From 94f98a9019e1c0a3be4ca904b2c27c7af3d937c0 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 30 Nov 2015 10:38:54 +0000 Subject: [PATCH] Remove cookie validation return value trick In the DTLS ClientHello processing the return value is stored in |ret| which by default is -1. |ret| is only updated to a positive value once we are past all points where we could hit an error. We wish to return 1 on success or 2 on success *and* we have validated the DTLS cookie. Previously on successful validation of the cookie we were setting |ret| to -2, and then once we were past all error points we set |ret = -ret|. This is non-obvious behaviour and could be error prone. This commit tries to make this a bit more intuitive. Reviewed-by: Andy Polyakov --- ssl/s3_srvr.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 424e50d13..ee83105b7 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -901,7 +901,7 @@ int ssl3_send_hello_request(SSL *s) int ssl3_get_client_hello(SSL *s) { - int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1; + int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1, cookie_valid = 0; unsigned int cookie_len; long n; unsigned long id; @@ -1094,8 +1094,7 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; } - /* Set to -2 so if successful we return 2 */ - ret = -2; + cookie_valid = 1; } p += cookie_len; @@ -1465,8 +1464,7 @@ int ssl3_get_client_hello(SSL *s) } } - if (ret < 0) - ret = -ret; + ret = cookie_valid ? 2 : 1; if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1476,7 +1474,7 @@ int ssl3_get_client_hello(SSL *s) if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); - return ret < 0 ? -1 : ret; + return ret; } int ssl3_send_server_hello(SSL *s)