0.14.0

@cpu released this 12 Sep 15:44
· 127 commits to main since this release

This release updates to Rustls 0.23.13 and changes the rustls-ffi API to allow choosing a cryptography provider to use with Rustls. See the Rustls CryptoProvider documentation for more information on this model.

The default provider has been changed to match the Rustls default, aws-lc-rs. Users that wish to continue using *ring* as the provider may opt in. See the README for more detail on supported platforms and build requirements.

Added

  • A new rustls_crypto_provider type has been added to represent rustls::CryptoProvider instances.

    • The current process-wide default crypto provider (if any) can be retrieved with rustls_crypto_provider_default().
    • If rustls-ffi was built with aws-lc-rs (DEFINE_AWS_LC_RS is true), then rustls_aws_lc_rs_crypto_provider() can be used to retrieve the aws-lc-rs provider.
    • If rustls-ffi was built with ring (DEFINE_RING is true), then rustls_ring_crypto_provider() can be used to retrieve the *ring* provider.
    • Ciphersuites supported by a specific rustls_crypto_provider can be retrieved with rustls_crypto_provider_ciphersuites_len() and rustls_crypto_provider_ciphersuites_get().
    • Ciphersuites supported by the current process-wide default crypto provider (if any) can be retrieved with rustls_default_crypto_provider_ciphersuites_len() and rustls_default_crypto_provider_ciphersuites_get().
    • A buffer can be filled with cryptographically secure random data from a specific rustls_crypto_provider using rustls_crypto_provider_random(), or the process-wide default provider using rustls_default_crypto_provider_random().
  • A new RUSTLS_RESULT_NO_DEFAULT_CRYPTO_PROVIDER rustls_result was added to indicate that an operation requiring a process-wide default crypto provider failed, either because no provider has been installed as the default or because a default could not be chosen implicitly from the supported providers.

  • A new rustls_crypto_provider_builder type has been added to customize, or install, a crypto provider.

    • rustls_crypto_provider_builder_new_from_default will construct a builder based on the current process-wide default.
    • rustls_crypto_provider_builder_new_with_base will construct a builder based on a specified rustls_crypto_provider.
    • Customization of supported ciphersuites can be achieved with rustls_crypto_provider_builder_set_cipher_suites().
    • The default process-wide provider can be installed from a builder using rustls_crypto_provider_builder_build_as_default(), if it has not already been done.
    • Alternatively, a new rustls_crypto_provider instance can be built with rustls_crypto_provider_builder_build().
    • See the function documentation for more information on recommended workflows.
  • A new rustls_signing_key type has been added to represent a private key that has been parsed by a rustls_crypto_provider and is ready to use for cryptographic operations.

    • Use rustls_crypto_provider_load_key() to load a signing_key from a buffer of PEM data using a rustls_crypto_provider.
    • Use rustls_certified_key_build_with_signing_key() to build a rustls_certified_key with a PEM cert chain and a rustls_signing_key.
  • New rustls_web_pki_client_cert_verifier_builder_new_with_provider() and rustls_web_pki_server_cert_verifier_builder_new_with_provider() functions have been added to construct rustls_client_cert_verifier or rustls_server_cert_verifier instances that use a specified rustls_crypto_provider.

  • Support for constructing a rustls_server_cert_verifier that uses the platform operating system's native certificate verification functionality was added. See the rustls-platform-verifier crate docs for more information on supported platforms.

    • Use rustls_platform_server_cert_verifier() to construct a platform verifier that uses the default crypto provider.
    • Use rustls_platform_server_cert_verifier_with_provider() to construct a platform verifier that uses the specified rustls_crypto_provider.
    • The returned rustls_server_cert_verifier can be used with a rustls_client_config_builder with rustls_client_config_builder_set_server_verifier().
  • A new rustls_supported_ciphersuite_protocol_version() function was added for getting the rustls_tls_version IANA registered protocol version identifier supported by a given rustls_supported_ciphersuite.

  • When using aws-lc-rs as the crypto provider, NIST P-521 signatures are now supported.

Changed

  • The rustls_server_config_builder_new(), rustls_client_config_builder_new(), rustls_web_pki_client_cert_verifier_builder_new(), rustls_web_pki_server_cert_verifier_builder_new(), and rustls_certified_key_build() functions now use the process default crypto provider instead of being hardcoded to use ring.

  • rustls_server_config_builder_new_custom() and rustls_client_config_builder_new_custom() no longer take custom ciphersuites as an argument. Instead they require providing a rustls_crypto_provider.

    • Customizing ciphersuite support is now done at the provider level using rustls_crypto_provider_builder and rustls_crypto_provider_builder_set_cipher_suites().
  • rustls_server_config_builder_build() and rustls_client_config_builder_build() now use out-parameters for the rustls_server_config or rustls_client_config, and return a rustls_result. This allows returning an error if the build operation fails because a suitable crypto provider was not available.

