On Sun, Nov 24, 2019, at 12:12 AM Hal Murray via devel <devel@ntpsec.org> wrote:
>
> Mark Atwood said:
> > On the other other other hand, can we have a Python binding on the C crypto
> > routines that ntpd uses?
>

I'd probably prefer a generic FFI module with a ctypes wrapper but yes probably.

> The ntpd code gets crypto from OpenSSL's libcrypto.
>
> We could write a wrapper for libcrypto. The API is reasonably clean. (or at
> least the parts we use.) I'm a bit surprised that one doesn't already exist
> but I didn't find one with more than a little poking around.
>
> The code we use is in: libntp/macencrypt.c
>
> There are separate routines for old digest mode and new CMAC mode using AES.
>
> Looks like the current python code gets crypto from hashlib which is part of
> python libs. It doesn't include AES. Since AES has been out for ages, I
> assume that lack of support is an indication that hashlib is (somewhat?)
> deprecated.
>
> ----------
>
> pyca/pyopenssl seems like the python way to get to OpenSSL
> https://github.com/pyca/pyopenssl
> https://www.pyopenssl.org/en/stable/
>
> That suggests pyca/cryptography
> https://github.com/pyca/cryptography
> https://cryptography.io/en/latest/
>
> I looked a little, but didn't see exactly what I was looking for. I'm pretty
> sure I could make it work.
>

I think I might be able to if that is the direction I should have been going in the first place. Cryptography at least has CMAC support unlike pycrypto, ssl, and pyopenssl.

> ----------
>
> pycryptodome seems like a reasonable choice. It's a bit more complicated than
> a simple pip install. We should be able to write the code so that AES doesn't
> work if not installed.
>
> From
> https://pycryptodome.readthedocs.io/en/latest/src/installation.html
> One must avoid having both PyCrypto and PyCryptodome installed at the same
> time, as they will interfere with each other.
>
> Then it goes on with the alternate recipe.
>
> I think this will be the first/only use of pip in buildprep. Somebody
> smarter than me will have to sort that out.
>

There is an alternative pycryptodomex which installs the module cryptodome, I just did not use it. I am pretty sure it is, the only things that might have been installable via pip would be gps, curses, and argparse(?). All three options dropped scripts rather than resort to pip. In that case, it will have to be someone else.
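
Added example, not part of the message above and not NTPsec's code: one way to get the behaviour discussed in the thread, where digest-mode MACs come from hashlib and AES-CMAC comes from pyca/cryptography only when that package is installed. The names `compute_mac`, `verify_mac` and `MacUnavailable`, the accepted type names, and the assumption that digest mode hashes key || payload are illustrative.

```python
import hashlib
import hmac

try:  # optional dependency: pyca/cryptography
    from cryptography.hazmat.primitives import cmac
    from cryptography.hazmat.primitives.ciphers import algorithms
    HAVE_CMAC = True
except ImportError:
    HAVE_CMAC = False


class MacUnavailable(Exception):
    """Raised when the requested MAC type cannot be computed here."""


def compute_mac(algo, key, payload):
    """Return the MAC of payload under key for the named algorithm."""
    name = algo.lower()
    if name in ("aes", "aes-128", "cmac"):  # hypothetical type names
        if not HAVE_CMAC:
            raise MacUnavailable("AES-CMAC needs the 'cryptography' package")
        ctx = cmac.CMAC(algorithms.AES(key))  # key must be 16/24/32 bytes
        ctx.update(payload)
        return ctx.finalize()
    # Assumption: old digest mode hashes key || payload.
    try:
        return hashlib.new(name, key + payload).digest()
    except ValueError as exc:
        raise MacUnavailable("unknown digest type: %s" % algo) from exc


def verify_mac(algo, key, payload, received):
    """Compare the received MAC with the computed one in constant time."""
    return hmac.compare_digest(compute_mac(algo, key, payload), received)


# Constructed sample input: RFC 4493 AES-128 key and first message block.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_MSG = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")

if __name__ == "__main__":
    print("sha1:", compute_mac("sha1", SAMPLE_KEY, SAMPLE_MSG).hex())
    if HAVE_CMAC:
        print("cmac:", compute_mac("aes", SAMPLE_KEY, SAMPLE_MSG).hex())
    else:
        print("cmac: unavailable (cryptography not installed)")
```

A caller that hits `MacUnavailable` for an AES key can report that the key type is unsupported on this host instead of failing at import time.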