New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AF_ALG (Linux Kernel crypto) to socket module #71931
Comments
Linux has a netlink-based user-space interface for Kernel cryptography. Kernel based crypto has a couple of advantages that are explained at http://www.chronox.de/libkcapi/html/ch01s02.html . The document doesn't mention that a crypto socket also supports splicing and sendfile. Files no longer have to be copied to user-space. My experimental branch https://github.com/tiran/cpython/commits/feature/af_alg implements af_alg support. Example: from socket import socket, AF_ALG, SOCK_SEQPACKET, SOL_ALG, ALG_SET_KEY
from binascii import hexlify
with socket(AF_ALG, SOCK_SEQPACKET, 0) as alg:
alg.bind(('hash', 'hmac(sha512)'))
alg.setsockopt(SOL_ALG, ALG_SET_KEY, b'key')
op, _ = alg.accept()
with open('/etc/passwd', 'rb') as f:
op.sendfile(f)
print(hexlify(op.recv(64)))
op.close() |
Working patch with tests and documentation. socket.algset() isn't strictly necessary but makes the feature much more pleasant to use. I accept ideas for a better name, though. |
I reviewed AF_ALG-kernel-crypto-support-for-socket-module.patch. |
Thanks for your review, Victor. I have addressed most of your remarks.
|
New patch with setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, taglen) instead of (None, taglen). |
I have removed binascii.(un)hexlify(). |
New changeset 74ce062a0397 by Christian Heimes in branch 'default': |
New changeset 52404f9596b5 by Christian Heimes in branch 'default': |
New changeset ee32af890e27 by Christian Heimes in branch 'default': |
New changeset 4ebe3ade6922 by Christian Heimes in branch 'default': |
Despite the last changes, test_aes_cbc() hangs for fifteen minutes: |
Also, the Gentoo buildbots fail: Traceback (most recent call last):
File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/support/__init__.py", line 523, in wrapper
return func(*args, **kw)
File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/test_socket.py", line 5428, in test_aead_aes_gcm
with self.create_alg('aead', 'gcm(aes)') as algo:
File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/test_socket.py", line 5346, in create_alg
sock.bind((typ, name))
FileNotFoundError: [Errno 2] No such file or directory Similar failures for test_aes_cbc test_drbg_pr_sha256 test_hmac_sha1 test_sha256. |
It's Linux 4.4.6. configure says "checking for sockaddr_alg... yes". |
New changeset e3b83bfa02c5 by Christian Heimes in branch 'default': |
Some distributions mess with the Kernel or disable user-space crypto. I have added some tweaks and fixed a couple of buildbots. I don't know what is going on with x86-64 Ubuntu 15.10 Skylake CPU. It's a Kernel 4.2 machine and should support AES-CBC. |
My PC is Ubuntu15.10, kernel 4.2, though CPU not Skylake. Everything works fine. test_aead_aes_gcm (test.test_socket.LinuxKernelCryptoAPI) ... skipped "('[Errno 2] No such file or directory', 'aead', 'gcm(aes)')" |
x86-64 Ubuntu 15.10 Skylake CPU 3.x is still blocking. It looks like I have to add another workaround for a Ubuntu quirk. |
New changeset 55d77f5a7cb3 by Christian Heimes in branch 'default': |
New changeset a951f8f30922 by Victor Stinner in branch 'default': New changeset 3a6917c73857 by Victor Stinner in branch 'default': |
What is the status of this issue? test_aead_aes_gcm() fails on my Fedora 25 (Python: default branch). haypo@selma$ cat /etc/fedora-release test test_socket failed -- Traceback (most recent call last):
File "/home/haypo/prog/python/default/Lib/test/support/__init__.py", line 556, in wrapper
return func(*args, **kw)
File "/home/haypo/prog/python/default/Lib/test/test_socket.py", line 5515, in test_aead_aes_gcm
res = op.recv(assoclen + len(plain) + taglen)
OSError: [Errno 22] Invalid argument |
I'll look into the matter and push a fix after the migration to github today. |
By the way problem with AES-GCM is tracked in https://bugs.python.org/issue29324 . It was caused in a Kernel API change. Jan has provided a fix. I need to find some spare time to dig into Kernel sources and verify the patch. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: