policy and pylib/packet cmac/160 bit hmac support

Hal Murray hmurray at megapathdsl.net
Sun Nov 24 08:12:34 UTC 2019

Mark Atwood said:
> On the other other other hand, can we have a Python binding on the C crypto
> routines that ntpd uses? 

The ntpd code gets crypto from OpenSSL's libcrypto.

We could write a wrapper for libcrypto.  The API is reasonably clean.  (or at 
least the parts we use.)  I'm a bit surprised that one doesn't already exist 
but I didn't find one with more than a little poking around.

The code we use is in: libntp/macencrypt.c

There are separate routines for old digest mode and new CMAC mode using AES.

Looks like the current python code gets crypto from hashlib which is part of 
python libs.  It doesn't include AES.  Since AES has been out for ages, I 
assume that lack of support is an indication that hashlib is (somewhat?) 


pyca/pyopenssl seems like the python way to get to OpenSSL

That suggests pyca/crytography

I looked a little, but didn't see exactly what I was looking for.  I'm pretty 
sure I could make it work.


pycryptodome seems like a reasonable choice.  It's a bit more complicated that 
a simple pip install.  We should be able to write the code so that AES doesn't 
work if not installed.

One must avoid having both PyCrypto and PyCryptodome installed at the same 
time, as they will interfere with each other.

Then it goes on with the alternate recipe.

I think this is will be the first/only use of pip in buildprep.  Somebody 
smarter than me will have to sort that out.

These are my opinions.  I hate spam.

More information about the devel mailing list