[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-25 Thread Gregory P. Smith 

Gregory P. Smith added the comment:

The processor capabilities vector is not the API you want.

What you want is an API to ask the ssl library about characteristics of 
algorithm implementations it will be using.

Those are not the same thing.

If we want to expose processor capabilities as a library function it should not 
be done in the ssl module.  That information belongs in the platform module.  
And doing so should not require a third party library such as OpenSSL.  
Querying capabilities is a very simple instruction and every platform 
architecture specific C macros to do it.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-25 Thread Antoine Pitrou 

Antoine Pitrou added the comment:

If we wanted to expose such information, we would need to do it in a dedicated 
module (or in `os`) and provide something that doesn't restrict itself to two 
particular x86 flags.

requests can rely on a private attribute if they really want to.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-25 Thread Christian Heimes 

Christian Heimes added the comment:

Why? Other libraries like requests like to use the information, too.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-25 Thread Antoine Pitrou 

Antoine Pitrou added the comment:

The constants would have to be private, too. We really don't want to encourage 
other users to rely on them.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-25 Thread Christian Heimes 

Christian Heimes added the comment:

GPS, sure it is simple enough under Linux. But what about other operating 
systems? OPENSSL_ia32cap_loc() works under Windows, too.

Antoine, AES-GCM is still faster and performs better than ChaCha20 Poly1305. 
NSS and Mozilla's recommended cipher suite list prefers AES-GCM over ChaCha20, 
too. https://wiki.mozilla.org/Security/Server_Side_TLS

It's reasonable and simple to provide the best cipher suite that matches the 
systems' capabilities. As Alex stated, performance is security.

To provide the CPU capabilities to the ssl module and 3rd party authors (e.g. 
Cory asked on behalf of requests), let's keep ssl._ia32cap() a private function 
and just add two constants: HAVE_AESNI = True/False/None, HAVE_PCLMULQDQ = 
True/False/None (None: ia32cap is not available on the system). Is that ok with 
you?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-22 Thread Antoine Pitrou 

Antoine Pitrou added the comment:

I still think it's a slippery slope to include such specialized APIs that most 
people don't know what to make of.  This reminds me of `RAND_egd()`.

If ChaCha20-Poly1305 is always /at least/ as secure as AES-GCM (and sometimes 
more), then we should simply prioritize it in the cipher list, regardless of a 
potentially poorer performance that probably never has an actual impact on the 
Python-written application (correct me if I'm wrong here).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-22 Thread Alex Gaynor 

Alex Gaynor added the comment:

In this case, performance is security. Both AES-GCM and ChaCha20-Poly1305 are 
secure. Modulo one thing: GCM in software is hard to implement in 
constant-time, so it's strongly preferable to use it only when there's a 
hardware implementation. It works out nicely that in addition to being 
constant-time, the hardware implementation of GCM is faster.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-22 Thread Antoine Pitrou 

Antoine Pitrou added the comment:

Agreed with Gregory.

I'm also surprised you consider selecting a cipher suite based on performance 
considerations rather than security. I'm not sure that's something we want to 
promote.

(btw, AES speed is usually not a critical factor except in very specific 
situations)

--
nosy: +pitrou

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-16 Thread Gregory P. Smith 

Gregory P. Smith added the comment:

This is very architecture specific and focused on low level information that 
you can also already get from places like /proc/cpuinfo on Linux.

Also, regardless of what capability bits a CPU exposes that has nothing to do 
with what accelerations the underlying library implementation itself actually 
supports.

For your example purpose of choosing which algorithm to use, testing the actual 
performance of each option in your code at startup time seems more foolproof in 
any application running long enough for performance to be an issue.

I expect in most common situations you can just use ctypes to call this 
function from openssl if you feel you must use it.

I'm not convinced it belongs in the stdlib.

--
nosy: +gregory.p.smith

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue27768] ssl: add public API for IA-32 processor capabilities vector

2016-08-15 Thread Christian Heimes 

New submission from Christian Heimes:

OpenSSL has a function called OPENSSL_ia32cap_loc() to get the processor's 
capability vector in X86 and X86_64 systems. The information is useful to 
decide which cipher suite to prefer. For example on machines without AES-NI and 
CLMUL CPU instructions, ChaCha20 should be prefered over AES-GCM. 

https://www.openssl.org/docs/man1.0.2/crypto/OPENSSL_ia32cap_loc.html

#27766 just exposes the plain OPENSSL_ia32cap_loc(). A richer API should parse 
the bit field and expose the bits as structure.

--
components: Extension Modules
messages: 272763
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen
priority: normal
severity: normal
status: open
title: ssl: add public API for IA-32 processor capabilities vector
type: enhancement
versions: Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com