From f9adec13b2d7f472486707fe62a0e82fed187c26 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 7 Jun 2022 17:39:16 +0000
Subject: Add missing error check call in ssl3_get_new_session_ticket()

EVP_Digest() can fail, so handle failure appropriately and prepare
switch of session_id_length to a size_t.

ok jsing
---
 src/lib/libssl/ssl_clnt.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 281865aaea..f8a80eea2e 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.144 2022/06/07 17:35:49 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.145 2022/06/07 17:39:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1605,6 +1605,7 @@ ssl3_get_new_session_ticket(SSL *s)
 {
 	uint32_t lifetime_hint;
 	CBS cbs, session_ticket;
+	unsigned int session_id_length = 0;
 	int al, ret;
 
 	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
@@ -1658,9 +1659,13 @@ ssl3_get_new_session_ticket(SSL *s)
 	 * assumptions elsewhere in OpenSSL. The session ID is set
 	 * to the SHA256 hash of the ticket.
 	 */
-	EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
-	    s->session->session_id, &s->session->session_id_length,
-	    EVP_sha256(), NULL);
+	if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
+	    s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
+		al = SSL_AD_INTERNAL_ERROR;
+		SSLerror(s, ERR_R_EVP_LIB);
+		goto fatal_err;
+	}
+	s->session->session_id_length = session_id_length;
 
 	return (1);
 
-- 
cgit v1.2.3-55-g6feb