src/internal.c: defer ticket SNI/ALPN binding check until after parsing

The early checks in DoClientTicketCheck and DoClientTicket ran before
the corresponding extensions were parsed, so the computed current hash
was zero while the ticket's stored hash was non-zero, rejecting valid
resumptions in the nginx, haproxy, grpc and CPython integration tests.

* TLS 1.3: DoTls13ClientHello processes pre_shared_key before
  ALPN_Select, so TLSX_ALPN_GetRequest returned WOLFSSL_ALPN_NOT_FOUND.
* TLS 1.2: ClientHello extensions are parsed in wire order; clients
  that put SessionTicket before server_name / ALPN hit the same
  problem with both bindings.

Consolidate the verification into a single VerifyTicketBinding()
function, called once on the server after ALPN_Select (in both
DoTls13ClientHello and DoClientHello). DoClientTicketFinalize copies
the ticket's stored bindings onto ssl->session so the deferred check
has the values to compare. The early per-call sites are removed.

VerifyTicketBinding returns WOLFSSL_FATAL_ERROR on mismatch; the
caller currently aborts the handshake. Behaviour on mismatch (error
vs fallback to a fresh handshake) can be revisited from this single
point.

Author: julek-wolfssl

src/internal.c

@@ -38468,6 +38468,11 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
                 if((ret=ALPN_Select(ssl)))
                     goto out;
     #endif
+    #if defined(HAVE_SESSION_TICKET) && \
+        (defined(HAVE_SNI) || defined(HAVE_ALPN))
+                if((ret=VerifyTicketBinding(ssl)))
+                    goto out;
+    #endif
 
                 i += totalExtSz;
 #else
@@ -39250,8 +39255,7 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
     }
 
 #ifdef HAVE_SNI
-    /* Hash the server-selected SNI into dst (TICKET_BINDING_HASH_SZ bytes).
-     * Zeros dst when no SNI is present. */
+    /* Hash server-selected SNI; zeros dst when none. */
     static int TicketSniHash(WOLFSSL* ssl, byte* dst)
     {
         char* name = NULL;
@@ -39271,8 +39275,7 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
 #endif
 
 #ifdef HAVE_ALPN
-    /* Hash the negotiated ALPN protocol into dst (TICKET_BINDING_HASH_SZ
-     * bytes).  Zeros dst when no ALPN was negotiated. */
+    /* Hash negotiated ALPN; zeros dst when none. */
     static int TicketAlpnHash(WOLFSSL* ssl, byte* dst)
     {
         char* proto = NULL;
@@ -39290,6 +39293,38 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
     }
 #endif
 
+#if defined(HAVE_SNI) || defined(HAVE_ALPN)
+    /* Server-side: verify the SNI/ALPN bindings carried on a resumed
+     * session match what was negotiated for the current connection.
+     * Must be called after extension parsing and ALPN_Select.
+     * Returns 0 on match, WOLFSSL_FATAL_ERROR on mismatch. */
+    int VerifyTicketBinding(WOLFSSL* ssl)
+    {
+        byte curHash[TICKET_BINDING_HASH_SZ];
+
+        if (!ssl->options.resuming || !ssl->options.useTicket)
+            return 0;
+
+#ifdef HAVE_SNI
+        if (TicketSniHash(ssl, curHash) != 0 ||
+                XMEMCMP(curHash, ssl->session->sniHash,
+                        TICKET_BINDING_HASH_SZ) != 0) {
+            WOLFSSL_MSG("Ticket SNI mismatch");
+            return WOLFSSL_FATAL_ERROR;
+        }
+#endif
+#ifdef HAVE_ALPN
+        if (TicketAlpnHash(ssl, curHash) != 0 ||
+                XMEMCMP(curHash, ssl->session->alpnHash,
+                        TICKET_BINDING_HASH_SZ) != 0) {
+            WOLFSSL_MSG("Ticket ALPN mismatch");
+            return WOLFSSL_FATAL_ERROR;
+        }
+#endif
+        return 0;
+    }
+#endif
+
     /* create a new session ticket, 0 on success
      * Do any kind of setup in SetupTicket */
     int CreateTicket(WOLFSSL* ssl)
@@ -39755,28 +39790,8 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
                         ssl->sessionCtxSz) != 0))
             return WOLFSSL_FATAL_ERROR;
 #endif
-#ifdef HAVE_SNI
-        {
-            byte curHash[TICKET_BINDING_HASH_SZ];
-            if (TicketSniHash((WOLFSSL*)ssl, curHash) != 0 ||
-                    XMEMCMP(curHash, psk->it->sniHash,
-                            TICKET_BINDING_HASH_SZ) != 0) {
-                WOLFSSL_MSG("Ticket SNI mismatch");
-                return WOLFSSL_FATAL_ERROR;
-            }
-        }
-#endif
-#ifdef HAVE_ALPN
-        {
-            byte curHash[TICKET_BINDING_HASH_SZ];
-            if (TicketAlpnHash((WOLFSSL*)ssl, curHash) != 0 ||
-                    XMEMCMP(curHash, psk->it->alpnHash,
-                            TICKET_BINDING_HASH_SZ) != 0) {
-                WOLFSSL_MSG("Ticket ALPN mismatch");
-                return WOLFSSL_FATAL_ERROR;
-            }
-        }
-#endif
+        /* SNI/ALPN binding is verified after ALPN_Select via
+         * VerifyTicketBinding(). */
         return 0;
     }
 #endif /* WOLFSSL_SLT13 */
@@ -39872,6 +39887,14 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
             }
         }
 #endif
+        /* Carry the ticket bindings on the session for the deferred
+         * VerifyTicketBinding() check. */
+#ifdef HAVE_SNI
+        XMEMCPY(ssl->session->sniHash, it->sniHash, TICKET_BINDING_HASH_SZ);
+#endif
+#ifdef HAVE_ALPN
+        XMEMCPY(ssl->session->alpnHash, it->alpnHash, TICKET_BINDING_HASH_SZ);
+#endif
 
