[nginx] QUIC: added safety belt to prevent using discarded keys.

Sergey Kandaurov
October 20, 2023 10:44AM
details: https://hg.nginx.org/nginx/rev/60c4e8d3151f
branches:
changeset: 9169:60c4e8d3151f
user: Sergey Kandaurov <pluknet@nginx.com>
date: Fri Oct 20 18:05:07 2023 +0400
description:
QUIC: added safety belt to prevent using discarded keys.

In addition to triggering alert, it ensures that such packets won't be sent.

With the previous change that marks server keys as discarded by zeroing the
key length, it is now an error to send packets with discarded keys. OpenSSL
based stacks tolerate such behaviour because key length isn't used in packet
protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error.
It won't be possible to use discarded keys with reused crypto contexts as it
happens in subsequent changes.

diffstat:

src/event/quic/ngx_event_quic_output.c | 15 +++++++++++++++
1 files changed, 15 insertions(+), 0 deletions(-)

diffs (25 lines):

diff -r ff98ae7d261e -r 60c4e8d3151f src/event/quic/ngx_event_quic_output.c
--- a/src/event/quic/ngx_event_quic_output.c Thu Aug 31 19:54:10 2023 +0400
+++ b/src/event/quic/ngx_event_quic_output.c Fri Oct 20 18:05:07 2023 +0400
@@ -519,6 +519,21 @@ ngx_quic_output_packet(ngx_connection_t

qc = ngx_quic_get_connection(c);

+ if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, 0, "quic %s write keys discarded",
+ ngx_quic_level_name(ctx->level));
+
+ while (!ngx_queue_empty(&ctx->frames)) {
+ q = ngx_queue_head(&ctx->frames);
+ ngx_queue_remove(q);
+
+ f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+ ngx_quic_free_frame(c, f);
+ }
+
+ return 0;
+ }
+
ngx_quic_init_packet(c, ctx, &pkt, qc->path);

min_payload = ngx_quic_payload_size(&pkt, min);
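
Review bot: the discarded-keys branch added at the top of ngx_quic_output_packet() frees every frame in ctx->frames and then returns 0, with no comment saying that this is a should-not-happen path and that dropping the queued frames is intentional. A short comment above the "if (!ngx_quic_keys_available(qc->keys, ctx->level, 1))" check would record that for later readers. It is also worth confirming that callers treat a 0 return here as harmless, since the only error signal in the branch is the NGX_LOG_ALERT message. The loop relies on q and f being declared earlier in the function, which the hunk does not show.
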
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel