+
+ /*
+ * If set, the decrypt_ticket_cb() is always called regardless of the
+ * return value determined above. The callback is responsible for checking
+ * |ret| before it performs any action
+ */
+ if (s->session_ctx->decrypt_ticket_cb != NULL) {
+ size_t keyname_len = eticklen;
+
+ if (keyname_len > TLSEXT_KEYNAME_LENGTH)
+ keyname_len = TLSEXT_KEYNAME_LENGTH;
+ ret = s->session_ctx->decrypt_ticket_cb(s, *psess, etick, keyname_len,
+ ret,
+ s->session_ctx->ticket_cb_data);
+ }
+
+ switch (ret) {
+ case SSL_TICKET_NO_DECRYPT:
+ case SSL_TICKET_SUCCESS_RENEW:
+ case SSL_TICKET_EMPTY:
+ s->ext.ticket_expected = 1;
+ /* Fall through */
+ case SSL_TICKET_SUCCESS:
+ case SSL_TICKET_NONE:
+ return ret;
+ }
+
+ return SSL_TICKET_FATAL_ERR_OTHER;