From MKRodriguez at LBL.GOV Mon Nov 7 19:59:29 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 10:59:29 -0800
Subject: [PYTHON-CRYPTO] added feature to setup.py
Message-ID: <436FA411.1090608@lbl.gov>

I added a feature to setup.py in m2crypto, so that it would take an
--openssl argument.
This would point to the prefix of the openssl installation. This is
useful for me, because I'm compiling against openssl-0.9.8a libraries
which are installed in a non standard location.

I'm using the 0.15 branch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup.py.patch
Type: text/x-patch
Size: 1461 bytes
Desc: not available
URL:

From MKRodriguez at LBL.GOV Mon Nov 7 20:20:07 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 11:20:07 -0800
Subject: [PYTHON-CRYPTO] use this patch instead
Message-ID: <436FA8E7.5000408@lbl.gov>

There was a problem with my last patch. I hadn't removed all
occurrences of the deprecated string module.

Matt Rodriguez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup.py.patch
Type: text/x-patch
Size: 1453 bytes
Desc: not available
URL:

From MKRodriguez at LBL.GOV Mon Nov 7 20:50:46 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 11:50:46 -0800
Subject: [PYTHON-CRYPTO] patch to fix some compiler warnings
Message-ID: <436FB016.2020403@lbl.gov>

This patch fixes these warnings. The SSL_CTX_set_tmp_dh/rsa are macros,
which expand to SSL_CTX_ctrl. If we add a return statement the compiler
shuts up.

SWIG/_m2crypto.c: In function `ssl_ctx_set_tmp_rsa':
SWIG/_m2crypto.c:4182: warning: control reaches end of non-void function
SWIG/_m2crypto.c: In function `ssl_ctx_set_tmp_dh':
SWIG/_m2crypto.c:4171: warning: control reaches end of non-void function

This patch was made using the 0.15 branch

Matt Rodriguez
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch._ssl.i
URL:

From guido at PYTHON.ORG Mon Nov 7 21:32:32 2005
From: guido at PYTHON.ORG (Guido van Rossum)
Date: Mon, 7 Nov 2005 12:32:32 -0800
Subject: [PYTHON-CRYPTO] added feature to setup.py
In-Reply-To: <436FA411.1090608@lbl.gov>
References: <436FA411.1090608@lbl.gov>
Message-ID:

On 11/7/05, Matthew Rodriguez DSD staff wrote:
> I added a feature to setup.py in m2crypto, so that it would take an
> --openssl argument.
> This would point to the prefix of the openssl installation. This is
> useful for me, because I'm compiling against openssl-0.9.8a libraries
> which are installed in a non standard location.
>
> I'm using the 0.15 branch.

I forwarded this to a local user who's been dealing with the same
issue. His comments:

"""
Actually I think he missed the -I argument that gets passed to swig,
since the .i file has an include directive for one of the openssl
headers. Either the build has changed since the 0.15 release so that
this is no longer required or he didn't realize that this was necessary
because he has an openssl in /usr, just not the version he's trying to
build against.
"""

What's your response to that?

--
--Guido van Rossum (home page: http://www.python.org/~guido/)

From MKRodriguez at LBL.GOV Mon Nov 7 22:39:21 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 13:39:21 -0800
Subject: [PYTHON-CRYPTO] added feature to setup.py
In-Reply-To:
References: <436FA411.1090608@lbl.gov>
Message-ID: <436FC989.2090309@lbl.gov>

Guido van Rossum wrote:

>On 11/7/05, Matthew Rodriguez DSD staff wrote:
>
>
>>I added a feature to setup.py in m2crypto, so that it would take an
>>--openssl argument.
>>This would point to the prefix of the openssl installation. This is
>>useful for me, because I'm compiling against openssl-0.9.8a libraries
>>which are installed in a non standard location.
>>
>>I'm using the 0.15 branch.
>>
>>
>
>I forwarded this to a local user who's been dealing with the same
>issue. His comments:
>
>"""
>Actually I think he missed the -I argument that gets passed to swig,
>since the .i file has an include directive for one of the openssl
>headers. Either the build has changed since the 0.15 release so that
>this is no longer required or he didn't realize that this was necessary
>because he has an openssl in /usr, just not the version he's trying to
>build against.
>"""
>
>What's your response to that?
>
>--
>--Guido van Rossum (home page: http://www.python.org/~guido/)
>
>
Here is what gets passed to swig:

swig -python -ISWIG -o SWIG/_m2crypto.c SWIG/_m2crypto.i

So the SWIG directory is included. I believe that is the only directory
that needs to be included. If I need to pass anything else to swig, let
me know.

