* mod_tls: update version of rustls-ffi to v0.13.0.

icing · icing · commit c8a9d21e0cce · 2024-04-22T13:55:22.000Z
[Daniel McCarney (@cpu}] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917270 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -241,7 +241,7 @@ jobs:
               APR_VERSION=1.7.4
               APU_VERSION=1.6.3
               APU_CONFIG="--with-crypto"
-              RUSTLS_VERSION="v0.10.0"
+              RUSTLS_VERSION="v0.13.0"
               NO_TEST_FRAMEWORK=1
               TEST_INSTALL=1
               TEST_MOD_TLS=1
diff --git a/.gitignore b/.gitignore
@@ -76,6 +76,19 @@ Release
 /build/config.sub
 /build/config.guess
 /build/config_vars.sh
+/build/confdefs.h
+/build/config.log
+/build/config.nice
+/build/srclib/
+/build/srclib/pth
+/build/srclib/apr
+/build/srclib/apr-util
+/build/srclib/apr-iconv
+/build/srclib/distcache
+/build/srclib/lua
+/build/srclib/pcre
+/build/srclib/openssl
+/build/srclib/zlib
 
 # /build/pkg/
 /build/pkg/pkginfo
@@ -371,4 +384,4 @@ test/*/*/__pycache__
 
 # make check
 check
-build/config_vars.out
+build/config_vars.out
diff --git a/changes-entries/mod_tls_v0.9.0.txt b/changes-entries/mod_tls_v0.9.0.txt
@@ -0,0 +1,2 @@
+ * mod_tls: update version of rustls-ffi to v0.13.0.
+   [Daniel McCarney (@cpu}]
diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
 }
 
 apr_status_t tls_cert_load_root_store(
-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
 {
     const char *fpath;
     tls_data_t pem;
-    rustls_root_cert_store *store = NULL;
+    rustls_root_cert_store_builder *store_builder = NULL;
+    const rustls_root_cert_store *store = NULL;
     rustls_result rr = RUSTLS_RESULT_OK;
     apr_pool_t *ptemp = NULL;
     apr_status_t rv;
@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
     if (APR_SUCCESS != rv) goto cleanup;
 
-    store = rustls_root_cert_store_new();
-    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
+    store_builder = rustls_root_cert_store_builder_new();
+    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+    rr = rustls_root_cert_store_builder_build(store_builder, &store);
     if (RUSTLS_RESULT_OK != rr) goto cleanup;
 
 cleanup:
+    if (store_builder != NULL) {
+        rustls_root_cert_store_builder_free(store_builder);
+    }
     if (RUSTLS_RESULT_OK != rr) {
         const char *err_descr;
         rv = tls_util_rustls_error(p, rr, &err_descr);
@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
 
 typedef struct {
     const char *id;
-    rustls_root_cert_store *store;
+    const rustls_root_cert_store *store;
 } tls_cert_root_stores_entry_t;
 
 static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
 apr_status_t tls_cert_root_stores_get(
     tls_cert_root_stores_t *stores,
     const char *store_file,
-    rustls_root_cert_store **pstore)
+    const rustls_root_cert_store **pstore)
 {
     apr_status_t rv = APR_SUCCESS;
     tls_cert_root_stores_entry_t *entry;
 
     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
     if (!entry) {
-        rustls_root_cert_store *store;
+        const rustls_root_cert_store *store;
         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
         if (APR_SUCCESS != rv) goto cleanup;
         entry = apr_pcalloc(stores->pool, sizeof(*entry));
@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
 
 typedef struct {
     const char *id;
-    const rustls_client_cert_verifier *client_verifier;
-    const rustls_client_cert_verifier_optional *client_verifier_opt;
+    rustls_client_cert_verifier *client_verifier;
+    rustls_client_cert_verifier *client_verifier_opt;
 } tls_cert_verifiers_entry_t;
 
 static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -462,7 +469,7 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
         entry->client_verifier = NULL;
     }
     if (entry->client_verifier_opt) {
-        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
+        rustls_client_cert_verifier_free(entry->client_verifier_opt);
         entry->client_verifier_opt = NULL;
     }
     return 1;
@@ -511,23 +518,44 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
     return entry;
 }
 
-apr_status_t tls_cert_client_verifiers_get(
-    tls_cert_verifiers_t *verifiers,
-    const char *store_file,
-    const rustls_client_cert_verifier **pverifier)
+static apr_status_t tls_cert_client_verifiers_get_internal(
+        tls_cert_verifiers_t *verifiers,
+        const char *store_file,
+        const rustls_client_cert_verifier **pverifier,
+        bool allow_unauthenticated)
 {
     apr_status_t rv = APR_SUCCESS;
     tls_cert_verifiers_entry_t *entry;
+    rustls_result rr = RUSTLS_RESULT_OK;
+    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
 
     entry = verifiers_get_or_make_entry(verifiers, store_file);
     if (!entry->client_verifier) {
-        rustls_root_cert_store *store;
+        const rustls_root_cert_store *store;
         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
         if (APR_SUCCESS != rv) goto cleanup;
-        entry->client_verifier = rustls_client_cert_verifier_new(store);
+        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
+
+        if (allow_unauthenticated) {
+            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
+            if (rr != RUSTLS_RESULT_OK) {
+                goto cleanup;
+            }
+        }
+
+        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
+        if (rr != RUSTLS_RESULT_OK) {
+            goto cleanup;
+        }
     }
 
 cleanup:
+    if (verifier_builder != NULL) {
+        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
+    }
+    if (rr != RUSTLS_RESULT_OK) {
+        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+    }
     if (APR_SUCCESS == rv) {
         *pverifier = entry->client_verifier;
     }
@@ -537,28 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
     return rv;
 }
 
