From c0542e2accbda302e5bb12a09fa6049bee50feef Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Nov 2013 10:15:00 -0800 Subject: Include all the requirements in the dev-requirements, even those which will be installed by `pip install .` --- AUTHORS.rst | 1 - dev-requirements.txt | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/AUTHORS.rst b/AUTHORS.rst index b3b7f35d..0ef9958d 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -10,4 +10,3 @@ PGP key fingerprints are enclosed in parentheses. * Christian Heimes * Paul Kehrer * Jarret Raim - diff --git a/dev-requirements.txt b/dev-requirements.txt index 752517dd..73b876f2 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -4,3 +4,5 @@ pytest coverage sphinx tox +cffi +six -- cgit v1.2.3 From ab5f0116a2fc906b854b0593675492ec5e406a3d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Nov 2013 10:34:00 -0800 Subject: Be more and more explicit about how to do things correctly --- docs/hazmat/primitives/cryptographic-hashes.rst | 7 ++++--- docs/hazmat/primitives/symmetric-encryption.rst | 23 +++++++++++++++++------ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 76ca20c0..20fa23cf 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -12,9 +12,9 @@ Message Digests results (with a high probability) in different digests. This is an implementation of - :class:`cryptography.hazmat.primitives.interfaces.HashContext` meant to + :class:`~cryptography.hazmat.primitives.interfaces.HashContext` meant to be used with - :class:`cryptography.hazmat.primitives.interfaces.HashAlgorithm` + :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` implementations to provide an incremental interface to calculating various message digests. 
@@ -102,7 +102,8 @@ MD5 .. warning:: MD5 is a deprecated hash algorithm that has practical known collision - attacks. You are strongly discouraged from using it. + attacks. You are strongly discouraged from using it. Existing applications + should strongly consider moving away. .. class:: MD5() diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 5f1a64a1..5542e832 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -14,13 +14,22 @@ Symmetric Encryption Symmetric encryption is a way to encrypt (hide the plaintext value) material -where the encrypter and decrypter both use the same key. +where the encrypter and decrypter both use the same key. Note that symmetric +encryption is **not** sufficient for most applications, because it only +provides secrecy (an attacker can't see the message) but not authenticity (an +attacker can create bogus messages and force the application to decrypt them). +For this reason it is *strongly* reccomended to combine encryption with a +message authentication code, such as :doc:`HMAC `, in +an "encrypt-then-MAC" formulation as `described by Colin Percival`_. .. class:: Cipher(algorithm, mode) - Cipher objects combine an algorithm (such as AES) with a mode (such as - CBC, CTR, or GCM). A simple example of encrypting (and then decrypting) - content with AES is: + Cipher objects combine an algorithm (such as + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES`) with a + mode (such as + :class:`~cryptography.hazmat.primitives.ciphers.modes.CBC` or + :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR`). A simple + example of encrypting (and then decrypting) content with AES is: .. doctest:: 
@@ -143,8 +152,7 @@ Weak Ciphers Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended - that users of Blowfish move to newer algorithms like - :class:`AES`. + that users of Blowfish move to newer algorithms, such as :class:`AES`. :param bytes key: The secret key, 32-448 bits in length (in increments of 8). This must be kept secret. @@ -252,3 +260,6 @@ Insecure Modes ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, and thus result in information leakage + + +.. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html -- cgit v1.2.3 From 27283cfa4300162f6a7a667364acab781c49710f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Nov 2013 10:49:22 -0800 Subject: Try to use the sphinx rtd theme locally if it's installed --- docs/conf.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index 69be32e9..77050e72 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -14,6 +14,12 @@ import os import sys +try: + import sphinx_rtd_theme +except ImportError: + sphinx_rtd_theme = None + + # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. 
@@ -98,16 +104,18 @@ pygments_style = 'sphinx'
 # The theme to use for HTML and HTML Help pages. See the documentation for
 # a list of builtin themes.
-html_theme = 'default'
+
+if sphinx_rtd_theme:
+ html_theme = "sphinx_rtd_theme"
+ html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+else:
+ html_theme = "default"
 # Theme options are theme-specific and customize the look and feel of a theme
 # further. For a list of options available for each theme, see the
 # documentation.
 #html_theme_options = {}
-# Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
-
 # The name for this set of Sphinx documents. If None, it defaults to
 # " v documentation".
 #html_title = None
-- cgit v1.2.3
From e29acd11b4d226dee1ee88bdd34ca72d4500b065 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 8 Nov 2013 11:08:32 -0800
Subject: Put the theme in dev-requirements
---
 dev-requirements.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 752517dd..8e9a4ab0 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -4,3 +4,4 @@ pytest
 coverage
 sphinx
 tox
+sphinx_rtd_theme
-- cgit v1.2.3
From 2ff5352312b0355837d5059927d4abc36c10d6c6 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 8 Nov 2013 11:24:48 -0800
Subject: Do this another way
---
 dev-requirements.txt | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 73b876f2..66f46d83 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -4,5 +4,4 @@ pytest
 coverage
 sphinx
 tox
-cffi
-six
+-e .
-- cgit v1.2.3
From 13ec4799e47b5180d397e2f5028005c58e8e93be Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 8 Nov 2013 14:09:21 -0800
Subject: Include in tox.ini
---
 tox.ini | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tox.ini b/tox.ini
index dab22a6d..257275ce 100644
--- a/tox.ini
+++ b/tox.ini
@@ -11,7 +11,9 @@ commands =
 coverage report -m
 [testenv:docs]
-deps = sphinx
+deps =
+ sphinx
+ sphinx_rtd_theme
 basepython = python2.7
 commands =
 sphinx-build -W -b html -d {envtmpdir}/doctrees docs docs/_build/html
-- cgit v1.2.3
From 715e85f3f39a2b8f50ae810ba86d64af30e13c56 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 9 Nov 2013 06:45:00 -0800
Subject: Fixed two bugs in the PKCS7 padding where unpadding would accept bad inputs.
---
 cryptography/hazmat/primitives/padding.py | 4 ++--
 tests/hazmat/primitives/test_padding.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py
index ddcadd89..eac18c2a 100644
--- a/cryptography/hazmat/primitives/padding.py
+++ b/cryptography/hazmat/primitives/padding.py
@@ -101,12 +101,12 @@ class _PKCS7UnpaddingContext(object):
 if self._buffer is None:
 raise ValueError("Context was already finalized")
- if not self._buffer:
+ if len(self._buffer) != self.block_size // 8:
 raise ValueError("Invalid padding bytes")
 pad_size = six.indexbytes(self._buffer, -1)
- if pad_size > self.block_size // 8:
+ if not (0 < pad_size <= self.block_size // 8):
 raise ValueError("Invalid padding bytes")
 mismatch = 0
diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py
index 3cefafaf..6a2b6243 100644
--- a/tests/hazmat/primitives/test_padding.py
+++ b/tests/hazmat/primitives/test_padding.py
@@ -29,6 +29,8 @@ class TestPKCS7(object):
 (128, b"1111111111111111"),
 (128, b"111111111111111\x06"),
 (128, b""),
+ (128, b"\x06" * 6),
+ (128, b"\x00" * 16),
 ])
 def test_invalid_padding(self, size, padded):
 unpadder = padding.PKCS7(size).unpadder()
-- cgit v1.2.3
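Review bot: In the padding.py hunk, the new range check `if not (0 < pad_size <= self.block_size // 8):` raises before the `mismatch` accumulation that follows, so the amount of work done depends on the value of the last decrypted byte. The enclosing method starts and ends outside the hunk, so the comparison loop is not visible here, but `mismatch = 0` suggests the byte comparison is meant to avoid data-dependent early exits; if so, this early raise partly undoes that. Both failure paths already share the "Invalid padding bytes" message, which keeps the error text from distinguishing them. I would record the remaining assumption directly above the check: `# pad_size comes from decrypted data and this early raise is not constant-time; callers must verify a MAC over the ciphertext before unpadding.`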