Bump hybrid-array from 0.4.11 to 0.4.12 in /src/_bcrypt (#1200)

Bumps [hybrid-array](https://github.com/RustCrypto/hybrid-array) from 0.4.11 to 0.4.12.
- [Changelog](https://github.com/RustCrypto/hybrid-array/blob/master/CHANGELOG.md)
- [Commits](https://github.com/RustCrypto/hybrid-array/compare/v0.4.11...v0.4.12)

---
updated-dependencies:
- dependency-name: hybrid-array
  dependency-version: 0.4.12
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/config/macos-pkg-choices-freethreaded-3.13t.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+    <dict>
+        <key>attributeSetting</key>
+        <integer>1</integer>
+        <key>choiceAttribute</key>
+        <string>selected</string>
+        <key>choiceIdentifier</key>
+        <string>org.python.Python.PythonTFramework-3.13</string>
+    </dict>
+</array>
+</plist>

.github/config/macos-pkg-choices-freethreaded-3.14t.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+    <dict>
+        <key>attributeSetting</key>
+        <integer>1</integer>
+        <key>choiceAttribute</key>
+        <string>selected</string>
+        <key>choiceIdentifier</key>
+        <string>org.python.Python.PythonTFramework-3.14</string>
+    </dict>
+</array>
+</plist>

.github/workflows/ci.yml

@@ -9,136 +9,138 @@ on:
 
 jobs:
   macos:
-    runs-on: macos-latest
+    runs-on: ${{ matrix.MACOS }}
     strategy:
+      fail-fast: false
       matrix:
-         PYTHON:
-          - {VERSION: "3.7", TOXENV: "py37"}
-          - {VERSION: "3.12", TOXENV: "py312"}
-    name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
+        PYTHON:
+          - {VERSION: "3.8", NOXSESSION: "tests"}
+          - {VERSION: "3.14", NOXSESSION: "tests"}
+          - {VERSION: "3.14t", NOXSESSION: "tests"}
+        MACOS:
+          - macos-15-intel
+          - macos-latest
+    name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.MACOS }}"
     steps:
-      - uses: actions/checkout@v3.6.0
+      - uses: actions/checkout@v6.0.2
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v5.0.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
-      - uses: actions/cache@v3.3.2
+      - uses: actions/cache@v5.0.5
         timeout-minutes: 5
         with:
           path: |
             ~/Library/Caches/pip/
-            ~/.cargo/bin/
-            ~/.cargo/registry/cache/
-            ~/.cargo/registry/src/
-            ~/.cargo/git/db/
             src/_bcrypt/target/
-          key: ${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - run: pip install tox
-      - run: tox
+          key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - run: pip install nox
+      - run: nox -v
         env:
-          TOXENV: ${{ matrix.PYTHON.TOXENV }}
+          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
           CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
 
   windows:
-    runs-on: windows-latest
+    runs-on: ${{ matrix.WINDOWS.RUNNER }}
     strategy:
+      fail-fast: false
       matrix:
         WINDOWS:
-          - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'}
-          - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'}
+          - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc', RUNNER: 'windows-latest'}
+          - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
         PYTHON:
-          - {VERSION: "3.7", TOXENV: "py37"}
-          - {VERSION: "3.12", TOXENV: "py312"}
+          - {VERSION: "3.8", NOXSESSION: "tests"}
+          - {VERSION: "3.14", NOXSESSION: "tests"}
+          - {VERSION: "3.14t", NOXSESSION: "tests"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
     steps:
-      - uses: actions/checkout@v3.6.0
+      - uses: actions/checkout@v6.0.2
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v5.0.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}
-      - uses: actions/cache@v3.3.2
+      - uses: actions/cache@v5.0.5
         timeout-minutes: 5
         with:
           path: |
             ~/AppData/Local/pip/Cache/
-            ~/.cargo/bin/
-            ~/.cargo/registry/cache/
-            ~/.cargo/registry/src/
-            ~/.cargo/git/db/
             src/_bcrypt/target/
-          key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
-      - run: pip install tox
-      - run: tox
+      - run: pip install nox
+      - run: nox -v
         env:
-          TOXENV: ${{ matrix.PYTHON.TOXENV }}
+          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
           CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
   linux:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
+      fail-fast: false
       matrix:
         PYTHON:
-          - {VERSION: "3.12", TOXENV: "pep8,packaging"}
-          - {VERSION: "3.12", TOXENV: "mypy"}
-          - {VERSION: "3.7", TOXENV: "py37"}
-          - {VERSION: "3.8", TOXENV: "py38"}
-          - {VERSION: "3.9", TOXENV: "py39"}
-          - {VERSION: "3.10", TOXENV: "py310"}
-          - {VERSION: "3.11", TOXENV: "py311"}
-          - {VERSION: "3.12", TOXENV: "py312"}
-          - {VERSION: "pypy-3.9", TOXENV: "pypy3"}
-          - {VERSION: "pypy-3.10", TOXENV: "pypy3"}
+          - {VERSION: "3.13", NOXSESSION: "pep8,packaging"}
+          - {VERSION: "3.13", NOXSESSION: "mypy"}
+          - {VERSION: "3.8", NOXSESSION: "tests"}
+          - {VERSION: "3.9", NOXSESSION: "tests"}
+          - {VERSION: "3.10", NOXSESSION: "tests"}
+          - {VERSION: "3.11", NOXSESSION: "tests"}
+          - {VERSION: "3.12", NOXSESSION: "tests"}
+          - {VERSION: "3.13", NOXSESSION: "tests"}
+          - {VERSION: "3.13t", NOXSESSION: "tests"}
+          - {VERSION: "3.14", NOXSESSION: "tests"}
+          - {VERSION: "3.14t", NOXSESSION: "tests"}
+          - {VERSION: "pypy-3.11", NOXSESSION: "tests"}
 
           # MSRV
-          - {VERSION: "3.12", TOXENV: "py312", RUST_VERSION: "1.63.0"}
-          - {VERSION: "3.12", TOXENV: "py312", RUST_VERSION: "1.64.0"}
-          - {VERSION: "3.12", TOXENV: "py312", RUST_VERSION: "beta"}
-          - {VERSION: "3.12", TOXENV: "py312", RUST_VERSION: "nightly"}
-    name: "${{ matrix.PYTHON.TOXENV }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
+          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "1.85"}
+          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "beta"}
+          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "nightly"}
+    name: "${{ matrix.PYTHON.VERSION }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
     steps:
-      - uses: actions/checkout@v3.6.0
+      - uses: actions/checkout@v6.0.2
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v5.0.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
-      - uses: actions/cache@v3.3.2
+      - uses: actions/cache@v5.0.5
         timeout-minutes: 5
         with:
           path: |
             ~/.cache/pip/
-            ~/.cargo/bin/
-            ~/.cargo/registry/cache/
-            ~/.cargo/registry/src/
-            ~/.cargo/git/db/
             src/_bcrypt/target/
           key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
         with:
           toolchain: ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}
 
-      - run: pip install tox
-      - if: matrix.PYTHON.RUST_VERSION == '1.63.0'
-        run: echo 'BCRYPT_ALLOW_RUST_163=1' >> $GITHUB_ENV
-      - run: tox
+      - run: pip install nox
+      - run: nox -v
         env:
-          TOXENV: ${{ matrix.PYTHON.TOXENV }}
+          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
           CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
 
-  linux-distros:
+  alpine:
     runs-on: ${{ matrix.IMAGE.RUNNER }}
-    container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
+    container:
+      image: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
+      volumes:
+        - /staticnodehost:/staticnodecontainer:rw,rshared
+        - /staticnodehost/24:/__e/node24:ro,rshared
     strategy:
+      fail-fast: false
       matrix:
         IMAGE:
-          - {IMAGE: "alpine", TOXENV: "py311", RUNNER: "ubuntu-latest"}
-          - {IMAGE: "alpine:aarch64", TOXENV: "py311", RUNNER: [self-hosted, Linux, ARM64]}
-          - {IMAGE: "ubuntu-jammy:aarch64", TOXENV: "py310", RUNNER: [self-hosted, Linux, ARM64]}
-    name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
+          - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
+          - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
+    name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
     steps:
+      - name: Ridiculous-er workaround for static node
+        run: |
+          cp -R /staticnode/* /staticnodecontainer/
       - name: Ridiculous alpine workaround for actions support on arm64
         run: |
           # This modifies /etc/os-release so the JS actions
@@ -147,24 +149,34 @@ jobs:
           # is installed in the container (which it is)
           sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
         if: matrix.IMAGE.IMAGE == 'alpine:aarch64'
-      - uses: actions/checkout@v3.6.0
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/cache@v3.3.2
-        timeout-minutes: 5
-        with:
-          path: |
-            ~/.cache/pip/
-            ~/.cargo/bin/
-            ~/.cargo/registry/cache/
-            ~/.cargo/registry/src/
-            ~/.cargo/git/db/
-            src/_bcrypt/target/
-          key: ${{ runner.os }}-${{ matrix.IMAGE.IMAGE }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - run: /venv/bin/pip install tox
-      - run: '/venv/bin/tox'
+      - run: /venv/bin/pip install nox
+      - run: /venv/bin/nox -v
         env:
-          TOXENV: ${{ matrix.IMAGE.TOXENV }}
+          NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
+          RUSTUP_HOME: /root/.rustup
+          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
+
+  linux-distros:
+    runs-on: ${{ matrix.IMAGE.RUNNER }}
+    container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
+    strategy:
+      fail-fast: false
+      matrix:
+        IMAGE:
+          - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
+          - {IMAGE: "ubuntu-rolling:armv7l", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
+    name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
+    steps:
+      - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+      - run: /venv/bin/pip install nox
+      - run: /venv/bin/nox -v
+        env:
+          NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
           RUSTUP_HOME: /root/.rustup
           CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
 
@@ -175,6 +187,7 @@ jobs:
     - macos
     - windows
     - linux
+    - alpine
     - linux-distros
 
     runs-on: ubuntu-latest

.github/workflows/lock.yml

@@ -10,7 +10,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           issue-inactive-days: 90

.github/workflows/pypi-publish.yml

@@ -0,0 +1,60 @@
+name: Publish to PyPI
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_id:
+        description: The run of wheel-builder to use for finding artifacts.
+        required: true
+      environment:
+        description: Which PyPI environment to upload to
+        required: true
+        type: choice
+        options: ["testpypi", "pypi"]
+  workflow_run:
+    workflows: ["Wheel Builder"]
+    types: [completed]
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    # We're not actually verifying that the triggering push event was for a
+    # tag, because github doesn't expose enough information to do so.
+    # wheel-builder.yml currently only has push events for tags.
+    if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success')
+    permissions:
+      id-token: "write"
+      attestations: "write"
+    steps:
+      - run: echo "$EVENT_CONTEXT"
+        env:
+          EVENT_CONTEXT: ${{ toJson(github.event) }}
+
+      - run: |
+          echo "PYPI_URL=https://upload.pypi.org/legacy/" >> $GITHUB_ENV
+        if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
+      - run: |
+          echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
+
+      - uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        with:
+          path: tmpdist/
+          run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
+      - run: mkdir dist/
+      - run: |
+          find tmpdist/ -type f -name 'bcrypt*' -exec mv {} dist/ \;
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
+        with:
+          repository-url: ${{ env.PYPI_URL }}
+          skip-existing: true
+          # Do not perform attestation for things for TestPyPI. This is
+          # because there's nothing that would prevent a malicious PyPI from
+          # serving a signed TestPyPI asset in place of a release intended for
+          # PyPI.
+          attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }}

.github/workflows/wheel-builder.yml

@@ -7,6 +7,12 @@ on:
       version:
         description: The version to build
         required: false
+  # Do not add any non-tag push events without updating pypi-publish.yml. If
+  # you do, it'll upload wheels to PyPI.
+  push:
+    tags:
+      - '*.*'
+      - '*.*.*'
   pull_request:
     paths:
       - .github/workflows/wheel-builder.yml
@@ -19,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     name: sdists
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
         with:
           # The tag to build or the tag received by the tag event
           ref: ${{ github.event.inputs.version || github.ref }}
@@ -30,7 +36,7 @@ jobs:
         run: .venv/bin/pip install -U pip build
       - name: Make sdist
         run: .venv/bin/python -m build --sdist
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: "bcrypt-sdist"
           path: dist/bcrypt*
@@ -38,54 +44,53 @@ jobs:
     needs: [sdist]
     runs-on: ${{ matrix.MANYLINUX.RUNNER }}
     strategy:
+      fail-fast: false
       matrix:
         PYTHON:
-          - { VERSION: "cp37-cp37m", ABI_VERSION: 'cp37' }
+          - { VERSION: "cp38-cp38", ABI_VERSION: 'cp38' }
           - { VERSION: "cp39-cp39", ABI_VERSION: 'cp39' }
-          - { VERSION: "pp39-pypy39_pp73" }
-          - { VERSION: "pp310-pypy310_pp73" }
+          - { VERSION: "pp311-pypy311_pp73" }
+          - { VERSION: "cp313-cp313t" }
+          - { VERSION: "cp314-cp314t" }
         MANYLINUX:
           - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" }
           - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"}
-          - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
+          - { NAME: "manylinux_2_34_x86_64", CONTAINER: "cryptography-manylinux_2_34:x86_64", RUNNER: "ubuntu-latest"}
           - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
 
-          - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] }
-          - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
+          - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" }
+          - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: "ubuntu-24.04-arm" }
+          - { NAME: "manylinux_2_34_aarch64", CONTAINER: "cryptography-manylinux_2_34:aarch64", RUNNER: "ubuntu-24.04-arm" }
+          - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm" }
+
+          - { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" }
         exclude:
           # There are no readily available musllinux PyPy distributions
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
+          - PYTHON: { VERSION: "pp311-pypy311_pp73" }
             MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
+          - PYTHON: { VERSION: "pp311-pypy311_pp73" }
+            MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm" }
 
             # We also don't build pypy wheels for anything except the latest manylinux
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
+          - PYTHON: { VERSION: "pp311-pypy311_pp73" }
             MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"}
-          - PYTHON: { VERSION: "pp39-pypy39_pp73" }
-            MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - PYTHON: { VERSION: "pp310-pypy310_pp73" }
-            MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
+          - PYTHON: { VERSION: "pp311-pypy311_pp73" }
+            MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" }
+
+          # No PyPy on armv7l either
+          - PYTHON: { VERSION: "pp311-pypy311_pp73" }
+            MANYLINUX: { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" }
+
     name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}"
-    container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
+    container:
+      image: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
+      volumes:
+        - /staticnodehost:/staticnodecontainer:rw,rshared
+        - /staticnodehost/24:/__e/node24:ro,rshared
     steps:
+      - name: Ridiculous-er workaround for static node
+        run: |
+          cp -R /staticnode/* /staticnodecontainer/
       - name: Ridiculous alpine workaround for actions support on arm64
         run: |
           # This modifies /etc/os-release so the JS actions
@@ -97,7 +102,7 @@ jobs:
       - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv
       - name: Install python dependencies
         run: .venv/bin/pip install -U pip wheel setuptools-rust
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bcrypt-sdist
       - run: mkdir tmpwheelhouse
@@ -116,39 +121,61 @@ jobs:
 
       - run: mkdir bcrypt-wheelhouse
       - run: mv wheelhouse/bcrypt*.whl bcrypt-wheelhouse/
-      - uses: actions/upload-artifact@v3.1.3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }} -${{ matrix.PYTHON.VERSION }}"
+          name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION  }}${{ matrix.PYTHON.ABI_VERSION }}"
           path: bcrypt-wheelhouse/
 
   macos:
     needs: [sdist]
-    runs-on: macos-13
+    runs-on: macos-15
     strategy:
+      fail-fast: false
       matrix:
         PYTHON:
           - VERSION: '3.11'
-            ABI_VERSION: 'cp37'
-            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg'
+            ABI_VERSION: 'cp38'
+            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.9/python-3.11.9-macos11.pkg'
             BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
           - VERSION: '3.11'
             ABI_VERSION: 'cp39'
-            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg'
+            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.9/python-3.11.9-macos11.pkg'
             BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
-    name: "Python ${{ matrix.PYTHON.VERSION }} for ABI ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
+          - VERSION: '3.13t'
+            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.13.7/python-3.13.7-macos11.pkg'
+            BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.13/bin/python3.13t'
+          - VERSION: '3.14t'
+            DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.14.0/python-3.14.0-macos11.pkg'
+            BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.14/bin/python3.14t'
+    name: "Python ${{ matrix.PYTHON.VERSION }} ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
     steps:
-      - run: |
+      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
+        with:
+          # The tag to build or the tag received by the tag event
+          ref: ${{ github.event.inputs.version || github.ref }}
+          sparse-checkout: |
+            .github/config/macos-pkg-choices-freethreaded-3.13t.xml
+            .github/config/macos-pkg-choices-freethreaded-3.14t.xml
+          persist-credentials: false
+      - name: Install Python
+        if: ${{ !endsWith(matrix.PYTHON.VERSION, 't') }}
+        run: |
           curl "${{ matrix.PYTHON.DOWNLOAD_URL }}" -o python.pkg
           sudo installer -pkg python.pkg -target /
-      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
+      - name: Install Python (free-threaded)
+        if: ${{ endsWith(matrix.PYTHON.VERSION, 't') }}
+        run: |
+          curl "${{ matrix.PYTHON.DOWNLOAD_URL }}" -o python.pkg
+          sudo installer -pkg python.pkg -applyChoiceChangesXML .github/config/macos-pkg-choices-freethreaded-${{ matrix.PYTHON.VERSION  }}.xml -target /
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
         with:
           toolchain: stable
-          # Add the arm64 target in addition to the native arch (x86_64)
-          target: aarch64-apple-darwin
+          # Add the x86-64 target in addition to the native arch (arm64)
+          target: x86_64-apple-darwin
 
       - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv
       - run: venv/bin/pip install -U pip wheel setuptools-rust
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bcrypt-sdist
       - run: mkdir wheelhouse
@@ -169,33 +196,36 @@ jobs:
 
       - run: mkdir bcrypt-wheelhouse
       - run: mv wheelhouse/bcrypt*.whl bcrypt-wheelhouse/
-      - uses: actions/upload-artifact@v3.1.3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: "bcrypt-${{ github.event.inputs.version }}-macOS-${{ matrix.PYTHON.ABI_VERSION }}"
+          name: "bcrypt-${{ github.event.inputs.version }}-macOS-${{ matrix.PYTHON.VERSION  }}${{ matrix.PYTHON.ABI_VERSION }}"
           path: bcrypt-wheelhouse/
 
   windows:
     needs: [sdist]
-    runs-on: windows-latest
+    runs-on: ${{ matrix.WINDOWS.RUNNER }}
     strategy:
+      fail-fast: false
       matrix:
         WINDOWS:
-          - {ARCH: 'x86', RUST_TRIPLE: 'i686-pc-windows-msvc'}
-          - {ARCH: 'x64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'}
+          - {ARCH: 'x86', RUST_TRIPLE: 'i686-pc-windows-msvc', RUNNER: 'windows-latest'}
+          - {ARCH: 'x64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
         PYTHON:
-          - {VERSION: "3.11", ABI_VERSION: "cp37"}
+          - {VERSION: "3.11", ABI_VERSION: "cp38"}
           - {VERSION: "3.11", ABI_VERSION: "cp39"}
+          - {VERSION: "3.13t"}
+          - {VERSION: "3.14t"}
     name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.PYTHON.ABI_VERSION }} ${{ matrix.WINDOWS.ARCH }}"
     steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bcrypt-sdist
       - name: Setup python
-        uses: actions/setup-python@v5.0.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}
-      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
         with:
           toolchain: stable
           target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
@@ -217,7 +247,7 @@ jobs:
       # TODO: can we setup another python and test in the same job? this would catch bad linking problems (e.g. build and test on py36, but then install py38 and see if it works
       - run: mkdir bcrypt-wheelhouse
       - run: move wheelhouse\bcrypt*.whl bcrypt-wheelhouse\
-      - uses: actions/upload-artifact@v3.1.3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.ABI_VERSION }}"
+          name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.VERSION  }}${{ matrix.PYTHON.ABI_VERSION }}"
           path: bcrypt-wheelhouse\

CHANGELOG.rst

@@ -0,0 +1,167 @@
+Changelog
+=========
+
+Unreleased
+----------
+
+* Bumped MSRV to 1.85.
+
+5.0.0
+-----
+
+* Bumped MSRV to 1.74.
+* Added support for Python 3.14 and free-threaded Python 3.14.
+* Added support for Windows on ARM.
+* Passing ``hashpw`` a password longer than 72 bytes now raises a
+  ``ValueError``. Previously the password was silently truncated, following the
+  behavior of the original OpenBSD ``bcrypt`` implementation.
+
+4.3.0
+-----
+
+* Dropped support for Python 3.7.
+* We now support free-threaded Python 3.13.
+* We now support PyPy 3.11.
+* We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on
+  ``manylinux``, and for ARMv7l on ``manylinux``.
+
+4.2.1
+-----
+
+* Bump Rust dependency versions - this should resolve crashes on Python 3.13
+  free-threaded builds.
+* We no longer build ``manylinux`` wheels for PyPy 3.9.
+
+4.2.0
+-----
+
+* Bump Rust dependency versions
+* Removed the ``BCRYPT_ALLOW_RUST_163`` environment variable.
+
+4.1.3
+-----
+
+* Bump Rust dependency versions
+
+4.1.2
+-----
+
+* Publish both ``py37`` and ``py39`` wheels. This should resolve some errors
+  relating to initializing a module multiple times per process.
+
+4.1.1
+-----
+
+* Fixed the type signature on the ``kdf`` method.
+* Fixed packaging bug on Windows.
+* Fixed incompatibility with passlib package detection assumptions.
+
+4.1.0
+-----
+
+* Dropped support for Python 3.6.
+* Bumped MSRV to 1.64. (Note: Rust 1.63 can be used by setting the ``BCRYPT_ALLOW_RUST_163`` environment variable)
+
+4.0.1
+-----
+
+* We now build PyPy ``manylinux`` wheels.
+* Fixed a bug where passing an invalid ``salt`` to ``checkpw`` could result in
+  a ``pyo3_runtime.PanicException``. It now correctly raises a ``ValueError``.
+
+4.0.0
+-----
+
+* ``bcrypt`` is now implemented in Rust. Users building from source will need
+  to have a Rust compiler available. Nothing will change for users downloading
+  wheels.
+* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the latest
+  ``pip`` to ensure this doesn’t cause issues downloading wheels on their
+  platform. We now ship ``manylinux_2_28`` wheels for users on new enough platforms.
+* ``NUL`` bytes are now allowed in inputs.
+
+
+3.2.2
+-----
+
+* Fixed packaging of ``py.typed`` files in wheels so that ``mypy`` works.
+
+3.2.1
+-----
+
+* Added support for compilation on z/OS
+* The next release of ``bcrypt`` with be 4.0 and it will require Rust at
+  compile time, for users building from source. There will be no additional
+  requirement for users who are installing from wheels. Users on most
+  platforms will be able to obtain a wheel by making sure they have an up to
+  date ``pip``. The minimum supported Rust version will be 1.56.0.
+* This will be the final release for which we ship ``manylinux2010`` wheels.
+  Going forward the minimum supported manylinux ABI for our wheels will be
+  ``manylinux2014``. The vast majority of users will continue to receive
+  ``manylinux`` wheels provided they have an up to date ``pip``.
+
+
+3.2.0
+-----
+
+* Added typehints for library functions.
+* Dropped support for Python versions less than 3.6 (2.7, 3.4, 3.5).
+* Shipped ``abi3`` Windows wheels (requires pip >= 20).
+
+3.1.7
+-----
+
+* Set a ``setuptools`` lower bound for PEP517 wheel building.
+* We no longer distribute 32-bit ``manylinux1`` wheels. Continuing to produce
+  them was a maintenance burden.
+
+3.1.6
+-----
+
+* Added support for compilation on Haiku.
+
+3.1.5
+-----
+
+* Added support for compilation on AIX.
+* Dropped Python 2.6 and 3.3 support.
+* Switched to using ``abi3`` wheels for Python 3. If you are not getting a
+  wheel on a compatible platform please upgrade your ``pip`` version.
+
+3.1.4
+-----
+
+* Fixed compilation with mingw and on illumos.
+
+3.1.3
+-----
+* Fixed a compilation issue on Solaris.
+* Added a warning when using too few rounds with ``kdf``.
+
+3.1.2
+-----
+* Fixed a compile issue affecting big endian platforms.
+* Fixed invalid escape sequence warnings on Python 3.6.
+* Fixed building in non-UTF8 environments on Python 2.
+
+3.1.1
+-----
+* Resolved a ``UserWarning`` when used with ``cffi`` 1.8.3.
+
+3.1.0
+-----
+* Added support for ``checkpw``, a convenience method for verifying a password.
+* Ensure that you get a ``$2y$`` hash when you input a ``$2y$`` salt.
+* Fixed a regression where ``$2a`` hashes were vulnerable to a wraparound bug.
+* Fixed compilation under Alpine Linux.
+
+3.0.0
+-----
+* Switched the C backend to code obtained from the OpenBSD project rather than
+  openwall.
+* Added support for ``bcrypt_pbkdf`` via the ``kdf`` function.
+
+2.0.0
+-----
+* Added support for an adjustible prefix when calling ``gensalt``.
+* Switched to CFFI 1.0+

MANIFEST.in

@@ -1,8 +1,8 @@
-include LICENSE README.rst
+include LICENSE README.rst CHANGELOG.rst
 
 include pyproject.toml
 
-include tox.ini .coveragerc
+include noxfile.py .coveragerc
 
 recursive-include src py.typed *.pyi
 recursive-include src/_bcrypt Cargo.toml Cargo.lock *.rs

README.rst

@@ -17,28 +17,28 @@ Installation
 
 To install bcrypt, simply:
 
-.. code:: bash
+.. code:: console
 
     $ pip install bcrypt
 
 Note that bcrypt should build very easily on Linux provided you have a C
-compiler and a Rust compiler (the minimum supported Rust version is 1.56.0).
+compiler and a Rust compiler (the minimum supported Rust version is 1.74.0).
 
 For Debian and Ubuntu, the following command will ensure that the required dependencies are installed:
 
-.. code:: bash
+.. code:: console
 
     $ sudo apt-get install build-essential cargo
 
 For Fedora and RHEL-derivatives, the following command will ensure that the required dependencies are installed:
 
-.. code:: bash
+.. code:: console
 
     $ sudo yum install gcc cargo
 
 For Alpine, the following command will ensure that the required dependencies are installed:
 
-.. code:: bash
+.. code:: console
 
     $ apk add --update musl-dev gcc cargo
 
@@ -51,131 +51,10 @@ While bcrypt remains an acceptable choice for password storage, depending on you
 Changelog
 =========
 
-4.1.2
------
-
-* Publish both ``py37`` and ``py39`` wheels. This should resolve some errors
-  relating to initializing a module multiple times per process.
-
-4.1.1
------
-
-* Fixed the type signature on the ``kdf`` method.
-* Fixed packaging bug on Windows.
-* Fixed incompatibility with passlib package detection assumptions.
-
-4.1.0
------
-
-* Dropped support for Python 3.6.
-* Bumped MSRV to 1.64. (Note: Rust 1.63 can be used by setting the ``BCRYPT_ALLOW_RUST_163`` environment variable)
-
-4.0.1
------
-
-* We now build PyPy ``manylinux`` wheels.
-* Fixed a bug where passing an invalid ``salt`` to ``checkpw`` could result in
-  a ``pyo3_runtime.PanicException``. It now correctly raises a ``ValueError``.
-
-4.0.0
------
-
-* ``bcrypt`` is now implemented in Rust. Users building from source will need
-  to have a Rust compiler available. Nothing will change for users downloading
-  wheels.
-* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the latest
-  ``pip`` to ensure this doesn’t cause issues downloading wheels on their
-  platform. We now ship ``manylinux_2_28`` wheels for users on new enough platforms.
-* ``NUL`` bytes are now allowed in inputs.
-
-
-3.2.2
------
-
-* Fixed packaging of ``py.typed`` files in wheels so that ``mypy`` works.
-
-3.2.1
------
-
-* Added support for compilation on z/OS
-* The next release of ``bcrypt`` with be 4.0 and it will require Rust at
-  compile time, for users building from source. There will be no additional
-  requirement for users who are installing from wheels. Users on most
-  platforms will be able to obtain a wheel by making sure they have an up to
-  date ``pip``. The minimum supported Rust version will be 1.56.0.
-* This will be the final release for which we ship ``manylinux2010`` wheels.
-  Going forward the minimum supported manylinux ABI for our wheels will be
-  ``manylinux2014``. The vast majority of users will continue to receive
-  ``manylinux`` wheels provided they have an up to date ``pip``.
-
-
-3.2.0
------
-
-* Added typehints for library functions.
-* Dropped support for Python versions less than 3.6 (2.7, 3.4, 3.5).
-* Shipped ``abi3`` Windows wheels (requires pip >= 20).
-
-3.1.7
------
-
-* Set a ``setuptools`` lower bound for PEP517 wheel building.
-* We no longer distribute 32-bit ``manylinux1`` wheels. Continuing to produce
-  them was a maintenance burden.
-
-3.1.6
------
-
-* Added support for compilation on Haiku.
-
-3.1.5
------
-
-* Added support for compilation on AIX.
-* Dropped Python 2.6 and 3.3 support.
-* Switched to using ``abi3`` wheels for Python 3. If you are not getting a
-  wheel on a compatible platform please upgrade your ``pip`` version.
-
-3.1.4
------
-
-* Fixed compilation with mingw and on illumos.
-
-3.1.3
------
-* Fixed a compilation issue on Solaris.
-* Added a warning when using too few rounds with ``kdf``.
-
-3.1.2
------
-* Fixed a compile issue affecting big endian platforms.
-* Fixed invalid escape sequence warnings on Python 3.6.
-* Fixed building in non-UTF8 environments on Python 2.
-
-3.1.1
------
-* Resolved a ``UserWarning`` when used with ``cffi`` 1.8.3.
-
-3.1.0
------
-* Added support for ``checkpw``, a convenience method for verifying a password.
-* Ensure that you get a ``$2y$`` hash when you input a ``$2y$`` salt.
-* Fixed a regression where ``$2a`` hashes were vulnerable to a wraparound bug.
-* Fixed compilation under Alpine Linux.
-
-3.0.0
------
-* Switched the C backend to code obtained from the OpenBSD project rather than
-  openwall.
-* Added support for ``bcrypt_pbkdf`` via the ``kdf`` function.
-
-2.0.0
------
-* Added support for an adjustible prefix when calling ``gensalt``.
-* Switched to CFFI 1.0+
+The changelog is maintained in `CHANGELOG.rst <https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst>`_
 
 Usage
------
+=====
 
 Password Hashing
 ~~~~~~~~~~~~~~~~
@@ -244,8 +123,9 @@ As of 3.0.0 the ``$2y$`` prefix is still supported in ``hashpw`` but deprecated.
 Maximum Password Length
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-The bcrypt algorithm only handles passwords up to 72 characters, any characters
-beyond that are ignored. To work around this, a common approach is to hash a
+Passing ``hashpw`` a password longer than 72 bytes now raises a ``ValueError``.
+Previously the password was silently truncated, following the behavior of the 
+original OpenBSD ``bcrypt`` implementation. To work around this, a common approach is to hash a
 password with a cryptographic hash (such as ``sha256``) and then base64
 encode it to prevent NULL byte problems before hashing the result with
 ``bcrypt``:
@@ -262,12 +142,7 @@ Compatibility
 -------------
 
 This library should be compatible with py-bcrypt and it will run on Python
-3.6+, and PyPy 3.
-
-C Code
-------
-
-This library uses code from OpenBSD.
+3.8+ (including free-threaded builds), and PyPy 3.
 
 Security
 --------

noxfile.py

@@ -0,0 +1,42 @@
+import nox
+
+nox.options.reuse_existing_virtualenvs = True
+nox.options.default_venv_backend = "uv|virtualenv"
+
+
+@nox.session
+def tests(session: nox.Session) -> None:
+    session.install("coverage")
+    session.install(".[tests]")
+
+    session.run(
+        "coverage", "run", "-m", "pytest", "--strict-markers", *session.posargs
+    )
+    session.run("coverage", "combine")
+    session.run("coverage", "report", "-m", "--fail-under", "100")
+
+
+@nox.session
+def pep8(session: nox.Session) -> None:
+    session.install("ruff")
+
+    session.run("ruff", "check", ".")
+    session.run("ruff", "format", "--check", ".")
+
+
+@nox.session
+def mypy(session: nox.Session) -> None:
+    session.install("mypy")
+    session.install(".[tests]")
+
+    session.run("mypy", "tests/")
+
+
+@nox.session
+def packaging(session: nox.Session) -> None:
+    session.install("setuptools-rust", "check-manifest", "readme_renderer")
+
+    session.run("check-manifest")
+    session.run(
+        "python3", "-m", "readme_renderer", "README.rst", "-o", "/dev/null"
+    )

pyproject.toml

@@ -1,9 +1,8 @@
 [build-system]
-# Must be kept in sync with `setup_requirements` in `setup.py`
 requires = [
     "setuptools>=42.0.0",
     "wheel",
-    "setuptools-rust",
+    "setuptools-rust>=1.7.0",
 ]
 # Point to the setuptools' PEP517 build backend explicitly to
 # disable Pip's fallback guessing
@@ -12,7 +11,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "bcrypt"
 # When updating this, also update lib.rs
-version = "4.1.2"
+version = "5.0.0"
 authors = [
     {name = "The Python Cryptographic Authority developers", email = "cryptography-dev@python.org"}
 ]
@@ -25,18 +24,21 @@ classifiers = [
     "Programming Language :: Python :: Implementation :: PyPy",
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3 :: Only",
-    "Programming Language :: Python :: 3.7",
     "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: Free Threading :: 3 - Stable",
 ]
-requires-python = ">= 3.7"
+requires-python = ">= 3.8"
 dynamic = ["readme"]
 
 [project.urls]
 homepage = "https://github.com/pyca/bcrypt/"
+changelog = "https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst"
 
 [tool.setuptools]
 zip-safe = false
@@ -50,13 +52,19 @@ readme = {file = "README.rst", content-type = "text/x-rst"}
 tests = ["pytest>=3.2.1,!=3.3.0"]
 typecheck = ["mypy"]
 
+[[tool.setuptools-rust.ext-modules]]
+target = "bcrypt._bcrypt"
+path = "src/_bcrypt/Cargo.toml"
+py-limited-api = "auto"
+rust-version = ">=1.64.0"
 
 [tool.ruff]
-ignore = ['N818']
-select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
 line-length = 79
 
-[tool.ruff.isort]
+lint.ignore = ['N818']
+lint.select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
+
+[tool.ruff.lint.isort]
 known-first-party = ["bcrypt", "tests"]
 
 [tool.mypy]
@@ -67,3 +75,6 @@ warn_redundant_casts = true
 warn_unused_ignores = true
 warn_unused_configs = true
 strict_equality = true
+
+[tool.check-manifest]
+ignore = ["tests/reference/*"]

release.py

@@ -1,18 +1,18 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
-
-import getpass
-import io
-import json
-import os
 import subprocess
-import time
-import zipfile
 
 import click
-import requests
 
 
 def run(*args, **kwargs):
@@ -20,113 +20,14 @@ def run(*args, **kwargs):
     subprocess.check_call(list(args), **kwargs)
 
 
-def wait_for_build_complete_github_actions(session, token, run_url):
-    while True:
-        response = session.get(
-            run_url,
-            headers={
-                "Content-Type": "application/json",
-                "Authorization": f"token {token}",
-            },
-        )
-        response.raise_for_status()
-        if response.json()["conclusion"] is not None:
-            break
-        time.sleep(3)
-
-
-def download_artifacts_github_actions(session, token, run_url):
-    response = session.get(
-        run_url,
-        headers={
-            "Content-Type": "application/json",
-            "Authorization": f"token {token}",
-        },
-    )
-    response.raise_for_status()
-
-    response = session.get(
-        response.json()["artifacts_url"],
-        headers={
-            "Content-Type": "application/json",
-            "Authorization": f"token {token}",
-        },
-    )
-    response.raise_for_status()
-    paths = []
-    for artifact in response.json()["artifacts"]:
-        response = session.get(
-            artifact["archive_download_url"],
-            headers={
-                "Content-Type": "application/json",
-                "Authorization": f"token {token}",
-            },
-        )
-        with zipfile.ZipFile(io.BytesIO(response.content)) as z:
-            for name in z.namelist():
-                if not name.endswith((".whl", ".tar.gz")):
-                    continue
-                p = z.open(name)
-                out_path = os.path.join(
-                    os.path.dirname(__file__),
-                    "dist",
-                    os.path.basename(name),
-                )
-                with open(out_path, "wb") as f:
-                    f.write(p.read())
-                paths.append(out_path)
-    return paths
-
-
-def build_github_actions_sdist_wheels(token, version):
-    session = requests.Session()
-
-    response = session.post(
-        "https://api.github.com/repos/pyca/bcrypt/actions/workflows/"
-        "wheel-builder.yml/dispatches",
-        headers={
-            "Content-Type": "application/json",
-            "Accept": "application/vnd.github.v3+json",
-            "Authorization": f"token {token}",
-        },
-        data=json.dumps({"ref": "main", "inputs": {"version": version}}),
-    )
-    response.raise_for_status()
-
-    # Give it a few seconds for the run to kick off.
-    time.sleep(5)
-    response = session.get(
-        (
-            "https://api.github.com/repos/pyca/bcrypt/actions/workflows/"
-            "wheel-builder.yml/runs?event=workflow_dispatch"
-        ),
-        headers={
-            "Content-Type": "application/json",
-            "Authorization": f"token {token}",
-        },
-    )
-    response.raise_for_status()
-    run_url = response.json()["workflow_runs"][0]["url"]
-    wait_for_build_complete_github_actions(session, token, run_url)
-    return download_artifacts_github_actions(session, token, run_url)
-
-
 @click.command()
 @click.argument("version")
 def release(version):
     """
     ``version`` should be a string like '0.4' or '1.0'.
     """
-    github_token = getpass.getpass("Github person access token: ")
-
     run("git", "tag", "-s", version, "-m", f"{version} release")
-    run("git", "push", "--tags")
-
-    github_actions_paths = build_github_actions_sdist_wheels(
-        github_token, version
-    )
-
-    run("twine", "upload", *github_actions_paths)
+    run("git", "push", "--tags", "git@github.com:pyca/bcrypt.git")
 
 
 if __name__ == "__main__":

setup.py

@@ -1,101 +0,0 @@
-import os
-import platform
-import re
-import shutil
-import subprocess
-import sys
-
-from setuptools import setup
-
-try:
-    from setuptools_rust import RustExtension
-except ImportError:
-    print(
-        """
-        =============================DEBUG ASSISTANCE==========================
-        If you are seeing an error here please try the following to
-        successfully install bcrypt:
-
-        Upgrade to the latest pip and try again. This will fix errors for most
-        users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
-        =============================DEBUG ASSISTANCE==========================
-        """
-    )
-    raise
-
-if platform.python_implementation() == "PyPy":
-    if sys.pypy_version_info < (2, 6):
-        raise RuntimeError(
-            "bcrypt is not compatible with PyPy < 2.6. Please upgrade PyPy to "
-            "use this library."
-        )
-
-
-try:
-    setup(
-        rust_extensions=[
-            RustExtension(
-                "bcrypt._bcrypt",
-                "src/_bcrypt/Cargo.toml",
-                py_limited_api="auto",
-                rust_version=(
-                    ">=1.64.0"
-                    if os.environ.get("BCRYPT_ALLOW_RUST_163", "0") != "0"
-                    else ">=1.63.0"
-                ),
-            ),
-        ],
-    )
-except:
-    # Note: This is a bare exception that re-raises so that we don't interfere
-    # with anything the installation machinery might want to do. Because we
-    # print this for any exception this msg can appear (e.g. in verbose logs)
-    # even if there's no failure. For example, SetupRequirementsError is raised
-    # during PEP517 building and prints this text. setuptools raises SystemExit
-    # when compilation fails right now, but it's possible this isn't stable
-    # or a public API commitment so we'll remain ultra conservative.
-
-    import pkg_resources
-
-    print(
-        """
-    =============================DEBUG ASSISTANCE=============================
-    If you are seeing a compilation error please try the following steps to
-    successfully install bcrypt:
-    1) Upgrade to the latest pip and try again. This will fix errors for most
-       users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
-    2) Ensure you have a recent Rust toolchain installed. bcrypt requires
-       rustc >= 1.64.0. (1.63 may be used by setting the BCRYPT_ALLOW_RUST_163
-       environment variable)
-    """
-    )
-    print(f"    Python: {'.'.join(str(v) for v in sys.version_info[:3])}")
-    print(f"    platform: {platform.platform()}")
-    for dist in ["pip", "setuptools", "setuptools_rust"]:
-        try:
-            version = pkg_resources.get_distribution(dist).version
-        except pkg_resources.DistributionNotFound:
-            version = "n/a"
-        print(f"    {dist}: {version}")
-    version = "n/a"
-    if shutil.which("rustc") is not None:
-        try:
-            # If for any reason `rustc --version` fails, silently ignore it
-            rustc_output = subprocess.run(
-                ["rustc", "--version"],
-                capture_output=True,
-                timeout=0.5,
-                encoding="utf8",
-                check=True,
-            ).stdout
-            version = re.sub("^rustc ", "", rustc_output.strip())
-        except subprocess.SubprocessError:
-            pass
-    print(f"    rustc: {version}")
-
-    print(
-        """\
-    =============================DEBUG ASSISTANCE=============================
-    """
-    )
-    raise

src/_bcrypt/Cargo.lock

@@ -1,24 +1,24 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
-name = "autocfg"
-version = "1.1.0"
+name = "anyhow"
+version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "base64"
-version = "0.21.5"
+version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
 [[package]]
 name = "bcrypt"
-version = "0.15.0"
+version = "0.19.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "28d1c9c15093eb224f0baa400f38fcd713fc1391a6f1c389d886beef146d60a3"
+checksum = "24ae5479c93d3720e4c1dbd6b945b97457c50cb672781104768190371df1a905"
 dependencies = [
  "base64",
  "blowfish",
@@ -29,9 +29,9 @@ dependencies = [
 
 [[package]]
 name = "bcrypt-pbkdf"
-version = "0.10.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6aeac2e1fe888769f34f05ac343bbef98b14d1ffb292ab69d4608b3abc86f2a2"
+checksum = "144e573728da132683b9488acd528274c790e07fc06ff81ee29f9d8f8b1041e0"
 dependencies = [
  "blowfish",
  "pbkdf2",
@@ -52,24 +52,24 @@ dependencies = [
 
 [[package]]
 name = "bitflags"
-version = "1.3.2"
+version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
 
 [[package]]
 name = "block-buffer"
-version = "0.10.4"
+version = "0.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be"
 dependencies = [
- "generic-array",
+ "hybrid-array",
 ]
 
 [[package]]
 name = "blowfish"
-version = "0.9.1"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
+checksum = "62ce3946557b35e71d1bbe07ec385073ce9eda05043f95de134eb578fcf1a298"
 dependencies = [
  "byteorder",
  "cipher",
@@ -83,196 +83,244 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "cfg-if"
-version = "1.0.0"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
 
 [[package]]
 name = "cipher"
-version = "0.4.4"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+checksum = "e34d8227fe1ba289043aeb13792056ff80fd6de1a9f49137a5f499de8e8c78ea"
 dependencies = [
  "crypto-common",
  "inout",
 ]
 
 [[package]]
-name = "cpufeatures"
-version = "0.2.11"
+name = "cmov"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce420fe07aecd3e67c5f910618fe65e94158f6dcc0adf44e00d69ce2bdfe0fd0"
+checksum = "3f88a43d011fc4a6876cb7344703e297c71dda42494fee094d5f7c76bf13f746"
+
+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
 dependencies = [
  "libc",
 ]
 
 [[package]]
 name = "crypto-common"
-version = "0.1.6"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+checksum = "77727bb15fa921304124b128af125e7e3b968275d1b108b379190264f4423710"
 dependencies = [
- "generic-array",
- "typenum",
+ "hybrid-array",
+]
+
+[[package]]
+name = "ctutils"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d5515a3834141de9eafb9717ad39eea8247b5674e6066c404e8c4b365d2a29e"
+dependencies = [
+ "cmov",
 ]
 
 [[package]]
 name = "digest"
-version = "0.10.7"
+version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2"
 dependencies = [
  "block-buffer",
  "crypto-common",
- "subtle",
+ "ctutils",
 ]
 
 [[package]]
-name = "generic-array"
-version = "0.14.7"
+name = "equivalent"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
-dependencies = [
- "typenum",
- "version_check",
-]
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 
 [[package]]
 name = "getrandom"
-version = "0.2.11"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe9006bed769170c11f845cf00c7c1e9092aeb3f268e007c3e760ac68008070f"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
 dependencies = [
  "cfg-if",
  "libc",
- "wasi",
+ "r-efi",
+ "wasip2",
+ "wasip3",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+
 [[package]]
 name = "heck"
-version = "0.4.1"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
 [[package]]
-name = "indoc"
-version = "2.0.4"
+name = "hybrid-array"
+version = "0.4.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8"
+checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da"
+dependencies = [
+ "typenum",
+]
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "indexmap"
+version = "2.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.17.0",
+ "serde",
+ "serde_core",
+]
 
 [[package]]
 name = "inout"
-version = "0.1.3"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+checksum = "4250ce6452e92010fdf7268ccc5d14faa80bb12fc741938534c58f16804e03c7"
 dependencies = [
- "generic-array",
+ "hybrid-array",
 ]
 
+[[package]]
+name = "itoa"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
 [[package]]
 name = "libc"
-version = "0.2.151"
+version = "0.2.186"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4"
+checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
 
 [[package]]
-name = "lock_api"
-version = "0.4.11"
+name = "log"
+version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
-dependencies = [
- "autocfg",
- "scopeguard",
-]
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
-name = "memoffset"
-version = "0.9.0"
+name = "memchr"
+version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a634b1c61a95585bd15607c6ab0c4e5b226e695ff2800ba0cdccddf208c406c"
-dependencies = [
- "autocfg",
-]
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "once_cell"
-version = "1.19.0"
+version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
-
-[[package]]
-name = "parking_lot"
-version = "0.12.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
-dependencies = [
- "lock_api",
- "parking_lot_core",
-]
-
-[[package]]
-name = "parking_lot_core"
-version = "0.9.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e"
-dependencies = [
- "cfg-if",
- "libc",
- "redox_syscall",
- "smallvec",
- "windows-targets",
-]
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 
 [[package]]
 name = "pbkdf2"
-version = "0.12.2"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2"
+checksum = "112d82ceb8c5bf524d9af484d4e4970c9fd5a0cc15ba14ad93dccd28873b0629"
 dependencies = [
  "digest",
 ]
 
 [[package]]
-name = "proc-macro2"
-version = "1.0.70"
+name = "portable-atomic"
+version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39278fbbf5fb4f646ce651690877f89d1c5811a3d4acb27700c1cb3cdb78fd3b"
+checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
 dependencies = [
  "unicode-ident",
 ]
 
 [[package]]
 name = "pyo3"
-version = "0.20.0"
+version = "0.28.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04e8453b658fe480c3e70c8ed4e3d3ec33eb74988bd186561b0cc66b85c3bc4b"
+checksum = "91fd8e38a3b50ed1167fb981cd6fd60147e091784c427b8f7183a7ee32c31c12"
 dependencies = [
- "cfg-if",
- "indoc",
  "libc",
- "memoffset",
- "parking_lot",
+ "once_cell",
+ "portable-atomic",
  "pyo3-build-config",
  "pyo3-ffi",
  "pyo3-macros",
- "unindent",
 ]
 
 [[package]]
 name = "pyo3-build-config"
-version = "0.20.0"
+version = "0.28.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a96fe70b176a89cff78f2fa7b3c930081e163d5379b4dcdf993e3ae29ca662e5"
+checksum = "e368e7ddfdeb98c9bca7f8383be1648fd84ab466bf2bc015e94008db6d35611e"
 dependencies = [
- "once_cell",
  "target-lexicon",
 ]
 
 [[package]]
 name = "pyo3-ffi"
-version = "0.20.0"
+version = "0.28.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "214929900fd25e6604661ed9cf349727c8920d47deff196c4e28165a6ef2a96b"
+checksum = "7f29e10af80b1f7ccaf7f69eace800a03ecd13e883acfacc1e5d0988605f651e"
 dependencies = [
  "libc",
  "pyo3-build-config",
@@ -280,9 +328,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros"
-version = "0.20.0"
+version = "0.28.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dac53072f717aa1bfa4db832b39de8c875b7c7af4f4a6fe93cdbf9264cf8383b"
+checksum = "df6e520eff47c45997d2fc7dd8214b25dd1310918bbb2642156ef66a67f29813"
 dependencies = [
  "proc-macro2",
