crypto: use the FIPS-compliant AEAD from BoringCrypto

The main difference is that the _tls13() AEAD follows the FIPS
requirements, the main one being that AEAD counters are strictly
monotonically incresing for each seal operation.

Author: ghedo

quiche/src/crypto/boringssl.rs

@@ -18,8 +18,8 @@ struct EVP_AEAD_CTX {
 impl Algorithm {
     fn get_evp_aead(self) -> *const EVP_AEAD {
         match self {
-            Algorithm::AES128_GCM => unsafe { EVP_aead_aes_128_gcm() },
-            Algorithm::AES256_GCM => unsafe { EVP_aead_aes_256_gcm() },
+            Algorithm::AES128_GCM => unsafe { EVP_aead_aes_128_gcm_tls13() },
+            Algorithm::AES256_GCM => unsafe { EVP_aead_aes_256_gcm_tls13() },
             Algorithm::ChaCha20_Poly1305 => unsafe {
                 EVP_aead_chacha20_poly1305()
             },
@@ -227,9 +227,9 @@ pub(crate) fn hkdf_expand(
 }
 
 extern {
-    fn EVP_aead_aes_128_gcm() -> *const EVP_AEAD;
+    fn EVP_aead_aes_128_gcm_tls13() -> *const EVP_AEAD;
 
-    fn EVP_aead_aes_256_gcm() -> *const EVP_AEAD;
+    fn EVP_aead_aes_256_gcm_tls13() -> *const EVP_AEAD;
 
     fn EVP_aead_chacha20_poly1305() -> *const EVP_AEAD;
 

quiche/src/crypto/mod.rs

@@ -238,15 +238,25 @@ impl Seal {
     }
 
     pub fn from_secret(aead: Algorithm, secret: &[u8]) -> Result<Seal> {
-        Ok(Seal {
+        let seal = Seal {
             alg: aead,
 
             secret: secret.to_vec(),
 
             header: HeaderProtectionKey::from_secret(aead, secret)?,
 
             packet: PacketKey::from_secret(aead, secret, Self::ENCRYPT)?,
-        })
+        };
+
+        // Dummy seal operation to prime the AEAD context with the nonce mask.
+        //
+        // This is needed because BoringCrypto requires the first counter (i.e.
+        // packet number) to be zero, which would not be the case for packet
+        // number spaces after Initial as the same packet number sequence is
+        // shared.
+        let _ = seal.seal_with_u64_counter(0, b"", &mut [0_u8; 16], 0, None);
+
+        Ok(seal)
     }
 
     pub fn new_mask(&self, sample: &[u8]) -> Result<[u8; 5]> {