apply review

youknowone · youknowone · commit 2bb523a7f609 · 2025-11-15T22:21:33.000+09:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -59,6 +59,14 @@ pub use rustpython_vm as vm;
 pub use settings::{InstallPipMode, RunMode, parse_opts};
 pub use shell::run_shell;
 
+#[cfg(all(
+    feature = "ssl",
+    not(any(feature = "ssl-rustls", feature = "ssl-openssl"))
+))]
+compile_error!(
+    "Feature \"ssl\" is now enabled by either \"ssl-rustls\" or \"ssl-openssl\" to be enabled. Do not manually pass \"ssl\" feature. To enable ssl-openssl, use --no-default-features to disable ssl-rustls"
+);
+
 /// The main cli of the `rustpython` interpreter. This function will return `std::process::ExitCode`
 /// based on the return code of the python code ran through the cli.
 pub fn run(init: impl FnOnce(&mut VirtualMachine) + 'static) -> ExitCode {
@@ -141,12 +149,7 @@ __import__("io").TextIOWrapper(
 }
 
 fn install_pip(installer: InstallPipMode, scope: Scope, vm: &VirtualMachine) -> PyResult<()> {
-    if cfg!(feature = "ssl") {
-        #[cfg(not(any(feature = "ssl-rustls", feature = "ssl-openssl")))]
-        compile_error!(
-            "Feature \"ssl\" is now enabled by either \"ssl-rustls\" or \"ssl-openssl\" to be enabled. Do not manually pass \"ssl\" feature. To enable ssl-openssl, use --no-default-features to disable ssl-rustls"
-        );
-    } else {
+    if !cfg!(feature = "ssl") {
         return Err(vm.new_exception_msg(
             vm.ctx.exceptions.system_error.to_owned(),
             "install-pip requires rustpython be build with '--features=ssl'".to_owned(),
diff --git a/stdlib/src/openssl.rs b/stdlib/src/openssl.rs
@@ -834,8 +834,6 @@ mod _ssl {
         post_handshake_auth: PyMutex<bool>,
         sni_callback: PyMutex<Option<PyObjectRef>>,
         msg_callback: PyMutex<Option<PyObjectRef>>,
-        psk_client_callback: PyMutex<Option<PyObjectRef>>,
-        psk_server_callback: PyMutex<Option<PyObjectRef>>,
     }
 
     impl fmt::Debug for PySslContext {
@@ -940,8 +938,6 @@ mod _ssl {
                 post_handshake_auth: PyMutex::new(false),
                 sni_callback: PyMutex::new(None),
                 msg_callback: PyMutex::new(None),
-                psk_client_callback: PyMutex::new(None),
-                psk_server_callback: PyMutex::new(None),
             }
             .into_ref_with_type(vm, cls)
             .map(Into::into)
@@ -1670,8 +1666,6 @@ mod _ssl {
             ctx_ref: PyRef<PySslContext>,
             server_side: bool,
             server_hostname: Option<PyStrRef>,
-            owner: Option<PyObjectRef>,
-            session: Option<PyObjectRef>,
             vm: &VirtualMachine,
         ) -> PyResult<(ssl::Ssl, SslServerOrClient, Option<PyStrRef>)> {
             // Validate socket type and context protocol
@@ -1778,14 +1772,8 @@ mod _ssl {
             vm: &VirtualMachine,
         ) -> PyResult<PyObjectRef> {
             // Use common helper function
-            let (ssl, socket_type, server_hostname) = Self::new_py_ssl_socket(
-                zelf.clone(),
-                args.server_side,
-                args.server_hostname,
-                args.owner.clone(),
-                args.session.clone(),
-                vm,
-            )?;
+            let (ssl, socket_type, server_hostname) =
+                Self::new_py_ssl_socket(zelf.clone(), args.server_side, args.server_hostname, vm)?;
 
             // Create SslStream with socket
             let stream = ssl::SslStream::new(ssl, SocketStream(args.sock.clone()))
@@ -1838,14 +1826,8 @@ mod _ssl {
             vm: &VirtualMachine,
         ) -> PyResult<PyObjectRef> {
             // Use common helper function
-            let (ssl, socket_type, server_hostname) = Self::new_py_ssl_socket(
-                zelf.clone(),
-                args.server_side,
-                args.server_hostname,
-                args.owner.clone(),
-                args.session.clone(),
-                vm,
-            )?;
+            let (ssl, socket_type, server_hostname) =
+                Self::new_py_ssl_socket(zelf.clone(), args.server_side, args.server_hostname, vm)?;
 
             // Create BioStream wrapper
             let bio_stream = BioStream {
@@ -2891,6 +2873,7 @@ mod _ssl {
     }
 
     // Message callback type
+    #[allow(non_camel_case_types)]
     type SSL_CTX_msg_callback = Option<
         unsafe extern "C" fn(
             write_p: libc::c_int,
@@ -3059,18 +3042,12 @@ mod _ssl {
     // These are typically macros in OpenSSL, implemented via BIO_ctrl
     const BIO_CTRL_PENDING: libc::c_int = 10;
     const BIO_CTRL_SET_EOF: libc::c_int = 2;
-    const BIO_CTRL_EOF: libc::c_int = 2;
 
     #[allow(non_snake_case)]
     unsafe fn BIO_ctrl_pending(bio: *mut sys::BIO) -> usize {
         unsafe { sys::BIO_ctrl(bio, BIO_CTRL_PENDING, 0, std::ptr::null_mut()) as usize }
     }
 
-    #[allow(non_snake_case)]
-    unsafe fn BIO_eof(bio: *mut sys::BIO) -> libc::c_int {
-        unsafe { sys::BIO_ctrl(bio, BIO_CTRL_EOF, 0, std::ptr::null_mut()) as libc::c_int }
-    }
-
     #[allow(non_snake_case)]
     unsafe fn BIO_set_mem_eof_return(bio: *mut sys::BIO, eof: libc::c_int) -> libc::c_int {
         unsafe {
diff --git a/stdlib/src/openssl/cert.rs b/stdlib/src/openssl/cert.rs
@@ -74,15 +74,15 @@ pub(crate) mod ssl_cert {
             let format = format.unwrap_or(ENCODING_PEM);
 
             match format {
-                x if x == ENCODING_DER => {
+                ENCODING_DER => {
                     // DER encoding
                     let der = self
                         .cert
                         .to_der()
                         .map_err(|e| convert_openssl_error(vm, e))?;
                     Ok(vm.ctx.new_bytes(der).into())
                 }
-                x if x == ENCODING_PEM => {
+                ENCODING_PEM => {
                     // PEM encoding
                     let pem = self
                         .cert
diff --git a/stdlib/src/ssl/cert.rs b/stdlib/src/ssl/cert.rs
@@ -22,6 +22,8 @@ use std::collections::HashSet;
 use std::sync::Arc;
 use x509_parser::prelude::*;
 
+use super::compat::VERIFY_X509_STRICT;
+
 // Error Handling Utilities
 
 /// Certificate loading error types with specific error messages
@@ -1306,7 +1308,6 @@ impl ServerCertVerifier for StrictCertVerifier {
         )?;
 
         // If VERIFY_X509_STRICT flag is set, perform additional validation
-        const VERIFY_X509_STRICT: i32 = 0x00000020;
         if self.verify_flags & VERIFY_X509_STRICT != 0 {
             // Check end entity certificate for AKI
             // RFC 5280 Section 4.2.1.1: self-signed certificates are exempt from AKI requirement
diff --git a/stdlib/src/ssl/compat.rs b/stdlib/src/ssl/compat.rs
@@ -35,6 +35,11 @@ use super::_ssl::{
     create_ssl_want_read_error, create_ssl_want_write_error, create_ssl_zero_return_error,
 };
 
+// SSL Verification Flags
+/// VERIFY_X509_STRICT flag for RFC 5280 strict compliance
+/// When set, performs additional validation including AKI extension checks
+pub const VERIFY_X509_STRICT: i32 = 0x20;
+
 // CryptoProvider Initialization:
 
 /// Ensure the default CryptoProvider is installed (thread-safe, runs once)
@@ -809,8 +814,8 @@ fn apply_verifier_wrappers(
         verifier
     };
 
-    // Wrap with StrictCertVerifier if other verify_flags are set
-    if verify_flags != 0 {
+    // Wrap with StrictCertVerifier if VERIFY_X509_STRICT flag is set
+    if verify_flags & VERIFY_X509_STRICT != 0 {
         Arc::new(super::cert::StrictCertVerifier::new(verifier, verify_flags))
     } else {
         verifier
