comparison src/event/ngx_event_openssl.c @ 7453:873150addfeb
SSL: explicitly zero out session ticket keys.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 31 Jan 2019 19:28:07 +0300 |
parents | 294162223c7c |
children | e72c8a8a8b10 |
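--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -66,10 +66,11 @@
 
 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
     unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
     HMAC_CTX *hctx, int enc);
+static void ngx_ssl_session_ticket_keys_cleanup(void *data);
 #endif
 
 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
 #endif
@@ -3453,21 +3454,30 @@
     ngx_str_t                     *path;
     ngx_file_t                     file;
     ngx_uint_t                     i;
     ngx_array_t                   *keys;
     ngx_file_info_t                fi;
+    ngx_pool_cleanup_t            *cln;
     ngx_ssl_session_ticket_key_t  *key;
 
     if (paths == NULL) {
         return NGX_OK;
     }
 
     keys = ngx_array_create(cf->pool, paths->nelts,
                             sizeof(ngx_ssl_session_ticket_key_t));
     if (keys == NULL) {
         return NGX_ERROR;
     }
+
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_session_ticket_keys_cleanup;
+    cln->data = keys;
 
     path = paths->elts;
     for (i = 0; i < paths->nelts; i++) {
 
         if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
@@ -3536,10 +3546,12 @@
 
         if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
             ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
                           ngx_close_file_n " \"%V\" failed", &file.name);
         }
+
+        ngx_explicit_memzero(&buf, 80);
     }
 
     if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
         == 0)
     {
@@ -3565,10 +3577,12 @@
 
     if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
         ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
                       ngx_close_file_n " \"%V\" failed", &file.name);
     }
+
+    ngx_explicit_memzero(&buf, 80);
 
     return NGX_ERROR;
 }
 
 
@@ -3694,10 +3708,20 @@
 
         return (i == 0) ? 1 : 2 /* renew */;
     }
 }
 
+
+static void
+ngx_ssl_session_ticket_keys_cleanup(void *data)
+{
+    ngx_array_t  *keys = data;
+
+    ngx_explicit_memzero(keys->elts,
+                         keys->nelts * sizeof(ngx_ssl_session_ticket_key_t));
+}
+
 #else
 
 ngx_int_t
 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
 {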
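Review bot: The two added `ngx_explicit_memzero(&buf, 80)` calls hard-code a length that has to match buf's declaration, which lies outside these hunks, so a later change to the buffer size could silently leave key bytes unzeroed; if buf is a fixed-size array, `ngx_explicit_memzero(buf, sizeof(buf))` ties the two together, and if it is not, a short comment should say where 80 comes from. The new ngx_ssl_session_ticket_keys_cleanup handler would also benefit from a comment on why it exists, such as `/* zeroize session ticket key material when the pool is destroyed; registered before the read loop so a partially filled array on the error path is covered too */`. In that handler, `keys->nelts * keys->size` would avoid re-spelling the element type that ngx_array_create was given, assuming ngx_array_t keeps the element size it was created with. The enclosing ngx_ssl_session_ticket_keys function begins before and continues past the shown hunks.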