commit: c5353958548b881dcc526a0ed8ce3013dddd4df1 Author: Hans de Graaff <graaff <AT> gentoo <DOT> org> AuthorDate: Sat May 11 06:16:51 2024 +0000 Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org> CommitDate: Sat May 11 06:21:00 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5353958
www-servers/apache: fix compatibility with rustls-0.13.0 Closes: https://bugs.gentoo.org/928046 Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org> www-servers/apache/apache-2.4.59-r2.ebuild | 259 ++++++++++ .../apache/files/apache-2.4.59-rustls-0.13.0.patch | 544 +++++++++++++++++++++ 2 files changed, 803 insertions(+) diff --git a/www-servers/apache/apache-2.4.59-r2.ebuild b/www-servers/apache/apache-2.4.59-r2.ebuild new file mode 100644 index 000000000000..9da48f31fb38 --- /dev/null +++ b/www-servers/apache/apache-2.4.59-r2.ebuild @@ -0,0 +1,259 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +# latest gentoo apache files +GENTOO_PATCHSTAMP="20240405" +GENTOO_DEVELOPER="graaff" +GENTOO_PATCHNAME="gentoo-apache-2.4.59" + +# IUSE/USE_EXPAND magic +IUSE_MPMS_FORK="prefork" +IUSE_MPMS_THREAD="event worker" + +# << obsolete modules: +# authn_default authz_default mem_cache +# mem_cache is replaced by cache_disk +# ?? buggy modules +# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found +# >> added modules for reason: +# compat: compatibility with 2.2 access control +# authz_host: new module for access control +# authn_core: functionality provided by authn_alias in previous versions +# authz_core: new module, provides core authorization capabilities +# cache_disk: replacement for mem_cache +# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3 +# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3 +# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3 +# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3 +# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests). +# socache_shmcb: shared object cache provider. Default config with ssl needs it +# unixd: fixes startup error: Invalid command 'User' +IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form +authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core +authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex +brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock +dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2 +ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness +lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation +proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi +proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout +session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache +socache_shmcb speling status substitute systemd tls unique_id userdir usertrack +unixd version vhost_alias watchdog xml2enc" +# The following are also in the source as of this version, but are not available +# for user selection: +# bucketeer case_filter case_filter_in echo http isapi optional_fn_export +# optional_fn_import optional_hook_export optional_hook_import + +# inter-module dependencies +# TODO: this may still be incomplete +MODULE_DEPENDS=" + auth_form:session + brotli:filter + dav_fs:dav + dav_lock:dav + deflate:filter + cache_disk:cache + ext_filter:filter + file_cache:cache + lbmethod_byrequests:proxy_balancer + lbmethod_byrequests:slotmem_shm + lbmethod_bytraffic:proxy_balancer + lbmethod_bybusyness:proxy_balancer + lbmethod_heartbeat:proxy_balancer + log_forensic:log_config + logio:log_config + cache_disk:cache + cache_socache:cache + md:watchdog + mime_magic:mime + proxy_ajp:proxy + proxy_balancer:proxy + proxy_balancer:slotmem_shm + proxy_connect:proxy + proxy_ftp:proxy + proxy_hcheck:proxy + proxy_hcheck:watchdog + proxy_html:proxy + proxy_html:xml2enc + proxy_http:proxy + proxy_http2:proxy + proxy_scgi:proxy + proxy_uwsgi:proxy + proxy_fcgi:proxy + proxy_wstunnel:proxy + session_cookie:session + session_dbd:dbd + session_dbd:session + socache_memcache:cache + substitute:filter +" + +# module<->define mappings +MODULE_DEFINES=" + auth_digest:AUTH_DIGEST + authnz_ldap:AUTHNZ_LDAP + cache:CACHE + cache_disk:CACHE + cache_socache:CACHE + dav:DAV + dav_fs:DAV + dav_lock:DAV + file_cache:CACHE + http2:HTTP2 + info:INFO + ldap:LDAP + lua:LUA + md:SSL + proxy:PROXY + proxy_ajp:PROXY + proxy_balancer:PROXY + proxy_connect:PROXY + proxy_fcgi:PROXY + proxy_ftp:PROXY + proxy_hcheck:PROXY + proxy_html:PROXY + proxy_http:PROXY + proxy_http2:PROXY + proxy_scgi:PROXY + proxy_uwsgi:PROXY + proxy_wstunnel:PROXY + socache_shmcb:SSL + socache_memcache:CACHE + ssl:SSL + status:STATUS + suexec:SUEXEC + systemd:SYSTEMD + userdir:USERDIR +" + +# critical modules for the default config +MODULE_CRITICAL=" + authn_core + authz_core + authz_host + dir + mime + unixd +" +inherit apache-2 systemd tmpfiles toolchain-funcs + +DESCRIPTION="The