
Merge pull request #1 from cpu/cpu-rustls-0.14
prepare mod_tls 0.14, updating to rustls-ffi 0.14
2 parents 377ee7d + 810fcb2 commit 2d869a5


8 files changed

+61
-37
lines changed


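--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+v0.14.0
+----------------------------------------------------------------------------------------------------
+* Updated to rustls-ffi 0.14.0
+
 v0.13.0
 ----------------------------------------------------------------------------------------------------
 * align version somewhat with rustls-ffi version supported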

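--- a/README.md
+++ b/README.md
@@ -6,8 +6,8 @@ implementation in Rust.
 
 ## Status
 
-The current state is compatible with **rustls-ffi v0.13.0** and needs at least Apache 2.4.48 for the
-necessary infrastructure. A new release with support for rustls-ffi v0.14.0 is in the making.
+The current state is compatible with **rustls-ffi v0.14.0** and needs at least Apache 2.4.48 for the
+necessary infrastructure.
 
 `mod_tls` gives you:
 
@@ -27,7 +27,7 @@ There is a [comparison table with mod_ssl functionality](#comparison-with-mod_ss
 
 ## Platforms
 
-* rustls-ffi v0.13.0
+* rustls-ffi v0.14.0
 * Apache 2.4.48 or later
 * build system: autoconf/automake
 
@@ -473,4 +473,4 @@ This must be defined if client certificates are configured. The file needs to co
 
 The path can be specified relative to the server root.
 
--->
+-->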

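--- a/configure.ac
+++ b/configure.ac
@@ -15,7 +15,7 @@
 #
 
 AC_PREREQ([2.69])
-AC_INIT([mod_tls], [0.13.0], [[email protected]])
+AC_INIT([mod_tls], [0.14.0], [[email protected]])
 
 LT_PREREQ([2.2.6])
 LT_INIT()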

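--- a/src/tls_cache.c
+++ b/src/tls_cache.c
@@ -253,7 +253,7 @@ static rustls_result tls_cache_get(
 tls_cache_unlock(sc->global);
 if (APR_SUCCESS != rv) goto not_found;
 cc->session_id_cache_hit = 1;
-*out_n = count;
+*out_n = (size_t)vlen;
 return RUSTLS_RESULT_OK;
 
 not_found: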
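Review bot: `*out_n = (size_t)vlen;` tells rustls-ffi how many bytes of the caller-supplied buffer hold the session, so the value must never exceed the capacity rustls passed in (the `count` the old line reported); if `vlen` is the in/out length filled by the socache retrieve it is already bounded, but that call lies outside the hunk and cannot be confirmed here. Adding `if (vlen > count) goto not_found;` in front of the assignment makes the invariant explicit and rejects an entry whose stored length disagrees with the buffer instead of letting rustls read past it. tls_cache_get starts before the hunk.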

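--- a/src/tls_core.c
+++ b/src/tls_core.c
@@ -553,8 +553,8 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
 rr = RUSTLS_RESULT_PANIC; goto cleanup;
 }
 rustls_server_config_builder_set_hello_callback(builder, extract_client_hello_values);
-gc->rustls_hello_config = rustls_server_config_builder_build(builder);
-if (!gc->rustls_hello_config) {
+rr = rustls_server_config_builder_build(builder, &gc->rustls_hello_config);
+if (NULL == gc->rustls_hello_config) {
 rr = RUSTLS_RESULT_PANIC; goto cleanup;
 }
 
@@ -564,7 +564,6 @@ static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, t
 rv = tls_util_rustls_error(p, rr, &err_descr);
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, APLOGNO(10328)
 "Failed to init generic hello config: [%d] %s", (int)rr, err_descr);
-goto cleanup;
 }
 return rv;
 }
@@ -762,6 +761,8 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 {
 tls_conf_conn_t *cc = tls_conf_conn_get(c);
 tls_conf_proxy_t *pc;
+rustls_crypto_provider_builder *custom_provider_builder = NULL;
+const rustls_crypto_provider *custom_provider = NULL;
 const apr_array_header_t *ciphersuites = NULL;
 apr_array_header_t *tls_versions = NULL;
 rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
@@ -793,9 +794,20 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 
 if (ciphersuites && ciphersuites->nelts > 0
 && tls_versions && tls_versions->nelts >= 0) {
+rr = rustls_crypto_provider_builder_new_from_default(&custom_provider_builder);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+rr = rustls_crypto_provider_builder_set_cipher_suites(
+custom_provider_builder,
+(const struct rustls_supported_ciphersuite *const *)ciphersuites->elts,
+(size_t)ciphersuites->nelts);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+rr = rustls_crypto_provider_builder_build(custom_provider_builder, &custom_provider);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
 rr = rustls_client_config_builder_new_custom(
-(const struct rustls_supported_ciphersuite *const *)ciphersuites->elts,
-(size_t)ciphersuites->nelts,
+custom_provider,
 (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
 &builder);
 if (RUSTLS_RESULT_OK != rr) goto cleanup;
@@ -878,14 +890,17 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 }
 }
 
-cc->rustls_client_config = rustls_client_config_builder_build(builder);
+rr = rustls_client_config_builder_build(builder, &cc->rustls_client_config);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
 builder = NULL;
 
 rr = rustls_client_connection_new(cc->rustls_client_config, hostname, &cc->rustls_connection);
 if (RUSTLS_RESULT_OK != rr) goto cleanup;
 rustls_connection_set_userdata(cc->rustls_connection, c);
 
 cleanup:
+if (custom_provider_builder != NULL) rustls_crypto_provider_builder_free(custom_provider_builder);
+if (custom_provider != NULL) rustls_crypto_provider_free(custom_provider);
 if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
 if (builder != NULL) rustls_client_config_builder_free(builder);
 if (RUSTLS_RESULT_OK != rr) {
@@ -896,7 +911,6 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
 cc->server->server_hostname, hostname, (int)rr, err_descr);
 c->aborted = 1;
 cc->state = TLS_CONN_ST_DISABLED;
-goto cleanup;
 }
 return rv;
 }
@@ -1065,6 +1079,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 {
 tls_conf_conn_t *cc = tls_conf_conn_get(c);
 tls_conf_server_t *sc;
+rustls_crypto_provider_builder *custom_provider_builder = NULL;
+const rustls_crypto_provider *custom_provider = NULL;
 const apr_array_header_t *tls_versions = NULL;
 rustls_server_config_builder *builder = NULL;
 const rustls_server_config *config = NULL;
@@ -1103,9 +1119,20 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 
 if (sc->ciphersuites && sc->ciphersuites->nelts > 0
 && tls_versions && tls_versions->nelts >= 0) {
+rr = rustls_crypto_provider_builder_new_from_default(&custom_provider_builder);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+rr = rustls_crypto_provider_builder_set_cipher_suites(
+custom_provider_builder,
+(const struct rustls_supported_ciphersuite *const *)sc->ciphersuites->elts,
+(size_t)sc->ciphersuites->nelts);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+rr = rustls_crypto_provider_builder_build(custom_provider_builder, &custom_provider);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
 rr = rustls_server_config_builder_new_custom(
-(const struct rustls_supported_ciphersuite *const *)sc->ciphersuites->elts,
-(size_t)sc->ciphersuites->nelts,
+custom_provider,
 (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
 &builder);
 if (RUSTLS_RESULT_OK != rr) goto cleanup;
@@ -1147,7 +1174,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 rv = tls_cache_init_server(builder, sc->server);
 if (APR_SUCCESS != rv) goto cleanup;
 
-config = rustls_server_config_builder_build(builder);
+rr = rustls_server_config_builder_build(builder, &config);
+if (RUSTLS_RESULT_OK != rr) goto cleanup;
 builder = NULL;
 if (!config) {
 rv = APR_ENOMEM; goto cleanup;
@@ -1158,6 +1186,8 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
 rustls_connection_set_userdata(rconnection, c);
 
 cleanup:
+if (custom_provider_builder != NULL) rustls_crypto_provider_builder_free(custom_provider_builder);
+if (custom_provider != NULL) rustls_crypto_provider_free(custom_provider);
 if (rr != RUSTLS_RESULT_OK) {
 const char *err_descr = NULL;
 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
@@ -1258,7 +1288,6 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
 {
 tls_conf_conn_t *cc = tls_conf_conn_get(c);
 tls_conf_server_t *sc = tls_conf_server_get(cc->server);
-const rustls_supported_ciphersuite *rsuite;
 const rustls_certificate *cert;
 apr_status_t rv = APR_SUCCESS;
 
@@ -1273,15 +1302,7 @@ apr_status_t tls_core_conn_post_handshake(conn_rec *c)
 cc->tls_protocol_id = rustls_connection_get_protocol_version(cc->rustls_connection);
 cc->tls_protocol_name = tls_proto_get_version_name(sc->global->proto,
 cc->tls_protocol_id, c->pool);
-rsuite = rustls_connection_get_negotiated_ciphersuite(cc->rustls_connection);
-if (!rsuite) {
-rv = APR_EGENERAL;
-ap_log_error(APLOG_MARK, APLOG_ERR, rv, cc->server, APLOGNO(10343)
-"post handshake, but rustls does not report negotiated cipher suite: %s",
-cc->server->server_hostname);
-goto cleanup;
-}
-cc->tls_cipher_id = rustls_supported_ciphersuite_get_suite(rsuite);
+cc->tls_cipher_id = rustls_connection_get_negotiated_ciphersuite(cc->rustls_connection);
 cc->tls_cipher_name = tls_proto_get_cipher_name(sc->global->proto,
 cc->tls_cipher_id, c->pool);
 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "post_handshake %s: %s [%s]",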
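Review bot: In init_outgoing_connection the new `rr = rustls_client_config_builder_build(builder, &cc->rustls_client_config); if (RUSTLS_RESULT_OK != rr) goto cleanup;` jumps to cleanup with `builder` still set, and the visible cleanup then calls `rustls_client_config_builder_free(builder)`; the rustls-ffi 0.14 build call appears to take ownership of the builder on every return, which would make that a double free on the error path. Moving `builder = NULL;` to directly after the build call, ahead of the `rr` check, avoids it, and the same ordering should be applied after `rr = rustls_server_config_builder_build(builder, &config);` in build_server_connection, whose builder free is outside the hunk. In setup_hello_config the returned `rr` is overwritten with `RUSTLS_RESULT_PANIC` whenever the config is NULL, discarding the error code the 0.14 API now provides; `if (RUSTLS_RESULT_OK != rr) goto cleanup;` keeps it. In tls_core_conn_post_handshake the guard that failed the connection when no cipher suite was reported is gone: `rustls_connection_get_negotiated_ciphersuite` now returns a `uint16_t` that is 0 until a suite is agreed, so a check such as `if (0 == cc->tls_cipher_id) { rv = APR_EGENERAL; goto cleanup; }`, logging with the former APLOGNO(10343) message, should be restored rather than letting id 0 flow into tls_proto_get_cipher_name. All of these functions begin or end outside their hunks.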

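--- a/src/tls_filter.c
+++ b/src/tls_filter.c
@@ -53,7 +53,7 @@ static rustls_io_result tls_read_callback(
 * If <fctx->fin_tls_bb> holds data, take it from there. Otherwise perform a
 * read via the network filters below us into that brigade.
 *
-* <fctx->fin_block> determines if we do a blocking read inititally or not.
+* <fctx->fin_block> determines if we do a blocking read initially or not.
 * If the first read did to not produce enough data, any secondary read is done
 * non-blocking.
 *
@@ -357,7 +357,7 @@ static apr_status_t progress_tls_atleast_to(tls_filter_ctx_t *fctx, tls_conn_sta
 }
 
 /**
-* The connection filter converting TLS encrypted network data into plain, unencrpyted
+* The connection filter converting TLS encrypted network data into plain, unencrypted
 * traffic data to be processed by filters above it in the filter chain.
 *
 * Unfortunately, Apache's filter infrastructure places a heavy implementation
@@ -417,7 +417,7 @@ static apr_status_t filter_conn_input(
 * a) ask rustls_connection for decrypted data, if it has any.
 * Note that only full records can be decrypted. We might have
 * written TLS data to the session, but that does not mean it
-* can give unencryted data out again.
+* can give unencrypted data out again.
 * b) read TLS bytes from the network and feed them to the rustls session.
 * c) go back to a) if b) added data.
 */
@@ -620,7 +620,7 @@ static apr_status_t fout_pass_buf_to_rustls(
 
 while (len) {
 /* check if we will exceed the limit of data in rustls.
-* rustls does not guarantuee that it will accept all data, so we
+* rustls does not guarantee that it will accept all data, so we
 * iterate and flush when needed. */
 if (fctx->fout_bytes_in_rustls + (apr_off_t)len > (apr_off_t)fctx->fout_max_in_rustls) {
 rv = fout_pass_rustls_to_tls(fctx);
@@ -795,7 +795,7 @@ static apr_status_t fout_append_plain(tls_filter_ctx_t *fctx, apr_bucket *b)
 
 if (APR_BUCKET_IS_FILE(b)
 && (lbuf = malloc(b->length))) {
-/* A file bucket is a most wonderous thing. Since the dawn of time,
+/* A file bucket is a most wondrous thing. Since the dawn of time,
 * it has been subject to many optimizations for efficient handling
 * of large data in the server:
 * - unless one reads from it, it will just consist of a file handle
@@ -810,7 +810,7 @@ static apr_status_t fout_append_plain(tls_filter_ctx_t *fctx, apr_bucket *b)
 * the file handle directly and uses sendfile() when the OS supports it.
 * - But there is not sendfile() for TLS (netflix did some experiments).
 * So.
-* rustls will try to collect max length traffic data into ont TLS
+* rustls will try to collect max length traffic data into one TLS
 * message, but it can only work with what we gave it. If we give it buffers
 * that fit what it wants to assemble already, its work is much easier.
 *
@@ -949,7 +949,7 @@ int tls_filter_pre_conn_init(conn_rec *c)
 * to the filter "below" our filter. That will be other registered
 * filters and last, but not least, the network filter on the socket.
 *
-* Therefore, wenn we need to read/write TLS data during handshake, we can
+* Therefore, when we need to read/write TLS data during handshake, we can
 * pass the data to/call on ->next- Since ->next can change during the setup of
 * a connections (other modules register also sth.), we keep the ap_filter_t*
 * returned here, since httpd core will update the ->next whenever someone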

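--- a/src/tls_proto.c
+++ b/src/tls_proto.c
@@ -448,14 +448,13 @@ tls_proto_conf_t *tls_proto_init(apr_pool_t *pool, server_rec *s)
 conf->supported_cipher_ids = apr_array_make(pool, 10, sizeof(apr_uint16_t));
 conf->rustls_ciphers_by_id = apr_hash_make(pool);
 i = 0;
-while ((rustls_suite = rustls_all_ciphersuites_get_entry(i++))) {
+while ((rustls_suite = rustls_default_crypto_provider_ciphersuites_get(i++))) {
 id = rustls_supported_ciphersuite_get_suite(rustls_suite);
 rcipher = apr_pcalloc(pool, sizeof(*rcipher));
 rcipher->id = id;
 rcipher->rustls_suite = rustls_suite;
 APR_ARRAY_PUSH(conf->supported_cipher_ids, apr_uint16_t) = id;
 apr_hash_set(conf->rustls_ciphers_by_id, &rcipher->id, sizeof(apr_uint16_t), rcipher);
-
 }
 
 return conf;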
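Review bot: The new loop `while ((rustls_suite = rustls_default_crypto_provider_ciphersuites_get(i++)))` terminates only because an out-of-range index is expected to yield NULL; if, as I recall, rustls-ffi 0.14 also exposes `rustls_default_crypto_provider_ciphersuites_len()`, bounding the loop as `for (i = 0; i < rustls_default_crypto_provider_ciphersuites_len(); i++)` states the contract explicitly instead of relying on a sentinel. Since the custom providers built in tls_core.c in this same commit start from the default provider, a one-line comment above the loop, `/* enumerate the suites of the default crypto provider; custom providers are derived from it */`, would help a reader connect the two. The declaration of `i` and the rest of tls_proto_init are outside the hunk.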

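--- a/src/tls_version.h
+++ b/src/tls_version.h
@@ -26,14 +26,14 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_TLS_VERSION "0.13.0-git"
+#define MOD_TLS_VERSION "0.14.0-git"
 
 /**
 * @macro
 * Numerical representation of the version number of the md module
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_TLS_VERSION_NUM 0x000d00
+#define MOD_TLS_VERSION_NUM 0x000e00
 
 #endif /* mod_md_md_version_h */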
