From d95313eb794f13bf43af3f0cbcc31491a5091fd2 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 7 Apr 2022 21:16:48 +0100
Subject: [PATCH] Openssl client: ocsp stapling on resumed seesion

---
 doc/doc-txt/ChangeLog |  5 +++++
 src/src/tls-openssl.c | 25 +++++++++++++------------
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3b1aa2664..239731436 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -121,6 +121,11 @@ JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
       Previously any use of the local address in the EHLO name disabled
       PIPECONNECT, the common case being to use the rDNS of it.
 
+JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
+      resumption. Previously verify failed because no certificate status is
+      passed on the wire for the restarted session. Fix by using the recorded
+      ocsp status of the stored session for the new connection.
+
 
 Exim version 4.95
 -----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7bf62f504..ab3b636a3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2417,8 +2417,12 @@ int i;
 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 if(!p)
- {
-  /* Expect this when we requested ocsp but got none */
+ {				/* Expect this when we requested ocsp but got none */
+  if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED)
+    {
+    DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
+    return 1;
+    }
   if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
     log_write(0, LOG_MAIN, "Required TLS certificate status not received");
   else
@@ -3658,22 +3662,19 @@ if (tlsp->host_resumable)
 	  DEBUG(D_tls) debug_printf("session expired\n");
 	  dbfn_delete(dbm_file, key);
 	  }
-	else if (!SSL_set_session(ssl, ss))
-	  {
-	  DEBUG(D_tls)
-	    {
-	    ERR_error_string_n(ERR_get_error(),
-	      ssl_errstring, sizeof(ssl_errstring));
-	    debug_printf("applying session to ssl: %s\n", ssl_errstring);
-	    }
-	  }
-	else
+	else if (SSL_set_session(ssl, ss))
 	  {
 	  DEBUG(D_tls) debug_printf("good session\n");
 	  tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
 	  tlsp->verify_override = dt->verify_override;
 	  tlsp->ocsp = dt->ocsp;
 	  }
+	else DEBUG(D_tls)
+	  {
+	  ERR_error_string_n(ERR_get_error(),
+	    ssl_errstring, sizeof(ssl_errstring));
+	  debug_printf("applying session to ssl: %s\n", ssl_errstring);
+	  }
 	}
       }
     else
-- 
2.30.2