1 files changed, 43 insertions, 39 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 2421227c8a..75c936abc7 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.156 2019/04/21 14:38:32 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.157 2019/04/21 14:41:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -790,7 +790,9 @@ int
 tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
    CBS *ext_block, SSL_SESSION **ret)
 {
-        CBS extensions;
+        CBS extensions, ext_data;
+        uint16_t ext_type = 0;
+        int r;
        s->internal->tlsext_ticket_expected = 0;
        *ret = NULL;
@@ -813,48 +815,50 @@ tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
                return -1;
        while (CBS_len(&extensions) > 0) {
-                uint16_t ext_type;
-                CBS ext_data;
                if (!CBS_get_u16(&extensions, &ext_type) ||
                    !CBS_get_u16_length_prefixed(&extensions, &ext_data))
                        return -1;
-                if (ext_type == TLSEXT_TYPE_session_ticket) {
+                if (ext_type == TLSEXT_TYPE_session_ticket)
-                        int r;
+                        break;
-                        if (CBS_len(&ext_data) == 0) {
+        }
-                                /* The client will accept a ticket but doesn't
-                                 * currently have one. */
+        if (ext_type != TLSEXT_TYPE_session_ticket)
-                                s->internal->tlsext_ticket_expected = 1;
+                return 0;
-                                return 1;
-                        }
+        if (CBS_len(&ext_data) == 0) {
-                        if (s->internal->tls_session_secret_cb != NULL) {
+                /*
-                                /* Indicate that the ticket couldn't be
+                 * The client will accept a ticket but does not currently
-                                 * decrypted rather than generating the session
+                 * have one.
-                                 * from ticket now, trigger abbreviated
+                 */
-                                 * handshake based on external mechanism to
+                s->internal->tlsext_ticket_expected = 1;
-                                 * calculate the master secret later. */
+                return 1;
-                                return 2;
+        }
-                        }
+        if (s->internal->tls_session_secret_cb != NULL) {
-                        r = tls_decrypt_ticket(s, CBS_data(&ext_data),
+                /*
-                            CBS_len(&ext_data), session_id, session_id_len, ret);
+                 * Indicate that the ticket could not be decrypted rather than
+                 * generating the session from ticket now, trigger abbreviated
-                        switch (r) {
+                 * handshake based on external mechanism to calculate the master
-                        case 2: /* ticket couldn't be decrypted */
+                 * secret later.
-                                s->internal->tlsext_ticket_expected = 1;
+                 */
-                                return 2;
+                return 2;
-                        case 3: /* ticket was decrypted */
+        }
-                                return r;
-                        case 4: /* ticket decrypted but need to renew */
+        r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data),
-                                s->internal->tlsext_ticket_expected = 1;
+            session_id, session_id_len, ret);
-                                return 3;
+        switch (r) {
-                        default: /* fatal error */
+        case 2: /* ticket couldn't be decrypted */
-                                return -1;
+                s->internal->tlsext_ticket_expected = 1;
-                        }
+                return 2;
-                }
+        case 3: /* ticket was decrypted */
+                return r;
+        case 4: /* ticket decrypted but need to renew */
+                s->internal->tlsext_ticket_expected = 1;
+                return 3;
+        default: /* fatal error */
+                return -1;
        }
-        return 0;
 }
 /* tls_decrypt_ticket attempts to decrypt a session ticket.

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 2421227c8a..75c936abc7 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.156 2019/04/21 14:38:32 jsing Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.157 2019/04/21 14:41:30 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -790,7 +790,9 @@ int
790	tls1_process_ticket(SSL s, const unsigned char session_id, int session_id_len,	790	tls1_process_ticket(SSL s, const unsigned char session_id, int session_id_len,
791	CBS ext_block, SSL_SESSION *ret)	791	CBS ext_block, SSL_SESSION *ret)
792	{	792	{
793	CBS extensions;	793	CBS extensions, ext_data;
		794	uint16_t ext_type = 0;
		795	int r;
794		796
795	s->internal->tlsext_ticket_expected = 0;	797	s->internal->tlsext_ticket_expected = 0;
796	*ret = NULL;	798	*ret = NULL;
@@ -813,48 +815,50 @@ tls1_process_ticket(SSL s, const unsigned char session_id, int session_id_len,
813	return -1;	815	return -1;
814		816
815	while (CBS_len(&extensions) > 0) {	817	while (CBS_len(&extensions) > 0) {
816	uint16_t ext_type;
817	CBS ext_data;
818
819	if (!CBS_get_u16(&extensions, &ext_type) \|\|	818	if (!CBS_get_u16(&extensions, &ext_type) \|\|
820	!CBS_get_u16_length_prefixed(&extensions, &ext_data))	819	!CBS_get_u16_length_prefixed(&extensions, &ext_data))
821	return -1;	820	return -1;
822		821
823	if (ext_type == TLSEXT_TYPE_session_ticket) {	822	if (ext_type == TLSEXT_TYPE_session_ticket)
824	int r;	823	break;
825	if (CBS_len(&ext_data) == 0) {	824	}
826	/* The client will accept a ticket but doesn't	825
827	* currently have one. */	826	if (ext_type != TLSEXT_TYPE_session_ticket)
828	s->internal->tlsext_ticket_expected = 1;	827	return 0;
829	return 1;	828
830	}	829	if (CBS_len(&ext_data) == 0) {
831	if (s->internal->tls_session_secret_cb != NULL) {	830	/*
832	/* Indicate that the ticket couldn't be	831	* The client will accept a ticket but does not currently
833	* decrypted rather than generating the session	832	* have one.
834	* from ticket now, trigger abbreviated	833	*/
835	* handshake based on external mechanism to	834	s->internal->tlsext_ticket_expected = 1;
836	* calculate the master secret later. */	835	return 1;
837	return 2;	836	}
838	}	837
839		838	if (s->internal->tls_session_secret_cb != NULL) {
840	r = tls_decrypt_ticket(s, CBS_data(&ext_data),	839	/*
841	CBS_len(&ext_data), session_id, session_id_len, ret);	840	* Indicate that the ticket could not be decrypted rather than
842		841	* generating the session from ticket now, trigger abbreviated
843	switch (r) {	842	* handshake based on external mechanism to calculate the master
844	case 2: /* ticket couldn't be decrypted */	843	* secret later.
845	s->internal->tlsext_ticket_expected = 1;	844	*/
846	return 2;	845	return 2;
847	case 3: /* ticket was decrypted */	846	}
848	return r;	847
849	case 4: /* ticket decrypted but need to renew */	848	r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data),
850	s->internal->tlsext_ticket_expected = 1;	849	session_id, session_id_len, ret);
851	return 3;	850	switch (r) {
852	default: /* fatal error */	851	case 2: /* ticket couldn't be decrypted */
853	return -1;	852	s->internal->tlsext_ticket_expected = 1;
854	}	853	return 2;
855	}	854	case 3: /* ticket was decrypted */
		855	return r;
		856	case 4: /* ticket decrypted but need to renew */
		857	s->internal->tlsext_ticket_expected = 1;
		858	return 3;
		859	default: /* fatal error */
		860	return -1;
856	}	861	}
857	return 0;
858	}	862	}
859		863
860	/* tls_decrypt_ticket attempts to decrypt a session ticket.	864	/* tls_decrypt_ticket attempts to decrypt a session ticket.