OpenSSL / zlib security updates. (#163)

* Updated zlib sources to version 1.2.12.

* Updated zlib version to build.

* Updated OpenSSL 1.1.1 sources to version 1.1.1m.

* Updated OpenSSL 1.0.2 sources to version 1.0.2v-chevah4.

* Updated OpenSSL versions to build and test for.

* Ignore safety warning for click, it's only used for testing.

* Build win32 package on Windows Server 2019 from now on.

* Bring over brink.sh updates from server repo.

* Also bring over brink.conf updates from server repo.

* Updated libffi sources to version 3.4.2.

* Updated libffi versions to build.

* Skip OpenSSL tests on arm64 for now.

* Removed AIX workaround for installing libffi.

* Try building libffi with no workarounds.

* Give macOS 11 a try.

* Back to building on macOS 10.15.

Author: dumol

.github/workflows/bare.yaml

@@ -167,7 +167,7 @@ jobs:
       # Workflow won't be cancelled at the first failed job.
       fail-fast: false
       matrix:
-        runs-on: [ windows-2019, windows-2016 ]
+        runs-on: [ windows-2022, windows-2019 ]
     timeout-minutes: 60
     steps:
     # Add packages needed to build OpenSSL, cryptography, etc.

brink.conf

@@ -1,11 +1,11 @@
-BASE_REQUIREMENTS='pip==20.2.4 chevah-brink==0.79.0 paver==1.2.4'
-PYTHON_CONFIGURATION='default@2.7.18.ad5a0e1'
+BASE_REQUIREMENTS='pip==20.3.4chevah chevah-brink==0.79.0 paver==1.2.4'
+PYTHON_CONFIGURATION='default@2.7.18.241e9fe'
 # For production packages there are 2 options:
 BINARY_DIST_URI='https://github.com/chevah/python-package/releases/download'
 #BINARY_DIST_URI='https://bin.chevah.com:20443/production'
 # For testing packages, make sure this one is the last uncommented instance:
 #BINARY_DIST_URI='https://bin.chevah.com:20443/testing'
-PIP_INDEX='https://bin.chevah.com:20443/pypi/simple'
+PIP_INDEX_URL='https://bin.chevah.com:20443/pypi/simple'
 
 # There are 2 build directories used in this repo:
 #   * 'build' is a sub-dir used for building libffi / OpenSSL / Python / etc.

brink.sh

@@ -87,7 +87,7 @@ PYTHON_VERSION='not.defined.yet'
 PYTHON_PLATFORM='unknown-os-and-arch'
 PYTHON_NAME='python2.7'
 BINARY_DIST_URI='https://github.com/chevah/python-package/releases/download'
-PIP_INDEX='https://pypi.org/simple'
+PIP_INDEX_URL='https://pypi.org/simple'
 BASE_REQUIREMENTS=''
 
 #
@@ -258,6 +258,7 @@ update_path_variables() {
     export CHEVAH_OS=${OS}
     export CHEVAH_ARCH=${ARCH}
     export CHEVAH_CACHE=${CACHE_FOLDER}
+    export PIP_INDEX_URL=${PIP_INDEX_URL}
 
 }
 
@@ -315,8 +316,8 @@ pip_install() {
     ${PYTHON_BIN} -m \
         pip install \
             --trusted-host bin.chevah.com \
-            --trusted-host deag.chevah.com \
-            --index-url=$PIP_INDEX \
+            --trusted-host pypi-internal.chevah.com \
+            --index-url=$PIP_INDEX_URL \
             --build=${BUILD_FOLDER}/pip-build \
             $1
 
@@ -811,11 +812,11 @@ detect_os() {
             ARCH="x64"
             case "$OS" in
                 win)
-                    # 32bit build on Windows 2016, 64bit otherwise.
+                    # 32bit build on Windows 2019, 64bit otherwise.
                     # Should work with a l10n pack too (tested with French).
                     win_ver=$(systeminfo.exe | head -n 3 | tail -n 1 \
                         | cut -d ":" -f 2)
-                    if [[ "$win_ver" =~ "Microsoft Windows Server 2016" ]]; then
+                    if [[ "$win_ver" =~ "Microsoft Windows Server 2019" ]]; then
                         ARCH="x86"
                     fi
                     ;;

chevah_build

@@ -11,13 +11,13 @@ set -o errexit
 set -o pipefail
 
 PYTHON_BUILD_VERSION="2.7.18"
-LIBFFI_VERSION="3.2.1"
-ZLIB_VERSION="1.2.11"
+LIBFFI_VERSION="3.4.2"
+ZLIB_VERSION="1.2.12"
 BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1m"
+OPENSSL_VERSION="1.1.1n"
 SQLITE_VERSION="3.37.2"
 
