bpo-40479: Test with latest OpenSSL versions (GH-20108)

* 1.0.2u (EOL)
* 1.1.0l (EOL)
* 1.1.1g
* 3.0.0-alpha2 (disabled for now)

Build the FIPS provider and create a FIPS configuration file for OpenSSL
3.0.0.

Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: @tiran
Christian Heimes 2020-05-15 18:48:25 +02:00 committed by GitHub
parent 16d4e6f6f5
commit 62d618c06b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 60 additions and 3 deletions


@ -0,0 +1,2 @@
Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1,
and 3.0.0-alpha.


@ -41,13 +41,13 @@ import tarfile
log = logging.getLogger("multissl") log = logging.getLogger("multissl")
OPENSSL_OLD_VERSIONS = [ OPENSSL_OLD_VERSIONS = [
"1.0.2",
] ]
OPENSSL_RECENT_VERSIONS = [ OPENSSL_RECENT_VERSIONS = [
"1.0.2t", "1.0.2u",
"1.1.0l", "1.1.0l",
"1.1.1f", "1.1.1g",
# "3.0.0-alpha2"
] ]
LIBRESSL_OLD_VERSIONS = [ LIBRESSL_OLD_VERSIONS = [
@ -143,6 +143,23 @@ parser.add_argument(
help="Keep original sources for debugging." help="Keep original sources for debugging."
) )
OPENSSL_FIPS_CNF = """\
openssl_conf = openssl_init
.include {self.install_dir}/ssl/fipsinstall.cnf
# .include {self.install_dir}/ssl/openssl.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
"""
class AbstractBuilder(object): class AbstractBuilder(object):
library = None library = None
@ -291,9 +308,13 @@ class AbstractBuilder(object):
["make", "-j1", self.install_target], ["make", "-j1", self.install_target],
cwd=self.build_dir cwd=self.build_dir
) )
self._post_install()
if not self.args.keep_sources: if not self.args.keep_sources:
shutil.rmtree(self.build_dir) shutil.rmtree(self.build_dir)
def _post_install(self):
pass
def install(self): def install(self):
log.info(self.openssl_cli) log.info(self.openssl_cli)
if not self.has_openssl or self.args.force: if not self.has_openssl or self.args.force:
@ -365,6 +386,40 @@ class BuildOpenSSL(AbstractBuilder):
# only install software, skip docs # only install software, skip docs
install_target = 'install_sw' install_target = 'install_sw'
def _post_install(self):
if self.version.startswith("3.0"):
self._post_install_300()
def _post_install_300(self):
# create ssl/ subdir with example configs
self._subprocess_call(
["make", "-j1", "install_ssldirs"],
cwd=self.build_dir
)
# Install FIPS module
# https://wiki.openssl.org/index.php/OpenSSL_3.0#Completing_the_installation_of_the_FIPS_Module
fipsinstall_cnf = os.path.join(
self.install_dir, "ssl", "fipsinstall.cnf"
)
openssl_fips_cnf = os.path.join(
self.install_dir, "ssl", "openssl-fips.cnf"
)
fips_mod = os.path.join(self.lib_dir, "ossl-modules/fips.so")
self._subprocess_call(
[
self.openssl_cli, "fipsinstall",
"-out", fipsinstall_cnf,
"-module", fips_mod,
"-provider_name", "fips",
"-mac_name", "HMAC",
"-macopt", "digest:SHA256",
"-macopt", "hexkey:00",
"-section_name", "fips_sect"
]
)
with open(openssl_fips_cnf, "w") as f:
f.write(OPENSSL_FIPS_CNF.format(self=self))
class BuildLibreSSL(AbstractBuilder): class BuildLibreSSL(AbstractBuilder):
library = "LibreSSL" library = "LibreSSL"
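Review bot: In `_post_install_300` the `fipsinstall` call uses a fixed one-byte MAC key (`-macopt hexkey:00`) and `OPENSSL_FIPS_CNF` activates the default provider next to `fips`, yet nothing in the code says the result is a test fixture. With a publicly known key the MAC written to `fipsinstall.cnf` can catch accidental corruption of `fips.so` but gives no tamper evidence, and with `default_sect` active the config appears to load the FIPS provider without restricting OpenSSL to it. I would add a comment above the call, e.g. `# Test-only: fixed HMAC key and default provider enabled; do not reuse openssl-fips.cnf outside the test build.` Separately, `"ossl-modules/fips.so"` hard-codes the ELF suffix, so the step presumably fails on platforms where the module is built as `.dylib`; worth guarding before `"3.0.0-alpha2"` is enabled in `OPENSSL_RECENT_VERSIONS`.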