[Bug]: `ticket_lifetime = 0` and Immediate Discard Semantics

[LiD0209]

Contact Details

lxd_dong@bupt.edu.cn

Version

V5.9.1

Description

ticket_lifetime = 0 and Immediate Discard Semantics

Problem Summary

This issue concerns the TLS 1.3 NewSessionTicket.ticket_lifetime field when its value is 0.

The relevant rule is:

• Variable: ticket_lifetime
• Action: indicates immediate discard
• Condition: ticket_lifetime is zero

The core question is whether wolfSSL discards such a ticket immediately, as required by the TLS 1.3 specification, or whether it still stores the ticket and only rejects it later during session resumption.

RFC 8446 Original Text

RFC 8446 Section 4.6.1, "New Session Ticket Message":
https://www.rfc-editor.org/rfc/rfc8446.html#section-4.6.1

Relevant text:

ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
unsigned integer in network byte order. The value of zero
indicates that the ticket should be discarded immediately.

Additional surrounding text from the same section:

Clients MUST NOT cache tickets for longer than 7 days, regardless
of the ticket_lifetime, and MAY delete tickets earlier based on
local policy. A server MAY treat a ticket as valid for a shorter
period of time than what is stated in the ticket_lifetime.

The important point here is that the specification does not say "reject later if used".
It says the ticket should be discarded immediately.

wolfSSL Code Behavior

1. Ticket is stored first

When a TLS 1.3 NewSessionTicket is received, wolfSSL parses the ticket and stores it into the session object:

• src/tls13.c:12201 calls SetTicket(...)
• src/tls13.c:12209 sets ssl->timeout = lifetime
• src/tls13.c:12210 sets ssl->session->timeout = lifetime
• src/tls13.c:12212 sets ssl->session->ticketSeen = now
• src/tls13.c:12250 calls SetupSession(ssl)
• src/tls13.c:12252 calls AddSession(ssl)

This means that even when lifetime == 0, the ticket is still copied into the session and inserted into the cache.

2. No explicit immediate-discard branch

The ticket copy path itself does not contain a special lifetime == 0 discard branch:

• src/internal.c:35030

That path stores the ticket data and prepares the session for caching.
There is no logic there that says "if lifetime is zero, free the ticket and skip caching".

3. Rejection happens later during resumption checks

wolfSSL performs timeout validation when the ticket is later used for resumption:

• src/tls13.c:6195 calls DoClientTicketCheck(...)
• src/internal.c:39520 checks:

if (diff > timeout * 1000 ||
    diff > (sword64)TLS13_MAX_TICKET_AGE * 1000)
    return WOLFSSL_FATAL_ERROR;

So the practical behavior is:

• receive ticket
• store ticket
• cache session
• only later, when resumption is attempted, reject it because timeout == 0

This is not the same as immediate discard at receive time.

Why This Is Inconsistent with the RFC

The inconsistency is not about whether wolfSSL can eventually reject the ticket.
It can.

The inconsistency is about when the invalidation happens.

RFC 8446 expectation:

• ticket_lifetime = 0
• ticket should be discarded immediately
• ticket should not remain as a cached resumable object

wolfSSL behavior:

• ticket_lifetime = 0
• ticket is still stored and cached
• invalidation is deferred until a later resumption check

So the implementation matches the intent only partially:

• it does make the ticket unusable later
• but it does not immediately discard it when received

Practical Security Impact

By itself, this is not a high-severity cryptographic break.
The more realistic impact is cache pollution and resumption interference.

Because the ticket is cached first, a server that keeps issuing new tickets can consume shared session-cache capacity and push out other cached resumptions.

In other words, the problem is not only a wording mismatch with the RFC.
It can also become a resource-management problem.

Runtime Reproduction

To validate the practical impact, a small reproduction program was added:

• repro_ticket_eviction.c

The test logic is:

1. Create a resumable session for logical server A
2. Confirm that A can resume normally
3. Repeatedly connect using logical server B and keep obtaining fresh tickets
4. Test whether A can still resume

Observed results:

• with flood=0, A resumed successfully in all rounds
• with flood=20, some A resumptions were lost
• with flood=50, loss became more frequent
• with flood=100, A resumption was lost in all tested rounds
• with flood=200, A resumption was lost in all tested rounds

This shows that cached resumptions for one logical server can be displaced by repeated new tickets associated with another logical server.

