Attempt to fix missing support for setting client sigalgs in AWS-LC

ronf · ronf · commit 2b336edd97de · 2025-08-30T23:11:22.000-07:00
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -51,6 +51,7 @@
 CAN_GET_SELECTED_OPENSSL_GROUP = ssl.OPENSSL_VERSION_INFO >= (3, 2)
 CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
 CAN_GET_AVAILABLE_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 5)
+CAN_SET_CLIENT_SIGALGS = "AWS-LC" not in ssl.OPENSSL_VERSION
 CAN_IGNORE_UNKNOWN_OPENSSL_SIGALGS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
 CAN_GET_SELECTED_OPENSSL_SIGALG = ssl.OPENSSL_VERSION_INFO >= (3, 5)
 PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@@ -997,20 +998,30 @@ def test_get_groups(self):
         self.assertNotIn('P-256', ctx.get_groups())
         self.assertIn('P-256', ctx.get_groups(include_aliases=True))
 
-    def test_set_sigalgs(self):
+    @unittest.skipUnless(CAN_SET_CLIENT_SIGALGS,
+                         "AWS-LC doesn't support setting client sigalgs")
+    def test_set_client_sigalgs(self):
         ctx = ssl.create_default_context()
 
         self.assertIsNone(ctx.set_client_sigalgs('rsa_pss_rsae_sha256'))
-        self.assertIsNone(ctx.set_server_sigalgs('rsa_pss_rsae_sha256'))
 
         self.assertRaises(ssl.SSLError, ctx.set_client_sigalgs,
                           'rsa_pss_rsae_sha256:foo')
+
+        # Ignoring unknown sigalgs is only supported since OpenSSL 3.3.
+        if CAN_IGNORE_UNKNOWN_OPENSSL_SIGALGS:
+            self.assertIsNone(ctx.set_client_sigalgs('rsa_pss_rsae_sha256:?foo'))
+
+    def test_set_server_sigalgs(self):
+        ctx = ssl.create_default_context()
+
+        self.assertIsNone(ctx.set_server_sigalgs('rsa_pss_rsae_sha256'))
+
         self.assertRaises(ssl.SSLError, ctx.set_server_sigalgs,
                           'rsa_pss_rsae_sha256:foo')
 
         # Ignoring unknown sigalgs is only supported since OpenSSL 3.3.
         if CAN_IGNORE_UNKNOWN_OPENSSL_SIGALGS:
-            self.assertIsNone(ctx.set_client_sigalgs('rsa_pss_rsae_sha256:?foo'))
             self.assertIsNone(ctx.set_server_sigalgs('rsa_pss_rsae_sha256:?foo'))
 
     def test_options(self):
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -3839,11 +3839,16 @@ _ssl__SSLContext_set_client_sigalgs_impl(PySSLContext *self,
                                          const char *sigalgslist)
 /*[clinic end generated code: output=f4f5be160a29c7d6 input=500d853ce9fd94ff]*/
 {
+#ifdef OPENSSL_IS_AWSLC
+    _setSSLError(get_state_ctx(self), "can't set client sigalgs on AWS-LC", 0, __FILE__, __LINE__);
+    return NULL;
+#else
     if (!SSL_CTX_set1_client_sigalgs_list(self->ctx, sigalgslist)) {
         _setSSLError(get_state_ctx(self), "unrecognized signature algorithm", 0, __FILE__, __LINE__);
         return NULL;
     }
     Py_RETURN_NONE;
+#endif
 }
 
 /*[clinic input]

Original file line number	Diff line number	Diff line change
`@@ -3839,11 +3839,16 @@ _ssl__SSLContext_set_client_sigalgs_impl(PySSLContext *self,`
`3839`	`3839`	`const char *sigalgslist)`
`3840`	`3840`	`/[clinic end generated code: output=f4f5be160a29c7d6 input=500d853ce9fd94ff]/`
`3841`	`3841`	`{`
	`3842`	`+#ifdef OPENSSL_IS_AWSLC`
	`3843`	`+ _setSSLError(get_state_ctx(self), "can't set client sigalgs on AWS-LC", 0, __FILE__, __LINE__);`
	`3844`	`+ return NULL;`
	`3845`	`+#else`
`3842`	`3846`	`if (!SSL_CTX_set1_client_sigalgs_list(self->ctx, sigalgslist)) {`
`3843`	`3847`	`_setSSLError(get_state_ctx(self), "unrecognized signature algorithm", 0, __FILE__, __LINE__);`
`3844`	`3848`	`return NULL;`
`3845`	`3849`	`}`
`3846`	`3850`	`Py_RETURN_NONE;`
	`3851`	`+#endif`
`3847`	`3852`	`}`
`3848`	`3853`
`3849`	`3854`	`/*[clinic input]`