Skip to content

gh-135401: Test AWS-LC as a cryptography library in CI #135402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 25 commits into
base: main
Choose a base branch
from

Conversation

WillChilds-Klein
Copy link
Contributor

@WillChilds-Klein WillChilds-Klein commented Jun 11, 2025

Notes

Currently in draft status to test the new workflow. Building AWS-LC, linking the interpreter to it dynamically, and running the ssl tests all appear to work fine. I'm still working on remaining issues in test_hmac.

TODO


@AA-Turner AA-Turner changed the title gh-135401 Add AWS-LC-backed ssl module CI job gh-135401: Test AWS-LC SSL in CI Jun 11, 2025
with:
path: ./multissl/aws-lc/${{ matrix.awslc_ver }}
key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }}
# TODO [childw] can we use env.* instead of env vars here?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest for the initial version, keep as similar to the OpenSSL job/workflow, and then perhaps update both at once afterwards?

Copy link
Contributor Author

@WillChilds-Klein WillChilds-Klein Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. I'll remove the TODOs. Perhaps we can leave this comment unresolved as a reminder for me to clean up both (if tenable) if/after this PR has been merged.

@WillChilds-Klein WillChilds-Klein changed the title gh-135401: Test AWS-LC SSL in CI gh-135401: Test AWS-LC as a cryptography library in CI Jun 11, 2025
@picnixz
Copy link
Member

picnixz commented Jun 13, 2025

Can you cherry-pick 8f4a0eb and make a separate PR please? TiA.

@WillChilds-Klein WillChilds-Klein requested a review from picnixz June 16, 2025 19:27
@picnixz
Copy link
Member

picnixz commented Jun 27, 2025

Ok, the failure is because HMAC-SHA3 isn't supported in AWS-LC. I don't know if the ValueError is actually on my side or fired from OpenSSL and I'm just converting the message, but improving that message would be nice.

@WillChilds-Klein
Copy link
Contributor Author

Looks like it's coming from python. This ValueError will be fixed once PR 2484 has been merged.

@picnixz
Copy link
Member

picnixz commented Jun 27, 2025

Ok so it fell back to the default error message (i.e. there was no reason we could extract)

WillChilds-Klein added a commit to aws/aws-lc that referenced this pull request Jun 30, 2025
This PR implements HMAC over truncated SHA3 variants as specified in
[NIST SP
800-224](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-224.ipd.pdf#section.3).
We do so without externalizing any SHA3/keccak internals, including its
context struct. This is done intentionally, as OpenSSL [has not yet
externalized its SHA3/keccak context
struct](https://github.com/openssl/openssl/blob/be7467f5a0aa098531597b95a71be6d7c2a463c7/include/internal/sha3.h#L40)
and we want to leave the door open to future interoperability. To work
around this in `hmac.h`'s `md_ctx_union`, we hard-code the context
struct size and add a compile-time assertion that it does not grow
larger than the hard-coded value.

SHA3 is unique in supported HMAC digests in that, due to differences
between its sponge construction and others' Merkle-Dåmgard
constructions, it does not support pre-computed keys. To accommodate
this difference, we refactor the relevant code generation macros and
relevant unit tests.

The HMAC-SHA3 feature gap was discovered in a somewhat roundabout way.
While preparing a [pull
request](python/cpython#135402) to add AWS-LC to
upstream CPython's CI, I discovered that CPython's `./configure`
script's compile probe failed to detect `libcrypto` support for linking
`hashlib`. The compile probe
[referenced](https://github.com/python/cpython/blob/59963e866a1bb8128a50cd53d1b13eeab03df06e/configure#L30869)
`NID_blake2b512`, which AWS-LC does not support. The consequence of this
was that CPython used its HACL implementations for `hashlib` instead of
linking AWS-LC. This did not affect our `ssl` integration, as AWS-LC
always uses its own hash functions for TLS.
@picnixz
Copy link
Member

picnixz commented Jul 1, 2025

Ah yes the error is due to multissltests. We only use tags but the script could be extended to support exact commits maybe?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants