Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/www-servers
diff options
context:
space:
mode:
authorHans de Graaff <graaff@gentoo.org>2024-05-11 09:12:55 +0200
committerHans de Graaff <graaff@gentoo.org>2024-05-11 09:13:21 +0200
commit7cd11ed4304bde562f3323e1c8771e92995cfb3c (patch)
tree49f983bffb7e9a36d8f8493b88a74aa339f2dffe /www-servers
parentwww-servers/apache: move patches into patchset (diff)
downloadgentoo-7cd11ed4304bde562f3323e1c8771e92995cfb3c.tar.gz
gentoo-7cd11ed4304bde562f3323e1c8771e92995cfb3c.tar.bz2
gentoo-7cd11ed4304bde562f3323e1c8771e92995cfb3c.zip
www-servers/apache: drop 2.4.59-r2
Signed-off-by: Hans de Graaff <graaff@gentoo.org>
Diffstat (limited to 'www-servers')
-rw-r--r--www-servers/apache/apache-2.4.59-r2.ebuild259
-rw-r--r--www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch544
2 files changed, 0 insertions, 803 deletions
diff --git a/www-servers/apache/apache-2.4.59-r2.ebuild b/www-servers/apache/apache-2.4.59-r2.ebuild
deleted file mode 100644
index 9da48f31fb38..000000000000
--- a/www-servers/apache/apache-2.4.59-r2.ebuild
+++ /dev/null
@@ -1,259 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20240405"
-GENTOO_DEVELOPER="graaff"
-GENTOO_PATCHNAME="gentoo-apache-2.4.59"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="prefork"
-IUSE_MPMS_THREAD="event worker"
-
-# << obsolete modules:
-# authn_default authz_default mem_cache
-# mem_cache is replaced by cache_disk
-# ?? buggy modules
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
-# >> added modules for reason:
-# compat: compatibility with 2.2 access control
-# authz_host: new module for access control
-# authn_core: functionality provided by authn_alias in previous versions
-# authz_core: new module, provides core authorization capabilities
-# cache_disk: replacement for mem_cache
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
-# socache_shmcb: shared object cache provider. Default config with ssl needs it
-# unixd: fixes startup error: Invalid command 'User'
-IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form
-authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
-brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
-dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
-ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
-lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
-proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
-session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
-socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
-unixd version vhost_alias watchdog xml2enc"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
- auth_form:session
- brotli:filter
- dav_fs:dav
- dav_lock:dav
- deflate:filter
- cache_disk:cache
- ext_filter:filter
- file_cache:cache
- lbmethod_byrequests:proxy_balancer
- lbmethod_byrequests:slotmem_shm
- lbmethod_bytraffic:proxy_balancer
- lbmethod_bybusyness:proxy_balancer
- lbmethod_heartbeat:proxy_balancer
- log_forensic:log_config
- logio:log_config
- cache_disk:cache
- cache_socache:cache
- md:watchdog
- mime_magic:mime
- proxy_ajp:proxy
- proxy_balancer:proxy
- proxy_balancer:slotmem_shm
- proxy_connect:proxy
- proxy_ftp:proxy
- proxy_hcheck:proxy
- proxy_hcheck:watchdog
- proxy_html:proxy
- proxy_html:xml2enc
- proxy_http:proxy
- proxy_http2:proxy
- proxy_scgi:proxy
- proxy_uwsgi:proxy
- proxy_fcgi:proxy
- proxy_wstunnel:proxy
- session_cookie:session
- session_dbd:dbd
- session_dbd:session
- socache_memcache:cache
- substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
- auth_digest:AUTH_DIGEST
- authnz_ldap:AUTHNZ_LDAP
- cache:CACHE
- cache_disk:CACHE
- cache_socache:CACHE
- dav:DAV
- dav_fs:DAV
- dav_lock:DAV
- file_cache:CACHE
- http2:HTTP2
- info:INFO
- ldap:LDAP
- lua:LUA
- md:SSL
- proxy:PROXY
- proxy_ajp:PROXY
- proxy_balancer:PROXY
- proxy_connect:PROXY
- proxy_fcgi:PROXY
- proxy_ftp:PROXY
- proxy_hcheck:PROXY
- proxy_html:PROXY
- proxy_http:PROXY
- proxy_http2:PROXY
- proxy_scgi:PROXY
- proxy_uwsgi:PROXY
- proxy_wstunnel:PROXY
- socache_shmcb:SSL
- socache_memcache:CACHE
- ssl:SSL
- status:STATUS
- suexec:SUEXEC
- systemd:SYSTEMD
- userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
- authn_core
- authz_core
- authz_host
- dir
- mime
- unixd
-"
-inherit apache-2 systemd tmpfiles toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
-
-RDEPEND="
- apache2_modules_tls? ( >=net-libs/rustls-ffi-0.13.0:= )
-"
-DEPEND="${RDEPEND}"
-
-PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" "${FILESDIR}/${P}-rustls-0.13.0.patch" )
-
-pkg_setup() {
- # dependent critical modules which are not allowed in global scope due
- # to USE flag conditionals (bug #499260)
- use ssl && MODULE_CRITICAL+=" socache_shmcb"
- use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
- apache-2_pkg_setup
-}
-
-src_configure() {
- # Brain dead check.
- tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
- apache-2_src_configure
-}
-
-src_compile() {
- if tc-is-cross-compiler ; then
- # This header is the same across targets, so use the build compiler.
- pushd server >/dev/null
- emake gen_test_char
- tc-export_build_env BUILD_CC
- ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
- gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
- popd >/dev/null
- fi
-
- default
-}
-
-src_install() {
- apache-2_src_install
- local i
- local apache_tools_prune_list=(
- /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
- /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
- /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
- /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
- )
- for i in ${apache_tools_prune_list[@]} ; do
- rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
- done
-
- dobin support/apxs
-
- # Note: wait for mod_systemd to be included in some forthcoming release,
- # Then apache2.4.service can be used and systemd support controlled
- # through --enable-systemd
- systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
- dotmpfiles "${FILESDIR}/apache.conf"
- #insinto /etc/apache2/modules.d
- #doins "${FILESDIR}/00_systemd.conf"
-
- # Install http2 module config
- insinto /etc/apache2/modules.d
- doins "${FILESDIR}"/41_mod_http2.conf
-
- # Fix path to apache libdir
- sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
-}
-
-pkg_postinst() {
- apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
-
- tmpfiles_process apache.conf #662544
-
- # warnings that default config might not work out of the box
- local mod cmod
- for mod in ${MODULE_CRITICAL} ; do
- if ! use "apache2_modules_${mod}"; then
- echo
- ewarn "Warning: Critical module not installed!"
- ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
- ewarn "are highly recomended but might not be in the base profile yet."
- ewarn "Default config for ssl needs module 'socache_shmcb'."
- ewarn "Enabling the following flags is highly recommended:"
- for cmod in ${MODULE_CRITICAL} ; do
- use "apache2_modules_${cmod}" || \
- ewarn "+ apache2_modules_${cmod}"
- done
- echo
- break
- fi
- done
- # warning for proxy_balancer and missing load balancing scheduler
- if use apache2_modules_proxy_balancer; then
- local lbset=
- for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
- if use "apache2_modules_${mod}"; then
- lbset=1 && break
- fi
- done
- if [[ ! ${lbset} ]] ; then
- echo
- ewarn "Info: Missing load balancing scheduler algorithm module"
- ewarn "(They were split off from proxy_balancer in 2.3)"
- ewarn "In order to get the ability of load balancing, at least"
- ewarn "one of these modules has to be present:"
- ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
- echo
- fi
- fi
-}
diff --git a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
deleted file mode 100644
index f8cfc6b73c31..000000000000
--- a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:05:19 -0400
-Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
-
-The rustls version included in the rustls-ffi version output does not
-always contain three components. E.g. rustls-ffi 0.12.2 uses the version
-string:
-
- rustls-ffi/0.12.2/rustls/0.22
-
-Notably there is no `.0` after the `0.22` for the Rustls version, and
-this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
----
- test/modules/tls/test_08_vars.py | 2 +-
- test/modules/tls/test_14_proxy_ssl.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
-index ad764a7985a..0e3ee74d2df 100644
---- a/test/modules/tls/test_08_vars.py
-+++ b/test/modules/tls/test_08_vars.py
-@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
-
- @pytest.mark.parametrize("name, pattern", [
- ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
- ])
- def test_tls_08_vars_match(self, env, name: str, pattern: str):
- r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
-diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
-index 2f46c64f710..87e04c28afa 100644
---- a/test/modules/tls/test_14_proxy_ssl.py
-+++ b/test/modules/tls/test_14_proxy_ssl.py
-@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
-
- @pytest.mark.parametrize("name, pattern", [
- ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
- ])
- def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
- if not HttpdTestEnv.has_shared_module("tls"):
-From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:19:50 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
-
-See upstream release notes[0] for more information.
