Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

gh-89562: Remove hostflags from PySSLContext #28602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gpshead merged 1 commit into from
Apr 18, 2025
Merged

gh-89562: Remove hostflags from PySSLContext #28602

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions 1 Misc/NEWS.d/next/Core_and_Builtins/2022-12-29-19-10-36.gh-issue-89562.g8m8RC.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Remove ``hostflags`` member from ``PySSLContext`` struct.
56 changes: 29 additions & 27 deletions 56 Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,10 +293,6 @@ typedef struct {
unsigned int alpn_protocols_len;
PyObject *set_sni_cb;
int check_hostname;
/* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
* We have to maintain our own copy. OpenSSL's hostflags default to 0.
*/
unsigned int hostflags;
int protocol;
#if defined(PySSL_HAVE_POST_HS_AUTH)
int post_handshake_auth;
Expand Down Expand Up @@ -824,15 +820,15 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
}
}
if (self->ctx->check_hostname) {
X509_VERIFY_PARAM *param = SSL_get0_param(self->ssl);
X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
if (ip == NULL) {
if (!X509_VERIFY_PARAM_set1_host(param, server_hostname,
if (!X509_VERIFY_PARAM_set1_host(ssl_verification_params, server_hostname,
strlen(server_hostname))) {
_setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
goto error;
}
} else {
if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
if (!X509_VERIFY_PARAM_set1_ip(ssl_verification_params, ASN1_STRING_get0_data(ip),
ASN1_STRING_length(ip))) {
_setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
goto error;
Expand Down Expand Up @@ -909,8 +905,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,

/* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
#if OPENSSL_VERSION < 0x101010cf
X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
X509_VERIFY_PARAM_set_hostflags(ssl_params, sslctx->hostflags);
X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);

unsigned int ssl_ctx_host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_ctx_verification_params);
X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, ssl_ctx_host_flags);
#endif
SSL_set_app_data(self->ssl, self);
if (sock) {
Expand Down Expand Up @@ -3097,7 +3096,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
uint64_t options;
const SSL_METHOD *method = NULL;
SSL_CTX *ctx = NULL;
X509_VERIFY_PARAM *params;
X509_VERIFY_PARAM *ssl_verification_params;
int result;

/* slower approach, walk MRO and get borrowed reference to module.
Expand Down Expand Up @@ -3181,7 +3180,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
return NULL;
}
self->ctx = ctx;
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version;
self->msg_cb = NULL;
self->keylog_filename = NULL;
Expand Down Expand Up @@ -3271,11 +3269,11 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
usage for no cost at all. */
SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);

params = SSL_CTX_get0_param(self->ctx);
ssl_verification_params = SSL_CTX_get0_param(self->ctx);
/* Improve trust chain building when cross-signed intermediate
certificates are present. See https://bugs.python.org/issue23476. */
X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST);
X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
X509_VERIFY_PARAM_set_flags(ssl_verification_params, X509_V_FLAG_TRUSTED_FIRST);
X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

#if defined(PySSL_HAVE_POST_HS_AUTH)
self->post_handshake_auth = 0;
Expand Down Expand Up @@ -3530,11 +3528,11 @@ static PyObject *
_ssl__SSLContext_verify_flags_get_impl(PySSLContext *self)
/*[clinic end generated code: output=fbbf8ba28ad6e56e input=c1ec36d610b3f391]*/
{
X509_VERIFY_PARAM *param;
X509_VERIFY_PARAM *ssl_verification_params;
unsigned long flags;

param = SSL_CTX_get0_param(self->ctx);
flags = X509_VERIFY_PARAM_get_flags(param);
ssl_verification_params = SSL_CTX_get0_param(self->ctx);
flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
return PyLong_FromUnsignedLong(flags);
}

Expand All @@ -3548,23 +3546,23 @@ static int
_ssl__SSLContext_verify_flags_set_impl(PySSLContext *self, PyObject *value)
/*[clinic end generated code: output=a3e3b2a0ce6c2e99 input=b2a0c42583d4f34e]*/
{
X509_VERIFY_PARAM *param;
X509_VERIFY_PARAM *ssl_verification_params;
unsigned long new_flags, flags, set, clear;

if (!PyArg_Parse(value, "k", &new_flags))
return -1;
param = SSL_CTX_get0_param(self->ctx);
flags = X509_VERIFY_PARAM_get_flags(param);
ssl_verification_params = SSL_CTX_get0_param(self->ctx);
flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
clear = flags & ~new_flags;
set = ~flags & new_flags;
if (clear) {
if (!X509_VERIFY_PARAM_clear_flags(param, clear)) {
if (!X509_VERIFY_PARAM_clear_flags(ssl_verification_params, clear)) {
_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
return -1;
}
}
if (set) {
if (!X509_VERIFY_PARAM_set_flags(param, set)) {
if (!X509_VERIFY_PARAM_set_flags(ssl_verification_params, set)) {
_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
return -1;
}
Expand Down Expand Up @@ -3859,7 +3857,12 @@ static PyObject *
_ssl__SSLContext__host_flags_get_impl(PySSLContext *self)
/*[clinic end generated code: output=0f9db6654ce32582 input=8e3c49499eefd0e5]*/
{
return PyLong_FromUnsignedLong(self->hostflags);
X509_VERIFY_PARAM *ssl_verification_params;
unsigned int host_flags;

ssl_verification_params = SSL_CTX_get0_param(self->ctx);
host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_verification_params);
return PyLong_FromUnsignedLong(host_flags);
}

/*[clinic input]
Expand All @@ -3872,15 +3875,14 @@ static int
_ssl__SSLContext__host_flags_set_impl(PySSLContext *self, PyObject *value)
/*[clinic end generated code: output=1ed6f4027aaf2e3e input=28caf1fb9c32f6cb]*/
{
X509_VERIFY_PARAM *param;
X509_VERIFY_PARAM *ssl_verification_params;
unsigned int new_flags = 0;

if (!PyArg_Parse(value, "I", &new_flags))
return -1;

param = SSL_CTX_get0_param(self->ctx);
self->hostflags = new_flags;
X509_VERIFY_PARAM_set_hostflags(param, new_flags);
ssl_verification_params = SSL_CTX_get0_param(self->ctx);
X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, new_flags);
return 0;
}

Expand Down
Morty Proxy This is a proxified and sanitized view of the page, visit original site.