From heikki at OSAFOUNDATION.ORG Fri May 6 20:03:56 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Fri, 6 May 2005 11:03:56 -0700 Subject: [PYTHON-CRYPTO] OpenSSL const changes in public APIs Message-ID: <427BB18C.204@osafoundation.org> I just realized that latest M2Crypto does not compile against latest OpenSSL due to const changes in OpenSSL public APIs. I'd like to get your opinions on how to solve this: a) change M2Crypto to expect the latest OpenSSL 0.9.7g APIs b) #ifdef all the const differences based on OpenSSL version (I think they have trickled the changes in several versions, so this would get really messy and I don't especially like to test against several OpenSSL versions) c) something else -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From gvanrossum at GMAIL.COM Sun May 8 06:42:41 2005 From: gvanrossum at GMAIL.COM (Guido van Rossum) Date: Sat, 7 May 2005 21:42:41 -0700 Subject: [PYTHON-CRYPTO] OpenSSL const changes in public APIs In-Reply-To: <427BB18C.204@osafoundation.org> References: <427BB18C.204@osafoundation.org> Message-ID: I think it's important not to force one particular version of OpenSSL. On 5/6/05, Heikki Toivonen wrote: > I just realized that latest M2Crypto does not compile against latest > OpenSSL due to const changes in OpenSSL public APIs. > > I'd like to get your opinions on how to solve this: > > a) change M2Crypto to expect the latest OpenSSL 0.9.7g APIs > b) #ifdef all the const differences based on OpenSSL version (I think > they have trickled the changes in several versions, so this would get > really messy and I don't especially like to test against several OpenSSL > versions) > c) something else > > -- > Heikki Toivonen > > > -- --Guido van Rossum (home page: http://www.python.org/~guido/) From magnus at THERNING.ORG Fri May 6 08:46:19 2005 From: magnus at THERNING.ORG (Magnus Therning) Date: Fri, 6 May 2005 07:46:19 +0100 Subject: [PYTHON-CRYPTO] Advice on deriving a symmetric key from a password in Python Message-ID: <20050506064619.GA7680@chello.nl> I hope I'm not entirely out of line posting this question to this mailing list :-) I am looking for a good way to convert a password entered by a user into a key usable for a symmetric encryption algorithm. First I was thinking of just hashing the password but that puts limitations on the length of the keys that I can use for encryption later on. My next thought was to use some sort of chained hashing, e.g.: h = SHA.new(pwd) symmetric_key = '' while len(symmentric_key) < desired_len: symmetric_key = symmetric_key + h.digest()[:10] h.update(h.digest()[10:]) return symmetric_key[:desired_len] However, I'm not sure that's a good thing to do, from a cryptographical point of view. My "Secure Programming Cookbook for C and C++" suggests using PKCS5 (PBKDF2) but Google didn't turn up any Python implentation of it :( The password won't be stored anywhere, it will only be used for encrypting text, which will be stored. (So, if I'm thinking correctly I don't really need to use a salt when constructing the symmetric key. Am I right?) Any suggestion/pointers? /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus at therning.org http://magnus.therning.org/ Software is not manufactured, it is something you write and publish. Keep Europe free from software patents, we do not want censorship by patent law on written works. Found in comp.lang.scheme: > What's so great about the lambda calculus? In a profession plagued by, "when all you have is a hammer, everything looks like a nail," we get really excited when someone is able to come along and prove that everything really *is* a nail if lambda is the hammer. -- brlewis at my-deja.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From heikki at OSAFOUNDATION.ORG Sat May 14 02:41:23 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Fri, 13 May 2005 17:41:23 -0700 Subject: [PYTHON-CRYPTO] M2Crypto changes, please test Message-ID: <42854933.6050800@osafoundation.org> I just checked in a bunch of changes to M2Crypto, including the OpenSSL const changes (tested with OpenSSL 0.9.7 d, e, g), some memory leak fixes in *.i files, and patches submitted by others for some additional functionality. Currently open bugs: https://bugzilla.osafoundation.org/buglist.cgi?product=M2Crypto&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED Please let me know if I broke something, if you have more feature requests, or patches lying around. -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From bugbee at SEANET.COM Sun May 22 09:50:02 2005 From: bugbee at SEANET.COM (Larry Bugbee) Date: Sun, 22 May 2005 09:50:02 +0200 Subject: [PYTHON-CRYPTO] SSL/Context.py Message-ID: I needed to change line 41 to read map()['self.ctx'] = self # added tics Also, the demo test certs have expired. Just thot you should know. Larry From heikki at OSAFOUNDATION.ORG Sun May 22 23:14:26 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Sun, 22 May 2005 14:14:26 -0700 Subject: [PYTHON-CRYPTO] SSL/Context.py In-Reply-To: References: Message-ID: <4290F632.4030100@osafoundation.org> Larry Bugbee