From b1931d432f4b53ceb2e2eacec09c2e32e043830b Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 10 Dec 2015 10:44:30 +0000
Subject: [PATCH] Simplify calling of the OCSP callback

Move all calls of the OCSP callback into one place, rather than repeating it in two different places.

Reviewed-by: Viktor Dukhovni
---
 ssl/statem/statem_clnt.c | 2 +-
 ssl/t1_lib.c | 25 ++++---------------------
 2 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d170ad121d..b14e6edf28 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2211,7 +2211,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
 * |tlsext_ocsp_resplen| values will be set if we actually received a status
 * message, or NULL and -1 otherwise
 */
- if (s->tlsext_status_expected && s->ctx->tlsext_status_cb != NULL) {
+ if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) {
 int ret;
 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
 if (ret == 0) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index df62a136f4..73ad6048d3 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
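Review bot: With `s->tlsext_status_type != -1` as the only gate, the callback now trusts that `tlsext_ocsp_resp` and `tlsext_ocsp_resplen` were reset for the current handshake, but that reset lives in ssl_check_serverhello_tlsext() in ssl/t1_lib.c and the comment above the `if` does not say so. If the reset were ever skipped (an early return there would do it; the hunk does not show whether one exists), a stapled response left over from an earlier handshake on the same SSL could be handed to the callback as if it were current. I would add a line to the comment such as `* Both fields are cleared in ssl_check_serverhello_tlsext() before we get here.` so the dependency is visible at the call site. tls_process_server_done() starts and ends outside the hunk, so the `ret < 0` branch is not visible; it should still raise an internal-error alert as the block removed from t1_lib.c did.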
@@ -2847,30 +2847,13 @@ int ssl_check_serverhello_tlsext(SSL *s)
 s-> initial_ctx->tlsext_servername_arg);
+ /*
+ * Ensure we get sensible values passed to tlsext_status_cb in the event
+ * that we don't receive a status message
+ */
 OPENSSL_free(s->tlsext_ocsp_resp);
 s->tlsext_ocsp_resp = NULL;
 s->tlsext_ocsp_resplen = -1;
- /*
- * If we've requested certificate status and we wont get one tell the
- * callback
- */
- if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
- && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) {
- int r;
- /*
- * Call callback with resp == NULL and resplen == -1 so callback
- * knows there is no response
- */
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
- if (r == 0) {
- al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- if (r < 0) {
- al = SSL_AD_INTERNAL_ERROR;
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- }
 switch (ret) {
 case SSL_TLSEXT_ERR_ALERT_FATAL:
-- 
2.25.1
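Review bot: The removed block carried two guards that the remaining call site does not, `!(s->hit)` and a NULL check on `s->ctx`; tls_process_server_done() tests only `s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL`. That is presumably fine because ServerHelloDone is not expected on a resumed handshake, but the reasoning is now implicit and split across two files. The new comment could record it, for example `* The callback is invoked from tls_process_server_done(), so it does not run when the session is resumed.`, if that is the intended behaviour. ssl_check_serverhello_tlsext() starts and ends outside the hunk.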