Root Cause

The root cause is the combination of two behaviors:

1. ticket_lifetime = 0 does not trigger an explicit discard at receive time
2. session tickets are inserted into shared cache structures before later timeout validation removes them from actual use

Because of this, zero-lifetime tickets and aggressively refreshed tickets can still occupy cache entries for some period of time.

Recommended Fixes

Implementation

The clearest fix is to discard the ticket immediately when parsing NewSessionTicket if ticket_lifetime == 0.

That means:

• do not keep the ticket in the session object
• do not call the normal cache insertion path for that ticket
• treat it as non-resumable as soon as it is received

Defensive improvement

Even if the receive-time fix is not applied immediately, a second-best improvement would be:

• refuse to insert timeout == 0 tickets into the cache
• or evict them immediately after parsing

This would still align much better with the RFC than the current deferred invalidation model.

Testing

Regression tests should cover at least these cases:

1. ticket_lifetime = 0 must not leave a resumable cached ticket
2. repeated zero-lifetime or short-lifetime tickets should not pollute the cache
3. one logical server's repeated ticket refresh should not trivially evict unrelated resumptions without bounds

Conclusion

The RFC requires that a ticket with ticket_lifetime = 0 should be discarded immediately.

wolfSSL currently stores such a ticket first and only rejects it later during resumption checks.
Therefore, the implementation is not fully consistent with the TLS 1.3 semantic requirement.

This inconsistency is small at the pure protocol-wording level, but it has a concrete operational consequence: cached resumption state can be polluted or displaced before the ticket is eventually rejected.

Reproduction steps

No response

Relevant log output

[cpsource]

Took a crack at this. Root-cause analysis, proposed fix, a self-contained reproducer, and an automated BEFORE/AFTER verification script are all below. (Queried gh first — no existing PR references this issue, and keyword searches for ticket_lifetime / NewSessionTicket / session ticket lifetime only surface adjacent work: PR #9881 added the > 604800 upper-bound check, but the lower edge — lifetime == 0 — was never addressed.)

---

The bug

RFC 8446 Section 4.6.1 says:

ticket_lifetime: ... The value of zero indicates that the ticket
should be discarded immediately.

A wolfSSL client receiving a TLS 1.3 NewSessionTicket whose
ticket_lifetime field is 0 does not discard the ticket
immediately. The ticket is parsed, copied into ssl->session, and
inserted into the session cache; only later, at resumption time, does
the timeout check reject it.

Observable from wolfSSL_SESSION_is_resumable() on the client right
after the ticket arrives: it returns 1 (the session reports as
resumable) even though wolfSSL_SESSION_get_timeout() returns 0.

Upstream status

Checked on 2026-04-27 with gh:

• Issue opened 2026-04-27 by LiD0209 (Li Xiangdong); 0 comments,
  no assignee, label bug.
• gh pr list --repo wolfSSL/wolfssl --state all --search "10322" →
  no PRs reference this issue.
• gh search issues --repo wolfSSL/wolfssl --include-prs "10322" →
  only the issue itself.
• Keyword searches ticket_lifetime, NewSessionTicket,
  session ticket lifetime → three adjacent merged PRs:
  • Make sure session ticket lifetime is in allowed range #9881 "Make sure session ticket lifetime is in allowed range"
    (src/ssl.c, +5 lines): rejects negative or > 604800 for
    wolfSSL_CTX_set_TicketHint. Server-side hint setter only.
    hint = 0 is still accepted.
  • additional sanity check with session ticket size #9858 "additional sanity check with session ticket size":
    size bounds, not lifetime semantics.
  • Error out in case of unknown extensions in response message in TLS 1.3 #10186 "Error out in case of unknown extensions in response
    message in TLS 1.3": unrelated.
• Adjacent open PRs: TLS 1.3: gate 0-RTT on a cache-backed resumption ticket #10289 "TLS 1.3: gate 0-RTT on a cache-backed
  resumption ticket" — different concern (0-RTT decision side, not
  ticket admission).

