Commit ccd8451428 for openssl.org
commit ccd8451428814ddbbed486f957a507b3cd7aa251
Author: Ryan Hooper <ryhooper@cisco.com>
Date: Thu Nov 13 11:08:42 2025 -0500
tls_process_cert_status_body(): Reject invalid cert status
When a CertStatus message is received and the length of the
OCSP response is zero error out.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29207)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5639048a8e..d8d6ad48ee 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2942,29 +2942,30 @@ int tls_process_cert_status_body(SSL_CONNECTION *s, size_t chainidx, PACKET *pkt
return 0;
}
- if (resplen > 0) {
- respder = OPENSSL_malloc(resplen);
+ if (resplen == 0) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
+ return 0;
+ }
- if (respder == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
- return 0;
- }
+ if ((respder = OPENSSL_malloc(resplen)) == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
+ return 0;
+ }
- if (!PACKET_copy_bytes(pkt, respder, resplen)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
- OPENSSL_free(respder);
- return 0;
- }
- p = respder;
- resp = d2i_OCSP_RESPONSE(NULL, &p, (long)resplen);
+ if (!PACKET_copy_bytes(pkt, respder, resplen)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
OPENSSL_free(respder);
- if (resp == NULL) {
- SSLfatal(s, TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
- SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE);
- return 0;
- }
- sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx);
+ return 0;
+ }
+ p = respder;
+ resp = d2i_OCSP_RESPONSE(NULL, &p, (long)resplen);
+ OPENSSL_free(respder);
+ if (resp == NULL) {
+ SSLfatal(s, TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
+ SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE);
+ return 0;
}
+ sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx);
}
#endif