From cdaa8e2523acf7f6a3b592400e4cc566bebdc3ec Mon Sep 17 00:00:00 2001
From: Artem Konev <artem.konev@nginx.com>
Date: Fri, 8 Oct 2021 13:44:14 +0100
Subject: Fixed invalid call sequence in nxt_tls_ticket_key_callback().

The bug has been introduced in 0bca988e9541.
---
 src/nxt_openssl.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index f11ad719..d57928a4 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -776,6 +776,13 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
 
         nxt_memcpy(name, ticket[0].name, 16);
 
+        if (EVP_EncryptInit_ex(ectx, cipher, NULL, ticket[0].aes_key, iv) != 1)
+        {
+            nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
+                                  "EVP_EncryptInit_ex() failed");
+            return -1;
+        }
+
     } else {
         /* decrypt session ticket */
 
@@ -798,12 +805,13 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
         enc = (i == 0) ? 1 : 2 /* renew */;
 
         cipher = (ticket[i].size == 16) ? EVP_aes_128_cbc() : EVP_aes_256_cbc();
-    }
 
-    if (EVP_DecryptInit_ex(ectx, cipher, NULL, ticket[i].aes_key, iv) != 1) {
-        nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
-                              "EVP_DecryptInit_ex() failed");
-        return -1;
+        if (EVP_DecryptInit_ex(ectx, cipher, NULL, ticket[i].aes_key, iv) != 1)
+        {
+            nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
+                                  "EVP_DecryptInit_ex() failed");
+            return -1;
+        }
     }
 
 #ifdef OPENSSL_NO_SHA256
-- 
cgit