add session ticket key returns for reject and use but create

examples/server/server.c

@@ -791,7 +791,7 @@ while (1) {  /* allow resume option */
             XMEMCPY(key_name, myKey_ctx.name, WOLFSSL_TICKET_NAME_SZ);
 
             ret = wc_RNG_GenerateBlock(&rng, iv, WOLFSSL_TICKET_IV_SZ);
-            if (ret != 0) return ret;
+            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
 
             /* build aad from key name, iv, and length */
             XMEMCPY(tmp, key_name, WOLFSSL_TICKET_NAME_SZ);
@@ -805,7 +805,7 @@ while (1) {  /* allow resume option */
                                               ticket, inLen,
                                               ticket,
                                               mac);
-            if (ret != 0) return ret;
+            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
             *outLen = inLen;  /* no padding in this mode */
         } else {
             /* decrypt */
@@ -821,11 +821,11 @@ while (1) {  /* allow resume option */
                                               ticket, inLen,
                                               mac,
                                               ticket);
-            if (ret != 0) return ret;
+            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
             *outLen = inLen;  /* no padding in this mode */
         }
 
-        return 0;
+        return WOLFSSL_TICKET_RET_OK;
     }
 
 #endif

src/internal.c

@@ -9337,8 +9337,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
 #endif
 
 #ifdef HAVE_SESSION_TICKET
-        ret = ret ||
-              (!ssl->expect_session_ticket && ssl->session.ticketLen > 0);
+        /* server may send blank ticket which may not be expected to indicate
+         * exisiting one ok but will also be sending a new one */
+        ret = ret || (ssl->session.ticketLen > 0);
 #endif
 
         ret = ret ||
@@ -13746,7 +13747,7 @@ int DoSessionTicket(WOLFSSL* ssl,
         ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1,
                                     et->enc_ticket, sizeof(InternalTicket),
                                     &encLen);
-        if (ret == 0) {
+        if (ret == WOLFSSL_TICKET_RET_OK) {
             if (encLen < (int)sizeof(InternalTicket) ||
                 encLen > WOLFSSL_TICKET_ENC_SZ) {
                 WOLFSSL_MSG("Bad user ticket encrypt size");
@@ -13790,14 +13791,15 @@ int DoSessionTicket(WOLFSSL* ssl,
         ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv,
                                     et->enc_ticket + inLen, 0,
                                     et->enc_ticket, inLen, &outLen);
-        if (ret != 0) return ret;
+        if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) return ret;
         if (outLen > inLen || outLen < (int)sizeof(InternalTicket)) {
             WOLFSSL_MSG("Bad user ticket decrypt len");
             return BAD_TICKET_KEY_CB_SZ;
         }
 
         /* get master secret */
-        XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
+        if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE)
+            XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
 
         return ret;
     }

src/tls.c

@@ -1844,15 +1844,32 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
             if (ret == SSL_SUCCESS) {
                 ret = 0;
                 TLSX_SetResponse(ssl, SESSION_TICKET);  /* send blank ticket */
-                ssl->options.createTicket    = 1;  /* will send ticket msg */
-                ssl->options.useTicket       = 1;
+                ssl->options.createTicket = 1;  /* will send ticket msg */
+                ssl->options.useTicket    = 1;
             }
         } else {
             /* got actual ticket from client */
             ret = DoClientTicket(ssl, input, length);
-            if (ret == 0) {    /* use ticket to resume */
+            if (ret == WOLFSSL_TICKET_RET_OK) {    /* use ticket to resume */
+                WOLFSSL_MSG("Using exisitng client ticket");
                 ssl->options.useTicket = 1;
-                ssl->options.resuming = 1;
+                ssl->options.resuming  = 1;
+            } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
+                WOLFSSL_MSG("Using existing client ticket, creating new one");
+                ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
+                if (ret == SSL_SUCCESS) {
+                    ret = 0;
+                    TLSX_SetResponse(ssl, SESSION_TICKET);
+                                                    /* send blank ticket */
+                    ssl->options.createTicket = 1;  /* will send ticket msg */
+                    ssl->options.useTicket    = 1;
+                    ssl->options.resuming     = 1;
+                }
+            } else if (ret == WOLFSSL_TICKET_RET_REJECT) {
+                WOLFSSL_MSG("Process client ticket rejected, not using");
+                ret = 0;  /* not fatal */
+            } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
+                WOLFSSL_MSG("Process client ticket fatal error, not using");
             }
         }
     }

wolfssl/ssl.h

@@ -1376,6 +1376,13 @@ WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL*,
 #define WOLFSSL_TICKET_IV_SZ   16
 #define WOLFSSL_TICKET_MAC_SZ  32
 
+enum TicketEncRet {
+    WOLFSSL_TICKET_RET_FATAL  = -1,  /* fatal error, don't use ticket */
+    WOLFSSL_TICKET_RET_OK     =  0,  /* ok, use ticket */
+    WOLFSSL_TICKET_RET_REJECT,       /* don't use ticket, but not fatal */
+    WOLFSSL_TICKET_RET_CREATE        /* existing ticket ok and create new one */
+};
+
 typedef int (*SessionTicketEncCb)(WOLFSSL*,
                                  unsigned char key_name[WOLFSSL_TICKET_NAME_SZ],
                                  unsigned char iv[WOLFSSL_TICKET_IV_SZ],