Mercurial > hg > nginx

diff src/event/quic/ngx_event_quic_openssl_compat.c @ 9178:b74f891053c7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: explicitly zero out unused keying material.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 20 Oct 2023 18:05:07 +0400
parents 22d110af473c
children
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -218,6 +218,8 @@ ngx_quic_compat_keylog_callback(const SS
         (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level,
                                                      cipher, secret, n);
     }
+
+    ngx_explicit_memzero(secret, n);
 }
 
 
@@ -246,15 +248,6 @@ ngx_quic_compat_set_encryption_secret(ng
         return NGX_ERROR;
     }
 
-    if (sizeof(peer_secret->secret.data) < secret_len) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0,
-                      "unexpected secret len: %uz", secret_len);
-        return NGX_ERROR;
-    }
-
-    peer_secret->secret.len = secret_len;
-    ngx_memcpy(peer_secret->secret.data, secret, secret_len);
-
     key.len = key_len;
 
     peer_secret->iv.len = NGX_QUIC_IV_LEN;
@@ -292,6 +285,8 @@ ngx_quic_compat_set_encryption_secret(ng
         return NGX_ERROR;
     }
 
+    ngx_explicit_memzero(key.data, key.len);
+
     return NGX_OK;
 }