gh-89562: Remove hostflags from PySSLContext (GH-28602)

author Rami <72725910+ramikg@users.noreply.github.com>

Fri, 18 Apr 2025 22:27:32 +0000 (01:27 +0300)

committer GitHub <noreply@github.com>

Fri, 18 Apr 2025 22:27:32 +0000 (15:27 -0700)
author Rami <72725910+ramikg@users.noreply.github.com>
Fri, 18 Apr 2025 22:27:32 +0000 (01:27 +0300)
committer GitHub <noreply@github.com>
Fri, 18 Apr 2025 22:27:32 +0000 (15:27 -0700)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2022-12-29-19-10-36.gh-issue-89562.g8m8RC.rst b/Misc/NEWS.d/next/Core_and_Builtins/2022-12-29-19-10-36.gh-issue-89562.g8m8RC.rst

new file mode 100644 (file)

index 0000000..41e87c0
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2022-12-29-19-10-36.gh-issue-89562.g8m8RC.rst
@@ -0,0 +1 @@
+Remove ``hostflags`` member from ``PySSLContext`` struct.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index 03165ec1f3c71f696ed4194189cdb5a71a793e9b..d5bd3affb5eb46d6470726c4a03de7830f845aa4 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -293,10 +293,6 @@ typedef struct {
      unsigned int alpn_protocols_len;
      PyObject *set_sni_cb;
      int check_hostname;
-    /* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
-     * We have to maintain our own copy. OpenSSL's hostflags default to 0.
-     */
-    unsigned int hostflags;
      int protocol;
  #if defined(PySSL_HAVE_POST_HS_AUTH)
      int post_handshake_auth;
@@ -824,15 +820,15 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
          }
      }
      if (self->ctx->check_hostname) {
-        X509_VERIFY_PARAM *param = SSL_get0_param(self->ssl);
+        X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
          if (ip == NULL) {
-            if (!X509_VERIFY_PARAM_set1_host(param, server_hostname,
+            if (!X509_VERIFY_PARAM_set1_host(ssl_verification_params, server_hostname,
                                               strlen(server_hostname))) {
                  _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
                  goto error;
              }
          } else {
-            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
+            if (!X509_VERIFY_PARAM_set1_ip(ssl_verification_params, ASN1_STRING_get0_data(ip),
                                             ASN1_STRING_length(ip))) {
                  _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
                  goto error;
@@ -909,8 +905,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
  
      /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
  #if OPENSSL_VERSION < 0x101010cf
-    X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
-    X509_VERIFY_PARAM_set_hostflags(ssl_params, sslctx->hostflags);
+    X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
+    X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
+
+    unsigned int ssl_ctx_host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_ctx_verification_params);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, ssl_ctx_host_flags);
  #endif
      SSL_set_app_data(self->ssl, self);
      if (sock) {
@@ -3097,7 +3096,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
      uint64_t options;
      const SSL_METHOD *method = NULL;
      SSL_CTX *ctx = NULL;
-    X509_VERIFY_PARAM *params;
+    X509_VERIFY_PARAM *ssl_verification_params;
      int result;
  
     /* slower approach, walk MRO and get borrowed reference to module.
@@ -3181,7 +3180,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
          return NULL;
      }
      self->ctx = ctx;
-    self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
      self->protocol = proto_version;
      self->msg_cb = NULL;
      self->keylog_filename = NULL;
@@ -3271,11 +3269,11 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         usage for no cost at all. */
      SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
  
-    params = SSL_CTX_get0_param(self->ctx);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
      /* Improve trust chain building when cross-signed intermediate
         certificates are present. See https://bugs.python.org/issue23476. */
-    X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST);
-    X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
+    X509_VERIFY_PARAM_set_flags(ssl_verification_params, X509_V_FLAG_TRUSTED_FIRST);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
  
  #if defined(PySSL_HAVE_POST_HS_AUTH)
      self->post_handshake_auth = 0;
@@ -3530,11 +3528,11 @@ static PyObject *
  _ssl__SSLContext_verify_flags_get_impl(PySSLContext *self)
  /*[clinic end generated code: output=fbbf8ba28ad6e56e input=c1ec36d610b3f391]*/
  {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
      unsigned long flags;
  
-    param = SSL_CTX_get0_param(self->ctx);
-    flags = X509_VERIFY_PARAM_get_flags(param);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
      return PyLong_FromUnsignedLong(flags);
  }
  
@@ -3548,23 +3546,23 @@ static int
  _ssl__SSLContext_verify_flags_set_impl(PySSLContext *self, PyObject *value)
  /*[clinic end generated code: output=a3e3b2a0ce6c2e99 input=b2a0c42583d4f34e]*/
  {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
      unsigned long new_flags, flags, set, clear;
  
      if (!PyArg_Parse(value, "k", &new_flags))
          return -1;
-    param = SSL_CTX_get0_param(self->ctx);
-    flags = X509_VERIFY_PARAM_get_flags(param);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
      clear = flags & ~new_flags;
      set = ~flags & new_flags;
      if (clear) {
-        if (!X509_VERIFY_PARAM_clear_flags(param, clear)) {
+        if (!X509_VERIFY_PARAM_clear_flags(ssl_verification_params, clear)) {
              _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
              return -1;
          }
      }
      if (set) {
-        if (!X509_VERIFY_PARAM_set_flags(param, set)) {
+        if (!X509_VERIFY_PARAM_set_flags(ssl_verification_params, set)) {
              _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
              return -1;
          }
@@ -3859,7 +3857,12 @@ static PyObject *
  _ssl__SSLContext__host_flags_get_impl(PySSLContext *self)
  /*[clinic end generated code: output=0f9db6654ce32582 input=8e3c49499eefd0e5]*/
  {
-    return PyLong_FromUnsignedLong(self->hostflags);
+    X509_VERIFY_PARAM *ssl_verification_params;
+    unsigned int host_flags;
+
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_verification_params);
+    return PyLong_FromUnsignedLong(host_flags);
  }
  
  /*[clinic input]
@@ -3872,15 +3875,14 @@ static int
  _ssl__SSLContext__host_flags_set_impl(PySSLContext *self, PyObject *value)
  /*[clinic end generated code: output=1ed6f4027aaf2e3e input=28caf1fb9c32f6cb]*/
  {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
      unsigned int new_flags = 0;
  
      if (!PyArg_Parse(value, "I", &new_flags))
          return -1;
  
-    param = SSL_CTX_get0_param(self->ctx);
-    self->hostflags = new_flags;
-    X509_VERIFY_PARAM_set_hostflags(param, new_flags);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, new_flags);
      return 0;
  }
author	Rami <72725910+ramikg@users.noreply.github.com>
	Fri, 18 Apr 2025 22:27:32 +0000 (01:27 +0300)
committer	GitHub <noreply@github.com>
	Fri, 18 Apr 2025 22:27:32 +0000 (15:27 -0700)
Misc/NEWS.d/next/Core_and_Builtins/2022-12-29-19-10-36.gh-issue-89562.g8m8RC.rst	[new file with mode: 0644]	patch \| blob
Modules/_ssl.c		patch \| blob \| blame \| history