From ludo at ASIATICA.ORG Thu Jul 1 12:27:07 2004 From: ludo at ASIATICA.ORG (Ludovico Magnocavallo) Date: Thu, 1 Jul 2004 12:27:07 +0200 Subject: [PYTHON-CRYPTO] SMIME signing bug Message-ID: <40E3E6FB.7050607@asiatica.org> Clear signing large (>3Mb) SMIME messages from M2Crypto hangs python. 1. A test run with debug print statements in my code and in M2Crypto.SMIME.py: time ./signer.py newreq_nopass.pem newcert.pem 21131.eml 21131_signed.eml setup BIO.MemoryBuffer(text) self._smime.sign m2.pkcs7_sign0 called [1] Terminated ./signer.py newreq_nopass.pem newcert.pem 21131.eml 21131_signed.eml [2]+ Stopped ./signer.py newreq_nopass.pem newcert.pem 21131.eml 21131_signed.eml real 0m26.028s user 0m0.000s sys 0m0.000s I had to kill %1 the backgrounded job, as ^C did nothing. I have tried leaving the process running for 15 minutes, and it just stays there eating a bit more memory each second. 2. If I sign the same messages from openssl: time openssl smime -sign -in 21131.eml -out 21131_signed.eml -signer newcert.pem -inkey newreq_nopass.pem real 0m0.671s user 0m0.538s sys 0m0.100s 3. My same code using M2Crypto on a small message: time ./signer.py newreq_nopass.pem newcert.pem test.eml test_signed.eml setup BIO.MemoryBuffer(text) self._smime.sign m2.pkcs7_sign0 called BIO.MemoryBuffer(text) self._smime.write self._parser.parsestr real 0m0.390s user 0m0.197s sys 0m0.030s the message sizes are: ls -l *eml -rw-r--r-- 1 ludo ludo 4777277 Jul 1 11:52 21131.eml -rw-r--r-- 1 ludo ludo 4841919 Jul 1 12:20 21131_signed.eml -rw-r--r-- 1 ludo ludo 6026 Jun 23 00:27 test.eml -rw-r--r-- 1 ludo ludo 8730 Jul 1 12:21 test_signed.eml I really need smime signing to work, should I wrap openssl's smime command from python or is there a chance this will be fixed in M2Crypto? Thanks Ludo From hadara at BSD.EE Wed Jul 7 21:25:08 2004 From: hadara at BSD.EE (Sven Petai) Date: Wed, 7 Jul 2004 22:25:08 +0300 Subject: [PYTHON-CRYPTO] m2crypto - interface for EVP_VerifyFinal [PATCH] Message-ID: <200407072225.09069.hadara@bsd.ee> hi here's a patch against m2crypto 0.13 for accessing openssl's EVP_VerifyFinal function: http://bsd.ee/~hadara/patch/m2crypto_evp_verify_final.diff Is there any hope of getting it into the future releases of m2crypto ? From ngps at POST1.COM Thu Jul 8 03:52:48 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Thu, 8 Jul 2004 09:52:48 +0800 Subject: [PYTHON-CRYPTO] m2crypto - interface for EVP_VerifyFinal [PATCH] In-Reply-To: <200407072225.09069.hadara@bsd.ee> References: <200407072225.09069.hadara@bsd.ee> Message-ID: <20040708015248.GB40455@vista.netmemetic.com> On Wed, Jul 07, 2004 at 10:25:08PM +0300, Sven Petai wrote: > here's a patch against m2crypto 0.13 for accessing openssl's EVP_VerifyFinal > function: > http://bsd.ee/~hadara/patch/m2crypto_evp_verify_final.diff Thanks. > Is there any hope of getting it into the future releases of m2crypto ? I'd imagine so. But I'll have to read patches more carefully from now onwards. An earlier patch (from someone else) gave me a bit of grief because I applied it without thinking it thru fully and it came back to bite me. So this might mean even slower turnaround time for patches and releases, sorry. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog From terry at BIZARSOFTWARE.COM.AU Thu Jul 15 10:41:25 2004 From: terry at BIZARSOFTWARE.COM.AU (Terry Kerr) Date: Thu, 15 Jul 2004 10:41:25 +0200 Subject: [PYTHON-CRYPTO] httpslib.HTTPSConnection problem. Message-ID: Hi, I have a python app that posts info to a cc payment gateway. The code is very simple, and works fine with with M2Crypto 0.07 and python 2.1.3. from M2Crypto import httpslib, SSL X-Mozilla-Status: 8000 X-Mozilla-Status2: 00000000 ctx = SSL.Context('sslv3') h = httpslib.HTTPSConnection("merchant.ematters.com.au", 443, ssl_context=ctx) h.request('POST', path, params, headers) resp = h.getresponse() f = resp.fp resp = resp.read() f.close() h.close() Now I have upgraded to M2Crypto 0.13 and python 2.3.3 and the code no longer works. I am running with exactly the same path, params and headers, but the response I get now is: Error

