Backport OCSP Stapling fix.

 Changes between 1.0.0j and 1.0.0k [xx XXX xxxx]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so

     the right response is stapled. Also change SSL_get_certificate()

     so it returns the certificate actually sent.

     See http://rt.openssl.org/Ticket/Display.html?id=2836.

     (This is a backport)

     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.

     [Steve Henson]

			goto f_err;

			}

		}

		if (ssl_check_clienthello_tlsext(s) <= 0) {

		if (ssl_check_clienthello_tlsext_early(s) <= 0) {

			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);

			goto err;

		}

	 * s->tmp.new_cipher	- the new cipher to use.

	 */

	/* Handles TLS extensions that we couldn't check earlier */

	if (s->version >= SSL3_VERSION)

		{

		if (ssl_check_clienthello_tlsext_late(s) <= 0)

			{

			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);

			goto err;

			}

		}

	if (ret < 0) ret=1;

	if (0)

		{

#endif

/* THIS NEEDS CLEANING UP */

X509 *ssl_get_server_send_cert(SSL *s)

X509 *ssl_get_server_send_cert(const SSL *s)

	{

	unsigned long alg_k,alg_a;

	CERT *c;

/* Fix this function so that it takes an optional type parameter */

X509 *SSL_get_certificate(const SSL *s)

	{

	if (s->cert != NULL)

	if (s->server)

		return(ssl_get_server_send_cert(s));

	else if (s->cert != NULL)

		return(s->cert->key->x509);

	else

		return(NULL);

int ssl_undefined_function(SSL *s);

int ssl_undefined_void_function(void);

int ssl_undefined_const_function(const SSL *s);

X509 *ssl_get_server_send_cert(SSL *);

X509 *ssl_get_server_send_cert(const SSL *);

EVP_PKEY *ssl_get_sign_pkey(SSL *,const SSL_CIPHER *);

int ssl_cert_type(X509 *x,EVP_PKEY *pkey);

void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);

int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);

int ssl_prepare_clienthello_tlsext(SSL *s);

int ssl_prepare_serverhello_tlsext(SSL *s);

int ssl_check_clienthello_tlsext(SSL *s);

int ssl_check_clienthello_tlsext_early(SSL *s);

int ssl_check_clienthello_tlsext_late(SSL *s);

int ssl_check_serverhello_tlsext(SSL *s);

#ifdef OPENSSL_NO_SHA256

	return 1;

	}

int ssl_check_clienthello_tlsext(SSL *s)

int ssl_check_clienthello_tlsext_early(SSL *s)

	{

	int ret=SSL_TLSEXT_ERR_NOACK;

	int al = SSL_AD_UNRECOGNIZED_NAME;

	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 		

		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

	/* If status request then ask callback what to do.

 	 * Note: this must be called after servername callbacks in case 

 	 * the certificate has changed.

 	 */

	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)

		{

		int r;

		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);

		switch (r)

			{

			/* We don't want to send a status request response */

			case SSL_TLSEXT_ERR_NOACK:

				s->tlsext_status_expected = 0;

				break;

			/* status request response should be sent */

			case SSL_TLSEXT_ERR_OK:

				if (s->tlsext_ocsp_resp)

					s->tlsext_status_expected = 1;

				else

					s->tlsext_status_expected = 0;

				break;

			/* something bad happened */

			case SSL_TLSEXT_ERR_ALERT_FATAL:

				ret = SSL_TLSEXT_ERR_ALERT_FATAL;

				al = SSL_AD_INTERNAL_ERROR;

				goto err;

			}

		}

	else

		s->tlsext_status_expected = 0;

#ifdef TLSEXT_TYPE_opaque_prf_input

 	{

		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),

		 * but we might be sending an alert in response to the client hello,

		 * so this has to happen here in ssl_check_clienthello_tlsext(). */

		 * so this has to happen here in

		 * ssl_check_clienthello_tlsext_early(). */

		int r = 1;

			}

	}

#endif

 err:

#endif

	switch (ret)

		{

		case SSL_TLSEXT_ERR_ALERT_FATAL:

		}

	}

int ssl_check_clienthello_tlsext_late(SSL *s)

	{

	int ret = SSL_TLSEXT_ERR_OK;

	int al;

	/* If status request then ask callback what to do.

 	 * Note: this must be called after servername callbacks in case 

 	 * the certificate has changed, and must be called after the cipher

	 * has been chosen because this may influence which certificate is sent

 	 */

	if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)

		{

		int r;

		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);

		switch (r)

			{

			/* We don't want to send a status request response */

			case SSL_TLSEXT_ERR_NOACK:

				s->tlsext_status_expected = 0;

				break;

			/* status request response should be sent */

			case SSL_TLSEXT_ERR_OK:

				if (s->tlsext_ocsp_resp)

					s->tlsext_status_expected = 1;

				else

					s->tlsext_status_expected = 0;

				break;

			/* something bad happened */

			case SSL_TLSEXT_ERR_ALERT_FATAL:

				ret = SSL_TLSEXT_ERR_ALERT_FATAL;

				al = SSL_AD_INTERNAL_ERROR;

				goto err;

			}

		}

	else

		s->tlsext_status_expected = 0;

 err:

	switch (ret)

		{

		case SSL_TLSEXT_ERR_ALERT_FATAL:

			ssl3_send_alert(s, SSL3_AL_FATAL, al); 

			return -1;

		case SSL_TLSEXT_ERR_ALERT_WARNING:

			ssl3_send_alert(s, SSL3_AL_WARNING, al);

			return 1; 

		default:

			return 1;

		}

	}

int ssl_check_serverhello_tlsext(SSL *s)

	{

	int ret=SSL_TLSEXT_ERR_NOACK;