Always return errors in ssl3_get_client_hello If we successfully match a cookie don't set return value to 2 as this results in other error conditions returning 2 as well. Instead set return value to -2 which can be checked later if everything else is OK.
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 200f495..d915155 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c
@@ -1082,8 +1082,8 @@ SSL_R_COOKIE_MISMATCH); goto f_err; } - - ret = 2; + /* Set to -2 so if successful we return 2 */ + ret = -2; } p += cookie_len; @@ -1461,7 +1461,7 @@ } } - if (ret < 0) ret=1; + if (ret < 0) ret=-ret; if (0) { f_err: @@ -1469,7 +1469,7 @@ } err: if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); - return(ret); + return ret < 0 ? -1 : ret; } int ssl3_send_server_hello(SSL *s)