# HG changeset patch # User Daiki Ueno # Date 1481108447 -3600 # Wed Dec 07 12:00:47 2016 +0100 # Branch wip/dueno/ec-session-ticket # Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73 # Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1 Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable When session ticket is used and wrapping key pair (for caching generated keys at server side) is not available, disable caching instead of returning an error. diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c --- a/lib/ssl/ssl3exthandle.c +++ b/lib/ssl/ssl3exthandle.c @@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat sslSocket *ss = (sslSocket *)data; sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL }; const sslServerCert *sc; - SECKEYPrivateKey *svrPrivKey; - SECKEYPublicKey *svrPubKey; + SECKEYPrivateKey *svrPrivKey = NULL; + SECKEYPublicKey *svrPubKey = NULL; sc = ssl_FindServerCert(ss, &certType); if (!sc || !sc->serverKeyPair) { SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair", SSL_GETPID(), ss->fd)); - goto loser; - } - svrPrivKey = sc->serverKeyPair->privKey; - svrPubKey = sc->serverKeyPair->pubKey; - if (svrPrivKey == NULL || svrPubKey == NULL) { - SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", - SSL_GETPID(), ss->fd)); - goto loser; + } else { + svrPrivKey = sc->serverKeyPair->privKey; + svrPubKey = sc->serverKeyPair->pubKey; + if (svrPrivKey == NULL || svrPubKey == NULL) { + SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", + SSL_GETPID(), ss->fd)); + svrPrivKey = NULL; + svrPubKey = NULL; + } } /* Get a copy of the session keys from shared memory. */ diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c --- a/lib/ssl/sslsnce.c +++ b/lib/ssl/sslsnce.c @@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe PRBool keysGenerated = PR_FALSE; cacheDesc *cache = &globalCache; - if (!cache->cacheMem) { - /* cache is uninitialized. Generate keys and return them - * without caching. */ + if (!cache->cacheMem || !svrPrivKey || !svrPubKey) { + /* Generated keys cannot be cached, because: + * - the cache is not initialized, or + * - key pairs to wrap them are not available + * Generate keys and return them without caching. */ return GenerateTicketKeys(pwArg, keyName, aesKey, macKey); }