feat(tls): support py-dynamic-openssl (#700)

* feat(tls): support py-dynamic-openssl

compio-py-dynamic-openssl is a specialized compio-tls implementation
dedicated for the use of compio-py, which loads OpenSSL >= 1.1.1 from
an already-loaded library dynamically at runtime, so it is recommended
against being used for general purposes.

* fix(tls): use real mod

* fix(tls): nit on imports

* ci(tls): test py_ossl

* fix(tls): make pyo3 optional

* ci: test py-dynamic-openssl

* fix(tls,py): bump compio-py-dynamic-openssl to 0.5.0

0.4.0 reexports pyo3 and honors ctx.check_hostname.
0.5.0 fixes Windows support.

---------

Co-authored-by: 王宇逸 <Strawberry_Str@hotmail.com>

Author: fantix

.github/workflows/ci_test.yml

@@ -45,6 +45,8 @@ jobs:
             no_default_features: true
           - os: 'ubuntu-22.04'
             features: 'codec-serde-json'
+          - os: 'ubuntu-22.04'
+            features: 'native-tls,ring,py-dynamic-openssl'
           - os: 'windows-latest'
             target: 'x86_64-pc-windows-msvc'
           - os: 'windows-latest'
@@ -57,8 +59,13 @@ jobs:
           - os: 'windows-latest'
             target: 'x86_64-pc-windows-msvc'
             features: 'iocp-wait-packet'
+          - os: 'windows-latest'
+            target: 'x86_64-pc-windows-msvc'
+            features: 'native-tls,ring,py-dynamic-openssl'
           - os: 'macos-14'
           - os: 'macos-15'
+          - os: 'macos-15'
+            features: 'native-tls,ring,py-dynamic-openssl'
     steps:
       - uses: actions/checkout@v4
       - name: Setup Rust Toolchain

Cargo.toml

@@ -50,6 +50,7 @@ futures-rustls = { version = "0.26.0", default-features = false }
 futures-util = "0.3.29"
 libc = "0.2.175"
 native-tls = "0.2.13"
+compio-py-dynamic-openssl = "0.5.0"
 nix = "0.31.1"
 once_cell = "1.18.0"
 os_pipe = "1.1.4"

compio-tls/Cargo.toml

@@ -23,6 +23,7 @@ rustls = { workspace = true, default-features = false, optional = true, features
     "std",
     "tls12",
 ] }
+compio-py-dynamic-openssl = { workspace = true, optional = true }
 
 futures-rustls = { workspace = true, default-features = false, optional = true, features = [
     "logging",
@@ -47,6 +48,7 @@ default = ["native-tls"]
 all = ["native-tls", "rustls"]
 rustls = ["dep:rustls", "dep:futures-rustls", "dep:futures-util"]
 native-tls-vendored = ["native-tls/vendored"]
+py-dynamic-openssl = ["dep:compio-py-dynamic-openssl"]
 
 ring = ["rustls", "rustls/ring", "futures-rustls/ring"]
 

compio-tls/src/adapter.rs

@@ -13,7 +13,13 @@ enum TlsConnectorInner {
     NativeTls(native_tls::TlsConnector),
     #[cfg(feature = "rustls")]
     Rustls(futures_rustls::TlsConnector),
-    #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+    #[cfg(feature = "py-dynamic-openssl")]
+    PyDynamicOpenSsl(compio_py_dynamic_openssl::SSLContext),
+    #[cfg(not(any(
+        feature = "native-tls",
+        feature = "rustls",
+        feature = "py-dynamic-openssl"
+    )))]
     None(std::convert::Infallible),
 }
 
@@ -24,7 +30,13 @@ impl Debug for TlsConnectorInner {
             Self::NativeTls(_) => f.debug_tuple("NativeTls").finish(),
             #[cfg(feature = "rustls")]
             Self::Rustls(_) => f.debug_tuple("Rustls").finish(),
-            #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+            #[cfg(feature = "py-dynamic-openssl")]
+            Self::PyDynamicOpenSsl(_) => f.debug_tuple("PyDynamicOpenSsl").finish(),
+            #[cfg(not(any(
+                feature = "native-tls",
+                feature = "rustls",
+                feature = "py-dynamic-openssl"
+            )))]
             Self::None(f) => match *f {},
         }
     }
@@ -49,6 +61,14 @@ impl From<std::sync::Arc<rustls::ClientConfig>> for TlsConnector {
     }
 }
 
+#[cfg(feature = "py-dynamic-openssl")]
+#[doc(hidden)]
+impl From<compio_py_dynamic_openssl::SSLContext> for TlsConnector {
+    fn from(value: compio_py_dynamic_openssl::SSLContext) -> Self {
+        Self(TlsConnectorInner::PyDynamicOpenSsl(value))
+    }
+}
+
 impl TlsConnector {
     /// Connects the provided stream with this connector, assuming the provided
     /// domain.
@@ -82,7 +102,15 @@ impl TlsConnector {
                     .await?;
                 Ok(TlsStream::from(client))
             }
-            #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+            #[cfg(feature = "py-dynamic-openssl")]
+            TlsConnectorInner::PyDynamicOpenSsl(c) => {
+                crate::py_ossl::handshake(c.connect(domain, SyncStream::new(stream))).await
+            }
+            #[cfg(not(any(
+                feature = "native-tls",
+                feature = "rustls",
+                feature = "py-dynamic-openssl"
+            )))]
             TlsConnectorInner::None(f) => match *f {},
         }
     }
@@ -94,7 +122,13 @@ enum TlsAcceptorInner {
     NativeTls(native_tls::TlsAcceptor),
     #[cfg(feature = "rustls")]
     Rustls(futures_rustls::TlsAcceptor),
-    #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+    #[cfg(feature = "py-dynamic-openssl")]
+    PyDynamicOpenSsl(compio_py_dynamic_openssl::SSLContext),
+    #[cfg(not(any(
+        feature = "native-tls",
+        feature = "rustls",
+        feature = "py-dynamic-openssl"
+    )))]
     None(std::convert::Infallible),
 }
 
@@ -120,6 +154,13 @@ impl From<std::sync::Arc<rustls::ServerConfig>> for TlsAcceptor {
     }
 }
 
+#[cfg(feature = "py-dynamic-openssl")]
+impl From<compio_py_dynamic_openssl::SSLContext> for TlsAcceptor {
+    fn from(value: compio_py_dynamic_openssl::SSLContext) -> Self {
+        Self(TlsAcceptorInner::PyDynamicOpenSsl(value))
+    }
+}
+
 impl TlsAcceptor {
     /// Accepts a new client connection with the provided stream.
     ///
@@ -145,7 +186,15 @@ impl TlsAcceptor {
                 let server = c.accept(AsyncStream::new(stream)).await?;
                 Ok(TlsStream::from(server))
             }
-            #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+            #[cfg(feature = "py-dynamic-openssl")]
+            TlsAcceptorInner::PyDynamicOpenSsl(a) => {
+                crate::py_ossl::handshake(a.accept(SyncStream::new(stream))).await
+            }
+            #[cfg(not(any(
+                feature = "native-tls",
+                feature = "rustls",
+                feature = "py-dynamic-openssl"
+            )))]
             TlsAcceptorInner::None(f) => match *f {},
         }
     }

compio-tls/src/lib.rs

@@ -11,6 +11,8 @@
 #![cfg_attr(feature = "read_buf", feature(read_buf, core_io_borrowed_buf))]
 #![cfg_attr(docsrs, feature(doc_cfg))]
 
+#[cfg(feature = "py-dynamic-openssl")]
+pub use compio_py_dynamic_openssl as py_dynamic_openssl;
 #[cfg(feature = "native-tls")]
 pub use native_tls;
 #[cfg(feature = "rustls")]
@@ -28,3 +30,7 @@ pub use stream::*;
 mod rtls;
 #[cfg(feature = "rustls")]
 pub use rtls::*;
+
+#[cfg(feature = "py-dynamic-openssl")]
+#[doc(hidden)]
+mod py_ossl;

compio-tls/src/py_ossl.rs

@@ -0,0 +1,143 @@
+use std::{borrow::Cow, io};
+
+use compio_io::{AsyncRead, AsyncWrite, compat::SyncStream};
+use compio_py_dynamic_openssl::ssl::{Error, ErrorCode, HandshakeError, ShutdownResult, SslStream};
+
+use crate::TlsStream;
+
+pub(crate) async fn handshake<S: AsyncRead + AsyncWrite>(
+    mut res: Result<SslStream<SyncStream<S>>, HandshakeError<SyncStream<S>>>,
+) -> io::Result<TlsStream<S>> {
+    loop {
+        match res {
+            Ok(mut s) => {
+                let inner = s.get_mut();
+                if inner.has_pending_write() {
+                    inner.flush_write_buf().await?;
+                }
+                return Ok(TlsStream::from(s));
+            }
+            Err(e) => match e {
+                HandshakeError::SetupFailure(e) => return Err(io::Error::other(e)),
+                HandshakeError::Failure(mid_stream) => {
+                    return Err(io::Error::other(mid_stream.into_error()));
+                }
+                HandshakeError::WouldBlock(mut mid_stream) => {
+                    let s = mid_stream.get_mut();
+                    if s.has_pending_write() {
+                        s.flush_write_buf().await?;
+                    } else {
+                        s.fill_read_buf().await?;
+                    }
+                    res = mid_stream.handshake();
+                }
+            },
+        }
+    }
+}
+
+enum DriveResult<T> {
+    WantRead,
+    WantWrite,
+    Ready(io::Result<T>),
+}
+
+impl<T> From<Error> for DriveResult<T> {
+    fn from(e: Error) -> Self {
+        match e.code() {
+            ErrorCode::WANT_READ => DriveResult::WantRead,
+            ErrorCode::WANT_WRITE => DriveResult::WantWrite,
+            _ => DriveResult::Ready(Err(e.into_io_error().unwrap_or_else(io::Error::other))),
+        }
+    }
+}
+
+impl<T> From<Result<T, Error>> for DriveResult<T> {
+    fn from(res: Result<T, Error>) -> Self {
+        match res {
+            Ok(t) => DriveResult::Ready(Ok(t)),
+            Err(e) => e.into(),
+        }
+    }
+}
+
+#[inline]
+async fn drive<S, F, T>(s: &mut SslStream<SyncStream<S>>, mut f: F) -> io::Result<T>
+where
+    S: AsyncRead + AsyncWrite,
+    F: FnMut(&mut SslStream<SyncStream<S>>) -> DriveResult<T>,
+{
+    loop {
+        let res = f(s);
+        let s = s.get_mut();
+        if s.has_pending_write() {
+            s.flush_write_buf().await?;
+        }
+        match res {
+            DriveResult::Ready(res) => break res,
+            DriveResult::WantRead => _ = s.fill_read_buf().await?,
+            DriveResult::WantWrite => {}
+        }
+    }
+}
+
+pub(crate) fn negotiated_alpn<S>(s: &SslStream<SyncStream<S>>) -> Option<Cow<'_, [u8]>> {
+    s.ssl()
+        .selected_alpn_protocol()
+        .map(|alpn| alpn.to_vec())
+        .map(Cow::from)
+}
+
+pub(crate) async fn read<S>(s: &mut SslStream<SyncStream<S>>, slice: &mut [u8]) -> io::Result<usize>
+where
+    S: AsyncRead + AsyncWrite,
+{
+    drive(s, |s| match s.ssl_read(slice) {
+        Ok(n) => DriveResult::Ready(Ok(n)),
+        Err(e) => match e.code() {
+            ErrorCode::ZERO_RETURN => DriveResult::Ready(Ok(0)),
+            ErrorCode::SYSCALL if e.io_error().is_none() => DriveResult::Ready(Ok(0)),
+            _ => e.into(),
+        },
+    })
+    .await
+}
+
+pub(crate) async fn write<S>(s: &mut SslStream<SyncStream<S>>, slice: &[u8]) -> io::Result<usize>
+where
+    S: AsyncRead + AsyncWrite,
+{
+    drive(s, |s| s.ssl_write(slice).into()).await
+}
+
+pub(crate) async fn shutdown<S>(s: &mut SslStream<SyncStream<S>>) -> io::Result<()>
+where
+    S: AsyncRead + AsyncWrite,
+{
+    let res = drive(s, |s| match s.shutdown() {
+        Ok(res) => DriveResult::Ready(Ok(res)),
+        Err(e) => {
+            if e.code() == ErrorCode::ZERO_RETURN {
+                DriveResult::Ready(Ok(ShutdownResult::Received))
+            } else {
+                e.into()
+            }
+        }
+    })
+    .await?;
+    if let Err(e) = s.get_mut().get_mut().shutdown().await
+        && e.kind() != io::ErrorKind::NotConnected
+    {
+        return Err(e);
+    }
+    match res {
+        // If close_notify has been sent but the peer has not responded with
+        // close_notify, we let the caller know by returning Err(WouldBlock).
+        // This behavior is different from the others as a Python-only hack.
+        ShutdownResult::Sent => Err(io::Error::new(
+            io::ErrorKind::WouldBlock,
+            "close_notify sent",
+        )),
+        ShutdownResult::Received => Ok(()),
+    }
+}