My patch does not affect what arguments are passed to swig, it only
affects the arguments for building the extension, specifically the -I
argument for the library headers and -L to link in the libraries.

Here's how gcc builds the extension.

gcc -pthread -fno-strict-aliasing -DNDEBUG -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -fPIC -I/home/portnoy/u5/mateo/Python/M2Crypto/branches/0.15/SWIG -I/home/dsd/openssl/openssl-0.9.8a/include -I/usr/include/python2.3 -c SWIG/_m2crypto.c -o build/temp.linux-i686-2.3/SWIG/_m2crypto.o -DTHREADING
SWIG/_m2crypto.c:1422: warning: `RCS_id' defined but not used
gcc -pthread -shared build/temp.linux-i686-2.3/SWIG/_m2crypto.o -L/home/dsd/openssl/openssl-0.9.8a/lib -lssl -lcrypto -o build/lib.linux-i686-2.3/M2Crypto/__m2crypto.so

I know this is building against the openssl 0.9.8 libraries, because
there are compiler errors when you build against 0.9.8 openssl using the
latest subversion version of m2crypto. This is due to changes to the
openssl API that added const to parameters of several functions. People
have mentioned this on this list before.

We need a solution so that m2crypto works with 0.9.7 and 0.9.8 openssl.
I've got 2 ideas:

1. #ifdef. Not elegant, and it will require more work each time a new
version of openssl modifies its APIs.

2. Use the %rename directive so that it doesn't include the function
declaration. I've been able to get m2crypto to compile against 0.9.7 and
0.9.8 openssl using this technique, but I haven't tested any of the
functions that I've renamed. So I'm not sure if this is a good solution.

Matt Rodriguez

From heikki at OSAFOUNDATION.ORG Tue Nov 8 00:07:43 2005
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 7 Nov 2005 15:07:43 -0800
Subject: [PYTHON-CRYPTO] added feature to setup.py
In-Reply-To: <436FC989.2090309@lbl.gov>
References: <436FA411.1090608@lbl.gov> <436FC989.2090309@lbl.gov>
Message-ID: <436FDE3F.60809@osafoundation.org>

>> On 11/7/05, Matthew Rodriguez DSD staff wrote:
>>>
>>> I'm using the 0.15 branch.

I have been really puzzled by people claiming to use 0.15 and having
const problems with various OpenSSL versions, when I believe I fixed all
of them up to OpenSSL 0.9.8 in 0.15. Now I think I found the reason.

The 0.15 *branch* in the Subversion repository is not the same as the
0.15 *tag*. In fact, 0.15 development happened on the trunk exclusively,
and the *tag* was created from the *trunk*. Or in other words, 0.15
development was never on the 0.15 *branch*.

This is partly a fault of mine. When I released 0.15 I forgot there was
this misleading branch that was not even used and I should have deleted
it and created the correct 0.15 branch.

Could you please confirm if you were using the bad branch or the correct
tag?

Correct: http://svn.osafoundation.org/m2crypto/tags/0.15/
Bad: http://svn.osafoundation.org/m2crypto/branches/0.15/

Also, if I don't hear any objections I will be nuking the current bad
branch and creating a correct one from the 0.15 tag within the next
couple of days.

--
  Heikki Toivonen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 253 bytes
Desc: OpenPGP digital signature
URL:

From MKRodriguez at LBL.GOV Tue Nov 8 00:52:13 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 15:52:13 -0800
Subject: [PYTHON-CRYPTO] setup.py patch
Message-ID: <436FE8AD.7030108@lbl.gov>

Here is the patch to pass an openssl location.

