Add definitions that help with hostname checking #4492
Conversation
src/_cffi_src/openssl/ssl.py
@@ -185,6 +185,8 @@ | |||
X509 *SSL_get_peer_certificate(const SSL *); | |||
int SSL_get_ex_data_X509_STORE_CTX_idx(void); | |||
|
|||
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); |
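Review bot: the added prototype `X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);` carries a parameter name, unlike the neighbouring declarations in this block (`SSL_get_peer_certificate(const SSL *)`, `SSL_get_ex_data_X509_STORE_CTX_idx(void)`); it should read `X509_VERIFY_PARAM *SSL_get0_param(SSL *);`. As the discussion below notes, the symbol is also absent from OpenSSL before 1.0.2 and from LibreSSL, so it belongs under a conditional binding with the matching entry in `_conditional.py` rather than in the unconditional declarations here.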
Please remove the ssl name; we don't include parameter names.
It looks like some of these symbols do not exist in older OpenSSLs, so you'll need to make them conditional bindings. You can see #4476 for an example of a PR adding optional bindings.
Thanks for the review, will do that tomorrow.
This LGTM other than the need for conditionally binding it so the symbols aren't exposed on < 1.0.2.
As @tiran pointed out on the pyopenssl PR we'll also need to make sure the check covers LibreSSL < 2.7.1 as
x509_vfy.py already contains:
I assume you want the equivalent for SSL_get0_param, as it seems to be a direct helper function for the set1_host API. Besides X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, I'm adding a couple of additional related X509_CHECK_FLAG_* flags. I noticed you have a couple of #ifndef checks like the following:
I see the X509_CHECK_FLAG_* aren't available in old libressl either, so you probably want to protect these flags in the same way.
I notice that _conditional.py needs to get updated, too. Is it acceptable to extend existing cryptography_has_102_verification_params?
Yes,
Thanks for the thorough review. The symbol also isn't supported by any libressl versions. |
This is related to pyca/pyopenssl#795
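As an added illustration of the `_conditional.py` mechanism the thread refers to (this is not code from the PR or from cryptography itself), the model below mirrors how a feature flag exported from the C customizations decides which cffi symbols are removed from the `lib` object. The flag name `Cryptography_HAS_102_VERIFICATION_PARAMS`, the fake `lib`, and the flag value `0x4` are assumptions made for the example.

```python
import types


def make_fake_lib(has_102_verification_params):
    """Constructed stand-in for the cffi `lib` object produced by the bindings.

    Real builds set the flag from the C side (a CUSTOMIZATIONS block guarded by
    the OpenSSL < 1.0.2 / LibreSSL checks); here it is passed in directly.
    """
    lib = types.SimpleNamespace()
    # Assumed flag name, paired with cryptography_has_102_verification_params below.
    lib.Cryptography_HAS_102_VERIFICATION_PARAMS = int(has_102_verification_params)
    lib.SSL_get_peer_certificate = lambda ssl: "peer-cert"      # unconditional
    lib.SSL_get0_param = lambda ssl: "verify-param"             # 1.0.2+ only
    lib.X509_VERIFY_PARAM_set1_host = lambda param, host, n: 1  # 1.0.2+ only
    lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4              # placeholder value
    return lib


def cryptography_has_102_verification_params():
    """Names that only exist when the 1.0.2 verification-param API is present."""
    return [
        "SSL_get0_param",
        "X509_VERIFY_PARAM_set1_host",
        "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
    ]


CONDITIONAL_NAMES = {
    "Cryptography_HAS_102_VERIFICATION_PARAMS": cryptography_has_102_verification_params,
}


def build_conditional_library(lib, conditional_names):
    """Copy `lib`, dropping every symbol whose feature flag is 0.

    Callers then get AttributeError for SSL_get0_param on an old OpenSSL or on
    LibreSSL instead of silently calling a stub that returns NULL.
    """
    conditional_lib = types.ModuleType("lib")
    excluded = set()
    for flag, names_cb in conditional_names.items():
        if not getattr(lib, flag):
            excluded.update(names_cb())
    for attr in vars(lib):
        if attr not in excluded:
            setattr(conditional_lib, attr, getattr(lib, attr))
    return conditional_lib


def exposed_names(has_102_verification_params):
    """Sorted public attribute names the filtered `lib` ends up exposing."""
    lib = build_conditional_library(make_fake_lib(has_102_verification_params), CONDITIONAL_NAMES)
    return sorted(name for name in vars(lib) if not name.startswith("__"))
```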