|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## 0.15.0 (XXXX-XX-XX) |
| 4 | + |
| 5 | +This release updates to [Rustls 0.23.20][] and increases the project minimum |
| 6 | +supported rust version (MSRV) from 1.71 to 1.74 to avoid a Rust compiler bug |
| 7 | +provoked by the ECH support in Rustls. |
| 8 | + |
| 9 | +[Rustls 0.23.20]: https://github.com/rustls/rustls/releases/tag/v%2F0.23.18 |
| 10 | + |
| 11 | +### Added |
| 12 | + |
| 13 | +* New opt-in feature flags: |
| 14 | + * Optional support for [RFC 8879][] certificate compression by enabling the |
| 15 | + `cert_compression` feature when building `rustls-ffi`. When enabled |
| 16 | + connections will transparently use certificate compression using Brotli or |
| 17 | + ZLib based on peer compatibility. |
| 18 | + * Optional FIPS-140-3 support using the `aws-lc-rs` provider. Enabled with teh |
| 19 | + `fips` feature when building `rustls-ffi`. When enabled the `aws-lc-rs` |
| 20 | + crypto provider is used in its FIPS compatible mode. See the [Rustls |
| 21 | + project documentation][FIPS-docs] for more information on FIPS status. |
| 22 | + |
| 23 | +* Encrypted Client Hello (ECH) support for client connections. |
| 24 | + * `rustls_hpke` struct for representing supported HPKE suites. |
| 25 | + * `rustls_supported_hpke()` function for returning a const pointer to |
| 26 | + a `rustls_hpke` instance if available. Only the `aws-lc-rs` backend returns |
| 27 | + a non-`NULL` value at this time. |
| 28 | + * `rustls_client_config_builder_enable_ech_grease()` client config |
| 29 | + builder function for configuring ECH GREASE using a `rustls_hpke`. This |
| 30 | + chooses a supported HPKE suite at random and is an anti-ossification |
| 31 | + measure clients may opt-in to when not performing "real" ECH. |
| 32 | + * `rustls_client_config_builder_enable_ech()` client config builder function |
| 33 | + for configuring ECH using a `rustls_hpke` and a TLS encoded ECH config list. |
| 34 | + The encoded ECH config list should be retrieved from DNS using a secure |
| 35 | + transport, such as DNS-over-HTTPS. See the `librustls/tests/client.c` |
| 36 | + example, and the `ech-fetch.rs` tool, for example usage. |
| 37 | + |
| 38 | +* Additional connection information APIs: |
| 39 | + * Negotiated key exchange group, using |
| 40 | + `rustls_connection_get_negotiated_key_exchange_group()` for the IANA |
| 41 | + registered identifier, and |
| 42 | + `rustls_connection_get_negotiated_key_exchange_group_name()` for the name as |
| 43 | + a `rustls_str`. |
| 44 | + * Determining whether the handshake was a full TLS handshake, a full TLS |
| 45 | + handshake with an extra hello retry request (HRR) round-trip, a resumed TLS |
| 46 | + or a handshake, using `rustls_connection_handshake_kind()`. This returns |
| 47 | + a `rustls_handshake_kind` enum variant, which can be translated to |
| 48 | + a `rustls_str` using `rustls_handshake_kind_str()`. |
| 49 | + |
| 50 | +* Support for checking whether a `rustls_certified_key`'s certificate matches |
| 51 | + the corresponding private key using `rustls_certified_key_keys_match()`. |
| 52 | + |
| 53 | +* Support for queuing TLS 1.3 key updates using |
| 54 | + `rustls_connection_refresh_traffic_keys()`. |
| 55 | + |
| 56 | +* Support for strict handling of CRL expiry using |
| 57 | + `rustls_web_pki_server_cert_verifier_enforce_revocation_expiry()` to customize |
| 58 | + a `rustls_web_pki_server_cert_verifier_builder` builder instance to reject |
| 59 | + CRLs with a next update in the past. |
| 60 | + |
| 61 | +* Support for building `rustls-ffi` without any built in cryptography providers. |
| 62 | + This is mainly helpful for users that don't intend to use `aws-lc-rs` or |
| 63 | + `*ring*` but instead will bring their own FFI-ready `rustls_crypto_provider`. |
| 64 | + |
| 65 | +* SSLKEYLOG support: |
| 66 | + * For simple logging to a file, use |
| 67 | + `rustls_server_config_builder_set_key_log_file()` or |
| 68 | + `rustls_client_config_builder_set_key_log_file()` with a client/server |
| 69 | + config builder to have the `SSLKEYLOGFILE` env var used to log an NSS |
| 70 | + formatted key log file appropriate for use with Wireshark and other tools. |
| 71 | + * For deeper integration, use `rustls_server_config_builder_set_key_log()` or |
| 72 | + `rustls_client_config_builder_set_key_log()` to configure C callbacks to be |
| 73 | + invoked to decide which secrets are logged and to do the logging. |
| 74 | + * See `librustls/tests/client.c` and `librustls/tests/server.c` for example |
| 75 | + usage. |
| 76 | + |
| 77 | +* FIPS-140-3 APIs: |
| 78 | + * `rustls_default_fips_provider()` for instantiating a FIPS compatible |
| 79 | + `rustls_crypto_provider` (requires "fips" feature enabled). |
| 80 | + * `rustls_crypto_provider_fips()` for determining if a `rustls_crypto_provider` |
| 81 | + is FIPS compatible or not. |
| 82 | + * `rustls_client_config_fips()` for determining if a `rustls_client_config` |
| 83 | + was built with a FIPS compatible `rustls_crypto_provider`. |
| 84 | + * `rustls_server_config_fips()` for determining if a `rustls_server_config` |
| 85 | + was built with a FIPS compatible `rustls_crypto_provider`. |
| 86 | + * `rustls_connection_fips()` for determining if a `rustls_connection` was |
| 87 | + created from a `rustls_client_config` or `rustls_server_config` that was |
| 88 | + built with a FIPS compatible `rustls_crypto_provider`. |
| 89 | + |
| 90 | +* Additional `rustls_result` error variants: |
| 91 | + * `RUSTLS_RESULT_CERT_EXPIRED_REVOCATION_LIST`, |
| 92 | + `RUSTLS_RESULT_MESSAGE_CERTIFICATE_PAYLOAD_TOO_LARGE`, |
| 93 | + `RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH`, |
| 94 | + `RUSTLS_RESULT_INCONSISTENT_KEYS_UNKNOWN`, |
| 95 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_INVALID_CONFIG_LIST`, |
| 96 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_NO_COMPATIBLE_CONFIG`, |
| 97 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_SNI_REQUIRED`. |
| 98 | + |
| 99 | +[RFC 8879]: https://www.rfc-editor.org/rfc/rfc8879 |
| 100 | +[FIPS-docs]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html |
| 101 | + |
| 102 | +### Changed |
| 103 | + |
| 104 | +* [cargo-c][] is now the only supported method for building `rustls-ffi`. It |
| 105 | + supports building both static and shared libraries as well as making `.pc` |
| 106 | + pkg-config files per-platform. The pre-existing `Makefile` has been removed in |
| 107 | + favour of `cargo-c`. See our README for more information. |
| 108 | + |
| 109 | +* Calling `rustls_server_config_builder_build()` with no certificate/key |
| 110 | + configured previously returned `RUSTLS_RESULT_GENERAL`, it now returns |
| 111 | + `RUSTLS_RESULT_NO_CERT_RESOLVER`. |
| 112 | + |
| 113 | +* Building the client/server examples now requires `cmake`. The GNU Makefile has |
| 114 | + been removed in favour of unifying the example build system with `cmake`. |
| 115 | + Users only interested in building `rustls-ffi` (not the example applications) |
| 116 | + do not require `cmake` unless it is a requirement of their chosen cryptography |
| 117 | + provider (e.g. `aws-lc-rs` in fips mode). |
| 118 | + |
| 119 | +[cargo-c]: https://github.com/lu-zero/cargo-c |
| 120 | + |
| 121 | +### Removed |
| 122 | + |
| 123 | +* N/A |
| 124 | + |
| 125 | + |
3 | 126 | ## 0.14.1 (2024-11-22) |
4 | 127 |
|
5 | 128 | This release updates to [Rustls 0.23.18][] and increases the project MSRV from |
|
0 commit comments