Recent changes from 0.9.7-stable.

diff --git a/CHANGES b/CHANGES
index 591f5cf6d9bf1086f03b52b69d5f1e04ada69f2d..4997509f20ba2c668567e4855626b33ba7208229 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@
 
  Changes between 0.9.7b and 0.9.7c  [xx XXX 2003]
 
+  *) New -ignore_err option in ocsp application to stop the server
+     exiting on the first error in a request.
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
      extra data after the compression methods not only for TLS 1.0
      but also for SSL 3.0 (as required by the specification).
@@ -1973,6 +1982,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
  Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
 
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
      extra data after the compression methods not only for TLS 1.0
      but also for SSL 3.0 (as required by the specification).

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 17e84366d974c29a55286abfe07e24fd7e09a748..e5f186fd5ea8e1193bb0cae22af2088fe2648aab 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
        int accept_count = -1;
        int badarg = 0;
        int i;
+       int ignore_err = 0;
        STACK *reqnames = NULL;
        STACK_OF(OCSP_CERTID) *ids = NULL;
 
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (!strcmp(*args, "-ignore_err"))
+                       ignore_err = 1;
                else if (!strcmp(*args, "-noverify"))
                        noverify = 1;
                else if (!strcmp(*args, "-nonce"))
@@ -809,6 +812,8 @@ int MAIN(int argc, char **argv)
                {
                BIO_printf(out, "Responder Error: %s (%ld)\n",
                                OCSP_response_status_str(i), i);
+               if (ignore_err)
+                       goto redo_accept;
                ret = 0;
                goto end;
                }

diff --git a/apps/openssl.c b/apps/openssl.c
index 45af2ba7f9a8281afcb7ab527a82941deba867b0..e0d89d4ab413fee3c8c22ee62d96b6f687227c2b 100644 (file)
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -163,7 +163,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
                goto err;
                }
 
-       if (type < 0 || type > CRYPTO_NUM_LOCKS)
+       if (type < 0 || type >= CRYPTO_NUM_LOCKS)
                {
                errstr = "type out of bounds";
                goto err;

diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 5d981c655387c385fcaeb7b44eb75a3a72aabf4b..e8a26af521f23e8895753ed970b250fe7ffd666a 100644 (file)
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)
 
 static int out_utf8(unsigned long value, void *arg)
 {
-       long *outlen;
+       int *outlen;
        outlen = arg;
        *outlen += UTF8_putc(NULL, -1, value);
        return 1;

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bb029cfa1da6202ebc9853473d25db859bb0257c..37cf730d0e112feb6dc5c0ed0a665507e2f8d6bf 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
                        if (ret == 2)
                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
                        else {
-                               /* could be sent for a DH cert, even if we
-                                * have not asked for it :-) */
-                               ret=ssl3_get_client_certificate(s);
-                               if (ret <= 0) goto end;
+                               if (s->s3->tmp.cert_request)
+                                       {
+                                       ret=ssl3_get_client_certificate(s);
+                                       if (ret <= 0) goto end;
+                                       }
                                s->init_num=0;
                                s->state=SSL3_ST_SR_KEY_EXCH_A;
                        }

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index fbc30b94e63b62b2148f6f474751af6667951dd2..fabcdefa6ed6a1cfc926856ecf6396ac46188ae9 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
        /* Need to lock this all up rather than just use CRYPTO_add so that
         * somebody doesn't free ssl->session between when we check it's
         * non-null and when we up the reference count. */
-       CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+       CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
        sess = ssl->session;
        if(sess)
                sess->references++;
-       CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+       CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
        return(sess);
        }
 

diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 47c383200ae62cdf3850db1afe6125032346a061..42289c255b27e00328bf2c5e11fac788f801e02d 100644 (file)
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -290,7 +290,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
                goto err;
                }
 
-       if (type < 0 || type > CRYPTO_NUM_LOCKS)
+       if (type < 0 || type >= CRYPTO_NUM_LOCKS)
                {
                errstr = "type out of bounds";
                goto err;