0
0
mirror of https://github.com/python/cpython.git synced 2024-11-30 18:51:15 +01:00
cpython/Modules/_hacl/README.md
Jonathan Protzenko 1fcc0efdaa
gh-99108: Replace SHA2-224 & 256 with verified code from HACL* (#99109)
replacing hashlib primitives (for the non-OpenSSL case) with verified implementations from HACL*. This is the first PR in the series, and focuses specifically on SHA2-256 and SHA2-224.

This PR imports Hacl_Streaming_SHA2 into the Python tree. This is the HACL* implementation of SHA2, which combines a core implementation of SHA2 along with a layer of buffer management that allows updating the digest with any number of bytes. This supersedes the previous implementation in the tree.

@franziskuskiefer was kind enough to benchmark the changes: in addition to being verified (thus providing significant safety and security improvements), this implementation also provides a sizeable performance boost!

```
---------------------------------------------------------------
Benchmark                     Time             CPU   Iterations
---------------------------------------------------------------
Sha2_256_Streaming            3163 ns      3160 ns       219353     // this PR
LibTomCrypt_Sha2_256          5057 ns      5056 ns       136234     // library used by Python currently
``` 

The changes in this PR are as follows:
- import the subset of HACL* that covers SHA2-256/224 into `Modules/_hacl`
- rewire sha256module.c to use the HACL* implementation

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
2023-02-06 18:11:01 -08:00

1000 B

Algorithm implementations used by the hashlib module.

This code comes from the HACL* project.

HACL* is a cryptographic library that has been formally verified for memory safety, functional correctness, and secret independence.

Updating HACL*

Use the refresh.sh script in this directory to pull in a new upstream code version. The upstream git hash used for the most recent code pull is recorded in the script. Modify the script as needed to bring in more if changes are needed based on upstream code refactoring.

Never manually edit HACL* files. Always add transformation shell code to the refresh.sh script to perform any necessary edits. If there are serious code changes needed, work with the upstream repository.

Local files

  1. ./include/python_hacl_namespaces.h
  2. ./README.md
  3. ./refresh.sh

ACKS