Merge of /httpd/httpd/trunk:r1917270
authorStefan Eissing <icing@apache.org>
Thu, 6 Jun 2024 13:43:29 +0000 (13:43 +0000)
committerStefan Eissing <icing@apache.org>
Thu, 6 Jun 2024 13:43:29 +0000 (13:43 +0000)
 * mod_tls: update version of rustls-ffi to v0.13.0.
   [Daniel McCarney (@cpu)]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918194 13f79535-47bb-0310-9956-ffa450edef68

.github/workflows/linux.yml
changes-entries/mod_tls_v0.9.0.txt [new file with mode: 0644]
modules/tls/tls_cert.c
modules/tls/tls_cert.h
modules/tls/tls_core.c
modules/tls/tls_version.h
test/modules/tls/test_08_vars.py
test/modules/tls/test_14_proxy_ssl.py

index ddacd4af1938c09f202db5a75d966a666773d086..ff5f5ec269f07d7be607d35e571c8012067dff3f 100644 (file)
@@ -215,7 +215,7 @@ jobs:
               APR_VERSION=1.7.4
               APU_VERSION=1.6.3
               APU_CONFIG="--with-crypto"
-              RUSTLS_VERSION="v0.10.0"
+              RUSTLS_VERSION="v0.13.0"
               NO_TEST_FRAMEWORK=1
               TEST_INSTALL=1
               TEST_MOD_TLS=1
diff --git a/changes-entries/mod_tls_v0.9.0.txt b/changes-entries/mod_tls_v0.9.0.txt
new file mode 100644 (file)
index 0000000..b57bf0b
--- /dev/null
@@ -0,0 +1,2 @@
+ * mod_tls: update version of rustls-ffi to v0.13.0.
+   [Daniel McCarney (@cpu}]
index 624535aa444d568f03c4eb9f94079c0bbb95bf02..ffb941cae40581d0927bc298cc153a6e49b13f35 100644 (file)
@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
 }
 
 apr_status_t tls_cert_load_root_store(
-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
 {
     const char *fpath;
     tls_data_t pem;
-    rustls_root_cert_store *store = NULL;
+    rustls_root_cert_store_builder *store_builder = NULL;
+    const rustls_root_cert_store *store = NULL;
     rustls_result rr = RUSTLS_RESULT_OK;
     apr_pool_t *ptemp = NULL;
     apr_status_t rv;
@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
     if (APR_SUCCESS != rv) goto cleanup;
 
-    store = rustls_root_cert_store_new();
-    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
+    store_builder = rustls_root_cert_store_builder_new();
+    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
+    if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+    rr = rustls_root_cert_store_builder_build(store_builder, &store);
     if (RUSTLS_RESULT_OK != rr) goto cleanup;
 
 cleanup:
+    if (store_builder != NULL) {
+        rustls_root_cert_store_builder_free(store_builder);
+    }
     if (RUSTLS_RESULT_OK != rr) {
         const char *err_descr;
         rv = tls_util_rustls_error(p, rr, &err_descr);
@@ -378,7 +385,7 @@ cleanup:
 
 typedef struct {
     const char *id;
-    rustls_root_cert_store *store;
+    const rustls_root_cert_store *store;
 } tls_cert_root_stores_entry_t;
 
 static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
 apr_status_t tls_cert_root_stores_get(
     tls_cert_root_stores_t *stores,
     const char *store_file,
-    rustls_root_cert_store **pstore)
+    const rustls_root_cert_store **pstore)
 {
     apr_status_t rv = APR_SUCCESS;
     tls_cert_root_stores_entry_t *entry;
 
     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
     if (!entry) {
-        rustls_root_cert_store *store;
+        const rustls_root_cert_store *store;
         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
         if (APR_SUCCESS != rv) goto cleanup;
         entry = apr_pcalloc(stores->pool, sizeof(*entry));
@@ -449,8 +456,8 @@ cleanup:
 
 typedef struct {
     const char *id;
-    const rustls_client_cert_verifier *client_verifier;
-    const rustls_client_cert_verifier_optional *client_verifier_opt;
+    rustls_client_cert_verifier *client_verifier;
+    rustls_client_cert_verifier *client_verifier_opt;
 } tls_cert_verifiers_entry_t;
 
 static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
@@ -462,7 +469,7 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
         entry->client_verifier = NULL;
     }
     if (entry->client_verifier_opt) {
-        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
+        rustls_client_cert_verifier_free(entry->client_verifier_opt);
         entry->client_verifier_opt = NULL;
     }
     return 1;
@@ -511,23 +518,44 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
     return entry;
 }
 
-apr_status_t tls_cert_client_verifiers_get(
-    tls_cert_verifiers_t *verifiers,
-    const char *store_file,
-    const rustls_client_cert_verifier **pverifier)
+static apr_status_t tls_cert_client_verifiers_get_internal(
+        tls_cert_verifiers_t *verifiers,
+        const char *store_file,
+        const rustls_client_cert_verifier **pverifier,
+        bool allow_unauthenticated)
 {
     apr_status_t rv = APR_SUCCESS;
     tls_cert_verifiers_entry_t *entry;
+    rustls_result rr = RUSTLS_RESULT_OK;
+    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
 
     entry = verifiers_get_or_make_entry(verifiers, store_file);
     if (!entry->client_verifier) {
-        rustls_root_cert_store *store;
+        const rustls_root_cert_store *store;
         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
         if (APR_SUCCESS != rv) goto cleanup;
-        entry->client_verifier = rustls_client_cert_verifier_new(store);
+        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
+
+        if (allow_unauthenticated) {
+            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
+            if (rr != RUSTLS_RESULT_OK) {
+                goto cleanup;
+            }
+        }
+
+        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
+        if (rr != RUSTLS_RESULT_OK) {
+            goto cleanup;
+        }
     }
 
 cleanup:
+    if (verifier_builder != NULL) {
+        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
+    }
+    if (rr != RUSTLS_RESULT_OK) {
+        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+    }
     if (APR_SUCCESS == rv) {
         *pverifier = entry->client_verifier;
     }
@@ -537,28 +565,19 @@ cleanup:
     return rv;
 }
 
-apr_status_t tls_cert_client_verifiers_get_optional(
+
+apr_status_t tls_cert_client_verifiers_get(
     tls_cert_verifiers_t *verifiers,
     const char *store_file,
-    const rustls_client_cert_verifier_optional **pverifier)
+    const rustls_client_cert_verifier **pverifier)
 {
-    apr_status_t rv = APR_SUCCESS;
-    tls_cert_verifiers_entry_t *entry;
-
-    entry = verifiers_get_or_make_entry(verifiers, store_file);
-    if (!entry->client_verifier_opt) {
-        rustls_root_cert_store *store;
-        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-        if (APR_SUCCESS != rv) goto cleanup;
-        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
-    }
+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
+}
 
-cleanup:
-    if (APR_SUCCESS == rv) {
-        *pverifier = entry->client_verifier_opt;
-    }
-    else {
-        *pverifier = NULL;
-    }
-    return rv;
+apr_status_t tls_cert_client_verifiers_get_optional(
+    tls_cert_verifiers_t *verifiers,
+    const char *store_file,
+    const rustls_client_cert_verifier **pverifier)
+{
+    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
 }
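Review bot: tls_cert_client_verifiers_get_internal caches both flavours of verifier in the same slot: the `if (!entry->client_verifier)` test and the `_builder_build(verifier_builder, &entry->client_verifier)` call use `entry->client_verifier` regardless of `allow_unauthenticated`, and `entry->client_verifier_opt` is no longer written anywhere (only freed in verifiers_entry_cleanup). Since entries are keyed on store_file, whichever wrapper runs first wins for every later caller that shares that CA file: a vhost requiring a client certificate can be handed the verifier built with allow_unauthenticated, so a client presenting no certificate is accepted where it should be rejected, and the reverse order silently makes optional verification mandatory. Select the slot from the flag and read `*pverifier` back from the same slot. The function spans two hunks here; its tail (`return rv; }`) is at the start of the following hunk.
```c
static apr_status_t tls_cert_client_verifiers_get_internal(
        tls_cert_verifiers_t *verifiers,
        const char *store_file,
        const rustls_client_cert_verifier **pverifier,
        bool allow_unauthenticated)
{
    /* … unchanged: rv, entry, rr, verifier_builder declarations … */
    rustls_client_cert_verifier **slot;

    entry = verifiers_get_or_make_entry(verifiers, store_file);
    /* mandatory and optional verifiers must not share a cache slot */
    slot = allow_unauthenticated ? &entry->client_verifier_opt : &entry->client_verifier;
    if (!*slot) {
        /* … unchanged: root store lookup, builder creation, allow_unauthenticated … */
        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, slot);
        if (rr != RUSTLS_RESULT_OK) {
            goto cleanup;
        }
    }

cleanup:
    /* … unchanged: builder free, rr -> rv mapping … */
    if (APR_SUCCESS == rv) {
        *pverifier = *slot;
    }
```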
index 6ab3f48ae13d760096375739e4353d9713978906..3326f0eb3e7d50a6c996f49a42981baa1d183c6e 100644 (file)
@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
  * @param pstore the loaded root store on success
  */
 apr_status_t tls_cert_load_root_store(
-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
+    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
 
 typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
 struct tls_cert_root_stores_t {
@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
 apr_status_t tls_cert_root_stores_get(
     tls_cert_root_stores_t *stores,
     const char *store_file,
-    rustls_root_cert_store **pstore);
+    const rustls_root_cert_store **pstore);
 
 typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
 struct tls_cert_verifiers_t {
@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
 apr_status_t tls_cert_client_verifiers_get_optional(
     tls_cert_verifiers_t *verifiers,
     const char *store_file,
-    const rustls_client_cert_verifier_optional **pverifier);
+    const rustls_client_cert_verifier **pverifier);
 
-#endif /* tls_cert_h */
\ No newline at end of file
+#endif /* tls_cert_h */
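Review bot: With the signature change at `tls_cert_client_verifiers_get_optional` the two getters are now type-identical, so nothing in the header tells a caller whether the verifier it holds will reject a connection without a client certificate. The doc comment for the optional variant (it begins above this hunk) should state the difference explicitly, e.g. `Like tls_cert_client_verifiers_get(), but the returned verifier is built with allow_unauthenticated: a client that presents no certificate is accepted, while a presented certificate is still verified against store_file.` The same remark applies to the callers in tls_core.c, where both verifiers now go through `rustls_server_config_builder_set_client_verifier`.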
index 25479392f1ae68e84de693748d70a074ca5e54a9..1cef254f1031d027f08ee06d415c758195add0ae 100644 (file)
@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     tls_conf_proxy_t *pc;
     const apr_array_header_t *ciphersuites = NULL;
     apr_array_header_t *tls_versions = NULL;
+    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
+    struct rustls_server_cert_verifier *verifier = NULL;
     rustls_client_config_builder *builder = NULL;
-    rustls_root_cert_store *ca_store = NULL;
+    const rustls_root_cert_store *ca_store = NULL;
     const char *hostname = NULL, *alpn_note = NULL;
     rustls_result rr = RUSTLS_RESULT_OK;
     apr_status_t rv = APR_SUCCESS;
@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
         if (APR_SUCCESS != rv) goto cleanup;
-        rustls_client_config_builder_use_roots(builder, ca_store);
+        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
+        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
+        if (RUSTLS_RESULT_OK != rr) goto cleanup;
+        rustls_client_config_builder_set_server_verifier(builder, verifier);
     }
 
 #if TLS_MACHINE_CERTS
@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
     rustls_connection_set_userdata(cc->rustls_connection, c);
 
 cleanup:
+    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
     if (builder != NULL) rustls_client_config_builder_free(builder);
     if (RUSTLS_RESULT_OK != rr) {
         const char *err_descr = NULL;
@@ -1125,10 +1131,10 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
             rustls_server_config_builder_set_client_verifier(builder, verifier);
         }
         else {
-            const rustls_client_cert_verifier_optional *verifier;
+            const rustls_client_cert_verifier *verifier;
             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
             if (APR_SUCCESS != rv) goto cleanup;
-            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+            rustls_server_config_builder_set_client_verifier(builder, verifier);
         }
     }
 
index 811d6f11ef5bd5271552cdfa59dec511e1558336..bc9fb0bbb78016e43379f00b5783f427b8e70d7a 100644 (file)
@@ -26,7 +26,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_TLS_VERSION "0.8.3"
+#define MOD_TLS_VERSION "0.9.0"
 
 /**
  * @macro
@@ -34,6 +34,6 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_TLS_VERSION_NUM 0x000802
+#define MOD_TLS_VERSION_NUM 0x000900
 
 #endif /* mod_md_md_version_h */
index f1bd9b418a27d1492bf2f9f0814117e4d40a665d..a8df99af2aafbe4409e80ffdd7b6b3e791b986bc 100644 (file)
@@ -51,7 +51,7 @@ class TestVars:
 
     @pytest.mark.parametrize("name, pattern", [
         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
     ])
     def test_tls_08_vars_match(self, env, name: str, pattern: str):
         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
index 79b2fb4b041a390b891527112857131d70696174..cefcbf60011acb186ebe1aaccd9609a641e7036f 100644 (file)
@@ -69,7 +69,7 @@ class TestProxySSL:
 
     @pytest.mark.parametrize("name, pattern", [
         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
+        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
     ])
     def test_tls_14_proxy_ssl_vars_match(self, env, name: str, pattern: str):
         r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")