Apache Web Server" +HOMEPAGE="https://httpd.apache.org/"; + +# some helper scripts are Apache-1.1, thus both are here +LICENSE="Apache-2.0 Apache-1.1" +SLOT="2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris" + +RDEPEND=" + apache2_modules_tls? ( >=net-libs/rustls-ffi-0.13.0:= ) +" +DEPEND="${RDEPEND}" + +PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" "${FILESDIR}/${P}-rustls-0.13.0.patch" ) + +pkg_setup() { + # dependent critical modules which are not allowed in global scope due + # to USE flag conditionals (bug #499260) + use ssl && MODULE_CRITICAL+=" socache_shmcb" + use doc && MODULE_CRITICAL+=" alias negotiation setenvif" + apache-2_pkg_setup +} + +src_configure() { + # Brain dead check. + tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" + + apache-2_src_configure +} + +src_compile() { + if tc-is-cross-compiler ; then + # This header is the same across targets, so use the build compiler. + pushd server >/dev/null + emake gen_test_char + tc-export_build_env BUILD_CC + ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \ + gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die + popd >/dev/null + fi + + default +} + +src_install() { + apache-2_src_install + local i + local apache_tools_prune_list=( + /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm} + /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs} + /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1} + /usr/share/man/man8/{rotatelogs.8,htcacheclean.8} + ) + for i in ${apache_tools_prune_list[@]} ; do + rm "${ED}"/${i} || die "Failed to prune apache-tools bits" + done + + dobin support/apxs + + # Note: wait for mod_systemd to be included in some forthcoming release, + # Then apache2.4.service can be used and systemd support controlled + # through --enable-systemd + systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service" + dotmpfiles "${FILESDIR}/apache.conf" + #insinto /etc/apache2/modules.d + #doins "${FILESDIR}/00_systemd.conf" + + # Install http2 module config + insinto /etc/apache2/modules.d + doins "${FILESDIR}"/41_mod_http2.conf + + # Fix path to apache libdir + sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die +} + +pkg_postinst() { + apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" + + tmpfiles_process apache.conf #662544 + + # warnings that default config might not work out of the box + local mod cmod + for mod in ${MODULE_CRITICAL} ; do + if ! use "apache2_modules_${mod}"; then + echo + ewarn "Warning: Critical module not installed!" + ewarn "Modules 'authn_core', 'authz_core' and 'unixd'" + ewarn "are highly recomended but might not be in the base profile yet." + ewarn "Default config for ssl needs module 'socache_shmcb'." + ewarn "Enabling the following flags is highly recommended:" + for cmod in ${MODULE_CRITICAL} ; do + use "apache2_modules_${cmod}" || \ + ewarn "+ apache2_modules_${cmod}" + done + echo + break + fi + done + # warning for proxy_balancer and missing load balancing scheduler + if use apache2_modules_proxy_balancer; then + local lbset= + for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do + if use "apache2_modules_${mod}"; then + lbset=1 && break + fi + done + if [[ ! ${lbset} ]] ; then + echo + ewarn "Info: Missing load balancing scheduler algorithm module" + ewarn "(They were split off from proxy_balancer in 2.3)" + ewarn "In order to get the ability of load balancing, at least" + ewarn "one of these modules has to be present:" + ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat" + echo + fi + fi +} diff --git a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch new file mode 100644 index 000000000000..f8cfc6b73c31 --- /dev/null +++ b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch @@ -0,0 +1,544 @@ +From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001 +From: Daniel McCarney <[email protected]> +Date: Sun, 21 Apr 2024 15:05:19 -0400 +Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY + +The rustls version included in the rustls-ffi version output does not +always contain three components. E.g. rustls-ffi 0.12.2 uses the version +string: + + rustls-ffi/0.12.2/rustls/0.22 + +Notably there is no `.0` after the `0.22` for the Rustls version, and +this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this. +--- + test/modules/tls/test_08_vars.py | 2 +- + test/modules/tls/test_14_proxy_ssl.