commit:     7cd11ed4304bde562f3323e1c8771e92995cfb3c
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat May 11 07:12:55 2024 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat May 11 07:13:21 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cd11ed4

www-servers/apache: drop 2.4.59-r2

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 www-servers/apache/apache-2.4.59-r2.ebuild         | 259 ----------
 .../apache/files/apache-2.4.59-rustls-0.13.0.patch | 544 ---------------------
 2 files changed, 803 deletions(-)

diff --git a/www-servers/apache/apache-2.4.59-r2.ebuild 
b/www-servers/apache/apache-2.4.59-r2.ebuild
deleted file mode 100644
index 9da48f31fb38..000000000000
--- a/www-servers/apache/apache-2.4.59-r2.ebuild
+++ /dev/null
@@ -1,259 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20240405"
-GENTOO_DEVELOPER="graaff"
-GENTOO_PATCHNAME="gentoo-apache-2.4.59"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="prefork"
-IUSE_MPMS_THREAD="event worker"
-
-# << obsolete modules:
-# authn_default authz_default mem_cache
-# mem_cache is replaced by cache_disk
-# ?? buggy modules
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", 
no fix found
-# >> added modules for reason:
-# compat: compatibility with 2.2 access control
-# authz_host: new module for access control
-# authn_core: functionality provided by authn_alias in previous versions
-# authz_core: new module, provides core authorization capabilities
-# cache_disk: replacement for mem_cache
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
-# socache_shmcb: shared object cache provider. Default config with ssl needs it
-# unixd: fixes startup error: Invalid command 'User'
-IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic 
auth_digest auth_form
-authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
-brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav 
dav_fs dav_lock
-dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
-ident imagemap include info lbmethod_byrequests lbmethod_bytraffic 
lbmethod_bybusyness
-lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic 
negotiation
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html 
proxy_http proxy_scgi
-proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip 
reqtimeout
-session session_cookie session_crypto session_dbd setenvif slotmem_shm 
socache_memcache
-socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
-unixd version vhost_alias watchdog xml2enc"
-# The following are also in the source as of this version, but are not 
available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-       auth_form:session
-       brotli:filter
-       dav_fs:dav
-       dav_lock:dav
-       deflate:filter
-       cache_disk:cache
-       ext_filter:filter
-       file_cache:cache
-       lbmethod_byrequests:proxy_balancer
-       lbmethod_byrequests:slotmem_shm
-       lbmethod_bytraffic:proxy_balancer
-       lbmethod_bybusyness:proxy_balancer
-       lbmethod_heartbeat:proxy_balancer
-       log_forensic:log_config
-       logio:log_config
-       cache_disk:cache
-       cache_socache:cache
-       md:watchdog
-       mime_magic:mime
-       proxy_ajp:proxy
-       proxy_balancer:proxy
-       proxy_balancer:slotmem_shm
-       proxy_connect:proxy
-       proxy_ftp:proxy
-       proxy_hcheck:proxy
-       proxy_hcheck:watchdog
-       proxy_html:proxy
-       proxy_html:xml2enc
-       proxy_http:proxy
-       proxy_http2:proxy
-       proxy_scgi:proxy
-       proxy_uwsgi:proxy
-       proxy_fcgi:proxy
-       proxy_wstunnel:proxy
-       session_cookie:session
-       session_dbd:dbd
-       session_dbd:session
-       socache_memcache:cache
-       substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-       auth_digest:AUTH_DIGEST
-       authnz_ldap:AUTHNZ_LDAP
-       cache:CACHE
-       cache_disk:CACHE
-       cache_socache:CACHE
-       dav:DAV
-       dav_fs:DAV
-       dav_lock:DAV
