mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-07 19:35:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

gh-131423: Update to OpenSSL 3.0.16. (GH-131839)

Browse source 
The bin tag is 3.0.16.1 because we rebuilt without uplink support to fix gh-131804.
This PR also prevents making calls that are now unsafe without uplink, and updates
the tests to property interpret these failures as unsupported.
This commit is contained in:
Steve Dower 2025-03-28 15:07:57 +00:00 committed by GitHub
parent ce77da5871
commit d260631be0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 74 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

10
Lib/test/audit-tests.py
View file

@ -208,7 +208,15 @@ def test_open(testfn):
if not fn: if not fn:
continue continue
with assertRaises(RuntimeError): with assertRaises(RuntimeError):
fn(*args) try:
fn(*args)
except NotImplementedError:
if fn == load_dh_params:
# Not callable in some builds
load_dh_params = None
raise RuntimeError
else:
raise
actual_mode = [(a[0], a[1]) for e, a in hook.seen if e == "open" and a[1]] actual_mode = [(a[0], a[1]) for e, a in hook.seen if e == "open" and a[1]]
actual_flag = [(a[0], a[2]) for e, a in hook.seen if e == "open" and not a[1]] actual_flag = [(a[0], a[2]) for e, a in hook.seen if e == "open" and not a[1]]

1
Lib/test/test_audit.py
View file

@ -23,6 +23,7 @@ class AuditTest(unittest.TestCase):
with subprocess.Popen( with subprocess.Popen(
[sys.executable, "-X utf8", AUDIT_TESTS_PY, *args], [sys.executable, "-X utf8", AUDIT_TESTS_PY, *args],
encoding="utf-8", encoding="utf-8",
errors="backslashreplace",
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stderr=subprocess.PIPE,
) as p: ) as p:

52
Lib/test/test_ssl.py
View file

@ -1321,10 +1321,14 @@ class ContextTests(unittest.TestCase):
with self.assertRaises(ssl.SSLError): with self.assertRaises(ssl.SSLError):
ctx.load_verify_locations(cadata=cacert_der + b"A") ctx.load_verify_locations(cadata=cacert_der + b"A")
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_load_dh_params(self): def test_load_dh_params(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_dh_params(DHFILE) try:
ctx.load_dh_params(DHFILE)
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
ctx.load_dh_params(BYTES_DHFILE) ctx.load_dh_params(BYTES_DHFILE)
self.assertRaises(TypeError, ctx.load_dh_params) self.assertRaises(TypeError, ctx.load_dh_params)
self.assertRaises(TypeError, ctx.load_dh_params, None) self.assertRaises(TypeError, ctx.load_dh_params, None)
@ -1648,12 +1652,17 @@ class SSLErrorTests(unittest.TestCase):
self.assertEqual(str(e), "foo") self.assertEqual(str(e), "foo")
self.assertEqual(e.errno, 1) self.assertEqual(e.errno, 1)
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_lib_reason(self): def test_lib_reason(self):
# Test the library and reason attributes # Test the library and reason attributes
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
with self.assertRaises(ssl.SSLError) as cm: try:
ctx.load_dh_params(CERTFILE) with self.assertRaises(ssl.SSLError) as cm:
ctx.load_dh_params(CERTFILE)
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
self.assertEqual(cm.exception.library, 'PEM') self.assertEqual(cm.exception.library, 'PEM')
regex = "(NO_START_LINE|UNSUPPORTED_PUBLIC_KEY_TYPE)" regex = "(NO_START_LINE|UNSUPPORTED_PUBLIC_KEY_TYPE)"
self.assertRegex(cm.exception.reason, regex) self.assertRegex(cm.exception.reason, regex)
@ -4032,13 +4041,17 @@ class ThreadedTests(unittest.TestCase):
chatty=True, connectionchatty=True, chatty=True, connectionchatty=True,
sni_name=hostname) sni_name=hostname)
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_dh_params(self): def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman # Check we can get a connection with ephemeral Diffie-Hellman
client_context, server_context, hostname = testing_context() client_context, server_context, hostname = testing_context()
# test scenario needs TLS <= 1.2 # test scenario needs TLS <= 1.2
client_context.maximum_version = ssl.TLSVersion.TLSv1_2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.load_dh_params(DHFILE) try:
server_context.load_dh_params(DHFILE)
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
server_context.set_ciphers("kEDH") server_context.set_ciphers("kEDH")
server_context.maximum_version = ssl.TLSVersion.TLSv1_2 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
stats = server_params_test(client_context, server_context, stats = server_params_test(client_context, server_context,
@ -4819,14 +4832,18 @@ class TestSSLDebug(unittest.TestCase):
return len(list(f)) return len(list(f))
@requires_keylog @requires_keylog
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_keylog_defaults(self): def test_keylog_defaults(self):
self.addCleanup(os_helper.unlink, os_helper.TESTFN) self.addCleanup(os_helper.unlink, os_helper.TESTFN)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
self.assertEqual(ctx.keylog_filename, None) self.assertEqual(ctx.keylog_filename, None)
self.assertFalse(os.path.isfile(os_helper.TESTFN)) self.assertFalse(os.path.isfile(os_helper.TESTFN))
ctx.keylog_filename = os_helper.TESTFN try:
ctx.keylog_filename = os_helper.TESTFN
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
self.assertEqual(ctx.keylog_filename, os_helper.TESTFN) self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
self.assertTrue(os.path.isfile(os_helper.TESTFN)) self.assertTrue(os.path.isfile(os_helper.TESTFN))
self.assertEqual(self.keylog_lines(), 1) self.assertEqual(self.keylog_lines(), 1)
@ -4843,12 +4860,17 @@ class TestSSLDebug(unittest.TestCase):
ctx.keylog_filename = 1 ctx.keylog_filename = 1
@requires_keylog @requires_keylog
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_keylog_filename(self): def test_keylog_filename(self):
self.addCleanup(os_helper.unlink, os_helper.TESTFN) self.addCleanup(os_helper.unlink, os_helper.TESTFN)
client_context, server_context, hostname = testing_context() client_context, server_context, hostname = testing_context()
client_context.keylog_filename = os_helper.TESTFN try:
client_context.keylog_filename = os_helper.TESTFN
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
server = ThreadedEchoServer(context=server_context, chatty=False) server = ThreadedEchoServer(context=server_context, chatty=False)
with server: with server:
with client_context.wrap_socket(socket.socket(), with client_context.wrap_socket(socket.socket(),
@ -4881,7 +4903,6 @@ class TestSSLDebug(unittest.TestCase):
@requires_keylog @requires_keylog
@unittest.skipIf(sys.flags.ignore_environment, @unittest.skipIf(sys.flags.ignore_environment,
"test is not compatible with ignore_environment") "test is not compatible with ignore_environment")
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_keylog_env(self): def test_keylog_env(self):
self.addCleanup(os_helper.unlink, os_helper.TESTFN) self.addCleanup(os_helper.unlink, os_helper.TESTFN)
with unittest.mock.patch.dict(os.environ): with unittest.mock.patch.dict(os.environ):
@ -4891,7 +4912,12 @@ class TestSSLDebug(unittest.TestCase):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
self.assertEqual(ctx.keylog_filename, None) self.assertEqual(ctx.keylog_filename, None)
ctx = ssl.create_default_context() try:
ctx = ssl.create_default_context()
except RuntimeError:
if Py_DEBUG_WIN32:
self.skipTest("not supported on Win32 debug build")
raise
self.assertEqual(ctx.keylog_filename, os_helper.TESTFN) self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
ctx = ssl._create_stdlib_context() ctx = ssl._create_stdlib_context()

3
Misc/NEWS.d/next/Windows/2025-03-28-13-22-55.gh-issue-131423.vI-LqV.rst Normal file
View file

@ -0,0 +1,3 @@
Update bundled version of OpenSSL to 3.0.16. The new build also disables
uplink support, which may be relevant to embedders but has no impact on
normal use.

8
Misc/externals.spdx.json
View file

@ -70,21 +70,21 @@
"checksums": [ "checksums": [
{ {
"algorithm": "SHA256", "algorithm": "SHA256",
"checksumValue": "1550c87996a0858474a9dd179deab2c55eb73726b9a140b32865b02fd3d8a86b" "checksumValue": "6bb739ecddbd2cfb6d255eb5898437a9b5739277dee931338d3275bac5d96ba2"
} }
], ],
"downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.15.tar.gz", "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.16.tar.gz",
"externalRefs": [ "externalRefs": [
{ {
"referenceCategory": "SECURITY", "referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.15:*:*:*:*:*:*:*", "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.16:*:*:*:*:*:*:*",
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
"licenseConcluded": "NOASSERTION", "licenseConcluded": "NOASSERTION",
"name": "openssl", "name": "openssl",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "3.0.15" "versionInfo": "3.0.16"
}, },
{ {
"SPDXID": "SPDXRef-PACKAGE-sqlite", "SPDXID": "SPDXRef-PACKAGE-sqlite",

6
Modules/_ssl.c
View file

@ -4427,6 +4427,12 @@ _ssl__SSLContext_load_dh_params_impl(PySSLContext *self, PyObject *filepath)
FILE *f; FILE *f;
DH *dh; DH *dh;
#if defined(MS_WINDOWS) && defined(_DEBUG)
PyErr_SetString(PyExc_NotImplementedError,
"load_dh_params: unavailable on Windows debug build");
return NULL;
#endif
f = Py_fopen(filepath, "rb"); f = Py_fopen(filepath, "rb");
if (f == NULL) if (f == NULL)
return NULL; return NULL;

7
Modules/_ssl/debughelpers.c
View file

@ -174,6 +174,13 @@ _PySSLContext_set_keylog_filename(PyObject *op, PyObject *arg,
{ {
PySSLContext *self = PySSLContext_CAST(op); PySSLContext *self = PySSLContext_CAST(op);
FILE *fp; FILE *fp;
#if defined(MS_WINDOWS) && defined(_DEBUG)
PyErr_SetString(PyExc_NotImplementedError,
"set_keylog_filename: unavailable on Windows debug build");
return -1;
#endif
/* Reset variables and callback first */ /* Reset variables and callback first */
SSL_CTX_set_keylog_callback(self->ctx, NULL); SSL_CTX_set_keylog_callback(self->ctx, NULL);
Py_CLEAR(self->keylog_filename); Py_CLEAR(self->keylog_filename);

3
PCbuild/_ssl.vcxproj
View file

@ -99,9 +99,6 @@
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="..\Modules\_ssl.c" /> <ClCompile Include="..\Modules\_ssl.c" />
<ClCompile Include="$(opensslIncludeDir)\applink.c">
<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;$(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="..\PC\python_nt.rc" /> <ResourceCompile Include="..\PC\python_nt.rc" />

3
PCbuild/_ssl.vcxproj.filters
View file

@ -12,9 +12,6 @@
<ClCompile Include="..\Modules\_ssl.c"> <ClCompile Include="..\Modules\_ssl.c">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="$(opensslIncludeDir)\applink.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="..\PC\python_nt.rc"> <ResourceCompile Include="..\PC\python_nt.rc">

4
PCbuild/get_externals.bat
View file

@ -53,7 +53,7 @@ echo.Fetching external libraries...
set libraries= set libraries=
set libraries=%libraries% bzip2-1.0.8 set libraries=%libraries% bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.15 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.16
set libraries=%libraries% mpdecimal-4.0.0 set libraries=%libraries% mpdecimal-4.0.0
set libraries=%libraries% sqlite-3.45.3.0 set libraries=%libraries% sqlite-3.45.3.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0
@ -77,7 +77,7 @@ echo.Fetching external binaries...
set binaries= set binaries=
if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.4 if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.4
if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.0.15 if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.0.16.1
if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.15.0 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.15.0
if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06

26
PCbuild/openssl.vcxproj
View file

@ -67,47 +67,23 @@
set VCINSTALLDIR=$(VCInstallDir) set VCINSTALLDIR=$(VCInstallDir)
if not exist "$(IntDir.TrimEnd('\'))" mkdir "$(IntDir.TrimEnd('\'))" if not exist "$(IntDir.TrimEnd('\'))" mkdir "$(IntDir.TrimEnd('\'))"
cd /D "$(IntDir.TrimEnd('\'))" cd /D "$(IntDir.TrimEnd('\'))"
$(Perl) "$(opensslDir)\configure" $(OpenSSLPlatform) no-asm $(Perl) "$(opensslDir)\configure" $(OpenSSLPlatform) no-asm no-uplink
nmake nmake
</NMakeBuildCommandLine> </NMakeBuildCommandLine>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<Target Name="_PatchUplink" BeforeTargets="Build">
<PropertyGroup>
<Uplink>$(opensslDir)\ms\uplink.c</Uplink>
<BeforePatch>((h = GetModuleHandle(NULL)) == NULL)</BeforePatch>
<AfterPatch>((h = GetModuleHandleA("_ssl.pyd")) == NULL) if ((h = GetModuleHandleA("_ssl_d.pyd")) == NULL) if ((h = GetModuleHandle(NULL)) == NULL /*patched*/)</AfterPatch>
</PropertyGroup>
<Error Text="Cannot find $(Uplink)" Condition="!Exists($(Uplink))" />
<PropertyGroup>
<_Original>$([System.IO.File]::ReadAllText($(Uplink)))</_Original>
<_Patched>$(_Original.Replace($(BeforePatch), $(AfterPatch)))</_Patched>
<IsPatched>false</IsPatched>
<IsPatched Condition="$(_Patched) == $(_Original)">true</IsPatched>
</PropertyGroup>
<Message Text="$(Uplink) is already patched" Importance="normal" Condition="$(IsPatched)" />
<Message Text="Patching $(Uplink)" Importance="high" Condition="!$(IsPatched)" />
<WriteLinesToFile File="$(Uplink)"
Lines="$(_Patched)"
Overwrite="true"
Encoding="ASCII"
Condition="!$(IsPatched)" />
</Target>
<Target Name="_CopyToOutput" AfterTargets="Build"> <Target Name="_CopyToOutput" AfterTargets="Build">
<ItemGroup> <ItemGroup>
<_Built Include="$(opensslDir)\LICENSE" /> <_Built Include="$(opensslDir)\LICENSE" />
<_Built Include="$(IntDir)\libcrypto.lib;$(IntDir)\libcrypto-*.dll;$(IntDir)\libcrypto-*.pdb" /> <_Built Include="$(IntDir)\libcrypto.lib;$(IntDir)\libcrypto-*.dll;$(IntDir)\libcrypto-*.pdb" />
<_Built Include="$(IntDir)\libssl.lib;$(IntDir)\libssl-*.dll;$(IntDir)\libssl-*.pdb" /> <_Built Include="$(IntDir)\libssl.lib;$(IntDir)\libssl-*.dll;$(IntDir)\libssl-*.pdb" />
<_AppLink Include="$(opensslDir)\ms\applink.c" />
<_Include Include="$(opensslDir)\Include\openssl\*.h" /> <_Include Include="$(opensslDir)\Include\openssl\*.h" />
<_Include Include="$(IntDir)\include\openssl\*.h" /> <_Include Include="$(IntDir)\include\openssl\*.h" />
</ItemGroup> </ItemGroup>
<MakeDir Directories="$(opensslOutDir)\include\openssl" /> <MakeDir Directories="$(opensslOutDir)\include\openssl" />
<Copy SourceFiles="@(_Built)" DestinationFolder="$(opensslOutDir)" /> <Copy SourceFiles="@(_Built)" DestinationFolder="$(opensslOutDir)" />
<Copy SourceFiles="@(_AppLink)" DestinationFolder="$(opensslOutDir)\include" />
<Copy SourceFiles="@(_Include)" DestinationFolder="$(opensslOutDir)\include\openssl" /> <Copy SourceFiles="@(_Include)" DestinationFolder="$(opensslOutDir)\include\openssl" />
</Target> </Target>

4
PCbuild/python.props
View file

@ -81,8 +81,8 @@
<libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir> <libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir>
<libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir> <libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir>
<mpdecimalDir Condition="$(mpdecimalDir) == ''">$(ExternalsDir)\mpdecimal-4.0.0\</mpdecimalDir> <mpdecimalDir Condition="$(mpdecimalDir) == ''">$(ExternalsDir)\mpdecimal-4.0.0\</mpdecimalDir>
<opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-3.0.15\</opensslDir> <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-3.0.16\</opensslDir>
<opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-3.0.15\$(ArchName)\</opensslOutDir> <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-3.0.16.1\$(ArchName)\</opensslOutDir>
<opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir> <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
<nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir> <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
<zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.3.1\</zlibDir> <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.3.1\</zlibDir>