HKDF-Expand-Label in MSQUIC #4420
slightlyfloating
started this conversation in
General
Replies: 1 comment 1 reply
-
Hello,
In the RFC where HKDF is defined, https://datatracker.ietf.org/doc/html/rfc5869#section-2.3, you'll see that it specifies a constant single-byte "counter" appended to the end of input in each iteration of HMAC-Hash. It's always 0x01 here because we only need one iteration of HMAC-Hash to get the required amount of output.
Let me know if you have any further questions.
From: slightlyfloating ***@***.***>
Sent: Sunday, July 28, 2024 4:48 PM
To: microsoft/msquic ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [microsoft/msquic] HKDF-Expand-Label in MSQUIC (Discussion #4420)
RFC9001 defines the "client in" label to be expanded as:
The labels generated during the execution of the HKDF-Expand-Label function (that is, HkdfLabel.label)
and part of the value given to the HKDF-Expand function in order to produce its output are:
client in:
00200f746c73313320636c69656e7420696e00
My issue is when I pass this byte array to my HKDF-Expand function I don't get the expected 32-byte client initial secret as specified in the RFC:
client_initial_secret
= HKDF-Expand-Label(initial_secret, "client in", "", 32)
= c00cf151ca5be075ed0ebfb5c80323c4
2d6b7db67881289af4008f1f6c357aea
But if I append a 0x01 to this Label string (e.g. 00200f746c73313320636c69656e7420696e0001), I get the desired output.
Looking at the MSQUIC implementation I see that a 0x01 suffix is added there too:
void CxPlatHkdfFormatLabel(
    _In_z_ const char* const Label,
    _In_ uint16_t HashLength,
    _Out_writes_all_(5 + CXPLAT_HKDF_PREFIX_LEN + strlen(Label))
        uint8_t* const Data,
    _Inout_ uint32_t* const DataLength
    )
{
    CXPLAT_DBG_ASSERT(strlen(Label) <= UINT8_MAX - CXPLAT_HKDF_PREFIX_LEN);
    uint8_t LabelLength = (uint8_t)strlen(Label);

    Data[0] = HashLength >> 8;
    Data[1] = HashLength & 0xff;
    Data[2] = CXPLAT_HKDF_PREFIX_LEN + LabelLength;
    memcpy(Data + 3, CXPLAT_HKDF_PREFIX, CXPLAT_HKDF_PREFIX_LEN);
    memcpy(Data + 3 + CXPLAT_HKDF_PREFIX_LEN, Label, LabelLength);
    Data[3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength] = 0; // <-- No context
    *DataLength = 3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength + 1;

    Data[*DataLength] = 0x1; // <--- Why?
    *DataLength += 1;        // <---
}
And HkdfLabel is defined in RFC 8446 as:

    HKDF-Expand-Label(Secret, Label, Context, Length) =
        HKDF-Expand(Secret, HkdfLabel, Length)

Where HkdfLabel is specified as:

    struct {
        uint16 length = Length;
        opaque label<7..255> = "tls13 " + Label;
        opaque context<0..255> = Context;
    } HkdfLabel;
So when I call HKDF-Expand-Label() with "client in", the label would be formatted as 00200f746c73313320636c69656e7420696e00, as given in RFC 9001, and it would be decoded as:
0x0020 -> length, 32 (0x20) bytes, as passed into HKDF-Expand-Label()
0x0f -> length of "tls13 client in" that follows --+\
0x746c73313320 -> "tls13 " --------------------------+- opaque label
0x636c69656e7420696e -> "client in"------------------+/
0x00 -> opaque context (no context, in this case)
I'd appreciate it if anyone with some insight could shed some light on why that 0x01 byte is appended. I can't seem to find any reference to it anywhere. Thanks!
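As an added example (not code from this thread or from msquic), the following Python makes the reply's point checkable: the 0x01 is the RFC 5869 block counter of the first HMAC iteration of HKDF-Expand, not part of the HkdfLabel encoding. A generic HKDF-Expand run over the HkdfLabel bytes quoted above, and a single HMAC over those bytes with 0x01 appended, produce the same 32-byte client_initial_secret. Function names are mine; the initial salt and Destination Connection ID used to rebuild initial_secret are the RFC 9001 Appendix A.1 values, which are not quoted on this page.

```python
import hmac
import hashlib

# Added example, not code from the thread or from msquic. The hash is fixed to
# SHA-256, which QUIC's initial secrets use (RFC 9001 section 5.2).
HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract, RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def expand_block(prk: bytes, prev: bytes, info: bytes, counter: int) -> bytes:
    """One iteration of HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i).
    The single byte i at the end is the counter the thread asks about."""
    return hmac.new(prk, prev + info + bytes([counter]), HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand, RFC 5869 section 2.3, for any length up to 255 * HashLen.
    Each extra hash block of output bumps the counter byte (0x02, 0x03, ...)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF-Expand")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = expand_block(prk, t, info, counter)
        okm += t
        counter += 1
    return okm[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Serialise the HkdfLabel struct of RFC 8446 section 7.1:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    if not (7 <= len(full_label) <= 255 and len(context) <= 255):
        raise ValueError("label or context too long for HkdfLabel")
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) =
    HKDF-Expand(Secret, HkdfLabel, Length), as in RFC 8446."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def single_hmac_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """The shortcut the reply describes: when at most one hash block of output is
    needed, HKDF-Expand collapses to T(1) = HMAC(secret, "" | HkdfLabel | 0x01),
    so appending 0x01 to the formatted label and running one HMAC is enough."""
    if length > HASH_LEN:
        raise ValueError("single-iteration shortcut only valid for length <= HashLen")
    return hmac.new(secret, hkdf_label(label, context, length) + b"\x01", HASH).digest()[:length]


# RFC 9001 Appendix A.1 inputs (quoted from the RFC, not from this page): the v1
# initial salt and the client's first Destination Connection ID, from which
# initial_secret and then client_initial_secret are derived.
INITIAL_SALT = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
CLIENT_DCID = bytes.fromhex("8394c8f03e515708")


def rfc9001_client_initial_secret() -> bytes:
    """client_initial_secret = HKDF-Expand-Label(HKDF-Extract(salt, DCID), "client in", "", 32)."""
    initial_secret = hkdf_extract(INITIAL_SALT, CLIENT_DCID)
    return hkdf_expand_label(initial_secret, b"client in", b"", 32)


if __name__ == "__main__":
    print("HkdfLabel(client in):", hkdf_label(b"client in", b"", 32).hex())
    print("client_initial_secret:", rfc9001_client_initial_secret().hex())
```

The shortcut is only sound because every QUIC key-schedule call (secrets of 32 bytes, keys of 16 or 32 bytes, IVs of 12 bytes, header-protection keys of 16 bytes) fits in one SHA-256 block; an HKDF-Expand that may be asked for more than HashLen bytes must keep the generic loop, where the counter becomes 0x02 for the second block and the previous block is prepended to the HMAC input.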