [blame] | 98 | const unsigned char *salt, size_t saltlen) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 99 | { |
| 100 | EVP_PKEY_CTX *ctx; |
| 101 | |
| 102 | ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
| 103 | if (!ctx) |
| 104 | return 0; |
| 105 | |
| 106 | if (EVP_PKEY_derive_init(ctx) <= 0 || |
| 107 | EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 || |
| 108 | EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 || |
| 109 | EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 || |
| 110 | EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 || |
Frédéric Lécaille | 4ba3b4e | 2022-05-10 18:40:19 +0200 | [diff] [blame] | 111 | EVP_PKEY_derive(ctx, buf, &buflen) <= 0) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 112 | goto err; |
| 113 | |
| 114 | EVP_PKEY_CTX_free(ctx); |
| 115 | return 1; |
| 116 | |
| 117 | err: |
| 118 | EVP_PKEY_CTX_free(ctx); |
| 119 | return 0; |
| 120 | } |
| 121 | |
| 122 | int quic_hkdf_expand(const EVP_MD *md, |
| 123 | unsigned char *buf, size_t buflen, |
| 124 | const unsigned char *key, size_t keylen, |
| 125 | const unsigned char *label, size_t labellen) |
| 126 | { |
| 127 | EVP_PKEY_CTX *ctx; |
| 128 | |
| 129 | ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
| 130 | if (!ctx) |
| 131 | return 0; |
| 132 | |
| 133 | if (EVP_PKEY_derive_init(ctx) <= 0 || |
| 134 | EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 || |
| 135 | EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 || |
| 136 | EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 || |
| 137 | EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 || |
| 138 | EVP_PKEY_derive(ctx, buf, &buflen) <= 0) |
| 139 | goto err; |
| 140 | |
| 141 | EVP_PKEY_CTX_free(ctx); |
| 142 | return 1; |
| 143 | |
| 144 | err: |
| 145 | EVP_PKEY_CTX_free(ctx); |
| 146 | return 0; |
| 147 | } |
Frédéric Lécaille | 7b92c81 | 2022-05-06 09:54:48 +0200 | [diff] [blame] | 148 | |
| 149 | /* Extracts a peudo-random secret key from <key> which is eventually not |
| 150 | * pseudo-random and expand it to a new pseudo-random key into |
| 151 | * <buf> with <buflen> as key length according to HKDF specifications |
| 152 | * (https://datatracker.ietf.org/doc/html/rfc5869). |
| 153 | * According to this specifications it is highly recommended to use |
| 154 | * a salt, even if optional (NULL value). |
| 155 | * Return 1 if succeeded, 0 if not. |
| 156 | */ |
| 157 | int quic_hkdf_extract_and_expand(const EVP_MD *md, |
| 158 | unsigned char *buf, size_t buflen, |
| 159 | const unsigned char *key, size_t keylen, |
| 160 | const unsigned char *salt, size_t saltlen, |
| 161 | const unsigned char *label, size_t labellen) |
| 162 | { |
| 163 | EVP_PKEY_CTX *ctx; |
| 164 | |
| 165 | ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
| 166 | if (!ctx) |
| 167 | return 0; |
| 168 | |
| 169 | if (EVP_PKEY_derive_init(ctx) <= 0 || |
| 170 | EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) <= 0 || |
| 171 | EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 || |
| 172 | EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 || |
| 173 | EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 || |
| 174 | EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 || |
| 175 | EVP_PKEY_derive(ctx, buf, &buflen) <= 0) |
| 176 | goto err; |
| 177 | |
| 178 | EVP_PKEY_CTX_free(ctx); |
| 179 | return 1; |
| 180 | |
| 181 | err: |
| 182 | EVP_PKEY_CTX_free(ctx); |
| 183 | return 0; |
| 184 | } |
| 185 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 186 | /* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys |
| 187 | * refers to: |
| 188 | * |
| 189 | * https://tools.ietf.org/html/rfc8446#section-7.1: |
| 190 | * 7.1. Key Schedule |
| 191 | * |
| 192 | * The key derivation process makes use of the HKDF-Extract and |
| 193 | * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the |
| 194 | * functions defined below: |
| 195 | * |
| 196 | * HKDF-Expand-Label(Secret, Label, Context, Length) = |
| 197 | * HKDF-Expand(Secret, HkdfLabel, Length) |
| 198 | * |
| 199 | * Where HkdfLabel is specified as: |
| 200 | * |
| 201 | * struct { |
| 202 | * uint16 length = Length; |
| 203 | * opaque label<7..255> = "tls13 " + Label; |
| 204 | * opaque context<0..255> = Context; |
| 205 | * } HkdfLabel; |
| 206 | * |
| 207 | * Derive-Secret(Secret, Label, Messages) = |
| 208 | * HKDF-Expand-Label(Secret, Label, |
| 209 | * Transcript-Hash(Messages), Hash.length) |
| 210 | * |
| 211 | */ |
| 212 | int quic_hkdf_expand_label(const EVP_MD *md, |
| 213 | unsigned char *buf, size_t buflen, |
| 214 | const unsigned char *key, size_t keylen, |
| 215 | const unsigned char *label, size_t labellen) |
| 216 | { |
| 217 | unsigned char hdkf_label[256], *pos; |
| 218 | const unsigned char hdkf_label_label[] = "tls13 "; |
| 219 | size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1; |
| 220 | |
| 221 | pos = hdkf_label; |
| 222 | *pos++ = buflen >> 8; |
| 223 | *pos++ = buflen & 0xff; |
| 224 | *pos++ = hdkf_label_label_sz + labellen; |
| 225 | memcpy(pos, hdkf_label_label, hdkf_label_label_sz); |
| 226 | pos += hdkf_label_label_sz; |
| 227 | memcpy(pos, label, labellen); |
| 228 | pos += labellen; |
| 229 | *pos++ = '\0'; |
| 230 | |
| 231 | return quic_hkdf_expand(md, buf, buflen, |
| 232 | key, keylen, hdkf_label, pos - hdkf_label); |
| 233 | } |
| 234 | |
| 235 | /* |
| 236 | * This function derives two keys from <secret> is <ctx> as TLS cryptographic context. |
| 237 | * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level. |
| 238 | * ->iv is the initialization vector to be used with ->key. |
| 239 | * ->hp_key is the key to be derived for header protection. |
| 240 | * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context. |
| 241 | */ |
| 242 | int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 243 | const EVP_MD *md, const struct quic_version *qv, |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 244 | unsigned char *key, size_t keylen, |
| 245 | unsigned char *iv, size_t ivlen, |
| 246 | unsigned char *hp_key, size_t hp_keylen, |
| 247 | const unsigned char *secret, size_t secretlen) |
| 248 | { |
| 249 | size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead); |
| 250 | size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead); |
Frédéric Lécaille | 6e351d6 | 2021-11-30 11:06:41 +0100 | [diff] [blame] | 251 | size_t hp_len = hp ? (size_t)EVP_CIPHER_key_length(hp) : 0; |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 252 | |
| 253 | if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen) |
| 254 | return 0; |
| 255 | |
| 256 | if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 257 | qv->key_label,qv->key_label_len) || |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 258 | !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 259 | qv->iv_label, qv->iv_label_len) || |
Frédéric Lécaille | 6e351d6 | 2021-11-30 11:06:41 +0100 | [diff] [blame] | 260 | (hp_key && !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 261 | qv->hp_label, qv->hp_label_len))) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 262 | return 0; |
| 263 | |
| 264 | return 1; |
