author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-10-04 12:37:12 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-10-04 12:37:12 +0100 |
commit | ea19ad2276a93548c8a799b1466fd7996c48be04 (patch) | |
tree | bc61884bbe8ff4d8ed8abda272eb91b77819d1db | |
parent | 23f0be23f8887007b5b9aae5219a2f7fc34f1cf9 (diff) |
Fix non-OCSP build
Broken-by: 6a9cf7f890
-rw-r--r-- | src/src/tls-gnu.c | 36 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 11 |
2 files changed, 33 insertions, 14 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 71115edf5..4a3e1651e 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1078,6 +1078,7 @@ return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, } +# ifdef notdef_crashes /* Make a note that we saw a status-response */ static int tls_server_servercerts_ext(void * ctx, unsigned tls_id, @@ -1093,6 +1094,7 @@ if (FALSE && tls_id == 5) /* status_request */ } return 0; } +# endif /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */ static int @@ -1100,12 +1102,12 @@ tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype, unsigned when, unsigned int incoming, const gnutls_datum_t * msg) { /* Call fn for each extension seen. 3.6.3 onwards */ -#ifdef notdef -/*XXX crashes */ +# ifdef notdef_crashes + /*XXX crashes */ return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0); -#endif +# endif } -#endif +#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/ /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the "Handshake Protocol: Certificate" record. 
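Review bot: `notdef_crashes` at the new `# ifdef` in the @@ -1078 hunk is a symbol nothing on this page defines, so tls_server_servercerts_ext is now compiled out unconditionally; that removes the unused-static-function warning but leaves the next reader grepping for a definition that does not exist. A one-line comment at the guard would state the intent that only the `/*XXX crashes */` remark in the @@ -1100 hunk hints at, e.g. `/* Disabled: gnutls_ext_raw_parse on the Certificate packet crashes; see tls_server_servercerts_cb */`. The handler's body runs on into the @@ -1093 hunk, which closes the same guard with `# endif`.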
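Review bot: In the @@ -1100 hunk tls_server_servercerts_cb is declared `static int`, but with `notdef_crashes` undefined its only `return` is compiled out and control falls off the closing brace; if the GnuTLS hook registration that uses this callback (not on this page) reads the value, that is undefined behaviour, and `-Wreturn-type` will warn either way. Add `return 0;` after the new `# endif`, matching the `return 0;` the sibling ext handler ends with in the @@ -1093 hunk, so the compiled path has a defined result; the guarded call can stay above it. The `#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/` annotation is a useful addition.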
@@ -1439,22 +1441,30 @@ to handle selfsign generation for now (tls_certificate null/empty; XXX will want to do that later though) due to the lifetime/expiry issue. */ if ( opt_set_and_noexpand(tls_certificate) - && opt_unset_or_noexpand(tls_privatekey) - && opt_unset_or_noexpand(tls_ocsp_file)) +# ifndef DISABLE_OCSP + && opt_unset_or_noexpand(tls_ocsp_file) +# endif + && opt_unset_or_noexpand(tls_privatekey)) { /* Set watches on the filenames. The implementation does de-duplication so we can just blindly do them all. */ if ( tls_set_watch(tls_certificate, TRUE) - && tls_set_watch(tls_privatekey, TRUE) +# ifndef DISABLE_OCSP && tls_set_watch(tls_ocsp_file, TRUE) - ) +# endif + && tls_set_watch(tls_privatekey, TRUE)) { DEBUG(D_tls) debug_printf("TLS: preloading server certs\n"); if (creds_load_server_certs(&state_server, tls_certificate, tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate, - tls_ocsp_file, &dummy_errstr) == 0) +# ifdef DISABLE_OCSP + NULL, +# else + tls_ocsp_file, +# endif + &dummy_errstr) == 0) state_server.lib_state.conn_certs = TRUE; } } @@ -1750,7 +1760,13 @@ if (!state->lib_state.conn_certs) ? creds_load_client_certs(state, host, state->exp_tls_certificate, state->exp_tls_privatekey, errstr) : creds_load_server_certs(state, state->exp_tls_certificate, - state->exp_tls_privatekey, tls_ocsp_file, errstr) + state->exp_tls_privatekey, +#ifdef DISABLE_OCSP + NULL, +#else + tls_ocsp_file, +#endif + errstr) ) ) return rc; } } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 80485a44f..b8466ee22 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c 
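Review bot: In the `DISABLE_OCSP` branch creds_load_server_certs now receives a literal `NULL` where the OCSP file name was passed; the callee is outside this hunk, so confirm it tolerates a NULL in that position on every path (expansion, file open, any watch it sets) rather than relying on an empty string as before. The same `NULL` argument is introduced in the @@ -1750 hunk below and needs the same check once. The reordering of the `tls_set_watch` calls also means a failed watch on the OCSP file now short-circuits before the private-key watch is attempted; that looks harmless because the whole preload is skipped either way, but it is a behaviour change rather than a pure build fix.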
@@ -1866,17 +1866,20 @@ if (opt_unset_or_noexpand(tls_eccurve)) /* If we can, preload the server-side cert, key and ocsp */ if ( opt_set_and_noexpand(tls_certificate) - && opt_unset_or_noexpand(tls_privatekey) - && opt_unset_or_noexpand(tls_ocsp_file)) +# ifndef DISABLE_OCSP + && opt_unset_or_noexpand(tls_ocsp_file) +#endif + && opt_unset_or_noexpand(tls_privatekey)) { /* Set watches on the filenames. The implementation does de-duplication so we can just blindly do them all. */ if ( tls_set_watch(tls_certificate, TRUE) - && tls_set_watch(tls_privatekey, TRUE) +# ifndef DISABLE_OCSP && tls_set_watch(tls_ocsp_file, TRUE) - ) +#endif + && tls_set_watch(tls_privatekey, TRUE)) { state_server.certificate = tls_certificate; state_server.privatekey = tls_privatekey; |
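Review bot: The new guards mix `# ifndef DISABLE_OCSP` (the space-indented form this file uses to show nesting under an outer conditional) with a bare `#endif` in both places; the matching tls-gnu.c hunk at @@ -1439 closes with `# endif`, so change both closers here to `# endif` for consistency. The tls-gnu.c @@ -1750 hunk has the opposite mix, using unindented `#ifdef`/`#endif` inside the same outer conditional as its `# ifdef` neighbours. The enclosing `if` block continues past the end of the hunk.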