Commit Graph

24 Commits (7cda052bacfa63ff2bbe1f450986101e2d3e76e6)

Author SHA1 Message Date
Ray 7a84c71e80 Release 1.2.0 Preparation
* README.txt -> README.md: renamed
	* dtls/sslconnection.py: Reduce the default MTU in effect while
    handshaking to 576, suitable for various path MTUs and PPPoE
	* dtls/prebuilt/win32-x86[_64]: Rebuilt with Visual C++ 2008 to
    eliminate requirement to install a C++ redistributable package
	* dtls/prebuilt/mingw-x86: mingw support is deprecated
	* dtls/__init__.py: VERSION introduced
	* setup.py: Version incremented to 1.2.0
2017-04-03 14:52:50 -07:00
mcfreis 083554e9e0 Minor fixes and "hopefully" compatible to Ubuntu 16.04
* dtls/__init__.py: Removed wrapper import
* dtls/openssl.py: Fixed line endings to LF
* dtls/patch.py: Removed PROTOCOL_SSLv3 import and fixed line endings to LF
* dtls/sslconnection.py: Fixed line endings to LF
* dtls/test/certs/*_ec.pem: Fixed line endings to LF
* dtls/test/echo_seq.py: Fixed line endings to LF
* dtls/test/simple_client.py: Fixed line endings to LF
* dtls/test/unit.py: Fixed line endings to LF
* dtls/test/unit_wrapper.py: Corrected wrapper import and fixed line endings to LF
* dtls/util.py: Fixed line endings to LF
* dtls/wrapper.py: Corrected function naming to wrap_client() and wrap_server(); Fixed line endings to LF
* dtls/x509.py: Fixed line endings to LF
2017-03-28 07:59:03 +02:00
mcfreis ff509e0724 Added more on error evaluation and a method to get the peer certificate chain
* dtls/__init__.py: import error codes from err.py as error_codes for external access
* dtls/err.py: Added errors for ERR_WRONG_SSL_VERSION, ERR_CERTIFICATE_VERIFY_FAILED, ERR_NO_SHARED_CIPHER and ERR_SSL_HANDSHAKE_FAILURE
* dtls/openssl.py:
	- Added constant SSL_BUILD_CHAIN_FLAG_NONE for SSL_CTX_build_cert_chain()
	- Added method SSL_get_peer_cert_chain()
* dtls/patch.py: Added getpeercertchain() as method to ssl.SSLSocket()
* dtls/sslconnection.py:
	- Bugfix SSLContext.set_ecdh_curve() returns 1 for success and 0 for failure
	- SSLContext.build_cert_chain() changed default flags to SSL_BUILD_CHAIN_FLAG_NONE
	- In SSLConnection() the mtu size gets only set if no user config function is given
	- SSLConnection.listen() raises an exception for ERR_WRONG_VERSION_NUMBER, ERR_COOKIE_MISMATCH, ERR_NO_SHARED_CIPHER and all other unknown errors
	- SSLConnection.read() and write() now can also raise ERR_PORT_UNREACHABLE
	- If SSLConnection.write() successfully writes bytes to the peer, then the handshake is assumed to be okay
	- Added method SSLConnection.getpeercertchain()
* dtls/test/unit.py: ThreadedEchoServer() with an extra exception branch for the newly raised exceptions in SSLConnection.listen()
2017-03-20 16:39:50 +01:00
mcfreis 60f76fac83 Added an interface in SSLConnection() to access SSLContext() and SSL() for manipulating settings during creation
* dtls/openssl.py:
	- Added utility fucntions EC_curve_nist2nid() and EC_curve_nid2nist()
* dtls/patch.py:
	- Extended wrap_socket() arguments with callbacks for user config functions of ssl context and ssl session values
	- Extended SSLSocket() arguments with callbacks for user config functions of ssl context and ssl session values
* dtls/sslconnection.py:
	- Extended SSLConnection() arguments with callbacks for user config functions of ssl context and ssl session values
	- During the init of client and server the corresponding user config functions are called (if given)
	- Added new classes SSLContext() [set_ciphers(), set_sigalgs(), set_curves(), set_ecdh_curve(), build_cert_chain(),
	set_ssl_logging()] and SSL() [set_mtu(), set_link_mtu()]
2017-03-20 16:00:11 +01:00
mcfreis f5b88155fd Added methods getting the curves supported by the runtime openSSL lib
* dtls/openssl.py:
	- Added class _EllipticCurve() for easy handling of the builtin curves
	- Added wrapper get_elliptic_curves() - which uses _EllipticCurve()
	- Added EC_get_builtin_curves(), EC_KEY_new_by_curve_name() and EC_KEY_free()
	- Added OBJ_nid2sn() for translating numeric ids to names
* dtls/util.py: Added _EC_KEY() derived from _Rsrc() with own free/del method
2017-03-20 15:15:14 +01:00
mcfreis 75a01ed528 Added methods for setting and getting the curves used during negotiation and encryption
* dtls/openssl.py:
	- Added SSL_CTX_set1_curves() and SSL_CTX_set1_curves_list()
	- Added SSL_CTX_set_ecdh_auto() and SSL_CTX_set_tmp_ecdh()
	- Added SSL_get1_curves(), SSL_get_shared_curve(), SSL_set1_curves() and SSL_set1_curves_list()
2017-03-20 15:09:18 +01:00
mcfreis 59391e401c Added methods for setting the signature algorithms
* dtls/openssl.py:
	- Added SSL_CTX_set1_client_sigalgs_list(), SSL_CTX_set1_client_sigalgs(), SSL_CTX_set1_sigalgs_list() and SSL_CTX_set1_sigalgs()
	- Added SSL_set1_client_sigalgs_list(), SSL_set1_client_sigalgs(), SSL_set1_sigalgs_list() and SSL_set1_sigalgs()
2017-03-20 14:57:42 +01:00
mcfreis c9b614b7e8 Added method SSL_CTX_build_cert_chain()
* dtls/openssl.py: Added SSL_CTX_build_cert_chain() and corresponding constants
2017-03-20 14:53:53 +01:00
mcfreis dd55dffb0c Added methods *_clear_options() and *_get_options()
* dtls/openssl.py:
	- Added SSL_CTX_clear_options() and SSL_CTX_get_options()
	- Added SSL_clear_options() and SSL_get_options()
2017-03-20 14:51:50 +01:00
mcfreis 83204e8c4d Added new methods for DTLSv1.2
* dtls/err.py: Added error code ERR_WRONG_VERSION_NUMBER
* dtls/openssl.py: Added DTLS_server_method(), DTLSv1_2_server_method() and DTLSv1_2_client_method()
* dtls/patch.py: Default protocol DTLS for ssl.wrap_socket() and ssl.SSLSocket()
* dtls/sslconnection.py:
	- Introduced PROTOCOL_DTLSv1_2 and PROTOCOL_DTLS (the latter one is a synonym for the "higher" version)
	- Updated _init_client() and _init_server() with the new protocol methods
	- Default protocol DTLS for SSLConnection()
	- Return on ERR_WRONG_VERSION_NUMBER if client and server cannot agree on protocol version
* dtls/test/unit.py:
	- Extended test_get_server_certificate() to iterate over the different protocol combinations
	- Extended test_protocol_dtlsv1() to try the different protocol combinations between client and server
2017-03-20 14:48:42 +01:00
mcfreis 8b07f3f46d Updating openSSL libs to v1.0.2l-dev
* dtls/openssl.py: Added mtu-functions SSL_set_mtu() and DTLS_set_link_mtu()
* dtls/prebuilt/win32-*: Updated libs for x86 and x86_64 to version 1.0.2l-dev
* dtls/sslconnection.py: mtu size set hardcoded to 1500 - otherwise the windows implementation has problems
2017-03-20 14:36:33 +01:00
mcfreis 70e78b97cb Added interface for SSL_CTX_set_info_callback()
* dtls/openssl.py:
	- Added methods SSL_CTX_set_info_callback(), SSL_state_string_long(), SSL_alert_type_string_long() and SSL_alert_desc_string_long()
	- Added constants for state and error evaluation during callback
* dtls/sslconnection.py: Added _ssl_logging_cb() as default callback function - only outputs messages when logger is active
2017-03-20 14:27:23 +01:00
mcfreis d601774e24 SSL_write() extended to handle ctypes.Array as data
* dtls/openssl.py: SSL_write() can handle ctypes.Array data
* dtls/sslconnection.py: Added missing import ERR_BOTH_KEY_CERT_FILES
* dtls/test/simple_client.py: Added basic test client to use with dtls/test/echo_seq.py
2017-03-20 14:19:02 +01:00
mcfreis b4911f4949 Beautified lists and maps, grouped imports for easy merges in the future - no changed functionality!
* dtls/openssl.py:
	- Ordered constants according to header file from openSSL
	- Beautified __all__-list and map for _make_function() in order to easy merges in the future
	- Added a few returns in order to evaluate the success of the called methods
* dtls/patch.py: Grouped imports in the following order - system, local
* dtls/sslconnection.py: ssl protocol not hardcoded anymore for forked objects
* dtls/x509.py: logger messages working again
2017-03-20 14:14:14 +01:00
Ray 622f58358e Compatibility Updates for Python 2.7.12
* dtls/openssl.py: support reading directly into given buffer instead
                     of forcing buffer copy (for ssl module compatibility)
	* dtls/sslconnection.py: in-situ receive support, as above
	* dtls/patch.py: various changes for compatibility with the ssl module
                   of Python 2.7.12; note that the ssl module's new
                   SSLContext is not supported
	* dtls/test/unit.py: changes to support the updated ssl module,
                       including fix of deprecation warnings
	* setup.py: increase version to 1.0.2
2017-02-27 22:37:50 -08:00
Ray Brown 9add480710 Licensing
This project is now licensed under the Apache license. Individual files
now have a license reference header.

The Apache 2.0 license text is copied to the file LICENSE. The file
NOTICE, referred to in the license text, has been added. A placeholder
README.txt has been added.

These three new files are integrated into the distribution/installation
machinery, and are placed into the package directory upon installation.
2012-12-18 11:14:31 -08:00
Ray Brown d67f48c050 Interactive performance test suite
The new module test_perf.py can be used to characterize protocol
performance over a particular network link. Two stream protocols
(TCP and SSL) and two datagram protocols (UDP and DTLS) are available
for relative comparison.

The module will run servers in its process, and will spawn clients either
into separate processes, or, depending on command line options, will
expect one or more remote clients to connect to it. In the latter case,
jobs will be sent to such clients via a shared queue whenever the user
selects a test suite.

Stress testing under packet loss conditions revealed that that the
OpenSSL library's compression feature needed to be explicitly disabled
for DTLS: it evidently operates at the stream layer as opposed to the
datagram layer, and packet loss would result in corruption among the
packets that were successfully received, authenticated, and decrypted.

Several performance improvements are included in this patch.
2012-12-10 20:52:49 -08:00
Ray Brown 5f97e81a69 Use ssl module locking when available
Thread locking callbacks into the interpreter impose considerable overhead.
The standard library's ssl module registers its own thread locking and id
callback functions. Registration of the latter can be detected by a call to
the OpenSSL library. In this case, do not set the Python callback function
and therefore keep using the more efficient ssl module functions.
2012-12-02 13:01:45 -08:00
Ray Brown 7c6a512f94 64-bit port
On a 64-bit OS, pointer return values needed to be marked as c_void_p instead
of a user-defined type, which would result in the transfer of 32 bits only.
In order to still return an instance of the user-defined type to the caller,
imported functions are now marked with the return type, and the return
value is converted to that type by a new error checking function used only
with imported functions that create and return user-defined types.

On 64-bit Linux, the long type becomes 8 bytes, whereas the int type remains
4 bytes. The various sockaddr_* fields therefore needed to be changed from
long to int, as did the type signatures of the packed string to array
conversion functions.

On an Ubuntu server installation, it was found that the name "localhost"
does not resolve to an ipv6 address. A name search has therefore been added
to the unit test driver, along with an ip number fallback.

Tested on Ubuntu Server 12.04.1 LTS 64-bit.
Regression tested on Ubuntu 12.04.1 LTS 32-bit.
2012-12-02 10:39:39 -08:00
Ray Brown ca32b91a9c Linux port
With this change all unit tests pass on the Linux platform (tested on
Ubuntu 12.04.1 LTS). demux/__init__.py has been adjusted temporarily so as
to load the routing demux on Linux until the osnet demux is ready.

