Conversation

@vstinner
Member

@vstinner vstinner commented Jun 24, 2022

Remove the pure Python implementation of hashlib.pbkdf2_hmac(),
deprecated in Python 3.10. Python 3.10 and newer requires OpenSSL
1.1.1 or newer (PEP 644), this OpenSSL version provides a C
implementation of pbkdf2_hmac() which is faster.

@vstinner vstinner marked this pull request as ready for review June 24, 2022 08:20
@vstinner vstinner requested a review from tiran as a code owner June 24, 2022 08:20
@vstinner
Member Author

@tiran: I'm not sure about what I wrote: "the C implementation is safer". I don't know the rationale for removing the pure Python implementation. The docstring says that the Python implementation is faster for long passwords. The deprecation message seems to say that the OpenSSL implementation is faster. So the removal is about performance, not safety?

@vstinner
Member Author

> @tiran: I'm not sure about what I wrote: "the C implementation is safer".

I replaced it with: "is faster" :-)

@tiran
Member

tiran commented Jun 24, 2022

In this case faster is safer!

@tiran
Member

tiran commented Jun 24, 2022

Please update documentation, too.

@vstinner
Member Author

> Please update documentation, too.

I updated the doc and I included your test change. Please review again.

@vstinner
Member Author

PR rebased to fix a conflict on Doc/whatsnew/3.12.rst.

@vstinner
Member Author

@tiran: Would you mind reviewing the completed PR? (updated doc)

@rhettinger
Contributor

rhettinger commented Jun 26, 2022

PEP 399 says that we should have a pure Python version when possible. That said, if there is a bona fide security risk, then it should be removed.

Also, do you know if PyPy relies on the pure python version or does it too build with OpenSSL?

@rhettinger rhettinger requested a review from brettcannon June 26, 2022 15:00
vstinner added 2 commits June 27, 2022 02:14
@vstinner
Member Author

> PEP 399 says that we should have a pure Python version when possible. That said, if there is a bona fide security risk, then it should be removed.

PyPy gets the C implementation of pbkdf2_hmac() from OpenSSL: https://foss.heptapod.net/pypy/pypy/-/blob/branch/py3.9/lib_pypy/_hashlib/__init__.py#L205

It has the same Python fallback implementation if the C implementation is missing: https://foss.heptapod.net/pypy/pypy/-/blob/branch/py3.9/lib-python/3/hashlib.py#L192

But I guess that the C implementation is always available on OpenSSL 1.1.1 and newer.
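The "faster is safer" exchange above and the note that PyPy carries the same pure-Python fallback, as an added example that is not code from CPython, PyPy or this PR: a reference PBKDF2-HMAC written in pure Python in the style of the removed fallback, checked byte-for-byte against the OpenSSL-backed `hashlib.pbkdf2_hmac()` on the RFC 6070 vectors, plus a timing helper that shows what a faster implementation buys in iteration count. The function names, the sample password and the 250 ms budget are my own choices; the SHA-256 vectors are the commonly published values for those inputs, not something the PR states.

```python
"""Added example (not CPython's or this PR's code): a pure-Python PBKDF2-HMAC
reference checked against the OpenSSL-backed hashlib.pbkdf2_hmac(), plus a
timing helper that makes the "faster is safer" argument concrete."""
import hashlib
import hmac
import time


def pbkdf2_hmac_py(hash_name, password, salt, iterations, dklen=None):
    """RFC 8018 section 5.2 PBKDF2 with HMAC-<hash_name> as the PRF.

    A reference implementation, not the one this PR deletes. The HMAC key
    schedule is computed once and copy()'d per PRF call, which is the main
    trick a pure-Python fallback needs to stay usable at all.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    base = hmac.new(password, digestmod=hash_name)
    hlen = base.digest_size
    if dklen is None:
        dklen = hlen
    if dklen < 1 or dklen > (2 ** 32 - 1) * hlen:
        raise ValueError("dklen out of range")

    def prf(msg):
        h = base.copy()
        h.update(msg)
        return h.digest()

    out = bytearray()
    block = 1
    while len(out) < dklen:
        # T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = PRF(P, S || INT(i))
        u = prf(salt + block.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
        block += 1
    return bytes(out[:dklen])


# Constructed vector table: SHA-1 entries are RFC 6070, SHA-256 entries are
# the commonly published values for the same inputs (not taken from the PR).
VECTORS = [
    ("sha1", b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    ("sha1", b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    ("sha1", b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
    ("sha1", b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 25,
     "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),  # exercises a second output block
    ("sha256", b"password", b"salt", 1, 32,
     "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"),
    ("sha256", b"password", b"salt", 4096, 32,
     "c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a"),
]


def check_vectors():
    """True iff both the OpenSSL-backed and the pure-Python PBKDF2 match every vector."""
    for hash_name, pw, salt, c, dklen, expected in VECTORS:
        c_impl = hashlib.pbkdf2_hmac(hash_name, pw, salt, c, dklen)
        py_impl = pbkdf2_hmac_py(hash_name, pw, salt, c, dklen)
        if c_impl.hex() != expected or py_impl.hex() != expected:
            return False
    return True


def iterations_per_second(impl, hash_name="sha256", sample_iterations=20_000):
    """Measure how many PBKDF2 iterations `impl` runs per second on this machine.

    A deployment picks its iteration count to fit a latency budget, e.g. 250 ms
    per login. A faster PRF loop lets the same budget buy more iterations, i.e.
    more work per guess for an offline attacker (who uses an optimised
    implementation regardless). That is the sense in which faster is safer.
    """
    start = time.perf_counter()
    impl(hash_name, b"correct horse battery staple", b"\x00" * 16, sample_iterations, 32)
    elapsed = time.perf_counter() - start
    return sample_iterations / elapsed


def affordable_iterations(impl, budget_seconds=0.25, **kw):
    """Iteration count `impl` can afford inside `budget_seconds`."""
    return int(iterations_per_second(impl, **kw) * budget_seconds)


if __name__ == "__main__":
    print("vectors ok:", check_vectors())
    for name, impl in (("openssl", hashlib.pbkdf2_hmac), ("python", pbkdf2_hmac_py)):
        print(f"{name:8s} affordable iterations in 250 ms: {affordable_iterations(impl):,}")
```

Running the module prints whether both implementations agree with the vectors and how many iterations each can afford in the 250 ms budget on the current machine; the gap between the two numbers is what the PR's "faster" claim amounts to for anyone tuning an iteration count.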

@ambv ambv merged commit 71d5299 into python:main Jun 28, 2022
@vstinner vstinner deleted the pbkdf2_hmac_py branch June 28, 2022 10:32
gvanrossum pushed a commit to gvanrossum/cpython that referenced this pull request Jun 30, 2022
…ythonGH-94200)