From: Frédéric Lécaille
Date: Tue, 30 Nov 2021 09:10:24 +0000 (+0100)
Subject: MINOR: quic: Add a function to derive the key update secrets
X-Git-Tag: v2.6-dev1~352
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39484de813a8cb2e33eacd7799065ee51ddf5e66;p=thirdparty%2Fhaproxy.git

MINOR: quic: Add a function to derive the key update secrets

This is the function used to derive an n+1th secret from the nth one as described in RFC9001 par. 6.1.
---
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index bf23823dd5..5a736110be 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -75,6 +75,10 @@ int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
 unsigned char *hp_key, size_t hp_keylen,
 const unsigned char *secret, size_t secretlen);
 
+int quic_tls_sec_update(const EVP_MD *md,
+ unsigned char *new_sec, size_t new_seclen,
+ const unsigned char *sec, size_t seclen);
+
 int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn);
 
diff --git a/src/quic_tls.c b/src/quic_tls.c
index 491a1bcd79..2e354430c8 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -261,6 +261,19 @@ int quic_tls_derive_initial_secrets(const EVP_MD *md,
 return 1;
 }
 
+/* Update secret key into according to RFC 9001 6.1.
+ * Always succeeds.
+ */
+int quic_tls_sec_update(const EVP_MD *md,
+ unsigned char *new_sec, size_t new_seclen,
+ const unsigned char *sec, size_t seclen)
+{
+ const unsigned char ku_label[] = "quic ku";
+
+ return quic_hkdf_expand_label(md, new_sec, new_seclen, sec, seclen,
+ ku_label, sizeof ku_label - 1);
+}
+
 /*
 * Build an IV into buffer with as size from with
 * as size depending on packet number.
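Review bot: The comment added above quic_tls_sec_update() in src/quic_tls.c states "Always succeeds", yet the body returns the result of quic_hkdf_expand_label() unchanged, so the function can fail whenever that helper does (its body is outside this diff, but the `return 1;` closing quic_tls_derive_initial_secrets() in the context lines suggests a 1/0 convention). A caller that relies on the comment and skips the check would derive the next packet protection keys from a new_sec buffer that was never written. I would replace that comment line with `* Returns 1 if succeeded, 0 if not; new_sec must not be used on failure.` and, since RFC 9001 6.1 produces a secret of the same size as the current one, add `* new_seclen is expected to equal seclen.`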