From 57504353febc61533e637f16ec6f933870b68ec9 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Sun, 12 Oct 2025 22:29:33 +0100
Subject: [tls] Refuse to resume sessions with mismatched master secret methods

RFC 7627 section 5.3 states that the client must abort the handshake
if the server attempts to resume a session where the master secret
calculation method stored in the session does not match the method
used for the connection being resumed.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/include/ipxe/tls.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/include')

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 658a008f8..8ddc9c1be 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -353,6 +353,8 @@ struct tls_session {
 	size_t ticket_len;
 	/** Master secret */
 	uint8_t master_secret[48];
+	/** Extended master secret flag */
+	int extended_master_secret;
 
 	/** List of connections */
 	struct list_head conn;
-- 
cgit v1.2.3-55-g7522