From bc86e5b81eef00ae610a39c56f1d0810ee2143e8 Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Wed, 29 Nov 2023 10:05:13 +0100
Subject: [PATCH] Remove obsolete TODO and guards for post handshake authentication in DTLS 1.3
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/22275)
---
 ssl/statem/statem_clnt.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5a6fed1c446..69db4750561 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -190,19 +190,8 @@ static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt)
 return 1;
 }
 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
-#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
- /* Restore digest for PHA before adding message.*/
-# warning Internal DTLS version error
-#endif
- if (!SSL_CONNECTION_IS_DTLS(s)
- && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
+ if (s->post_handshake_auth == SSL_PHA_EXT_SENT) {
 s->post_handshake_auth = SSL_PHA_REQUESTED;
- /*
- * In TLS, this is called before the message is added to the
- * digest. In DTLS, this is expected to be called after adding
- * to the digest. Either move the digest restore, or add the
- * message here after the swap, or do it after the clientFinished?
- */
 if (!tls13_restore_handshake_digest_for_pha(s)) {
 /* SSLfatal() already called */
 return 0;
-- 
2.47.2
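Review bot: The `if (s->post_handshake_auth == SSL_PHA_EXT_SENT)` branch no longer says when `tls13_restore_handshake_digest_for_pha(s)` must run relative to hashing the CertificateRequest, although dropping `!SSL_CONNECTION_IS_DTLS(s)` makes DTLS connections take this path for the first time. The deleted comment stated that DTLS adds the message to the digest before this transition is evaluated, and nothing visible in the hunk shows that ordering was changed elsewhere, so the invariant should be recorded here rather than left implicit. I would add a short comment above the call, for example `/* Restore the saved handshake digest before this CertificateRequest is hashed (TLS and DTLS). */`, worded to match whatever the DTLS message path actually guarantees. A DTLS 1.3 post-handshake-authentication test that checks the client's CertificateVerify/Finished against the restored transcript would pin this down, since a transcript that includes the request at the wrong point would presumably surface only as a failed verification on the peer. The enclosing function starts and ends outside the hunk, so the callers' ordering cannot be confirmed from here.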