| 265 | } |
| 266 | |
| 267 | /* |
| 268 | * Derive the initial secret from <secret> and QUIC version dependent salt. |
| 269 | * Returns the size of the derived secret if succeeded, 0 if not. |
| 270 | */ |
| 271 | int quic_derive_initial_secret(const EVP_MD *md, |
Frédéric Lécaille | 2fc76cf | 2021-08-31 19:10:40 +0200 | [diff] [blame] | 272 | const unsigned char *initial_salt, size_t initial_salt_sz, |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 273 | unsigned char *initial_secret, size_t initial_secret_sz, |
| 274 | const unsigned char *secret, size_t secret_sz) |
| 275 | { |
Frédéric Lécaille | 4ba3b4e | 2022-05-10 18:40:19 +0200 | [diff] [blame] | 276 | if (!quic_hkdf_extract(md, initial_secret, initial_secret_sz, secret, secret_sz, |
Frédéric Lécaille | 2fc76cf | 2021-08-31 19:10:40 +0200 | [diff] [blame] | 277 | initial_salt, initial_salt_sz)) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 278 | return 0; |
| 279 | |
| 280 | return 1; |
| 281 | } |
| 282 | |
| 283 | /* |
| 284 | * Derive the client initial secret from the initial secret. |
| 285 | * Returns the size of the derived secret if succeeded, 0 if not. |
| 286 | */ |
| 287 | int quic_tls_derive_initial_secrets(const EVP_MD *md, |
| 288 | unsigned char *rx, size_t rx_sz, |
| 289 | unsigned char *tx, size_t tx_sz, |
| 290 | const unsigned char *secret, size_t secret_sz, |
| 291 | int server) |
| 292 | { |
| 293 | const unsigned char client_label[] = "client in"; |
| 294 | const unsigned char server_label[] = "server in"; |
| 295 | const unsigned char *tx_label, *rx_label; |
| 296 | size_t rx_label_sz, tx_label_sz; |
| 297 | |
| 298 | if (server) { |
| 299 | rx_label = client_label; |
| 300 | rx_label_sz = sizeof client_label; |
| 301 | tx_label = server_label; |
| 302 | tx_label_sz = sizeof server_label; |
| 303 | } |
| 304 | else { |
| 305 | rx_label = server_label; |
| 306 | rx_label_sz = sizeof server_label; |
| 307 | tx_label = client_label; |
| 308 | tx_label_sz = sizeof client_label; |
| 309 | } |
| 310 | |
| 311 | if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz, |
| 312 | rx_label, rx_label_sz - 1) || |
| 313 | !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz, |
| 314 | tx_label, tx_label_sz - 1)) |
| 315 | return 0; |
| 316 | |
| 317 | return 1; |
| 318 | } |
| 319 | |
Frédéric Lécaille | 39484de | 2021-11-30 10:10:24 +0100 | [diff] [blame] | 320 | /* Update <sec> secret key into <new_sec> according to RFC 9001 6.1. |
| 321 | * Always succeeds. |
| 322 | */ |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 323 | int quic_tls_sec_update(const EVP_MD *md, const struct quic_version *qv, |
Frédéric Lécaille | 39484de | 2021-11-30 10:10:24 +0100 | [diff] [blame] | 324 | unsigned char *new_sec, size_t new_seclen, |
| 325 | const unsigned char *sec, size_t seclen) |
| 326 | { |
Frédéric Lécaille | 39484de | 2021-11-30 10:10:24 +0100 | [diff] [blame] | 327 | return quic_hkdf_expand_label(md, new_sec, new_seclen, sec, seclen, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 328 | qv->ku_label, qv->ku_label_len); |
Frédéric Lécaille | 39484de | 2021-11-30 10:10:24 +0100 | [diff] [blame] | 329 | } |
| 330 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 331 | /* |
| 332 | * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with |
| 333 | * <aead_ivlen> as size depending on <pn> packet number. |
| 334 | * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm |
| 335 | * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>. |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 336 | */ |
