OpenSSL 3.0.0: Test with latest OpenSSL versions

* 1.0.2u (EOL)
* 1.1.0l (EOL)
* 1.1.1g
* 3.0.0-alpha2 (disabled for now)

Build the FIPS provider and create a FIPS configuration file for
OpenSSL 3.0.0.

(cherry picked from commit gh#python/cpython@5e6b491)

Fixes: bpo-40479
From-PR: gh#python/cpython!20108
Patch: openssl-300-test-with-latest-openssl.patch
Released-in: 3.7.8
Signed-off-by: Christian Heimes <[email protected]>

Author: miss-islington

Misc/NEWS.d/next/Tools-Demos/2020-05-15-17-48-25.bpo-40479.B1gBl-.rst

@@ -0,0 +1,2 @@
+Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1,
+and 3.0.0-alpha.

Tools/ssl/multissltests.py

@@ -43,14 +43,13 @@
 OPENSSL_OLD_VERSIONS = [
     "0.9.8zh",
     "1.0.1u",
-    "1.0.2",
 ]
 
 OPENSSL_RECENT_VERSIONS = [
-    "1.0.2p",
-    "1.1.0i",
-    "1.1.1k",
-    "3.0.3",
+    "1.0.2u",
+    "1.1.0l",
+    "1.1.1g",
+    # "3.0.0-alpha2"
 ]
 
 LIBRESSL_OLD_VERSIONS = [
@@ -148,6 +147,23 @@
     help="Keep original sources for debugging."
 )
 
+OPENSSL_FIPS_CNF = """\
+openssl_conf = openssl_init
+
+.include {self.install_dir}/ssl/fipsinstall.cnf
+# .include {self.install_dir}/ssl/openssl.cnf
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+fips = fips_sect
+default = default_sect
+
+[default_sect]
+activate = 1
+"""
+
 
 class AbstractBuilder(object):
     library = None
@@ -296,9 +312,13 @@ def _make_install(self):
             ["make", "-j1", self.install_target],
             cwd=self.build_dir
         )
+        self._post_install()
         if not self.args.keep_sources:
             shutil.rmtree(self.build_dir)
 
+    def _post_install(self):
+        pass
+
     def install(self):
         log.info(self.openssl_cli)
         if not self.has_openssl or self.args.force:
@@ -370,6 +390,40 @@ class BuildOpenSSL(AbstractBuilder):
     # only install software, skip docs
     install_target = 'install_sw'
 
+    def _post_install(self):
+        if self.version.startswith("3.0"):
+            self._post_install_300()
+
+    def _post_install_300(self):
+        # create ssl/ subdir with example configs
+        self._subprocess_call(
+            ["make", "-j1", "install_ssldirs"],
+            cwd=self.build_dir
+        )
+        # Install FIPS module
+        # https://wiki.openssl.org/index.php/OpenSSL_3.0#Completing_the_installation_of_the_FIPS_Module
+        fipsinstall_cnf = os.path.join(
+            self.install_dir, "ssl", "fipsinstall.cnf"
+        )
+        openssl_fips_cnf = os.path.join(
+            self.install_dir, "ssl", "openssl-fips.cnf"
+        )
+        fips_mod = os.path.join(self.lib_dir, "ossl-modules/fips.so")
+        self._subprocess_call(
+            [
+                self.openssl_cli, "fipsinstall",
+                "-out", fipsinstall_cnf,
+                "-module", fips_mod,
+                "-provider_name", "fips",
+                "-mac_name", "HMAC",
+                "-macopt", "digest:SHA256",
+                "-macopt", "hexkey:00",
+                "-section_name", "fips_sect"
+            ]
+        )
+        with open(openssl_fips_cnf, "w") as f:
+            f.write(OPENSSL_FIPS_CNF.format(self=self))
+
 
 class BuildLibreSSL(AbstractBuilder):
     library = "LibreSSL"