Skip to content

Commit

Permalink
[3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-1…
Browse files Browse the repository at this point in the history
…05174) (GH-105200) (#105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)

Co-authored-by: Ned Deily <nad@python.org>
  • Loading branch information
gpshead and ned-deily authored Jun 5, 2023
1 parent c9bf00b commit e15de14
Show file tree
Hide file tree
Showing 12 changed files with 186 additions and 18 deletions.
4 changes: 2 additions & 2 deletions .azure-pipelines/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ jobs:
variables:
testRunTitle: '$(build.sourceBranchName)-linux'
testRunPlatform: linux
openssl_version: 1.1.1t
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand All @@ -83,7 +83,7 @@ jobs:
variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
openssl_version: 1.1.1t
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand Down
4 changes: 2 additions & 2 deletions .azure-pipelines/pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ jobs:
variables:
testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
testRunPlatform: linux
openssl_version: 1.1.1t
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand All @@ -83,7 +83,7 @@ jobs:
variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
openssl_version: 1.1.1t
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,7 @@ jobs:
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
OPENSSL_VER: 1.1.1t
OPENSSL_VER: 1.1.1u
PYTHONSTRICTEXTENSIONBUILD: 1
steps:
- uses: actions/checkout@v3
Expand Down Expand Up @@ -219,7 +219,7 @@ jobs:
strategy:
fail-fast: false
matrix:
openssl_ver: [1.0.2u, 1.1.0l, 1.1.1t, 3.0.8, 3.1.0-beta1]
openssl_ver: [1.0.2u, 1.1.0l, 1.1.1u, 3.0.9, 3.1.1]
env:
OPENSSL_VER: ${{ matrix.openssl_ver }}
MULTISSL_DIR: ${{ github.workspace }}/multissl
Expand Down
6 changes: 3 additions & 3 deletions Mac/BuildScript/build-installer.py
Original file line number Diff line number Diff line change
Expand Up @@ -244,9 +244,9 @@ def library_recipes():

result.extend([
dict(
name="OpenSSL 1.1.1t",
url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
name="OpenSSL 1.1.1u",
url="https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
checksum='72f7ba7395f0f0652783ba1089aa0dcc',
buildrecipe=build_universal_openssl,
configure=None,
install=None,
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
to address several CVEs.
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Update macOS installer to use OpenSSL 1.1.1u.
17 changes: 16 additions & 1 deletion Modules/_ssl_data_111.h
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T02:58:04.081473 */
static struct py_ssl_library_code library_codes[] = {
#ifdef ERR_LIB_ASN1
{"ASN1", ERR_LIB_ASN1},
Expand Down Expand Up @@ -1375,6 +1375,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
#endif
#ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
{"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
#else
{"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
#endif
#ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
{"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
#else
Expand Down Expand Up @@ -4860,6 +4865,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_PARAMETERS", 20, 290},
#endif
#ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
{"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
#else
{"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
#endif
#ifdef SSL_R_MISSING_RSA_CERTIFICATE
{"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
#else
Expand Down Expand Up @@ -5065,6 +5075,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NULL_SSL_METHOD_PASSED", 20, 196},
#endif
#ifdef SSL_R_OCSP_CALLBACK_FAILURE
{"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
#else
{"OCSP_CALLBACK_FAILURE", 20, 294},
#endif
#ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
{"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
#else
Expand Down
Loading

0 comments on commit e15de14

Please sign in to comment.