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py +index ad764a7985a..0e3ee74d2df 100644 +--- a/test/modules/tls/test_08_vars.py ++++ b/test/modules/tls/test_08_vars.py +@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str): + + @pytest.mark.parametrize("name, pattern", [ + ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'), +- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'), ++ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'), + ]) + def test_tls_08_vars_match(self, env, name: str, pattern: str): + r = env.tls_get(env.domain_b, f"/vars.py?name={name}") +diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py +index 2f46c64f710..87e04c28afa 100644 +--- a/test/modules/tls/test_14_proxy_ssl.py ++++ b/test/modules/tls/test_14_proxy_ssl.py +@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str): + + @pytest.mark.parametrize("name, pattern", [ + ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'), +- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'), ++ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'), + ]) + def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str): + if not HttpdTestEnv.has_shared_module("tls"): +From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001 +From: Daniel McCarney <[email protected]> +Date: Sun, 21 Apr 2024 15:19:50 -0400 +Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11 + +See upstream release notes[0] for more information. + +Also note that the, ahem, clunkyness of the verifier API is reduced in +the 0.12 release and this is a transition state. + +[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0 +--- + .github/workflows/linux.yml | 2 +- + modules/tls/tls_cert.c | 26 ++++++++++++++++++-------- + modules/tls/tls_cert.h | 6 +++--- + modules/tls/tls_core.c | 4 ++-- + 4 files changed, 24 insertions(+), 14 deletions(-) + +diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml +index 8c45faf5651..1ac41c6b2d6 100644 +--- a/.github/workflows/linux.yml ++++ b/.github/workflows/linux.yml +@@ -241,7 +241,7 @@ jobs: + APR_VERSION=1.7.4 + APU_VERSION=1.6.3 + APU_CONFIG="--with-crypto" +- RUSTLS_VERSION="v0.10.0" ++ RUSTLS_VERSION="v0.11.0" + NO_TEST_FRAMEWORK=1 + TEST_INSTALL=1 + TEST_MOD_TLS=1 +diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c +index 624535aa444..17a35fc498d 100644 +--- a/modules/tls/tls_cert.c ++++ b/modules/tls/tls_cert.c +@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get( + + typedef struct { + const char *id; +- const rustls_client_cert_verifier *client_verifier; +- const rustls_client_cert_verifier_optional *client_verifier_opt; ++ const rustls_allow_any_authenticated_client_verifier *client_verifier; ++ const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt; + } tls_cert_verifiers_entry_t; + + static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val) +@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, + tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val; + (void)ctx; (void)key; (void)klen; + if (entry->client_verifier) { +- rustls_client_cert_verifier_free(entry->client_verifier); ++ rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier); + entry->client_verifier = NULL; + } + if (entry->client_verifier_opt) { +- rustls_client_cert_verifier_optional_free(entry->client_verifier_opt); ++ rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt); + entry->client_verifier_opt = NULL; + } + return 1; +@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry( + apr_status_t tls_cert_client_verifiers_get( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_client_cert_verifier **pverifier) ++ const rustls_allow_any_authenticated_client_verifier **pverifier) + { + apr_status_t rv = APR_SUCCESS; + tls_cert_verifiers_entry_t *entry; ++ struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL; + + entry = verifiers_get_or_make_entry(verifiers, store_file); + if (!entry->client_verifier) { + rustls_root_cert_store *store; + rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store); + if (APR_SUCCESS != rv) goto cleanup; +- entry->client_verifier = rustls_client_cert_verifier_new(store); ++ verifier_builder = rustls_allow_any_authenticated_client_builder_new(store); ++ entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder); + } + + cleanup: ++ if (verifier_builder != NULL) { ++ rustls_allow_any_authenticated_client_builder_free(verifier_builder); ++ } + if (APR_SUCCESS == rv) { + *pverifier = entry->client_verifier; + } +@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get( + apr_status_t tls_cert_client_verifiers_get_optional( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_client_cert_verifier_optional **pverifier) ++ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier) + { + apr_status_t rv = APR_SUCCESS; + tls_cert_verifiers_entry_t *entry; ++ struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL; + + entry = verifiers_get_or_make_entry(verifiers, store_file); + if (!entry->client_verifier_opt) { + rustls_root_cert_store *store; + rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store); + if (APR_SUCCESS != rv) goto cleanup; +- entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store); ++ verifier_builder = rustls_client_cert_verifier_optional_builder_new(store); ++ entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder); + } + + cleanup: ++ if (verifier_builder != NULL) { ++ rustls_client_cert_verifier_optional_builder_free(verifier_builder); ++ } + if (APR_SUCCESS == rv) { + *pverifier = entry->client_verifier_opt; + } +diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h +index 6ab3f48ae13..4ac3865dd86 100644 +--- a/modules/tls/tls_cert.h ++++ b/modules/tls/tls_cert.h +@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear( + apr_status_t tls_cert_client_verifiers_get( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_client_cert_verifier **pverifier); ++ const rustls_allow_any_authenticated_client_verifier **pverifier); + + /** + * Get the optional client certificate verifier for the +@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get( + apr_status_t tls_cert_client_verifiers_get_optional( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_client_cert_verifier_optional **pverifier); ++ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier); + +-#endif /* tls_cert_h */ +\ No newline at end of file ++#endif /* tls_cert_h */ +diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c +index 25479392f1a..df29077826d 100644 +--- a/modules/tls/tls_core.c ++++ b/modules/tls/tls_core.c +@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection, + if (cc->client_auth != TLS_CLIENT_AUTH_NONE) { + ap_assert(sc->client_ca); /* checked in server_setup */ + if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) { +- const rustls_client_cert_verifier *verifier; ++ const rustls_allow_any_authenticated_client_verifier *verifier; + rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier); + if (APR_SUCCESS != rv) goto cleanup; + rustls_server_config_builder_set_client_verifier(builder, verifier); + } + else { +- const rustls_client_cert_verifier_optional *verifier; ++ const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier; + rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier); + if (APR_SUCCESS != rv) goto cleanup; + rustls_server_config_builder_set_client_verifier_optional(builder, verifier); +From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001 +From: Daniel McCarney <[email protected]> +Date: Sun, 21 Apr 2024 15:37:25 -0400 +Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12 + +See upstream release notes for more information: + +https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0 +https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1 +https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2 +--- + .github/workflows/linux.yml | 2 +- + modules/tls/tls_cert.c | 99 ++++++++++++++++++++----------------- + modules/tls/tls_cert.h | 8 +-- + modules/tls/tls_core.c | 16 ++++-- + 4 files changed, 70 insertions(+), 55 deletions(-) + +diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml +index 1ac41c6b2d6..3700bc4546a 100644 +--- a/.github/workflows/linux.yml ++++ b/.github/workflows/linux.yml +@@ -241,7 +241,7 @@ jobs: + APR_VERSION=1.7.4 + APU_VERSION=1.6.3 + APU_CONFIG="--with-crypto" +- RUSTLS_VERSION="v0.11.0" ++ RUSTLS_VERSION="v0.12.2" + NO_TEST_FRAMEWORK=1 + TEST_INSTALL=1 + TEST_MOD_TLS=1 +diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c +index 17a35fc498d..ffb941cae40 100644 +--- a/modules/tls/tls_cert.c ++++ b/modules/tls/tls_cert.c +@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key + } + + apr_status_t tls_cert_load_root_store( +- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore) ++ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore) + { + const char *fpath; + tls_data_t pem; +- rustls_root_cert_store *store = NULL; ++ rustls_root_cert_store_builder *store_builder = NULL; ++ const rustls_root_cert_store *store = NULL; + rustls_result rr = RUSTLS_RESULT_OK; + apr_pool_t *ptemp = NULL; + apr_status_t rv; +@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store( + rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem); + if (APR_SUCCESS != rv) goto cleanup; + +- store = rustls_root_cert_store_new(); +- rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1); ++ store_builder = rustls_root_cert_store_builder_new(); ++ rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1); ++ if (RUSTLS_RESULT_OK != rr) goto cleanup; ++ ++ rr = rustls_root_cert_store_builder_build(store_builder, &store); + if (RUSTLS_RESULT_OK != rr) goto cleanup; + + cleanup: ++ if (store_builder != NULL) { ++ rustls_root_cert_store_builder_free(store_builder); ++ } + if (RUSTLS_RESULT_OK != rr) { + const char *err_descr; + rv = tls_util_rustls_error(p, rr, &err_descr); +@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store( + + typedef struct { + const char *id; +- rustls_root_cert_store *store; ++ const rustls_root_cert_store *store; + } tls_cert_root_stores_entry_t; + + static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val) +@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores) + apr_status_t