MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()

This function must be used to derive strong secrets from a non pseudo-random secret (cluster-secret setting in our case) and an IV. First it call quic_hkdf_extract_and_expand() to do that for a temporary strong secret (tmpkey) then two calls to quic_hkdf_expand() reusing this strong temporary secret to derive the final strong secret and IV.
2025-09-21 22:01:31 +02:00 · 2022-05-12 14:44:51 +02:00 · 2022-05-12 14:44:51 +02:00 · a9c5d8da58
commit a9c5d8da58
parent 359d877f73
2 changed files with 33 additions and 0 deletions
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@ -79,6 +79,12 @@ int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
                         unsigned char *hp_key, size_t hp_keylen,
                         const unsigned char *secret, size_t secretlen);

+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+                                       unsigned char *key, size_t keylen,
+                                       unsigned char *iv, size_t ivlen,
+                                       const unsigned char *salt, size_t saltlen,
+                                       const unsigned char *secret, size_t secretlen);
+
 int quic_hkdf_extract_and_expand(const EVP_MD *md,
                                 unsigned char *buf, size_t buflen,
                                 const unsigned char *key, size_t keylen,
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@ -490,6 +490,33 @@ int quic_tls_decrypt(unsigned char *buf, size_t len,
 	return 1;
 }

+/* Derive <key> and <iv> key and IV to be used to encrypt a retry token
+ * with <secret> which is not pseudo-random.
+ * Return 1 if succeeded, 0 if not.
+ */
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+                                       unsigned char *key, size_t keylen,
+                                       unsigned char *iv, size_t ivlen,
+                                       const unsigned char *salt, size_t saltlen,
+                                       const unsigned char *secret, size_t secretlen)
+{
+	unsigned char tmpkey[QUIC_TLS_KEY_LEN];
+	const unsigned char tmpkey_label[] = "retry token";
+	const unsigned char key_label[] = "retry token key";
+	const unsigned char iv_label[] = "retry token iv";
+
+	if (!quic_hkdf_extract_and_expand(md, tmpkey, sizeof tmpkey,
+	                                  secret, secretlen, salt, saltlen,
+	                                  tmpkey_label, sizeof tmpkey_label - 1) ||
+	    !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
+	                      key_label, sizeof key_label - 1) ||
+	    !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
+	                      iv_label, sizeof iv_label - 1))
+		return 0;
+
+	return 1;
+}
+
 /* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and
 * write it to <tag>. The tag is written just after the <pkt> area. It should
 * be at least 16 bytes longs. <odcid> is the CID of the Initial packet