
Commit 4459bc1

committed
Remove hostflags from PySSLContext
1 parent a29a9c0 commit 4459bc1


2 files changed

+30
-27
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Remove ``hostflags`` member from ``PySSLContext`` struct.

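--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -293,10 +293,6 @@ typedef struct {
     unsigned int alpn_protocols_len;
     PyObject *set_sni_cb;
     int check_hostname;
-    /* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
-     * We have to maintain our own copy. OpenSSL's hostflags default to 0.
-     */
-    unsigned int hostflags;
     int protocol;
 #if defined(PySSL_HAVE_POST_HS_AUTH)
     int post_handshake_auth;
@@ -815,15 +811,15 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
         }
     }
     if (self->ctx->check_hostname) {
-        X509_VERIFY_PARAM *param = SSL_get0_param(self->ssl);
+        X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
         if (ip == NULL) {
-            if (!X509_VERIFY_PARAM_set1_host(param, server_hostname,
+            if (!X509_VERIFY_PARAM_set1_host(ssl_verification_params, server_hostname,
                                              strlen(server_hostname))) {
                 _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
                 goto error;
             }
         } else {
-            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
+            if (!X509_VERIFY_PARAM_set1_ip(ssl_verification_params, ASN1_STRING_get0_data(ip),
                                            ASN1_STRING_length(ip))) {
                 _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
                 goto error;
@@ -900,8 +896,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
 
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
 #if OPENSSL_VERSION < 0x101010cf
-    X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
-    X509_VERIFY_PARAM_set_hostflags(ssl_params, sslctx->hostflags);
+    X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
+    X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
+
+    unsigned int ssl_ctx_host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_ctx_verification_params);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, ssl_ctx_host_flags);
 #endif
     SSL_set_app_data(self->ssl, self);
     if (sock) {
@@ -3085,7 +3084,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
     uint64_t options;
     const SSL_METHOD *method = NULL;
     SSL_CTX *ctx = NULL;
-    X509_VERIFY_PARAM *params;
+    X509_VERIFY_PARAM *ssl_verification_params;
     int result;
 
     /* slower approach, walk MRO and get borrowed reference to module.
@@ -3169,7 +3168,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         return NULL;
     }
     self->ctx = ctx;
-    self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
     self->protocol = proto_version;
     self->msg_cb = NULL;
     self->keylog_filename = NULL;
@@ -3259,11 +3257,11 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
        usage for no cost at all. */
     SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
 
-    params = SSL_CTX_get0_param(self->ctx);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
     /* Improve trust chain building when cross-signed intermediate
        certificates are present. See https://bugs.python.org/issue23476. */
-    X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST);
-    X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
+    X509_VERIFY_PARAM_set_flags(ssl_verification_params, X509_V_FLAG_TRUSTED_FIRST);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 
 #if defined(PySSL_HAVE_POST_HS_AUTH)
     self->post_handshake_auth = 0;
@@ -3515,11 +3513,11 @@ static PyObject *
 _ssl__SSLContext_verify_flags_get_impl(PySSLContext *self)
 /*[clinic end generated code: output=fbbf8ba28ad6e56e input=c1ec36d610b3f391]*/
 {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
     unsigned long flags;
 
-    param = SSL_CTX_get0_param(self->ctx);
-    flags = X509_VERIFY_PARAM_get_flags(param);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
     return PyLong_FromUnsignedLong(flags);
 }
 
@@ -3533,23 +3531,23 @@ static int
 _ssl__SSLContext_verify_flags_set_impl(PySSLContext *self, PyObject *value)
 /*[clinic end generated code: output=a3e3b2a0ce6c2e99 input=b2a0c42583d4f34e]*/
 {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
     unsigned long new_flags, flags, set, clear;
 
     if (!PyArg_Parse(value, "k", &new_flags))
         return -1;
-    param = SSL_CTX_get0_param(self->ctx);
-    flags = X509_VERIFY_PARAM_get_flags(param);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    flags = X509_VERIFY_PARAM_get_flags(ssl_verification_params);
     clear = flags & ~new_flags;
     set = ~flags & new_flags;
     if (clear) {
-        if (!X509_VERIFY_PARAM_clear_flags(param, clear)) {
+        if (!X509_VERIFY_PARAM_clear_flags(ssl_verification_params, clear)) {
             _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
             return -1;
         }
     }
     if (set) {
-        if (!X509_VERIFY_PARAM_set_flags(param, set)) {
+        if (!X509_VERIFY_PARAM_set_flags(ssl_verification_params, set)) {
             _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
             return -1;
         }
@@ -3844,7 +3842,12 @@ static PyObject *
 _ssl__SSLContext__host_flags_get_impl(PySSLContext *self)
 /*[clinic end generated code: output=0f9db6654ce32582 input=8e3c49499eefd0e5]*/
 {
-    return PyLong_FromUnsignedLong(self->hostflags);
+    X509_VERIFY_PARAM *ssl_verification_params;
+    unsigned int host_flags;
+
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_verification_params);
+    return PyLong_FromUnsignedLong(host_flags);
 }
 
 /*[clinic input]
@@ -3857,15 +3860,14 @@ static int
 _ssl__SSLContext__host_flags_set_impl(PySSLContext *self, PyObject *value)
 /*[clinic end generated code: output=1ed6f4027aaf2e3e input=28caf1fb9c32f6cb]*/
 {
-    X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM *ssl_verification_params;
     unsigned int new_flags = 0;
 
     if (!PyArg_Parse(value, "I", &new_flags))
         return -1;
 
-    param = SSL_CTX_get0_param(self->ctx);
-    self->hostflags = new_flags;
-    X509_VERIFY_PARAM_set_hostflags(param, new_flags);
+    ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+    X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, new_flags);
     return 0;
 }
 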
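Review bot: The new `X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);` in `_ssl__SSLContext_impl` now fixes the context's default host-matching policy with no explanation, because the struct comment that recorded the reasoning ("OpenSSL's hostflags default to 0", Python keeps its own stricter default) is deleted in the first hunk. I would put above it `/* OpenSSL's default hostflags are 0; Python deliberately rejects partial-wildcard labels. The value is read back with X509_VERIFY_PARAM_get_hostflags() in _host_flags_get_impl and copied into each new SSL object. */` so the stricter-than-OpenSSL default stays a documented decision rather than an unexplained constant. Separately, that line, the renamed `X509_VERIFY_PARAM_set1_host`/`set1_ip` calls in `_ssl_configure_hostname`, and the `ssl_ctx_host_flags` declaration in `newPySSLSocket` all run past PEP 7's 79-column limit; wrapping after the first argument, e.g. `if (!X509_VERIFY_PARAM_set1_host(ssl_verification_params,` / `server_hostname, strlen(server_hostname))) {`, keeps them in bounds. `_ssl__SSLContext_impl`, `_ssl_configure_hostname` and `newPySSLSocket` all start and end outside their hunks, so I am assuming `ctx` in `newPySSLSocket` is the `SSL_CTX *` taken from `sslctx` earlier in that function.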