From f4bad42670c60dbbd7c16ce16e91c0e377536941 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Thu, 30 Nov 2023 15:36:43 +0800
Subject: [PATCH] itls13: early_data: cli: improve comment
Signed-off-by: Yanray Wang
---
library/ssl_tls13_client.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index d9a4b3e09..bdb34247d 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2184,9 +2184,14 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
 * - The selected cipher suite
 * - The selected ALPN [RFC7301] protocol, if any
 *
- * We check here that when early data is involved the server
- * selected the cipher suite associated to the pre-shared key
- * as it must have.
+ * When parsing EncryptedExtensions, the client does not know if
+ * the server will accept early data and select the first proposed
+ * pre-shared key with a cipher suite that is different from the
+ * cipher suite associated to the selected pre-shared key. To address
+ * aforementioned case, when early data is involved, we check:
+ * - the selected pre-shared key is the first proposed one
+ * - the selected cipher suite same as the one associated with the
+ * pre-shared key.
 */
 if (handshake->selected_identity != 0 ||
 handshake->ciphersuite_info->id !=
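Review bot: The first added sentence of this comment is hard to follow — "the client does not know if the server will accept early data and select the first proposed pre-shared key with a cipher suite that is different from ..." reads as though a mismatched cipher suite were a legitimate outcome rather than the protocol violation the `if` below rejects, and the second bullet has no verb. Since the bullet list above the hunk restates the RFC 8446 section 4.2.10 requirements for accepting early data, I would replace that sentence with `* If the server accepted early data, RFC 8446 section 4.2.10 requires it to have selected the first proposed pre-shared key and the cipher suite associated with it; a misbehaving server is not ruled out, so check both:` and write the second bullet as `* - the selected cipher suite is the same as the one associated with the pre-shared key.`. The `if` condition this comment introduces continues past the end of the hunk. The new comment in the second hunk has the same wording problem: "Move `session_negotiate->ciphersuite` assignment here which after early data cipher suite check ..." has no main verb and would read better as `* session_negotiate->ciphersuite is assigned here, after the early data cipher suite check done when the "early_data" extension is parsed in EncryptedExtensions.`.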
@@ -2203,16 +2208,14 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
 #endif
 /*
- * When early_data extension is enabled and sent in ClientHello, the client
- * does not know if the server will accept early data and select the first
- * proposed pre-shared key with a ciphersuite that is different from the
- * ciphersuite associated to the selected pre-shared key. To address
- * aforementioned case, we do associated verification when parsing
- * early_data ext in EncryptedExtensions. Therefore we have to assign
- * the ciphersuite in current handshake to session_negotiate later than
- * the associated verification. This won't impact decryption of
- * EncryptedExtensions since we compute handshake keys by the ciphersuite
- * in handshake not via the one in session_negotiate.
+ * Move `session_negotiate->ciphersuite` assignment here which after
+ * early data cipher suite check when receiving "early_data" extension
+ * in EncryptedExtensions.
+ *
+ * We compute transform_handshake by the cipher suite chosen from
+ * the server in `handshake`. `session_negotiate->ciphersuite` is the
+ * cipher suite negotiated in previous connection and it is not used for
+ * computing transform_handshake.
 */
 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;