+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+ const unsigned char *data, unsigned size)
+{
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (tls_id == 5) /* status_request */
+ {
+ DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+ tls_in.ocsp = OCSP_NOT_RESP;
+ }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+ unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen. 3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+ GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+#endif
+
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+ unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n");
+#ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+ ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
+#else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+#endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+ unsigned incoming, const gnutls_datum_t * msg)
+{
+switch (htype)
+ {
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+ case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+ return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+#endif
+ case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+ return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+#ifdef EXPERIMENTAL_TLS_RESUME
+ case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+ return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+#endif
+ default:
+ return 0;
+ }
+}
+
+
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+ if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+ {
+ DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+ exim_testharness_disable_ocsp_validity_check = TRUE;
+ }
+}
+