authorRuslan Ermilov <ru@nginx.com>2019-01-31 19:28:07 +0300
committerRuslan Ermilov <ru@nginx.com>2019-01-31 19:28:07 +0300
commit80f105b054b6d7da2da8650f763471f27b47a562 (patch)
tree1ad98d86b16f2260ecef3ff1e52ccff294033515 /src
parent94fa2bb4cb4ab6140607e129ff1609378e379a09 (diff)
SSL: explicitly zero out session ticket keys.
Diffstat (limited to 'src')
-rw-r--r--src/event/ngx_event_openssl.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 37a4b72b6..7002059c6 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -68,6 +68,7 @@ static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
HMAC_CTX *hctx, int enc);
+static void ngx_ssl_session_ticket_keys_cleanup(void *data);
#endif
#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
@@ -3455,6 +3456,7 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
ngx_uint_t i;
ngx_array_t *keys;
ngx_file_info_t fi;
+ ngx_pool_cleanup_t *cln;
ngx_ssl_session_ticket_key_t *key;
if (paths == NULL) {
@@ -3467,6 +3469,14 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
return NGX_ERROR;
}
+ cln = ngx_pool_cleanup_add(cf->pool, 0);
+ if (cln == NULL) {
+ return NGX_ERROR;
+ }
+
+ cln->handler = ngx_ssl_session_ticket_keys_cleanup;
+ cln->data = keys;
+
path = paths->elts;
for (i = 0; i < paths->nelts; i++) {
@@ -3538,6 +3548,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
ngx_close_file_n " \"%V\" failed", &file.name);
}
+
+ ngx_explicit_memzero(&buf, 80);
}
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
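Review bot: The new `ngx_explicit_memzero(&buf, 80);` after the close-file block hard-codes the scrub length instead of deriving it from the buffer; if `buf` is a fixed-size array declared earlier in ngx_ssl_session_ticket_keys (its declaration is outside this hunk), `ngx_explicit_memzero(buf, sizeof(buf));` ties the wipe to the declaration so a later change to the buffer size cannot leave a tail of key bytes unzeroed. The same literal `80` is repeated in the `failed:` path of the next hunk and should be changed the same way. The enclosing function starts before and continues after this hunk.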
@@ -3568,6 +3580,8 @@ failed:
ngx_close_file_n " \"%V\" failed", &file.name);
}
+ ngx_explicit_memzero(&buf, 80);
+
return NGX_ERROR;
}
@@ -3696,6 +3710,16 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
}
}
+
+static void
+ngx_ssl_session_ticket_keys_cleanup(void *data)
+{
+ ngx_array_t *keys = data;
+
+ ngx_explicit_memzero(keys->elts,
+ keys->nelts * sizeof(ngx_ssl_session_ticket_key_t));
+}
+
#else
ngx_int_t
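Review bot: ngx_ssl_session_ticket_keys_cleanup wipes only the `keys->nelts` elements behind `keys->elts`, so it relies on the array never having been moved; if `keys` was created with fewer slots than `paths->nelts`, `ngx_array_push` relocates the elements to a fresh block while loading and the abandoned copy stays in the pool unscrubbed — worth confirming against the `ngx_array_create` call above the earlier hunk that it is sized to `paths->nelts`. The handler also deserves a one-line comment stating why plain memset is not used, e.g. `/* wipe ticket key material before the pool releases the memory */`, since the distinction between ngx_explicit_memzero and ngx_memzero is the whole point of the function.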