gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: quic: Implement quic_tls_derive_token_secret().

Browse Source 
This is function is similar to quic_tls_derive_retry_token_secret().
Its aim is to derive the secret used to cipher the token to be used
for future connections.

This patch renames quic_tls_derive_retry_token_secret() to a more
and reuses its code to produce a more generic one: quic_do_tls_derive_token_secret().
Two arguments are added to this latter to produce both quic_tls_derive_retry_token_secret()
and quic_tls_derive_token_secret() new function which calls
quic_do_tls_derive_token_secret().

(cherry picked from commit 74caa0eece1cc3a8b35f1d34674ea5f357819314)
Signed-off-by: Frederic Lecaille <flecaille@haproxy.com>
This commit is contained in:
Frederic Lecaille 2024-08-30 14:14:24 +02:00
parent ee7ad6615d
commit d074491bd4
2 changed files with 44 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/haproxy/quic_tls.h
View File

@ -90,6 +90,12 @@ int quic_tls_derive_retry_token_secret(const EVP_MD *md,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen);
int quic_tls_derive_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen);
int quic_hkdf_expand(const EVP_MD *md,
unsigned char *buf, size_t buflen,
const unsigned char *key, size_t keylen,

47
src/quic_tls.c
View File

@ -845,25 +845,54 @@ int quic_tls_decrypt2(unsigned char *out,
* with <secret> which is not pseudo-random.
* Return 1 if succeeded, 0 if not.
*/
static inline int quic_do_tls_derive_token_secret(const EVP_MD *md, unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen,
const unsigned char *klabel, size_t klabellen,
const unsigned char *ivlabel, size_t ivlabellen)
{
unsigned char tmpkey[QUIC_TLS_KEY_LEN];
if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey,
secret, secretlen, salt, saltlen) ||
!quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
klabel, klabellen) ||
!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
ivlabel, ivlabellen))
return 0;
return 1;
}
int quic_tls_derive_retry_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen)
{
unsigned char tmpkey[QUIC_TLS_KEY_LEN];
const unsigned char key_label[] = "retry token key";
const unsigned char iv_label[] = "retry token iv";
if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey,
secret, secretlen, salt, saltlen) ||
!quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
key_label, sizeof key_label - 1) ||
!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
iv_label, sizeof iv_label - 1))
return 0;
return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
salt, saltlen, secret, secretlen,
key_label, sizeof(key_label) - 1,
iv_label, sizeof(iv_label) -1);
}
return 1;
int quic_tls_derive_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen)
{
const unsigned char key_label[] = "token key";
const unsigned char iv_label[] = "token iv";
return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
salt, saltlen, secret, secretlen,
key_label, sizeof(key_label) - 1,
iv_label, sizeof(iv_label) -1);
}
/* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and