author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-05-07 22:17:28 +0100 |
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-05-07 22:45:51 +0100 |
commit | c82de233a9bf264bb0db7ae72b2aa6da62ade2f0 (patch) | |
tree | f948f9d9a66ced5f493f1e381394834fde2d614d /src | |
parent | f4e62a871680af98f14beb5f21dbe3b85c5c35ff (diff) |
OpenSSL: fix tls_out_ocsp under resumption
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dbstuff.h | 3 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 24 |
2 files changed, 15 insertions, 12 deletions
diff --git a/src/src/dbstuff.h b/src/src/dbstuff.h
index 227de39e5..58154d7ef 100644
--- a/src/src/dbstuff.h
+++ b/src/src/dbstuff.h
@@ -807,7 +807,8 @@ typedef struct {
 typedef struct {
 time_t time_stamp;
 /*************/
- uschar verify_override;
+ uschar verify_override:1;
+ uschar ocsp:3;
 uschar session[1];
 } dbdata_tls_session;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 39e7fc8f4..4cf9863d2 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1715,17 +1715,17 @@ if(!p)
 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
 }
-if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
- {
- tls_out.ocsp = OCSP_FAILED;
+if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+ {
+ tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
 if (LOGGING(tls_cipher))
 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
 else
 DEBUG(D_tls) debug_printf(" parse error\n");
 return 0;
- }
+ }
-if(!(bs = OCSP_response_get1_basic(rsp)))
+if (!(bs = OCSP_response_get1_basic(rsp)))
 {
 tls_out.ocsp = OCSP_FAILED;
 if (LOGGING(tls_cipher))
@@ -2759,6 +2759,7 @@ if (tlsp->host_resumable)
 DEBUG(D_tls) debug_printf("good session\n");
 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
 tlsp->verify_override = dt->verify_override;
+ tlsp->ocsp = dt->ocsp;
 }
 }
 else
@@ -2795,6 +2796,7 @@ if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
 dt->verify_override = tlsp->verify_override;
+ dt->ocsp = tlsp->ocsp;
 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
@@ -3024,12 +3026,6 @@ if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
 }
 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
-#ifdef EXPERIMENTAL_TLS_RESUME
-if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
- errstr))
- return FALSE;
-#endif
-
 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
 SSL_set_connect_state(exim_client_ctx->ssl);
@@ -3089,6 +3085,12 @@ if (request_ocsp)
 }
 #endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
+ errstr))
+ return FALSE;
+#endif
+
 #ifndef DISABLE_EVENT
 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
 #endif |
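Review bot: The new `uschar ocsp:3;` in `dbdata_tls_session` is written to and read back from the hints DB (the `dbfn_open(US"tls", ...)` path in the 2795 hunk, the restore at `tlsp->ocsp = dt->ocsp;` in the 2759 hunk), yet nothing visible guarantees the OCSP status enum fits in three bits or that a value read back is a valid enumerator, so a stale, corrupted, or older-format record can install an OCSP verification status of up to 7 on a connection whose handshake never produced it, and any future enumerator past 7 would be silently truncated on store. I would pin the contract at the struct with a comment such as `/* 3 bits: OCSP status enum, must stay < 8; persisted in the hints DB and read back unvalidated */` and, at the 2759 restore, accept the stored value only when it is at or below the highest enumerator, otherwise fall back to `OCSP_FAILED` so a bad record can never upgrade the reported status. Bit-field placement within the byte is implementation-defined (C11 6.7.2.1), so records written under one compiler may not read back identically under another, and existing records written with the old whole-byte `verify_override` are reinterpreted through the new layout without any version bump — presumably acceptable for a hints cache, but worth stating next to the field. The functions containing the 2759 and 2795 hunks start and end outside the hunks.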
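Review bot: The `tls_client_ssl_resume_prehandshake()` call is moved to after `SSL_set_fd`/`SSL_set_connect_state` and the `request_ocsp` block, but none of the added lines say why it must sit there, so the next tidy-up is likely to move it back to where setup calls usually go. Presumably the ordering exists because the resume path restores `tlsp->ocsp` from the hints record (2759 hunk) and the OCSP request setup above would otherwise reset it; if that is the reason, say so in the moved block: `/* Must follow the OCSP request setup above: a resumed session restores tlsp->ocsp from the hints DB and that value must not be clobbered */`. Separately, `return FALSE` now fires after the socket has been attached to `exim_client_ctx->ssl`; whether the caller releases that SSL object on this path, and whether the callee sets `*errstr` before returning FALSE, are both outside the hunk and should be confirmed. The enclosing function starts and ends outside these hunks.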