diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7e0636bf..1eb12c46 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -90,8 +90,8 @@ RUN export SQLITE_AUTOCONF_ROOT=sqlite-autoconf-3430100 && \
 manylinux-entrypoint /build_scripts/build-sqlite3.sh
 COPY build_scripts/build-openssl.sh /build_scripts/
-RUN export OPENSSL_ROOT=openssl-1.1.1w && \
- export OPENSSL_HASH=cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 && \
+RUN export OPENSSL_ROOT=openssl-3.0.10 && \
+ export OPENSSL_HASH=1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323 && \
 export OPENSSL_DOWNLOAD_URL=https://www.openssl.org/source && \
 manylinux-entrypoint /build_scripts/build-openssl.sh
diff --git a/docker/build_scripts/build-cpython.sh b/docker/build_scripts/build-cpython.sh
index eea89e22..ad92191a 100755
--- a/docker/build_scripts/build-cpython.sh
+++ b/docker/build_scripts/build-cpython.sh
@@ -39,16 +39,23 @@ if [ "${CPYTHON_VERSION}" == "3.6.15" ]; then
 CFLAGS_EXTRA="${CFLAGS_EXTRA} -fno-tree-loop-vectorize -fno-tree-slp-vectorize"
 fi
 if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ] ; then
- # Python 3.11+
+ # Python 3.11+
 export TCLTK_LIBS="-ltk8.6 -ltcl8.6"
 fi
+PYVERS="${CPYTHON_VERSION%.*}"
+if ! [ -d /usr/local/openssl3 ] || [ "${PYVERS}" == "3.6" ] || [ "${PYVERS}" == "3.7" ]; then
+ OPENSSL_OPTIONS=""
+else
+ OPENSSL_OPTIONS="--with-openssl=/usr/local/openssl3"
+fi
 # configure with hardening options only for the interpreter & stdlib C extensions
 # do not change the default for user built extension (yet?)
 ./configure \
 CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS} ${CFLAGS_EXTRA}" \
 LDFLAGS_NODIST="${MANYLINUX_LDFLAGS}" \
- --prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+ --prefix=${PREFIX} --disable-shared --with-ensurepip=no \
+ $OPENSSL_OPTIONS > /dev/null
 make > /dev/null
 make install > /dev/null
 popd
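Review bot: In docker/build_scripts/build-cpython.sh the new `OPENSSL_OPTIONS` branch carries no comment saying why 3.6 and 3.7 are excluded or what those interpreters link against instead. With `OPENSSL_OPTIONS=""` configure uses whatever OpenSSL headers the image already provides, and the same commit stops erasing `openssl-devel` in build-openssl.sh, so those builds presumably end up on the distribution's OpenSSL without anything in the log saying so. I would add `# 3.6/3.7 are not built against /usr/local/openssl3; they use the system openssl-devel (see build-openssl.sh)` above the `if`, and print the chosen value, e.g. `echo "OPENSSL_OPTIONS=${OPENSSL_OPTIONS:-<system>}"`, since configure output is sent to /dev/null. The script continues outside the hunk on both sides.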
diff --git a/docker/build_scripts/build-openssl.sh b/docker/build_scripts/build-openssl.sh
index 668deb68..01d77ab6 100755
--- a/docker/build_scripts/build-openssl.sh
+++ b/docker/build_scripts/build-openssl.sh
@@ -29,21 +29,28 @@ if [ "${SMALLEST}" = "${OPENSSL_MIN_VERSION}" ]; then
 exit 0
 fi
-if which yum; then
- yum erase -y openssl-devel
-else
- apk del openssl-dev
-fi
+#if which yum; then
+# yum erase -y openssl-devel
+#else
+# apk del openssl-dev
+#fi
+# Install a more recent openssl 3.0.x
 fetch_source ${OPENSSL_ROOT}.tar.gz ${OPENSSL_DOWNLOAD_URL}
 check_sha256sum ${OPENSSL_ROOT}.tar.gz ${OPENSSL_HASH}
 tar -xzf ${OPENSSL_ROOT}.tar.gz
 pushd ${OPENSSL_ROOT}
-./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS} -fPIC" CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
-make > /dev/null
+./config no-shared \
+ --prefix=/usr/local/openssl3 --libdir=lib \
+ --openssldir=`find /etc/ -name openssl.cnf -printf "%h\n"` \
+ CPPFLAGS="${MANYLINUX_CPPFLAGS}" \
+ CFLAGS="${MANYLINUX_CFLAGS} -fPIC" \
+ CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" \
+ LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
+make -j1 depend > /dev/null
+make -j6 > /dev/null
 make install_sw > /dev/null
 popd
 rm -rf ${OPENSSL_ROOT} ${OPENSSL_ROOT}.tar.gz
-
-/usr/local/ssl/bin/openssl version
+/usr/local/openssl3/bin/openssl version
diff --git a/docker/build_scripts/install-build-packages.sh b/docker/build_scripts/install-build-packages.sh
index 1d566f0d..42ed59d2 100755
--- a/docker/build_scripts/install-build-packages.sh
+++ b/docker/build_scripts/install-build-packages.sh
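Review bot: In docker/build_scripts/build-openssl.sh the `--openssldir=` value comes from an unquoted backtick `find /etc/ -name openssl.cnf -printf "%h\n"` whose result is never checked for zero or multiple matches. With no match the option is empty, and with two matches the second directory is word-split into a stray `./config` argument; in both cases the static library's built-in location for openssl.cnf and the CA store may not be the one intended, and `> /dev/null` hides any complaint from Configure. Resolve it first and fail loudly: `OPENSSL_DIR=$(find /etc/ -name openssl.cnf -printf '%h\n' -quit)`, `[ -n "${OPENSSL_DIR}" ] || { echo "openssl.cnf not found under /etc" >&2; exit 1; }`, then pass `--openssldir="${OPENSSL_DIR}"`. The commented-out `yum erase`/`apk del` block would be better deleted and replaced by a one-line comment stating that the system openssl-devel is now kept on purpose.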
@@ -14,7 +14,7 @@ source $MY_DIR/build_utils.sh
 # make sure the corresponding library is added to RUNTIME_DEPS if applicable
 if [ "${BASE_POLICY}" == "manylinux" ]; then
- COMPILE_DEPS="bzip2-devel ncurses-devel readline-devel gdbm-devel libpcap-devel xz-devel openssl openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libidn-devel curl-devel uuid-devel libffi-devel kernel-headers libdb-devel"
+ COMPILE_DEPS="bzip2-devel ncurses-devel readline-devel gdbm-devel libpcap-devel xz-devel openssl openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libidn-devel curl-devel uuid-devel libffi-devel kernel-headers libdb-devel perl-IPC-Cmd"
 if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ]; then
 PACKAGE_MANAGER=yum
 COMPILE_DEPS="${COMPILE_DEPS} libXft-devel"
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 0de0e86b..6eed2d2f 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -35,6 +35,10 @@ for PYTHON in /opt/python/*/bin/python; do
 $PYTHON -c 'import sqlite3; print(sqlite3.sqlite_version); assert sqlite3.sqlite_version_info[0:2] >= (3, 34)'
 # Make sure tkinter module can be loaded properly
 $PYTHON -c 'import tkinter; print(tkinter.TkVersion); assert tkinter.TkVersion >= 8.6'
+ # Make sure openssl module can be loaded properly
+ if [ "${PYVERS}" != "3.6" ] && [ "${PYVERS}" != "3.7" ]; then
+ $PYTHON -c 'import ssl; print(ssl.OPENSSL_VERSION); assert ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)'
+ fi
 fi
 # pythonX.Y / pypyX.Y shall be available directly in PATH
 LINK_VERSION=$(${LINK_PREFIX}${PYVERS} -V)
diff --git a/update_native_dependencies.py b/update_native_dependencies.py
index 5c7d404c..a2578267 100644
--- a/update_native_dependencies.py
+++ b/update_native_dependencies.py
@@ -55,7 +55,7 @@ def _update_with_root(tool, dry_run):
 "openssl": "openssl/openssl",
 }
 major = {
- "openssl": "1.1",
+ "openssl": "3.0",
 }
 dockerfile = Path(__file__).parent / "docker" / "Dockerfile"
 lines = dockerfile.read_text().splitlines()
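Review bot: In tests/run_tests.sh the added assertion `ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)` does not show that an interpreter was linked against the OpenSSL 3.0 build this commit introduces; one that silently picked up a system 1.1.1 would pass. Where /usr/local/openssl3 is expected to be used, a floor of `(3, 0, 0)` would catch that fallback, though the right condition depends on the early `exit 0` path in build-openssl.sh, which is only partly visible here. Python 3.6 and 3.7 are skipped entirely, so nothing checks that `import ssl` still works there; running `$PYTHON -c 'import ssl; print(ssl.OPENSSL_VERSION)'` unconditionally and keeping only the version assert inside the `if` would cover them and record the linked version in the test log. The enclosing `for` and `if` start outside the hunk.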
@@ -68,10 +68,6 @@ def _update_with_root(tool, dry_run):
 latest_version = latest(repo[tool], major=major.get(tool, None))
 if latest_version > current_version:
 root = f"{tool}-{latest_version}"
- if root == "openssl-1.1.1r":
- # withdrawn version
- print(f"Skipping {root}")
- break
 url = re.match(f"^ export {tool.upper()}_DOWNLOAD_URL=(?P\\S+) && \\\\$", lines[i + 2])["url"]
 url = url.replace(f"${{{tool.upper()}_ROOT}}", root)
 sha256 = _sha256(f"{url}/{root}.tar.gz")