Implement more SSL methods by youknowone · Pull Request #6210 · RustPython/RustPython

youknowone

29-29: LGTM - OpenSSL 1.1.1 feature enabled.

The pymodule attribute now includes ossl111, enabling OpenSSL 1.1.1+ features like TLS 1.3 support and post-handshake authentication.

125-128: LGTM - TLS 1.1/1.2 and ECDH support enabled.

The new protocol constants and ECDH flag properly expose additional TLS versions and ECDH support to Python code.

Also applies to: 159-159

393-440: LGTM - Efficient lazy caching of certificate paths.

The lazy static initialization properly caches OpenSSL certificate paths and environment variable names. The unsafe CStr conversions are safe because they operate on static strings from OpenSSL.

624-653: LGTM - Proper cipher enumeration.

The method correctly iterates over OpenSSL's cipher stack and converts each cipher to a Python dictionary with name, protocol, and secret_bits fields.

655-680: LGTM - Correct ECDH curve configuration.

The method properly validates the curve name, looks up the NID, creates the EC key, and sets it on the context using a write lock.

888-901: LGTM - Correct CA certificate filtering.

The method now properly filters certificates to include only those with CA=TRUE in Basic Constraints using X509_check_ca().

934-947: LGTM - Important protocol/socket type validation.

These checks prevent creating a client socket with a server-only context (and vice versa), which would lead to confusing handshake failures.

1208-1237: LGTM - Proper verified chain extraction.

The method correctly retrieves the verified certificate chain using SSL_get0_verified_chain() and converts each certificate to DER format. The borrowed pointer handling is safe.

1254-1315: LGTM - Correct shared cipher computation.

The pointer comparison approach is correct for OpenSSL cipher suites, as cipher objects are cached globally. This matches CPython's implementation.

1317-1340: LGTM - Proper ALPN protocol retrieval.

The method correctly retrieves the negotiated ALPN protocol using SSL_get0_alpn_selected() and handles the case where no protocol was negotiated.

1342-1383: LGTM - Correct TLS channel binding implementation.

The XOR logic for determining which finished message to use matches CPython's implementation and correctly handles both session resumption and client/server roles.

1385-1406: LGTM - Proper post-handshake authentication.

The method correctly implements post-handshake client verification for TLS 1.3, with appropriate version checks and error handling.

1408-1435: LGTM - Proper SSL shutdown handling.

The method correctly performs SSL shutdown and gracefully handles non-blocking operations by treating WANT_READ/WANT_WRITE as acceptable states.

1744-1763: LGTM - Correct OpenSSL function shims.

These extern C declarations properly expose OpenSSL functions that aren't yet in openssl-sys, with appropriate version guards.

1970-2002: LGTM - Enhanced SSL error information.

The error conversion now properly exposes library and reason attributes on SSL exceptions, matching CPython's behavior. The downcast().unwrap() on line 2002 is safe because we just created the exception from ssl_error(vm).

2099-2100: LGTM - Correct X.509 version normalization.

The fix properly converts OpenSSL's 0-based version numbering (0=v1, 1=v2, 2=v3) to Python's 1-based numbering (1=v1, 2=v2, 3=v3).

2313-2313: LGTM - Improved error propagation.

The changes properly propagate errors from valid_uses() and collection operations instead of potentially panicking, improving robustness.

Also applies to: 2318-2324