From 9a896a8c68a5bbc7e0c50b709ff9c34e5453473e Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 1 Sep 2020 05:32:11 +0000
Subject: simplify tls1_process_ticket() exit path

tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends
in a switch over the return value of tls_decrypt_ticket() to decide
whether or not to set s->internal->tlsext_ticket_expected = 1.

Since tls_decrypt_ticket() already knows what it will return and
partly bases its decision on what to return on whether or not the
ticket needs to be renewed, it can also take care of setting this flag.
This way we don't need to have a confusing switch that conflates some
return values and sets this flag. Moreover, we can get rid of the ugly
TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the
flag should be set.

ok jsing
---
 src/lib/libssl/ssl_locl.h |  3 +--
 src/lib/libssl/t1_lib.c   | 23 ++++++-----------------
 2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 18ff5b0c30..2f8ba1fc09 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.286 2020/08/31 14:34:01 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.287 2020/09/01 05:32:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1402,7 +1402,6 @@ int ssl_check_serverhello_tlsext(SSL *s);
 #define TLS1_TICKET_EMPTY		 1
 #define TLS1_TICKET_NOT_DECRYPTED	 2
 #define TLS1_TICKET_DECRYPTED		 3
-#define TLS1_TICKET_DECRYPTED_RENEW	 4
 
 int tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block,
     int *alert, SSL_SESSION **ret);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b0fc630236..64e64bf902 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.171 2020/08/31 14:34:01 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.172 2020/09/01 05:32:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -844,18 +844,7 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert,
 		return TLS1_TICKET_NOT_DECRYPTED;
 	}
 
-	switch (tls_decrypt_ticket(s, session_id, &ext_data, alert, ret)) {
-	case TLS1_TICKET_NOT_DECRYPTED:
-		s->internal->tlsext_ticket_expected = 1;
-		return TLS1_TICKET_NOT_DECRYPTED;
-	case TLS1_TICKET_DECRYPTED:
-		return TLS1_TICKET_DECRYPTED;
-	case TLS1_TICKET_DECRYPTED_RENEW:
-		s->internal->tlsext_ticket_expected = 1;
-		return TLS1_TICKET_DECRYPTED;
-	default:
-		return TLS1_TICKET_FATAL_ERROR;
-	}
+	return tls_decrypt_ticket(s, session_id, &ext_data, alert, ret);
 }
 
 /* tls_decrypt_ticket attempts to decrypt a session ticket.
@@ -869,7 +858,6 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert,
  *    TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
  *    TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
  *    TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
- *    TLS1_TICKET_DECRYPTED_RENEW: same as 3, but the ticket needs to be renewed.
  */
 static int
 tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
@@ -1017,13 +1005,14 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
 	sess = NULL;
 
 	if (renew_ticket)
-		ret = TLS1_TICKET_DECRYPTED_RENEW;
-	else
-		ret = TLS1_TICKET_DECRYPTED;
+		s->internal->tlsext_ticket_expected = 1;
+
+	ret = TLS1_TICKET_DECRYPTED;
 
 	goto done;
 
  derr:
+	s->internal->tlsext_ticket_expected = 1;
 	ret = TLS1_TICKET_NOT_DECRYPTED;
 	goto done;
 
-- 
cgit v1.2.3-55-g6feb