Mercurial > hg > nginx

changeset 9209:1bf1b423f268

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: trial packet decryption in response to invalid key update. Inspired by RFC 9001, Section 6.3, trial packet decryption with the current keys is now used to avoid a timing side-channel signal. Further, this fixes segfault while accessing missing next keys (ticket #2585).
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 14 Feb 2024 15:55:34 +0400
parents 2ed3f57dca0a
children 4ed4e1e7f115
files src/event/quic/ngx_event_quic_protection.c
diffstat 1 files changed, 13 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt,
         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
 
         if (key_phase != pkt->key_phase) {
-            secret = &pkt->keys->next_key.client;
-            pkt->key_update = 1;
+            if (pkt->keys->next_key.client.ctx != NULL) {
+                secret = &pkt->keys->next_key.client;
+                pkt->key_update = 1;
+
+            } else {
+                /*
+                 * RFC 9001,  6.3. Timing of Receive Key Generation.
+                 *
+                 * Trial decryption to avoid timing side-channel.
+                 */
+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                               "quic next key missing");
+            }
         }
     }