Cleanup ticket processing and session lookup.
Use more sensible variable names. Also move some work between the helpers and
s3_srvr.c a little; the session lookup functions now only return a new session.
Whether to send a ticket is now an additional output to avoid the enum
explosion around renewal. The actual SSL state is not modified.
This is somewhat cleaner as s3_srvr.c may still reject a session for other
reasons, so we avoid setting ssl->session and ssl->verify_result to a session
that wouldn't be used. (They get fixed up in ssl_get_new_session, so it didn't
actually matter.)
Change-Id: Ib52fabbe993b5e2b7408395a02cdea3dee66df7b
Reviewed-on: https://boringssl-review.googlesource.com/5235
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 5259793..84ce436 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -595,6 +595,10 @@
OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in,
size_t len);
+/* SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session
+ * ticket. */
+#define SSL_TICKET_KEY_NAME_LEN 16
+
/* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
* returns one. |callback| will be called when encrypting a new ticket and when
* decrypting a ticket from the client.
@@ -1113,7 +1117,7 @@
int (*tlsext_servername_callback)(SSL *, int *, void *);
void *tlsext_servername_arg;
/* RFC 4507 session ticket keys */
- uint8_t tlsext_tick_key_name[16];
+ uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN];
uint8_t tlsext_tick_hmac_key[16];
uint8_t tlsext_tick_aes_key[16];
/* Callback to support customisation of ticket key setting */
