Skip to content

Add AWS-LC support for XOFHash#15129

Merged
alex merged 3 commits into
mainfrom
claude/shake256-openssl-support-ok6cpi
Jul 1, 2026
Merged

Add AWS-LC support for XOFHash#15129
alex merged 3 commits into
mainfrom
claude/shake256-openssl-support-ok6cpi

Conversation

@reaperhulk

Copy link
Copy Markdown
Member

This PR extends XOFHash (Extendable Output Function) support to AWS-LC, in addition to the existing OpenSSL 3.3.0+ support.

Summary

Previously, XOFHash was only supported on OpenSSL 3.3.0 or greater. This change adds support for AWS-LC while maintaining backward compatibility with existing backends.

Key Changes

  • Rust backend (src/rust/src/backend/hashes.rs):

    • Updated the XOF support check to include AWS-LC alongside OpenSSL 3.3.0+
    • Simplified the conditional compilation logic by inverting the check: now enables XOF when CRYPTOGRAPHY_OPENSSL_330_OR_GREATER OR CRYPTOGRAPHY_IS_AWSLC is true
    • Updated error message to be backend-agnostic ("not supported on this backend" instead of specifically mentioning LibreSSL/BoringSSL)
  • Python tests (tests/hazmat/primitives/test_xofhash.py):

    • Extracted XOF support detection into a reusable _xof_supported() helper function
    • Updated all test markers to use the new helper function for consistency
    • Renamed test_unsupported_boring_libre to test_unsupported_xof to reflect the more general nature of the test
  • Hash tests (tests/hazmat/primitives/test_hashes.py):

    • Updated test_hash_xof to use the backend's hash_supported() method instead of directly checking OpenSSL version
    • Removed direct dependency on rust_openssl module in this test file
  • Changelog: Added entry documenting XOFHash support for AWS-LC

Implementation Details

The changes consolidate the XOF support logic by using a positive check (backends that support XOF) rather than a negative check (backends that don't support it). This makes the code more maintainable and easier to extend to additional backends in the future.

https://claude.ai/code/session_01SCjKRh9sZ4qXDfoVm5YAJ3

claude added 2 commits July 1, 2026 20:06
AWS-LC provides EVP_DigestSqueeze, so XOFHash no longer needs to be
gated to OpenSSL 3.3+ only. rust-openssl already exposes
Hasher::squeeze_xof on AWS-LC.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SCjKRh9sZ4qXDfoVm5YAJ3
Squeeze is supported iff OpenSSL >= 3.3.0 or AWS-LC. The version cfgs
are only ever set for real OpenSSL, so the LibreSSL/BoringSSL guards
were redundant.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SCjKRh9sZ4qXDfoVm5YAJ3
Comment thread tests/hazmat/primitives/test_hashes.py Outdated
skip_message="Requires backend with XOF support",
)
def test_hash_xof(self):
def test_hash_xof(self, backend):

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't htink the backend arg is required, is it?

The backend fixture is autouse, so the supported marker is checked
without it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SCjKRh9sZ4qXDfoVm5YAJ3
@alex alex merged commit eb90de5 into main Jul 1, 2026
69 checks passed
@alex alex deleted the claude/shake256-openssl-support-ok6cpi branch July 1, 2026 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants