policy and pylib/packet cmac/160 bit hmac support
Hal Murray
hmurray at megapathdsl.net
Sun Nov 24 08:12:34 UTC 2019
Mark Atwood said:
> On the other other other hand, can we have a Python binding on the C crypto
> routines that ntpd uses?
The ntpd code gets crypto from OpenSSL's libcrypto.
We could write a wrapper for libcrypto. The API is reasonably clean. (or at
least the parts we use.) I'm a bit surprised that one doesn't already exist
but I didn't find one with more than a little poking around.
The code we use is in: libntp/macencrypt.c
There are separate routines for old digest mode and new CMAC mode using AES.
Looks like the current python code gets crypto from hashlib which is part of
python libs. It doesn't include AES. Since AES has been out for ages, I
assume that lack of support is an indication that hashlib is (somewhat?)
deprecated.
----------
pyca/pyopenssl seems like the python way to get to OpenSSL
https://github.com/pyca/pyopenssl
https://www.pyopenssl.org/en/stable/
That suggests pyca/cryptography
https://github.com/pyca/cryptography
https://cryptography.io/en/latest/
I looked a little, but didn't see exactly what I was looking for. I'm pretty
sure I could make it work.
----------
pycryptodome seems like a reasonable choice. It's a bit more complicated than
a simple pip install. We should be able to write the code so that AES doesn't
work if not installed.
From
https://pycryptodome.readthedocs.io/en/latest/src/installation.html
One must avoid having both PyCrypto and PyCryptodome installed at the same
time, as they will interfere with each other.
Then it goes on with the alternate recipe.
I think this will be the first/only use of pip in buildprep. Somebody
smarter than me will have to sort that out.
--
These are my opinions. I hate spam.
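
Added example (not part of the original message and not NTPsec code): one way to keep digest-mode MACs on hashlib while making AES-CMAC an optional feature that fails cleanly when neither pyca/cryptography nor pycryptodome is installed. The helper names, the accepted key-type strings, and the digest layout (hash over key followed by payload) are assumptions made for illustration.

```python
import hashlib
import hmac

# Optional AES-CMAC backends; either may be absent on a given host.
try:
    from cryptography.hazmat.primitives import cmac as _pyca_cmac
    from cryptography.hazmat.primitives.ciphers import algorithms as _pyca_alg
except ImportError:
    _pyca_cmac = None
try:
    from Crypto.Cipher import AES as _pcd_aes
    from Crypto.Hash import CMAC as _pcd_cmac
except ImportError:
    _pcd_cmac = None

HAVE_CMAC = _pyca_cmac is not None or _pcd_cmac is not None


class MacUnavailable(Exception):
    """Requested MAC type cannot be computed on this host."""


def compute_mac(algo, key, payload):
    """Return the MAC bytes for payload under key (hypothetical helper)."""
    name = algo.lower()
    if name in ("aes", "aes-128", "cmac"):  # key-type names are assumed
        if len(key) != 16:
            raise ValueError("AES-128 CMAC needs a 16-byte key")
        if _pyca_cmac is not None:
            ctx = _pyca_cmac.CMAC(_pyca_alg.AES(key))
            ctx.update(payload)
            return ctx.finalize()
        if _pcd_cmac is not None:
            return _pcd_cmac.new(key, msg=payload, ciphermod=_pcd_aes).digest()
        raise MacUnavailable("AES-CMAC needs cryptography or pycryptodome")
    # Digest mode (assumed layout): hash over key followed by payload.
    try:
        return hashlib.new(name, key + payload).digest()
    except ValueError:
        raise MacUnavailable("digest %r not supported by hashlib" % algo)


def verify_mac(algo, key, payload, mac):
    """Constant-time check; an unavailable algorithm fails closed."""
    try:
        return hmac.compare_digest(compute_mac(algo, key, payload), mac)
    except MacUnavailable:
        return False
```

Callers can test HAVE_CMAC up front to report a configuration error for AES keys instead of silently rejecting every packet.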