Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.

(followup to issue #13627)
2011-12-21 09:27:41 +01:00 · 2011-12-21 09:27:41 +01:00 · 501da61671
parent 822c790527
commit 501da61671
4 changed files with 25 additions and 1 deletions
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -445,6 +445,14 @@ Constants

   .. versionadded:: 3.3

+.. data:: HAS_ECDH
+
+   Whether the OpenSSL library has built-in support for Elliptic Curve-based
+   Diffie-Hellman key exchange.  This should be true unless the feature was
+   explicitly disabled by the distributor.
+
+   .. versionadded:: 3.3
+
 .. data:: HAS_SNI

   Whether the OpenSSL library has built-in support for the *Server Name
@ -711,6 +719,8 @@ to speed up repeated connections from the same clients.
   This setting doesn't apply to client sockets.  You can also use the
   :data:`OP_SINGLE_ECDH_USE` option to further improve security.

+   This method is not available if :data:`HAS_ECDH` is False.
+
   .. versionadded:: 3.3

   .. seealso::
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -86,7 +86,7 @@ from _ssl import (
    SSL_ERROR_EOF,
    SSL_ERROR_INVALID_ERROR_CODE,
    )
-from _ssl import HAS_SNI
+from _ssl import HAS_SNI, HAS_ECDH
 from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23,
                  PROTOCOL_TLSv1)
 from _ssl import _OPENSSL_API_VERSION
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -103,6 +103,7 @@ class BasicSocketTests(unittest.TestCase):
        if ssl.OPENSSL_VERSION_INFO >= (1, 0):
            ssl.OP_NO_COMPRESSION
        self.assertIn(ssl.HAS_SNI, {True, False})
+        self.assertIn(ssl.HAS_ECDH, {True, False})

    def test_random(self):
        v = ssl.RAND_status()
@ -561,6 +562,7 @@ class ContextTests(unittest.TestCase):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        ctx.set_default_verify_paths()

+    @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
    def test_set_ecdh_curve(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        ctx.set_ecdh_curve("prime256v1")
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -2006,6 +2006,7 @@ set_default_verify_paths(PySSLContext *self, PyObject *unused)
    Py_RETURN_NONE;
 }

+#ifndef OPENSSL_NO_ECDH
 static PyObject *
 set_ecdh_curve(PySSLContext *self, PyObject *name)
 {
@ -2032,6 +2033,7 @@ set_ecdh_curve(PySSLContext *self, PyObject *name)
    EC_KEY_free(key);
    Py_RETURN_NONE;
 }
+#endif

 static PyGetSetDef context_getsetlist[] = {
    {"options", (getter) get_options,
@ -2054,8 +2056,10 @@ static struct PyMethodDef context_methods[] = {
                      METH_NOARGS, NULL},
    {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
                                 METH_NOARGS, NULL},
+#ifndef OPENSSL_NO_ECDH
    {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
                       METH_O, NULL},
+#endif
    {NULL, NULL}        /* sentinel */
 };

@ -2523,6 +2527,14 @@ PyInit__ssl(void)
    Py_INCREF(r);
    PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);

+#ifdef OPENSSL_NO_ECDH
+    r = Py_False;
+#else
+    r = Py_True;
+#endif
+    Py_INCREF(r);
+    PyModule_AddObject(m, "HAS_ECDH", r);
+
    /* OpenSSL version */
    /* SSLeay() gives us the version of the library linked against,
       which could be different from the headers version.