Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32k
gh-99108: Implement HACL* HMAC#130157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
eb4fd4a to62abfacCompare62abfac to3381ac7Compare21fcd9a to583c1f4Compare@msprotz I'm not sure if it's an HACL issue or not, but |
You are correct -- there is one additional step to do to handle this case. Note that HMAC is the first time we havea file that contains references to vec128/vec256yet may be compiled on a system that has no such types. (Previously, Blake2b_256 was only ever built if vec256 was known at build-time to exist, and likewise with Blake2s_128.) One option is to conditional includes, but that leads to other difficulties, such as having to hide cases of the agile hmac state union behind #ifdef, and then propagating #ifdefs everywhere in this file. This is error-prone and a lot of maintenance. The other option we've done is simply to What I don't understand / remember, though, is why this isn't done directly inside libintvector.h. (We currently do it in our mini-configure for CI purposes and emit those #ifdefs in config.h.) I'd be curious to see if you could manually patch libintvector.h to define those types to void* (in the #else case of #ifdef HACL_CAN_COMPILE_VEC256, and likewise for VEC128) and then see if we get a good build? I would then be happy to upstream this fix. Thank you! |
a993e69 to8ce1524Comparepicnixz commentedMar 12, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I'll wait for#130960 to be merged so that I don't need to re-update the SBOMs etc. |
22e3003 to56b3c8fCompareAgreed that SIMD can be left for later -- this should be transparent from the point of view of the clients. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM. Thank you@picnixz!
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
- add two blank lines for separating functions- use consistent truthy checks
bedevere-bot commentedApr 1, 2025
🤖 New build scheduled with the buildbot fleet by@picnixz for commit258aa20 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F130157%2Fmerge If you want to schedule another build, you need to add the🔨 test-with-buildbots label again. |
bedevere-bot commentedApr 1, 2025
🤖 New build scheduled with the buildbot fleet by@picnixz for commit258aa20 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F130157%2Fmerge If you want to schedule another build, you need to add the🔨 test-with-refleak-buildbots label again. |
picnixz commentedApr 1, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I expect failures on some FIPS-only build bots but that's fine because the test suite is already failing on them. And some failures on other build bots as well (like aarch64 which is known to be flaky these past days). Once all build bots are fine, I'll merge it (but only on Friday, as I'm leaving in a few hours) [so please don't merge it since I want to write the commit message, TiA] |
0a97427 intopython:mainUh oh!
There was an error while loading.Please reload this page.
Thank you all for the feedback, especially@msprotz for the upstream work! The next step is to enable the SIMD support. |
A new extension module, `_hmac`, now exposes the HACL* HMAC (formally verified) implementation.The HACL* implementation is used as a fallback implementation when the OpenSSL implementation of HMACis not available or disabled. For now, only named hash algorithms are recognized and SIMD support providedby HACL* for the BLAKE2 hash functions is not yet used.
A new extension module, `_hmac`, now exposes the HACL* HMAC (formally verified) implementation.The HACL* implementation is used as a fallback implementation when the OpenSSL implementation of HMACis not available or disabled. For now, only named hash algorithms are recognized and SIMD support providedby HACL* for the BLAKE2 hash functions is not yet used.
The big changes here are:- Switching to zlib-ng on Windows(python/cpython#131438)- Using hmac for hashing functions(python/cpython#130157)---------Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>
Uh oh!
There was an error while loading.Please reload this page.
This supersedes#126359.
Ideally, I'd like this to be part of 3.14 but we only have two alpha releases until the first beta.
Note that the HACL* HMAC implementation doesnot support truncated SHA-2-512/224 (which is different from SHA-2/224) so we need to either ask HACL* to do it or document it in the
hmacmodule documentation.For reviews, I would strongly advise review commit by commit instead of the entire file. Each commit should compile separately (assuming preceeding ones are present, maybe except the first few commits are not compiling due to some configure/build I forgot to put it at that time, but otherwise the interface was written incrementally).
cc@msprotz@gpshead
📚 Documentation preview 📚:https://cpython-previews--130157.org.readthedocs.build/