That is, don't require a new negotiation with extensions.
extension_entry_st ext_mod_ext_master_secret = {
.name = "EXT MASTER SECRET",
.type = GNUTLS_EXTENSION_EXT_MASTER_SECRET,
- .parse_type = GNUTLS_EXT_MANDATORY,
+ .parse_type = GNUTLS_EXT_TLS,
.recv_func = _gnutls_ext_master_secret_recv_params,
.send_func = _gnutls_ext_master_secret_send_params,
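Review bot: The switch to `GNUTLS_EXT_TLS` on `.parse_type` carries no comment explaining why, and the choice is security-relevant. If, as the commit message suggests, this parse type means the extension is not processed again when a session is resumed, then `_gnutls_ext_master_secret_recv_params` no longer sees the peer's hello on resumption, and the state must come from the stored session instead. I would add above the field `/* GNUTLS_EXT_TLS: not renegotiated on resumption; the EMS state is taken from the resumed session parameters */` so the dependency on the resumption code is visible. The initializer continues past the end of this hunk.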
return ret;
}
- /* Do not allow the resumption of a session which switches the
- * state of ext_master_secret */
- if (session->internals.resumed_security_parameters.ext_master_secret !=
- session->security_parameters.ext_master_secret)
- return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+ /* Force the state of ext_master_secret based on the resumed parameters */
+ if (session->internals.resumed_security_parameters.ext_master_secret != 0)
+ session->security_parameters.ext_master_secret = 1;
return 0;
}
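Review bot: The replacement block at the end of this function handles only one direction of a mismatch: when the resumed parameters have `ext_master_secret == 0` but the current handshake set it, `session->security_parameters.ext_master_secret` stays 1 although the resumed master secret was presumably derived without the extension. Callers that consult this flag (for example before trusting channel bindings) would then be misinformed, so either copy the stored value, `session->security_parameters.ext_master_secret = session->internals.resumed_security_parameters.ext_master_secret;`, or keep rejecting that case with `GNUTLS_E_INVALID_SESSION`. The other direction deserves at least a comment: a peer that drops the extension on resumption is now silently accepted, whereas RFC 7627 section 5.3 asks for the handshake to be aborted, which the removed check enforced. The function begins outside the hunk, so whether an earlier check already covers either case cannot be seen here.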