Remove peer_cert from SESS_CERT.
It is completely redundant with the copy in the SSL_SESSION, except that,
unlike the SSL_SESSION copy, it is not serialized.
Change-Id: I1d95a14cae064c599e4bab576df1dd156da4b81c
Reviewed-on: https://boringssl-review.googlesource.com/5757
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 50fe9bd..65fa4a5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1045,10 +1045,9 @@
* probably not be retained across resumptions. */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
- /* This is the cert for the other end. On clients, it will be the same as
- * sess_cert->peer_key->x509 (the latter is not enough as sess_cert is not
- * retained in the external representation of sessions, see ssl_asn1.c). */
+ /* peer is the peer's certificate. */
X509 *peer;
+
/* when app_verify_callback accepts a session where the peer's certificate is
* not ok, we must remember the error for session reuse: */
long verify_result; /* only for servers */
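Review bot: The replacement comment on `X509 *peer` drops the one fact a reader of this public header needs: that `peer` is the leaf certificate only and, unlike `sess_cert` (which the preceding comment says should probably not be retained across resumptions), is the copy that survives session serialization. Now that `peer` is the only place the peer's leaf lives, that property is what callers of the resumption path rely on, so the comment should state it, e.g. `/* peer is the peer's leaf certificate. Unlike sess_cert, it is retained in the serialized form of the session (see ssl_asn1.c). */`. Whether NULL is the "no certificate received" value is suggested by the X509_free/X509_up_ref pattern in s3_clnt.c rather than shown here, so confirm before adding that to the comment. The SSL_SESSION struct definition begins before this hunk.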
diff --git a/ssl/internal.h b/ssl/internal.h
index fdcb31c..7d9edd0 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -783,9 +783,6 @@
* this does includes the server's leaf certificate, but, for a server, this
* does NOT include the client's leaf. */
STACK_OF(X509) *cert_chain;
-
- /* peer_cert, on a client, is the leaf certificate of the peer. */
- X509 *peer_cert;
} SESS_CERT;
/* SSL_METHOD is a compatibility structure to support the legacy version-locked
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b81b914..576a861 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1032,9 +1032,6 @@
sc->cert_chain = sk;
sk = NULL;
- X509_free(sc->peer_cert);
- sc->peer_cert = X509_up_ref(leaf);
-
X509_free(s->session->peer);
s->session->peer = X509_up_ref(leaf);
@@ -1261,7 +1258,7 @@
/* ServerKeyExchange should be signed by the server's public key. */
if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
- pkey = X509_get_pubkey(s->session->sess_cert->peer_cert);
+ pkey = X509_get_pubkey(s->session->peer);
if (pkey == NULL) {
goto err;
}
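Review bot: The ServerKeyExchange signature key is now taken from `s->session->peer`, so this verification is only meaningful if `peer` was set from the Certificate message of the current handshake rather than carried over from an earlier session object; the hunk at -1032 shows the assignment in the certificate path, but nothing at this call records the dependency. A one-line comment would make the invariant visible to the next person who touches session handling: `/* s->session->peer was set from this handshake's Certificate message; it must never be a value inherited from a resumed session. */`. Separately, X509_get_pubkey hands back an owned EVP_PKEY reference, so `pkey` needs an EVP_PKEY_free on both the success and `goto err` paths; the enclosing function starts and ends outside this hunk, so I cannot see whether that is already handled.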
@@ -1686,7 +1683,7 @@
goto err;
}
- pkey = X509_get_pubkey(s->session->sess_cert->peer_cert);
+ pkey = X509_get_pubkey(s->session->peer);
if (pkey == NULL ||
pkey->type != EVP_PKEY_RSA ||
pkey->pkey.rsa == NULL) {
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 68a6dbe..66ef342 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -324,9 +324,6 @@
return NULL;
}
}
- if (sess_cert->peer_cert != NULL) {
- ret->peer_cert = X509_up_ref(sess_cert->peer_cert);
- }
return ret;
}
@@ -336,8 +333,6 @@
}
sk_X509_pop_free(sess_cert->cert_chain, X509_free);
- X509_free(sess_cert->peer_cert);
-
OPENSSL_free(sess_cert);
}