From 3453683042d9ac4f0f4f476534a5f4f14ba5bd63 Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Fri, 5 Dec 2025 19:39:52 +0000 Subject: [PATCH 1/7] implement hashlib.new('sha256') support --- py/circuitpy_mpconfig.mk | 3 +++ shared-module/hashlib/Hash.c | 20 ++++++++++++++++++++ shared-module/hashlib/Hash.h | 6 ++++++ shared-module/hashlib/__init__.c | 8 ++++++++ shared-module/hashlib/__init__.h | 7 +++++++ 5 files changed, 44 insertions(+) diff --git a/py/circuitpy_mpconfig.mk b/py/circuitpy_mpconfig.mk index 9bbe5691dfb3b..dbd9de2b3f8ac 100644 --- a/py/circuitpy_mpconfig.mk +++ b/py/circuitpy_mpconfig.mk @@ -343,6 +343,9 @@ CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS=$(CIRCUITPY_HASHLIB_MBEDTLS) CIRCUITPY_HASHLIB_MBEDTLS_ONLY ?= $(call enable-if-all,$(CIRCUITPY_HASHLIB_MBEDTLS) $(call enable-if-not,$(CIRCUITPY_SSL))) CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS_ONLY=$(CIRCUITPY_HASHLIB_MBEDTLS_ONLY) +CIRCUITPY_HASHLIB_SHA256 ?= 0 +CFLAGS += -DCIRCUITPY_HASHLIB_SHA256=$(CIRCUITPY_HASHLIB_SHA256) + CIRCUITPY_I2CTARGET ?= $(CIRCUITPY_FULL_BUILD) CFLAGS += -DCIRCUITPY_I2CTARGET=$(CIRCUITPY_I2CTARGET) diff --git a/shared-module/hashlib/Hash.c b/shared-module/hashlib/Hash.c index a454966d99361..a4e21c7a06f0d 100644 --- a/shared-module/hashlib/Hash.c +++ b/shared-module/hashlib/Hash.c @@ -14,6 +14,12 @@ void common_hal_hashlib_hash_update(hashlib_hash_obj_t *self, const uint8_t *dat mbedtls_sha1_update_ret(&self->sha1, data, datalen); return; } + #if CIRCUITPY_HASHLIB_SHA256 + else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + mbedtls_sha256_update_ret(&self->sha256, data, datalen); + return; + } + #endif } void common_hal_hashlib_hash_digest(hashlib_hash_obj_t *self, uint8_t *data, size_t datalen) { @@ -28,11 +34,25 @@ void common_hal_hashlib_hash_digest(hashlib_hash_obj_t *self, uint8_t *data, siz mbedtls_sha1_finish_ret(&self->sha1, data); mbedtls_sha1_clone(&self->sha1, ©); } + #if CIRCUITPY_HASHLIB_SHA256 + else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + mbedtls_sha256_context copy; + mbedtls_sha256_clone(©, &self->sha256); + mbedtls_sha256_finish_ret(&self->sha256, data); + mbedtls_sha256_clone(&self->sha256, ©); + } + #endif } size_t common_hal_hashlib_hash_get_digest_size(hashlib_hash_obj_t *self) { if (self->hash_type == MBEDTLS_SSL_HASH_SHA1) { return 20; } + #if CIRCUITPY_HASHLIB_SHA256 + else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + return 32; + } + #endif + return 0; } diff --git a/shared-module/hashlib/Hash.h b/shared-module/hashlib/Hash.h index ccc82037cb7aa..0c33b4876c19c 100644 --- a/shared-module/hashlib/Hash.h +++ b/shared-module/hashlib/Hash.h @@ -7,11 +7,17 @@ #pragma once #include "mbedtls/sha1.h" +#if CIRCUITPY_HASHLIB_SHA256 +#include "mbedtls/sha256.h" +#endif typedef struct { mp_obj_base_t base; union { mbedtls_sha1_context sha1; + #if CIRCUITPY_HASHLIB_SHA256 + mbedtls_sha256_context sha256; + #endif }; // Of MBEDTLS_SSL_HASH_* uint8_t hash_type; diff --git a/shared-module/hashlib/__init__.c b/shared-module/hashlib/__init__.c index be3a9f1895964..ebf9d1700eab6 100644 --- a/shared-module/hashlib/__init__.c +++ b/shared-module/hashlib/__init__.c @@ -17,5 +17,13 @@ bool common_hal_hashlib_new(hashlib_hash_obj_t *self, const char *algorithm) { mbedtls_sha1_starts_ret(&self->sha1); return true; } + #if CIRCUITPY_HASHLIB_SHA256 + else if (strcmp(algorithm, "sha256") == 0) { + self->hash_type = MBEDTLS_SSL_HASH_SHA256; + mbedtls_sha256_init(&self->sha256); + mbedtls_sha256_starts_ret(&self->sha256, 0); + return true; + } + #endif return false; } diff --git a/shared-module/hashlib/__init__.h b/shared-module/hashlib/__init__.h index f72882a1c03b3..50125595ab53a 100644 --- a/shared-module/hashlib/__init__.h +++ b/shared-module/hashlib/__init__.h @@ -13,4 +13,11 @@ #define mbedtls_sha1_starts_ret mbedtls_sha1_starts #define mbedtls_sha1_update_ret mbedtls_sha1_update #define mbedtls_sha1_finish_ret mbedtls_sha1_finish + +#if CIRCUITPY_HASHLIB_SHA256 +#define mbedtls_sha256_starts_ret mbedtls_sha256_starts +#define mbedtls_sha256_update_ret mbedtls_sha256_update +#define mbedtls_sha256_finish_ret mbedtls_sha256_finish +#endif + #endif From f80d99297009428ed6c65a67be6b234bfaa71f7b Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Fri, 5 Dec 2025 19:40:49 +0000 Subject: [PATCH 2/7] enable hashlib sha1 & sha256 for CLUE board --- ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk b/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk index e1a25137a1924..c835621547a0a 100644 --- a/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk +++ b/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk @@ -7,3 +7,6 @@ MCU_CHIP = nrf52840 QSPI_FLASH_FILESYSTEM = 1 EXTERNAL_FLASH_DEVICES = "GD25Q16C, W25Q16JVxQ" + +CIRCUITPY_HASHLIB = 1 +CIRCUITPY_HASHLIB_SHA256 = 1 From 30c8dd626f543c2927a08f8c5797aa0e0cf79ba7 Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Mon, 8 Dec 2025 18:37:33 +0000 Subject: [PATCH 3/7] default to enabling SHA256 when hashlib is enabled --- py/circuitpy_mpconfig.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/py/circuitpy_mpconfig.mk b/py/circuitpy_mpconfig.mk index dbd9de2b3f8ac..61344a86f9e75 100644 --- a/py/circuitpy_mpconfig.mk +++ b/py/circuitpy_mpconfig.mk @@ -343,7 +343,7 @@ CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS=$(CIRCUITPY_HASHLIB_MBEDTLS) CIRCUITPY_HASHLIB_MBEDTLS_ONLY ?= $(call enable-if-all,$(CIRCUITPY_HASHLIB_MBEDTLS) $(call enable-if-not,$(CIRCUITPY_SSL))) CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS_ONLY=$(CIRCUITPY_HASHLIB_MBEDTLS_ONLY) -CIRCUITPY_HASHLIB_SHA256 ?= 0 +CIRCUITPY_HASHLIB_SHA256 ?= $(CIRCUITPY_HASHLIB) CFLAGS += -DCIRCUITPY_HASHLIB_SHA256=$(CIRCUITPY_HASHLIB_SHA256) CIRCUITPY_I2CTARGET ?= $(CIRCUITPY_FULL_BUILD) From f9d5778aa706e9094161d603b828443be627057c Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Mon, 8 Dec 2025 20:36:18 +0000 Subject: [PATCH 4/7] turn on hashlib for all nrf52840 boards This turns on hashlib at the port level, but only for nrf52840 boards. There's a comment in mpconfigport.mk suggesting that space is already tight on nrf52833 boards. --- ports/nordic/mpconfigport.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ports/nordic/mpconfigport.mk b/ports/nordic/mpconfigport.mk index 502e71ae4ae16..48536ec2acd7b 100644 --- a/ports/nordic/mpconfigport.mk +++ b/ports/nordic/mpconfigport.mk @@ -63,6 +63,8 @@ CIRCUITPY_MEMORYMAP ?