From ca930e6435c34fa695c49ef5b3c577e2b4547b48 Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 22 Aug 2018 17:46:29 +0000
Subject: [PATCH] Correct session ticket encryption. The CBB conversion resulted in the ticket encryption being handled incorrectly, resulting in only the last block being used. Fix this and restore the previous behaviour. Issue found by inoguchi@ and sebastia@. ok inoguchi@ and tb@
---
 lib/libssl/ssl_srvr.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 01fe6475006..3cf6d9a3cb9 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.41 2018/08/19 15:38:03 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.42 2018/08/22 17:46:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2532,7 +2532,7 @@ ssl3_send_newsession_ticket(SSL *s)
 const unsigned char *const_p;
 unsigned char *p, *hmac;
 size_t hmac_len;
- int enc_ticket_len, slen;
+ int enc_ticket_len, len, slen;
 int slen_full = 0;
 SSL_SESSION *sess;
 unsigned int hlen;
@@ -2610,9 +2610,16 @@ ssl3_send_newsession_ticket(SSL *s)
 /* Encrypt the session ticket. */
 if ((enc_ticket = calloc(1, slen + EVP_MAX_BLOCK_LENGTH)) == NULL)
 goto err;
- if (!EVP_EncryptUpdate(&ctx, enc_ticket, &enc_ticket_len, senc, slen))
+ enc_ticket_len = 0;
+ if (!EVP_EncryptUpdate(&ctx, enc_ticket, &len, senc, slen))
 goto err;
- if (!EVP_EncryptFinal_ex(&ctx, enc_ticket, &enc_ticket_len))
+ enc_ticket_len += len;
+ if (!EVP_EncryptFinal_ex(&ctx, enc_ticket + enc_ticket_len, &len))
+ goto err;
+ enc_ticket_len += len;
+
+ if (enc_ticket_len < 0 ||
+ enc_ticket_len > slen + EVP_MAX_BLOCK_LENGTH)
 goto err;

 /* Generate the HMAC. */
-- 
2.20.1
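Review bot: The range check on `enc_ticket_len` at the end of the third hunk runs only after EVP_EncryptUpdate() and EVP_EncryptFinal_ex() have both written into `enc_ticket`, so it can flag an inconsistent length but cannot prevent an out-of-bounds write; the `slen + EVP_MAX_BLOCK_LENGTH` allocation is what actually bounds the output. I would state that in a comment above the check, e.g. `/* Sanity check only; the buffer is sized for slen plus one cipher block. */`, and also reject a negative `len` right after EVP_EncryptUpdate() with `if (len < 0) goto err;`, because that value becomes the write offset for the final block. The commit message says the earlier code left only the last block in the ticket, and no test is visible in this patch; a regress test that issues a ticket and decrypts it back to the full serialized session would catch this class of error. ssl3_send_newsession_ticket() starts and ends outside the hunk, so how `slen` is validated and how `ctx` is initialised cannot be confirmed from here.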