Testing on Linux exposed an issue where comparison of the ssl object value from
cookie callbacks failed to compare equal to the value stored in the
SSLConnection callback object. This was because the callback function signature
of c_void_p for this parameter produced a 64-bit value if the 32nd bit was set
(as opposed to producing a negative integer 32-bit value). Changing the
signature from c_void_p to c_int for this parameter fixes the issue.
2012-11-26 21:07:56 -08:00
Ray Brown 821952b669 Multi-thread support
The new module tlock provides the locking callback function the OpenSSL library
requires for the case where multiple threads enter it concurrently. tlock is
now automatically initialized by sslconnection's module startup code, and does
nothing if the executing Python environment does not provide threading.

Note that this does introduce some overhead. For example, during the transfer
of CERTFILE by test_socketserver, about 300 locking callbacks are received.
2012-11-22 16:33:27 -08:00
Ray Brown 22083e8221 SSL standard library module wire-in
A patch implementation is provided, which augments and alters the Python
standard library's ssl module to support passing of datagram sockets, in which
case this package's DTLS protocol support will be activated. The ssl module's
interface is intended to operate identically regardless of whether the DTLS
protocol or another protocol is chosen.

The following features of the ssl module are explicitly supported with
datagram sockets:

    * socket wrapping, unwrapping, and re-wrapping
    * threaded UDP servers
    * asynchronous UDP servers (asyncore integration)
    * socket servers (SocketServer integration)

The following modules have been added:

    * dtls.patch: standard library module patching code and substitution
                  functions and methods
    * unit.py:    this is a port of the standard library's testing module
                  test_ssl.py for datagram sockets; all tests pass at this time;
                  a couple of inapplicable tests have been dropped; a few other
                  tests have been added

Also note that the err module's exception raising mechanism has been
augmented so as to raise exceptions of type ssl.SSLError (as opposed to
dtls.err.SSLError) when instructed to do so through activation of the patching
mechanism. This allows code written against the standard library module's
interface to remain unchanged. In some cases, types derived from
ssl.SSLError are raised.
2012-11-21 11:23:03 -08:00
Ray Brown 4464d0bd84 Certificate formatting and retrieval
This change introduces the implementation of the SSLConnection methods
getpeercert and cipher. The following has been added:

    * dtls.util:      utility elements shared by other modules in this package
    * dtls.x509:      a module for X509-certificate-related functionality,
                      including formatting a certificate into a Python
                      dictionary as prescribed by the Python standard
                      library's ssl module; functionality for testing with
                      PEM-encoded certificates in the file system is included
    * yahoo-cert.pem: the current certificate of www.yahoo.com: this is a good
                      testing certificate, since it contains the subject
                      alternate name extension

Other notable changes:

    * sslconnection:  private attributes are now preceded by "_"
    * openssl:        null-ness in opaque FuncParam-derived return values is
                      now properly detected and an exception is raised as
                      expected
2012-11-08 12:04:40 -08:00
Ray Brown 9bb24c5d29 Initial commit: up to and including data exchange functionality
This initial commit for the PyDTLS package includes the following functionality:

    * DTLS cookie exchange, using secure hmac cookies
    * A platform-independent routing UDP demultiplexer
    * SSL handshaking over UDP using the DTLS protocol
    * Datagram exchange using the DTLS protocol
    * SSL shutdown over UDP

The package is structured as follows:

    * dtls:               top-level package
    * dtls.demux:         demultiplexer package; automatically loads a
                          demultiplexer appropriate for the currently executing
                          platform
    * dtls.demux.router:  a routing demux for platforms whose network stacks
                          cannot assign incoming UDP packets to sockets based
                          on the sockets' connection information
    * dtls.demux.osnet:   a demux that uses the operating system's UDP packet
                          routing functionality
    * dtls.err:           package-wide error handling and error definitions
    * dtls.sslconnection: a client and server-side connection class for
                          UDP network connections secured with the DTLS protocol
    * dtls.openssl:       a ctypes-based wrapper for the OpenSSL library
    * dtls.test:          test scripts, utilities, and unit tests

The following binaries are provided:

    * libeay32.dll: cryptographic portion of the OpenSSL library
    * ssleay32.dll: protocol portion of the OpenSSL library (depends on former)
    * cygcrypto-1.0.0.dll: as libeay32.dll, but with debugging symbols
    * cygssl-1.0.0.dll: as ssleay32.dll, but with debugging symbols

All binaries have been built with the MinGW tool chain, targeted for msvcr90.
The unstripped dll's can be debugged on Windows with gdb. Cygwin is not used.
2012-10-29 12:44:24 -07:00