= 1 CIRCUITPY_RGBMATRIX ?= 1 CIRCUITPY_FRAMEBUFFERIO ?= 1 +CIRCUITPY_HASHLIB ?= 1 + CIRCUITPY_COUNTIO ?= 1 CIRCUITPY_WATCHDOG ?= 1 From fabe72b40e623f5504342e712d16aa9b131a4937 Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Mon, 8 Dec 2025 20:38:31 +0000 Subject: [PATCH 5/7] remove redundant hashlib enable for CLUE This is enabled at the port level now. --- ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk b/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk index c835621547a0a..e1a25137a1924 100644 --- a/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk +++ b/ports/nordic/boards/clue_nrf52840_express/mpconfigboard.mk @@ -7,6 +7,3 @@ MCU_CHIP = nrf52840 QSPI_FLASH_FILESYSTEM = 1 EXTERNAL_FLASH_DEVICES = "GD25Q16C, W25Q16JVxQ" - -CIRCUITPY_HASHLIB = 1 -CIRCUITPY_HASHLIB_SHA256 = 1 From c1bd53d40ae5aa5f655522d58fafa8c8dce45343 Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Mon, 8 Dec 2025 21:54:30 +0000 Subject: [PATCH 6/7] remove CIRCUITPY_HASHLIB_SHA256 ifdef guards --- py/circuitpy_mpconfig.mk | 3 --- shared-module/hashlib/Hash.c | 16 +++------------- shared-module/hashlib/Hash.h | 4 ---- shared-module/hashlib/__init__.c | 5 +---- shared-module/hashlib/__init__.h | 2 -- 5 files changed, 4 insertions(+), 26 deletions(-) diff --git a/py/circuitpy_mpconfig.mk b/py/circuitpy_mpconfig.mk index 61344a86f9e75..9bbe5691dfb3b 100644 --- a/py/circuitpy_mpconfig.mk +++ b/py/circuitpy_mpconfig.mk @@ -343,9 +343,6 @@ CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS=$(CIRCUITPY_HASHLIB_MBEDTLS) CIRCUITPY_HASHLIB_MBEDTLS_ONLY ?= $(call enable-if-all,$(CIRCUITPY_HASHLIB_MBEDTLS) $(call enable-if-not,$(CIRCUITPY_SSL))) CFLAGS += -DCIRCUITPY_HASHLIB_MBEDTLS_ONLY=$(CIRCUITPY_HASHLIB_MBEDTLS_ONLY) -CIRCUITPY_HASHLIB_SHA256 ?= $(CIRCUITPY_HASHLIB) -CFLAGS += -DCIRCUITPY_HASHLIB_SHA256=$(CIRCUITPY_HASHLIB_SHA256) - CIRCUITPY_I2CTARGET ?= $(CIRCUITPY_FULL_BUILD) CFLAGS += -DCIRCUITPY_I2CTARGET=$(CIRCUITPY_I2CTARGET) diff --git a/shared-module/hashlib/Hash.c b/shared-module/hashlib/Hash.c index a4e21c7a06f0d..b7e966e951b5c 100644 --- a/shared-module/hashlib/Hash.c +++ b/shared-module/hashlib/Hash.c @@ -13,13 +13,10 @@ void common_hal_hashlib_hash_update(hashlib_hash_obj_t *self, const uint8_t *dat if (self->hash_type == MBEDTLS_SSL_HASH_SHA1) { mbedtls_sha1_update_ret(&self->sha1, data, datalen); return; - } - #if CIRCUITPY_HASHLIB_SHA256 - else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + } else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { mbedtls_sha256_update_ret(&self->sha256, data, datalen); return; } - #endif } void common_hal_hashlib_hash_digest(hashlib_hash_obj_t *self, uint8_t *data, size_t datalen) { @@ -33,26 +30,19 @@ void common_hal_hashlib_hash_digest(hashlib_hash_obj_t *self, uint8_t *data, siz mbedtls_sha1_clone(©, &self->sha1); mbedtls_sha1_finish_ret(&self->sha1, data); mbedtls_sha1_clone(&self->sha1, ©); - } - #if CIRCUITPY_HASHLIB_SHA256 - else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + } else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { mbedtls_sha256_context copy; mbedtls_sha256_clone(©, &self->sha256); mbedtls_sha256_finish_ret(&self->sha256, data); mbedtls_sha256_clone(&self->sha256, ©); } - #endif } size_t common_hal_hashlib_hash_get_digest_size(hashlib_hash_obj_t *self) { if (self->hash_type == MBEDTLS_SSL_HASH_SHA1) { return 20; - } - #if CIRCUITPY_HASHLIB_SHA256 - else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { + } else if (self->hash_type == MBEDTLS_SSL_HASH_SHA256) { return 32; } - #endif - return 0; } diff --git a/shared-module/hashlib/Hash.h b/shared-module/hashlib/Hash.h index 0c33b4876c19c..f3c2979e59c85 100644 --- a/shared-module/hashlib/Hash.h +++ b/shared-module/hashlib/Hash.h @@ -7,17 +7,13 @@ #pragma once #include "mbedtls/sha1.h" -#if CIRCUITPY_HASHLIB_SHA256 #include "mbedtls/sha256.h" -#endif typedef struct { mp_obj_base_t base; union { mbedtls_sha1_context sha1; - #if CIRCUITPY_HASHLIB_SHA256 mbedtls_sha256_context sha256; - #endif }; // Of MBEDTLS_SSL_HASH_* uint8_t hash_type; diff --git a/shared-module/hashlib/__init__.c b/shared-module/hashlib/__init__.c index ebf9d1700eab6..f9bc787d49f16 100644 --- a/shared-module/hashlib/__init__.c +++ b/shared-module/hashlib/__init__.c @@ -16,14 +16,11 @@ bool common_hal_hashlib_new(hashlib_hash_obj_t *self, const char *algorithm) { mbedtls_sha1_init(&self->sha1); mbedtls_sha1_starts_ret(&self->sha1); return true; - } - #if CIRCUITPY_HASHLIB_SHA256 - else if (strcmp(algorithm, "sha256") == 0) { + } else if (strcmp(algorithm, "sha256") == 0) { self->hash_type = MBEDTLS_SSL_HASH_SHA256; mbedtls_sha256_init(&self->sha256); mbedtls_sha256_starts_ret(&self->sha256, 0); return true; } - #endif return false; } diff --git a/shared-module/hashlib/__init__.h b/shared-module/hashlib/__init__.h index 50125595ab53a..847bd8a834728 100644 --- a/shared-module/hashlib/__init__.h +++ b/shared-module/hashlib/__init__.h @@ -14,10 +14,8 @@ #define mbedtls_sha1_update_ret mbedtls_sha1_update #define mbedtls_sha1_finish_ret mbedtls_sha1_finish -#if CIRCUITPY_HASHLIB_SHA256 #define mbedtls_sha256_starts_ret mbedtls_sha256_starts #define mbedtls_sha256_update_ret mbedtls_sha256_update #define mbedtls_sha256_finish_ret mbedtls_sha256_finish -#endif #endif From 39332eb957b274d66fae4575eaeea1ee446070a9 Mon Sep 17 00:00:00 2001 From: sam blenny <68084116+samblenny@users.noreply.github.com> Date: Mon, 8 Dec 2025 22:43:10 +0000 Subject: [PATCH 7/7] fix hashlib.new() documentation comment --- shared-bindings/hashlib/__init__.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared-bindings/hashlib/__init__.c b/shared-bindings/hashlib/__init__.c index bfe19dee10794..2a6517791be95 100644 --- a/shared-bindings/hashlib/__init__.c +++ b/shared-bindings/hashlib/__init__.c @@ -20,7 +20,7 @@ //| //| def new(name: str, data: bytes = b"") -> hashlib.Hash: //| """Returns a Hash object setup for the named algorithm. Raises ValueError when the named -//| algorithm is unsupported. +//| algorithm is unsupported. Supported algorithms for ``name`` are ``'sha1`` and ``'sha256'``. //| //| :return: a hash object for the given algorithm //| :rtype: hashlib.Hash"""