  "pyo3-macros-backend",
@@ -292,68 +340,102 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros-backend"
-version = "0.20.0"
+version = "0.28.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7774b5a8282bd4f25f803b1f0d945120be959a36c72e08e7cd031c792fdfd424"
+checksum = "c4cdc218d835738f81c2338f822078af45b4afdf8b2e33cbb5916f108b813acb"
 dependencies = [
  "heck",
  "proc-macro2",
+ "pyo3-build-config",
  "quote",
  "syn",
 ]
 
 [[package]]
 name = "quote"
-version = "1.0.33"
+version = "1.0.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
 dependencies = [
  "proc-macro2",
 ]
 
 [[package]]
-name = "redox_syscall"
-version = "0.4.1"
+name = "r-efi"
+version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "semver"
+version = "1.0.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 dependencies = [
- "bitflags",
+ "serde_core",
 ]
 
 [[package]]
-name = "scopeguard"
-version = "1.2.0"
+name = "serde_core"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
 
 [[package]]
 name = "sha2"
-version = "0.10.8"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
 dependencies = [
  "cfg-if",
  "cpufeatures",
  "digest",
 ]
 
-[[package]]
-name = "smallvec"
-version = "1.11.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970"
-
 [[package]]
 name = "subtle"
-version = "2.5.0"
+version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.41"
+version = "2.0.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44c8b28c477cc3bf0e7966561e3460130e1255f7a1cf71931075f1c5e7a7e269"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -362,99 +444,182 @@ dependencies = [
 
 [[package]]
 name = "target-lexicon"
-version = "0.12.12"
+version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a"
+checksum = "adb6935a6f5c20170eeceb1a3835a49e12e19d792f6dd344ccc76a985ca5a6ca"
 
 [[package]]
 name = "typenum"
-version = "1.17.0"
+version = "1.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.12"
+version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 
 [[package]]
-name = "unindent"
-version = "0.2.3"
+name = "unicode-xid"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7de7d73e1754487cb58364ee906a499937a0dfabd86bcb980fa99ec8c8fa2ce"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 
 [[package]]
-name = "version_check"
-version = "0.9.4"
+name = "wasip2"
+version = "1.0.1+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
-
-[[package]]
-name = "wasi"
-version = "0.11.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
-
-[[package]]
-name = "windows-targets"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7"
 dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "wit-bindgen 0.46.0",
 ]
 
 [[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.48.5"
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen 0.51.0",
+]
 
 [[package]]
-name = "windows_aarch64_msvc"
-version = "0.48.5"
+name = "wasm-encoder"
+version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
 
 [[package]]
-name = "windows_i686_gnu"
-version = "0.48.5"
+name = "wasm-metadata"
+version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
 
 [[package]]
-name = "windows_i686_msvc"
-version = "0.48.5"
+name = "wasmparser"
+version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
 
 [[package]]
-name = "windows_x86_64_gnu"
-version = "0.48.5"
+name = "wit-bindgen"
+version = "0.46.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"
 
 [[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.48.5"
+name = "wit-bindgen"
+version = "0.51.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
 
 [[package]]
-name = "windows_x86_64_msvc"
-version = "0.48.5"
+name = "wit-bindgen-core"
+version = "0.51.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
 
 [[package]]
 name = "zeroize"
-version = "1.7.0"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"

src/_bcrypt/Cargo.toml

@@ -2,16 +2,18 @@
 name = "bcrypt-rust"
 version = "0.1.0"
 authors = ["The bcrypt developers <cryptography-dev@python.org>"]
-edition = "2018"
+edition = "2024"
+# This specifies the MSRV
+rust-version = "1.85"
 publish = false
 
 [dependencies]
-pyo3 = { version = "0.20.0", features = ["abi3"] }
-bcrypt = "0.15"
-bcrypt-pbkdf = "0.10.0"
-base64 = "0.21.5"
-subtle = "2.5"
-getrandom = "0.2"
+pyo3 = { version = "0.28", features = ["abi3"] }
+bcrypt = "0.19.1"
+bcrypt-pbkdf = "0.11.0"
+base64 = "0.22.1"
+subtle = "2.6"
+getrandom = "0.4"
 
 [features]
 extension-module = ["pyo3/extension-module"]

src/_bcrypt/src/lib.rs

@@ -1,12 +1,22 @@
-// This file is dual licensed under the terms of the Apache License, Version
-// 2.0, and the BSD License. See the LICENSE file in the root of this repository
-// for complete details.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #![deny(rust_2018_idioms)]
 
 use base64::Engine;
+use pyo3::types::PyBytesMethods;
 use pyo3::PyTypeInfo;
 use std::convert::TryInto;
+use std::ffi::CString;
 use std::io::Write;
 use subtle::ConstantTimeEq;
 
@@ -15,13 +25,13 @@ pub const BASE64_ENGINE: base64::engine::GeneralPurpose = base64::engine::Genera
     base64::engine::general_purpose::NO_PAD,
 );
 
-#[pyo3::prelude::pyfunction]
+#[pyo3::pyfunction]
+#[pyo3(signature = (rounds=12, prefix=None), text_signature = "(rounds=12, prefix=b'2b')")]
 fn gensalt<'p>(
     py: pyo3::Python<'p>,
-    rounds: Option<u16>,
+    rounds: u16,
     prefix: Option<&[u8]>,
-) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
-    let rounds = rounds.unwrap_or(12);
+) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     let prefix = prefix.unwrap_or(b"2b");
 
     if prefix != b"2a" && prefix != b"2b" {
@@ -35,7 +45,7 @@ fn gensalt<'p>(
     }
 
     let mut salt = [0; 16];
-    getrandom::getrandom(&mut salt).unwrap();
+    getrandom::fill(&mut salt).unwrap();
 
     let encoded_salt = BASE64_ENGINE.encode(salt);
 
@@ -55,31 +65,42 @@ fn gensalt<'p>(
     )
 }
 
-#[pyo3::prelude::pyfunction]
+#[pyo3::pyfunction]
 fn hashpw<'p>(
     py: pyo3::Python<'p>,
     password: &[u8],
     salt: &[u8],
-) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
+) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     // bcrypt originally suffered from a wraparound bug:
     // http://www.openwall.com/lists/oss-security/2012/01/02/4
     // This bug was corrected in the OpenBSD source by truncating inputs to 72
     // bytes on the updated prefix $2b$, but leaving $2a$ unchanged for
     // compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs
     // on $2a$, so we do it here to preserve compatibility with 2.0.0
-    let password = &password[..password.len().min(72)];
+    // Silent truncation is _probably_ not the best idea, even if the "original"
+    // OpenBSD implementation did/does this.
+    // We prefer to raise a ValueError in this case - if the user _wants_ to truncate,
+    // they can always do so manually by passing s[:72] instead of s into hashpw().
+
+    if password.len() > 72 {
+        return Err(pyo3::exceptions::PyValueError::new_err(
+            "password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])",
+        ));
+    }
 
     // salt here is not just the salt bytes, but rather an encoded value
     // containing a version number, number of rounds, and the salt.
     // Should be [prefix, cost, hash]. This logic is copied from `bcrypt`
-    let raw_parts: Vec<_> = salt
-        .split(|&b| b == b'$')
-        .filter(|s| !s.is_empty())
-        .collect();
-    if raw_parts.len() != 3 {
-        return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
+    let invalid_salt = || pyo3::exceptions::PyValueError::new_err("Invalid salt");
+    let mut parts = salt.split(|&b| b == b'$').filter(|s| !s.is_empty());
+    let raw_version = parts.next().ok_or_else(invalid_salt)?;
+    let raw_cost = parts.next().ok_or_else(invalid_salt)?;
+    let remainder = parts.next().ok_or_else(invalid_salt)?;
+    if parts.next().is_some() {
+        return Err(invalid_salt());
     }
-    let version = match raw_parts[0] {
+
+    let version = match raw_version {
         b"2y" => bcrypt::Version::TwoY,
         b"2b" => bcrypt::Version::TwoB,
         b"2a" => bcrypt::Version::TwoA,
@@ -88,21 +109,26 @@ fn hashpw<'p>(
             return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
         }
     };
-    let cost = std::str::from_utf8(raw_parts[1])
+    let cost = std::str::from_utf8(raw_cost)
         .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?
         .parse::<u32>()
         .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
+
+    if remainder.len() < 22 {
+        return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
+    }
+
     // The last component can contain either just the salt, or the salt and
     // the result hash, depending on if the `salt` value come from `hashpw` or
     // `gensalt`.
     let raw_salt = BASE64_ENGINE
-        .decode(&raw_parts[2][..22])
+        .decode(&remainder[..22])
         .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?
         .try_into()
         .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
 
     let hashed = py
-        .allow_threads(|| bcrypt::hash_with_salt(password, cost, raw_salt))
+        .detach(|| bcrypt::hash_with_salt(password, cost, raw_salt))
         .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
     Ok(pyo3::types::PyBytes::new(
         py,
@@ -110,29 +136,24 @@ fn hashpw<'p>(
     ))
 }
 
-#[pyo3::prelude::pyfunction]
-fn checkpw(
-    py: pyo3::Python<'_>,
-    password: &[u8],
-    hashed_password: &[u8],
-) -> pyo3::PyResult<bool> {
+#[pyo3::pyfunction]
