gh-135401: Test AWS-LC as a cryptography library in CI #135402
Conversation
This reverts commit 7d37e6a.
Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst
.github/workflows/build.yml
```yaml
with:
  path: ./multissl/aws-lc/${{ matrix.awslc_ver }}
  key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }}
  # TODO [childw] can we use env.* instead of env vars here?
```
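Review bot: the cache `key:` is derived only from `matrix.os` and `matrix.awslc_ver`, so any change to how the AWS-LC tree under `./multissl/aws-lc/` is built (build script, configure flags, compiler) would keep restoring the previously cached build for the same tag; folding a `hashFiles()` of the build script into the key avoids a stale hit. The `# TODO [childw]` marker should also be resolved or dropped before merge rather than shipped in the workflow.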
I'd suggest for the initial version, keep as similar to the OpenSSL job/workflow, and then perhaps update both at once afterwards?
Fair enough. I'll remove the TODOs. Perhaps we can leave this comment unresolved as a reminder for me to clean up both (if tenable) if/after this PR has been merged.
Co-authored-by: Adam Turner <[email protected]>
Co-authored-by: Adam Turner <[email protected]>
…XmL.rst Co-authored-by: Adam Turner <[email protected]>
Can you cherry-pick 8f4a0eb and make a separate PR please? TiA.
Ok, the failure is because HMAC-SHA3 isn't supported in AWS-LC. I don't know if the ValueError is actually on my side or fired from OpenSSL and I'm just converting the message, but improving that message would be nice.
Looks like it's coming from python. This
Ok so it fell back to the default error message (i.e. there was no reason we could extract)
This PR implements HMAC over truncated SHA3 variants as specified in [NIST SP 800-224](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-224.ipd.pdf#section.3). We do so without externalizing any SHA3/keccak internals, including its context struct. This is done intentionally, as OpenSSL [has not yet externalized its SHA3/keccak context struct](https://github.com/openssl/openssl/blob/be7467f5a0aa098531597b95a71be6d7c2a463c7/include/internal/sha3.h#L40) and we want to leave the door open to future interoperability. To work around this in `hmac.h`'s `md_ctx_union`, we hard-code the context struct size and add a compile-time assertion that it does not grow larger than the hard-coded value.

SHA3 is unique among supported HMAC digests in that, due to differences between its sponge construction and the others' Merkle-Damgård constructions, it does not support pre-computed keys. To accommodate this difference, we refactor the relevant code generation macros and relevant unit tests.

The HMAC-SHA3 feature gap was discovered in a somewhat roundabout way. While preparing a [pull request](python/cpython#135402) to add AWS-LC to upstream CPython's CI, I discovered that CPython's `./configure` script's compile probe failed to detect `libcrypto` support for linking `hashlib`. The compile probe [referenced](https://github.com/python/cpython/blob/59963e866a1bb8128a50cd53d1b13eeab03df06e/configure#L30869) `NID_blake2b512`, which AWS-LC does not support. The consequence of this was that CPython used its HACL implementations for `hashlib` instead of linking AWS-LC. This did not affect our `ssl` integration, as AWS-LC always uses its own hash functions for TLS.
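As an added example (not code from this PR, from CPython, or from AWS-LC), the following script checks on the running interpreter the three things the discussion above turns on: whether each `hashlib` constructor is served by `_hashlib` (the linked libcrypto) or by the bundled fallback, whether libcrypto advertises a digest at all, and whether `hmac.new()` accepts it, capturing the error message when it does not. It also computes HMAC from `hashlib` alone, using the hash's own block size (64 bytes for SHA-256, 136 bytes for SHA3-256, i.e. the sponge rate), so the module's result can be cross-checked. The RFC 4231 vector is a published test vector; the function names and the name `blake2b512` used for the libcrypto lookup are my assumptions.

```python
import hashlib
import hmac

# RFC 4231, test case 1 (HMAC-SHA-256): public reference vector.
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"
RFC4231_HMAC_SHA256 = (
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)


def hashlib_backend(name):
    """'openssl' if hashlib's constructor for `name` is the _hashlib (libcrypto)
    wrapper, 'builtin' if it is the bundled HACL*/_sha3/_blake2 code, 'missing'
    if hashlib.new() rejects the name.  Note: hashlib always prefers its bundled
    blake2, so 'builtin' for blake2b says nothing about libcrypto."""
    try:
        h = hashlib.new(name)
    except ValueError:
        return "missing"
    return "openssl" if type(h).__module__ == "_hashlib" else "builtin"


def libcrypto_provides(name):
    """True if the linked libcrypto advertises `name` (e.g. 'sha3_256',
    'blake2b512' - assumed spelling) in _hashlib.openssl_md_meth_names.
    False if _hashlib is absent, i.e. the configure probe did not link it."""
    try:
        import _hashlib
    except ImportError:
        return False
    return name in _hashlib.openssl_md_meth_names


def reference_hmac(key, msg, name):
    """Textbook RFC 2104 HMAC built only from hashlib, keyed on the hash's
    own block size.  For SHA3 this is the sponge rate (136 for SHA3-256),
    which is why a SHA3 HMAC cannot reuse a Merkle-Damgard-style precomputed
    inner/outer state."""
    block = hashlib.new(name).block_size
    if len(key) > block:  # long keys are hashed first, per RFC 2104
        key = hashlib.new(name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(name, ipad + msg).digest()
    return hashlib.new(name, opad + inner).digest()


def check_hmac(name, key=RFC4231_KEY, msg=RFC4231_MSG):
    """Report whether hmac.new() accepts `name` here, the error text if it
    does not (this is the message the thread found unhelpful), and whether
    the module output agrees with reference_hmac()."""
    result = {
        "digest": name,
        "backend": hashlib_backend(name),
        "libcrypto": libcrypto_provides(name),
        "hmac_ok": False,
        "error": None,
        "matches_reference": False,
    }
    try:
        mac = hmac.new(key, msg, name).digest()
    except (ValueError, TypeError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    result["hmac_ok"] = True
    result["hex"] = mac.hex()
    result["matches_reference"] = hmac.compare_digest(
        mac, reference_hmac(key, msg, name)
    )
    return result


def report(names=("sha256", "sha3_256")):
    """One dict per digest; run this on an AWS-LC-linked build to see which
    HMAC digests fall back and with what message."""
    rows = [check_hmac(n) for n in names]
    rows.append({"digest": "blake2b512", "libcrypto": libcrypto_provides("blake2b512")})
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

On a stock CPython linked against OpenSSL every row reports `backend: openssl` and `hmac_ok: True`; on the AWS-LC build discussed here, `libcrypto_provides("blake2b512")` being `False` is the symptom of the configure probe, and `check_hmac("sha3_256")["error"]` carries the fallback message the reviewers were looking at.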
Ah yes the error is due to multissltests. We only use tags but the script could be extended to support exact commits maybe?
Notes
Currently in draft status to test the new workflow. Building AWS-LC, linking the interpreter to it dynamically, and running the `ssl` tests all appear to work fine. I'm still working on remaining issues in `test_hmac`.

TODO

- `test_hmac` failures in AWS-LC PR 2484