From cea04a616b340838a69b3628b9b7b41f83e3e7a5 Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Wed, 26 Jun 2024 12:44:53 -0400
Subject: [PATCH] Replace OPENSSL_NO_TLS_PHA with SSL_VERIFY_POST_HANDSHAKE (#1668)

PR #1526 introduced the `OPENSSL_NO_TLS_PHA` directive mostly for the purposes of AWS-LC's compatibility with CPython, but in [cpython PR #117785](https://github.com/python/cpython/pull/117785) @encukou points out that detecting the absence of OpenSSL's own `SSL_VERIFY_POST_HANDSHAKE` directive is sufficient. This change removes AWS-LC's `OPENSSL_NO_TLS_PHA` directive in favor of detecting absence of `SSL_VERIFY_POST_HANDSHAKE`.
---
 include/openssl/opensslconf.h | 5 -----
 tests/ci/integration/python_patch/3.13/aws-lc-cpython.patch | 2 +-
 tests/ci/integration/python_patch/main/aws-lc-cpython.patch | 2 +-
 3 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h
index 56db7f641f..3dd556e1d3 100644
--- a/include/openssl/opensslconf.h
+++ b/include/openssl/opensslconf.h
@@ -53,11 +53,6 @@ extern "C" {
 #define OPENSSL_NO_MD2
 #define OPENSSL_NO_MDC2
 #define OPENSSL_NO_OCB
-
-// OPENSSL_NO_TLS_PHA indicates lack of support for post-handshake
-// authentication (PHA) in TLS >= 1.3
-#define OPENSSL_NO_TLS_PHA
-
 #define OPENSSL_NO_RC2
 #define OPENSSL_NO_RC5
 #define OPENSSL_NO_RFC3779
diff --git a/tests/ci/integration/python_patch/3.13/aws-lc-cpython.patch b/tests/ci/integration/python_patch/3.13/aws-lc-cpython.patch
index 45bf31533f..bc4b358160 100644
--- a/tests/ci/integration/python_patch/3.13/aws-lc-cpython.patch
+++ b/tests/ci/integration/python_patch/3.13/aws-lc-cpython.patch
@@ -147,7 +147,7 @@ index f7fdbf4..204d501 100644 #endif -+#if defined(OPENSSL_NO_TLS_PHA) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) ++#if !defined(SSL_VERIFY_POST_HANDSHAKE) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) + #define PY_SSL_NO_POST_HS_AUTH +#endif +
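Review bot: After this change `PY_SSL_NO_POST_HS_AUTH` in the rewritten `#if` line is derived only from `SSL_VERIFY_POST_HANDSHAKE` being undefined, and the commit deletes the one header comment that said post-handshake authentication is unsupported, so nothing visible here records that the macro must stay undefined. If a later compatibility change defined it as a placeholder constant, CPython would presumably build its PHA code paths against a library that still lacks the feature, and callers relying on post-handshake client-certificate verification could get a different result than they expect. I would keep the rationale as a comment where the library's verify-mode flags are declared, for example `// SSL_VERIFY_POST_HANDSHAKE is intentionally not defined: consumers such as CPython test for it to detect TLS 1.3 post-handshake authentication support.` The same applies to the identical hunk in `tests/ci/integration/python_patch/main/aws-lc-cpython.patch`.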
diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
index 45bf31533f..bc4b358160 100644
--- a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
+++ b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
@@ -147,7 +147,7 @@ index f7fdbf4..204d501 100644 #endif -+#if defined(OPENSSL_NO_TLS_PHA) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) ++#if !defined(SSL_VERIFY_POST_HANDSHAKE) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) + #define PY_SSL_NO_POST_HS_AUTH +#endif +