Prepare 0.15.1 release

.github/workflows/artifacts.yaml

@@ -80,6 +80,8 @@ jobs:
   linux-deb:
     name: Linux (x86-64 GNU Deb)
     runs-on: ubuntu-22.04 # x86_64.
+    outputs:
+      version: ${{ steps.version.outputs.version }}
     steps:
       - uses: actions/checkout@v6
         with:
@@ -95,14 +97,20 @@ jobs:
         run: |
           curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
 
+      - name: Extract version
+        id: version
+        run: |
+          VERSION=$(cargo pkgid -p rustls-ffi | sed 's/.*@//')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
       - name: Build deb
         run: ./debian/build.sh
 
       - name: Upload deb
         uses: actions/upload-artifact@v7
         with:
-          name: librustls_0.15.0_amd64.deb
-          path: librustls_0.15.0_amd64.deb
+          name: librustls_${{ steps.version.outputs.version }}_amd64.deb
+          path: librustls_${{ steps.version.outputs.version }}_amd64.deb
 
   macos-binaries:
     name: MacOS (Arm64 and x86_64)
@@ -281,9 +289,9 @@ jobs:
       - name: Download rustls-ffi deb artifact
         uses: actions/download-artifact@v8
         with:
-          name: librustls_0.15.0_amd64.deb
+          name: librustls_${{ needs.linux-deb.outputs.version }}_amd64.deb
       - name: Install deb
-        run: sudo dpkg --install ./librustls_0.15.0_amd64.deb
+        run: sudo dpkg --install ./librustls_${{ needs.linux-deb.outputs.version }}_amd64.deb
       - name: Check copyright exists
         run: test -f /usr/share/doc/librustls/COPYRIGHT
       # Dump out what pkg-config says about the rustls package.

CHANGELOG.md

@@ -1,5 +1,95 @@
 # Changelog
 
+## 0.15.1 (2026-03-13)
+
+This is a minor release with one security fix. It updates `rustls` to
+[0.23.37](https://github.com/rustls/rustls/releases/tag/v%2F0.23.37).
+
+### Security
+
+Updates `rustls-webpki` to
+[0.103.10](https://github.com/rustls/webpki/releases/tag/v%2F0.103.10):
+
+This update addresses
+[RUSTSEC-2026-0049](https://rustsec.org/advisories/RUSTSEC-2026-0049.html);
+a security issue affecting CRL revocation checking.
+
+This low-impact vulnerability affects users of the
+`rustls_web_pki_[server|client]_cert_verifier_builder` APIs that populated CRLs
+with `rustls_web_pki_server_cert_verifier_builder_add_crl()`. If a certificate
+signed by a trusted certificate authority contained multiple CRL distribution
+points, only the first was checked against the CRL's issuing distribution point.
+
+In a default configuration this oversight meant that revocation checking would
+fail-closed with an incorrect, but safe, `RUSTLS_RESULT_CERT_UNKNOWN_ISSUER`
+error.
+
+If configured with
+`rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status()`, then
+revocation checking would fail-open, potentially allowing use of certificate
+revoked by the CRL.
+
+Inducing this bug requires a trusted certificate issuer to be compromised, which
+can result in more serious revocation bypasses and security issues.
+
+### Added
+
+* version detection macros in the C header
+  (https://github.com/rustls/rustls-ffi/pull/576): 
+  * `RUSTLS_VERSION_MAJOR`, `RUSTLS_VERSION_MINOR`, `RUSTLS_VERSION_PATCH`
+    individual version components as integers.
+  * `RUSTLS_VERSION_NUMBER` - a single number encoding the version as
+    `(major << 16 | minor << 8 | patch)`.
+
+* additional error variants (https://github.com/rustls/rustls-ffi/pull/574):
+  * `RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_SIGNATURE_ALGORITHM` - for
+    CRL signature algorithm errors.
+  * `RUSTLS_RESULT_CERT_UNSUPPORTED_SIGNATURE_ALGORITHM` - for certificate
+    signature algorithm errors.
+
+* `rustls_platform_server_cert_verifier_try_with_provider()`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * A safer alternative to `rustls_platform_server_cert_verifier_with_provider`
+    with better error reporting. The older function for constructing a server
+    cert verifier backed by the platform verifier is now deprecated.
+
+* `rustls_connection_get_tls13_tickets_received()`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * Returns the number of TLS 1.3 tickets received by a client connection. This
+    is FFI for the Rustls `ClientConnection::tls13_tickets_received()` API.
+
+* `rustls_client_connection_new_alpn()`
+  (https://github.com/rustls/rustls-ffi/pull/566):
+  * constructs a client `rustls_connection` with custom ALPN protocol support
+    that differs from the base `rustls_client_config`.
+
+### Deprecated
+
+* Deprecated functions are now visually annotated on the [documentation
+  website](https://ffi.rustls.dev).
+  (https://github.com/rustls/rustls-ffi/pull/584) and in the header file using
+  the appropriate clang/GCC/MSVC attributes
+  (https://github.com/rustls/rustls-ffi/pull/579).
+
+* Platform server cert verifier creation is now fallible, returning
+  a `rustls_result` that must be handled appropriately.
+
+  The pre-existing `rustls_platform_server_cert_verifier_with_provider()` is
+  now deprecated in favor of
+  `rustls_platform_server_cert_verifier_try_with_provider()`.
+
+### Changed
+
+* Post-quantum key exchange (`X25519MLKEM768`) is now preferred by default
+  matching upstream rustls (https://github.com/rustls/rustls-ffi/pull/566)
+
+* An additional field is now exposed in `rustls_client_hello`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * `named_groups` - the supported key exchange groups advertised by the client.
+  * This is a breaking change, but limited to the server-side
+    `rustls_server_config_builder_set_hello_callback` APIs that are documented
+    as **experimental**.
+
 ## 0.15.0 (2025-03-25)
 
