pyca · Oct 26, 2020 · Oct 26, 2020 · Oct 26, 2020 · Oct 26, 2020 · Oct 26, 2020
diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml
@@ -0,0 +1,19 @@
+name: Upload Coverage
+description: Upload coverage to codecov
+
+inputs:
+  name:
+    description: "Job name"
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - run: |
+        curl -o codecov.sh -f https://codecov.io/bash || \
+          curl -o codecov.sh -f https://codecov.io/bash || \
+          curl -o codecov.sh -f https://codecov.io/bash
+
+        bash codecov.sh -n "${{ inputs.name }}"
+      shell: bash
diff --git a/.travis/downstream.d/aws-encryption-sdk.sh → .github/downstream.d/aws-encryption-sdk.sh b/.travis/downstream.d/aws-encryption-sdk.sh → .github/downstream.d/aws-encryption-sdk.sh
diff --git a/.travis/downstream.d/certbot-josepy.sh → .github/downstream.d/certbot-josepy.sh b/.travis/downstream.d/certbot-josepy.sh → .github/downstream.d/certbot-josepy.sh
diff --git a/.travis/downstream.d/certbot.sh → .github/downstream.d/certbot.sh b/.travis/downstream.d/certbot.sh → .github/downstream.d/certbot.sh
diff --git a/...s/downstream.d/dynamodb-encryption-sdk.sh → ...b/downstream.d/dynamodb-encryption-sdk.sh b/...s/downstream.d/dynamodb-encryption-sdk.sh → ...b/downstream.d/dynamodb-encryption-sdk.sh
diff --git a/.travis/downstream.d/paramiko.sh → .github/downstream.d/paramiko.sh b/.travis/downstream.d/paramiko.sh → .github/downstream.d/paramiko.sh
diff --git a/.travis/downstream.d/pyopenssl.sh → .github/downstream.d/pyopenssl.sh b/.travis/downstream.d/pyopenssl.sh → .github/downstream.d/pyopenssl.sh
diff --git a/.travis/downstream.d/twisted.sh → .github/downstream.d/twisted.sh b/.travis/downstream.d/twisted.sh → .github/downstream.d/twisted.sh
diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+set -x
+
+shlib_sed() {
+  # modify the shlib version to a unique one to make sure the dynamic
+  # linker doesn't load the system one.
+  sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
+  sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
+  sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
+}
+
+if [[ "${TYPE}" == "openssl" ]]; then
+  curl -O "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
+  tar zxf "openssl-${VERSION}.tar.gz"
+  pushd "openssl-${VERSION}"
+  # CONFIG_FLAGS is a global coming from a previous step
+  ./config ${CONFIG_FLAGS} -fPIC --prefix="${OSSL_PATH}"
+  shlib_sed
+  make depend
+  make -j"$(nproc)"
+  # avoid installing the docs (for performance)
+  # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
+  make install_sw install_ssldirs
+  popd
+elif [[ "${TYPE}" == "libressl" ]]; then
+  curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz"
+  tar zxf "libressl-${VERSION}.tar.gz"
+  pushd "libressl-${VERSION}"
+  ./config -Wl -Wl,-Bsymbolic-functions -fPIC shared --prefix="${OSSL_PATH}"
+  shlib_sed
+  make -j"$(nproc)" install
+  popd
+fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,13 +10,118 @@ on:
       - '*.*.*'
 
