search

palantir / conjure-rust-runtime

Rust implementation of the Conjure runtime
10 stars 7 forks source link

Update rustls requirement from 0.21.5 to 0.23.0 #187

Closed dependabot[bot] closed 8 months ago

dependabot[bot] commented 8 months ago

Updates the requirements on rustls to permit the latest version.

Release notes

Sourced from rustls's releases.

0.23.0

  • Default cryptography provider changed to aws-lc-rs. Note that this has some implications on platform support and build-time tool requirements such as cmake on all platforms and nasm on Windows. Support for ring continues to be available: set the ring crate feature.

  • Support for FIPS validated mode with aws-lc-rs: see the manual section and aws-lc-rs's FIPS documentation. Note that aws-lc-rs in FIPS mode has further build-time requirements as detailed in the FIPS documentation. Thanks to the aws-lc-rs for their assistance on this.

  • Support for process-wide selection of CryptoProviders. See the documentation. Note that callers of ClientConfig::builder(), ServerConfig::builder(), WebPkiServerVerifier::builder() and WebPkiClientVerifier::builder() must now ensure that the crate's features are unambiguous or explicitly select a process-level provider using CryptoProvider::install_default(). Otherwise, these calls will panic with:

    no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point

    We recommend that libraries rely on the process-level provider by default, and that applications use this new API to select the provider they wish to use.

  • New unbuffered API. UnbufferedClientConnection and UnbufferedServerConnection offer a low-level, event-driven API which does not internally buffer data. Thanks to the team from Ferrous Systems.

  • New no_std support. A new (enabled by default) std crate feature now gates all APIs that depend on std. The above unbuffered APIs must be used for no_std support. Note that alloc continues to be required. Work is ongoing to reintroduce certain APIs for no_std users (see #1688) -- please file issues for other no_std use cases. Thanks to the team from Ferrous Systems.

  • Performance improvement: internal copying while sending data is reduced. Thanks to the team from the Sōzu project.

  • Performance improvement: write_vectored now produces less on-the-wire overhead, which will dramatically improve throughput if it is used with a large number of small messages. Thanks to the team from the Sōzu project.

  • Acceptor API error handling improvement. If a TLS alert should be sent to inform the peer of a connection failure, this is now made available in the Err() variant returned from [Acceptor::accept] and [Accepted::into_connection] (which is also a breaking change). Applications should write this data to the peer. See the [server_acceptor] example.

  • Support for FFDHE key exchange: custom CryptoProviders can now support FFDHE key exchange, in accordance with [RFC7919]. Note that the default providers do not do this. Thanks to the team from Fortanix.

  • Support for servers requiring extended_master_secret support from clients. See [ServerConfig::require_ems]. Thanks to the team from Fortanix.

  • Extension ordering in ClientHello messages are now randomised as an anti-fingerprinting measure. We do not foresee any interoperability issues [as Chrome has already rolled out the same change][chrome-ext-order]. Thanks to @​GomesGoncalo.

  • Breaking change: CipherSuiteCommon::integrity_limit field removed (this was QUIC-specific, it has moved to quic::PacketKey::integrity_limit()).

  • Breaking change: crypto::cipher::BorrowedPlainMessage and crypto::cipher::OpaqueMessage have been renamed (to OutboundPlainMessage and OutboundOpaqueMessage) and altered to support performance improvements. See the example code.

  • Breaking change: all protocol enum types (eg. [CipherSuite]) have had their get_u8/get_u16 accessor removed; use u8::from() / u16::from() instead.

... (truncated)

Commits
  • eb0791b Prepare 0.23.0
  • 88022fc Reword no process-level CryptoProvider panic
  • d5c6036 refactor: avoid pretty printing when logging
  • cf098b0 Cargo.toml: disentangle std/aws_lc_rs features
  • 425b527 ROADMAP.md: prepare for 0.23 release
  • d5842f4 tls13/quic: construct QUIC suite from TLS 1.3 suite
  • 4aafdc8 client/server: crypto_provider accessor for configs
  • 50a6563 client_conn: reorder ClientConfig members
  • 5138cd8 suites: split integrity and confidentiality limit handling
  • 542b12c quic: expose limits via PacketKey trait
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
changelog-app[bot] commented 8 months ago

Generate changelog in changelog-dir>`changelog/@unreleased`</changelog-dir

What do the change types mean? - `feature`: A new feature of the service. - `improvement`: An incremental improvement in the functionality or operation of the service. - `fix`: Remedies the incorrect behaviour of a component of the service in a backwards-compatible way. - `break`: Has the potential to break consumers of this service's API, inclusive of both Palantir services and external consumers of the service's API (e.g. customer-written software or integrations). - `deprecation`: Advertises the intention to remove service functionality without any change to the operation of the service itself. - `manualTask`: Requires the possibility of manual intervention (running a script, eyeballing configuration, performing database surgery, ...) at the time of upgrade for it to succeed. - `migration`: A fully automatic upgrade migration task with no engineer input required. _Note: only one type should be chosen._
How are new versions calculated? - ❗The `break` and `manual task` changelog types will result in a major release! - 🐛 The `fix` changelog type will result in a minor release in most cases, and a patch release version for patch branches. This behaviour is configurable in autorelease. - ✨ All others will result in a minor version release.

Type

- [ ] Feature - [ ] Improvement - [ ] Fix - [ ] Break - [ ] Deprecation - [ ] Manual task - [ ] Migration

Description

Update rustls requirement from 0.21.5 to 0.23.0 **Check the box to generate changelog(s)** - [ ] Generate changelog entry
dependabot[bot] commented 8 months ago

Superseded by #190.