Conclusion: no upstream PR or issue addresses the client-side
immediate-discard requirement of RFC 8446 §4.6.1. The fix landscape
to date concerns upper-bound validation only.

Root cause

DoTls13NewSessionTicket() in src/tls13.c (line 12317) only
guards the upper bound, then unconditionally commits the ticket and
inserts it into the cache:

ato32(input + *inOutIdx, &lifetime);
*inOutIdx += SESSION_HINT_SZ;
if (lifetime > MAX_LIFETIME) {                       /* tls13.c:12342 */
    WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR);
    return SERVER_HINT_ERROR;
}
... /* parse age_add, nonce, ticket, extensions */
if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0) /* tls13.c:12379 */
    return ret;
ssl->timeout                  = lifetime;            /* tls13.c:12387 */
ssl->session->timeout         = lifetime;            /* tls13.c:12388 */
ssl->session->ticketSeen      = now;                 /* tls13.c:12391 */
...
SetupSession(ssl);                                   /* tls13.c:12428 */
#ifndef NO_SESSION_CACHE
    AddSession(ssl);                                 /* tls13.c:12430 */
#endif

There is no lifetime == 0 branch. Two consequences:

1. ssl->session->ticket is now populated with the zero-lifetime
   ticket. wolfSSL_SESSION_is_resumable() returns 1 (its predicate
   is s->ticketLen > 0, see src/ssl_sess.c:4615), so the session
   advertises itself as resumable until the next timeout check.
2. AddSession() inserts the entry into the shared session cache,
   where it can displace genuinely-resumable entries before
   DoClientTicketCheck() (src/internal.c:39636) eventually rejects
   it on diff > timeout * 1000 at resumption time.

If a previous, valid NewSessionTicket had populated ssl->session,
the unconditional commit also overwrites the prior good ticket — a
zero-lifetime "discard" effectively erases earlier resumable state.

Why the current design exists

The upper-bound check was the late-2025 hardening (PR #9881) for the
"MUST NOT > 7 days" rule. The lower edge — lifetime == 0 — was not
addressed; the parser simply accepts anything <= MAX_LIFETIME and
commits. The deferred-rejection model relies on DoClientTicketCheck
catching the zero timeout, which works at resumption but not at
admission, and not for cache pollution.

Proposed fix

Add a single zero-lifetime branch in DoTls13NewSessionTicket(),
right after the existing upper-bound check, that:

1. Walks past the remaining message bytes to keep the parser
   cursor consistent.
2. Skips SetTicket(), the ssl->session mutation block, the
   SessionTicketNoncePopulate() / nonce copy, the TLSX_Parse() of
   ticket extensions, SetupSession() and AddSession().
3. Clears ssl->expect_session_ticket and returns 0.

After the fix, the following invariants hold:

• A zero-lifetime ticket is never written to ssl->session->ticket.
• A zero-lifetime ticket is never inserted into the session cache.
• A previously-cached resumable session in ssl->session is not
  overwritten by a subsequent zero-lifetime ticket.
• wolfSSL_SESSION_is_resumable() after parsing the ticket reflects
  reality: 0 for a session that received only a zero-lifetime
  ticket.

The patch is +57 lines, all additions, no changes to existing
control flow.

Caveats and risks

• Memory: no new allocations. The branch only advances inOutIdx
  and reads existing fields.
• Build-config guards: the branch lives inside the existing
  #ifdef HAVE_SESSION_TICKET block, so non-ticket builds are
  unaffected.
• Backward compatibility: a server that sends lifetime = 0
  today will see the client's session-cache miss differently: the
  client no longer pretends to have a resumable ticket, then fail at
  resumption. Net behavioural difference is "fail earlier, fail
  cleaner" — strictly closer to the RFC.
• Async-crypto path: DoTls13NewSessionTicket is not on the
  async key-schedule path; no WC_PENDING_E to handle here.
• Threading: the function runs on the SSL state machine, which
  is single-threaded per-WOLFSSL already.
• Out-of-scope (companion concern from the reporter): cache
  pollution by non-zero short-lifetime tickets remains. That is a
  cache-eviction-policy question, not a ticket-admission one. This
  patch addresses §4.6.1 directly; a future patch can address bulk
  short-lifetime ticket churn separately.

Tests to add

1. Included in this review — issue-10322-test.c drives an
   in-process TLS 1.3 client/server pair with custom I/O callbacks,
   server wolfSSL_CTX_set_TicketHint(0), and asserts post-handshake
   that the client's session is is_resumable() == 0.
2. Suggested follow-up — add an analogous case to
   tests/api.c (or tests/suites.c) under
   HAVE_SESSION_TICKET && WOLFSSL_TLS13, exercising the same
   admission/non-admission contract.
3. Suggested follow-up — a regression that asserts a
   previously-cached resumable session in ssl->session is not
   overwritten by a subsequent zero-lifetime ticket from the same
   server.

Files touched by the proposed patch

• src/tls13.c — add the immediate-discard branch in
  DoTls13NewSessionTicket() immediately after the existing
  lifetime > MAX_LIFETIME upper-bound check.

See issue-10322.patch alongside this file.

Appendix — end-to-end verification

issue-10322-test.c is a self-contained reproducer that drives both
ends of a TLS 1.3 handshake in one process via custom send/receive
callbacks operating on two byte pipes (s2c, c2s):

1. Initialise wolfSSL.
2. Build a server WOLFSSL_CTX with wolfTLSv1_3_server_method()
   loaded with certs/server-cert.pem + certs/server-key.pem.
3. Build a client WOLFSSL_CTX with wolfTLSv1_3_client_method()
   loaded with certs/ca-cert.pem.
4. Call wolfSSL_CTX_set_TicketHint(sctx, 0) so the server's
   NewSessionTicket carries ticket_lifetime == 0 on the wire.
5. Wire up srv_send/recv_cb and cli_send/recv_cb against the
   in-process pipes.
6. Drive the handshake by alternating wolfSSL_connect /
   wolfSSL_accept until both return WOLFSSL_SUCCESS.
7. Pump the post-handshake message (server wolfSSL_write("x"),
   client wolfSSL_read) so the client parses the NewSessionTicket.
8. Read the client's session via wolfSSL_get1_session(cssl).
9. Print wolfSSL_SESSION_get_timeout(sess) and
   wolfSSL_SESSION_is_resumable(sess).
10. PASS iff the session is not reported as resumable; FAIL iff
    resumable == 1 && timeout == 0.

Observed results

Scenario	Unpatched (BEFORE)	Patched (AFTER)
TLS 1.3 client receives NewSessionTicket with ticket_lifetime == 0	FAIL — client session state: timeout=0 resumable=1 (RFC 8446 §4.6.1 violated)	PASS — client session state: timeout=0 resumable=0 (ticket discarded)

The BEFORE/AFTER distinction shows the bug is at admission time:
unpatched, the zero-lifetime ticket is written into ssl->session
and the session reports as resumable. Patched, the parser walks the
bytes and leaves ssl->session untouched.

Running the test harness

test.sh alongside this README automates the entire BEFORE/AFTER
verification. From this directory:

./test.sh

What it does, in order:

1. Resets src/tls13.c to clean via git checkout.
2. Runs ./configure --enable-harden-tls --enable-session-ticket --enable-tls13 --enable-opensslextra (the last is required so
   wolfSSL_SESSION_is_resumable and
   wolfSSL_SESSION_get_timeout are linked in).
3. Builds wolfSSL, compiles the reproducer.
4. BEFORE pass: runs the reproducer; expected to FAIL.
5. Applies issue-10322.patch and rebuilds.
6. AFTER pass: runs the reproducer; expected to PASS.
7. Prints a colored summary.
8. On exit, restores the tree (via trap) to the state it had
   before the run.

Exit status: 0 only when all outcomes match expectation, 1
otherwise — usable as a regression gate.

---

issue-10322.patch — 57-line fix in src/tls13.c (additions only)

diff --git a/src/tls13.c b/src/tls13.c
index fba9a05ca..8e3ae05cc 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -12343,6 +12343,52 @@ static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
         WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR);
         return SERVER_HINT_ERROR;
     }
+    /* RFC 8446 Section 4.6.1: a ticket_lifetime value of zero indicates
+     * that the ticket should be discarded immediately. Walk past the
+     * remaining body bytes without storing the ticket, mutating
+     * ssl->session, or inserting into the session cache. Any
+     * previously-cached resumable session is left intact. */
+    if (lifetime == 0) {
+        word16 tlen = 0;
+        word16 elen = 0;
+        byte   nlen = 0;
+        WOLFSSL_MSG("DoTls13NewSessionTicket: ticket_lifetime=0; "
+                    "discarding per RFC 8446 4.6.1");
+        /* age_add */
+        if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
+            return BUFFER_ERROR;
+        *inOutIdx += SESSION_ADD_SZ;
+        /* ticket_nonce */
+        if ((*inOutIdx - begin) + 1 > size)
+            return BUFFER_ERROR;
+        nlen = input[*inOutIdx];
+        *inOutIdx += 1;
+        if ((*inOutIdx - begin) + nlen > size)
+            return BUFFER_ERROR;
+        *inOutIdx += nlen;
+        /* ticket */
+        if ((*inOutIdx - begin) + LENGTH_SZ > size)
+            return BUFFER_ERROR;
+        ato16(input + *inOutIdx, &tlen);
+        *inOutIdx += LENGTH_SZ;
+        if ((*inOutIdx - begin) + tlen > size)
+            return BUFFER_ERROR;
+        *inOutIdx += tlen;
+        /* extensions */
+        if ((*inOutIdx - begin) + EXTS_SZ > size)
+            return BUFFER_ERROR;
+        ato16(input + *inOutIdx, &elen);
+        *inOutIdx += EXTS_SZ;
+        if ((*inOutIdx - begin) + elen != size)
+            return BUFFER_ERROR;
+        *inOutIdx += elen;
+        /* Always encrypted. */
+        *inOutIdx += ssl->keys.padSz;
+        ssl->expect_session_ticket = 0;
+        WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
+        WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);
+        return 0;
+    }
 
     /* Age add. */
     if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)

issue-10322-test.c — in-process TLS 1.3 reproducer

/* issue-10322-test.c
 *
 * Reproducer for wolfSSL issue #10322:
 *   "[Bug]: ticket_lifetime = 0 and Immediate Discard Semantics"
 *
 * Drives a TLS 1.3 client / server pair entirely in-process with custom
 * I/O callbacks. The server is configured with ticket lifetime hint 0
 * (wolfSSL_CTX_set_TicketHint(sctx, 0)) so the NewSessionTicket carries
 * ticket_lifetime == 0 on the wire. RFC 8446 Section 4.6.1 says the
 * client must discard such a ticket immediately.
 *
 * After the handshake and post-handshake pump:
 *   - BEFORE the patch the client stores the zero-lifetime ticket into
 *     ssl->session and reports wolfSSL_SESSION_is_resumable() == 1 with
 *     timeout 0; the test prints FAIL and exits non-zero.
 *   - AFTER the patch DoTls13NewSessionTicket() walks the bytes without
 *     touching ssl->session, so wolfSSL_SESSION_is_resumable() stays 0;
 *     the test prints PASS and exits 0.
 *
 * The harness (test.sh) invokes this binary in BEFORE and AFTER passes
 * and asserts on the exit code.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/error-ssl.h>

#define PIPE_SZ 32768

typedef struct {
    unsigned char buf[PIPE_SZ];
    int           rd;
    int           wr;
} pipe_t;

static pipe_t s2c;
static pipe_t c2s;

static int pipe_send(pipe_t* p, const char* buf, int sz)
{
    if (p->wr + sz > (int)sizeof(p->buf))
        return WOLFSSL_CBIO_ERR_WANT_WRITE;
    memcpy(p->buf + p->wr, buf, (size_t)sz);
    p->wr += sz;
    return sz;
}

static int pipe_recv(pipe_t* p, char* buf, int sz)
{
    int avail = p->wr - p->rd;
    int n;
    if (avail <= 0)
        return WOLFSSL_CBIO_ERR_WANT_READ;
    n = (avail < sz) ? avail : sz;
    memcpy(buf, p->buf + p->rd, (size_t)n);
    p->rd += n;
    return n;
}

