authorGlenn Strauss <gstrauss@gluelogic.com>2021-03-17 06:11:00 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2021-03-26 07:33:42 -0400
commitd50d4dc0e557d582a0da4f3116ef1c4ab7a0bd78 (patch)
treea95ce2aa75f47e8129f479933cab8a683c6cd32f /src/mod_mbedtls.c
parentdde9df431088697b0a29b71b1f4b68023118468f (diff)
[TLS] init STEK even if time is 1970 (fixes #3075)
(thx DamienT) x-ref: "TLS 1.3 with SessionTicket fail for the first 8 hours of 1970" https://redmine.lighttpd.net/issues/3075
Diffstat (limited to 'src/mod_mbedtls.c')
-rw-r--r--src/mod_mbedtls.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 6352c733..e29f040f 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -361,7 +361,9 @@ mod_mbedtls_session_ticket_key_check (plugin_data *p, const time_t cur_ts)
mbedtls_cipher_get_key_bitlen(&key->ctx),
MBEDTLS_ENCRYPT);
if (0 != rc) { /* expire key immediately if error occurs */
- key->generation_time = cur_ts - ctx->ticket_lifetime - 1;
+ key->generation_time = cur_ts > ctx->ticket_lifetime
+ ? cur_ts - ctx->ticket_lifetime - 1
+ : 0;
ctx->active = 1 - ctx->active;
}
mbedtls_platform_zeroize(stek, sizeof(tlsext_ticket_key_t));
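Review bot: In the `: 0` branch the key is no longer "expired immediately" as the existing comment on the `if (0 != rc)` line says, because with `generation_time` at 0 and `cur_ts <= ctx->ticket_lifetime` the key's apparent age is still within the ticket lifetime. Whether a key whose setkey call failed can then be selected depends on the expiry check and on the `ctx->active` flip, neither of which is fully visible here, since the function starts before and continues after this hunk. I would state that limit next to the assignment, e.g. `/* clamp to 0 near the epoch to avoid wraparound; key then ages out normally instead of expiring at once */`, and log `rc` on this path so a failed ticket-key setup is visible to operators. The comparison also mixes `time_t` with `ctx->ticket_lifetime`, presumably an unsigned 32-bit field, so a short comment on the assumed non-negative `cur_ts` would help.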