Amaury Denoyelle | 5eadc27 | 2023-05-16 18:11:01 +0200 | [diff] [blame] | 337 | void quic_aead_iv_build(unsigned char *iv, size_t ivlen, |
| 338 | unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 339 | { |
| 340 | int i; |
| 341 | unsigned int shift; |
| 342 | unsigned char *pos = iv; |
| 343 | |
Amaury Denoyelle | 5eadc27 | 2023-05-16 18:11:01 +0200 | [diff] [blame] | 344 | /* Input buffers must have the same size. */ |
| 345 | BUG_ON(ivlen != aead_ivlen); |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 346 | |
| 347 | for (i = 0; i < ivlen - sizeof pn; i++) |
| 348 | *pos++ = *aead_iv++; |
| 349 | |
| 350 | /* Only the remaining (sizeof pn) bytes are XOR'ed. */ |
| 351 | shift = 56; |
| 352 | for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8) |
| 353 | *pos++ = *aead_iv++ ^ (pn >> shift); |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 354 | } |
| 355 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 356 | /* Initialize the cipher context for RX part of <tls_ctx> QUIC TLS context. |
| 357 | * Return 1 if succeeded, 0 if not. |
| 358 | */ |
| 359 | int quic_tls_rx_ctx_init(EVP_CIPHER_CTX **rx_ctx, |
| 360 | const EVP_CIPHER *aead, unsigned char *key) |
| 361 | { |
| 362 | EVP_CIPHER_CTX *ctx; |
| 363 | int aead_nid = EVP_CIPHER_nid(aead); |
| 364 | |
| 365 | ctx = EVP_CIPHER_CTX_new(); |
| 366 | if (!ctx) |
| 367 | return 0; |
| 368 | |
| 369 | if (!EVP_DecryptInit_ex(ctx, aead, NULL, NULL, NULL) || |
Frédéric Lécaille | f2f4a4e | 2022-04-05 12:18:46 +0200 | [diff] [blame] | 370 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) || |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 371 | (aead_nid == NID_aes_128_ccm && |
| 372 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) || |
| 373 | !EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL)) |
| 374 | goto err; |
| 375 | |
| 376 | *rx_ctx = ctx; |
| 377 | |
| 378 | return 1; |
| 379 | |
| 380 | err: |
| 381 | EVP_CIPHER_CTX_free(ctx); |
| 382 | return 0; |
| 383 | } |
| 384 | |
Frédéric Lécaille | 86a53c5 | 2022-08-19 18:18:13 +0200 | [diff] [blame] | 385 | /* Initialize <*aes_ctx> AES cipher context with <key> as key for encryption */ |
| 386 | int quic_tls_enc_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, |
| 387 | const EVP_CIPHER *aes, unsigned char *key) |
| 388 | { |
| 389 | EVP_CIPHER_CTX *ctx; |
| 390 | |
| 391 | ctx = EVP_CIPHER_CTX_new(); |
| 392 | if (!ctx) |
| 393 | return 0; |
| 394 | |
| 395 | if (!EVP_EncryptInit_ex(ctx, aes, NULL, key, NULL)) |
| 396 | goto err; |
| 397 | |
| 398 | *aes_ctx = ctx; |
| 399 | return 1; |
| 400 | |
| 401 | err: |
| 402 | EVP_CIPHER_CTX_free(ctx); |
| 403 | return 0; |
| 404 | } |
| 405 | |
| 406 | /* Encrypt <inlen> bytes from <in> buffer into <out> with <ctx> as AES |
cui fliter | a94bedc | 2022-08-29 14:42:57 +0800 | [diff] [blame] | 407 | * cipher context. This is the responsibility of the caller to check there |
Frédéric Lécaille | 86a53c5 | 2022-08-19 18:18:13 +0200 | [diff] [blame] | 408 | * is at least <inlen> bytes of available space in <out> buffer. |
| 409 | * Return 1 if succeeded, 0 if not. |
| 410 | */ |
| 411 | int quic_tls_aes_encrypt(unsigned char *out, |
| 412 | const unsigned char *in, size_t inlen, |
| 413 | EVP_CIPHER_CTX *ctx) |
| 414 | { |
| 415 | int ret = 0; |
| 416 | |
| 417 | if (!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, in) || |
| 418 | !EVP_EncryptUpdate(ctx, out, &ret, out, inlen) || |
| 419 | !EVP_EncryptFinal_ex(ctx, out, &ret)) |
| 420 | return 0; |
| 421 | |
| 422 | return 1; |
| 423 | } |
| 424 | |
