Skip to content

Add definitions that help with hostname checking#4492

Merged
alex merged 6 commits intopyca:masterfrom
kaie:master
Oct 10, 2018
Merged

Add definitions that help with hostname checking#4492
alex merged 6 commits intopyca:masterfrom
kaie:master

Conversation

@kaie
Copy link
Contributor

@kaie kaie commented Oct 9, 2018

This is related to pyca/pyopenssl#795

@kaie kaie mentioned this pull request Oct 9, 2018
Open
alex
alex reviewed Oct 9, 2018
View reviewed changes
src/_cffi_src/openssl/ssl.py Outdated
X509 *SSL_get_peer_certificate(const SSL *);
int SSL_get_ex_data_X509_STORE_CTX_idx(void);

X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
Copy link
Member

@alex alex Oct 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the ssl name, we don't include parameter names.

@alex alex added the bindings label Oct 9, 2018
@alex alex added this to the Twenty fourth release milestone Oct 9, 2018
@alex
Copy link
Member

alex commented Oct 9, 2018

It looks like some of these symbols do not exist in older OpenSSLs, so you'll need to make them conditional bindings.

You can see #4476 for an example of a PR adding optional bindings

@kaie
Copy link
Contributor Author

kaie commented Oct 9, 2018

Thanks for the review, will do that tomorrow.

@reaperhulk
Copy link
Member

reaperhulk commented Oct 10, 2018

This LGTM other than the need for conditionally binding it so the symbols aren't exposed on < 1.0.2.

@reaperhulk
Copy link
Member

reaperhulk commented Oct 10, 2018

As @tiran pointed out on the pyopenssl PR we'll also need to make sure the check covers LibreSSL < 2.7.1 as X509_VERIFY_PARAM_set1_host is not available until 2.7.1.

@kaie
Copy link
Contributor Author

kaie commented Oct 10, 2018

As @tiran pointed out on the pyopenssl PR we'll also need to make sure the check covers LibreSSL < 2.7.1 as X509_VERIFY_PARAM_set1_host is not available until 2.7.1.

x509_vfy.py already contains:

#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER
#else
#if !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
                                   size_t) = NULL;
#endif
#endif

I assume you want the equivalent for SSL_get0_param, as it seems to be a direct helper function for the set1_host API.

Besides X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, I'm adding a couple of additional related X509_CHECK_FLAG_* flags.

I noticed you have a couple of #ifndef checks like the following:

/* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added
   in the future... */
#ifndef X509_V_ERR_HOSTNAME_MISMATCH
static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
#endif

I see the X509_CHECK_FLAG_* aren't available in old libressel either, so you probably want to protect these flags in the same way.

@kaie
Copy link
Contributor Author

kaie commented Oct 10, 2018

I notice that _conditional.py needs to get updated, too. Is it acceptable to extend existing cryptography_has_102_verification_params?

@reaperhulk
Copy link
Member

reaperhulk commented Oct 10, 2018

Yes, cryptography_has_102_verification_params is appropriate for this binding so you can reuse that!

@alex
Copy link
Member

alex commented Oct 10, 2018

X509_CHECK_FLAG_NEVER_CHECK_SUBJECT is new in 1.1.0, so it'll need slightly seperate handling.

@kaie
Copy link
Contributor Author

kaie commented Oct 10, 2018

Thanks for the thorough review. The symbol also isn't supported by any libressl versions.

@alex alex merged commit ef18e61 into pyca:master Oct 10, 2018
@mhils mhils mentioned this pull request Jul 11, 2020
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 6, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@alex alex alex approved these changes

Assignees

No one assigned

Labels

bindings

Milestone

Twenty fourth release

Development

Successfully merging this pull request may close these issues.

3 participants

@kaie @alex @reaperhulk