From 0efe9a67702e1062521567f7091216b2696777ff Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 22 Aug 2018 17:46:29 +0000
Subject: Correct session ticket encryption. The CBB conversion resulted in the ticket encryption being handled incorrectly, resulting in only the last block being used. Fix this and restore the previous behaviour. Issue found by inoguchi@ and sebastia@. ok inoguchi@ and tb@
---
 src/lib/libssl/ssl_srvr.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 01fe647500..3cf6d9a3cb 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.41 2018/08/19 15:38:03 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.42 2018/08/22 17:46:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2532,7 +2532,7 @@ ssl3_send_newsession_ticket(SSL *s)
 const unsigned char *const_p;
 unsigned char *p, *hmac;
 size_t hmac_len;
- int enc_ticket_len, slen;
+ int enc_ticket_len, len, slen;
 int slen_full = 0;
 SSL_SESSION *sess;
 unsigned int hlen;
@@ -2610,9 +2610,16 @@ ssl3_send_newsession_ticket(SSL *s)
 /* Encrypt the session ticket. */
 if ((enc_ticket = calloc(1, slen + EVP_MAX_BLOCK_LENGTH)) == NULL)
 goto err;
- if (!EVP_EncryptUpdate(&ctx, enc_ticket, &enc_ticket_len, senc, slen))
+ enc_ticket_len = 0;
+ if (!EVP_EncryptUpdate(&ctx, enc_ticket, &len, senc, slen))
 goto err;
- if (!EVP_EncryptFinal_ex(&ctx, enc_ticket, &enc_ticket_len))
+ enc_ticket_len += len;
+ if (!EVP_EncryptFinal_ex(&ctx, enc_ticket + enc_ticket_len, &len))
+ goto err;
+ enc_ticket_len += len;
+
+ if (enc_ticket_len < 0 ||
+ enc_ticket_len > slen + EVP_MAX_BLOCK_LENGTH)
 goto err;

 /* Generate the HMAC. */
--
cgit v1.2.3-55-g6feb
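Review bot: The new range test on `enc_ticket_len` at the end of the third hunk runs only after `EVP_EncryptUpdate()` and `EVP_EncryptFinal_ex()` have already written into `enc_ticket`, so it can report an overrun but not stop one; the `calloc(1, slen + EVP_MAX_BLOCK_LENGTH)` size is the real bound. A comment above the test would keep a later reader from treating it as the guard, for example `/* Consistency check only: the allocation above must already cover update + final output. */`. The diffstat lists only ssl_srvr.c, so nothing in this commit would catch a repeat of the offset mistake; a regress case that issues a ticket and then resumes with it (or decrypts it and compares the result with the serialized session) would, assuming none exists elsewhere in the tree. ssl3_send_newsession_ticket() begins and ends outside the hunk, so the cipher setup and any limit applied to `slen` are not visible here.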