@@ -553,8 +553,8 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
553
553
rr = RUSTLS_RESULT_PANIC ; goto cleanup ;
554
554
}
555
555
rustls_server_config_builder_set_hello_callback (builder , extract_client_hello_values );
556
- gc -> rustls_hello_config = rustls_server_config_builder_build (builder );
557
- if (! gc -> rustls_hello_config ) {
556
+ rr = rustls_server_config_builder_build (builder , & gc -> rustls_hello_config );
557
+ if (NULL == gc -> rustls_hello_config ) {
558
558
rr = RUSTLS_RESULT_PANIC ; goto cleanup ;
559
559
}
560
560
@@ -564,7 +564,6 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
564
564
rv = tls_util_rustls_error (p , rr , & err_descr );
565
565
ap_log_error (APLOG_MARK , APLOG_ERR , rv , base_server , APLOGNO (10328 )
566
566
"Failed to init generic hello config: [%d] %s" , (int )rr , err_descr );
567
- goto cleanup ;
568
567
}
569
568
return rv ;
570
569
}
@@ -762,6 +761,8 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
762
761
{
763
762
tls_conf_conn_t * cc = tls_conf_conn_get (c );
764
763
tls_conf_proxy_t * pc ;
764
+ rustls_crypto_provider_builder * custom_provider_builder = NULL ;
765
+ const rustls_crypto_provider * custom_provider = NULL ;
765
766
const apr_array_header_t * ciphersuites = NULL ;
766
767
apr_array_header_t * tls_versions = NULL ;
767
768
rustls_web_pki_server_cert_verifier_builder * verifier_builder = NULL ;
@@ -793,9 +794,20 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
793
794
794
795
if (ciphersuites && ciphersuites -> nelts > 0
795
796
&& tls_versions && tls_versions -> nelts >= 0 ) {
797
+ rr = rustls_crypto_provider_builder_new_from_default (& custom_provider_builder );
798
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
799
+
800
+ rr = rustls_crypto_provider_builder_set_cipher_suites (
801
+ custom_provider_builder ,
802
+ (const struct rustls_supported_ciphersuite * const * )ciphersuites -> elts ,
803
+ (size_t )ciphersuites -> nelts );
804
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
805
+
806
+ rr = rustls_crypto_provider_builder_build (custom_provider_builder , & custom_provider );
807
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
808
+
796
809
rr = rustls_client_config_builder_new_custom (
797
- (const struct rustls_supported_ciphersuite * const * )ciphersuites -> elts ,
798
- (size_t )ciphersuites -> nelts ,
810
+ custom_provider ,
799
811
(const uint16_t * )tls_versions -> elts , (size_t )tls_versions -> nelts ,
800
812
& builder );
801
813
if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
@@ -878,14 +890,17 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
878
890
}
879
891
}
880
892
881
- cc -> rustls_client_config = rustls_client_config_builder_build (builder );
893
+ rr = rustls_client_config_builder_build (builder , & cc -> rustls_client_config );
894
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
882
895
builder = NULL ;
883
896
884
897
rr = rustls_client_connection_new (cc -> rustls_client_config , hostname , & cc -> rustls_connection );
885
898
if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
886
899
rustls_connection_set_userdata (cc -> rustls_connection , c );
887
900
888
901
cleanup :
902
+ if (custom_provider_builder != NULL ) rustls_crypto_provider_builder_free (custom_provider_builder );
903
+ if (custom_provider != NULL ) rustls_crypto_provider_free (custom_provider );
889
904
if (verifier_builder != NULL ) rustls_web_pki_server_cert_verifier_builder_free (verifier_builder );
890
905
if (builder != NULL ) rustls_client_config_builder_free (builder );
891
906
if (RUSTLS_RESULT_OK != rr ) {
@@ -896,7 +911,6 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
896
911
cc -> server -> server_hostname , hostname , (int )rr , err_descr );
897
912
c -> aborted = 1 ;
898
913
cc -> state = TLS_CONN_ST_DISABLED ;
899
- goto cleanup ;
900
914
}
901
915
return rv ;
902
916
}
@@ -1065,6 +1079,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
1065
1079
{
1066
1080
tls_conf_conn_t * cc = tls_conf_conn_get (c );
1067
1081
tls_conf_server_t * sc ;
1082
+ rustls_crypto_provider_builder * custom_provider_builder = NULL ;
1083
+ const rustls_crypto_provider * custom_provider = NULL ;
1068
1084
const apr_array_header_t * tls_versions = NULL ;
1069
1085
rustls_server_config_builder * builder = NULL ;
1070
1086
const rustls_server_config * config = NULL ;
@@ -1103,9 +1119,20 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
1103
1119
1104
1120
if (sc -> ciphersuites && sc -> ciphersuites -> nelts > 0
1105
1121
&& tls_versions && tls_versions -> nelts >= 0 ) {
1122
+ rr = rustls_crypto_provider_builder_new_from_default (& custom_provider_builder );
1123
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
1124
+
1125
+ rr = rustls_crypto_provider_builder_set_cipher_suites (
1126
+ custom_provider_builder ,
1127
+ (const struct rustls_supported_ciphersuite * const * )sc -> ciphersuites -> elts ,
1128
+ (size_t )sc -> ciphersuites -> nelts );
1129
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
1130
+
1131
+ rr = rustls_crypto_provider_builder_build (custom_provider_builder , & custom_provider );
1132
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
1133
+
1106
1134
rr = rustls_server_config_builder_new_custom (
1107
- (const struct rustls_supported_ciphersuite * const * )sc -> ciphersuites -> elts ,
1108
- (size_t )sc -> ciphersuites -> nelts ,
1135
+ custom_provider ,
1109
1136
(const uint16_t * )tls_versions -> elts , (size_t )tls_versions -> nelts ,
1110
1137
& builder );
1111
1138
if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
@@ -1147,7 +1174,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
1147
1174
rv = tls_cache_init_server (builder , sc -> server );
1148
1175
if (APR_SUCCESS != rv ) goto cleanup ;
1149
1176
1150
- config = rustls_server_config_builder_build (builder );
1177
+ rr = rustls_server_config_builder_build (builder , & config );
1178
+ if (RUSTLS_RESULT_OK != rr ) goto cleanup ;
1151
1179
builder = NULL ;
1152
1180
if (!config ) {
1153
1181
rv = APR_ENOMEM ; goto cleanup ;
@@ -1158,6 +1186,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
1158
1186
rustls_connection_set_userdata (rconnection , c );
1159
1187
1160
1188
cleanup :
1189
+ if (custom_provider_builder != NULL ) rustls_crypto_provider_builder_free (custom_provider_builder );
1190
+ if (custom_provider != NULL ) rustls_crypto_provider_free (custom_provider );
1161
1191
if (rr != RUSTLS_RESULT_OK ) {
1162
1192
const char * err_descr = NULL ;
1163
1193
rv = tls_util_rustls_error (c -> pool , rr , & err_descr );
@@ -1258,7 +1288,6 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
1258
1288
{
1259
1289
tls_conf_conn_t * cc = tls_conf_conn_get (c );
1260
1290
tls_conf_server_t * sc = tls_conf_server_get (cc -> server );
1261
- const rustls_supported_ciphersuite * rsuite ;
1262
1291
const rustls_certificate * cert ;
1263
1292
apr_status_t rv = APR_SUCCESS ;
1264
1293
@@ -1273,15 +1302,7 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
1273
1302
cc -> tls_protocol_id = rustls_connection_get_protocol_version (cc -> rustls_connection );
1274
1303
cc -> tls_protocol_name = tls_proto_get_version_name (sc -> global -> proto ,
1275
1304
cc -> tls_protocol_id , c -> pool );
1276
- rsuite = rustls_connection_get_negotiated_ciphersuite (cc -> rustls_connection );
1277
- if (!rsuite ) {
1278
- rv = APR_EGENERAL ;
1279
- ap_log_error (APLOG_MARK , APLOG_ERR , rv , cc -> server , APLOGNO (10343 )
1280
- "post handshake, but rustls does not report negotiated cipher suite: %s" ,
1281
- cc -> server -> server_hostname );
1282
- goto cleanup ;
1283
- }
1284
- cc -> tls_cipher_id = rustls_supported_ciphersuite_get_suite (rsuite );
1305
+ cc -> tls_cipher_id = rustls_connection_get_negotiated_ciphersuite (cc -> rustls_connection );
1285
1306
cc -> tls_cipher_name = tls_proto_get_cipher_name (sc -> global -> proto ,
1286
1307
cc -> tls_cipher_id , c -> pool );
1287
1308
ap_log_cerror (APLOG_MARK , APLOG_TRACE1 , 0 , c , "post_handshake %s: %s [%s]" ,
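Review bot: In the init_outgoing_connection hunk at -878,14 the `goto cleanup` inserted between `rustls_client_config_builder_build(builder, &cc->rustls_client_config)` and `builder = NULL;` can turn a build failure into a double free: if the build consumes the builder whatever its result (which the pre-change code's unconditional `builder = NULL` right after the old single-argument build suggests), the `rustls_client_config_builder_free(builder)` under the cleanup label frees an object rustls has already dropped. Reordering to `builder = NULL; /* consumed by the build, success or not */` before `if (RUSTLS_RESULT_OK != rr) goto cleanup;` avoids it, and the build_server_connection hunk at -1147,7 has the same ordering around `rustls_server_config_builder_build(builder, &config)`; which of the two ownership rules holds should be checked against the rustls-ffi header the module targets, as both functions' bodies continue outside the hunks. Separately, in setup_hello_config (-553,8) the `rr` returned by `rustls_server_config_builder_build` is never tested before the NULL check overwrites it with `RUSTLS_RESULT_PANIC`, so the message logged with APLOGNO(10328) reports a panic instead of the real rustls result; `if (RUSTLS_RESULT_OK != rr) goto cleanup;` ahead of the NULL test keeps the original code.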