 # Python modules versions to be used everywhere possible.
@@ -33,8 +33,8 @@ PYOPENSSL_VERSION="21.0.0"
 # Backported fix for https://github.com/pypa/pip/issues/9827
 # at https://github.com/chevah/pip/tree/20.3.4chevah.
 PIP_VERSION="20.3.4chevah1"
-# For pip <21.1.
-SAFETY_IGNORED_OPTS="-i 40291"
+# For pip <21.1 and click <8.0.0.
+SAFETY_IGNORED_OPTS="-i 40291 -i 47833"
 # setuptools 44.x is the last series to support Python 2.7.
 # More at https://github.com/pypa/setuptools/pull/1955.
 SETUPTOOLS_VERSION="44.1.1"
@@ -196,7 +196,7 @@ case $OS in
         # As of January 2021, OpenSSL 1.0.2u is the latest version from IBM.
         export BUILD_OPENSSL="yes"
         # 1.1.1 tests fail on AIX, use 1.0.2 with patches from Ubuntu 16.04 LTS.
-        OPENSSL_VERSION="1.0.2v-chevah3"
+        OPENSSL_VERSION="1.0.2v-chevah4"
         # Perl's Test::Simple and its deps are required for building OpenSSL.
         execute perl -MTest::Simple -e 1
         # cryptography 3.2.x, last version to support OpenSSL 1.0.2.

python-modules/chevah-python-test/test_python_binary_dist.py

@@ -504,10 +504,10 @@ def main():
         openssl_version = backend.openssl_version_text()
         if CHEVAH_OS.startswith(("win", "lnx", "macos", "aix")):
             # On some OS'es we build against our own OpenSSL.
-            expecting = u'OpenSSL 1.1.1m  14 Dec 2021'
+            expecting = u'OpenSSL 1.1.1n  15 Mar 2022'
             if CHEVAH_OS.startswith("aix"):
                 # On AIX we are stuck with a patched 1.0.2.
-                expecting = u'OpenSSL 1.0.2v-chevah3  15 Sep 2021'
+                expecting = u'OpenSSL 1.0.2v-chevah4  06 Apr 2022'
             if openssl_version != expecting:
                 sys.stderr.write('Expecting %s, got %s.\n' % (
                     expecting, openssl_version))

src/libffi/chevahbs

@@ -2,8 +2,7 @@
 #
 # Chevah Build Script for libffi.
 #
-# For now it is supported only on AIX, Solaris and ArchLinux.
-#
+
 # Import shared code.
 . ./functions.sh
 
@@ -21,30 +20,7 @@ chevahbs_compile() {
 
 chevahbs_install() {
     install_folder=$1
-
-    # Installing fails on some OS'es.
-    # Following workarounds should cover all 32/64bit cases for all arches.
-    case $OS in
-        aix*)
-            execute ln -s ../install-sh powerpc-ibm-aix"$(oslevel)"/install-sh
-            ;;
-    esac
-
     execute $MAKE install DESTDIR=$INSTALL_FOLDER
-
-    if [ -z "$(ls -A $INSTALL_FOLDER/include)" ]; then
-        # 3.2.1 installs its headers in $PREFIX/lib/libffi-$VERSION/include,
-        # instead of $PREFIX/include, so we move them to the default location.
-        execute mkdir -p $INSTALL_FOLDER/include
-        execute mv $INSTALL_FOLDER/lib*/libffi-*/include/* \
-            $INSTALL_FOLDER/include/
-        execute rm -rf libffi-*
-        # On some systems libffi is installed in lib64/ and then cffi is
-        # searching for it in lib/ (this affects RHEL 5-7 and SLES 11-12).
-        if [ -d $INSTALL_FOLDER/lib64 ]; then
-            execute cp $INSTALL_FOLDER/lib64/* $INSTALL_FOLDER/lib/
-        fi
-    fi
 }