[Python-checkins] cpython: Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.

antoine.pitrou python-checkins at python.org
Wed Dec 21 09:28:24 CET 2011


http://hg.python.org/cpython/rev/ec44f2e82707
changeset: 74103:ec44f2e82707
user: Antoine Pitrou <solipsis at pitrou.net>
date: Wed Dec 21 09:27:41 2011 +0100
summary:
 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627)
files:
 Doc/library/ssl.rst | 10 ++++++++++
 Lib/ssl.py | 2 +-
 Lib/test/test_ssl.py | 2 ++
 Modules/_ssl.c | 12 ++++++++++++
 4 files changed, 25 insertions(+), 1 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -445,6 +445,14 @@
 
 .. versionadded:: 3.3
 
+.. data:: HAS_ECDH
+
+ Whether the OpenSSL library has built-in support for Elliptic Curve-based
+ Diffie-Hellman key exchange. This should be true unless the feature was
+ explicitly disabled by the distributor.
+
+ .. versionadded:: 3.3
+
 .. data:: HAS_SNI
 
 Whether the OpenSSL library has built-in support for the *Server Name
@@ -711,6 +719,8 @@
 This setting doesn't apply to client sockets. You can also use the
 :data:`OP_SINGLE_ECDH_USE` option to further improve security.
 
+ This method is not available if :data:`HAS_ECDH` is False.
+
 .. versionadded:: 3.3
 
 .. seealso::
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -86,7 +86,7 @@
 SSL_ERROR_EOF,
 SSL_ERROR_INVALID_ERROR_CODE,
 )
-from _ssl import HAS_SNI
+from _ssl import HAS_SNI, HAS_ECDH
 from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23,
 PROTOCOL_TLSv1)
 from _ssl import _OPENSSL_API_VERSION
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -103,6 +103,7 @@
 if ssl.OPENSSL_VERSION_INFO >= (1, 0):
 ssl.OP_NO_COMPRESSION
 self.assertIn(ssl.HAS_SNI, {True, False})
+ self.assertIn(ssl.HAS_ECDH, {True, False})
 
 def test_random(self):
 v = ssl.RAND_status()
@@ -561,6 +562,7 @@
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 ctx.set_default_verify_paths()
 
+ @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
 def test_set_ecdh_curve(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 ctx.set_ecdh_curve("prime256v1")
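Review bot: Nothing asserts the behaviour of a build with ECDH disabled: the `skipUnless` decorator added on `test_set_ecdh_curve` skips the only test that touches the method, and the `assertIn(ssl.HAS_ECDH, {True, False})` line in the earlier hunk checks only that the flag is a boolean. A check that the flag and the method agree would catch a build where the two drift apart, for example `self.assertEqual(hasattr(ssl.SSLContext, "set_ecdh_curve"), ssl.HAS_ECDH)`. This matters because, per the ssl.rst change, callers are expected to consult `HAS_ECDH` before configuring a curve. The body of test_set_ecdh_curve continues outside the hunk.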
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2006,6 +2006,7 @@
 Py_RETURN_NONE;
 }
 
+#ifndef OPENSSL_NO_ECDH
 static PyObject *
 set_ecdh_curve(PySSLContext *self, PyObject *name)
 {
@@ -2032,6 +2033,7 @@
 EC_KEY_free(key);
 Py_RETURN_NONE;
 }
+#endif
 
 static PyGetSetDef context_getsetlist[] = {
 {"options", (getter) get_options,
@@ -2054,8 +2056,10 @@
 METH_NOARGS, NULL},
 {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
 METH_NOARGS, NULL},
+#ifndef OPENSSL_NO_ECDH
 {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
 METH_O, NULL},
+#endif
 {NULL, NULL} /* sentinel */
 };
 
@@ -2523,6 +2527,14 @@
 Py_INCREF(r);
 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
 
+#ifdef OPENSSL_NO_ECDH
+ r = Py_False;
+#else
+ r = Py_True;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_ECDH", r);
+
 /* OpenSSL version */
 /* SSLeay() gives us the version of the library linked against,
 which could be different from the headers version.
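Review bot: `HAS_ECDH` is decided by the `OPENSSL_NO_ECDH` macro, that is, by the OpenSSL headers present at build time, while the comment at the end of this same hunk notes that the library linked against can differ from the headers version. The flag therefore describes the build rather than the library loaded at run time, whereas the new ssl.rst wording ("Whether the OpenSSL library has built-in support") reads as a run-time statement. A one-line comment above the block would make this explicit, for example `/* HAS_ECDH reflects the OpenSSL headers used at build time (OPENSSL_NO_ECDH) */`. The enclosing function (presumably the module init) starts and ends outside the hunk.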
-- 
Repository URL: http://hg.python.org/cpython


