Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 9209:1bf1b423f268
QUIC: trial packet decryption in response to invalid key update.
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 14 Feb 2024 15:55:34 +0400 |
| parents | b74f891053c7 |
| children |
comparison
equal
deleted
inserted
replaced
| 9208:2ed3f57dca0a | 9209:1bf1b423f268 |
|---|---|
| 1142 | 1142 |
| 1143 if (ngx_quic_short_pkt(pkt->flags)) { | 1143 if (ngx_quic_short_pkt(pkt->flags)) { |
| 1144 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; | 1144 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; |
| 1145 | 1145 |
| 1146 if (key_phase != pkt->key_phase) { | 1146 if (key_phase != pkt->key_phase) { |
| 1147 secret = &pkt->keys->next_key.client; | 1147 if (pkt->keys->next_key.client.ctx != NULL) { |
| 1148 pkt->key_update = 1; | 1148 secret = &pkt->keys->next_key.client; |
| 1149 pkt->key_update = 1; | |
| 1150 | |
| 1151 } else { | |
| 1152 /* | |
| 1153 * RFC 9001, 6.3. Timing of Receive Key Generation. | |
| 1154 * | |
| 1155 * Trial decryption to avoid timing side-channel. | |
| 1156 */ | |
| 1157 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
| 1158 "quic next key missing"); | |
| 1159 } | |
| 1149 } | 1160 } |
| 1150 } | 1161 } |
| 1151 | 1162 |
| 1152 lpn = *largest_pn; | 1163 lpn = *largest_pn; |
| 1153 | 1164 |