From f61bc950c147754984d0d231e2a73213da616a17 Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Mon, 8 Sep 2003 16:49:37 +0000
Subject: [PATCH] Recent changes from 0.9.7-stable.

---
 CHANGES | 14 ++++++++++++++
 apps/ocsp.c | 5 +++++
 apps/openssl.c | 2 +-
 crypto/asn1/a_mbstr.c | 2 +-
 ssl/s3_srvr.c | 9 +++++----
 ssl/ssl_sess.c | 4 ++--
 ssl/ssltest.c | 2 +-
 7 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 591f5cf6d9..4997509f20 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@
 Changes between 0.9.7b and 0.9.7c [xx XXX 2003]
+ *) New -ignore_err option in ocsp application to stop the server
+ exiting on the first error in a request.
+ [Steve Henson]
+
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
 *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification).
@@ -1973,6 +1982,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
 Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
 *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification).
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 17e84366d9..e5f186fd5e 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
 int accept_count = -1;
 int badarg = 0;
 int i;
+ int ignore_err = 0;
 STACK *reqnames = NULL;
 STACK_OF(OCSP_CERTID) *ids = NULL;
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
 }
 else badarg = 1;
 }
+ else if (!strcmp(*args, "-ignore_err"))
+ ignore_err = 1;
 else if (!strcmp(*args, "-noverify"))
 noverify = 1;
 else if (!strcmp(*args, "-nonce"))
@@ -809,6 +812,8 @@ int MAIN(int argc, char **argv)
 {
 BIO_printf(out, "Responder Error: %s (%ld)\n",
 OCSP_response_status_str(i), i);
+ if (ignore_err)
+ goto redo_accept;
 ret = 0;
 goto end;
 }
diff --git a/apps/openssl.c b/apps/openssl.c
index 45af2ba7f9..e0d89d4ab4 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -163,7 +163,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 goto err;
 }
- if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
 {
 errstr = "type out of bounds";
 goto err;
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 5d981c6553..e8a26af521 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)
 static int out_utf8(unsigned long value, void *arg)
 {
- long *outlen;
+ int *outlen;
 outlen = arg;
 *outlen += UTF8_putc(NULL, -1, value);
 return 1;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bb029cfa1d..37cf730d0e 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
 if (ret == 2)
 s->state = SSL3_ST_SR_CLNT_HELLO_C;
 else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
+ if (s->s3->tmp.cert_request)
+ {
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ }
 s->init_num=0;
 s->state=SSL3_ST_SR_KEY_EXCH_A;
 }
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index fbc30b94e6..fabcdefa6e 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
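Review bot: The new `goto redo_accept` on the responder-error path jumps back without releasing the request/response objects built for the failed iteration and without touching `accept_count`, so with `-ignore_err` a run of malformed or rejected requests would leak memory per request and `-nrequest` would no longer bound the server loop; this is inferred, since `redo_accept` and the normal re-accept path (which I believe frees `req`/`resp` before its own jump) are outside the hunk. The CHANGES entry describes the option as keeping the server running, yet the flag is honoured in any mode: in client mode (`accept_count < 0`) a responder error would re-enter the code after `redo_accept` with nothing new to process, which looks like an unintended retry loop. I would guard the jump on responder mode and release per-iteration state first, and state explicitly whether an errored request counts against `-nrequest`. `MAIN` starts and ends outside the hunk.
```c
			/* … unchanged: "Responder Error" BIO_printf … */
			/* Keep serving only in responder mode, and release this
			 * iteration's request/response before looping, as the
			 * normal re-accept path does. TODO confirm local names. */
			if (ignore_err && accept_count >= 0)
				{
				OCSP_REQUEST_free(req);
				req = NULL;
				OCSP_RESPONSE_free(resp);
				resp = NULL;
				goto redo_accept;
				}
			ret = 0;
```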
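Review bot: `lock_dbg_cb` in apps/openssl.c and in ssl/ssltest.c are hand-copied twins, and this commit has to apply the same `>` to `>=` bound correction to both (the ssltest.c hunk is the last one in the patch). Two copies of a lock-debugging callback is how the two drifted in the first place; a shared helper, or at least a comment in each pointing at the other, would stop the next fix from landing in only one of them. A one-line comment above each function would do for now: `/* keep in sync with lock_dbg_cb in ssl/ssltest.c */` here and the mirror image there. `lock_dbg_cb` starts and ends outside the hunk in both files.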
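Review bot: `out_utf8` now stores through `int *outlen`, which is only correct while every caller passes the address of an `int`, and nothing at the function records that contract — which is presumably how the `long *` mismatch (a wider store than the caller's object on targets where `long` is larger than `int`) got in. A comment on the function would pin it: `/* arg must point to an int: the UTF-8 encoded length of value is added to it */`. If `in_utf8`, whose signature appears in the hunk header, follows the same `void *arg` convention, the same comment belongs there. `out_utf8`'s closing brace is outside the hunk.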
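Review bot: The new `if (s->s3->tmp.cert_request)` replaces a comment that explained the old behaviour with no comment explaining the new one, and this is the security-relevant line of the patch: a client Certificate message is now only read when the server sent a CertificateRequest. A reader who does not know the history will wonder why the DH-certificate case was dropped; I would put the rationale where the old comment was: `/* Only read a client Certificate if we asked for one (CertificateRequest); TLS 1.0 and SSL 3.0 do not permit an unsolicited one. */`. It would also help to record what now happens to an unsolicited Certificate message — presumably the state moves straight to SSL3_ST_SR_KEY_EXCH_A and the next read rejects it as an unexpected message, but that is outside the hunk and worth confirming with an ssltest case. `ssl3_accept` starts and ends outside the hunk.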
@@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
 /* Need to lock this all up rather than just use CRYPTO_add so that
 * somebody doesn't free ssl->session between when we check it's
 * non-null and when we up the reference count. */
- CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
 sess = ssl->session;
 if(sess)
 sess->references++;
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
 return(sess);
 }
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 47c383200a..42289c255b 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -290,7 +290,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 goto err;
 }
- if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
 {
 errstr = "type out of bounds";
 goto err;
-- 
2.25.1
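Review bot: The switch to `CRYPTO_w_lock`/`CRYPTO_w_unlock` is needed because `sess->references++` is a write, but the comment above it still only says why a lock is taken at all, not why it must be the write lock, so a later reader may "relax" it back to the read lock this commit removes. Extend the comment with one line: ` * A write lock is required: references++ modifies the session, and a read lock would not exclude concurrent writers.` Whether the other manipulators of the reference count (SSL_SESSION_free and the session cache, presumably) take the same lock is outside this hunk and worth a quick check. `SSL_get1_session`'s opening lines are outside the hunk; its closing brace is the hunk's last line.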