gh-133623: Add `ssl.HAS_PSK_TLS13` to detect external TLS 1.3 PSK support (#133624)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index c0dcecf737ef7650df2ef8bd4285c24a1805b4e6..ae2e324d0abaa4412411265b532dddd62a57e7ba 100644 (file)
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,13 @@ Constants
 
    .. versionadded:: 3.13
 
+.. data:: HAS_PSK_TLS13
+
+   Whether the OpenSSL library has built-in support for External PSKs in TLS
+   1.3 as described in :rfc:`9258`.
+
+   .. versionadded:: next
+
 .. data:: HAS_PHA
 
    Whether the OpenSSL library has built-in support for TLS-PHA.

diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst
index 7131eeb697eb6909abc6bde6725efb484b9a4a75..070d9b38e137d0d872fb4ab58c436a8c4cf3d611 100644 (file)
--- a/Doc/whatsnew/3.15.rst
+++ b/Doc/whatsnew/3.15.rst
@@ -86,10 +86,13 @@ New modules
 Improved modules
 ================
 
-module_name
------------
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
+  supports "External PSKs" in TLSv1.3, as described in RFC 9258.
+  (Contributed by Will Childs-Klein in :gh:`133624`.)
 
-* TODO
 
 .. Add improved modules above alphabetically, not here at the end.
 

diff --git a/Lib/ssl.py b/Lib/ssl.py
index 05df4ad7f0f05cfb987b064eea3fbe236e9ff01c..7e3c4cbd6bbf8ef470a0cd361f49ad4fdf2f3d31 100644 (file)
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@ except ImportError:
 
 from _ssl import (
     HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
-    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
+    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PSK_TLS13, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
 

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 395b2ef88ab6220c62689a34eaceb0e5927aaf9c..06460d6047cac8f60dcb70437949815abe4d054a 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4488,6 +4488,7 @@ class ThreadedTests(unittest.TestCase):
 
     @requires_tls_version('TLSv1_3')
     @unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build')
+    @unittest.skipUnless(ssl.HAS_PSK_TLS13, 'TLS 1.3 PSK disabled on this OpenSSL build')
     def test_psk_tls1_3(self):
         psk = bytes.fromhex('deadbeef')
         identity_hint = 'identity-hint'

diff --git a/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
new file mode 100644 (file)
index 0000000..09279bb
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module supports "External PSKs" in TLSv1.3, as described in RFC 9258. Patch by Will Childs-Klein.

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1b26f503e738272da3d47d3cc0eae9cfa31613eb..976da1340ecf1ee118554c182808f509cb022362 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6626,6 +6626,12 @@ sslmodule_init_constants(PyObject *m)
     addbool(m, "HAS_PSK", 1);
 #endif
 
+#ifdef OPENSSL_NO_EXTERNAL_PSK_TLS13
+    addbool(m, "HAS_PSK_TLS13", 0);
+#else
+    addbool(m, "HAS_PSK_TLS13", 1);
+#endif
+
 #ifdef SSL_VERIFY_POST_HANDSHAKE
     addbool(m, "HAS_PHA", 1);
 #else