bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.

patches/nginx-CVE-2024-24989.patch

@@ -0,0 +1,36 @@
+commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
+Author: Sergey Kandaurov <pluknet@nginx.com>
+Date:   Wed Feb 14 15:55:34 2024 +0400
+
+    QUIC: trial packet decryption in response to invalid key update.
+    
+    Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
+    keys is now used to avoid a timing side-channel signal.  Further, this fixes
+    segfault while accessing missing next keys (ticket #2585).
+
+diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
+index 88e6954cf..8223626b6 100644
+--- a/src/event/quic/ngx_event_quic_protection.c
++++ b/src/event/quic/ngx_event_quic_protection.c
+@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+ 
+         if (key_phase != pkt->key_phase) {
+-            secret = &pkt->keys->next_key.client;
+-            pkt->key_update = 1;
++            if (pkt->keys->next_key.client.ctx != NULL) {
++                secret = &pkt->keys->next_key.client;
++                pkt->key_update = 1;
++
++            } else {
++                /*
++                 * RFC 9001,  6.3. Timing of Receive Key Generation.
++                 *
++                 * Trial decryption to avoid timing side-channel.
++                 */
++                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
++                               "quic next key missing");
++            }
+         }
+     }
+