+fn checkpw(py: pyo3::Python<'_>, password: &[u8], hashed_password: &[u8]) -> pyo3::PyResult<bool> {
     Ok(hashpw(py, password, hashed_password)?
         .as_bytes()
         .ct_eq(hashed_password)
         .into())
 }
 
-#[pyo3::prelude::pyfunction]
+#[pyo3::pyfunction]
+#[pyo3(signature = (password, salt, desired_key_bytes, rounds, ignore_few_rounds=false))]
 fn kdf<'p>(
     py: pyo3::Python<'p>,
     password: &[u8],
     salt: &[u8],
     desired_key_bytes: usize,
     rounds: u32,
-    ignore_few_rounds: Option<bool>,
-) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
-    let ignore_few_rounds = ignore_few_rounds.unwrap_or(false);
-
+    ignore_few_rounds: bool,
+) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     if password.is_empty() || salt.is_empty() {
         return Err(pyo3::exceptions::PyValueError::new_err(
             "password and salt must not be empty",
@@ -157,42 +178,49 @@ fn kdf<'p>(
         // were bcrypt). Emit a warning.
         pyo3::PyErr::warn(
             py,
-            pyo3::exceptions::PyUserWarning::type_object(py),
-            &format!("Warning: bcrypt.kdf() called with only {rounds} round(s). This few is not secure: the parameter is linear, like PBKDF2."),
+            &pyo3::exceptions::PyUserWarning::type_object(py),
+            &CString::new(format!("Warning: bcrypt.kdf() called with only {rounds} round(s). This few is not secure: the parameter is linear, like PBKDF2.")).unwrap(),
             3
         )?;
     }
 
     pyo3::types::PyBytes::new_with(py, desired_key_bytes, |output| {
-        py.allow_threads(|| {
+        py.detach(|| {
             bcrypt_pbkdf::bcrypt_pbkdf(password, salt, rounds, output).unwrap();
         });
         Ok(())
     })
 }
 
-#[pyo3::prelude::pymodule]
-fn _bcrypt(_py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> {
-    m.add_function(pyo3::wrap_pyfunction!(gensalt, m)?)?;
-    m.add_function(pyo3::wrap_pyfunction!(hashpw, m)?)?;
-    m.add_function(pyo3::wrap_pyfunction!(checkpw, m)?)?;
-    m.add_function(pyo3::wrap_pyfunction!(kdf, m)?)?;
+#[pyo3::pymodule(gil_used = false)]
+mod _bcrypt {
+    use pyo3::types::PyModuleMethods;
 
-    m.add("__title__", "bcrypt")?;
-    m.add("__summary__", "Modern(-ish) password hashing for your software and your servers")?;
-    m.add("__uri__", "https://github.com/pyca/bcrypt/")?;
+    #[pymodule_export]
+    use super::{checkpw, gensalt, hashpw, kdf};
 
-    // When updating this, also update pyproject.toml
-    // This isn't named __version__ because passlib treats the existence of
-    // that attribute as proof that we're a different module
-    m.add("__version_ex__", "4.1.2")?;
+    // Not yet possible to add constants declaratively.
+    #[pymodule_init]
+    fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> {
+        m.add("__title__", "bcrypt")?;
+        m.add(
+            "__summary__",
+            "Modern(-ish) password hashing for your software and your servers",
+        )?;
+        m.add("__uri__", "https://github.com/pyca/bcrypt/")?;
 
-    let author = "The Python Cryptographic Authority developers";
-    m.add("__author__", author)?;
-    m.add("__email__", "cryptography-dev@python.org")?;
+        // When updating this, also update pyproject.toml
+        // This isn't named __version__ because passlib treats the existence of
+        // that attribute as proof that we're a different module
+        m.add("__version_ex__", "5.0.0")?;
 
-    m.add("__license__", "Apache License, Version 2.0")?;
-    m.add("__copyright__", format!("Copyright 2013-2023 {author}"))?;
+        let author = "The Python Cryptographic Authority developers";
+        m.add("__author__", author)?;
+        m.add("__email__", "cryptography-dev@python.org")?;
 
-    Ok(())
+        m.add("__license__", "Apache License, Version 2.0")?;
+        m.add("__copyright__", format!("Copyright 2013-2025 {author}"))?;
+
+        Ok(())
+    }
 }

src/bcrypt/__init__.py

@@ -28,16 +28,16 @@ from ._bcrypt import (
 )
 
 __all__ = [
-    "gensalt",
-    "hashpw",
-    "checkpw",
-    "kdf",
-    "__title__",
-    "__summary__",
-    "__uri__",
-    "__version__",
     "__author__",
+    "__copyright__",
     "__email__",
     "__license__",
-    "__copyright__",
+    "__summary__",
+    "__title__",
+    "__uri__",
+    "__version__",
+    "checkpw",
+    "gensalt",
+    "hashpw",
+    "kdf",
 ]

tests/reference/Makefile

@@ -1,4 +0,0 @@
-.PHONY: all
-
-all:
-	go build -v ./bcrypt_reference.go

tests/reference/bcrypt_reference.go

@@ -1,35 +0,0 @@
-package main
-
-import (
-	"io"
-	"os"
-	"strconv"
-
-	"golang.org/x/crypto/bcrypt"
-)
-
-// provides access to the golang implementation of bcrypt, for reference:
-// "password" to hash is provided on stdin, cost parameter is an optional
-// command-line parameter
-
-func main() {
-	cost := bcrypt.MinCost
-	if len(os.Args) > 1 {
-		if parsed, err := strconv.Atoi(os.Args[1]); err == nil {
-			cost = parsed
-		}
-	}
-
-	buf, err := io.ReadAll(os.Stdin)
-	if err != nil {
-		panic(err)
-	}
-
-	out, err := bcrypt.GenerateFromPassword(buf, cost)
-	if err != nil {
-		panic(err)
-	}
-
-	os.Stdout.Write(out)
-	os.Stdout.Write([]byte("\n"))
-}

tests/reference/go.mod

@@ -1,5 +0,0 @@
-module github.com/pyca/bcrypt
-
-go 1.17
-
-require golang.org/x/crypto v0.6.0

tests/reference/go.sum

@@ -1,29 +0,0 @@
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

tests/test_bcrypt.py

@@ -1,3 +1,6 @@
+import uuid
+from concurrent.futures import ThreadPoolExecutor
+
 import pytest
 
 import bcrypt
@@ -118,24 +121,6 @@ _test_vectors = [
         b"$2a$05$XXXXXXXXXXXXXXXXXXXXXO",
         b"$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a",
     ),
-    (
-        b"0123456789abcdefghijklmnopqrstuvwxyz"
-        b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-        b"chars after 72 are ignored",
-        b"$2a$05$abcdefghijklmnopqrstuu",
-        b"$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui",
-    ),
-    (
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-        b"chars after 72 are ignored as usual",
-        b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.",
-        b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6",
-    ),
     (
         b"\xa3",
         b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.",
@@ -171,7 +156,7 @@ _2y_test_vectors = [
 ]
 
 
-def test_gensalt_basic(monkeypatch):
+def test_gensalt_basic():
     salt = bcrypt.gensalt()
     assert salt.startswith(b"$2b$12$")
 
@@ -219,7 +204,7 @@ def test_gensalt_bad_prefix():
         bcrypt.gensalt(prefix=b"bad")
 
 
-def test_gensalt_2a_prefix(monkeypatch):
+def test_gensalt_2a_prefix():
     salt = bcrypt.gensalt(prefix=b"2a")
     assert salt.startswith(b"$2a$12$")
 
@@ -249,6 +234,25 @@ def test_checkpw_2y_prefix(password, hashed, expected):
     assert bcrypt.checkpw(password, hashed) is True
 
 
+@pytest.mark.parametrize(
+    ("pw_length", "should_raise"),
+    [
+        (71, False),
+        (72, False),
+        (73, True),
+    ],
+)
+def test_hashpw_raises_correctly_for_long_passwords(pw_length, should_raise):
+    password = b"\xaa" * pw_length
+    salt = b"$2b$04$xnFVhJsTzsFBTeP3PpgbMe"
+
+    if should_raise:
+        with pytest.raises(ValueError):
+            bcrypt.hashpw(password, salt)
+    else:
+        bcrypt.hashpw(password, salt)
+
+
 def test_hashpw_invalid():
     with pytest.raises(ValueError):
         bcrypt.hashpw(b"password", b"$2z$04$cVWp4XaNU8a4v1uMRum2SO")
@@ -275,6 +279,8 @@ def test_checkpw_bad_salt():
             b"password",
             b"$2b$3$mdEQPMOtfPX.WGZNXgF66OhmBlOGKEd66SQ7DyJPGucYYmvTJYviy",
         )
+    with pytest.raises(ValueError):
+        bcrypt.checkpw(b"password", b"$2b$12$incorrect")
 
 
 def test_checkpw_str_password():
@@ -485,10 +491,22 @@ def test_invalid_params(password, salt, desired_key_bytes, rounds, error):
         bcrypt.kdf(password, salt, desired_key_bytes, rounds)
 
 
-def test_2a_wraparound_bug():
-    assert (
-        bcrypt.hashpw(
-            (b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16."
-        )
-        == b"$2a$04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi"
-    )
+def test_multithreading():
+    def create_user(pw):
+        salt = bcrypt.gensalt(4)
+        hash_ = bcrypt.hashpw(pw, salt)
+        key = bcrypt.kdf(pw, salt, 32, 50)
+        assert bcrypt.checkpw(pw, hash_)
+        return (salt, hash_, key)
+
+    user_creator = ThreadPoolExecutor(max_workers=4)
+    pws = [uuid.uuid4().bytes for _ in range(50)]
+
+    futures = [user_creator.submit(create_user, pw) for pw in pws]
+
+    users = [future.result() for future in futures]
+
+    for pw, (salt, hash_, key) in zip(pws, users):
+        assert bcrypt.hashpw(pw, salt) == hash_
+        assert bcrypt.checkpw(pw, hash_)
+        assert bcrypt.kdf(pw, salt, 32, 50) == key

tox.ini

@@ -1,43 +0,0 @@
-[tox]
-isolated_build = True
-
-[testenv]
-extras =
-    tests
-deps =
-    coverage
-passenv =
-    RUSTUP_HOME
-commands =
-    coverage run -m pytest --strict-markers {posargs}
-    coverage combine
-    coverage report -m --fail-under 100
-
-[testenv:pep8]
-deps =
-    ruff
-commands =
-    ruff .
-    ruff format --check .
-
-[testenv:mypy]
-extras =
-    tests
-deps =
-    mypy
-commands =
-    mypy tests/
-
-[testenv:packaging]
-deps =
-    setuptools-rust
-    check-manifest
-    readme_renderer
-commands =
-    check-manifest
-    python setup.py check --metadata --restructuredtext --strict
-
-
-[check-manifest]
-ignore =
-    tests/reference/*