comparison src/event/ngx_event_openssl.c @ 7453:873150addfeb

SSL: explicitly zero out session ticket keys.
author Ruslan Ermilov <ru@nginx.com>
date Thu, 31 Jan 2019 19:28:07 +0300
parents 294162223c7c
children e72c8a8a8b10
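--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -66,10 +66,11 @@
 
 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
 HMAC_CTX *hctx, int enc);
+static void ngx_ssl_session_ticket_keys_cleanup(void *data);
 #endif
 
 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
 #endif
@@ -3453,20 +3454,29 @@
 ngx_str_t *path;
 ngx_file_t file;
 ngx_uint_t i;
 ngx_array_t *keys;
 ngx_file_info_t fi;
+ngx_pool_cleanup_t *cln;
 ngx_ssl_session_ticket_key_t *key;
 
 if (paths == NULL) {
 return NGX_OK;
 }
 keys = ngx_array_create(cf->pool, paths->nelts,
 sizeof(ngx_ssl_session_ticket_key_t));
 if (keys == NULL) {
 return NGX_ERROR;
 }
+
+cln = ngx_pool_cleanup_add(cf->pool, 0);
+if (cln == NULL) {
+return NGX_ERROR;
+}
+
+cln->handler = ngx_ssl_session_ticket_keys_cleanup;
+cln->data = keys;
 
 path = paths->elts;
 for (i = 0; i < paths->nelts; i++) {
 
 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
@@ -3536,10 +3546,12 @@
 
 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
 ngx_close_file_n " \"%V\" failed", &file.name);
 }
+
+ngx_explicit_memzero(&buf, 80);
 }
 
 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
 == 0)
 {
@@ -3565,10 +3577,12 @@
 
 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
 ngx_close_file_n " \"%V\" failed", &file.name);
 }
+
+ngx_explicit_memzero(&buf, 80);
 
 return NGX_ERROR;
 }
 
 
@@ -3694,10 +3708,20 @@
 
 return (i == 0) ? 1 : 2 /* renew */;
 }
 }
 
+
+static void
+ngx_ssl_session_ticket_keys_cleanup(void *data)
+{
+ngx_array_t *keys = data;
+
+ngx_explicit_memzero(keys->elts,
+keys->nelts * sizeof(ngx_ssl_session_ticket_key_t));
+}
+
 #else
 
 ngx_int_t
 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
 {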
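Review bot: The cleanup handler added at new lines 3714–3721 wipes only the buffer `keys->elts` points to at pool teardown, so it silently depends on the array never growing past the `paths->nelts` capacity it is created with at new line 3466 — if the array were ever pushed beyond that (presumably one `ngx_array_push` per path in the part of the loop not shown), the elements would be moved to a fresh allocation and the abandoned copy would keep key material until the pool is freed unzeroed. That invariant deserves a comment where the cleanup is registered, e.g. `/* keys is sized to paths->nelts and must not grow: the cleanup wipes only the current elts */`. The two `ngx_explicit_memzero(&buf, 80);` calls at new lines 3552 and 3583 repeat a magic size; `buf` is declared outside this hunk, but if it is a fixed array as `&buf` suggests, `ngx_explicit_memzero(buf, sizeof(buf));` ties the wipe to the declaration. Any other early return between the read into `buf` and these two exits lies outside the hunks shown and should get the same wipe; the enclosing ngx_ssl_session_ticket_keys begins and ends outside the visible hunks.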