Merge pull request #1 from cpu/cpu-rustls-0.14

prepare mod_tls 0.14, updating to rustls-ffi 0.14

Author: icing

ChangeLog

@@ -1,3 +1,7 @@
+v0.14.0
+----------------------------------------------------------------------------------------------------
+ * Updated to rustls-ffi 0.14.0
+
 v0.13.0
 ----------------------------------------------------------------------------------------------------
  * align version somewhat with rustls-ffi version supported

README.md

@@ -6,8 +6,8 @@ implementation in Rust.
 
 ## Status
 
-The current state is compatible with **rustls-ffi v0.13.0** and needs at least Apache 2.4.48 for the 
-necessary infrastructure. A new release with support for rustls-ffi v0.14.0 is in the making.
+The current state is compatible with **rustls-ffi v0.14.0** and needs at least Apache 2.4.48 for the 
+necessary infrastructure.
 
 `mod_tls` gives you:
 
@@ -27,7 +27,7 @@ There is a [comparison table with mod_ssl functionality](#comparison-with-mod_ss
 
 ## Platforms
 
- * rustls-ffi v0.13.0
+ * rustls-ffi v0.14.0
  * Apache 2.4.48 or later
  * build system: autoconf/automake
 
@@ -473,4 +473,4 @@ This must be defined if client certificates are configured. The file needs to co
 
 The path can be specified relative to the server root.
 
--->
+-->

configure.ac

@@ -15,7 +15,7 @@
 #
 
 AC_PREREQ([2.69])
-AC_INIT([mod_tls], [0.13.0], [[email protected]])
+AC_INIT([mod_tls], [0.14.0], [[email protected]])
 
 LT_PREREQ([2.2.6])
 LT_INIT()

src/tls_cache.c

@@ -253,7 +253,7 @@ static rustls_result tls_cache_get(
     tls_cache_unlock(sc->global);
     if (APR_SUCCESS != rv) goto not_found;
     cc->session_id_cache_hit = 1;
-    *out_n = count;
+    *out_n = (size_t)vlen;
     return RUSTLS_RESULT_OK;
 
 not_found:

src/tls_core.c

@@ -553,8 +553,8 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
         rr = RUSTLS_RESULT_PANIC; goto cleanup;
     }
     rustls_server_config_builder_set_hello_callback(builder, extract_client_hello_values);
-    gc->rustls_hello_config = rustls_server_config_builder_build(builder);
-    if (!gc->rustls_hello_config) {
+    rr = rustls_server_config_builder_build(builder, &gc->rustls_hello_config);
+    if (NULL == gc->rustls_hello_config) {
         rr = RUSTLS_RESULT_PANIC; goto cleanup;
     }
 
@@ -564,7 +564,6 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
         rv = tls_util_rustls_error(p, rr, &err_descr);
         ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, APLOGNO(10328)
                      "Failed to init generic hello config: [%d] %s", (int)rr, err_descr);
-        goto cleanup;
     }
     return rv;
 }
@@ -762,6 +761,8 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 {
     tls_conf_conn_t *cc = tls_conf_conn_get(c);
     tls_conf_proxy_t *pc;
+    rustls_crypto_provider_builder *custom_provider_builder = NULL;
+    const rustls_crypto_provider *custom_provider = NULL;
     const apr_array_header_t *ciphersuites = NULL;
     apr_array_header_t *tls_versions = NULL;
     rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
@@ -793,9 +794,20 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 
     if (ciphersuites && ciphersuites->nelts > 0
         && tls_versions && tls_versions->nelts >= 0) {
+        rr = rustls_crypto_provider_builder_new_from_default(&custom_provider_builder);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+        rr = rustls_crypto_provider_builder_set_cipher_suites(
+                custom_provider_builder,
+                (const struct rustls_supported_ciphersuite *const *)ciphersuites->elts,
+                (size_t)ciphersuites->nelts);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+        rr = rustls_crypto_provider_builder_build(custom_provider_builder, &custom_provider);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
         rr = rustls_client_config_builder_new_custom(
-            (const struct rustls_supported_ciphersuite *const *)ciphersuites->elts,
-            (size_t)ciphersuites->nelts,
+            custom_provider,
             (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
             &builder);
         if (RUSTLS_RESULT_OK != rr) goto cleanup;
@@ -878,14 +890,17 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
         }
     }
 
