From 27baa8317a69dbd05cfc0160bb09ed8014581772 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 17 Nov 2013 17:48:18 +0000
Subject: [PATCH] Use correct header length in ssl3_send_certifcate_request
 (cherry picked from commit fdeaf55bf95e1e2a1e70cca8b68c7d8bbef7c8f0)

---
 ssl/s3_srvr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 6eaeee3d55..37f3ffb1bf 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2088,12 +2088,12 @@ int ssl3_send_certificate_request(SSL *s)
 				{
 				name=sk_X509_NAME_value(sk,i);
 				j=i2d_X509_NAME(name,NULL);
-				if (!BUF_MEM_grow_clean(buf,4+n+j+2))
+				if (!BUF_MEM_grow_clean(buf,SSL_HM_HEADER_LENGTH(s)+n+j+2))
 					{
 					SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
 					goto err;
 					}
-				p=(unsigned char *)&(buf->data[4+n]);
+				p = ssl_handshake_start(s) + n;
 				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
 					{
 					s2n(j,p);
-- 
2.25.1