gh-136306: Address additional review comments

Author: ronf

Doc/library/ssl.rst

@@ -1289,6 +1289,8 @@ SSL sockets also have the following additional methods and attributes:
    Return the group used for doing key agreement on this connection. If no
    connection has been established, returns ``None``.
 
+   .. versionadded:: next
+
 .. method:: SSLSocket.compression()
 
    Return the compression algorithm being used as a string, or ``None``
@@ -1653,10 +1655,10 @@ to speed up repeated connections from the same clients.
    values.  For example::
 
        >>> ctx = ssl.create_default_context()
-       >>> ctx.minimum_version=ssl.TLSVersion.TLSv1_3
-       >>> ctx.maximum_version=ssl.TLSVersion.TLSv1_3
-       >>> ctx.get_groups()
-       ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', 'brainpoolP256r1tls13', 'brainpoolP384r1tls13', 'brainpoolP512r1tls13', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192', 'MLKEM512', 'MLKEM768', 'MLKEM1024', 'SecP256r1MLKEM768', 'X25519MLKEM768', 'SecP384r1MLKEM1024']
+       >>> ctx.minimum_version = ssl.TLSVersion.TLSv1_3
+       >>> ctx.maximum_version = ssl.TLSVersion.TLSv1_3
+       >>> ctx.get_groups() # doctest: +SKIP
+       ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448', ...]
 
    By default, this method returns only the preferred IANA names for the
    available groups. However, if the ``include_aliases`` parameter is set to
@@ -1700,7 +1702,7 @@ to speed up repeated connections from the same clients.
       When connected, the :meth:`SSLSocket.group` method of SSL sockets will
       return the group used for key agreement on that connection.
 
-   .. versionadded:: 3.15
+   .. versionadded:: next
 
 .. method:: SSLContext.set_alpn_protocols(protocols)
 

Modules/_ssl.c

@@ -2157,12 +2157,10 @@ _ssl__SSLSocket_group_impl(PySSLSocket *self)
     if (self->ssl == NULL) {
         Py_RETURN_NONE;
     }
-
     group_name = SSL_get0_group_name(self->ssl);
     if (group_name == NULL) {
         Py_RETURN_NONE;
     }
-
     return PyUnicode_DecodeFSDefault(group_name);
 #else
     PyErr_SetString(PyExc_NotImplementedError,
@@ -3467,18 +3465,13 @@ _ssl__SSLContext_get_groups_impl(PySSLContext *self, int include_aliases)
     size_t i, num;
     PyObject *item, *result = NULL;
 
+    // This "groups" object is dynamically allocated, but the strings inside
+    // it are internal constants which shouldn't ever be modified or freed.
     if ((groups = sk_OPENSSL_CSTRING_new_null()) == NULL) {
         _setSSLError(get_state_ctx(self), "Can't allocate stack", 0, __FILE__, __LINE__);
-	goto error;
+        goto error;
     }
 
-    /*
-     * Note: The "groups" stack is dynamically allocated, but the strings
-     * returned in the stack are references to internal constants which
-     * should NOT be modified or freed. They should also be plain ASCII,
-     * so there should be no decoding issue when converting to Unicode.
-     */
-
     if (!SSL_CTX_get0_implemented_groups(self->ctx, include_aliases, groups)) {
         _setSSLError(get_state_ctx(self), "Can't get groups", 0, __FILE__, __LINE__);
         goto error;
@@ -3492,11 +3485,14 @@ _ssl__SSLContext_get_groups_impl(PySSLContext *self, int include_aliases)
     }
 
     for (i = 0; i < num; ++i) {
+        // There's no allocation here, so group won't ever be NULL.
         group = sk_OPENSSL_CSTRING_value(groups, i);
-	assert(group != NULL);
+        assert(group != NULL);
 
+        // Group names are plain ASCII, so there's no chance of a decoding
+        // error here. However, an allocation failure could occur when
+        // constructing the Unicode version of the names.
         item = PyUnicode_DecodeFSDefault(group);
-
         if (item == NULL) {
             _setSSLError(get_state_ctx(self), "Can't allocate group name", 0, __FILE__, __LINE__);
             goto error;