From 5838a64bff4a4f0e48b65a24ba0ff2ad494fe86c Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Mon, 9 Sep 2024 10:57:01 +0200
Subject: [PATCH] Improve some comments

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/ssl-opt.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 706f1e86b9..b0646b829a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -614,6 +614,10 @@ for c in $CONFIGS_ENABLED; do
         MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*_ENABLED) PSK_ONLY="NO";;
     esac
 done
+# At this stage, $PSK_ONLY is empty if we haven't detected a non-PSK
+# key exchange, i.e. if we're in a PSK-only build or a build with no
+# key exchanges at all. We avoid triggering PSK-only adaptation code in
+# the edge case of no key exchangs.
 : ${PSK_ONLY:=$PSK_PRESENT}
 unset c
 
@@ -817,8 +821,8 @@ requires_openssl_tls1_3() {
     fi
 }
 
-# OpenSSL 3 servers forbid client renegotiation by default.
-# Older versions always alow it.
+# OpenSSL servers forbid client renegotiation by default since OpenSSL 3.0.
+# Older versions always allow it and have no command-line option.
 OPENSSL_S_SERVER_CLIENT_RENEGOTIATION=
 case $($OPENSSL s_server -help 2>&1) in
     *-client_renegotiation*)