comparison src/event/quic/ngx_event_quic_openssl_compat.c @ 9178:b74f891053c7
QUIC: explicitly zero out unused keying material.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 20 Oct 2023 18:05:07 +0400 |
parents | 22d110af473c |
children |
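--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -216,10 +216,12 @@
 com->read_record = 0;
 
 (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level,
 cipher, secret, n);
 }
+
+ngx_explicit_memzero(secret, n);
 }
 
 
 static ngx_int_t
 ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
@@ -244,19 +246,10 @@
 if (key_len == NGX_ERROR) {
 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
 return NGX_ERROR;
 }
 
-if (sizeof(peer_secret->secret.data) < secret_len) {
-ngx_log_error(NGX_LOG_ALERT, c->log, 0,
-"unexpected secret len: %uz", secret_len);
-return NGX_ERROR;
-}
-
-peer_secret->secret.len = secret_len;
-ngx_memcpy(peer_secret->secret.data, secret, secret_len);
-
 key.len = key_len;
 
 peer_secret->iv.len = NGX_QUIC_IV_LEN;
 
 secret_str.len = secret_len;
@@ -289,10 +282,12 @@
 if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log)
 == NGX_ERROR)
 {
 return NGX_ERROR;
 }
+
+ngx_explicit_memzero(key.data, key.len);
 
 return NGX_OK;
 }
 
 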
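Review bot: In the last hunk the derived key is wiped only on the success path; when `ngx_quic_crypto_init()` fails the function leaves at `return NGX_ERROR;` with `key.data` still holding the expanded key bytes, so the zeroization this commit introduces is skipped exactly on the error path. Add `ngx_explicit_memzero(key.data, key.len);` inside the failure branch ahead of `return NGX_ERROR;` (or capture the return value and perform the wipe before the check) so the key is cleared regardless of outcome. The same question applies to the first hunk, where `ngx_explicit_memzero(secret, n);` runs after the `if` block: any early return earlier in that function, whose start is outside the hunk, would leave the decoded secret in place, which is worth confirming. `ngx_quic_compat_set_encryption_secret()` also has body lines between the shown hunks, so any other early return there would likewise bypass the new wipe.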