comparison src/event/quic/ngx_event_quic_protection.c @ 9178:b74f891053c7
QUIC: explicitly zero out unused keying material.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 20 Oct 2023 18:05:07 +0400 |
parents | 22d110af473c |
children | 1bf1b423f268 |
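--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -708,10 +708,12 @@
 
     if (ngx_quic_crypto_hp_init(ciphers.hp, peer_secret, log) == NGX_ERROR) {
         return NGX_ERROR;
     }
 
+    ngx_explicit_memzero(key.data, key.len);
+
     return NGX_OK;
 }
 
 
 ngx_uint_t
@@ -738,10 +740,13 @@
     ngx_quic_crypto_cleanup(client);
     ngx_quic_crypto_cleanup(server);
 
     ngx_quic_crypto_hp_cleanup(client);
     ngx_quic_crypto_hp_cleanup(server);
+
+    ngx_explicit_memzero(client->secret.data, client->secret.len);
+    ngx_explicit_memzero(server->secret.data, server->secret.len);
 }
 
 
 void
 ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys)
@@ -832,10 +837,18 @@
         == NGX_ERROR)
     {
         goto failed;
     }
 
+    ngx_explicit_memzero(current->client.secret.data,
+                         current->client.secret.len);
+    ngx_explicit_memzero(current->server.secret.data,
+                         current->server.secret.len);
+
+    ngx_explicit_memzero(client_key.data, client_key.len);
+    ngx_explicit_memzero(server_key.data, server_key.len);
+
     return;
 
 failed:
 
     ngx_quic_close_connection(c, NGX_ERROR);
@@ -854,10 +867,15 @@
 
     next = &keys->next_key;
 
     ngx_quic_crypto_cleanup(&next->client);
     ngx_quic_crypto_cleanup(&next->server);
+
+    ngx_explicit_memzero(next->client.secret.data,
+                         next->client.secret.len);
+    ngx_explicit_memzero(next->server.secret.data,
+                         next->server.secret.len);
 }
 
 
 static ngx_int_t
 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res)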
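Review bot: The zeroing added in ngx_quic_keys_switch (new-side lines 842-848) is skipped on the error path, because `goto failed` at new-side line 839 jumps past it, so a failed derivation leaves `client_key`, `server_key` and the previous `current->client.secret`/`current->server.secret` bytes in memory; the same gap exists in the first hunk, where `return NGX_ERROR` at new-side line 710 is taken before the `ngx_explicit_memzero(key.data, key.len);` added at line 713. Where a buffer is no longer needed once the init call has been issued (the `ngx_quic_crypto_hp_init` call visible above line 713 takes `peer_secret`, not `key`), the zeroing can move ahead of the check; otherwise a common cleanup label reached from both `failed:` and the success path would cover both exits. Both enclosing functions begin outside the visible hunks, so earlier early returns in them may have the same omission and are worth checking in the same pass.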