Final polish on removing backends from places they aren't required

src/cryptography/fernet.py

@@ -12,8 +12,6 @@
 
 from cryptography import utils
 from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.backends import _get_backend
-from cryptography.hazmat.backends.interfaces import Backend
 from cryptography.hazmat.primitives import hashes, padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.hazmat.primitives.hmac import HMAC
@@ -30,10 +28,8 @@ class Fernet(object):
     def __init__(
         self,
         key: typing.Union[bytes, str],
-        backend: typing.Optional[Backend] = None,
+        backend: typing.Any = None,
     ):
-        backend = _get_backend(backend)
-
         key = base64.urlsafe_b64decode(key)
         if len(key) != 32:
             raise ValueError(
@@ -42,7 +38,6 @@ def __init__(
 
         self._signing_key = key[:16]
         self._encryption_key = key[16:]
-        self._backend = backend
 
     @classmethod
     def generate_key(cls) -> bytes:
@@ -63,15 +58,16 @@ def _encrypt_from_parts(
         padder = padding.PKCS7(algorithms.AES.block_size).padder()
         padded_data = padder.update(data) + padder.finalize()
         encryptor = Cipher(
-            algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
+            algorithms.AES(self._encryption_key),
+            modes.CBC(iv),
         ).encryptor()
         ciphertext = encryptor.update(padded_data) + encryptor.finalize()
 
         basic_parts = (
             b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext
         )
 
-        h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
+        h = HMAC(self._signing_key, hashes.SHA256())
         h.update(basic_parts)
         hmac = h.finalize()
         return base64.urlsafe_b64encode(basic_parts + hmac)
@@ -118,7 +114,7 @@ def _get_unverified_token_data(token: bytes) -> typing.Tuple[int, bytes]:
         return timestamp, data
 
     def _verify_signature(self, data: bytes) -> None:
-        h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
+        h = HMAC(self._signing_key, hashes.SHA256())
         h.update(data[:-32])
         try:
             h.verify(data[-32:])
@@ -144,7 +140,7 @@ def _decrypt_data(
         iv = data[9:25]
         ciphertext = data[25:-32]
         decryptor = Cipher(
-            algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
+            algorithms.AES(self._encryption_key), modes.CBC(iv)
         ).decryptor()
         plaintext_padded = decryptor.update(ciphertext)
         try:

src/cryptography/hazmat/backends/__init__.py

@@ -2,26 +2,10 @@
 # 2.0, and the BSD License. See the LICENSE file in the root of this repository
 # for complete details.
 
-import typing
-
 from cryptography.hazmat.backends.interfaces import Backend
 
-_default_backend: typing.Optional[Backend] = None
-
 
 def default_backend() -> Backend:
-    global _default_backend
-
-    if _default_backend is None:
-        from cryptography.hazmat.backends.openssl.backend import backend
-
-        _default_backend = backend
-
-    return _default_backend
-
+    from cryptography.hazmat.backends.openssl.backend import backend
 
-def _get_backend(backend: typing.Optional[Backend]) -> Backend:
-    if backend is None:
-        return default_backend()
-    else:
-        return backend
+    return backend

tests/hazmat/backends/test_openssl.py

@@ -13,6 +13,7 @@
 
 from cryptography import utils, x509
 from cryptography.exceptions import InternalError, _Reasons
+from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.backends.openssl.backend import backend
 from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve
 from cryptography.hazmat.primitives import hashes, serialization
@@ -58,6 +59,9 @@ class TestOpenSSL(object):
     def test_backend_exists(self):
         assert backend
 
+    def test_is_default_backend(self):
+        assert backend is default_backend()
+
     def test_openssl_version_text(self):
         """
         This test checks the value of OPENSSL_VERSION_TEXT.

tests/test_fernet.py

@@ -16,7 +16,6 @@
 import pytest
 
 from cryptography.fernet import Fernet, InvalidToken, MultiFernet
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import algorithms, modes
 
 import cryptography_vectors
@@ -33,11 +32,6 @@ def json_parametrize(keys, filename):
         )
 
 
-def test_default_backend():
-    f = Fernet(Fernet.generate_key())
-    assert f._backend is default_backend()
-
-
 @pytest.mark.supported(
     only_if=lambda backend: backend.cipher_supported(
         algorithms.AES(b"\x00" * 32), modes.CBC(b"\x00" * 16)