[nginx] QUIC: trial packet decryption in response to invalid key...
Maxim Dounin
mdounin at mdounin.ru
Tue Feb 20 14:07:34 UTC 2024
details: http://freenginx.org/hg/nginx/rev/1bf1b423f268
branches:
changeset: 9209:1bf1b423f268
user: Sergey Kandaurov <pluknet at nginx.com>
date: Wed Feb 14 15:55:34 2024 +0400
description:
QUIC: trial packet decryption in response to invalid key update.
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).
diffstat:
src/event/quic/ngx_event_quic_protection.c | 15 +++++++++++++--
1 files changed, 13 insertions(+), 2 deletions(-)
diffs (25 lines):
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt,
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
if (key_phase != pkt->key_phase) {
- secret = &pkt->keys->next_key.client;
- pkt->key_update = 1;
+ if (pkt->keys->next_key.client.ctx != NULL) {
+ secret = &pkt->keys->next_key.client;
+ pkt->key_update = 1;
+
+ } else {
+ /*
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
+ *
+ * Trial decryption to avoid timing side-channel.
+ */
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+ "quic next key missing");
+ }
}
}
More information about the nginx-devel
mailing list