0.23.0
-
Default cryptography provider changed to
aws-lc-rs
. Note that this has some implications on platform support and build-time tool requirements such ascmake
on all platforms andnasm
on Windows.
Support forring
continues to be available: set thering
crate feature. -
Support for FIPS validated mode with
aws-lc-rs
: see the manual section and aws-lc-rs's FIPS documentation. Note thataws-lc-rs
in FIPS mode has further build-time requirements as detailed in the FIPS documentation.
Thanks to the aws-lc-rs for their assistance on this. -
Support for process-wide selection of
CryptoProvider
s. See the documentation. Note that callers ofClientConfig::builder()
,ServerConfig::builder()
,WebPkiServerVerifier::builder()
andWebPkiClientVerifier::builder()
must now ensure that the crate's features are unambiguous or explicitly select a process-level provider usingCryptoProvider::install_default()
. Otherwise, these calls will panic with:no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point
We recommend that libraries rely on the process-level provider by default, and that applications use this new API to select the provider they wish to use.
-
New unbuffered API.
UnbufferedClientConnection
andUnbufferedServerConnection
offer a low-level, event-driven API which does not internally buffer data.
Thanks to the team from Ferrous Systems. -
New
no_std
support. A new (enabled by default)std
crate feature now gates all APIs that depend onstd
. The above unbuffered APIs must be used forno_std
support. Note thatalloc
continues to be required. Work is ongoing to reintroduce certain APIs forno_std
users (see #1688) -- please file issues for otherno_std
use cases.
Thanks to the team from Ferrous Systems. -
Performance improvement: internal copying while sending data is reduced.
Thanks to the team from the SΕzu project. -
Performance improvement:
write_vectored
now produces less on-the-wire overhead, which will dramatically improve throughput if it is used with a large number of small messages.
Thanks to the team from the SΕzu project. -
Acceptor
API error handling improvement. If a TLS alert should be sent to inform the peer of a connection failure, this is now made available in theErr()
variant returned fromAcceptor::accept
andAccepted::into_connection
(which is also a breaking change). Applications should write this data to the peer. See the server_acceptor example. -
Support for FFDHE key exchange: custom
CryptoProviders
can now support FFDHE key exchange, in accordance with RFC7919. Note that the default providers do not do this.
Thanks to the team from Fortanix. -
Support for servers requiring
extended_master_secret
support from clients. SeeServerConfig::require_ems
.
Thanks to the team from Fortanix. -
Extension ordering in ClientHello messages are now randomised as an anti-fingerprinting measure. We do not foresee any interoperability issues as Chrome has already rolled out the same change.
Thanks to @GomesGoncalo. -
Breaking change:
CipherSuiteCommon::integrity_limit
field removed (this was QUIC-specific, it has moved toquic::PacketKey::integrity_limit()
). -
Breaking change:
crypto::cipher::BorrowedPlainMessage
andcrypto::cipher::OpaqueMessage
have been renamed (toOutboundPlainMessage
andOutboundOpaqueMessage
) and altered to support performance improvements. See the example code. -
Breaking change: all protocol enum types (eg.
CipherSuite
) have had theirget_u8
/get_u16
accessor removed; useu8::from()
/u16::from()
instead.
What's Changed
- make the
provider-example
library no-std compatible (almost) by @japaric in #1636 - doc: fix outdated documentation by @omegablitz in #1669
- Minor tweaks to provider-example code by @djc in #1670
- remove the TLS 1.2 session ticket on DecryptError by @Geal in #1668
- [1/3]
MessageDeframer
: batch discard operations by @japaric in #1595 - Cargo: version 0.22 -> 0.23-alpha.0 by @cpu in #1672
- crypto: explain TLS 1.2 version in TLS 1.3 message encrypters by @cpu in #1671
- Mark
SupportedProtocolVersion
as non-exhaustive by @pvdrz in #1673 - quic: require that PacketKey and HeaderProtectionKey are Send + Sync by @djc in #1665
- bench: remove redundant benchmark param by @aochagavia in #1675
- Re-export the types crate contents by @djc in #1674
- update examples to use pki_types re-export by @jsha in #1679
- build(deps): bump actions/setup-go from 4 to 5 by @dependabot in #1681
- Update semver-compatible dependencies by @djc in #1683
- bench: remove unused function by @aochagavia in #1684
- Add a roadmap by @ctz in #1676
- build(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #1695
- build(deps): bump the crates-io group with 1 update by @dependabot in #1694
- bench: remove icount workflow from GitHub Actions by @aochagavia in #1696
- bench: remove cachegrind diff post-processing by @aochagavia in #1697
- examples: consistently document example program purpose by @cpu in #1693
- [2/3] implement the caller-side managed buffers API (take 2) by @japaric in #1583
- verify.rs: correct comment for
verify_server_name
by @ctz in #1698 - ci-bench: explain motivation for wall-time measurements in readme by @aochagavia in #1700
- Condense the
fragment_slice
return type by @pvdrz in #1701 - Add BENCHMARKING.md by @aochagavia in #1699
- move sendable_plaintext from CommonState to ConnectionCommon by @japaric in #1591
- Clarify
ClientHello
legacy_record_version
commentary by @ctz in #1705 - Implement FromIterator for RootCertStore by @niklasf in #1708
- Cargo: update semver compat deps by @cpu in #1714
- Misc testing improvements by @ctz in #1717
- examples: add very simple server, README by @cpu in #1715
- docs: provide more pointers for examples by @cpu in #1716
- Support P521-SHA512 signatures with aws-lc-rs by @ctz in #1706
- examples: fix style w.r.t env var usage, const placement by @cpu in #1719
- Update roadmap regarding rustls-platform-verifier and ECH support by @bdaehlie in #1721
- macros: allow trailing enum_builder comma by @cpu in #1725
- msgs/handshake.rs: remove get_ fn prefixes by @cpu in #1726
- docs: provide more guidance for customizing private keys by @cpu in #1724
- Don't add empty
certificate_authorities
extension by @ctz in #1729 - examples: simpleserver: skip argv[0] & update doc comment by @bnjmnjrk in #1733
- client_conn: style tweaks for member/impl ordering by @cpu in #1736
- Small HPKE trait tweaks by @cpu in #1737
- handshake: derive a few more traits by @cpu in #1738
- make the decode / decrypt pipeline non-allocating (groundwork) by @japaric in #1597
- hash_hs: support cloning (forking) HandshakeHash[Buffer] by @cpu in #1739
- Update bogo version by @ctz in #1740
- Randomize ClientHello extensions by @GomesGoncalo in #1730
- Update hs.rs by @NRKirby in #1743
- deps: update Cargo lock for semver compatible dependency updates by @cpu in #1747
- docs: add more documentation on crypto providers by @cpu in #1742
- examples: minor optimization for mio client NoCertificateVerification by @cpu in #1753
- build(deps): bump h2 from 0.3.22 to 0.3.24 by @dependabot in #1755
- Update semver-compatible dependencies by @djc in #1759
- Update README.md - server auth by @elardus-erasmus in #1756
- Add config option for requiring peer must support
extended_master_secret
extension in TLS 1.2 by @Taowyoo in #1754 - Clarify MAX_PAYLOAD comment by @themighty1 in #1761
- Remove work-around for loading SEC1-format ECDSA keys by @ctz in #1767
- Depend on
aws-lc-rs
withdefault-features = false
by @joshtriplett in #1768 - Add 'fips' cargo feature to enable to the aws-lc-rs crypto provider with the AWS-LC FIPS implementations. by @skmcgrail in #1732
- Fix cargo powerset build for ring w/o tls1.2 feature by @cpu in #1769
- build(deps): bump codecov/codecov-action from 3 to 4 by @dependabot in #1770
- Default to
require_ems
in FIPS mode by @ctz in #1772 - github actions: standardise on ubuntu-latest by @ctz in #1773
- Add support for FFDHE key exchange by @s-arash in #1702
- Take curve25519-dalek 4.1.2 by @ctz in #1775
- Add rustls-rustcrypto to the list of third-party providers by @stevefan1999-personal in #1763
- Introduce concept of "process default" provider by @ctz in #1766
- Improve testing when multiple built-in providers are enabled by @ctz in #1778
- provide codecov token for coverage job by @ctz in #1781
- Update dependencies by @djc in #1783
- Change crate default features to use aws-lc-rs by @ctz in #1780
- ci: add Windows aws-lc-rs build reqs to daily-tests by @cpu in #1786
- Make peer-certificates lifetime explicit by @richardpringle in #1787
- Update version of nightly for check-external-types by @ctz in #1791
- examples: ignore interrupted syscalls for mio poll by @cpu in #1790
- Limit fragmentation in
write_vectored
by @Keksoj in #1640 - Improve provider and FIPS documentation by @ctz in #1789
- Tidy away
BorrowedPlainMessage
by @ctz in #1794 - Correct kx group selection by @ctz in #1784
- Cargo: bump semver compat deps by @cpu in #1795
- Use
end_entity
variable when verifying CertificateVerify by @thomwiggers in #1799 - Take semver compatible updates by @ctz in #1800
- ci: skip docs deploy for forks by @cpu in #1801
- Avoid unnecessary allocation and copy in
OpaqueMessage::encode
by @Wonshtrum in #1774 - Another docs pass after reviewing #1774 by @ctz in #1807
- Tweaks to the enum macros by @djc in #1809
- [3/3] no-std support phase I by @japaric in #1502
- Message type tweaks by @djc in #1810
- Fix a typo by @haroldbruintjes in #1812
- server: allow acceptor to send alerts after error by @djc in #1811
- Fix new nightly warnings by @ctz in #1813
- Next steps for Quinn support (cont'd) by @cpu in #1798
- Prepare 0.23 roadmap entries by @ctz in #1802
- Cargo.toml: disentangle std/aws_lc_rs features by @ctz in #1818
- refactor: avoid pretty printing used in logging beyond debug level by @Taowyoo in #1820
- Reword
no process-level CryptoProvider
panic by @ctz in #1822 - Prepare 0.23.0 by @ctz in #1817
New Contributors
- @omegablitz made their first contribution in #1669
- @Geal made their first contribution in #1668
- @pvdrz made their first contribution in #1673
- @bnjmnjrk made their first contribution in #1733
- @GomesGoncalo made their first contribution in #1730
- @NRKirby made their first contribution in #1743
- @elardus-erasmus made their first contribution in #1756
- @themighty1 made their first contribution in #1761
- @joshtriplett made their first contribution in #1768
- @skmcgrail made their first contribution in #1732
- @s-arash made their first contribution in #1702
- @richardpringle made their first contribution in #1787
- @Keksoj made their first contribution in #1640
- @Wonshtrum made their first contribution in #1774
- @haroldbruintjes made their first contribution in #1812
Full Changelog: v/0.22.2...v/0.23.0