1 files changed, 29 insertions, 24 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 2bae50f5b3..3cde388d6d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.162 2019/04/25 04:48:56 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.163 2019/04/25 04:54:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -875,19 +875,17 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
 {
        CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
        SSL_SESSION *sess = NULL;
-        size_t session_id_len = 0;
+        size_t session_id_len;
        unsigned char *sdec = NULL;
        const unsigned char *p;
-        int slen, hlen, renew_ticket = 0;
        unsigned char hmac[EVP_MAX_MD_SIZE];
-        HMAC_CTX hctx;
+        HMAC_CTX *hctx = NULL;
-        EVP_CIPHER_CTX cctx;
+        EVP_CIPHER_CTX *cctx = NULL;
        SSL_CTX *tctx = s->initial_ctx;
+        int slen, hlen;
+        int renew_ticket = 0;
        int ret = -1;
-        HMAC_CTX_init(&hctx);
-        EVP_CIPHER_CTX_init(&cctx);
        *psess = NULL;
        if (!CBS_get_bytes(ticket, &ticket_name, 16))
@@ -896,6 +894,11 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
        /*
         * Initialize session ticket encryption and HMAC contexts.
         */
+        if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
+                goto err;
+        if ((hctx = HMAC_CTX_new()) == NULL)
+                goto err;
        if (tctx->internal->tlsext_ticket_key_cb != NULL) {
                int rv;
@@ -910,7 +913,7 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
                if ((rv = tctx->internal->tlsext_ticket_key_cb(s,
                    (unsigned char *)CBS_data(&ticket_name),
-                    (unsigned char *)CBS_data(ticket), &cctx, &hctx, 0)) < 0)
+                    (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
                        goto err;
                if (rv == 0)
                        goto derr;
@@ -922,7 +925,7 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
                 * the IV since its length is known.
                 */
                if (!CBS_get_bytes(ticket, &ticket_iv,
-                    EVP_CIPHER_CTX_iv_length(&cctx)))
+                    EVP_CIPHER_CTX_iv_length(cctx)))
                        goto derr;
        } else {
                /* Check that the key name matches. */
@@ -930,21 +933,23 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
                    tctx->internal->tlsext_tick_key_name,
                    sizeof(tctx->internal->tlsext_tick_key_name)))
                        goto derr;
-                HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key,
-                    sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(),
-                    NULL);
                if (!CBS_get_bytes(ticket, &ticket_iv,
                    EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
                        goto derr;
-                EVP_DecryptInit_ex(&cctx, EVP_aes_128_cbc(), NULL,
+                if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
-                    tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv));
+                    tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
+                        goto err;
+                if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
+                    sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(),
+                    NULL))
+                        goto err;
        }
        /*
         * Attempt to process session ticket.
         */
-        if ((hlen = HMAC_size(&hctx)) < 0)
+        if ((hlen = HMAC_size(hctx)) < 0)
                goto err;
        if (hlen > CBS_len(ticket))
@@ -957,16 +962,16 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
                goto err;
        /* Check HMAC of encrypted ticket. */
-        if (HMAC_Update(&hctx, CBS_data(&ticket_name),
+        if (HMAC_Update(hctx, CBS_data(&ticket_name),
            CBS_len(&ticket_name)) <= 0)
                goto err;
-        if (HMAC_Update(&hctx, CBS_data(&ticket_iv),
+        if (HMAC_Update(hctx, CBS_data(&ticket_iv),
            CBS_len(&ticket_iv)) <= 0)
                goto err;
-        if (HMAC_Update(&hctx, CBS_data(&ticket_encdata),
+        if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
            CBS_len(&ticket_encdata)) <= 0)
                goto err;
-        if (HMAC_Final(&hctx, hmac, &hlen) <= 0)
+        if (HMAC_Final(hctx, hmac, &hlen) <= 0)
                goto err;
        if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
@@ -975,10 +980,10 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
        /* Attempt to decrypt session data. */
        if ((sdec = malloc(CBS_len(&ticket_encdata))) == NULL)
                goto err;
-        if (EVP_DecryptUpdate(&cctx, sdec, &slen, CBS_data(&ticket_encdata),
+        if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
            CBS_len(&ticket_encdata)) <= 0)
                goto derr;
-        if (EVP_DecryptFinal_ex(&cctx, sdec + slen, &hlen) <= 0)
+        if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
                goto derr;
        slen += hlen;
@@ -1021,8 +1026,8 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess)
 done:
        free(sdec);
-        HMAC_CTX_cleanup(&hctx);
+        EVP_CIPHER_CTX_free(cctx);
-        EVP_CIPHER_CTX_cleanup(&cctx);
+        HMAC_CTX_free(hctx);
        SSL_SESSION_free(sess);
        if (ret == 2)