-       file_cache:CACHE
-       http2:HTTP2
-       info:INFO
-       ldap:LDAP
-       lua:LUA
-       md:SSL
-       proxy:PROXY
-       proxy_ajp:PROXY
-       proxy_balancer:PROXY
-       proxy_connect:PROXY
-       proxy_fcgi:PROXY
-       proxy_ftp:PROXY
-       proxy_hcheck:PROXY
-       proxy_html:PROXY
-       proxy_http:PROXY
-       proxy_http2:PROXY
-       proxy_scgi:PROXY
-       proxy_uwsgi:PROXY
-       proxy_wstunnel:PROXY
-       socache_shmcb:SSL
-       socache_memcache:CACHE
-       ssl:SSL
-       status:STATUS
-       suexec:SUEXEC
-       systemd:SYSTEMD
-       userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-       authn_core
-       authz_core
-       authz_host
-       dir
-       mime
-       unixd
-"
-inherit apache-2 systemd tmpfiles toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/";
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
-
-RDEPEND="
-       apache2_modules_tls? ( >=net-libs/rustls-ffi-0.13.0:= )
-"
-DEPEND="${RDEPEND}"
-
-PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" 
"${FILESDIR}/${P}-rustls-0.13.0.patch" )
-
-pkg_setup() {
-       # dependent critical modules which are not allowed in global scope due
-       # to USE flag conditionals (bug #499260)
-       use ssl && MODULE_CRITICAL+=" socache_shmcb"
-       use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
-       apache-2_pkg_setup
-}
-
-src_configure() {
-       # Brain dead check.
-       tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-       apache-2_src_configure
-}
-
-src_compile() {
-       if tc-is-cross-compiler ; then
-               # This header is the same across targets, so use the build 
compiler.
-               pushd server >/dev/null
-               emake gen_test_char
-               tc-export_build_env BUILD_CC
-               ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
-                       gen_test_char.c -o gen_test_char $(apr-1-config 
--includes) || die
-               popd >/dev/null
-       fi
-
-       default
-}
-
-src_install() {
-       apache-2_src_install
-       local i
-       local apache_tools_prune_list=(
-               /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
-               /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
-               
/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
-               /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
-       )
-       for i in ${apache_tools_prune_list[@]} ; do
-               rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
-       done
-
-       dobin support/apxs
-
-       # Note: wait for mod_systemd to be included in some forthcoming release,
-       # Then apache2.4.service can be used and systemd support controlled
-       # through --enable-systemd
-       systemd_newunit "${FILESDIR}/apache2.4-hardened.service" 
"apache2.service"
-       dotmpfiles "${FILESDIR}/apache.conf"
-       #insinto /etc/apache2/modules.d
-       #doins "${FILESDIR}/00_systemd.conf"
-
-       # Install http2 module config
-       insinto /etc/apache2/modules.d
-       doins "${FILESDIR}"/41_mod_http2.conf
-
-       # Fix path to apache libdir
-       sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
-}
-
-pkg_postinst() {
-       apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
-
-       tmpfiles_process apache.conf #662544
-
-       # warnings that default config might not work out of the box
-       local mod cmod
-       for mod in ${MODULE_CRITICAL} ; do
-               if ! use "apache2_modules_${mod}"; then
-                       echo
-                       ewarn "Warning: Critical module not installed!"
-                       ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
-                       ewarn "are highly recomended but might not be in the 
base profile yet."
-                       ewarn "Default config for ssl needs module 
'socache_shmcb'."
