From 73d42e614c21b3ec173c839bf1f687f1654b4265 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Thu, 21 Sep 2017 03:05:35 -0400
Subject: [PATCH] Inline ssl_clear_tls13_state.

The function has exactly one caller. Also add some comments.

Change-Id: I1566aed625449c91f25a777f5a4232d236019ed7
Reviewed-on: https://boringssl-review.googlesource.com/20673
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
---
 ssl/handshake_client.cc | 9 +++++++--
 ssl/internal.h          | 4 ----
 ssl/tls13_client.cc     | 5 -----
 3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 2c426989..b2d53848 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -600,14 +600,19 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
 
+  // Clear some TLS 1.3 state that no longer needs to be retained.
+  hs->key_share.reset();
+  hs->key_share_bytes.Reset();
+
+  // A TLS 1.2 server would not know to skip the early data we offered. Report
+  // an error code sooner. The caller may use this error code to implement the
+  // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
   if (hs->early_data_offered) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
     return ssl_hs_error;
   }
 
-  ssl_clear_tls13_state(hs);
-
   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
     return ssl_hs_error;
   }
diff --git a/ssl/internal.h b/ssl/internal.h
index b83cf9ac..13e66550 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1517,10 +1517,6 @@ int ssl_is_sct_list_valid(const CBS *contents);
 
 int ssl_write_client_hello(SSL_HANDSHAKE *hs);
 
-// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
-// should be called once the version is known to be TLS 1.2 or earlier.
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
-
 enum ssl_cert_verify_context_t {
   ssl_cert_verify_server,
   ssl_cert_verify_client,
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index b6ff8403..7ed9fada 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -839,9 +839,4 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   return 1;
 }
 
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
-  hs->key_share.reset();
-  hs->key_share_bytes.Reset();
-}
-
 }  // namespace bssl