github.com/mono/boringssl.git
author David Benjamin <davidben@chromium.org> 2015-06-07 17:53:32 +0300
committer Adam Langley <agl@google.com> 2015-06-09 01:13:45 +0300
commit b31040d0d8bbfa563a39e2321131074816d9d21b
tree daa27ec3ef9985512b241008b96cb00553b7251a /ssl/ssl_cert.c
parent c7a3a148721c2b02ed31297bcc2a823949225e67
Get rid of CERT_PKEY slots in SESS_CERT.

This doesn't even change behavior. Unlike local configuration, the peer can never have multiple certificates anyway. (Even with a renego, the SESS_CERT is created anew.)

This does lose the implicit certificate type check, but the certificate type is already checked in ssl3_get_server_certificate and later checked post-facto in ssl3_check_cert_and_algorithm (except that one seems to have some bugs like it accepts ECDSA certificates for RSA cipher suites, to be cleaned up in a follow-up). Either way, we have the certificate mismatch tests for this.

BUG=486295
Change-Id: I437bb723bb310ad54ee4150eda67c1cfe43377b3
Reviewed-on: https://boringssl-review.googlesource.com/5044
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/ssl_cert.c')
-rw-r--r-- ssl/ssl_cert.c 14
1 files changed, 1 insertions, 13 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index f1fd6751..f27685d1 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -409,35 +409,23 @@ SESS_CERT *ssl_sess_cert_new(void) {
}
memset(ret, 0, sizeof *ret);
- ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
return ret;
}
void ssl_sess_cert_free(SESS_CERT *sc) {
- int i;
-
if (sc == NULL) {
return;
}
sk_X509_pop_free(sc->cert_chain, X509_free);
-
- for (i = 0; i < SSL_PKEY_NUM; i++) {
- X509_free(sc->peer_pkeys[i].x509);
- }
-
+ X509_free(sc->peer_cert);
DH_free(sc->peer_dh_tmp);
EC_KEY_free(sc->peer_ecdh_tmp);
OPENSSL_free(sc);
}
-int ssl_set_peer_cert_type(SESS_CERT *sc, int type) {
- sc->peer_cert_type = type;
- return 1;
-}
-
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
X509 *x;
int i;
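Review bot: removing ssl_set_peer_cert_type at the end of this hunk, together with the per-type peer_pkeys slots, drops the implicit certificate type check while the commit message itself says ssl3_check_cert_and_algorithm still accepts ECDSA certificates for RSA cipher suites. That leaves ssl3_get_server_certificate as the only strict check until the follow-up lands, so I would either land that fix in the same series or leave a TODO next to the peer_cert field naming the gap, and confirm the certificate mismatch tests include the ECDSA-certificate-with-RSA-suite case. Separately, in ssl_sess_cert_free the new X509_free(sc->peer_cert) is correct for a session with no peer certificate only because ssl_sess_cert_new zeroes the struct with memset; since this view is limited to ssl/ssl_cert.c, the sites that now assign sc->peer_cert are not visible here and should be checked to free any previous value and hold their own reference, so this single free neither leaks nor double-frees.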