-apr_status_t tls_cert_client_verifiers_get_optional(
+
+apr_status_t tls_cert_client_verifiers_get(
     tls_cert_verifiers_t *verifiers,
     const char *store_file,
-    const rustls_client_cert_verifier_optional **pverifier)
+    const rustls_client_cert_verifier **pverifier)
 {
-    apr_status_t rv = APR_SUCCESS;
-    tls_cert_verifiers_entry_t *entry;
-
-    entry = verifiers_get_or_make_entry(verifiers, store_file);
-    if (!entry->client_verifier_opt) {
-        rustls_root_cert_store *store;
-        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-        if (APR_SUCCESS != rv) goto cleanup;
-        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
-    }
+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
+}
 
-cleanup:
-    if (APR_SUCCESS == rv) {
-        *pverifier = entry->client_verifier_opt;
-    }
-    else {
-        *pverifier = NULL;
-    }
-    return rv;
+apr_status_t tls_cert_client_verifiers_get_optional(
+    tls_cert_verifiers_t *verifiers,
+    const char *store_file,
+    const rustls_client_cert_verifier **pverifier)
+{
+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
 }
diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
  * @param pstore the loaded root store on success
  */
 apr_status_t tls_cert_load_root_store(
-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
 
 typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
 struct tls_cert_root_stores_t {
@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
 apr_status_t tls_cert_root_stores_get(
     tls_cert_root_stores_t *stores,
     const char *store_file,
-    rustls_root_cert_store **pstore);
+    const rustls_root_cert_store **pstore);
 
 typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
 struct tls_cert_verifiers_t {
@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
 apr_status_t tls_cert_client_verifiers_get_optional(
     tls_cert_verifiers_t *verifiers,
     const char *store_file,
-    const rustls_client_cert_verifier_optional **pverifier);
+    const rustls_client_cert_verifier **pverifier);
 
-#endif /* tls_cert_h */
+#endif /* tls_cert_h */
diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     tls_conf_proxy_t *pc;
     const apr_array_header_t *ciphersuites = NULL;
     apr_array_header_t *tls_versions = NULL;
+    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
+    struct rustls_server_cert_verifier *verifier = NULL;
     rustls_client_config_builder *builder = NULL;
-    rustls_root_cert_store *ca_store = NULL;
+    const rustls_root_cert_store *ca_store = NULL;
     const char *hostname = NULL, *alpn_note = NULL;
     rustls_result rr = RUSTLS_RESULT_OK;
     apr_status_t rv = APR_SUCCESS;
@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
         if (APR_SUCCESS != rv) goto cleanup;
-        rustls_client_config_builder_use_roots(builder, ca_store);
+        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
+        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+        rustls_client_config_builder_set_server_verifier(builder, verifier);
     }
 
 #if TLS_MACHINE_CERTS
@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     rustls_connection_set_userdata(cc->rustls_connection, c);
 
 cleanup:
+    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
     if (builder != NULL) rustls_client_config_builder_free(builder);
     if (RUSTLS_RESULT_OK != rr) {
         const char *err_descr = NULL;
@@ -1125,10 +1131,10 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
             rustls_server_config_builder_set_client_verifier(builder, verifier);
         }
         else {
-            const rustls_client_cert_verifier_optional *verifier;
+            const rustls_client_cert_verifier *verifier;
             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
             if (APR_SUCCESS != rv) goto cleanup;
-            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+            rustls_server_config_builder_set_client_verifier(builder, verifier);
         }
     }
 
diff --git a/modules/tls/tls_version.h b/modules/tls/tls_version.h
@@ -26,14 +26,14 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_TLS_VERSION "0.8.3"
+#define MOD_TLS_VERSION "0.9.0"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_TLS_VERSION_NUM 0x000802
+#define MOD_TLS_VERSION_NUM 0x000900
 
 #endif /* mod_md_md_version_h */
diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
 
     @pytest.mark.parametrize("name, pattern", [
         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
     ])
     def test_tls_08_vars_match(self, env, name: str, pattern: str):
         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
 
     @pytest.mark.parametrize("name, pattern", [
         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
     ])
     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
         if not HttpdTestEnv.has_shared_module("tls"):
diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh
@@ -266,7 +266,7 @@ fi
 if test -v TEST_MOD_TLS -a $RV -eq 0; then
     # Run mod_tls tests. The underlying librustls was build
     # and installed before we configured the server (see top of file).
-    # This will be replaved once librustls is available as a package.
+    # This will be replaced once librustls is available as a package.
     py.test-3 test/modules/tls
     RV=$?
 fi

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ * mod_tls: update version of rustls-ffi to v0.13.0.`
	`2`	`+ [Daniel McCarney (@cpu}]`