Skip to content

gh-136306: Add support for SSL groups #136307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
gh-136306: Address additional review comments
  • Loading branch information
ronf committed Jul 6, 2025
commit 304c223cbd6f4e04225b6e9e1b103722f40be9f7
12 changes: 7 additions & 5 deletions Doc/library/ssl.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1289,6 +1289,8 @@ SSL sockets also have the following additional methods and attributes:
Return the group used for doing key agreement on this connection. If no
connection has been established, returns ``None``.

.. versionadded:: next

.. method:: SSLSocket.compression()

Return the compression algorithm being used as a string, or ``None``
Expand Down Expand Up @@ -1653,10 +1655,10 @@ to speed up repeated connections from the same clients.
values. For example::

>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.maximum_version=ssl.TLSVersion.TLSv1_3
>>> ctx.get_groups()
['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', 'brainpoolP256r1tls13', 'brainpoolP384r1tls13', 'brainpoolP512r1tls13', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192', 'MLKEM512', 'MLKEM768', 'MLKEM1024', 'SecP256r1MLKEM768', 'X25519MLKEM768', 'SecP384r1MLKEM1024']
>>> ctx.minimum_version = ssl.TLSVersion.TLSv1_3
>>> ctx.maximum_version = ssl.TLSVersion.TLSv1_3
>>> ctx.get_groups() # doctest: +SKIP
['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', ...]

By default, this method returns only the preferred IANA names for the
available groups. However, if the ``include_aliases`` parameter is set to
Expand Down Expand Up @@ -1700,7 +1702,7 @@ to speed up repeated connections from the same clients.
When connected, the :meth:`SSLSocket.group` method of SSL sockets will
return the group used for key agreement on that connection.

.. versionadded:: 3.15
.. versionadded:: next

.. method:: SSLContext.set_alpn_protocols(protocols)

Expand Down
20 changes: 8 additions & 12 deletions Modules/_ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -2157,12 +2157,10 @@ _ssl__SSLSocket_group_impl(PySSLSocket *self)
if (self->ssl == NULL) {
Py_RETURN_NONE;
}

group_name = SSL_get0_group_name(self->ssl);
if (group_name == NULL) {
Py_RETURN_NONE;
}

return PyUnicode_DecodeFSDefault(group_name);
#else
PyErr_SetString(PyExc_NotImplementedError,
Expand Down Expand Up @@ -3467,18 +3465,13 @@ _ssl__SSLContext_get_groups_impl(PySSLContext *self, int include_aliases)
size_t i, num;
PyObject *item, *result = NULL;

// This "groups" object is dynamically allocated, but the strings inside
// it are internal constants which shouldn't ever be modified or freed.
if ((groups = sk_OPENSSL_CSTRING_new_null()) == NULL) {
_setSSLError(get_state_ctx(self), "Can't allocate stack", 0, __FILE__, __LINE__);
goto error;
goto error;
}

/*
* Note: The "groups" stack is dynamically allocated, but the strings
* returned in the stack are references to internal constants which
* should NOT be modified or freed. They should also be plain ASCII,
* so there should be no decoding issue when converting to Unicode.
*/

if (!SSL_CTX_get0_implemented_groups(self->ctx, include_aliases, groups)) {
_setSSLError(get_state_ctx(self), "Can't get groups", 0, __FILE__, __LINE__);
goto error;
Expand All @@ -3492,11 +3485,14 @@ _ssl__SSLContext_get_groups_impl(PySSLContext *self, int include_aliases)
}

for (i = 0; i < num; ++i) {
// There's no allocation here, so group won't ever be NULL.
group = sk_OPENSSL_CSTRING_value(groups, i);
assert(group != NULL);
assert(group != NULL);

// Group names are plain ASCII, so there's no chance of a decoding
// error here. However, an allocation failure could occur when
// constructing the Unicode version of the names.
item = PyUnicode_DecodeFSDefault(group);

if (item == NULL) {
_setSSLError(get_state_ctx(self), "Can't allocate group name", 0, __FILE__, __LINE__);
goto error;
Expand Down
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy