[exim-cvs] Fix non-OCSP build

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix non-OCSP build
Gitweb: https://git.exim.org/exim.git/commitdiff/ea19ad2276a93548c8a799b1466fd7996c48be04
Commit:     ea19ad2276a93548c8a799b1466fd7996c48be04
Parent:     23f0be23f8887007b5b9aae5219a2f7fc34f1cf9
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Oct 4 12:37:12 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Oct 4 12:37:12 2020 +0100


    Fix non-OCSP build


    Broken-by: 6a9cf7f890
---
 src/src/tls-gnu.c     | 36 ++++++++++++++++++++++++++----------
 src/src/tls-openssl.c | 11 +++++++----
 2 files changed, 33 insertions(+), 14 deletions(-)


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 71115ed..4a3e165 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1078,6 +1078,7 @@ return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
}


+# ifdef notdef_crashes
 /* Make a note that we saw a status-response */
 static int
 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
@@ -1093,6 +1094,7 @@ if (FALSE && tls_id == 5)    /* status_request */
   }
 return 0;
 }
+# endif


 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
 static int
@@ -1100,12 +1102,12 @@ tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
   unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
 {
 /* Call fn for each extension seen.  3.6.3 onwards */
-#ifdef notdef
-/*XXX crashes */
+# ifdef notdef_crashes
+                /*XXX crashes */
 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
-#endif
+# endif
 }
-#endif
+#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/


/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
"Handshake Protocol: Certificate" record.
@@ -1439,22 +1441,30 @@ to handle selfsign generation for now (tls_certificate null/empty;
XXX will want to do that later though) due to the lifetime/expiry issue. */

if ( opt_set_and_noexpand(tls_certificate)
- && opt_unset_or_noexpand(tls_privatekey)
- && opt_unset_or_noexpand(tls_ocsp_file))
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+ && opt_unset_or_noexpand(tls_privatekey))
{
/* Set watches on the filenames. The implementation does de-duplication
so we can just blindly do them all.
*/

   if (  tls_set_watch(tls_certificate, TRUE)
-     && tls_set_watch(tls_privatekey, TRUE)
+# ifndef DISABLE_OCSP
      && tls_set_watch(tls_ocsp_file, TRUE)
-     )
+# endif
+     && tls_set_watch(tls_privatekey, TRUE))
     {
     DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
     if (creds_load_server_certs(&state_server, tls_certificate,
       tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
-      tls_ocsp_file, &dummy_errstr) == 0)
+# ifdef DISABLE_OCSP
+      NULL,
+# else
+      tls_ocsp_file,
+# endif
+      &dummy_errstr) == 0)
       state_server.lib_state.conn_certs = TRUE;
     }
   }
@@ -1750,7 +1760,13 @@ if (!state->lib_state.conn_certs)
       ? creds_load_client_certs(state, host, state->exp_tls_certificate,
                   state->exp_tls_privatekey, errstr)
       : creds_load_server_certs(state, state->exp_tls_certificate,
-                  state->exp_tls_privatekey, tls_ocsp_file, errstr)
+                  state->exp_tls_privatekey,
+#ifdef DISABLE_OCSP
+                  NULL,
+#else
+                  tls_ocsp_file,
+#endif
+                  errstr)
        )  ) return rc;
     }
   }
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 80485a4..b8466ee 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1866,17 +1866,20 @@ if (opt_unset_or_noexpand(tls_eccurve))
 /* If we can, preload the server-side cert, key and ocsp */


if ( opt_set_and_noexpand(tls_certificate)
- && opt_unset_or_noexpand(tls_privatekey)
- && opt_unset_or_noexpand(tls_ocsp_file))
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+#endif
+ && opt_unset_or_noexpand(tls_privatekey))
{
/* Set watches on the filenames. The implementation does de-duplication
so we can just blindly do them all.
*/

   if (  tls_set_watch(tls_certificate, TRUE)
-     && tls_set_watch(tls_privatekey, TRUE)
+# ifndef DISABLE_OCSP
      && tls_set_watch(tls_ocsp_file, TRUE)
-     )
+#endif
+     && tls_set_watch(tls_privatekey, TRUE))
     {
     state_server.certificate = tls_certificate;
     state_server.privatekey = tls_privatekey;