From: Simo Sorce <simo@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/python-awscrt] rawhide: Fix build with OpenSSL 4.0
Date: Thu, 11 Jun 2026 06:17:52 GMT	[thread overview]
Message-ID: <178115867286.1.11595687542892363807.rpms-python-awscrt-1329d2a6e56b@fedoraproject.org> (raw)

            A new commit has been pushed.

            Repo   : rpms/python-awscrt
            Branch : rawhide
            Commit : 1329d2a6e56b65fce6077e8ebf562a4e0359bad0
            Author : Simo Sorce <simo@redhat.com>
            Date   : 2026-06-11T06:17:40+00:00
            Stats  : +167/-0 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/python-awscrt/c/1329d2a6e56b65fce6077e8ebf562a4e0359bad0?branch=rawhide

            Log:
            Fix build with OpenSSL 4.0

Signed-off-by: Simo Sorce <simo@redhat.com>

---
diff --git a/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch b/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
new file mode 100644
index 0000000..79546be
--- /dev/null
+++ b/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
@@ -0,0 +1,165 @@
+From 58a94d95bc277b999e838111bdbc2295245b6e91 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 4 May 2026 15:37:32 -0400
+Subject: [PATCH] Update OpenSSL accessors and const qualifiers
+
+This replaces direct struct field accesses with standard OpenSSL accessor
+functions (such as ASN1_STRING_data and ASN1_STRING_length) to ensure
+compatibility with modern OpenSSL versions where these structs are opaque.
+Additionally, it adds 'const' qualifiers to various X509 and ASN1 pointer
+declarations and switches to ASN1_STRING_get0_data to enforce proper const
+correctness when handling internal OpenSSL data.
+
+Assisted-by: Gemini <gemini@google.com>
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crt/s2n/crypto/s2n_certificate.c | 20 ++++++++++----------
+ crt/s2n/tls/s2n_x509_validator.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crt/s2n/crypto/s2n_certificate.c b/crt/s2n/crypto/s2n_certificate.c
+index 01afc8e..ea89d06 100644
+--- a/crt/s2n/crypto/s2n_certificate.c
++++ b/crt/s2n/crypto/s2n_certificate.c
+@@ -227,8 +227,8 @@ int s2n_cert_chain_and_key_load_sans(struct s2n_cert_chain_and_key *chain_and_ke
+ 
+         if (san_name->type == GEN_DNS) {
+             /* Decoding isn't necessary here since a DNS SAN name is ASCII(type V_ASN1_IA5STRING) */
+-            unsigned char *san_str = san_name->d.dNSName->data;
+-            const size_t san_str_len = san_name->d.dNSName->length;
++            const unsigned char *san_str = ASN1_STRING_get0_data(san_name->d.dNSName);
++            const size_t san_str_len = ASN1_STRING_length(san_name->d.dNSName);
+             struct s2n_blob *san_blob = NULL;
+             POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->san_names, (void **) &san_blob));
+             if (!san_blob) {
+@@ -265,19 +265,19 @@ int s2n_cert_chain_and_key_load_cns(struct s2n_cert_chain_and_key *chain_and_key
+     POSIX_ENSURE_REF(chain_and_key->cn_names);
+     POSIX_ENSURE_REF(x509_cert);
+ 
+-    X509_NAME *subject = X509_get_subject_name(x509_cert);
++    const X509_NAME *subject = X509_get_subject_name(x509_cert);
+     if (!subject) {
+         return 0;
+     }
+ 
+     int lastpos = -1;
+     while ((lastpos = X509_NAME_get_index_by_NID(subject, NID_commonName, lastpos)) >= 0) {
+-        X509_NAME_ENTRY *name_entry = X509_NAME_get_entry(subject, lastpos);
++        const X509_NAME_ENTRY *name_entry = X509_NAME_get_entry(subject, lastpos);
+         if (!name_entry) {
+             continue;
+         }
+ 
+-        ASN1_STRING *asn1_str = X509_NAME_ENTRY_get_data(name_entry);
++        const ASN1_STRING *asn1_str = X509_NAME_ENTRY_get_data(name_entry);
+         if (!asn1_str) {
+             continue;
+         }
+@@ -721,7 +721,7 @@ static int s2n_utf8_string_from_extension_data(const uint8_t *extension_data, ui
+         * Since this is an internal pointer it should not be freed or modified in any way.
+         * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
+         */
+-        unsigned char *internal_data = ASN1_STRING_data(asn1_str);
++        const unsigned char *internal_data = ASN1_STRING_get0_data(asn1_str);
+         POSIX_ENSURE_REF(internal_data);
+         POSIX_CHECKED_MEMCPY(out_data, internal_data, len);
+     }
+@@ -784,7 +784,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+     POSIX_ENSURE_REF(asn1_obj_in);
+ 
+     for (size_t loc = 0; loc < ext_count; loc++) {
+-        ASN1_OCTET_STRING *asn1_str = NULL;
++        const ASN1_OCTET_STRING *asn1_str = NULL;
+         bool match_found = false;
+ 
+         /* Retrieve the x509 extension at location loc.
+@@ -793,7 +793,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+          * The returned extension is an internal pointer which must not be freed up by the application.
+          * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_get_ext.html.
+          */
+-        X509_EXTENSION *x509_ext = X509_get_ext(x509_cert, loc);
++        const X509_EXTENSION *x509_ext = X509_get_ext(x509_cert, loc);
+         POSIX_ENSURE_REF(x509_ext);
+ 
+         /* Retrieve the extension object/OID/extnId.
+@@ -801,7 +801,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+          * The returned pointer is an internal value which must not be freed up.
+          * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_EXTENSION_get_object.html.
+          */
+-        ASN1_OBJECT *asn1_obj = X509_EXTENSION_get_object(x509_ext);
++        const ASN1_OBJECT *asn1_obj = X509_EXTENSION_get_object(x509_ext);
+         POSIX_ENSURE_REF(asn1_obj);
+ 
+         /* OBJ_cmp() compares two ASN1_OBJECT objects. If the two are identical 0 is returned.
+@@ -827,7 +827,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+                  * Since this is an internal pointer it should not be freed or modified in any way.
+                  * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
+                  */
+-                unsigned char *internal_data = ASN1_STRING_data(asn1_str);
++                const unsigned char *internal_data = ASN1_STRING_get0_data(asn1_str);
+                 POSIX_ENSURE_REF(internal_data);
+                 POSIX_CHECKED_MEMCPY(ext_value, internal_data, len);
+             }
+diff --git a/crt/s2n/tls/s2n_x509_validator.c b/crt/s2n/tls/s2n_x509_validator.c
+index 26d36bf..5c72d7b 100644
+--- a/crt/s2n/tls/s2n_x509_validator.c
++++ b/crt/s2n/tls/s2n_x509_validator.c
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+- *
++ * 
+  * Licensed under the Apache License, Version 2.0 (the "License").
+  * You may not use this file except in compliance with the License.
+  * A copy of the License is located at
+@@ -221,7 +221,7 @@ static S2N_RESULT s2n_verify_host_information_san_entry(struct s2n_connection *c
+     if (current_name->type == GEN_DNS || current_name->type == GEN_URI) {
+         *san_found = true;
+ 
+-        const char *name = (const char *) ASN1_STRING_data(current_name->d.ia5);
++        const char *name = (const char *) ASN1_STRING_get0_data(current_name->d.ia5);
+         RESULT_ENSURE_REF(name);
+         int name_len = ASN1_STRING_length(current_name->d.ia5);
+         RESULT_ENSURE_GT(name_len, 0);
+@@ -235,9 +235,9 @@ static S2N_RESULT s2n_verify_host_information_san_entry(struct s2n_connection *c
+         *san_found = true;
+ 
+         /* try to validate an IP address if it's in the subject alt name. */
+-        const unsigned char *ip_addr = current_name->d.iPAddress->data;
++        const unsigned char *ip_addr = ASN1_STRING_get0_data(current_name->d.iPAddress);
+         RESULT_ENSURE_REF(ip_addr);
+-        int ip_addr_len = current_name->d.iPAddress->length;
++        int ip_addr_len = ASN1_STRING_length(current_name->d.iPAddress);
+         RESULT_ENSURE_GT(ip_addr_len, 0);
+ 
+         RESULT_STACK_BLOB(address, INET6_ADDRSTRLEN + 1, INET6_ADDRSTRLEN + 1);
+@@ -302,7 +302,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+     RESULT_ENSURE_REF(public_cert);
+     RESULT_ENSURE_REF(cn_found);
+ 
+-    X509_NAME *subject_name = X509_get_subject_name(public_cert);
++    const X509_NAME *subject_name = X509_get_subject_name(public_cert);
+     RESULT_ENSURE(subject_name, S2N_ERR_CERT_UNTRUSTED);
+ 
+     int curr_idx = -1;
+@@ -317,7 +317,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+ 
+     RESULT_ENSURE(curr_idx >= 0, S2N_ERR_CERT_UNTRUSTED);
+ 
+-    ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx));
++    const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx));
+     RESULT_ENSURE(common_name, S2N_ERR_CERT_UNTRUSTED);
+ 
+     /* X520CommonName allows the following ANSI string types per RFC 5280 Appendix A.1 */
+@@ -336,7 +336,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+     RESULT_ENSURE_GT(cn_len, 0);
+     uint32_t len = (uint32_t) cn_len;
+     RESULT_ENSURE_LTE(len, s2n_array_len(peer_cn) - 1);
+-    RESULT_CHECKED_MEMCPY(peer_cn, ASN1_STRING_data(common_name), len);
++    RESULT_CHECKED_MEMCPY(peer_cn, ASN1_STRING_get0_data(common_name), len);
+     RESULT_ENSURE(conn->verify_host_fn(peer_cn, len, conn->data_for_verify_host), S2N_ERR_CERT_INVALID_HOSTNAME);
+ 
+     return S2N_RESULT_OK;
+-- 
+2.53.0
+
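Review bot: In the s2n_cert_chain_and_key_load_sans hunk of the embedded patch, the `int` returned by ASN1_STRING_length() goes straight into `const size_t san_str_len`, and `san_str` is not NULL-checked in the visible lines. The s2n_x509_validator.c hunks guard the same accessors with RESULT_ENSURE_REF and RESULT_ENSURE_GT. The function body continues outside the hunk, so a later check may exist; if not, I would add `POSIX_ENSURE_REF(san_str);` and read the length into an `int` that is rejected when negative before it is converted to `size_t`. The two comments above the `internal_data` lines still cite the man1.0.2 ASN1_STRING_data page although the call is now ASN1_STRING_get0_data, so the reference should be updated to match. The license-header hunk in s2n_x509_validator.c only adds trailing whitespace to a ` *` line and could be dropped from the patch.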

diff --git a/python-awscrt.spec b/python-awscrt.spec
index 02f0312..73b9099 100644
--- a/python-awscrt.spec
+++ b/python-awscrt.spec
@@ -23,6 +23,8 @@ Patch1:         skip-SHA1-in-test_crypto.patch
 # websockets test fail fix
 Patch2:         websockets.patch
 
+Patch3:         0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
+
 BuildRequires:  python%{python3_pkgversion}-devel
 
 BuildRequires:  gcc
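Review bot: Patch3 is added without the one-line comment that the neighbouring Patch2 entry carries, so the spec does not say why the patch exists or whether it has been sent upstream. Since it changes certificate SAN/CN handling in the bundled s2n sources under crt/s2n, I would record that above the entry, e.g. `# Fix build with OpenSSL 4.0 (ASN1_STRING accessors, const pointers); upstream: <link or "not submitted">`.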
