Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 9209:1bf1b423f268
QUIC: trial packet decryption in response to invalid key update.
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 14 Feb 2024 15:55:34 +0400 |
parents | b74f891053c7 |
children |
comparison
equal
deleted
inserted
replaced
9208:2ed3f57dca0a | 9209:1bf1b423f268 |
---|---|
1142 | 1142 |
1143 if (ngx_quic_short_pkt(pkt->flags)) { | 1143 if (ngx_quic_short_pkt(pkt->flags)) { |
1144 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; | 1144 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; |
1145 | 1145 |
1146 if (key_phase != pkt->key_phase) { | 1146 if (key_phase != pkt->key_phase) { |
1147 secret = &pkt->keys->next_key.client; | 1147 if (pkt->keys->next_key.client.ctx != NULL) { |
1148 pkt->key_update = 1; | 1148 secret = &pkt->keys->next_key.client; |
1149 pkt->key_update = 1; | |
1150 | |
1151 } else { | |
1152 /* | |
1153 * RFC 9001, 6.3. Timing of Receive Key Generation. | |
1154 * | |
1155 * Trial decryption to avoid timing side-channel. | |
1156 */ | |
1157 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
1158 "quic next key missing"); | |
1159 } | |
1149 } | 1160 } |
1150 } | 1161 } |
1151 | 1162 |
1152 lpn = *largest_pn; | 1163 lpn = *largest_pn; |
1153 | 1164 |