Add ssl_data

Author: youknowone

Cargo.lock

@@ -1715,7 +1715,6 @@ def test_str(self):
         self.assertEqual(str(e), "foo")
         self.assertEqual(e.errno, 1)
 
-    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_lib_reason(self):
         # Test the library and reason attributes
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
@@ -4760,6 +4759,7 @@ def test_pha_optional_nocert(self):
                 s.write(b'HASCERT')
                 self.assertEqual(s.recv(1024), b'FALSE\n')
 
+    @unittest.expectedFailure  # TODO: RUSTPYTHON
     def test_pha_no_pha_client(self):
         client_context, server_context, hostname = testing_context()
         server_context.post_handshake_auth = True

Lib/test/test_ssl.py

@@ -0,0 +1,167 @@
+#!/usr/bin/env python3
+
+"""
+Generate Rust SSL error mapping code from OpenSSL sources.
+
+This is based on CPython's Tools/ssl/make_ssl_data.py but generates
+Rust code instead of C headers.
+
+It takes two arguments:
+- the path to the OpenSSL source tree (e.g. git checkout)
+- the path to the Rust file to be generated (e.g. stdlib/src/ssl/ssl_data.rs)
+- error codes are version specific
+"""
+
+import argparse
+import datetime
+import operator
+import os
+import re
+import sys
+
+
+parser = argparse.ArgumentParser(
+    description="Generate ssl_data.rs from OpenSSL sources"
+)
+parser.add_argument("srcdir", help="OpenSSL source directory")
+parser.add_argument(
+    "output", nargs="?", default=None
+)
+
+
+def _file_search(fname, pat):
+    with open(fname, encoding="utf-8") as f:
+        for line in f:
+            match = pat.search(line)
+            if match is not None:
+                yield match
+
+
+def parse_err_h(args):
+    """Parse err codes, e.g. ERR_LIB_X509: 11"""
+    pat = re.compile(r"#\s*define\W+ERR_LIB_(\w+)\s+(\d+)")
+    lib2errnum = {}
+    for match in _file_search(args.err_h, pat):
+        libname, num = match.groups()
+        lib2errnum[libname] = int(num)
+
+    return lib2errnum
+
+
+def parse_openssl_error_text(args):
+    """Parse error reasons, X509_R_AKID_MISMATCH"""
+    # ignore backslash line continuation for now
+    pat = re.compile(r"^((\w+?)_R_(\w+)):(\d+):")
+    for match in _file_search(args.errtxt, pat):
+        reason, libname, errname, num = match.groups()
+        if "_F_" in reason:
+            # ignore function codes
+            continue
+        num = int(num)
+        yield reason, libname, errname, num
+
+
+def parse_extra_reasons(args):
+    """Parse extra reasons from openssl.ec"""
+    pat = re.compile(r"^R\s+((\w+)_R_(\w+))\s+(\d+)")
+    for match in _file_search(args.errcodes, pat):
+        reason, libname, errname, num = match.groups()
+        num = int(num)
+        yield reason, libname, errname, num
+
+
+def gen_library_codes_rust(args):
+    """Generate Rust phf map for library codes"""
+    yield "// Maps lib_code -> library name"
+    yield "// Example: 20 -> \"SSL\""
+    yield "pub static LIBRARY_CODES: phf::Map<u32, &'static str> = phf_map! {"
+
+    # Deduplicate: keep the last one if there are duplicates
+    seen = {}
+    for libname in sorted(args.lib2errnum):
+        lib_num = args.lib2errnum[libname]
+        seen[lib_num] = libname
+
+    for lib_num in sorted(seen.keys()):
+        libname = seen[lib_num]
+        yield f'    {lib_num}u32 => "{libname}",'
+    yield "};"
+    yield ""
+
+
+def gen_error_codes_rust(args):
+    """Generate Rust phf map for error codes"""
+    yield "// Maps encoded (lib, reason) -> error mnemonic"
+    yield "// Example: encode_error_key(20, 134) -> \"CERTIFICATE_VERIFY_FAILED\""
+    yield "// Key encoding: (lib << 32) | reason"
+    yield "pub static ERROR_CODES: phf::Map<u64, &'static str> = phf_map! {"
+    for reason, libname, errname, num in args.reasons:
+        if libname not in args.lib2errnum:
+            continue
+        lib_num = args.lib2errnum[libname]
+        # Encode (lib, reason) as single u64
+        key = (lib_num << 32) | num
+        yield f'    {key}u64 => "{errname}",'
+    yield "};"
+    yield ""
+
+
+def main():
+    args = parser.parse_args()
+
+    args.err_h = os.path.join(args.srcdir, "include", "openssl", "err.h")
+    if not os.path.isfile(args.err_h):
+        # Fall back to infile for OpenSSL 3.0.0
+        args.err_h += ".in"
+    args.errcodes = os.path.join(args.srcdir, "crypto", "err", "openssl.ec")
+    args.errtxt = os.path.join(args.srcdir, "crypto", "err", "openssl.txt")
+
+    if not os.path.isfile(args.errtxt):
+        parser.error(f"File {args.errtxt} not found in srcdir\n.")
+
+    # {X509: 11, ...}
+    args.lib2errnum = parse_err_h(args)
+
+    # [('X509_R_AKID_MISMATCH', 'X509', 'AKID_MISMATCH', 110), ...]
+    reasons = []
+    reasons.extend(parse_openssl_error_text(args))
+    reasons.extend(parse_extra_reasons(args))
+    # sort by libname, numeric error code
+    args.reasons = sorted(reasons, key=operator.itemgetter(0, 3))
+
+    lines = [
+        "// File generated by tools/make_ssl_data_rs.py",
+        f"// Generated on {datetime.datetime.now(datetime.timezone.utc).isoformat()}",
+        f"// Source: OpenSSL from {args.srcdir}",
+        "",
+        "use phf::phf_map;",
+        "",
+    ]
+    lines.extend(gen_library_codes_rust(args))
+    lines.extend(gen_error_codes_rust(args))
+
+    # Add helper function
+    lines.extend([
+        "/// Helper function to create encoded key from (lib, reason) pair",
+        "#[inline]",
+        "pub fn encode_error_key(lib: i32, reason: i32) -> u64 {",
+        "    ((lib as u64) << 32) | (reason as u64 & 0xFFFFFFFF)",
+        "}",
+        "",
+    ])
+
+    if args.output is None:
+        for line in lines:
+            print(line)
+    else:
+        with open(args.output, 'w') as output:
+            for line in lines:
+                print(line, file=output)
+
+        print(f"Generated {args.output}")
+        print(f"Found {len(args.lib2errnum)} library codes")
+        print(f"Found {len(args.reasons)} error codes")
+
+
+if __name__ == "__main__":
+    main()

scripts/make_ssl_data_rs.py

@@ -40,6 +40,7 @@ num-integer = { workspace = true }
 num-traits = { workspace = true }
 num_enum = { workspace = true }
 parking_lot = { workspace = true }
+phf = { version = "0.11", features = ["macros"] }
 
 memchr = { workspace = true }
 base64 = "0.22"

stdlib/Cargo.toml

@@ -2,6 +2,23 @@
 
 mod cert;
 
+// Conditional compilation for OpenSSL version-specific error codes
+cfg_if::cfg_if! {
+    if #[cfg(ossl310)] {
+        // OpenSSL 3.1.0+
+        #[path = "ssl/ssl_data_31.rs"]
+        mod ssl_data;
+    } else if #[cfg(ossl300)] {
+        // OpenSSL 3.0.0+
+        #[path = "ssl/ssl_data_300.rs"]
+        mod ssl_data;
+    } else {
+        // OpenSSL 1.1.1+ (fallback)
+        #[path = "ssl/ssl_data_111.rs"]
+        mod ssl_data;
+    }
+}
+
 use crate::vm::{PyRef, VirtualMachine, builtins::PyModule};
 use openssl_probe::ProbeResult;
 
@@ -48,7 +65,7 @@ mod _ssl {
                 ArgBytesLike, ArgCallable, ArgMemoryBuffer, ArgStrOrBytesLike, Either, FsPath,
                 OptionalArg, PyComparisonValue,
             },
-            types::{Comparable, Constructor, PyComparisonOp, PyTypeFlags},
+            types::{Comparable, Constructor, PyComparisonOp},
             utils::ToCString,
         },
     };
@@ -726,16 +743,16 @@ mod _ssl {
                 let ctx_ptr = builder.as_ptr();
                 match proto {
                     SslVersion::Tls1 => {
-                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_VERSION as i32);
-                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_VERSION as i32);
+                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_VERSION);
+                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_VERSION);
                     }
                     SslVersion::Tls1_1 => {
-                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_1_VERSION as i32);
-                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_1_VERSION as i32);
+                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_1_VERSION);
+                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_1_VERSION);
                     }
                     SslVersion::Tls1_2 => {
-                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_2_VERSION as i32);
-                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_2_VERSION as i32);
+                        sys::SSL_CTX_set_min_proto_version(ctx_ptr, sys::TLS1_2_VERSION);
+                        sys::SSL_CTX_set_max_proto_version(ctx_ptr, sys::TLS1_2_VERSION);
                     }
                     _ => {
                         // For Tls, TlsClient, TlsServer, use default (no restrictions)
@@ -987,12 +1004,12 @@ mod _ssl {
             let proto_version = match value {
                 -2 => {
                     // PY_PROTO_MINIMUM_SUPPORTED -> use minimum available (TLS 1.2)
-                    sys::TLS1_2_VERSION as i32
+                    sys::TLS1_2_VERSION
                 }
                 -1 => {
                     // PY_PROTO_MAXIMUM_SUPPORTED -> use maximum available
                     // For max on min_proto_version, we use the newest available
-                    sys::TLS1_3_VERSION as i32
+                    sys::TLS1_3_VERSION
                 }
                 _ => value,
             };
@@ -1025,7 +1042,7 @@ mod _ssl {
                 }
                 -2 => {
                     // PY_PROTO_MINIMUM_SUPPORTED -> use minimum available (TLS 1.2)
-                    sys::TLS1_2_VERSION as i32
+                    sys::TLS1_2_VERSION
                 }
                 _ => value,
             };
@@ -3033,21 +3050,33 @@ mod _ssl {
                 let file = file
