Add cpython integration test

[WillChilds-Klein]

Issues:

Addresses i/CryptoAlg-2136

Description of changes:

This change adds an integration test for CPython versions 3.10 through tip-of-main. Running all 3.10 python module tests on my AL2 dev machine takes ~5m:

$ time ./tests/ci/integration/run_python_integration.sh
...
== Tests result: FAILURE then SUCCESS ==

404 tests OK.

21 tests skipped:
    test_bz2 test_ctypes test_devpoll test_idle test_ioctl test_kqueue
    test_msilib test_ossaudiodev test_readline test_sqlite
    test_startfile test_tcl test_tix test_tk test_ttk_guionly
    test_ttk_textonly test_turtle test_winconsoleio test_winreg
    test_winsound test_zipfile64

1 re-run test:
    test___all__

However, in CI testing, I found that some tests (unrelated to our ssl module integration) failed on our ubuntu 22.02 docker image:

== Tests result: FAILURE then FAILURE ==

395 tests OK.

9 tests failed:
    test_email test_generators test_multiprocessing_fork
    test_multiprocessing_forkserver test_multiprocessing_spawn
    test_pdb test_regrtest test_signal test_threading

21 tests skipped:
    test_bz2 test_dbm_gnu test_dbm_ndbm test_devpoll test_gdb
    test_idle test_ioctl test_kqueue test_msilib test_ossaudiodev
    test_startfile test_tcl test_tix test_tk test_ttk_guionly
    test_ttk_textonly test_turtle test_winconsoleio test_winreg
    test_winsound test_zipfile64

10 re-run tests:
    test___all__ test_email test_generators test_multiprocessing_fork
    test_multiprocessing_forkserver test_multiprocessing_spawn
    test_pdb test_regrtest test_signal test_threading

As a result, I've narrowed down our python test suite to only the modules that actually use our libssl (this list was discovered by calling abort() in SSL_CTX_new and seeing which module tests failed) as well as hashlib, which is the only other module other than ssl to include libcrypto. From the CPython 3.10 source to discover which modules use libcrypto:

$ ag -l 'include.+crypto' Modules/
Modules/_hashopenssl.c
Modules/_ssl.c

Call-outs:

As we add support for further versions, we may want to parallelize the build and test processes.

Testing:

• see description section above
• CI integration tests

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (67d3e50) 76.83% compared to head (49d9b22) 76.82%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1359      +/-   ##
==========================================
- Coverage   76.83%   76.82%   -0.01%     
==========================================
  Files         425      425              
  Lines       71527    71527              
==========================================
- Hits        54959    54952       -7     
- Misses      16568    16575       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[samuel40791765]

Is this diff needed or was this auto-generated

[WillChilds-Klein]

it's needed. the diff for each branch is slightly different. each branch's changeset was constructed manually on the relevant branch of my cpython fork, tested, and then git diffed into these patch files.

[andrewhop]

Is this on by default in OpenSSL?

[WillChilds-Klein]

As of 1.1.1, yes.

[andrewhop]

Is this a difference in support of channel binding between AWS-LC and OpenSSL, or how OpenSSL and AWS-LC report a failure in attempting to enable channel binding?

[WillChilds-Klein]

I believe it's a difference in channel binding "support" between AWS-LC and OpenSSL. I re-built my python fork against OSSL 3.0, reverted changes to this test, and dumped the return value of get_channel_binding(). On a TLSv1.3 connection OSSL will actually return a byte array, which is surprising given that channel bindings aren't defined for TLSv1.3. The CPython team has been made aware of this oddity.

[Neustradamus]

Dear @andrewhop, @WillChilds-Klein, I am happy to see your comments.

It is possible to talk on the CPython specified tickets, the problems with missing "tls-exporter" RFC9266 support, and "tls-server-end-point" support too?

I have done several tickets here without security solutions:

• https://github.com/python/cpython/issues?q=is%3Aissue+author%3A%40me+

-> 2 years, no security solutions...

Several projects are impacted, I do not know all, example Slixmpp project has done a recent annnouncement:

• https://blog.mathieui.net/en/slixmpp-1.8.5.html
• https://codeberg.org/poezio/slixmpp/issues/3498

Thanks a lot in advance.

[andrewhop]

Why not add a find that doesn't take an out index that wraps the existing sk_find for better compatibility? Also can our version of find ever return a negative number?

[WillChilds-Klein]

Why not add a find that doesn't take an out index that wraps the existing sk_find for better compatibility?

I don't think we can do this, as (to my knowledge) C doesn't support function overloading. Or are you proposing that we create a new funciton/symbol altogether that wraps our existing sk_SSL_CIPHER_find implementation and use that here?

I suppose we could also just change the signature to match OpenSSL's, but that might risk breaking any consumers that already use that function.

Also can our version of find ever return a negative number?

Not according to our documentation, no. Good catch! I'll update this.

[andrewhop]

I was thinking we could have sk_SSL_CIPHER_find_internal which is our current implementation and sk_SSL_CIPHER_find which matches OpenSSL. I don't have a sense for how common OpenSSL stack usage outside of libcrypto/libssl is.

[WillChilds-Klein]

I don't have a sense for how common OpenSSL stack usage outside of libcrypto/libssl is.

It looks like it's non-zero. What percentage of those projects depend on OSSL's signature vs. BSSL's signature? I don't know, but I would guess it would skew towards OSSL given its ubiquity. If we change the signature of sk_SSL_CIPHER_find, though, it would necessarily become a point of build incompatibility with BSSL. If our ultimate goal is OSSL compatibility, that's probably a trade worth making.