Error 500

HTTP Web Server: Invalid POST Request Exception I placed a debug print in SSL/Connection.py::Connection._write_bio() and verified that the data being send is the same for both python/M2Crypto versions, so I am not sure what else could be incorrect. Does anyone have an suggestions? terry From fu at CS.DUKE.EDU Tue Jul 20 04:32:48 2004 From: fu at CS.DUKE.EDU (Yun Fu) Date: Tue, 20 Jul 2004 04:32:48 +0200 Subject: [PYTHON-CRYPTO] TimeoutConnection Message-ID: Hi All, I wrote a TimeoutConnection.py to support timeout on a SSL connection. I decided to wrap it up as a package with demo to share with everybody. You can download it from http://www.cs.duke.edu/~fu/m2crypto/timeoutm2crypto-0.01.tar.gz Basically, I borrowed lots of ideas from Timothy O'Malley timeoutsocket.py. However, nonblocking SSL is more complicated and weird. The code was built for my own research purpose. I notice there were quite a lot of questions on this list for nonblocking sockets and select() usage for SSL connections. So I decide to release my implementation to listen for opinions. Hopefully, it can be added into M2Crypto in the future. To use it, you need to apply _ssl.diff patch, which is basically dave.patch, and copy TimeoutConnection.py to your own code. I have a README in the package. Thanks! Yun Fu From ngps at POST1.COM Wed Jul 21 11:35:52 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Wed, 21 Jul 2004 17:35:52 +0800 Subject: [PYTHON-CRYPTO] httpslib.HTTPSConnection problem. In-Reply-To: <40FE3053.2040707@bizarsoftware.com.au> References: <40FE3053.2040707@bizarsoftware.com.au> Message-ID: <20040721093552.GB304@vista.netmemetic.com> On Wed, Jul 21, 2004 at 06:58:59PM +1000, Terry Kerr wrote: > I have discovered that this problem is related to a work around > implemented in openssl 0.9.6d and the work around can be switched on/off > in openssl-0.9.6e and above. To do this, I need to be able to > SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option in the ssl context of the > socket created my HTTPSConnection. > > I don't see a way of doing this using the current API? I think I > essentially need access to the openssl methods SSL_set_options() or > maybe SSL_CTX_set_options(). Does anyone know how I can set this context > option from python? M2Crypto.SSL.Context has method "set_options(self, op)". The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS isn't in M2Crypto yet, so you'll have to pass its actual integer value as the "op" parameter. To add the label to M2Crypto, modify SWIG/_ssl.i. I will add this to my code base. Public repository should be up RSN, which should make keeping all this stuff updated easier. Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From terry at BIZARSOFTWARE.COM.AU Wed Jul 21 10:58:59 2004 From: terry at BIZARSOFTWARE.COM.AU (Terry Kerr) Date: Wed, 21 Jul 2004 18:58:59 +1000 Subject: [PYTHON-CRYPTO] httpslib.HTTPSConnection problem. In-Reply-To: References: Message-ID: <40FE3053.2040707@bizarsoftware.com.au> Hi, I have discovered that this problem is related to a work around implemented in openssl 0.9.6d and the work around can be switched on/off in openssl-0.9.6e and above. To do this, I need to be able to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option in the ssl context of the socket created my HTTPSConnection. I don't see a way of doing this using the current API? I think I essentially need access to the openssl methods SSL_set_options() or maybe SSL_CTX_set_options(). Does anyone know how I can set this context option from python? terry Terry Kerr wrote: > Hi, > > I have a python app that posts info to a cc payment gateway. The code is > very simple, and works fine with with M2Crypto 0.07 and python 2.1.3. > > from M2Crypto import httpslib, SSL > ctx = SSL.Context('sslv3') > h = httpslib.HTTPSConnection("merchant.ematters.com.au", 443, > ssl_context=ctx) > h.request('POST', path, params, headers) > resp = h.getresponse() > f = resp.fp > resp = resp.read() > f.close() > h.close() > > Now I have upgraded to M2Crypto 0.13 and python 2.3.3 and the code no longer > works. I am running with exactly the same path, params and headers, but the > response I get now is: > > > > Error > >