| 425 | /* Initialize <*aes_ctx> AES cipher context with <key> as key for decryption */ |
| 426 | int quic_tls_dec_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, |
| 427 | const EVP_CIPHER *aes, unsigned char *key) |
| 428 | { |
| 429 | EVP_CIPHER_CTX *ctx; |
| 430 | |
| 431 | ctx = EVP_CIPHER_CTX_new(); |
| 432 | if (!ctx) |
| 433 | return 0; |
| 434 | |
| 435 | if (!EVP_DecryptInit_ex(ctx, aes, NULL, key, NULL)) |
| 436 | goto err; |
| 437 | |
| 438 | *aes_ctx = ctx; |
| 439 | return 1; |
| 440 | |
| 441 | err: |
| 442 | EVP_CIPHER_CTX_free(ctx); |
| 443 | return 0; |
| 444 | } |
| 445 | |
| 446 | /* Decrypt <in> data into <out> with <ctx> as AES cipher context. |
cui fliter | a94bedc | 2022-08-29 14:42:57 +0800 | [diff] [blame] | 447 | * This is the responsibility of the caller to check there is at least |
Frédéric Lécaille | 86a53c5 | 2022-08-19 18:18:13 +0200 | [diff] [blame] | 448 | * <outlen> bytes into <in> buffer. |
| 449 | * Return 1 if succeeded, 0 if not. |
| 450 | */ |
| 451 | int quic_tls_aes_decrypt(unsigned char *out, |
| 452 | const unsigned char *in, size_t inlen, |
| 453 | EVP_CIPHER_CTX *ctx) |
| 454 | { |
| 455 | int ret = 0; |
| 456 | |
| 457 | if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, in) || |
| 458 | !EVP_DecryptUpdate(ctx, out, &ret, out, inlen) || |
| 459 | !EVP_DecryptFinal_ex(ctx, out, &ret)) |
| 460 | return 0; |
| 461 | |
| 462 | return 1; |
| 463 | } |
| 464 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 465 | /* Initialize the cipher context for TX part of <tls_ctx> QUIC TLS context. |
| 466 | * Return 1 if succeeded, 0 if not. |
| 467 | */ |
| 468 | int quic_tls_tx_ctx_init(EVP_CIPHER_CTX **tx_ctx, |
| 469 | const EVP_CIPHER *aead, unsigned char *key) |
| 470 | { |
| 471 | EVP_CIPHER_CTX *ctx; |
| 472 | int aead_nid = EVP_CIPHER_nid(aead); |
| 473 | |
| 474 | ctx = EVP_CIPHER_CTX_new(); |
| 475 | if (!ctx) |
| 476 | return 0; |
| 477 | |
| 478 | if (!EVP_EncryptInit_ex(ctx, aead, NULL, NULL, NULL) || |
Frédéric Lécaille | f2f4a4e | 2022-04-05 12:18:46 +0200 | [diff] [blame] | 479 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) || |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 480 | (aead_nid == NID_aes_128_ccm && |
| 481 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) || |
| 482 | !EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL)) |
| 483 | goto err; |
| 484 | |
| 485 | *tx_ctx = ctx; |
| 486 | |
| 487 | return 1; |
| 488 | |
| 489 | err: |
| 490 | EVP_CIPHER_CTX_free(ctx); |
| 491 | return 0; |
| 492 | } |
| 493 | |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 494 | /* |
| 495 | * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead |
| 496 | * |
| 497 | * 5.3. AEAD Usage |
| 498 | * |
| 499 | * Packets are protected prior to applying header protection (Section 5.4). |
| 500 | * The unprotected packet header is part of the associated data (A). When removing |
| 501 | * packet protection, an endpoint first removes the header protection. |
| 502 | * (...) |
| 503 | * These ciphersuites have a 16-byte authentication tag and produce an output 16 |
| 504 | * bytes larger than their input. |
| 505 | * The key and IV for the packet are computed as described in Section 5.1. The nonce, |
| 506 | * N, is formed by combining the packet protection IV with the packet number. The 62 |
| 507 | * bits of the reconstructed QUIC packet number in network byte order are left-padded |
| 508 | * with zeros to the size of the IV. The exclusive OR of the padded packet number and |
| 509 | * the IV forms the AEAD nonce. |
