gh-135401: Test AWS-LC as a cryptography library in CI (GH-135402)

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Zachary Ware <zach@python.org>
This commit is contained in:
Will Childs-Klein
2025-07-11 18:24:11 -04:00
committed by GitHub
parent 7f1e66ae0e
commit db47f4d844
6 changed files with 147 additions and 33 deletions


@@ -260,7 +260,7 @@ jobs:
free-threading: ${{ matrix.free-threading }} free-threading: ${{ matrix.free-threading }}
os: ${{ matrix.os }} os: ${{ matrix.os }}
build-ubuntu-ssltests: build-ubuntu-ssltests-openssl:
name: 'Ubuntu SSL tests with OpenSSL' name: 'Ubuntu SSL tests with OpenSSL'
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
timeout-minutes: 60 timeout-minutes: 60
@@ -322,6 +322,81 @@ jobs:
- name: SSL tests - name: SSL tests
run: ./python Lib/test/ssltests.py run: ./python Lib/test/ssltests.py
build-ubuntu-ssltests-awslc:
name: 'Ubuntu SSL tests with AWS-LC'
runs-on: ${{ matrix.os }}
timeout-minutes: 60
needs: build-context
if: needs.build-context.outputs.run-tests == 'true'
strategy:
fail-fast: false
matrix:
os: [ubuntu-24.04]
awslc_ver: [1.55.0]
env:
AWSLC_VER: ${{ matrix.awslc_ver}}
MULTISSL_DIR: ${{ github.workspace }}/multissl
OPENSSL_DIR: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }}
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }}/lib
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV"
- name: Restore config.cache
uses: actions/cache@v4
with:
path: config.cache
key: ${{ github.job }}-${{ env.IMAGE_OS_VERSION }}-${{ needs.build-context.outputs.config-hash }}
- name: Register gcc problem matcher
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
- name: Install dependencies
run: sudo ./.github/workflows/posix-deps-apt.sh
- name: Configure SSL lib env vars
run: |
echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}" >> "$GITHUB_ENV"
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}/lib" >> "$GITHUB_ENV"
- name: 'Restore AWS-LC build'
id: cache-aws-lc
uses: actions/cache@v4
with:
path: ./multissl/aws-lc/${{ matrix.awslc_ver }}
key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }}
- name: Install AWS-LC
if: steps.cache-aws-lc.outputs.cache-hit != 'true'
run: |
python3 Tools/ssl/multissltests.py \
--steps=library \
--base-directory "$MULTISSL_DIR" \
--awslc ${{ matrix.awslc_ver }} \
--system Linux
- name: Add ccache to PATH
run: |
echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
- name: Configure ccache action
uses: hendrikmuhs/ccache-action@v1.2
with:
save: false
- name: Configure CPython
run: |
./configure CFLAGS="-fdiagnostics-format=json" \
--config-cache \
--enable-slower-safety \
--with-pydebug \
--with-openssl="$OPENSSL_DIR" \
--with-builtin-hashlib-hashes=blake2 \
--with-ssl-default-suites=openssl
- name: Build CPython
run: make -j
- name: Display build info
run: make pythoninfo
- name: Verify python is linked to AWS-LC
run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC
- name: SSL tests
run: ./python Lib/test/ssltests.py
build-wasi: build-wasi:
name: 'WASI' name: 'WASI'
needs: build-context needs: build-context
@@ -628,7 +703,8 @@ jobs:
- build-windows-msi - build-windows-msi
- build-macos - build-macos
- build-ubuntu - build-ubuntu
- build-ubuntu-ssltests - build-ubuntu-ssltests-awslc
- build-ubuntu-ssltests-openssl
- build-wasi - build-wasi
- test-hypothesis - test-hypothesis
- build-asan - build-asan
@@ -643,7 +719,8 @@ jobs:
with: with:
allowed-failures: >- allowed-failures: >-
build-windows-msi, build-windows-msi,
build-ubuntu-ssltests, build-ubuntu-ssltests-awslc,
build-ubuntu-ssltests-openssl,
test-hypothesis, test-hypothesis,
cifuzz, cifuzz,
allowed-skips: >- allowed-skips: >-
@@ -661,7 +738,8 @@ jobs:
check-generated-files, check-generated-files,
build-macos, build-macos,
build-ubuntu, build-ubuntu,
build-ubuntu-ssltests, build-ubuntu-ssltests-awslc,
build-ubuntu-ssltests-openssl,
build-wasi, build-wasi,
test-hypothesis, test-hypothesis,
build-asan, build-asan,
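Review bot: The `Install AWS-LC` step at L75 splices `${{ matrix.awslc_ver }}` directly into the `run:` shell text although the same value is already exported as `AWSLC_VER` at L39; passing `--awslc "$AWSLC_VER" \` keeps workflow expressions out of the script, which is the usual hardening against expression injection even when, as here, the value comes from a fixed matrix. L39 is also missing the space before the closing braces and should read `AWSLC_VER: ${{ matrix.awslc_ver }}`. The "Configure SSL lib env vars" step at L58–L62 re-exports the three variables that the job-level `env:` at L38–L42 already sets to the same paths, so one of the two is redundant unless the OpenSSL job, whose body lies outside this hunk, relies on the same pattern for a reason. Quoting the matrix entry at L37 as `awslc_ver: ["1.55.0"]` would also keep it a string should a future version ever look numeric.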


@@ -5,6 +5,7 @@ apt-get -yq install \
build-essential \ build-essential \
pkg-config \ pkg-config \
ccache \ ccache \
cmake \
gdb \ gdb \
lcov \ lcov \
libb2-dev \ libb2-dev \


@@ -0,0 +1 @@
Add a new GitHub CI job to test the :mod:`ssl` module with `AWS-LC <https://github.com/aws/aws-lc>`_ as the backing cryptography and TLS library.


@@ -1,12 +1,12 @@
#!./python #!./python
"""Run Python tests against multiple installations of OpenSSL and LibreSSL """Run Python tests against multiple installations of cryptography libraries
The script The script
(1) downloads OpenSSL / LibreSSL tar bundle (1) downloads the tar bundle
(2) extracts it to ./src (2) extracts it to ./src
(3) compiles OpenSSL / LibreSSL (3) compiles the relevant library
(4) installs OpenSSL / LibreSSL into ../multissl/$LIB/$VERSION/ (4) installs that library into ../multissl/$LIB/$VERSION/
(5) forces a recompilation of Python modules using the (5) forces a recompilation of Python modules using the
header and library files from ../multissl/$LIB/$VERSION/ header and library files from ../multissl/$LIB/$VERSION/
(6) runs Python's test suite (6) runs Python's test suite
@@ -61,6 +61,10 @@ LIBRESSL_OLD_VERSIONS = [
LIBRESSL_RECENT_VERSIONS = [ LIBRESSL_RECENT_VERSIONS = [
] ]
AWSLC_RECENT_VERSIONS = [
"1.55.0",
]
# store files in ../multissl # store files in ../multissl
HERE = os.path.dirname(os.path.abspath(__file__)) HERE = os.path.dirname(os.path.abspath(__file__))
PYTHONROOT = os.path.abspath(os.path.join(HERE, '..', '..')) PYTHONROOT = os.path.abspath(os.path.join(HERE, '..', '..'))
@@ -70,9 +74,9 @@ MULTISSL_DIR = os.path.abspath(os.path.join(PYTHONROOT, '..', 'multissl'))
parser = argparse.ArgumentParser( parser = argparse.ArgumentParser(
prog='multissl', prog='multissl',
description=( description=(
"Run CPython tests with multiple OpenSSL and LibreSSL " "Run CPython tests with multiple cryptography libraries"
"versions." "versions."
) ),
) )
parser.add_argument( parser.add_argument(
'--debug', '--debug',
@@ -102,6 +106,14 @@ parser.add_argument(
"OpenSSL and LibreSSL versions are given." "OpenSSL and LibreSSL versions are given."
).format(LIBRESSL_RECENT_VERSIONS, LIBRESSL_OLD_VERSIONS) ).format(LIBRESSL_RECENT_VERSIONS, LIBRESSL_OLD_VERSIONS)
) )
parser.add_argument(
'--awslc',
nargs='+',
default=(),
help=(
"AWS-LC versions, defaults to '{}' if no crypto library versions are given."
).format(AWSLC_RECENT_VERSIONS)
)
parser.add_argument( parser.add_argument(
'--tests', '--tests',
nargs='*', nargs='*',
@@ -111,7 +123,7 @@ parser.add_argument(
parser.add_argument( parser.add_argument(
'--base-directory', '--base-directory',
default=MULTISSL_DIR, default=MULTISSL_DIR,
help="Base directory for OpenSSL / LibreSSL sources and builds." help="Base directory for crypto library sources and builds."
) )
parser.add_argument( parser.add_argument(
'--no-network', '--no-network',
@@ -124,8 +136,8 @@ parser.add_argument(
choices=['library', 'modules', 'tests'], choices=['library', 'modules', 'tests'],
default='tests', default='tests',
help=( help=(
"Which steps to perform. 'library' downloads and compiles OpenSSL " "Which steps to perform. 'library' downloads and compiles a crypto"
"or LibreSSL. 'module' also compiles Python modules. 'tests' builds " "library. 'module' also compiles Python modules. 'tests' builds "
"all and runs the test suite." "all and runs the test suite."
) )
) )
@@ -453,6 +465,34 @@ class BuildLibreSSL(AbstractBuilder):
build_template = "libressl-{}" build_template = "libressl-{}"
class BuildAWSLC(AbstractBuilder):
library = "AWS-LC"
url_templates = (
"https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz",
)
src_template = "aws-lc-{}.tar.gz"
build_template = "aws-lc-{}"
def _build_src(self, config_args=()):
cwd = self.build_dir
log.info("Running build in {}".format(cwd))
env = os.environ.copy()
env["LD_RUN_PATH"] = self.lib_dir # set rpath
if self.system:
env['SYSTEM'] = self.system
cmd = [
"cmake",
"-DCMAKE_BUILD_TYPE=RelWithDebInfo",
"-DCMAKE_PREFIX_PATH={}".format(self.install_dir),
"-DCMAKE_INSTALL_PREFIX={}".format(self.install_dir),
"-DBUILD_SHARED_LIBS=ON",
"-DBUILD_TESTING=OFF",
"-DFIPS=OFF",
]
self._subprocess_call(cmd, cwd=cwd, env=env)
self._subprocess_call(["make", "-j{}".format(self.jobs)], cwd=cwd, env=env)
def configure_make(): def configure_make():
if not os.path.isfile('Makefile'): if not os.path.isfile('Makefile'):
log.info('Running ./configure') log.info('Running ./configure')
@@ -467,9 +507,10 @@ def configure_make():
def main(): def main():
args = parser.parse_args() args = parser.parse_args()
if not args.openssl and not args.libressl: if not args.openssl and not args.libressl and not args.awslc:
args.openssl = list(OPENSSL_RECENT_VERSIONS) args.openssl = list(OPENSSL_RECENT_VERSIONS)
args.libressl = list(LIBRESSL_RECENT_VERSIONS) args.libressl = list(LIBRESSL_RECENT_VERSIONS)
args.awslc = list(AWSLC_RECENT_VERSIONS)
if not args.disable_ancient: if not args.disable_ancient:
args.openssl.extend(OPENSSL_OLD_VERSIONS) args.openssl.extend(OPENSSL_OLD_VERSIONS)
args.libressl.extend(LIBRESSL_OLD_VERSIONS) args.libressl.extend(LIBRESSL_OLD_VERSIONS)
@@ -496,22 +537,15 @@ def main():
# download and register builder # download and register builder
builds = [] builds = []
for build_class, versions in [
for version in args.openssl: (BuildOpenSSL, args.openssl),
build = BuildOpenSSL( (BuildLibreSSL, args.libressl),
version, (BuildAWSLC, args.awslc),
args ]:
) for version in versions:
build.install() build = build_class(version, args)
builds.append(build) build.install()
builds.append(build)
for version in args.libressl:
build = BuildLibreSSL(
version,
args
)
build.install()
builds.append(build)
if args.steps in {'modules', 'tests'}: if args.steps in {'modules', 'tests'}:
for build in builds: for build in builds:
@@ -539,7 +573,7 @@ def main():
else: else:
print('Executed all SSL tests.') print('Executed all SSL tests.')
print('OpenSSL / LibreSSL versions:') print('OpenSSL / LibreSSL / AWS-LC versions:')
for build in builds: for build in builds:
print(" * {0.library} {0.version}".format(build)) print(" * {0.library} {0.version}".format(build))
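Review bot: The reworded parser description at L174–L176 loses the space between its two adjacent string literals, so the rendered help reads `cryptography librariesversions.`; the first literal should end with a space, `"Run CPython tests with multiple cryptography libraries "`. The `--steps` help at L207–L208 has the same problem (`a cryptolibrary.`) and wants `"Which steps to perform. 'library' downloads and compiles a crypto "`. `BuildAWSLC` at L214 and its `_build_src` carry no docstring; a one-line class docstring such as `"""Build AWS-LC from a GitHub release tarball with CMake (shared libs, tests and FIPS off)."""` would help. As far as this hunk shows, the tarball named by `url_templates` is fetched without any digest pin; if `AbstractBuilder`, which lies outside the hunk, does not verify one either, a per-version checksum is worth considering for a library the SSL test job links against.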

configure generated vendored

@@ -30848,8 +30848,8 @@ main (void)
OBJ_nid2sn(NID_md5); OBJ_nid2sn(NID_md5);
OBJ_nid2sn(NID_sha1); OBJ_nid2sn(NID_sha1);
OBJ_nid2sn(NID_sha512);
OBJ_nid2sn(NID_sha3_512); OBJ_nid2sn(NID_sha3_512);
OBJ_nid2sn(NID_blake2b512);
EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
; ;


@@ -7529,8 +7529,8 @@ WITH_SAVE_ENV([
], [ ], [
OBJ_nid2sn(NID_md5); OBJ_nid2sn(NID_md5);
OBJ_nid2sn(NID_sha1); OBJ_nid2sn(NID_sha1);
OBJ_nid2sn(NID_sha512);
OBJ_nid2sn(NID_sha3_512); OBJ_nid2sn(NID_sha3_512);
OBJ_nid2sn(NID_blake2b512);
EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
])], [ac_cv_working_openssl_hashlib=yes], [ac_cv_working_openssl_hashlib=no]) ])], [ac_cv_working_openssl_hashlib=yes], [ac_cv_working_openssl_hashlib=no])
]) ])
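Review bot: The hashlib probe changes which NIDs it asserts — `NID_sha512` and `NID_blake2b512` swap in and out at L299/L301 — and if, as the CI job's new `--with-builtin-hashlib-hashes=blake2` flag at L91 suggests, it is `NID_blake2b512` that is dropped, `configure` will now accept a crypto library without BLAKE2 and `_hashlib` will be built without it unless the builtin implementation is enabled. That is a behaviour change that users building against such a library will not see, so it deserves an in-place comment, e.g. `dnl NID_blake2b512 is deliberately not probed: not every supported library provides BLAKE2; use --with-builtin-hashlib-hashes=blake2 there.` The enclosing `WITH_SAVE_ENV` block starts outside the hunk, and the same edit is mirrored in the generated `configure` at L284–L291.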