policy and pylib/packet cmac/160 bit hmac support

James Browning jamesb.fe80 at gmail.com
Sun Nov 24 16:14:03 UTC 2019

On Sun, Nov 24, 2019, at 12:12 AM Hal Murray via devel <devel at ntpsec.org>

> Mark Atwood said:
> > On the other other other hand, can we have a Python binding on the C
> > crypto routines that ntpd uses?

I'd probably prefer a generic FFI module with a ctypes wrapper,
but yes, probably.

> The ntpd code gets crypto from OpenSSL's libcrypto.
> We could write a wrapper for libcrypto.  The API is reasonably clean.  (or
> at least the parts we use.)  I'm a bit surprised that one doesn't already
> exist but I didn't find one with more than a little poking around.
> The code we use is in: libntp/macencrypt.c
> There are separate routines for old digest mode and new CMAC mode using
> AES.
> Looks like the current python code gets crypto from hashlib which is part
> of python libs.  It doesn't include AES.  Since AES has been out for ages, I
> assume that lack of support is an indication that hashlib is (somewhat?)
> deprecated.
> ----------
> pyca/pyopenssl seems like the python way to get to OpenSSL
>   https://github.com/pyca/pyopenssl
>   https://www.pyopenssl.org/en/stable/
> That suggests pyca/cryptography
>   https://github.com/pyca/cryptography
>   https://cryptography.io/en/latest/
> I looked a little, but didn't see exactly what I was looking for.  I'm
> pretty sure I could make it work.

I think I might be able to if that is the direction I should
have been going in the first place. Cryptography at least has
CMAC support, unlike pycrypto, ssl, and pyopenssl.

> ----------
> pycryptodome seems like a reasonable choice.  It's a bit more complicated
> than a simple pip install.  We should be able to write the code so that AES
> doesn't work if not installed.
> From
>   https://pycryptodome.readthedocs.io/en/latest/src/installation.html
> One must avoid having both PyCrypto and PyCryptodome installed at the same
> time, as they will interfere with each other.
> Then it goes on with the alternate recipe.
> I think this will be the first/only use of pip in buildprep.  Somebody
> smarter than me will have to sort that out.

There is an alternative, pycryptodomex, which installs the module
cryptodome; I just did not use it. I am pretty sure it is; the
only things that might have been installed via pip would be
gps, curses, and argparse(?). All three options dropped scripts
rather than resort to pip. In that case, it will have to be
someone else.
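To make the "AES doesn't work if not installed" idea concrete, here is an added example (mine, not code from ntpd, pylib, pyca/cryptography or PyCryptodome): an RFC 4493 CMAC written over a pluggable 16-byte block-encrypt callable, with the AES primitive borrowed from whichever of pyca/cryptography, Cryptodome (pycryptodomex) or Crypto is importable, and NTP-style MAC framing on top. The digest modes follow RFC 5905 (hash over key || packet, not an HMAC) and need only hashlib. The function names, the `keys` table shape, the tag-length table and the assumption that ntpd's AES mode is AES-128-CMAC with a 16-byte tag are all this example's, not something the thread states; the backend calls used (`Cipher(...).encryptor()`, `AES.new(key, AES.MODE_ECB).encrypt`) are the libraries' real APIs.

```python
"""AES-CMAC (RFC 4493) over a pluggable block cipher, plus NTP-style MAC
framing.  Added example for the thread; not code from ntpd, pylib or any of
the named libraries.  The AES backend is optional: digest modes use only
hashlib, and CMAC raises a clear error if no AES implementation is found."""
import hashlib
import hmac
import importlib
import struct

BLOCK = 16          # AES block size in bytes
RB = 0x87           # RFC 4493 reduction constant for 128-bit blocks
TAG_LEN = {"MD5": 16, "SHA1": 20, "AES": 16}   # assumed tag sizes (example's own)


def load_aes_backend():
    """Return (name, factory); factory(key) -> callable encrypting one block.
    Returns (None, None) when no AES implementation is installed."""
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        pass
    else:
        def factory(key):
            def encrypt(block):
                enc = Cipher(algorithms.AES(key), modes.ECB(),
                             backend=default_backend()).encryptor()
                return enc.update(block) + enc.finalize()
            return encrypt
        return "cryptography", factory
    # pycryptodomex installs Cryptodome; pycryptodome (and old PyCrypto) install Crypto
    for modname in ("Cryptodome", "Crypto"):
        try:
            AES = importlib.import_module(modname + ".Cipher.AES")
        except ImportError:
            continue
        return modname, lambda key, AES=AES: AES.new(key, AES.MODE_ECB).encrypt
    return None, None


AES_BACKEND, AES_FACTORY = load_aes_backend()
AES_AVAILABLE = AES_FACTORY is not None


def xor_block(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def shift_left(block):
    """Multiply by x in GF(2^128): shift left one bit, reduce by RB on carry."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")


def cmac_subkeys(block_encrypt):
    """RFC 4493 Generate_Subkey: K1 and K2 derived from E_K(0^128)."""
    k1 = shift_left(block_encrypt(bytes(BLOCK)))
    return k1, shift_left(k1)


def cmac(block_encrypt, message):
    """RFC 4493 CMAC; block_encrypt is E_K on a single 16-byte block."""
    k1, k2 = cmac_subkeys(block_encrypt)
    n = max(1, (len(message) + BLOCK - 1) // BLOCK)
    complete = len(message) > 0 and len(message) % BLOCK == 0
    x = bytes(BLOCK)
    for i in range(n - 1):                      # CBC chain over all but the last block
        x = block_encrypt(xor_block(x, message[i * BLOCK:(i + 1) * BLOCK]))
    last = message[(n - 1) * BLOCK:]
    if complete:
        last = xor_block(last, k1)
    else:                                       # 10* padding, then K2
        last = xor_block(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    return block_encrypt(xor_block(x, last))


def ntp_mac(keyid, key, packet, mactype):
    """Trailing MAC field: 4-byte big-endian key ID followed by the tag.
    Digest modes follow RFC 5905: hash over key || packet (not an HMAC).
    AES as AES-128-CMAC with a 16-byte tag is this example's assumption."""
    if mactype in ("MD5", "SHA1"):
        tag = hashlib.new(mactype.lower(), key + packet).digest()
    elif mactype == "AES":
        if not AES_AVAILABLE:
            raise RuntimeError("AES-CMAC needs pyca/cryptography or PyCryptodome")
        if len(key) != BLOCK:
            raise ValueError("AES-128 CMAC needs a 16-byte key")
        tag = cmac(AES_FACTORY(key), packet)
    else:
        raise ValueError("unknown MAC type %r" % mactype)
    return struct.pack("!I", keyid) + tag


def verify_ntp_mac(keys, frame, mactype):
    """Check packet || MAC against a {keyid: key} table with a constant-time compare."""
    maclen = 4 + TAG_LEN[mactype]
    if len(frame) <= maclen:
        return False
    packet, mac = frame[:-maclen], frame[-maclen:]
    keyid = struct.unpack("!I", mac[:4])[0]
    key = keys.get(keyid)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(keyid, key, packet, mactype), mac)


if __name__ == "__main__":
    print("AES backend:", AES_BACKEND or "none (CMAC mode disabled)")
```

Because the CMAC core takes any block function, the RFC 4493 chaining and padding can be checked with a stand-in cipher even on a machine with no AES package, and the real AES known-answer vectors from RFC 4493 are checked only when a backend is present. Note that `hashlib` is only the standard library's hash interface; it never carried block ciphers, so AES has to come from one of the third-party packages discussed above regardless of hashlib's status.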