This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Prefer libb2 over vendored copy of blake2
Type: behavior Stage: resolved
Components: Extension Modules Versions: Python 3.11
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, gregory.p.smith
Priority: normal Keywords: patch

Created on 2022-03-22 19:51 by christian.heimes, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 32059 merged christian.heimes, 2022-03-23 01:04
Messages (3)
msg415807 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-22 19:51
Python's blake2 implementation provides hashing, MAC (key, salt, personalization), variable length output, and tree hashing [1]. All features except for tree hashing are provided by OpenSSL 3.0.0 and newer [2]. It is unlikely that OpenSSL will get tree hashing any time soon, if all. [3]

I would like to remove our vendored copy of blake2 eventually and just rely on OpenSSL. Therefore I propose to deprecate tree hashing feature so we can drop it in Python 3.13. The tree hashing parameters are: fanout, depth, leaf_size, node_offset, node_depth, inner_size, last_node

Note: OpenSSL 3.0 might impose additional restrictions on the parameter. It might be possible that OpenSSL does not support salt and personalization (OSSL_MAC_PARAM_CUSTOM) without a MAC key.

Alternatively we could replace our copy of blake2 and depend on libb2 from https://blake2.net/. libb2 is available in Fedora.

[1] https://docs.python.org/3/library/hashlib.html#hashlib.blake2b
[2] https://www.openssl.org/docs/manmaster/man7/EVP_MAC-BLAKE2.html
[3] https://github.com/openssl/openssl/issues/980
msg415833 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2022-03-22 22:30
In the short term we should prefer libb2 linkage when available.

As for deprecation, it'd be useful to research how often the options going away are used in code in PyPI packages and in Github repos to understand the deprecation impact.

The PyPI landscape for blake2 modules is not great because we've had it in hashlib for a while. One of those, or a new one, would need to be created by someone who needs the non openssl features.

ultimate goal: simplify what's in Modules/_blake2/impl/ if it cannot be removed. Use an external library for the implementation when possible (and in all our binary releases. Those are better maintained to take advantage of performance or hw features over time.
msg416085 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-26 19:52
New changeset b16b6bb8dacc41e9e569783890b0c88fcd3b24e8 by Christian Heimes in branch 'main':
bpo-47095: Use libb2 to provide blake2 implementation (GH-32059)
https://github.com/python/cpython/commit/b16b6bb8dacc41e9e569783890b0c88fcd3b24e8
History
Date User Action Args
2022-04-11 14:59:57adminsetgithub: 91251
2022-03-26 20:05:29christian.heimessetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2022-03-26 19:52:30christian.heimessetmessages: + msg416085
2022-03-23 12:17:49christian.heimessettitle: Deprecate blake2's tree hashing feature -> Prefer libb2 over vendored copy of blake2
2022-03-23 01:04:17christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request30153
2022-03-22 22:30:09gregory.p.smithsetmessages: + msg415833
2022-03-22 19:51:17christian.heimescreate