authorSergey Kandaurov <pluknet@nginx.com>2024-08-09 19:12:26 +0400
committerSergey Kandaurov <pluknet@nginx.com>2024-08-09 19:12:26 +0400
commit504c78fc6dd9542371b1658c9c8fdac6be20d2f6 (patch)
treebca592d2914eb8316b1400e2cc1a6cbe69ad54d9
parent58b92177e7c3c50f77f807ab3846ad5c7bbf0ebe (diff)
downloadnginx-504c78fc6dd9542371b1658c9c8fdac6be20d2f6.tar.gz
nginx-504c78fc6dd9542371b1658c9c8fdac6be20d2f6.zip
QUIC: zero out existing keying material only.
Previously, this resulted in extra ngx_explicit_memzero() calls from within ngx_quic_keys_cleanup(), which might be suboptimal.
-rw-r--r--src/event/quic/ngx_event_quic_protection.c29
1 files changed, 23 insertions, 6 deletions
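--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -743,8 +743,15 @@ ngx_quic_keys_discard(ngx_quic_keys_t *keys,
 ngx_quic_crypto_hp_cleanup(client);
 ngx_quic_crypto_hp_cleanup(server);
-ngx_explicit_memzero(client->secret.data, client->secret.len);
-ngx_explicit_memzero(server->secret.data, server->secret.len);
+if (client->secret.len) {
+ngx_explicit_memzero(client->secret.data, client->secret.len);
+client->secret.len = 0;
+}
+
+if (server->secret.len) {
+ngx_explicit_memzero(server->secret.data, server->secret.len);
+server->secret.len = 0;
+}
 }
@@ -844,6 +851,9 @@ ngx_quic_keys_update(ngx_event_t *ev)
 ngx_explicit_memzero(current->server.secret.data,
 current->server.secret.len);
+current->client.secret.len = 0;
+current->server.secret.len = 0;
+
 ngx_explicit_memzero(client_key.data, client_key.len);
 ngx_explicit_memzero(server_key.data, server_key.len);
@@ -870,10 +880,17 @@ ngx_quic_keys_cleanup(ngx_quic_keys_t *keys)
 ngx_quic_crypto_cleanup(&next->client);
 ngx_quic_crypto_cleanup(&next->server);
-ngx_explicit_memzero(next->client.secret.data,
-next->client.secret.len);
-ngx_explicit_memzero(next->server.secret.data,
-next->server.secret.len);
+if (next->client.secret.len) {
+ngx_explicit_memzero(next->client.secret.data,
+next->client.secret.len);
+next->client.secret.len = 0;
+}
+
+if (next->server.secret.len) {
+ngx_explicit_memzero(next->server.secret.data,
+next->server.secret.len);
+next->server.secret.len = 0;
+}
 }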
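Review bot: The zero-then-clear-length step is written out by hand four times in this diff (client and server in both ngx_quic_keys_discard and ngx_quic_keys_cleanup) and in a third shape in ngx_quic_keys_update, where the memzero stays unconditional and the two `len = 0` resets are appended separately; a small static helper over the `ngx_str_t` secret would keep all three sites identical and make it hard for a future caller to zero a secret without also clearing its length, which after this change is what marks the material as gone. Note also that only `len` is reset while `data` still points at the zeroed buffer, so the new invariant holds only if every consumer tests `len` rather than `data` — those callers are outside this diff and worth confirming. All three functions begin and end outside the hunks shown.
```c
/* Zero a secret if it still holds material and mark it as gone;
 * a no-op on an already cleared secret, so it is safe to call twice. */
static void
ngx_quic_secret_zero(ngx_str_t *secret)
{
    if (secret->len) {
        ngx_explicit_memzero(secret->data, secret->len);
        secret->len = 0;
    }
}

/* … unchanged: ngx_quic_keys_discard up to the hp cleanup calls … */
    ngx_quic_secret_zero(&client->secret);
    ngx_quic_secret_zero(&server->secret);
/* … unchanged: same two-line replacement in ngx_quic_keys_update and ngx_quic_keys_cleanup … */
```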