* [rpms/python-awscrt] rawhide: Fix build with OpenSSL 4.0
@ 2026-06-11 6:17 Simo Sorce
From: Simo Sorce @ 2026-06-11 6:17 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/python-awscrt
Branch : rawhide
Commit : 1329d2a6e56b65fce6077e8ebf562a4e0359bad0
Author : Simo Sorce <simo@redhat.com>
Date : 2026-06-11T06:17:40+00:00
Stats : +167/-0 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/python-awscrt/c/1329d2a6e56b65fce6077e8ebf562a4e0359bad0?branch=rawhide
Log:
Fix build with OpenSSL 4.0
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch b/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
new file mode 100644
index 0000000..79546be
--- /dev/null
+++ b/0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
@@ -0,0 +1,165 @@
+From 58a94d95bc277b999e838111bdbc2295245b6e91 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 4 May 2026 15:37:32 -0400
+Subject: [PATCH] Update OpenSSL accessors and const qualifiers
+
+This replaces direct struct field accesses with standard OpenSSL accessor
+functions (such as ASN1_STRING_data and ASN1_STRING_length) to ensure
+compatibility with modern OpenSSL versions where these structs are opaque.
+Additionally, it adds 'const' qualifiers to various X509 and ASN1 pointer
+declarations and switches to ASN1_STRING_get0_data to enforce proper const
+correctness when handling internal OpenSSL data.
+
+Assisted-by: Gemini <gemini@google.com>
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crt/s2n/crypto/s2n_certificate.c | 20 ++++++++++----------
+ crt/s2n/tls/s2n_x509_validator.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crt/s2n/crypto/s2n_certificate.c b/crt/s2n/crypto/s2n_certificate.c
+index 01afc8e..ea89d06 100644
+--- a/crt/s2n/crypto/s2n_certificate.c
++++ b/crt/s2n/crypto/s2n_certificate.c
+@@ -227,8 +227,8 @@ int s2n_cert_chain_and_key_load_sans(struct s2n_cert_chain_and_key *chain_and_ke
+
+ if (san_name->type == GEN_DNS) {
+ /* Decoding isn't necessary here since a DNS SAN name is ASCII(type V_ASN1_IA5STRING) */
+- unsigned char *san_str = san_name->d.dNSName->data;
+- const size_t san_str_len = san_name->d.dNSName->length;
++ const unsigned char *san_str = ASN1_STRING_get0_data(san_name->d.dNSName);
++ const size_t san_str_len = ASN1_STRING_length(san_name->d.dNSName);
+ struct s2n_blob *san_blob = NULL;
+ POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->san_names, (void **) &san_blob));
+ if (!san_blob) {
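Review bot: `san_str_len` in the GEN_DNS branch stores the `int` returned by ASN1_STRING_length() directly in a `size_t`, so a negative return would become a very large length, and `san_str` is not NULL-checked within the hunk. The validator hunk of this same patch (s2n_verify_host_information_san_entry) reads the length into an `int` and guards it with `RESULT_ENSURE_GT(name_len, 0)`. A matching shape here would be `const int san_len = ASN1_STRING_length(san_name->d.dNSName); POSIX_ENSURE_GTE(san_len, 0);` plus `POSIX_ENSURE_REF(san_str);` before the conversion. The int-to-size_t conversion predates this change, and the rest of s2n_cert_chain_and_key_load_sans lies outside the hunk, so a later check may already cover it.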
+@@ -265,19 +265,19 @@ int s2n_cert_chain_and_key_load_cns(struct s2n_cert_chain_and_key *chain_and_key
+ POSIX_ENSURE_REF(chain_and_key->cn_names);
+ POSIX_ENSURE_REF(x509_cert);
+
+- X509_NAME *subject = X509_get_subject_name(x509_cert);
++ const X509_NAME *subject = X509_get_subject_name(x509_cert);
+ if (!subject) {
+ return 0;
+ }
+
+ int lastpos = -1;
+ while ((lastpos = X509_NAME_get_index_by_NID(subject, NID_commonName, lastpos)) >= 0) {
+- X509_NAME_ENTRY *name_entry = X509_NAME_get_entry(subject, lastpos);
++ const X509_NAME_ENTRY *name_entry = X509_NAME_get_entry(subject, lastpos);
+ if (!name_entry) {
+ continue;
+ }
+
+- ASN1_STRING *asn1_str = X509_NAME_ENTRY_get_data(name_entry);
++ const ASN1_STRING *asn1_str = X509_NAME_ENTRY_get_data(name_entry);
+ if (!asn1_str) {
+ continue;
+ }
+@@ -721,7 +721,7 @@ static int s2n_utf8_string_from_extension_data(const uint8_t *extension_data, ui
+ * Since this is an internal pointer it should not be freed or modified in any way.
+ * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
+ */
+- unsigned char *internal_data = ASN1_STRING_data(asn1_str);
++ const unsigned char *internal_data = ASN1_STRING_get0_data(asn1_str);
+ POSIX_ENSURE_REF(internal_data);
+ POSIX_CHECKED_MEMCPY(out_data, internal_data, len);
+ }
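Review bot: The comment above `internal_data` still cites the ASN1_STRING_data manual page (`Ref: .../man1.0.2/man3/ASN1_STRING_data.html`) although the call is now ASN1_STRING_get0_data(). The same stale reference is left in the later s2n_parse_x509_extension hunk that copies into `ext_value`. Suggest rewording both to something like `/* ASN1_STRING_get0_data() returns a const internal pointer; it must not be freed or modified. */` and pointing the Ref at the get0_data page. `len` is computed outside the hunk, so its bound against the destination buffer cannot be confirmed from here.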
+@@ -784,7 +784,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+ POSIX_ENSURE_REF(asn1_obj_in);
+
+ for (size_t loc = 0; loc < ext_count; loc++) {
+- ASN1_OCTET_STRING *asn1_str = NULL;
++ const ASN1_OCTET_STRING *asn1_str = NULL;
+ bool match_found = false;
+
+ /* Retrieve the x509 extension at location loc.
+@@ -793,7 +793,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+ * The returned extension is an internal pointer which must not be freed up by the application.
+ * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_get_ext.html.
+ */
+- X509_EXTENSION *x509_ext = X509_get_ext(x509_cert, loc);
++ const X509_EXTENSION *x509_ext = X509_get_ext(x509_cert, loc);
+ POSIX_ENSURE_REF(x509_ext);
+
+ /* Retrieve the extension object/OID/extnId.
+@@ -801,7 +801,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+ * The returned pointer is an internal value which must not be freed up.
+ * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_EXTENSION_get_object.html.
+ */
+- ASN1_OBJECT *asn1_obj = X509_EXTENSION_get_object(x509_ext);
++ const ASN1_OBJECT *asn1_obj = X509_EXTENSION_get_object(x509_ext);
+ POSIX_ENSURE_REF(asn1_obj);
+
+ /* OBJ_cmp() compares two ASN1_OBJECT objects. If the two are identical 0 is returned.
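Review bot: `x509_ext` is now `const X509_EXTENSION *` and is passed straight to X509_EXTENSION_get_object(), which, as far as I recall, takes a non-const pointer in OpenSSL 3.x and earlier, so the call would discard the qualifier there. That is harmless for a build that only targets OpenSSL 4.0, but it means the patch presumably cannot be applied unchanged where the bundled s2n is compiled against an older libcrypto with warnings treated as errors. A comment in the patch header stating the minimum OpenSSL version it assumes would make that explicit. s2n_parse_x509_extension continues outside this hunk, so later uses of `x509_ext` and `asn1_str` are not visible.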
+@@ -827,7 +827,7 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
+ * Since this is an internal pointer it should not be freed or modified in any way.
+ * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
+ */
+- unsigned char *internal_data = ASN1_STRING_data(asn1_str);
++ const unsigned char *internal_data = ASN1_STRING_get0_data(asn1_str);
+ POSIX_ENSURE_REF(internal_data);
+ POSIX_CHECKED_MEMCPY(ext_value, internal_data, len);
+ }
+diff --git a/crt/s2n/tls/s2n_x509_validator.c b/crt/s2n/tls/s2n_x509_validator.c
+index 26d36bf..5c72d7b 100644
+--- a/crt/s2n/tls/s2n_x509_validator.c
++++ b/crt/s2n/tls/s2n_x509_validator.c
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+- *
++ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+@@ -221,7 +221,7 @@ static S2N_RESULT s2n_verify_host_information_san_entry(struct s2n_connection *c
+ if (current_name->type == GEN_DNS || current_name->type == GEN_URI) {
+ *san_found = true;
+
+- const char *name = (const char *) ASN1_STRING_data(current_name->d.ia5);
++ const char *name = (const char *) ASN1_STRING_get0_data(current_name->d.ia5);
+ RESULT_ENSURE_REF(name);
+ int name_len = ASN1_STRING_length(current_name->d.ia5);
+ RESULT_ENSURE_GT(name_len, 0);
+@@ -235,9 +235,9 @@ static S2N_RESULT s2n_verify_host_information_san_entry(struct s2n_connection *c
+ *san_found = true;
+
+ /* try to validate an IP address if it's in the subject alt name. */
+- const unsigned char *ip_addr = current_name->d.iPAddress->data;
++ const unsigned char *ip_addr = ASN1_STRING_get0_data(current_name->d.iPAddress);
+ RESULT_ENSURE_REF(ip_addr);
+- int ip_addr_len = current_name->d.iPAddress->length;
++ int ip_addr_len = ASN1_STRING_length(current_name->d.iPAddress);
+ RESULT_ENSURE_GT(ip_addr_len, 0);
+
+ RESULT_STACK_BLOB(address, INET6_ADDRSTRLEN + 1, INET6_ADDRSTRLEN + 1);
+@@ -302,7 +302,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+ RESULT_ENSURE_REF(public_cert);
+ RESULT_ENSURE_REF(cn_found);
+
+- X509_NAME *subject_name = X509_get_subject_name(public_cert);
++ const X509_NAME *subject_name = X509_get_subject_name(public_cert);
+ RESULT_ENSURE(subject_name, S2N_ERR_CERT_UNTRUSTED);
+
+ int curr_idx = -1;
+@@ -317,7 +317,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+
+ RESULT_ENSURE(curr_idx >= 0, S2N_ERR_CERT_UNTRUSTED);
+
+- ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx));
++ const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx));
+ RESULT_ENSURE(common_name, S2N_ERR_CERT_UNTRUSTED);
+
+ /* X520CommonName allows the following ANSI string types per RFC 5280 Appendix A.1 */
+@@ -336,7 +336,7 @@ static S2N_RESULT s2n_verify_host_information_common_name(struct s2n_connection
+ RESULT_ENSURE_GT(cn_len, 0);
+ uint32_t len = (uint32_t) cn_len;
+ RESULT_ENSURE_LTE(len, s2n_array_len(peer_cn) - 1);
+- RESULT_CHECKED_MEMCPY(peer_cn, ASN1_STRING_data(common_name), len);
++ RESULT_CHECKED_MEMCPY(peer_cn, ASN1_STRING_get0_data(common_name), len);
+ RESULT_ENSURE(conn->verify_host_fn(peer_cn, len, conn->data_for_verify_host), S2N_ERR_CERT_INVALID_HOSTNAME);
+
+ return S2N_RESULT_OK;
+--
+2.53.0
+
diff --git a/python-awscrt.spec b/python-awscrt.spec
index 02f0312..73b9099 100644
--- a/python-awscrt.spec
+++ b/python-awscrt.spec
@@ -23,6 +23,8 @@ Patch1: skip-SHA1-in-test_crypto.patch
# websockets test fail fix
Patch2: websockets.patch
+Patch3: 0001-Update-OpenSSL-accessors-and-const-qualifiers.patch
+
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: gcc
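Review bot: `Patch3` is added without an explanatory comment, whereas `Patch2` directly above is annotated. Because this patch edits the bundled s2n certificate parsing and hostname-validation sources, a line such as `# Fix build with OpenSSL 4.0 (opaque ASN1/X509 structs); upstream: <UPSTREAM_PR_URL placeholder>` would let a later rebase see why it is carried and when it can be dropped.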