python/2.7: treat ASN1_STRING as opaque
On Sat, Dec 06, 2025 at 12:49:09PM +0100, Theo Buehler wrote:
> This is in preparation for a future libcrypto change that will make
> ASN1_STRING opaque. Not sure if that will land in this cycle, but
> seeing as 2.7 is dead we might as well fix it now.
Sounds reasonable to me. ok kmos
--Kurt
> Python 3.13 will fix itself with the next patch update:
> https://github.com/python/cpython/issues/141801
> Index: files/CHANGES.OpenBSD
> ===================================================================
> RCS file: /cvs/ports/lang/python/2.7/files/CHANGES.OpenBSD,v
> diff -u -p -r1.9 CHANGES.OpenBSD
> --- files/CHANGES.OpenBSD 27 Jun 2025 04:03:27 -0000 1.9
> +++ files/CHANGES.OpenBSD 6 Dec 2025 11:42:51 -0000
> @@ -12,5 +12,7 @@ of changes made to this version of Pytho
>
> 5. Removed calls to the CRYPTO_THREADID noops.
>
> +6. Treat ASN1_STRING as opaque
> +
> These changes are available in the OpenBSD CVS repository
> <http://www.openbsd.org/anoncvs.html> in ports/lang/python/2.7.
> Index: patches/patch-Modules__ssl_c
> ===================================================================
> RCS file: /cvs/ports/lang/python/2.7/patches/patch-Modules__ssl_c,v
> diff -u -p -r1.12 patch-Modules__ssl_c
> --- patches/patch-Modules__ssl_c 27 Jun 2025 04:03:27 -0000 1.12
> +++ patches/patch-Modules__ssl_c 6 Dec 2025 11:42:51 -0000
> @@ -3,7 +3,9 @@ what python's lock protects
>
> #2: ERR_get_state is no longer used in OpenSSL 3.0 or libressl as of 20240303
>
> -#3, #4: Drop CRYPTO_THREADID noops
> +#3 - #6: treat ASN1_STRING as opaque
> +
> +#7, #8: Drop CRYPTO_THREADID noops
>
> Index: Modules/_ssl.c
> --- Modules/_ssl.c.orig
> @@ -26,6 +28,59 @@ Index: Modules/_ssl.c
> ERR_clear_error();
>
> PySSL_BEGIN_ALLOW_THREADS
> +@@ -956,18 +958,18 @@ _get_peer_alt_names (X509 *certificate) {
> + goto fail;
> + }
> +
> +- p = X509_EXTENSION_get_data(ext)->data;
> ++ p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
> + if (method->it)
> + names = (GENERAL_NAMES*)
> + (ASN1_item_d2i(NULL,
> + &p,
> +- X509_EXTENSION_get_data(ext)->length,
> ++ ASN1_STRING_length(X509_EXTENSION_get_data(ext)),
> + ASN1_ITEM_ptr(method->it)));
> + else
> + names = (GENERAL_NAMES*)
> + (method->d2i(NULL,
> + &p,
> +- X509_EXTENSION_get_data(ext)->length));
> ++ ASN1_STRING_length(X509_EXTENSION_get_data(ext))));
> +
> + for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
> + /* get a rendering of each name in the set of names */
> +@@ -1028,7 +1030,7 @@ _get_peer_alt_names (X509 *certificate) {
> + goto fail;
> + }
> + PyTuple_SET_ITEM(t, 0, v);
> +- v = PyString_FromStringAndSize((char *)ASN1_STRING_data(as),
> ++ v = PyString_FromStringAndSize((char *)ASN1_STRING_get0_data(as),
> + ASN1_STRING_length(as));
> + if (v == NULL) {
> + Py_DECREF(t);
> +@@ -1173,8 +1175,8 @@ _get_aia_uri(X509 *certificate, int nid) {
> + continue;
> + }
> + uri = ad->location->d.uniformResourceIdentifier;
> +- ostr = PyUnicode_FromStringAndSize((char *)uri->data,
> +- uri->length);
> ++ ostr = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
> ++ ASN1_STRING_length(uri));
> + if (ostr == NULL) {
> + goto fail;
> + }
> +@@ -1240,8 +1242,8 @@ _get_crl_dp(X509 *certificate) {
> + continue;
> + }
> + uri = gn->d.uniformResourceIdentifier;
> +- ouri = PyUnicode_FromStringAndSize((char *)uri->data,
> +- uri->length);
> ++ ouri = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
> ++ ASN1_STRING_length(uri));
> + if (ouri == NULL)
> + goto done;
> +
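Review bot: The rewritten casts `(char *)ASN1_STRING_get0_data(as)` in _get_peer_alt_names and `(char *)ASN1_STRING_get0_data(uri)` in _get_aia_uri and _get_crl_dp discard the const qualifier that ASN1_STRING_get0_data() returns. PyString_FromStringAndSize and PyUnicode_FromStringAndSize accept a `const char *`, so the cast can be written `(const char *)ASN1_STRING_get0_data(uri)` and stays clean under -Wcast-qual. In _get_peer_alt_names, `X509_EXTENSION_get_data(ext)` is now spelled three times; fetching it once, as in `ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(ext);`, would keep the pointer and the length visibly tied to the same object. A comment such as `/* certificate data is peer-supplied and may contain NUL bytes: take the length from ASN1_STRING_length(), never strlen() */` would record why the accessor pair must stay together. All three functions begin and end outside these hunks, so the declaration of `p` is not visible here; it is presumably already `const unsigned char *`.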
> @@ -4078,15 +4080,7 @@ static PyMethodDef PySSL_methods[] = {
>
> static PyThread_type_lock *_ssl_locks = NULL;