MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
This function must be used to derive strong secrets from a non pseudo-random
secret (cluster-secret setting in our case) and an IV. First it call
quic_hkdf_extract_and_expand() to do that for a temporary strong secret (tmpkey)
then two calls to quic_hkdf_expand() reusing this strong temporary secret
to derive the final strong secret and IV.
diff --git a/src/quic_tls.c b/src/quic_tls.c
index 15650ea..8f17b23 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -490,6 +490,33 @@
return 1;
}
+/* Derive <key> and <iv> key and IV to be used to encrypt a retry token
+ * with <secret> which is not pseudo-random.
+ * Return 1 if succeeded, 0 if not.
+ */
+int quic_tls_derive_retry_token_secret(const EVP_MD *md,
+ unsigned char *key, size_t keylen,
+ unsigned char *iv, size_t ivlen,
+ const unsigned char *salt, size_t saltlen,
+ const unsigned char *secret, size_t secretlen)
+{
+ unsigned char tmpkey[QUIC_TLS_KEY_LEN];
+ const unsigned char tmpkey_label[] = "retry token";
+ const unsigned char key_label[] = "retry token key";
+ const unsigned char iv_label[] = "retry token iv";
+
+ if (!quic_hkdf_extract_and_expand(md, tmpkey, sizeof tmpkey,
+ secret, secretlen, salt, saltlen,
+ tmpkey_label, sizeof tmpkey_label - 1) ||
+ !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
+ key_label, sizeof key_label - 1) ||
+ !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
+ iv_label, sizeof iv_label - 1))
+ return 0;
+
+ return 1;
+}
+
/* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and
* write it to <tag>. The tag is written just after the <pkt> area. It should
* be at least 16 bytes longs. <odcid> is the CID of the Initial packet