From 3208fc59dbc31c58ab1eb1e631e43a2cfa886c7e Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 3 Jul 2012 14:53:27 +0000
Subject: [PATCH 1/1] add support for client certificate callbak, fix memory leak

---
 apps/s_cb.c | 13 +++++++++----
 apps/s_client.c | 16 ++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 34c0185559..6c4c405792 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1192,11 +1192,16 @@ int args_excert(char ***pargs, int *pargc,
 {
 char *arg = **pargs, *argn = (*pargs)[1];
 SSL_EXCERT *exc = *pexc;
- if (!exc && !ssl_excert_prepend(&exc))
+ if (!exc)
 {
- BIO_printf(err, "Error initialising xcert\n");
- *badarg = 1;
- goto err;
+ if (ssl_excert_prepend(&exc))
+ *pexc = exc;
+ else
+ {
+ BIO_printf(err, "Error initialising xcert\n");
+ *badarg = 1;
+ goto err;
+ }
 }
 if (strcmp(arg, "-xcert") == 0)
 {
diff --git a/apps/s_client.c b/apps/s_client.c
index b7809c5baf..60776480de 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -558,6 +558,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 unsigned int off=0, clr=0;
+ int cert_flags=0;
 SSL *con=NULL;
 #ifndef OPENSSL_NO_KRB5
 KSSL_CTX *kctx;
@@ -628,6 +629,7 @@ int MAIN(int argc, char **argv)
 int srp_lateuser = 0;
 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
 #endif
+ SSL_EXCERT *exc = NULL;
 
 meth=SSLv23_client_method();
 
@@ -715,6 +717,12 @@ int MAIN(int argc, char **argv)
 }
 else if (strcmp(*argv,"-verify_return_error") == 0)
 verify_return_error = 1;
+ else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
+ {
+ if (badarg)
+ goto bad;
+ continue;
+ }
 else if (strcmp(*argv,"-prexit") == 0)
 prexit=1;
 else if (strcmp(*argv,"-crlf") == 0)
@@ -994,6 +1002,8 @@ int MAIN(int argc, char **argv)
 keymatexportlen=atoi(*(++argv));
 if (keymatexportlen == 0) goto bad;
 }
+ else if (strcmp(*argv, "-cert_strict") == 0)
+ cert_flags |= SSL_CERT_FLAG_TLS_STRICT;
 else
 {
 BIO_printf(bio_err,"unknown option %s\n",*argv);
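Review bot: The `if (!exc)` block allocates the head SSL_EXCERT entry before `arg` has been compared with any -x option, so the very first call with an unrelated argument already leaves `*pexc` non-NULL with no certfile set; s_client's new `else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))` branch routes every remaining option through here, and its later `if (exc) ssl_ctx_set_excert(ctx, exc);` therefore installs the certificate callback even when no -xcert was given. Unless load_excert and the callback are known to tolerate an entry whose cert is NULL (not visible in this hunk), either move the prepend below the option match or state the invariant next to the block, e.g. `/* head entry is created on the first call, even for non -x options; load_excert and the cert callback must accept certfile == NULL */`. Writing the prepended entry back through `*pexc = exc;` is what closes the leak named in the subject, so that part should stay. args_excert continues past the end of the hunk.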
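Review bot: `-cert_strict` is accepted here, but the diffstat shows the commit touches no other part of s_client.c, so neither it nor the -xcert family now routed through args_excert is listed by sc_usage(); unless the usage text is updated in a separate change, add a line alongside the other option descriptions such as `BIO_printf(bio_err," -cert_strict  - enable strict certificate checks (SSL_CERT_FLAG_TLS_STRICT)\n");` (wording constructed, adjust to the column layout of the neighbouring lines). The option loop and MAIN continue outside the hunk.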
@@ -1099,6 +1109,9 @@ bad:
 }
 }
 
+ if (!load_excert(&exc, bio_err))
+ goto end;
+
 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 && !RAND_status())
 {
@@ -1174,6 +1187,8 @@ bad:
 if (clr)
 SSL_CTX_clear_options(ctx, clr);
 
+ if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags);
+ if (exc) ssl_ctx_set_excert(ctx, exc);
 /* DTLS: partial reads end up discarding unread UDP bytes :-(
 * Setting read ahead solves this problem.
 */
@@ -1957,6 +1972,7 @@ end:
 EVP_PKEY_free(key);
 if (pass)
 OPENSSL_free(pass);
+ ssl_excert_free(exc);
 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
-- 
2.34.1
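Review bot: `ssl_excert_free(exc);` runs on every path through `end:`, including `goto bad`/`goto end` taken before any -x option was parsed and the new `if (!load_excert(&exc, bio_err)) goto end;`, where exc is still the NULL it was initialised to, so ssl_excert_free has to treat NULL as a no-op; that is not visible here, so either confirm it or write `if (exc) ssl_excert_free(exc);` to match the neighbouring `if (pass)` guard. Since the same pointer is handed to ssl_ctx_set_excert as the callback argument, it must be released only after the SSL and SSL_CTX objects that can still invoke the callback; the placement after `EVP_PKEY_free(key)` suggests that order is kept, but the SSL_free/SSL_CTX_free calls lie above the hunk and I could not check them. The cleanup under `end:` continues outside the hunk.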