37 lines
1.4 KiB
C
37 lines
1.4 KiB
C
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
|
|
Author: Sergey Kandaurov <pluknet@nginx.com>
|
|
Date: Wed Feb 14 15:55:34 2024 +0400
|
|
|
|
QUIC: trial packet decryption in response to invalid key update.
|
|
|
|
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
|
|
keys is now used to avoid a timing side-channel signal. Further, this fixes
|
|
segfault while accessing missing next keys (ticket #2585).
|
|
|
|
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
|
|
index 88e6954cf..8223626b6 100644
|
|
--- a/src/event/quic/ngx_event_quic_protection.c
|
|
+++ b/src/event/quic/ngx_event_quic_protection.c
|
|
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
|
|
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
|
|
|
|
if (key_phase != pkt->key_phase) {
|
|
- secret = &pkt->keys->next_key.client;
|
|
- pkt->key_update = 1;
|
|
+ if (pkt->keys->next_key.client.ctx != NULL) {
|
|
+ secret = &pkt->keys->next_key.client;
|
|
+ pkt->key_update = 1;
|
|
+
|
|
+ } else {
|
|
+ /*
|
|
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
|
|
+ *
|
|
+ * Trial decryption to avoid timing side-channel.
|
|
+ */
|
|
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
|
|
+ "quic next key missing");
|
|
+ }
|
|
}
|
|
}
|
|
|