Import Debian changes 4.92-8+deb10u4
[hcoop/debian/exim4.git] / debian / patches / 75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch
1 From 5e64b73ef7cdaf20b998b3345a588b462fd30bfb Mon Sep 17 00:00:00 2001
2 From: Jeremy Harris <jgh146exb@wizmail.org>
3 Date: Tue, 7 May 2019 22:55:41 +0100
4 Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
5
6 (cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
7 ---
8 doc/ChangeLog | 3 +++
9 src/tls-gnu.c | 12 ++++++++----
10 test/log/5651 | 2 +-
11 test/log/5730 | 8 ++++----
12 4 files changed, 16 insertions(+), 9 deletions(-)
13
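--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -39,6 +39,9 @@ JH/11 Harden plaintext authenticator aga
 library routine (usually a crash). Found by "zerons".
 
 
+JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
+ verification result was not updated unless hosts_require_ocsp applied.
+
 
 Exim version 4.92
 -----------------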
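--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -2450,7 +2450,7 @@ if (!verify_certificate(state, errstr))
 }
 
 #ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
 {
 DEBUG(D_tls)
 {
@@ -2474,10 +2474,14 @@ if (require_ocsp)
 {
 tlsp->ocsp = OCSP_FAILED;
 tls_error(US"certificate status check failed", NULL, state->host, errstr);
- return NULL;
+ if (require_ocsp)
+ return FALSE;
+ }
+ else
+ {
+ DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+ tlsp->ocsp = OCSP_VFIED;
 }
- DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
- tlsp->ocsp = OCSP_VFIED;
 }
 #endif
 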
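Review bot: In the second hunk the failure exit changes from `return NULL;` to `return FALSE;`, which suggests the enclosing function returns a pointer in this 4.92 backport while the cherry-picked upstream code returns a BOOL. The function's signature is outside the hunk, so this is inferred; if it does return a pointer, `if (require_ocsp) return NULL;` keeps the failure path consistent with the rest of the function rather than relying on FALSE expanding to a constant 0. Separately, `tls_error()` now also runs when only hosts_request_ocsp applies and the connection carries on, so `errstr` may be populated on a path that ultimately succeeds. A comment at that branch such as `/* request-only: record OCSP_FAILED and continue; only hosts_require_ocsp aborts */` would make the soft-fail behaviour explicit. Operators who need a failed status check to stop delivery should be pointed to hosts_require_ocsp, since here the only trace of the failure is `$tls_out_ocsp`.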