From 29dd08f9d36c1e143430c23b6c134c873648b8f4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 11 Jan 2022 19:03:15 +0000
Subject: Remove peer_pkeys from SSL_SESSION.
peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate).
ok inoguchi@ tb@
---
 src/lib/libssl/ssl_srvr.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
(limited to 'src/lib/libssl/ssl_srvr.c')
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 786362ea02..30545320b3 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.139 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.140 2022/01/11 19:03:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1905,7 +1905,7 @@ ssl3_get_cert_verify(SSL *s)
 CBS cbs, signature;
 const struct ssl_sigalg *sigalg = NULL;
 uint16_t sigalg_value = SIGALG_NONE;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pkey;
 X509 *peer_cert = NULL;
 EVP_MD_CTX *mctx = NULL;
 int al, verify;
@@ -1928,11 +1928,9 @@ ssl3_get_cert_verify(SSL *s)
 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
- if (s->session->peer_cert != NULL) {
- peer_cert = s->session->peer_cert;
- pkey = X509_get_pubkey(peer_cert);
- type = X509_certificate_type(peer_cert, pkey);
- }
+ peer_cert = s->session->peer_cert;
+ pkey = X509_get0_pubkey(peer_cert);
+ type = X509_certificate_type(peer_cert, pkey);
 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
 S3I(s)->hs.tls12.reuse_message = 1;
@@ -2131,7 +2129,7 @@ ssl3_get_cert_verify(SSL *s)
 tls1_transcript_free(s);
 err:
 EVP_MD_CTX_free(mctx);
- EVP_PKEY_free(pkey);
+
 return (ret);
 }
-- cgit v1.2.3-55-g6feb
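Review bot: The `EVP_PKEY *pkey;` declaration in the `@@ -1905` hunk does not record that pkey is now a borrowed pointer. The `@@ -1928` hunk switches to `X509_get0_pubkey()` and the `@@ -2131` hunk drops `EVP_PKEY_free(pkey)`, so the key now belongs to the session's peer_cert. A short comment on the declaration, for example `/* Borrowed from s->session->peer_cert; must not be freed here. */`, would keep a later edit from re-adding the free and causing a double free. Most of ssl3_get_cert_verify lies outside these hunks, so whether another path still frees pkey cannot be checked from here.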
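Review bot: With the `if (s->session->peer_cert != NULL)` guard removed in the `@@ -1928` hunk, `X509_get0_pubkey(peer_cert)` and `X509_certificate_type(peer_cert, pkey)` run even when the session holds no client certificate. The server handshake path therefore depends on both helpers accepting a NULL X509. Neither helper is defined in this diff: if both return NULL/0 for a NULL argument the behaviour is unchanged, otherwise this is a NULL dereference that a remote client could trigger. Once that is confirmed, a comment above the three added lines would record the assumption, for example `/* peer_cert is NULL when no client certificate was received; both calls tolerate NULL. */`. The function body continues outside the hunk, so any later checks on peer_cert or pkey are not visible here.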