bpo-33062: Add SSL renegotiation and key update

[fantix]

@1st1 This PR is for testing new asyncio/sslproto.py.

TODOs:

• News
• Test renegotiation
• Test key update
• Test errors

https://bugs.python.org/issue33062

[1st1]

Do we want an else branch with these methods raising a NotImplementedError?

[1st1]

I think you need to provide alternative implementations of these functions raising NotImplementedError for the #else branch (otherwise this might not compile at all).

[fantix]

Make sense, will do.

[1st1]

Actually the #if should be inside the function, otherwise argument clinic will have hard time figuring out what you are doing.

[fantix]

Yeah it'll be safer that way, will do (currently it seems clinic is clever enough to copy the ifdef to .h file, and make it an empty METHODDEF macro if false, so that the same ifdef won't be necessary when using the METHODDEF).

[1st1]

currently it seems clinic is clever enough to copy the ifdef to .h file, and make it an empty METHODDEF macro if false, so that the same ifdef won't be necessary when using the METHODDEF

That's cool, I didn't know it's that smart :) Then feel free to keep your code as is.

[1st1]

Use { even for single statement ifs (as per updated PEP 7)

[fantix]

OK! Thanks for the comments.

[1st1]

@tiran Christian, this is a WIP, but would be great to get a green light from you in general.

[tiran]

Hi @fantix

thanks for your patch! It's a promising start. I'm currently travelling and will look into your PR next week.

[fantix]

Thanks @tiran Christian! In the meanwhile I'll get the remaining TODOs done.

[1st1]

@tiran a gentle friendly ping :)

[fantix]

Thanks! I’m working on a rebase and update here, shall commit in 18 hours.

[tiran]

I'm not a fan of mixin classes... The functions don't do much work, so it should be easy to move the common code to C.

[fantix]

Ah yes, that looks a bit duplicate, will fix, thanks!

[fantix]

@tiran any other comments please?

[asvetlov]

In Python we don't use sphinx markup in docstrings, documentation is not authogenerated but written manually.

[fantix]

Ah, thanks for this one! I'll update docs too.

[tiran]

This approach looks strange and uncommon to me. I opened #9972, which I believe is a better approach to handle common doc strings.

[fantix]

Yes it is! I'll rebase up to #9972 once it is merged. Thanks!

[tiran]

Please document the new methods and constants in the module documentation. The doc strings are less relevant and should be shorter. You can also inlcude a whatsnew

[tiran]

This approach looks strange and uncommon to me. I opened #9972, which I believe is a better approach to handle common doc strings.

[tiran]

With TLS 1.3, you can also force an immediate rekey. From the documentation, https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html

Alternatively SSL_do_handshake() can be called to force the update to take place immediately.

[fantix]

Yeah I also found that during writing docs,

Alternatively do_handshake() can be called to force the update to take place immediately.

Do you think it a better approach to wrap OpenSSL API into high level API like this:

    def key_update(self, updatetype, *, deferred=False):
        self._sslobj.key_update(updatetype)
        if not deferred:
            self._sslobj.do_handshake()

Or stay with OpenSSL-style API and document the details? Now I prefer the high-level one, leaving the low-level API with the _ssl module.

[bedevere-bot]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[csabella]

@fantix, please resolve the merge conflict. Thanks!

[fantix]

@csabella oh right, yes will do!

[csabella]

@fantix, please resolve the merge conflict. Thanks!

[jdevries3133]

@csabella @fantix I went ahead and resolved the merge conflicts. The conflicts were only in auto-generated files, so I just regenerated them and also fixed one test that had broken in the interim since these changes were made. You can see the diff here, although I didn't open a new PR; I'm not sure whether I should, or what I should do next, for that matter:

main...jdevries3133:[bpo-33063](https://bugs.python.org/issue33063)-ssl-renegotiation

I did have a few notes about how I fixed a broken test, including a question:

In one of the new tests, there was a check that the OpenSSL version is 1.1.
I believe that python must be built againt OpenSSL 1.1 now, right? I removed
the check because it was using a variable which is now undefined. Presumably
it was exported from SSL when the test was originally written.

In any case, if we do need to check the version, I can just use
ssl.OPENSSL_VERSION_INFO, but if I understand correctly, the check is not
necessary. If that's not right, just let me know!

[github-actions]

This PR is stale because it has been open for 30 days with no activity.