From 1ba757f0abfb9e4dcc770ae581b19c5b575ed37a Mon Sep 17 00:00:00 2001 From: Alban Diquet Date: Sat, 23 Sep 2023 18:14:14 +0200 Subject: [PATCH 1/3] [#95]Fix seg faults on Red Hat Linux --- setup.py | 4 ++++ tasks.py | 6 ++++++ tests/build_config_test.py | 22 ++++++++++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 tests/build_config_test.py diff --git a/setup.py b/setup.py index de7db9f..7980e3b 100644 --- a/setup.py +++ b/setup.py @@ -84,6 +84,10 @@ else: BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall") + # Hide internal OpenSSL symbols to avoid "symbol confusion" when Python loads the system's OpenSSL libraries + # https://github.com/nabla-c0d3/nassl/issues/95 + BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,--exclude-libs=ALL") + if CURRENT_PLATFORM == SupportedPlatformEnum.LINUX_64: # Explicitly disable executable stack on Linux 64 to address issues with Ubuntu on Windows # https://github.com/nabla-c0d3/nassl/issues/28 diff --git a/tasks.py b/tasks.py index 95e5ebc..b5c2208 100644 --- a/tasks.py +++ b/tasks.py @@ -28,6 +28,11 @@ def test(ctx): ctx.run("python sample_client.py") +@task +def autoformat(ctx): + ctx.run("black .") + + @task def package_linux_wheels(ctx): """Build the Linux 32 and 64 bit wheels using Docker.""" @@ -81,6 +86,7 @@ def release(ctx): ns = Collection() ns.add_task(release) ns.add_task(test) +ns.add_task(autoformat) package = Collection("package") diff --git a/tests/build_config_test.py b/tests/build_config_test.py new file mode 100644 index 0000000..1a77f43 --- /dev/null +++ b/tests/build_config_test.py 
@@ -0,0 +1,22 @@ +import subprocess +from sys import platform +from nassl import _nassl, _nassl_legacy +import pytest + +can_only_run_on_linux_64 = pytest.mark.skipif( + condition=platform not in ["linux", "linux2"], reason="The test suite it not being run on Linux" +) + + +class TestBuildConfig: + @can_only_run_on_linux_64 + @pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy]) + def test_internal_openssl_symbols_are_hidden(self, nassl_module): + # Given the compiled _nassl module + # When looking at the module's shared library's symbol table + symbol_table = subprocess.run(["nm", "-gD", f"{nassl_module.__file__}"], capture_output=True).stdout + + # Then internal symbols from the statically linked OpenSSL libraries are not present, so that no + # "symbol confusion" can occur when Python loads the system's OpenSSL libraries (which are incompatible with + # nassl). See also https://github.com/nabla-c0d3/nassl/issues/95 + assert "RSA_verify" not in symbol_table.decode("ascii") From 19bd94f939cfad77d6e22997478219a7eb5f5a0a Mon Sep 17 00:00:00 2001 From: Alban Diquet Date: Sat, 23 Sep 2023 18:35:51 +0200 Subject: [PATCH 2/3] Fix test --- tests/cert_chain_verifier_test.py | 107 ++++++++---------------------- 1 file changed, 27 insertions(+), 80 deletions(-) diff --git a/tests/cert_chain_verifier_test.py b/tests/cert_chain_verifier_test.py index a76b1aa..dfa80c6 100644 --- a/tests/cert_chain_verifier_test.py +++ b/tests/cert_chain_verifier_test.py @@ -1,3 +1,4 @@ +import ssl from pathlib import Path from typing import List 
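Review bot: The assertion in `test_internal_openssl_symbols_are_hidden` passes vacuously when `nm` exits with an error, because `subprocess.run` is called without `check=True` and a failed run leaves `stdout` empty, so `"RSA_verify" not in ...` is trivially true. This test is the only guard in the patch that the statically linked OpenSSL symbols stay hidden, so make it fail loudly: `subprocess.run(["nm", "-gD", nassl_module.__file__], capture_output=True, check=True)`, followed by `assert symbol_table` before the negative check. Checking the single name `RSA_verify` is also narrow; a short list of representative OpenSSL exports would catch a partial regression. The marker is named `can_only_run_on_linux_64` but its condition accepts any Linux platform, so a name like `can_only_run_on_linux` would match what it does.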
@@ -9,87 +10,33 @@ @pytest.fixture def certificate_chain_as_x509() -> List[X509]: - leaf_pem = """-----BEGIN CERTIFICATE----- -MIII1TCCBr2gAwIBAgITEgAuYwQ424geTx2LkgAAAC5jBDANBgkqhkiG9w0BAQsF -ADBPMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u -MSAwHgYDVQQDExdNaWNyb3NvZnQgUlNBIFRMUyBDQSAwMTAeFw0yMjA3MDgxODIy -NDdaFw0yMzA3MDgxODIyNDdaMGgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQ -MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u -MRowGAYDVQQDExF3d3cubWljcm9zb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBALHvvOC2sqJPFX0e3ggRvsY0+o1PQIyBiap6CEWY/gX3G1Np -qML6T/JcYw7o41h5fr2/a6v4SR5at0bfPPp/MRKG+ojDe2C2m2h68aRqAVDfIUaX -Y6LTRwmhljEs7zxYV/I4HLShed4gHEuG8c4nvRS3e1QAodshKpMq0permXvZFOUo -q5BJVAwkdmLHhBuXBPvkBleC2sNgFZCQuYqMqc2BW/Gn6/2w+41CvatbArAMDzSm -Xqn7SCbgu80biBGdPROh4uUbhjdud5K76NQiz4MBGfRTf2l78sKu2SEVY5r3Lwlb -1IoH8rQbMvAncQEFsQICyuUevNyiOc5jnX31sEMCAwEAAaOCBI8wggSLMIIBfgYK -KwYBBAHWeQIEAgSCAW4EggFqAWgAdwDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp -4Xd9bQa9bgAAAYHfFgzPAAAEAwBIMEYCIQDA0Ih9duSk2UN9tK2G8DLNwgXofm3D -ifMFT3dvdyD/IgIhAKhoeljT/hRgjxkQbngfBrxcW2JwdxZFd3rLQlbZacxeAHYA -VYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAGB3xYN3QAABAMARzBF -AiEAypJYputrztw5Xw9xFhzI/lmPjrYNX0gA6flPLfrFP94CIDty944wlUfoe1NO -YJsdZyn/JfzcqQCjp8OsEHHN6A3sAHUArfe++nz/EMiLnT2cHj4YarRnKV3PsQwk -yoWGNOvcgooAAAGB3xYMoQAABAMARjBEAiBQzrF42TDdtpYjopg1PFZW4KGNMoOs -oNBzH8PM40yQugIgBGgHH939IuGj/xVQfFlAFKjcyXXjrs6OK0SyY+0NDU4wJwYJ -KwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATA9BgkrBgEEAYI3 -FQcEMDAuBiYrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdufgQhpHQeAIB -ZAIBJTCBhwYIKwYBBQUHAQEEezB5MFMGCCsGAQUFBzAChkdodHRwOi8vd3d3Lm1p -Y3Jvc29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBSU0ElMjBUTFMlMjBD -QSUyMDAxLmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTAd -BgNVHQ4EFgQUX+VxYNvuT/HUdyJefr/RaVr27BAwDgYDVR0PAQH/BAQDAgSwMIGZ -BgNVHREEgZEwgY6CEXd3dy5taWNyb3NvZnQuY29tghN3d3dxYS5taWNyb3NvZnQu -Y29tghhzdGF0aWN2aWV3Lm1pY3Jvc29mdC5jb22CEWkucy1taWNyb3NvZnQuY29t 
-gg1taWNyb3NvZnQuY29tghFjLnMtbWljcm9zb2Z0LmNvbYIVcHJpdmFjeS5taWNy -b3NvZnQuY29tMIGwBgNVHR8EgagwgaUwgaKggZ+ggZyGTWh0dHA6Ly9tc2NybC5t -aWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFJTQSUyMFRM -UyUyMENBJTIwMDEuY3JshktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL21z -Y29ycC9jcmwvTWljcm9zb2Z0JTIwUlNBJTIwVExTJTIwQ0ElMjAwMS5jcmwwVwYD -VR0gBFAwTjBCBgkrBgEEAYI3KgEwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5t -aWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3BzMAgGBmeBDAECAjAfBgNVHSMEGDAW -gBS1dgwwEc7HkkJNTMdcLMipDOgLZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB -BQUHAwEwDQYJKoZIhvcNAQELBQADggIBAJdKRDgb+/aEASI+6HAPyjFCEQgPg3C7 -1Ifensq0oV2wN9HoVo6zbTsVxaJ6im/zWJcyM1fu/4NCnKASHYcdxvzU1U0zZ/v0 -oS+Asa7Cra89Ov9Yu52Hjb1glDH4gsww/IQ8NhYdpJp+24c+RuvOWwEbq6TGu2HQ -CdWfBNL9kigbt2Oq72DXY3mjoEKCSsIgbGyo/7F3FCXu8sngLicLu7g4rhOavNq/ -Kcj8a9ZcSo2WjlwblpiX4XapyD5Psf5SkEGsEB3vax7VhLFcgp2Tn7emIHTsuFsx -FTQvZyG5XpjFWbLLUH3NgBVoN5mqjyI4s0BQaP41BwxR79JTo6mBwMhXDFc2+lli -8T7wV1+xpvzHncEd6LRn3jHeKoh+1qZlyaFhViMMoEAxqEoIZQrj84BPuBKty6b4 -1MSdRaRZ0GSW8sD0uXwynbUk/bvXYTeUelqlcTaPHIseivRXJ8kgA2MDk0i6x3Sk -v/NZfY+Gx/gSmup8RlozDUVhMfdmqe16/wLkAs2OAVQG3YGjVCJD7Yn3TonZgmG4 -ZeI1WaR1feVWB+bpoXjn+FUMppE5wcA9BLTLzka774eZ4kIbrAUUPEgf+TNHZC/o -DPGqHOumffCWs35If0qFH6ppyrzkj0CTak5jguRvpYdDDi04jfPDtFsm/PvupneX -JLY4eLGRgCgL ------END CERTIFICATE----- -""" + leaf_pem = ssl.get_server_certificate(("www.github.com", 443)) + + # DigiCert TLS Hybrid ECC SHA384 2020 CA1 intermediate_pem = """-----BEGIN CERTIFICATE----- -MIIFWjCCBEKgAwIBAgIQDxSWXyAgaZlP1ceseIlB4jANBgkqhkiG9w0BAQsFADBa -MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl -clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw -MDcyMTIzMDAwMFoXDTI0MTAwODA3MDAwMFowTzELMAkGA1UEBhMCVVMxHjAcBgNV -BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEgMB4GA1UEAxMXTWljcm9zb2Z0IFJT -QSBUTFMgQ0EgMDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqYnfP -mmOyBoTzkDb0mfMUUavqlQo7Rgb9EUEf/lsGWMk4bgj8T0RIzTqk970eouKVuL5R -IMW/snBjXXgMQ8ApzWRJCZbar879BV8rKpHoAW4uGJssnNABf2n17j9TiFy6BWy+ 
-IhVnFILyLNK+W2M3zK9gheiWa2uACKhuvgCca5Vw/OQYErEdG7LBEzFnMzTmJcli -W1iCdXby/vI/OxbfqkKD4zJtm45DJvC9Dh+hpzqvLMiK5uo/+aXSJY+SqhoIEpz+ -rErHw+uAlKuHFtEjSeeku8eR3+Z5ND9BSqc6JtLqb0bjOHPm5dSRrgt4nnil75bj -c9j3lWXpBb9PXP9Sp/nPCK+nTQmZwHGjUnqlO9ebAVQD47ZisFonnDAmjrZNVqEX -F3p7laEHrFMxttYuD81BdOzxAbL9Rb/8MeFGQjE2Qx65qgVfhH+RsYuuD9dUw/3w -ZAhq05yO6nk07AM9c+AbNtRoEcdZcLCHfMDcbkXKNs5DJncCqXAN6LhXVERCw/us -G2MmCMLSIx9/kwt8bwhUmitOXc6fpT7SmFvRAtvxg84wUkg4Y/Gx++0j0z6StSeN -0EJz150jaHG6WV4HUqaWTb98Tm90IgXAU4AW2GBOlzFPiU5IY9jt+eXC2Q6yC/Zp -TL1LAcnL3Qa/OgLrHN0wiw1KFGD51WRPQ0Sh7QIDAQABo4IBJTCCASEwHQYDVR0O -BBYEFLV2DDARzseSQk1Mx1wsyKkM6AtkMB8GA1UdIwQYMBaAFOWdWTCCR1jMrPoI -VDaGezq1BE3wMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYI -KwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQoMCYwJAYI -KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA6BgNVHR8EMzAxMC+g -LaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vT21uaXJvb3QyMDI1LmNybDAq -BgNVHSAEIzAhMAgGBmeBDAECATAIBgZngQwBAgIwCwYJKwYBBAGCNyoBMA0GCSqG -SIb3DQEBCwUAA4IBAQCfK76SZ1vae4qt6P+dTQUO7bYNFUHR5hXcA2D59CJWnEj5 -na7aKzyowKvQupW4yMH9fGNxtsh6iJswRqOOfZYC4/giBO/gNsBvwr8uDW7t1nYo -DYGHPpvnpxCM2mYfQFHq576/TmeYu1RZY29C4w8xYBlkAA8mDJfRhMCmehk7cN5F -JtyWRj2cZj/hOoI45TYDBChXpOlLZKIYiG1giY16vhCRi6zmPzEwv+tk156N6cGS -Vm44jTQ/rs1sa0JSYjzUaYngoFdZC4OfxnIkQvUIA4TOFmPzNPEFdjcZsgbeEz4T -cGHTBPK4R28F44qIMCtHRV55VMX53ev6P3hRddJb +MIIEQzCCAyugAwIBAgIQCidf5wTW7ssj1c1bSxpOBDANBgkqhkiG9w0BAQwFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0yMDA5MjMwMDAwMDBaFw0zMDA5MjIyMzU5NTlaMFYxCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI +eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA +BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ +qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v +c6OCAa4wggGqMB0GA1UdDgQWBBQKvAgpF4ylOW16Ds4zxy6z7fvDejAfBgNVHSME 
+GDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwdgYI +KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j +b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp +Q2VydEdsb2JhbFJvb3RDQS5jcnQwewYDVR0fBHQwcjA3oDWgM4YxaHR0cDovL2Ny +bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA3oDWgM4Yx +aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNy +bDAwBgNVHSAEKTAnMAcGBWeBDAEBMAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EM +AQIDMA0GCSqGSIb3DQEBDAUAA4IBAQDeOpcbhb17jApY4+PwCwYAeq9EYyp/3YFt +ERim+vc4YLGwOWK9uHsu8AjJkltz32WQt960V6zALxyZZ02LXvIBoa33llPN1d9R +JzcGRvJvPDGJLEoWKRGC5+23QhST4Nlg+j8cZMsywzEXJNmvPlVv/w+AbxsBCMqk +BGPI2lNM8hkmxPad31z6n58SXqJdH/bYF462YvgdgbYKOytobPAyTgr3mYI5sUje +CzqJx1+NLyc8nAK8Ib2HxnC+IrrWzfRLvVNve8KaN9EtBH7TuMwNW4SpDCmGr6fY +1h3tDjHhkTb9PA36zoaJzu0cIw265vZt6hCmYWJC+/j+fgZwcPwL -----END CERTIFICATE----- """ return [X509(leaf_pem), X509(intermediate_pem)] From b77c847bdf491e56d5dfee5e9174223efb5c5075 Mon Sep 17 00:00:00 2001 From: Alban Diquet Date: Sat, 23 Sep 2023 19:30:32 +0200 Subject: [PATCH 3/3] [#95]Fix build for macOS --- build_tasks.py | 11 ++++++++++- setup.py | 7 ++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/build_tasks.py b/build_tasks.py index 64233f9..6047698 100644 --- a/build_tasks.py +++ b/build_tasks.py @@ -6,7 +6,7 @@ from tempfile import TemporaryFile from platform import architecture, machine from sys import platform -from typing import Optional, Any +from typing import Optional, Any, List from urllib.request import urlopen # Monkeypatch for Python 3.11 @@ -45,6 +45,15 @@ class SupportedPlatformEnum(Enum): LINUX_ARM64 = 8 LINUX_ARM32 = 9 + @classmethod + def all_linux_platforms(cls) -> List["SupportedPlatformEnum"]: + return [ + cls.LINUX_32, + cls.LINUX_64, + cls.LINUX_ARM32, + cls.LINUX_ARM64, + ] + CURRENT_PLATFORM = None if architecture()[0] == "64bit": 
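Review bot: `ssl.get_server_certificate(("www.github.com", 443))` in the `certificate_chain_as_x509` fixture makes every test that uses it depend on live network access, and on www.github.com still being issued by the hard-coded "DigiCert TLS Hybrid ECC SHA384 2020 CA1" intermediate. The suite will therefore break again on the next CA change, much as the removed static leaf appears to have expired. The call also sets no timeout and, with `ca_certs` left unset, does not validate the certificate it returns, so the leaf under test is whatever the network path hands back. Prefer a chain generated for the test, or a pinned leaf/intermediate pair verified at a fixed time if the verifier API allows it. If the live fetch stays, pass `timeout=` (available from Python 3.10) and mark the test as network-dependent so offline or sandboxed CI runs can skip it.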
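Review bot: `all_linux_platforms` has no docstring, and its hand-maintained list must be extended whenever a Linux member is added to `SupportedPlatformEnum`; otherwise `setup.py` silently stops applying the symbol-hiding link flag on that platform. Add a docstring such as `"""Return every Linux member of the enum; setup.py uses this to gate Linux-only link flags."""`. Consider deriving the list from the members whose name starts with `LINUX_` so it cannot drift. The enum body starts outside the hunk.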
diff --git a/setup.py b/setup.py index 7980e3b..8a967c6 100644 --- a/setup.py +++ b/setup.py @@ -84,9 +84,10 @@ else: BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall") - # Hide internal OpenSSL symbols to avoid "symbol confusion" when Python loads the system's OpenSSL libraries - # https://github.com/nabla-c0d3/nassl/issues/95 - BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,--exclude-libs=ALL") + if CURRENT_PLATFORM in SupportedPlatformEnum.all_linux_platforms(): + # Hide internal OpenSSL symbols to avoid "symbol confusion" when Python loads the system's OpenSSL libraries + # https://github.com/nabla-c0d3/nassl/issues/95 + BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,--exclude-libs=ALL") if CURRENT_PLATFORM == SupportedPlatformEnum.LINUX_64: # Explicitly disable executable stack on Linux 64 to address issues with Ubuntu on Windows
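Review bot: The new `if CURRENT_PLATFORM in SupportedPlatformEnum.all_linux_platforms():` guard has no comment saying why other platforms are excluded, and after this change the non-Linux builds that reach this `else:` branch get no symbol hiding at all. Extend the comment with something like `# --exclude-libs is only accepted by ELF linkers; the macOS linker rejects it` (inferred from the commit title, please confirm), and record whether macOS needs an equivalent or is unaffected. `tests/build_config_test.py` is skipped outside Linux, so nothing verifies the exported symbols of the macOS build either way. The enclosing `else:` branch starts outside the hunk.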