.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/ci.yml

@@ -17,12 +17,12 @@ jobs:
         PYTHON:
           - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
           - {VERSION: "3.5", TOXENV: "py35", EXTRA_CFLAGS: ""}
-          - {VERSION: "3.8", TOXENV: "py38", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - name: Setup python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
 
@@ -62,12 +62,13 @@ jobs:
           - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""}
-          - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""}
+          - {VERSION: "3.9", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - name: Setup python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}
@@ -83,11 +84,12 @@ jobs:
       - name: Download OpenSSL
         run: |
             python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
-            echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
-            echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
-            echo "::set-env name=CL::${{ matrix.PYTHON.CL_FLAGS }}"
+            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
+            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
+            echo "CL=${{ matrix.PYTHON.CL_FLAGS }}" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
       - run: git clone https://github.com/google/wycheproof
 
       - run: tox -r -- --color=yes --wycheproof-root=wycheproof

.github/workflows/wheel-builder.yml

@@ -47,7 +47,7 @@ jobs:
           .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
       - run: mkdir cryptography-wheelhouse
       - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
-      - uses: actions/upload-artifact@v1
+      - uses: actions/upload-artifact@v2.2.0
         with:
           name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON }}"
           path: cryptography-wheelhouse/
@@ -67,7 +67,7 @@ jobs:
             BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.8/bin/python3'
     name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS"
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - run: |
           curl "$PYTHON_DOWNLOAD_URL" -o python.pkg
           sudo installer -pkg python.pkg -target /
@@ -101,7 +101,7 @@ jobs:
 
       - run: mkdir cryptography-wheelhouse
       - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
-      - uses: actions/upload-artifact@v1
+      - uses: actions/upload-artifact@v2.2.0
         with:
           name: "cryptography-${{ github.event.inputs.version }}-macOS-${{ matrix.PYTHON.ABI_VERSION }}"
           path: cryptography-wheelhouse/
@@ -122,7 +122,7 @@ jobs:
           - {VERSION: "3.8", MSVC_VERSION: "2019", "USE_ABI3": "true", "ABI_VERSION": "cp36"}
     name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}"
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - name: Setup python
         uses: actions/setup-python@v2
         with:
@@ -139,10 +139,11 @@ jobs:
       - name: Download OpenSSL
         run: |
             python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
-            echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
-            echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
+            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
+            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
 
       - run: python -m pip install -U pip wheel cffi six ipaddress "enum34; python_version < '3'"
       - run: pip download cryptography==${{ github.event.inputs.version }} --no-deps --no-binary cryptography && tar zxvf cryptography*.tar.gz && mkdir wheelhouse
@@ -158,7 +159,7 @@ jobs:
 
       - run: mkdir cryptography-wheelhouse
       - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\
-      - uses: actions/upload-artifact@v1
+      - uses: actions/upload-artifact@v2.2.0
         with:
           name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}"
           path: cryptography-wheelhouse\

.travis.yml

@@ -13,8 +13,8 @@ cache:
 branches:
     only:
         - master
-        - /\d+\.\d+\.x/
-        - /\d+\.\d+(\.\d+)?/
+        - /^\d+\.\d+\.x$/
+        - /^\d+\.\d+(\.\d+)?$/
 
 matrix:
     include:
@@ -23,6 +23,8 @@ matrix:
         # Setting 'python' is just to make travis's UI a bit prettier
         - python: 3.6
           env: TOXENV=py36
+        - python: 3.9-dev
+          env: TOXENV=py39
           # Travis lists available Pythons (including PyPy) by arch and distro here:
           # https://docs.travis-ci.com/user/languages/python/#python-versions
         - python: pypy2.7-7.3.1
@@ -38,21 +40,21 @@ matrix:
         - python: 3.8
           env: TOXENV=py38 OPENSSL=1.1.0l
         - python: 2.7
-          env: TOXENV=py27 OPENSSL=1.1.1g
+          env: TOXENV=py27 OPENSSL=1.1.1h
         - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1g
+          env: TOXENV=py38 OPENSSL=1.1.1h
         - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1g OPENSSL_CONFIG_FLAGS="no-engine no-rc2 no-srtp no-ct"
+          env: TOXENV=py38 OPENSSL=1.1.1h OPENSSL_CONFIG_FLAGS="no-engine no-rc2 no-srtp no-ct"
         - python: 3.8
-          env: TOXENV=py38-ssh OPENSSL=1.1.1g
+          env: TOXENV=py38-ssh OPENSSL=1.1.1h
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=2.9.2
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=3.0.2
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=3.1.4
         - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.2.0
+          env: TOXENV=py38 LIBRESSL=3.2.2
 
         - python: 2.7
           services: docker
@@ -104,7 +106,7 @@ matrix:
           env: TOXENV=py38 DOCKER=pyca/cryptography-runner-alpine:latest
 
