[microsoft/release-branch.go1.26] support OpenSSL 3.5.6 #2242
Merged
gdams merged 1 commit into microsoft/release-branch.go1.26 from Apr 20, 2026
gdams
approved these changes
Apr 20, 2026
Contributor
Pull request overview
Updates the vendored github.com/golang-fips/openssl/v2 dependency to address OpenSSL 3.5.6 behavior changes (notably NULL-buffer rejection in OSSL_PARAM_BLD_push_octet_string) for GOEXPERIMENT=systemcrypto scenarios.
Changes:
- Bumps the vendored github.com/golang-fips/openssl/v2 pseudo-version in src/go.mod / src/vendor/modules.txt (within the vendor patch).
- Introduces a “never-empty” pointer helper (pbaseNeverEmpty) and updates parameter building to avoid passing NULL for zero-length octet strings.
- Adjusts HKDF/TLS13-KDF parameter construction to call addOctetString more consistently (removing some length guards).
Show a summary per file
| File | Description |
|---|---|
| patches/0001-Vendor-external-dependencies.patch | Updates the vendored OpenSSL bindings and module metadata to avoid OpenSSL 3.5.6 NULL octet-string parameter failures. |
Copilot's findings
Comments suppressed due to low confidence (1)
patches/0001-Vendor-external-dependencies.patch:20712
addOctetString currently returns early for nil slices, which treats nil as “parameter absent”. In Go, nil slices are commonly used to represent an empty value (especially for TLS 1.3 HKDF context), so this can inadvertently omit required/meaningful parameters and potentially change derived outputs. Consider normalizing nil to a zero-length value (so it still gets passed with len==0 via pbaseNeverEmpty) and only omitting parameters at the call sites that are truly optional.
- Files reviewed: 1/1 changed files
- Comments generated: 1
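
The failure mode discussed in this review, as an added Go example that is not code from the pull request or from golang-fips/openssl: a mock `pushOctetString` stands in for the C call and rejects a nil pointer, modelling the NULL-buffer rejection the overview attributes to OpenSSL 3.5.6. The names `basePtr`, `neverEmptyPtr`, `pushOctetString`, `buildHKDFParams` and the keys `salt` and `info` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

var errNullBuf = errors.New("NULL buffer rejected")
var zeroByte byte // valid address for empty inputs to point at

// basePtr is the naive helper: nil and zero-length slices both yield nil.
func basePtr(b []byte) *byte {
	if len(b) == 0 {
		return nil
	}
	return &b[0]
}

// neverEmptyPtr (hypothetical) never returns nil, so an empty value is
// passed as "present, length 0" rather than as a NULL buffer.
func neverEmptyPtr(b []byte) *byte {
	if len(b) == 0 {
		return &zeroByte
	}
	return &b[0]
}

// pushOctetString mocks the C call; it models only the NULL check.
func pushOctetString(pushed map[string]int, key string, p *byte, n int) error {
	if p == nil {
		return fmt.Errorf("%s: %w", key, errNullBuf)
	}
	pushed[key] = n
	return nil
}

// buildHKDFParams pushes salt and info with no length guards.
func buildHKDFParams(salt, info []byte, ptr func([]byte) *byte) (map[string]int, error) {
	pushed := map[string]int{}
	err := errors.Join(
		pushOctetString(pushed, "salt", ptr(salt), len(salt)),
		pushOctetString(pushed, "info", ptr(info), len(info)))
	return pushed, err
}

func main() {
	for _, ptr := range []func([]byte) *byte{basePtr, neverEmptyPtr} {
		fmt.Println(buildHKDFParams([]byte{1}, nil, ptr)) // nil info
	}
}
```

With the never-empty helper, nil and empty inputs are both recorded as present with length 0, so no parameter is silently dropped.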
For #2221