Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 9178:b74f891053c7
QUIC: explicitly zero out unused keying material.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 20 Oct 2023 18:05:07 +0400 |
| parents | 22d110af473c |
| children | 1bf1b423f268 |
comparison
equal
deleted
inserted
replaced
| 9177:22d110af473c | 9178:b74f891053c7 |
|---|---|
| 708 | 708 |
| 709 if (ngx_quic_crypto_hp_init(ciphers.hp, peer_secret, log) == NGX_ERROR) { | 709 if (ngx_quic_crypto_hp_init(ciphers.hp, peer_secret, log) == NGX_ERROR) { |
| 710 return NGX_ERROR; | 710 return NGX_ERROR; |
| 711 } | 711 } |
| 712 | 712 |
| 713 ngx_explicit_memzero(key.data, key.len); | |
| 714 | |
| 713 return NGX_OK; | 715 return NGX_OK; |
| 714 } | 716 } |
| 715 | 717 |
| 716 | 718 |
| 717 ngx_uint_t | 719 ngx_uint_t |
| 738 ngx_quic_crypto_cleanup(client); | 740 ngx_quic_crypto_cleanup(client); |
| 739 ngx_quic_crypto_cleanup(server); | 741 ngx_quic_crypto_cleanup(server); |
| 740 | 742 |
| 741 ngx_quic_crypto_hp_cleanup(client); | 743 ngx_quic_crypto_hp_cleanup(client); |
| 742 ngx_quic_crypto_hp_cleanup(server); | 744 ngx_quic_crypto_hp_cleanup(server); |
| 745 | |
| 746 ngx_explicit_memzero(client->secret.data, client->secret.len); | |
| 747 ngx_explicit_memzero(server->secret.data, server->secret.len); | |
| 743 } | 748 } |
| 744 | 749 |
| 745 | 750 |
| 746 void | 751 void |
| 747 ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys) | 752 ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys) |
| 832 == NGX_ERROR) | 837 == NGX_ERROR) |
| 833 { | 838 { |
| 834 goto failed; | 839 goto failed; |
| 835 } | 840 } |
| 836 | 841 |
| 842 ngx_explicit_memzero(current->client.secret.data, | |
| 843 current->client.secret.len); | |
| 844 ngx_explicit_memzero(current->server.secret.data, | |
| 845 current->server.secret.len); | |
| 846 | |
| 847 ngx_explicit_memzero(client_key.data, client_key.len); | |
| 848 ngx_explicit_memzero(server_key.data, server_key.len); | |
| 849 | |
| 837 return; | 850 return; |
| 838 | 851 |
| 839 failed: | 852 failed: |
| 840 | 853 |
| 841 ngx_quic_close_connection(c, NGX_ERROR); | 854 ngx_quic_close_connection(c, NGX_ERROR); |
| 854 | 867 |
| 855 next = &keys->next_key; | 868 next = &keys->next_key; |
| 856 | 869 |
| 857 ngx_quic_crypto_cleanup(&next->client); | 870 ngx_quic_crypto_cleanup(&next->client); |
| 858 ngx_quic_crypto_cleanup(&next->server); | 871 ngx_quic_crypto_cleanup(&next->server); |
| 872 | |
| 873 ngx_explicit_memzero(next->client.secret.data, | |
| 874 next->client.secret.len); | |
| 875 ngx_explicit_memzero(next->server.secret.data, | |
| 876 next->server.secret.len); | |
| 859 } | 877 } |
| 860 | 878 |
| 861 | 879 |
| 862 static ngx_int_t | 880 static ngx_int_t |
| 863 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res) | 881 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res) |