SSL_free(conn_ssl) for a QCSO enters ossl_quic_free, which calls qc_cleanup.
qc_cleanup already frees qc->tls via SSL_free(qc->tls) and then frees qc->ch.
The additional SSL_free(ossl_quic_channel_get0_tls(new_ch)) releases the same
TLS a second time, which is redundant.
We also replace some of the pure condition checks with ossl_assert() checks
as these conditions cannot really fail.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 12 18:54:07 2026
(Merged from https://github.com/openssl/openssl/pull/28920)
recvfrom() may return WSAECONNRESET when the destination port
used in a previous sendto() call is no longer available. This
causes QUIC PORT to swich from running state. This behavior
is not desired for QUIC protocol. The trick is to disable
SIO_UDP_CONNRESET flag on UDP port used by QUIC.
The issue was kindly reported and root caused by goforit22123-netizen@
Fixes: #29530
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon Jan 12 10:27:25 2026
(Merged from https://github.com/openssl/openssl/pull/29538)
This resulted in some source reformatting becoming a bit less trippy
This is the script I used to run clang-format appropriately enough:
#! /bin/bash
include_re=$(yq -r '.repos.[].hooks.[] | select(.id == "clang-format") | .files' < .pre-commit-config.yaml)
known_generated=( crypto/bn/bn_prime.h
crypto/objects/obj_dat.h
crypto/objects/obj_xref.h
include/openssl/obj_mac.h
crypto/conf/conf_def.h
crypto/asn1/charmap.h
'*_err.c'
'*err.h' )
exclusions=()
for g in "${known_generated[@]}"; do
# Convert pattern to a regex
g=${g//\./\\.}
g=${g//\*/.\*}
exclusions+=( "^${g}\$" )
done
# Join all exclusions into one regex
exclude_re=$(IFS='|'; echo "${exclusions[*]}")
(set -x; git ls-files | grep -E $include_re | grep -Ev $exclude_re | xargs clang-format -i)
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29383)
Its been reported that, when using SSL_listen_ex to obtain a new
connection from a listener, that, if the listener is freed prior to the
obtained connection, we get use-after-free conditions when freeing said
obtained connections.
This occurs because SSL_listen_ex fails to take a reference on the
parent listener SSL object (in the same way that SSL_new_from_listener
does). If the listener is freed first, then several listener resources
are freed, which the obtained connection still makes use of, hence the
use-after-free.
The fix is to do what SSL_new_from_listener does, namely:
1) Increase the reference count on the listener SSL object.
2) Ensure that the connection qc->listener points to the listener object
so that, when the connection is freed, we call SSL_free on the
listener object, dropping the reference count we take in
SSL_listen_ex.
While we're at it, this PR also modifies the quicapi test for testing
the SSL_listen_ex call, freeing the listener first to ensure that the
increased refcount holds the SSL object data stable until the connection
is freed.
Thanks to Stanislav Fort at Asile Research for pointing out this issue.
fixesopenssl/project#1766
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29398)
Custom cipher methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29299)
DTLSv1_listen built the HelloVerifyRequest in wbuf but invoked
msg_callback with buf and DTLS1_RT_HEADER_LENGTH, and version 0.
That caused incorrect logging and could disclose the ClientHello
to write callbacks. Use wbuf and the actual record version for the
record header, and add a second callback that reports the handshake
message bytes. No change to on-wire behavior.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28916)
Changes for SSL_listen_ex squashed creation of qlog objects even when
configured.
Fix that up so qlog objects are created regardless of weather we use
SSL_accept_connection or SSL_listen_ex
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27397)
Fortunately due to the initial size of the allocated
buffer and the limit for unfragmented DTLS record size
the use-after-realloc cannot be triggered.
But we fix the potentially problematic code anyway.
Reported Joshua Rogers. It was found with the ZeroPath security
tooling.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29278)
tls1_set_groups(), which is used by SSL_CTX_set1_groups() does not check
whether the NIDs passed as argument actually have an implementation
available in any of the currently loaded providers. It is not simple to
add this check, either, because it would require access to the SSL_CTX,
which this function does not receive. There are legacy callers that do
not have an SSL_CTX pointer and are public API.
This becomes a problem, when an application sets the first group to one
that is not supported by the current configuration, and can trigger
sending of an empty key share.
Set the first entry of the key share list to 0 (and the key share list
length to 1) to signal to tls1_construct_ctos_key_share that it should
pick the first supported group and generate a key share for that. See
also tls1_get_requested_keyshare_groups, which documents this special
case.
See: https://issues.redhat.com/browse/RHEL-128018
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
QUIC connections always pad data at the packet level during packet
encryption, and so have no ability to do padding at the record level.
We want to be able to inform the user of this condition when
applications call SSL_set_block_padding_ex directly by returning an
error, we have no idea of what kind of SSL objects are created when the
config file is written.
As such, silently ignore this config file option when QUIC objects are created.
Fixes#28953
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
The SSL_CERT_LOOKUP NID should be for the public key algorithm (what is
often called the "key type". Yet, when populating the SSL_CERT_LOOKUP
table with 'ssl_load_sigalgs', only the sigalg name is used to find a
NID.
This is perfectly OK to do, *if* the sigalg and the associated key type
share the same name. However, that's not always the case.
This change infers the key type name in 'ssl_load_sigalgs' the same way
as it was already done in 'add_provider_sigalgs'.
Related-to: https://github.com/openssl/openssl/pull/29019#discussion_r2472219647
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
