Re: Problems verifying sample packet protection in appendix A of Using TLS to Secure QUIC
Nick Harper <nharper@google.com> Tue, 14 July 2020 18:47 UTC
Return-Path: <nharper@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA4D3A086B for <quic@ietfa.amsl.com>; Tue, 14 Jul 2020 11:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GscQ0i0ymH69 for <quic@ietfa.amsl.com>; Tue, 14 Jul 2020 11:47:15 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92CA93A0863 for <quic@ietf.org>; Tue, 14 Jul 2020 11:47:15 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id r8so14737134oij.5 for <quic@ietf.org>; Tue, 14 Jul 2020 11:47:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DCCRwK5FVCaec4RAtTxXozKEGBaSAuKlmqjx8o+5+B0=; b=pySpn5baIJTAUiOkSnKkm5BMTFun5VzMrSJAxFtvGYAQ2DpGiIMktSxvbLkFQijo53 WwavM3AJ7HN1zTMSUE02th+9bnYVKFdeR6O6yh3T2vlGkQUdZzQLxTLdRpMxrPxOBcBE cuVA48n0tsmT+wwIG0WunyJilxUb9EWy2341mm5HPeR1DBnRcTut+3yK1hza3W/C2cHo tgDTqPflauiKlnaf8DHzvm03Lq8D8vyniiKMX5AHrSSwmXycEd/77b4W3Ud7f9dcQt4L 2yl7PtmcQ8w2n3p30m3NZJRVNzHVgk5z6kqnTSOPiMQGPqhZcGXO2xr6e3bqdpMOgNZu T/vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DCCRwK5FVCaec4RAtTxXozKEGBaSAuKlmqjx8o+5+B0=; b=BY79/gPj2+7xnKSHoXNz4jUPDYbKxRX4QFTQ6pJYBhopnpUnvzvs9GjGGlY9Gq/dQK TG3kuPxzcqBNB4ypBasU2/kTIHkFeoTGAb45U0e6vJJyeeKb9Lc1+7siGFaXhQhm7C/B IHtoTwx0lz/Y5df+0JO+ypdHObuFeOmBKhp9b/eW+24Gp82BZaTfliM7Re1gAe/1EZUb VQXkI6KoT3PaTx1uzThSboMkjnx07FAZKmwN+DEqL6SfEzV/DrcQE1vf2NrE8H41Quu+ WvtePOGbdwBXKFA2+gUWgb0XHkqVXat+NuNoN1G7Dp3ZWEOvwKm7TvFRV69cRnSAB4p6 EZBQ==
X-Gm-Message-State: AOAM5322RcDHPv1IxPcBzbXVuMD3CfS2pGL11gnaamS5ZN8CKQO45b4g NIaekbFmdBelLJ0Zhq1Z2fOCz3l5/G4nRlweozhf6A==
X-Google-Smtp-Source: ABdhPJx/qKL0KKBdjc5G2r2IV3JabQk2PQBBnTJ43jLgbmuOYTashQHgzjB+f0H71sKjbtiW+9AgjhTi6XqKo72YbqU=
X-Received: by 2002:aca:b187:: with SMTP id a129mr4650565oif.2.1594752434502; Tue, 14 Jul 2020 11:47:14 -0700 (PDT)
MIME-Version: 1.0
References: <LNXP123MB2460833EC5BC592C8D410EDCF2610@LNXP123MB2460.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LNXP123MB2460833EC5BC592C8D410EDCF2610@LNXP123MB2460.GBRP123.PROD.OUTLOOK.COM>
From: Nick Harper <nharper@google.com>
Date: Tue, 14 Jul 2020 11:47:03 -0700
Message-ID: <CACdeXi+EUWRGoT7pWrqnEbQK9EoT0ERr7pKFmtOQ3pQZc9wfCw@mail.gmail.com>
Subject: Re: Problems verifying sample packet protection in appendix A of Using TLS to Secure QUIC
To: tim.jebb@bt.com
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005d76d405aa6b3cf6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/2rJ-A9yvyb3Kv6kAJQKk-cM4xT4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 18:47:17 -0000
On Tue, Jul 14, 2020 at 9:06 AM <tim.jebb@bt.com> wrote: > Hi, > > > > I’m working through Appendix A of the QUIC TLS doc to check my > understanding, but am having trouble decrypting the sample client initial > packet. I’m unsure if I’ve made a silly error or two, or if I’ve made one > or more incorrect assumptions. Or both. > > > > The functions I’m using are the OpenSSL EVP ones. I’m attempting to > follow the recipe here: > > > https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Decryption_using_GCM_mode > in conjunction with the draft RFC. > > > > > > EVP_CIPHER_CTX_new() > > > > EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL) > > > > EVP_DecryptInit_ex(ctx, NULL, NULL, client_key, iv) where the > client key is 0x175257a31eb09dea9366d8bb79ad80ba and the iv is > 0x6b26114b9cba2b63a9e8dd4f > You need to compute the nonce from the IV and the packet number. I assume what the openssl documentation refers to as an IV is actually the nonce as described in RFC 5116. > > > EVP_DecryptUpdate(ctx, NULL, &len, pUnprotectedHeader, > headerLength) where the unprotected header is > 0xc3ff00001d088394c8f03e5157080000449e00000002 – this I believe is the > Additional Data required > > > > EVP_DecryptUpdate(ctx, decryptedPayload, &len, pPayload, > payloadLength-16)) here I’m passing in the encrypted payload beginning > 0xfb66bc5f and ending 0xe82a4d919d48, length 1162. I’m assuming that the > final 16 bytes of the payload is the authentication tag so am not passing > it in here. Note that if this assumption about the authentication tag is > correct, I think it could be more clearly stated in the draft RFC. > This is a quirk of the openssl API unfortunately. An AEAD decryption operation should take 4 inputs: the key, the nonce, the associated data, and the ciphertext. The ciphertext, as defined by RFC 5116, includes the tag. There's no requirement on the structure of an AEAD's ciphertext, including that some portion of the ciphertext be able to be identified as a tag. AES-GCM does have this structure where the tag is at the end of the ciphertext, and unfortunately openssl makes that part of the api for the AEAD open operation, even though someone using it should never have to know that detail of the AES-GCM algorithm. > > > EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag) where tag is the > final 16 bytes of the encrypted payload, ie 0x43b1ca70 a2d8d3f7 25ead139 > 1377dcc0 > > > > EVP_DecryptFinal_ex(ctx, decryptedPayload + len, &len) > > > > Everything seems OK until the EVP_DecryptFinal_ex() call which fails. > > > > Is there anything obviously wrong with the above? I’ve not posted the > full source code as I’m not asking people to check my working, I’m really > asking if my assumptions are correct, am I using the correct functions, > input data etc. > > > > Thanks in advance > > > > Tim >
- Problems verifying sample packet protection in ap… tim.jebb
- Re: Problems verifying sample packet protection i… Nick Harper
- RE: Problems verifying sample packet protection i… tim.jebb
- RE: Problems verifying sample packet protection i… tim.jebb
- RE: Problems verifying sample packet protection i… tim.jebb