[hcoop/debian/exim4.git] / debian / patches / 75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch

From 5e64b73ef7cdaf20b998b3345a588b462fd30bfb Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 7 May 2019 22:55:41 +0100
Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp

(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
---
 doc/ChangeLog |  3 +++
 src/tls-gnu.c     | 12 ++++++++----
 test/log/5651         |  2 +-
 test/log/5730         |  8 ++++----
 4 files changed, 16 insertions(+), 9 deletions(-)

--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -39,6 +39,9 @@ JH/11 Harden plaintext authenticator aga
       library routine (usually a crash).  Found by "zerons".
 
 
+JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
+      verification result was not updated unless hosts_require_ocsp applied.
+
 
 Exim version 4.92
 -----------------
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -2450,7 +2450,7 @@ if (!verify_certificate(state, errstr))
   }
 
 #ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
   {
   DEBUG(D_tls)
     {
@@ -2474,10 +2474,14 @@ if (require_ocsp)
     {
     tlsp->ocsp = OCSP_FAILED;
     tls_error(US"certificate status check failed", NULL, state->host, errstr);
-    return NULL;
+    if (require_ocsp)
+      return FALSE;
+    }
+  else
+    {
+    DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+    tlsp->ocsp = OCSP_VFIED;
     }
-  DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
-  tlsp->ocsp = OCSP_VFIED;
   }
 #endif
Commit	Line	Data
01e60269 AM	1	From 5e64b73ef7cdaf20b998b3345a588b462fd30bfb Mon Sep 17 00:00:00 2001
	2	From: Jeremy Harris <jgh146exb@wizmail.org>
	3	Date: Tue, 7 May 2019 22:55:41 +0100
	4	Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
	5
	6	(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
	7	---
	8	doc/ChangeLog \| 3 +++
	9	src/tls-gnu.c \| 12 ++++++++----
	10	test/log/5651 \| 2 +-
	11	test/log/5730 \| 8 ++++----
	12	4 files changed, 16 insertions(+), 9 deletions(-)
	13
	14	--- a/doc/ChangeLog
	15	+++ b/doc/ChangeLog
	16	@@ -39,6 +39,9 @@ JH/11 Harden plaintext authenticator aga
	17	library routine (usually a crash). Found by "zerons".
	18
	19
	20	+JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
	21	+ verification result was not updated unless hosts_require_ocsp applied.
	22	+
	23
	24	Exim version 4.92
	25	-----------------
	26	--- a/src/tls-gnu.c
	27	+++ b/src/tls-gnu.c
	28	@@ -2450,7 +2450,7 @@ if (!verify_certificate(state, errstr))
	29	}
	30
	31	#ifndef DISABLE_OCSP
	32	-if (require_ocsp)
	33	+if (request_ocsp)
	34	{
	35	DEBUG(D_tls)
	36	{
	37	@@ -2474,10 +2474,14 @@ if (require_ocsp)
	38	{
	39	tlsp->ocsp = OCSP_FAILED;
	40	tls_error(US"certificate status check failed", NULL, state->host, errstr);
	41	- return NULL;
	42	+ if (require_ocsp)
	43	+ return FALSE;
	44	+ }
	45	+ else
	46	+ {
	47	+ DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
	48	+ tlsp->ocsp = OCSP_VFIED;
	49	}
	50	- DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
	51	- tlsp->ocsp = OCSP_VFIED;
	52	}
	53	#endif
	54