                     .rsplit_once(&['/', '\\'][..])
                     .map_or(file, |(_, basename)| basename);
-                // TODO: finish map
-                let default_errstr = e.reason().unwrap_or("unknown error");
-                let (errstr, is_cert_verify_error) = match default_errstr {
-                    "certificate verify failed" => ("CERTIFICATE_VERIFY_FAILED", true),
-                    "no shared cipher" => ("NO_SHARED_CIPHER", false),
-                    "sslv3 alert handshake failure" => ("SSLV3_ALERT_HANDSHAKE_FAILURE", false),
-                    "tlsv1 alert internal error" => ("TLSV1_ALERT_INTERNAL_ERROR", false),
-                    "tlsv1 alert access denied" => ("TLSV1_ALERT_ACCESS_DENIED", false),
-                    "tlsv1 alert unknown ca" => ("TLSV1_ALERT_UNKNOWN_CA", false),
-                    "sslv3 alert certificate revoked" => ("SSLV3_ALERT_CERTIFICATE_REVOKED", false),
-                    "sslv3 alert certificate expired" => ("SSLV3_ALERT_CERTIFICATE_EXPIRED", false),
-                    "wrong version number" => ("WRONG_VERSION_NUMBER", false),
-                    "wrong ssl version" => ("WRONG_SSL_VERSION", false),
-                    _ => (default_errstr, false),
-                };
+
+                // Get error codes - same approach as CPython
+                // CPython: Modules/_ssl.c:474-496
+                let lib = sys::ERR_GET_LIB(e.code());
+                let reason = sys::ERR_GET_REASON(e.code());
+
+                // Look up error mnemonic from our static tables
+                // CPython uses dict lookup: err_codes_to_names[(lib, reason)]
+                let key = super::ssl_data::encode_error_key(lib, reason);
+                let errstr = super::ssl_data::ERROR_CODES
+                    .get(&key)
+                    .copied()
+                    .or_else(|| {
+                        // Fallback: use OpenSSL's error string
+                        e.reason()
+                    })
+                    .unwrap_or("unknown error");
+
+                // Check if this is a certificate verification error
+                // CPython: Modules/_ssl.c:663-666, 683-686
+                // ERR_LIB_SSL = 20 (from _ssl_data_300.h)
+                // SSL_R_CERTIFICATE_VERIFY_FAILED = 134 (from _ssl_data_300.h)
+                let is_cert_verify_error = lib == 20 && reason == 134;
+
+                // Look up library name from our static table
+                // CPython uses: lib_codes_to_names[lib]
+                let lib_name = super::ssl_data::LIBRARY_CODES.get(&(lib as u32)).copied();
 
                 // Use SSLCertVerificationError for certificate verification failures
                 let cls = if is_cert_verify_error {
@@ -3057,9 +3086,9 @@ mod _ssl {
                 };
 
                 // Build message
-                let lib_obj = e.library();
-                let msg = if let Some(lib) = lib_obj {
-                    format!("[{lib}] {errstr} ({file}:{line})")
+                // CPython: Modules/_ssl.c:539-549
+                let msg = if let Some(lib_str) = lib_name {
+                    format!("[{lib_str}] {errstr} ({file}:{line})")
                 } else {
                     format!("{errstr} ({file}:{line})")
                 };
@@ -3079,8 +3108,8 @@ mod _ssl {
                 let _ = exc_obj.set_attr("reason", reason_value, vm);
 
                 // Set library attribute (None if not available)
-                let library_value: PyObjectRef = if let Some(lib) = lib_obj {
-                    vm.ctx.new_str(lib).into()
+                let library_value: PyObjectRef = if let Some(lib_str) = lib_name {
+                    vm.ctx.new_str(lib_str).into()
                 } else {
                     vm.ctx.none()
                 };