[fedor] improve Jingle XTLS security. Fixes #7544

Yann Leboulanger 2013-11-05 11:21:56 +01:00
parent 9076ad8156
commit 0bae08571a
1 changed files with 12 additions and 7 deletions


@ -92,7 +92,10 @@ def get_context(fingerprint, verify_cb=None):
""" """
constructs and returns the context objects constructs and returns the context objects
""" """
ctx = SSL.Context(SSL.TLSv1_METHOD) ctx = SSL.Context(SSL.SSLv23_METHOD)
flags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE)
ctx.set_options(flags)
ctx.set_cipher_list('HIGH:!aNULL:!eNULL')
if fingerprint == 'server': # for testing purposes only if fingerprint == 'server': # for testing purposes only
ctx.set_verify(SSL.VERIFY_NONE|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, ctx.set_verify(SSL.VERIFY_NONE|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
@ -174,12 +177,12 @@ def createKeyPair(type, bits):
pkey.generate_key(type, bits) pkey.generate_key(type, bits)
return pkey return pkey
def createCertRequest(pkey, digest="md5", **name): def createCertRequest(pkey, digest="sha1", **name):
""" """
Create a certificate request. Create a certificate request.
Arguments: pkey - The key to associate with the request Arguments: pkey - The key to associate with the request
digest - Digestion method to use for signing, default is md5 digest - Digestion method to use for signing, default is sha1
**name - The name of the subject of the request, possible **name - The name of the subject of the request, possible
arguments are: arguments are:
C - Country name C - Country name
@ -201,7 +204,7 @@ def createCertRequest(pkey, digest="md5", **name):
req.sign(pkey, digest) req.sign(pkey, digest)
return req return req
def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="md5"): def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="sha1"):
""" """
Generate a certificate given a certificate request. Generate a certificate given a certificate request.
@ -213,7 +216,7 @@ def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter
starts being valid starts being valid
notAfter - Timestamp (relative to now) when the certificate notAfter - Timestamp (relative to now) when the certificate
stops being valid stops being valid
digest - Digest method to use for signing, default is md5 digest - Digest method to use for signing, default is sha1
Returns: The signed certificate in an X509 object Returns: The signed certificate in an X509 object
""" """
cert = crypto.X509() cert = crypto.X509()
@ -233,10 +236,12 @@ def make_certs(filepath, CN):
and '.cert' extensions and '.cert' extensions
CN : common name CN : common name
""" """
key = createKeyPair(TYPE_RSA, 1024) key = createKeyPair(TYPE_RSA, 4096)
req = createCertRequest(key, CN=CN) req = createCertRequest(key, CN=CN)
cert = createCertificate(req, (req, key), 0, (0, 60*60*24*365*5)) # five years cert = createCertificate(req, (req, key), 0, (0, 60*60*24*365*5)) # five years
open(filepath + '.pkey', 'w').write(crypto.dump_privatekey( private_key_file = open(filepath + '.pkey', 'w')
os.chmod(filepath + '.pkey', 0600)
private_key_file.write(crypto.dump_privatekey(
crypto.FILETYPE_PEM, key)) crypto.FILETYPE_PEM, key))
open(filepath + '.cert', 'w').write(crypto.dump_certificate( open(filepath + '.cert', 'w').write(crypto.dump_certificate(
crypto.FILETYPE_PEM, cert)) crypto.FILETYPE_PEM, cert))
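Review bot: In make_certs the private key file is still created by `open(filepath + '.pkey', 'w')` with umask-default permissions and only afterwards narrowed by `os.chmod(filepath + '.pkey', 0600)`, so a process that opens the file in that window keeps a readable descriptor when the key is written. Creating the file with the restrictive mode closes the gap: `fd = os.open(filepath + '.pkey', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `private_key_file = os.fdopen(fd, 'w')`. The mode argument only applies when the file is newly created, so the chmod is still worth keeping for a pre-existing `.pkey`. In the visible lines `private_key_file` is also never closed, so the write relies on garbage collection to flush; an explicit `private_key_file.close()` after the write would make that deterministic. The function's `def` line and the start of its docstring are outside the hunk.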