Matt Rodriguez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup.py.3rd.patch
Type: text/x-patch
Size: 1873 bytes
Desc: not available
URL:

From MKRodriguez at LBL.GOV Tue Nov 8 00:54:08 2005
From: MKRodriguez at LBL.GOV (Matthew Rodriguez DSD staff)
Date: Mon, 7 Nov 2005 15:54:08 -0800
Subject: [PYTHON-CRYPTO] [Fwd: Re: added feature to setup.py]
Message-ID: <436FE920.7050400@lbl.gov>

-------------- next part --------------
An embedded message was scrubbed...
From: Matthew Rodriguez DSD staff
Subject: Re: added feature to setup.py
Date: Mon, 07 Nov 2005 15:49:52 -0800
Size: 2108
URL:

From mbagai at ARSLEGAL.COM Tue Nov 29 21:04:35 2005
From: mbagai at ARSLEGAL.COM (Morten Bagai)
Date: Tue, 29 Nov 2005 12:04:35 -0800
Subject: [PYTHON-CRYPTO] [newbie] encyption/decryption and padding
Message-ID:

Hi,

I'm new to pycrypto. I'm trying to do something really basic, which is
to decrypt an ASCII-HEX block of ciphertext with Blowfish using a simple
key. Here's how I do it:

from Crypto.Cipher import Blowfish
from binascii import hexlify,unhexlify

# some ascii-hex cipher text
ciphertext = 'AE930CE7794D7EFE80D30D0EC79243F99DB7C3FC5D19048D86724EA945FD8E47'
# not a real key
key = 'blah'
mycipher = Blowfish.new(key,Blowfish.MODE_ECB)
cleartext = mycipher.decrypt(unhexlify(ciphertext))

This works fine, except in addition to the original cleartext, I also
get the padding as a result of the "decrypt" method call. Is this
normal? If so, what's the standard way to get rid of the padding?

Also, when encrypting with a symmetric algorithm like Blowfish, are
there any convenience functions in the toolkit for applying padding, say
PKCS#5, automatically?

Thanks,
Morten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL:

From MKRodriguez at LBL.GOV Wed Nov 30 02:45:41 2005
From: MKRodriguez at LBL.GOV (Matt Rodriguez)
Date: Tue, 29 Nov 2005 17:45:41 -0800
Subject: [PYTHON-CRYPTO] patches for X509_EXTENSION and a few other things
Message-ID: <438D0445.6060904@lbl.gov>

I've done a little work with M2Crypto because I've been using it to
generate proxy certificates. Proxy Certificates need to have a proxy
certificate info extension for openssl to recognize them. Openssl
versions 0.9.8 and later have support for proxy certificates.

So here are the changes that I've made.

1. I added an as_der method to the EVP class in EVP.py. This calls
i2d_PUBKEY to get the DER encoding.

2. I changed the new_extensions function in X509. It initializes an
LHASH and an X509V3_CTX object, and passes them into the X509V3_ext_conf
function. I did this because to use the ProxyCertInfo extension it
needed an initialized context object, otherwise I would get a
segmentation fault. This is because the X509_EXTENSION_METHOD object
associated with PCI does not contain v2i or s2i functions. The method
does have an r2i function, but the do_ext_nconf does a check on the
context to see if it has a db or db_meth object. If the context is NULL
then there is a segmentation fault.

If there is another way to create a PCI extension using M2Crypto without
this patch, I'd like to know about it.

3. Changes to setup.py. I've mentioned this in previous posts. I added
an option so that one could build M2Crypto against openssl that is
installed in an arbitrary location.

4. I added a quick test to test_evp.py that tests the as_der method.

5. I fixed an obvious memory leak in _x509.i in the
x509_extension_get_name.

I've tested these changes with openssl-0.9.8a using valgrind to make
sure my changes didn't leak any more memory.

Please let me know if there are any problems with the patches or if
there is anything I can do to facilitate adding these patches to
M2Crypto.

Matt Rodriguez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ext.patch
Type: text/x-patch
Size: 5903 bytes
Desc: not available
URL:

From heikki at OSAFOUNDATION.ORG Wed Nov 30 21:18:27 2005
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Wed, 30 Nov 2005 12:18:27 -0800
Subject: [PYTHON-CRYPTO] patches for X509_EXTENSION and a few other things
In-Reply-To: <438D0445.6060904@lbl.gov>
References: <438D0445.6060904@lbl.gov>
Message-ID: <438E0913.9060803@osafoundation.org>

Matt Rodriguez wrote:
> I've done a little work with M2Crypto because I've been using it to
> generate proxy certificates. Proxy Certificates need to have a proxy
> certificate info extension for openssl to recognize them. Openssl
> versions 0.9.8 and later have support for proxy certificates.

Do you have a link to some quick documentation what proxy certificates
are (I think this is the first time I've heard the term)?

I am pretty busy at the moment with Chandler 0.6 end-game, but I should
have some time for M2Crypto soon.

> 3. Changes to setup.py. I've mentioned this in previous posts. I added
> an option so that one
> could build M2Crypto against openssl that is installed in an arbitrary
> location.

Thanks, I can use this for Chandler as well :) Been too lazy myself, and
just patched hardcoded paths for my environment. Nice to get the right
solution...

> 4. I added a quick test to test_evp.py that tests the as_der method.

Could you provide tests for all the new and changed APIs in unit tests?
I created a new bug to track this work:
https://bugzilla.osafoundation.org/show_bug.cgi?id=4782

I'd appreciate if you could attach enhancements to the patch to the bug
directly.

Thanks,
--
  Heikki Toivonen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 253 bytes
Desc: OpenPGP digital signature
URL:

From conrad at HEP.CALTECH.EDU Wed Nov 30 23:19:35 2005
From: conrad at HEP.CALTECH.EDU (Conrad Steenberg)
Date: Wed, 30 Nov 2005 14:19:35 -0800
Subject: [PYTHON-CRYPTO] patches for X509_EXTENSION and a few other things
In-Reply-To: <438D0445.6060904@lbl.gov>
References: <438D0445.6060904@lbl.gov>
Message-ID: <1133389175.26259.22.camel@localhost.localdomain>

Hi Matt

Could you perhaps send a link to the code you use to create the proxy
certificates with M2Crypto?

Thanks!

Conrad

On Tue, 2005-11-29 at 17:45 -0800, Matt Rodriguez wrote:
> I've done a little work with M2Crypto because I've been using it to
> generate proxy certificates. Proxy Certificates need to have a proxy
> certificate info extension for openssl to recognize them. Openssl
> versions 0.9.8 and later have support for proxy certificates.
>
> So here are the changes that I've made.
>
> 1. I added an as_der method to the EVP class in EVP.py. This calls
> i2d_PUBKEY to get the DER encoding.
>
> 2. I changed the new_extensions function in X509. It initializes an
> LHASH and an X509V3_CTX object, and passes them into the
> X509V3_ext_conf function. I did this because to use the ProxyCertInfo
> extension it needed an initialized context object, otherwise I would
> get a segmentation fault. This is because the X509_EXTENSION_METHOD
> object associated with PCI does not contain v2i or s2i functions. The
> method does have an r2i function, but the do_ext_nconf does a check
> on the context to see if it has a db or db_meth object. If the context
> is NULL then there is a segmentation fault.
>
> If there is another way to create a PCI extension using M2Crypto
> without this patch, I'd like to know about it.
>
> 3. Changes to setup.py. I've mentioned this in previous posts. I added
> an option so that one could build M2Crypto against openssl that is
> installed in an arbitrary location.
>
> 4. I added a quick test to test_evp.py that tests the as_der method.
>
> 5. I fixed an obvious memory leak in _x509.i in the
> x509_extension_get_name.
>
> I've tested these changes with openssl-0.9.8a using valgrind to make
> sure my changes didn't leak any more memory.
>
>
> Please let me know if there are any problems with the patches or if
> there is anything I can do to facilitate adding these patches to
> M2Crypto.
>
> Matt Rodriguez
--
Conrad Steenberg
California Institute of Technology
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2531 bytes
Desc: not available
URL:

From MKRodriguez at LBL.GOV Wed Nov 30 23:39:31 2005
From: MKRodriguez at LBL.GOV (Matt Rodriguez)
Date: Wed, 30 Nov 2005 14:39:31 -0800
Subject: [PYTHON-CRYPTO] patches for X509_EXTENSION and a few other things
In-Reply-To: <438E0913.9060803@osafoundation.org>
References: <438D0445.6060904@lbl.gov> <438E0913.9060803@osafoundation.org>
Message-ID: <438E2A23.9050407@lbl.gov>

