itls13: early_data: cli: improve comment
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index d9a4b3e..bdb3424 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2184,9 +2184,14 @@
* - The selected cipher suite
* - The selected ALPN [RFC7301] protocol, if any
*
- * We check here that when early data is involved the server
- * selected the cipher suite associated to the pre-shared key
- * as it must have.
+ * When parsing EncryptedExtensions, the client does not know if
+ * the server will accept early data and select the first proposed
+ * pre-shared key with a cipher suite that is different from the
+ * cipher suite associated to the selected pre-shared key. To address
+ * aforementioned case, when early data is involved, we check:
+ * - the selected pre-shared key is the first proposed one
+ * - the selected cipher suite same as the one associated with the
+ * pre-shared key.
*/
if (handshake->selected_identity != 0 ||
handshake->ciphersuite_info->id !=
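Review bot: The second bullet of the new comment lacks a verb (`the selected cipher suite same as the one ...`) and the lead-in sentence is hard to parse, which matters because this comment is the only explanation of a check that guards 0-RTT data. I would state the condition directly, e.g. `- the selected cipher suite is the one associated with the pre-shared key.`, and replace `To address aforementioned case,` with `Therefore,`. It would also help to cite RFC 8446 section 4.2.11, which requires the client to verify that selected_identity is 0 when the server sends "early_data". The `if` condition continues past the end of this hunk, so the right-hand side of the comparison and the failure path are not visible here.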
@@ -2203,16 +2208,14 @@
#endif
/*
- * When early_data extension is enabled and sent in ClientHello, the client
- * does not know if the server will accept early data and select the first
- * proposed pre-shared key with a ciphersuite that is different from the
- * ciphersuite associated to the selected pre-shared key. To address
- * aforementioned case, we do associated verification when parsing
- * early_data ext in EncryptedExtensions. Therefore we have to assign
- * the ciphersuite in current handshake to session_negotiate later than
- * the associated verification. This won't impact decryption of
- * EncryptedExtensions since we compute handshake keys by the ciphersuite
- * in handshake not via the one in session_negotiate.
+ * Move `session_negotiate->ciphersuite` assignment here which after
+ * early data cipher suite check when receiving "early_data" extension
+ * in EncryptedExtensions.
+ *
+ * We compute transform_handshake by the cipher suite chosen from
+ * the server in `handshake`. `session_negotiate->ciphersuite` is the
+ * cipher suite negotiated in previous connection and it is not used for
+ * computing transform_handshake.
*/
ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
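Review bot: The rewritten comment narrates the edit (`Move ... assignment here which after ...`) instead of stating the ordering constraint, so a later refactor could hoist the assignment without noticing what depends on it. As far as the comments show, the early data check compares the server's cipher suite with the one kept from the previous connection in `session_negotiate->ciphersuite`; assigning earlier would presumably make that check compare a value with itself and always pass. I would open with `Assign session_negotiate->ciphersuite only after the early data cipher suite check done when parsing "early_data" in EncryptedExtensions.` and keep the second paragraph as is. The enclosing function starts and ends outside the hunk.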