MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
authorFrédéric Lécaille <flecaille@haproxy.com>
Thu, 12 May 2022 12:44:51 +0000 (14:44 +0200)
committerFrédéric Lécaille <flecaille@haproxy.com>
Fri, 20 May 2022 14:57:12 +0000 (16:57 +0200)
This function must be used to derive strong secrets from a non-pseudo-random
secret (the cluster-secret setting in our case) and an IV. First it calls
quic_hkdf_extract_and_expand() to derive a temporary strong secret (tmpkey),
then it makes two calls to quic_hkdf_expand(), reusing this strong temporary
secret, to derive the final strong secret and IV.

include/haproxy/quic_tls.h
src/quic_tls.c

index 4f850b1ed0a6be31ebe312db9ad1af258eaf0649..18a9a047560236babe7772b06e62b9bbf6df3a67 100644 (file)
@@ -79,6 +79,12 @@ int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
                          unsigned char *hp_key, size_t hp_keylen,
                          const unsigned char *secret, size_t secretlen);
 
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+                                       unsigned char *key, size_t keylen,
+                                       unsigned char *iv, size_t ivlen,
+                                       const unsigned char *salt, size_t saltlen,
+                                       const unsigned char *secret, size_t secretlen);
+
 int quic_hkdf_extract_and_expand(const EVP_MD *md,
                                  unsigned char *buf, size_t buflen,
                                  const unsigned char *key, size_t keylen,
index 15650eaf776e856c851f8483db3fb026d40fcf6d..8f17b237158c9991da71a4db5d5543d38a4c917d 100644 (file)
@@ -490,6 +490,33 @@ int quic_tls_decrypt(unsigned char *buf, size_t len,
        return 1;
 }
 
+/* Derive <key> and <iv> key and IV to be used to encrypt a retry token
+ * with <secret> which is not pseudo-random.
+ * Return 1 if succeeded, 0 if not.
+ */
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+                                       unsigned char *key, size_t keylen,
+                                       unsigned char *iv, size_t ivlen,
+                                       const unsigned char *salt, size_t saltlen,
+                                       const unsigned char *secret, size_t secretlen)
+{
+       unsigned char tmpkey[QUIC_TLS_KEY_LEN];
+       const unsigned char tmpkey_label[] = "retry token";
+       const unsigned char key_label[] = "retry token key";
+       const unsigned char iv_label[] = "retry token iv";
+
+       if (!quic_hkdf_extract_and_expand(md, tmpkey, sizeof tmpkey,
+                                         secret, secretlen, salt, saltlen,
+                                         tmpkey_label, sizeof tmpkey_label - 1) ||
+           !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
+                             key_label, sizeof key_label - 1) ||
+           !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
+                             iv_label, sizeof iv_label - 1))
+               return 0;
+
+       return 1;
+}
+
 /* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and
  * write it to <tag>. The tag is written just after the <pkt> area. It should
  * be at least 16 bytes longs. <odcid> is the CID of the Initial packet
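Review bot: The third derivation call passes `secret, secretlen` to quic_hkdf_expand() rather than `tmpkey, sizeof tmpkey`, so the IV is expanded straight from the non-pseudo-random cluster secret and never depends on <salt>. That contradicts the commit description, which says both expand calls reuse the temporary strong secret. HKDF-Expand assumes a pseudorandom input key, which is what the preceding extract step exists to provide. The call should read `!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,`. Separately, `tmpkey` is left on the stack on both return paths; an `OPENSSL_cleanse(tmpkey, sizeof tmpkey);` before returning would avoid leaving derived key material behind.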