author | Daniel McCarney <daniel@binaryparadox.net> | 2024-07-05 15:44:08 -0400 |
---|---|---|
committer | Daniel McCarney <daniel@binaryparadox.net> | 2024-09-09 11:42:49 -0400 |
commit | 3275fa3bf3497d2e46a2386fe9715332bd361a96 (patch) | |
tree | 80ce1483fd48830565ab4f05824bd7caeb76f180 | |
parent | 824382e6f38b665995787aac425fce215d156e67 (diff) |
client: convert Verifier to provider
The `Verifier` type previously had an unconditional dependency on the
`*ring*` crypto provider. This commit converts it to use the crypto
provider set up by the client config builder as appropriate.
-rw-r--r-- | src/client.rs | 25 | ||||
-rw-r--r-- | src/rustls.h | 5 |
2 files changed, 21 insertions, 9 deletions
diff --git a/src/client.rs b/src/client.rs index 7c87378..9ed00ac 100644 --- a/src/client.rs +++ b/src/client.rs @@ -7,7 +7,7 @@ use libc::{c_char, size_t}; use pki_types::{CertificateDer, UnixTime}; use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier}; use rustls::client::ResolvesClientCert; -use rustls::crypto::CryptoProvider; +use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider}; use rustls::{ sign::CertifiedKey, ClientConfig, ClientConnection, DigitallySignedStruct, Error, ProtocolVersion, SignatureScheme, SupportedProtocolVersion, @@ -187,6 +187,7 @@ type VerifyCallback = unsafe extern "C" fn( // An implementation of rustls::ServerCertVerifier based on a C callback. struct Verifier { + provider: Arc<CryptoProvider>, callback: VerifyCallback, } @@ -242,11 +243,11 @@ impl ServerCertVerifier for Verifier { cert: &CertificateDer, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error> { - rustls::crypto::verify_tls12_signature( + verify_tls12_signature( message, cert, dss, - &rustls::crypto::ring::default_provider().signature_verification_algorithms, + &self.provider.signature_verification_algorithms, ) } @@ -256,16 +257,16 @@ impl ServerCertVerifier for Verifier { cert: &CertificateDer, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error> { - rustls::crypto::verify_tls13_signature( + verify_tls13_signature( message, cert, dss, - &rustls::crypto::ring::default_provider().signature_verification_algorithms, + &self.provider.signature_verification_algorithms, ) } fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { - rustls::crypto::ring::default_provider() + self.provider .signature_verification_algorithms .supported_schemes() } 
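Review bot: The new `provider` field on `Verifier` carries no comment, so a reader cannot tell from the struct which parts of verification it governs. In the following hunks it is read only by `verify_tls12_signature`, `verify_tls13_signature` and `supported_verify_schemes`, so I would add above the field `// Supplies the signature verification algorithms for handshake signature checks and the advertised schemes.` The `verify_server_cert` body lies outside these hunks, so whether certificate validation consults the provider at all cannot be confirmed from here and is worth stating explicitly in the struct comment.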
@@ -278,7 +279,10 @@ impl Debug for Verifier { } impl rustls_client_config_builder { - /// Set a custom server certificate verifier. + /// Set a custom server certificate verifier using the builder crypto provider. + /// Returns rustls_result::NoDefaultCryptoProvider if no process default crypto + /// provider has been set, and the builder was not constructed with an explicit + /// provider choice. /// /// The callback must not capture any of the pointers in its /// rustls_verify_server_cert_params. @@ -314,7 +318,12 @@ impl rustls_client_config_builder { None => return InvalidParameter, }; - config_builder.verifier = Some(Arc::new(Verifier { callback })); + let provider = match &config_builder.provider { + Some(provider) => provider.clone(), + None => return rustls_result::NoDefaultCryptoProvider, + }; + + config_builder.verifier = Some(Arc::new(Verifier { provider, callback })); rustls_result::Ok } } diff --git a/src/rustls.h b/src/rustls.h index bb15ecc..a201b36 100644 --- a/src/rustls.h +++ b/src/rustls.h @@ -1405,7 +1405,10 @@ rustls_result rustls_client_config_builder_new_custom(const struct rustls_crypto struct rustls_client_config_builder **builder_out); /** - * Set a custom server certificate verifier. + * Set a custom server certificate verifier using the builder crypto provider. + * Returns rustls_result::NoDefaultCryptoProvider if no process default crypto + * provider has been set, and the builder was not constructed with an explicit + * provider choice. * * The callback must not capture any of the pointers in its * rustls_verify_server_cert_params. |
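Review bot: The early `return rustls_result::NoDefaultCryptoProvider` in the last `src/client.rs` hunk leaves `config_builder.verifier` untouched, so a C caller that does not check the result carries on with whatever verifier the builder held before (possibly none) instead of its callback. What the build step does with an unset verifier is not visible in this diff, so it is worth confirming that it fails closed and does not fall back to some other verification path. I would add to the doc comment a line such as `/// On any non-Ok result the verifier is not installed and the builder is left unchanged.` and mirror it in `src/rustls.h`. The visible hunks add no test for the `None` provider path; one asserting the returned code and that no verifier was set would pin this behaviour. The function's signature and the start of its body are outside the hunk.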