gh-131298: eliminate HACL* static libraries for cryptographic modules (GH-132438)

* simplify HACL* build for MD5, SHA1, SHA2 and SHA3 modules * remove statically linked libraries for HACL* implementation * is it better now? * is it better now? * fixup * Present HACL* as a static or shared library. On WASI, extension modules based on HACL* require the HACL* library to be linked statically. On other platforms, it can be built dynamically. * amend whitespace * remove temporary .so file as it requires more symlinks * avoid smelly symbols * fixup checksums * regen sbom * fixup shell warnings and comments * it *should* work
2026-01-06 15:32:22 +00:00 · 2025-04-20 19:40:17 +02:00 · 2025-04-20 19:40:17 +02:00 · 5f2ba152a0
commit 5f2ba152a0
parent 492e3e6976
9 changed files with 717 additions and 511 deletions
--- a/Modules/Setup.stdlib.in
+++ b/Modules/Setup.stdlib.in
@ -16,6 +16,9 @@
 #   generated by PY_STDLIB_MOD macro.
 # * All source files automatically depend on $(PYTHON_HEADERS) and
 #   $(MODULE_{NAME}_DEPS).
+# * ${NAME}$(EXT_SUFFIX) rules automatically depend on $(MODULE_{NAME}_LDEPS),
+#   thus $(MODULE_{NAME}_LDEPS) must only contain Makefile rule names. To pass
+#   specific values to the linker, use $(MODULE_{NAME}_LDFLAGS) instead.
 #
 # See Modules/Setup and Modules/makesetup
 #
@ -76,13 +79,23 @@
 # needs -lreadline or -ledit, sometimes termcap, termlib, or tinfo
@MODULE_READLINE_TRUE@readline readline.c

-# hashing builtins, can be disabled with --without-builtin-hashlib-hashes
-@MODULE__MD5_TRUE@_md5 md5module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_MD5.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
-@MODULE__SHA1_TRUE@_sha1 sha1module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA1.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
-@MODULE__SHA2_TRUE@_sha2 sha2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
-@MODULE__SHA3_TRUE@_sha3 sha3module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_SHA3.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
-@MODULE__BLAKE2_TRUE@_blake2 blake2module.c -I$(srcdir)/Modules/_hacl/include Modules/_hacl/libHacl_Hash_Blake2.a -D_BSD_SOURCE -D_DEFAULT_SOURCE
+############################################################################
+# HACL*-based Cryptographic Primitives
+#
+# Since the compilation of the built-in cryptographic modules depends
+# on whether we are building on WASI or not, rules will be explicitly
+# written. In the future, it should be preferrable to be able to setup
+# the relevant bits here instead of in Makefile.pre.in or configure.ac.

+# Hash functions can be disabled with --without-builtin-hashlib-hashes.
+@MODULE__MD5_TRUE@_md5 md5module.c
+@MODULE__SHA1_TRUE@_sha1 sha1module.c
+@MODULE__SHA2_TRUE@_sha2 sha2module.c
+@MODULE__SHA3_TRUE@_sha3 sha3module.c
+@MODULE__BLAKE2_TRUE@_blake2 blake2module.c
+
+# Since HMAC is always supported, the HACL* implementation modules must
+# be built unconditionally.
@MODULE__HMAC_TRUE@_hmac hmacmodule.c

 ############################################################################