Commit ebb51594d1 for openssl.org

commit ebb51594d1bbcf9ead93ec42cef4ceb9b2f98dba
Author: Brenda So <bso@netflix.com>
Date:   Mon Mar 30 14:32:47 2026 -0700

    Skip parsing OCSP status_request when no status call is registered

    When no ext.status_cb is set, the server will not produce a stapled
    OCSP response. This patch returns early from tls_parse_ctos_status_request
    before parsing the extension body to save memory.

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    MergeDate: Mon Apr 13 09:40:08 2026
    (Merged from https://github.com/openssl/openssl/pull/30630)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 679b5de92c..85727825c4 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -347,6 +347,15 @@ int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
     if (x != NULL)
         return 1;

+    /*
+     * We only care about this extension if the application
+     * registered a callback. Otherwise, there is nothing to
+     * tell us that a response is needed.
+     */
+    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
+    if (sctx == NULL || sctx->ext.status_cb == NULL)
+        return 1;
+
     if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
         return 0;
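Review bot: The early `return 1` added after the `x != NULL` check fires before `PACKET_get_1`, so when no `ext.status_cb` is registered a truncated or otherwise malformed status_request body is now accepted silently instead of ending the handshake with `SSL_AD_DECODE_ERROR`. The comment should say this is deliberate, e.g. `/* No callback: the extension body is deliberately left unparsed and unvalidated. */`. The check reads the callback from the context attached to the connection at parse time; if an application switches contexts later in the handshake (for instance from a servername callback) and only the second context has a status callback, stapling would presumably be skipped, which is worth confirming with a test. `s->ext.status_type` also keeps whatever value it had before this call, so the response-building code (outside this hunk) must already treat that value as "not requested". The function body starts before and continues past the hunk.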