Commit 70fa179635 for openssl.org

commit 70fa179635fb3daf2e1b1e0d2888f1f8bf79ff16
Author: Neil Horman <nhorman@openssl.org>
Date:   Thu Jun 25 17:42:05 2026 -0400

    eliminate use of CRYPTO_GET_REF in sslapitest

    CRYPTO_GET_REF is almost by definition a TOCTOU race, and we shouldn't
    use it.

    As part of the effort to deprecate it, eliminate its use from
    sslapitest.

    Avoid the use-after-free possibility by getting a session with
    SSL_get1_session (which increments the refcount) and freeing it after
    we're done with it.

    Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Bob Beck <beck@openssl.org>
    MergeDate: Sat Jul  4 16:47:10 2026
    (Merged from https://github.com/openssl/openssl/pull/31750)

diff --git a/test/sslapitest.c b/test/sslapitest.c
index 91a2181b61..c5517016c5 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -10601,7 +10601,8 @@ static int test_session_cache_overflow(int idx)
     SSL *serverssl = NULL, *clientssl = NULL;
     int testresult = 0;
     SSL_SESSION *sess = NULL;
-    int references;
+
+    get_sess_val = NULL;

 #ifdef OSSL_NO_USABLE_TLS1_3
     /* If no TLSv1.3 available then do nothing in this case */
@@ -10672,18 +10673,9 @@ static int test_session_cache_overflow(int idx)
      * The session we just negotiated may have been already removed from the
      * internal cache - but we will return it anyway from our external cache.
      */
-    get_sess_val = SSL_get_session(serverssl);
+    get_sess_val = SSL_get1_session(serverssl);
     if (!TEST_ptr(get_sess_val))
         goto end;
-    /*
-     * Normally the session is also stored in the cache, thus we have more than
-     * one reference, but due to an out-of-memory error it can happen that this
-     * is the only reference, and in that case the SSL_free(serverssl) below
-     * would free the get_sess_val, causing a use-after-free error.
-     */
-    if (!TEST_true(CRYPTO_GET_REF(&get_sess_val->references, &references))
-        || !TEST_int_ge(references, 2))
-        goto end;
     sess = SSL_get1_session(clientssl);
     if (!TEST_ptr(sess))
         goto end;
@@ -10707,6 +10699,8 @@ static int test_session_cache_overflow(int idx)
     testresult = 1;

 end:
+    SSL_SESSION_free(get_sess_val);
+    get_sess_val = NULL;
     SSL_free(serverssl);
     SSL_free(clientssl);
     SSL_CTX_free(sctx);