clean up ssl

youknowone · youknowone · commit 2f9375a908d7 · 2025-10-24T21:53:50.000+09:00
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -1280,7 +1280,6 @@ def getpass(self):
         ctx.load_cert_chain(CERTFILE, password=getpass_exception)
 
     @threading_helper.requires_working_threading()
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_load_cert_chain_thread_safety(self):
         # gh-134698: _ssl detaches the thread state (and as such,
         # releases the GIL and critical sections) around expensive
@@ -1568,7 +1567,6 @@ def _assert_context_options(self, ctx):
         self.assertEqual(ctx.options & ssl.OP_LEGACY_SERVER_CONNECT,
                          0 if IS_OPENSSL_3_0_0 else ssl.OP_LEGACY_SERVER_CONNECT)
 
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_create_default_context(self):
         ctx = ssl.create_default_context()
 
@@ -3135,7 +3133,6 @@ def test_ecc_cert(self):
 
     @unittest.skipUnless(IS_OPENSSL_3_0_0,
                          "test requires RFC 5280 check added in OpenSSL 3.0+")
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_verify_strict(self):
         # verification fails by default, since the server cert is non-conforming
         client_context = ssl.create_default_context()
@@ -3567,7 +3564,6 @@ def test_starttls(self):
             else:
                 s.close()
 
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_socketserver(self):
         """Using socketserver to create and manage SSL connections."""
         server = make_https_server(self, certfile=SIGNED_CERTFILE)
@@ -5343,7 +5339,6 @@ def call_after_accept(conn_to_client):
                 wrap_error = None
             server = None
 
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_https_client_non_tls_response_ignored(self):
         server_responding = threading.Event()
 
diff --git a/stdlib/src/ssl.rs b/stdlib/src/ssl.rs
@@ -39,7 +39,7 @@ mod _ssl {
         socket::{self, PySocket},
         vm::{
             Py, PyObjectRef, PyPayload, PyRef, PyResult, VirtualMachine,
-            builtins::{PyBaseExceptionRef, PyBytesRef, PyListRef, PyStrRef, PyType, PyTypeRef, PyWeak},
+            builtins::{PyBaseExceptionRef, PyBytesRef, PyListRef, PyStrRef, PyTypeRef, PyWeak},
             class_or_notimplemented,
             convert::{ToPyException, ToPyObject},
             exceptions,
@@ -66,7 +66,8 @@ mod _ssl {
         ffi::CStr,
         fmt,
         io::{Read, Write},
-        path::Path,
+        path::{Path, PathBuf},
+        sync::LazyLock,
         time::Instant,
     };
 
@@ -191,7 +192,8 @@ mod _ssl {
 
     #[pyattr(name = "_OPENSSL_API_VERSION")]
     fn _openssl_api_version(_vm: &VirtualMachine) -> OpensslVersionInfo {
-        let openssl_api_version = i64::from_str_radix(env!("OPENSSL_API_VERSION"), 16).unwrap();
+        let openssl_api_version = i64::from_str_radix(env!("OPENSSL_API_VERSION"), 16)
+            .expect("OPENSSL_API_VERSION is malformed");
         parse_version_info(openssl_api_version)
     }
 
@@ -249,7 +251,8 @@ mod _ssl {
     /// SSL/TLS connection terminated abruptly.
     #[pyattr(name = "SSLEOFError", once)]
     fn ssl_eof_error(vm: &VirtualMachine) -> PyTypeRef {
-        PyType::new_simple_heap("ssl.SSLEOFError", &ssl_error(vm), &vm.ctx).unwrap()
+        vm.ctx
+            .new_exception_type("ssl", "SSLEOFError", Some(vec![ssl_error(vm)]))
     }
 
     type OpensslVersionInfo = (u8, u8, u8, u8, u8);
@@ -350,14 +353,17 @@ mod _ssl {
     }
 
     type PyNid = (libc::c_int, String, String, Option<String>);
-    fn obj2py(obj: &Asn1ObjectRef) -> PyNid {
+    fn obj2py(obj: &Asn1ObjectRef, vm: &VirtualMachine) -> PyResult<PyNid> {
         let nid = obj.nid();
-        (
-            nid.as_raw(),
-            nid.short_name().unwrap().to_owned(),
-            nid.long_name().unwrap().to_owned(),
-            obj2txt(obj, true),
-        )
+        let short_name = nid
+            .short_name()
+            .map_err(|_| vm.new_value_error("NID has no short name".to_owned()))?
+            .to_owned();
+        let long_name = nid
+            .long_name()
+            .map_err(|_| vm.new_value_error("NID has no long name".to_owned()))?
+            .to_owned();
+        Ok((nid.as_raw(), short_name, long_name, obj2txt(obj, true)))
     }
 
     #[derive(FromArgs)]
@@ -371,55 +377,81 @@ mod _ssl {
     fn txt2obj(args: Txt2ObjArgs, vm: &VirtualMachine) -> PyResult<PyNid> {
         _txt2obj(&args.txt.to_cstring(vm)?, !args.name)
             .as_deref()
-            .map(obj2py)
             .ok_or_else(|| vm.new_value_error(format!("unknown object '{}'", args.txt)))
+            .and_then(|obj| obj2py(obj, vm))
     }
 
     #[pyfunction]
     fn nid2obj(nid: libc::c_int, vm: &VirtualMachine) -> PyResult<PyNid> {
         _nid2obj(Nid::from_raw(nid))
             .as_deref()
-            .map(obj2py)
             .ok_or_else(|| vm.new_value_error(format!("unknown NID {nid}")))
+            .and_then(|obj| obj2py(obj, vm))
     }
 
-    fn get_cert_file_dir() -> (&'static Path, &'static Path) {
-        let probe = probe();
-        // on windows, these should be utf8 strings
-        fn path_from_bytes(c: &CStr) -> &Path {
+    // Lazily compute and cache cert file/dir paths
+    static CERT_PATHS: LazyLock<(PathBuf, PathBuf)> = LazyLock::new(|| {
+        fn path_from_cstr(c: &CStr) -> PathBuf {
             #[cfg(unix)]
             {
                 use std::os::unix::ffi::OsStrExt;
-                std::ffi::OsStr::from_bytes(c.to_bytes()).as_ref()
+                std::ffi::OsStr::from_bytes(c.to_bytes()).into()
             }
             #[cfg(windows)]
             {
-                c.to_str().unwrap().as_ref()
+                // Use lossy conversion for potential non-UTF8
+                PathBuf::from(c.to_string_lossy().as_ref())
             }
         }
-        let cert_file = probe.cert_file.as_deref().unwrap_or_else(|| {
-            path_from_bytes(unsafe { CStr::from_ptr(sys::X509_get_default_cert_file()) })
-        });
-        let cert_dir = probe.cert_dir.as_deref().unwrap_or_else(|| {
-            path_from_bytes(unsafe { CStr::from_ptr(sys::X509_get_default_cert_dir()) })
-        });
+
+        let probe = probe();
+        let cert_file = probe
+            .cert_file
+            .as_ref()
+            .map(PathBuf::from)
+            .unwrap_or_else(|| {
+                path_from_cstr(unsafe { CStr::from_ptr(sys::X509_get_default_cert_file()) })
+            });
+        let cert_dir = probe
+            .cert_dir
+            .as_ref()
+            .map(PathBuf::from)
+            .unwrap_or_else(|| {
+                path_from_cstr(unsafe { CStr::from_ptr(sys::X509_get_default_cert_dir()) })
+            });
         (cert_file, cert_dir)
+    });
+
+    fn get_cert_file_dir() -> (&'static Path, &'static Path) {
+        let (cert_file, cert_dir) = &*CERT_PATHS;
+        (cert_file.as_path(), cert_dir.as_path())
     }
 
+    // Lazily compute and cache cert environment variable names
+    static CERT_ENV_NAMES: LazyLock<(String, String)> = LazyLock::new(|| {
+        let cert_file_env = unsafe { CStr::from_ptr(sys::X509_get_default_cert_file_env()) }
+            .to_string_lossy()
+            .into_owned();
+        let cert_dir_env = unsafe { CStr::from_ptr(sys::X509_get_default_cert_dir_env()) }
+            .to_string_lossy()
+            .into_owned();
+        (cert_file_env, cert_dir_env)
+    });
+
     #[pyfunction]
     fn get_default_verify_paths(
         vm: &VirtualMachine,
     ) -> PyResult<(&'static str, PyObjectRef, &'static str, PyObjectRef)> {
-        let cert_file_env = unsafe { CStr::from_ptr(sys::X509_get_default_cert_file_env()) }
-            .to_str()
-            .unwrap();
-        let cert_dir_env = unsafe { CStr::from_ptr(sys::X509_get_default_cert_dir_env()) }
-            .to_str()
-            .unwrap();
+        let (cert_file_env, cert_dir_env) = &*CERT_ENV_NAMES;
         let (cert_file, cert_dir) = get_cert_file_dir();
         let cert_file = OsPath::new_str(cert_file).filename(vm);
         let cert_dir = OsPath::new_str(cert_dir).filename(vm);
-        Ok((cert_file_env, cert_file, cert_dir_env, cert_dir))
+        Ok((
+            cert_file_env.as_str(),
+            cert_file,
+            cert_dir_env.as_str(),
+            cert_dir,
+        ))
     }
 
     #[pyfunction(name = "RAND_status")]
@@ -1869,12 +1901,12 @@ mod _ssl {
         }
 
         #[pygetset]
-        fn id(&self, vm: &VirtualMachine) -> PyObjectRef {
+        fn id(&self, vm: &VirtualMachine) -> PyBytesRef {
             unsafe {
                 let mut len: libc::c_uint = 0;
                 let id_ptr = sys::SSL_SESSION_get_id(self.session, &mut len);
                 let id_slice = std::slice::from_raw_parts(id_ptr, len as usize);
-                vm.ctx.new_bytes(id_slice.to_vec()).into()
+                vm.ctx.new_bytes(id_slice.to_vec())
             }
         }
 
@@ -2259,8 +2291,7 @@ mod windows {
                 ValidUses::Oids(oids) => PyFrozenSet::from_iter(
                     vm,
                     oids.into_iter().map(|oid| vm.ctx.new_str(oid).into()),
-                )
-                .unwrap()
+                )?
                 .into_ref(&vm.ctx)
                 .into(),
             };