 This release updates to [Rustls 0.23.25][] and increases the project minimum
@@ -184,7 +274,7 @@ requirements.
   * Ciphersuites supported by a specific `rustls_crypto_provider` can be retrieved with
     `rustls_crypto_provider_ciphersuites_len()` and `rustls_crypto_provider_ciphersuites_get()`.
   * Ciphersuites supported by the current process-wide default crypto provider (if any) can
-    be retrieved with `rustls_default_crypto_provider_ciphersuites_len()` and 
+    be retrieved with `rustls_default_crypto_provider_ciphersuites_len()` and
     `rustls_default_crypto_provider_ciphersuites_get()`.
   * A buffer can be filled with cryptographically secure random data from
     a specific `rustls_crypto_provider` using `rustls_crypto_provider_random()`,
@@ -201,7 +291,7 @@ requirements.
      based on the current process-wide default.
    * `rustls_crypto_provider_builder_new_with_base` will construct a builder
      based on a specified `rustls_crypto_provider`.
-   * Customization of supported ciphersuites can be achieved with 
+   * Customization of supported ciphersuites can be achieved with
      `rustls_crypto_provider_builder_set_cipher_suites()`.
    * The default process-wide provider can be installed from a builder using
      `rustls_crypto_provider_builder_build_as_default()`, if it has not already
@@ -231,7 +321,7 @@ requirements.
   more information on supported platforms.
     * Use `rustls_platform_server_cert_verifier()` to construct a platform verifier
       that uses the default crypto provider.
-    * Use `rustls_platform_server_cert_verifier_with_provider()` to construct a 
+    * Use `rustls_platform_server_cert_verifier_with_provider()` to construct a
       platform verifier that uses the specified `rustls_crypto_provider`.
     * The returned `rustls_server_cert_verifier` can be used with
       a `rustls_client_config_builder` with
@@ -264,7 +354,7 @@ requirements.
 
 * `rustls_server_config_builder_build()` and
   `rustls_client_config_builder_build()` now use out-parameters for the
-  `rustls_server_config` or `rustls_client_config`, and return a `rustls_result`. 
+  `rustls_server_config` or `rustls_client_config`, and return a `rustls_result`.
   This allows returning an error if the build operation fails because a suitable
   crypto provider was not available.
 
@@ -286,7 +376,7 @@ requirements.
   functions (`rustls_all_ciphersuites_len()`,
   `rustls_all_ciphersuites_get_entry()`, `rustls_default_ciphersuites_len()` and
   `rustls_default_ciphersuites_get_entry()`) have been
-  removed. Ciphersuite support is dictated by the `rustls_crypto_provider`. 
+  removed. Ciphersuite support is dictated by the `rustls_crypto_provider`.
   * Use `rustls_default_supported_ciphersuites()` to retrieve
     a `rustls_supported_ciphersuites` for the default `rustls_crypto_provider`.
   * Use `rustls_crypto_provider_ciphersuites()` to retrieve a
@@ -307,7 +397,7 @@ only cryptographic provider.
 * A new `rustls_accepted_alert` type is added. Calling
   `rustls_accepted_alert_bytes` on this type produces TLS data to write
   in the case where a server acceptor encountered an error accepting a client.
-  The returned TLS data should be written to the connection before freeing 
+  The returned TLS data should be written to the connection before freeing
   the `rustls_accepted_alert` by calling `rustls_accepted_alert_write_tls` with
   a `rustls_write_callback` implementation.
 
