Inline ssl_clear_tls13_state.
The function has exactly one caller. Also add some comments.
Change-Id: I1566aed625449c91f25a777f5a4232d236019ed7
Reviewed-on: https://boringssl-review.googlesource.com/20673
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 2c42698..b2d5384 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -600,14 +600,19 @@
return ssl_hs_ok;
}
+ // Clear some TLS 1.3 state that no longer needs to be retained.
+ hs->key_share.reset();
+ hs->key_share_bytes.Reset();
+
+ // A TLS 1.2 server would not know to skip the early data we offered. Report
+ // an error code sooner. The caller may use this error code to implement the
+ // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
if (hs->early_data_offered) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
return ssl_hs_error;
}
- ssl_clear_tls13_state(hs);
-
if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
return ssl_hs_error;
}
diff --git a/ssl/internal.h b/ssl/internal.h
index b83cf9a..13e6655 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1517,10 +1517,6 @@
int ssl_write_client_hello(SSL_HANDSHAKE *hs);
-// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
-// should be called once the version is known to be TLS 1.2 or earlier.
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
-
enum ssl_cert_verify_context_t {
ssl_cert_verify_server,
ssl_cert_verify_client,
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index b6ff840..7ed9fad 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -839,9 +839,4 @@
return 1;
}
-void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
- hs->key_share.reset();
- hs->key_share_bytes.Reset();
-}
-
} // namespace bssl