[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Tue Dec 1 15:29:26 UTC 2015

The branch OpenSSL_1_0_2-stable has been updated
       via  94f98a9019e1c0a3be4ca904b2c27c7af3d937c0 (commit)
      from  301a6dcd4590fb2f69d08259577e215b4cc3caa3 (commit)


- Log -----------------------------------------------------------------
commit 94f98a9019e1c0a3be4ca904b2c27c7af3d937c0
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Nov 30 10:38:54 2015 +0000

    Remove cookie validation return value trick
    
    In the DTLS ClientHello processing the return value is stored in |ret| which
    by default is -1. |ret| is only updated to a positive value once we are past
    all points where we could hit an error. We wish to return 1 on success or 2
    on success *and* we have validated the DTLS cookie. Previously on successful
    validation of the cookie we were setting |ret| to -2, and then once we were
    past all error points we set |ret = -ret|. This is non-obvious behaviour and
    could be error prone. This commit tries to make this a bit more intuitive.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 424e50d..ee83105 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -901,7 +901,7 @@ int ssl3_send_hello_request(SSL *s)
 
 int ssl3_get_client_hello(SSL *s)
 {
-    int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
+    int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1, cookie_valid = 0;
     unsigned int cookie_len;
     long n;
     unsigned long id;
@@ -1094,8 +1094,7 @@ int ssl3_get_client_hello(SSL *s)
                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                 goto f_err;
             }
-            /* Set to -2 so if successful we return 2 */
-            ret = -2;
+            cookie_valid = 1;
         }
 
         p += cookie_len;
@@ -1465,8 +1464,7 @@ int ssl3_get_client_hello(SSL *s)
         }
     }
 
-    if (ret < 0)
-        ret = -ret;
+    ret = cookie_valid ? 2 : 1;
     if (0) {
  f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1476,7 +1474,7 @@ int ssl3_get_client_hello(SSL *s)
 
     if (ciphers != NULL)
         sk_SSL_CIPHER_free(ciphers);
-    return ret < 0 ? -1 : ret;
+    return ret;
 }
 
 int ssl3_send_server_hello(SSL *s)
