From 0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Mon, 21 Apr 2014 16:34:01 +0100
Subject: [PATCH] Fix testcase "server missing/empty certificate file"

GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.
---
 src/src/tls-gnu.c | 14 ++++++--------
 test/confs/2024   |  3 ++-
 test/log/2024     |  2 +-
 test/stdout/2024  |  2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7c3625216..cbd44d6f2 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1228,25 +1228,23 @@ unsigned int verify;
 
 *error = NULL;
 
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
   {
   verify = GNUTLS_CERT_INVALID;
-  *error = "not supplied";
+  *error = "certificate not supplied";
   }
 else
-  {
   rc = gnutls_certificate_verify_peers2(state->session, &verify);
-  }
 
 /* Handle the result of verification. INVALID seems to be set as well
 as REVOKED, but leave the test for both. */
 
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
   {
   state->peer_cert_verified = FALSE;
-  if (*error == NULL)
-    *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+  if (!*error)
+    *error = verify & GNUTLS_CERT_REVOKED
+      ? "certificate revoked" : "certificate invalid";
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
diff --git a/test/confs/2024 b/test/confs/2024
index a677c4c86..c59e975de 100644
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -24,6 +24,7 @@ tls_certificate = CERT
 tls_privatekey = CERT
 
 tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
 
 # End
diff --git a/test/log/2024 b/test/log/2024
index c45da6e89..117382b5a 100644
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,4 +1,4 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
diff --git a/test/stdout/2024 b/test/stdout/2024
index 2e30f7dd6..ecedd4193 100644
--- a/test/stdout/2024
+++ b/test/stdout/2024
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-Failed to start TLS
+Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Certificate file = aux-fixed/cert2
-- 
2.30.2