https://github.com/python/cpython/commit/db47f4d844acf2b6e52e44f7f3d5f7566b1e402c
commit: db47f4d844acf2b6e52e44f7f3d5f7566b1e402c
branch: main
author: Will Childs-Klein <willc...@gmail.com>
committer: zware <zachary.w...@gmail.com>
date: 2025-07-11T17:24:11-05:00
summary:

gh-135401: Test AWS-LC as a cryptography library in CI (GH-135402)

Co-authored-by: Adam Turner <9087854+aa-tur...@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picn...@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hug...@users.noreply.github.com>
Co-authored-by: Zachary Ware <z...@python.org>

files:
A Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst
M .github/workflows/build.yml
M .github/workflows/posix-deps-apt.sh
M Tools/ssl/multissltests.py
M configure
M configure.ac

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c6171571857af6..05f20e12f4653d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -260,7 +260,7 @@ jobs:
       free-threading: ${{ matrix.free-threading }}
       os: ${{ matrix.os }}
 
-  build-ubuntu-ssltests:
+  build-ubuntu-ssltests-openssl:
     name: 'Ubuntu SSL tests with OpenSSL'
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
@@ -322,6 +322,81 @@ jobs:
     - name: SSL tests
       run: ./python Lib/test/ssltests.py
 
+  build-ubuntu-ssltests-awslc:
+    name: 'Ubuntu SSL tests with AWS-LC'
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+    needs: build-context
+    if: needs.build-context.outputs.run-tests == 'true'
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        awslc_ver: [1.55.0]
+    env:
+      AWSLC_VER: ${{ matrix.awslc_ver}}
+      MULTISSL_DIR: ${{ github.workspace }}/multissl
+      OPENSSL_DIR: ${{ github.workspace }}/multissl/aws-lc/${{ 
matrix.awslc_ver }}
+      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/aws-lc/${{ 
matrix.awslc_ver }}/lib
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Runner image version
+      run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV"
+    - name: Restore config.cache
+      uses: actions/cache@v4
+      with:
+        path: config.cache
+        key: ${{ github.job }}-${{ env.IMAGE_OS_VERSION }}-${{ 
needs.build-context.outputs.config-hash }}
+    - name: Register gcc problem matcher
+      run: echo "::add-matcher::.github/problem-matchers/gcc.json"
+    - name: Install dependencies
+      run: sudo ./.github/workflows/posix-deps-apt.sh
+    - name: Configure SSL lib env vars
+      run: |
+        echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
+        echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}" >> 
"$GITHUB_ENV"
+        echo 
"LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}/lib" >> 
"$GITHUB_ENV"
+    - name: 'Restore AWS-LC build'
+      id: cache-aws-lc
+      uses: actions/cache@v4
+      with:
+        path: ./multissl/aws-lc/${{ matrix.awslc_ver }}
+        key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }}
+    - name: Install AWS-LC
+      if: steps.cache-aws-lc.outputs.cache-hit != 'true'
+      run: |
+        python3 Tools/ssl/multissltests.py \
+          --steps=library \
+          --base-directory "$MULTISSL_DIR" \
+          --awslc ${{ matrix.awslc_ver }} \
+          --system Linux
+    - name: Add ccache to PATH
+      run: |
+        echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
+    - name: Configure ccache action
+      uses: hendrikmuhs/ccache-action@v1.2
+      with:
+        save: false
+    - name: Configure CPython
+      run: |
+        ./configure CFLAGS="-fdiagnostics-format=json" \
+          --config-cache \
+          --enable-slower-safety \
+          --with-pydebug \
+          --with-openssl="$OPENSSL_DIR" \
+          --with-builtin-hashlib-hashes=blake2 \
+          --with-ssl-default-suites=openssl
+    - name: Build CPython
+      run: make -j
+    - name: Display build info
+      run: make pythoninfo
+    - name: Verify python is linked to AWS-LC
+      run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC
+    - name: SSL tests
+      run: ./python Lib/test/ssltests.py
+
   build-wasi:
     name: 'WASI'
     needs: build-context
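Review bot: The `Install AWS-LC` step expands `${{ matrix.awslc_ver }}` directly into the shell script, although the job already exports the same value as `AWSLC_VER`. Passing it as `--awslc "$AWSLC_VER" \` keeps workflow expressions out of `run:` bodies, so the value reaches the shell as quoted data; today it is a fixed matrix literal, so this is hardening rather than a live bug. The job-level `env:` block and the `Configure SSL lib env vars` step also set the same three variables twice, and one of the two can go. `hendrikmuhs/ccache-action@v1.2` is referenced by a movable tag; pinning it to a full commit SHA would fix which code runs in this job.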
@@ -628,7 +703,8 @@ jobs:
     - build-windows-msi
     - build-macos
     - build-ubuntu
-    - build-ubuntu-ssltests
+    - build-ubuntu-ssltests-awslc
+    - build-ubuntu-ssltests-openssl
     - build-wasi
     - test-hypothesis
     - build-asan
@@ -643,7 +719,8 @@ jobs:
       with:
         allowed-failures: >-
           build-windows-msi,
-          build-ubuntu-ssltests,
+          build-ubuntu-ssltests-awslc,
+          build-ubuntu-ssltests-openssl,
           test-hypothesis,
           cifuzz,
         allowed-skips: >-
@@ -661,7 +738,8 @@ jobs:
             check-generated-files,
             build-macos,
             build-ubuntu,
-            build-ubuntu-ssltests,
+            build-ubuntu-ssltests-awslc,
+            build-ubuntu-ssltests-openssl,
             build-wasi,
             test-hypothesis,
             build-asan,
diff --git a/.github/workflows/posix-deps-apt.sh 
b/.github/workflows/posix-deps-apt.sh
index 44e6a9ce2d0cd1..0b64367e6c4562 100755
--- a/.github/workflows/posix-deps-apt.sh
+++ b/.github/workflows/posix-deps-apt.sh
@@ -5,6 +5,7 @@ apt-get -yq install \
     build-essential \
     pkg-config \
     ccache \
+    cmake \
     gdb \
     lcov \
     libb2-dev \
diff --git 
a/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst 
b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst
new file mode 100644
index 00000000000000..6885fba30dbab0
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst
@@ -0,0 +1 @@
+Add a new GitHub CI job to test the :mod:`ssl` module with `AWS-LC 
<https://github.com/aws/aws-lc>`_ as the backing cryptography and TLS library.
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index b1a5df91901fc6..f4c8fde8346fd9 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -1,12 +1,12 @@
 #!./python
-"""Run Python tests against multiple installations of OpenSSL and LibreSSL
+"""Run Python tests against multiple installations of cryptography libraries
 
 The script
 
-  (1) downloads OpenSSL / LibreSSL tar bundle
+  (1) downloads the tar bundle
   (2) extracts it to ./src
-  (3) compiles OpenSSL / LibreSSL
-  (4) installs OpenSSL / LibreSSL into ../multissl/$LIB/$VERSION/
+  (3) compiles the relevant library
+  (4) installs that library into ../multissl/$LIB/$VERSION/
   (5) forces a recompilation of Python modules using the
       header and library files from ../multissl/$LIB/$VERSION/
   (6) runs Python's test suite
@@ -61,6 +61,10 @@
 LIBRESSL_RECENT_VERSIONS = [
 ]
 
+AWSLC_RECENT_VERSIONS = [
+    "1.55.0",
+]
+
 # store files in ../multissl
 HERE = os.path.dirname(os.path.abspath(__file__))
 PYTHONROOT = os.path.abspath(os.path.join(HERE, '..', '..'))
@@ -70,9 +74,9 @@
 parser = argparse.ArgumentParser(
     prog='multissl',
     description=(
-        "Run CPython tests with multiple OpenSSL and LibreSSL "
+        "Run CPython tests with multiple cryptography libraries"
         "versions."
-    )
+    ),
 )
 parser.add_argument(
     '--debug',
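Review bot: The new description string loses the space before the next literal, so implicit concatenation yields "librariesversions." in the `--help` output; the first fragment should end with a space, `"Run CPython tests with multiple cryptography libraries "`. The `--steps` help in a later hunk has the same slip (`"... compiles a crypto"` followed by `"library. ..."`) and should read `"Which steps to perform. 'library' downloads and compiles a crypto "`. The `parser.add_argument('--debug', ...)` call at the end of this hunk continues outside it.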
@@ -102,6 +106,14 @@
         "OpenSSL and LibreSSL versions are given."
     ).format(LIBRESSL_RECENT_VERSIONS, LIBRESSL_OLD_VERSIONS)
 )
+parser.add_argument(
+    '--awslc',
+    nargs='+',
+    default=(),
+    help=(
+        "AWS-LC versions, defaults to '{}' if no crypto library versions are 
given."
+    ).format(AWSLC_RECENT_VERSIONS)
+)
 parser.add_argument(
     '--tests',
     nargs='*',
@@ -111,7 +123,7 @@
 parser.add_argument(
     '--base-directory',
     default=MULTISSL_DIR,
-    help="Base directory for OpenSSL / LibreSSL sources and builds."
+    help="Base directory for crypto library sources and builds."
 )
 parser.add_argument(
     '--no-network',
@@ -124,8 +136,8 @@
     choices=['library', 'modules', 'tests'],
     default='tests',
     help=(
-        "Which steps to perform. 'library' downloads and compiles OpenSSL "
-        "or LibreSSL. 'module' also compiles Python modules. 'tests' builds "
+        "Which steps to perform. 'library' downloads and compiles a crypto"
+        "library. 'module' also compiles Python modules. 'tests' builds "
         "all and runs the test suite."
     )
 )
@@ -453,6 +465,34 @@ class BuildLibreSSL(AbstractBuilder):
     build_template = "libressl-{}"
 
 
+class BuildAWSLC(AbstractBuilder):
+    library = "AWS-LC"
+    url_templates = (
+        "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz";,
+    )
+    src_template = "aws-lc-{}.tar.gz"
+    build_template = "aws-lc-{}"
+
+    def _build_src(self, config_args=()):
+        cwd = self.build_dir
+        log.info("Running build in {}".format(cwd))
+        env = os.environ.copy()
+        env["LD_RUN_PATH"] = self.lib_dir # set rpath
+        if self.system:
+            env['SYSTEM'] = self.system
+        cmd = [
+            "cmake",
+            "-DCMAKE_BUILD_TYPE=RelWithDebInfo",
+            "-DCMAKE_PREFIX_PATH={}".format(self.install_dir),
+            "-DCMAKE_INSTALL_PREFIX={}".format(self.install_dir),
+            "-DBUILD_SHARED_LIBS=ON",
+            "-DBUILD_TESTING=OFF",
+            "-DFIPS=OFF",
+        ]
+        self._subprocess_call(cmd, cwd=cwd, env=env)
+        self._subprocess_call(["make", "-j{}".format(self.jobs)], cwd=cwd, 
env=env)
+
+
 def configure_make():
     if not os.path.isfile('Makefile'):
         log.info('Running ./configure')
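Review bot: `url_templates` in `BuildAWSLC` points at a GitHub tag archive, and nothing in this hunk records an expected digest for it, so the CI job compiles and then links CPython against whatever that URL returns. The download code lives in `AbstractBuilder`, outside the hunk; if it does not already verify a hash, consider keeping a per-version SHA-256 next to `AWSLC_RECENT_VERSIONS` and checking it before extraction. Separately, `cmd` gives cmake no source directory and appears to rely on the current-directory fallback; adding `"."` as the last list element makes the in-tree build explicit. `config_args` is accepted by `_build_src` but never used, which deserves a one-line comment or forwarding into `cmd`.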
@@ -467,9 +507,10 @@ def configure_make():
 
 def main():
     args = parser.parse_args()
-    if not args.openssl and not args.libressl:
+    if not args.openssl and not args.libressl and not args.awslc:
         args.openssl = list(OPENSSL_RECENT_VERSIONS)
         args.libressl = list(LIBRESSL_RECENT_VERSIONS)
+        args.awslc = list(AWSLC_RECENT_VERSIONS)
         if not args.disable_ancient:
             args.openssl.extend(OPENSSL_OLD_VERSIONS)
             args.libressl.extend(LIBRESSL_OLD_VERSIONS)
@@ -496,22 +537,15 @@ def main():
 
     # download and register builder
     builds = []
-
-    for version in args.openssl:
-        build = BuildOpenSSL(
-            version,
-            args
-        )
-        build.install()
-        builds.append(build)
-
-    for version in args.libressl:
-        build = BuildLibreSSL(
-            version,
-            args
-        )
-        build.install()
-        builds.append(build)
+    for build_class, versions in [
+        (BuildOpenSSL, args.openssl),
+        (BuildLibreSSL, args.libressl),
+        (BuildAWSLC, args.awslc),
+    ]:
+        for version in versions:
+            build = build_class(version, args)
+            build.install()
+            builds.append(build)
 
     if args.steps in {'modules', 'tests'}:
         for build in builds:
@@ -539,7 +573,7 @@ def main():
         else:
             print('Executed all SSL tests.')
 
-    print('OpenSSL / LibreSSL versions:')
+    print('OpenSSL / LibreSSL / AWS-LC versions:')
     for build in builds:
         print("    * {0.library} {0.version}".format(build))
 
diff --git a/configure b/configure
index 94a0b810333ce9..4292f33ce21dce 100755
--- a/configure
+++ b/configure
@@ -30848,8 +30848,8 @@ main (void)
 
       OBJ_nid2sn(NID_md5);
       OBJ_nid2sn(NID_sha1);
+      OBJ_nid2sn(NID_sha512);
       OBJ_nid2sn(NID_sha3_512);
-      OBJ_nid2sn(NID_blake2b512);
       EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
 
   ;
diff --git a/configure.ac b/configure.ac
index ade71bc011eb87..cc7a6e9397dded 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7529,8 +7529,8 @@ WITH_SAVE_ENV([
     ], [
       OBJ_nid2sn(NID_md5);
       OBJ_nid2sn(NID_sha1);
+      OBJ_nid2sn(NID_sha512);
       OBJ_nid2sn(NID_sha3_512);
-      OBJ_nid2sn(NID_blake2b512);
       EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
     ])], [ac_cv_working_openssl_hashlib=yes], 
[ac_cv_working_openssl_hashlib=no])
   ])
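Review bot: Dropping `OBJ_nid2sn(NID_blake2b512)` from the probe means `ac_cv_working_openssl_hashlib=yes` no longer implies that the linked library provides BLAKE2, and nothing near the changed lines records that this is deliberate. The new CI job passes `--with-builtin-hashlib-hashes=blake2`, which suggests AWS-LC does not offer it; a build against such a library that leaves blake2 out of that option would presumably end up without `hashlib.blake2b`. A short comment at the check would help, for example `dnl BLAKE2 is intentionally not probed; some supported libcrypto builds lack it, use the builtin implementation.` The enclosing `WITH_SAVE_ENV([` block starts and ends outside the hunk, and the generated `configure` hunk mirrors this one.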
