mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-07 19:35:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

gh-133623: Add ssl.HAS_PSK_TLS13 to detect external TLS 1.3 PSK support (#133624)

Browse source
This commit is contained in:
Will Childs-Klein 2025-05-09 03:09:09 -04:00 committed by GitHub
parent f77dac66e1
commit 6801bd32cb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 22 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Doc/library/ssl.rst
View file

@ -934,6 +934,13 @@ Constants
.. versionadded:: 3.13 .. versionadded:: 3.13
.. data:: HAS_PSK_TLS13
Whether the OpenSSL library has built-in support for External PSKs in TLS
1.3 as described in :rfc:`9258`.
.. versionadded:: next
.. data:: HAS_PHA .. data:: HAS_PHA
Whether the OpenSSL library has built-in support for TLS-PHA. Whether the OpenSSL library has built-in support for TLS-PHA.

9
Doc/whatsnew/3.15.rst
View file

@ -86,10 +86,13 @@ New modules
Improved modules Improved modules
================ ================
module_name ssl
----------- ---
* Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
supports "External PSKs" in TLSv1.3, as described in RFC 9258.
(Contributed by Will Childs-Klein in :gh:`133624`.)
* TODO
.. Add improved modules above alphabetically, not here at the end. .. Add improved modules above alphabetically, not here at the end.

2
Lib/ssl.py
View file

@ -116,7 +116,7 @@ except ImportError:
from _ssl import ( from _ssl import (
HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1, HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PSK_TLS13, HAS_PHA
) )
from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION

1
Lib/test/test_ssl.py
View file

@ -4488,6 +4488,7 @@ class ThreadedTests(unittest.TestCase):
@requires_tls_version('TLSv1_3') @requires_tls_version('TLSv1_3')
@unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build') @unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build')
@unittest.skipUnless(ssl.HAS_PSK_TLS13, 'TLS 1.3 PSK disabled on this OpenSSL build')
def test_psk_tls1_3(self): def test_psk_tls1_3(self):
psk = bytes.fromhex('deadbeef') psk = bytes.fromhex('deadbeef')
identity_hint = 'identity-hint' identity_hint = 'identity-hint'

1
Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst Normal file
View file

@ -0,0 +1 @@
Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module supports "External PSKs" in TLSv1.3, as described in RFC 9258. Patch by Will Childs-Klein.

6
Modules/_ssl.c
View file

@ -6626,6 +6626,12 @@ sslmodule_init_constants(PyObject *m)
addbool(m, "HAS_PSK", 1); addbool(m, "HAS_PSK", 1);
#endif #endif
#ifdef OPENSSL_NO_EXTERNAL_PSK_TLS13
addbool(m, "HAS_PSK_TLS13", 0);
#else
addbool(m, "HAS_PSK_TLS13", 1);
#endif
#ifdef SSL_VERIFY_POST_HANDSHAKE #ifdef SSL_VERIFY_POST_HANDSHAKE
addbool(m, "HAS_PHA", 1); addbool(m, "HAS_PHA", 1);
#else #else