This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: explore hashlib use of the Linux Kernel CryptoAPI
Type: enhancement Stage: patch review
Components: Versions:
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, gregory.p.smith
Priority: normal Keywords: patch

Created on 2022-03-23 19:30 by gregory.p.smith, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 32173 open christian.heimes, 2022-03-29 10:29
PR 32176 open christian.heimes, 2022-03-29 15:34
Messages (6)
msg415896 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2022-03-23 19:30
Linux kernels provide a CryptoAPI. This is a common place for platform specific hardware accelerated hash algorithms to be exposed to the user (especially on SoCs which often have non-standard hardware).

hashlib currently uses OpenSSL when possible for performance.  We could also look at querying the kernel API.  How to decide between the two implementations when both are present is something TBD.

This would probably be best done via a configure time check for libkcapi?
msg415899 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-23 19:45
We don't need libkcapi. I added AF_ALG support a while ago:

import binascii
import os
import socket

with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as cfgsock:
    cfgsock.bind(("hash", "sha256"))
    opsock, _ = cfgsock.accept()
    with opsock:
        with open("/etc/os-release") as f:
            st = os.fstat(f.fileno())
            # blindly assumes that sendfile() exhausts the fd.
                opsock.fileno(), f.fileno(), offset=0, count=st.st_size
            res = opsock.recv(512)
msg415901 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2022-03-23 19:49
Neat. I've never used the API, just filing a breadcrumb suggesting we see if it makes sense. Being I/O based, that even takes care of GIL releasing from Python. :)
msg415903 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-23 19:54
test_socket has examples for HMAC, AES-CBC, and AES-GCM.

with self.create_alg('hash', 'hmac(sha1)') as algo:
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe")
    op, _ = algo.accept()
    with op:
        op.sendall(b"what do ya want for nothing?")
        self.assertEqual(op.recv(512), expected)
msg415904 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-23 19:55
And sendfile() is zero-copy. Data does not have to leave Kernel space.
msg416251 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-03-29 10:38
I figured out how to implement copy(). dup() does not work as expected, but accept() on an AF_ALG client socket creates an independent copy.
Date User Action Args
2022-04-11 14:59:57adminsetgithub: 91258
2022-03-29 15:34:13christian.heimessetpull_requests: + pull_request30253
2022-03-29 10:38:52christian.heimessetmessages: + msg416251
2022-03-29 10:29:36christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request30251
2022-03-23 19:55:18christian.heimessetmessages: + msg415904
2022-03-23 19:54:20christian.heimessetmessages: + msg415903
2022-03-23 19:49:29gregory.p.smithsetmessages: + msg415901
2022-03-23 19:45:38christian.heimessetmessages: + msg415899
2022-03-23 19:30:13gregory.p.smithcreate