gtls: fix ignored return and uninitialized status in OCSP check#21679

Closed
MegaManSec wants to merge 1 commit into curl:master from MegaManSec:gtls-ocsp-get-single


Conversation

@MegaManSec MegaManSec commented May 19, 2026

Contributor

Summary

Two correctness bugs in gtls_verify_ocsp_status (lib/vtls/gtls.c), both introduced by aeb1a28:

  • gnutls_ocsp_resp_get_single() was called with (void), silently discarding its return value. An OCSP response with zero SingleResponse entries (or any other parse failure) went undetected.
  • gnutls_ocsp_cert_status_t status was declared but never initialised. When gnutls_ocsp_resp_get_single() failed, the subsequent switch(status) read uninitialised memory — undefined behaviour that could yield GNUTLS_OCSP_CERT_GOOD (0) depending on stack contents, causing the function to return CURLE_OK for a response that was never successfully parsed.

These bugs only affect the verifypeer=OFF, verifystatus=ON configuration; with verifypeer=ON, gnutls_certificate_verify_peers2() validates the OCSP response before this function is reached. They are correctness/robustness bugs, not security vulnerabilities.

Fix

  • Initialise status to GNUTLS_OCSP_CERT_UNKNOWN so the switch always has a defined, safe value.
  • Check the return value of gnutls_ocsp_resp_get_single() and treat failure as CURLE_SSL_INVALIDCERTSTATUS, consistent with all other error checks in the function.

Test plan

  • Build with GnuTLS backend and verify compilation is clean
  • Confirm existing OCSP tests pass

gnutls_ocsp_resp_get_single() was called with (void) discarding its
return value, so a failure (e.g. an OCSP response with no
SingleResponse entries) went undetected.  The following switch() then
read an uninitialized gnutls_ocsp_cert_status_t, which is undefined
behaviour and could yield GNUTLS_OCSP_CERT_GOOD (0) depending on
stack contents, causing gtls_verify_ocsp_status to return CURLE_OK for
a response that was never successfully parsed.

Fix by initializing status to GNUTLS_OCSP_CERT_UNKNOWN and treating a
negative return from gnutls_ocsp_resp_get_single as an error.
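To make the failure mode concrete, here is an added example that is not curl's code: a self-contained C model of the check before and after this fix. `ocsp_resp_t`, `resp_get_single` and the `VERIFY_*` codes are constructed stand-ins for the GnuTLS response object, `gnutls_ocsp_resp_get_single()` and the `CURLE_*` results; the `stack_garbage` parameter only makes the uninitialised read deterministic so its effect can be observed.

```c
/* Status values modelled on gnutls_ocsp_cert_status_t; GOOD is 0, which is
 * why leftover stack contents of 0 read as "good". */
enum ocsp_cert_status { OCSP_CERT_GOOD = 0, OCSP_CERT_REVOKED = 1, OCSP_CERT_UNKNOWN = 2 };
/* Constructed result codes in place of CURLE_OK / CURLE_SSL_INVALIDCERTSTATUS. */
enum verify_result { VERIFY_OK = 0, VERIFY_INVALIDCERTSTATUS = 1 };

/* Constructed stand-in for a parsed OCSP response and for
 * gnutls_ocsp_resp_get_single(): asking for index 0 of a response with no
 * SingleResponse entries fails with a negative code and leaves *status
 * untouched, the case the PR describes. */
typedef struct { unsigned n_single; unsigned single_status; } ocsp_resp_t;

static int resp_get_single(const ocsp_resp_t *resp, unsigned idx,
                           unsigned *status)
{
  if(idx >= resp->n_single)
    return -1;                 /* failure: nothing written to *status */
  *status = resp->single_status;
  return 0;
}

/* Before the fix: return value cast to (void), status never initialised.
 * stack_garbage makes the uninitialised read explicit and deterministic. */
static int verify_before(const ocsp_resp_t *resp, unsigned stack_garbage)
{
  unsigned status = stack_garbage;
  (void)resp_get_single(resp, 0, &status);
  switch(status) {
  case OCSP_CERT_GOOD:
    return VERIFY_OK;
  default:                     /* REVOKED and UNKNOWN both reject */
    return VERIFY_INVALIDCERTSTATUS;
  }
}

/* After the fix: fail-closed initial value and a checked return, so a
 * response that never parsed cannot be reported as good. */
static int verify_after(const ocsp_resp_t *resp)
{
  unsigned status = OCSP_CERT_UNKNOWN;
  if(resp_get_single(resp, 0, &status) < 0)
    return VERIFY_INVALIDCERTSTATUS;
  switch(status) {
  case OCSP_CERT_GOOD:
    return VERIFY_OK;
  default:
    return VERIFY_INVALIDCERTSTATUS;
  }
}
```

With an empty response and zeroed stack contents the old pattern returns VERIFY_OK; the fixed pattern rejects it regardless of what the stack held.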
@github-actions github-actions Bot added the TLS label May 19, 2026
bagder commented May 22, 2026

Member

Seeing as the two checkboxes are still not checked, do you want to wait for some further confirmation or should we merge this as-is?

@MegaManSec

Contributor Author

@bagder checked the checkboxes

@bagder bagder closed this in f21b5d4 May 27, 2026
bagder commented May 27, 2026

Member

Thanks!

outcast36 pushed a commit to greearb/curl that referenced this pull request Jun 3, 2026
Closes curl#21679