static int srv_send_cb(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    (void)ssl; (void)ctx;
    return pipe_send(&s2c, buf, sz);
}
static int srv_recv_cb(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    (void)ssl; (void)ctx;
    return pipe_recv(&c2s, buf, sz);
}
static int cli_send_cb(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    (void)ssl; (void)ctx;
    return pipe_send(&c2s, buf, sz);
}
static int cli_recv_cb(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    (void)ssl; (void)ctx;
    return pipe_recv(&s2c, buf, sz);
}

static int is_want_io(int err)
{
    return err == WOLFSSL_ERROR_WANT_READ ||
           err == WOLFSSL_ERROR_WANT_WRITE;
}

int main(int argc, char** argv)
{
    int             rc = 1;
    WOLFSSL_CTX*    sctx = NULL;
    WOLFSSL_CTX*    cctx = NULL;
    WOLFSSL*        sssl = NULL;
    WOLFSSL*        cssl = NULL;
    WOLFSSL_SESSION* sess = NULL;
    int             cli_done = 0, srv_done = 0;
    int             ret;
    int             err;
    long            timeout;
    int             resumable;
    char            rbuf[64];
    int             i;

    (void)argc; (void)argv;

    wolfSSL_Init();

    sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
    cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
    if (sctx == NULL || cctx == NULL) {
        fprintf(stderr, "ctx alloc failed\n");
        goto out;
    }

    if (wolfSSL_CTX_use_certificate_file(sctx,
            "certs/server-cert.pem", SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "server cert load failed\n");
        goto out;
    }
    if (wolfSSL_CTX_use_PrivateKey_file(sctx,
            "certs/server-key.pem", SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "server key load failed\n");
        goto out;
    }
    if (wolfSSL_CTX_load_verify_locations(cctx,
            "certs/ca-cert.pem", NULL) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "CA load failed\n");
        goto out;
    }

    /* Configure ticket lifetime hint = 0 on the server.
     * PR #9881 only blocks negative or > 604800; 0 is accepted. */
    if (wolfSSL_CTX_set_TicketHint(sctx, 0) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "set_TicketHint(0) rejected\n");
        goto out;
    }

    wolfSSL_CTX_SetIOSend(sctx, srv_send_cb);
    wolfSSL_CTX_SetIORecv(sctx, srv_recv_cb);
    wolfSSL_CTX_SetIOSend(cctx, cli_send_cb);
    wolfSSL_CTX_SetIORecv(cctx, cli_recv_cb);

    sssl = wolfSSL_new(sctx);
    cssl = wolfSSL_new(cctx);
    if (sssl == NULL || cssl == NULL) {
        fprintf(stderr, "ssl alloc failed\n");
        goto out;
    }

    /* Drive handshake. */
    for (i = 0; i < 64 && !(cli_done && srv_done); i++) {
        if (!cli_done) {
            ret = wolfSSL_connect(cssl);
            if (ret == WOLFSSL_SUCCESS) cli_done = 1;
            else {
                err = wolfSSL_get_error(cssl, ret);
                if (!is_want_io(err)) {
                    fprintf(stderr, "wolfSSL_connect failed: err=%d\n", err);
                    goto out;
                }
            }
        }
        if (!srv_done) {
            ret = wolfSSL_accept(sssl);
            if (ret == WOLFSSL_SUCCESS) srv_done = 1;
            else {
                err = wolfSSL_get_error(sssl, ret);
                if (!is_want_io(err)) {
                    fprintf(stderr, "wolfSSL_accept failed: err=%d\n", err);
                    goto out;
                }
            }
        }
    }
    if (!(cli_done && srv_done)) {
        fprintf(stderr, "handshake stalled\n");
        goto out;
    }

    /* Server may queue NewSessionTicket on first wolfSSL_write; pump it. */
    ret = wolfSSL_write(sssl, "x", 1);
    (void)ret;
    /* Client wolfSSL_read processes any incoming post-handshake message
     * (in particular the NewSessionTicket) before returning. */
    ret = wolfSSL_read(cssl, rbuf, sizeof(rbuf));
    (void)ret;

    sess = wolfSSL_get1_session(cssl);
    if (sess == NULL) {
        fprintf(stderr, "wolfSSL_get1_session returned NULL\n");
        goto out;
    }

    timeout   = wolfSSL_SESSION_get_timeout(sess);
    resumable = wolfSSL_SESSION_is_resumable(sess);

    printf("client session state: timeout=%ld resumable=%d\n",
           timeout, resumable);

