pyca
diff --git a/‎.github/actions/fetch-vectors/action.yml
+2-2 b/‎.github/actions/fetch-vectors/action.yml
+2-2
diff --git a/‎.github/downstream.d/mitmproxy.sh
+2-1 b/‎.github/downstream.d/mitmproxy.sh
+2-1
diff --git a/‎.github/workflows/ci.yml
+2 b/‎.github/workflows/ci.yml
+2
diff --git a/‎CHANGELOG.rst
+7 b/‎CHANGELOG.rst
+7
diff --git a/‎Cargo.lock
+2-2 b/‎Cargo.lock
+2-2
diff --git a/‎Cargo.toml
+2 b/‎Cargo.toml
+2
diff --git a/‎pyproject.toml
+2-2 b/‎pyproject.toml
+2-2
diff --git a/‎src/cryptography/__about__.py
+1-1 b/‎src/cryptography/__about__.py
+1-1
diff --git a/‎src/cryptography/hazmat/backends/openssl/backend.py
+10-7 b/‎src/cryptography/hazmat/backends/openssl/backend.py
+10-7
diff --git a/‎src/rust/cryptography-cffi/build.rs
+1-1 b/‎src/rust/cryptography-cffi/build.rs
+1-1
diff --git a/‎src/rust/cryptography-keepalive/src/lib.rs
+2-1 b/‎src/rust/cryptography-keepalive/src/lib.rs
+2-1
diff --git a/‎src/rust/cryptography-openssl/src/aead.rs
+2-1 b/‎src/rust/cryptography-openssl/src/aead.rs
+2-1
diff --git a/‎src/rust/cryptography-openssl/src/fips.rs
+3-2 b/‎src/rust/cryptography-openssl/src/fips.rs
+3-2
diff --git a/‎src/rust/cryptography-x509-verification/src/lib.rs
+8-12 b/‎src/rust/cryptography-x509-verification/src/lib.rs
+8-12
diff --git a/‎src/rust/cryptography-x509-verification/src/ops.rs
+2-1 b/‎src/rust/cryptography-x509-verification/src/ops.rs
+2-1
diff --git a/‎src/rust/cryptography-x509-verification/src/policy/extension.rs
+23-37 b/‎src/rust/cryptography-x509-verification/src/policy/extension.rs
+23-37
diff --git a/‎src/rust/cryptography-x509-verification/src/policy/mod.rs
+6-10 b/‎src/rust/cryptography-x509-verification/src/policy/mod.rs
+6-10
diff --git a/‎src/rust/cryptography-x509-verification/src/trust_store.rs
+1-2 b/‎src/rust/cryptography-x509-verification/src/trust_store.rs
+1-2
diff --git a/‎src/rust/cryptography-x509-verification/src/types.rs
+1-2 b/‎src/rust/cryptography-x509-verification/src/types.rs
+1-2
diff --git a/‎src/rust/cryptography-x509/src/certificate.rs
+2-5 b/‎src/rust/cryptography-x509/src/certificate.rs
+2-5
@@ -9,8 +9,8 @@ runs:
       with:
         repository: "C2SP/wycheproof"
         path: "wycheproof"
-        # Latest commit on the wycheproof master branch, as of Apr 09, 2024.
-        ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref
+        # Latest commit on the wycheproof master branch, as of May 02, 2025.
+        ref: "df4e933efef449fc88af0c06e028d425d84a9495" # wycheproof-ref
 
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
 
@@ -2,10 +2,11 @@
 
 case "${1}" in
     install)
+        pip install uv
         git clone --depth=1 https://github.com/mitmproxy/mitmproxy
         cd mitmproxy
         git rev-parse HEAD
-        pip install -e ".[dev]"
+        uv pip install --system --group dev -e .
         ;;
     run)
         cd mitmproxy
 
@@ -42,9 +42,11 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.5.0"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0"}}
           - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}}
           - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.0.0"}}
+          - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.1.0"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL master branch, as of Nov 27, 2024.
           - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fcef13a49852397a0d39c00be8d7bc2ba1ab6fb9"}}
 
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v44-0-3:
+
+44.0.3 - 2025-05-02
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 4.1.0.
+
 .. _v44-0-2:
 
 44.0.2 - 2025-03-01
 
@@ -21,6 +21,8 @@ rust-version = "1.65.0"
 [workspace.dependencies]
 asn1 = { version = "0.20.0", default-features = false }
 pyo3 = { version = "0.23.5", features = ["abi3"] }
+openssl = "0.10.72"
+openssl-sys = "0.9.108"
 
 [profile.release]
 overflow-checks = true
@@ -14,7 +14,7 @@ build-backend = "maturin"
 
 [project]
 name = "cryptography"
-version = "44.0.2"
+version = "44.0.3"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
 ]
@@ -65,7 +65,7 @@ ssh = ["bcrypt >=3.1.5"]
 # All the following are used for our own testing.
 nox = ["nox >=2024.04.15", "nox[uv] >=2024.03.02; python_version >= '3.8'"]
 test = [
-    "cryptography_vectors==44.0.2",
+    "cryptography_vectors==44.0.3",
     "pytest >=7.4.0",
     "pytest-benchmark >=4.0",
     "pytest-cov >=2.10.1",
 
@@ -10,7 +10,7 @@
     "__version__",
 ]
 
-__version__ = "44.0.2"
+__version__ = "44.0.3"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 
@@ -169,14 +169,17 @@ def rsa_padding_supported(self, padding: AsymmetricPadding) -> bool:
         if isinstance(padding, PKCS1v15):
             return True
         elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1):
-            # SHA1 is permissible in MGF1 in FIPS even when SHA1 is blocked
-            # as signature algorithm.
-            if self._fips_enabled and isinstance(
-                padding._mgf._algorithm, hashes.SHA1
+            # FIPS 186-4 only allows salt length == digest length for PSS
+            # It is technically acceptable to set an explicit salt length
+            # equal to the digest length and this will incorrectly fail, but
+            # since we don't do that in the tests and this method is
+            # private, we'll ignore that until we need to do otherwise.
+            if (
+                self._fips_enabled
+                and padding._salt_length != PSS.DIGEST_LENGTH
             ):
-                return True
-            else:
-                return self.hash_supported(padding._mgf._algorithm)
+                return False
+            return self.hash_supported(padding._mgf._algorithm)
         elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1):
             return self._oaep_hash_supported(
                 padding._mgf._algorithm
 
@@ -71,7 +71,7 @@ fn main() {
     // This is because we don't want a potentially random build path to end up in the binary because
     // CFFI generated code uses the __FILE__ macro in its debug messages.
     if let Some(out_dir_str) = Path::new(&out_dir).to_str() {
-        build.flag_if_supported(format!("-fmacro-prefix-map={}=.", out_dir_str).as_str());
+        build.flag_if_supported(format!("-fmacro-prefix-map={out_dir_str}").as_str());
     }
 
     for python_include in env::split_paths(&python_includes) {
 
@@ -4,10 +4,11 @@
 
 #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
 
-use pyo3::pybacked::{PyBackedBytes, PyBackedStr};
 use std::cell::UnsafeCell;
 use std::ops::Deref;
 
+use pyo3::pybacked::{PyBackedBytes, PyBackedStr};
+
 pub struct KeepAlive<T: StableDeref> {
     values: UnsafeCell<Vec<T>>,
 }
 
@@ -2,9 +2,10 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-use crate::{cvt, cvt_p, OpenSSLResult};
 use foreign_types_shared::{ForeignType, ForeignTypeRef};
 
+use crate::{cvt, cvt_p, OpenSSLResult};
+
 pub enum AeadType {
     ChaCha20Poly1305,
 }
 
@@ -2,14 +2,15 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
-use crate::{cvt, OpenSSLResult};
 #[cfg(all(
     CRYPTOGRAPHY_OPENSSL_300_OR_GREATER,
     not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))
 ))]
 use std::ptr;
 
+#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
+use crate::{cvt, OpenSSLResult};
+
 pub fn is_enabled() -> bool {
     cfg_if::cfg_if! {
         if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] {
 
