Implement hashlib.new('sha256') and enable it for CLUE

[samblenny]

The point of this is to:

1. Make it possible to use a CLUE board as a TOTP token that supports the SHA1 and SHA256 hash algorithm options for fast updating (pure python hashes take 2+ seconds)
2. Add optional SHA256 support to hashlib that can be used by other things that need it (e.g. CircuitMatter)

List of specific changes:

1. Implement 'sha256' option for hashlib.new()
2. Gate SHA256 stuff behind #ifdef CIRCUITPY_HASHLIB_SHA256
3. Enable hashlib with 'sha1' and 'sha256' for ports/nordic/clue_nrf52840_express

Checklist:

• pre-commit passed
• builds without errors
• test code runs on CLUE board with same results as CPython

Test Code:

Adafruit CircuitPython 10.1.0-beta.1-5-g108860a837-dirty on 2025-12-05; Adafruit CLUE nRF52840 Express with nRF52840
>>> import hashlib
>>> s1 = hashlib.new('sha1', b'SHA1 Hash')
>>> s2 = hashlib.new('sha256', b'SHA256 Hash')
>>> s1.digest().hex()
'a28191ff62cce66838e67c16dd48ab118c27b417'
>>> s2.digest().hex()
'2023b38445ae586b672848c31e3e13883f17fd07531c9aa2b8f212b3b7a0d11f'

[samblenny]

Open question: Should this be turned on for other boards/ports? Dan suggested on discord that it might be useful to try turning on the SHA256 option for stuff that already enables hashlib to see if it fits.

[dhalbert]

Open question: Should this be turned on for other boards/ports? Dan suggested on discord that it might be useful to try turning on the SHA256 option for stuff that already enables hashlib to see if it fits.

Go ahead and try it. Just set CIRCUITPY_HASHLIB_SHA256 = $(CIRCUITPY_HASHLIB) in circuitpy_mpconfig.mk, I think, and re-run the PR. If it doesn't fit we'll see failures. That's how we check in general.

[samblenny]

Just pushed a commit to have the SHA256 option take its default from CIRCUITPY_HASHLIB.

[samblenny]

Also tried local builds for a couple more nordic boards (nordic port defaults to hashlib off), and they fit fine:

• clue_nrf52840_express FLASH_FIRMWARE %age Used: 76.93%
• feather_nrf52840_express FLASH_FIRMWARE %age Used: 75.87%
• feather_bluefruit_sense FLASH_FIRMWARE %age Used: 75.49%

[samblenny]

checks passed. I guess SHA256 fits fine then.

[tannewt]

One small thing. Looks great otherwise!

[tannewt]

Need this still? Looks like it fit everywhere.

[dhalbert]

I agree maybe just take this out and take out the guards

[samblenny]

That's the bit that lets me actually use it on the board I'm implementing this for as the nordic port doesn't turn hashlib on by default. Are you suggesting maybe do a CIRCUITPY_HASHLIB = 1 at the port level for nordic?

[tannewt]

Ah, ok. This is fine then.

[tannewt]

Ah, maybe @dhalbert is saying to remove CIRCUITPY_HASHLIB_SHA256 which you also don't need. So, leave CIRCUITPY_HASHLIB here but remove the new _SHA256 define.

[samblenny]

Looking at ports/nordic/mpconfigport.mk, I see a comment suggesting that space is tight on nrf52833. What if I just enable hashlib in the ifeq ($(MCU_CHIP),nrf52840) section for the nrf52840 boards?

[samblenny]

I just pushed a couple commits to enable hashlib at the port level for nrf52840 boards (not nrf52833 though) and remove the redundant hashlib enable for CLUE.

[dhalbert]

Ah, maybe @dhalbert is saying to remove CIRCUITPY_HASHLIB_SHA256 which you also don't need. So, leave CIRCUITPY_HASHLIB here but remove the new _SHA256 define.

This is one of the things I was saying. If hashlib is enabled, don't do finegrain choices on the algorithms right now. I think if there's room for SHA1, there'd be room for SHA256.

[samblenny]

so, should I remove the ifdef guard for CIRCUITPY_HASHLIB_SHA256?

[dhalbert]

yes, I think you can just get rid of it, if it fits on the Espressif and Pico W.

[dhalbert]

There is some minor formatting thing to fix in the doc:

The algorithm is unsupported should not be on the next line like that.

Also maybe now list the algorithms available. That would be a good addition.

[samblenny]

@dhalbert I've got changes queued up to make the docs look like this:

If that looks acceptable, I'll commit and push them.

[samblenny]

okay, I went ahead and pushed the commit with the docs fix

[samblenny]

now Build CI / docs check is failing, but it looks unrelated, probably?

From the build log:

...
zephyr_i2c/__init__.pyi:127: error: Incompatible default for argument "in_end" (default has type "None", argument has type "int")  [assignment]
zephyr_i2c/__init__.pyi:127: note: PEP 484 prohibits implicit Optional. Accordingly, mypy has changed its default to no_implicit_optional=True
zephyr_i2c/__init__.pyi:127: note: Use https://github.com/hauntsaninja/no_implicit_optional to automatically upgrade your codebase
Found 2 errors in 1 file (checked 121 source files)
make: *** [Makefile:292: check-stubs] Error 1
Error: Process completed with exit code 2.

[samblenny]

Dan, you've mentioned turning hashlib on for boards that have wifi. From ripgrepping for CIRCUITPY_HASHLIB and CIRCUITPY_WEB_WORKFLOW, cross checked with circuitpython.org included modules lists, it seems the only ports which currently enable hashlib for at least some boards are:

• ports/espressif
• ports/nordic (after this PR)
• ports/raspberrypi

So, that would seem to leave out:

• M4 based PyPortal boards
• M4/M7 AirLift boards
• Various non-rp2/ESP32/nordic Feather boards (potentially to be combined with AirLift FeatherWing)
• Various non-rp2/ESP32/nordic ItsyBitsy boards (potentially to be combined with AirLift Bitsy Add-On)
• Metro M0 Express + AirLift Shield (but this might not have space for it)

[dhalbert]

@samblenny This is fine for now. I mean boards with native wifi. The current ones with hashlib depend on mbedtls. So what you did was add the SHA256 calls. It's consistent.

I am adding wifi/socketpool/ssl for boards that could support AirLift. I don't think I will need hashlib for those boards, because the cryptography is done in the co-processor. Right now PyPortal doesn't need or have hashlib, for instance.

@tannewt #10740 (comment) looks like some kind of type annotation nit in zephyr_i2c.

[tannewt]

@tannewt #10740 (comment) looks like some kind of type annotation nit in zephyr_i2c.

Fixed in #10746

[tannewt]

Looks good! I've fixed the docs issue in a separate PR.