packet: replace ring AEAD API for retry

The ring AEAD API is currently used for authenticating Retry packets, which, again, doesn't seem like something worth pulling a whole dependency for. This may or may not fall under FIPS scope though.
cloudflare · Jan 16, 2025 · 01c5e03 · 01c5e03
1 parent 49318b1
commit 01c5e03
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/quiche/src/crypto/mod.rs b/quiche/src/crypto/mod.rs
@@ -671,9 +671,9 @@ mod tests {
 #[cfg(not(feature = "openssl"))]
 mod boringssl;
 #[cfg(not(feature = "openssl"))]
-use boringssl::*;
+pub(crate) use boringssl::*;
 
 #[cfg(feature = "openssl")]
 mod openssl_quictls;
 #[cfg(feature = "openssl")]
-use openssl_quictls::*;
+pub(crate) use openssl_quictls::*;
diff --git a/quiche/src/packet.rs b/quiche/src/packet.rs
@@ -30,8 +30,6 @@ use std::ops::IndexMut;
 use std::ops::RangeInclusive;
 use std::time;
 
-use ring::aead;
-
 use crate::Error;
 use crate::Result;
 
@@ -789,8 +787,9 @@ pub fn verify_retry_integrity(
 
 fn compute_retry_integrity_tag(
     b: &octets::OctetsMut, odcid: &[u8], version: u32,
-) -> Result<aead::Tag> {
+) -> Result<Vec<u8>> {
     const KEY_LEN: usize = RETRY_AEAD_ALG.key_len();
+    const TAG_LEN: usize = RETRY_AEAD_ALG.tag_len();
 
     const RETRY_INTEGRITY_KEY_V1: [u8; KEY_LEN] = [
         0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54,
@@ -818,17 +817,23 @@ fn compute_retry_integrity_tag(
     pb.put_bytes(odcid)?;
     pb.put_bytes(&b.buf()[..hdr_len])?;
 
-    let key = aead::LessSafeKey::new(
-        aead::UnboundKey::new(&aead::AES_128_GCM, key)
-            .map_err(|_| Error::CryptoFail)?,
-    );
+    let key = crypto::PacketKey::new(
+        RETRY_AEAD_ALG,
+        key.to_vec(),
+        nonce.to_vec(),
+        crypto::Seal::ENCRYPT,
+    )?;
 
-    let nonce = aead::Nonce::assume_unique_for_key(nonce);
+    let mut out_tag = vec![0_u8; TAG_LEN];
 
-    let aad = aead::Aad::from(&pseudo);
+    let out_len = key.seal_with_u64_counter(0, &pseudo, &mut out_tag, 0, None)?;
+
+    // Ensure that the output only contains the AEAD tag.
+    if out_len != out_tag.len() {
+        return Err(Error::CryptoFail);
+    }
 
-    key.seal_in_place_separate_tag(nonce, aad, &mut [])
-        .map_err(|_| Error::CryptoFail)
+    Ok(out_tag)
 }
 
 pub struct KeyUpdate {