commit c1bbfe64c68dfc9db2dcf760122cfbf701cfe97a
author nharper <nharper@google.com> Fri Sep 27 16:48:40 2019 -0700
committer Copybara-Service <copybara-worker@google.com> Tue Oct 01 12:55:56 2019 -0700
tree 78b4bd094cfd263b9c40f7847bbadf1c49224a2b
parent f1e3e4abecfc2ce6346e981cb5dc8c51336ab2f2

Use 16-byte auth tags when initial obfuscators are used

QuicFramer assumes that the auth tag is the same length for all encryption
levels. In Google QUIC crypto versions where initial obfuscators are used,
we should use IETF style crypters (different nonce/IV construction and 16
byte instead of 12 byte auth tags).

gfe-relnote: Change encryption used in QUIC. Protected by quic_enable_version_99
PiperOrigin-RevId: 271674606
Change-Id: Ic7736908068eeee8077bd3a17ec4f8b4112254f9

quic/core/crypto/aead_base_decrypter.cc

diff --git a/quic/core/crypto/aead_base_decrypter.cc b/quic/core/crypto/aead_base_decrypter.cc
index b5db0db..ab441b7 100644
--- a/quic/core/crypto/aead_base_decrypter.cc
+++ b/quic/core/crypto/aead_base_decrypter.cc
@@ -126,13 +126,18 @@
   }
 
   std::string key, nonce_prefix;
-  size_t prefix_size = nonce_size_ - sizeof(QuicPacketNumber);
+  size_t prefix_size = nonce_size_;
+  if (!use_ietf_nonce_construction_) {
+    prefix_size -= sizeof(QuicPacketNumber);
+  }
   DiversifyPreliminaryKey(
       QuicStringPiece(reinterpret_cast<const char*>(key_), key_size_),
       QuicStringPiece(reinterpret_cast<const char*>(iv_), prefix_size), nonce,
       key_size_, prefix_size, &key, &nonce_prefix);
 
-  if (!SetKey(key) || !SetNoncePrefix(nonce_prefix)) {
+  if (!SetKey(key) ||
+      (!use_ietf_nonce_construction_ && !SetNoncePrefix(nonce_prefix)) ||
+      (use_ietf_nonce_construction_ && !SetIV(nonce_prefix))) {
     DCHECK(false);
     return false;
   }