wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

Tests fail after openssl: 3.0.9 -> 3.0.10 #75

Closed vcunat closed 1 year ago

vcunat commented 1 year ago

Busted parsing when more digits appeared, most likely.

```
==================================== ERRORS ====================================
__________________ ERROR collecting tests/test_asymmetric.py ___________________
tests/test_asymmetric.py:9: in <module>
    from oscrypto import asymmetric, errors, backend
oscrypto/asymmetric.py:19: in <module>
    from ._asymmetric import _unwrap_private_key_info
oscrypto/_asymmetric.py:27: in <module>
    from .kdf import pbkdf1, pbkdf2, pkcs12_kdf
oscrypto/kdf.py:9: in <module>
    from .util import rand_bytes
oscrypto/util.py:14: in <module>
    from ._openssl.util import rand_bytes
oscrypto/_openssl/util.py:6: in <module>
    from ._libcrypto import libcrypto, libcrypto_version_info, handle_openssl_error
oscrypto/_openssl/_libcrypto.py:15: in <module>
    from ._libcrypto_ctypes import (
oscrypto/_openssl/_libcrypto_ctypes.py:47: in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
E   oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
______________________ ERROR collecting tests/test_kdf.py ______________________
tests/test_kdf.py:7: in <module>
    from oscrypto import kdf, _pkcs5
oscrypto/kdf.py:9: in <module>
    from .util import rand_bytes
oscrypto/util.py:14: in <module>
    from ._openssl.util import rand_bytes
oscrypto/_openssl/util.py:6: in <module>
    from ._libcrypto import libcrypto, libcrypto_version_info, handle_openssl_error
oscrypto/_openssl/_libcrypto.py:15: in <module>
    from ._libcrypto_ctypes import (
oscrypto/_openssl/_libcrypto_ctypes.py:47: in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
E   oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
_____________________ ERROR collecting tests/test_keys.py ______________________
tests/test_keys.py:9: in <module>
    from oscrypto import keys, backend
oscrypto/keys.py:5: in <module>
    from ._asymmetric import parse_certificate, parse_private, parse_public
oscrypto/_asymmetric.py:27: in <module>
    from .kdf import pbkdf1, pbkdf2, pkcs12_kdf
oscrypto/kdf.py:9: in <module>
    from .util import rand_bytes
oscrypto/util.py:14: in <module>
    from ._openssl.util import rand_bytes
oscrypto/_openssl/util.py:6: in <module>
    from ._libcrypto import libcrypto, libcrypto_version_info, handle_openssl_error
oscrypto/_openssl/_libcrypto.py:15: in <module>
    from ._libcrypto_ctypes import (
oscrypto/_openssl/_libcrypto_ctypes.py:47: in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
E   oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
___________________ ERROR collecting tests/test_symmetric.py ___________________
tests/test_symmetric.py:7: in <module>
    from oscrypto import symmetric, util, backend
oscrypto/symmetric.py:43: in <module>
    from ._openssl.symmetric import (
oscrypto/_openssl/symmetric.py:8: in <module>
    from ._libcrypto import libcrypto, libcrypto_legacy_support, LibcryptoConst, handle_openssl_error
oscrypto/_openssl/_libcrypto.py:15: in <module>
    from ._libcrypto_ctypes import (
oscrypto/_openssl/_libcrypto_ctypes.py:47: in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
E   oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
______________________ ERROR collecting tests/test_tls.py ______________________
tests/test_tls.py:13: in <module>
    from oscrypto import tls, errors, backend
oscrypto/tls.py:23: in <module>
    from ._openssl.tls import (
oscrypto/_openssl/tls.py:10: in <module>
    from ._libssl import libssl, LibsslConst
oscrypto/_openssl/_libssl.py:7: in <module>
    from ._libcrypto import libcrypto_version_info
oscrypto/_openssl/_libcrypto.py:15: in <module>
    from ._libcrypto_ctypes import (
oscrypto/_openssl/_libcrypto_ctypes.py:47: in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
E   oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
=============================== warnings summary ===============================
tests/__init__.py:4
  /build/source/tests/__init__.py:4: DeprecationWarning: the imp module is deprecated in favour of importlib and slated for removal in Python 3.12; see the module's documentation for alternative uses
    import imp

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=========================== short test summary info ============================
ERROR tests/test_asymmetric.py - oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
ERROR tests/test_kdf.py - oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
ERROR tests/test_keys.py - oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
ERROR tests/test_symmetric.py - oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
ERROR tests/test_tls.py - oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
!!!!!!!!!!!!!!!!!!! Interrupted: 5 errors during collection !!!!!!!!!!!!!!!!!!!!
================== 4 deselected, 1 warning, 5 errors in 0.42s ==================
```

lewinfox commented 1 year ago

👍 for this - I'm using OpenSSL 3.1.10 1 Aug 2023 and I get

```
File "/home/.../lib/python3.8/site-packages/oscrypto/_openssl/_libcrypto_cffi.py", line 46, in <module>
    raise LibraryNotFoundError('Error detecting the version of libcrypto')
```

Looks like the regex on line 42 expects single-digit version components only.

```python
version_match = re.search('\\b(\\d\\.\\d\\.\\d[a-z]*)\\b', version_string)
```

vcunat commented 1 year ago

So if someone wants a ready full patch (that passes for me), here it is: https://github.com/NixOS/nixpkgs/blob/72b94272c96eef5fe866d10fd76544e54789759c/pkgs/development/python-modules/oscrypto/support-openssl-3.0.10.patch

lewinfox commented 1 year ago

> So if someone wants a ready full patch (that passes for me), here it is:
>
> https://github.com/NixOS/nixpkgs/blob/72b94272c96eef5fe866d10fd76544e54789759c/pkgs/development/python-modules/oscrypto/support-openssl-3.0.10.patch

Is it worth accounting for e.g. v10.10.10 as well? I.e. adding + quantifiers to all the version components?

vcunat commented 1 year ago

Based on openssl version history, I don't think it's likely to make any difference in the next decade.
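
The parsing failure discussed in the comments above, as an added example that is not part of the original thread or of the oscrypto code base: it runs the single-digit pattern quoted earlier and a widened pattern over constructed version strings. `MULTI_DIGIT`, `parse_version`, `compare` and the sample strings are assumptions made for illustration; the linked patch may differ.

```python
import re

# Pattern quoted in the thread: each version component is exactly one digit.
SINGLE_DIGIT = re.compile(r'\b(\d\.\d\.\d[a-z]*)\b')
# Assumed widened form (illustrative, not the project's patch).
MULTI_DIGIT = re.compile(r'\b(\d+\.\d+\.\d+[a-z]*)\b')

# Constructed sample version strings in the "OpenSSL X.Y.Z date" shape.
SAMPLES = [
    'OpenSSL 1.1.1w  11 Sep 2023',
    'OpenSSL 3.0.9 30 May 2023',
    'OpenSSL 3.0.10 1 Aug 2023',
    'OpenSSL 10.10.10 1 Jan 2040',
]


def parse_version(version_string, pattern):
    """Return (version, version_info) or None when the pattern finds nothing."""
    match = pattern.search(version_string)
    if match is None:
        return None
    version = match.group(1)
    parts = re.match(r'(\d+)\.(\d+)\.(\d+)([a-z]*)$', version)
    # Integers compare numerically; the optional letter suffix stays a string.
    info = tuple(int(p) for p in parts.groups()[:3])
    if parts.group(4):
        info += (parts.group(4),)
    return version, info


def compare(samples=SAMPLES):
    """Map each sample to (single-digit result, multi-digit result)."""
    return {
        s: (parse_version(s, SINGLE_DIGIT), parse_version(s, MULTI_DIGIT))
        for s in samples
    }


if __name__ == '__main__':
    for sample, (old, new) in compare().items():
        print('%-30s old=%r new=%r' % (sample, old, new))
    # Why a tuple of ints matters once a component has two digits:
    print((3, 0, 10) > (3, 0, 9), '3.0.10' > '3.0.9')
```

The single-digit pattern finds no match at all for a two-digit patch level (the trailing `\b` cannot sit between two digits), so the failure shows up as the import-time `LibraryNotFoundError` in the traceback rather than as a silently truncated version.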

flavico commented 1 year ago

@wbond, is it possible to release a new version of oscrypto with this patch? We need this help to fix Kerberos auth.

wbond commented 1 year ago

Thanks for pinging me - GitHub never seems to notify me of new issues even though I have that configured.

LiterallyDad commented 1 year ago

EDIT: Fixed using snippet below, may be useful for others, ty

Sorry for the dumb question @wbond:

How do we actually use this fix? Getting this error connecting to Snowflake, latest version (1.3.0) installed on OS.

Using snowflake-connector-python and snowflake-sqlalchemy, python:3.10-slim.

Saw that Datadog was fixing it this way, so trying this:

```dockerfile
# add after installing requirements
# added below before install as pip freeze in container showed 1.3.0
RUN python -m pip uninstall oscrypto -y
# quote the direct reference so the shell passes it to pip as a single requirement
RUN python -m pip install "oscrypto @ git+https://github.com/wbond/oscrypto.git@d5f3437ed24257895ae1edd9e503cfb352e635a8"
```

wbond commented 1 year ago

If a bunch of people and companies are dependent on oscrypto, I’d encourage your companies to sponsor development through GitHub sponsors.

Currently the asn1crypto project is sponsored through Tidelift, but oscrypto isn’t “big enough”, hence my request for GitHub sponsors.

ynouri commented 1 year ago

@wbond thanks for your work on this package! We have a dependency on oscrypto via snowflake-connector-python and have been experiencing the issue described in this thread. I'm sure plenty of other Snowflake customers have as well... Maybe Snowflake could be a good sponsor?

This being said, curious what are the current bottlenecks for releasing the latest master branch on PyPI? Depending on what the pain points are, maybe we could help by adding an on-demand GitHub Actions release workflow.

ad-m-ss commented 12 months ago

> We have a dependency on oscrypto via snowflake-connector-python and have been experiencing the issue described in this thread. I'm sure plenty of other Snowflake customers have as well... Maybe Snowflake could be a good sponsor?

Snowflake connector is not using oscrypto anymore: https://github.com/snowflakedb/snowflake-connector-python/blob/f323d22bf259a176f6c57510efd4927c52f1abb9/DESCRIPTION.md?plain=1#L37

exFalso commented 9 months ago

Any chance of a release of this fix? We were looking into switching to cryptography, but that project doesn't support generic x509 validation.