68 lines
2.6 KiB
Diff
68 lines
2.6 KiB
Diff
|
# HG changeset patch
|
||
|
# User Daiki Ueno <dueno@redhat.com>
|
||
|
# Date 1481108447 -3600
|
||
|
# Wed Dec 07 12:00:47 2016 +0100
|
||
|
# Branch wip/dueno/ec-session-ticket
|
||
|
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
|
||
|
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
|
||
|
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
|
||
|
|
||
|
When session ticket is used and wrapping key pair (for caching
|
||
|
generated keys at server side) is not available, disable caching
|
||
|
instead of returning an error.
|
||
|
|
||
|
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
|
||
|
--- a/lib/ssl/ssl3exthandle.c
|
||
|
+++ b/lib/ssl/ssl3exthandle.c
|
||
|
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
|
||
|
sslSocket *ss = (sslSocket *)data;
|
||
|
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
|
||
|
const sslServerCert *sc;
|
||
|
- SECKEYPrivateKey *svrPrivKey;
|
||
|
- SECKEYPublicKey *svrPubKey;
|
||
|
+ SECKEYPrivateKey *svrPrivKey = NULL;
|
||
|
+ SECKEYPublicKey *svrPubKey = NULL;
|
||
|
|
||
|
sc = ssl_FindServerCert(ss, &certType);
|
||
|
if (!sc || !sc->serverKeyPair) {
|
||
|
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
|
||
|
SSL_GETPID(), ss->fd));
|
||
|
- goto loser;
|
||
|
- }
|
||
|
- svrPrivKey = sc->serverKeyPair->privKey;
|
||
|
- svrPubKey = sc->serverKeyPair->pubKey;
|
||
|
- if (svrPrivKey == NULL || svrPubKey == NULL) {
|
||
|
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
|
||
|
- SSL_GETPID(), ss->fd));
|
||
|
- goto loser;
|
||
|
+ } else {
|
||
|
+ svrPrivKey = sc->serverKeyPair->privKey;
|
||
|
+ svrPubKey = sc->serverKeyPair->pubKey;
|
||
|
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
|
||
|
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
|
||
|
+ SSL_GETPID(), ss->fd));
|
||
|
+ svrPrivKey = NULL;
|
||
|
+ svrPubKey = NULL;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
/* Get a copy of the session keys from shared memory. */
|
||
|
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
|
||
|
--- a/lib/ssl/sslsnce.c
|
||
|
+++ b/lib/ssl/sslsnce.c
|
||
|
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
|
||
|
PRBool keysGenerated = PR_FALSE;
|
||
|
cacheDesc *cache = &globalCache;
|
||
|
|
||
|
- if (!cache->cacheMem) {
|
||
|
- /* cache is uninitialized. Generate keys and return them
|
||
|
- * without caching. */
|
||
|
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
|
||
|
+ /* Generated keys cannot be cached, because:
|
||
|
+ * - the cache is not initialized, or
|
||
|
+ * - key pairs to wrap them are not available
|
||
|
+ * Generate keys and return them without caching. */
|
||
|
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
|
||
|
}
|
||
|
|