Heikki Toivonen wrote:
> Matt Rodriguez wrote:
>
>> I've done a little work with M2Crypto because I've been using it to
>> generate proxy certificates. Proxy Certificates need to have a proxy
>> certificate info extension for openssl to recognize them. Openssl
>> versions 0.9.8 and later have support for proxy certificates.
>>
>
> Do you have a link to some quick documentation what proxy certificates
> are (I think this is the first time I've heard the term)?
>
> I am pretty busy at the moment with Chandler 0.6 end-game, but I should
> have some time for M2Crypto soon.
>
>
Proxy certificates are described in RFC 3820.
http://www.ietf.org/rfc/rfc3820.txt?number=3820
You can find less terse documentation in the
doc/HOWTO/proxy_certificates.txt file in the openssl-0.9.8 release.

>> 3. Changes to setup.py. I've mentioned this in previous posts. I added
>> an option so that one
>> could build M2Crypto against openssl that is installed in an arbitrary
>> location.
>>
>
> Thanks, I can use this for Chandler as well :) Been too lazy myself, and
> just patched hardcoded paths for my environment. Nice to get the right
> solution...
>
>
>> 4. I added a quick test to test_evp.py that tests the as_der method.
>>
>
>
This is the only new addition to the m2crypto API. There are existing
unittests for the X509_Extension API, which still work after I've made
the changes.

> Could you provide tests for all the new and changed APIs in unit tests?
> I created a new bug to track this work:
> https://bugzilla.osafoundation.org/show_bug.cgi?id=4782
>
> I'd appreciate if you could attach enhancements to the patch to the bug
> directly.
>
>
Sure thing.

Thanks,
Matt

> Thanks,
>
>

From MKRodriguez at LBL.GOV Wed Nov 30 23:52:06 2005
From: MKRodriguez at LBL.GOV (Matt Rodriguez)
Date: Wed, 30 Nov 2005 14:52:06 -0800
Subject: [PYTHON-CRYPTO] patches for X509_EXTENSION and a few other things
In-Reply-To: <1133389175.26259.22.camel@localhost.localdomain>
References: <438D0445.6060904@lbl.gov> <1133389175.26259.22.camel@localhost.localdomain>
Message-ID: <438E2D16.7080301@lbl.gov>

Conrad Steenberg wrote:

I'll post a link on Friday. The code is a little too "result oriented"
right now.

Matt Rodriguez

> Hi Matt
>
> Could you perhaps send a link to the code you use to create the proxy
> certificates with M2Crypto?
>
> Thanks!
>
> Conrad
>
> On Tue, 2005-11-29 at 17:45 -0800, Matt Rodriguez wrote:
>
>> I've done a little work with M2Crypto because I've been using it to
>> generate proxy certificates. Proxy Certificates need to have a proxy
>> certificate info extension for openssl to recognize them. Openssl
>> versions 0.9.8 and later have support for proxy certificates.
>>
>> So here are the changes that I've made.
>>
>> 1. I added an as_der method to the EVP class in EVP.py. This calls
>> i2d_PUBKEY to get the DER encoding.
>>
>> 2. I changed the new_extensions function in X509. It initializes an
>> LHASH and an X509V3_CTX object, and passes them into the
>> X509V3_ext_conf function. I did this because to use the ProxyCertInfo
>> extension it needed an initialized context object, otherwise I would
>> get a segmentation fault. This is because the X509_EXTENSION_METHOD
>> object associated with PCI does not contain v2i or s2i functions. The
>> method does have an r2i function, but the do_ext_nconf does a check
>> on the context to see if it has a db or db_meth object. If the context
>> is NULL then there is a segmentation fault.
>>
>> If there is another way to create a PCI extension using M2Crypto
>> without this patch, I'd like to know about it.
>>
>> 3. Changes to setup.py. I've mentioned this in previous posts. I added
>> an option so that one could build M2Crypto against openssl that is
>> installed in an arbitrary location.
>>
>> 4. I added a quick test to test_evp.py that tests the as_der method.
>>
>> 5. I fixed an obvious memory leak in _x509.i in the
>> x509_extension_get_name.
>>
>> I've tested these changes with openssl-0.9.8a using valgrind to make
>> sure my changes didn't leak any more memory.
>>
>>
>> Please let me know if there are any problems with the patches or if
>> there is anything I can do to facilitate adding these patches to
>> M2Crypto.
>>
>> Matt Rodriguez
>>