-                       ewarn "Enabling the following flags is highly 
recommended:"
-                       for cmod in ${MODULE_CRITICAL} ; do
-                               use "apache2_modules_${cmod}" || \
-                                       ewarn "+ apache2_modules_${cmod}"
-                       done
-                       echo
-                       break
-               fi
-       done
-       # warning for proxy_balancer and missing load balancing scheduler
-       if use apache2_modules_proxy_balancer; then
-               local lbset=
-               for mod in lbmethod_byrequests lbmethod_bytraffic 
lbmethod_bybusyness lbmethod_heartbeat; do
-                       if use "apache2_modules_${mod}"; then
-                               lbset=1 && break
-                       fi
-               done
-               if [[ ! ${lbset} ]] ; then
-                       echo
-                       ewarn "Info: Missing load balancing scheduler algorithm 
module"
-                       ewarn "(They were split off from proxy_balancer in 2.3)"
-                       ewarn "In order to get the ability of load balancing, 
at least"
-                       ewarn "one of these modules has to be present:"
-                       ewarn "lbmethod_byrequests lbmethod_bytraffic 
lbmethod_bybusyness lbmethod_heartbeat"
-                       echo
-               fi
-       fi
-}

diff --git a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch 
b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
deleted file mode 100644
index f8cfc6b73c31..000000000000
--- a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <[email protected]>
-Date: Sun, 21 Apr 2024 15:05:19 -0400
-Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
-
-The rustls version included in the rustls-ffi version output does not
-always contain three components. E.g. rustls-ffi 0.12.2 uses the version
-string:
-
-  rustls-ffi/0.12.2/rustls/0.22
-
-Notably there is no `.0` after the `0.22` for the Rustls version, and
-this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
----
- test/modules/tls/test_08_vars.py      | 2 +-
- test/modules/tls/test_14_proxy_ssl.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/test/modules/tls/test_08_vars.py 
b/test/modules/tls/test_08_vars.py
-index ad764a7985a..0e3ee74d2df 100644
---- a/test/modules/tls/test_08_vars.py
-+++ b/test/modules/tls/test_08_vars.py
-@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
- 
-     @pytest.mark.parametrize("name, pattern", [
-         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
--        ("SSL_VERSION_LIBRARY", 
r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+        ("SSL_VERSION_LIBRARY", 
r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
-     ])
-     def test_tls_08_vars_match(self, env, name: str, pattern: str):
-         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
-diff --git a/test/modules/tls/test_14_proxy_ssl.py 
b/test/modules/tls/test_14_proxy_ssl.py
-index 2f46c64f710..87e04c28afa 100644
---- a/test/modules/tls/test_14_proxy_ssl.py
-+++ b/test/modules/tls/test_14_proxy_ssl.py
-@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, 
value: str):
- 
-     @pytest.mark.parametrize("name, pattern", [
-         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
--        ("SSL_VERSION_LIBRARY", 
r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+        ("SSL_VERSION_LIBRARY", 
r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
-     ])
-     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
-         if not HttpdTestEnv.has_shared_module("tls"):
-From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <[email protected]>
-Date: Sun, 21 Apr 2024 15:19:50 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
-
-See upstream release notes[0] for more information.
-
-Also note that the, ahem, clunkyness of the verifier API is reduced in
-the 0.12 release and this is a transition state.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
----
- .github/workflows/linux.yml |  2 +-
- modules/tls/tls_cert.c      | 26 ++++++++++++++++++--------
- modules/tls/tls_cert.h      |  6 +++---
- modules/tls/tls_core.c      |  4 ++--
- 4 files changed, 24 insertions(+), 14 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 8c45faf5651..1ac41c6b2d6 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.10.0"
-+              RUSTLS_VERSION="v0.11.0"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 624535aa444..17a35fc498d 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
- 
- typedef struct {
-     const char *id;
--    const rustls_client_cert_verifier *client_verifier;
--    const rustls_client_cert_verifier_optional *client_verifier_opt;
-+    const rustls_allow_any_authenticated_client_verifier *client_verifier;
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
*client_verifier_opt;
- } tls_cert_verifiers_entry_t;
- 
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t 
klen, const void *val)
-@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void 
*key, apr_ssize_t klen,
-     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
-     (void)ctx; (void)key; (void)klen;
-     if (entry->client_verifier) {
--        rustls_client_cert_verifier_free(entry->client_verifier);
-+        
rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-         entry->client_verifier = NULL;
-     }
-     if (entry->client_verifier_opt) {
--        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
-+        
rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-         entry->client_verifier_opt = NULL;
-     }
-     return 1;
-@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * 
verifiers_get_or_make_entry(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier **pverifier)
-+    const rustls_allow_any_authenticated_client_verifier **pverifier)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
-+    struct rustls_allow_any_authenticated_client_builder *verifier_builder = 
NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier) {
-         rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        entry->client_verifier = rustls_client_cert_verifier_new(store);
-+        verifier_builder = 
rustls_allow_any_authenticated_client_builder_new(store);
-+        entry->client_verifier = 
rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-     }
- 
- cleanup:
-+    if (verifier_builder != NULL) {
-+        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+    }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier;
-     }
-@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier_optional **pverifier)
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
**pverifier)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
-+    struct rustls_allow_any_anonymous_or_authenticated_client_builder 
*verifier_builder = NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier_opt) {
-         rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        entry->client_verifier_opt = 
rustls_client_cert_verifier_optional_new(store);
-+        verifier_builder = 
rustls_client_cert_verifier_optional_builder_new(store);
-+        entry->client_verifier_opt = 
rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
-     }
- 
- cleanup:
-+    if (verifier_builder != NULL) {
-+        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-+    }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier_opt;
-     }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 6ab3f48ae13..4ac3865dd86 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier **pverifier);
-+    const rustls_allow_any_authenticated_client_verifier **pverifier);
- 
- /**
-  * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier_optional **pverifier);
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
**pverifier);
- 
--#endif /* tls_cert_h */
-\ No newline at end of file
-+#endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index 25479392f1a..df29077826d 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -1119,13 +1119,13 @@ static apr_status_t 
build_server_connection(rustls_connection **pconnection,
-     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
-         ap_assert(sc->client_ca);  /* checked in server_setup */
-         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
--            const rustls_client_cert_verifier *verifier;
-+            const rustls_allow_any_authenticated_client_verifier *verifier;
-             rv = tls_cert_client_verifiers_get(sc->global->verifiers, 
sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             rustls_server_config_builder_set_client_verifier(builder, 
verifier);
-         }
-         else {
--            const rustls_client_cert_verifier_optional *verifier;
-+            const rustls_allow_any_anonymous_or_authenticated_client_verifier 
*verifier;
-             rv = 
tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, 
&verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             
rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <[email protected]>
-Date: Sun, 21 Apr 2024 15:37:25 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
-
-See upstream release notes for more information:
-
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
----
- .github/workflows/linux.yml |  2 +-
- modules/tls/tls_cert.c      | 99 ++++++++++++++++++++-----------------
- modules/tls/tls_cert.h      |  8 +--
- modules/tls/tls_core.c      | 16 ++++--
- 4 files changed, 70 insertions(+), 55 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 1ac41c6b2d6..3700bc4546a 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.11.0"
-+              RUSTLS_VERSION="v0.12.2"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 17a35fc498d..ffb941cae40 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, 
const rustls_certified_key
- }
- 
- apr_status_t tls_cert_load_root_store(
--    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
-+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store 
**pstore)
- {
-     const char *fpath;
-     tls_data_t pem;
--    rustls_root_cert_store *store = NULL;
-+    rustls_root_cert_store_builder *store_builder = NULL;
-+    const rustls_root_cert_store *store = NULL;
-     rustls_result rr = RUSTLS_RESULT_OK;
-     apr_pool_t *ptemp = NULL;
-     apr_status_t rv;
-@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
-     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
-     if (APR_SUCCESS != rv) goto cleanup;
- 
--    store = rustls_root_cert_store_new();
--    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
-+    store_builder = rustls_root_cert_store_builder_new();
-+    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, 
pem.len, 1);
-+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+
-+    rr = rustls_root_cert_store_builder_build(store_builder, &store);
-     if (RUSTLS_RESULT_OK != rr) goto cleanup;
- 
- cleanup:
-+    if (store_builder != NULL) {
-+        rustls_root_cert_store_builder_free(store_builder);
-+    }
-     if (RUSTLS_RESULT_OK != rr) {
-         const char *err_descr;
-         rv = tls_util_rustls_error(p, rr, &err_descr);
-@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
- 
- typedef struct {
-     const char *id;
--    rustls_root_cert_store *store;
-+    const rustls_root_cert_store *store;
- } tls_cert_root_stores_entry_t;
- 
- static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, 
const void *val)
-@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t 
*stores)
- apr_status_t tls_cert_root_stores_get(
-     tls_cert_root_stores_t *stores,
-     const char *store_file,
--    rustls_root_cert_store **pstore)
-+    const rustls_root_cert_store **pstore)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_root_stores_entry_t *entry;
- 
-     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
-     if (!entry) {
--        rustls_root_cert_store *store;
-+        const rustls_root_cert_store *store;
-         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
-         entry = apr_pcalloc(stores->pool, sizeof(*entry));
-@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
- 
- typedef struct {
-     const char *id;
--    const rustls_allow_any_authenticated_client_verifier *client_verifier;
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
*client_verifier_opt;
-+    rustls_client_cert_verifier *client_verifier;
-+    rustls_client_cert_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
- 
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t 
klen, const void *val)
-@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void 
*key, apr_ssize_t klen,
-     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
-     (void)ctx; (void)key; (void)klen;
-     if (entry->client_verifier) {
--        
rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-+        rustls_client_cert_verifier_free(entry->client_verifier);
-         entry->client_verifier = NULL;
-     }
-     if (entry->client_verifier_opt) {
--        
rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-+        rustls_client_cert_verifier_free(entry->client_verifier_opt);
-         entry->client_verifier_opt = NULL;
-     }
-     return 1;
-@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * 
verifiers_get_or_make_entry(
-     return entry;
- }
- 
--apr_status_t tls_cert_client_verifiers_get(
--    tls_cert_verifiers_t *verifiers,
--    const char *store_file,
--    const rustls_allow_any_authenticated_client_verifier **pverifier)
-+static apr_status_t tls_cert_client_verifiers_get_internal(
-+        tls_cert_verifiers_t *verifiers,
-+        const char *store_file,
-+        const rustls_client_cert_verifier **pverifier,
-+        bool allow_unauthenticated)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
--    struct rustls_allow_any_authenticated_client_builder *verifier_builder = 
NULL;
-+    rustls_result rr = RUSTLS_RESULT_OK;
-+    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = 
NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier) {
--        rustls_root_cert_store *store;
-+        const rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        verifier_builder = 
rustls_allow_any_authenticated_client_builder_new(store);
--        entry->client_verifier = 
rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-+        verifier_builder = 
rustls_web_pki_client_cert_verifier_builder_new(store);
-+
-+        if (allow_unauthenticated) {
-+            rr = 
rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
-+            if (rr != RUSTLS_RESULT_OK) {
-+                goto cleanup;
-+            }
-+        }
-+
-+        rr = 
rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, 
&entry->client_verifier);
-+        if (rr != RUSTLS_RESULT_OK) {
-+            goto cleanup;
-+        }
-     }
- 
- cleanup:
-     if (verifier_builder != NULL) {
--        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
-+    }
-+    if (rr != RUSTLS_RESULT_OK) {
-+        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
-     }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier;
-@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
-     return rv;
- }
- 
--apr_status_t tls_cert_client_verifiers_get_optional(
-+
-+apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
**pverifier)
-+    const rustls_client_cert_verifier **pverifier)
- {
--    apr_status_t rv = APR_SUCCESS;
--    tls_cert_verifiers_entry_t *entry;
--    struct rustls_allow_any_anonymous_or_authenticated_client_builder 
*verifier_builder = NULL;
--
--    entry = verifiers_get_or_make_entry(verifiers, store_file);
--    if (!entry->client_verifier_opt) {
--        rustls_root_cert_store *store;
--        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
--        if (APR_SUCCESS != rv) goto cleanup;
--        verifier_builder = 
