From 7892b6caada80328e1588555e22c7f277ab2dca6 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Thu, 2 Feb 2023 06:05:48 +0000
Subject: [PATCH] Refine the comment about generating early secrects in post server hello

Signed-off-by: Xiaokang Qian
---
 library/ssl_tls13_client.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index ae51bd337..add9f6c8f 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1935,11 +1935,14 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
 ("Selected key exchange mode: %s",
 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
 
- /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
+ /* Start the TLS 1.3 key scheduling if not already done.
 *
- * We do this in case we didn't offer 0-RTT or even we offered 0-RTT but
- * server selected ephemeral mode. In other cases, we could skip generating
- * the early secret.
+ * If we proposed early data then we have already derived an
+ * early secret using the selected PSK and its associated hash.
+ * It means that if the negotiated key exchange mode is psk or
+ * psk_ephemeral, we have already correctly computed the
+ * early secret and thus we do not do it again. In all other
+ * cases we compute it here.
 */
 #if defined(MBEDTLS_SSL_EARLY_DATA)
 if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) ||
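Review bot: The new comment says the early secret was derived "using the selected PSK and its associated hash", but a secret computed before ServerHello can only come from the PSK the client chose for early data, so the claim that it is already correct in psk and psk_ephemeral modes holds only if the server selected that same identity. The comment should state that assumption or name where it is enforced, for example `* This relies on the server-selected PSK being the one used for early data.`; if nothing enforces it, the handshake would continue on a key schedule built from the wrong PSK and presumably only fail later at Finished verification. Only the first operand of the `if` is visible here (the condition continues past the end of the hunk), so whether it matches "in all other cases" cannot be confirmed from these lines. Minor wording: "key scheduling" would read better as "key schedule", the term the removed line used.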