# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1686291954 -14400
# Node ID 29a6c0e11f75c2d4871e16ecb8d40c634777d81f
# Parent  31c8c1a713bcc797611014160c0b1fe2a07a73ce
QUIC: a new constant for AEAD tag length.

Previously used constant EVP_GCM_TLS_TAG_LEN had misleading name since it was
used not only with GCM, but also with CHACHAPOLY.  Now a new constant
NGX_QUIC_TAG_LEN introduced.  Luckily all AEAD algorithms used by QUIC have
the same tag length of 16.

diff -r 31c8c1a713bc -r 29a6c0e11f75 src/event/quic/ngx_event_quic_openssl_compat.c
--- a/src/event/quic/ngx_event_quic_openssl_compat.c	Tue Jun 20 17:01:00 2023 +0400
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c	Fri Jun 09 10:25:54 2023 +0400
@@ -445,7 +445,7 @@
     u_char                     in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];
     u_char                     out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
                                    + SSL3_RT_HEADER_LENGTH
-                                   + EVP_GCM_TLS_TAG_LEN];
+                                   + NGX_QUIC_TAG_LEN];
 
     c = ngx_ssl_get_connection(ssl);
 
@@ -528,7 +528,7 @@
 
     } else {
         type = SSL3_RT_APPLICATION_DATA;
-        len += EVP_GCM_TLS_TAG_LEN;
+        len += NGX_QUIC_TAG_LEN;
     }
 
     out[0] = type;
@@ -552,7 +552,7 @@
     ad.data = res->data;
     ad.len = ngx_quic_compat_create_header(rec, ad.data, 0);
 
-    out.len = rec->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.len = rec->payload.len + NGX_QUIC_TAG_LEN;
     out.data = res->data + ad.len;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
diff -r 31c8c1a713bc -r 29a6c0e11f75 src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c	Tue Jun 20 17:01:00 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.c	Fri Jun 09 10:25:54 2023 +0400
@@ -406,7 +406,7 @@
     }
 
     if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
-                          in->len - EVP_GCM_TLS_TAG_LEN)
+                          in->len - NGX_QUIC_TAG_LEN)
         != 1)
     {
         EVP_CIPHER_CTX_free(ctx);
@@ -415,9 +415,9 @@
     }
 
     out->len = len;
-    tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
+    tag = in->data + in->len - NGX_QUIC_TAG_LEN;
 
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, NGX_QUIC_TAG_LEN, tag)
         == 0)
     {
         EVP_CIPHER_CTX_free(ctx);
@@ -519,7 +519,7 @@
 
     out->len += len;
 
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, NGX_QUIC_TAG_LEN,
                             out->data + in->len)
         == 0)
     {
@@ -531,7 +531,7 @@
 
     EVP_CIPHER_CTX_free(ctx);
 
-    out->len += EVP_GCM_TLS_TAG_LEN;
+    out->len += NGX_QUIC_TAG_LEN;
 #endif
     return NGX_OK;
 }
@@ -738,7 +738,7 @@
     ad.data = res->data;
     ad.len = ngx_quic_create_header(pkt, ad.data, &pnp);
 
-    out.len = pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.len = pkt->payload.len + NGX_QUIC_TAG_LEN;
     out.data = res->data + ad.len;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
@@ -802,7 +802,7 @@
     ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
 
     itag.data = ad.data + ad.len;
-    itag.len = EVP_GCM_TLS_TAG_LEN;
+    itag.len = NGX_QUIC_TAG_LEN;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
@@ -979,7 +979,7 @@
      * AES and ChaCha20 algorithms sample 16 bytes
      */
 
-    if (len < EVP_GCM_TLS_TAG_LEN + 4) {
+    if (len < NGX_QUIC_TAG_LEN + 4) {
         return NGX_DECLINED;
     }
 
@@ -1039,7 +1039,7 @@
                    "quic ad len:%uz %xV", ad.len, &ad);
 #endif
 
-    pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN;
+    pkt->payload.len = in.len - NGX_QUIC_TAG_LEN;
     pkt->payload.data = pkt->plaintext + ad.len;
 
     rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,
diff -r 31c8c1a713bc -r 29a6c0e11f75 src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h	Tue Jun 20 17:01:00 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.h	Fri Jun 09 10:25:54 2023 +0400
@@ -16,8 +16,9 @@
 
 #define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)
 
-/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */
+/* RFC 5116, 5.1 and RFC 8439, 2.3/2.5 for all supported ciphers */
 #define NGX_QUIC_IV_LEN               12
+#define NGX_QUIC_TAG_LEN              16
 
 /* largest hash used in TLS is SHA-384 */
 #define NGX_QUIC_MAX_MD_SIZE          48
diff -r 31c8c1a713bc -r 29a6c0e11f75 src/event/quic/ngx_event_quic_transport.c
--- a/src/event/quic/ngx_event_quic_transport.c	Tue Jun 20 17:01:00 2023 +0400
+++ b/src/event/quic/ngx_event_quic_transport.c	Fri Jun 09 10:25:54 2023 +0400
@@ -578,7 +578,7 @@
 
     if (ngx_quic_short_pkt(pkt->flags)) {
 
-        len = 1 + pkt->dcid.len + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+        len = 1 + pkt->dcid.len + pkt->num_len + NGX_QUIC_TAG_LEN;
         if (len > pkt_len) {
             return 0;
         }
@@ -596,7 +596,7 @@
 
     /* (pkt_len - len) is 'remainder' packet length (see RFC 9000, 17.2) */
     len += ngx_quic_varint_len(pkt_len - len)
-           + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+           + pkt->num_len + NGX_QUIC_TAG_LEN;
 
     if (len > pkt_len) {
         return 0;
@@ -622,7 +622,7 @@
     size_t   rem_len;
     u_char  *p, *start;
 
-    rem_len = pkt->num_len + pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+    rem_len = pkt->num_len + pkt->payload.len + NGX_QUIC_TAG_LEN;
 
     if (out == NULL) {
         return 5 + 2 + pkt->dcid.len + pkt->scid.len