Fixing the following:
```
error: linking with `/nix/store/l3ca456ppdy8hi9hc0rvyr6mrm76si08-clang-wrapper-11.1.0/bin/cc` failed: exit code: 1
= note: ld: library not found for -liconv
```
Backwards incompatible changes: Support for Python 2 has been removed.
Note: This isn't a problem for Nixpkgs because
pythonPackages.cryptography is frozen at version 3.3.2.
Other important packaging changes: "Cryptography now incorporates Rust
code. Users building cryptography themselves will need to have the Rust
toolchain installed. Users who use an officially produced wheel will not
need to make any changes. The minimum supported Rust version is 1.45.0."
SECURITY ISSUE: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result in
an integer overflow, leading to buffer overflows. CVE-2020-36242
Note: This also updates {,vectors-}3.3.nix (for Python 2 / nixops)
because of the security issue.
Backward incompatible changes:
- Support for Python 3.5 has been removed due to low usage and
maintenance burden.
- The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
initialization vectors. This change is to conform with an upcoming
OpenSSL release that will no longer support sizes outside this window.
- When deserializing asymmetric keys we now raise ValueError rather than
UnsupportedAlgorithm when an unsupported cipher is used. This change
is to conform with an upcoming OpenSSL release that will no longer
distinguish between error types.
- We no longer allow loading of finite field Diffie-Hellman parameters
of less than 512 bits in length. This change is to conform with an
upcoming OpenSSL release that no longer supports smaller sizes. These
keys were already wildly insecure and should not have been used in any
application outside of testing.
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659
Backwards incompatible changes:
- Removed support for idna based U-label parsing in various X.509
classes. This support was originally deprecated in version 2.1 and
moved to an extra in 2.5.
