Skip to content

gh-99108: add HACL*-based 1-shot HMAC implementation #126359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 38 commits into from
Closed

gh-99108: add HACL*-based 1-shot HMAC implementation #126359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
6336160
Pull HACL* HMAC.
picnixz Nov 3, 2024
5a410f8
Update SBOM files
picnixz Nov 3, 2024
c1c7c92
Update HACL (CPython) namespace
picnixz Nov 3, 2024
2901987
Update HACL (CPython) README
picnixz Nov 3, 2024
92a1e76
Update `configure` script
picnixz Nov 3, 2024
027964b
Update Makefile scripts
picnixz Nov 3, 2024
17a2e46
Update MSVC project
picnixz Nov 3, 2024
186094b
Implement HACL* HMAC module
picnixz Nov 3, 2024
b10c729
fix blake2b digest size
picnixz Nov 7, 2024
6a3515f
drop un-necessary `@critical_section`
picnixz Nov 7, 2024
612974e
Improve 1-shot macro
picnixz Nov 7, 2024
e714135
Define HMAC static information
picnixz Nov 7, 2024
9fb6300
reduce the possibility of typos
picnixz Nov 8, 2024
755d6c0
update names
picnixz Nov 8, 2024
89c5f89
cleanup
picnixz Nov 8, 2024
755aca6
cleanup
picnixz Nov 8, 2024
1ddbe26
improve naming
picnixz Nov 8, 2024
12fbfc4
Update HACL* project.
picnixz Nov 8, 2024
448b0ba
Merge remote-tracking branch 'upstream/main' into hacl/HMAC-99108
picnixz Nov 8, 2024
39be4b1
update SBOM files
picnixz Nov 9, 2024
5ae6b6d
cosmetic cleanups
picnixz Nov 9, 2024
49083aa
unconditionally build `_hmac` extension module
picnixz Nov 11, 2024
dd80600
implement hash algorithm resolution
picnixz Nov 11, 2024
542738c
raise OverflowError instead of ValueError in 1-shot HMAC
picnixz Nov 11, 2024
09c631a
reduce import time
picnixz Nov 11, 2024
9bee955
expose 1-shot HMAC
picnixz Nov 11, 2024
d36977f
ensure that openssl is linked
picnixz Nov 11, 2024
b3aa599
update globals
picnixz Nov 11, 2024
49a1294
fix LN_* macro values
picnixz Nov 12, 2024
06b012d
improve OpenSSL name resolution
picnixz Nov 12, 2024
82c610c
update comment
picnixz Nov 12, 2024
ff8cf2f
fix configure?
picnixz Nov 12, 2024
7af7eb6
Merge remote-tracking branch 'upstream/main' into hacl/HMAC-99108
picnixz Nov 15, 2024
fba3778
sbom
picnixz Nov 15, 2024
5c3cbfd
remove unused imports
picnixz Nov 15, 2024
379cbef
cosmetic changes for future resolution
picnixz Nov 19, 2024
960aa73
fix memory leak
picnixz Nov 28, 2024
074f9ab
add #define for error messages
picnixz Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion Lib/hmac.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
Implements the HMAC algorithm as described by RFC 2104.
"""

import warnings as _warnings
try:
import _hashlib as _hashopenssl
except ImportError:
Expand All @@ -14,6 +13,14 @@
compare_digest = _hashopenssl.compare_digest
_functype = type(_hashopenssl.openssl_sha256) # builtin type

try:
import _hmac
except ImportError:
_hmac = None
_functype = None
else:
_functype = type(_hmac.compute_md5) # builtin type

import hashlib as _hashlib

trans_5C = bytes((x ^ 0x5C) for x in range(256))
Expand Down Expand Up @@ -84,11 +91,15 @@ def _init_old(self, key, msg, digestmod):
if hasattr(self._inner, 'block_size'):
blocksize = self._inner.block_size
if blocksize < 16:
import warnings as _warnings

_warnings.warn('block_size of %d seems too small; using our '
'default of %d.' % (blocksize, self.blocksize),
RuntimeWarning, 2)
blocksize = self.blocksize
else:
import warnings as _warnings

