* Update to 2.7.4
* update expat license copyright year to match and a pedantic #define
* include COPYING update in refresh.sh
* Update checksum for copying
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Bumps the HACL* revision to include recent revisions that corrects issues
building with legacy/cross-platform macOS SDKs.
Signed-off-by: aeiouaeiouaeiouaeiouaeiouaeiou <aeioudev@outlook.com>
* simplify HACL* build for MD5, SHA1, SHA2 and SHA3 modules
* remove statically linked libraries for HACL* implementation
* is it better now?
* is it better now?
* fixup
* Present HACL* as a static or shared library.
On WASI, extension modules based on HACL* require the HACL*
library to be linked statically. On other platforms, it can
be built dynamically.
* amend whitespace
* remove temporary .so file as it requires more symlinks
* avoid smelly symbols
* fixup checksums
* regen sbom
* fixup shell warnings and comments
* it *should* work
A new extension module, `_hmac`, now exposes the HACL* HMAC (formally verified) implementation.
The HACL* implementation is used as a fallback implementation when the OpenSSL implementation of HMAC
is not available or disabled. For now, only named hash algorithms are recognized and SIMD support provided
by HACL* for the BLAKE2 hash functions is not yet used.
gh-127897: Update HACL* module from upstream sources to get:
- Lib_Memzero0.c: don't use memset_s() on macOS <10.9
- Use _mm_malloc() for KRML_ALIGNED_MALLOC on macOS <10.15
- Add LEGACY_MACOS macros, use _mm_free() for KRML_ALIGNED_FREE on macOS <10.15
This replaces the existing hashlib Blake2 module with a single implementation that uses HACL\*'s Blake2b/Blake2s implementations. We added support for all the modes exposed by the Python API, including tree hashing, leaf nodes, and so on. We ported and merged all of these changes upstream in HACL\*, added test vectors based on Python's existing implementation, and exposed everything needed for hashlib.
This was joint work done with @R1kM.
See the PR for much discussion and benchmarking details. TL;DR: On many systems, 8-50% faster (!) than `libb2`, on some systems it appeared 10-20% slower than `libb2`.
If awailable, enable -fstrict-overflow for libmpdec. Also
shut off false positive warnings (-Warray-bounds).
The later was backported from mpdecimal-4.0.0.
Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 .
### Notes
- Please treat as a security fix related to CVE-2023-52425.
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
