diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile index 7e5641458..577f44fd0 100644 --- a/cpython-unix/Makefile +++ b/cpython-unix/Makefile @@ -174,8 +174,8 @@ $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-1.1.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-1.1 -$(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh - $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0 +$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh + $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5 LIBEDIT_DEPENDS = \ $(PYTHON_DEP_DEPENDS) \ @@ -262,7 +262,7 @@ PYTHON_DEPENDS_$(1) := \ $$(if $$(NEED_MPDECIMAL),$$(OUTDIR)/mpdecimal-$$(MPDECIMAL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \ - $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \ + $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_TCL),$$(OUTDIR)/tcl-$$(TCL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ diff --git a/cpython-unix/build-openssl-3.0.sh b/cpython-unix/build-openssl-3.5.sh similarity index 76% rename from cpython-unix/build-openssl-3.0.sh rename to cpython-unix/build-openssl-3.5.sh index 1d1f91348..ea7d5c60b 100755 --- a/cpython-unix/build-openssl-3.0.sh +++ b/cpython-unix/build-openssl-3.5.sh 
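Review bot: The rule for `$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar` lists `$(HERE)/build-openssl-3.5.sh` as a prerequisite but not the new `patch-openssl-3.5-riscv-vlenb-register.patch`, which this commit makes an input of the riscv64 build. Unless `$(PYTHON_DEP_DEPENDS)` (defined outside the hunk) already covers it, editing the patch will not rebuild the archive, and a stale OpenSSL tarball can be reused. Consider appending `$(HERE)/patch-openssl-3.5-riscv-vlenb-register.patch` to the prerequisite list.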
@@ -9,9 +9,15 @@ ROOT=`pwd` export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH -tar -xf openssl-${OPENSSL_3_0_VERSION}.tar.gz +tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz -pushd openssl-${OPENSSL_3_0_VERSION} +pushd openssl-${OPENSSL_3_5_VERSION} + +# hardcode the vlenb CSR address (0xc22) as our GCC version doesn't know it +# https://github.com/riscv/riscv-isa-manual/blob/c001fa237cdd8b6079384044462a89eb0e3fd9cf/src/v-st-ext.adoc?plain=1#L74 +if [[ "${TARGET_TRIPLE}" = "riscv64-unknown-linux-gnu" ]]; then + patch -p1 -i "${ROOT}/patch-openssl-3.5-riscv-vlenb-register.patch" +fi # Otherwise it gets set to /tools/deps/ssl by default. case "${TARGET_TRIPLE}" in diff --git a/cpython-unix/build.cross-riscv64.Dockerfile b/cpython-unix/build.cross-riscv64.Dockerfile index 740a098b2..27106896b 100644 --- a/cpython-unix/build.cross-riscv64.Dockerfile +++ b/cpython-unix/build.cross-riscv64.Dockerfile @@ -48,6 +48,15 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-riscv64-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ diff --git a/cpython-unix/build.cross.Dockerfile b/cpython-unix/build.cross.Dockerfile index aa17d6c18..efef3b904 100644 --- a/cpython-unix/build.cross.Dockerfile +++ b/cpython-unix/build.cross.Dockerfile @@ -51,6 +51,14 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ diff --git a/cpython-unix/build.py b/cpython-unix/build.py index c5d73a1c0..1fbb019bd 100755 
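Review bot: The `patch -p1 -i ...` call in the riscv64 branch runs with patch's default fuzz, so if a later 3.5.x release changes the context around `riscv_vlen_asm`, the hunk may still apply at an offset or with fuzz instead of failing. For a change to OpenSSL's assembly generator a strict apply is safer: `patch -p1 --fuzz=0 -i "${ROOT}/patch-openssl-3.5-riscv-vlenb-register.patch"`. Whether the script aborts when the patch fails depends on shell options set above the hunk, which are not visible here.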
--- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -274,9 +274,13 @@ def simple_build( add_target_env(env, host_platform, target_triple, build_env) - if entry in ("openssl-1.1", "openssl-3.0"): + # for OpenSSL, set the OPENSSL_TARGET environment variable and copy in patches + if entry.startswith("openssl-"): settings = get_targets(TARGETS_CONFIG)[target_triple] env["OPENSSL_TARGET"] = settings["openssl_target"] + build_env.copy_file( + SUPPORT / "patch-openssl-3.5-riscv-vlenb-register.patch" + ) build_env.run("build-%s.sh" % entry, environment=env) @@ -1113,7 +1117,7 @@ def main(): "mpdecimal", "ncurses", "openssl-1.1", - "openssl-3.0", + "openssl-3.5", "patchelf", "sqlite", "tcl", diff --git a/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch new file mode 100644 index 000000000..dacedeef6 --- /dev/null +++ b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/riscv64cpuid.pl b/crypto/riscv64cpuid.pl +index 5dcdc5c584..7751ad50d9 100644 +--- a/crypto/riscv64cpuid.pl ++++ b/crypto/riscv64cpuid.pl +@@ -94,8 +94,8 @@ $code .= <<___; + .globl riscv_vlen_asm + .type riscv_vlen_asm,\@function + riscv_vlen_asm: +- csrr $ret, vlenb +- slli $ret, $ret, 3 ++ csrr a0, 0xc22 ++ slli a0, a0, 3 + ret + .size riscv_vlen_asm,.-riscv_vlen_asm + ___ diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml index 451b9840b..b1efbae97 100644 --- a/cpython-unix/targets.yml +++ b/cpython-unix/targets.yml @@ -102,7 +102,7 @@ aarch64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -149,7 +149,7 @@ aarch64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -190,7 +190,7 @@ aarch64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl 
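Review bot: The `build_env.copy_file(...)` call sits under `entry.startswith("openssl-")`, so the 3.5-specific riscv patch is now copied into every OpenSSL build environment, including `openssl-1.1`, whose build script has no visible reason to use it. Guarding the copy with `if entry == "openssl-3.5":` keeps each entry's build inputs minimal and makes the intent explicit. The prefix match also means any future `openssl-*` entry silently takes this branch, so the explicit tuple used before may be the safer condition. simple_build starts and ends outside the hunk.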
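Review bot: The patch rewrites `$ret` to a literal `a0` in both instructions, although the stated reason (the toolchain's GCC not knowing the `vlenb` CSR name) only requires replacing `vlenb` with `0xc22`. Keeping the generator's variable, `csrr $ret, 0xc22` and `slli $ret, $ret, 3`, would limit the divergence from upstream to one token and avoid hard-coding a register that is presumably defined earlier in riscv64cpuid.pl, outside the hunk. A one-line comment in the patched assembly naming the CSR, `# 0xc22 = vlenb`, would also help anyone auditing the vendored change.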
@@ -244,7 +244,7 @@ arm64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -279,7 +279,7 @@ armv7-unknown-linux-gnueabi: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -320,7 +320,7 @@ armv7-unknown-linux-gnueabihf: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -361,7 +361,7 @@ mips-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -402,7 +402,7 @@ mipsel-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -443,7 +443,7 @@ ppc64le-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -484,7 +484,7 @@ riscv64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -511,6 +511,9 @@ s390x-unknown-linux-gnu: host_cxx: /usr/bin/x86_64-linux-gnu-g++ target_cc: /usr/bin/s390x-linux-gnu-gcc target_cxx: /usr/bin/s390x-linux-gnu-g++ + target_cflags: + # set the minimum compatibility level to z10 (released 2008) + - '-march=z10' needs: - autoconf - bdb @@ -525,7 +528,7 @@ s390x-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -574,7 +577,7 @@ thumb7k-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -627,7 +630,7 @@ x86_64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -674,7 +677,7 @@ x86_64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -717,7 +720,7 @@ x86_64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -760,7 +763,7 @@ x86_64-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd 
@@ -799,7 +802,7 @@ x86_64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -846,7 +849,7 @@ x86_64_v2-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -893,7 +896,7 @@ x86_64_v3-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -940,7 +943,7 @@ x86_64_v4-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -985,7 +988,7 @@ x86_64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1030,7 +1033,7 @@ x86_64_v2-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1075,7 +1078,7 @@ x86_64_v3-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1120,7 +1123,7 @@ x86_64_v4-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1167,7 +1170,7 @@ aarch64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 5fce1abfb..26023247f 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -470,7 +470,7 @@ def hack_props( raise Exception("unhandled architecture: %s" % arch) try: - # CPython 3.11+ builds with OpenSSL 3.0 by default. + # CPython 3.11+ builds with OpenSSL 3.x by default. static_replace_in_file( openssl_props, b"<_DLLSuffix>-3", 
@@ -720,11 +720,11 @@ def build_openssl_for_arch( log("extracting %s to %s" % (openssl_archive, build_root)) extract_tar_to_directory(openssl_archive, build_root) log("extracting %s to %s" % (nasm_archive, build_root)) - extract_tar_to_directory(nasm_archive, build_root) + extract_zip_to_directory(nasm_archive, build_root) log("extracting %s to %s" % (jom_archive, build_root)) extract_zip_to_directory(jom_archive, build_root / "jom") - nasm_path = build_root / ("cpython-bin-deps-nasm-%s" % nasm_version) + nasm_path = build_root / ("nasm-%s" % nasm_version) jom_path = build_root / "jom" env = dict(os.environ) @@ -1874,7 +1874,7 @@ def main() -> None: if args.python in ("cpython-3.9", "cpython-3.10"): openssl_entry = "openssl-1.1" else: - openssl_entry = "openssl-3.0" + openssl_entry = "openssl-3.5" openssl_archive = BUILD / ( "%s-%s-%s.tar" % (openssl_entry, target_triple, build_options) diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index 4332d6806..1df70a45a 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py 
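Review bot: `extract_zip_to_directory(nasm_archive, build_root)` unpacks the upstream zip directly into `build_root`, and the new `nasm_path` assumes it produced a top-level `nasm-<version>` directory. The jom archive on the next line is instead extracted into its own `build_root / "jom"` subdirectory. If the archive layout ever differs, the failure would presumably surface later in the build rather than at extraction. A check right after the assignment, `if not nasm_path.is_dir(): raise Exception("nasm not found at %s" % nasm_path)`, would fail early with a clear message. build_openssl_for_arch continues outside the hunk.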
@@ -247,24 +247,21 @@ "licenses": ["OpenSSL"], "license_file": "LICENSE.openssl-1.1.txt", }, - # We use OpenSSL 3.0 because it is an LTS release and has a longer support - # window. If CPython ends up gaining support for 3.1+ releases, we can consider - # using the latest available. # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. - "openssl-3.0": { - "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz", - "size": 15334967, - "sha256": "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86", - "version": "3.0.16", + "openssl-3.5": { + "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz", + "size": 53180161, + "sha256": "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec", + "version": "3.5.2", "library_names": ["crypto", "ssl"], "licenses": ["Apache-2.0"], "license_file": "LICENSE.openssl-3.txt", }, "nasm-windows-bin": { - "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz", - "size": 384826, - "sha256": "8af0ae5ceed63fa8a2ded611d44cc341027a91df22aaaa071efedc81437412a5", - "version": "2.11.06", + "url": "https://www.nasm.us/pub/nasm/releasebuilds/2.16.03/win64/nasm-2.16.03-win64.zip", + "size": 513543, + "sha256": "3ee4782247bcb874378d02f7eab4e294a84d3d15f3f6ee2de2f47a46aa7226e6", + "version": "2.16.03", }, "patchelf": { "url": "https://github.com/NixOS/patchelf/releases/download/0.13.1/patchelf-0.13.1.tar.bz2", diff --git a/src/verify_distribution.py b/src/verify_distribution.py index 2a9abda1d..2c44c2568 100644 --- a/src/verify_distribution.py +++ b/src/verify_distribution.py 
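Review bot: The removed comment explained why 3.0 was chosen (LTS, longer support window), and the new `openssl-3.5` entry has no replacement rationale. A short comment such as `# We use OpenSSL 3.5 because it is an LTS release.` would keep the version policy visible for the next bump (confirm the LTS status against upstream's release policy). Separately, `nasm-windows-bin` now points at a prebuilt executable archive on nasm.us that is used during the Windows OpenSSL build, so the pinned `sha256` is the integrity control for that binary. A one-line comment recording where the digest was obtained would help reviewers of future bumps.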
@@ -147,12 +147,12 @@ def test_ssl(self): self.assertTrue(ssl.HAS_TLSv1_2) self.assertTrue(ssl.HAS_TLSv1_3) - # OpenSSL 1.1 on older CPython versions on Windows. 3.0 everywhere + # OpenSSL 1.1 on older CPython versions on Windows. 3.5 everywhere # else. if os.name == "nt" and sys.version_info[0:2] < (3, 11): wanted_version = (1, 1, 1, 23, 15) else: - wanted_version = (3, 0, 0, 16, 0) + wanted_version = (3, 5, 0, 2, 0) self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version)