[3.11] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-…

…105174) (#105200) Upgrade builds to OpenSSL 1.1.1u. This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t. The Mac/BuildScript/build-installer.py was already updated. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af)
python · Jun 1, 2023 · a5d2b54 · a5d2b54
1 parent 3b0747a
commit a5d2b54
Show file tree

Hide file tree

Showing 11 changed files with 185 additions and 16 deletions.
diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(build.sourceBranchName)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -250,7 +250,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1t
+      OPENSSL_VER: 1.1.1u
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v3
@@ -319,7 +319,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        openssl_ver: [1.1.1t, 3.0.8, 3.1.0-beta1]
+        openssl_ver: [1.1.1u, 3.0.9, 3.1.1]
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}
       MULTISSL_DIR: ${{ github.workspace }}/multissl
@@ -371,7 +371,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1t
+      OPENSSL_VER: 1.1.1u
       PYTHONSTRICTEXTENSIONBUILD: 1
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:

diff --git a/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst b/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst
@@ -0,0 +1,2 @@
+The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
+to address several CVEs.
diff --git a/Modules/_ssl_data_111.h b/Modules/_ssl_data_111.h
@@ -1,4 +1,4 @@
-/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T02:58:04.081473 */
 static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_ASN1
     {"ASN1", ERR_LIB_ASN1},
@@ -1375,6 +1375,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
   #endif
+  #ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
+    {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
+  #else
+    {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
+  #endif
   #ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
     {"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
   #else
@@ -4860,6 +4865,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"MISSING_PARAMETERS", 20, 290},
   #endif
+  #ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
+    {"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
+  #else
+    {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
+  #endif
   #ifdef SSL_R_MISSING_RSA_CERTIFICATE
     {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
   #else
@@ -5065,6 +5075,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"NULL_SSL_METHOD_PASSED", 20, 196},
   #endif
+  #ifdef SSL_R_OCSP_CALLBACK_FAILURE
+    {"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
+  #else
+    {"OCSP_CALLBACK_FAILURE", 20, 294},
+  #endif
   #ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
     {"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
   #else