@@ -16,21 +16,19 @@ use std::fmt::Display;
 use std::vec;
 
 use asn1::ObjectIdentifier;
-use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions};
-use cryptography_x509::{
-    common::Asn1Read,
-    extensions::{NameConstraints, SubjectAlternativeName},
-    name::GeneralName,
-    oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID},
+use cryptography_x509::common::Asn1Read;
+use cryptography_x509::extensions::{
+    DuplicateExtensionsError, Extensions, NameConstraints, SubjectAlternativeName,
 };
+use cryptography_x509::name::GeneralName;
+use cryptography_x509::oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID};
 use types::{RFC822Constraint, RFC822Name};
 
 use crate::certificate::cert_is_self_issued;
 use crate::ops::{CryptoOps, VerificationCertificate};
 use crate::policy::Policy;
 use crate::trust_store::Store;
-use crate::types::DNSName;
-use crate::types::{DNSConstraint, IPAddress, IPConstraint};
+use crate::types::{DNSConstraint, DNSName, IPAddress, IPConstraint};
 use crate::ApplyNameConstraintStatus::{Applied, Skipped};
 
 pub enum ValidationErrorKind<'chain, B: CryptoOps> {
@@ -175,12 +173,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> {
                 ) {
                     (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))),
                     (_, None) => Err(ValidationError::new(ValidationErrorKind::Other(format!(
-                        "unsatisfiable IP name constraint: malformed SAN {:?}",
-                        name,
+                        "unsatisfiable IP name constraint: malformed SAN {name:?}",
                     )))),
                     (None, _) => Err(ValidationError::new(ValidationErrorKind::Other(format!(
-                        "malformed IP name constraints: {:?}",
-                        pattern
+                        "malformed IP name constraints: {pattern:?}",
                     )))),
                 }
             }
 
@@ -90,9 +90,10 @@ pub trait CryptoOps {
 
 #[cfg(test)]
 pub(crate) mod tests {
+    use cryptography_x509::certificate::Certificate;
+
     use super::VerificationCertificate;
     use crate::certificate::tests::PublicKeyErrorOps;
-    use cryptography_x509::certificate::Certificate;
 
     pub(crate) fn v1_cert_pem() -> pem::Pem {
         pem::parse(
 
@@ -2,19 +2,17 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use cryptography_x509::certificate::Certificate;
+use cryptography_x509::extensions::{Extension, Extensions};
 use cryptography_x509::oid::{
     AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID,
     EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID,
     SUBJECT_KEY_IDENTIFIER_OID,
 };
-use cryptography_x509::{
-    certificate::Certificate,
-    extensions::{Extension, Extensions},
-};
 
-use crate::{
-    ops::CryptoOps, policy::Policy, ValidationError, ValidationErrorKind, ValidationResult,
-};
+use crate::ops::CryptoOps;
+use crate::policy::Policy;
+use crate::{ValidationError, ValidationErrorKind, ValidationResult};
 
 pub(crate) struct ExtensionPolicy<B: CryptoOps> {
     pub(crate) authority_information_access: ExtensionValidator<B>,
@@ -266,17 +264,13 @@ impl<B: CryptoOps> ExtensionValidator<B> {
 }
 
 pub(crate) mod ee {
-    use cryptography_x509::{
-        certificate::Certificate,
-        extensions::{
-            BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, SubjectAlternativeName,
-        },
+    use cryptography_x509::certificate::Certificate;
+    use cryptography_x509::extensions::{
+        BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, SubjectAlternativeName,
     };
 
-    use crate::{
-        ops::CryptoOps,
-        policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult},
-    };
+    use crate::ops::CryptoOps;
+    use crate::policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult};
 
     pub(crate) fn basic_constraints<'chain, B: CryptoOps>(
         _policy: &Policy<'_, B>,
@@ -379,20 +373,16 @@ pub(crate) mod ee {
 }
 
 pub(crate) mod ca {
-    use cryptography_x509::{
-        certificate::Certificate,
-        common::Asn1Read,
-        extensions::{
-            AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage,
-            NameConstraints,
-        },
-        oid::EKU_ANY_KEY_USAGE_OID,
+    use cryptography_x509::certificate::Certificate;
+    use cryptography_x509::common::Asn1Read;
+    use cryptography_x509::extensions::{
+        AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage,
+        NameConstraints,
     };
+    use cryptography_x509::oid::EKU_ANY_KEY_USAGE_OID;
 
