Hi,

I have 7 patches for 3.6 ready for merging. The new features were discussed on Security-SIG and reviewed by Victor or GPS. The patches just need one final review and an ACK. The first three patches should land in 2.7, 3.4 and 3.5, too.

http://bugs.python.org/issue26470 Make OpenSSL module compatible with OpenSSL 1.1.0
https://bugs.python.org/issue27850 Remove 3DES from cipher list (sweet32 CVE-2016-2183) Also adds ChaCha20 Poly1305
http://bugs.python.org/issue27691 X509 cert with GEN_RID subject alt name causes SytemError
http://bugs.python.org/issue27866 ssl: get list of enabled ciphers
https://bugs.python.org/issue27744 Add AF_ALG (Linux Kernel crypto) to socket module
http://bugs.python.org/issue16113 Add SHA-3 and SHAKE (Keccak) support
http://bugs.python.org/issue26798 add BLAKE2 to hashlib

Christian
On 2016-08-31 22:31, Christian Heimes wrote:
> Hi,
>
> I have 7 patches for 3.6 ready for merging. The new features were discussed on Security-SIG and reviewed by Victor or GPS. The patches just need one final review and an ACK. The first three patches should land in 2.7, 3.4 and 3.5, too.
>
> http://bugs.python.org/issue26470 Make OpenSSL module compatible with OpenSSL 1.1.0
> https://bugs.python.org/issue27850 Remove 3DES from cipher list (sweet32 CVE-2016-2183) Also adds ChaCha20 Poly1305
> http://bugs.python.org/issue27691 X509 cert with GEN_RID subject alt name causes SytemError
> http://bugs.python.org/issue27866 ssl: get list of enabled ciphers
> https://bugs.python.org/issue27744 Add AF_ALG (Linux Kernel crypto) to socket module
> http://bugs.python.org/issue16113 Add SHA-3 and SHAKE (Keccak) support
> http://bugs.python.org/issue26798 add BLAKE2 to hashlib

And another one:

http://bugs.python.org/issue27928 Add hashlib.scrypt

Christian
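A check that combines two items from the patch list above (issue27850, removal of 3DES, and issue27866, listing enabled ciphers), as an added example that is not part of the thread or the patches. The function names and the sample entries are constructed; treating DES, IDEA and RC2 alongside 3DES as 64-bit block ciphers is an addition beyond what the thread names.

```python
import re
import ssl

# get_ciphers() entries carry an OpenSSL description such as
# "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1".
ENC_RE = re.compile(r"Enc=([^\s(]+)\((\d+)\)")

# 64-bit block ciphers (the Sweet32 class). The thread names only 3DES;
# the other three are an assumption added for this example.
SMALL_BLOCK = {"3DES", "DES", "IDEA", "RC2"}


def audit_ciphers(ciphers):
    """Classify dicts shaped like SSLContext.get_ciphers() output."""
    report = {"sweet32": [], "chacha20": []}
    for entry in ciphers:
        match = ENC_RE.search(entry.get("description", ""))
        enc = match.group(1).upper() if match else ""
        if enc in SMALL_BLOCK:
            report["sweet32"].append(entry["name"])
        elif enc.startswith("CHACHA20"):
            report["chacha20"].append(entry["name"])
    return report


def audit_context(ctx=None):
    """Audit a context; defaults to the interpreter's default client context."""
    ctx = ctx or ssl.create_default_context()
    return audit_ciphers(ctx.get_ciphers())


# Constructed sample entries (only the keys the audit reads).
SAMPLE = [
    {"name": "ECDHE-RSA-CHACHA20-POLY1305",
     "description": "ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=CHACHA20/POLY1305(256) Mac=AEAD"},
    {"name": "DES-CBC3-SHA",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
    {"name": "AES128-SHA",
     "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
]

if __name__ == "__main__":
    print("sample :", audit_ciphers(SAMPLE))
    print("default:", audit_context())
```
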
2016-08-31 22:31 GMT+02:00 Christian Heimes
> https://bugs.python.org/issue27744 Add AF_ALG (Linux Kernel crypto) to socket module

This patch adds a new socket.sendmsg_afalg() method on Linux.

"afalg" comes from AF_ALG which means "Address Family Algorithm". It's documented as "af_alg: User-space algorithm interface" in crypto/af_alg.c.

IMHO the method should be just "sendmsg_alg()", because "afalg" is redundant. The AF_ prefix is only used to work around a C limitation: there is no namespace in the language, all symbols are in one single giant namespace.

I don't expect that a platform will add a new sendmsg_alg() C function. If it's the case, we will see how to handle the name conflict ;-)

Victor
On 2016-09-01 23:15, Victor Stinner wrote:
> 2016-08-31 22:31 GMT+02:00 Christian Heimes:
>> https://bugs.python.org/issue27744 Add AF_ALG (Linux Kernel crypto) to socket module
>
> This patch adds a new socket.sendmsg_afalg() method on Linux.
>
> "afalg" comes from AF_ALG which means "Address Family Algorithm". It's documented as "af_alg: User-space algorithm interface" in crypto/af_alg.c.
>
> IMHO the method should be just "sendmsg_alg()", because "afalg" is redundant. The AF_ prefix is only used to work around a C limitation: there is no namespace in the language, all symbols are in one single giant namespace.
>
> I don't expect that a platform will add a new sendmsg_alg() C function. If it's the case, we will see how to handle the name conflict ;-)

Hi,

afalg is pretty much the standard name for Linux Kernel crypto. For example OpenSSL 1.1.0 introduced a crypto engine to offload AES. The engine is called 'afalg' [1]. Other documentation refers to the interface as either afalg or AF_ALG, too. I prefer to use an established name for the method.

Christian

[1] https://github.com/openssl/openssl/blob/master/engines/afalg/e_afalg.c#L88
On 4 September 2016 at 20:57, Christian Heimes
> On 2016-09-01 23:15, Victor Stinner wrote:
>> 2016-08-31 22:31 GMT+02:00 Christian Heimes:
>>> https://bugs.python.org/issue27744 Add AF_ALG (Linux Kernel crypto) to socket module
>>
>> This patch adds a new socket.sendmsg_afalg() method on Linux.
>>
>> "afalg" comes from AF_ALG which means "Address Family Algorithm". It's documented as "af_alg: User-space algorithm interface" in crypto/af_alg.c.
>>
>> IMHO the method should be just "sendmsg_alg()", because "afalg" is redundant. The AF_ prefix is only used to work around a C limitation: there is no namespace in the language, all symbols are in one single giant namespace.
>>
>> I don't expect that a platform will add a new sendmsg_alg() C function. If it's the case, we will see how to handle the name conflict ;-)
>
> Hi,
>
> afalg is pretty much the standard name for Linux Kernel crypto. For example OpenSSL 1.1.0 introduced a crypto engine to offload AES. The engine is called 'afalg' [1]. Other documentation refers to the interface as either afalg or AF_ALG, too. I prefer to use an established name for the method.

Right, there's a confusability problem here not just at the API level, but at a general terminology level: "alg" is just short for "algorithm", which is way too generic to be meaningful. Once you put the "af" qualifier in front though, it's clear you're not just talking about algorithms in general, you're referring to AF_ALG in particular.

Putting the alternatives into Google and seeing which one gives more relevant results also suggests afalg as the clear winner, since the first link returned is the OpenSSL engine for it, while even qualifying "alg" with "ssl" doesn't get you relevant information:

* https://www.google.com.au/search?q=afalg
* https://www.google.com.au/search?q=alg
* https://www.google.com.au/search?q=alg#q=alg+ssl

(that afalg repo unfortunately doesn't have a useful README, but at least the first link is relevant, unlike the results for "alg" and "alg ssl")

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
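The socket.sendmsg_afalg() method whose name is debated in this thread, shown in use as an added example that is not part of the thread or the patch: AES-CBC through the kernel's AF_ALG interface. The helper names are hypothetical; the key, IV and plaintext are the first block of the published NIST SP 800-38A CBC-AES128 test vector. Both helpers return None where AF_ALG is not available.

```python
import socket


def afalg_aes_cbc(op, key, iv, data):
    """AES-CBC in the Linux kernel via AF_ALG; None if AF_ALG is unavailable."""
    if len(data) % 16:
        raise ValueError("CBC input must be a multiple of the 16-byte AES block")
    if not hasattr(socket, "AF_ALG"):  # non-Linux build or Python < 3.6
        return None
    try:
        # The algorithm socket selects the transform and carries the key.
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as algo:
            algo.bind(("skcipher", "cbc(aes)"))
            algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            # accept() returns the operation socket that the data flows through.
            opsock, _ = algo.accept()
            with opsock:
                # sendmsg_afalg() sends the data together with the control
                # messages for direction (op) and IV.
                opsock.sendmsg_afalg([data], op=op, iv=iv)
                return opsock.recv(len(data))
    except OSError:  # kernel lacks the algorithm, or the sandbox blocks AF_ALG
        return None


def roundtrip(key, iv, plaintext):
    """Encrypt then decrypt; returns (ciphertext, recovered) or None."""
    if not hasattr(socket, "AF_ALG"):
        return None
    ciphertext = afalg_aes_cbc(socket.ALG_OP_ENCRYPT, key, iv, plaintext)
    if ciphertext is None:
        return None
    recovered = afalg_aes_cbc(socket.ALG_OP_DECRYPT, key, iv, ciphertext)
    return ciphertext, recovered


# NIST SP 800-38A, CBC-AES128, first block.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
IV = bytes(range(16))
PLAINTEXT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")

if __name__ == "__main__":
    result = roundtrip(KEY, IV, PLAINTEXT)
    print("AF_ALG unavailable" if result is None else result[0].hex())
```
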
participants (3)
- Christian Heimes
- Nick Coghlan
- Victor Stinner