Mailing List Archive

Author: icing
Date: Mon Apr 22 13:55:22 2024
New Revision: 1917270

URL: http://svn.apache.org/viewvc?rev=1917270&view=rev
Log:
* mod_tls: update version of rustls-ffi to v0.13.0.
[Daniel McCarney (@cpu}]


Added:
httpd/httpd/trunk/changes-entries/mod_tls_v0.9.0.txt
Modified:
httpd/httpd/trunk/.github/workflows/linux.yml
httpd/httpd/trunk/.gitignore
httpd/httpd/trunk/modules/tls/tls_cert.c
httpd/httpd/trunk/modules/tls/tls_cert.h
httpd/httpd/trunk/modules/tls/tls_core.c
httpd/httpd/trunk/modules/tls/tls_version.h
httpd/httpd/trunk/test/modules/tls/test_08_vars.py
httpd/httpd/trunk/test/modules/tls/test_14_proxy_ssl.py
httpd/httpd/trunk/test/travis_run_linux.sh

Modified: httpd/httpd/trunk/.github/workflows/linux.yml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/.github/workflows/linux.yml?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/.github/workflows/linux.yml (original)
+++ httpd/httpd/trunk/.github/workflows/linux.yml Mon Apr 22 13:55:22 2024
@@ -241,7 +241,7 @@ jobs:
APR_VERSION=1.7.4
APU_VERSION=1.6.3
APU_CONFIG="--with-crypto"
- RUSTLS_VERSION="v0.10.0"
+ RUSTLS_VERSION="v0.13.0"
NO_TEST_FRAMEWORK=1
TEST_INSTALL=1
TEST_MOD_TLS=1

Modified: httpd/httpd/trunk/.gitignore
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/.gitignore?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/.gitignore (original)
+++ httpd/httpd/trunk/.gitignore Mon Apr 22 13:55:22 2024
@@ -76,6 +76,19 @@ Release
/build/config.sub
/build/config.guess
/build/config_vars.sh
+/build/confdefs.h
+/build/config.log
+/build/config.nice
+/build/srclib/
+/build/srclib/pth
+/build/srclib/apr
+/build/srclib/apr-util
+/build/srclib/apr-iconv
+/build/srclib/distcache
+/build/srclib/lua
+/build/srclib/pcre
+/build/srclib/openssl
+/build/srclib/zlib

# /build/pkg/
/build/pkg/pkginfo
@@ -371,4 +384,4 @@ test/*/*/__pycache__

# make check
check
-build/config_vars.out
\ No newline at end of file
+build/config_vars.out

Added: httpd/httpd/trunk/changes-entries/mod_tls_v0.9.0.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/mod_tls_v0.9.0.txt?rev=1917270&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/mod_tls_v0.9.0.txt (added)
+++ httpd/httpd/trunk/changes-entries/mod_tls_v0.9.0.txt Mon Apr 22 13:55:22 2024
@@ -0,0 +1,2 @@
+ * mod_tls: update version of rustls-ffi to v0.13.0.
+ [Daniel McCarney (@cpu}]

Modified: httpd/httpd/trunk/modules/tls/tls_cert.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/tls/tls_cert.c?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/tls/tls_cert.c (original)
+++ httpd/httpd/trunk/modules/tls/tls_cert.c Mon Apr 22 13:55:22 2024
@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert
}

apr_status_t tls_cert_load_root_store(
- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
{
const char *fpath;
tls_data_t pem;
- rustls_root_cert_store *store = NULL;
+ rustls_root_cert_store_builder *store_builder = NULL;
+ const rustls_root_cert_store *store = NULL;
rustls_result rr = RUSTLS_RESULT_OK;
apr_pool_t *ptemp = NULL;
apr_status_t rv;
@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
if (APR_SUCCESS != rv) goto cleanup;

- store = rustls_root_cert_store_new();
- rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
+ store_builder = rustls_root_cert_store_builder_new();
+ rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+ rr = rustls_root_cert_store_builder_build(store_builder, &store);
if (RUSTLS_RESULT_OK != rr) goto cleanup;

cleanup:
+ if (store_builder != NULL) {
+ rustls_root_cert_store_builder_free(store_builder);
+ }
if (RUSTLS_RESULT_OK != rr) {
const char *err_descr;
rv = tls_util_rustls_error(p, rr, &err_descr);
@@ -378,7 +385,7 @@ cleanup:

typedef struct {
const char *id;
- rustls_root_cert_store *store;
+ const rustls_root_cert_store *store;
} tls_cert_root_stores_entry_t;

static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert
apr_status_t tls_cert_root_stores_get(
tls_cert_root_stores_t *stores,
const char *store_file,
- rustls_root_cert_store **pstore)
+ const rustls_root_cert_store **pstore)
{
apr_status_t rv = APR_SUCCESS;
tls_cert_root_stores_entry_t *entry;

entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
if (!entry) {
- rustls_root_cert_store *store;
+ const rustls_root_cert_store *store;
rv = tls_cert_load_root_store(stores->pool, store_file, &store);
if (APR_SUCCESS != rv) goto cleanup;
entry = apr_pcalloc(stores->pool, sizeof(*entry));
@@ -449,8 +456,8 @@ cleanup:

typedef struct {
const char *id;
- const rustls_client_cert_verifier *client_verifier;
- const rustls_client_cert_verifier_optional *client_verifier_opt;
+ rustls_client_cert_verifier *client_verifier;
+ rustls_client_cert_verifier *client_verifier_opt;
} tls_cert_verifiers_entry_t;

static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -462,7 +469,7 @@ static int verifiers_entry_cleanup(void
entry->client_verifier = NULL;
}
if (entry->client_verifier_opt) {
- rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
+ rustls_client_cert_verifier_free(entry->client_verifier_opt);
entry->client_verifier_opt = NULL;
}
return 1;
@@ -511,23 +518,44 @@ static tls_cert_verifiers_entry_t * veri
return entry;
}

-apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
- const rustls_client_cert_verifier **pverifier)
+static apr_status_t tls_cert_client_verifiers_get_internal(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+ const rustls_client_cert_verifier **pverifier,
+ bool allow_unauthenticated)
{
apr_status_t rv = APR_SUCCESS;
tls_cert_verifiers_entry_t *entry;
+ rustls_result rr = RUSTLS_RESULT_OK;
+ struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;

entry = verifiers_get_or_make_entry(verifiers, store_file);
if (!entry->client_verifier) {
- rustls_root_cert_store *store;
+ const rustls_root_cert_store *store;
rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
if (APR_SUCCESS != rv) goto cleanup;
- entry->client_verifier = rustls_client_cert_verifier_new(store);
+ verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
+
+ if (allow_unauthenticated) {
+ rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
+ if (rr != RUSTLS_RESULT_OK) {
+ goto cleanup;
+ }
+ }
+
+ rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
+ if (rr != RUSTLS_RESULT_OK) {
+ goto cleanup;
+ }
}

cleanup:
+ if (verifier_builder != NULL) {
+ rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
+ }
+ if (rr != RUSTLS_RESULT_OK) {
+ rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+ }
if (APR_SUCCESS == rv) {
*pverifier = entry->client_verifier;
}
@@ -537,28 +565,19 @@ cleanup:
return rv;
}

-apr_status_t tls_cert_client_verifiers_get_optional(
+
+apr_status_t tls_cert_client_verifiers_get(
tls_cert_verifiers_t *verifiers,
const char *store_file,
- const rustls_client_cert_verifier_optional **pverifier)
+ const rustls_client_cert_verifier **pverifier)
{
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier_opt) {
- rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
- entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
- }
+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
+}

-cleanup:
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier_opt;
- }
- else {
- *pverifier = NULL;
- }
- return rv;
+apr_status_t tls_cert_client_verifiers_get_optional(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+ const rustls_client_cert_verifier **pverifier)
+{
+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
}

Modified: httpd/httpd/trunk/modules/tls/tls_cert.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/tls/tls_cert.h?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/tls/tls_cert.h (original)
+++ httpd/httpd/trunk/modules/tls/tls_cert.h Mon Apr 22 13:55:22 2024
@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert
* @param pstore the loaded root store on success
*/
apr_status_t tls_cert_load_root_store(
- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);

typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
struct tls_cert_root_stores_t {
@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert
apr_status_t tls_cert_root_stores_get(
tls_cert_root_stores_t *stores,
const char *store_file,
- rustls_root_cert_store **pstore);
+ const rustls_root_cert_store **pstore);

typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
struct tls_cert_verifiers_t {
@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_g
apr_status_t tls_cert_client_verifiers_get_optional(
tls_cert_verifiers_t *verifiers,
const char *store_file,
- const rustls_client_cert_verifier_optional **pverifier);
+ const rustls_client_cert_verifier **pverifier);

-#endif /* tls_cert_h */
\ No newline at end of file
+#endif /* tls_cert_h */

Modified: httpd/httpd/trunk/modules/tls/tls_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/tls/tls_core.c?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/tls/tls_core.c (original)
+++ httpd/httpd/trunk/modules/tls/tls_core.c Mon Apr 22 13:55:22 2024
@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connec
tls_conf_proxy_t *pc;
const apr_array_header_t *ciphersuites = NULL;
apr_array_header_t *tls_versions = NULL;
+ rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
+ struct rustls_server_cert_verifier *verifier = NULL;
rustls_client_config_builder *builder = NULL;
- rustls_root_cert_store *ca_store = NULL;
+ const rustls_root_cert_store *ca_store = NULL;
const char *hostname = NULL, *alpn_note = NULL;
rustls_result rr = RUSTLS_RESULT_OK;
apr_status_t rv = APR_SUCCESS;
@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connec
if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
if (APR_SUCCESS != rv) goto cleanup;
- rustls_client_config_builder_use_roots(builder, ca_store);
+ verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
+ rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
+ rustls_client_config_builder_set_server_verifier(builder, verifier);
}

#if TLS_MACHINE_CERTS
@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connec
rustls_connection_set_userdata(cc->rustls_connection, c);

cleanup:
+ if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
if (builder != NULL) rustls_client_config_builder_free(builder);
if (RUSTLS_RESULT_OK != rr) {
const char *err_descr = NULL;
@@ -1125,10 +1131,10 @@ static apr_status_t build_server_connect
rustls_server_config_builder_set_client_verifier(builder, verifier);
}
else {
- const rustls_client_cert_verifier_optional *verifier;
+ const rustls_client_cert_verifier *verifier;
rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+ rustls_server_config_builder_set_client_verifier(builder, verifier);
}
}


Modified: httpd/httpd/trunk/modules/tls/tls_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/tls/tls_version.h?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/tls/tls_version.h (original)
+++ httpd/httpd/trunk/modules/tls/tls_version.h Mon Apr 22 13:55:22 2024
@@ -26,7 +26,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_TLS_VERSION "0.8.3"
+#define MOD_TLS_VERSION "0.9.0"

/**
* @macro
@@ -34,6 +34,6 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_TLS_VERSION_NUM 0x000802
+#define MOD_TLS_VERSION_NUM 0x000900

#endif /* mod_md_md_version_h */

Modified: httpd/httpd/trunk/test/modules/tls/test_08_vars.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/tls/test_08_vars.py?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/test/modules/tls/test_08_vars.py (original)
+++ httpd/httpd/trunk/test/modules/tls/test_08_vars.py Mon Apr 22 13:55:22 2024
@@ -59,7 +59,7 @@ class TestVars:

@pytest.mark.parametrize("name, pattern", [
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
])
def test_tls_08_vars_match(self, env, name: str, pattern: str):
r = env.tls_get(env.domain_b, f"/vars.py?name={name}")

Modified: httpd/httpd/trunk/test/modules/tls/test_14_proxy_ssl.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/tls/test_14_proxy_ssl.py?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/test/modules/tls/test_14_proxy_ssl.py (original)
+++ httpd/httpd/trunk/test/modules/tls/test_14_proxy_ssl.py Mon Apr 22 13:55:22 2024
@@ -100,7 +100,7 @@ class TestProxySSL:

@pytest.mark.parametrize("name, pattern", [
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
])
def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
if not HttpdTestEnv.has_shared_module("tls"):

Modified: httpd/httpd/trunk/test/travis_run_linux.sh
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/travis_run_linux.sh?rev=1917270&r1=1917269&r2=1917270&view=diff
==============================================================================
--- httpd/httpd/trunk/test/travis_run_linux.sh (original)
+++ httpd/httpd/trunk/test/travis_run_linux.sh Mon Apr 22 13:55:22 2024
@@ -266,7 +266,7 @@ fi
if test -v TEST_MOD_TLS -a $RV -eq 0; then
# Run mod_tls tests. The underlying librustls was build
# and installed before we configured the server (see top of file).
- # This will be replaved once librustls is available as a package.
+ # This will be replaced once librustls is available as a package.
py.test-3 test/modules/tls
RV=$?
fi