author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2020-05-15 17:10:15 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-15 17:10:15 (GMT) |
commit | 5a06cf01ecb6a048fb47c086adc1336f54fe8789 (patch) | |
tree | a3074c7a0b9ef6eff16d0a850f9ed14afde53483 | |
parent | 4e6545b002dd4d068b2538ffca60830d0e7fd369 (diff) | |
bpo-40479: Test with latest OpenSSL versions (GH-20108)
* 1.0.2u (EOL)
* 1.1.0l (EOL)
* 1.1.1g
* 3.0.0-alpha2 (disabled for now)
Build the FIPS provider and create a FIPS configuration file for OpenSSL
3.0.0.
Signed-off-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: @tiran
(cherry picked from commit 62d618c06bd395308b7163dbcb26c7e6d0922033)
Co-authored-by: Christian Heimes <christian@python.org>
-rw-r--r-- | Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst | 2 | ||||
-rwxr-xr-x | Tools/ssl/multissltests.py | 61 |
2 files changed, 60 insertions, 3 deletions
diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst b/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst
new file mode 100644
index 0000000..b590359
--- /dev/null
+++ b/Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst
@@ -0,0 +1,2 @@
+Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1,
+and 3.0.0-alpha.
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 05d6d7d..7aa28bd 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -41,13 +41,13 @@ import tarfile
 log = logging.getLogger("multissl")
 OPENSSL_OLD_VERSIONS = [
- "1.0.2",
 ]
 OPENSSL_RECENT_VERSIONS = [
- "1.0.2t",
+ "1.0.2u",
 "1.1.0l",
- "1.1.1f",
+ "1.1.1g",
+ # "3.0.0-alpha2"
 ]
 LIBRESSL_OLD_VERSIONS = [
@@ -143,6 +143,23 @@ parser.add_argument(
 help="Keep original sources for debugging."
 )
+OPENSSL_FIPS_CNF = """\
+openssl_conf = openssl_init
+
+.include {self.install_dir}/ssl/fipsinstall.cnf
+# .include {self.install_dir}/ssl/openssl.cnf
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+fips = fips_sect
+default = default_sect
+
+[default_sect]
+activate = 1
+"""
+
 class AbstractBuilder(object):
 library = None
@@ -291,9 +308,13 @@ class AbstractBuilder(object):
 ["make", "-j1", self.install_target],
 cwd=self.build_dir
 )
+ self._post_install()
 if not self.args.keep_sources:
 shutil.rmtree(self.build_dir)
+ def _post_install(self):
+ pass
+
 def install(self):
 log.info(self.openssl_cli)
 if not self.has_openssl or self.args.force:
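Review bot: `OPENSSL_FIPS_CNF` loads the `fips` provider next to an activated `default` provider and sets no default property query, so as far as this hunk shows a process using the file can still be served non-FIPS implementations from the default provider. If the goal is only to make the FIPS module loadable for the test suite, a comment above the template should say that, e.g. `# Makes the FIPS provider available; does not enforce FIPS-only algorithm selection.` If enforcement is intended, OpenSSL 3.0 configuration expresses it with an `alg_section` whose section sets `default_properties = fips=yes`. The comment could also mention that the `{self.install_dir}` fields are filled by `str.format(self=...)`, so any literal brace added to the template later has to be doubled.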
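Review bot: The new `_post_install` hook on `AbstractBuilder` has no docstring, and its call position is part of its contract: it runs after the `make ... self.install_target` step and before `shutil.rmtree(self.build_dir)`. The `BuildOpenSSL` override added in the last hunk of this diff depends on that, because it runs `make` with `cwd=self.build_dir`. I would document it on the hook, `"""Hook for subclasses; runs after install while build_dir still exists."""`, so a later reordering does not silently break the override. The calling method starts above this hunk, so the rest of its body is not visible here.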
@@ -365,6 +386,40 @@ class BuildOpenSSL(AbstractBuilder):
 # only install software, skip docs
 install_target = 'install_sw'
+ def _post_install(self):
+ if self.version.startswith("3.0"):
+ self._post_install_300()
+
+ def _post_install_300(self):
+ # create ssl/ subdir with example configs
+ self._subprocess_call(
+ ["make", "-j1", "install_ssldirs"],
+ cwd=self.build_dir
+ )
+ # Install FIPS module
+ # https://wiki.openssl.org/index.php/OpenSSL_3.0#Completing_the_installation_of_the_FIPS_Module
+ fipsinstall_cnf = os.path.join(
+ self.install_dir, "ssl", "fipsinstall.cnf"
+ )
+ openssl_fips_cnf = os.path.join(
+ self.install_dir, "ssl", "openssl-fips.cnf"
+ )
+ fips_mod = os.path.join(self.lib_dir, "ossl-modules/fips.so")
+ self._subprocess_call(
+ [
+ self.openssl_cli, "fipsinstall",
+ "-out", fipsinstall_cnf,
+ "-module", fips_mod,
+ "-provider_name", "fips",
+ "-mac_name", "HMAC",
+ "-macopt", "digest:SHA256",
+ "-macopt", "hexkey:00",
+ "-section_name", "fips_sect"
+ ]
+ )
+ with open(openssl_fips_cnf, "w") as f:
+ f.write(OPENSSL_FIPS_CNF.format(self=self))
+
 class BuildLibreSSL(AbstractBuilder):
 library = "LibreSSL" |
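Review bot: `_post_install_300` passes `-macopt hexkey:00` to `openssl fipsinstall`, so the module-integrity MAC written to `fipsinstall.cnf` is keyed with a fixed, publicly known one-byte key and can only detect accidental corruption of the module. That is acceptable for a throwaway test install, but it should be stated next to the argument so the invocation is not copied into a real deployment, e.g. `# fixed test-only MAC key; not suitable for a production FIPS install`. Separately, `"ossl-modules/fips.so"` hard-codes the `.so` suffix, which presumably fails on platforms that build the module with a different extension. The two methods are complete within the hunk, but `class BuildOpenSSL` begins above it.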