[PATCH 2 of 8] QUIC: added check to prevent packet output with discarded keys

Thu Sep 7 15:13:54 UTC 2023

# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1694041352 -14400
#      Thu Sep 07 03:02:32 2023 +0400
# Node ID 02c86eac80c907adb7790c79ac6892afabcee5f4
# Parent  be1862a28fd8575a88475215ccfce995e392dfab
QUIC: added check to prevent packet output with discarded keys.

In addition to triggering alert, it ensures that such packets won't be sent.

With the previous change that marks server keys as discarded by zeroing the
key lengh, it is now an error to send packets with discarded keys.  OpenSSL
based stacks tolerate such behaviour because key length isn't used in packet
protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error.
It won't be possible to use discarded keys with reused crypto contexts.

diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -519,6 +519,21 @@ ngx_quic_output_packet(ngx_connection_t 
 
     qc = ngx_quic_get_connection(c);
 
+    if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
+        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "quic %s write keys discarded",
+                      ngx_quic_level_name(ctx->level));
+
+        while (!ngx_queue_empty(&ctx->frames)) {
+            q = ngx_queue_head(&ctx->frames);
+            ngx_queue_remove(q);
+
+            f = ngx_queue_data(q, ngx_quic_frame_t, queue);
+            ngx_quic_free_frame(c, f);
+        }
+
+        return 0;
+    }
+
     ngx_quic_init_packet(c, ctx, &pkt, qc->path);
 
     min_payload = ngx_quic_payload_size(&pkt, min);
