Remove psk_identity_hint from SSL_SESSION.

There's not much point in retaining the identity hint in the SSL_SESSION. This
avoids the complexity around setting psk_identity_hint on either the SSL or the
SSL_SESSION. Introduce a peer_psk_identity_hint for the client to store the one
received from the server.

This changes the semantics of SSL_get_psk_identity_hint; it now only returns
the value configured for the server. The client learns the hint through the
callback. This is compatible with the one use of this API in conscrypt (it
pulls the hint back out to pass to a callback).

Change-Id: I6d9131636b47f13ac5800b4451436a057021054a
Reviewed-on: https://boringssl-review.googlesource.com/2213
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 34043a4..aeb2604 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1208,10 +1208,13 @@
 			 * |sess_cert|. */
 			if (s->session->sess_cert == NULL)
 				s->session->sess_cert = ssl_sess_cert_new();
-			if (s->session->psk_identity_hint)
+
+			/* TODO(davidben): This should be reset in one place
+			 * with the rest of the handshake state. */
+			if (s->s3->tmp.peer_psk_identity_hint)
 				{
-				OPENSSL_free(s->session->psk_identity_hint);
-				s->session->psk_identity_hint = NULL;
+				OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+				s->s3->tmp.peer_psk_identity_hint = NULL;
 				}
 			}
 		s->s3->tmp.reuse_message=1;
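Review bot: The new `s->s3->tmp.peer_psk_identity_hint` is heap-owned handshake state, yet the only release visible in this file is this branch for an omitted ServerKeyExchange, which the TODO itself flags as ad hoc. Whatever frees or zeroes `s->s3` (not visible in these hunks) must also `OPENSSL_free` this pointer before the struct is cleared, otherwise the hint leaks per connection; please confirm that is covered in the other files of this change. I would also extend the comment to say why the reset happens here, e.g. `/* Drop any hint left over from a previous handshake so the PSK callback never sees a stale value. */`. The enclosing function starts and ends outside the hunk.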
@@ -1275,9 +1278,9 @@
 			}
 
 		/* Save the identity hint as a C string. */
-		if (!CBS_strdup(&psk_identity_hint, &s->session->psk_identity_hint))
+		if (!CBS_strdup(&psk_identity_hint, &s->s3->tmp.peer_psk_identity_hint))
 			{
-			al = SSL_AD_HANDSHAKE_FAILURE;
+			al = SSL_AD_INTERNAL_ERROR;
 			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
 			goto f_err;
 			}
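Review bot: `CBS_strdup` turns a length-delimited field into a C string, so a hint containing a zero byte would reach the callback truncated. The check that rejects that case is presumably just above the hunk, but it is not visible here and should be confirmed. The comment could also state that the destination is replaced rather than leaked on a repeat handshake, e.g. `/* Save the identity hint as a C string; CBS_strdup releases any hint stored by an earlier handshake. */`. The enclosing function starts and ends outside the hunk.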
@@ -1874,7 +1877,7 @@
 				}
 
 			memset(identity, 0, sizeof(identity));
-			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+			psk_len = s->psk_client_callback(s, s->s3->tmp.peer_psk_identity_hint,
 				identity, sizeof(identity), psk, sizeof(psk));
 			if (psk_len > PSK_MAX_PSK_LEN)
 				{
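Review bot: The hint handed to `psk_client_callback` can be NULL (the omitted-ServerKeyExchange branch earlier in this file resets it), and when present it is text supplied by the peer before the handshake has authenticated anything; neither is stated at the call site. A short comment would make the contract explicit, e.g. `/* peer_psk_identity_hint is NULL when the server sent no hint; it is unauthenticated peer input and the callback must treat it as such. */`. The enclosing block continues past the end of the hunk.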