Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_openssl_compat.c @ 9178:b74f891053c7
QUIC: explicitly zero out unused keying material.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 20 Oct 2023 18:05:07 +0400 |
| parents | 22d110af473c |
| children |
comparison
equal
deleted
inserted
replaced
| 9177:22d110af473c | 9178:b74f891053c7 |
|---|---|
| 216 com->read_record = 0; | 216 com->read_record = 0; |
| 217 | 217 |
| 218 (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level, | 218 (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level, |
| 219 cipher, secret, n); | 219 cipher, secret, n); |
| 220 } | 220 } |
| 221 | |
| 222 ngx_explicit_memzero(secret, n); | |
| 221 } | 223 } |
| 222 | 224 |
| 223 | 225 |
| 224 static ngx_int_t | 226 static ngx_int_t |
| 225 ngx_quic_compat_set_encryption_secret(ngx_connection_t *c, | 227 ngx_quic_compat_set_encryption_secret(ngx_connection_t *c, |
| 244 if (key_len == NGX_ERROR) { | 246 if (key_len == NGX_ERROR) { |
| 245 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | 247 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); |
| 246 return NGX_ERROR; | 248 return NGX_ERROR; |
| 247 } | 249 } |
| 248 | 250 |
| 249 if (sizeof(peer_secret->secret.data) < secret_len) { | |
| 250 ngx_log_error(NGX_LOG_ALERT, c->log, 0, | |
| 251 "unexpected secret len: %uz", secret_len); | |
| 252 return NGX_ERROR; | |
| 253 } | |
| 254 | |
| 255 peer_secret->secret.len = secret_len; | |
| 256 ngx_memcpy(peer_secret->secret.data, secret, secret_len); | |
| 257 | |
| 258 key.len = key_len; | 251 key.len = key_len; |
| 259 | 252 |
| 260 peer_secret->iv.len = NGX_QUIC_IV_LEN; | 253 peer_secret->iv.len = NGX_QUIC_IV_LEN; |
| 261 | 254 |
| 262 secret_str.len = secret_len; | 255 secret_str.len = secret_len; |
| 289 if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log) | 282 if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log) |
| 290 == NGX_ERROR) | 283 == NGX_ERROR) |
| 291 { | 284 { |
| 292 return NGX_ERROR; | 285 return NGX_ERROR; |
| 293 } | 286 } |
| 287 | |
| 288 ngx_explicit_memzero(key.data, key.len); | |
| 294 | 289 |
| 295 return NGX_OK; | 290 return NGX_OK; |
| 296 } | 291 } |
| 297 | 292 |
| 298 | 293 |