python 3.14 requires X509_VERIFY_PARAM_get_hostflags()

[orbea]

OS: Gentoo
libressl: 4.1.1
python: 3.14.0

Building python 3.14 with libressl fails because libressl doesn't have X509_VERIFY_PARAM_get_hostflags().

Should this be added in a future LibreSSL version or is there a better method? I got it to build with this patch, but I am not sure its correct.

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -911,7 +911,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
     X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
 
+#ifdef LIBRESSL_VERSION_NUMBER
+    unsigned int ssl_ctx_host_flags = 0;
+#else
     unsigned int ssl_ctx_host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_ctx_verification_params);
+#endif
     X509_VERIFY_PARAM_set_hostflags(ssl_verification_params, ssl_ctx_host_flags);
 #endif
     SSL_set_app_data(self->ssl, self);
@@ -3859,7 +3863,11 @@ _ssl__SSLContext__host_flags_get_impl(PySSLContext *self)
     unsigned int host_flags;
 
     ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+#ifdef LIBRESSL_VERSION_NUMBER
+    host_flags = 0;
+#else
     host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_verification_params);
+#endif
     return PyLong_FromUnsignedLong(host_flags);
 }
 

For reference this patch is also still needed from python 3.13.

--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -44,7 +44,9 @@
 
 #define MUNCH_SIZE INT_MAX
 
+#ifdef NID_id_scrypt
 #define PY_OPENSSL_HAS_SCRYPT 1
+#endif
 #if defined(NID_sha3_224) && defined(NID_sha3_256) && defined(NID_sha3_384) && defined(NID_sha3_512)
 #define PY_OPENSSL_HAS_SHA3 1
 #endif
@@ -963,11 +965,15 @@ _hashlib_HASH(PyObject *module, const char *digestname, PyObject *data_obj,
         goto exit;
     }
 
+#ifndef EVP_MD_FLAG_XOF
+    type = get_hashlib_state(module)->EVPtype;
+#else
     if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
         type = get_hashlib_state(module)->EVPXOFtype;
     } else {
         type = get_hashlib_state(module)->EVPtype;
     }
+#endif
 
     self = newEVPobject(type);
     if (self == NULL) {

[botovq]

Thanks.

We do have X509_VERIFY_PARAM_get_hostflags() for a regress test (part of the urllib3 fun a couple years back), but we did not expose it in the public API since nothing was using it at the time:

openbsd/src@e51d4db

It is easy to expose it, but unfortunately it's too late in the to do that for 4.2. I'll fix that in the next cycle.

XOF is an old friend and we'll continue to avoid it.

[botovq]

Oh. In the first diff hunk, disable the entire "copy the hostflags manually" stanza for LibreSSL rather than setting the hostflags to 0 as you currently do:

https://github.com/python/cpython/blob/ff7bb565d836162eed0851c36afa325a107a5a56/Modules/_ssl.c#L939-L946

This is part of what we had to fix for urllib3.

Edit: They should be checking for OPENSSL_VERSION_NUMBER here, not OPENSSL_VERSION:

-#if OPENSSL_VERSION < 0x101010cf
+#if OPENSSL_VERSION_NUMBER < 0x101010cf

[orbea]

Thanks, I missed that they used OPENSSL_VERSION. Here is a revised patch.

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -907,7 +907,7 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     }
 
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
-#if OPENSSL_VERSION < 0x101010cf
+#if OPENSSL_VERSION_NUMBER < 0x101010cf
     X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
     X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
 
@@ -3859,7 +3859,11 @@ _ssl__SSLContext__host_flags_get_impl(PySSLContext *self)
     unsigned int host_flags;
 
     ssl_verification_params = SSL_CTX_get0_param(self->ctx);
+#ifdef LIBRESSL_VERSION_NUMBER
+    host_flags = 0;
+#else
     host_flags = X509_VERIFY_PARAM_get_hostflags(ssl_verification_params);
+#endif
     return PyLong_FromUnsignedLong(host_flags);
 }
 

[botovq]

The OPENSSL_VERSION bit is now fixed upstream and should be in the next 3.14 release: python/cpython#139929

[predators46]

The OPENSSL_VERSION bit is now fixed upstream and should be in the next 3.14 release: python/cpython#139929

This will still fail when building python 3.14 using libressl. The patch created by @orbea solves this problem.

[botovq]

@predators46 Not sure what you're trying to say. The first hunk of the patch (in the second post) will no longer be needed once this is in a Python release. The second hunk will be needed until we expose X509_VERIFY_PARAM_get_hostflags().

[predators46]

@predators46 Not sure what you're trying to say. The first hunk of the patch (in the second post) will no longer be needed once this is in a Python release. The second hunk will be needed until we expose X509_VERIFY_PARAM_get_hostflags().

ok