
Commit 6d3649f

Edward-Knightgeofft
authored andcommitted
Add OpenSSL 3.5, build with instead of 3.0
This means all supported Unix platforms (CPython 3.9+), and Windows from CPython 3.11+. This initial attempt copies what we did for OpenSSL 3.0.
1 parent 8138f8f commit 6d3649f


7 files changed

+96
-34
lines changed


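--- a/cpython-unix/Makefile
+++ b/cpython-unix/Makefile
@@ -177,6 +177,9 @@ $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP
 $(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh
 $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0
 
+$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh
+$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5
+
 LIBEDIT_DEPENDS = \
 $(PYTHON_DEP_DEPENDS) \
 $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar \
@@ -263,6 +266,7 @@ PYTHON_DEPENDS_$(1) := \
 $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \
 $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \
 $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \
+$$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \
 $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \
 $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \
 $$(if $$(NEED_TCL),$$(OUTDIR)/tcl-$$(TCL_VERSION)-$$(PACKAGE_SUFFIX).tar) \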

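--- a/cpython-unix/build-openssl-3.5.sh
+++ b/cpython-unix/build-openssl-3.5.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -ex
+
+ROOT=`pwd`
+
+export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH
+
+tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz
+
+pushd openssl-${OPENSSL_3_5_VERSION}
+
+# Otherwise it gets set to /tools/deps/ssl by default.
+case "${TARGET_TRIPLE}" in
+*apple*)
+EXTRA_FLAGS="--openssldir=/private/etc/ssl"
+;;
+*)
+EXTRA_FLAGS="--openssldir=/etc/ssl"
+;;
+esac
+
+# musl is missing support for various primitives.
+# TODO disable secure memory is a bit scary. We should look into a proper
+# workaround.
+if [ "${CC}" = "musl-clang" ]; then
+EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY"
+fi
+
+# The -arch cflags confuse Configure. And OpenSSL adds them anyway.
+# Strip them.
+EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/}
+EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/}
+
+EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}"
+
+/usr/bin/perl ./Configure \
+--prefix=/tools/deps \
+--libdir=lib \
+${OPENSSL_TARGET} \
+no-legacy \
+no-shared \
+no-tests \
+${EXTRA_FLAGS}
+
+make -j ${NUM_CPUS}
+make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out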
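Review bot: The musl branch (`if [ "${CC}" = "musl-clang" ]`) still passes `-DOPENSSL_NO_SECURE_MEMORY` and `-D__STDC_NO_ATOMICS__=1`, apparently carried over from the 3.0 script, and nothing in the file records that they were re-checked against 3.5. With secure memory compiled out, allocations that OpenSSL would otherwise place in its secure heap (private key material, for example) presumably fall back to the ordinary heap on every musl target, so the TODO should state that consequence instead of "a bit scary". I would reword it to `# TODO: -DOPENSSL_NO_SECURE_MEMORY removes OpenSSL's secure heap on musl builds; re-test with 3.5 and drop the flag if musl now builds without it.` Separately, `set -ex` lacks `-u` and `${OPENSSL_3_5_VERSION}`, `${ROOT}` and `${NUM_CPUS}` are expanded unquoted, so a missing version variable only shows up as a tar failure on `openssl-.tar.gz`; `set -eux` would fail earlier and more clearly, provided every variable the script reads is always set by the caller.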

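--- a/cpython-unix/build.py
+++ b/cpython-unix/build.py
@@ -274,7 +274,7 @@ def simple_build(
 
 add_target_env(env, host_platform, target_triple, build_env)
 
-if entry in ("openssl-1.1", "openssl-3.0"):
+if entry.startswith("openssl-"):
 settings = get_targets(TARGETS_CONFIG)[target_triple]
 env["OPENSSL_TARGET"] = settings["openssl_target"]
 
@@ -1114,6 +1114,7 @@ def main():
 "ncurses",
 "openssl-1.1",
 "openssl-3.0",
+"openssl-3.5",
 "patchelf",
 "sqlite",
 "tcl",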

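--- a/cpython-unix/targets.yml
+++ b/cpython-unix/targets.yml
@@ -102,7 +102,7 @@ aarch64-apple-darwin:
 - libffi
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - tcl
 - tk
@@ -149,7 +149,7 @@ aarch64-apple-ios:
 - libffi
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -190,7 +190,7 @@ aarch64-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -244,7 +244,7 @@ arm64-apple-tvos:
 - expat
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -279,7 +279,7 @@ armv7-unknown-linux-gnueabi:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -320,7 +320,7 @@ armv7-unknown-linux-gnueabihf:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -361,7 +361,7 @@ loongarch64-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -402,7 +402,7 @@ mips-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -443,7 +443,7 @@ mipsel-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -484,7 +484,7 @@ ppc64le-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -525,7 +525,7 @@ riscv64-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -566,7 +566,7 @@ s390x-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -615,7 +615,7 @@ thumb7k-apple-watchos:
 - expat
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -668,7 +668,7 @@ x86_64-apple-darwin:
 - libffi
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - tcl
 - tk
@@ -715,7 +715,7 @@ x86_64-apple-ios:
 - libffi
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -758,7 +758,7 @@ x86_64-apple-tvos:
 - expat
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -801,7 +801,7 @@ x86_64-apple-watchos:
 - expat
 - m4
 - mpdecimal
-- openssl-3.0
+- openssl-3.5
 - sqlite
 - xz
 - zstd
@@ -840,7 +840,7 @@ x86_64-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -887,7 +887,7 @@ x86_64_v2-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -934,7 +934,7 @@ x86_64_v3-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -981,7 +981,7 @@ x86_64_v4-unknown-linux-gnu:
 - m4
 - mpdecimal
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -1026,7 +1026,7 @@ x86_64-unknown-linux-musl:
 - mpdecimal
 - musl
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -1071,7 +1071,7 @@ x86_64_v2-unknown-linux-musl:
 - mpdecimal
 - musl
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -1116,7 +1116,7 @@ x86_64_v3-unknown-linux-musl:
 - mpdecimal
 - musl
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -1161,7 +1161,7 @@ x86_64_v4-unknown-linux-musl:
 - mpdecimal
 - musl
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl
@@ -1208,7 +1208,7 @@ aarch64-unknown-linux-musl:
 - mpdecimal
 - musl
 - ncurses
-- openssl-3.0
+- openssl-3.5
 - patchelf
 - sqlite
 - tcl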

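--- a/cpython-windows/build.py
+++ b/cpython-windows/build.py
@@ -470,7 +470,7 @@ def hack_props(
 raise Exception("unhandled architecture: %s" % arch)
 
 try:
-# CPython 3.11+ builds with OpenSSL 3.0 by default.
+# CPython 3.11+ builds with OpenSSL 3.x by default.
 static_replace_in_file(
 openssl_props,
 b"<_DLLSuffix>-3</_DLLSuffix>",
@@ -1874,7 +1874,7 @@ def main() -> None:
 if args.python in ("cpython-3.9", "cpython-3.10"):
 openssl_entry = "openssl-1.1"
 else:
-openssl_entry = "openssl-3.0"
+openssl_entry = "openssl-3.5"
 
 openssl_archive = BUILD / (
 "%s-%s-%s.tar" % (openssl_entry, target_triple, build_options)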

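--- a/pythonbuild/downloads.py
+++ b/pythonbuild/downloads.py
@@ -247,9 +247,6 @@
 "licenses": ["OpenSSL"],
 "license_file": "LICENSE.openssl-1.1.txt",
 },
-# We use OpenSSL 3.0 because it is an LTS release and has a longer support
-# window. If CPython ends up gaining support for 3.1+ releases, we can consider
-# using the latest available.
 # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading.
 "openssl-3.0": {
 "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz",
@@ -260,6 +257,16 @@
 "licenses": ["Apache-2.0"],
 "license_file": "LICENSE.openssl-3.txt",
 },
+# Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading.
+"openssl-3.5": {
+"url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz",
+"size": 53180161,
+"sha256": "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec",
+"version": "3.5.2",
+"library_names": ["crypto", "ssl"],
+"licenses": ["Apache-2.0"],
+"license_file": "LICENSE.openssl-3.txt",
+},
 "nasm-windows-bin": {
 "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz",
 "size": 384826,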
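Review bot: The rationale comment for the OpenSSL pin is deleted (old lines 250-252) and the new `"openssl-3.5"` entry gets no replacement, so the file no longer says why this release line was picked or when it should be revisited. I would add above the entry `# OpenSSL 3.5 is an LTS release; stay on an LTS line so security fixes remain available for shipped distributions.` The `"openssl-3.0"` entry pinned at 3.0.16 stays in the table; if no target still uses it after this commit (every targets.yml hunk shown switches to 3.5, and the Windows build now selects `openssl-3.5`), consider removing it together with its Makefile rule so a pin nobody bumps is not left buildable. The new archive moves from openssl.org to a GitHub release URL, and the `size` and `sha256` fields are what keep that host change verifiable, so both must be refreshed on every version bump. The dict this entry belongs to starts and ends outside the hunk.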

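--- a/src/verify_distribution.py
+++ b/src/verify_distribution.py
@@ -147,12 +147,12 @@ def test_ssl(self):
 self.assertTrue(ssl.HAS_TLSv1_2)
 self.assertTrue(ssl.HAS_TLSv1_3)
 
-# OpenSSL 1.1 on older CPython versions on Windows. 3.0 everywhere
+# OpenSSL 1.1 on older CPython versions on Windows. 3.5 everywhere
 # else.
 if os.name == "nt" and sys.version_info[0:2] < (3, 11):
 wanted_version = (1, 1, 1, 23, 15)
 else:
-wanted_version = (3, 0, 0, 16, 0)
+wanted_version = (3, 5, 0, 2, 0)
 
 self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version)
 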