[TLS] init STEK even if time is 1970 (fixes #3075)

(thx DamienT) x-ref: "TLS 1.3 with SessionTicket fail for the first 8 hours of 1970" https://redmine.lighttpd.net/issues/3075
9 months ago · d50d4dc0e5
4 changed files with 7 additions and 4 deletions
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@ -407,7 +407,8 @@ mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const ti
        if (stek->expire_ts < cur_ts)
            mod_gnutls_session_ticket_key_free();
    }
-    else if (cur_ts - 86400 >= stek_rotate_ts) {  /*(24 hours)*/
+    else if (cur_ts - 86400 >= stek_rotate_ts     /*(24 hours)*/
+             || 0 == stek_rotate_ts) {
        mod_gnutls_session_ticket_key_rotate(srv);
        stek_rotate_ts = cur_ts;
    }
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@ -361,7 +361,9 @@ mod_mbedtls_session_ticket_key_check (plugin_data *p, const time_t cur_ts)
                                       mbedtls_cipher_get_key_bitlen(&key->ctx),
                                       MBEDTLS_ENCRYPT);
        if (0 != rc) { /* expire key immediately if error occurs */
-            key->generation_time = cur_ts - ctx->ticket_lifetime - 1;
+            key->generation_time = cur_ts > ctx->ticket_lifetime
+              ? cur_ts - ctx->ticket_lifetime - 1
+              : 0;
            ctx->active = 1 - ctx->active;
        }
        mbedtls_platform_zeroize(stek, sizeof(tlsext_ticket_key_t));
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -446,7 +446,7 @@ mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
            rotate = mod_openssl_session_ticket_key_file(p->ssl_stek_file);
        tlsext_ticket_wipe_expired(cur_ts);
    }
-    else if (cur_ts - 28800 >= stek_rotate_ts)     /*(8 hours)*/
+    else if (cur_ts - 28800 >= stek_rotate_ts || 0 == stek_rotate_ts)/*(8 hrs)*/
        rotate = mod_openssl_session_ticket_key_generate(cur_ts, cur_ts+86400);

    if (rotate) {
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@ -432,7 +432,7 @@ mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
            rotate = mod_openssl_session_ticket_key_file(p->ssl_stek_file);
        tlsext_ticket_wipe_expired(cur_ts);
    }
-    else if (cur_ts - 28800 >= stek_rotate_ts)     /*(8 hours)*/
+    else if (cur_ts - 28800 >= stek_rotate_ts || 0 == stek_rotate_ts)/*(8 hrs)*/
        rotate = mod_openssl_session_ticket_key_generate(cur_ts, cur_ts+86400);

    if (rotate) {