From d896cef5f6f3ff1b7509fd832a4ee66403a7c57f Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 19 Sep 2019 18:41:42 +0100
Subject: [PATCH] tidying

---
 doc/doc-docbook/spec.xfpt | 2 +-
 src/exim_monitor/em_menu.c | 4 +-
 src/src/tls-gnu.c | 61 ++++++++++++++----------------
 test/scripts/5650-OCSP-GnuTLS/5650 | 2 +
 4 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f5c0d3f9e..d7e8fe0c4 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9377,7 +9377,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f
 .cindex headers "authentication-results:"
 .cindex authentication "expansion item"
 This item returns a string suitable for insertion as an
-&'Authentication-Results"'&
+&'Authentication-Results:'&
 header line. The given <&'authserv-id'&> is included in the result; typically this will be a domain name identifying the system performing the authentications.
diff --git a/src/exim_monitor/em_menu.c b/src/exim_monitor/em_menu.c
index 92e0b351b..33b3e0c94 100644
--- a/src/exim_monitor/em_menu.c
+++ b/src/exim_monitor/em_menu.c
@@ -669,8 +669,8 @@ if (spool_read_header(buffer, TRUE, FALSE) != spool_read_OK)
 struct stat statbuf;
 sprintf(CS big_buffer, "%s/input/%s", spool_directory, buffer);
 if (Ustat(big_buffer, &statbuf) == 0)
- text_showf(text, "Format error in spool file %s: size=%d\n", buffer,
- statbuf.st_size);
+ text_showf(text, "Format error in spool file %s: size=%lu\n", buffer,
+ (ulong)statbuf.st_size);
 else text_showf(text, "Format error in spool file %s\n", buffer);
 }
 else text_showf(text, "Read error for spool file %s\n", buffer);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 52128b940..22f7fe548 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
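Review bot: The new `(ulong)statbuf.st_size` cast in the text_showf call silently truncates the size on targets where `off_t` is 64-bit but `long` is 32-bit (large-file support on ILP32), so an oversized spool file would be reported with a wrong size, and `ulong` is a platform typedef rather than a C type. A portable form is `text_showf(text, "Format error in spool file %s: size=%lld\n", buffer, (long long)statbuf.st_size);`, or Exim's off_t format macro if the monitor has it in scope. The unbounded `sprintf(CS big_buffer, ...)` on the context line above is pre-existing, but as this error path is already being touched it is a natural place to bound the write with snprintf against the buffer size. The enclosing function starts and ends outside the hunk.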
@@ -296,11 +296,6 @@ static void exim_gnutls_logger_cb(int level, const char *message);
 static int exim_sni_handling_cb(gnutls_session_t session);
-#if !defined(DISABLE_OCSP)
-static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
- gnutls_datum_t * ocsp_response);
-#endif
-
 #ifdef EXPERIMENTAL_TLS_RESUME
 static int
 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
@@ -882,6 +877,32 @@ return -rc;
 }
+#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Load an OCSP proof from file for sending by the server. Called
+on getting a status-request handshake message, for earlier versions
+of GnuTLS. */
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response)
+{
+int ret;
+DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
+
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+ {
+ DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+ CS ptr);
+ tls_in.ocsp = OCSP_NOT_RESP;
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+return 0;
+}
+#endif
+
+
 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
 /* Make a note that we saw a status-request */
 static int
@@ -1209,8 +1230,8 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
 debug_printf("oops; multiple OCSP files not supported\n");
 break;
 }
- gnutls_certificate_set_ocsp_status_request_function(
- state->x509_cred, server_ocsp_stapling_cb, ofile);
+ gnutls_certificate_set_ocsp_status_request_function(
+ state->x509_cred, server_ocsp_stapling_cb, ofile);
 }
 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
 }
@@ -1273,7 +1294,7 @@ else
 {
 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
 {
- log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
+ log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
 "(tls_verify_certificates): %s",
 state->exp_tls_verify_certificates, strerror(errno));
 return DEFER;
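Review bot: In the relocated server_ocsp_stapling_cb the gnutls_load_file() error code is stored in `ret` but never reported, so a failed staple load leaves only the file name in the debug log; `DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s: %s\n", CS ptr, gnutls_strerror(ret));` would show the cause, and otherwise `ret` can be dropped. The guard is narrowed to `!defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)`; the only caller visible, in the -1209 hunk, sits just above `# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */`, which looks like the #else arm, so the two appear to match, but if that call is compiled in an EXT_RAW_PARSE build it would now be an undefined reference. The header comment could also state that on this older-GnuTLS path the proof is stapled exactly as read from the file, with no server-side check of its validity period or status (the 5650 test comments in this patch describe the same limitation), so the file has to be kept fresh by whatever refreshes it. Presumably GnuTLS releases the datum filled by gnutls_load_file after the handshake — worth confirming against the callback contract, since the code itself does not free it.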
@@ -2158,30 +2179,6 @@ return 0;
-#if !defined(DISABLE_OCSP)
-
-static int
-server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
- gnutls_datum_t * ocsp_response)
-{
-int ret;
-DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
-
-if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
- {
- DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
- CS ptr);
- tls_in.ocsp = OCSP_NOT_RESP;
- return GNUTLS_E_NO_CERTIFICATE_STATUS;
- }
-
-tls_in.ocsp = OCSP_VFY_NOT_TRIED;
-return 0;
-}
-
-#endif
-
-
 #ifndef DISABLE_EVENT
 /* We use this callback to get observability and detail-level control
diff --git a/test/scripts/5650-OCSP-GnuTLS/5650 b/test/scripts/5650-OCSP-GnuTLS/5650
index 99aaa0b7a..bbea625b1 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5650
+++ b/test/scripts/5650-OCSP-GnuTLS/5650
@@ -34,6 +34,7 @@ killdaemon
 #
 exim -z '2: Server does not staple an outdated response'
 ****
+# This test fails on older GnuTLS versions, which do not check the resp on the server
 #
 exim -bd -oX PORT_D -DSERVER=server \
 -DOPTION=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
@@ -58,6 +59,7 @@ killdaemon
 #
 exim -z '3: Server does not staple a response for a revoked cert'
 ****
+# This test fails on older GnuTLS versions, which do not check the resp on the server
 #
 exim -bd -oX PORT_D -DSERVER=server \
 -DOPTION=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
-- 
2.30.2