From 9b0443b578e06499ffb31e56ee785aac3ea65d06 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:16:28 +0300
Subject: [PATCH 01/12] Update tests.yml
---
.github/workflows/tests.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 2e2d329..34d8168 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -31,7 +31,7 @@ jobs:
pip install maturin maturin develop --release pip install pytest - pip install -r requirements.txt + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - name: Run tests run: |
From e099c57ed835460ac54027e593a47285be0a540c Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:19:34 +0300
Subject: [PATCH 02/12] Update tests.yml
---
.github/workflows/tests.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 34d8168..3250fba 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -13,7 +13,7 @@ jobs:
strategy: matrix: - python-version: [3.7, 3.8, 3.9] + python-version: [3.7, 3.8, 3.9, "3.10"] steps: - name: Check out repository code
From 9286c9b305a4722b2dbe32a8a52a9b5601b78b2c Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:22:42 +0300
Subject: [PATCH 03/12] Update PyPI.yml
---
.github/workflows/PyPI.yml | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/.github/workflows/PyPI.yml b/.github/workflows/PyPI.yml
index a89f22b..715f33f 100644
--- a/.github/workflows/PyPI.yml
+++ b/.github/workflows/PyPI.yml
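Review bot: The added `if [ -f requirements.txt ]` guard makes a missing requirements file pass silently, so a typo in the path or a forgotten file is never surfaced by the run and the tests quietly execute without those dependencies. If the file is genuinely optional, make the skip visible in the log, `if [ -f requirements.txt ]; then pip install -r requirements.txt; else echo "requirements.txt not found, skipping"; fi`; if it is not optional, the unconditional install that was removed was the safer form. The `run: |` step this line belongs to starts outside the hunk.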
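Review bot: Only the new entry is quoted in `python-version: [3.7, 3.8, 3.9, "3.10"]`; the other three are parsed as floats and the list now mixes types, which works only because those floats happen to print back as the intended version and is exactly the trap that made "3.10" need quotes. Quote the whole matrix, `python-version: ["3.7", "3.8", "3.9", "3.10"]`. Separately, Python 3.7 reached end of life in June 2023, so keeping it in the matrix tests against an interpreter that no longer receives security fixes; consider dropping it if the package does not need to support it.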
@@ -19,19 +19,6 @@ permissions:
contents: read jobs: - tests: - runs-on: ubuntu-latest - steps: - - name: Trigger target workflow - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - curl -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: token $GITHUB_TOKEN" \ - https://api.github.com/repos/${{ github.repository }}/actions/workflows/tests.yml/dispatches \ - -d '{"ref":"main"}' - linux: - runs-on: ${{ matrix.platform.runner }} strategy:
From ae6709950c3632e646785d5d99e903053ba47ed4 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:24:13 +0300
Subject: [PATCH 04/12] Update and rename PyPI.yml to CI.yml
---
.github/workflows/{PyPI.yml => CI.yml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename .github/workflows/{PyPI.yml => CI.yml} (99%)
diff --git a/.github/workflows/PyPI.yml b/.github/workflows/CI.yml
similarity index 99%
rename from .github/workflows/PyPI.yml
rename to .github/workflows/CI.yml
index 715f33f..7f5a682 100644
--- a/.github/workflows/PyPI.yml
+++ b/.github/workflows/CI.yml
@@ -3,7 +3,7 @@
#
# maturin generate-ci github
#
-name: PyPI
+name: CI
on:
push:
From 1993d23a3c38d908be701e231d909e38cbd1a326 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:24:39 +0300
Subject: [PATCH 05/12] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8a990e9..951ba7c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# Zeroize
[![PyPI version](https://badge.fury.io/py/rencrypt.svg)](https://badge.fury.io/py/rencrypt)
-[![PyPI](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml)
+[![CI](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml)
[![tests](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml)
Securely clear secrets from memory. Built on stable Rust primitives which guarantee memory is zeroed using an operation will not be 'optimized away' by the compiler.
From 61719605a15092e4bb12a3c2c85eba26c3c9271b Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:26:26 +0300
Subject: [PATCH 06/12] Update CI.yml
---
.github/workflows/CI.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 7f5a682..f884711 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -126,7 +126,7 @@ jobs:
name: Release
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
-needs: [tests, linux, windows, macos, sdist]
+needs: [linux, windows, macos, sdist]
steps: - uses: actions/download-artifact@v4 - name: Publish to PyPI
From 93fc58117e6422d2e9b0869aae87821c751488dd Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:30:03 +0300
Subject: [PATCH 07/12] Update CI.yml
---
.github/workflows/CI.yml | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index f884711..ac91812 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
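Review bot: Dropping `tests` from `needs` removes the only link between the publish job and the test workflow, so after this change a tag can be published to PyPI without tests.yml having run or passed. The `tests` job deleted in PATCH 03 appears to have only dispatched tests.yml via the API without waiting for its result, so that gate was already weak, but now there is none at all. Consider running the test matrix as a job inside this workflow and listing it again, `needs: [tests, linux, windows, macos, sdist]`, so publishing is blocked on a green test run. The `release` job header is outside the hunk.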
@@ -3,17 +3,11 @@
#
# maturin generate-ci github
#
-name: CI
+name: PyPI
on:
- push:
- branches:
- - main
- - master
- tags:
- - '*'
- pull_request:
- workflow_dispatch:
+ release:
+ types: [published]
permissions:
contents: read
From 4b3882496378e9f97d99067ea685c65fb6a94612 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:30:30 +0300
Subject: [PATCH 08/12] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 951ba7c..1967a2d 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# Zeroize
[![PyPI version](https://badge.fury.io/py/rencrypt.svg)](https://badge.fury.io/py/rencrypt)
-[![CI](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml)
+[![PyPI](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml)
[![tests](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml)
Securely clear secrets from memory. Built on stable Rust primitives which guarantee memory is zeroed using an operation will not be 'optimized away' by the compiler.
From 53ca8dc10356955ce2c8704df9d13887ce619c61 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 06:33:17 +0300
Subject: [PATCH 09/12] Rename CI.yml to PyPI.yml
---
.github/workflows/{CI.yml => PyPI.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .github/workflows/{CI.yml => PyPI.yml} (100%)
diff --git a/.github/workflows/CI.yml b/.github/workflows/PyPI.yml
similarity index 100%
rename from .github/workflows/CI.yml
rename to .github/workflows/PyPI.yml
From c7bb3df7186888b365670c7fbf485fab8be81aba Mon Sep 17 00:00:00 2001
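Review bot: Replacing the push, pull_request and workflow_dispatch triggers with `release: types: [published]` means the linux/windows/macos/sdist build matrix is no longer exercised on any commit or pull request, so a broken wheel build is first noticed when the GitHub release already exists and the publish step fails. Keeping `workflow_dispatch:` under `on:` would at least allow a manual dry run of the build before cutting a release, since the publish job is already guarded by `startsWith(github.ref, 'refs/tags/')` as seen in PATCH 06. Note also that the `published` activity type fires for pre-releases as well as full releases; if pre-releases must not reach PyPI, gate the publish job with `if: github.event.release.prerelease == false`. The header comment still says the file is generated by `maturin generate-ci github`, which is no longer accurate after these hand edits.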
From: Radu Marias
Date: Sun, 2 Jun 2024 20:04:11 +0300
Subject: [PATCH 10/12] Update README.md
---
README.md | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/README.md b/README.md
index 1967a2d..27139aa 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,10 @@ Uses a portable pure Rust implementation that works everywhere.
It uses [zeroize](https://crates.io/crates/zeroize) crate under the hood. It can work with `bytearray` and numpy array.
+> ⚠️ **Warning**
+> **Currently it doens't work in the case of [Copy-on-write fork](https://en.wikipedia.org/wiki/Copy-on-write)
+> Also it doesn't work if memory is moved or moved to swap file. You can use `crypes` with `libc.mlockall` to lock the memory from being swapped, see example below.***
+
# Example
```python
@@ -35,6 +39,40 @@ assert all(arr_np == 0)
print("all good, bye!")
```
+
+# Use `crypes` with `libc.mlockall` to lock the memory from being swapped
+
+```python
+import ctypes
+
+MCL_CURRENT = 1
+MCL_FUTURE = 2
+
+libc = ctypes.CDLL('libc.so.6', use_errno=True)
+
+def mlockall(flags=MCL_CURRENT|MCL_FUTURE):
+ result = libc.mlockall(flags)
+ if result != 0:
+ raise Exception("cannot lock memmory, errno=%s" % ctypes.get_errno())
+
+def munlockall():
+ result = libc.munlockall()
+ if result != 0:
+ raise Exception("cannot lock memmory, errno=%s" % ctypes.get_errno())
+
+
+if __name__ == '__main__':
+ mlockall()
+ print("memmory locked")
+
+ # allocate your data here
+ # ...
+ # zeroize it
+
+ munlockall()
+ print("memmory unlocked")
+```
+
# Building from source
## Browser
From a291dd5d3bca3255d15d593a77fa680734b4a470 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 20:04:35 +0300
Subject: [PATCH 11/12] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 27139aa..cac8116 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ assert all(arr_np == 0)
print("all good, bye!")
```
-# Use `crypes` with `libc.mlockall` to lock the memory from being swapped
+# Use `crypes` with `libc.mlockall()` to lock the memory from being swapped
```python
import ctypes
From 4a6b99620205aea9adf4f772c5863997a143e5d0 Mon Sep 17 00:00:00 2001
From: Radu Marias
Date: Sun, 2 Jun 2024 20:05:19 +0300
Subject: [PATCH 12/12] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index cac8116..96d0b34 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# Zeroize
[![PyPI version](https://badge.fury.io/py/rencrypt.svg)](https://badge.fury.io/py/rencrypt)
-[![PyPI](https://github.com/radumarias/zeroize-python/actions/workflows/CI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml)
+[![PyPI](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/PyPI.yml)
[![tests](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml/badge.svg)](https://github.com/radumarias/zeroize-python/actions/workflows/tests.yml)
Securely clear secrets from memory. Built on stable Rust primitives which guarantee memory is zeroed using an operation will not be 'optimized away' by the compiler.