author | Maxim Dounin <mdounin@mdounin.ru> | 2022-10-12 20:14:43 +0300 |
committer | Maxim Dounin <mdounin@mdounin.ru> | 2022-10-12 20:14:43 +0300 |
commit | 3057e6e9ad3ccb0be5cd1546697871cfec4d1fa3 (patch) | |
tree | 51ca1a7f4881b241b61fb0417c14324cbdf60129 | |
parent | 76876c160f6f66a1f906a74649f1242844d2b910 (diff) |
SSL: explicit clearing of expired sessions.
This reduces lifetime of session keying material in server's memory, and
therefore can be beneficial from forward secrecy point of view.
-rw-r--r-- | src/event/ngx_event_openssl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 24b17f985..ec4aa8f59 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -4031,6 +4031,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
 ngx_rbtree_delete(&cache->session_rbtree, node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@@ -4120,6 +4122,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
 ngx_rbtree_delete(&cache->session_rbtree, node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@@ -4168,6 +4172,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
 #endif
|
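Review bot: The new `ngx_explicit_memzero(sess_id->session, sess_id->len)` line in ngx_ssl_get_cached_session carries no comment saying why a plain memset would not do, and the same unexplained line is repeated in the two later hunks (ngx_ssl_remove_session and ngx_ssl_expire_sessions). A store into memory that is handed back to the slab allocator on the very next line is exactly the kind of dead store an optimizer removes, so a later "simplification" to `ngx_memzero` would silently drop the guarantee; I would add above the first occurrence `/* wipe the serialized session (keying material) before the slab block is reused; must not be optimized away */`. The wipe covers `sess_id->len` bytes, which I take to be the serialized-session length recorded when the entry was inserted rather than the session-id length — worth confirming, since a shorter count would leave the tail of the session in shared memory on all three paths. The session id copy and the `sess_id` record itself are left uncleared, which seems intended since neither is secret, but that is an inference from the hunk alone. All three enclosing functions begin and end outside their hunks.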