www-servers/apache: fix compatibility with rustls-0.13.0

Closes: https://bugs.gentoo.org/928046 Signed-off-by: Hans de Graaff <graaff@gentoo.org>
author: Hans de Graaff <graaff@gentoo.org> 2024-05-11 08:16:51 +0200
committer: Hans de Graaff <graaff@gentoo.org> 2024-05-11 08:21:00 +0200
commit: c5353958548b881dcc526a0ed8ce3013dddd4df1 (patch)
tree: 6cc5b2f79e34103f7400a65f2da9849ba25c0009 /www-servers
parent: media-sound/ncspot: add 1.1.1 (diff)
download: gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.tar.gz
gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.tar.bz2
gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.zip
2 files changed, 803 insertions, 0 deletions
diff --git a/www-servers/apache/apache-2.4.59-r2.ebuild b/www-servers/apache/apache-2.4.59-r2.ebuild
new file mode 100644
index 000000000000..9da48f31fb38
--- /dev/null
+++ b/www-servers/apache/apache-2.4.59-r2.ebuild
@@ -0,0 +1,259 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20240405"
+GENTOO_DEVELOPER="graaff"
+GENTOO_PATCHNAME="gentoo-apache-2.4.59"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_fcgi:PROXY
+	proxy_ftp:PROXY
+	proxy_hcheck:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_http2:PROXY
+	proxy_scgi:PROXY
+	proxy_uwsgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
+
+RDEPEND="
+	apache2_modules_tls? ( >=net-libs/rustls-ffi-0.13.0:= )
+"
+DEPEND="${RDEPEND}"
+
+PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" "${FILESDIR}/${P}-rustls-0.13.0.patch" )
+
+pkg_setup() {
+	# dependent critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	dobin support/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}
diff --git a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
new file mode 100644
index 000000000000..f8cfc6b73c31
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
@@ -0,0 +1,544 @@
+From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:05:19 -0400
+Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
+
+The rustls version included in the rustls-ffi version output does not
+always contain three components. E.g. rustls-ffi 0.12.2 uses the version
+string:
+
+  rustls-ffi/0.12.2/rustls/0.22
+
+Notably there is no `.0` after the `0.22` for the Rustls version, and
+this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
+---
+ test/modules/tls/test_08_vars.py      | 2 +-
+ test/modules/tls/test_14_proxy_ssl.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
+index ad764a7985a..0e3ee74d2df 100644
+--- a/test/modules/tls/test_08_vars.py
++++ b/test/modules/tls/test_08_vars.py
+@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_08_vars_match(self, env, name: str, pattern: str):
+         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
+diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
+index 2f46c64f710..87e04c28afa 100644
+--- a/test/modules/tls/test_14_proxy_ssl.py
++++ b/test/modules/tls/test_14_proxy_ssl.py
+@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
+         if not HttpdTestEnv.has_shared_module("tls"):
+From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:19:50 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
+
+See upstream release notes[0] for more information.
+
+Also note that the, ahem, clunkyness of the verifier API is reduced in
+the 0.12 release and this is a transition state.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 26 ++++++++++++++++++--------
+ modules/tls/tls_cert.h      |  6 +++---
+ modules/tls/tls_core.c      |  4 ++--
+ 4 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 8c45faf5651..1ac41c6b2d6 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.10.0"
++              RUSTLS_VERSION="v0.11.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 624535aa444..17a35fc498d 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_client_cert_verifier *client_verifier;
+-    const rustls_client_cert_verifier_optional *client_verifier_opt;
++    const rustls_allow_any_authenticated_client_verifier *client_verifier;
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_client_cert_verifier_free(entry->client_verifier);
++        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
++        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier)
++    const rustls_allow_any_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier = rustls_client_cert_verifier_new(store);
++        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
++        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+     }
+@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier)
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier_opt) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
++        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
++        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier_opt;
+     }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 6ab3f48ae13..4ac3865dd86 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier);
++    const rustls_allow_any_authenticated_client_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier);
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
+ 
+-#endif /* tls_cert_h */
+\ No newline at end of file
++#endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index 25479392f1a..df29077826d 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_client_cert_verifier *verifier;
++            const rustls_allow_any_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_client_cert_verifier_optional *verifier;
++            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:37:25 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
+
+See upstream release notes for more information:
+
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 99 ++++++++++++++++++++-----------------
+ modules/tls/tls_cert.h      |  8 +--
+ modules/tls/tls_core.c      | 16 ++++--
+ 4 files changed, 70 insertions(+), 55 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 1ac41c6b2d6..3700bc4546a 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.11.0"
++              RUSTLS_VERSION="v0.12.2"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 17a35fc498d..ffb941cae40 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+ }
+ 
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
+ {
+     const char *fpath;
+     tls_data_t pem;
+-    rustls_root_cert_store *store = NULL;
++    rustls_root_cert_store_builder *store_builder = NULL;
++    const rustls_root_cert_store *store = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_pool_t *ptemp = NULL;
+     apr_status_t rv;
+@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
+     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
+     if (APR_SUCCESS != rv) goto cleanup;
+ 
+-    store = rustls_root_cert_store_new();
+-    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
++    store_builder = rustls_root_cert_store_builder_new();
++    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
++    if (RUSTLS_RESULT_OK != rr) goto cleanup;
++
++    rr = rustls_root_cert_store_builder_build(store_builder, &store);
+     if (RUSTLS_RESULT_OK != rr) goto cleanup;
+ 
+ cleanup:
++    if (store_builder != NULL) {
++        rustls_root_cert_store_builder_free(store_builder);
++    }
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr;
+         rv = tls_util_rustls_error(p, rr, &err_descr);
+@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
+ 
+ typedef struct {
+     const char *id;
+-    rustls_root_cert_store *store;
++    const rustls_root_cert_store *store;
+ } tls_cert_root_stores_entry_t;
+ 
+ static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore)
++    const rustls_root_cert_store **pstore)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_root_stores_entry_t *entry;
+ 
+     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
+     if (!entry) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+         entry = apr_pcalloc(stores->pool, sizeof(*entry));
+@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_allow_any_authenticated_client_verifier *client_verifier;
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
++    rustls_client_cert_verifier *client_verifier;
++    rustls_client_cert_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
++        rustls_client_cert_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
++        rustls_client_cert_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+     return entry;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get(
+-    tls_cert_verifiers_t *verifiers,
+-    const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier)
++static apr_status_t tls_cert_client_verifiers_get_internal(
++        tls_cert_verifiers_t *verifiers,
++        const char *store_file,
++        const rustls_client_cert_verifier **pverifier,
++        bool allow_unauthenticated)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
++    rustls_result rr = RUSTLS_RESULT_OK;
++    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
+-        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
++        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
++
++        if (allow_unauthenticated) {
++            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
++            if (rr != RUSTLS_RESULT_OK) {
++                goto cleanup;
++            }
++        }
++
++        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
++        if (rr != RUSTLS_RESULT_OK) {
++            goto cleanup;
++        }
+     }
+ 
+ cleanup:
+     if (verifier_builder != NULL) {
+-        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
++    }
++    if (rr != RUSTLS_RESULT_OK) {
++        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+     }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
+     return rv;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get_optional(
++
++apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
++    const rustls_client_cert_verifier **pverifier)
+ {
+-    apr_status_t rv = APR_SUCCESS;
+-    tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+-
+-    entry = verifiers_get_or_make_entry(verifiers, store_file);
+-    if (!entry->client_verifier_opt) {
+-        rustls_root_cert_store *store;
+-        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+-        if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
+-        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+-    }
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
++}
+ 
+-cleanup:
+-    if (verifier_builder != NULL) {
+-        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
+-    }
+-    if (APR_SUCCESS == rv) {
+-        *pverifier = entry->client_verifier_opt;
+-    }
+-    else {
+-        *pverifier = NULL;
+-    }
+-    return rv;
++apr_status_t tls_cert_client_verifiers_get_optional(
++    tls_cert_verifiers_t *verifiers,
++    const char *store_file,
++    const rustls_client_cert_verifier **pverifier)
++{
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
+ }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 4ac3865dd86..3326f0eb3e7 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+  * @param pstore the loaded root store on success
+  */
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
+ struct tls_cert_root_stores_t {
+@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore);
++    const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
+ struct tls_cert_verifiers_t {
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ #endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index df29077826d..1cef254f103 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     tls_conf_proxy_t *pc;
+     const apr_array_header_t *ciphersuites = NULL;
+     apr_array_header_t *tls_versions = NULL;
++    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
++    struct rustls_server_cert_verifier *verifier = NULL;
+     rustls_client_config_builder *builder = NULL;
+-    rustls_root_cert_store *ca_store = NULL;
++    const rustls_root_cert_store *ca_store = NULL;
+     const char *hostname = NULL, *alpn_note = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_status_t rv = APR_SUCCESS;
+@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
+         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        rustls_client_config_builder_use_roots(builder, ca_store);
++        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
++        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
++        if (RUSTLS_RESULT_OK != rr) goto cleanup;
++        rustls_client_config_builder_set_server_verifier(builder, verifier);
+     }
+ 
+ #if TLS_MACHINE_CERTS
+@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     rustls_connection_set_userdata(cc->rustls_connection, c);
+ 
+ cleanup:
++    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
+     if (builder != NULL) rustls_client_config_builder_free(builder);
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr = NULL;
+@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_allow_any_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+-            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
++            rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+     }
+ 
+From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 13:49:49 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
+
+The breaking API changes in this release don't affect `mod_tls`, making
+this an in-place update.
+
+See the upstream release notes[0] for more information.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
+---
+ .github/workflows/linux.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 3700bc4546a..54dcd7b0b32 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.12.2"
++              RUSTLS_VERSION="v0.13.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
author	Hans de Graaff <graaff@gentoo.org>	2024-05-11 08:16:51 +0200
committer	Hans de Graaff <graaff@gentoo.org>	2024-05-11 08:21:00 +0200
commit	c5353958548b881dcc526a0ed8ce3013dddd4df1 (patch)
tree	6cc5b2f79e34103f7400a65f2da9849ba25c0009 /www-servers
parent	media-sound/ncspot: add 1.1.1 (diff)
download	gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.tar.gz gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.tar.bz2 gentoo-c5353958548b881dcc526a0ed8ce3013dddd4df1.zip