From: Brenda So Date: Mon, 30 Mar 2026 21:32:47 +0000 (-0700) Subject: Skip parsing OCSP status_request when no status call is registered X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ebb51594d1bbcf9ead93ec42cef4ceb9b2f98dba;p=thirdparty%2Fopenssl.git Skip parsing OCSP status_request when no status call is registered When no ext.status_cb is set, the server will not produce a stapled OCSP response. This patch returns early from tls_parse_ctos_status_request before parsing the extension body to save memory. Reviewed-by: Eugene Syromiatnikov Reviewed-by: Nikola Pajkovsky Reviewed-by: Neil Horman MergeDate: Mon Apr 13 09:40:08 2026 (Merged from https://github.com/openssl/openssl/pull/30630) --- diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 679b5de92c..85727825c4 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -347,6 +347,15 @@ int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt, if (x != NULL) return 1; + /* + * We only care about this extension if the application + * registered a callback. Otherwise, there is nothing to + * tell us that a response is needed. + */ + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + if (sctx == NULL || sctx->ext.status_cb == NULL) + return 1; + if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); return 0;
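Review bot: The early return in this hunk is evaluated against `SSL_CONNECTION_GET_CTX(s)` at ClientHello parse time, so a server that registers its status callback only on a context installed later (for example via SSL_set_SSL_CTX from a servername callback) will have the client's status_request discarded before that callback is ever consulted; please confirm that ordering or scope the check to the context that is actually in effect when the stapled response is produced. The skip also leaves `s->ext.status_type` untouched, which is a visible behaviour change for applications that read the requested type (SSL_get_tlsext_status_type) without having registered a callback, so it should be noted in the documentation or CHANGES rather than only in the commit message. Minor style point: `SSL_CTX *sctx` is declared after the `if (x != NULL) return 1;` statement; consider moving the declaration to the top of the function's block to match the surrounding code.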