RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-22 05:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: quic: Implement quic_tls_derive_token_secret().

Browse Source 
This is function is similar to quic_tls_derive_retry_token_secret().
Its aim is to derive the secret used to cipher the token to be used
for future connections.

This patch renames quic_tls_derive_retry_token_secret() to a more
and reuses its code to produce a more generic one: quic_do_tls_derive_token_secret().
Two arguments are added to this latter to produce both quic_tls_derive_retry_token_secret()
and quic_tls_derive_token_secret() new function which calls
quic_do_tls_derive_token_secret().
This commit is contained in:
Frederic Lecaille 2024-08-30 14:14:24 +02:00
parent fb7a092203
commit 74caa0eece
2 changed files with 44 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/haproxy/quic_tls.h
View File

@ -90,6 +90,12 @@ int quic_tls_derive_retry_token_secret(const EVP_MD *md,
const unsigned char *salt, size_t saltlen, const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen); const unsigned char *secret, size_t secretlen);
int quic_tls_derive_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen);
int quic_hkdf_expand(const EVP_MD *md, int quic_hkdf_expand(const EVP_MD *md,
unsigned char *buf, size_t buflen, unsigned char *buf, size_t buflen,
const unsigned char *key, size_t keylen, const unsigned char *key, size_t keylen,

47
src/quic_tls.c
View File

@ -950,25 +950,54 @@ int quic_tls_decrypt2(unsigned char *out,
* with <secret> which is not pseudo-random. * with <secret> which is not pseudo-random.
* Return 1 if succeeded, 0 if not. * Return 1 if succeeded, 0 if not.
*/ */
static inline int quic_do_tls_derive_token_secret(const EVP_MD *md, unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen,
const unsigned char *klabel, size_t klabellen,
const unsigned char *ivlabel, size_t ivlabellen)
{
unsigned char tmpkey[QUIC_TLS_KEY_LEN];
if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey,
secret, secretlen, salt, saltlen) ||
!quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
klabel, klabellen) ||
!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
ivlabel, ivlabellen))
return 0;
return 1;
}
int quic_tls_derive_retry_token_secret(const EVP_MD *md, int quic_tls_derive_retry_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen, unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen, unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen, const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen) const unsigned char *secret, size_t secretlen)
{ {
unsigned char tmpkey[QUIC_TLS_KEY_LEN];
const unsigned char key_label[] = "retry token key"; const unsigned char key_label[] = "retry token key";
const unsigned char iv_label[] = "retry token iv"; const unsigned char iv_label[] = "retry token iv";
if (!quic_hkdf_extract(md, tmpkey, sizeof tmpkey, return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
secret, secretlen, salt, saltlen) || salt, saltlen, secret, secretlen,
!quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey, key_label, sizeof(key_label) - 1,
key_label, sizeof key_label - 1) || iv_label, sizeof(iv_label) -1);
!quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey, }
iv_label, sizeof iv_label - 1))
return 0;
return 1; int quic_tls_derive_token_secret(const EVP_MD *md,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
const unsigned char *salt, size_t saltlen,
const unsigned char *secret, size_t secretlen)
{
const unsigned char key_label[] = "token key";
const unsigned char iv_label[] = "token iv";
return quic_do_tls_derive_token_secret(md, key, keylen, iv, ivlen,
salt, saltlen, secret, secretlen,
key_label, sizeof(key_label) - 1,
iv_label, sizeof(iv_label) -1);
} }
/* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and /* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and