-
-Also note that the, ahem, clunkyness of the verifier API is reduced in
-the 0.12 release and this is a transition state.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
----
- .github/workflows/linux.yml | 2 +-
- modules/tls/tls_cert.c | 26 ++++++++++++++++++--------
- modules/tls/tls_cert.h | 6 +++---
- modules/tls/tls_core.c | 4 ++--
- 4 files changed, 24 insertions(+), 14 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 8c45faf5651..1ac41c6b2d6 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.10.0"
-+ RUSTLS_VERSION="v0.11.0"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 624535aa444..17a35fc498d 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
-
- typedef struct {
- const char *id;
-- const rustls_client_cert_verifier *client_verifier;
-- const rustls_client_cert_verifier_optional *client_verifier_opt;
-+ const rustls_allow_any_authenticated_client_verifier *client_verifier;
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
-
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
- tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
- (void)ctx; (void)key; (void)klen;
- if (entry->client_verifier) {
-- rustls_client_cert_verifier_free(entry->client_verifier);
-+ rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
- entry->client_verifier = NULL;
- }
- if (entry->client_verifier_opt) {
-- rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
-+ rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
- entry->client_verifier_opt = NULL;
- }
- return 1;
-@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier **pverifier)
-+ const rustls_allow_any_authenticated_client_verifier **pverifier)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-+ struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier) {
- rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- entry->client_verifier = rustls_client_cert_verifier_new(store);
-+ verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
-+ entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
- }
-
- cleanup:
-+ if (verifier_builder != NULL) {
-+ rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+ }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier;
- }
-@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier_optional **pverifier)
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-+ struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier_opt) {
- rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
-+ verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
-+ entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
- }
-
- cleanup:
-+ if (verifier_builder != NULL) {
-+ rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-+ }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier_opt;
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 6ab3f48ae13..4ac3865dd86 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier **pverifier);
-+ const rustls_allow_any_authenticated_client_verifier **pverifier);
-
- /**
- * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier_optional **pverifier);
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
-
--#endif /* tls_cert_h */
-\ No newline at end of file
-+#endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index 25479392f1a..df29077826d 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
- if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
- ap_assert(sc->client_ca); /* checked in server_setup */
- if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
-- const rustls_client_cert_verifier *verifier;
-+ const rustls_allow_any_authenticated_client_verifier *verifier;
- rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- else {
-- const rustls_client_cert_verifier_optional *verifier;
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
- rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:37:25 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
-
-See upstream release notes for more information:
-
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
----
- .github/workflows/linux.yml | 2 +-
- modules/tls/tls_cert.c | 99 ++++++++++++++++++++-----------------
- modules/tls/tls_cert.h | 8 +--
- modules/tls/tls_core.c | 16 ++++--
- 4 files changed, 70 insertions(+), 55 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 1ac41c6b2d6..3700bc4546a 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.11.0"
-+ RUSTLS_VERSION="v0.12.2"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 17a35fc498d..ffb941cae40 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
- }
-
- apr_status_t tls_cert_load_root_store(
-- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
-+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
- {
- const char *fpath;
- tls_data_t pem;
-- rustls_root_cert_store *store = NULL;
-+ rustls_root_cert_store_builder *store_builder = NULL;
-+ const rustls_root_cert_store *store = NULL;
- rustls_result rr = RUSTLS_RESULT_OK;
- apr_pool_t *ptemp = NULL;
- apr_status_t rv;
-@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
- rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
- if (APR_SUCCESS != rv) goto cleanup;
-
-- store = rustls_root_cert_store_new();
-- rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
-+ store_builder = rustls_root_cert_store_builder_new();
-+ rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
-+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+
-+ rr = rustls_root_cert_store_builder_build(store_builder, &store);
- if (RUSTLS_RESULT_OK != rr) goto cleanup;
-
- cleanup:
-+ if (store_builder != NULL) {
-+ rustls_root_cert_store_builder_free(store_builder);
-+ }
- if (RUSTLS_RESULT_OK != rr) {
- const char *err_descr;
- rv = tls_util_rustls_error(p, rr, &err_descr);
-@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
-
- typedef struct {
- const char *id;
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- } tls_cert_root_stores_entry_t;
-
- static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
- apr_status_t tls_cert_root_stores_get(
- tls_cert_root_stores_t *stores,
- const char *store_file,
-- rustls_root_cert_store **pstore)
-+ const rustls_root_cert_store **pstore)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_root_stores_entry_t *entry;
-
- entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
- if (!entry) {
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- rv = tls_cert_load_root_store(stores->pool, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
- entry = apr_pcalloc(stores->pool, sizeof(*entry));
-@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
-
- typedef struct {
- const char *id;
-- const rustls_allow_any_authenticated_client_verifier *client_verifier;
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
-+ rustls_client_cert_verifier *client_verifier;
-+ rustls_client_cert_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
-
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
- tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
- (void)ctx; (void)key; (void)klen;
- if (entry->client_verifier) {
-- rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-+ rustls_client_cert_verifier_free(entry->client_verifier);
- entry->client_verifier = NULL;
- }
- if (entry->client_verifier_opt) {
-- rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-+ rustls_client_cert_verifier_free(entry->client_verifier_opt);
- entry->client_verifier_opt = NULL;
- }
- return 1;
-@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
- return entry;
- }
-
--apr_status_t tls_cert_client_verifiers_get(
-- tls_cert_verifiers_t *verifiers,
-- const char *store_file,
-- const rustls_allow_any_authenticated_client_verifier **pverifier)
-+static apr_status_t tls_cert_client_verifiers_get_internal(
-+ tls_cert_verifiers_t *verifiers,
-+ const char *store_file,
-+ const rustls_client_cert_verifier **pverifier,
-+ bool allow_unauthenticated)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-- struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
-+ rustls_result rr = RUSTLS_RESULT_OK;
-+ struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier) {
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
-- entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-+ verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
-+
-+ if (allow_unauthenticated) {
-+ rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
-+ if (rr != RUSTLS_RESULT_OK) {
-+ goto cleanup;
-+ }
-+ }
-+
-+ rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
-+ if (rr != RUSTLS_RESULT_OK) {
-+ goto cleanup;
-+ }
- }
-
- cleanup:
- if (verifier_builder != NULL) {
-- rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+ rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
-+ }
-+ if (rr != RUSTLS_RESULT_OK) {
-+ rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
- }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier;
-@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
- return rv;
- }
-
--apr_status_t tls_cert_client_verifiers_get_optional(
-+
-+apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
-+ const rustls_client_cert_verifier **pverifier)
- {
-- apr_status_t rv = APR_SUCCESS;
-- tls_cert_verifiers_entry_t *entry;
-- struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
--
-- entry = verifiers_get_or_make_entry(verifiers, store_file);
-- if (!entry->client_verifier_opt) {
-- rustls_root_cert_store *store;
-- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-- if (APR_SUCCESS != rv) goto cleanup;
-- verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
-- entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
-- }
-+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
-+}
-
--cleanup:
-- if (verifier_builder != NULL) {
-- rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-- }
-- if (APR_SUCCESS == rv) {
-- *pverifier = entry->client_verifier_opt;
-- }
-- else {
-- *pverifier = NULL;
-- }
-- return rv;
-+apr_status_t tls_cert_client_verifiers_get_optional(
-+ tls_cert_verifiers_t *verifiers,
-+ const char *store_file,
-+ const rustls_client_cert_verifier **pverifier)
-+{
-+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 4ac3865dd86..3326f0eb3e7 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
- * @param pstore the loaded root store on success
- */
- apr_status_t tls_cert_load_root_store(
-- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
-+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
-
- typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
- struct tls_cert_root_stores_t {
-@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
- apr_status_t tls_cert_root_stores_get(
- tls_cert_root_stores_t *stores,
- const char *store_file,
-- rustls_root_cert_store **pstore);
-+ const rustls_root_cert_store **pstore);
-
- typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
- struct tls_cert_verifiers_t {
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_authenticated_client_verifier **pverifier);
-+ const rustls_client_cert_verifier **pverifier);
-
- /**
- * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
-+ const rustls_client_cert_verifier **pverifier);
-
- #endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index df29077826d..1cef254f103 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- tls_conf_proxy_t *pc;
- const apr_array_header_t *ciphersuites = NULL;
- apr_array_header_t *tls_versions = NULL;
-+ rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
-+ struct rustls_server_cert_verifier *verifier = NULL;
- rustls_client_config_builder *builder = NULL;
-- rustls_root_cert_store *ca_store = NULL;
-+ const rustls_root_cert_store *ca_store = NULL;
- const char *hostname = NULL, *alpn_note = NULL;
- rustls_result rr = RUSTLS_RESULT_OK;
- apr_status_t rv = APR_SUCCESS;
-@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
- rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
- if (APR_SUCCESS != rv) goto cleanup;
-- rustls_client_config_builder_use_roots(builder, ca_store);
-+ verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
-+ rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
-+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+ rustls_client_config_builder_set_server_verifier(builder, verifier);
- }
-
- #if TLS_MACHINE_CERTS
-@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- rustls_connection_set_userdata(cc->rustls_connection, c);
-
- cleanup:
-+ if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
- if (builder != NULL) rustls_client_config_builder_free(builder);
- if (RUSTLS_RESULT_OK != rr) {
- const char *err_descr = NULL;
-@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
- if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
- ap_assert(sc->client_ca); /* checked in server_setup */
- if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
-- const rustls_allow_any_authenticated_client_verifier *verifier;
-+ const rustls_client_cert_verifier *verifier;
- rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- else {
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
-+ const rustls_client_cert_verifier *verifier;
- rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
-- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-+ rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- }
-
-From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 13:49:49 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
-
-The breaking API changes in this release don't affect `mod_tls`, making
-this an in-place update.
-
-See the upstream release notes[0] for more information.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
----
- .github/workflows/linux.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 3700bc4546a..54dcd7b0b32 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.12.2"
-+ RUSTLS_VERSION="v0.13.0"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1