Only accept early data if using the first PSK
From TLS 1.3 RFC 8446 section 4.2.10:
   The PSK used to encrypt the
   early data MUST be the first PSK listed in the client's
   "pre_shared_key" extension.

I noticed that later on in the code it only sets up the tls->pending_handshake_secret when
accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0,
so perhaps we don't need to do a check here, but I think it is still
good to check it in the psk handshake.
sshock committed Jul 26, 2023
1 parent ea44c61 commit 415f5c4
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/picotls.c
Expand Up @@ -4068,7 +4068,7 @@ static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_d
if (external_psk != NULL) {
if (identity->identity.len == external_psk->identity.len &&
memcmp(identity->identity.base, external_psk->identity.base, identity->identity.len) == 0) {
*accept_early_data = ch->psk.early_data_indication;
*accept_early_data = ch->psk.early_data_indication && *psk_index == 0;
tls->key_share = NULL;
ticket_psk = external_psk->key;
goto Found;
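Review bot: in the external-PSK branch, the added `*psk_index == 0` test is only correct if `*psk_index` already holds the position of the identity being compared when this assignment runs. The hunk does not show where it is updated, so please confirm it is set on each iteration before the `memcmp` match and not only after `goto Found`. A test that offers the matching external PSK as the second identity with early data indicated, and asserts that early data is not accepted, would pin this behaviour down. A short comment citing RFC 8446 section 4.2.10 next to the assignment would make the reason for the extra condition obvious.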
Expand All @@ -4078,7 +4078,7 @@ static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_d
/* decrypt ticket and decode */
if (tls->ctx->encrypt_ticket == NULL || tls->ctx->key_exchanges == NULL)
continue;
int can_accept_early_data = 1;
int can_accept_early_data = *psk_index == 0;
decbuf.off = 0;
switch (tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 0, &decbuf, identity->identity)) {
case 0: /* decrypted */
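Review bot: in the ticket branch, `int can_accept_early_data = *psk_index == 0;` gives no reason why only index 0 qualifies, and the same rule is now written separately here and in the external-PSK branch. Suggest a one-line comment citing RFC 8446 section 4.2.10 and parentheses around the comparison, e.g. `int can_accept_early_data = (*psk_index == 0);`. Since the commit message notes that a later `psk_index == 0` condition already gates `tls->pending_handshake_secret`, the comment should also say whether that later condition is kept deliberately as a second line of defence.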