Add some more accessors to SSL_SESSION.

Hopefully this is the last of it before we can hide the struct. We're
missing peer_sha256 accessors, and some test wants to mutate the ticket
in a test client.

Change-Id: I1a30fcc0a1e866d42acbc07a776014c9257f7c86
Reviewed-on: https://boringssl-review.googlesource.com/28268
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 9ecadcf..d8f3bbd 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -988,6 +988,18 @@
   *out_len = session->tlsext_ticklen;
 }
 
+int SSL_SESSION_set_ticket(SSL_SESSION *session, const uint8_t *ticket,
+                           size_t ticket_len) {
+  uint8_t *copy = (uint8_t *)BUF_memdup(ticket, ticket_len);
+  if (copy == nullptr) {
+    return 0;
+  }
+  OPENSSL_free(session->tlsext_tick);
+  session->tlsext_tick = copy;
+  session->tlsext_ticklen = ticket_len;
+  return 1;
+}
+
 uint32_t SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session) {
   return session->tlsext_tick_lifetime_hint;
 }
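Review bot: In `SSL_SESSION_set_ticket`, a null return from `BUF_memdup` is treated as failure even when `ticket_len` is 0. If `BUF_memdup` returns null for an empty input (its definition is outside this diff), a caller cannot clear the ticket, and the previous ticket stays attached to the session while the call reports 0. Guarding the check as `if (ticket_len != 0 && copy == nullptr) {` keeps allocation failure distinct from the empty case. The copy-before-free order is correct and deserves a comment such as `// Copy first so |ticket| may alias the session's current ticket.` so that a later refactor does not reorder it.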
@@ -996,6 +1008,21 @@
   return session->cipher;
 }
 
+int SSL_SESSION_has_peer_sha256(const SSL_SESSION *session) {
+  return session->peer_sha256_valid;
+}
+
+void SSL_SESSION_get0_peer_sha256(const SSL_SESSION *session,
+                                  const uint8_t **out_ptr, size_t *out_len) {
+  if (session->peer_sha256_valid) {
+    *out_ptr = session->peer_sha256;
+    *out_len = sizeof(session->peer_sha256);
+  } else {
+    *out_ptr = nullptr;
+    *out_len = 0;
+  }
+}
+
 SSL_SESSION *SSL_magic_pending_session_ptr(void) {
   return (SSL_SESSION *)&g_pending_session_magic;
 }
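Review bot: `SSL_SESSION_get0_peer_sha256` reports the absence of a hash as a null pointer with length 0, and that contract is not documented in this hunk. A caller that passes those outputs straight into a length-driven comparison against an expected digest would compare zero bytes and treat the result as equal. I would add a comment above the function such as `// Callers must check SSL_SESSION_has_peer_sha256, or that |*out_len| is the full digest length, before comparing the result.` and `// |*out_ptr| points into |session| and is valid only while |session| is alive; it must not be freed.` Both statements follow from the visible body. Whether the public header already documents them cannot be seen from this diff.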
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 4a1497c..347f9da 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -1949,9 +1949,12 @@
   EXPECT_FALSE(peer);
 
   SSL_SESSION *session = SSL_get_session(server_.get());
-  EXPECT_TRUE(session->peer_sha256_valid);
+  EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
 
-  EXPECT_EQ(Bytes(cert_sha256), Bytes(session->peer_sha256));
+  const uint8_t *peer_sha256;
+  size_t peer_sha256_len;
+  SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
+  EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
 }
 
 // Tests that our ClientHellos do not change unexpectedly. These are purely
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index ae0d2a1..cd9b770 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -1591,7 +1591,7 @@
     }
   }
 
-  if (SSL_get_session(ssl)->peer_sha256_valid !=
+  if (!!SSL_SESSION_has_peer_sha256(SSL_get_session(ssl)) !=
       config->expect_sha256_client_cert) {
     fprintf(stderr,
             "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
@@ -1600,12 +1600,30 @@
   }
 
   if (config->expect_sha256_client_cert &&
-      SSL_get_session(ssl)->certs != nullptr) {
+      SSL_SESSION_get0_peer_certificates(SSL_get_session(ssl)) != nullptr) {
     fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
             is_resume);
     return false;
   }
 
+  const uint8_t *peer_sha256;
+  size_t peer_sha256_len;
+  SSL_SESSION_get0_peer_sha256(SSL_get_session(ssl), &peer_sha256,
+                               &peer_sha256_len);
+  if (SSL_SESSION_has_peer_sha256(SSL_get_session(ssl))) {
+    if (peer_sha256_len != 32) {
+      fprintf(stderr, "Peer SHA-256 hash had length %zu instead of 32\n",
+              peer_sha256_len);
+      return false;
+    }
+  } else {
+    if (peer_sha256_len != 0) {
+      fprintf(stderr, "Unexpected peer SHA-256 hash of length %zu\n",
+              peer_sha256_len);
+      return false;
+    }
+  }
+
   return true;
 }
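Review bot: The new checks after `SSL_SESSION_get0_peer_sha256` validate only `peer_sha256_len`, so an accessor regression that returned a null pointer with length 32, or a non-null pointer with length 0, would still pass the shim. Checking the pointer as well closes that gap: `if (peer_sha256 == nullptr || peer_sha256_len != 32) {` in the first branch and `if (peer_sha256 != nullptr || peer_sha256_len != 0) {` in the second. The literal 32 would read better as a named digest-length constant if one is already in scope in this file. The enclosing function begins outside the hunk.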