Skip to content

Commit e5da9ab

Browse files
msprotzmsprotz
authored
pythongh-99108: Import SHA2-384/512 from HACL* (python#101707)
Replace the builtin hashlib implementations of SHA2-384 and SHA2-512 originally from LibTomCrypt with formally verified, side-channel resistant code from the [HACL*](https://github.com/hacl-star/hacl-star/) project. The builtins remain a fallback only used when OpenSSL does not provide them.
1 parent 8be8101 commit e5da9ab

16 files changed

+1259
-434
lines changed

Makefile.pre.in

+1-1
Original file line numberDiff line numberDiff line change
@@ -2608,7 +2608,7 @@ MODULE__MD5_DEPS=$(srcdir)/Modules/hashlib.h
26082608
MODULE__SHA1_DEPS=$(srcdir)/Modules/hashlib.h
26092609
MODULE__SHA256_DEPS=$(srcdir)/Modules/hashlib.h $(srcdir)/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h $(srcdir)/Modules/_hacl/include/krml/lowstar_endianness.h $(srcdir)/Modules/_hacl/include/krml/internal/target.h $(srcdir)/Modules/_hacl/Hacl_Streaming_SHA2.h
26102610
MODULE__SHA3_DEPS=$(srcdir)/Modules/_sha3/sha3.c $(srcdir)/Modules/_sha3/sha3.h $(srcdir)/Modules/hashlib.h
2611-
MODULE__SHA512_DEPS=$(srcdir)/Modules/hashlib.h
2611+
MODULE__SHA512_DEPS=$(srcdir)/Modules/hashlib.h $(srcdir)/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h $(srcdir)/Modules/_hacl/include/krml/lowstar_endianness.h $(srcdir)/Modules/_hacl/include/krml/internal/target.h $(srcdir)/Modules/_hacl/Hacl_Streaming_SHA2.h
26122612
MODULE__SOCKET_DEPS=$(srcdir)/Modules/socketmodule.h $(srcdir)/Modules/addrinfo.h $(srcdir)/Modules/getaddrinfo.c $(srcdir)/Modules/getnameinfo.c
26132613
MODULE__SSL_DEPS=$(srcdir)/Modules/_ssl.h $(srcdir)/Modules/_ssl/cert.c $(srcdir)/Modules/_ssl/debughelpers.c $(srcdir)/Modules/_ssl/misc.c $(srcdir)/Modules/_ssl_data.h $(srcdir)/Modules/_ssl_data_111.h $(srcdir)/Modules/_ssl_data_300.h $(srcdir)/Modules/socketmodule.h
26142614
MODULE__TESTCAPI_DEPS=$(srcdir)/Modules/_testcapi/testcapi_long.h $(srcdir)/Modules/_testcapi/parts.h

Misc/NEWS.d/next/Security/2023-02-08-12-57-35.gh-issue-99108.6tnmhA.rst

+4
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
Replace the builtin :mod:`hashlib` implementations of SHA2-384 and SHA2-512
2+
originally from LibTomCrypt with formally verified, side-channel resistant
3+
code from the `HACL* <https://github.com/hacl-star/hacl-star/>`_ project.
4+
The builtins remain a fallback only used when OpenSSL does not provide them.

Modules/Setup.stdlib.in

+1-1
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,7 @@
8080
@MODULE__MD5_TRUE@_md5 md5module.c
8181
@MODULE__SHA1_TRUE@_sha1 sha1module.c
8282
@MODULE__SHA256_TRUE@_sha256 sha256module.c _hacl/Hacl_Streaming_SHA2.c
83-
@MODULE__SHA512_TRUE@_sha512 sha512module.c
83+
@MODULE__SHA512_TRUE@_sha512 sha512module.c _hacl/Hacl_Streaming_SHA2.c
8484
@MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c
8585
@MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c
8686

0 commit comments

Comments
 (0)