* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2023-09-03  8:32 Hans de Graaff
From: Hans de Graaff @ 2023-09-03  8:32 UTC (permalink / raw
  To: gentoo-commits

commit:     0e37a586f336fa92d10c4113b9e3ebd5012f6a00
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep  3 08:31:25 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep  3 08:31:25 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=0e37a586

Add rustls-ffi patch

Bug: https://bugs.gentoo.org/906523
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/06_rustls_ffi.patch | 51 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/2.4/patches/06_rustls_ffi.patch b/2.4/patches/06_rustls_ffi.patch
new file mode 100644
index 0000000..81869f7
--- /dev/null
+++ b/2.4/patches/06_rustls_ffi.patch
@@ -0,0 +1,51 @@
+https://github.com/apache/httpd/commit/0495a95f511c0bc7f34dc1b706d6d8276865743b
+https://bugs.gentoo.org/906523
+
+From 0495a95f511c0bc7f34dc1b706d6d8276865743b Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Tue, 2 May 2023 09:21:07 +0000
+Subject: [PATCH] Backport of r1909558 from trunk:
+
+  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
+     Checking in configure for proper version installed. Code
+     fixes for changed clienthello member name.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1909561 13f79535-47bb-0310-9956-ffa450edef68
+--- /dev/null
++++ b/changes-entries/tls-rustls-update.txt
+@@ -0,0 +1,4 @@
++  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
++     Checking in configure for proper version installed. Code
++     fixes for changed clienthello member name.
++     [Stefan Eissing]
+\ No newline at end of file
+--- a/modules/tls/config2.m4
++++ b/modules/tls/config2.m4
+@@ -109,9 +109,10 @@ AC_DEFUN([APACHE_CHECK_RUSTLS],[
+       fi
+     fi
+ 
+-    AC_MSG_CHECKING([for rustls version >= 0.8.2])
++    AC_MSG_CHECKING([for rustls version >= 0.9.2])
+     AC_TRY_COMPILE([#include <rustls.h>],[
+ rustls_version();
++rustls_acceptor_new();
+ ],
+       [AC_MSG_RESULT(OK)
+        ac_cv_rustls=yes],
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -507,8 +507,8 @@ static const rustls_certified_key *extract_client_hello_values(
+     ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "extract client hello values");
+     if (!cc) goto cleanup;
+     cc->client_hello_seen = 1;
+-    if (hello->sni_name.len > 0) {
+-        cc->sni_hostname = apr_pstrndup(c->pool, hello->sni_name.data, hello->sni_name.len);
++    if (hello->server_name.len > 0) {
++        cc->sni_hostname = apr_pstrndup(c->pool, hello->server_name.data, hello->server_name.len);
+         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "sni detected: %s", cc->sni_hostname);
+     }
+     else {
+
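Review bot: The probe in the config2.m4 hunk is labelled `for rustls version >= 0.9.2` but compares no version at all; it only compile-tests that `rustls.h` declares `rustls_acceptor_new`, so a header newer than the installed library, or a later rustls-ffi that reshuffles that symbol again, passes configure and fails at link or run time. If a symbol-presence test is the intent, the `AC_MSG_CHECKING` text should say so; if a real minimum is wanted and the installed rustls-ffi ships pkg-config metadata, something like `PKG_CHECK_MODULES([RUSTLS], [rustls >= 0.9.2])` (module name to confirm) would enforce it directly. `AC_TRY_COMPILE` is also obsolete in current autoconf; `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <rustls.h>], [...])], ...)` is the supported form. The patch header itself would benefit from a line naming the upstream release expected to carry this backport, e.g. `Upstream-Status: backported; expected in httpd <release>` with the real version filled in, so the file can be dropped at the right bump.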



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2023-09-03  8:32 Hans de Graaff
From: Hans de Graaff @ 2023-09-03  8:32 UTC (permalink / raw
  To: gentoo-commits

commit:     4dc522359ec9731c76f5de74c4b3904c9592fd5a
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep  3 08:30:15 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep  3 08:30:15 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=4dc52235

Add libtool patch

Bug: https://bugs.gentoo.org/858836
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/05_libtool.patch | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/2.4/patches/05_libtool.patch b/2.4/patches/05_libtool.patch
new file mode 100644
index 0000000..a0d55d8
--- /dev/null
+++ b/2.4/patches/05_libtool.patch
@@ -0,0 +1,21 @@
+Bug: https://bugs.gentoo.org/858836
+
+From: orbea <orbea@riseup.net>
+Date: Tue, 19 Jul 2022 07:46:36 -0700
+Subject: [PATCH] build: Fix the build with slibtool
+
+Adding LT_INIT to configure.in generates the libtool script in the build
+directory which is required by rlibtool to determine if the build is
+shared or static.
+
+--- a/configure.in
++++ b/configure.in
+@@ -398,7 +398,7 @@ AC_PATH_PROG(RSYNC, rsync)
+ AC_PATH_PROG(SVN, svn)
+ AC_PROG_AWK
+ AC_PROG_LN_S
+-AC_CHECK_TOOL(RANLIB, ranlib, true)
++LT_INIT
+ dnl AC_PATH_PROG(PERL_PATH, perl)
+ AC_CHECK_PROGS(LYNX_PATH,[lynx links elinks], [lynx])
+ 
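Review bot: Replacing `AC_CHECK_TOOL(RANLIB, ranlib, true)` with `LT_INIT` introduces a build-time requirement the patch description does not mention: `LT_INIT` is a libtool macro, so regenerating `configure` from this `configure.in` now needs libtool's m4 files present at autoreconf time, whereas the old line needed only autoconf. The removed line also supplied `true` as the fallback when no `ranlib` exists; `LT_INIT` appears to perform its own `RANLIB` detection, but that it still leaves `RANLIB` substituted for the rest of the httpd build (and with what fallback) is worth confirming before relying on it. Suggest extending the header with `Note: LT_INIT needs libtool's aclocal macros at autoreconf time and takes over the RANLIB detection previously done by AC_CHECK_TOOL.`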



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2023-09-03  8:32 Hans de Graaff
From: Hans de Graaff @ 2023-09-03  8:32 UTC (permalink / raw
  To: gentoo-commits

commit:     2a33ab54bf77360d792c2ec853e2c03b2dbe0e3d
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep  3 08:29:03 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep  3 08:29:03 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=2a33ab54

Add no-which patch

Bug: https://bugs.gentoo.org/844868
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/04_no_which.patch | 54 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/2.4/patches/04_no_which.patch b/2.4/patches/04_no_which.patch
new file mode 100644
index 0000000..65764df
--- /dev/null
+++ b/2.4/patches/04_no_which.patch
@@ -0,0 +1,54 @@
+https://bugs.gentoo.org/844868
+https://bz.apache.org/bugzilla/show_bug.cgi?id=66130
+--- a/build/aix/buildaix.ksh
++++ b/build/aix/buildaix.ksh
+@@ -26,14 +26,14 @@ export CFLAGS='-O2 -qlanglvl=extc99'
+ lslpp -L bos.adt.insttools >/dev/null
+  [[ $? -ne 0 ]] && echo "must have bos.adt.insttools installed" && exit -1
+ 
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+ 
+ if [[ -z ${apr_config} && -z ${apu_config} ]]
+ then
+ 	export PATH=/opt/bin:${PATH}
+-	apr_config=`which apr-1-config`
+-	apu_config=`which apu-1-config`
++	apr_config=`command -v apr-1-config 2>/dev/null`
++	apu_config=`command -v apu-1-config 2>/dev/null`
+ fi
+ 
+ while test $# -gt 0
+--- a/build/pkg/buildpkg.sh
++++ b/build/pkg/buildpkg.sh
+@@ -24,8 +24,8 @@ PREFIX=/usr/local/apache2
+ TEMPDIR=/var/tmp/$USER/httpd-root
+ rm -rf $TEMPDIR
+ 
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+ 
+ while test $# -gt 0 
+ do
+--- a/configure.in
++++ b/configure.in
+@@ -216,13 +216,13 @@ AC_ARG_WITH(pcre,
+ APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library))
+ if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then
+   with_pcre="$PATH"
+-else if which $with_pcre 2>/dev/null; then :; else
++else if command -v $with_pcre 2>/dev/null; then :; else
+   with_pcre="$with_pcre/bin:$with_pcre"
+ fi
+ fi
+ 
+ AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config],
+-                      [`which $with_pcre 2>/dev/null`], $with_pcre)
++                      [`command -v $with_pcre 2>/dev/null`], $with_pcre)
+ 
+ if test "x$PCRE_CONFIG" != "x"; then
+   if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else
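Review bot: `command -v` is not a drop-in for `which` in the configure.in hunk: it also resolves shell functions, aliases and builtins, so a function named like the value of `--with-pcre` satisfies the `if command -v $with_pcre` test and the backtick expression hands `AC_CHECK_TARGET_TOOLS` a bare name rather than an executable path, where `which` only matched files on `PATH`. `$with_pcre` is also unquoted in both rewritten lines, so a path containing whitespace word-splits; since the lines are being rewritten anyway, `command -v "$with_pcre" 2>/dev/null` costs nothing. The buildaix.ksh and buildpkg.sh hunks carry the same builtin/function caveat, though for the fixed names `apr-1-config` and `apu-1-config` it is unlikely to matter in practice.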



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2023-10-11  5:54 Hans de Graaff
From: Hans de Graaff @ 2023-10-11  5:54 UTC (permalink / raw
  To: gentoo-commits

commit:     25a1eaafc964ef2e29cc663292a0bcddab7f43e5
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 11 05:48:11 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Wed Oct 11 05:54:04 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=25a1eaaf

Drop 2.4 libtool patch

Bug: https://bugs.gentoo.org/860081
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/05_libtool.patch | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/2.4/patches/05_libtool.patch b/2.4/patches/05_libtool.patch
deleted file mode 100644
index a0d55d8..0000000
--- a/2.4/patches/05_libtool.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Bug: https://bugs.gentoo.org/858836
-
-From: orbea <orbea@riseup.net>
-Date: Tue, 19 Jul 2022 07:46:36 -0700
-Subject: [PATCH] build: Fix the build with slibtool
-
-Adding LT_INIT to configure.in generates the libtool script in the build
-directory which is required by rlibtool to determine if the build is
-shared or static.
-
---- a/configure.in
-+++ b/configure.in
-@@ -398,7 +398,7 @@ AC_PATH_PROG(RSYNC, rsync)
- AC_PATH_PROG(SVN, svn)
- AC_PROG_AWK
- AC_PROG_LN_S
--AC_CHECK_TOOL(RANLIB, ranlib, true)
-+LT_INIT
- dnl AC_PATH_PROG(PERL_PATH, perl)
- AC_CHECK_PROGS(LYNX_PATH,[lynx links elinks], [lynx])
- 



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2023-10-19 12:10 Hans de Graaff
From: Hans de Graaff @ 2023-10-19 12:10 UTC (permalink / raw
  To: gentoo-commits

commit:     39aa4f5d435a7c0888a494b7f86772bb94b86418
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 19 12:10:17 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Thu Oct 19 12:10:17 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=39aa4f5d

Remove rustls-ffi patch

This patch was taken from upstream and has been released in apache
2.0.48.

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/06_rustls_ffi.patch | 51 -----------------------------------------
 1 file changed, 51 deletions(-)

diff --git a/2.4/patches/06_rustls_ffi.patch b/2.4/patches/06_rustls_ffi.patch
deleted file mode 100644
index 81869f7..0000000
--- a/2.4/patches/06_rustls_ffi.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-https://github.com/apache/httpd/commit/0495a95f511c0bc7f34dc1b706d6d8276865743b
-https://bugs.gentoo.org/906523
-
-From 0495a95f511c0bc7f34dc1b706d6d8276865743b Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <icing@apache.org>
-Date: Tue, 2 May 2023 09:21:07 +0000
-Subject: [PATCH] Backport of r1909558 from trunk:
-
-  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
-     Checking in configure for proper version installed. Code
-     fixes for changed clienthello member name.
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1909561 13f79535-47bb-0310-9956-ffa450edef68
---- /dev/null
-+++ b/changes-entries/tls-rustls-update.txt
-@@ -0,0 +1,4 @@
-+  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
-+     Checking in configure for proper version installed. Code
-+     fixes for changed clienthello member name.
-+     [Stefan Eissing]
-\ No newline at end of file
---- a/modules/tls/config2.m4
-+++ b/modules/tls/config2.m4
-@@ -109,9 +109,10 @@ AC_DEFUN([APACHE_CHECK_RUSTLS],[
-       fi
-     fi
- 
--    AC_MSG_CHECKING([for rustls version >= 0.8.2])
-+    AC_MSG_CHECKING([for rustls version >= 0.9.2])
-     AC_TRY_COMPILE([#include <rustls.h>],[
- rustls_version();
-+rustls_acceptor_new();
- ],
-       [AC_MSG_RESULT(OK)
-        ac_cv_rustls=yes],
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -507,8 +507,8 @@ static const rustls_certified_key *extract_client_hello_values(
-     ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "extract client hello values");
-     if (!cc) goto cleanup;
-     cc->client_hello_seen = 1;
--    if (hello->sni_name.len > 0) {
--        cc->sni_hostname = apr_pstrndup(c->pool, hello->sni_name.data, hello->sni_name.len);
-+    if (hello->server_name.len > 0) {
-+        cc->sni_hostname = apr_pstrndup(c->pool, hello->server_name.data, hello->server_name.len);
-         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "sni detected: %s", cc->sni_hostname);
-     }
-     else {
-



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2024-05-11  7:11 Hans de Graaff
From: Hans de Graaff @ 2024-05-11  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     1a564c20ea1b5b1934d3e83d59a8fed07706b40b
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat May 11 07:06:06 2024 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat May 11 07:11:14 2024 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=1a564c20

Add patches originally added in the ebuild

Both of these patches are already applied upstream and should be included
in 2.5.60 when it is released.

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/05-rustls-0.13.0.patch | 544 +++++++++++++++++++++++++++++++++++++
 2.4/patches/06-dh-regression.patch |  81 ++++++
 2 files changed, 625 insertions(+)

diff --git a/2.4/patches/05-rustls-0.13.0.patch b/2.4/patches/05-rustls-0.13.0.patch
new file mode 100644
index 0000000..f8cfc6b
--- /dev/null
+++ b/2.4/patches/05-rustls-0.13.0.patch
@@ -0,0 +1,544 @@
+From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:05:19 -0400
+Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
+
+The rustls version included in the rustls-ffi version output does not
+always contain three components. E.g. rustls-ffi 0.12.2 uses the version
+string:
+
+  rustls-ffi/0.12.2/rustls/0.22
+
+Notably there is no `.0` after the `0.22` for the Rustls version, and
+this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
+---
+ test/modules/tls/test_08_vars.py      | 2 +-
+ test/modules/tls/test_14_proxy_ssl.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
+index ad764a7985a..0e3ee74d2df 100644
+--- a/test/modules/tls/test_08_vars.py
++++ b/test/modules/tls/test_08_vars.py
+@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_08_vars_match(self, env, name: str, pattern: str):
+         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
+diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
+index 2f46c64f710..87e04c28afa 100644
+--- a/test/modules/tls/test_14_proxy_ssl.py
++++ b/test/modules/tls/test_14_proxy_ssl.py
+@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
+         if not HttpdTestEnv.has_shared_module("tls"):
+From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:19:50 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
+
+See upstream release notes[0] for more information.
+
+Also note that the, ahem, clunkyness of the verifier API is reduced in
+the 0.12 release and this is a transition state.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 26 ++++++++++++++++++--------
+ modules/tls/tls_cert.h      |  6 +++---
+ modules/tls/tls_core.c      |  4 ++--
+ 4 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 8c45faf5651..1ac41c6b2d6 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.10.0"
++              RUSTLS_VERSION="v0.11.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 624535aa444..17a35fc498d 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_client_cert_verifier *client_verifier;
+-    const rustls_client_cert_verifier_optional *client_verifier_opt;
++    const rustls_allow_any_authenticated_client_verifier *client_verifier;
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_client_cert_verifier_free(entry->client_verifier);
++        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
++        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier)
++    const rustls_allow_any_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier = rustls_client_cert_verifier_new(store);
++        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
++        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+     }
+@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier)
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier_opt) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
++        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
++        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier_opt;
+     }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 6ab3f48ae13..4ac3865dd86 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier);
++    const rustls_allow_any_authenticated_client_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier);
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
+ 
+-#endif /* tls_cert_h */
+\ No newline at end of file
++#endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index 25479392f1a..df29077826d 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_client_cert_verifier *verifier;
++            const rustls_allow_any_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_client_cert_verifier_optional *verifier;
++            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:37:25 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
+
+See upstream release notes for more information:
+
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 99 ++++++++++++++++++++-----------------
+ modules/tls/tls_cert.h      |  8 +--
+ modules/tls/tls_core.c      | 16 ++++--
+ 4 files changed, 70 insertions(+), 55 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 1ac41c6b2d6..3700bc4546a 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.11.0"
++              RUSTLS_VERSION="v0.12.2"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 17a35fc498d..ffb941cae40 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+ }
+ 
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
+ {
+     const char *fpath;
+     tls_data_t pem;
+-    rustls_root_cert_store *store = NULL;
++    rustls_root_cert_store_builder *store_builder = NULL;
++    const rustls_root_cert_store *store = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_pool_t *ptemp = NULL;
+     apr_status_t rv;
+@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
+     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
+     if (APR_SUCCESS != rv) goto cleanup;
+ 
+-    store = rustls_root_cert_store_new();
+-    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
++    store_builder = rustls_root_cert_store_builder_new();
++    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
++    if (RUSTLS_RESULT_OK != rr) goto cleanup;
++
++    rr = rustls_root_cert_store_builder_build(store_builder, &store);
+     if (RUSTLS_RESULT_OK != rr) goto cleanup;
+ 
+ cleanup:
++    if (store_builder != NULL) {
++        rustls_root_cert_store_builder_free(store_builder);
++    }
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr;
+         rv = tls_util_rustls_error(p, rr, &err_descr);
+@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
+ 
+ typedef struct {
+     const char *id;
+-    rustls_root_cert_store *store;
++    const rustls_root_cert_store *store;
+ } tls_cert_root_stores_entry_t;
+ 
+ static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore)
++    const rustls_root_cert_store **pstore)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_root_stores_entry_t *entry;
+ 
+     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
+     if (!entry) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+         entry = apr_pcalloc(stores->pool, sizeof(*entry));
+@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_allow_any_authenticated_client_verifier *client_verifier;
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
++    rustls_client_cert_verifier *client_verifier;
++    rustls_client_cert_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
++        rustls_client_cert_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
++        rustls_client_cert_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+     return entry;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get(
+-    tls_cert_verifiers_t *verifiers,
+-    const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier)
++static apr_status_t tls_cert_client_verifiers_get_internal(
++        tls_cert_verifiers_t *verifiers,
++        const char *store_file,
++        const rustls_client_cert_verifier **pverifier,
++        bool allow_unauthenticated)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
++    rustls_result rr = RUSTLS_RESULT_OK;
++    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
+-        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
++        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
++
++        if (allow_unauthenticated) {
++            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
++            if (rr != RUSTLS_RESULT_OK) {
++                goto cleanup;
++            }
++        }
++
++        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
++        if (rr != RUSTLS_RESULT_OK) {
++            goto cleanup;
++        }
+     }
+ 
+ cleanup:
+     if (verifier_builder != NULL) {
+-        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
++    }
++    if (rr != RUSTLS_RESULT_OK) {
++        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+     }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
+     return rv;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get_optional(
++
++apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
++    const rustls_client_cert_verifier **pverifier)
+ {
+-    apr_status_t rv = APR_SUCCESS;
+-    tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+-
+-    entry = verifiers_get_or_make_entry(verifiers, store_file);
+-    if (!entry->client_verifier_opt) {
+-        rustls_root_cert_store *store;
+-        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+-        if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
+-        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+-    }
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
++}
+ 
+-cleanup:
+-    if (verifier_builder != NULL) {
+-        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
+-    }
+-    if (APR_SUCCESS == rv) {
+-        *pverifier = entry->client_verifier_opt;
+-    }
+-    else {
+-        *pverifier = NULL;
+-    }
+-    return rv;
++apr_status_t tls_cert_client_verifiers_get_optional(
++    tls_cert_verifiers_t *verifiers,
++    const char *store_file,
++    const rustls_client_cert_verifier **pverifier)
++{
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
+ }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 4ac3865dd86..3326f0eb3e7 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+  * @param pstore the loaded root store on success
+  */
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
+ struct tls_cert_root_stores_t {
+@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore);
++    const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
+ struct tls_cert_verifiers_t {
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ #endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index df29077826d..1cef254f103 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     tls_conf_proxy_t *pc;
+     const apr_array_header_t *ciphersuites = NULL;
+     apr_array_header_t *tls_versions = NULL;
++    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
++    struct rustls_server_cert_verifier *verifier = NULL;
+     rustls_client_config_builder *builder = NULL;
+-    rustls_root_cert_store *ca_store = NULL;
++    const rustls_root_cert_store *ca_store = NULL;
+     const char *hostname = NULL, *alpn_note = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_status_t rv = APR_SUCCESS;
+@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
+         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        rustls_client_config_builder_use_roots(builder, ca_store);
++        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
++        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
++        if (RUSTLS_RESULT_OK != rr) goto cleanup;
++        rustls_client_config_builder_set_server_verifier(builder, verifier);
+     }
+ 
+ #if TLS_MACHINE_CERTS
+@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     rustls_connection_set_userdata(cc->rustls_connection, c);
+ 
+ cleanup:
++    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
+     if (builder != NULL) rustls_client_config_builder_free(builder);
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr = NULL;
+@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_allow_any_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+-            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
++            rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+     }
+ 
+From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 13:49:49 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
+
+The breaking API changes in this release don't affect `mod_tls`, making
+this an in-place update.
+
+See the upstream release notes[0] for more information.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
+---
+ .github/workflows/linux.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 3700bc4546a..54dcd7b0b32 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.12.2"
++              RUSTLS_VERSION="v0.13.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1

diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
new file mode 100644
index 0000000..63cb606
--- /dev/null
+++ b/2.4/patches/06-dh-regression.patch
@@ -0,0 +1,81 @@
+From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 8 Apr 2024 13:18:28 +0000
+Subject: [PATCH] * Ensure that we set the default DH parameters for the key
+
+Replace else with an if as the if branch no longer ensures that
+custome DH parameters have been loaded.
+This fixes a regression that causes the default DH parameters for a key
+no longer set and thus effectively disabling DH ciphers when no explicit
+DH parameters are set.
+
+PR: 68863
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/pr68863.txt   |  3 +++
+ modules/ssl/ssl_engine_init.c | 11 ++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 changes-entries/pr68863.txt
+
+diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
+new file mode 100644
+index 00000000000..d45ffc708cc
+--- /dev/null
++++ b/changes-entries/pr68863.txt
+@@ -0,0 +1,3 @@
++  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
++     no longer set and thus effectively disabling DH ciphers when no explicit
++     DH parameters are set. PR 68863 [Ruediger Pluem]
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 64e4aaf1dcd..f657026d137 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+     int i;
+     EVP_PKEY *pkey;
++    int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+     EC_GROUP *ecgroup = NULL;
+     int curve_nid = 0;
+@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+      */
+     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+     if (certfile && !modssl_is_engine_id(certfile)) {
+-        int done = 0, num_bits = 0;
++        int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+         DH *dh = modssl_dh_from_file(certfile);
+         if (dh) {
+             num_bits = DH_bits(dh);
+             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+             DH_free(dh);
+-            done = 1;
++            custom_dh_done = 1;
+         }
+ #else
+         pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+                 EVP_PKEY_free(pkey);
+             }
+             else {
+-                done = 1;
++                custom_dh_done = 1;
+             }
+         }
+ #endif
+-        if (done) {
++        if (custom_dh_done) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+                          "Custom DH parameters (%d bits) for %s loaded from %s",
+                          num_bits, vhost_id, certfile);
+         }
+     }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+-    else {
++    if (!custom_dh_done) {
+         /* If no parameter is manually configured, enable auto
+          * selection. */
+         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
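Review bot: The new fallback branch `if (!custom_dh_done)` at the end of the hunk enables DH auto-selection with no log output, while the custom-parameter path a few lines above logs at APLOG_DEBUG with APLOGNO(02540); since the regression this fixes (PR 68863) silently disabled DH ciphers, a matching debug line here would make the effective DH mode visible when diagnosing cipher negotiation. Something like `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(NNNNN) "No custom DH parameters for %s, enabling auto selection", vhost_id);` after `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);`, where NNNNN is a placeholder to be assigned by the project's APLOGNO tooling. Note that `custom_dh_done` also stays 0 when parameters were found in the cert file but rejected (the branch that frees pkey), so that case now falls through to auto selection as well; whether it is already logged cannot be seen from this hunk. ssl_init_server_certs continues outside the hunk, and the remainder of the `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` block is not visible here.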



* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2024-07-01 19:47 Hans de Graaff
From: Hans de Graaff @ 2024-07-01 19:47 UTC (permalink / raw
  To: gentoo-commits

commit:     ce494eb59b4868bd110942041e3c0a6cfb558ed6
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Mon Jul  1 18:24:54 2024 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Mon Jul  1 19:47:09 2024 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=ce494eb5

Update patches for 2.4.60

Remove patches that are already included in the 2.5.60 release.

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/patches/05-rustls-0.13.0.patch | 544 -------------------------------------
 2.4/patches/06-dh-regression.patch |  81 ------
 2 files changed, 625 deletions(-)

diff --git a/2.4/patches/05-rustls-0.13.0.patch b/2.4/patches/05-rustls-0.13.0.patch
deleted file mode 100644
index f8cfc6b..0000000
--- a/2.4/patches/05-rustls-0.13.0.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:05:19 -0400
-Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
-
-The rustls version included in the rustls-ffi version output does not
-always contain three components. E.g. rustls-ffi 0.12.2 uses the version
-string:
-
-  rustls-ffi/0.12.2/rustls/0.22
-
-Notably there is no `.0` after the `0.22` for the Rustls version, and
-this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
----
- test/modules/tls/test_08_vars.py      | 2 +-
- test/modules/tls/test_14_proxy_ssl.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
-index ad764a7985a..0e3ee74d2df 100644
---- a/test/modules/tls/test_08_vars.py
-+++ b/test/modules/tls/test_08_vars.py
-@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
- 
-     @pytest.mark.parametrize("name, pattern", [
-         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
--        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
-     ])
-     def test_tls_08_vars_match(self, env, name: str, pattern: str):
-         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
-diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
-index 2f46c64f710..87e04c28afa 100644
---- a/test/modules/tls/test_14_proxy_ssl.py
-+++ b/test/modules/tls/test_14_proxy_ssl.py
-@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
- 
-     @pytest.mark.parametrize("name, pattern", [
-         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
--        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
-     ])
-     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
-         if not HttpdTestEnv.has_shared_module("tls"):
-From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:19:50 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
-
-See upstream release notes[0] for more information.
-
-Also note that the, ahem, clunkyness of the verifier API is reduced in
-the 0.12 release and this is a transition state.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
----
- .github/workflows/linux.yml |  2 +-
- modules/tls/tls_cert.c      | 26 ++++++++++++++++++--------
- modules/tls/tls_cert.h      |  6 +++---
- modules/tls/tls_core.c      |  4 ++--
- 4 files changed, 24 insertions(+), 14 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 8c45faf5651..1ac41c6b2d6 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.10.0"
-+              RUSTLS_VERSION="v0.11.0"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 624535aa444..17a35fc498d 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
- 
- typedef struct {
-     const char *id;
--    const rustls_client_cert_verifier *client_verifier;
--    const rustls_client_cert_verifier_optional *client_verifier_opt;
-+    const rustls_allow_any_authenticated_client_verifier *client_verifier;
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
- 
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
-     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
-     (void)ctx; (void)key; (void)klen;
-     if (entry->client_verifier) {
--        rustls_client_cert_verifier_free(entry->client_verifier);
-+        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-         entry->client_verifier = NULL;
-     }
-     if (entry->client_verifier_opt) {
--        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
-+        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-         entry->client_verifier_opt = NULL;
-     }
-     return 1;
-@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier **pverifier)
-+    const rustls_allow_any_authenticated_client_verifier **pverifier)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
-+    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier) {
-         rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        entry->client_verifier = rustls_client_cert_verifier_new(store);
-+        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
-+        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-     }
- 
- cleanup:
-+    if (verifier_builder != NULL) {
-+        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+    }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier;
-     }
-@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier_optional **pverifier)
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
-+    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier_opt) {
-         rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
-+        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
-+        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
-     }
- 
- cleanup:
-+    if (verifier_builder != NULL) {
-+        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-+    }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier_opt;
-     }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 6ab3f48ae13..4ac3865dd86 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier **pverifier);
-+    const rustls_allow_any_authenticated_client_verifier **pverifier);
- 
- /**
-  * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_client_cert_verifier_optional **pverifier);
-+    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
- 
--#endif /* tls_cert_h */
-\ No newline at end of file
-+#endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index 25479392f1a..df29077826d 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
-     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
-         ap_assert(sc->client_ca);  /* checked in server_setup */
-         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
--            const rustls_client_cert_verifier *verifier;
-+            const rustls_allow_any_authenticated_client_verifier *verifier;
-             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             rustls_server_config_builder_set_client_verifier(builder, verifier);
-         }
-         else {
--            const rustls_client_cert_verifier_optional *verifier;
-+            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
-             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:37:25 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
-
-See upstream release notes for more information:
-
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
----
- .github/workflows/linux.yml |  2 +-
- modules/tls/tls_cert.c      | 99 ++++++++++++++++++++-----------------
- modules/tls/tls_cert.h      |  8 +--
- modules/tls/tls_core.c      | 16 ++++--
- 4 files changed, 70 insertions(+), 55 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 1ac41c6b2d6..3700bc4546a 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.11.0"
-+              RUSTLS_VERSION="v0.12.2"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 17a35fc498d..ffb941cae40 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
- }
- 
- apr_status_t tls_cert_load_root_store(
--    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
-+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
- {
-     const char *fpath;
-     tls_data_t pem;
--    rustls_root_cert_store *store = NULL;
-+    rustls_root_cert_store_builder *store_builder = NULL;
-+    const rustls_root_cert_store *store = NULL;
-     rustls_result rr = RUSTLS_RESULT_OK;
-     apr_pool_t *ptemp = NULL;
-     apr_status_t rv;
-@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
-     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
-     if (APR_SUCCESS != rv) goto cleanup;
- 
--    store = rustls_root_cert_store_new();
--    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
-+    store_builder = rustls_root_cert_store_builder_new();
-+    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
-+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+
-+    rr = rustls_root_cert_store_builder_build(store_builder, &store);
-     if (RUSTLS_RESULT_OK != rr) goto cleanup;
- 
- cleanup:
-+    if (store_builder != NULL) {
-+        rustls_root_cert_store_builder_free(store_builder);
-+    }
-     if (RUSTLS_RESULT_OK != rr) {
-         const char *err_descr;
-         rv = tls_util_rustls_error(p, rr, &err_descr);
-@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
- 
- typedef struct {
-     const char *id;
--    rustls_root_cert_store *store;
-+    const rustls_root_cert_store *store;
- } tls_cert_root_stores_entry_t;
- 
- static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
- apr_status_t tls_cert_root_stores_get(
-     tls_cert_root_stores_t *stores,
-     const char *store_file,
--    rustls_root_cert_store **pstore)
-+    const rustls_root_cert_store **pstore)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_root_stores_entry_t *entry;
- 
-     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
-     if (!entry) {
--        rustls_root_cert_store *store;
-+        const rustls_root_cert_store *store;
-         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
-         entry = apr_pcalloc(stores->pool, sizeof(*entry));
-@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
- 
- typedef struct {
-     const char *id;
--    const rustls_allow_any_authenticated_client_verifier *client_verifier;
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
-+    rustls_client_cert_verifier *client_verifier;
-+    rustls_client_cert_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
- 
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
-     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
-     (void)ctx; (void)key; (void)klen;
-     if (entry->client_verifier) {
--        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-+        rustls_client_cert_verifier_free(entry->client_verifier);
-         entry->client_verifier = NULL;
-     }
-     if (entry->client_verifier_opt) {
--        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-+        rustls_client_cert_verifier_free(entry->client_verifier_opt);
-         entry->client_verifier_opt = NULL;
-     }
-     return 1;
-@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
-     return entry;
- }
- 
--apr_status_t tls_cert_client_verifiers_get(
--    tls_cert_verifiers_t *verifiers,
--    const char *store_file,
--    const rustls_allow_any_authenticated_client_verifier **pverifier)
-+static apr_status_t tls_cert_client_verifiers_get_internal(
-+        tls_cert_verifiers_t *verifiers,
-+        const char *store_file,
-+        const rustls_client_cert_verifier **pverifier,
-+        bool allow_unauthenticated)
- {
-     apr_status_t rv = APR_SUCCESS;
-     tls_cert_verifiers_entry_t *entry;
--    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
-+    rustls_result rr = RUSTLS_RESULT_OK;
-+    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
- 
-     entry = verifiers_get_or_make_entry(verifiers, store_file);
-     if (!entry->client_verifier) {
--        rustls_root_cert_store *store;
-+        const rustls_root_cert_store *store;
-         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
--        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-+        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
-+
-+        if (allow_unauthenticated) {
-+            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
-+            if (rr != RUSTLS_RESULT_OK) {
-+                goto cleanup;
-+            }
-+        }
-+
-+        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
-+        if (rr != RUSTLS_RESULT_OK) {
-+            goto cleanup;
-+        }
-     }
- 
- cleanup:
-     if (verifier_builder != NULL) {
--        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
-+    }
-+    if (rr != RUSTLS_RESULT_OK) {
-+        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
-     }
-     if (APR_SUCCESS == rv) {
-         *pverifier = entry->client_verifier;
-@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
-     return rv;
- }
- 
--apr_status_t tls_cert_client_verifiers_get_optional(
-+
-+apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
-+    const rustls_client_cert_verifier **pverifier)
- {
--    apr_status_t rv = APR_SUCCESS;
--    tls_cert_verifiers_entry_t *entry;
--    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
--
--    entry = verifiers_get_or_make_entry(verifiers, store_file);
--    if (!entry->client_verifier_opt) {
--        rustls_root_cert_store *store;
--        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
--        if (APR_SUCCESS != rv) goto cleanup;
--        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
--        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
--    }
-+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
-+}
- 
--cleanup:
--    if (verifier_builder != NULL) {
--        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
--    }
--    if (APR_SUCCESS == rv) {
--        *pverifier = entry->client_verifier_opt;
--    }
--    else {
--        *pverifier = NULL;
--    }
--    return rv;
-+apr_status_t tls_cert_client_verifiers_get_optional(
-+    tls_cert_verifiers_t *verifiers,
-+    const char *store_file,
-+    const rustls_client_cert_verifier **pverifier)
-+{
-+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 4ac3865dd86..3326f0eb3e7 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
-  * @param pstore the loaded root store on success
-  */
- apr_status_t tls_cert_load_root_store(
--    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
-+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
- 
- typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
- struct tls_cert_root_stores_t {
-@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
- apr_status_t tls_cert_root_stores_get(
-     tls_cert_root_stores_t *stores,
-     const char *store_file,
--    rustls_root_cert_store **pstore);
-+    const rustls_root_cert_store **pstore);
- 
- typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
- struct tls_cert_verifiers_t {
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_authenticated_client_verifier **pverifier);
-+    const rustls_client_cert_verifier **pverifier);
- 
- /**
-  * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
-     tls_cert_verifiers_t *verifiers,
-     const char *store_file,
--    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
-+    const rustls_client_cert_verifier **pverifier);
- 
- #endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index df29077826d..1cef254f103 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     tls_conf_proxy_t *pc;
-     const apr_array_header_t *ciphersuites = NULL;
-     apr_array_header_t *tls_versions = NULL;
-+    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
-+    struct rustls_server_cert_verifier *verifier = NULL;
-     rustls_client_config_builder *builder = NULL;
--    rustls_root_cert_store *ca_store = NULL;
-+    const rustls_root_cert_store *ca_store = NULL;
-     const char *hostname = NULL, *alpn_note = NULL;
-     rustls_result rr = RUSTLS_RESULT_OK;
-     apr_status_t rv = APR_SUCCESS;
-@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
-         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
-         if (APR_SUCCESS != rv) goto cleanup;
--        rustls_client_config_builder_use_roots(builder, ca_store);
-+        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
-+        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
-+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+        rustls_client_config_builder_set_server_verifier(builder, verifier);
-     }
- 
- #if TLS_MACHINE_CERTS
-@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
-     rustls_connection_set_userdata(cc->rustls_connection, c);
- 
- cleanup:
-+    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
-     if (builder != NULL) rustls_client_config_builder_free(builder);
-     if (RUSTLS_RESULT_OK != rr) {
-         const char *err_descr = NULL;
-@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
-     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
-         ap_assert(sc->client_ca);  /* checked in server_setup */
-         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
--            const rustls_allow_any_authenticated_client_verifier *verifier;
-+            const rustls_client_cert_verifier *verifier;
-             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
-             rustls_server_config_builder_set_client_verifier(builder, verifier);
-         }
-         else {
--            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
-+            const rustls_client_cert_verifier *verifier;
-             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
-             if (APR_SUCCESS != rv) goto cleanup;
--            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-+            rustls_server_config_builder_set_client_verifier(builder, verifier);
-         }
-     }
- 
-From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 13:49:49 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
-
-The breaking API changes in this release don't affect `mod_tls`, making
-this an in-place update.
-
-See the upstream release notes[0] for more information.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
----
- .github/workflows/linux.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 3700bc4546a..54dcd7b0b32 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
-               APR_VERSION=1.7.4
-               APU_VERSION=1.6.3
-               APU_CONFIG="--with-crypto"
--              RUSTLS_VERSION="v0.12.2"
-+              RUSTLS_VERSION="v0.13.0"
-               NO_TEST_FRAMEWORK=1
-               TEST_INSTALL=1
-               TEST_MOD_TLS=1

diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
deleted file mode 100644
index 63cb606..0000000
--- a/2.4/patches/06-dh-regression.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem <rpluem@apache.org>
-Date: Mon, 8 Apr 2024 13:18:28 +0000
-Subject: [PATCH] * Ensure that we set the default DH parameters for the key
-
-Replace else with an if as the if branch no longer ensures that
-custome DH parameters have been loaded.
-This fixes a regression that causes the default DH parameters for a key
-no longer set and thus effectively disabling DH ciphers when no explicit
-DH parameters are set.
-
-PR: 68863
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
----
- changes-entries/pr68863.txt   |  3 +++
- modules/ssl/ssl_engine_init.c | 11 ++++++-----
- 2 files changed, 9 insertions(+), 5 deletions(-)
- create mode 100644 changes-entries/pr68863.txt
-
-diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
-new file mode 100644
-index 00000000000..d45ffc708cc
---- /dev/null
-+++ b/changes-entries/pr68863.txt
-@@ -0,0 +1,3 @@
-+  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
-+     no longer set and thus effectively disabling DH ciphers when no explicit
-+     DH parameters are set. PR 68863 [Ruediger Pluem]
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 64e4aaf1dcd..f657026d137 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
-     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
-     int i;
-     EVP_PKEY *pkey;
-+    int custom_dh_done = 0;
- #ifdef HAVE_ECC
-     EC_GROUP *ecgroup = NULL;
-     int curve_nid = 0;
-@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
-      */
-     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
-     if (certfile && !modssl_is_engine_id(certfile)) {
--        int done = 0, num_bits = 0;
-+        int num_bits = 0;
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
-         DH *dh = modssl_dh_from_file(certfile);
-         if (dh) {
-             num_bits = DH_bits(dh);
-             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
-             DH_free(dh);
--            done = 1;
-+            custom_dh_done = 1;
-         }
- #else
-         pkey = modssl_dh_pkey_from_file(certfile);
-@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
-                 EVP_PKEY_free(pkey);
-             }
-             else {
--                done = 1;
-+                custom_dh_done = 1;
-             }
-         }
- #endif
--        if (done) {
-+        if (custom_dh_done) {
-             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
-                          "Custom DH parameters (%d bits) for %s loaded from %s",
-                          num_bits, vhost_id, certfile);
-         }
-     }
- #if !MODSSL_USE_OPENSSL_PRE_1_1_API
--    else {
-+    if (!custom_dh_done) {
-         /* If no parameter is manually configured, enable auto
-          * selection. */
-         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);

