bpo-33062: Add SSL renegotiation and key update #8620
Conversation
Lib/ssl.py
Outdated
| class SSLObject: | ||
| class _KeyUpdateMixin: | ||
| if HAS_TLSv1_3: | ||
| def key_update(self, updatetype): |
There was a problem hiding this comment.
Do we want an else branch with these methods raising a NotImplementedError?
Modules/_ssl.c
Outdated
| @@ -1050,6 +1050,107 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self) | |||
| return NULL; | |||
| } | |||
|
|
|||
| #if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) | |||
There was a problem hiding this comment.
I think you need to provide alternative implementations of these functions raising NotImplementedError for the #else branch (otherwise this might not compile at all).
There was a problem hiding this comment.
Actually the #if should be inside the function, otherwise argument clinic will have hard time figuring out what you are doing.
There was a problem hiding this comment.
Yeah it'll be safer that way, will do (currently it seems clinic is clever enough to copy the ifdef to .h file, and make it an empty METHODDEF macro if false, so that the same ifdef won't be necessary when using the METHODDEF).
There was a problem hiding this comment.
currently it seems clinic is clever enough to copy the ifdef to .h file, and make it an empty METHODDEF macro if false, so that the same ifdef won't be necessary when using the METHODDEF
That's cool, I didn't know it's that smart :) Then feel free to keep your code as is.
Modules/_ssl.c
Outdated
| _PySSL_UPDATE_ERRNO_IF(ret == 0, self, ret); | ||
| PySSL_END_ALLOW_THREADS | ||
|
|
||
| if (PyErr_CheckSignals()) |
There was a problem hiding this comment.
Use { even for single statement ifs (as per updated PEP 7)
There was a problem hiding this comment.
OK! Thanks for the comments.
|
@tiran Christian, this is a WIP, but would be great to get a green light from you in general. |
|
Hi @fantix thanks for your patch! It's a promising start. I'm currently travelling and will look into your PR next week. |
|
Thanks @tiran Christian! In the meanwhile I'll get the remaining TODOs done. |
fantix
force-pushed
the
bpo-33062/ssl-renegotiation
branch
from
bbf733e
to
45a906a
Compare
fantix
changed the title
|
@tiran a gentle friendly ping :) |
|
Thanks! I’m working on a rebase and update here, shall commit in 18 hours. |
fantix
force-pushed
the
bpo-33062/ssl-renegotiation
branch
from
45a906a
to
1f6d47b
Compare
|
I'm not a fan of mixin classes... The functions don't do much work, so it should be easy to move the common code to C. |
|
Ah yes, that looks a bit duplicate, will fix, thanks! |
fantix
force-pushed
the
bpo-33062/ssl-renegotiation
branch
from
1f6d47b
to
6bc07a9
Compare
fantix
force-pushed
the
bpo-33062/ssl-renegotiation
branch
from
6bc07a9
to
a953365
Compare
|
@tiran any other comments please? |
| Raises NotImplementedError if the TLS implementation doesn't support | ||
| TLS 1.3.) | ||
|
|
||
| :param updatetype: KeyUpdateTypes |
There was a problem hiding this comment.
In Python we don't use sphinx markup in docstrings, documentation is not authogenerated but written manually.
There was a problem hiding this comment.
Ah, thanks for this one! I'll update docs too.
There was a problem hiding this comment.
This approach looks strange and uncommon to me. I opened #9972, which I believe is a better approach to handle common doc strings.
There was a problem hiding this comment.
Yes it is! I'll rebase up to #9972 once it is merged. Thanks!
| Raises NotImplementedError if the TLS implementation doesn't support | ||
| TLS 1.3.) | ||
|
|
||
| :param updatetype: KeyUpdateTypes |
There was a problem hiding this comment.
This approach looks strange and uncommon to me. I opened #9972, which I believe is a better approach to handle common doc strings.
| @@ -780,6 +785,23 @@ def version(self): | |||
| def verify_client_post_handshake(self): | |||
| return self._sslobj.verify_client_post_handshake() | |||
|
|
|||
| def key_update(self, updatetype): | |||
There was a problem hiding this comment.
With TLS 1.3, you can also force an immediate rekey. From the documentation, https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html
Alternatively SSL_do_handshake() can be called to force the update to take place immediately.
There was a problem hiding this comment.
Yeah I also found that during writing docs,
Alternatively do_handshake() can be called to force the update to take place immediately.
Do you think it a better approach to wrap OpenSSL API into high level API like this:
def key_update(self, updatetype, *, deferred=False):
self._sslobj.key_update(updatetype)
if not deferred:
self._sslobj.do_handshake()Or stay with OpenSSL-style API and document the details? Now I prefer the high-level one, leaving the low-level API with the _ssl module.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
@fantix, please resolve the merge conflict. Thanks! |
|
@csabella oh right, yes will do! |
|
@fantix, please resolve the merge conflict. Thanks! |
|
@csabella @fantix I went ahead and resolved the merge conflicts. The conflicts were only in auto-generated files, so I just regenerated them and also fixed one test that had broken in the interim since these changes were made. You can see the diff here, although I didn't open a new PR; I'm not sure whether I should, or what I should do next, for that matter: main...jdevries3133:[bpo-33063](https://bugs.python.org/issue33063)-ssl-renegotiation I did have a few notes about how I fixed a broken test, including a question:
|
@1st1 This PR is for testing new
asyncio/sslproto.py.TODOs:
https://bugs.python.org/issue33062