Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update cryptography to 3.4.6 #566

Closed
wants to merge 1 commit into from

Conversation

pyup-bot
Copy link
Collaborator

This PR updates cryptography from 2.8 to 3.4.6.

Changelog

3.4.6

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1j.

.. _v3-4-5:

3.4.5

~~~~~~~~~~~~~~~~~~

* Various improvements to type hints.
* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
improves compatibility with system-provided Rust on several Linux
distributions.
* ``cryptography`` will be switching to a new versioning scheme with its next
feature release. More information is available in our
:doc:`/api-stability` documentation.

.. _v3-4-4:

3.4.4

~~~~~~~~~~~~~~~~~~

* Added a ``py.typed`` file so that ``mypy`` will know to use our type
annotations.
* Fixed an import cycle that could be triggered by certain import sequences.

.. _v3-4-3:

3.4.3

~~~~~~~~~~~~~~~~~~

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
on older versions will get a clear error message.

.. _v3-4-2:

3.4.2

~~~~~~~~~~~~~~~~~~

* Improvements to make the rust transition a bit easier. This includes some
better error messages and small dependency fixes. If you experience
installation problems **Be sure to update pip** first, then check the
:doc:`FAQ </faq>`.

.. _v3-4-1:

3.4.1

~~~~~~~~~~~~~~~~~~

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
due to outdated ``pip`` or missing ``rustc``.

.. _v3-4:

3.4

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
themselves will need to have the Rust toolchain installed. Users who use an
officially produced wheel will not need to make any changes. The minimum
supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
APIs. Users can begin using them to type check their code with ``mypy``.

.. _v3-3-2:

3.3.2

~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
when symmetrically encrypting very large payloads (>2GB) could result in an
integer overflow, leading to buffer overflows. *CVE-2020-36242* **Update:**
This fix is a workaround for *CVE-2021-23840* in OpenSSL, fixed in OpenSSL
1.1.1j.

.. _v3-3-1:

3.3.1

~~~~~~~~~~~~~~~~~~

* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.

.. _v3-3:

3.3

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** The
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
is to conform with an upcoming OpenSSL release that will no longer support
sizes outside this window.
* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
unsupported cipher is used. This change is to conform with an upcoming
OpenSSL release that will no longer distinguish between error types.
* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
Diffie-Hellman parameters of less than 512 bits in length. This change is to
conform with an upcoming OpenSSL release that no longer supports smaller
sizes. These keys were already wildly insecure and should not have been used
in any application outside of testing.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1i.
* Python 2 support is deprecated in ``cryptography``. This is the last release
that will support Python 2.
* Added the
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
function to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
for recovering the signed data from an RSA signature.

.. _v3-2-1:

3.2.1

~~~~~~~~~~~~~~~~~~

* Disable blinding on RSA public keys to address an error with some versions
of OpenSSL.

.. _v3-2:

3.2

~~~~~~~~~~~~~~~~

* **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant
time, to protect against Bleichenbacher vulnerabilities. Due to limitations
imposed by our API, we cannot completely mitigate this vulnerability and a
future release will contain a new API which is designed to be resilient to
these for contexts where it is required. Credit to **Hubert Kario** for
reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

.. _v3-1-1:

3.1.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1h.

.. _v3-1:

3.1

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
:term:`U-label` parsing in various X.509 classes. This support was originally
deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
the OpenSSL project. The next version of ``cryptography`` will drop support
for it.
* Deprecated support for Python 3.5. This version sees very little use and will
be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
.
* Calling ``update`` or ``update_into`` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
also resolves the same issue in :doc:`/fernet`.

.. _v3-0:

3.0

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Removed support for passing an
:class:`~cryptography.x509.Extension` instance to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
as per our deprecation policy.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
been removed (2.9.1+ is still supported).
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
upgrade to 10.10 or newer.
* **BACKWARDS INCOMPATIBLE:** RSA
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
for legacy purposes).
* **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the
``version`` field contains a valid value, rather than deferring this check
until :attr:`~cryptography.x509.Certificate.version` is accessed.
* Deprecated support for Python 2. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2 no longer receives support from the Python core
team.

If you have trouble suppressing this warning in tests view the :ref:`FAQ
entry addressing this issue <faq-howto-handle-deprecation-warning>`.

* Added support for ``OpenSSH`` serialization format for
``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
for loading and
:attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH`
for writing.
* Added support for ``OpenSSH`` certificates to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
* Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and
:meth:`~cryptography.fernet.Fernet.decrypt_at_time` to
:class:`~cryptography.fernet.Fernet`.
* Added support for the :class:`~cryptography.x509.SubjectInformationAccess`
X.509 extension.
* Added support for parsing
:class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
* Added support for parsing attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`.
* Added support for encoding attributes in certificate signing requests via
:meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
* On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's
built-in CSPRNG instead of its own OS random engine because these versions of
OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.

.. _v2-9-2:

2.9.2

~~~~~~~~~~~~~~~~~~

* Updated the macOS wheel to fix an issue where it would not run on macOS
versions older than 10.15.

.. _v2-9-1:

2.9.1

~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g.

.. _v2-9:

2.9

~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.

.. _v2-8:
Links

@coveralls
Copy link

Coverage Status

Coverage remained the same at 42.065% when pulling 40c47eb on pyup-update-cryptography-2.8-to-3.4.6 into 10a4d82 on master.

@pyup-bot
Copy link
Collaborator Author

Closing this in favor of #582

@pyup-bot pyup-bot closed this Mar 26, 2021
@ronin13 ronin13 deleted the pyup-update-cryptography-2.8-to-3.4.6 branch March 26, 2021 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants