https://github.com/python/cpython/commit/6801bd32cb9bd2bfa87b52d46fb453557d9568ed
commit: 6801bd32cb9bd2bfa87b52d46fb453557d9568ed
branch: main
author: Will Childs-Klein <[email protected]>
committer: picnixz <[email protected]>
date: 2025-05-09T09:09:09+02:00
summary:
gh-133623: Add `ssl.HAS_PSK_TLS13` to detect external TLS 1.3 PSK support
(#133624)
files:
A Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
M Doc/library/ssl.rst
M Doc/whatsnew/3.15.rst
M Lib/ssl.py
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index c0dcecf737ef76..ae2e324d0abaa4 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,13 @@ Constants
.. versionadded:: 3.13
+.. data:: HAS_PSK_TLS13
+
+ Whether the OpenSSL library has built-in support for External PSKs in TLS
+ 1.3 as described in :rfc:`9258`.
+
+ .. versionadded:: next
+
.. data:: HAS_PHA
Whether the OpenSSL library has built-in support for TLS-PHA.
diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst
index 7131eeb697eb69..070d9b38e137d0 100644
--- a/Doc/whatsnew/3.15.rst
+++ b/Doc/whatsnew/3.15.rst
@@ -86,10 +86,13 @@ New modules
Improved modules
================
-module_name
------------
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
+ supports "External PSKs" in TLSv1.3, as described in RFC 9258.
+ (Contributed by Will Childs-Klein in :gh:`133624`.)
-* TODO
.. Add improved modules above alphabetically, not here at the end.
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 05df4ad7f0f05c..7e3c4cbd6bbf8e 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@
from _ssl import (
HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
- HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
+ HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PSK_TLS13, HAS_PHA
)
from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 395b2ef88ab622..06460d6047cac8 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4488,6 +4488,7 @@ def server_callback(identity):
@requires_tls_version('TLSv1_3')
@unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build')
+ @unittest.skipUnless(ssl.HAS_PSK_TLS13, 'TLS 1.3 PSK disabled on this
OpenSSL build')
def test_psk_tls1_3(self):
psk = bytes.fromhex('deadbeef')
identity_hint = 'identity-hint'
diff --git
a/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
new file mode 100644
index 00000000000000..09279bbfb4fd58
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
supports "External PSKs" in TLSv1.3, as described in RFC 9258. Patch by Will
Childs-Klein.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1b26f503e73827..976da1340ecf1e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6626,6 +6626,12 @@ sslmodule_init_constants(PyObject *m)
addbool(m, "HAS_PSK", 1);
#endif
+#ifdef OPENSSL_NO_EXTERNAL_PSK_TLS13
+ addbool(m, "HAS_PSK_TLS13", 0);
+#else
+ addbool(m, "HAS_PSK_TLS13", 1);
+#endif
+
#ifdef SSL_VERIFY_POST_HANDSHAKE
addbool(m, "HAS_PHA", 1);
#else
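Review bot: The new `HAS_PSK_TLS13` block is keyed only on `OPENSSL_NO_EXTERNAL_PSK_TLS13`, so it appears independent of the `HAS_PSK` conditional that closes just above it. A build with PSK compiled out entirely would then report `HAS_PSK` false but `HAS_PSK_TLS13` true, unless the library happens to define both macros. Callers that feature-detect with the new flag alone would be told TLS 1.3 PSK is available on a build that cannot provide it. Consider `#if defined(OPENSSL_NO_PSK) || defined(OPENSSL_NO_EXTERNAL_PSK_TLS13)`, assuming the preceding block tests `OPENSSL_NO_PSK` (its opening line is outside the hunk), with a comment such as `/* TLS 1.3 external PSKs also require general PSK support */`. The body of sslmodule_init_constants starts and ends outside this hunk.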