Inline ssl_clear_tls13_state.

The function has exactly one caller. Also add some comments.

Change-Id: I1566aed625449c91f25a777f5a4232d236019ed7
Reviewed-on: https://boringssl-review.googlesource.com/20673
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/handshake_client.cc

@@ -600,14 +600,19 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
 
+  // Clear some TLS 1.3 state that no longer needs to be retained.
+  hs->key_share.reset();
+  hs->key_share_bytes.Reset();
+
+  // A TLS 1.2 server would not know to skip the early data we offered. Report
+  // an error code sooner. The caller may use this error code to implement the
+  // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
   if (hs->early_data_offered) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
     return ssl_hs_error;
   }
 
-  ssl_clear_tls13_state(hs);
-
   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
     return ssl_hs_error;
   }

ssl/internal.h

@@ -1517,10 +1517,6 @@ int ssl_is_sct_list_valid(const CBS *contents);
 
 int ssl_write_client_hello(SSL_HANDSHAKE *hs);
 
-// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
-// should be called once the version is known to be TLS 1.2 or earlier.
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
-
 enum ssl_cert_verify_context_t {
   ssl_cert_verify_server,
   ssl_cert_verify_client,

ssl/tls13_client.cc

@@ -839,9 +839,4 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   return 1;
 }
 
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
-  hs->key_share.reset();
-  hs->key_share_bytes.Reset();
-}
-
 }  // namespace bssl