From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Fri, 6 May 2022 07:54:48 +0000 (+0200)
Subject: MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
X-Git-Tag: v2.6-dev10~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b92c81e4381cdf00c8ab1cda8323a1b1215eb38;p=thirdparty%2Fhaproxy.git

MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF

This is a wrapper function around OpenSSL HKDF API functions to
use the "extract-then-expand" HKDF mode as defined by rfc5869.
This function will be used to derived stateless reset tokens
from secrets ("cluster-secret" conf. keyword) and CIDs (as salts).
---

diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 8616aa31fa..0a0483d78b 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -79,6 +79,12 @@ int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
                          unsigned char *hp_key, size_t hp_keylen,
                          const unsigned char *secret, size_t secretlen);
 
+int quic_hkdf_extract_and_expand(const EVP_MD *md,
+                                 unsigned char *buf, size_t buflen,
+                                 const unsigned char *key, size_t keylen,
+                                 const unsigned char *salt, size_t saltlen,
+                                 const unsigned char *label, size_t labellen);
+
 int quic_tls_rx_ctx_init(EVP_CIPHER_CTX **rx_ctx,
                          const EVP_CIPHER *aead, unsigned char *key);
 int quic_tls_tx_ctx_init(EVP_CIPHER_CTX **tx_ctx,
diff --git a/src/quic_tls.c b/src/quic_tls.c
index f8d11a305e..12a2133e4b 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -123,6 +123,44 @@ int quic_hkdf_expand(const EVP_MD *md,
     EVP_PKEY_CTX_free(ctx);
     return 0;
 }
+
+/* Extracts a peudo-random secret key from <key> which is eventually not
+ * pseudo-random and expand it to a new pseudo-random key into
+ * <buf> with <buflen> as key length according to HKDF specifications
+ * (https://datatracker.ietf.org/doc/html/rfc5869).
+ * According to this specifications it is highly recommended to use
+ * a salt, even if optional (NULL value).
+ * Return 1 if succeeded, 0 if not.
+ */
+int quic_hkdf_extract_and_expand(const EVP_MD *md,
+                                 unsigned char *buf, size_t buflen,
+                                 const unsigned char *key, size_t keylen,
+                                 const unsigned char *salt, size_t saltlen,
+                                 const unsigned char *label, size_t labellen)
+{
+	EVP_PKEY_CTX *ctx;
+
+	ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+	if (!ctx)
+		return 0;
+
+	if (EVP_PKEY_derive_init(ctx) <= 0 ||
+	    EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) <= 0 ||
+	    EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
+	    EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
+	    EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
+	    EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
+	    EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
+		goto err;
+
+	EVP_PKEY_CTX_free(ctx);
+	return 1;
+
+ err:
+	EVP_PKEY_CTX_free(ctx);
+	return 0;
+}
+
 #endif
 
 /* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys