diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a9ce4ed061..252c217acb 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1901,14 +1901,20 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. * - * TODO: We don't have to do this in case we offered 0-RTT and the - * server accepted it. In this case, we could skip generating - * the early secret. */ - ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_key_schedule_stage_early", - ret); - goto cleanup; + * We do this in case we didn't offer 0-RTT or even we offered 0-RTT but + * server selected ephemeral mode. In other cases, we could skip generating + * the early secret. + */ + if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) + || ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) + && handshake->key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) { + ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + goto cleanup; + } } ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);