From 6267ebb5e40a6860f33ec384140c5573b9aef7c8 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@davidben.net>
Date: Sat, 22 Nov 2025 22:47:45 +0530
Subject: [PATCH] gh-141801: Use accessors for ASN1_STRING fields in libssl
 (GH-141802)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gh-141801: Use accessors for ASN1_STRING fields

While ASN1_STRING is currently exposed, it is better to use the
accessors. See https://github.com/openssl/openssl/issues/29117 where, if
the type were opaque, OpenSSL's X509 objects could be much more
memory-efficient.

* Update Modules/_ssl.c

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

* Update Modules/_ssl.c

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

---------
(cherry picked from commit c41fce08a5d7aae8fd9e3fa25e0ba521600e097c)

Co-authored-by: David Benjamin <davidben@davidben.net>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Modules/_ssl.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 051efce4cfaa99..417d5ca593158f 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1410,14 +1410,14 @@ _get_peer_alt_names (_sslmodulestate *state, X509 *certificate) {
                 }
                 PyTuple_SET_ITEM(t, 0, v);
 
-                if (name->d.ip->length == 4) {
-                    unsigned char *p = name->d.ip->data;
+                if (ASN1_STRING_length(name->d.ip) == 4) {
+                    const unsigned char *p = ASN1_STRING_get0_data(name->d.ip);
                     v = PyUnicode_FromFormat(
                         "%d.%d.%d.%d",
                         p[0], p[1], p[2], p[3]
                     );
-                } else if (name->d.ip->length == 16) {
-                    unsigned char *p = name->d.ip->data;
+                } else if (ASN1_STRING_length(name->d.ip) == 16) {
+                    const unsigned char *p = ASN1_STRING_get0_data(name->d.ip);
                     v = PyUnicode_FromFormat(
                         "%X:%X:%X:%X:%X:%X:%X:%X",
                         p[0] << 8 | p[1],
@@ -1548,8 +1548,9 @@ _get_aia_uri(X509 *certificate, int nid) {
             continue;
         }
         uri = ad->location->d.uniformResourceIdentifier;
-        ostr = PyUnicode_FromStringAndSize((char *)uri->data,
-                                           uri->length);
+        ostr = PyUnicode_FromStringAndSize(
+                   (const char *)ASN1_STRING_get0_data(uri),
+                   ASN1_STRING_length(uri));
         if (ostr == NULL) {
             goto fail;
         }
@@ -1615,8 +1616,9 @@ _get_crl_dp(X509 *certificate) {
                 continue;
             }
             uri = gn->d.uniformResourceIdentifier;
-            ouri = PyUnicode_FromStringAndSize((char *)uri->data,
-                                               uri->length);
+            ouri = PyUnicode_FromStringAndSize(
+                       (const char *)ASN1_STRING_get0_data(uri),
+                       ASN1_STRING_length(uri));
             if (ouri == NULL)
                 goto done;