Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@

1 files changed, 1 insertions, 5 deletions

diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a49076be74..44c2e846ba 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.108 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.109 2022/01/11 19:03:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -230,8 +230,6 @@ SSL_SESSION_new(void)
         ss->next = NULL;
         ss->tlsext_hostname = NULL;
 
-        ss->peer_key = &ss->peer_pkeys[SSL_PKEY_RSA];
-
         ss->tlsext_ecpointformatlist_length = 0;
         ss->tlsext_ecpointformatlist = NULL;
         ss->tlsext_supportedgroups_length = 0;
@@ -763,8 +761,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
         explicit_bzero(ss->session_id, sizeof ss->session_id);
 
         sk_X509_pop_free(ss->cert_chain, X509_free);
-        for (i = 0; i < SSL_PKEY_NUM; i++)
-                X509_free(ss->peer_pkeys[i].x509);
 
         X509_free(ss->peer_cert);