From 49952a97d78682e74a55f39a49748d3b46780b66 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 26 Apr 2024 14:18:40 +0200
Subject: [PATCH 1/2] Fix quic header protect cipher return
---
 src/quic.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/quic.c b/src/quic.c
index 0c902f422..c5e607287 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -1038,11 +1038,17 @@ const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
 switch (cipher->cipherSuite) {
 #if !defined(NO_AES) && defined(HAVE_AESGCM)
+ /* This has to be CTR even though the spec says that ECB is used for
+ * mask generation. ngtcp2_crypto_hp_mask uses a hack where they pass
+ * in the "ECB" input as the IV for the CTR cipher and then the input
+ * is just a cleared buffer. They do this so that the EVP
+ * init-update-final cycle can be used without the padding that is added
+ * for EVP_aes_(128|256)_ecb. */
 case TLS_AES_128_GCM_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_gcm();
+ evp_cipher = wolfSSL_EVP_aes_128_ctr();
 break;
 case TLS_AES_256_GCM_SHA384:
- evp_cipher = wolfSSL_EVP_aes_256_gcm();
+ evp_cipher = wolfSSL_EVP_aes_256_ctr();
 break;
 #endif
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
@@ -1051,8 +1057,9 @@ const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
 break;
 #endif
 #if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
+ /* This has to be CTR. See comment above. */
 case TLS_AES_128_CCM_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_ccm();
+ evp_cipher = wolfSSL_EVP_aes_128_ctr();
 break;
 case TLS_AES_128_CCM_8_SHA256:
 WOLFSSL_MSG("wolfSSL_quic_get_hp: no CCM-8 support in EVP layer");
From 232827022240aa043a791d55fdb4a3a2ca023c08 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 26 Apr 2024 15:56:20 +0200
Subject: [PATCH 2/2] Code review
---
 src/quic.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/quic.c b/src/quic.c
index c5e607287..756d02306 100644
--- a/src/quic.c 
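Review bot: The new comment above the AES-GCM cases says ECB is replaced by CTR as "a hack" but never states why the mask comes out identical, which is the property a maintainer needs before touching either `evp_cipher = wolfSSL_EVP_aes_*_ctr();` line: with the 16-byte header-protection sample used as the CTR counter block and a zeroed 16-byte input, the first CTR keystream block is AES_k(sample), which is exactly the ECB output RFC 9001 Section 5.4.3 specifies. That equivalence holds for one block only, so the contract with the caller (here ngtcp2_crypto_hp_mask) is that at most 16 bytes go through the cipher. I would add to the comment: `* Correct only because CTR with IV = sample and a zeroed 16-byte input yields AES_k(sample); a caller that encrypts more than one block no longer gets the ECB mask.` A test of this path against the header-protection vectors in RFC 9001 Appendix A would pin that equivalence rather than rely on the caller's convention. wolfSSL_quic_get_hp starts before and ends after this hunk.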
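Review bot: The `WOLFSSL_MSG("wolfSSL_quic_get_hp: no CCM-8 support in EVP layer");` context line at the end of this hunk now gives a stale reason: after this change header protection for the CCM suite uses `wolfSSL_EVP_aes_128_ctr()` and no longer touches CCM at all, so the absence of CCM-8 in the EVP layer is not what rules the suite out. The actual constraint is RFC 9001 Section 5.3, which excludes TLS_AES_128_CCM_8_SHA256 from QUIC, and stating that prevents a later reader from "fixing" this case by returning the CTR cipher. I would reword the message to `WOLFSSL_MSG("wolfSSL_quic_get_hp: TLS_AES_128_CCM_8_SHA256 is not permitted in QUIC (RFC 9001 Section 5.3)");` or put that as a comment above the case. The enclosing #if still requires HAVE_AESCCM, which after this change is a precondition for the suite being negotiable rather than something this function uses; a short comment saying so would avoid the same confusion.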
+++ b/src/quic.c
@@ -1037,26 +1037,31 @@ const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
 }
 switch (cipher->cipherSuite) {
-#if !defined(NO_AES) && defined(HAVE_AESGCM)
+#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_COUNTER)
 /* This has to be CTR even though the spec says that ECB is used for
 * mask generation. ngtcp2_crypto_hp_mask uses a hack where they pass
 * in the "ECB" input as the IV for the CTR cipher and then the input
 * is just a cleared buffer. They do this so that the EVP
 * init-update-final cycle can be used without the padding that is added
 * for EVP_aes_(128|256)_ecb. */
+#if defined(WOLFSSL_AES_128)
 case TLS_AES_128_GCM_SHA256:
 evp_cipher = wolfSSL_EVP_aes_128_ctr();
 break;
+#endif
+#if defined(WOLFSSL_AES_256)
 case TLS_AES_256_GCM_SHA384:
 evp_cipher = wolfSSL_EVP_aes_256_ctr();
 break;
 #endif
+#endif
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
 case TLS_CHACHA20_POLY1305_SHA256:
 evp_cipher = wolfSSL_EVP_chacha20();
 break;
 #endif
-#if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
+#if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && \
+ defined(WOLFSSL_AES_COUNTER)
 /* This has to be CTR. See comment above. */
 case TLS_AES_128_CCM_SHA256:
 evp_cipher = wolfSSL_EVP_aes_128_ctr();
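Review bot: Adding WOLFSSL_AES_COUNTER to both #if guards turns a build-time failure into a runtime one: in a build with AES-GCM or AES-CCM but without WOLFSSL_AES_COUNTER the AES cases drop out of this switch, and wolfSSL_quic_get_hp falls through to whatever its default path returns (presumably NULL; the end of the function is outside the hunk) for a suite the handshake may already have negotiated, unless the AEAD side is gated the same way, which is not visible here. A configuration that cannot produce a header-protection mask should fail at build time; I would add near the top of src/quic.c `#if defined(WOLFSSL_QUIC) && !defined(NO_AES) && (defined(HAVE_AESGCM) || defined(HAVE_AESCCM)) && !defined(WOLFSSL_AES_COUNTER)` / `#error "QUIC header protection requires WOLFSSL_AES_COUNTER"` / `#endif`, or apply the same condition where the QUIC cipher suites are enabled. The nested #if/#endif pairs are also hard to follow now; labelling them (`#endif /* WOLFSSL_AES_256 */`, `#endif /* !NO_AES && HAVE_AESGCM && WOLFSSL_AES_COUNTER */`) would help the next reader.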