From: Will Childs-Klein <willck93@gmail.com>
Date: Fri, 9 May 2025 07:09:09 +0000 (-0400)
Subject: gh-133623: Add `ssl.HAS_PSK_TLS13` to detect external TLS 1.3 PSK support (#133624)
X-Git-Tag: v3.15.0a1~1809
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6801bd32cb9bd2bfa87b52d46fb453557d9568ed;p=thirdparty%2FPython%2Fcpython.git

gh-133623: Add `ssl.HAS_PSK_TLS13` to detect external TLS 1.3 PSK support (#133624)
---

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index c0dcecf737ef..ae2e324d0aba 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,13 @@ Constants
 
    .. versionadded:: 3.13
 
+.. data:: HAS_PSK_TLS13
+
+   Whether the OpenSSL library has built-in support for External PSKs in TLS
+   1.3 as described in :rfc:`9258`.
+
+   .. versionadded:: next
+
 .. data:: HAS_PHA
 
    Whether the OpenSSL library has built-in support for TLS-PHA.
diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst
index 7131eeb697eb..070d9b38e137 100644
--- a/Doc/whatsnew/3.15.rst
+++ b/Doc/whatsnew/3.15.rst
@@ -86,10 +86,13 @@ New modules
 Improved modules
 ================
 
-module_name
------------
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module
+  supports "External PSKs" in TLSv1.3, as described in RFC 9258.
+  (Contributed by Will Childs-Klein in :gh:`133624`.)
 
-* TODO
 
 .. Add improved modules above alphabetically, not here at the end.
 
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 05df4ad7f0f0..7e3c4cbd6bbf 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@ except ImportError:
 
 from _ssl import (
     HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
-    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
+    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PSK_TLS13, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
 
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 395b2ef88ab6..06460d6047ca 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4488,6 +4488,7 @@ class ThreadedTests(unittest.TestCase):
 
     @requires_tls_version('TLSv1_3')
     @unittest.skipUnless(ssl.HAS_PSK, 'TLS-PSK disabled on this OpenSSL build')
+    @unittest.skipUnless(ssl.HAS_PSK_TLS13, 'TLS 1.3 PSK disabled on this OpenSSL build')
     def test_psk_tls1_3(self):
         psk = bytes.fromhex('deadbeef')
         identity_hint = 'identity-hint'
diff --git a/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
new file mode 100644
index 000000000000..09279bbfb4fd
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-05-07-22-49-27.gh-issue-133623.fgWkBm.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PSK_TLS13` whether the :mod:`ssl` module supports "External PSKs" in TLSv1.3, as described in RFC 9258. Patch by Will Childs-Klein.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1b26f503e738..976da1340ecf 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6626,6 +6626,12 @@ sslmodule_init_constants(PyObject *m)
     addbool(m, "HAS_PSK", 1);
 #endif
 
+#ifdef OPENSSL_NO_EXTERNAL_PSK_TLS13
+    addbool(m, "HAS_PSK_TLS13", 0);
+#else
+    addbool(m, "HAS_PSK_TLS13", 1);
+#endif
+
 #ifdef SSL_VERIFY_POST_HANDSHAKE
     addbool(m, "HAS_PHA", 1);
 #else