HKDF-Expand-Label in MSQUIC #4420
slightlyfloating
started this conversation in
General
Replies: 1 comment 1 reply
-
Hello,
In the RFC where HKDF is defined, https://datatracker.ietf.org/doc/html/rfc5869#section-2.3, you'll see that it specifies a constant single-byte "counter" appended to the end of input in each iteration of HMAC-Hash. It's always 0x01 here because we only need one iteration of HMAC-Hash to get the required amount of output.
Let me know if you have any further questions
From: slightlyfloating
Sent: Sunday, July 28, 2024 4:48 PM
To: microsoft/msquic
Cc: Subscribed
Subject: [microsoft/msquic] HKDF-Expand-Label in MSQUIC (Discussion #4420)
RFC9001 defines the "client in" label to be expanded as:
The labels generated during the execution of the HKDF-Expand-Label function (that is, HkdfLabel.label)
and part of the value given to the HKDF-Expand function in order to produce its output are:
client in:
00200f746c73313320636c69656e7420696e00
My issue is when I pass this byte array to my HKDF-Expand function I don't get the expected 32-byte client initial secret as specified in the RFC:
client_initial_secret
= HKDF-Expand-Label(initial_secret, "client in", "", 32)
= c00cf151ca5be075ed0ebfb5c80323c4
2d6b7db67881289af4008f1f6c357aea
But if I append a 0x01 to this Label string (e.g. 00200f746c73313320636c69656e7420696e0001), I get the desired output.
Looking at the MSQUIC implementation I see that a 0x01 suffix is added there too:
void CxPlatHkdfFormatLabel(
    _In_z_ const char* const Label,
    _In_ uint16_t HashLength,
    _Out_writes_all_(5 + CXPLAT_HKDF_PREFIX_LEN + strlen(Label))
        uint8_t* const Data,
    _Inout_ uint32_t* const DataLength
    )
{
    CXPLAT_DBG_ASSERT(strlen(Label) <= UINT8_MAX - CXPLAT_HKDF_PREFIX_LEN);
    uint8_t LabelLength = (uint8_t)strlen(Label);
    Data[0] = HashLength >> 8;
    Data[1] = HashLength & 0xff;
    Data[2] = CXPLAT_HKDF_PREFIX_LEN + LabelLength;
    memcpy(Data + 3, CXPLAT_HKDF_PREFIX, CXPLAT_HKDF_PREFIX_LEN);
    memcpy(Data + 3 + CXPLAT_HKDF_PREFIX_LEN, Label, LabelLength);
    Data[3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength] = 0; // <-- No context
    *DataLength = 3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength + 1;
    Data[*DataLength] = 0x1; // <--- Why?
    *DataLength += 1;        // <---
}
And HkdfLabel is defined in RFC 8446 as:
HKDF-Expand-Label(Secret, Label, Context, Length) =
HKDF-Expand(Secret, HkdfLabel, Length)
Where HkdfLabel is specified as:
struct {
uint16 length = Length;
opaque label<7..255> = "tls13 " + Label;
opaque context<0..255> = Context;
} HkdfLabel;
So when I call HKDF-Expand-Label() with "client in", the label would be formatted as 00200f746c73313320636c69656e7420696e00, as given in RFC 9001, and it would be decoded as:
0x0020 -> length, 32 (0x20) bytes, as passed into HKDF-Expand-Label()
0x0f -> length of "tls13 client in" that follows --+\
0x746c73313320 -> "tls13 " --------------------------+- opaque label
0x636c69656e7420696e -> "client in"------------------+/
0x00 -> opaque context (no context, in this case)
I'd appreciate it if anyone with some insight could shed some light on why that 0x01 byte is appended. I can't seem to find any reference to it anywhere. Thanks!
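The following is an added example, not code from the thread or from MSQUIC: it implements HKDF-Extract/Expand per RFC 5869 and HKDF-Expand-Label per RFC 8446, then reproduces the "client in" derivation so the trailing 0x01 can be seen for what it is, the HKDF-Expand block counter for T(1), appended by HKDF-Expand itself rather than being part of HkdfLabel. The salt and Destination Connection ID are the RFC 9001 Appendix A.1 values (assumed from the RFC, not from this page), and msquic_style_single_block is a reconstruction of what the quoted CxPlatHkdfFormatLabel prepares, not the project's own code.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # QUIC v1 initial secrets always use SHA-256 (RFC 9001 5.2)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 2.2: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i is ONE byte starting at 0x01.

    With length <= HashLen only T(1) is computed, so the HMAC input is exactly
    info || 0x01, which is the lone 0x01 seen after the HkdfLabel bytes."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]

def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 7.1 HkdfLabel: uint16 length | label<7..255> | context<0..255>.
    No counter byte belongs here; the context length byte (0x00 when empty) is the last field."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446: HKDF-Expand(Secret, HkdfLabel, Length)."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length)

def msquic_style_single_block(secret: bytes, label: bytes, length: int) -> bytes:
    """Reconstruction (assumed) of the quoted C helper: HkdfLabel with empty context,
    then 0x01, fed to a single HMAC. Only equivalent to HKDF-Expand while length <= HashLen."""
    assert length <= HASH().digest_size, "one T(1) block cannot cover this length"
    info_with_counter = hkdf_label(label, b"", length) + b"\x01"
    return hmac.new(secret, info_with_counter, HASH).digest()[:length]

# RFC 9001 section 5.2 salt and Appendix A.1 sample DCID (taken from the RFC, not this thread)
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
SAMPLE_DCID = bytes.fromhex("8394c8f03e515708")

def client_initial_secret(dcid: bytes = SAMPLE_DCID) -> bytes:
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    return hkdf_expand_label(initial_secret, b"client in", b"", 32)

if __name__ == "__main__":
    print(hkdf_label(b"client in", b"", 32).hex())  # 00200f746c73313320636c69656e7420696e00
    print(client_initial_secret().hex())            # c00cf151ca5be075ed0ebfb5c80323c42d6b7db67881289af4008f1f6c357aea
```

Running it shows the HkdfLabel bytes match the RFC 9001 listing without any 0x01, and that the single-HMAC shortcut and the full HKDF-Expand agree only because 32 bytes fit in one SHA-256 block.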