Skip to content

gh-136968: fortify macro usage in cryptographic modules #136973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

gh-136968: fortify macro usage in cryptographic modules #136973

wants to merge 4 commits into from
+113 −78

Conversation

picnixz
Copy link
Member

@picnixz picnixz commented Jul 22, 2025
edited by bedevere-app bot
Loading

@picnixz picnixz added skip news needs backport to 3.14 bugs and security fixes type-refactor Code refactoring (with no changes in behavior) labels Jul 22, 2025
@bedevere-app bedevere-app bot mentioned this pull request Jul 22, 2025
Open
@picnixz picnixz marked this pull request as ready for review July 22, 2025 09:40
@picnixz picnixz requested review from gpshead and tiran as code owners July 22, 2025 09:40
@picnixz picnixz force-pushed the refactor/cryptography/fortify-macros-136968 branch from ad5b0d0 to aa41a74 Compare July 22, 2025 09:41
@picnixz picnixz added the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Jul 22, 2025
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @picnixz for commit aa41a74 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F136973%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-refleak-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Jul 22, 2025
@picnixz picnixz marked this pull request as draft July 25, 2025 14:44
@picnixz picnixz force-pushed the refactor/cryptography/fortify-macros-136968 branch 2 times, most recently from 8884b4a to aa41a74 Compare July 25, 2025 14:45
@picnixz picnixz marked this pull request as ready for review July 26, 2025 07:03
@picnixz picnixz marked this pull request as draft July 26, 2025 07:04
picnixz
picnixz commented Jul 26, 2025
View reviewed changes
Modules/hmacmodule.c Outdated
(const char *)out, \
Py_hmac_## HACL_HID ##_digest_size \
); \
#define Py_HMAC_HACL_ONESHOT(HACL_HID, KEY, MSG) \
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could have rewritten this macro as well, but I don't really want to trade safety for speed here. By using a function I would need:

  • Over-allocate the digest buffer or still use a macro to pre-allocate the buffer with its exact size or pass it to that function. None of them is satisfying to me because of it would make the function non-reusable due to its signature or the fact that it expects the buffer to be pre-allocated.
  • Use pointer to functions for the dedicated computation functions. This is not optimal. Alternatively, I could use a dispatch mechanism to recover both the function and the digest size dynamically but it's again an overkill when I can directly access them.

At least, the part that made me suffer has been turned into a regular function (namely hmac_get_buffer_views) so I'm happy for now.

picnixz
picnixz commented Jul 26, 2025
View reviewed changes
Modules/_hashopenssl.c
_hashlibstate *state = get_hashlib_state(MODULE); \
return _hashlib_HASH(state, NAME, data_obj, USEDFORSECURITY); \
} while (0)
return _hashlib_HASH_new_impl(MODULE, NAME, DATA, USEDFORSECURITY, STRING)
Copy link
Member Author

@picnixz picnixz Jul 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Python 3.19, we will be able to remove the "STRING" argument. In once it's done, we will also be able to remove the macro as the call to _hashlib_HASH_new_impl() will fit on 80 characters for all hash functions.

Also, when I introduced that macro I should have kept the same parameter order. At runtime, the parameters passed to openssl_* functions are forwarded to _hashlib_HASH_new_impl in the same order so the compiler doesn't need to re-optimize stuff.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you might want to leave this as a comment in the code.

@picnixz picnixz marked this pull request as ready for review July 26, 2025 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead approved these changes

@tiran tiran Awaiting requested review from tiran tiran is a code owner

Assignees
No one assigned
Labels
awaiting merge needs backport to 3.14 bugs and security fixes skip news type-refactor Code refactoring (with no changes in behavior)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@picnixz @bedevere-bot @gpshead
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy