MINOR: quic: Implement quic_tls_derive_token_secret().

This is function is similar to quic_tls_derive_retry_token_secret().
Its aim is to derive the secret used to cipher the token to be used
for future connections.

This patch renames quic_tls_derive_retry_token_secret() to a more
and reuses its code to produce a more generic one: quic_do_tls_derive_token_secret().
Two arguments are added to this latter to produce both quic_tls_derive_retry_token_secret()
and quic_tls_derive_token_secret() new function which calls
quic_do_tls_derive_token_secret().

diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 757b78fb46d2e9659c20edc950594cd99119fb1e..d8bdf7134c85f149a27dc37624fec0c938b7f3ed 100644 (file)
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -90,6 +90,12 @@ int quic_tls_derive_retry_token_secret(const EVP_MD *md,
                                        const unsigned char *salt, size_t saltlen,
                                        const unsigned char *secret, size_t secretlen);
 
+int quic_tls_derive_token_secret(const EVP_MD *md,
+                                 unsigned char *key, size_t keylen,
+                                 unsigned char *iv, size_t ivlen,
+                                 const unsigned char *salt, size_t saltlen,
+                                 const unsigned char *secret, size_t secretlen);
+
 int quic_hkdf_expand(const EVP_MD *md,
                      unsigned char *buf, size_t buflen,
                      const unsigned char *key, size_t keylen,

diff --git a/src/quic_tls.c b/src/quic_tls.c
index e1f5f21755b22a64c8b560f8a27281d5a3b5d0ab..af087dc76a3954fa874729403a6a89b45c31e19f 100644 (file)
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -950,27 +950,56 @@ int quic_tls_decrypt2(unsigned char *out,
  * with <secret> which is not pseudo-random.
  * Return 1 if succeeded, 0 if not.
  */
-int quic_tls_derive_retry_token_secret(const EVP_MD *md,
-                                       unsigned char *key, size_t keylen,
-                                       unsigned char *iv, size_t ivlen,
-                                       const unsigned char *salt, size_t saltlen,
-                                       const unsigned char *secret, size_t secretlen)
+static inline int quic_do_tls_derive_token_secret(const EVP_MD *md, unsigned char *key, size_t keylen,
+                                                  unsigned char *iv, size_t ivlen,
+                                                  const unsigned char *salt, size_t saltlen,
+                                                  const unsigned char *secret, size_t secretlen,
+                                                  const unsigned char *klabel, size_t klabellen,
+                                                  const unsigned char *ivlabel, size_t ivlabellen)
 {
        unsigned char tmpkey[QUIC_TLS_KEY_LEN];
-       const unsigned char key_label[] = "retry token key";
-       const unsigned char iv_label[] = "retry token iv";
 
        if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey,
                               secret, secretlen, salt, saltlen) ||
            !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
-                             key_label, sizeof key_label - 1) ||
+                             klabel, klabellen) ||
            !quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
-                             iv_label, sizeof iv_label - 1))
+                             ivlabel, ivlabellen))
                return 0;
 
        return 1;
 }
 
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+                                       unsigned char *key, size_t keylen,
+                                       unsigned char *iv, size_t ivlen,
+                                       const unsigned char *salt, size_t saltlen,
+                                       const unsigned char *secret, size_t secretlen)
+{
+       const unsigned char key_label[] = "retry token key";
+       const unsigned char iv_label[] = "retry token iv";
+
+       return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
+                                              salt, saltlen, secret, secretlen,
+                                              key_label, sizeof(key_label) - 1,
+                                              iv_label, sizeof(iv_label) -1);
+}
+
+int quic_tls_derive_token_secret(const EVP_MD *md,
+                                 unsigned char *key, size_t keylen,
+                                 unsigned char *iv, size_t ivlen,
+                                 const unsigned char *salt, size_t saltlen,
+                                 const unsigned char *secret, size_t secretlen)
+{
+       const unsigned char key_label[] = "token key";
+       const unsigned char iv_label[] = "token iv";
+
+       return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
+                                              salt, saltlen, secret, secretlen,
+                                              key_label, sizeof(key_label) - 1,
+                                              iv_label, sizeof(iv_label) -1);
+}
+
 /* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and
  * write it to <tag>. The tag is written just after the <pkt> area. It should
  * be at least 16 bytes longs. <odcid> is the CID of the Initial packet