tls_cert_root_stores_get( + tls_cert_root_stores_t *stores, + const char *store_file, +- rustls_root_cert_store **pstore) ++ const rustls_root_cert_store **pstore) + { + apr_status_t rv = APR_SUCCESS; + tls_cert_root_stores_entry_t *entry; + + entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING); + if (!entry) { +- rustls_root_cert_store *store; ++ const rustls_root_cert_store *store; + rv = tls_cert_load_root_store(stores->pool, store_file, &store); + if (APR_SUCCESS != rv) goto cleanup; + entry = apr_pcalloc(stores->pool, sizeof(*entry)); +@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get( + + typedef struct { + const char *id; +- const rustls_allow_any_authenticated_client_verifier *client_verifier; +- const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt; ++ rustls_client_cert_verifier *client_verifier; ++ rustls_client_cert_verifier *client_verifier_opt; + } tls_cert_verifiers_entry_t; + + static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val) +@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, + tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val; + (void)ctx; (void)key; (void)klen; + if (entry->client_verifier) { +- rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier); ++ rustls_client_cert_verifier_free(entry->client_verifier); + entry->client_verifier = NULL; + } + if (entry->client_verifier_opt) { +- rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt); ++ rustls_client_cert_verifier_free(entry->client_verifier_opt); + entry->client_verifier_opt = NULL; + } + return 1; +@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry( + return entry; + } + +-apr_status_t tls_cert_client_verifiers_get( +- tls_cert_verifiers_t *verifiers, +- const char *store_file, +- const rustls_allow_any_authenticated_client_verifier **pverifier) ++static apr_status_t tls_cert_client_verifiers_get_internal( ++ tls_cert_verifiers_t *verifiers, ++ const char *store_file, ++ const rustls_client_cert_verifier **pverifier, ++ bool allow_unauthenticated) + { + apr_status_t rv = APR_SUCCESS; + tls_cert_verifiers_entry_t *entry; +- struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL; ++ rustls_result rr = RUSTLS_RESULT_OK; ++ struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL; + + entry = verifiers_get_or_make_entry(verifiers, store_file); + if (!entry->client_verifier) { +- rustls_root_cert_store *store; ++ const rustls_root_cert_store *store; + rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store); + if (APR_SUCCESS != rv) goto cleanup; +- verifier_builder = rustls_allow_any_authenticated_client_builder_new(store); +- entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder); ++ verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store); ++ ++ if (allow_unauthenticated) { ++ rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder); ++ if (rr != RUSTLS_RESULT_OK) { ++ goto cleanup; ++ } ++ } ++ ++ rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier); ++ if (rr != RUSTLS_RESULT_OK) { ++ goto cleanup; ++ } + } + + cleanup: + if (verifier_builder != NULL) { +- rustls_allow_any_authenticated_client_builder_free(verifier_builder); ++ rustls_web_pki_client_cert_verifier_builder_free(verifier_builder); ++ } ++ if (rr != RUSTLS_RESULT_OK) { ++ rv = tls_util_rustls_error(verifiers->pool, rr, NULL); + } + if (APR_SUCCESS == rv) { + *pverifier = entry->client_verifier; +@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get( + return rv; + } + +-apr_status_t tls_cert_client_verifiers_get_optional( ++ ++apr_status_t tls_cert_client_verifiers_get( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier) ++ const rustls_client_cert_verifier **pverifier) + { +- apr_status_t rv = APR_SUCCESS; +- tls_cert_verifiers_entry_t *entry; +- struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL; +- +- entry = verifiers_get_or_make_entry(verifiers, store_file); +- if (!entry->client_verifier_opt) { +- rustls_root_cert_store *store; +- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store); +- if (APR_SUCCESS != rv) goto cleanup; +- verifier_builder = rustls_client_cert_verifier_optional_builder_new(store); +- entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder); +- } ++ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false); ++} + +-cleanup: +- if (verifier_builder != NULL) { +- rustls_client_cert_verifier_optional_builder_free(verifier_builder); +- } +- if (APR_SUCCESS == rv) { +- *pverifier = entry->client_verifier_opt; +- } +- else { +- *pverifier = NULL; +- } +- return rv; ++apr_status_t tls_cert_client_verifiers_get_optional( ++ tls_cert_verifiers_t *verifiers, ++ const char *store_file, ++ const rustls_client_cert_verifier **pverifier) ++{ ++ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true); + } +diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h +index 4ac3865dd86..3326f0eb3e7 100644 +--- a/modules/tls/tls_cert.h ++++ b/modules/tls/tls_cert.h +@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key + * @param pstore the loaded root store on success + */ + apr_status_t tls_cert_load_root_store( +- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore); ++ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore); + + typedef struct tls_cert_root_stores_t tls_cert_root_stores_t; + struct tls_cert_root_stores_t { +@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores); + apr_status_t tls_cert_root_stores_get( + tls_cert_root_stores_t *stores, + const char *store_file, +- rustls_root_cert_store **pstore); ++ const rustls_root_cert_store **pstore); + + typedef struct tls_cert_verifiers_t tls_cert_verifiers_t; + struct tls_cert_verifiers_t { +@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear( + apr_status_t tls_cert_client_verifiers_get( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_allow_any_authenticated_client_verifier **pverifier); ++ const rustls_client_cert_verifier **pverifier); + + /** + * Get the optional client certificate verifier for the +@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get( + apr_status_t tls_cert_client_verifiers_get_optional( + tls_cert_verifiers_t *verifiers, + const char *store_file, +- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier); ++ const rustls_client_cert_verifier **pverifier); + + #endif /* tls_cert_h */ +diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c +index df29077826d..1cef254f103 100644 +--- a/modules/tls/tls_core.c ++++ b/modules/tls/tls_core.c +@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c) + tls_conf_proxy_t *pc; + const apr_array_header_t *ciphersuites = NULL; + apr_array_header_t *tls_versions = NULL; ++ rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL; ++ struct rustls_server_cert_verifier *verifier = NULL; + rustls_client_config_builder *builder = NULL; +- rustls_root_cert_store *ca_store = NULL; ++ const rustls_root_cert_store *ca_store = NULL; + const char *hostname = NULL, *alpn_note = NULL; + rustls_result rr = RUSTLS_RESULT_OK; + apr_status_t rv = APR_SUCCESS; +@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c) + if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) { + rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store); + if (APR_SUCCESS != rv) goto cleanup; +- rustls_client_config_builder_use_roots(builder, ca_store); ++ verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store); ++ rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier); ++ if (RUSTLS_RESULT_OK != rr) goto cleanup; ++ rustls_client_config_builder_set_server_verifier(builder, verifier); + } + + #if TLS_MACHINE_CERTS +@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c) + rustls_connection_set_userdata(cc->rustls_connection, c); + + cleanup: ++ if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder); + if (builder != NULL) rustls_client_config_builder_free(builder); + if (RUSTLS_RESULT_OK != rr) { + const char *err_descr = NULL; +@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection, + if (cc->client_auth != TLS_CLIENT_AUTH_NONE) { + ap_assert(sc->client_ca); /* checked in server_setup */ + if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) { +- const rustls_allow_any_authenticated_client_verifier *verifier; ++ const rustls_client_cert_verifier *verifier; + rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier); + if (APR_SUCCESS != rv) goto cleanup; + rustls_server_config_builder_set_client_verifier(builder, verifier); + } + else { +- const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier; ++ const rustls_client_cert_verifier *verifier; + rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier); + if (APR_SUCCESS != rv) goto cleanup; +- rustls_server_config_builder_set_client_verifier_optional(builder, verifier); ++ rustls_server_config_builder_set_client_verifier(builder, verifier); + } + } + +From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001 +From: Daniel McCarney <[email protected]> +Date: Sun, 21 Apr 2024 13:49:49 -0400 +Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13 + +The breaking API changes in this release don't affect `mod_tls`, making +this an in-place update. + +See the upstream release notes[0] for more information. + +[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0 +--- + .github/workflows/linux.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml +index 3700bc4546a..54dcd7b0b32 100644 +--- a/.github/workflows/linux.yml ++++ b/.github/workflows/linux.yml +@@ -241,7 +241,7 @@ jobs: + APR_VERSION=1.7.4 + APU_VERSION=1.6.3 + APU_CONFIG="--with-crypto" +- RUSTLS_VERSION="v0.12.2" ++ RUSTLS_VERSION="v0.13.0" + NO_TEST_FRAMEWORK=1 + TEST_INSTALL=1 + TEST_MOD_TLS=1