@@ -367,19 +457,19 @@ and 0.12.0 continues to use `*ring*` as the only cryptographic provider.
   `rustls_root_cert_store_builder_add_pem` and
   `rustls_root_cert_store_builder_load_roots_from_file`.
 * The client verifier builders (
-  `rustls_allow_any_anonymous_or_authenticated_client_builder`, and 
+  `rustls_allow_any_anonymous_or_authenticated_client_builder`, and
   `rustls_allow_any_authenticated_client_builder`) as well as the client
-  verifier types (`rustls_allow_any_anonymous_or_authenticated_client_verifier`, 
+  verifier types (`rustls_allow_any_anonymous_or_authenticated_client_verifier`,
   `rustls_allow_any_authenticated_client_verifier`) have been replaced with
   `rustls_web_pki_client_cert_verifier_builder` and `rustls_client_cert_verifier`.
-* The server config client verifier setters 
+* The server config client verifier setters
   (`rustls_server_config_builder_set_client_verifier` and
   `rustls_server_config_builder_set_client_verifier_optional`) have been
   replaced with `rustls_server_config_builder_set_client_verifier`.
-* The client config builder functions for specifying root trust anchors 
+* The client config builder functions for specifying root trust anchors
   (`rustls_client_config_builder_use_roots` and
   `rustls_client_config_builder_load_roots_from_file`) have been replaced
-  with a server certificate verifier builder 
+  with a server certificate verifier builder
   (`rustls_web_pki_server_cert_verifier_builder`) constructed with
   `rustls_web_pki_server_cert_verifier_builder_new` and
   a `rustls_root_cert_store`. The built `rustls_web_pki_server_cert_verifier`

debian/build.sh

@@ -4,7 +4,7 @@ set -x
 
 cd "$(dirname "$0")"
 
-VERSION=$(sed -n 's/^version = "\(.*\)"$/\1/p' ../librustls/Cargo.toml)
+VERSION=$(cargo pkgid -p rustls-ffi | sed 's/.*@//')
 if [ -z "$VERSION" ]; then
     echo "Failed to extract version from Cargo.toml" >&2
     exit 1

librustls/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "rustls-ffi"
 # Keep in sync with defines in cbindgen.toml
-version = "0.15.0"
+version = "0.15.1"
 license = "Apache-2.0 OR ISC OR MIT"
 readme = "../README-crates.io.md"
 description = "Rustls bindings for non-Rust languages"
@@ -30,7 +30,7 @@ prefer-post-quantum = ["aws-lc-rs", "rustls/prefer-post-quantum"]
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs
-rustls = { version = "=0.23.36", default-features = false, features = ["std", "tls12"] }
+rustls = { version = "=0.23.37", default-features = false, features = ["std", "tls12"] }
 webpki  = { workspace = true }
 libc = { workspace = true }
 log = { workspace = true }

librustls/build.rs

@@ -2,14 +2,6 @@ use std::fs::File;
 use std::io::Write;
 use std::{env, fs, path::PathBuf};
 
-// Keep in sync with Cargo.toml.
-//
-// We don't populate this automatically from the Cargo.toml at build time
-// because doing so would require a heavy-weight deserialization lib dependency
-// (and it couldn't be a _dev_ dep for use in a build script) or doing brittle
-// by-hand parsing.
-const RUSTLS_CRATE_VERSION: &str = "0.23.36";
-
 fn main() {
     let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());
     let include_dir = out_dir.join("include");
@@ -38,3 +30,11 @@ fn main() {
 
     println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
 }
+
+// Keep in sync with Cargo.toml.
+//
+// We don't populate this automatically from the Cargo.toml at build time
+// because doing so would require a heavy-weight deserialization lib dependency
+// (and it couldn't be a _dev_ dep for use in a build script) or doing brittle
+// by-hand parsing.
+const RUSTLS_CRATE_VERSION: &str = "0.23.37";

librustls/cbindgen.toml

@@ -5,7 +5,7 @@ after_includes = """
 
 #define RUSTLS_VERSION_MAJOR 0
 #define RUSTLS_VERSION_MINOR 15
-#define RUSTLS_VERSION_PATCH 0
+#define RUSTLS_VERSION_PATCH 1
 
 /**
  * This gives each version part 8 bits, and leaves the 8 least significant bits

librustls/src/rustls.h

@@ -9,7 +9,7 @@
 
 #define RUSTLS_VERSION_MAJOR 0
 #define RUSTLS_VERSION_MINOR 15
-#define RUSTLS_VERSION_PATCH 0
+#define RUSTLS_VERSION_PATCH 1
 
 /**
  * This gives each version part 8 bits, and leaves the 8 least significant bits