[Python-checkins] bpo-40479: Test with latest OpenSSL versions (GH-20108)

Miss Islington (bot) webhook-mailer at python.org
Fri May 15 13:06:02 EDT 2020


https://github.com/python/cpython/commit/5e6b491403d7211588dcd399167f5bc21781c69c
commit: 5e6b491403d7211588dcd399167f5bc21781c69c
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2020-05-15T10:05:57-07:00
summary:

bpo-40479: Test with latest OpenSSL versions (GH-20108)


* 1.0.2u (EOL)
* 1.1.0l (EOL)
* 1.1.1g
* 3.0.0-alpha2 (disabled for now)

Build the FIPS provider and create a FIPS configuration file for OpenSSL
3.0.0.

Signed-off-by: Christian Heimes <christian at python.org>

Automerge-Triggered-By: @tiran
(cherry picked from commit 62d618c06bd395308b7163dbcb26c7e6d0922033)

Co-authored-by: Christian Heimes <christian at python.org>

files:
A Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst
M Tools/ssl/multissltests.py

diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst b/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst
new file mode 100644
index 0000000000000..b59035971d7b0
--- /dev/null
+++ b/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst
@@ -0,0 +1,2 @@
+Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1,
+and 3.0.0-alpha.
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 05d6d7de296db..7aa28bd2157fb 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -41,13 +41,13 @@
 log = logging.getLogger("multissl")
 
 OPENSSL_OLD_VERSIONS = [
-    "1.0.2",
 ]
 
 OPENSSL_RECENT_VERSIONS = [
-    "1.0.2t",
+    "1.0.2u",
     "1.1.0l",
-    "1.1.1f",
+    "1.1.1g",
+    # "3.0.0-alpha2"
 ]
 
 LIBRESSL_OLD_VERSIONS = [
@@ -143,6 +143,23 @@
     help="Keep original sources for debugging."
 )
 
+OPENSSL_FIPS_CNF = """\
+openssl_conf = openssl_init
+
+.include {self.install_dir}/ssl/fipsinstall.cnf
+# .include {self.install_dir}/ssl/openssl.cnf
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+fips = fips_sect
+default = default_sect
+
+[default_sect]
+activate = 1
+"""
+
 
 class AbstractBuilder(object):
     library = None
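Review bot: The `OPENSSL_FIPS_CNF` template has no comment stating what it is for, and its `[provider_sect]` activates `default` next to `fips`, so a process loading this file still has the non-FIPS default provider available. A reader could take the file name `openssl-fips.cnf` to mean FIPS-only operation, which this config does not enforce by itself. I would add a comment above the constant such as `# Test-only config: loads the FIPS provider alongside the default provider; it does not restrict OpenSSL to FIPS-approved algorithms.` It would also help to note that `fips_sect` is expected to come from the included `fipsinstall.cnf`, since that section is not defined in the template.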
@@ -291,9 +308,13 @@ def _make_install(self):
             ["make", "-j1", self.install_target],
             cwd=self.build_dir
         )
+        self._post_install()
         if not self.args.keep_sources:
             shutil.rmtree(self.build_dir)
 
+    def _post_install(self):
+        pass
+
     def install(self):
         log.info(self.openssl_cli)
         if not self.has_openssl or self.args.force:
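Review bot: The new `self._post_install()` call only works because it runs before `shutil.rmtree(self.build_dir)`, and nothing at the call site says so. The OpenSSL override later in this commit runs `make` with `cwd=self.build_dir`, so moving the call below the cleanup would break it. I would add `# must run before build_dir is removed; hooks may still invoke make there` above the call. The base hook is a bare `pass`, so I would also give it a docstring such as `"""Hook for subclasses; runs after make install and before build_dir cleanup."""`. The body of `_make_install` starts outside this hunk.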
@@ -365,6 +386,40 @@ class BuildOpenSSL(AbstractBuilder):
     # only install software, skip docs
     install_target = 'install_sw'
 
+    def _post_install(self):
+        if self.version.startswith("3.0"):
+            self._post_install_300()
+
+    def _post_install_300(self):
+        # create ssl/ subdir with example configs
+        self._subprocess_call(
+            ["make", "-j1", "install_ssldirs"],
+            cwd=self.build_dir
+        )
+        # Install FIPS module
+        # https://wiki.openssl.org/index.php/OpenSSL_3.0#Completing_the_installation_of_the_FIPS_Module
+        fipsinstall_cnf = os.path.join(
+            self.install_dir, "ssl", "fipsinstall.cnf"
+        )
+        openssl_fips_cnf = os.path.join(
+            self.install_dir, "ssl", "openssl-fips.cnf"
+        )
+        fips_mod = os.path.join(self.lib_dir, "ossl-modules/fips.so")
+        self._subprocess_call(
+            [
+                self.openssl_cli, "fipsinstall",
+                "-out", fipsinstall_cnf,
+                "-module", fips_mod,
+                "-provider_name", "fips",
+                "-mac_name", "HMAC",
+                "-macopt", "digest:SHA256",
+                "-macopt", "hexkey:00",
+                "-section_name", "fips_sect"
+            ]
+        )
+        with open(openssl_fips_cnf, "w") as f:
+            f.write(OPENSSL_FIPS_CNF.format(self=self))
+
 
 class BuildLibreSSL(AbstractBuilder):
     library = "LibreSSL"
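Review bot: The `fipsinstall` call in `_post_install_300` passes the fixed key `hexkey:00`, so the integrity MAC written to `fipsinstall.cnf` can be recomputed by anyone who knows that key and gives no tamper protection for the module. That is fine for a throwaway test build, but the code should say so. I would add `# hexkey:00 is a placeholder key for test builds only; do not reuse this config for a real FIPS deployment` above the argument list. Separately, `ossl-modules/fips.so` hard-codes the `.so` suffix, which presumably fails on platforms that build the provider with a different extension. The `open(openssl_fips_cnf, "w")` call would be more predictable with an explicit `encoding="utf-8"`.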


