From 7a501c874f028f689c44999ab05bb0d39da46941 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 7 May 2019 22:42:18 +0100
Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp

---
 doc/doc-txt/ChangeLog |  3 +++
 src/src/tls-gnu.c     | 12 ++++++++----
 test/log/5651         |  2 +-
 test/log/5730         |  8 ++++----
 test/log/5890         | 32 ++++++++++++++++----------------
 5 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 59a025b2a..05f2545bc 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -91,6 +91,9 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions.  Thanks
 
 JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
 
+JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
+      verification result was not updated unless hosts_require_ocsp applied.
+
 
 Exim version 4.92
 -----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index df07c536c..dc8cdab5c 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2757,7 +2757,7 @@ if (!verify_certificate(state, errstr))
   }
 
 #ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
   {
   DEBUG(D_tls)
     {
@@ -2781,10 +2781,14 @@ if (require_ocsp)
     {
     tlsp->ocsp = OCSP_FAILED;
     tls_error(US"certificate status check failed", NULL, state->host, errstr);
-    return FALSE;
+    if (require_ocsp)
+      return FALSE;
+    }
+  else
+    {
+    DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+    tlsp->ocsp = OCSP_VFIED;
     }
-  DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
-  tlsp->ocsp = OCSP_VFIED;
   }
 #endif
 
diff --git a/test/log/5651 b/test/log/5651
index bdba648f2..2b2af41c9 100644
--- a/test/log/5651
+++ b/test/log/5651
@@ -16,7 +16,7 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed)
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/5730 b/test/log/5730
index ad14fe47f..6582d7591 100644
--- a/test/log/5730
+++ b/test/log/5730
@@ -1,10 +1,10 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 3 (failed)
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
@@ -26,12 +26,12 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed)
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 4 (verified)
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5890 b/test/log/5890
index 17ae49497..324e5a4a7 100644
--- a/test/log/5890
+++ b/test/log/5890
@@ -4,7 +4,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmaX-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmaX-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmaX-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaX-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmaX-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
@@ -15,7 +15,7 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmaZ-0005vi-00 cipher	TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmaZ-0005vi-00 tls_out_resumption not requested or offered
@@ -23,7 +23,7 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmaZ-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
@@ -36,7 +36,7 @@
 1999-03-02 09:44:33 10HmbC-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbC-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbC-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbC-0005vi-00 cipher	TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbC-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbC-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
@@ -47,7 +47,7 @@
 1999-03-02 09:44:33 10HmbE-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbE-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbE-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbE-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbE-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbE-0005vi-00 cipher	TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbE-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbE-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
@@ -58,7 +58,7 @@
 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbG-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbG-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbG-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbG-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbG-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbG-0005vi-00 => timeout@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
@@ -69,7 +69,7 @@
 1999-03-02 09:44:33 10HmbI-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbI-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbI-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbI-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbI-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbI-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbI-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbI-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00"
@@ -80,7 +80,7 @@
 1999-03-02 09:44:33 10HmbK-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbK-0005vi-00 peer cert verified	0
 1999-03-02 09:44:33 10HmbK-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbK-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbK-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbK-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbK-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbK-0005vi-00 => noverify_getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00"
@@ -91,7 +91,7 @@
 1999-03-02 09:44:33 10HmbM-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbM-0005vi-00 peer cert verified	0
 1999-03-02 09:44:33 10HmbM-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbM-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbM-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbM-0005vi-00 cipher	TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbM-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbM-0005vi-00 => noverify_resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no DN="CN=server1.example.com" C="250 OK id=10HmbN-0005vi-00"
@@ -102,7 +102,7 @@
 1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbO-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbO-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbO-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbO-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbO-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbO-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00"
@@ -113,7 +113,7 @@
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher	TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbQ-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbQ-0005vi-00 tls_out_resumption not requested or offered
@@ -121,7 +121,7 @@
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbQ-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbQ-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
@@ -134,7 +134,7 @@
 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbT-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbT-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbT-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbT-0005vi-00 cipher	TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbT-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbT-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
@@ -145,7 +145,7 @@
 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbV-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbV-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbV-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbV-0005vi-00 cipher	TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbV-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbV-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00"
@@ -156,7 +156,7 @@
 1999-03-02 09:44:33 10HmbX-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbX-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbX-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbX-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbX-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbX-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbX-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbX-0005vi-00 => timeout@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbY-0005vi-00"
@@ -167,7 +167,7 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer cert subject	CN=server1.example.com
 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer cert verified	1
 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer dn	CN=server1.example.com
-1999-03-02 09:44:33 10HmbZ-0005vi-00 ocsp	1
+1999-03-02 09:44:33 10HmbZ-0005vi-00 ocsp	4
 1999-03-02 09:44:33 10HmbZ-0005vi-00 cipher	TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbZ-0005vi-00 bits	256
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-0005vi-00"
-- 
2.25.1