From 77b88b2247bcb0c074683c42916b6580754b574b Mon Sep 17 00:00:00 2001
From: tb <>
Date: Mon, 7 Sep 2020 08:04:29 +0000
Subject: Garbage collect renew_ticket in tls_decrypt_ticket
This is only set in one place and read in one place to set the badly named tlsext_ticket_expected flag. It seems preferable to set this flag directly, thus simplifying the logic. This slightly changes the behavior in that this flag is now set earlier, but this seems preferable anyway. Any error between the old and the new position where the flag is set is either fatal (so the connection will be closed) or a decrypt error (so the flag will be set). discussed with jsing
---
 src/lib/libssl/t1_lib.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index dc6ffae418..2bc830b2ed 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.174 2020/09/01 12:40:53 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.175 2020/09/07 08:04:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -870,7 +870,6 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 SSL_CTX *tctx = s->initial_ctx;
 int slen, hlen;
 int alert_desc = SSL_AD_INTERNAL_ERROR;
- int renew_ticket = 0;
 int ret = TLS1_TICKET_FATAL_ERROR;
 *psess = NULL;
@@ -904,8 +903,10 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 goto err;
 if (rv == 0)
 goto derr;
- if (rv == 2)
- renew_ticket = 1;
+ if (rv == 2) {
+ /* Renew ticket. */
+ s->internal->tlsext_ticket_expected = 1;
+ }
 /*
 * Now that the cipher context is initialised, we can extract
@@ -988,11 +989,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 *psess = sess;
 sess = NULL;
- if (renew_ticket)
- s->internal->tlsext_ticket_expected = 1;
-
 ret = TLS1_TICKET_DECRYPTED;
- goto done;
 derr:
-- cgit v1.2.3-55-g6feb
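Review bot: The new `s->internal->tlsext_ticket_expected = 1;` in the `rv == 2` branch now runs before the ticket is decrypted (the context comment right after it shows the IV has not even been extracted yet) and, presumably, before its HMAC is checked, so the bare `/* Renew ticket. */` comment hides a non-local invariant: this placement is only equivalent to the old success-path one if every later exit from tls_decrypt_ticket is either fatal or a decrypt error that sets the flag itself, which the commit message asserts but nothing in the hunk shows. I would document that at the new site, e.g. `/* Renew ticket. Safe to set this early: every later failure is fatal or a decrypt error, and the decrypt error path sets this flag as well. */`, so that a future non-fatal early return added between here and the success path does not silently drop the renewal. tls_decrypt_ticket begins before this hunk and its derr/err/done labels lie outside the diff, so the claim has to be checked against the full function rather than the patch. Separately, the collapsed last hunk reads `- goto done;` directly after `ret = TLS1_TICKET_DECRYPTED;`; if that is a removed statement rather than a removed blank line, the success path now falls through into `derr:`, and it should be confirmed that nothing there overwrites ret.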