-    cc->rustls_client_config = rustls_client_config_builder_build(builder);
+    rr = rustls_client_config_builder_build(builder, &cc->rustls_client_config);
+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
     builder = NULL;
 
     rr = rustls_client_connection_new(cc->rustls_client_config, hostname, &cc->rustls_connection);
     if (RUSTLS_RESULT_OK != rr) goto cleanup;
     rustls_connection_set_userdata(cc->rustls_connection, c);
 
 cleanup:
+    if (custom_provider_builder != NULL) rustls_crypto_provider_builder_free(custom_provider_builder);
+    if (custom_provider != NULL) rustls_crypto_provider_free(custom_provider);
     if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
     if (builder != NULL) rustls_client_config_builder_free(builder);
     if (RUSTLS_RESULT_OK != rr) {
@@ -896,7 +911,6 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
                      cc->server->server_hostname, hostname, (int)rr, err_descr);
         c->aborted = 1;
         cc->state = TLS_CONN_ST_DISABLED;
-        goto cleanup;
     }
     return rv;
 }
@@ -1065,6 +1079,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 {
     tls_conf_conn_t *cc = tls_conf_conn_get(c);
     tls_conf_server_t *sc;
+    rustls_crypto_provider_builder *custom_provider_builder = NULL;
+    const rustls_crypto_provider *custom_provider = NULL;
     const apr_array_header_t *tls_versions = NULL;
     rustls_server_config_builder *builder = NULL;
     const rustls_server_config *config = NULL;
@@ -1103,9 +1119,20 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 
     if (sc->ciphersuites && sc->ciphersuites->nelts > 0
         && tls_versions && tls_versions->nelts >= 0) {
+        rr = rustls_crypto_provider_builder_new_from_default(&custom_provider_builder);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+        rr = rustls_crypto_provider_builder_set_cipher_suites(
+                custom_provider_builder,
+                (const struct rustls_supported_ciphersuite *const *)sc->ciphersuites->elts,
+                (size_t)sc->ciphersuites->nelts);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+        rr = rustls_crypto_provider_builder_build(custom_provider_builder, &custom_provider);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
         rr = rustls_server_config_builder_new_custom(
-            (const struct rustls_supported_ciphersuite *const *)sc->ciphersuites->elts,
-            (size_t)sc->ciphersuites->nelts,
+            custom_provider,
             (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
             &builder);
         if (RUSTLS_RESULT_OK != rr) goto cleanup;
@@ -1147,7 +1174,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
     rv = tls_cache_init_server(builder, sc->server);
     if (APR_SUCCESS != rv) goto cleanup;
 
-    config = rustls_server_config_builder_build(builder);
+    rr = rustls_server_config_builder_build(builder, &config);
+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
     builder = NULL;
     if (!config) {
         rv = APR_ENOMEM; goto cleanup;
@@ -1158,6 +1186,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
     rustls_connection_set_userdata(rconnection, c);
 
 cleanup:
+    if (custom_provider_builder != NULL) rustls_crypto_provider_builder_free(custom_provider_builder);
+    if (custom_provider != NULL) rustls_crypto_provider_free(custom_provider);
     if (rr != RUSTLS_RESULT_OK) {
         const char *err_descr = NULL;
         rv = tls_util_rustls_error(c->pool, rr, &err_descr);
@@ -1258,7 +1288,6 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
 {
     tls_conf_conn_t *cc = tls_conf_conn_get(c);
     tls_conf_server_t *sc = tls_conf_server_get(cc->server);
-    const rustls_supported_ciphersuite *rsuite;
     const rustls_certificate *cert;
     apr_status_t rv = APR_SUCCESS;
 
@@ -1273,15 +1302,7 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
     cc->tls_protocol_id = rustls_connection_get_protocol_version(cc->rustls_connection);
     cc->tls_protocol_name = tls_proto_get_version_name(sc->global->proto,
         cc->tls_protocol_id, c->pool);
-    rsuite = rustls_connection_get_negotiated_ciphersuite(cc->rustls_connection);
-    if (!rsuite) {
-        rv = APR_EGENERAL;
-        ap_log_error(APLOG_MARK, APLOG_ERR, rv, cc->server, APLOGNO(10343)
-                     "post handshake, but rustls does not report negotiated cipher suite: %s",
-                     cc->server->server_hostname);
-        goto cleanup;
-    }
-    cc->tls_cipher_id = rustls_supported_ciphersuite_get_suite(rsuite);
+    cc->tls_cipher_id = rustls_connection_get_negotiated_ciphersuite(cc->rustls_connection);
     cc->tls_cipher_name = tls_proto_get_cipher_name(sc->global->proto,
         cc->tls_cipher_id, c->pool);
     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "post_handshake %s: %s [%s]",

src/tls_filter.c

@@ -53,7 +53,7 @@ static rustls_io_result tls_read_callback(
  * If <fctx->fin_tls_bb> holds data, take it from there. Otherwise perform a
  * read via the network filters below us into that brigade.
  *
- * <fctx->fin_block> determines if we do a blocking read inititally or not.
+ * <fctx->fin_block> determines if we do a blocking read initially or not.
  * If the first read did to not produce enough data, any secondary read is done
  * non-blocking.
  *
@@ -357,7 +357,7 @@ static apr_status_t progress_tls_atleast_to(tls_filter_ctx_t *fctx, tls_conn_sta
 }
 
 /**
- * The connection filter converting TLS encrypted network data into plain, unencrpyted
+ * The connection filter converting TLS encrypted network data into plain, unencrypted
  * traffic data to be processed by filters above it in the filter chain.
  *
  * Unfortunately, Apache's filter infrastructure places a heavy implementation
@@ -417,7 +417,7 @@ static apr_status_t filter_conn_input(
      * a) ask rustls_connection for decrypted data, if it has any.
      *    Note that only full records can be decrypted. We might have
      *    written TLS data to the session, but that does not mean it
-     *    can give unencryted data out again.
+     *    can give unencrypted data out again.
      * b) read TLS bytes from the network and feed them to the rustls session.
      * c) go back to a) if b) added data.
      */
@@ -620,7 +620,7 @@ static apr_status_t fout_pass_buf_to_rustls(
 
     while (len) {
         /* check if we will exceed the limit of data in rustls.
-         * rustls does not guarantuee that it will accept all data, so we
+         * rustls does not guarantee that it will accept all data, so we
          * iterate and flush when needed. */
         if (fctx->fout_bytes_in_rustls + (apr_off_t)len > (apr_off_t)fctx->fout_max_in_rustls) {
             rv = fout_pass_rustls_to_tls(fctx);
@@ -795,7 +795,7 @@ static apr_status_t fout_append_plain(tls_filter_ctx_t *fctx, apr_bucket *b)
 
             if (APR_BUCKET_IS_FILE(b)
                 && (lbuf = malloc(b->length))) {
-                /* A file bucket is a most wonderous thing. Since the dawn of time,
+                /* A file bucket is a most wondrous thing. Since the dawn of time,
                  * it has been subject to many optimizations for efficient handling
                  * of large data in the server:
                  * - unless one reads from it, it will just consist of a file handle
@@ -810,7 +810,7 @@ static apr_status_t fout_append_plain(tls_filter_ctx_t *fctx, apr_bucket *b)
                  *   the file handle directly and uses sendfile() when the OS supports it.
                  * - But there is not sendfile() for TLS (netflix did some experiments).
                  * So.
-                 * rustls will try to collect max length traffic data into ont TLS
+                 * rustls will try to collect max length traffic data into one TLS
                  * message, but it can only work with what we gave it. If we give it buffers
                  * that fit what it wants to assemble already, its work is much easier.
                  *
@@ -949,7 +949,7 @@ int tls_filter_pre_conn_init(conn_rec *c)
      * to the filter "below" our filter. That will be other registered
      * filters and last, but not least, the network filter on the socket.
      *
-     * Therefore, wenn we need to read/write TLS data during handshake, we can
+     * Therefore, when we need to read/write TLS data during handshake, we can
      * pass the data to/call on ->next- Since ->next can change during the setup of
      * a connections (other modules register also sth.), we keep the ap_filter_t*
      * returned here, since httpd core will update the ->next whenever someone

src/tls_proto.c

@@ -448,14 +448,13 @@ tls_proto_conf_t *tls_proto_init(apr_pool_t *pool, server_rec *s)
     conf->supported_cipher_ids = apr_array_make(pool, 10, sizeof(apr_uint16_t));
     conf->rustls_ciphers_by_id = apr_hash_make(pool);
     i = 0;
-    while ((rustls_suite = rustls_all_ciphersuites_get_entry(i++))) {
+    while ((rustls_suite = rustls_default_crypto_provider_ciphersuites_get(i++))) {
         id = rustls_supported_ciphersuite_get_suite(rustls_suite);
         rcipher = apr_pcalloc(pool, sizeof(*rcipher));
         rcipher->id = id;
         rcipher->rustls_suite = rustls_suite;
         APR_ARRAY_PUSH(conf->supported_cipher_ids, apr_uint16_t) = id;
         apr_hash_set(conf->rustls_ciphers_by_id, &rcipher->id, sizeof(apr_uint16_t), rcipher);
-
     }
 
     return conf;

src/tls_version.h

@@ -26,14 +26,14 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_TLS_VERSION "0.13.0-git"
+#define MOD_TLS_VERSION "0.14.0-git"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_TLS_VERSION_NUM 0x000d00
+#define MOD_TLS_VERSION_NUM 0x000e00
 
 #endif /* mod_md_md_version_h */