From 8d9389697204ac965cc36761fafd9fbdd22affe2 Mon Sep 17 00:00:00 2001 
From: Yann Ylavic
Date: Tue, 10 Oct 2017 17:17:33 +0000
Subject: [PATCH] Merge r1736186 from trunk:

mod_ssl: return non-ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:

"  The return value of the cb function is used by OpenSSL to determine what
   further processing will occur. The following return values have meaning:

   2  This indicates that the ctx and hctx have been set and the session can
      continue on those parameters. Additionally it indicates that the
      session ticket is in a renewal period and should be replaced. The
      OpenSSL library will call cb again with an enc argument of 1 to set the
      new ticket (see RFC5077 3.3 paragraph 2).

   1  This indicates that the ctx and hctx have been set and the session can
      continue on those parameters.

   0  This indicates that it was not possible to set/retrieve a session
      ticket and the SSL/TLS session will continue by negotiating a set of
      cryptographic parameters or using the alternate SSL/TLS resumption
      mechanism, session ids.

      If called with enc equal to 0 the library will call the cb again to get
      a new set of parameters.

   less than 0  This indicates an error.
"

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported/Proposed by: oknet on github, pull request #18.
Reviewed by: jorton, ylavic, wrowe
[Closes #18]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811742 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         | 2 ++
 STATUS                          | 6 ------
 modules/ssl/ssl_engine_kernel.c | 2 +-
 3 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES index bcca2b9f82..c20f69336c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.29 + *) mod_ssl: Fix SessionTicket callback return value, which does seem to + matter with OpenSSL 1.1. [Yann Ylavic] Changes with Apache 2.4.28 diff --git a/STATUS b/STATUS index 4619ebbb78..6abbd367ff 100644 --- a/STATUS +++ b/STATUS @@ -145,12 +145,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.4.x patch: svn merge -c 1808746,1809028 ^/httpd/httpd/trunk . +1: elukey, ylavic, wrowe - *) mod_ssl: Fix SessionTicket callback return value, which does - seem to matter with OpenSSL 1.1. - trunk: https://svn.apache.org/r1736186 - 2.4.x patch: trunk works - +1: jorton, ylavic, wrowe - *) mod_rewrite: Add support for running external mapping programs as non-root user. trunk patch: https://svn.apache.org/r1664565 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index e402c2fe23..7c00123088 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2301,7 +2301,7 @@ int ssl_callback_SessionTicket(SSL *ssl, "TLS session ticket key for %s successfully set, " "creating new session ticket", sc->vhost_id); - return 0; + return 1; } else if (mode == 0) { /* -- 2.40.0
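Review bot: the CHANGES hunk says the callback return value "does seem to matter with OpenSSL 1.1", while the commit body above says "Practically this does not change anything since OpenSSL will only check for >= 0 return value"; these describe opposite user-visible impact and should be reconciled before the backport lands. If the OpenSSL 1.1 behaviour is the motivation, the CHANGES entry should say what an administrator would have observed, which per the documentation quoted in the commit message is that a 0 return in encryption mode means no session ticket could be set and resumption falls back to session ids, so readers can tell whether ticket-based resumption on their 2.4.28 servers was affected.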
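Review bot: in the modules/ssl/ssl_engine_kernel.c hunk the bare `return 1;` carries no explanation, so a future reader sees only a constant change and may "fix" it back; add a short comment above it recording the documented semantics, for example `/* 1: ctx and hctx set, continue with these parameters; 0 would mean "no ticket could be set" */`. The preceding log message already states the key was "successfully set" and a new ticket is being created, so 1 is the return that matches the enc == 1 path. The `else if (mode == 0)` decryption branch that follows is outside this hunk; its 0/1/2 returns should be checked against the same documented table in this review, because a 2 there makes OpenSSL call the callback again with enc set to 1 and land on exactly this return.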