author | 2020-09-07 08:04:29 +0000 | |
---|---|---|
committer | 2020-09-07 08:04:29 +0000 | |
commit | c4f996e3062a863cc5d48dc75d55e34dfe42fed0 (patch) | |
tree | 32735209b01aa66c63b78486d48232996c4a67dc /lib/libssl/t1_lib.c | |
parent | sync a couple of minor fixes (no API/ABI change) to bring libfido2 (diff) | |
Garbage collect renew_ticket in tls_decrypt_ticket
This is only set in one place and read in one place to set the badly
named tlsext_ticket_expected flag. It seems preferable to set this
flag directly, thus simplifying the logic. This slightly changes the
behavior in that this flag is now set earlier, but this seems preferable
anyway. Any error between the old and the new position where the flag
is set is either fatal (so the connection will be closed) or a decrypt
error (so the flag will be set).
discussed with jsing
Diffstat (limited to 'lib/libssl/t1_lib.c')
-rw-r--r-- | lib/libssl/t1_lib.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index dc6ffae4183..2bc830b2ed5 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.174 2020/09/01 12:40:53 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.175 2020/09/07 08:04:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -870,7 +870,6 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 SSL_CTX *tctx = s->initial_ctx;
 int slen, hlen;
 int alert_desc = SSL_AD_INTERNAL_ERROR;
- int renew_ticket = 0;
 int ret = TLS1_TICKET_FATAL_ERROR;

 *psess = NULL;
@@ -904,8 +903,10 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 goto err;
 if (rv == 0)
 goto derr;
- if (rv == 2)
- renew_ticket = 1;
+ if (rv == 2) {
+ /* Renew ticket. */
+ s->internal->tlsext_ticket_expected = 1;
+ }

 /*
 * Now that the cipher context is initialised, we can extract
@@ -988,11 +989,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 *psess = sess;
 sess = NULL;

- if (renew_ticket)
- s->internal->tlsext_ticket_expected = 1;
-
 ret = TLS1_TICKET_DECRYPTED;
-
 goto done;

 derr:
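Review bot: In the `rv == 2` branch of the third hunk (`@@ -904,8 +903,10 @@`), `s->internal->tlsext_ticket_expected` is now written before the rest of tls_decrypt_ticket has finished validating and decoding the ticket, and the new comment `/* Renew ticket. */` does not say why that is safe. The justification exists only in the commit message: every later exit is either fatal or goes through `derr`, which is said to set the flag anyway. The `derr` body lies outside the visible hunks, so that part is taken from the message rather than from the code. A future change that adds a non-fatal exit bypassing `derr` would silently leave the flag set for a ticket that never passed the later checks. I would record the invariant at the assignment, e.g. `/* Renew ticket. Set early: any later failure is fatal or reaches derr, which sets this flag too. */`. A short note on what return value `2` means would also help, since `rv` is assigned outside the hunk and the bare constant is otherwise unexplained.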