 jobs:
+  linux:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        PYTHON:
+          - {VERSION: "3.9", TOXENV: "pep8,packaging,docs", COVERAGE: "false"}
+          - {VERSION: "pypy2", TOXENV: "pypy-nocoverage", COVERAGE: "false"}
+          - {VERSION: "pypy3", TOXENV: "pypy3-nocoverage", COVERAGE: "false"}
+          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "2.7", TOXENV: "py27-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.4"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.2"}}
+    name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.PYTHON.VERSION }}
+      - run: git clone --depth=1 https://github.com/google/wycheproof
+      - run: python -m pip install tox requests coverage
+      - name: Compute config hash and set config vars
+        run: |
+          DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3"
+          CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS"
+          CONFIG_HASH=$(echo "$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//')
+          echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV
+          echo "CONFIG_HASH=${CONFIG_HASH}" >> $GITHUB_ENV
+          echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV
+          echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_HASH}" >> $GITHUB_ENV
+        env:
+          CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}
+        if: matrix.PYTHON.OPENSSL
+      - name: Load cache
+        uses: actions/cache@v2
+        id: ossl-cache
+        with:
+          path: ${{ github.workspace }}/osslcache
+          # When altering the openssl build process you may need to increment the value on the end of this cache key
+          # so that you can prevent it from fetching the cache and skipping the build step.
+          key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-1
+        if: matrix.PYTHON.OPENSSL
+      - name: Build custom OpenSSL/LibreSSL
+        run: .github/workflows/build_openssl.sh
+        env:
+          TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }}
+          VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }}
+        if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true'
+      - name: Set CFLAGS/LDFLAGS
+        run: |
+          echo "CFLAGS=${CFLAGS} -I${OSSL_PATH}/include" >> $GITHUB_ENV
+          echo "LDFLAGS=${LDFLAGS} -L${OSSL_PATH}/lib -Wl,-rpath=${OSSL_PATH}/lib" >> $GITHUB_ENV
+        if: matrix.PYTHON.OPENSSL
+      - name: Tests
+        run: |
+            tox -r --  --color=yes --wycheproof-root=wycheproof
+        env:
+          TOXENV: ${{ matrix.PYTHON.TOXENV }}
+      - uses: ./.github/actions/upload-coverage
+        with:
+          name: "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}"
+        if: matrix.PYTHON.COVERAGE != 'false'
+
+  linux-distros:
+    runs-on: ubuntu-latest
+    container: ${{ matrix.IMAGE.IMAGE }}
+    strategy:
+      matrix:
+        IMAGE:
+          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"}
+          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"}
+          - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", FIPS: true}
+          - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"}
+          - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"}
+          - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"}
+          - {IMAGE: "pyca/cryptography-runner-sid", TOXENV: "py39"}
+          - {IMAGE: "pyca/cryptography-runner-ubuntu-bionic", TOXENV: "py36"}
+          - {IMAGE: "pyca/cryptography-runner-ubuntu-focal", TOXENV: "py38"}
+          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py27"}
+          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38"}
+          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"}
+          - {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"}
+          - {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"}
+    name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
+    steps:
+      - uses: actions/checkout@v2
+      - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"'
+      - run: |
+          echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV
+          echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV
+        if: matrix.IMAGE.FIPS
+      - run: 'tox -- --wycheproof-root="$HOME/wycheproof"'
+        env:
+          TOXENV: ${{ matrix.IMAGE.TOXENV }}
+      - uses: ./.github/actions/upload-coverage
+        with:
+          name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
+
   macos:
     runs-on: macos-latest
     strategy:
       matrix:
         PYTHON:
           - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
-          - {VERSION: "3.5", TOXENV: "py35", EXTRA_CFLAGS: ""}
+          - {VERSION: "3.6", TOXENV: "py36", EXTRA_CFLAGS: ""}
           - {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
     steps:
@@ -32,23 +137,22 @@ jobs:
 
       - name: Download OpenSSL
         run: |
-          python .github/workflows/download_openssl.py macos openssl-macos
+          python .github/workflows/download_openssl.py macos openssl-macos-x86-64
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Tests
         run: |
           CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \
-            LDFLAGS="${HOME}/openssl-macos/lib/libcrypto.a ${HOME}/openssl-macos/lib/libssl.a" \
-            CFLAGS="-I${HOME}/openssl-macos/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \
+            LDFLAGS="${HOME}/openssl-macos-x86-64/lib/libcrypto.a ${HOME}/openssl-macos-x86-64/lib/libssl.a" \
+            CFLAGS="-I${HOME}/openssl-macos-x86-64/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \
             tox -r --  --color=yes --wycheproof-root=wycheproof
         env:
           TOXENV: ${{ matrix.PYTHON.TOXENV }}
           EXTRA_CFLAGS: ${{ matrix.PYTHON.EXTRA_CFLAGS }}
 
-      - name: Upload coverage
-        run: |
-          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
-          bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on macOS"
+      - uses: ./.github/actions/upload-coverage
+        with:
+          name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
 
   windows:
     runs-on: windows-latest
@@ -59,7 +163,6 @@ jobs:
           - {ARCH: 'x64', WINDOWS: 'win64'}
         PYTHON:
           - {VERSION: "2.7", TOXENV: "py27", MSVC_VERSION: "2010", CL_FLAGS: ""}
-          - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""}
@@ -96,7 +199,46 @@ jobs:
         env:
           TOXENV: ${{ matrix.PYTHON.TOXENV }}
 