  • rustls_client_config_builder_build() now returns a RUSTLS_RESULT_NO_SERVER_CERT_VERIFIER rustls_result error if a server certificate verifier was not set instead of falling back to a verifier that would fail all certificate validation attempts.

  • The NoneVerifier used if a rustls_client_config is constructed by a rustls_client_config_builder without a verifier configured has been changed to return an unknown issuer error instead of a bad signature error when asked to verify a server certificate.

  • Error specificity for revoked certificates was improved.

Removed

  • The ALL_CIPHER_SUITES and DEFAULT_CIPHER_SUITES constants and associated functions (rustls_all_ciphersuites_len(), rustls_all_ciphersuites_get_entry(), rustls_default_ciphersuites_len() and rustls_default_ciphersuites_get_entry()) have been removed. Ciphersuite support is dictated by the rustls_crypto_provider.
    • Use rustls_default_supported_ciphersuites() to retrieve a rustls_supported_ciphersuites for the default rustls_crypto_provider.
    • Use rustls_crypto_provider_ciphersuites() to retrieve a rustls_supported_ciphersuites for a given rustls_crypto_provider.
    • Use rustls_supported_ciphersuites_len() and rustls_supported_ciphersuites_get() to iterate the rustls_supported_ciphersuites.

What's Changed

  • docs: add 0.12.2 release to CHANGELOG by @cpu in #403
  • docs: fix mod_tls link in README by @cpu in #410
  • NULL safe set_boxed_mut_ptr/set_arc_mut_ptr by @cpu in #402
  • README: Add packaging status badge by @kpcyrd in #411
  • Fix valgrind job by @ctz in #413
  • Makefile: limit scope of format/format-check by @cpu in #415
  • Fix valgrind warning in server.c by @ctz in #414
  • build(deps): bump rustls-pemfile from 2.1.1 to 2.1.2 by @dependabot in #418
  • Fix two incompatible types warnings in example code by @cpu in #405
  • client: NoneVerifier UnknownIssuer instead of BadSignature by @cpu in #421
  • run clippy on tests, fix findings by @cpu in #416
  • cmake: don't run cbindgen for build by @cpu in #408
  • ci: add Linux pkg-config/.so test coverage by @cpu in #412
  • Add rustls-platform-verifier binding by @amesgen in #419
  • arc_castable!, box_castable!, ref_castable! macros by @cpu in #404
  • Avoid ASAN for release builds, use w/ GCC or clang in debug builds by @cpu in #425
  • build(deps): bump libc from 0.2.153 to 0.2.154 by @dependabot in #426
  • lib: whitespace around Userdata invariants list by @cpu in #429
  • build(deps): bump libc from 0.2.154 to 0.2.155 by @dependabot in #428
  • connection: more docs for rustls_connection_is_handshaking by @cpu in #430
  • ci: test pkg-config workflow on macOS by @cpu in #431
  • chore: update to use spdx license identifier by @chenrui333 in #433
  • project-wide tidying, style updates by @cpu in #432
  • ci: pin cargo-c version in pkg-config workflow by @cpu in #435
  • ci: revert cargo-c pin, set libdir explicitly by @cpu in #436
  • rustls_version() integration test by @cpu in #434
  • build(deps): bump rustls-platform-verifier from 0.3.1 to 0.3.2 by @dependabot in #438
  • build(deps): bump log from 0.4.21 to 0.4.22 by @dependabot in #439
  • lib: allow renamed_and_removed_lints for now by @cpu in #444
  • docs: clarify freeing client/server builder directly by @cpu in #443
  • Remove authors from Cargo.toml by @jsha in #446
  • build(deps): bump rustls-platform-verifier from 0.3.2 to 0.3.3 by @dependabot in #448
  • doc: fix comment on WebPKI and platform verifier by @jsha in #447
  • Add missing error UnknownRevocationStatus by @ctz in #449
  • build(deps): bump rustls-pemfile from 2.1.2 to 2.1.3 by @dependabot in #451
  • build(deps): bump libc from 0.2.155 to 0.2.157 by @dependabot in #453
  • build(deps): bump libc from 0.2.157 to 0.2.158 by @dependabot in #454
  • build(deps): bump rustls-platform-verifier from 0.3.3 to 0.3.4 by @dependabot in #455
  • Docs pass by @ctz in #457
  • pkg-config.yml: fix typo by @ctz in #456
  • 0.14.0-rc1: Adopt crypto provider API, use aws-lc-rs as default provider by @cpu in #441
  • ci: remove unneeded cargo-c job in test workflow by @cpu in #459
  • crypto_provider: expose a way to get CSRNG data by @cpu in #458
  • cargo: rustls 0.23.12 -> 0.23.13 by @cpu in #460
  • cipher: allow getting the proto of a ciphersuite by @cpu in #461
  • 0.14.0 release by @cpu in #462

Full Changelog: v0.13.0...v0.14.0