    /* RFC 8446 Section 4.6.1: a ticket_lifetime of zero means the
     * ticket should be discarded immediately. After the patch the
     * client's session must NOT report a resumable zero-lifetime
     * ticket. */
    if (resumable && timeout == 0) {
        printf("FAIL  zero-lifetime ticket cached as resumable "
               "(RFC 8446 4.6.1 violated)\n");
        rc = 1;
    }
    else if (!resumable) {
        printf("PASS  zero-lifetime ticket discarded "
               "(RFC 8446 4.6.1 obeyed)\n");
        rc = 0;
    }
    else {
        /* Some build configurations may attach a non-zero default
         * timeout via SetupSession. Only the zero-lifetime
         * resumable-ticket combination is the bug we fix. */
        printf("PASS  no zero-lifetime resumable ticket "
               "(timeout=%ld)\n", timeout);
        rc = 0;
    }

out:
    if (sess != NULL) wolfSSL_SESSION_free(sess);
    if (cssl != NULL) wolfSSL_free(cssl);
    if (sssl != NULL) wolfSSL_free(sssl);
    if (cctx != NULL) wolfSSL_CTX_free(cctx);
    if (sctx != NULL) wolfSSL_CTX_free(sctx);
    wolfSSL_Cleanup();
    return rc;
}

test.sh — BEFORE/AFTER harness

#!/bin/bash
# End-to-end BEFORE/AFTER runner for wolfSSL issue #10322
# ("ticket_lifetime = 0 and Immediate Discard Semantics").
#
# 1. Resets src/tls13.c to its committed state.
# 2. Configures + builds wolfSSL.
# 3. Builds the in-process TLS 1.3 reproducer (issue-10322-test).
# 4. BEFORE: runs the reproducer; expects FAIL (the unpatched
#    DoTls13NewSessionTicket() stores zero-lifetime tickets in
#    ssl->session, leaving the client session reported as resumable).
# 5. Applies issue-10322.patch and rebuilds wolfSSL.
# 6. AFTER: runs the reproducer; expects PASS.
# 7. Restores src/tls13.c to its pre-script state.
#
# Exit code: 0 iff all expected outcomes match.

set -u

ISSUE_N="10322"
SOURCE_FILE_RELATIVE="src/tls13.c"
CFG_FLAGS="--enable-harden-tls --enable-session-ticket --enable-tls13 --enable-opensslextra"
# Patch marker: the unique RFC reference text added by issue-10322.patch.
PATCH_MARKER="RFC 8446 Section 4.6.1: a ticket_lifetime value of zero"

TEST_RUN_1_LABEL="ticket_lifetime=0"
TEST_RUN_1_FLAG=""
TEST_RUN_2_LABEL=""
TEST_RUN_2_FLAG=""

NEEDS_SERVER=0
PORT=11111

HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO="$(cd "$HERE/../.." && pwd)"
cd "$REPO"

TEST_BIN="$HERE/issue-${ISSUE_N}-test"
TEST_SRC="$HERE/issue-${ISSUE_N}-test.c"
PATCH="$HERE/issue-${ISSUE_N}.patch"
LIB_DIR="$REPO/src/.libs"
SRV_LOG="/tmp/wolfsrv-${ISSUE_N}.log"
CFG_LOG="/tmp/wolfssl-cfg-${ISSUE_N}.log"
BLD_LOG="/tmp/wolfssl-build-${ISSUE_N}.log"

red()   { printf '\033[31m%s\033[0m' "$*"; }
green() { printf '\033[32m%s\033[0m' "$*"; }
bold()  { printf '\033[1m%s\033[0m'  "$*"; }
section() { echo; echo "==================== $* ===================="; }

kill_server() {
    [ "$NEEDS_SERVER" = "1" ] || return 0
    pkill -f "examples/server/server" 2>/dev/null || true
    for _ in 1 2 3 4 5; do
        if ! pgrep -f "examples/server/server" >/dev/null; then break; fi
        sleep 0.2
    done
}

