SSL: explicit clearing of expired sessions.

This reduces lifetime of session keying material in server's memory, and therefore can be beneficial from forward secrecy point of view.
2026-06-30 13:53:18 +00:00 · 2022-10-12 20:14:43 +03:00 · 2022-10-12 20:14:43 +03:00 · 3057e6e9ad
commit 3057e6e9ad
parent 76876c160f
1 changed files with 6 additions and 0 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -4031,6 +4031,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,

            ngx_rbtree_delete(&cache->session_rbtree, node);

+            ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
            ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@ -4120,6 +4122,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)

            ngx_rbtree_delete(&cache->session_rbtree, node);

+            ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
            ngx_slab_free_locked(shpool, sess_id->session);
 #endif
@ -4168,6 +4172,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,

        ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);

+        ngx_explicit_memzero(sess_id->session, sess_id->len);
+
 #if (NGX_PTR_SIZE == 8)
        ngx_slab_free_locked(shpool, sess_id->session);
 #endif