changeset: 74103:ec44f2e82707 user: Antoine Pitrou solipsis@pitrou.net date: Wed Dec 21 09:27:41 2011 +0100 files: Doc/library/ssl.rst Lib/ssl.py Lib/test/test_ssl.py Modules/_ssl.c description: Fix ssl module compilation if ECDH support was disabled in the OpenSSL build. (followup to issue #13627)
diff -r ac29dc61873c -r ec44f2e82707 Doc/library/ssl.rst
--- a/Doc/library/ssl.rst Tue Dec 20 13:32:50 2011 -0600
+++ b/Doc/library/ssl.rst Wed Dec 21 09:27:41 2011 +0100
@@ -445,6 +445,14 @@
 .. versionadded:: 3.3
+.. data:: HAS_ECDH
+
+ Whether the OpenSSL library has built-in support for Elliptic Curve-based
+ Diffie-Hellman key exchange. This should be true unless the feature was
+ explicitly disabled by the distributor.
+
+ .. versionadded:: 3.3
+
 .. data:: HAS_SNI
 Whether the OpenSSL library has built-in support for the *Server Name
@@ -711,6 +719,8 @@
 This setting doesn't apply to client sockets. You can also use the :data:`OP_SINGLE_ECDH_USE` option to further improve security.
+ This method is not available if :data:`HAS_ECDH` is False.
+
 .. versionadded:: 3.3
 .. seealso::
diff -r ac29dc61873c -r ec44f2e82707 Lib/ssl.py
--- a/Lib/ssl.py Tue Dec 20 13:32:50 2011 -0600
+++ b/Lib/ssl.py Wed Dec 21 09:27:41 2011 +0100
@@ -86,7 +86,7 @@
 SSL_ERROR_EOF,
 SSL_ERROR_INVALID_ERROR_CODE,
 )
-from _ssl import HAS_SNI
+from _ssl import HAS_SNI, HAS_ECDH
 from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23,
 PROTOCOL_TLSv1)
 from _ssl import _OPENSSL_API_VERSION
diff -r ac29dc61873c -r ec44f2e82707 Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py Tue Dec 20 13:32:50 2011 -0600
+++ b/Lib/test/test_ssl.py Wed Dec 21 09:27:41 2011 +0100
@@ -103,6 +103,7 @@
 if ssl.OPENSSL_VERSION_INFO >= (1, 0):
 ssl.OP_NO_COMPRESSION
 self.assertIn(ssl.HAS_SNI, {True, False})
+ self.assertIn(ssl.HAS_ECDH, {True, False})
 def test_random(self):
 v = ssl.RAND_status()
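Review bot: `self.assertIn(ssl.HAS_ECDH, {True, False})` only pins the flag's type; since the same OPENSSL_NO_ECDH guard now decides whether `SSLContext.set_ecdh_curve` exists, the test could also tie the two together with `self.assertEqual(ssl.HAS_ECDH, hasattr(ssl.SSLContext, "set_ecdh_curve"))`, so a build where the constant and the method disagree fails instead of passing. The same applies to the `@unittest.skipUnless(ssl.HAS_ECDH, ...)` hunk at -561: skipping leaves the disabled path unexercised, and that equality check is the cheap way to cover it on both kinds of build. The enclosing test method starts outside the hunk.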
@@ -561,6 +562,7 @@
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 ctx.set_default_verify_paths()
+ @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
 def test_set_ecdh_curve(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 ctx.set_ecdh_curve("prime256v1")
diff -r ac29dc61873c -r ec44f2e82707 Modules/_ssl.c
--- a/Modules/_ssl.c Tue Dec 20 13:32:50 2011 -0600
+++ b/Modules/_ssl.c Wed Dec 21 09:27:41 2011 +0100
@@ -2006,6 +2006,7 @@
 Py_RETURN_NONE;
 }
+#ifndef OPENSSL_NO_ECDH
 static PyObject *
 set_ecdh_curve(PySSLContext *self, PyObject *name)
 {
@@ -2032,6 +2033,7 @@
 EC_KEY_free(key);
 Py_RETURN_NONE;
 }
+#endif
 static PyGetSetDef context_getsetlist[] = {
 {"options", (getter) get_options,
@@ -2054,8 +2056,10 @@
 METH_NOARGS, NULL},
 {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
 METH_NOARGS, NULL},
+#ifndef OPENSSL_NO_ECDH
 {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
 METH_O, NULL},
+#endif
 {NULL, NULL} /* sentinel */
 };
@@ -2523,6 +2527,14 @@
 Py_INCREF(r);
 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
+#ifdef OPENSSL_NO_ECDH
+ r = Py_False;
+#else
+ r = Py_True;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_ECDH", r);
+
 /* OpenSSL version */
 /* SSLeay() gives us the version of the library linked against,
 which could be different from the headers version.
/solipsis@pitrou.net
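Review bot: The return value of `PyModule_AddObject(m, "HAS_ECDH", r)` in the -2523 hunk is not checked; PyModule_AddObject steals the reference only on success, so on failure the freshly INCREF'd reference leaks and the error is silently dropped. This mirrors the pre-existing HAS_TLS_UNIQUE lines just above, so it is an inherited pattern rather than a regression; if the init function returns NULL on error (its body is outside the hunk), `if (PyModule_AddObject(m, "HAS_ECDH", r) < 0) { Py_DECREF(r); return NULL; }` would close it. The leak is negligible for a bool singleton, but a silently missing attribute would surface later as an ImportError from the `from _ssl import HAS_SNI, HAS_ECDH` line in Lib/ssl.py, far from the cause.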