I'm trying to implement parts of the QUIC RFC and they note:
initial_salt = 0xc3eef712c72ebb5a11a7d2432bb46365bef9f502
initial_secret = HKDF-Extract(initial_salt,
client_dst_connection_id)
I was just wondering, how does one map this to here: https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_CTX_set_hkdf_md.html
I get this:
EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY In this mode calling EVP_PKEY_derive(3) will just perform the extract operation. The value returned will be the intermediate fixed-length pseudorandom key K.
The digest, key and salt values must be set before a key is derived or an error occurs.
But I'm confused here. I can see how to set the mode, the algorithm, the salt but I'm lost which where to set the client_dst_connection_id.
HKDF is described in RFC5869 which defines the HKDF-Extract operation like this:
HKDF-Extract(salt, IKM) -> PRK
Options: Hash a hash function; HashLen denotes the length of the hash function output in octets
Inputs: salt optional salt value (a non-secret random value); if not provided, it is set to a string of HashLen zeros. IKM input keying material
Output: PRK a pseudorandom key (of HashLen octets)
So, the second parameter (client_dst_connection_id in this case) is the "input keying material".
On the OpenSSL man page you linked to you can see that the keying material can be set using EVP_PKEY_CTX_set1_hkdf_key().
Note that the man page also says the following for EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:
The digest, key and salt values must be set before a key is derived or an error occurs.
So, the key and salt values are clear. You will also need to specify the digest in use via EVP_PKEY_CTX_set_hkdf_md()