Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However, this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Matt Caswell
2015-11-05 14:31:11 +00:00
parent ef96e4a28f
commit bb1aaab428
2 changed files with 34 additions and 26 deletions


@@ -2847,6 +2847,9 @@ int ssl_check_serverhello_tlsext(SSL *s)
s->
initial_ctx->tlsext_servername_arg);
OPENSSL_free(s->tlsext_ocsp_resp);
s->tlsext_ocsp_resp = NULL;
s->tlsext_ocsp_resplen = -1;
/*
* If we've requested certificate status and we wont get one tell the
* callback
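Review bot: the comment block that follows the inserted reset ("If we've requested certificate status and we wont get one tell the callback") no longer describes the whole picture, because tlsext_ocsp_resp and tlsext_ocsp_resplen are now cleared unconditionally in ssl_check_serverhello_tlsext before that check rather than only in the callback branch. Add a line such as "Reset resp/resplen here; a CertificateStatus message, if one arrives, will set them" above the OPENSSL_free, so that the -1 sentinel for "no response" is documented where it is assigned, and fix the "wont" typo in the existing comment while touching it.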
@@ -2855,12 +2858,9 @@ int ssl_check_serverhello_tlsext(SSL *s)
&& s->ctx && s->ctx->tlsext_status_cb) {
int r;
/*
* Set resp to NULL, resplen to -1 so callback knows there is no
* response.
* Call callback with resp == NULL and resplen == -1 so callback
* knows there is no response
*/
OPENSSL_free(s->tlsext_ocsp_resp);
s->tlsext_ocsp_resp = NULL;
s->tlsext_ocsp_resplen = -1;
r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
if (r == 0) {
al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
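Review bot: the rewritten comment ("Call callback with resp == NULL and resplen == -1 so callback knows there is no response") now depends on the reset that was moved earlier in this function; say so explicitly, e.g. "resp/resplen were already reset above", otherwise a reader of this branch alone may assume the callback could observe stale values from a previous handshake. Separately, with the three reset lines removed this branch still raises SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE when the callback returns 0 even though no CertificateStatus message was received at all; given the commit message states the message is optional, a short comment explaining why that alert is the intended one for the "no response" case would help.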