[nginx] SSL: explicit clearing of expired sessions.
Sergey Kandaurov
pluknet at nginx.com
Thu Oct 13 10:57:10 UTC 2022
details: https://hg.nginx.org/nginx/rev/f106f4a68faf
branches:
changeset: 8079:f106f4a68faf
user: Maxim Dounin <mdounin at mdounin.ru>
date: Wed Oct 12 20:14:43 2022 +0300
description:
SSL: explicit clearing of expired sessions.
This reduces lifetime of session keying material in server's memory, and
therefore can be beneficial from forward secrecy point of view.
diffstat:
src/event/ngx_event_openssl.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diffs (30 lines):
diff -r 5244d3b165ff -r f106f4a68faf src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Oct 12 20:14:40 2022 +0300
+++ b/src/event/ngx_event_openssl.c Wed Oct 12 20:14:43 2022 +0300
@@ -4031,6 +4031,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_
ngx_rbtree_delete(&cache->session_rbtree, node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
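Review bot: in ngx_ssl_get_cached_session the new ngx_explicit_memzero() call sits above the #if (NGX_PTR_SIZE == 8) guard, so it runs on every build, while ngx_slab_free_locked(shpool, sess_id->session) is compiled only under that guard. A one-line comment saying the wipe is deliberately unconditional would stop a later cleanup from moving it inside the #if next to the free.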
@@ -4120,6 +4122,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx
ngx_rbtree_delete(&cache->session_rbtree, node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
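Review bot: the commit description talks only about expired sessions, but this hunk adds the wipe in ngx_ssl_remove_session, right after ngx_rbtree_delete(). If explicit removal is meant to be covered as well, the description should say so (for example "expired and removed sessions") so the log matches what the change touches.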
@@ -4168,6 +4172,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_
ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
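Review bot: the ngx_explicit_memzero(sess_id->session, sess_id->len) added here in ngx_ssl_expire_sessions is the third identical copy of the wipe-then-free sequence in this patch. A small static helper that does the memzero followed by the guarded ngx_slab_free_locked() would keep any future removal path from freeing the session data without clearing it.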