From heikki at OSAFOUNDATION.ORG Thu Jun 2 00:32:48 2005
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Wed, 1 Jun 2005 15:32:48 -0700
Subject: [PYTHON-CRYPTO] Custom SSL verification callbacks should now work
Message-ID: <429E3790.4060300@osafoundation.org>

Phew, this turned out to be more complicated than I originally thought.
Anyway, now you should be able to set a custom SSL verification callback
with

    def verify_cb(ok, store):
        # Do my custom verification
        return ok

    ctx = SSL.Context()
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9,
                   verify_cb)

Previously that crashed on me every time. Both the new style callback
and the old style callback with 5 arguments are supported, and
everything should be backwards compatible. The 5 argument version is
deprecated.

I would be interested to hear if:

1) You experience any problems with this
2) You were actually using the custom callback successfully before

--
Heikki Toivonen
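A callback with the cb_func(ok, store) signature introduced above, written as an added example (not code from the thread or from M2Crypto). It assumes `store` and the certificate expose the X509_Store_Context-style methods named in the docstring, and it uses a constructed stand-in store so it runs without M2Crypto installed:

```python
"""Added example (not from the thread or from M2Crypto): a verify callback
with the new-style cb_func(ok, store) signature that keeps OpenSSL's
verdict except for one pinned self-signed peer certificate. Assumed
interface, not shown on the page: `store` behaves like
M2Crypto.X509.X509_Store_Context (get_error, get_error_depth,
get_current_cert) and certificates have get_fingerprint(md) -> hex str.
A constructed stand-in store keeps this runnable without M2Crypto."""
import logging

log = logging.getLogger("verify_cb")

# From openssl/x509_vfy.h: the only error this policy may override.
X509_V_OK = 0
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18


def _norm(fingerprint):
    """Compare fingerprints regardless of case and ':' separators."""
    return fingerprint.replace(":", "").lower()


class PinnedVerifyPolicy:
    """Callable suitable for ctx.set_verify(flags, depth, policy)."""

    def __init__(self, pinned_sha1):
        self.pinned = {_norm(fp) for fp in pinned_sha1}
        self.failures = []  # (depth, error) for each element OpenSSL rejected

    def __call__(self, ok, store):
        depth, err = store.get_error_depth(), store.get_error()
        if ok:
            return 1  # OpenSSL accepted this element; nothing to override
        self.failures.append((depth, err))
        fp = _norm(store.get_current_cert().get_fingerprint("sha1"))
        if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and depth == 0
                and fp in self.pinned):
            log.info("accepting pinned self-signed peer certificate")
            return 1
        log.warning("rejecting depth %d, X509_V_ERR %d", depth, err)
        return 0  # returning 1 here would disable verification for this error


# Constructed stand-ins for the M2Crypto objects, so this runs offline.
class _FakeCert:
    def __init__(self, fingerprint):
        self.get_fingerprint = lambda md="sha1": fingerprint


class _FakeStore:
    def __init__(self, error, depth, fingerprint):
        self.get_error = lambda: error
        self.get_error_depth = lambda: depth
        self.get_current_cert = lambda: _FakeCert(fingerprint)


PINNED = "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D"  # constructed


def run_policy(ok, error, depth, fingerprint):
    """One callback invocation on a fresh policy: (verdict, failures)."""
    policy = PinnedVerifyPolicy([PINNED])
    return policy(ok, _FakeStore(error, depth, fingerprint)), policy.failures
```

Returning 1 unconditionally from such a callback disables certificate verification for every error OpenSSL reports, which is why the policy only ever overrides one named error at depth 0.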
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Wed, 8 Jun 2005 20:17:27 -0700
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A7AF32.3010206@mcs.anl.gov>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov>
Message-ID: <42A7B4C7.8010309@osafoundation.org>

Thomas D. Uram wrote:
> Strange. I'm using m2crypto-0.13, and I get this:

[...]

>     return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath or '')
> TypeError: ssl_ctx_load_verify_locations() argument 2 must be string, not None

Ah, I'm working on the latest from Subversion, and I fixed that weeks
ago. I don't know why that was introduced either. The problem in 0.13 is
that last part of the call to m2.ssl_ctx_load_verify_locations - it
should say |capath|, not |capath or ''|.

> I think re-enabling the cafile/capath assertion makes the most sense.

Done.

Thanks for the report,

--
Heikki Toivonen
From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Wed, 8 Jun 2005 20:13:50 -0500
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
Message-ID: <42A797CE.9000705@mcs.anl.gov>

I have two problems with SSL.Context.load_verify_locations:

- OpenSSL regards each of the args cafile and capath as optional, but
  m2crypto requires the cafile arg to be present (via an assertion). Is
  there a reason for this?

- Since these are string args, SWIG requires that they be so, and doesn't
  allow None to be passed in (for mapping to NULL in the C code). A SWIG
  typemap to map from Py_None to NULL for 'char *' args would do the trick
  (and, in fact, seems like the right thing for SWIG to do in general). Is
  there another way round this problem?

I can easily make these changes myself, but wanted to mail the list first
and see if I missed something.

Tom
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Wed, 8 Jun 2005 19:29:24 -0700
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A797CE.9000705@mcs.anl.gov>
References: <42A797CE.9000705@mcs.anl.gov>
Message-ID: <42A7A984.5070805@osafoundation.org>

Thomas D. Uram wrote:
> I have two problems with SSL.Context.load_verify_locations:
>
> - OpenSSL regards each of the args cafile and capath as optional, but
>   m2crypto requires the cafile arg to be present (via an assertion). Is
>   there a reason for this?

I don't know, but I think that assertion is actually bogus. I think it
would make more sense to enable the commented out assertion above.

I don't see why you would want to call this with both cafile and capath
as None. In that case the underlying OpenSSL function returns 0 (for
failure).

> - Since these are string args, SWIG requires that they be so, and doesn't
>   allow None to be passed in (for mapping to NULL in the C code). A SWIG
>   typemap to map from Py_None to NULL for 'char *' args would do the trick
>   (and, in fact, seems like the right thing for SWIG to do in general). Is
>   there another way round this problem?

I think you are mistaken. When I comment out the assert I can call the
method with both capath and cafile as None and it will work as expected
(returns 0).

So, do you want me to take out the assert, or re-enable the assert above
when both of these are None?

--
Heikki Toivonen
From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Wed, 8 Jun 2005 21:53:38 -0500
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A7A984.5070805@osafoundation.org>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org>
Message-ID: <42A7AF32.3010206@mcs.anl.gov>

On 06/08/05 21:29, Heikki Toivonen wrote:
> Thomas D. Uram wrote:
>
>> I have two problems with SSL.Context.load_verify_locations:
>>
>> - OpenSSL regards each of the args cafile and capath as optional, but
>>   m2crypto requires the cafile arg to be present (via an assertion). Is
>>   there a reason for this?
>
> I don't know, but I think that assertion is actually bogus. I think it
> would make more sense to enable the commented out assertion above.

I agree; that's what I've done locally.

> I don't see why you would want to call this with both cafile and capath
> as None. In that case the underlying OpenSSL function returns 0 (for
> failure).

I was unclear. I want to call with only the capath keyword arg.

>> - Since these are string args, SWIG requires that they be so, and doesn't
>>   allow None to be passed in (for mapping to NULL in the C code). A SWIG
>>   typemap to map from Py_None to NULL for 'char *' args would do the trick
>>   (and, in fact, seems like the right thing for SWIG to do in general). Is
>>   there another way round this problem?
>
> I think you are mistaken. When I comment out the assert I can call the
> method with both capath and cafile as None and it will work as expected
> (returns 0).

Strange. I'm using m2crypto-0.13, and I get this:

Traceback (most recent call last):
  File "echod-iterative.py", line 26, in ?
    capath='/home/turam/.AccessGrid/Config/trustedCACerts')
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Context.py", line 115, in load_verify_locations
    return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath or '')
TypeError: ssl_ctx_load_verify_locations() argument 2 must be string, not None

Are you using 0.13?
Should I be working from CVS?

> So, do you want me to take out the assert, or re-enable the assert above
> when both of these are None?

I think re-enabling the cafile/capath assertion makes the most sense.

Tom

From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Thu, 9 Jun 2005 12:07:38 -0500
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A7B4C7.8010309@osafoundation.org>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org>
Message-ID: <42A8775A.9090103@mcs.anl.gov>

Okay, I'm using code from subversion now, and the problem persists when
passing cafile=None and capath="/path/to/ca/certs". I seem to need to
define a typemap to go from None to NULL in _lib.i:

Index: SWIG/_lib.i
===================================================================
--- SWIG/_lib.i (revision 295)
+++ SWIG/_lib.i (working copy)
@@ -462,6 +462,15 @@
     $1=$input;
 }
+%typemap(python, in) char * {
+    if ($input == Py_None) {
+        $1 = NULL;
+    }
+    else {
+        $1 = PyString_AsString($input);
+    }
+}
+
 %typemap(python, in) PyObject * {
     $1=$input;
 }

Also, fwiw, I needed to make this change to make the build, else
PyCodeObject was not found:

Index: SWIG/_m2crypto.i
===================================================================
--- SWIG/_m2crypto.i (revision 295)
+++ SWIG/_m2crypto.i (working copy)
@@ -15,6 +15,8 @@
 #include
 #include <_lib.h>
+#include "compile.h"
+
 static PyObject *ssl_verify_cb_func;
 static PyObject *ssl_info_cb_func;
 static PyObject *ssl_set_tmp_dh_cb_func;

I'm not sure if that's where the include should be added.

On 06/08/05 22:17, Heikki Toivonen wrote:
> Thomas D. Uram wrote:
>
>> Strange. I'm using m2crypto-0.13, and I get this:
>
> [...]
>
>>     return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath or '')
>> TypeError: ssl_ctx_load_verify_locations() argument 2 must be string, not None
>
> Ah, I'm working on the latest from Subversion, and I fixed that weeks
> ago. I don't know why that was introduced either. The problem in 0.13 is
> that last part of the call to m2.ssl_ctx_load_verify_locations - it
> should say |capath|, not |capath or ''|.
>
>> I think re-enabling the cafile/capath assertion makes the most sense.
>
> Done.
>
> Thanks for the report,
>
> --
> Heikki Toivonen

From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Thu, 9 Jun 2005 11:51:13 -0700
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A8775A.9090103@mcs.anl.gov>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org> <42A8775A.9090103@mcs.anl.gov>
Message-ID: <42A88FA1.2020204@osafoundation.org>

Thomas D. Uram wrote:
> Okay, I'm using code from subversion now, and the problem persists when
> passing cafile=None and capath="/path/to/ca/certs". I seem to need to
> define a typemap to go from None to NULL in _lib.i:

OS version?
Python version?
SWIG version?

Anything else?

--
Heikki Toivonen
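Review bot: the `%typemap(python, in) char *` in the _lib.i hunk above uses the result of `PyString_AsString($input)` unchecked. For a non-string argument (an int, say) that call returns NULL and sets a TypeError, so the wrapper continues with $1 = NULL exactly as if None had been passed, leaving the exception pending and handing a NULL to C code that may dereference it. Add a check after the else branch, e.g. `if ($1 == NULL) return NULL;` (or SWIG_fail where the SWIG in use defines it). Also, because the typemap is unnamed it applies to every char * parameter of every wrapped function in the module, not just the cafile/capath arguments that the thread says OpenSSL treats as optional; restrict it by parameter name (`%typemap(python, in) char *cafile`, and the same for capath) or audit every other char * entry point for NULL handling before making None acceptable everywhere.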
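Review bot: the `+#include "compile.h"` line in the _m2crypto.i hunk above carries no comment saying why it is needed; the cover text says it is to get PyCodeObject declared, and a later reader of the .i file will not know that. Put that reason in a comment on the line, group it with the other Python includes rather than after `<_lib.h>` so the dependency on the interpreter's headers is visible in one place, and check which Python versions actually need it before making the include unconditional, since the cover text itself says the placement is uncertain.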
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Thu, 9 Jun 2005 15:48:37 -0700
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A8A220.5030304@mcs.anl.gov>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org> <42A8775A.9090103@mcs.anl.gov> <42A88FA1.2020204@osafoundation.org> <42A8A220.5030304@mcs.anl.gov>
Message-ID: <42A8C745.2080607@osafoundation.org>

Thomas D. Uram wrote:
> swig 1.3.21
>
> Maybe a later swig adds the typemap I need?

Yes, please try 1.3.24.

But if it turns out 1.3.21 would be easy to support (gotta take a more
careful look at your patches) then I think it would make sense to do so
as well.

--
Heikki Toivonen

From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Thu, 9 Jun 2005 15:10:08 -0500
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A88FA1.2020204@osafoundation.org>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org> <42A8775A.9090103@mcs.anl.gov> <42A88FA1.2020204@osafoundation.org>
Message-ID: <42A8A220.5030304@mcs.anl.gov>

Relevant versions:

Gentoo Linux 2.6.8
openssl 0.9.7g
python 2.3.3
swig 1.3.21

Maybe a later swig adds the typemap I need?

Tom

On 06/09/05 13:51, Heikki Toivonen wrote:
> Thomas D. Uram wrote:
>
>> Okay, I'm using code from subversion now, and the problem persists when
>> passing cafile=None and capath="/path/to/ca/certs". I seem to need to
>> define a typemap to go from None to NULL in _lib.i:
>
> OS version?
> Python version?
> SWIG version?
>
> Anything else?
>
> --
> Heikki Toivonen
From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Mon, 13 Jun 2005 12:44:14 -0500
Subject: [PYTHON-CRYPTO] Custom SSL verification callbacks should now work
In-Reply-To: <429E3790.4060300@osafoundation.org>
References: <429E3790.4060300@osafoundation.org>
Message-ID: <42ADC5EE.60008@mcs.anl.gov>

I'm running the latest m2crypto source from subversion with swig 1.3.24,
using the echo demos, and SSL.cb.ssl_verify_callback, which is of the
older five-argument form, does not work.

I'm running demo/ssl/echo.py against demo/ssl/echod-iterative.py. echo.py
calls set_verify to set SSL.cb.ssl_verify_callback, and fails like so:

LOOP: SSL connect: before/connect initialization
LOOP: SSL connect: SSLv3 write client hello A
LOOP: SSL connect: SSLv3 read server hello A
/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py:124: DeprecationWarning: Old style callback, use cb_func(ok, store) instead
  return m2.ssl_connect(self.ssl)
in ssl_verify_callback
Traceback (most recent call last):
  File "echo.py", line 39, in ?
    s.connect((host, port))
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 131, in connect
    ret = self.connect_ssl()
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 124, in connect_ssl
    return m2.ssl_connect(self.ssl)
M2Crypto.SSL.SSLError: certificate verify failed

Examining the exception that occurs in ssl_verify_callback, I found that
the map in Context.py from C objects to python objects doesn't include
the C context object passed into the verify callback (as ssl_ctx_ptr).
That's as far as I chased it.

If I replace ssl_verify_callback with my own custom verify_callback, of
either the two-arg or five-arg form:

    def verify_callback(ok,store):
        return ok

    def fiveargs_verify_callback(ctx_ptr,x509_ptr,errnum,errdrpth,ok):
        return ok

it works fine.

Tom

On 06/01/05 17:32, Heikki Toivonen wrote:
> Phew, this turned out to be more complicated than I originally thought.
> Anyway, now you should be able to set a custom SSL verification callback
> with
>
> def verify_cb(ok, store):
>     # Do my custom verification
>     return ok
>
> ctx = SSL.Context()
> ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9,
> verify_cb)
>
> Previously that crashed on me every time. Both the new style callback
> and the old style callback with 5 arguments are supported, and
> everything should be backwards compatible. The 5 argument version is
> deprecated.
>
> I would be interested to hear if:
>
> 1) You experience any problems with this
> 2) You were actually using the custom callback successfully before
>
> --
> Heikki Toivonen
From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Mon, 13 Jun 2005 12:48:19 -0500
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42A8C745.2080607@osafoundation.org>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org> <42A8775A.9090103@mcs.anl.gov> <42A88FA1.2020204@osafoundation.org> <42A8A220.5030304@mcs.anl.gov> <42A8C745.2080607@osafoundation.org>
Message-ID: <42ADC6E3.4000507@mcs.anl.gov>

Okay, the type mapping problem I was having is resolved by using swig
1.3.24 with latest m2crypto (from subversion). The following two issues
remain:

- The build still requires the inclusion of compile.h as I indicated
  earlier in this thread.

- swig 1.3.24 emits many deprecation warnings (complaining that %name has
  changed to %rename)

So, it looks like I would want to use the development code instead of the
0.13 release. Is there a timeline for the next release?

Tom

On 06/09/05 17:48, Heikki Toivonen wrote:
> Thomas D. Uram wrote:
>
>> swig 1.3.21
>>
>> Maybe a later swig adds the typemap I need?
>
> Yes, please try 1.3.24.
>
> But if it turns out 1.3.21 would be easy to support (gotta take a more
> careful look at your patches) then I think it would make sense to do so
> as well.
>
> --
> Heikki Toivonen
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Tue, 14 Jun 2005 10:19:58 -0700
Subject: [PYTHON-CRYPTO] Custom SSL verification callbacks should now work
In-Reply-To: <42ADC5EE.60008@mcs.anl.gov>
References: <429E3790.4060300@osafoundation.org> <42ADC5EE.60008@mcs.anl.gov>
Message-ID: <42AF11BE.7020101@osafoundation.org>

Thomas D. Uram wrote:
> I'm running demo/ssl/echo.py against demo/ssl/echod-iterative.py. echo.py
> calls set_verify to set SSL.cb.ssl_verify_callback, and fails like so:

Thanks, filed as http://bugzilla.osafoundation.org/show_bug.cgi?id=3257

--
Heikki Toivonen
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Tue, 14 Jun 2005 10:26:51 -0700
Subject: [PYTHON-CRYPTO] SSL.Context.load_verify_locations
In-Reply-To: <42ADC6E3.4000507@mcs.anl.gov>
References: <42A797CE.9000705@mcs.anl.gov> <42A7A984.5070805@osafoundation.org> <42A7AF32.3010206@mcs.anl.gov> <42A7B4C7.8010309@osafoundation.org> <42A8775A.9090103@mcs.anl.gov> <42A88FA1.2020204@osafoundation.org> <42A8A220.5030304@mcs.anl.gov> <42A8C745.2080607@osafoundation.org> <42ADC6E3.4000507@mcs.anl.gov>
Message-ID: <42AF135B.1040108@osafoundation.org>

Thomas D. Uram wrote:
> Okay, the type mapping problem I was having is resolved by using swig
> 1.3.24 with latest

Cool.

> m2crypto (from subversion). The following two issues remain:
>
> - The build still requires the inclusion of compile.h as I indicated
>   earlier in this thread.

Ok, filed as https://bugzilla.osafoundation.org/show_bug.cgi?id=3258

> - swig 1.3.24 emits many deprecation warnings (complaining that %name has
>   changed to %rename)

Yes, this is known. I'd like to keep it as it is until %name won't be
supported anymore, and then bump the required swig version number
appropriately.

> So, it looks like I would want to use the development code instead of
> the 0.13 release. Is there a timeline for the next release?

I haven't heard from Ng in a while, but I plan to make a first release
candidate during the M2Crypto sprint at Europython in three weeks or so.
I'd like to use a similar process as OpenSSL does, to gather reports of
successful builds, regressions, problems etc. and then do the actual
release when things seem good.

I will go on vacation after Europython, so unless Ng picks things up, the
release probably won't happen until late July at the earliest.

--
Heikki Toivonen
From: greg at ELECTRICRAIN.COM (Gregory P. Smith)
Date: Wed, 15 Jun 2005 01:03:53 -0700
Subject: [PYTHON-CRYPTO] hashlib - faster md5/sha, adds sha256/512 support
Message-ID: <20050615080353.GB25592@zot.electricrain.com>

I sent this to python-dev but forgot to cc it here. (no response so far).
Anyways this proposes a hashlib module for a future python standard
library that sports md5, sha1, sha224-sha512 using openssl's optimized
implementations when available but including its own (existing or
libtomcrypt derived) otherwise so that all python installations have the
hashes available.

----- Forwarded message from "Gregory P. Smith" -----
From: "Gregory P. Smith"
Subject: [Python-Dev] hashlib - faster md5/sha, adds sha256/512 support
To: python-dev at python.org
Date: Sat, 11 Jun 2005 20:47:23 -0700

I have finished up the hashlib work I started on in feb/march for patch
1121611 and 935454 after some discussion on this list. The full patch
including tests and module documentation has been posted in the sf patch
1121611 as hashlib-008. I believe it is done and ready and would like to
commit it after a review. Let the reviewing begin!

For easy viewing, here's what the module documentation looks like:
http://electricrain.com/greg/hashlib-py25-doc/module-hashlib.html

The code is in the hashlib-008.patch file:
http://redirx.com/?3e19

hashlib incorporates both the 1121611 openssl hash support and the 935454
sha256+sha512 module support into a single hashlib module that picks the
fastest implementation of each algorithm to use. OpenSSL's implementations
of md5 and sha1 are nearly 2x as fast as the existing python builtin
versions. The (now legacy) md5 and sha modules are turned into simple
stubs that use hashlib.

The actual sourceforge patch tracker entries:
https://sourceforge.net/tracker/?func=detail&aid=1121611&group_id=5470&atid=305470
https://sourceforge.net/tracker/?func=detail&aid=935454&group_id=5470&atid=305470

Greg

----- End forwarded message -----

From: m.bizzarri at ICUBE.IT (Marco Bizzarri)
Date: Thu, 16 Jun 2005 15:42:04 +0200
Subject: [PYTHON-CRYPTO] Small patch to SMIME.py
Message-ID: <42B181AC.4090601@icube.it>

Hi all.

I don't know if you will find it useful... we added this method to
SMIME.py since it was not available:

    def load_pkcs7_bio_der(p7_bio):
        # DER reader in the SWIG layer; returns None when parsing fails
        p7_ptr = m2.pkcs7_read_bio_der(p7_bio._ptr())
        if p7_ptr is None:
            # raise the module's exception class rather than the bare error string
            raise PKCS7_Error(Err.get_error())
        # inside SMIME.py the class is PKCS7 (not SMIME.PKCS7); 1 = Python frees p7_ptr
        return PKCS7(p7_ptr, 1)

This is because load_pkcs7_bio loads a PEM encoded file, but, of course,
chokes on a DER file.

Regards

Marco
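Since the PEM loader chokes on DER input, a caller has to know which encoding it holds before choosing load_pkcs7_bio or load_pkcs7_bio_der. The sniffing below is an added example, not code from the thread or from M2Crypto; the two loaders are injected as callables on bytes, and the M2Crypto wrappers named in the docstring are assumed, not shown on the page:

```python
"""Added example (not from the thread or from M2Crypto): choose the PEM or
DER PKCS#7 loader from the bytes themselves, since the PEM loader chokes
on DER input. The two loaders are injected as callables taking bytes;
with M2Crypto they would be wrapped as (assumed, not on the page):
    lambda b: SMIME.load_pkcs7_bio(BIO.MemoryBuffer(b))
    lambda b: SMIME.load_pkcs7_bio_der(BIO.MemoryBuffer(b))"""

PEM_HEADER = b"-----BEGIN PKCS7-----"
PEM_FOOTER = b"-----END PKCS7-----"


def der_sequence_length(data):
    """Total encoded size of the DER SEQUENCE at data[0], or None if the
    header is not a well-formed definite-length SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # 0x80 (indefinite) is BER, not DER
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:
        return None                       # DER requires the minimal encoding
    return 2 + n + length


def detect_pkcs7_encoding(data):
    """Return 'pem' or 'der'; raise ValueError for anything else."""
    body = data.lstrip()
    if body.startswith(PEM_HEADER):
        if PEM_FOOTER not in body:
            raise ValueError("truncated PEM PKCS#7 object")
        return "pem"
    total = der_sequence_length(data)
    if total is not None and total == len(data):
        return "der"
    raise ValueError("neither PEM nor complete DER PKCS#7 object")


def load_pkcs7_auto(data, load_pem, load_der):
    """Dispatch to the right loader; ValueError propagates for bad input."""
    if detect_pkcs7_encoding(data) == "pem":
        return load_pem(data)
    return load_der(data)


# Constructed inputs: a PEM wrapper (body is not a real signature) and two
# minimal DER SEQUENCEs, one short-form and one long-form length.
PEM_SAMPLE = PEM_HEADER + b"\nMIIBAgA=\n" + PEM_FOOTER + b"\n"
DER_SHORT = b"\x30\x03\x02\x01\x05"              # SEQUENCE { INTEGER 5 }
DER_LONG = b"\x30\x82\x01\x00" + b"\x05\x00" * 128  # SEQUENCE of 256 bytes
DER_TRUNCATED = DER_LONG[:-1]
```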