Remove certificates from sess_cert

               SSL_R_WRONG_CERTIFICATE_TYPE);

        goto f_err;

    }

    sc->peer_cert_type = i;

    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);

    /*

     * Why would the following ever happen? We just created sc a couple

     * of lines ago.

     */

    X509_free(sc->peer_pkeys[i].x509);

    sc->peer_pkeys[i].x509 = x;

    sc->peer_key = &(sc->peer_pkeys[i]);

    s->session->peer_type = i;

    X509_free(s->session->peer);

    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);

/* We must check if there is a certificate */

# ifndef OPENSSL_NO_RSA

        if (alg_a & SSL_aRSA)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

            pkey = X509_get_pubkey(s->session->peer);

# else

        if (0) ;

# endif

# ifndef OPENSSL_NO_DSA

        else if (alg_a & SSL_aDSS)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].

                                x509);

            pkey = X509_get_pubkey(s->session->peer);

# endif

    } else

#endif                          /* !OPENSSL_NO_SRP */

        /* this should be because we are using an export cipher */

        if (alg_a & SSL_aRSA)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

            pkey = X509_get_pubkey(s->session->peer);

        else {

            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);

            goto err;

        }

# ifndef OPENSSL_NO_RSA

        if (alg_a & SSL_aRSA)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

            pkey = X509_get_pubkey(s->session->peer);

# else

        if (0) ;

# endif

# ifndef OPENSSL_NO_DSA

        else if (alg_a & SSL_aDSS)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].

                                x509);

            pkey = X509_get_pubkey(s->session->peer);

# endif

        /* else anonymous DH, so no certificate or pkey. */

        if (0) ;

# ifndef OPENSSL_NO_RSA

        else if (alg_a & SSL_aRSA)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

            pkey = X509_get_pubkey(s->session->peer);

# endif

# ifndef OPENSSL_NO_EC

        else if (alg_a & SSL_aECDSA)

            pkey =

                X509_get_pubkey(s->session->

                                sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);

            pkey = X509_get_pubkey(s->session->peer);

# endif

        /* else anonymous ECDH, so no certificate or pkey. */

        EC_KEY_set_public_key(ecdh, srvr_ecpoint);

            if (s->s3->peer_rsa_tmp != NULL)

                rsa = s->s3->peer_rsa_tmp;

            else {

                pkey =

                    X509_get_pubkey(s->session->

                                    sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].

                                    x509);

                pkey = X509_get_pubkey(s->session->peer);

                if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)

                    || (pkey->pkey.rsa == NULL)) {

                    SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,

                dh_srvr = s->s3->peer_dh_tmp;

            else {

                /* we get them from the cert */

                int idx = scert->peer_cert_type;

                EVP_PKEY *spkey = NULL;

                dh_srvr = NULL;

                if (idx >= 0)

                    spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509);

                spkey = X509_get_pubkey(s->session->peer);

                if (spkey) {

                    dh_srvr = EVP_PKEY_get1_DH(spkey);

                    EVP_PKEY_free(spkey);

                tkey = s->s3->peer_ecdh_tmp;

            } else {

                /* Get the Server Public Key from Cert */

                srvr_pub_pkey =

                    X509_get_pubkey(s->session->

                                    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);

                srvr_pub_pkey = X509_get_pubkey(s->session->peer);

                if ((srvr_pub_pkey == NULL)

                    || (srvr_pub_pkey->type != EVP_PKEY_EC)

                    || (srvr_pub_pkey->pkey.ec == NULL)) {

            X509 *peer_cert;

            size_t msglen;

            unsigned int md_len;

            int keytype;

            unsigned char shared_ukm[32], tmp[256];

            EVP_MD_CTX *ukm_hash;

            EVP_PKEY *pub_key;

            /*

             * Get server sertificate PKEY and create ctx from it

             */

            peer_cert =

                s->session->

                sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;

            if (!peer_cert)

                peer_cert =

                    s->session->

                    sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;

            peer_cert = s->session->peer;

            if (!peer_cert) {

                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,

                       SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* See if we can use client certificate for fixed DH */

    if (alg_k & (SSL_kDHr | SSL_kDHd)) {

        SESS_CERT *scert = s->session->sess_cert;

        int i = scert->peer_cert_type;

        int i = s->session->peer_type;

        EVP_PKEY *clkey = NULL, *spkey = NULL;

        clkey = s->cert->key->privatekey;

        /* If client key not DH assume it can be used */

        if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)

            return 1;

        if (i >= 0)

            spkey = X509_get_pubkey(scert->peer_pkeys[i].x509);

            spkey = X509_get_pubkey(s->session->peer);

        if (spkey) {

            /* Compare server and client parameters */

            i = EVP_PKEY_cmp_parameters(clkey, spkey);

    /* This is the passed certificate */

    idx = sc->peer_cert_type;

    idx = s->session->peer_type;

#ifndef OPENSSL_NO_EC

    if (idx == SSL_PKEY_ECC) {

        if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, s) == 0) {

        if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {

            /* check failed */

            SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);

            goto f_err;

        goto f_err;

    }

#endif

    pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);

    pkey = X509_get_pubkey(s->session->peer);

    pkey_bits = EVP_PKEY_bits(pkey);

    i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);

    i = X509_certificate_type(s->session->peer, pkey);

    EVP_PKEY_free(pkey);

    /* Check that we have a certificate if we require one */

    }

    memset(ret, 0, sizeof(*ret));

    ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);

    ret->references = 1;

    return ret;

    /* i == 0 */

    sk_X509_pop_free(sc->cert_chain, X509_free);

    for (i = 0; i < SSL_PKEY_NUM; i++) {

        X509_free(sc->peer_pkeys[i].x509);

#if 0

        /*

         * We don't have the peer's private key. This line is just

         * here as a reminder that we're still using a not-quite-appropriate

         *  data structure.

         */

        EVP_PKEY_free(sc->peer_pkeys[i].privatekey);

#endif

    }

    OPENSSL_free(sc);

}

int ssl_set_peer_cert_type(SESS_CERT *sc, int type)

{

    sc->peer_cert_type = type;

    return (1);

}

int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)

{

    X509 *x;

    int not_resumable;

    /* The cert is the certificate used to establish this connection */

    struct sess_cert_st /* SESS_CERT */ *sess_cert;

    /*

     * This is the cert for the other end. On clients, it will be the same as

     * sess_cert->peer_key->x509 (the latter is not enough as sess_cert is

     * not retained in the external representation of sessions, see

     * ssl_asn1.c).

     */

    /* This is the cert and type for the other end. */

    X509 *peer;

    int peer_type;

    /*

     * when app_verify_callback accepts a session where the peer's

     * certificate is not ok, we must remember the error for session reuse:

typedef struct sess_cert_st {

    STACK_OF(X509) *cert_chain; /* as received from peer */

    /* The 'peer_...' members are used only by clients. */

    int peer_cert_type;

    CERT_PKEY *peer_key;        /* points to an element of peer_pkeys (never

                                 * NULL!) */

    CERT_PKEY peer_pkeys[SSL_PKEY_NUM];

    /*

     * Obviously we don't have the private keys of these, so maybe we

     * shouldn't even use the CERT_PKEY type here.

     */

    int references;             /* actually always 1 at the moment */

} SESS_CERT;

/* Structure containing decoded values of signature algorithms extension */

void ssl_cert_free(CERT *c);

__owur SESS_CERT *ssl_sess_cert_new(void);

void ssl_sess_cert_free(SESS_CERT *sc);

__owur int ssl_set_peer_cert_type(SESS_CERT *c, int type);

__owur int ssl_get_new_session(SSL *s, int session);

__owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,

                         const unsigned char *limit);