From 74bc9934f6b7a3975329ebbe4835e2180310b609 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 20 Nov 2025 12:27:15 -0500 Subject: [PATCH 1/3] gh-141801: Use accessors for ASN1_STRING fields While ASN1_STRING is currently exposed, it is better to use the accessors. See https://github.com/openssl/openssl/issues/29117 where, if the type were opaque, OpenSSL's X509 objects could be much more memory-efficient. --- Modules/_ssl.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 4b75e455f402ff..b6a7bd520c8e9c 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1437,14 +1437,14 @@ _get_peer_alt_names (_sslmodulestate *state, X509 *certificate) { } PyTuple_SET_ITEM(t, 0, v); - if (name->d.ip->length == 4) { - unsigned char *p = name->d.ip->data; + if (ASN1_STRING_length(name->d.ip) == 4) { + const unsigned char *p = ASN1_STRING_get0_data(name->d.ip); v = PyUnicode_FromFormat( "%d.%d.%d.%d", p[0], p[1], p[2], p[3] ); - } else if (name->d.ip->length == 16) { - unsigned char *p = name->d.ip->data; + } else if (ASN1_STRING_length(name->d.ip) == 16) { + const unsigned char *p = ASN1_STRING_get0_data(name->d.ip); v = PyUnicode_FromFormat( "%X:%X:%X:%X:%X:%X:%X:%X", p[0] << 8 | p[1], @@ -1575,8 +1575,9 @@ _get_aia_uri(X509 *certificate, int nid) { continue; } uri = ad->location->d.uniformResourceIdentifier; - ostr = PyUnicode_FromStringAndSize((char *)uri->data, - uri->length); + ostr = PyUnicode_FromStringAndSize( + (const char *)ASN1_STRING_get0_data(uri), + ASN1_STRING_length(uri)); if (ostr == NULL) { goto fail; } @@ -1642,8 +1643,9 @@ _get_crl_dp(X509 *certificate) { continue; } uri = gn->d.uniformResourceIdentifier; - ouri = PyUnicode_FromStringAndSize((char *)uri->data, - uri->length); + ouri = PyUnicode_FromStringAndSize( + (const char *)ASN1_STRING_get0_data(uri), + ASN1_STRING_length(uri)); if (ouri == NULL) goto done; From 1ee48984fd4329f790b3311ca3e00e2b927a2073 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 22 Nov 2025 16:54:18 +0530 Subject: [PATCH 2/3] Update Modules/_ssl.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- Modules/_ssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index b6a7bd520c8e9c..02f5df05690b3f 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1576,8 +1576,8 @@ _get_aia_uri(X509 *certificate, int nid) { } uri = ad->location->d.uniformResourceIdentifier; ostr = PyUnicode_FromStringAndSize( - (const char *)ASN1_STRING_get0_data(uri), - ASN1_STRING_length(uri)); + (const char *)ASN1_STRING_get0_data(uri), + ASN1_STRING_length(uri)); if (ostr == NULL) { goto fail; } From 06f63d58e273078f2e5ea3ca7258168f5c88ddc5 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 22 Nov 2025 16:54:31 +0530 Subject: [PATCH 3/3] Update Modules/_ssl.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- Modules/_ssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 02f5df05690b3f..25fcea6aaf128d 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1644,8 +1644,8 @@ _get_crl_dp(X509 *certificate) { } uri = gn->d.uniformResourceIdentifier; ouri = PyUnicode_FromStringAndSize( - (const char *)ASN1_STRING_get0_data(uri), - ASN1_STRING_length(uri)); + (const char *)ASN1_STRING_get0_data(uri), + ASN1_STRING_length(uri)); if (ouri == NULL) goto done;