         if (!IsAtLeastTLSv1_3(ssl->version)) {
             if (ssl->arrays == NULL)
@@ -40231,31 +40254,8 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
             goto cleanup;
         }
 
-#ifdef HAVE_SNI
-        {
-            byte curHash[TICKET_BINDING_HASH_SZ];
-            if (TicketSniHash(ssl, curHash) != 0 ||
-                    XMEMCMP(curHash, it->sniHash,
-                            TICKET_BINDING_HASH_SZ) != 0) {
-                WOLFSSL_MSG("Ticket SNI mismatch");
-                decryptRet = WOLFSSL_TICKET_RET_REJECT;
-                goto cleanup;
-            }
-        }
-#endif
-#ifdef HAVE_ALPN
-        {
-            byte curHash[TICKET_BINDING_HASH_SZ];
-            if (TicketAlpnHash(ssl, curHash) != 0 ||
-                    XMEMCMP(curHash, it->alpnHash,
-                            TICKET_BINDING_HASH_SZ) != 0) {
-                WOLFSSL_MSG("Ticket ALPN mismatch");
-                decryptRet = WOLFSSL_TICKET_RET_REJECT;
-                goto cleanup;
-            }
-        }
-#endif
-
+        /* SNI/ALPN binding is verified after ALPN_Select via
+         * VerifyTicketBinding(). */
         DoClientTicketFinalize(ssl, it, NULL);
 
 cleanup:

src/tls13.c

@@ -7555,6 +7555,10 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
      * select the ALPN protocol, if so requested */
     if ((ret = ALPN_Select(ssl)) != 0)
         goto exit_dch;
+#endif
+#if defined(HAVE_SESSION_TICKET) && (defined(HAVE_SNI) || defined(HAVE_ALPN))
+    if ((ret = VerifyTicketBinding(ssl)) != 0)
+        goto exit_dch;
 #endif
     } /* case TLS_ASYNC_BEGIN */
     FALL_THROUGH;

wolfssl/internal.h

@@ -6790,6 +6790,9 @@ WOLFSSL_LOCAL int DoClientTicket_ex(const WOLFSSL* ssl, PreSharedKey* psk,
 #endif
 
 WOLFSSL_LOCAL int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len);
+#if defined(HAVE_SNI) || defined(HAVE_ALPN)
+WOLFSSL_LOCAL int VerifyTicketBinding(WOLFSSL* ssl);
+#endif
 #endif /* HAVE_SESSION_TICKET */
 WOLFSSL_LOCAL int SendData(WOLFSSL* ssl, const void* data, size_t sz);
 #ifdef WOLFSSL_THREADED_CRYPT