_warnings.warn('No block_size attribute on given digest object; '
'Assuming %d.' % (self.blocksize),
RuntimeWarning, 2)
Expand Down Expand Up @@ -193,6 +204,12 @@ def digest(key, msg, digest):
A hashlib constructor returning a new hash object. *OR*
A module supporting PEP 247.
"""
if _hmac is not None and isinstance(digest, (str, _functype)):
try:
return _hmac.compute_digest(key, msg, digest)
except (OverflowError, _hashopenssl.UnsupportedDigestmodError):
pass

if _hashopenssl is not None and isinstance(digest, (str, _functype)):
try:
return _hashopenssl.hmac_digest(key, msg, digest)
Expand Down
112 changes: 94 additions & 18 deletions Makefile.pre.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,8 +227,12 @@ ENSUREPIP= @ENSUREPIP@
# Internal static libraries
LIBMPDEC_A= Modules/_decimal/libmpdec/libmpdec.a
LIBEXPAT_A= Modules/expat/libexpat.a
LIBHACL_MD5_A= Modules/_hacl/libHacl_Hash_MD5.a
LIBHACL_SHA1_A= Modules/_hacl/libHacl_Hash_SHA1.a
LIBHACL_SHA2_A= Modules/_hacl/libHacl_Hash_SHA2.a
LIBHACL_SHA3_A= Modules/_hacl/libHacl_Hash_SHA3.a
LIBHACL_BLAKE2_A= Modules/_hacl/libHacl_Hash_Blake2.a
LIBHACL_HMAC_A= Modules/_hacl/libHacl_HMAC.a
LIBHACL_CFLAGS=@LIBHACL_CFLAGS@
LIBHACL_SIMD128_FLAGS=@LIBHACL_SIMD128_FLAGS@
LIBHACL_SIMD256_FLAGS=@LIBHACL_SIMD256_FLAGS@
Expand Down Expand Up @@ -658,29 +662,61 @@ LIBEXPAT_HEADERS= \
##########################################################################
# hashlib's HACL* library

LIBHACL_MD5_OBJS= \
Modules/_hacl/Hacl_Hash_MD5.o

LIBHACL_SHA1_OBJS= \
Modules/_hacl/Hacl_Hash_SHA1.o

LIBHACL_SHA2_OBJS= \
Modules/_hacl/Hacl_Hash_SHA2.o
Modules/_hacl/Hacl_Hash_SHA2.o

LIBHACL_SHA3_OBJS= \
Modules/_hacl/Hacl_Hash_SHA3.o

LIBHACL_BLAKE2_OBJS= \
Modules/_hacl/Hacl_Hash_Blake2s.o \
Modules/_hacl/Hacl_Hash_Blake2b.o \
Modules/_hacl/Lib_Memzero0.o \
Modules/_hacl/Hacl_Hash_Blake2s.o \
Modules/_hacl/Hacl_Hash_Blake2b.o \
Modules/_hacl/Lib_Memzero0.o \
$(LIBHACL_SIMD128_OBJS) \
$(LIBHACL_SIMD256_OBJS)

LIBHACL_HMAC_OBJS= \
Modules/_hacl/Hacl_HMAC.o \
$(LIBHACL_MD5_OBJS) \
$(LIBHACL_SHA1_OBJS) \
$(LIBHACL_SHA2_OBJS) \
$(LIBHACL_SHA3_OBJS) \
$(LIBHACL_BLAKE2_OBJS)

LIBHACL_HEADERS= \
Modules/_hacl/include/krml/FStar_UInt128_Verified.h \
Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h \
Modules/_hacl/include/krml/fstar_uint128_struct_endianness.h \
Modules/_hacl/include/krml/internal/target.h \
Modules/_hacl/include/krml/lowstar_endianness.h \
Modules/_hacl/include/krml/types.h \
Modules/_hacl/include/krml/FStar_UInt128_Verified.h \
Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h \
Modules/_hacl/include/krml/fstar_uint128_struct_endianness.h \
Modules/_hacl/include/krml/internal/target.h \
Modules/_hacl/include/krml/lowstar_endianness.h \
Modules/_hacl/include/krml/types.h \
Modules/_hacl/Hacl_Streaming_Types.h \
Modules/_hacl/python_hacl_namespaces.h
Modules/_hacl/python_hacl_namespaces.h

LIBHACL_MD5_HEADERS= \
Modules/_hacl/Hacl_Hash_MD5.h \
Modules/_hacl/internal/Hacl_Hash_MD5.h \
$(LIBHACL_HEADERS)

LIBHACL_SHA1_HEADERS= \
Modules/_hacl/Hacl_Hash_SHA1.h \
Modules/_hacl/internal/Hacl_Hash_SHA1.h \
$(LIBHACL_HEADERS)

LIBHACL_SHA2_HEADERS= \
Modules/_hacl/Hacl_Hash_SHA2.h \
Modules/_hacl/internal/Hacl_Hash_SHA2.h \
Modules/_hacl/Hacl_Hash_SHA2.h \
Modules/_hacl/internal/Hacl_Hash_SHA2.h \
$(LIBHACL_HEADERS)

LIBHACL_SHA3_HEADERS= \
Modules/_hacl/Hacl_Hash_SHA3.h \
Modules/_hacl/internal/Hacl_Hash_SHA3.h \
$(LIBHACL_HEADERS)

LIBHACL_BLAKE2_HEADERS= \
Expand All @@ -695,6 +731,16 @@ LIBHACL_BLAKE2_HEADERS= \
Modules/_hacl/internal/Hacl_Hash_Blake2b_Simd256.h \
$(LIBHACL_HEADERS)

LIBHACL_HMAC_HEADERS= \
Modules/_hacl/Hacl_HMAC.h \
Modules/_hacl/internal/Hacl_HMAC.h \
$(LIBHACL_MD5_HEADERS) \
$(LIBHACL_SHA1_HEADERS) \
$(LIBHACL_SHA2_HEADERS) \
$(LIBHACL_SHA3_HEADERS) \
$(LIBHACL_BLAKE2_HEADERS) \
$(LIBHACL_HEADERS)

#########################################################################
# Rules

Expand Down Expand Up @@ -1380,17 +1426,39 @@ $(LIBEXPAT_A): $(LIBEXPAT_OBJS)
$(AR) $(ARFLAGS) $@ $(LIBEXPAT_OBJS)

##########################################################################
# Build HACL* static libraries for hashlib: libHacl_Hash_SHA2.a, and
# libHacl_Blake2.a -- the contents of the latter vary depending on whether we
# Build HACL* static libraries for hashlib and HACL* HMAC.
#
# The contents of libHacl_Blake2.a vary depending on whether we
# have the ability to compile vectorized versions

Modules/_hacl/Hacl_Hash_MD5.o: $(srcdir)/Modules/_hacl/Hacl_Hash_MD5.c $(LIBHACL_MD5_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_Hash_MD5.c

$(LIBHACL_MD5_A): $(LIBHACL_MD5_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_MD5_OBJS)

Modules/_hacl/Hacl_Hash_SHA1.o: $(srcdir)/Modules/_hacl/Hacl_Hash_SHA1.c $(LIBHACL_SHA1_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_Hash_SHA1.c

$(LIBHACL_SHA1_A): $(LIBHACL_SHA1_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_SHA1_OBJS)

Modules/_hacl/Hacl_Hash_SHA2.o: $(srcdir)/Modules/_hacl/Hacl_Hash_SHA2.c $(LIBHACL_SHA2_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_Hash_SHA2.c

$(LIBHACL_SHA2_A): $(LIBHACL_SHA2_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_SHA2_OBJS)

Modules/_hacl/Hacl_Hash_SHA3.o: $(srcdir)/Modules/_hacl/Hacl_Hash_SHA3.c $(LIBHACL_SHA3_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_Hash_SHA3.c

$(LIBHACL_SHA3_A): $(LIBHACL_SHA3_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_SHA3_OBJS)

Modules/_hacl/Hacl_Hash_Blake2s.o: $(srcdir)/Modules/_hacl/Hacl_Hash_Blake2s.c $(LIBHACL_BLAKE2_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_Hash_Blake2s.c

Expand All @@ -1416,6 +1484,13 @@ $(LIBHACL_BLAKE2_A): $(LIBHACL_BLAKE2_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_BLAKE2_OBJS)

Modules/_hacl/Hacl_HMAC.o: $(srcdir)/Modules/_hacl/Hacl_HMAC.c $(LIBHACL_HMAC_HEADERS)
$(CC) -c $(LIBHACL_CFLAGS) -o $@ $(srcdir)/Modules/_hacl/Hacl_HMAC.c

$(LIBHACL_HMAC_A): $(LIBHACL_HMAC_OBJS)
-rm -f $@
$(AR) $(ARFLAGS) $@ $(LIBHACL_HMAC_OBJS)

