[3.8] [3.9] pythongh-103142: Upgrade binary builds and CI to OpenSSL …

…1.1.1u (pythonGH-105174) (pythonGH-105200) (pythonGH-105205) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) (cherry picked from commit e15de14) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org>
ambv · Jun 6, 2023 · 4bc744f · 4bc744f
1 parent 9c2ff15
commit 4bc744f
Show file tree

Hide file tree

Showing 12 changed files with 186 additions and 18 deletions.
diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(build.sourceBranchName)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -157,7 +157,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1t
+      OPENSSL_VER: 1.1.1u
     steps:
     - uses: actions/checkout@v2
     - name: Install Dependencies
@@ -198,7 +198,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        openssl_ver: [1.0.2u, 1.1.0l, 1.1.1t, 3.0.8, 3.1.0-beta1]
+        openssl_ver: [1.0.2u, 1.1.1u, 3.0.9, 3.1.1]
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}
       MULTISSL_DIR: ${{ github.workspace }}/multissl

diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
@@ -242,9 +242,9 @@ def library_recipes():
 
     result.extend([
           dict(
-              name="OpenSSL 1.1.1t",
-              url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
-              checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
+              name="OpenSSL 1.1.1u",
+              url="https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
+              checksum='72f7ba7395f0f0652783ba1089aa0dcc',
               buildrecipe=build_universal_openssl,
               configure=None,
               install=None,

diff --git a/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst b/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst
@@ -0,0 +1,2 @@
+The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
+to address several CVEs.
diff --git a/Misc/NEWS.d/next/macOS/2023-05-30-23-30-46.gh-issue-103142.55lMXQ.rst b/Misc/NEWS.d/next/macOS/2023-05-30-23-30-46.gh-issue-103142.55lMXQ.rst
@@ -0,0 +1 @@
+Update macOS installer to use OpenSSL 1.1.1u.
diff --git a/Modules/_ssl_data_111.h b/Modules/_ssl_data_111.h
@@ -1,4 +1,4 @@
-/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T02:58:04.081473 */
 static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_ASN1
     {"ASN1", ERR_LIB_ASN1},
@@ -1375,6 +1375,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
   #endif
+  #ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
+    {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
+  #else
+    {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
+  #endif
   #ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
     {"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
   #else
@@ -4860,6 +4865,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"MISSING_PARAMETERS", 20, 290},
   #endif
+  #ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
+    {"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
+  #else
+    {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
+  #endif
   #ifdef SSL_R_MISSING_RSA_CERTIFICATE
     {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
   #else
@@ -5065,6 +5075,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"NULL_SSL_METHOD_PASSED", 20, 196},
   #endif
+  #ifdef SSL_R_OCSP_CALLBACK_FAILURE
+    {"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
+  #else
+    {"OCSP_CALLBACK_FAILURE", 20, 294},
+  #endif
   #ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
     {"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
   #else