From 57209feb97f438217f199c291dcbbd14bb0f4550 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:17:42 +0000 Subject: [PATCH 01/18] First cut, minimal testing --- .github/workflows/build.yml | 72 ++++++++++++++++++++++++++++- .github/workflows/posix-deps-apt.sh | 1 + Tools/ssl/multissltests.py | 69 +++++++++++++++++++++++---- 3 files changed, 131 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 54ebc914b46821..ae646d3e6a2b29 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -260,7 +260,7 @@ jobs: free-threading: ${{ matrix.free-threading }} os: ${{ matrix.os }} - build-ubuntu-ssltests: + build-ubuntu-ssltests-openssl: name: 'Ubuntu SSL tests with OpenSSL' runs-on: ${{ matrix.os }} timeout-minutes: 60 
@@ -322,6 +322,76 @@ jobs: - name: SSL tests run: ./python Lib/test/ssltests.py + build-ubuntu-ssltests-awslc: + name: 'Ubuntu SSL tests with AWS-LC' + runs-on: ${{ matrix.os }} + timeout-minutes: 60 + needs: build-context + if: needs.build-context.outputs.run-tests == 'true' + strategy: + fail-fast: false + matrix: + os: [ubuntu-24.04] + awslc_ver: [1.52.2] + env: + AWSLC_VER: ${{ matrix.awslc_ver}} + MULTISSL_DIR: ${{ github.workspace }}/multissl + OPENSSL_DIR: ${{ github.workspace }}/multissl/awslc/${{ matrix.awslc_ver }} + LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/awslc/${{ matrix.awslc_ver }}/lib + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Runner image version + run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV" + - name: Restore config.cache + uses: actions/cache@v4 + with: + path: config.cache + key: ${{ github.job }}-${{ env.IMAGE_OS_VERSION }}-${{ needs.build-context.outputs.config-hash }} + - name: Register gcc problem matcher + run: echo "::add-matcher::.github/problem-matchers/gcc.json" + - name: Install dependencies + run: sudo ./.github/workflows/posix-deps-apt.sh + - name: Configure SSL lib env vars + # TODO [childw] do we need to re-specify the env vars here after L330's configuration? + run: | + echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV" + echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}" >> "$GITHUB_ENV" + echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}/lib" >> "$GITHUB_ENV" + - name: 'Restore AWS-LC build' + id: cache-awslc + uses: actions/cache@v4 + with: + path: ./multissl/awslc/${{ matrix.awslc_ver }} + key: ${{ matrix.os }}-multissl-awslc-${{ matrix.awslc_ver }} + # TODO [childw] can we use env.* instead of env vars here? 
+ - name: Install AWS-LC + if: steps.cache-awslc.outputs.cache-hit != 'true' + run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --awslc ${{ matrix.awslc_ver }} --system Linux + - name: Add ccache to PATH + run: | + echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV" + - name: Configure ccache action + uses: hendrikmuhs/ccache-action@v1.2 + with: + save: false + - name: Configure CPython + run: | + ./configure CFLAGS="-fdiagnostics-format=json" + --config-cache + --enable-slower-safety + --with-pydebug + --with-openssl="$OPENSSL_DIR" + --with-builtin-hashlib-hashes=blake2 + --with-ssl-default-suites=openssl + - name: Build CPython + run: make -j + - name: Display build info + run: make pythoninfo + - name: SSL tests + run: ./python Lib/test/ssltests.py + build-wasi: name: 'WASI' needs: build-context diff --git a/.github/workflows/posix-deps-apt.sh b/.github/workflows/posix-deps-apt.sh index 7773222af5d26f..01cb78eaaa9897 100755 --- a/.github/workflows/posix-deps-apt.sh +++ b/.github/workflows/posix-deps-apt.sh @@ -5,6 +5,7 @@ apt-get -yq install \ build-essential \ pkg-config \ ccache \ + cmake \ gdb \ lcov \ libb2-dev \ diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index b1a5df91901fc6..348071386ddf66 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py 
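Review bot: The new `build-ubuntu-ssltests-awslc` job references a third-party action by a mutable tag, `uses: hendrikmuhs/ccache-action@v1.2`, so whatever that tag points to at run time executes inside the job. Pinning it to a full commit SHA, e.g. `uses: hendrikmuhs/ccache-action@<full-commit-sha>  # v1.2` (placeholder), removes the dependency on the tag staying put; other jobs in this workflow may use the same tag convention, in which case this is best handled file-wide. Separately, the Install AWS-LC step expands `${{ matrix.awslc_ver }}` directly into the shell line although the job already exports `AWSLC_VER`. Using `--awslc "$AWSLC_VER"` keeps workflow expressions out of the script text, which matters if the version ever stops being a literal in the matrix.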
@@ -1,12 +1,12 @@ #!./python -"""Run Python tests against multiple installations of OpenSSL and LibreSSL +"""Run Python tests against multiple installations of crypto libraries The script - (1) downloads OpenSSL / LibreSSL tar bundle + (1) downloads OpenSSL / LibreSSL / AWS-LC tar bundle (2) extracts it to ./src - (3) compiles OpenSSL / LibreSSL - (4) installs OpenSSL / LibreSSL into ../multissl/$LIB/$VERSION/ + (3) compiles OpenSSL / LibreSSL / AWS-LC + (4) installs the crypto library into ../multissl/$LIB/$VERSION/ (5) forces a recompilation of Python modules using the header and library files from ../multissl/$LIB/$VERSION/ (6) runs Python's test suite @@ -61,6 +61,10 @@ LIBRESSL_RECENT_VERSIONS = [ ] +AWSLC_RECENT_VERSIONS = [ + "1.52.2", +] + # store files in ../multissl HERE = os.path.dirname(os.path.abspath(__file__)) PYTHONROOT = os.path.abspath(os.path.join(HERE, '..', '..')) @@ -70,7 +74,7 @@ parser = argparse.ArgumentParser( prog='multissl', description=( - "Run CPython tests with multiple OpenSSL and LibreSSL " + "Run CPython tests with multiple crypto libraries" "versions." ) ) @@ -102,6 +106,14 @@ "OpenSSL and LibreSSL versions are given." ).format(LIBRESSL_RECENT_VERSIONS, LIBRESSL_OLD_VERSIONS) ) +parser.add_argument( + '--awslc', + nargs='+', + default=(), + help=( + "AWS-LC versions, defaults to '{}'." + ).format(AWSLC_RECENT_VERSIONS) +) parser.add_argument( '--tests', nargs='*', @@ -111,7 +123,7 @@ parser.add_argument( '--base-directory', default=MULTISSL_DIR, - help="Base directory for OpenSSL / LibreSSL sources and builds." + help="Base directory for crypto library sources and builds." ) parser.add_argument( '--no-network', 
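Review bot: The rewritten parser `description` loses the space between its two adjacent string literals, so `"Run CPython tests with multiple crypto libraries" "versions."` is shown as `librariesversions.` in `--help`. Writing the first literal as `"Run CPython tests with multiple crypto library "` restores the space and reads correctly. The `--steps` help text in the next hunk has the same defect: `"... downloads and compiles a crypto" "library. ..."` concatenates to `cryptolibrary`, and is fixed by ending the first literal with `crypto `.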
@@ -124,8 +136,8 @@ choices=['library', 'modules', 'tests'], default='tests', help=( - "Which steps to perform. 'library' downloads and compiles OpenSSL " - "or LibreSSL. 'module' also compiles Python modules. 'tests' builds " + "Which steps to perform. 'library' downloads and compiles a crypto" + "library. 'module' also compiles Python modules. 'tests' builds " "all and runs the test suite." ) ) @@ -453,6 +465,34 @@ class BuildLibreSSL(AbstractBuilder): build_template = "libressl-{}" +class BuildAWSLC(AbstractBuilder): + library = "AWS-LC" + url_templates = ( + "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz", + ) + src_template = "awslc-{}.tar.gz" + build_template = "awslc-{}" + + def _build_src(self, config_args=()): + cwd = self.build_dir + log.info("Running build in {}".format(cwd)) + env = os.environ.copy() + env["LD_RUN_PATH"] = self.lib_dir # set rpath + if self.system: + env['SYSTEM'] = self.system + cmd = [ + "cmake", + "-DCMAKE_BUILD_TYPE=RelWithDebInfo", + "-DCMAKE_PREFIX_PATH={}".format(self.install_dir), + "-DCMAKE_INSTALL_PREFIX={}".format(self.install_dir), + "-DBUILD_SHARED_LIBS=ON", + "-DFIPS=OFF", + self.src_dir, + ] + self._subprocess_call(cmd, cwd=cwd, env=env) + self._subprocess_call(["make", f"-j{self.jobs}"], cwd=cwd, env=env) + + def configure_make(): if not os.path.isfile('Makefile'): log.info('Running ./configure') @@ -467,9 +507,10 @@ def configure_make(): def main(): args = parser.parse_args() - if not args.openssl and not args.libressl: + if not args.openssl and not args.libressl and not args.awslc: args.openssl = list(OPENSSL_RECENT_VERSIONS) args.libressl = list(LIBRESSL_RECENT_VERSIONS) + args.awslc = list(AWSLC_RECENT_VERSIONS) if not args.disable_ancient: args.openssl.extend(OPENSSL_OLD_VERSIONS) args.libressl.extend(LIBRESSL_OLD_VERSIONS) 
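Review bot: `BuildAWSLC.url_templates` fetches `https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz`, and nothing in this hunk checks the archive against an expected digest before it is configured with cmake, built and installed. A Git tag can be re-pointed, and the CI job then caches the resulting build under a key made only of the OS and the version. The download step lives in `AbstractBuilder`, outside this hunk, so confirm whether it verifies anything; if not, a per-version table such as `AWSLC_SHA256 = {"1.52.2": "<sha256-of-release-tarball>"}` (placeholder value), compared after download, would close the gap. `_build_src` also accepts `config_args` but never adds it to `cmd`; either pass it through or say in a comment that it is ignored.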
@@ -513,6 +554,14 @@ def main(): build.install() builds.append(build) + for version in args.awslc: + biuld = BuildAWSLC( + version, + args + ) + build.install() + builds.append(build) + if args.steps in {'modules', 'tests'}: for build in builds: try: @@ -539,7 +588,7 @@ def main(): else: print('Executed all SSL tests.') - print('OpenSSL / LibreSSL versions:') + print('OpenSSL / LibreSSL / AWS-LC versions:') for build in builds: print(" * {0.library} {0.version}".format(build)) From 8fb1016e1f552c0f0c83cd38458d3b0af0911fe4 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:33:22 +0000 Subject: [PATCH 02/18] Various fixups, multissl.py works to build AWS-LC --- .github/workflows/build.yml | 14 +++++++------- Tools/ssl/multissltests.py | 9 ++++----- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ae646d3e6a2b29..79d80c21c7f905 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -332,12 +332,12 @@ jobs: fail-fast: false matrix: os: [ubuntu-24.04] - awslc_ver: [1.52.2] + awslc_ver: [1.52.1] env: AWSLC_VER: ${{ matrix.awslc_ver}} MULTISSL_DIR: ${{ github.workspace }}/multissl - OPENSSL_DIR: ${{ github.workspace }}/multissl/awslc/${{ matrix.awslc_ver }} - LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/awslc/${{ matrix.awslc_ver }}/lib + OPENSSL_DIR: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }} + LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }}/lib steps: - uses: actions/checkout@v4 with: 
@@ -360,14 +360,14 @@ jobs: echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}" >> "$GITHUB_ENV" echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}/lib" >> "$GITHUB_ENV" - name: 'Restore AWS-LC build' - id: cache-awslc + id: cache-aws-lc uses: actions/cache@v4 with: - path: ./multissl/awslc/${{ matrix.awslc_ver }} - key: ${{ matrix.os }}-multissl-awslc-${{ matrix.awslc_ver }} + path: ./multissl/aws-lc/${{ matrix.awslc_ver }} + key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }} # TODO [childw] can we use env.* instead of env vars here? - name: Install AWS-LC - if: steps.cache-awslc.outputs.cache-hit != 'true' + if: steps.cache-aws-lc.outputs.cache-hit != 'true' run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --awslc ${{ matrix.awslc_ver }} --system Linux - name: Add ccache to PATH run: | diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 348071386ddf66..9baf9a76b022be 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -62,7 +62,7 @@ ] AWSLC_RECENT_VERSIONS = [ - "1.52.2", + "1.52.1", ] # store files in ../multissl @@ -470,8 +470,8 @@ class BuildAWSLC(AbstractBuilder): url_templates = ( "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz", ) - src_template = "awslc-{}.tar.gz" - build_template = "awslc-{}" + src_template = "aws-lc-{}.tar.gz" + build_template = "aws-lc-{}" def _build_src(self, config_args=()): cwd = self.build_dir @@ -487,7 +487,6 @@ def _build_src(self, config_args=()): "-DCMAKE_INSTALL_PREFIX={}".format(self.install_dir), "-DBUILD_SHARED_LIBS=ON", "-DFIPS=OFF", - self.src_dir, ] self._subprocess_call(cmd, cwd=cwd, env=env) self._subprocess_call(["make", f"-j{self.jobs}"], cwd=cwd, env=env) @@ -555,7 +554,7 @@ def main(): builds.append(build) for version in args.awslc: - biuld = BuildAWSLC( + build = BuildAWSLC( version, args ) From 67fd836ddca2a30ebf87ceeabf05baafc019665b Mon Sep 17 00:00:00 2001 
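Review bot: With `self.src_dir` dropped from `cmd` in `BuildAWSLC._build_src`, cmake is now invoked with only `-D` options and no source or build path, relying on `cwd=cwd` to supply both. CMake, if I read its behaviour correctly, treats a missing path as deprecated usage and warns about it, so the build depends on that fallback continuing to work. Adding an explicit `"."` as the last element of `cmd` (or `-S`/`-B` arguments) would keep the in-tree build intent visible and stable. The rest of `_build_src` lies outside this hunk.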
From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:37:30 +0000 Subject: [PATCH 03/18] Add linkage check --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 79d80c21c7f905..1436eaae0d06bb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -389,6 +389,9 @@ jobs: run: make -j - name: Display build info run: make pythoninfo + - name: Verify python is linked to AWS-LC + run: | + ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC - name: SSL tests run: ./python Lib/test/ssltests.py From 4f0928b67a031364336a69609e8fa0cd6ec51498 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:42:45 +0000 Subject: [PATCH 04/18] Fix line break in configure command --- .github/workflows/build.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1436eaae0d06bb..716deb142266b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -376,15 +376,14 @@ jobs: uses: hendrikmuhs/ccache-action@v1.2 with: save: false - - name: Configure CPython - run: | - ./configure CFLAGS="-fdiagnostics-format=json" - --config-cache - --enable-slower-safety - --with-pydebug - --with-openssl="$OPENSSL_DIR" - --with-builtin-hashlib-hashes=blake2 - --with-ssl-default-suites=openssl + - name: Configure CPython build + run: ./configure CFLAGS="-fdiagnostics-format=json" + --config-cache + --enable-slower-safety + --with-pydebug + --with-openssl="$OPENSSL_DIR" + --with-builtin-hashlib-hashes=blake2 + --with-ssl-default-suites=openssl - name: Build CPython run: make -j - name: Display build info From b65d662f00e33eb19b3faca2569ed94fa56f3707 Mon Sep 17 00:00:00 2001 
From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:44:58 +0000 Subject: [PATCH 05/18] Fix more formatting --- .github/workflows/build.yml | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 716deb142266b8..439e2370c4e625 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -368,7 +368,12 @@ jobs: # TODO [childw] can we use env.* instead of env vars here? - name: Install AWS-LC if: steps.cache-aws-lc.outputs.cache-hit != 'true' - run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --awslc ${{ matrix.awslc_ver }} --system Linux + run: > + python3 Tools/ssl/multissltests.py + --steps=library + --base-directory "$MULTISSL_DIR" + --awslc ${{ matrix.awslc_ver }} + --system Linux - name: Add ccache to PATH run: | echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV" @@ -376,21 +381,21 @@ jobs: uses: hendrikmuhs/ccache-action@v1.2 with: save: false - - name: Configure CPython build - run: ./configure CFLAGS="-fdiagnostics-format=json" - --config-cache - --enable-slower-safety - --with-pydebug - --with-openssl="$OPENSSL_DIR" - --with-builtin-hashlib-hashes=blake2 - --with-ssl-default-suites=openssl + - name: Configure CPython + run: > + ./configure CFLAGS="-fdiagnostics-format=json" + --config-cache + --enable-slower-safety + --with-pydebug + --with-openssl="$OPENSSL_DIR" + --with-builtin-hashlib-hashes=blake2 + --with-ssl-default-suites=openssl - name: Build CPython run: make -j - name: Display build info run: make pythoninfo - name: Verify python is linked to AWS-LC - run: | - ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC + run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC - name: SSL tests run: ./python Lib/test/ssltests.py From 679147306206b2f58f7d1b6583966b43aaa78ae5 Mon Sep 17 00:00:00 2001 
From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:51:07 +0000 Subject: [PATCH 06/18] Fix more formatting --- .github/workflows/build.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 439e2370c4e625..bf2ae151643cb8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -368,11 +368,11 @@ jobs: # TODO [childw] can we use env.* instead of env vars here? - name: Install AWS-LC if: steps.cache-aws-lc.outputs.cache-hit != 'true' - run: > - python3 Tools/ssl/multissltests.py - --steps=library - --base-directory "$MULTISSL_DIR" - --awslc ${{ matrix.awslc_ver }} + run: | + python3 Tools/ssl/multissltests.py \ + --steps=library \ + --base-directory "$MULTISSL_DIR" \ + --awslc ${{ matrix.awslc_ver }} \ --system Linux - name: Add ccache to PATH run: | @@ -382,13 +382,13 @@ jobs: with: save: false - name: Configure CPython - run: > - ./configure CFLAGS="-fdiagnostics-format=json" - --config-cache - --enable-slower-safety - --with-pydebug - --with-openssl="$OPENSSL_DIR" - --with-builtin-hashlib-hashes=blake2 + run: | + ./configure CFLAGS="-fdiagnostics-format=json" \ + --config-cache \ + --enable-slower-safety \ + --with-pydebug \ + --with-openssl="$OPENSSL_DIR" \ + --with-builtin-hashlib-hashes=blake2 \ --with-ssl-default-suites=openssl - name: Build CPython run: make -j From 269dc10db4aefd41f51a660dde2339363f865688 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Wed, 11 Jun 2025 16:52:53 +0000 Subject: [PATCH 07/18] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst 
diff --git a/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst new file mode 100644 index 00000000000000..79d2e67ca91e60 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst @@ -0,0 +1 @@ +Add a new GitHub CI job to test python's ssl module with AWS-LC as the backing cryptography and TLS library. From cd74e2ba29fce8b205ecf9d3ed5270838bbc77f7 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 16:57:35 +0000 Subject: [PATCH 08/18] Fix all-required-greed target --- .github/workflows/build.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bf2ae151643cb8..5691f856bc1ca5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -697,7 +697,8 @@ jobs: - build-windows-msi - build-macos - build-ubuntu - - build-ubuntu-ssltests + - build-ubuntu-ssltests-awslc + - build-ubuntu-ssltests-openssl - build-wasi - test-hypothesis - build-asan @@ -712,7 +713,8 @@ jobs: with: allowed-failures: >- build-windows-msi, - build-ubuntu-ssltests, + build-ubuntu-ssltests-awslc + build-ubuntu-ssltests-openssl test-hypothesis, cifuzz, allowed-skips: >- @@ -730,7 +732,8 @@ jobs: check-generated-files, build-macos, build-ubuntu, - build-ubuntu-ssltests, + build-ubuntu-ssltests-awslc, + build-ubuntu-ssltests-openssl, build-wasi, test-hypothesis, build-asan, From 24fbecfffc900ba466e06f4905549fd8ac433bd0 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 17:14:34 +0000 Subject: [PATCH 09/18] Fix aws-lc build dir path --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5691f856bc1ca5..4588883052b91f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
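Review bot: In the `allowed-failures` folded scalar the two new entries have no trailing commas (`build-ubuntu-ssltests-awslc` and `build-ubuntu-ssltests-openssl`), whereas the line they replace was `build-ubuntu-ssltests,`. After folding, the list holds the single item `build-ubuntu-ssltests-awslc build-ubuntu-ssltests-openssl test-hypothesis`, which presumably matches no job name. If the gating action splits this value on commas, neither SSL job nor `test-hypothesis` is treated as an allowed failure any more, so the required-checks gate behaves differently from what the change intends. Each entry should end with a comma, `build-ubuntu-ssltests-awslc,` and `build-ubuntu-ssltests-openssl,`, as the last hunk of this commit already does. PATCH 18/18 later removes the AWS-LC entry but still leaves `build-ubuntu-ssltests-openssl` without its comma.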
@@ -357,8 +357,8 @@ jobs: # TODO [childw] do we need to re-specify the env vars here after L330's configuration? run: | echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV" - echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}" >> "$GITHUB_ENV" - echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/awslc/${AWSLC_VER}/lib" >> "$GITHUB_ENV" + echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}" >> "$GITHUB_ENV" + echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}/lib" >> "$GITHUB_ENV" - name: 'Restore AWS-LC build' id: cache-aws-lc uses: actions/cache@v4 From fa08737dbcfc69617fa7814313ca6db466ecd852 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 17:42:56 +0000 Subject: [PATCH 10/18] Remove NID_blake2b512 from hashlib dependency test in ./configure --- configure | 1 - 1 file changed, 1 deletion(-) diff --git a/configure b/configure index 029bf527da4e3d..3fada482bd40e7 100755 --- a/configure +++ b/configure @@ -30873,7 +30873,6 @@ main (void) OBJ_nid2sn(NID_md5); OBJ_nid2sn(NID_sha1); OBJ_nid2sn(NID_sha3_512); - OBJ_nid2sn(NID_blake2b512); EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); ; From 3f3a70bf91b5208a8ffc2b06d33320b6b465544c Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 17:45:27 +0000 Subject: [PATCH 11/18] Remove NID_blake2b512 from configure.ac --- configure.ac | 1 - 1 file changed, 1 deletion(-) diff --git a/configure.ac b/configure.ac index 371b2e8ed73525..d2cac8107840c2 100644 --- a/configure.ac +++ b/configure.ac @@ -7545,7 +7545,6 @@ WITH_SAVE_ENV([ OBJ_nid2sn(NID_md5); OBJ_nid2sn(NID_sha1); OBJ_nid2sn(NID_sha3_512); - OBJ_nid2sn(NID_blake2b512); EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); ])], [ac_cv_working_openssl_hashlib=yes], [ac_cv_working_openssl_hashlib=no]) ]) From 7d37e6afe3f81ec8749ae85189eb5b32c63b7541 Mon Sep 17 00:00:00 2001 
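Review bot: Dropping `OBJ_nid2sn(NID_blake2b512);` from the `ac_cv_working_openssl_hashlib` probe relaxes the check for every libcrypto, not only AWS-LC, so configure can now report a working OpenSSL hashlib against a library that has no BLAKE2b. The new CI job pairs this with `--with-builtin-hashlib-hashes=blake2`, but nothing visible here ties the two together, and a configuration that disables the built-in blake2 would presumably end up without that hash. A short comment at the probe would record the intent, e.g. `dnl NID_blake2b512 is deliberately not probed: not every supported libcrypto provides it; blake2 then comes from the built-in implementation.` The macro surrounding the probe starts and ends outside the hunk.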
From: WillChilds-Klein Date: Wed, 11 Jun 2025 18:27:15 +0000 Subject: [PATCH 12/18] Tryi setting --with-openssl-rpath in configure invocation --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4588883052b91f..afc96260fbdc10 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -388,6 +388,7 @@ jobs: --enable-slower-safety \ --with-pydebug \ --with-openssl="$OPENSSL_DIR" \ + --with-openssl-rpath="$OPENSSL_DIR"/lib \ --with-builtin-hashlib-hashes=blake2 \ --with-ssl-default-suites=openssl - name: Build CPython From 6eb1190cb79f0a2b295b6c805a0e2f087b1d3476 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 18:54:04 +0000 Subject: [PATCH 13/18] Revert "Tryi setting --with-openssl-rpath in configure invocation" This reverts commit 7d37e6afe3f81ec8749ae85189eb5b32c63b7541. --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index afc96260fbdc10..4588883052b91f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -388,7 +388,6 @@ jobs: --enable-slower-safety \ --with-pydebug \ --with-openssl="$OPENSSL_DIR" \ - --with-openssl-rpath="$OPENSSL_DIR"/lib \ --with-builtin-hashlib-hashes=blake2 \ --with-ssl-default-suites=openssl - name: Build CPython From 8f4a0eb739713b5baf28aefa9d561873a70e25ef Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 21:22:37 +0000 Subject: [PATCH 14/18] Guard new hashlib ctor test --- Lib/test/test_hashlib.py | 5 ++++- Tools/ssl/multissltests.py | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py index b83ae181718b7a..ff52e73100e373 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py 
@@ -274,7 +274,10 @@ def test_clinic_signature(self): with self.assertWarnsRegex(DeprecationWarning, DEPRECATED_STRING_PARAMETER): hashlib.new(digest_name, string=b'') - if self._hashlib: + # when using a combination of libcrypto and interned hash + # implementations, we need to make sure that _hashlib contains + # the constructor we're testing + if self._hashlib and digest_name in self._hashlib._constructors: self._hashlib.new(digest_name, b'') self._hashlib.new(digest_name, data=b'') with self.assertWarnsRegex(DeprecationWarning, diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 9baf9a76b022be..21d801ac453947 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -486,6 +486,7 @@ def _build_src(self, config_args=()): "-DCMAKE_PREFIX_PATH={}".format(self.install_dir), "-DCMAKE_INSTALL_PREFIX={}".format(self.install_dir), "-DBUILD_SHARED_LIBS=ON", + "-DBUILD_TESTING=OFF", "-DFIPS=OFF", ] self._subprocess_call(cmd, cwd=cwd, env=env) From 7ebee26d8ef098f142b8677e19d6b391d2a7ac67 Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Wed, 11 Jun 2025 18:15:41 -0400 Subject: [PATCH 15/18] Update Tools/ssl/multissltests.py Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- Tools/ssl/multissltests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 21d801ac453947..9b517e3dd8b354 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -3,7 +3,7 @@ The script - (1) downloads OpenSSL / LibreSSL / AWS-LC tar bundle + (1) downloads the tar bundle (2) extracts it to ./src (3) compiles OpenSSL / LibreSSL / AWS-LC (4) installs the crypto library into ../multissl/$LIB/$VERSION/ From 840923d09e0861758f71c3e24359664f54ca6d4f Mon Sep 17 00:00:00 2001 
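Review bot: The new comment in `test_clinic_signature` speaks of "interned hash implementations", a term not used elsewhere in this change. The configure option in the same series is `--with-builtin-hashlib-hashes`, so "built-in" is probably what is meant. Suggested wording: `# With a mix of libcrypto and built-in hash implementations, _hashlib may not provide every digest; only exercise constructors it actually has.` Because the guard now skips `_hashlib.new` silently for missing digests, the comment should also say that the skip is intentional. The test method begins outside the hunk.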
From: Will Childs-Klein Date: Wed, 11 Jun 2025 18:15:55 -0400 Subject: [PATCH 16/18] Update Tools/ssl/multissltests.py Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- Tools/ssl/multissltests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 9b517e3dd8b354..8c807f81a2ef80 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -5,8 +5,8 @@ (1) downloads the tar bundle (2) extracts it to ./src - (3) compiles OpenSSL / LibreSSL / AWS-LC - (4) installs the crypto library into ../multissl/$LIB/$VERSION/ + (3) compiles the relevant library + (4) installs that library into ../multissl/$LIB/$VERSION/ (5) forces a recompilation of Python modules using the header and library files from ../multissl/$LIB/$VERSION/ (6) runs Python's test suite From 3850ba0003c0c118b2f3e8caef619544f7fbe059 Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Wed, 11 Jun 2025 18:17:47 -0400 Subject: [PATCH 17/18] Update Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- .../next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst index 79d2e67ca91e60..abc0ae2c26bfa8 100644 --- a/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst +++ b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst @@ -1 +1,3 @@ -Add a new GitHub CI job to test python's ssl module with AWS-LC as the backing cryptography and TLS library. +Add a new GitHub CI job to test the :py:mod:`ssl` module with AWS-LC__ as the backing cryptography and TLS library. + +__ https://github.com/aws/aws-lc 
From be1b72c13b2d7b7d5d09c5f3a83cfff3f467e302 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Wed, 11 Jun 2025 22:52:33 +0000 Subject: [PATCH 18/18] Remove TODOs per PR feedback, remove this as required CI job --- .github/workflows/build.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4588883052b91f..650e45ac03a60a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -354,7 +354,6 @@ jobs: - name: Install dependencies run: sudo ./.github/workflows/posix-deps-apt.sh - name: Configure SSL lib env vars - # TODO [childw] do we need to re-specify the env vars here after L330's configuration? run: | echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV" echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}" >> "$GITHUB_ENV" @@ -365,7 +364,6 @@ jobs: with: path: ./multissl/aws-lc/${{ matrix.awslc_ver }} key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }} - # TODO [childw] can we use env.* instead of env vars here? - name: Install AWS-LC if: steps.cache-aws-lc.outputs.cache-hit != 'true' run: | @@ -697,7 +695,6 @@ jobs: - build-windows-msi - build-macos - build-ubuntu - - build-ubuntu-ssltests-awslc - build-ubuntu-ssltests-openssl - build-wasi - test-hypothesis @@ -713,7 +710,6 @@ jobs: with: allowed-failures: >- build-windows-msi, - build-ubuntu-ssltests-awslc build-ubuntu-ssltests-openssl test-hypothesis, cifuzz, @@ -732,7 +728,6 @@ jobs: check-generated-files, build-macos, build-ubuntu, - build-ubuntu-ssltests-awslc, build-ubuntu-ssltests-openssl, build-wasi, test-hypothesis,