-    use crate::{
-        ops::CryptoOps,
-        policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult},
-    };
+    use crate::ops::CryptoOps;
+    use crate::policy::{Policy, ValidationError, ValidationErrorKind, ValidationResult};
 
     pub(crate) fn authority_key_identifier<'chain, B: CryptoOps>(
         _policy: &Policy<'_, B>,
@@ -529,16 +519,12 @@ pub(crate) mod ca {
 }
 
 pub(crate) mod common {
-    use cryptography_x509::{
-        certificate::Certificate,
-        common::Asn1Read,
-        extensions::{Extension, SequenceOfAccessDescriptions},
-    };
+    use cryptography_x509::certificate::Certificate;
+    use cryptography_x509::common::Asn1Read;
+    use cryptography_x509::extensions::{Extension, SequenceOfAccessDescriptions};
 
-    use crate::{
-        ops::CryptoOps,
-        policy::{Policy, ValidationResult},
-    };
+    use crate::ops::CryptoOps;
+    use crate::policy::{Policy, ValidationResult};
 
     pub(crate) fn authority_information_access<'chain, B: CryptoOps>(
         _policy: &Policy<'_, B>,
 
@@ -601,24 +601,20 @@ mod tests {
 
     use asn1::{DateTime, SequenceOfWriter};
     use cryptography_x509::common::Time;
-    use cryptography_x509::{
-        extensions::SubjectAlternativeName,
-        name::{GeneralName, UnvalidatedIA5String},
-    };
+    use cryptography_x509::extensions::SubjectAlternativeName;
+    use cryptography_x509::name::{GeneralName, UnvalidatedIA5String};
 
     use super::{
         permits_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256,
         RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384,
         RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS,
     };
     use crate::certificate::tests::PublicKeyErrorOps;
-    use crate::{
-        policy::{
-            Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1,
-            WEBPKI_PERMITTED_SPKI_ALGORITHMS,
-        },
-        types::{DNSName, IPAddress},
+    use crate::policy::{
+        Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1,
+        WEBPKI_PERMITTED_SPKI_ALGORITHMS,
     };
+    use crate::types::{DNSName, IPAddress};
 
     #[test]
     fn test_webpki_permitted_spki_algorithms_canonical_encodings() {
 
@@ -6,8 +6,7 @@ use std::collections::HashMap;
 
 use cryptography_x509::name::Name;
 
-use crate::CryptoOps;
-use crate::VerificationCertificate;
+use crate::{CryptoOps, VerificationCertificate};
 
 /// A `Store` represents the core state needed for X.509 path validation.
 pub struct Store<'a, B: CryptoOps> {
 
@@ -400,9 +400,8 @@ impl<'a> RFC822Constraint<'a> {
 
 #[cfg(test)]
 mod tests {
-    use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name};
-
     use super::RFC822Constraint;
+    use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name};
 
     #[test]
     fn test_dnsname_debug_trait() {
 
@@ -2,12 +2,9 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-use crate::common;
-use crate::extensions;
-use crate::extensions::DuplicateExtensionsError;
-use crate::extensions::Extensions;
-use crate::name;
+use crate::extensions::{DuplicateExtensionsError, Extensions};
 use crate::name::NameReadable;
+use crate::{common, extensions, name};
 
 #[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)]
 pub struct Certificate<'a> {
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`"__version__",`
`11`	`11`	`]`
`12`	`12`
`13`		`-__version__ = "44.0.2"`
	`13`	`+__version__ = "44.0.3"`
`14`	`14`
`15`	`15`
`16`	`16`	`__author__ = "The Python Cryptographic Authority and individual contributors"`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ fn main() {`
`71`	`71`	`// This is because we don't want a potentially random build path to end up in the binary because`
`72`	`72`	`// CFFI generated code uses the __FILE__ macro in its debug messages.`
`73`	`73`	`if let Some(out_dir_str) = Path::new(&out_dir).to_str() {`
`74`		`- build.flag_if_supported(format!("-fmacro-prefix-map={}=.", out_dir_str).as_str());`
	`74`	`+ build.flag_if_supported(format!("-fmacro-prefix-map={out_dir_str}").as_str());`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`for python_include in env::split_paths(&python_includes) {`