gh-117233: Detect libcrypto BLAKE2, Shake, SHA3, and Truncated-SHA512 support at hashlib build time #117234
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WillChilds-Klein
force-pushed
the
guard-blake2
branch
from
80094af to
c2e554c
Compare
WillChilds-Klein
force-pushed
the
guard-blake2
branch
from
c2e554c to
cda622d
Compare
|
SSL experts @jackjansen, @tiran, @dstufft, @alex: Please chime in if you have any comments. I plan to start reviewing this next week. |
alex
reviewed
Mar 28, 2024
gpshead
reviewed
Mar 28, 2024
possibly? though the |
gpshead
added
the
🔨 test-with-buildbots
bedevere-bot
removed
the
🔨 test-with-buildbots
gpshead
changed the title
While OpenSSL supports both "b" and "s" variants of the BLAKE2 hash function, other cryptographic libraries may lack support for one or both of the variants. This commit modifies `hashlib`'s C code to detect whether or not the linked libcrypto supports each BLAKE2 variant, and elides references to each variant's NID accordingly. In cases where the underlying libcrypto doesn't fully support BLAKE2, CPython's `./configure` script can be given the following flag to use CPython's interned BLAKE2 implementation: `--with-builtin-hashlib-hashes=blake2`.
Detect BLAKE2, SHA3, Shake, & truncated SHA512 support in the OpenSSL-ish libcrypto library at build time. This helps allow hashlib's \_hashopenssl to be used with libraries that do not to support every algorithm that upstream OpenSSL does. Such as AWS-LC & BoringSSL.
WillChilds-Klein
force-pushed
the
guard-blake2
branch
from
bb38e0e to
5fa77c4
Compare
|
FYI - please try to avoid force-pushing to PR branches in CPython. https://devguide.python.org/getting-started/pull-request-lifecycle/#quick-guide |
encukou
reviewed
Apr 4, 2024
Co-authored-by: Petr Viktorin <[email protected]>
|
@gpshead, please shout if you want to review more. Otherwise I'll merge in a few days |
WillChilds-Klein
added a commit
to WillChilds-Klein/aws-lc
that referenced
this pull request
Apr 11, 2024
This is in light of upstream [PR 117234#][1] being merged. [1]: python/cpython#117234
samuel40791765
pushed a commit
to WillChilds-Klein/aws-lc
that referenced
this pull request
Apr 11, 2024
This is in light of upstream [PR 117234#][1] being merged. [1]: python/cpython#117234
|
Thanks @WillChilds-Klein for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Apr 11, 2024
…ime (pythonGH-117234) Detect libcrypto BLAKE2, Shake, SHA3, and Truncated-SHA512 support at hashlib build time GH-GH- BLAKE2 While OpenSSL supports both "b" and "s" variants of the BLAKE2 hash function, other cryptographic libraries may lack support for one or both of the variants. This commit modifies `hashlib`'s C code to detect whether or not the linked libcrypto supports each BLAKE2 variant, and elides references to each variant's NID accordingly. In cases where the underlying libcrypto doesn't fully support BLAKE2, CPython's `./configure` script can be given the following flag to use CPython's interned BLAKE2 implementation: `--with-builtin-hashlib-hashes=blake2`. GH-GH- SHA3, Shake, & truncated SHA512. Detect BLAKE2, SHA3, Shake, & truncated SHA512 support in the OpenSSL-ish libcrypto library at build time. This helps allow hashlib's `_hashopenssl` to be used with libraries that do not to support every algorithm that upstream OpenSSL does. Such as AWS-LC & BoringSSL. (cherry picked from commit b8eaad3) Co-authored-by: Will Childs-Klein <[email protected]> Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
|
GH-117767 is a backport of this pull request to the 3.12 branch. |
gpshead
added a commit
that referenced
this pull request
Apr 11, 2024
…time (GH-117234) (#117767) gh-117233: Detect support for several hashes at hashlib build time (GH-117234) Detect libcrypto BLAKE2, Shake, SHA3, and Truncated-SHA512 support at hashlib build time GH-GH- BLAKE2 While OpenSSL supports both "b" and "s" variants of the BLAKE2 hash function, other cryptographic libraries may lack support for one or both of the variants. This commit modifies `hashlib`'s C code to detect whether or not the linked libcrypto supports each BLAKE2 variant, and elides references to each variant's NID accordingly. In cases where the underlying libcrypto doesn't fully support BLAKE2, CPython's `./configure` script can be given the following flag to use CPython's interned BLAKE2 implementation: `--with-builtin-hashlib-hashes=blake2`. GH-GH- SHA3, Shake, & truncated SHA512. Detect BLAKE2, SHA3, Shake, & truncated SHA512 support in the OpenSSL-ish libcrypto library at build time. This helps allow hashlib's `_hashopenssl` to be used with libraries that do not to support every algorithm that upstream OpenSSL does. Such as AWS-LC & BoringSSL. (cherry picked from commit b8eaad3) Co-authored-by: Will Childs-Klein <[email protected]> Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
WillChilds-Klein
added a commit
to WillChilds-Klein/aws-lc
that referenced
this pull request
Apr 11, 2024
This is in light of upstream [PR 117234#][1] being merged. [1]: python/cpython#117234
WillChilds-Klein
added a commit
to WillChilds-Klein/aws-lc
that referenced
this pull request
Apr 11, 2024
This is in light of upstream [PR 117234#][1] being merged. [1]: python/cpython#117234
27 tasks
WillChilds-Klein
added a commit
to aws/aws-lc
that referenced
this pull request
Apr 11, 2024
This is in light of upstream [PR 117234#][1] being merged. [1]: python/cpython#117234
diegorusso
pushed a commit
to diegorusso/cpython
that referenced
this pull request
Apr 17, 2024
…ime (pythonGH-117234) Detect libcrypto BLAKE2, Shake, SHA3, and Truncated-SHA512 support at hashlib build time ## BLAKE2 While OpenSSL supports both "b" and "s" variants of the BLAKE2 hash function, other cryptographic libraries may lack support for one or both of the variants. This commit modifies `hashlib`'s C code to detect whether or not the linked libcrypto supports each BLAKE2 variant, and elides references to each variant's NID accordingly. In cases where the underlying libcrypto doesn't fully support BLAKE2, CPython's `./configure` script can be given the following flag to use CPython's interned BLAKE2 implementation: `--with-builtin-hashlib-hashes=blake2`. ## SHA3, Shake, & truncated SHA512. Detect BLAKE2, SHA3, Shake, & truncated SHA512 support in the OpenSSL-ish libcrypto library at build time. This helps allow hashlib's `_hashopenssl` to be used with libraries that do not to support every algorithm that upstream OpenSSL does. Such as AWS-LC & BoringSSL. Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Notes
While OpenSSL supports both "b" and "s" variants of the BLAKE2 hash
function, other cryptographic libraries may lack support for one or both
of the variants. This commit modifies
hashlib's C code to detectwhether or not the linked libcrypto supports each BLAKE2 variant, and
elides references to each variant's NID accordingly. In cases where the
underlying libcrypto doesn't fully support BLAKE2, CPython's
./configurescript can be given the following flag to use CPython'sinterned BLAKE2 implementation:
--with-builtin-hashlib-hashes=blake2.This pull request implements Issue #117233.