| 510 | * |
| 511 | * The associated data, A, for the AEAD is the contents of the QUIC header, starting |
| 512 | * from the flags byte in either the short or long header, up to and including the |
| 513 | * unprotected packet number. |
| 514 | * |
| 515 | * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described |
| 516 | * in [QUIC-TRANSPORT]. |
| 517 | * |
| 518 | * The output ciphertext, C, of the AEAD is transmitted in place of P. |
| 519 | * |
| 520 | * Some AEAD functions have limits for how many packets can be encrypted under the same |
| 521 | * key and IV (see for example [AEBounds]). This might be lower than the packet number limit. |
| 522 | * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for |
| 523 | * the AEAD that is in use. |
| 524 | */ |
| 525 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 526 | /* Encrypt in place <buf> plaintext with <len> as length with QUIC_TLS_TAG_LEN |
| 527 | * included tailing bytes for the tag. |
| 528 | * Note that for CCM mode, we must set the the ciphertext length if AAD data |
| 529 | * are provided from <aad> buffer with <aad_len> as length. This is always the |
| 530 | * case here. So the caller of this function must provide <aad>. |
| 531 | * |
| 532 | * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption |
| 533 | */ |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 534 | int quic_tls_encrypt(unsigned char *buf, size_t len, |
| 535 | const unsigned char *aad, size_t aad_len, |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 536 | EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead, |
Emeric Brun | e0190c6 | 2023-07-11 14:53:41 +0200 | [diff] [blame] | 537 | const unsigned char *iv) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 538 | { |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 539 | int outlen; |
| 540 | int aead_nid = EVP_CIPHER_nid(aead); |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 541 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 542 | if (!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) || |
| 543 | (aead_nid == NID_aes_128_ccm && |
| 544 | !EVP_EncryptUpdate(ctx, NULL, &outlen, NULL, len)) || |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 545 | !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) || |
| 546 | !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) || |
| 547 | !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) || |
| 548 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len)) |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 549 | return 0; |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 550 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 551 | return 1; |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 552 | } |
| 553 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 554 | /* Decrypt in place <buf> ciphertext with <len> as length with QUIC_TLS_TAG_LEN |
| 555 | * included tailing bytes for the tag. |
| 556 | * Note that for CCM mode, we must set the the ciphertext length if AAD data |
| 557 | * are provided from <aad> buffer with <aad_len> as length. This is always the |
| 558 | * case here. So the caller of this function must provide <aad>. Also not the |
| 559 | * there is no need to call EVP_DecryptFinal_ex for CCM mode. |
| 560 | * |
| 561 | * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption |
| 562 | */ |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 563 | int quic_tls_decrypt(unsigned char *buf, size_t len, |
| 564 | unsigned char *aad, size_t aad_len, |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 565 | EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead, |
| 566 | const unsigned char *key, const unsigned char *iv) |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 567 | { |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 568 | int outlen; |
| 569 | int aead_nid = EVP_CIPHER_nid(aead); |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 570 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 571 | if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) || |
| 572 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 573 | buf + len - QUIC_TLS_TAG_LEN) || |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 574 | (aead_nid == NID_aes_128_ccm && |
| 575 | !EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, len - QUIC_TLS_TAG_LEN)) || |
| 576 | !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) || |
| 577 | !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN) || |
| 578 | (aead_nid != NID_aes_128_ccm && |
| 579 | !EVP_DecryptFinal_ex(ctx, buf + outlen, &outlen))) |
| 580 | return 0; |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 581 | |
Frédéric Lécaille | f460574 | 2022-04-05 10:28:29 +0200 | [diff] [blame] | 582 | return 1; |
Frédéric Lécaille | a7e7ce9 | 2020-11-23 14:14:04 +0100 | [diff] [blame] | 583 | } |
Amaury Denoyelle | 6efec29 | 2022-01-11 11:57:00 +0100 | [diff] [blame] | 584 | |
Frédéric Lécaille | 55367c8 | 2022-05-16 10:27:57 +0200 | [diff] [blame] | 585 | /* Similar to quic_tls_decrypt(), except that this function does not decrypt |
| 586 | * in place its ciphertest if <out> output buffer ciphertest with <len> as length |
| 587 | * is different from <in> input buffer. This is the responbality of the caller |
| 588 | * to check that the output buffer has at least the same size as the input buffer. |
| 589 | * Note that for CCM mode, we must set the the ciphertext length if AAD data |
| 590 | * are provided from <aad> buffer with <aad_len> as length. This is always the |
| 591 | * case here. So the caller of this function must provide <aad>. Also note that |
| 592 | * there is no need to call EVP_DecryptFinal_ex for CCM mode. |
| 593 | * |
| 594 | * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption |
| 595 | * |
| 596 | * Return 1 if succeeded, 0 if not. |
| 597 | */ |
| 598 | int quic_tls_decrypt2(unsigned char *out, |
| 599 | unsigned char *in, size_t len, |
| 600 | unsigned char *aad, size_t aad_len, |
| 601 | EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead, |
| 602 | const unsigned char *key, const unsigned char *iv) |
| 603 | { |
| 604 | int outlen; |
| 605 | int aead_nid = EVP_CIPHER_nid(aead); |
| 606 | |
| 607 | len -= QUIC_TLS_TAG_LEN; |
| 608 | if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) || |
| 609 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, in + len) || |
| 610 | (aead_nid == NID_aes_128_ccm && |
| 611 | !EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, len)) || |
| 612 | !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) || |
| 613 | !EVP_DecryptUpdate(ctx, out, &outlen, in, len) || |
| 614 | (aead_nid != NID_aes_128_ccm && |
| 615 | !EVP_DecryptFinal_ex(ctx, out + outlen, &outlen))) |
| 616 | return 0; |
| 617 | |
| 618 | return 1; |
| 619 | } |
| 620 | |
Frédéric Lécaille | a9c5d8d | 2022-05-12 14:44:51 +0200 | [diff] [blame] | 621 | /* Derive <key> and <iv> key and IV to be used to encrypt a retry token |
| 622 | * with <secret> which is not pseudo-random. |
| 623 | * Return 1 if succeeded, 0 if not. |
| 624 | */ |
