From: Kurt Mosiejczuk Subject: Re: python/2.7: treat ASN1_STRING as opaque To: Theo Buehler Cc: ports@openbsd.org Date: Wed, 10 Dec 2025 00:21:45 -0500 On Sat, Dec 06, 2025 at 12:49:09PM +0100, Theo Buehler wrote: > This is in preparation for a future libcrypto change that will make > ASN1_STRING opaque. Not sure if that will land in this cycle, but > seeing as 2.7 is dead we might as well fix it now. Sounds reasonable to me. ok kmos --Kurt > Python 3.13 will fix itself with the next patch update: > https://github.com/python/cpython/issues/141801
> Index: files/CHANGES.OpenBSD
> ===================================================================
> RCS file: /cvs/ports/lang/python/2.7/files/CHANGES.OpenBSD,v
> diff -u -p -r1.9 CHANGES.OpenBSD
> --- files/CHANGES.OpenBSD 27 Jun 2025 04:03:27 -0000 1.9
> +++ files/CHANGES.OpenBSD 6 Dec 2025 11:42:51 -0000
> @@ -12,5 +12,7 @@ of changes made to this version of Pytho
>
> 5. Removed calls to the CRYPTO_THREADID noops.
>
> +6. Treat ASN1_STRING as opaque
> +
> These changes are available in the OpenBSD CVS repository
> in ports/lang/python/2.7.
> Index: patches/patch-Modules__ssl_c
> ===================================================================
> RCS file: /cvs/ports/lang/python/2.7/patches/patch-Modules__ssl_c,v
> diff -u -p -r1.12 patch-Modules__ssl_c
> --- patches/patch-Modules__ssl_c 27 Jun 2025 04:03:27 -0000 1.12
> +++ patches/patch-Modules__ssl_c 6 Dec 2025 11:42:51 -0000
> @@ -3,7 +3,9 @@ what python's lock protects
>
> #2: ERR_get_state is no longer used in OpenSSL 3.0 or libressl as of 20240303
>
> -#3, #4: Drop CRYPTO_THREADID noops
> +#3 - #6: treat ASN1_STRING as opaque
> +
> +#7, #8: Drop CRYPTO_THREADID noops
>
> Index: Modules/_ssl.c
> --- Modules/_ssl.c.orig
> @@ -26,6 +28,59 @@ Index: Modules/_ssl.c
> ERR_clear_error();
>
> PySSL_BEGIN_ALLOW_THREADS
> +@@ -956,18 +958,18 @@ _get_peer_alt_names (X509 *certificate) {
> + goto fail;
> + }
> +
> +- p = X509_EXTENSION_get_data(ext)->data;
> ++ p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
> + if (method->it)
> + names = (GENERAL_NAMES*)
> + (ASN1_item_d2i(NULL,
> + &p,
> +- X509_EXTENSION_get_data(ext)->length,
> ++ ASN1_STRING_length(X509_EXTENSION_get_data(ext)),
> + ASN1_ITEM_ptr(method->it)));
> + else
> + names = (GENERAL_NAMES*)
> + (method->d2i(NULL,
> + &p,
> +- X509_EXTENSION_get_data(ext)->length));
> ++ ASN1_STRING_length(X509_EXTENSION_get_data(ext))));
> +
> + for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
> + /* get a rendering of each name in the set of names */
> +@@ -1028,7 +1030,7 @@ _get_peer_alt_names (X509 *certificate) {
> + goto fail;
> + }
> + PyTuple_SET_ITEM(t, 0, v);
> +- v = PyString_FromStringAndSize((char *)ASN1_STRING_data(as),
> ++ v = PyString_FromStringAndSize((char *)ASN1_STRING_get0_data(as),
> + ASN1_STRING_length(as));
> + if (v == NULL) {
> + Py_DECREF(t);
> +@@ -1173,8 +1175,8 @@ _get_aia_uri(X509 *certificate, int nid) {
> + continue;
> + }
> + uri = ad->location->d.uniformResourceIdentifier;
> +- ostr = PyUnicode_FromStringAndSize((char *)uri->data,
> +- uri->length);
> ++ ostr = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
> ++ ASN1_STRING_length(uri));
> + if (ostr == NULL) {
> + goto fail;
> + }
> +@@ -1240,8 +1242,8 @@ _get_crl_dp(X509 *certificate) {
> + continue;
> + }
> + uri = gn->d.uniformResourceIdentifier;
> +- ouri = PyUnicode_FromStringAndSize((char *)uri->data,
> +- uri->length);
> ++ ouri = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
> ++ ASN1_STRING_length(uri));
> + if (ouri == NULL)
> + goto done;
> +
> @@ -4078,15 +4080,7 @@ static PyMethodDef PySSL_methods[] = {
>
> static PyThread_type_lock *_ssl_locks = NULL;
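Review bot: The three `(char *)` casts kept on the new `ASN1_STRING_get0_data()` calls (the `PyString_FromStringAndSize` line in the `@@ -1028` inner hunk and the `PyUnicode_FromStringAndSize` lines in the `@@ -1173` and `@@ -1240` inner hunks) cast away the const qualifier the accessor returns, even though both Python constructors accept `const char *`; writing `(const char *)ASN1_STRING_get0_data(uri)` keeps the read-only contract that treating the string as opaque is meant to enforce. In the `@@ -956` inner hunk `X509_EXTENSION_get_data(ext)` is now evaluated three times in a row; a local such as `ASN1_OCTET_STRING *extdata = X509_EXTENSION_get_data(ext);` followed by `p = ASN1_STRING_get0_data(extdata);` and `ASN1_STRING_length(extdata)` in both d2i calls would read better and avoid the repetition. The declaration of `p` lies outside the hunk; if it is not `const unsigned char *`, the new assignment silently drops a qualifier, so it is worth confirming with warnings enabled. All four inner hunks are excerpts of functions whose bodies begin and end outside the hunk.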