From 6801bd32cb9bd2bfa87b52d46fb453557d9568ed Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Fri, 9 May 2025 03:09:09 -0400
Subject: [PATCH] gh-133623: Add `ssl.HAS_PSK_TLS13` to detect external TLS 1.3 PSK support (#133624)
---
 Doc/library/ssl.rst | 7 +++++++
 Doc/whatsnew/3.15.rst | 9 ++++++---
 Lib/ssl.py | 2 +-
 Lib/test/test_ssl.py | 1 +
 .../2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst | 1 +
 Modules/_ssl.c | 6 ++++++
 6 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index c0dcecf737e..ae2e324d0ab 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,13 @@ Constants
 .. versionadded:: 3.13
+.. data:: HAS_PSK_TLS13
+
+ Whether the OpenSSL library has built-in support for External PSKs in TLS
+ 1.3 as described in :rfc:`9258`.
+
+ .. versionadded:: next
+
 .. data:: HAS_PHA
 Whether the OpenSSL library has built-in support for TLS-PHA.
diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst
index 7131eeb697e..070d9b38e13 100644
--- a/Doc/whatsnew/3.15.rst
+++ b/Doc/whatsnew/3.15.rst
@@ -86,10 +86,13 @@ New modules
 Improved modules
 ================
-module_name
-----------
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
+ supports "External PSKs" in TLSv1.3, as described in RFC 9258.
+ (Contributed by Will Childs-Klein in :gh:`133624`.)
-* TODO
 .. Add improved modules above alphabetically, not here at the end.
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 05df4ad7f0f..7e3c4cbd6bb 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@ except ImportError:
 from _ssl import (
 HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
- HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
+ HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PSK_TLS13, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 395b2ef88ab..06460d6047c 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4488,6 +4488,7 @@ class ThreadedTests(unittest.TestCase):
 @requires_tls_version('TLSv1_3')
 @unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build')
+ @unittest.skipUnless(ssl.HAS_PSK_TLS13, 'TLS 1.3 PSK disabled on this OpenSSL build')
 def test_psk_tls1_3(self):
 psk = bytes.fromhex('deadbeef')
 identity_hint = 'identity-hint'
diff --git a/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
new file mode 100644
index 00000000000..09279bbfb4f
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module supports "External PSKs" in TLSv1.3, as described in RFC 9258. Patch by Will Childs-Klein.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1b26f503e73..976da1340ec 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6626,6 +6626,12 @@ sslmodule_init_constants(PyObject *m)
 addbool(m, "HAS_PSK", 1);
 #endif
+#ifdef OPENSSL_NO_EXTERNAL_PSK_TLS13
+ addbool(m, "HAS_PSK_TLS13", 0);
+#else
+ addbool(m, "HAS_PSK_TLS13", 1);
+#endif
+
 #ifdef SSL_VERIFY_POST_HANDSHAKE
 addbool(m, "HAS_PHA", 1);
 #else
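Review bot: In the Modules/_ssl.c hunk, `HAS_PSK_TLS13` is derived only from `OPENSSL_NO_EXTERNAL_PSK_TLS13`, so a build with PSK disabled altogether (the `HAS_PSK` block just above, whose `#ifdef` begins before the hunk, reports 0 in that case) still exports `HAS_PSK_TLS13 = True`, contradicting the new documentation's "has built-in support for External PSKs in TLS 1.3". The test hunk masks this by stacking both `skipUnless` decorators, but library callers checking only the new flag would not. Keying the new block on both conditions, `#if defined(OPENSSL_NO_PSK) || defined(OPENSSL_NO_EXTERNAL_PSK_TLS13)`, makes the flag self-contained. Separately, a one-line comment naming which TLS library defines `OPENSSL_NO_EXTERNAL_PSK_TLS13` would help, since it does not appear to be an upstream OpenSSL `no-*` feature macro as far as I can tell. `sslmodule_init_constants` starts and ends outside the hunk.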