Refine the comment about generating early secrects in post server hello

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2025-01-26 12:35:20 +00:00 · 2023-02-02 06:05:48 +00:00 · 2023-02-02 06:05:48 +00:00 · 7892b6caad
commit 7892b6caad
parent bd0ab06d50
1 changed files with 7 additions and 4 deletions
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -1935,11 +1935,14 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
                          ("Selected key exchange mode: %s",
                           ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

-    /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
+    /* Start the TLS 1.3 key scheduling if not already done.
     *
-     * We do this in case we didn't offer 0-RTT or even we offered 0-RTT but
-     * server selected ephemeral mode. In other cases, we could skip generating
-     * the early secret.
+     * If we proposed early data then we have already derived an
+     * early secret using the selected PSK and its associated hash.
+     * It means that if the negotiated key exchange mode is psk or
+     * psk_ephemeral, we have already correctly computed the
+     * early secret and thus we do not do it again. In all other
+     * cases we compute it here.
     */
 #if defined(MBEDTLS_SSL_EARLY_DATA)
    if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) ||