SSL: explicit clearing of expired sessions.

This reduces lifetime of session keying material in server's memory, and therefore can be beneficial from forward secrecy point of view.
author: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:43 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:43 +0300
commit: 3057e6e9ad3ccb0be5cd1546697871cfec4d1fa3 (patch)
tree: 51ca1a7f4881b241b61fb0417c14324cbdf60129
parent: 76876c160f6f66a1f906a74649f1242844d2b910 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 24b17f985..ec4aa8f59 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -4031,6 +4031,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
 
             ngx_rbtree_delete(&cache->session_rbtree, node);
 
+            ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
             ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@@ -4120,6 +4122,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
 
             ngx_rbtree_delete(&cache->session_rbtree, node);
 
+            ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
             ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@@ -4168,6 +4172,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
 
         ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
 
+        ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
         ngx_slab_free_locked(shpool, sess_id->session);
 #endif
author	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:43 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:43 +0300
commit	3057e6e9ad3ccb0be5cd1546697871cfec4d1fa3 (patch)
tree	51ca1a7f4881b241b61fb0417c14324cbdf60129
parent	76876c160f6f66a1f906a74649f1242844d2b910 (diff)