Neil Horman [Thu, 29 Feb 2024 17:01:31 +0000 (12:01 -0500)]
Dump out qlog json if it is malformed
We're still seeing periodic failures in qlog from malformed json output,
so lets try to catch it.
Modify the verify-qlog.py script to, in the event of an exception in
json.loads, to replay the entire json file to the console, followed by
an exception indicating what line it died trying to parse.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23715)
demos/http3: Use `SSL_write_ex2()` together with `SSL_WRITE_FLAG_CONCLUDE`
These calls were introduced by PR #23343.
Change also does a minor tweak to Makefile so CFLAGS and LDFLAGS variables
from the environment are respected.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23602)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23404)
Job Snijders [Wed, 21 Feb 2024 21:26:50 +0000 (21:26 +0000)]
Add appropriate lower bound checks for GeneralizedTime and UTCTime
ITU-T X.690 / ISO/IEC 8825-1 section 11.7 and section 11.8
impose specific constraints on how GeneralizedTime and UTCTime
can be encoded in BER/CER/DER. Following from these constraints
a minimum length can be derived.
Checking the length in this context can potentially help prevent
applications from interpreting an invalid GeneralizedTime as a
valid UTCTime.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23483)
Hamilton Chapman [Wed, 21 Feb 2024 13:47:19 +0000 (13:47 +0000)]
Ensure `$(MAKE)` commands and `CFLAGS` are appropriately quoted in the Makefile.
If a user's `make` command came from a path that contained a space then both the
`$(MAKE)` variable (and parts of the generated `CFLAGS`, when building for iOS)
would not be properly quoted and the build would fail.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23663)
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23651)
响马 [Sat, 17 Feb 2024 22:57:57 +0000 (06:57 +0800)]
chachap10-ppc.pl: Fix truncated relocation
Fix error: relocation truncated to fit: R_PPC64_REL14 (stub)
against symbol `ChaCha20_ctr32_vsx_8x'
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23618)
Michael Baentsch [Mon, 19 Feb 2024 05:41:35 +0000 (06:41 +0100)]
SSL_set1_groups_list(): Fix memory corruption with 40 groups and more
Fixes #23624
The calculation of the size for gid_arr reallocation was wrong.
A multiplication by gid_arr array item size was missing.
Testcase is added.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23625)
MrRurikov [Wed, 21 Feb 2024 08:11:34 +0000 (11:11 +0300)]
s_cb.c: Add missing return value checks
Return value of function 'SSL_CTX_ctrl', that is called from
SSL_CTX_set1_verify_cert_store() and SSL_CTX_set1_chain_cert_store(),
is not checked, but it is usually checked for this function.
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23647)
Matt Caswell [Tue, 20 Feb 2024 15:11:26 +0000 (15:11 +0000)]
Don't print excessively long ASN1 items in fuzzer
Prevent spurious fuzzer timeouts by not printing ASN1 which is excessively
long.
This fixes a false positive encountered by OSS-Fuzz.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23640)
Ijtaba Hussain [Fri, 9 Jun 2023 06:04:53 +0000 (11:04 +0500)]
Extended SSL_SESSION functions using time_t
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21206)
Hugo Landau [Wed, 14 Feb 2024 10:06:45 +0000 (10:06 +0000)]
Minor updates
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 11:31:18 +0000 (11:31 +0000)]
Fix warning
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 10:06:23 +0000 (10:06 +0000)]
JSON_ENC: Ensure ossl_json_flush() really flushes the BIO
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 09:50:59 +0000 (09:50 +0000)]
QUIC CHANNEL: Defer QLOG instantiation until first event
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 09:50:42 +0000 (09:50 +0000)]
QUIC TXP: Allow QLOG instance retrieval via callback
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 09:49:58 +0000 (09:49 +0000)]
QUIC QTX: Allow QLOG instance retrieval via callback
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Mon, 12 Feb 2024 09:49:32 +0000 (09:49 +0000)]
QUIC FIFD: Allow QLOG instance retrieval via callback
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Fri, 9 Feb 2024 14:22:51 +0000 (14:22 +0000)]
Add entry to CHANGES.md
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Fri, 9 Feb 2024 14:08:52 +0000 (14:08 +0000)]
QUIC MULTISTREAM TEST: Test explicit event handling mode
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Fri, 9 Feb 2024 12:52:49 +0000 (12:52 +0000)]
QUIC APL: Add implementation of SSL_VALUE_EVENT_HANDLING_MODE
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Fri, 9 Feb 2024 12:52:33 +0000 (12:52 +0000)]
QUIC: Add API for SSL_VALUE_EVENT_HANDLING_MODE
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Hugo Landau [Fri, 9 Feb 2024 12:52:09 +0000 (12:52 +0000)]
QUIC: Add docs for SSL_VALUE_EVENT_HANDLING_MODE
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23535)
Shakti Shah [Tue, 13 Feb 2024 19:03:19 +0000 (00:33 +0530)]
OpenSSL License is applied for some source files, change to Apache 2
The following files
include/openssl/hpke.h
crypto/hpke/hpke.c
crypto/ec/asm/ecp_sm2p256-armv8.pl
crypto/chacha/asm/chacha-loongarch64.pl
still seem to be released under the OpenSSL License instead of the Apache 2 license.
Fixes #23570
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23576)
Hugo Landau [Wed, 14 Feb 2024 08:08:01 +0000 (08:08 +0000)]
QUIC: Test that SSL_ctrl, SSL_set_mode are routed correctly on QSSOs
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23581)
Hugo Landau [Wed, 14 Feb 2024 08:04:12 +0000 (08:04 +0000)]
QUIC: Fix SSL_ctrl operation for QSSOs
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23581)
Neil Horman [Sat, 16 Dec 2023 20:32:48 +0000 (15:32 -0500)]
Check for NULL cleanup function before using it in encoder_process
encoder_process assumes a cleanup function has been set in the currently
in-use encoder during processing, which can lead to segfaults if said
function hasn't been set
Add a NULL check for this condition, returning -1 if it is not set
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23069)
Neil Horman [Thu, 8 Feb 2024 14:17:44 +0000 (09:17 -0500)]
Skip shlibload tests if no-atexit is configured
the shared library load tests fail if no-atexit is configured. The
entire test suite relies on atexit handling to indicate an at exit
handler has run, by producing a file that the test recipe then reads.
With no-atexit that never happens, and the test fails
If no-atexit is specified, skip all the tests
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23523)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23545)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23545)
test_cmp_http: decrease risk of timeouts due to delays caused by the underlying system running tests
Fixes #22870
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23502)
Tomas Mraz [Mon, 12 Feb 2024 09:59:27 +0000 (10:59 +0100)]
os-zoo.yml: Do not add enable-unstable-qlog as this CI tests all branches
The enable-unstable-qlog is enabled in windows.yml,
which is sufficient for testing it on Windows.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23550)
Remove unused function arguments from tls_int_new_record_layer
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23514)
Hugo Landau [Thu, 8 Feb 2024 10:27:56 +0000 (10:27 +0000)]
THREADING: Make CRYPTO_MUTEX and CRYPTO_CONDVAR typesafe
There was really no need for this to be void and it made bugs very easy
to introduce accidentally, especially given that the free functions
needed to be passed a pointer to the pointer.
Also fix some bugs in the QUIC code detected immediately by this change.
.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23519)
Amend CHANGES.md/NEWS.md to reflect DN output changes
Fixes #23492
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23507)
Hugo Landau [Thu, 8 Feb 2024 10:36:50 +0000 (10:36 +0000)]
Windows: Add _dclass to the allowed symbols list
We use isnan() and isinf() in JSON_ENC now, which is translated to a
call to Microsoft's standard library function _dclass.
.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
Hugo Landau [Thu, 8 Feb 2024 10:12:45 +0000 (10:12 +0000)]
QUIC QLOG: Fix use of size_t and uint64_t
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
Hugo Landau [Thu, 8 Feb 2024 09:55:24 +0000 (09:55 +0000)]
QUIC QLOG: Retrieve PID correctly on Windows
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
MSVC cannot handle this, presumably because this technically involves a
load from a variable to determine that script_name equals "xxx" and it
is unable to do this during evaluation of a constant initializer list.
Resolve this by changing script_name and script_title to be arrays
instead, allowing the correct pointer values to be filled into
script_info as symbol addresses/relocations rather than dereferences.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
Hugo Landau [Thu, 8 Feb 2024 09:11:46 +0000 (09:11 +0000)]
QUIC qlog: Enable qlog in Windows CI
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23517)
Tomas Mraz [Wed, 7 Feb 2024 09:27:50 +0000 (10:27 +0100)]
Fix memory leaks on error cases during drbg initializations
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23503)
Angel Baez [Wed, 7 Feb 2024 15:34:48 +0000 (10:34 -0500)]
Rearrange terms in gf_mul to prevent segfault
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23512)
Hugo Landau [Wed, 7 Feb 2024 12:43:02 +0000 (12:43 +0000)]
Minor updates
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Wed, 7 Feb 2024 08:54:21 +0000 (08:54 +0000)]
QUIC APL: Move NULL pointer check to quic_impl.c
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Wed, 7 Feb 2024 08:49:30 +0000 (08:49 +0000)]
QUIC CHANNEL: Optimise struct packing
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Fri, 2 Feb 2024 09:14:26 +0000 (09:14 +0000)]
Fixup multistream test
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Tue, 30 Jan 2024 08:02:39 +0000 (08:02 +0000)]
Fix error code collision
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 29 Jan 2024 15:39:42 +0000 (15:39 +0000)]
Minor fixes after rebase
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 29 Jan 2024 15:35:24 +0000 (15:35 +0000)]
Minor fix
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 14:29:26 +0000 (14:29 +0000)]
QUIC MULTISTREAM TEST: Make test resilient on stochastic platforms
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 14:17:24 +0000 (14:17 +0000)]
Quiet false warning about uninitialised variable
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 14:08:37 +0000 (14:08 +0000)]
QUIC MULTISTREAM TEST: Test available stream count API
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 14:00:45 +0000 (14:00 +0000)]
QUIC MULTISTREAM TEST: Test idle timeout configuration
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 14:00:05 +0000 (14:00 +0000)]
QUIC CHANNEL: Fix idle timeout computation bug
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 13:53:30 +0000 (13:53 +0000)]
QUIC CHANNEL: Defer transport parameter generation
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 13:31:41 +0000 (13:31 +0000)]
Add CHANGES entry
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)
Hugo Landau [Mon, 22 Jan 2024 13:16:25 +0000 (13:16 +0000)]
QUIC CHANNEL: Add idle timeout configuration and stream count APIs
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23360)