PATCH_PREEXISTING=0
if grep -q "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE" 2>/dev/null; then
    PATCH_PREEXISTING=1
fi

restore_tree() {
    kill_server
    echo
    echo "Restoring tree to pre-script state..."
    git -C "$REPO" checkout -- "$SOURCE_FILE_RELATIVE"
    if [ "$PATCH_PREEXISTING" = "1" ]; then
        git -C "$REPO" apply "$PATCH" || echo "  WARN: could not re-apply patch"
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 \
            || echo "  WARN: final rebuild failed (see $BLD_LOG)"
    else
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 || true
    fi
}
trap restore_tree EXIT

section "Reset $SOURCE_FILE_RELATIVE to clean state"
git -C "$REPO" checkout -- "$SOURCE_FILE_RELATIVE"
if grep -q "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE"; then
    echo "ERROR: $SOURCE_FILE_RELATIVE still has patch markers after checkout."
    exit 1
fi

section "Configure wolfSSL ($CFG_FLAGS)"
./configure $CFG_FLAGS >"$CFG_LOG" 2>&1 || {
    echo "configure failed; tail of $CFG_LOG:"
    tail -30 "$CFG_LOG"
    exit 1
}

section "Build wolfSSL (unpatched)"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}
echo "  libwolfssl built: $(ls -la $LIB_DIR/libwolfssl.so* 2>/dev/null | head -1)"

section "Build reproducer"
gcc -Wall -Wextra -I"$REPO" -L"$LIB_DIR" \
    "$TEST_SRC" -lwolfssl -lm -o "$TEST_BIN" || {
    echo "reproducer compile failed"
    exit 1
}
echo "  built $TEST_BIN"

run_case() {
    local label="$1" flag="$2"
    kill_server
    echo; echo "  --- $label ---"
    if [ "$NEEDS_SERVER" = "1" ]; then
        "$REPO/examples/server/server" -v 4 -p "$PORT" >"$SRV_LOG" 2>&1 &
        for _ in 1 2 3 4 5 6 7 8 9 10; do
            grep -q "listening on port" "$SRV_LOG" && break
            sleep 0.2
        done
    fi
    if [ -n "$flag" ]; then
        LD_LIBRARY_PATH="$LIB_DIR" "$TEST_BIN" "$flag" 2>&1
    else
        LD_LIBRARY_PATH="$LIB_DIR" "$TEST_BIN" 2>&1
    fi
    local rc=$?
    echo "  reproducer exit = $rc"
    kill_server
    return $rc
}

section "BEFORE (unpatched / buggy) — expected: FAIL"
run_case "$TEST_RUN_1_LABEL" "$TEST_RUN_1_FLAG"
RC_BEF_1=$?

section "Apply issue-${ISSUE_N}.patch and rebuild"
git -C "$REPO" apply "$PATCH" || {
    echo "git apply failed"
    exit 1
}
echo "  patch markers in $SOURCE_FILE_RELATIVE: $(grep -c "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE")"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "patched build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}

section "AFTER (patched) — expected: PASS"
run_case "$TEST_RUN_1_LABEL" "$TEST_RUN_1_FLAG"
RC_AFT_1=$?

section "Summary"
fmt_expected_fail() { [ "$1" != "0" ] && green "FAIL (expected)" || red "PASS (UNEXPECTED — bug did not trigger)"; }
fmt_expected_pass() { [ "$1"  = "0" ] && green "PASS (expected)" || red "FAIL (UNEXPECTED — fix did not hold)"; }

printf "  BEFORE  %-22s : " "$TEST_RUN_1_LABEL"; fmt_expected_fail "$RC_BEF_1"; echo
printf "  AFTER   %-22s : " "$TEST_RUN_1_LABEL"; fmt_expected_pass "$RC_AFT_1"; echo

OK=1
[ "$RC_BEF_1" = "0" ] && OK=0
[ "$RC_AFT_1" = "0" ] || OK=0

if [ "$OK" = "1" ]; then
    echo; bold "Overall: all outcomes as expected."; echo
    exit 0
else
    echo; bold "Overall: at least one outcome was UNEXPECTED."; echo
    exit 1
fi

Happy to turn this into a PR if useful.