4 files changed, 71 insertions, 48 deletions

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index 6a189d277..b3a20ecf1 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -225,6 +225,8 @@ static ngx_quic_connection_t *ngx_quic_new_connection(ngx_connection_t *c,
     ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_send_stateless_reset(ngx_connection_t *c,
     ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
+    u_char *secret, u_char *token);
 static ngx_int_t ngx_quic_process_stateless_reset(ngx_connection_t *c,
     ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_negotiate_version(ngx_connection_t *c,
@@ -1245,7 +1247,7 @@ ngx_quic_send_stateless_reset(ngx_connection_t *c, ngx_quic_conf_t *conf,
 
     token = &buf[len - NGX_QUIC_SR_TOKEN_LEN];
 
-    if (ngx_quic_new_sr_token(c, &pkt->dcid, &conf->sr_token_key, token)
+    if (ngx_quic_new_sr_token(c, &pkt->dcid, conf->sr_token_key, token)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -1258,6 +1260,32 @@ ngx_quic_send_stateless_reset(ngx_connection_t *c, ngx_quic_conf_t *conf,
 
 
 static ngx_int_t
+ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
+    u_char *token)
+{
+    ngx_str_t tmp;
+
+    tmp.data = secret;
+    tmp.len = NGX_QUIC_SR_KEY_LEN;
+
+    if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
+                            NGX_QUIC_SR_TOKEN_LEN)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+#if (NGX_DEBUG)
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stateless reset token %*xs",
+                    (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
+#endif
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_quic_process_stateless_reset(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
     u_char                 *tail, ch;
@@ -1391,9 +1419,10 @@ ngx_quic_send_retry(ngx_connection_t *c, ngx_quic_conf_t *conf,
     u_char             buf[NGX_QUIC_RETRY_BUFFER_SIZE];
     u_char             dcid[NGX_QUIC_SERVER_CID_LEN];
 
-    expires = ngx_time() + NGX_QUIC_RETRY_LIFETIME;
+    expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME;
 
-    if (ngx_quic_new_token(c, conf->token_key, &token, &inpkt->dcid, expires, 1)
+    if (ngx_quic_new_token(c, conf->av_token_key, &token, &inpkt->dcid,
+                           expires, 1)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -1723,7 +1752,7 @@ ngx_quic_init_connection(ngx_connection_t *c)
     }
 #endif
 
-    if (ngx_quic_new_sr_token(c, &qc->dcid, &qc->conf->sr_token_key,
+    if (ngx_quic_new_sr_token(c, &qc->dcid, qc->conf->sr_token_key,
                               qc->tp.sr_token)
         != NGX_OK)
     {
@@ -2235,7 +2264,7 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
 
     if (pkt->level == ssl_encryption_initial) {
         ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                       "quic token len:%uz %xV",
+                       "quic address validation token len:%uz %xV",
                        pkt->token.len, &pkt->token);
     }
 #endif
@@ -2306,7 +2335,7 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
 
     if (pkt->token.len) {
 
-        rc = ngx_quic_validate_token(c, conf->token_key, pkt);
+        rc = ngx_quic_validate_token(c, conf->av_token_key, pkt);
 
         if (rc == NGX_ERROR) {
             /* internal error */
@@ -2321,10 +2350,10 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
             /* token is invalid */
 
             if (pkt->retried) {
-                /* invalid Retry token */
+                /* invalid address validation token */
                 return ngx_quic_send_early_cc(c, pkt,
                                           NGX_QUIC_ERR_INVALID_TOKEN,
-                                          "invalid token");
+                                          "invalid address validation token");
             } else if (conf->retry) {
                 /* invalid NEW_TOKEN */
                 return ngx_quic_send_retry(c, conf, pkt);
@@ -3286,7 +3315,7 @@ ngx_quic_send_new_token(ngx_connection_t *c)
 
     expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
 
-    if (ngx_quic_new_token(c, qc->conf->token_key, &token, NULL, expires, 0)
+    if (ngx_quic_new_token(c, qc->conf->av_token_key, &token, NULL, expires, 0)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -4667,7 +4696,7 @@ ngx_quic_issue_server_ids(ngx_connection_t *c)
         frame->u.ncid.len = NGX_QUIC_SERVER_CID_LEN;
         ngx_memcpy(frame->u.ncid.cid, id, NGX_QUIC_SERVER_CID_LEN);
 
-        if (ngx_quic_new_sr_token(c, &dcid, &qc->conf->sr_token_key,
+        if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key,
                                   frame->u.ncid.srt)
             != NGX_OK)
         {
diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
index 0c94707a5..fd99321d1 100644
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -27,9 +27,11 @@
 
 #define NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT  3
 #define NGX_QUIC_DEFAULT_MAX_ACK_DELAY       25
-#define NGX_QUIC_DEFAULT_SRT_KEY_LEN         32
+#define NGX_QUIC_DEFAULT_HOST_KEY_LEN        32
+#define NGX_QUIC_SR_KEY_LEN                  32
+#define NGX_QUIC_AV_KEY_LEN                  32
 
-#define NGX_QUIC_RETRY_LIFETIME              3   /* seconds */
+#define NGX_QUIC_RETRY_TOKEN_LIFETIME          3 /* seconds */
 #define NGX_QUIC_NEW_TOKEN_LIFETIME          600 /* seconds */
 #define NGX_QUIC_RETRY_BUFFER_SIZE           256
     /* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(64) */
@@ -96,8 +98,9 @@ typedef struct {
     ngx_quic_tp_t              tp;
     ngx_flag_t                 retry;
     ngx_flag_t                 require_alpn;
-    u_char                     token_key[32]; /* AES 256 */
-    ngx_str_t                  sr_token_key; /* stateless reset token key */
+    ngx_str_t                  host_key;
+    u_char                     av_token_key[NGX_QUIC_AV_KEY_LEN];
+    u_char                     sr_token_key[NGX_QUIC_SR_KEY_LEN];
 } ngx_quic_conf_t;
 
 
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
index 253f43482..130637aaf 100644
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -942,58 +942,49 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
 
 
 ngx_int_t
-ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, ngx_str_t *secret,
-    u_char *token)
+ngx_quic_derive_key(ngx_log_t *log, const char *label, ngx_str_t *secret,
+    ngx_str_t *salt, u_char *out, size_t len)
 {
+    size_t         is_len, info_len;
     uint8_t       *p;
-    size_t         is_len, key_len, info_len;
-    ngx_str_t      label;
     const EVP_MD  *digest;
-    uint8_t       info[20];
-    uint8_t       is[SHA256_DIGEST_LENGTH];
-    uint8_t       key[SHA256_DIGEST_LENGTH];
 
-    /* 10.4.2.  Calculating a Stateless Reset Token */
+    uint8_t        is[SHA256_DIGEST_LENGTH];
+    uint8_t        info[20];
 
     digest = EVP_sha256();
-    ngx_str_set(&label, "sr_token_key");
 
     if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
-                         cid->data, cid->len)
+                         salt->data, salt->len)
        != NGX_OK)
     {
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "ngx_hkdf_extract(%V) failed", &label);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "ngx_hkdf_extract(%s) failed", label);
         return NGX_ERROR;
     }
 
-    key_len = SHA256_DIGEST_LENGTH;
+    info[0] = 0;
+    info[1] = len;
+    info[2] = ngx_strlen(label);
 
-    info_len = 2 + 1 + label.len + 1;
+    info_len = 2 + 1 + info[2] + 1;
 
-    info[0] = 0;
-    info[1] = key_len;
-    info[2] = label.len;
+    if (info_len >= 20) {
+        ngx_log_error(NGX_LOG_INFO, log, 0,
+                      "ngx_quic_create_key label \"%s\" too long", label);
+        return NGX_ERROR;
+    }
 
-    p = ngx_cpymem(&info[3], label.data, label.len);
+    p = ngx_cpymem(&info[3], label, info[2]);
     *p = '\0';
 
-    if (ngx_hkdf_expand(key, key_len, digest, is, is_len, info, info_len)
-        != NGX_OK)
+    if (ngx_hkdf_expand(out, len, digest, is, is_len, info, info_len) != NGX_OK)
     {
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "ngx_hkdf_expand(%V) failed", &label);
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
+                      "ngx_hkdf_expand(%s) failed", label);
         return NGX_ERROR;
     }
 
-    ngx_memcpy(token, key, NGX_QUIC_SR_TOKEN_LEN);
-
-#if (NGX_DEBUG)
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "quic stateless reset token %*xs",
-                    (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
-#endif
-
     return NGX_OK;
 }
 
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
index 4e39ea57a..60f9b6ae7 100644
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -11,6 +11,8 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 
+#include <ngx_event_quic_transport.h>
+
 
 #define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)
 
@@ -27,10 +29,8 @@ void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
      enum ssl_encryption_level_t level);
 void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
 ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys);
-
-ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
-    ngx_str_t *key, u_char *token);
-
+ngx_int_t ngx_quic_derive_key(ngx_log_t *log, const char *label,
+    ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len);
 ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
 ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);