QUIC: a new constant for AEAD tag length.

Previously used constant EVP_GCM_TLS_TAG_LEN had misleading name since it was
used not only with GCM, but also with CHACHAPOLY.  Now a new constant
NGX_QUIC_TAG_LEN introduced.  Luckily all AEAD algorithms used by QUIC have
the same tag length of 16.

src/event/quic/ngx_event_quic_openssl_compat.c

@@ -445,7 +445,7 @@ SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
     u_char                     in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];
     u_char                     out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
                                    + SSL3_RT_HEADER_LENGTH
-                                   + EVP_GCM_TLS_TAG_LEN];
+                                   + NGX_QUIC_TAG_LEN];
 
     c = ngx_ssl_get_connection(ssl);
 
@@ -528,7 +528,7 @@ ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out,
 
     } else {
         type = SSL3_RT_APPLICATION_DATA;
-        len += EVP_GCM_TLS_TAG_LEN;
+        len += NGX_QUIC_TAG_LEN;
     }
 
     out[0] = type;
@@ -552,7 +552,7 @@ ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
     ad.data = res->data;
     ad.len = ngx_quic_compat_create_header(rec, ad.data, 0);
 
-    out.len = rec->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.len = rec->payload.len + NGX_QUIC_TAG_LEN;
     out.data = res->data + ad.len;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO

src/event/quic/ngx_event_quic_protection.c

@@ -406,7 +406,7 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
     }
 
     if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
-                          in->len - EVP_GCM_TLS_TAG_LEN)
+                          in->len - NGX_QUIC_TAG_LEN)
         != 1)
     {
         EVP_CIPHER_CTX_free(ctx);
@@ -415,9 +415,9 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
     }
 
     out->len = len;
-    tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
+    tag = in->data + in->len - NGX_QUIC_TAG_LEN;
 
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, NGX_QUIC_TAG_LEN, tag)
         == 0)
     {
         EVP_CIPHER_CTX_free(ctx);
@@ -519,7 +519,7 @@ ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
 
     out->len += len;
 
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, NGX_QUIC_TAG_LEN,
                             out->data + in->len)
         == 0)
     {
@@ -531,7 +531,7 @@ ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
 
     EVP_CIPHER_CTX_free(ctx);
 
-    out->len += EVP_GCM_TLS_TAG_LEN;
+    out->len += NGX_QUIC_TAG_LEN;
 #endif
     return NGX_OK;
 }
@@ -738,7 +738,7 @@ ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
     ad.data = res->data;
     ad.len = ngx_quic_create_header(pkt, ad.data, &pnp);
 
-    out.len = pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+    out.len = pkt->payload.len + NGX_QUIC_TAG_LEN;
     out.data = res->data + ad.len;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
@@ -802,7 +802,7 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
     ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
 
     itag.data = ad.data + ad.len;
-    itag.len = EVP_GCM_TLS_TAG_LEN;
+    itag.len = NGX_QUIC_TAG_LEN;
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
@@ -979,7 +979,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
      * AES and ChaCha20 algorithms sample 16 bytes
      */
 
-    if (len < EVP_GCM_TLS_TAG_LEN + 4) {
+    if (len < NGX_QUIC_TAG_LEN + 4) {
         return NGX_DECLINED;
     }
 
@@ -1039,7 +1039,7 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
                    "quic ad len:%uz %xV", ad.len, &ad);
 #endif
 
-    pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN;
+    pkt->payload.len = in.len - NGX_QUIC_TAG_LEN;
     pkt->payload.data = pkt->plaintext + ad.len;
 
     rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,

src/event/quic/ngx_event_quic_protection.h

@@ -16,8 +16,9 @@
 
 #define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)
 
-/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */
+/* RFC 5116, 5.1 and RFC 8439, 2.3/2.5 for all supported ciphers */
 #define NGX_QUIC_IV_LEN               12
+#define NGX_QUIC_TAG_LEN              16
 
 /* largest hash used in TLS is SHA-384 */
 #define NGX_QUIC_MAX_MD_SIZE          48

src/event/quic/ngx_event_quic_transport.c

@@ -578,7 +578,7 @@ ngx_quic_payload_size(ngx_quic_header_t *pkt, size_t pkt_len)
 
     if (ngx_quic_short_pkt(pkt->flags)) {
 
-        len = 1 + pkt->dcid.len + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+        len = 1 + pkt->dcid.len + pkt->num_len + NGX_QUIC_TAG_LEN;
         if (len > pkt_len) {
             return 0;
         }
@@ -596,7 +596,7 @@ ngx_quic_payload_size(ngx_quic_header_t *pkt, size_t pkt_len)
 
     /* (pkt_len - len) is 'remainder' packet length (see RFC 9000, 17.2) */
     len += ngx_quic_varint_len(pkt_len - len)
-           + pkt->num_len + EVP_GCM_TLS_TAG_LEN;
+           + pkt->num_len + NGX_QUIC_TAG_LEN;
 
     if (len > pkt_len) {
         return 0;
@@ -622,7 +622,7 @@ ngx_quic_create_long_header(ngx_quic_header_t *pkt, u_char *out,
     size_t   rem_len;
     u_char  *p, *start;
 
-    rem_len = pkt->num_len + pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
+    rem_len = pkt->num_len + pkt->payload.len + NGX_QUIC_TAG_LEN;
 
     if (out == NULL) {
         return 5 + 2 + pkt->dcid.len + pkt->scid.len