From dccabc60a5b956758f65012e1448c26148279b9f Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Fri, 16 Dec 2022 09:29:44 +0100
Subject: [PATCH 1/2] Disabling TLSv1.2 session tickets when WOLFSSL_OP_NO_TICKET is being set.

There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets for TLS version lower than 1.2. But it includes 1.2 as well.
---
 src/internal.c | 2 +-
 src/ssl.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index f6becb47c..c58ae3a1e 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -34194,7 +34194,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (ssl->ctx->ticketEncCb == NULL
 #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) ||
- /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
+ /* SSL_OP_NO_TICKET turns off tickets in <= 1.2. Forces
 * "stateful" tickets for 1.3 so just use the regular
 * stateless ones. */
 (!IsAtLeastTLSv1_3(ssl->version) &&
diff --git a/src/ssl.c b/src/ssl.c
index 61d60b583..3398bdcdf 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13354,6 +13354,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #ifdef HAVE_SESSION_TICKET
 if (ssl->options.createTicket && !ssl->options.noTicketTls12) {
 if ( (ssl->error = SendTicket(ssl)) != 0) {
+ WOLFSSL_MSG("Thought we need ticket but failed");
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -16771,6 +16772,12 @@ cleanup:
 ctx->mask = wolf_set_options(ctx->mask, opt);
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
+ if ((ctx->mask & WOLFSSL_OP_NO_TICKET) == WOLFSSL_OP_NO_TICKET) {
+ ctx->noTicketTls12 = 1;
+ }
+#endif
+
 return ctx->mask;
 }
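Review bot: The log line added before WOLFSSL_ERROR in the 13354 hunk, `WOLFSSL_MSG("Thought we need ticket but failed");`, does not say what failed, so the debug log is harder to correlate with the error code printed right after it. Naming the call reads better and is what someone grepping a log for a ticket problem will look for, e.g. `WOLFSSL_MSG("SendTicket failed");`. The enclosing function starts and ends outside the hunk.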
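Review bot: The block added after wolf_set_options in the 16771 hunk only ever sets ctx->noTicketTls12 and nothing in this patch clears it, so once WOLFSSL_OP_NO_TICKET has been applied, removing the option again through the clear-options path (not shown here, assuming it is untouched) would leave TLS 1.2 tickets disabled while ctx->mask no longer reports the option; the same one-way assignment appears for ssl->options.noTicketTls12 in the wolfSSL_set_options hunk at 23552. If that stickiness is intended, say so next to the assignment, e.g. `/* one-way: cleared only with a new ctx/ssl, not by clear_options */`; otherwise the clear path needs the mirror `ctx->noTicketTls12 = 0;` / `ssl->options.noTicketTls12 = 0;` when the bit is removed. It is also worth confirming that a WOLFSSL created from this context copies ctx->noTicketTls12, since the consumer in the 13354 hunk reads ssl->options.noTicketTls12, not the context field. The wolfSSL_set_options hunk additionally adds two consecutive blank lines before the cipher-suite comment; one is enough.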
@@ -23552,6 +23559,13 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
 #endif
 }
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
+ if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == WOLFSSL_OP_NO_TICKET) {
+ ssl->options.noTicketTls12 = 1;
+ }
+#endif
+
+
 /* in the case of a version change the cipher suites should be reset */
 #ifndef NO_PSK
 havePSK = ssl->options.havePSK;
From 9d0b16097ec6b60f9ea135226557178f532d5d41 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Fri, 16 Dec 2022 09:40:51 +0100
Subject: [PATCH 2/2] Fix builds without session tickets.
---
 src/ssl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 3398bdcdf..1b04601b4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -16771,8 +16771,8 @@ cleanup:
 return BAD_FUNC_ARG;
 ctx->mask = wolf_set_options(ctx->mask, opt);
-
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
+#if defined(HAVE_SESSION_TICKET) && (defined(OPENSSL_EXTRA) \
+ || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL))
 if ((ctx->mask & WOLFSSL_OP_NO_TICKET) == WOLFSSL_OP_NO_TICKET) {
 ctx->noTicketTls12 = 1;
 }
@@ -23559,7 +23559,8 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
 #endif
 }
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
+#if defined(HAVE_SESSION_TICKET) && (defined(OPENSSL_EXTRA) \
+ || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL))
 if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == WOLFSSL_OP_NO_TICKET) {
 ssl->options.noTicketTls12 = 1;
 }
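Review bot: The guard `#if defined(HAVE_SESSION_TICKET) && (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL))` is now hand-copied in the 16771 hunk and again in the wolfSSL_set_options hunk at 23559, while the consumer in DoSessionTicket (patch 1) is gated by a third spelling of the same OPENSSL_EXTRA/HAVE_WEBSERVER/WOLFSSL_WPAS_SMALL test; three copies of one condition will drift, and drift here means the flag is set in a build where nothing reads it, or read where nothing sets it. Defining the combined condition once as an internal feature macro in the shared header and testing that single macro at all three sites would keep the setter and the ticket-issuing path in agreement. On a smaller point, if WOLFSSL_OP_NO_TICKET is a single bit (to confirm from its definition), `if (ctx->mask & WOLFSSL_OP_NO_TICKET)` says the same thing as the `== WOLFSSL_OP_NO_TICKET` comparison with less noise. Both enclosing functions start and end outside the hunks.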