wrote: > I needed to change line 41 to read > map()['self.ctx'] = self # added tics Are you using SWIG 1.3.24? I had that problem when I switched, and I have checked in a fix for that, so if you pull the latest from Subversion it should work without this change. > Also, the demo test certs have expired. Filed a bug, thanks. -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From bugbee at SEANET.COM Mon May 23 01:49:30 2005 From: bugbee at SEANET.COM (Larry Bugbee) Date: Mon, 23 May 2005 01:49:30 +0200 Subject: [PYTHON-CRYPTO] SSL/Context.py Message-ID: Thanks. My build was erroneously trying to hash an instance. Perhaps I applied the wrong fix, there being another cause? Nonetheless, Context.py in revisions 279 and 280 (svn) both are missing the tics, and I am using SWIG 1.3.24 which doesn't seem relevant. From bugbee at SEANET.COM Mon May 23 02:58:29 2005 From: bugbee at SEANET.COM (Larry Bugbee) Date: Mon, 23 May 2005 02:58:29 +0200 Subject: [PYTHON-CRYPTO] SSL/Context.py Message-ID: This didn't seem right, so I pulled revision 280 yet again, rebuilt it, and the tics are indeed NOT necessary. What went wrong I dunno. I'll look some, but for now the only anomaly is the expired certs. Tx, Larry From heikki at OSAFOUNDATION.ORG Fri May 27 01:09:07 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Thu, 26 May 2005 16:09:07 -0700 Subject: [PYTHON-CRYPTO] More on M2Crypto sprint at Europython Message-ID: <42965713.6080101@osafoundation.org> I made a wiki page for the sprint I want to do at Europython. I have reserved June 30, July 1 of my time for the sprint. http://wiki.python.org/moin/M2Crypto Feel free to add things you'd like to fix/do during the sprint. Also, please list yourself on the page if you intend to participate, and if you intend to participate remotely let me know about that as well. I would be fine to have participants over IRC as well as submitting things through bugzilla or email. -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From heikki at OSAFOUNDATION.ORG Sat May 28 02:02:07 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Fri, 27 May 2005 17:02:07 -0700 Subject: [PYTHON-CRYPTO] Anyone depending on M2Crypto and Python < 2.3? Message-ID: <4297B4FF.3000108@osafoundation.org> The reason I am asking is because of the crash bugs with the callbacks used in M2Crypto. For example, I can not use custom SSL verification callback at all, nor dh param generators with callbacks. For example: https://bugzilla.osafoundation.org/show_bug.cgi?id=3120 A colleague spotted a problem with the way M2Crypto currently tries to deal with threads and GIL (it doesn't), and suggested a way to fix this using PyGILState_Ensure/PyGILState_Release. I've confirmed these make the crashes go away and the callbacks to work. However, these Python C API functions were introduced in 2.3. I could make an isolated change to just the callbacks functions, and ifdef things so that callbacks would be just as broken as they are now for Python < 2.3, and make them work for later Python versions. Or I could do a complete overhaul which would make M2Crypto depend on Python >= 2.3. I actually prefer this solution so hoping nobody is depending on old Python. Here's how: First: %exception { PyThreadState *state = PyEval_SaveThread(); $action PyEval_RestoreThread(state); } Then get rid of all the existing SaveThread/RestoreThread code. Then bracket all code that calls Python functions with PyGILState_Ensure()/PyGILState_Release(). -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From scott.moynes at GMAIL.COM Mon May 30 23:14:58 2005 From: scott.moynes at GMAIL.COM (Scott Moynes) Date: Mon, 30 May 2005 17:14:58 -0400 Subject: [PYTHON-CRYPTO] Anyone depending on M2Crypto and Python < 2.3? In-Reply-To: <4297B4FF.3000108@osafoundation.org> References: <4297B4FF.3000108@osafoundation.org> Message-ID: <62a33a05050530141471b92fee@mail.gmail.com> Heikki, I think the most prudent way to decide whether to make Python 2.3 or greater a requirement is to check which platforms have not yet upgraded. I don't see a reason why M2Crypto should maintain support for a release that is not being similarly supported by its vendor. I know that the last SUSE Linux release to ship with Python 2.2 was release 8.2, which has been discontinued and is unsupported. I think that at least FreeBSD and Red Hat's supported releases also have at least Python 2.3; not sure about others, but seeing as Python 2.3 was released almost 2 years ago, I think it is safe to assume that anyone with reason enough to stay with an old release also has reason enough to either patch M2Crypto or build a recent Python release. :) Cheers, -- Scott Moynes "The purpose of computing is insight, not numbers." - Richard W. Hamming On 5/27/05, Heikki Toivonen wrote: > I could make an isolated change to just the callbacks functions, and > ifdef things so that callbacks would be just as broken as they are now > for Python < 2.3, and make them work for later Python versions. > > Or I could do a complete overhaul which would make M2Crypto depend on > Python >= 2.3. I actually