Remove psk_identity_hint from SSL_SESSION.

There's not much point in retaining the identity hint in the SSL_SESSION. This
avoids the complexity around setting psk_identity hint on either the SSL or the
SSL_SESSION. Introduce a peer_psk_identity_hint for the client to store the one
received from the server.

This changes the semantics of SSL_get_psk_identity_hint; it now only returns
the value configured for the server. The client learns the hint through the
callback. This is compatible with the one use of this API in conscrypt (it
pulls the hint back out to pass to a callback).

Change-Id: I6d9131636b47f13ac5800b4451436a057021054a
Reviewed-on: https://boringssl-review.googlesource.com/2213
Reviewed-by: Adam Langley <agl@google.com>

1 files changed, 0 insertions, 12 deletions

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 0cccbc73..6b5f8c29 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -377,16 +377,6 @@ int ssl_get_new_session(SSL *s, int session)
 				return 0;
 				}
 			}
-		if (s->psk_identity_hint)
-			{
-			ss->psk_identity_hint = BUF_strdup(s->psk_identity_hint);
-			if (ss->psk_identity_hint == NULL)
-				{
-				OPENSSL_PUT_ERROR(SSL, ssl_get_new_session, ERR_R_MALLOC_FAILURE);
-				SSL_SESSION_free(ss);
-				return 0;
-				}
-			}
 		}
 	else
 		{
@@ -712,8 +702,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 		OPENSSL_free(ss->tlsext_signed_cert_timestamp_list);
 	if (ss->ocsp_response != NULL)
 		OPENSSL_free(ss->ocsp_response);
-	if (ss->psk_identity_hint != NULL)
-		OPENSSL_free(ss->psk_identity_hint);
 	if (ss->psk_identity != NULL)
 		OPENSSL_free(ss->psk_identity);
 	OPENSSL_cleanse(ss,sizeof(*ss));