Replace crypton with botan-low for hashing #79
Closed
jappeace-sloth wants to merge 10 commits into winterland1989:master from
Swap out the crypton dependency for botan-low in the auth scramble functions. The crypton-x509 packages remain (used by the tls library) but the direct crypton/ram/memory dependencies are removed.

Changes:
- scrambleSHA1, scrambleSHA256, scrambleForPlugin, mkAuth now return IO since botan-low uses a stateful init/update/finalize hash API
- Add botanHash helper wrapping botan-low's hash interface
- Remove crypton-1-1 cabal flag and conditional ram/memory deps
- Remove ram override from nix/hpkgs.nix
- Add SHA1 scramble test module with golden vectors
- Add golden vector tests to SHA256 scramble tests
- Wire Sha1Scramble into test Main.hs and cabal

Golden test vectors verified byte-for-byte identical output between crypton and botan-low implementations.

Prompt: look at mysql-haskell, investigate how much work it would be to get rid of crypton and move over to botan, there is a pr already on winterland/mysql-haskell doing something similar but it's incomplete and the wrong library. Then: add those tests on a new branch to replace botan.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
not sure if this is a good idea, but I was curious if it could work
Add end-to-end TLS test (TLSConnection.hs) that verifies MySQL authentication and queries over TLS connections. Three test cases: connectDetail with SELECT 1, SSL cipher verification, and prepared statement roundtrip. Tests are gated on MYSQL_TLS_CA_PATH env var.

Configure server-side TLS in both NixOS VM tests (MariaDB and MySQL 8.0) using the existing test certificates. Copy cert files to nix output alongside the integration binary.

Fix CI cabal jobs by installing Botan 3 (required by botan-bindings) using the haskell-cryptography/botan setup-botan composite action. Add platform-specific configuration for Linux (LD_LIBRARY_PATH), Windows (pkg-config via MSYS2), and cabal configure with pkg-config constraint.

Prompt: CI is failing, repair CI
Tokens: ~50k input, ~8k output

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The cabal configure step with backslash line continuations fails on Windows because PowerShell interprets `--` as its decrement operator. Force bash shell for this step.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Following haskell-cryptography/botan CI pattern, use MSYS2 bash as the default shell on Windows so pkg-config and botan-3 library resolution work correctly. PowerShell cannot resolve MSYS2 pkg-config paths which causes botan-bindings to fail finding libbotan-3.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

botan-bindings +pkg-config requires pkg-config to find botan-3.pc, which fails on Windows. Without the flag, botan-bindings uses extra-libraries/includes directly, resolved via --extra-lib-dirs and --extra-include-dirs passed to cabal configure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cabal configure without a cabal.project file may not persist extra-lib-dirs to cabal.project.local. Pass the flags directly to cabal build and cabal test to ensure botan-3 is found on all platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

botan is C++ so linking needs -lstdc++ which pkg-config provides. Add MSYS2_ARG_CONV_EXCL=* to prevent MSYS2 path translation. Add debug step to verify pkg-config finds botan-3 on all platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

MSYS2_ARG_CONV_EXCL=* was corrupting pkg-config paths. Remove it and add debug steps to show the .pc file contents.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The setup-botan action generates a .pc file with Windows backslash paths (e.g. libdir=C:\msys64\mingw64\lib). MSYS2's pkg-config interprets \l as an escape sequence, producing -LC:/msys64/mingw64lib (missing /) which breaks the build. Sed-replace backslashes with forward slashes after installation. Also removes debug steps that were used to diagnose this issue.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
I guess the haskell botan bindings have no tls support
Summary
- Replace crypton dependency with botan-low for SHA1/SHA256 hashing in MySQL auth scrambles
- Remove crypton-1-1 cabal flag and conditional ram/memory dependencies
- Add Sha1Scramble test module (SHA1 had zero test coverage before)
- crypton-x509 packages remain as transitive deps of the tls library

The scramble functions (scrambleSHA1, scrambleSHA256, scrambleForPlugin, mkAuth) now return IO since botan-low uses a stateful init/update/finalize hash API. All callers were already in IO so the change is minimal.

Golden test vectors were computed independently (via Python) and verified identical between crypton and botan-low.

Test plan
- nix-build nix/ci.nix -A build passes

🤖 Generated with Claude Code
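
The description above says the golden vectors were computed independently in Python. A sketch of such a reference computation follows, added here as an example and not code from this PR: the formulas are the standard mysql_native_password and caching_sha2_password scrambles, while the function names, salt and password are constructed, and `server_accepts` is a hypothetical server-side check used to round-trip each token.

```python
import hashlib
import hmac

def digest(alg: str, *chunks: bytes) -> bytes:
    """init/update/finalize hashing, the same shape as a stateful hash API."""
    h = hashlib.new(alg)              # init
    for chunk in chunks:
        h.update(chunk)               # update, one call per chunk
    return h.digest()                 # finalize

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def scramble_sha1(salt: bytes, password: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    if not password:
        return b""                    # empty password sends an empty auth response
    stage1 = digest("sha1", password)
    return xor(stage1, digest("sha1", salt, digest("sha1", stage1)))

def scramble_sha256(nonce: bytes, password: bytes) -> bytes:
    """caching_sha2_password: SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce)."""
    if not password:
        return b""
    stage1 = digest("sha256", password)
    return xor(stage1, digest("sha256", digest("sha256", stage1), nonce))

def server_accepts(alg: str, nonce: bytes, stored: bytes, token: bytes) -> bool:
    """Hypothetical server-side check against the stored HASH(HASH(pw))."""
    mask = digest(alg, nonce, stored) if alg == "sha1" else digest(alg, stored, nonce)
    if len(token) != len(mask):
        return False
    candidate = xor(token, mask)      # equals HASH(pw) when the token is valid
    return hmac.compare_digest(digest(alg, candidate), stored)

# Constructed sample inputs (not the golden vectors from this PR).
SALT = bytes(range(1, 21))            # 20-byte server nonce
PASSWORD = b"correct horse"

if __name__ == "__main__":
    for name, fn in (("sha1", scramble_sha1), ("sha256", scramble_sha256)):
        print(name, fn(SALT, PASSWORD).hex())
```

The printed hex strings are what a golden-vector test would pin; any hash backend that disagrees on a single byte also fails the `server_accepts` round trip.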