Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@

1 files changed, 3 insertions, 10 deletions

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 36823d6462..546854b462 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.382 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.383 2022/01/11 19:03:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -475,8 +475,9 @@ struct ssl_session_st {
         unsigned int sid_ctx_length;
         unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
-        /* This is the cert for the other end. */
+        /* Peer provided leaf (end-entity) certificate. */
         X509 *peer_cert;
+        int peer_cert_type;
 
         /* when app_verify_callback accepts a session where the peer's certificate
          * is not ok, we must remember the error for session reuse: */
@@ -513,14 +514,6 @@ struct ssl_session_st {
 
         STACK_OF(X509) *cert_chain; /* as received from peer */
 
-        /* The 'peer_...' members are used only by clients. */
-        int peer_cert_type;
-
-        /* Obviously we don't have the private keys of these,
-         * so maybe we shouldn't even use the SSL_CERT_PKEY type here. */
-        SSL_CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
-        SSL_CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
-
         size_t tlsext_ecpointformatlist_length;
         uint8_t *tlsext_ecpointformatlist; /* peer's list */
         size_t tlsext_supportedgroups_length;