unix: remove support for building with LibreSSL

Python 3.10 goes all in on requiring OpenSSL 1.1.1 and it requires some
patches to build with LibreSSL due to newer functionality from 1.1.1 not
yet present in LibreSSL.

The main reason we introduced support for LibreSSL in the first place
was because we couldn't get an older version to compile against musl
libc. It appears the latest OpenSSL now compiles fine.

We were only using LibreSSL on the musl builds: everything else was
using OpenSSL. (Way back when we shipped LibreSSL as the default SSL
implementation but reverted this when it was clear CPython really
wanted OpenSSL.)

So the practical impact of this change is musl libc distributions
switch from LibreSSL to OpenSSL.

Author: indygreg

.github/workflows/linux.yml

@@ -298,13 +298,7 @@ jobs:
 
       - name: Build
         run: |
-          if [ "${{ matrix.build.target_triple }}" = "x86_64-unknown-linux-musl" ]; then
-            EXTRA_ARGS=--libressl
-          else
-            EXTRA_ARGS=
-          fi
-
-          ./build-linux.py --skip-toolchain --target-triple ${{ matrix.build.target_triple }} --python ${{ matrix.build.py }} --optimizations ${{ matrix.build.optimizations }} ${EXTRA_ARGS}
+          ./build-linux.py --skip-toolchain --target-triple ${{ matrix.build.target_triple }} --python ${{ matrix.build.py }} --optimizations ${{ matrix.build.optimizations }}
 
       - name: Validate Distribution
         run: |

LICENSE.libressl.txt

@@ -184,9 +184,6 @@ LIBEDIT_DEPENDS = \
 $(OUTDIR)/libedit-$(LIBEDIT_VERSION)-$(PACKAGE_SUFFIX).tar: $(LIBEDIT_DEPENDS)
 	$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) libedit
 
-$(OUTDIR)/libressl-$(LIBRESSL_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-libressl.sh
-	$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) libressl
-
 $(OUTDIR)/patchelf-$(PATCHELF_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-patchelf.sh
 	$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) patchelf
 
@@ -258,7 +255,6 @@ PYTHON_DEPENDS := \
     $(if $(NEED_GETTEXT),$(OUTDIR)/gettext-$(GETTEXT_VERSION)-$(PACKAGE_SUFFIX).tar) \
     $(if $(NEED_LIBEDIT),$(OUTDIR)/libedit-$(LIBEDIT_VERSION)-$(PACKAGE_SUFFIX).tar) \
     $(if $(NEED_LIBFFI),$(OUTDIR)/libffi-$(LIBFFI_VERSION)-$(PACKAGE_SUFFIX).tar) \
-    $(if $(NEED_LIBRESSL),$(OUTDIR)/libressl-$(LIBRESSL_VERSION)-$(PACKAGE_SUFFIX).tar) \
     $(if $(NEED_NCURSES),$(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar) \
     $(if $(NEED_OPENSSL),$(OUTDIR)/openssl-$(OPENSSL_VERSION)-$(PACKAGE_SUFFIX).tar) \
     $(if $(NEED_PATCHELF),$(OUTDIR)/patchelf-$(PATCHELF_VERSION)-$(PACKAGE_SUFFIX).tar) \

cpython-unix/Makefile

@@ -536,27 +536,6 @@ EOF
 sed s/__APPLE__/USE_LIBEDIT/g Modules/readline-libedit.c > tmp
 mv tmp Modules/readline-libedit.c
 
-# Modules/_hashopenssl.c redefines some libcrypto symbols on Python 3.9 and
-# this makes the linker unhappy. So rename the symbols to work around.
-# https://bugs.python.org/issue41949.
-if [ "${PYTHON_MAJMIN_VERSION}" = "3.9" ]; then
-    patch -p1 <<EOF
-diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index adc8653773..fc9070fc21 100644
---- a/Modules/_hashopenssl.c
-+++ b/Modules/_hashopenssl.c
-@@ -32,7 +32,7 @@
- #  error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
- #endif
-
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- /* OpenSSL < 1.1.0 */
- #define EVP_MD_CTX_new EVP_MD_CTX_create
- #define EVP_MD_CTX_free EVP_MD_CTX_destroy
-EOF
-fi
-
 # iOS doesn't have system(). Teach posixmodule.c about that.
 if [ "${PYTHON_MAJMIN_VERSION}" != "3.8" ]; then
     patch -p1 <<EOF

cpython-unix/build-cpython.sh

@@ -58,10 +58,6 @@ def main():
         default="noopt",
         help="Optimizations to apply when compiling Python",
     )
-
-    parser.add_argument(
-        "--libressl", action="store_true", help="Build LibreSSL instead of OpenSSL"
-    )
     parser.add_argument(
         "--python",
         choices={"cpython-3.8", "cpython-3.9", "cpython-3.10"},
@@ -113,8 +109,6 @@ def main():
     env["PYBUILD_HOST_PLATFORM"] = host_platform
     env["PYBUILD_TARGET_TRIPLE"] = target_triple
     env["PYBUILD_OPTIMIZATIONS"] = args.optimizations
-    if args.libressl or musl:
-        env["PYBUILD_LIBRESSL"] = "1"
     if musl:
         env["PYBUILD_MUSL"] = "1"
     if args.break_on_failure:

cpython-unix/build-libressl.sh

@@ -499,7 +499,6 @@ def python_build_info(
     config_c_in,
     setup_dist,
     setup_local,
-    libressl=False,
 ):
     """Obtain build metadata for the Python distribution."""
 
@@ -626,12 +625,7 @@ def process_setup_line(line, variant=None):
             "variant": d["variant"],
         }
 
-        if libressl:
-            ignore_keys = {"openssl"}
-        else:
-            ignore_keys = {"libressl"}
-
-        add_licenses_to_extension_entry(entry, ignore_keys=ignore_keys)
+        add_licenses_to_extension_entry(entry)
 
         bi["extensions"].setdefault(extension, []).append(entry)
 
@@ -713,7 +707,6 @@ def build_cpython(
     target_triple,
     optimizations,
     dest_archive,
-    libressl=False,
     version=None,
 ):
     """Build CPython in a Docker image'"""
@@ -867,7 +860,6 @@ def build_cpython(
                 config_c_in,
                 setup_dist_content,
                 setup_local_content,
-                libressl=libressl,
             ),
             "licenses": entry["licenses"],
             "license_path": "licenses/LICENSE.cpython.txt",
@@ -1046,7 +1038,6 @@ def main():
             "kbproto",
             "libffi",
             "libpthread-stubs",
-            "libressl",
             "ncurses",
             "openssl",
             "patchelf",
@@ -1180,7 +1171,6 @@ def main():
                 target_triple=target_triple,
                 optimizations=optimizations,
                 dest_archive=dest_archive,
-                libressl="PYBUILD_LIBRESSL" in os.environ,
                 version=action.split("-")[1],
             )