Remove psk_identity_hint from SSL_SESSION.

There's not much point in retaining the identity hint in the SSL_SESSION. This
avoids the complexity around setting psk_identity hint on either the SSL or the
SSL_SESSION. Introduce a peer_psk_identity_hint for the client to store the one
received from the server.

This changes the semantics of SSL_get_psk_identity_hint; it now only returns
the value configured for the server. The client learns the hint through the
callback. This is compatible with the one use of this API in conscrypt (it
pulls the hint back out to pass to a callback).

Change-Id: I6d9131636b47f13ac5800b4451436a057021054a
Reviewed-on: https://boringssl-review.googlesource.com/2213
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 28c75fc..bf13620 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -360,7 +360,7 @@
 			 * in sync.
 			 */
 			if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
-			    ((alg_a & SSL_aPSK) && s->session->psk_identity_hint))
+			    ((alg_a & SSL_aPSK) && s->psk_identity_hint))
 				{
 				dtls1_start_timer(s);
 				ret=ssl3_send_server_key_exchange(s);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 34043a4..aeb2604 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1208,10 +1208,13 @@
 			 * |sess_cert|. */
 			if (s->session->sess_cert == NULL)
 				s->session->sess_cert = ssl_sess_cert_new();
-			if (s->session->psk_identity_hint)
+
+			/* TODO(davidben): This should be reset in one place
+			 * with the rest of the handshake state. */
+			if (s->s3->tmp.peer_psk_identity_hint)
 				{
-				OPENSSL_free(s->session->psk_identity_hint);
-				s->session->psk_identity_hint = NULL;
+				OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+				s->s3->tmp.peer_psk_identity_hint = NULL;
 				}
 			}
 		s->s3->tmp.reuse_message=1;
@@ -1275,9 +1278,9 @@
 			}
 
 		/* Save the identity hint as a C string. */
-		if (!CBS_strdup(&psk_identity_hint, &s->session->psk_identity_hint))
+		if (!CBS_strdup(&psk_identity_hint, &s->s3->tmp.peer_psk_identity_hint))
 			{
-			al = SSL_AD_HANDSHAKE_FAILURE;
+			al = SSL_AD_INTERNAL_ERROR;
 			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
 			goto f_err;
 			}
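Review bot: A zero-length hint sent in ServerKeyExchange appears to be stored here as an empty C string, while a handshake that omits ServerKeyExchange leaves `peer_psk_identity_hint` NULL (the reset at the top of this function), so the client callback can see two spellings of "no hint". Treating both the same would be less surprising for callback authors, for example `if (CBS_len(&psk_identity_hint) != 0 && !CBS_strdup(&psk_identity_hint, &s->s3->tmp.peer_psk_identity_hint))`, with any value left from an earlier handshake freed on the empty path. The length and embedded-NUL validation of this server-supplied value is presumably just above the hunk and is worth confirming, since the string now goes straight to application code. The enclosing function starts and ends outside the hunk.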
@@ -1874,7 +1877,7 @@
 				}
 
 			memset(identity, 0, sizeof(identity));
-			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+			psk_len = s->psk_client_callback(s, s->s3->tmp.peer_psk_identity_hint,
 				identity, sizeof(identity), psk, sizeof(psk));
 			if (psk_len > PSK_MAX_PSK_LEN)
 				{
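Review bot: The hint pointer passed to `psk_client_callback` now points into per-handshake state (`s->s3->tmp`), which the other hunks free on the next handshake, in ssl3_clear and in ssl3_free, and nothing at the call site tells a callback author that. I would add a comment above the call such as `/* The hint is chosen by the server and not yet authenticated; it is owned by |s| and only valid for the duration of the callback. */`. This matters more now that SSL_get_psk_identity_hint no longer returns this value on the client, so the callback is the only place an application sees it. The enclosing function continues outside the hunk.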
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 29e40fc..fc92b8a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1029,6 +1029,8 @@
 		OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
 	if (s->s3->tmp.peer_ellipticcurvelist)
 		OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+	if (s->s3->tmp.peer_psk_identity_hint)
+		OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
 	if (s->s3->handshake_buffer) {
 		BIO_free(s->s3->handshake_buffer);
 	}
@@ -1064,6 +1066,9 @@
 	if (s->s3->tmp.peer_ellipticcurvelist)
 		OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
 	s->s3->tmp.peer_ellipticcurvelist = NULL;
+	if (s->s3->tmp.peer_psk_identity_hint)
+		OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+	s->s3->tmp.peer_psk_identity_hint = NULL;
 
 	if (s->s3->tmp.dh != NULL)
 		{
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index da1dc9f..01cff64 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -406,7 +406,7 @@
 			 * in sync.
 			 */
 			if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
-			    ((alg_a & SSL_aPSK) && s->session->psk_identity_hint))
+			    ((alg_a & SSL_aPSK) && s->psk_identity_hint))
 				{
 				ret=ssl3_send_server_key_exchange(s);
 				if (ret <= 0) goto end;
@@ -1314,7 +1314,7 @@
 		if (alg_a & SSL_aPSK)
 			{
 			/* size for PSK identity hint */
-			psk_identity_hint = s->session->psk_identity_hint;
+			psk_identity_hint = s->psk_identity_hint;
 			if (psk_identity_hint)
 				psk_identity_hint_len = strlen(psk_identity_hint);
 			else
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index ef7ebdc..28d5988 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -105,7 +105,6 @@
  *     verifyResult            [5] INTEGER OPTIONAL,  -- one of X509_V_* codes
  *     hostName                [6] OCTET STRING OPTIONAL,
  *                                 -- from server_name extension
- *     pskIdentityHint         [7] OCTET STRING OPTIONAL,
  *     pskIdentity             [8] OCTET STRING OPTIONAL,
  *     ticketLifetimeHint      [9] INTEGER OPTIONAL,       -- client-only
  *     ticket                  [10] OCTET STRING OPTIONAL, -- client-only
@@ -118,8 +117,13 @@
  *     extendedMasterSecret    [17] BOOLEAN OPTIONAL,
  * }
  *
- * Note: When the relevant features were #ifdef'd out, support for
- * parsing compressionMethod [11] and srpUsername [12] was lost. */
+ * Note: historically this serialization has included other optional
+ * fields. Their presense is currently treated as a parse error:
+ *
+ *     keyArg                  [0] IMPLICIT OCTET STRING OPTIONAL,
+ *     pskIdentityHint         [7] OCTET STRING OPTIONAL,
+ *     compressionMethod       [11] OCTET STRING OPTIONAL,
+ *     srpUsername             [12] OCTET STRING OPTIONAL, */
 
 static const int kTimeTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
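Review bot: The rewritten note states that a serialized session containing pskIdentityHint [7] is now a parse error, but it does not say what that implies for sessions serialized before this change. Tickets or externally stored sessions written by an older build with a hint set would presumably stop parsing after an upgrade, so I would add a sentence along the lines of `Callers must treat a parse failure as a cache miss and fall back to a full handshake.` Separately, "presense" in the added comment should read "presence".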
@@ -133,8 +137,6 @@
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5;
 static const int kHostNameTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6;
-static const int kPSKIdentityHintTag =
-    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 7;
 static const int kPSKIdentityTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8;
 static const int kTicketLifetimeHintTag =
@@ -247,16 +249,6 @@
     }
   }
 
-  if (in->psk_identity_hint) {
-    if (!CBB_add_asn1(&session, &child, kPSKIdentityHintTag) ||
-        !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
-        !CBB_add_bytes(&child2, (const uint8_t *)in->psk_identity_hint,
-                       strlen(in->psk_identity_hint))) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-  }
-
   if (in->psk_identity) {
     if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) ||
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
@@ -460,8 +452,6 @@
   }
   if (!d2i_SSL_SESSION_get_string(&session, &ret->tlsext_hostname,
                                   kHostNameTag) ||
-      !d2i_SSL_SESSION_get_string(&session, &ret->psk_identity_hint,
-                                  kPSKIdentityHintTag) ||
       !d2i_SSL_SESSION_get_string(&session, &ret->psk_identity,
                                   kPSKIdentityTag)) {
     goto err;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8357ff9..550080b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2928,35 +2928,18 @@
 		return 0;
 		}
 
-	/* Clear hint in SSL and associated SSL_SESSION (if any). */
+	/* Clear currently configured hint, if any. */
 	if (s->psk_identity_hint != NULL)
 		{
 		OPENSSL_free(s->psk_identity_hint);
 		s->psk_identity_hint = NULL;
 		}
-	if (s->session != NULL && s->session->psk_identity_hint != NULL)
-		{
-		OPENSSL_free(s->session->psk_identity_hint);
-		s->session->psk_identity_hint = NULL;
-		}
 
 	if (identity_hint != NULL)
 		{
-		/* The hint is stored in SSL and SSL_SESSION with the one in
-		 * SSL_SESSION taking precedence. Thus, if SSL_SESSION is avaiable,
-		 * we store the hint there, otherwise we store it in SSL. */
-		if (s->session != NULL)
-			{
-			s->session->psk_identity_hint = BUF_strdup(identity_hint);
-			if (s->session->psk_identity_hint == NULL)
-				return 0;
-			}
-		else
-			{
-			s->psk_identity_hint = BUF_strdup(identity_hint);
-			if (s->psk_identity_hint == NULL)
-				return 0;
-			}
+		s->psk_identity_hint = BUF_strdup(identity_hint);
+		if (s->psk_identity_hint == NULL)
+			return 0;
 		}
 	return 1;
 	}
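Review bot: The old hint is freed before `BUF_strdup` is attempted, so a failed allocation returns 0 with `s->psk_identity_hint` left NULL rather than unchanged. On a server that silently changes whether ServerKeyExchange is sent for PSK ciphers (the `s->psk_identity_hint` test in s3_srvr.c and d1_srvr.c), which is an odd outcome for a call that reported failure. Duplicating first and swapping afterwards keeps the previous configuration intact on error; the failure path could also queue an error, as the malloc failure in ssl3_get_server_key_exchange does. The function's signature and its length check sit above the hunk.

```c
	/* … unchanged: NULL and length checks on identity_hint … */

	/* Duplicate before freeing so a failed allocation leaves the
	 * previously configured hint in place. */
	char *new_hint = NULL;
	if (identity_hint != NULL)
		{
		new_hint = BUF_strdup(identity_hint);
		if (new_hint == NULL)
			return 0;
		}

	if (s->psk_identity_hint != NULL)
		OPENSSL_free(s->psk_identity_hint);
	s->psk_identity_hint = new_hint;
	return 1;
```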
@@ -2965,11 +2948,7 @@
 	{
 	if (s == NULL)
 		return NULL;
-	/* The hint is stored in SSL and SSL_SESSION with the one in SSL_SESSION
-	 * taking precedence. */
-	if (s->session != NULL)
-		return(s->session->psk_identity_hint);
-	return(s->psk_identity_hint);
+	return s->psk_identity_hint;
 	}
 
 const char *SSL_get_psk_identity(const SSL *s)
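Review bot: The changed meaning of this accessor is explained only in the commit message; the code loses its old comment and gains none. A short comment above `return s->psk_identity_hint;` would keep callers from expecting the server's hint on a client, for example `/* Returns the hint configured via SSL_use_psk_identity_hint. The hint received from a server is only passed to the PSK client callback. */`. The function's signature is above the hunk.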
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 0cccbc7..6b5f8c2 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -377,16 +377,6 @@
 				return 0;
 				}
 			}
-		if (s->psk_identity_hint)
-			{
-			ss->psk_identity_hint = BUF_strdup(s->psk_identity_hint);
-			if (ss->psk_identity_hint == NULL)
-				{
-				OPENSSL_PUT_ERROR(SSL, ssl_get_new_session, ERR_R_MALLOC_FAILURE);
-				SSL_SESSION_free(ss);
-				return 0;
-				}
-			}
 		}
 	else
 		{
@@ -712,8 +702,6 @@
 		OPENSSL_free(ss->tlsext_signed_cert_timestamp_list);
 	if (ss->ocsp_response != NULL)
 		OPENSSL_free(ss->ocsp_response);
-	if (ss->psk_identity_hint != NULL)
-		OPENSSL_free(ss->psk_identity_hint);
 	if (ss->psk_identity != NULL)
 		OPENSSL_free(ss->psk_identity);
 	OPENSSL_cleanse(ss,sizeof(*ss));
diff --git a/ssl/ssl_test.c b/ssl/ssl_test.c
index da9ba4b..ee83693 100644
--- a/ssl/ssl_test.c
+++ b/ssl/ssl_test.c
@@ -271,51 +271,50 @@
 /* kOpenSSLSession is a serialized SSL_SESSION generated from openssl
  * s_client -sess_out. */
 static const char kOpenSSLSession[] =
-  "MIIFpQIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
-  "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
-  "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
-  "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
-  "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
-  "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
-  "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
-  "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
-  "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
-  "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
-  "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
-  "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
-  "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
-  "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
-  "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
-  "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
-  "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
-  "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
-  "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
-  "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
-  "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
-  "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
-  "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
-  "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
-  "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
-  "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
-  "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
-  "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
-  "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
-  "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
-  "i4gv7Y5oliyn";
+    "MIIFpQIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
+    "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
+    "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
+    "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
+    "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
+    "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
+    "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
+    "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
+    "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
+    "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
+    "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
+    "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
+    "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
+    "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
+    "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
+    "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
+    "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
+    "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
+    "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
+    "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
+    "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
+    "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
+    "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
+    "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
+    "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
+    "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
+    "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
+    "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
+    "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
+    "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
+    "i4gv7Y5oliyn";
 
 /* kCustomSession is a custom serialized SSL_SESSION generated by
  * filling in missing fields from |kOpenSSLSession|. This includes
  * providing |peer_sha256|, so |peer| is not serialized. */
 static const char kCustomSession[] =
-  "MIIBfwIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
-  "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
-  "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tpwcE"
-  "BWhlbGxvqAcEBXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOB"
-  "fF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY2"
-  "7GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inb"
-  "MaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliyn"
-  "rSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLAD"
-  "BAEF";
+    "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
+    "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
+    "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
+    "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
+    "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
+    "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
+    "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
+    "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
 
 static int decode_base64(uint8_t **out, size_t *out_len, const char *in) {
   size_t len;
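Review bot: The updated `kCustomSession` drops the pskIdentityHint field, but nothing visible in this hunk checks the other half of the change, namely that a session which still carries tag [7] is rejected. The previous `kCustomSession` blob is a ready-made input for that, so I would keep it under a new name (say `kLegacyHintSession`, a constructed name) and assert that `d2i_SSL_SESSION` returns NULL for it. That pins the "treated as a parse error" statement in ssl_asn1.c to a test, so a later parser change cannot quietly start accepting or ignoring the field. The test functions themselves are outside this hunk, so this may already be covered elsewhere.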
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index c83f589..a341901 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -158,8 +158,6 @@
 		}
 	if (BIO_puts(bp,"\n    PSK identity: ") <= 0) goto err;
 	if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) goto err;
-	if (BIO_puts(bp,"\n    PSK identity hint: ") <= 0) goto err;
-	if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
 	if (x->tlsext_tick_lifetime_hint)
 		{
 		if (BIO_printf(bp,