Error 500

HTTP Web Server: Invalid POST Request Exception > > > I placed a debug print in SSL/Connection.py::Connection._write_bio() and > verified that the data being send is the same for both python/M2Crypto > versions, so I am not sure what else could be incorrect. > > Does anyone have an suggestions? > > terry -- Terry Kerr (terry at bizarsoftware.com.au) Chief Technical Officer Bizar Software Pty Ltd (www.bizarsoftware.com.au) +61 3 9530 9182 From terry at BIZARSOFTWARE.COM.AU Thu Jul 22 03:54:40 2004 From: terry at BIZARSOFTWARE.COM.AU (Terry Kerr) Date: Thu, 22 Jul 2004 11:54:40 +1000 Subject: [PYTHON-CRYPTO] httpslib.HTTPSConnection problem. In-Reply-To: <20040721093552.GB304@vista.netmemetic.com> References: <40FE3053.2040707@bizarsoftware.com.au> <20040721093552.GB304@vista.netmemetic.com> Message-ID: <40FF1E60.1050003@bizarsoftware.com.au> > M2Crypto.SSL.Context has method "set_options(self, op)". The option > SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS isn't in M2Crypto yet, so you'll have to > pass its actual integer value as the "op" parameter. To add the label to > M2Crypto, modify SWIG/_ssl.i. I don't see set_options() in 0.13? Is there a newer CVS snapshot that I can download? > > I will add this to my code base. Public repository should be up RSN, which > should make keeping all this stuff updated easier. -- Terry Kerr (terry at bizarsoftware.com.au) Chief Technical Officer Bizar Software Pty Ltd (www.bizarsoftware.com.au) +61 3 9530 9182 From ngps at POST1.COM Fri Jul 23 00:47:24 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Fri, 23 Jul 2004 06:47:24 +0800 Subject: [PYTHON-CRYPTO] httpslib.HTTPSConnection problem. In-Reply-To: <40FF1E60.1050003@bizarsoftware.com.au> References: <40FE3053.2040707@bizarsoftware.com.au> <20040721093552.GB304@vista.netmemetic.com> <40FF1E60.1050003@bizarsoftware.com.au> Message-ID: <20040722224724.GG848@vista.netmemetic.com> On Thu, Jul 22, 2004 at 11:54:40AM +1000, Terry Kerr wrote: > I don't see set_options() in 0.13? Is there a newer CVS snapshot that I > can download? Responded offline. Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From ngps at POST1.COM Thu Jul 29 18:03:57 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Fri, 30 Jul 2004 00:03:57 +0800 Subject: [PYTHON-CRYPTO] TimeoutConnection In-Reply-To: References: Message-ID: <20040729160357.GB308@vista.netmemetic.com> On Tue, Jul 20, 2004 at 04:32:48AM +0200, Yun Fu wrote: > I wrote a TimeoutConnection.py to support timeout on a SSL > connection. I decided to wrap it up as a package with demo > to share with everybody. You can download it from > > http://www.cs.duke.edu/~fu/m2crypto/timeoutm2crypto-0.01.tar.gz Thanks. I'll take a look at it. I've been toying with the idea of some kind of Pythonic access to FreeBSD's dummynet facility to support testing M2Crypto's SSL socket timeouts. Just haven't had the time to get to it. Dummynet is a traffic shaper, bandwidth manager and delay emulator for FreeBSD. I have no doubt there exist three or seven implementations of same on Linux. Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From ngps at POST1.COM Thu Jul 29 17:55:07 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Thu, 29 Jul 2004 23:55:07 +0800 Subject: [PYTHON-CRYPTO] M2Crypto.SSL.SSLServer, handle_error should take 2 arguments In-Reply-To: <4102E308.3090203@johnmeinel.com> References: <4102E308.3090203@johnmeinel.com> Message-ID: <20040729155507.GA308@vista.netmemetic.com> On Sat, Jul 24, 2004 at 05:30:32PM -0500, John Meinel wrote: > I noticed that the standard SocketServer has an overrideable function > called "handle_error", if you look in the python documentation, this > takes 2 arguments (plus self). The SSLServer only takes one. > [...] > Attached is a small patch that I think fixes this problem. Thanks. M2Crypto started with Python 1.5, so it is possible that the handle_error interface was like that once upon a time. ;-) > It would also be nice if the SSLError object could contain information > about what client is connecting. That way you could figure out if there > was a specific machine that was trying to connect and was having > difficulty negotiating the connection. Ah, I see error signalling is a bit mixed up. M2Crypto/SSL/Error.py says: class SSLError(Exception): pass whereas M2Crypto/Err.py says: class SSLError(Exception): def __init__(self, err, client_addr): self.err = err self.client_addr = client_addr def __str__(self): return "%s: %s: %s" % \ (m2.err_func_error_string(self.err), \ self.client_addr, \ m2.err_reason_error_string(self.err)) Should be unified, after which, the SSLError instance should carry the info you want. Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From heikki at OSAFOUNDATION.ORG Thu Jul 29 22:29:39 2004 From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen) Date: Thu, 29 Jul 2004 13:29:39 -0700 Subject: [PYTHON-CRYPTO] M2Crypto has public Subversion repository and Bugzilla database Message-ID: <41095E33.2010501@osafoundation.org> Open Source Applications Foundation (OSAF) is providing limited hosting for the M2Crypto project in the form of a public Subversion source repository and public Bugzilla bug database. Until now there were no public source control systems nor bug databases for M2Crypto. We invite everyone to take advantage of these tools to file bugs, track feature work, create and track patches, do code reviews and so forth. We hope these tools will help us collaborate better on M2Crypto development. Details on how to pull the source, file and browse bugs and so forth can be found here: http://wiki.osafoundation.org/twiki/bin/view/Chandler/MeTooCrypto If you have any issues or improvement suggestions with any of these tools, please let me know. Enjoy, -- Heikki Toivonen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature URL: From ajay.brar at GMAIL.COM Fri Jul 30 00:54:52 2004 From: ajay.brar at GMAIL.COM (Ajay Brar) Date: Fri, 30 Jul 2004 08:54:52 +1000 Subject: [PYTHON-CRYPTO] Python cryptography toolkit Message-ID: <4450c49f040729155413dcfb51@mail.gmail.com> hi! can someone tell me which implementation of RSA is used in the python cryptography toolkit? thanks cheers ajay From ngps at POST1.COM Fri Jul 30 16:52:15 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Fri, 30 Jul 2004 22:52:15 +0800 Subject: [PYTHON-CRYPTO] M2Crypto has public Subversion repository and Bugzilla database In-Reply-To: <41095E33.2010501@osafoundation.org> References: <41095E33.2010501@osafoundation.org> Message-ID: <20040730145215.GA316@vista.netmemetic.com> On Thu, Jul 29, 2004 at 01:29:39PM -0700, Heikki Toivonen wrote: > Open Source Applications Foundation (OSAF) is providing limited hosting > for the M2Crypto project in the form of a public Subversion source > repository and public Bugzilla bug database. Many thanks to Heikki and OSAF for setting this up. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From dberger at CS.UCR.EDU Fri Jul 30 23:10:31 2004 From: dberger at CS.UCR.EDU (Dan Berger) Date: Fri, 30 Jul 2004 14:10:31 -0700 Subject: [PYTHON-CRYPTO] m2crypto patch - DSA pub key handling Message-ID: <1091221831.3102.4.camel@walkabout.cs.ucr.edu> I've added the ability to explicitly set the public key member of a DSA_pub key object (I needed to reconstruct a DSA key from it's parameters and pub key, as that's how they're being stored in a system I'm interfacing with). The attached patch builds on Igor Belyi's patch posted to this list 12 April, 2004. Cheers. -- ...Dan Berger [dberger at cs.ucr.edu] Department of Computer Science Surge Building, Room 357 University of California, Riverside http://www.cs.ucr.edu/~dberger Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. - Albert Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: m2crypto.patch Type: text/x-patch Size: 1849 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From ngps at POST1.COM Sat Jul 31 14:26:49 2004 From: ngps at POST1.COM (Ng Pheng Siong) Date: Sat, 31 Jul 2004 20:26:49 +0800 Subject: [PYTHON-CRYPTO] m2crypto patch - DSA pub key handling In-Reply-To: <1091221831.3102.4.camel@walkabout.cs.ucr.edu> References: <1091221831.3102.4.camel@walkabout.cs.ucr.edu> Message-ID: <20040731122649.GC264@vista.netmemetic.com> On Fri, Jul 30, 2004 at 02:10:31PM -0700, Dan Berger wrote: > I've added the ability to explicitly set the public key member of a > DSA_pub key object (I needed to reconstruct a DSA key from it's > parameters and pub key, as that's how they're being stored in a system > I'm interfacing with). Thanks, Dan. Is it possible to add a small demo, to give an idea what the 'pub' param in set_pub_key should look like? Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog From dberger at CS.UCR.EDU Sat Jul 31 19:35:55 2004 From: dberger at CS.UCR.EDU (Dan Berger) Date: Sat, 31 Jul 2004 10:35:55 -0700 Subject: [PYTHON-CRYPTO] m2crypto patch - DSA pub key handling In-Reply-To: <20040731122649.GC264@vista.netmemetic.com> References: <1091221831.3102.4.camel@walkabout.cs.ucr.edu> <20040731122649.GC264@vista.netmemetic.com> Message-ID: <1091295354.3054.7.camel@walkabout.cs.ucr.edu> Sure: Given a DSA keypair (pub/priv), you can transform it into it's constituent parts; p,q,g,pub(,priv); like this: (in this case, the parts are output as DNS TXT records) dsa = M2Crypto.DSA.load_key(keyfile) # the result of dsa_get_[g|p|q|pub] is an mpi - 4 bytes of length, and # the number in big endian, so loose the first four bytes to get just # the number we care about pub = M2Crypto.m2.dsa_get_pub(dsa.dsa) g = M2Crypto.m2.dsa_get_g(dsa.dsa) p = M2Crypto.m2.dsa_get_p(dsa.dsa) q = M2Crypto.m2.dsa_get_q(dsa.dsa) print 'pub_%s IN TXT "%s"' % (keyname, binascii.b2a_hex(pub[4:])) print 'p_%s IN TXT "%s"' % (keyname, binascii.b2a_hex(p[4:])) print 'q_%s IN TXT "%s"' % (keyname, binascii.b2a_hex(q[4:])) print 'g_%s IN TXT "%s"' % (keyname, binascii.b2a_hex(g[4:])) given hex strings containing the big-endian values of p,q,g, and pub, pub="674301d3901f6e13fb0b60bb35ba55994d23f368155aa87b88e8ac27e23bde576916ac150af1aa4fab88705a457769ccae17dacc5ee7ef65977acb6d738e8a02" p="00d5a3e833e360f439bbef341a2387e49012f42410978dd167e0cc7071518c76f4e1a7c18a254572b6b995040e3ac69e7bb2b2d85569990d3a6a1cd137b24f8d71" q="00e813778c56bb9a4ca6ed43516b3ff51347b7a15d" g="182ffa2f14f9d8c0590a892e772f337f9a2cc0c37c5bc5348bfd6e1000b2e509eb06d2c29967d8361b818e63779bead8b5903311487db7c7bccdc8ecdef9cc78" you can re-create the public half of the key to perform signature verifications like this: dsa = M2Crypto.DSA.DSA_pub(M2Crypto.m2.dsa_new()) dsa.set_params(M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(p)), \ M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(q)), \ M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(g))) dsa.set_pub_key(M2Crypto.m2.bn_to_mpi(M2Crypto.m2.hex_to_bn(pub))) On Sat, 2004-07-31 at 20:26 +0800, Ng Pheng Siong wrote: > Thanks, Dan. > > Is it possible to add a small demo, to give an idea what the 'pub' param > in set_pub_key should look like? -- ...Dan Berger [dberger at cs.ucr.edu] Department of Computer Science Surge Building, Room 357 University of California, Riverside http://www.cs.ucr.edu/~dberger "The best way to predict the future is to invent it." - Alan Kay -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: