Don't retain T in PMBTOKEN_PRETOKEN.

We only need r, t, and T'.

Change-Id: I736c5638c73e80c99036182fa3cd30397c33d923
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40884
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/crypto/trust_token/internal.h b/crypto/trust_token/internal.h
index 3154077..582dc49 100644
--- a/crypto/trust_token/internal.h
+++ b/crypto/trust_token/internal.h
@@ -67,7 +67,6 @@
 typedef struct pmb_pretoken_st {
   uint8_t t[PMBTOKEN_NONCE_SIZE];
   EC_SCALAR r;
-  EC_RAW_POINT T;
   EC_RAW_POINT Tp;
 } PMBTOKEN_PRETOKEN;
 
diff --git a/crypto/trust_token/pmbtoken.c b/crypto/trust_token/pmbtoken.c
index 080368a..4b9451d 100644
--- a/crypto/trust_token/pmbtoken.c
+++ b/crypto/trust_token/pmbtoken.c
@@ -351,8 +351,9 @@
   ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
   ec_scalar_from_montgomery(group, &rinv, &rinv);
 
-  if (!hash_t(group, &pretoken->T, pretoken->t) ||
-      !ec_point_mul_scalar(group, &pretoken->Tp, &pretoken->T, &rinv)) {
+  EC_RAW_POINT T;
+  if (!hash_t(group, &T, pretoken->t) ||
+      !ec_point_mul_scalar(group, &pretoken->Tp, &T, &rinv)) {
     goto err;
   }