rustls_client_cert_verifier_optional_builder_new(store);
--        entry->client_verifier_opt = 
rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
--    }
-+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, 
pverifier, false);
-+}
- 
--cleanup:
--    if (verifier_builder != NULL) {
--        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
--    }
--    if (APR_SUCCESS == rv) {
--        *pverifier = entry->client_verifier_opt;
--    }
--    else {
--        *pverifier = NULL;
--    }
--    return rv;
-+apr_status_t tls_cert_client_verifiers_get_optional(
-+    tls_cert_verifiers_t *verifiers,
-+    const char *store_file,
-+    const rustls_client_cert_verifier **pverifier)
-+{
-+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, 
pverifier, true);
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 4ac3865dd86..3326f0eb3e7 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const 
rustls_certified_key
-  * @param pstore the loaded root store on success
-  */
- apr_status_t tls_cert_load_root_store(
--    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
-+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store 
**pstore);
- 
- typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
- struct tls_cert_root_stores_t {
-@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t 
*stores);
- apr_status_t tls_cert_root_stores_get(
-     tls_cert_root_stores_t *stores,
-     const char *store_file,
--    rustls_root_cert_store **pstore);
-+    const rustls_root_cert_store **pstore);
- 
- typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
- struct tls_cert_verifiers_t {
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_authenticated_client_verifier **pverifier);
-+    const rustls_client_cert_verifier **pverifier);
- 
- /**
-  * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier 
**pverifier);
-+    const rustls_client_cert_verifier **pverifier);
- 
- #endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index df29077826d..1cef254f103 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     tls_conf_proxy_t *pc;
-     const apr_array_header_t *ciphersuites = NULL;
-     apr_array_header_t *tls_versions = NULL;
-+    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
-+    struct rustls_server_cert_verifier *verifier = NULL;
-     rustls_client_config_builder *builder = NULL;
--    rustls_root_cert_store *ca_store = NULL;
-+    const rustls_root_cert_store *ca_store = NULL;
-     const char *hostname = NULL, *alpn_note = NULL;
-     rustls_result rr = RUSTLS_RESULT_OK;
-     apr_status_t rv = APR_SUCCESS;
-@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
-         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, 
&ca_store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        rustls_client_config_builder_use_roots(builder, ca_store);
-+        verifier_builder = 
rustls_web_pki_server_cert_verifier_builder_new(ca_store);
-+        rr = 
rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
-+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+        rustls_client_config_builder_set_server_verifier(builder, verifier);
-     }
- 
- #if TLS_MACHINE_CERTS
-@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     rustls_connection_set_userdata(cc->rustls_connection, c);
- 
- cleanup:
-+    if (verifier_builder != NULL) 
rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
-     if (builder != NULL) rustls_client_config_builder_free(builder);
-     if (RUSTLS_RESULT_OK != rr) {
-         const char *err_descr = NULL;
-@@ -1119,16 +1125,16 @@ static apr_status_t 
build_server_connection(rustls_connection **pconnection,
-     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
-         ap_assert(sc->client_ca);  /* checked in server_setup */
-         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
--            const rustls_allow_any_authenticated_client_verifier *verifier;
-+            const rustls_client_cert_verifier *verifier;
-             rv = tls_cert_client_verifiers_get(sc->global->verifiers, 
sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             rustls_server_config_builder_set_client_verifier(builder, 
verifier);
-         }
-         else {
--            const rustls_allow_any_anonymous_or_authenticated_client_verifier 
*verifier;
-+            const rustls_client_cert_verifier *verifier;
-             rv = 
tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, 
&verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
--            
rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-+            rustls_server_config_builder_set_client_verifier(builder, 
verifier);
-         }
-     }
- 
-From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <[email protected]>
-Date: Sun, 21 Apr 2024 13:49:49 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
-
-The breaking API changes in this release don't affect `mod_tls`, making
-this an in-place update.
-
-See the upstream release notes[0] for more information.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
----
- .github/workflows/linux.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 3700bc4546a..54dcd7b0b32 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.12.2"
-+              RUSTLS_VERSION="v0.13.0"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1
