From: Frédéric Lécaille
Date: Thu, 12 May 2022 12:44:51 +0000 (+0200)
Subject: MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
X-Git-Tag: v2.6-dev11~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9c5d8da58c02d58097b8d7b592255c9fead5110;p=thirdparty%2Fhaproxy.git
MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
This function must be used to derive strong secrets from a non pseudo-random secret (cluster-secret setting in our case) and an IV. First it call quic_hkdf_extract_and_expand() to do that for a temporary strong secret (tmpkey) then two calls to quic_hkdf_expand() reusing this strong temporary secret to derive the final strong secret and IV.
---
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 4f850b1ed0..18a9a04756 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -79,6 +79,12 @@ int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
 unsigned char *hp_key, size_t hp_keylen,
 const unsigned char *secret, size_t secretlen);
 
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+ unsigned char *key, size_t keylen,
+ unsigned char *iv, size_t ivlen,
+ const unsigned char *salt, size_t saltlen,
+ const unsigned char *secret, size_t secretlen);
+
 int quic_hkdf_extract_and_expand(const EVP_MD *md,
 unsigned char *buf, size_t buflen,
 const unsigned char *key, size_t keylen,
diff --git a/src/quic_tls.c b/src/quic_tls.c
index 15650eaf77..8f17b23715 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -490,6 +490,33 @@ int quic_tls_decrypt(unsigned char *buf, size_t len,
 return 1;
 }
 
+/* Derive and key and IV to be used to encrypt a retry token
+ * with which is not pseudo-random.
+ * Return 1 if succeeded, 0 if not.
+ */
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+ unsigned char *key, size_t keylen,
+ unsigned char *iv, size_t ivlen,
+ const unsigned char *salt, size_t saltlen,
+ const unsigned char *secret, size_t secretlen)
+{
+ unsigned char tmpkey[QUIC_TLS_KEY_LEN];
+ const unsigned char tmpkey_label[] = "retry token";
+ const unsigned char key_label[] = "retry token key";
+ const unsigned char iv_label[] = "retry token iv";
+
+ if (!quic_hkdf_extract_and_expand(md, tmpkey, sizeof tmpkey,
+ secret, secretlen, salt, saltlen,
+ tmpkey_label, sizeof tmpkey_label - 1) ||
+ !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
+ key_label, sizeof key_label - 1) ||
+ !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
+ iv_label, sizeof iv_label - 1))
+ return 0;
+
+ return 1;
+}
+
 /* Generate the AEAD tag for the Retry packet of bytes and
 * write it to . The tag is written just after the area. It should
 * be at least 16 bytes longs. is the CID of the Initial packet
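Review bot: The third call in `quic_tls_derive_retry_token_secret()` expands the IV from `secret`/`secretlen` instead of from `tmpkey`, although the commit description says both `quic_hkdf_expand()` calls reuse the temporary strong secret. As written, the IV does not depend on `salt`, so it is the same for every token under a given cluster secret. It is also produced by HKDF-Expand directly from input that the function's own comment calls not pseudo-random, which skips the extract step. If that is unintended, the call should read `!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,`. Separately, `tmpkey` holds derived key material and is left on the stack on both return paths; consider clearing it before returning, for example with `OPENSSL_cleanse(tmpkey, sizeof tmpkey);`.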