         - python: 3.8
-          env: TOXENV=docs OPENSSL=1.1.1g
+          env: TOXENV=docs OPENSSL=1.1.1h
           addons:
               apt:
                   packages:
@@ -117,11 +119,9 @@ matrix:
         - python: 3.8
           env: DOWNSTREAM=pyopenssl
         - python: 3.7
-          env: DOWNSTREAM=twisted OPENSSL=1.1.1g
-        # Temporary disabled until
-        # https://github.com/paramiko/paramiko/pull/1723 is merged
-        # - python: 2.7
-        #   env: DOWNSTREAM=paramiko
+          env: DOWNSTREAM=twisted OPENSSL=1.1.1h
+        - python: 3.7
+          env: DOWNSTREAM=paramiko
         - python: 3.7
           env: DOWNSTREAM=aws-encryption-sdk
         - python: 3.7
@@ -132,10 +132,6 @@ matrix:
           env: DOWNSTREAM=certbot
         - python: 3.8
           env: DOWNSTREAM=certbot-josepy
-        - python: 3.8
-          env: DOWNSTREAM=urllib3
-          # Tests hang when run under bionic/focal
-          dist: xenial
 
 install:
     - ./.travis/install.sh

.travis/downstream.d/twisted.sh

@@ -5,7 +5,7 @@ case "${1}" in
         git clone --depth=1 https://github.com/twisted/twisted
         cd twisted
         git rev-parse HEAD
-        pip install ".[tls,conch,http2]"
+        pip install ".[all_non_platform]"
         ;;
     run)
         cd twisted

CHANGELOG.rst

@@ -1,6 +1,30 @@
 Changelog
 =========
 
+.. _v3-2:
+
+3.2 - 2020-10-25
+~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
+  time, to protect against Bleichenbacher vulnerabilities. Due to limitations
+  imposed by our API, we cannot completely mitigate this vulnerability and a
+  future release will contain a new API which is designed to be resilient to
+  these for contexts where it is required. Credit to **Hubert Kario** for
+  reporting the issue. *CVE-2020-25659*
+* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
+  will need to upgrade.
+* Added basic support for PKCS7 signing (including SMIME) via
+  :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
+
+.. _v3-1-1:
+
+3.1.1 - 2020-09-22
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
+  OpenSSL 1.1.1h.
+
 .. _v3-1:
 
 3.1 - 2020-08-26

docs/development/c-bindings.rst

@@ -5,7 +5,7 @@ C bindings are bindings to C libraries, using cffi_ whenever possible.
 
 .. _cffi: https://cffi.readthedocs.io
 
-Bindings live in :py:mod:`cryptography.hazmat.bindings`.
+Bindings live in ``cryptography.hazmat.bindings``.
 
 When modifying the bindings you will need to recompile the C extensions to
 test the changes. This can be accomplished with ``pip install -e .`` in the

docs/development/custom-vectors/secp256k1/verify_secp256k1.py

@@ -35,12 +35,12 @@ def verify_one_vector(vector):
         signature, ec.ECDSA(CRYPTOGRAPHY_HASH_TYPES[digest_algorithm]())
     )
     verifier.update(message)
-    return verifier.verify()
+    verifier.verify()
 
 
 def verify_vectors(vectors):
     for vector in vectors:
-        assert verify_one_vector(vector)
+        verify_one_vector(vector)
 
 
 vector_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt")

docs/development/test-vectors.rst

@@ -109,6 +109,8 @@ Custom asymmetric vectors
 * ``x509/custom/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is
   the private key for the certificate ``x509/custom/ca/ca.pem``. This key is
   encoded in several of the PKCS12 custom vectors.
+* ``x509/custom/ca/rsa_key.pem`` - An unencrypted PCKS8 4096 bit RSA key. It is
+  the private key for the certificate ``x509/custom/ca/rsa_ca.pem``.
 * ``asymmetric/EC/compressed_points.txt`` - Contains compressed public points
   generated using OpenSSL.
 * ``asymmetric/X448/x448-pkcs8-enc.pem`` and
@@ -414,6 +416,8 @@ Custom X.509 Vectors
 * ``rsa_pss.pem`` - A certificate with an RSA PSS signature.
 * ``root-ed448.pem`` - An ``ed448`` self-signed CA certificate
   using ``ed448-pkcs8.pem`` as key.
+* ``ca/rsa_ca.pem`` - A self-signed RSA certificate with ``basicConstraints``
+  set to true. Its private key is ``ca/rsa_key.pem``.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -731,7 +735,7 @@ header format (substituting the correct information):
 .. _`IETF`: https://www.ietf.org/
 .. _`Project Wycheproof`: https://github.com/google/wycheproof
 .. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
-.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
+.. _`Bruce Schneier's vectors`: https://www.schneier.com/wp-content/uploads/2015/12/vectors-2.txt
 .. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
 .. _`CRYPTREC`: https://www.cryptrec.go.jp
 .. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232

docs/faq.rst

@@ -109,6 +109,19 @@ Your ``pip`` and/or ``setuptools`` are outdated. Please upgrade to the latest
 versions with ``pip install -U pip setuptools`` (or on Windows
 ``python -m pip install -U pip setuptools``).
 
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.2
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 1.0.2 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.1.0 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 3.2 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_102``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 3.3.
+
 Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1 fails
 --------------------------------------------------------------
 

docs/fernet.rst

@@ -229,7 +229,6 @@ password through a key derivation function such as
     >>> import base64
     >>> import os
     >>> from cryptography.fernet import Fernet
-    >>> from cryptography.hazmat.backends import default_backend
     >>> from cryptography.hazmat.primitives import hashes
     >>> from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
     >>> password = b"password"
@@ -239,7 +238,6 @@ password through a key derivation function such as
     ...     length=32,
     ...     salt=salt,
     ...     iterations=100000,
-    ...     backend=default_backend()
     ... )
     >>> key = base64.urlsafe_b64encode(kdf.derive(password))
     >>> f = Fernet(key)