From 29dd08f9d36c1e143430c23b6c134c873648b8f4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 11 Jan 2022 19:03:15 +0000
Subject: Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate).
ok inoguchi@ tb@
---
 src/lib/libssl/ssl_sess.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'src/lib/libssl/ssl_sess.c')
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a49076be74..44c2e846ba 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.108 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.109 2022/01/11 19:03:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -230,8 +230,6 @@ SSL_SESSION_new(void)
 ss->next = NULL;
 ss->tlsext_hostname = NULL;
- ss->peer_key = &ss->peer_pkeys[SSL_PKEY_RSA];
- ss->tlsext_ecpointformatlist_length = 0;
 ss->tlsext_ecpointformatlist = NULL;
 ss->tlsext_supportedgroups_length = 0;
@@ -763,8 +761,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
 explicit_bzero(ss->session_id, sizeof ss->session_id);
 sk_X509_pop_free(ss->cert_chain, X509_free);
- for (i = 0; i < SSL_PKEY_NUM; i++)
- X509_free(ss->peer_pkeys[i].x509);
 X509_free(ss->peer_cert);
--
cgit v1.2.3-55-g6feb