| 625 | int quic_tls_derive_retry_token_secret(const EVP_MD *md, |
| 626 | unsigned char *key, size_t keylen, |
| 627 | unsigned char *iv, size_t ivlen, |
| 628 | const unsigned char *salt, size_t saltlen, |
| 629 | const unsigned char *secret, size_t secretlen) |
| 630 | { |
| 631 | unsigned char tmpkey[QUIC_TLS_KEY_LEN]; |
Frédéric Lécaille | a9c5d8d | 2022-05-12 14:44:51 +0200 | [diff] [blame] | 632 | const unsigned char key_label[] = "retry token key"; |
| 633 | const unsigned char iv_label[] = "retry token iv"; |
| 634 | |
Emeric Brun | e397d86 | 2023-07-04 14:56:08 +0200 | [diff] [blame] | 635 | if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey, |
| 636 | secret, secretlen, salt, saltlen) || |
Frédéric Lécaille | a9c5d8d | 2022-05-12 14:44:51 +0200 | [diff] [blame] | 637 | !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey, |
| 638 | key_label, sizeof key_label - 1) || |
Emeric Brun | 28f430c | 2023-07-03 12:14:41 +0200 | [diff] [blame] | 639 | !quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey, |
Frédéric Lécaille | a9c5d8d | 2022-05-12 14:44:51 +0200 | [diff] [blame] | 640 | iv_label, sizeof iv_label - 1)) |
| 641 | return 0; |
| 642 | |
| 643 | return 1; |
| 644 | } |
| 645 | |
Amaury Denoyelle | 6efec29 | 2022-01-11 11:57:00 +0100 | [diff] [blame] | 646 | /* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and |
| 647 | * write it to <tag>. The tag is written just after the <pkt> area. It should |
| 648 | * be at least 16 bytes longs. <odcid> is the CID of the Initial packet |
| 649 | * received which triggers the Retry. |
| 650 | * |
| 651 | * Returns non-zero on success else zero. |
| 652 | */ |
Frédéric Lécaille | 3f96a0a | 2022-06-08 08:26:03 +0200 | [diff] [blame] | 653 | int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, unsigned char odcid_len, |
| 654 | unsigned char *pkt, size_t pkt_len, |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 655 | const struct quic_version *qv) |
Amaury Denoyelle | 6efec29 | 2022-01-11 11:57:00 +0100 | [diff] [blame] | 656 | { |
| 657 | const EVP_CIPHER *evp = EVP_aes_128_gcm(); |
| 658 | EVP_CIPHER_CTX *ctx; |
Amaury Denoyelle | 6efec29 | 2022-01-11 11:57:00 +0100 | [diff] [blame] | 659 | |
| 660 | /* encryption buffer - not used as only AEAD tag generation is proceed */ |
| 661 | unsigned char *out = NULL; |
| 662 | /* address to store the AEAD tag */ |
| 663 | unsigned char *tag = pkt + pkt_len; |
| 664 | int outlen, ret = 0; |
| 665 | |
| 666 | ctx = EVP_CIPHER_CTX_new(); |
| 667 | if (!ctx) |
| 668 | return 0; |
| 669 | |
| 670 | /* rfc9001 5.8. Retry Packet Integrity |
| 671 | * |
| 672 | * AEAD is proceed over a pseudo-Retry packet used as AAD. It contains |
| 673 | * the ODCID len + data and the Retry packet itself. |
| 674 | */ |
Frédéric Lécaille | 86845c5 | 2022-06-08 19:28:36 +0200 | [diff] [blame] | 675 | if (!EVP_EncryptInit_ex(ctx, evp, NULL, qv->retry_tag_key, qv->retry_tag_nonce) || |
Amaury Denoyelle | 6efec29 | 2022-01-11 11:57:00 +0100 | [diff] [blame] | 676 | /* specify pseudo-Retry as AAD */ |
| 677 | !EVP_EncryptUpdate(ctx, NULL, &outlen, &odcid_len, sizeof(odcid_len)) || |
| 678 | !EVP_EncryptUpdate(ctx, NULL, &outlen, odcid, odcid_len) || |
| 679 | !EVP_EncryptUpdate(ctx, NULL, &outlen, pkt, pkt_len) || |
| 680 | /* finalize */ |
| 681 | !EVP_EncryptFinal_ex(ctx, out, &outlen) || |
| 682 | /* store the tag */ |
| 683 | !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, tag)) { |
| 684 | goto out; |
| 685 | } |
| 686 | ret = 1; |
| 687 | |
| 688 | out: |
| 689 | EVP_CIPHER_CTX_free(ctx); |
| 690 | return ret; |
| 691 | } |