
Merge upstream rustls v0.23.40 into watfaq-rustls #10

Merged

ibigbug merged 404 commits into utls-0.23 from merge-latest-0.23 on May 11, 2026

Conversation

@ibigbug (Member) commented May 11, 2026

Summary

Merges upstream rustls v0.23.40 into watfaq-rustls (the utls-0.23 branch), preserving all Reality/vless custom patches.

Key Changes from Upstream

  • Dependency bumps: rustls-webpki 0.103.5, webpki-roots 1.x, x509-parser 0.17, zeroize 1.8, zlib-rs 0.6, aws-lc-rs 1.14, hpke-rs 0.6, brotli 8, hickory-resolver 0.25, asn1 0.22
  • ClientHelloInput refactor: upstream moved session setup into a struct with new()/start_handshake() methods; our fork retains the free-function start_handshake<T> with session_id_generator and reality_state generics
  • ClientExtensionsInput: replaces Vec<ClientExtension> as the extra extensions type in start_handshake and for_client_with_session_id_generator
  • ClientHelloPayload helpers removed: find_extension, sni_extension, psk(), etc. replaced by Deref/DerefMut to ClientExtensions (direct field access)
  • HandshakeMessagePayload is now a newtype: field access changed from .payload to .0
  • SessionId kept public: remains pub struct with pub(crate) fields so reality.rs can construct it directly
  • PQ crypto moved: hybrid.rs and mlkem.rs moved from rustls-post-quantum/src/ into rustls/src/crypto/aws_lc_rs/pq/
  • New crates: rustls-test (common test utilities), nix signal handling in bogo
  • ClientSessionValue::retrieve(): replaces the find_session free function
  • EchConfig::state(): replaces EchState::new

Reality Patch Preservation

All custom Reality/vless code is intact:

  • rustls/src/client/reality.rs — unchanged
  • start_handshake free function with reality_state parameter
  • emit_client_hello_for_retry generic over T: SessionIdGenerator
  • SessionId public struct with direct field access
  • x25519-dalek with static_secrets feature in workspace deps

Bugs Fixed During Merge

  • support_tls13 → supported_versions.tls13 (field name fix)
  • Duplicate session_id assignment in start_handshake cleaned up
  • early_key_schedule renamed to tls13_early_data_key_schedule (upstream rename)

ctz and others added 30 commits April 18, 2025 09:54
This is a minor refactor of the existing emptiness check.  It does
not change the underlying type of tickets as this is shared with
TLS1.2.
For rustls#2424

Signed-off-by: Eric Lagergren <elagergren@spideroak.com>
For rustls#2424

Signed-off-by: Eric Lagergren <elagergren@spideroak.com>
Signed-off-by: Eric Lagergren <elagergren@spideroak.com>
Co-authored-by: CodeMan62 <sharmahimanshu15082007@gmail.com>
Now a given decoded `ProtocolName` cannot be empty, there is no need
to check that manually.

Retire `Vec<ServerName>`, as in practice there can never be more
than one value: unknown name types (and everything that follows them)
cannot be decoded, and only one value of each name type is allowed.

Eliminates `ServerName` type which was confusingly overlapping
with `rustls-pki-types::ServerName`.

For kTLS we want to be able to interact with rustls in order to refresh
traffic keys and save session tickets for future usage. The remaining
parts of the TLS protocol are possible to implement externally provided
that the user is willing to put in enough effort.

This commit introduces a new API that provides exactly 3 capabilities to
the user:
1. Refresh the TX traffic secrets.
2. Refresh the RX traffic secrets.
3. Handle a provided new_session_ticket message and save said session
   ticket for later use.

That's it. Everything else needs to be implemented by the library user.
While dangerous_extract_secrets allows users to extract secrets from a
connection there is more to implementing a TLS connection than just
encryption and decryption. Just getting the ExtractedSecrets does not
allow for handling TLS 1.3 key updates or session tickets. As such, this
commit deprecates it in favour of dangerous_into_kernel_connection,
which does support both of those things.
DarkmatterVale and others added 22 commits February 24, 2026 16:53
Previously, require_ems was defaulted solely based on cfg!(feature = "fips"),
which is a compile-time check tied to the fips cargo feature. The fips feature
unconditionally pulls in aws-lc-rs as the cryptographic provider, making it
impossible for third-party FIPS-compliant CryptoProvider implementations
(e.g., those backed by BoringSSL) to get correct FIPS policy defaults without
also pulling in aws-lc-rs — which may conflict with their own crypto backend.

This change also considers the runtime CryptoProvider::fips() status when
defaulting require_ems in both ClientConfig and ServerConfig builders. If the
configured provider reports itself as FIPS-compliant, require_ems is now
automatically set to true, ensuring that ClientConfig::fips() and
ServerConfig::fips() return the correct result without requiring the fips
cargo feature.

This is backward-compatible: existing users of the fips feature see no
behavior change, while third-party providers now work correctly out of the
box.
In the case where SNI is disabled, `inner_sni` falls out of sync with
`self.inner_name`.  `inner_sni` is used to alter the inner hello's
`server_name`, but `self.inner_name` was used as a basis for padding.

This means padding would be added even if the extension wasn't, which
ironically leaks the length of the inner name.
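The leak described in the commit message above, as an added example that is not rustls or watfaq-rustls code: it models the inner ClientHello padding step with SNI disabled, once keyed on the configured name (the pre-fix behaviour) and once keyed on whether the extension is actually sent. The padding rule (max(0, L - D) with a server_name of length D, L + 9 without one, then rounding the encoded inner hello up to a multiple of 32 bytes) is cited from memory of the ECH specification (draft-ietf-tls-esni); `InnerHello`, `padding_len_buggy` and `padding_len` are hypothetical names, not the crate's own API.

```rust
/// Model of the inner ClientHello as seen by the padding step (hypothetical
/// type; rustls's own ECH state is structured differently).
pub struct InnerHello<'a> {
    /// Name configured for the inner connection; always known to the client.
    pub inner_name: &'a str,
    /// Whether a server_name extension is actually emitted in the inner hello.
    pub send_sni: bool,
    /// Length in bytes of the encoded inner hello before padding.
    pub encoded_len: usize,
}

/// Name-dependent padding from the ECH spec (cited from memory):
/// max(0, L - D) when a server_name of length D is present, else L + 9,
/// where L is maximum_name_length from the ECHConfig.
fn name_padding(max_name_len: usize, sni_len: Option<usize>) -> usize {
    match sni_len {
        Some(d) => max_name_len.saturating_sub(d),
        None => max_name_len + 9,
    }
}

/// Extra bytes needed to bring `len` up to a multiple of 32.
fn round_up_to_32(len: usize) -> usize {
    (32 - len % 32) % 32
}

/// Pre-fix behaviour: pads from the configured name even when no
/// server_name extension is sent, so the padded size tracks the name length.
pub fn padding_len_buggy(h: &InnerHello<'_>, max_name_len: usize) -> usize {
    let base = name_padding(max_name_len, Some(h.inner_name.len()));
    base + round_up_to_32(h.encoded_len + base)
}

/// Fixed behaviour: the decision follows whether SNI is actually sent, so
/// with SNI disabled every name gets the same constant padding.
pub fn padding_len(h: &InnerHello<'_>, max_name_len: usize) -> usize {
    let sni_len = if h.send_sni { Some(h.inner_name.len()) } else { None };
    let base = name_padding(max_name_len, sni_len);
    base + round_up_to_32(h.encoded_len + base)
}

fn main() {
    // Constructed inputs: same encoded length, SNI disabled, two name lengths.
    let max_name_len = 64;
    let short = InnerHello { inner_name: "a.example", send_sni: false, encoded_len: 100 };
    let long = InnerHello {
        inner_name: "internal-service-01.corp.example.com",
        send_sni: false,
        encoded_len: 100,
    };
    println!(
        "buggy padding: {} vs {} (differs with the hidden name)",
        padding_len_buggy(&short, max_name_len),
        padding_len_buggy(&long, max_name_len)
    );
    println!(
        "fixed padding: {} vs {} (independent of the hidden name)",
        padding_len(&short, max_name_len),
        padding_len(&long, max_name_len)
    );
}
```

With SNI disabled the buggy variant produces 60 bytes of padding for the short name and 28 for the long one, so an observer of the encrypted inner hello's size learns which bucket the name length falls in; the fixed variant yields 92 for both.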
# Conflicts:
#	Cargo.lock
#	Cargo.toml
#	bogo/Cargo.toml
#	bogo/src/main.rs
#	ci-bench/Cargo.toml
#	ci-bench/src/benchmark.rs
#	ci-bench/src/main.rs
#	ci-bench/src/util.rs
#	connect-tests/Cargo.toml
#	examples/Cargo.toml
#	examples/src/bin/ech-client.rs
#	examples/src/bin/limitedclient.rs
#	examples/src/bin/server_acceptor.rs
#	examples/src/bin/simple_0rtt_client.rs
#	examples/src/bin/simpleserver.rs
#	examples/src/bin/tlsclient-mio.rs
#	examples/src/bin/tlsserver-mio.rs
#	examples/src/bin/unbuffered-async-client.rs
#	examples/src/bin/unbuffered-server.rs
#	fuzz/Cargo.toml
#	openssl-tests/src/ffdhe.rs
#	openssl-tests/src/ffdhe_kx_with_openssl.rs
#	openssl-tests/src/raw_key_openssl_interop.rs
#	openssl-tests/src/validate_ffdhe_params.rs
#	provider-example/examples/server.rs
#	provider-example/src/aead.rs
#	provider-example/src/kx.rs
#	provider-example/src/verify.rs
#	rustls-bench/Cargo.toml
#	rustls-bench/src/main.rs
#	rustls-fuzzing-provider/Cargo.toml
#	rustls-fuzzing-provider/src/lib.rs
#	rustls-post-quantum/Cargo.toml
#	rustls-post-quantum/README.md
#	rustls-post-quantum/benches/benchmarks.rs
#	rustls-post-quantum/src/lib.rs
#	rustls/Cargo.toml
#	rustls/benches/benchmarks.rs
#	rustls/build.rs
#	rustls/src/client/client_conn.rs
#	rustls/src/client/hs.rs
#	rustls/src/crypto/aws_lc_rs/pq/hybrid.rs
#	rustls/src/crypto/aws_lc_rs/pq/mlkem.rs
#	rustls/src/lib.rs
#	rustls/src/msgs/handshake.rs
#	rustls/src/quic.rs
#	rustls/src/server/server_conn.rs
#	rustls/tests/api.rs
#	rustls/tests/api_ffdhe.rs
#	rustls/tests/client_cert_verifier.rs
#	rustls/tests/common/mod.rs
#	rustls/tests/key_log_file_env.rs
#	rustls/tests/process_provider.rs
#	rustls/tests/server_cert_verifier.rs
#	rustls/tests/unbuffered.rs

Copilot AI left a comment


Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

@ibigbug ibigbug changed the title Merge latest 0.23 Merge upstream rustls v0.23.40 into watfaq-rustls May 11, 2026
Reality computes a cryptographic session_id (encrypted auth data tied to
the server's public key). If a session_id_generator was also provided,
it would overwrite Reality's value, silently breaking the handshake.

Guard the session_id_generator block to only run when Reality is not
active, and add a test that verifies Reality's session_id is preserved.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
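The precedence bug described in the commit above, as an added example that is not watfaq-rustls code: a generator-assigned session_id must never replace the Reality-computed one. `RealityState`, `SessionIdGenerator`, `CountingGenerator` and the two `assign_session_id*` functions are hypothetical stand-ins for the fork's own types, and the Reality value is a constructed placeholder derived from the server key, not the real Reality construction.

```rust
/// Fixed-size TLS session id (rustls's own type also tracks a length).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct SessionId(pub [u8; 32]);

/// Stand-in for Reality state. In the fork the session_id carries
/// authentication data bound to the server's public key; here it is a
/// constructed value derived from that key so a test can recognise it.
pub struct RealityState {
    pub server_public_key: [u8; 32],
}

impl RealityState {
    pub fn session_id(&self) -> SessionId {
        let mut id = [0u8; 32];
        for (dst, src) in id.iter_mut().zip(self.server_public_key.iter()) {
            *dst = src ^ 0xA5; // constructed placeholder, not the Reality scheme
        }
        SessionId(id)
    }
}

pub trait SessionIdGenerator {
    fn generate(&mut self) -> SessionId;
}

/// Counting generator so a test can see whether it was consulted at all.
pub struct CountingGenerator {
    pub calls: usize,
}

impl SessionIdGenerator for CountingGenerator {
    fn generate(&mut self) -> SessionId {
        self.calls += 1;
        SessionId([0x11; 32])
    }
}

/// Pre-fix shape: the generator block runs unconditionally and overwrites
/// whatever Reality computed, silently breaking the Reality handshake.
pub fn assign_session_id_unguarded<G: SessionIdGenerator>(
    reality: Option<&RealityState>,
    generator: Option<&mut G>,
) -> Option<SessionId> {
    let mut session_id = reality.map(|r| r.session_id());
    if let Some(g) = generator {
        session_id = Some(g.generate());
    }
    session_id
}

/// Post-fix shape: the generator is only consulted when Reality is inactive.
pub fn assign_session_id<G: SessionIdGenerator>(
    reality: Option<&RealityState>,
    generator: Option<&mut G>,
) -> Option<SessionId> {
    match reality {
        Some(r) => Some(r.session_id()),
        None => generator.map(|g| g.generate()),
    }
}

fn main() {
    let reality = RealityState { server_public_key: [0x42; 32] }; // constructed key
    let mut gen = CountingGenerator { calls: 0 };
    let unguarded = assign_session_id_unguarded(Some(&reality), Some(&mut gen));
    let guarded = assign_session_id(Some(&reality), Some(&mut gen));
    println!("unguarded keeps Reality id: {}", unguarded == Some(reality.session_id()));
    println!("guarded keeps Reality id:   {}", guarded == Some(reality.session_id()));
}
```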
@ibigbug ibigbug merged commit 0828f67 into utls-0.23 May 11, 2026
1 check passed
@ibigbug ibigbug deleted the merge-latest-0.23 branch May 11, 2026 14:01