* dtls/__init__.py: Removed wrapper import
* dtls/openssl.py: Fixed line endings to LF
* dtls/patch.py: Removed PROTOCOL_SSLv3 import and fixed line endings to LF
* dtls/sslconnection.py: Fixed line endings to LF
* dtls/test/certs/*_ec.pem: Fixed line endings to LF
* dtls/test/echo_seq.py: Fixed line endings to LF
* dtls/test/simple_client.py: Fixed line endings to LF
* dtls/test/unit.py: Fixed line endings to LF
* dtls/test/unit_wrapper.py: Corrected wrapper import and fixed line endings to LF
* dtls/util.py: Fixed line endings to LF
* dtls/wrapper.py: Corrected function naming to wrap_client() and wrap_server(); Fixed line endings to LF
* dtls/x509.py: Fixed line endings to LF
* dtls/__init__.py: import error codes from err.py as error_codes for external access
* dtls/err.py: Added errors for ERR_WRONG_SSL_VERSION, ERR_CERTIFICATE_VERIFY_FAILED, ERR_NO_SHARED_CIPHER and ERR_SSL_HANDSHAKE_FAILURE
* dtls/openssl.py:
- Added constant SSL_BUILD_CHAIN_FLAG_NONE for SSL_CTX_build_cert_chain()
- Added method SSL_get_peer_cert_chain()
* dtls/patch.py: Added getpeercertchain() as method to ssl.SSLSocket()
* dtls/sslconnection.py:
- Bugfix SSLContext.set_ecdh_curve() returns 1 for success and 0 for failure
- SSLContext.build_cert_chain() changed default flags to SSL_BUILD_CHAIN_FLAG_NONE
- In SSLConnection() the mtu size gets only set if no user config function is given
- SSLConnection.listen() raises an exception for ERR_WRONG_VERSION_NUMBER, ERR_COOKIE_MISMATCH, ERR_NO_SHARED_CIPHER and all other unknown errors
- SSLConnection.read() and write() now can also raise ERR_PORT_UNREACHABLE
- If SSLConnection.write() successfully writes bytes to the peer, then the handshake is assumed to be okay
- Added method SSLConnection.getpeercertchain()
* dtls/test/unit.py: ThreadedEchoServer() with an extra exception branch for the newly raised exceptions in SSLConnection.listen()
* dtls/err.py: Added error code ERR_WRONG_VERSION_NUMBER
* dtls/openssl.py: Added DTLS_server_method(), DTLSv1_2_server_method() and DTLSv1_2_client_method()
* dtls/patch.py: Default protocol DTLS for ssl.wrap_socket() and ssl.SSLSocket()
* dtls/sslconnection.py:
- Introduced PROTOCOL_DTLSv1_2 and PROTOCOL_DTLS (the latter one is a synonym for the "higher" version)
- Updated _init_client() and _init_server() with the new protocol methods
- Default protocol DTLS for SSLConnection()
- Return on ERR_WRONG_VERSION_NUMBER if client and server cannot agree on protocol version
* dtls/test/unit.py:
- Extended test_get_server_certificate() to iterate over the different protocol combinations
- Extended test_protocol_dtlsv1() to try the different protocol combinations between client and server
* dtls/openssl.py: support reading directly into given buffer instead
of forcing buffer copy (for ssl module compatibility)
* dtls/sslconnection.py: in-situ receive support, as above
* dtls/patch.py: various changes for compatibility with the ssl module
of Python 2.7.12; note that the ssl module's new
SSLContext is not supported
* dtls/test/unit.py: changes to support the updated ssl module,
including fix of deprecation warnings
* setup.py: increase version to 1.0.2
On a 64-bit OS, pointer return values needed to be marked as c_void_p instead
of a user-defined type, which would result in the transfer of 32 bits only.
In order to still return an instance of the user-defined type to the caller,
imported functions are now marked with the return type, and the return
value is converted to that type by a new error checking function used only
with imported functions that create and return user-defined types.
On 64-bit Linux, the long type becomes 8 bytes, whereas the int type remains
4 bytes. The various sockaddr_* fields therefore needed to be changed from
long to int, as did the type signatures of the packed string to array
conversion functions.
On an Ubuntu server installation, it was found that the name "localhost"
does not resolve to an ipv6 address. A name search has therefore been added
to the unit test driver, along with an ip number fallback.
Tested on Ubuntu Server 12.04.1 LTS 64-bit.
Regression tested on Ubuntu 12.04.1 LTS 32-bit.
This change introduces a demux that uses the kernel's network stack for UDP
datagram-to-socket assignment based on packet source address (as opposed to the
forwarding strategy of the routing demux). The osnet demux is used by default
on non-Windows platforms. When possible, use of the osnet demux is preferred
over the routing demux, since it can be expected to perform better.
The unit test suite has been extended to run all tests first with the demux
selected by default for the current platform, and then with the routing demux,
if the latter differs from the former. Tests were already being run twice, first
with IPv4 and then with IPv6, and thus we now run each test four times on
Linux, twice on Windows.
All unit tests pass with both demux types.
With this change all unit tests pass on the Linux platform (tested on
Ubuntu 12.04.1 LTS). demux/__init__.py has been adjusted temporarily so as
to load the routing demux on Linux until the osnet demux is ready.
Testing on Linux exposed an issue where comparison of the ssl object value from
cookie callbacks failed to compare equal to the value stored in the
SSLConnection callback object. This was because the callback function signature
of c_void_p for this parameter produced a 64-bit value if the 32nd bit was set
(as opposed to producing a negative integer 32-bit value). Changing the
signature from c_void_p to c_int for this parameter fixes the issue.
Prior to this change, the unit tests' echo servers' connections would sometimes
linger beyond server termination. A timeout mechanism is now implemented, which
will terminate a connection and clean up its resources when the timeout is
reached. For the purpose of unit testing, test echo servers now assert that
all connections have been terminated when the servers are closed.
For threaded echo servers, the timeout mechanism involves the use of sockets
with timeouts instead of blocking sockets. This required an implementation with
the proper handling of timeout sockets at the sslconnection level.
The unit test suite was previously being run with IPv4 protocol addresses only.
With this change, we run the entire test suite twice: first with v4 addresses,
and then with v6 addresses, for all client and server-side sockets.
A patch implementation is provided, which augments and alters the Python
standard library's ssl module to support passing of datagram sockets, in which
case this package's DTLS protocol support will be activated. The ssl module's
interface is intended to operate identically regardless of whether the DTLS
protocol or another protocol is chosen.
The following features of the ssl module are explicitly supported with
datagram sockets:
* socket wrapping, unwrapping, and re-wrapping
* threaded UDP servers
* asynchronous UDP servers (asyncore integration)
* socket servers (SocketServer integration)
The following modules have been added:
* dtls.patch: standard library module patching code and substitution
functions and methods
* unit.py: this is a port of the standard library's testing module
test_ssl.py for datagram sockets; all tests pass at this time;
a couple of inapplicable tests have been dropped; a few other
tests have been added
Also note that the err module's exception raising mechanism has been
augmented so as to raise exceptions of type ssl.SSLError (as opposed to
dtls.err.SSLError) when instructed to do so through activation of the patching
mechanism. This allows code written against the standard library module's
interface to remain unchanged. In some cases, types derived from
ssl.SSLError are raised.
inpos
mcfreis
Ray