Gitweb:
https://git.exim.org/exim.git/commitdiff/ea19ad2276a93548c8a799b1466fd7996c48be04
Commit: ea19ad2276a93548c8a799b1466fd7996c48be04
Parent: 23f0be23f8887007b5b9aae5219a2f7fc34f1cf9
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Oct 4 12:37:12 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Oct 4 12:37:12 2020 +0100
Fix non-OCSP build
Broken-by: 6a9cf7f890
---
src/src/tls-gnu.c | 36 ++++++++++++++++++++++++++----------
src/src/tls-openssl.c | 11 +++++++----
2 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 71115ed..4a3e165 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1078,6 +1078,7 @@ return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
}
+# ifdef notdef_crashes
/* Make a note that we saw a status-response */
static int
tls_server_servercerts_ext(void * ctx, unsigned tls_id,
@@ -1093,6 +1094,7 @@ if (FALSE && tls_id == 5) /* status_request */
}
return 0;
}
+# endif
/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
static int
@@ -1100,12 +1102,12 @@ tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
{
/* Call fn for each extension seen. 3.6.3 onwards */
-#ifdef notdef
-/*XXX crashes */
+# ifdef notdef_crashes
+ /*XXX crashes */
return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
-#endif
+# endif
}
-#endif
+#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/
/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
"Handshake Protocol: Certificate" record.
@@ -1439,22 +1441,30 @@ to handle selfsign generation for now (tls_certificate null/empty;
XXX will want to do that later though) due to the lifetime/expiry issue. */
if ( opt_set_and_noexpand(tls_certificate)
- && opt_unset_or_noexpand(tls_privatekey)
- && opt_unset_or_noexpand(tls_ocsp_file))
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+ && opt_unset_or_noexpand(tls_privatekey))
{
/* Set watches on the filenames. The implementation does de-duplication
so we can just blindly do them all.
*/
if ( tls_set_watch(tls_certificate, TRUE)
- && tls_set_watch(tls_privatekey, TRUE)
+# ifndef DISABLE_OCSP
&& tls_set_watch(tls_ocsp_file, TRUE)
- )
+# endif
+ && tls_set_watch(tls_privatekey, TRUE))
{
DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
if (creds_load_server_certs(&state_server, tls_certificate,
tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
- tls_ocsp_file, &dummy_errstr) == 0)
+# ifdef DISABLE_OCSP
+ NULL,
+# else
+ tls_ocsp_file,
+# endif
+ &dummy_errstr) == 0)
state_server.lib_state.conn_certs = TRUE;
}
}
@@ -1750,7 +1760,13 @@ if (!state->lib_state.conn_certs)
? creds_load_client_certs(state, host, state->exp_tls_certificate,
state->exp_tls_privatekey, errstr)
: creds_load_server_certs(state, state->exp_tls_certificate,
- state->exp_tls_privatekey, tls_ocsp_file, errstr)
+ state->exp_tls_privatekey,
+#ifdef DISABLE_OCSP
+ NULL,
+#else
+ tls_ocsp_file,
+#endif
+ errstr)
) ) return rc;
}
}
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 80485a4..b8466ee 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1866,17 +1866,20 @@ if (opt_unset_or_noexpand(tls_eccurve))
/* If we can, preload the server-side cert, key and ocsp */
if ( opt_set_and_noexpand(tls_certificate)
- && opt_unset_or_noexpand(tls_privatekey)
- && opt_unset_or_noexpand(tls_ocsp_file))
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+#endif
+ && opt_unset_or_noexpand(tls_privatekey))
{
/* Set watches on the filenames. The implementation does de-duplication
so we can just blindly do them all.
*/
if ( tls_set_watch(tls_certificate, TRUE)
- && tls_set_watch(tls_privatekey, TRUE)
+# ifndef DISABLE_OCSP
&& tls_set_watch(tls_ocsp_file, TRUE)
- )
+#endif
+ && tls_set_watch(tls_privatekey, TRUE))
{
state_server.certificate = tls_certificate;
state_server.privatekey = tls_privatekey;