PR: 1794

Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup

ssl/s3_srvr.c

@@ -339,23 +339,33 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SR_CLNT_HELLO_B:
 		case SSL3_ST_SR_CLNT_HELLO_C:
 
-			s->shutdown=0;
-			ret=ssl3_get_client_hello(s);
-			if (ret <= 0) goto end;
+			if (s->rwstate != SSL_X509_LOOKUP)
+			{
+				ret=ssl3_get_client_hello(s);
+				if (ret <= 0) goto end;
+			}
 #ifndef OPENSSL_NO_SRP
 			{
 			int al;
-
- 			if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) != SSL_ERROR_NONE)
-  				{
-				ssl3_send_alert(s,SSL3_AL_FATAL,al);				
-				SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);			
+			if ((ret = ssl_check_srp_ext_ClientHello(s,&al))  < 0)
+					{
+					/* callback indicates firther work to be done */
+					s->rwstate=SSL_X509_LOOKUP;
+					goto end;
+					}
+			if (ret != SSL_ERROR_NONE)
+				{
+				ssl3_send_alert(s,SSL3_AL_FATAL,al);	
+				/* This is not really an error but the only means to
+                                   for a client to detect whether srp is supported. */
+ 				   if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 	
+					SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);			
 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;			
 				ret= -1;
 				goto end;	
-  				}
+				}
 			}
-#endif
+#endif		
 			
 			s->renegotiate = 2;
 			s->state=SSL3_ST_SW_SRVR_HELLO_A;