-      - name: Upload coverage
-        run: |
-          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
-          bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
+      - uses: ./.github/actions/upload-coverage
+        with:
+          name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
+
+  linux-downstream:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        DOWNSTREAM:
+          - paramiko
+          - pyopenssl
+          - twisted
+          - aws-encryption-sdk
+          - dynamodb-encryption-sdk
+          - certbot
+          - certbot-josepy
+    name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+      - run: python -m pip install -U pip wheel
+      - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install
+      - run: pip uninstall -y enum34
+      - run: pip install .
+      - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run
+
+  docs-linkcheck:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    name: "linkcheck"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+      - run: python -m pip install -U tox
+      - run: tox -r --  --color=yes
+        env:
+          TOXENV: docs-linkcheck
diff --git a/.github/workflows/download_openssl.py b/.github/workflows/download_openssl.py
@@ -67,6 +67,7 @@ def main(platform, target):
                 os.path.join(path, artifact["name"])
             )
             return
+    raise ValueError("Didn't find {} in {}".format(target, response))
 
 
 if __name__ == "__main__":

diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
@@ -11,7 +11,7 @@ jobs:
     container: ${{ matrix.MANYLINUX.CONTAINER }}
     strategy:
       matrix:
-        PYTHON: ["cp27-cp27m", "cp27-cp27mu", "cp35-cp35m"]
+        PYTHON: ["cp27-cp27m", "cp27-cp27mu", "cp36-cp36m"]
         MANYLINUX:
           - NAME: manylinux1_x86_64
             CONTAINER: "pyca/cryptography-manylinux1:x86_64"
@@ -47,7 +47,7 @@ jobs:
           .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
       - run: mkdir cryptography-wheelhouse
       - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
-      - uses: actions/upload-artifact@v2.2.0
+      - uses: actions/upload-artifact@v1
         with:
           name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON }}"
           path: cryptography-wheelhouse/
@@ -62,7 +62,7 @@ jobs:
             DOWNLOAD_URL: 'https://www.python.org/ftp/python/2.7.17/python-2.7.17-macosx10.9.pkg'
             BIN_PATH: '/Library/Frameworks/Python.framework/Versions/2.7/bin/python'
           - VERSION: '3.8'
-            ABI_VERSION: '3.5'
+            ABI_VERSION: '3.6'
             DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.8.2/python-3.8.2-macosx10.9.pkg'
             BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.8/bin/python3'
     name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS"
@@ -76,7 +76,7 @@ jobs:
       - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -U virtualenv requests
       - name: Download OpenSSL
         run: |
-            ${{ matrix.PYTHON.BIN_PATH }} .github/workflows/download_openssl.py macos openssl-macos
+            ${{ matrix.PYTHON.BIN_PATH }} .github/workflows/download_openssl.py macos openssl-macos-x86-64
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -92,8 +92,8 @@ jobs:
 
           cd cryptography*
           CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS="1" \
-              LDFLAGS="${HOME}/openssl-macos/lib/libcrypto.a ${HOME}/openssl-macos/lib/libssl.a" \
-              CFLAGS="-I${HOME}/openssl-macos/include -mmacosx-version-min=10.10 -march=core2" \
+              LDFLAGS="${HOME}/openssl-macos-x86-64/lib/libcrypto.a ${HOME}/openssl-macos-x86-64/lib/libssl.a" \
+              CFLAGS="-I${HOME}/openssl-macos-x86-64/include -mmacosx-version-min=10.10 -march=core2" \
               ../venv/bin/python setup.py bdist_wheel $PY_LIMITED_API && mv dist/cryptography*.whl ../wheelhouse
       - run: venv/bin/pip install -f wheelhouse --no-index cryptography
       - run: |
@@ -115,10 +115,6 @@ jobs:
           - {ARCH: 'x64', WINDOWS: 'win64'}
         PYTHON:
           - {VERSION: "2.7", MSVC_VERSION: "2010"}
-          - {VERSION: "3.5", MSVC_VERSION: "2019"}
-          - {VERSION: "3.6", MSVC_VERSION: "2019"}
-          - {VERSION: "3.7", MSVC_VERSION: "2019"}
-          - {VERSION: "3.8", MSVC_VERSION: "2019"}
           - {VERSION: "3.8", MSVC_VERSION: "2019", "USE_ABI3": "true", "ABI_VERSION": "cp36"}
     name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}"
     steps:

diff --git a/.readthedocs.yml b/.readthedocs.yml
@@ -0,0 +1,5 @@
+version: 2
+
+build:
+  image: "7.0"
+