Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

SSL: explicitly zero out session ticket keys.

Browse source
This commit is contained in:
Ruslan Ermilov 2019-01-31 19:28:07 +03:00
parent 67b0aa25bb
commit 8af47e3138
1 changed files with 24 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
src/event/ngx_event_openssl.c
View file

@ -68,6 +68,7 @@ static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
HMAC_CTX *hctx, int enc); HMAC_CTX *hctx, int enc);
static void ngx_ssl_session_ticket_keys_cleanup(void *data);
#endif #endif
#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
@ -3455,6 +3456,7 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
ngx_uint_t i; ngx_uint_t i;
ngx_array_t *keys; ngx_array_t *keys;
ngx_file_info_t fi; ngx_file_info_t fi;
ngx_pool_cleanup_t *cln;
ngx_ssl_session_ticket_key_t *key; ngx_ssl_session_ticket_key_t *key;
if (paths == NULL) { if (paths == NULL) {
@ -3467,6 +3469,14 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
return NGX_ERROR; return NGX_ERROR;
} }
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
return NGX_ERROR;
}
cln->handler = ngx_ssl_session_ticket_keys_cleanup;
cln->data = keys;
path = paths->elts; path = paths->elts;
for (i = 0; i < paths->nelts; i++) { for (i = 0; i < paths->nelts; i++) {
@ -3538,6 +3548,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
ngx_close_file_n " \"%V\" failed", &file.name); ngx_close_file_n " \"%V\" failed", &file.name);
} }
ngx_explicit_memzero(&buf, 80);
} }
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
@ -3568,6 +3580,8 @@ failed:
ngx_close_file_n " \"%V\" failed", &file.name); ngx_close_file_n " \"%V\" failed", &file.name);
} }
ngx_explicit_memzero(&buf, 80);
return NGX_ERROR; return NGX_ERROR;
} }
@ -3696,6 +3710,16 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
} }
} }
static void
ngx_ssl_session_ticket_keys_cleanup(void *data)
{
ngx_array_t *keys = data;
ngx_explicit_memzero(keys->elts,
keys->nelts * sizeof(ngx_ssl_session_ticket_key_t));
}
#else #else
ngx_int_t ngx_int_t