Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

small fixes, a couple new API fns, and a bunch of stubs #43

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

small fixes, a couple new API fns, and a bunch of stubs #43

wants to merge 9 commits into from

Conversation

cpu
Copy link
Member

@cpu cpu commented Sep 27, 2024
edited
Loading

  • Restores the .gitignore that was lost in the repo contents shuffling.
  • Tries to fix dependabot - I think our YAML indentation was making this config a NOP (f'ing YAML...).
  • Updates Rustls to the latest release
  • Updates the make format target to also format the rust code for one-step convenience.
  • Implements SSL_alert_type_string() and SSL_alert_type_string_long() - these are very boring but serve as companions to the pre-existing SSL_alert_desc_string() and SSL_alert_desc_string_long() fns.
  • Partially implements SSL_set_cipher_list() by matching the partial impl for SSL_CTX_set_cipher_list().
  • Implements SSL_set_verify_result() to allow overriding the value returned by SSL_get_verify_result().
  • Stubs ~23 new functions that a clean build of Apache HTTPD trunk requires when loading mod_ssl. I've tried to place these in our stub section of entry.rs based on guesses on which I think we might actually want to impl one day. Most are things that are a clear no-go (SRP related, low level protocol details, etc)

This branch gets me to the point where httpd starts up without symbol resolution error but it certainly doesn't work yet. I've avoided updating the MATRIX.md to list which APIs HTTPD specifically needs because I'm not totally convinced it's a sensible target for this compat layer. The HTTPD mod_ssl code is quite old/crufty and so its interactions with the libssl APIs are much more nuanced and complex than we may wish to support. Mostly I was curious about the level of effort required vs continuing to support mod_tls & a rustls-ffi based solution.

@cpu
proj: restore gitignore
e8ee73d 
When the `rustls-libssl` code was moved to the root of the repo I think
the `.gitignore` got nuked. This commit restores the content we had
before the move.
@cpu
ci: try to fix dependabot
8e72768 
This repo hasn't been receiving any dependabot PRs despite there being
updates available (e.g. Rustls). Spot checking against a config in
a repo that is working I _think_ the issue might be YAML whitespace
related... Let's try to match to the other repo's config exactly.
@cpu
Cargo: specify only major openssl-sys version
b37847e 
We don't need a specific minimum version of the 0.9 release stream.
@cpu
Cargo: update rustls 0.23.11 -> 0.23.13
85ed713
@cpu
Makefile: run admin/format as part of make format
3891f91
@cpu
implement SSL_alert_type_string[_long]
1ea8cac 
This commit implements `SSL_alert_type_string()` and
`SSL_alert_type_string_long()`. These functions act similarly to the
existing `SSL_alert_desc_string()` and `SSL_alert_desc_string_long()`
functions except returning a (short or long) string for the alert level
(fatal, warning, unknown) instead of the alert description.
@cpu
implement SSL_set_cipher_list
923f70e 
This commit adds a very simple implementation of `SSL_set_cipher_list`
that only returns success for the string "HIGH:!aNULL:!MD5", and
otherwise raises a not supported error.

This matches the pre-existing `SSL_CTX_set_cipher_list` that operated
similarly for a `SSL_CTX` as this new fn operates for a `SSL`.
@cpu
implement SSL_set_verify_result
0f6989c 
Overrides the value that will be returned by `SSL_get_verify_result()`.
Is this smart to do? Probably not.
@cpu
stub a number of API functions
ca165c7 
Adds stub implementations for a variety of functions HTTPD's
`mod_ssl.so` expects to be able to resolve:

  SSL_add_file_cert_subjects_to_stack
  SSL_client_hello_get0_ext,
  SSL_COMP_get_compression_methods,
  SSL_CTX_set0_tmp_dh_pkey,
  SSL_CTX_set_client_cert_cb,
  SSL_CTX_set_client_hello_cb,
  SSL_CTX_set_srp_cb_arg
  SSL_CTX_set_srp_username_callback,
  SSL_CTX_set_tlsext_ticket_key_evp_cb,
  SSL_get_ciphers,
  SSL_get_client_CA_list,
  SSL_get_finished,
  SSL_get_peer_finished,
  SSL_get_shared_ciphers,
  SSL_get_srp_userinfo,
  SSL_get_srp_username,
  SSL_peek,
  SSL_renegotiate,
  SSL_SESSION_get_compress_id,
  SSL_set_session_id_context,
  SSL_set_srp_server_param,
  SSL_state_string,
  SSL_state_string_long,
  SSL_verify_client_post_handshake,
@cpu cpu self-assigned this Sep 27, 2024
cpu
cpu commented Sep 27, 2024
View reviewed changes
src/verifier.rs
@@ -66,6 +66,10 @@ impl ServerVerifier {
self.last_result.load(Ordering::Acquire)
}

pub fn update_last_result(&self, v: i64) {
self.last_result.store(v, Ordering::Relaxed);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think Relaxed is the right choice here, but I admit to not being 100% sure. (Ditto L210).

Calling this out as something I'd appreciate input on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@cpu