# create relative links from build/lib.platform/egg.so to Modules/egg.so
# pybuilddir.txt is created too late. We cannot use it in Makefile
# targets. ln --relative is not portable.
Expand Down Expand Up @@ -3204,11 +3279,12 @@ MODULE__DECIMAL_DEPS=$(srcdir)/Modules/_decimal/docstrings.h @LIBMPDEC_INTERNAL@
MODULE__ELEMENTTREE_DEPS=$(srcdir)/Modules/pyexpat.c @LIBEXPAT_INTERNAL@
MODULE__HASHLIB_DEPS=$(srcdir)/Modules/hashlib.h
MODULE__IO_DEPS=$(srcdir)/Modules/_io/_iomodule.h
MODULE__MD5_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_HEADERS) Modules/_hacl/Hacl_Hash_MD5.h Modules/_hacl/internal/Hacl_Hash_MD5.h Modules/_hacl/Hacl_Hash_MD5.c
MODULE__SHA1_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_HEADERS) Modules/_hacl/Hacl_Hash_SHA1.h Modules/_hacl/internal/Hacl_Hash_SHA1.h Modules/_hacl/Hacl_Hash_SHA1.c
MODULE__MD5_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_MD5_HEADERS) $(LIBHACL_MD5_A)
MODULE__SHA1_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_SHA1_HEADERS) $(LIBHACL_SHA1_A)
MODULE__SHA2_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_SHA2_HEADERS) $(LIBHACL_SHA2_A)
MODULE__SHA3_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_HEADERS) Modules/_hacl/Hacl_Hash_SHA3.h Modules/_hacl/internal/Hacl_Hash_SHA3.h Modules/_hacl/Hacl_Hash_SHA3.c
MODULE__SHA3_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_SHA3_HEADERS) $(LIBHACL_SHA3_A)
MODULE__BLAKE2_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_BLAKE2_HEADERS) $(LIBHACL_BLAKE2_A)
MODULE__HMAC_DEPS=$(srcdir)/Modules/hashlib.h $(LIBHACL_HMAC_HEADERS) $(LIBHACL_HMAC_A)
MODULE__SOCKET_DEPS=$(srcdir)/Modules/socketmodule.h $(srcdir)/Modules/addrinfo.h $(srcdir)/Modules/getaddrinfo.c $(srcdir)/Modules/getnameinfo.c
MODULE__SSL_DEPS=$(srcdir)/Modules/_ssl.h $(srcdir)/Modules/_ssl/cert.c $(srcdir)/Modules/_ssl/debughelpers.c $(srcdir)/Modules/_ssl/misc.c $(srcdir)/Modules/_ssl_data_111.h $(srcdir)/Modules/_ssl_data_300.h $(srcdir)/Modules/socketmodule.h
MODULE__TESTCAPI_DEPS=$(srcdir)/Modules/_testcapi/parts.h $(srcdir)/Modules/_testcapi/util.h
Expand Down
61 changes: 59 additions & 2 deletions Misc/sbom.spdx.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 6 additions & 5 deletions Modules/Setup
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,11 +165,12 @@ PYTHONPATH=$(COREPYTHONPATH)
#pyexpat pyexpat.c

# hashing builtins
#_blake2 blake2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_Blake2.a
#_md5 md5module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_MD5.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_sha1 sha1module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_SHA1.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_sha2 sha2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA2.a
#_sha3 sha3module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_SHA3.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_blake2 blake2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_Blake2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_md5 md5module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_MD5.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_sha1 sha1module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA1.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_sha2 sha2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_sha3 sha3module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA3.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
#_hmac hmacmodule.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_HMAC.a -D_BSD_SOURCE -D_DEFAULT_SOURCE

# text encodings and unicode
#_codecs_cn cjkcodecs/_codecs_cn.c
Expand Down
11 changes: 6 additions & 5 deletions Modules/Setup.stdlib.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,11 +78,11 @@
@MODULE_READLINE_TRUE@readline readline.c

# hashing builtins, can be disabled with --without-builtin-hashlib-hashes
@MODULE__MD5_TRUE@_md5 md5module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_MD5.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__SHA1_TRUE@_sha1 sha1module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_SHA1.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__SHA2_TRUE@_sha2 sha2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA2.a
@MODULE__SHA3_TRUE@_sha3 sha3module.c -I$(srcdir)/Modules/_hacl/include _hacl/Hacl_Hash_SHA3.c -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__BLAKE2_TRUE@_blake2 blake2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_Blake2.a
@MODULE__MD5_TRUE@_md5 md5module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_MD5.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__SHA1_TRUE@_sha1 sha1module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA1.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__SHA2_TRUE@_sha2 sha2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__SHA3_TRUE@_sha3 sha3module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA3.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
@MODULE__BLAKE2_TRUE@_blake2 blake2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_Blake2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE

############################################################################
# XML and text
Expand Down Expand Up @@ -142,6 +142,7 @@
@MODULE__SSL_TRUE@_ssl _ssl.c
# needs -lcrypt
@MODULE__HASHLIB_TRUE@_hashlib _hashopenssl.c
@MODULE__HMAC_TRUE@_hmac hmacmodule.c

# Linux: -luuid, BSD/AIX: libc's uuid_create()
@MODULE__UUID_TRUE@_uuid _uuidmodule.c
Expand Down
Loading
Loading