From: Daniel Stenberg Date: Fri, 31 Oct 2025 16:09:31 +0000 (+0100) Subject: openssl: fix the ocsp len arg to Curl_vtls_apple_verify X-Git-Tag: curl-8_17_0~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d646d5a130993b8c438aa193463556e5efb2a54b;p=thirdparty%2Fcurl.git openssl: fix the ocsp len arg to Curl_vtls_apple_verify If it has no data, pass in a zero. Fixes #19303 Reported-by: Harry Sintonen Closes #19305 --- diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 838c024221..a2b2da00e0 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -5129,6 +5129,10 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf, if(conn_config->verifystatus && !octx->reused_session) ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data); + /* SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP + response data or -1 if there is no OCSP response data. */ + if(ocsp_len < 0) + ocsp_len = 0; /* no data available */ result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs, ossl_chain_get_der, &chain, ocsp_data, ocsp_len);
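Review bot: The new `if(ocsp_len < 0)` branch normalizes only the length, while `ocsp_data` is still passed to `Curl_vtls_apple_verify()` unchanged. Consider setting `ocsp_data = NULL` in the same branch so the pointer and length always agree. The check could also sit inside the `conn_config->verifystatus && !octx->reused_session` condition, since that is the only place `ocsp_len` is assigned in the lines shown. Because a missing stapled response now reaches the callee as length 0 even when `verifystatus` is set, a one-line comment saying that the callee treats a zero length as "no OCSP response" would make the intended behaviour clear to the next reader.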