prefer this solution so hoping nobody is > depending on old Python. Here's how: From heikki at OSAFOUNDATION.ORG Tue May 31 05:46:21 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Mon, 30 May 2005 20:46:21 -0700 Subject: [PYTHON-CRYPTO] Anyone depending on M2Crypto and Python < 2.3? In-Reply-To: <62a33a05050530141471b92fee@mail.gmail.com> References: <4297B4FF.3000108@osafoundation.org> <62a33a05050530141471b92fee@mail.gmail.com> Message-ID: <429BDE0D.2080904@osafoundation.org> Scott Moynes wrote: > I think the most prudent way to decide whether to make Python 2.3 or > greater a requirement is to check which platforms have not yet > upgraded. I don't see a reason why M2Crypto should maintain support Except there are too many platforms. I could check some major ones of course, but... Anyway, my first cut at doing the complete overhaul resulted in not so great results (basically nothing worked) so I am doing more limited, backwards compatible changes for now. -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From heikki at OSAFOUNDATION.ORG Tue May 31 08:28:27 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Mon, 30 May 2005 23:28:27 -0700 Subject: [PYTHON-CRYPTO] Anyone ever successfully used ssl_verify_callback and other similar callbacks? Message-ID: <429C040B.10703@osafoundation.org> So I have a fix for ssl_verify_callback, but I also noticed the M2Crypto versions calls (or tries to, has always crashed for me) the callback function with different arguments than what OpenSSL uses. In my opinion we should use the OpenSSL format, but if someone is depending on the previous format I'd rather think something else. So far I have never gotten this particular callback to work (crashes Python) as it is. I've seen at least one other callback that also always causes Python crash: Context.set_tmp_dh_callback(). There are probably others but I have't done a search for the pattern yet. So, anyone ever got these things to work? I thought it should be possible to figure out the parameters in the callback function and adjust the code appropriately (so that both old M2Crypto and OpenSSL type callbacks would work automatically), but I haven't yet figured out how to do this. Basically something like: give_me_the_param_count(somefunc) would be needed. -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From gvanrossum at GMAIL.COM Tue May 31 17:46:53 2005 From: gvanrossum at GMAIL.COM (Guido van Rossum) Date: Tue, 31 May 2005 08:46:53 -0700 Subject: [PYTHON-CRYPTO] Anyone ever successfully used ssl_verify_callback and other similar callbacks? In-Reply-To: <429C040B.10703@osafoundation.org> References: <429C040B.10703@osafoundation.org> Message-ID: I'm not sure if this is the same, but we do use the SSL.Context method set_verify() with the argument SSL.verify_fail_if_no_per_cert. AFAIK we haven't had any problems with it; certainly no crashes. This is with Python 2.3.4 and M2Crypto 0.13. On 5/30/05, Heikki Toivonen wrote: > So I have a fix for ssl_verify_callback, but I also noticed the M2Crypto > versions calls (or tries to, has always crashed for me) the callback > function with different arguments than what OpenSSL uses. In my opinion > we should use the OpenSSL format, but if someone is depending on the > previous format I'd rather think something else. > > So far I have never gotten this particular callback to work (crashes > Python) as it is. I've seen at least one other callback that also always > causes Python crash: Context.set_tmp_dh_callback(). There are probably > others but I have't done a search for the pattern yet. So, anyone ever > got these things to work? > > I thought it should be possible to figure out the parameters in the > callback function and adjust the code appropriately (so that both old > M2Crypto and OpenSSL type callbacks would work automatically), but I > haven't yet figured out how to do this. Basically something like: > give_me_the_param_count(somefunc) would be needed. > > -- > Heikki Toivonen > > > > > -- --Guido van Rossum (home page: http://www.python.org/~guido/) From heikki at OSAFOUNDATION.ORG Tue May 31 18:40:25 2005 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Tue, 31 May 2005 09:40:25 -0700 Subject: [PYTHON-CRYPTO] Anyone ever successfully used ssl_verify_callback and other similar callbacks? In-Reply-To: References: <429C040B.10703@osafoundation.org> Message-ID: <429C9379.3040105@osafoundation.org> Guido van Rossum wrote: > I'm not sure if this is the same, but we do use the SSL.Context method > set_verify() with the argument SSL.verify_fail_if_no_per_cert. AFAIK > we haven't had any problems with it; certainly no crashes. This is > with Python 2.3.4 and M2Crypto 0.13. Yes, that works. What causes Python crash for me (sorry for not being totally clear) is this form: def verify_cb(a, b, c, d, e): return 1 ctx = SSL.Context() ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9, verify_cb) s = SSL.Connection(ctx) s.connect(some_addr) # Crash when _lib.i:ssl_verify_callback() calls PyEval_CallObject() -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: