diff options
author | Daniel McCarney <daniel@binaryparadox.net> | 2024-07-05 16:41:04 -0400 |
---|---|---|
committer | Daniel McCarney <daniel@binaryparadox.net> | 2024-09-09 11:42:49 -0400 |
commit | 837da0bded51cc12476337da5cbe5d27a8bc47ac (patch) | |
tree | ff0f4f016c0c1dbed56f26490872c80a5b1d7d79 /src | |
parent | 81b1df630edc2c88e0cb3ef747680bab0c78bb9a (diff) |
cipher: convert platform verifier to provider
This breaks an unconditional dep on `*ring*` for the
`rustls_platform_verifier` verifier.
The `client.c` test binary is updated to use the fallible form of the
verifier constructor that uses the default crypto provider.
Diffstat (limited to 'src')
-rw-r--r-- | src/acceptor.rs | 5 | ||||
-rw-r--r-- | src/cipher.rs | 36 | ||||
-rw-r--r-- | src/client.rs | 20 | ||||
-rw-r--r-- | src/rustls.h | 14 |
4 files changed, 64 insertions, 11 deletions
diff --git a/src/acceptor.rs b/src/acceptor.rs index a57feed..327bb6c 100644 --- a/src/acceptor.rs +++ b/src/acceptor.rs @@ -641,7 +641,10 @@ mod tests { protocols_slices.len(), ); - let verifier = rustls_server_cert_verifier::rustls_platform_server_cert_verifier(); + let mut verifier = null_mut(); + let result = + rustls_server_cert_verifier::rustls_platform_server_cert_verifier(&mut verifier); + assert_eq!(result, rustls_result::Ok); assert!(!verifier.is_null()); rustls_client_config_builder::rustls_client_config_builder_set_server_verifier( builder, verifier, diff --git a/src/cipher.rs b/src/cipher.rs index d68f416..0962645 100644 --- a/src/cipher.rs +++ b/src/cipher.rs @@ -1097,12 +1097,38 @@ impl rustls_server_cert_verifier { /// /// [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier #[no_mangle] - pub extern "C" fn rustls_platform_server_cert_verifier() -> *mut rustls_server_cert_verifier { + pub extern "C" fn rustls_platform_server_cert_verifier( + verifier_out: *mut *mut rustls_server_cert_verifier, + ) -> rustls_result { ffi_panic_boundary! { - let verifier: Arc<dyn ServerCertVerifier> = Arc::new( - rustls_platform_verifier::Verifier::new() - .with_provider(rustls::crypto::ring::default_provider().into()), - ); + let verifier_out = try_mut_from_ptr_ptr!(verifier_out); + let provider = match crypto_provider::get_default_or_install_from_crate_features() { + Some(provider) => provider, + None => return rustls_result::NoDefaultCryptoProvider, + }; + let verifier: Arc<dyn ServerCertVerifier> = + Arc::new(rustls_platform_verifier::Verifier::new().with_provider(provider)); + set_boxed_mut_ptr(verifier_out, verifier); + rustls_result::Ok + } + } + + /// Create a verifier that uses the default behavior for the current platform. + /// + /// This uses [`rustls-platform-verifier`][] and the specified crypto provider. + /// + /// The verifier can be used in several `rustls_client_config` instances and must be freed by + /// the application using `rustls_server_cert_verifier_free` when no longer needed. + /// + /// [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier + #[no_mangle] + pub extern "C" fn rustls_platform_server_cert_verifier_with_provider( + provider: *const rustls_crypto_provider, + ) -> *mut rustls_server_cert_verifier { + ffi_panic_boundary! { + let provider = try_clone_arc!(provider); + let verifier: Arc<dyn ServerCertVerifier> = + Arc::new(rustls_platform_verifier::Verifier::new().with_provider(provider)); to_boxed_mut_ptr(verifier) } } diff --git a/src/client.rs b/src/client.rs index 9ed00ac..a167905 100644 --- a/src/client.rs +++ b/src/client.rs @@ -585,7 +585,10 @@ mod tests { #[test] fn test_config_builder() { let builder = rustls_client_config_builder::rustls_client_config_builder_new(); - let verifier = rustls_server_cert_verifier::rustls_platform_server_cert_verifier(); + let mut verifier = null_mut(); + let result = + rustls_server_cert_verifier::rustls_platform_server_cert_verifier(&mut verifier); + assert_eq!(result, rustls_result::Ok); assert!(!verifier.is_null()); rustls_client_config_builder::rustls_client_config_builder_set_server_verifier( builder, verifier, @@ -609,7 +612,8 @@ mod tests { assert!(!config2.enable_sni); assert_eq!(config2.alpn_protocols, vec![h1, h2]); } - rustls_client_config::rustls_client_config_free(config) + rustls_client_config::rustls_client_config_free(config); + rustls_server_cert_verifier::rustls_server_cert_verifier_free(verifier); } // Build a client connection and test the getters and initial values. @@ -617,7 +621,10 @@ mod tests { #[cfg_attr(miri, ignore)] fn test_client_connection_new() { let builder = rustls_client_config_builder::rustls_client_config_builder_new(); - let verifier = rustls_server_cert_verifier::rustls_platform_server_cert_verifier(); + let mut verifier = null_mut(); + let result = + rustls_server_cert_verifier::rustls_platform_server_cert_verifier(&mut verifier); + assert_eq!(result, rustls_result::Ok); assert!(!verifier.is_null()); rustls_client_config_builder::rustls_client_config_builder_set_server_verifier( builder, verifier, @@ -667,13 +674,17 @@ mod tests { 0 ); rustls_connection::rustls_connection_free(conn); + rustls_server_cert_verifier::rustls_server_cert_verifier_free(verifier); } #[test] #[cfg_attr(miri, ignore)] fn test_client_connection_new_ipaddress() { let builder = rustls_client_config_builder::rustls_client_config_builder_new(); - let verifier = rustls_server_cert_verifier::rustls_platform_server_cert_verifier(); + let mut verifier = null_mut(); + let result = + rustls_server_cert_verifier::rustls_platform_server_cert_verifier(&mut verifier); + assert_eq!(result, rustls_result::Ok); assert!(!verifier.is_null()); rustls_client_config_builder::rustls_client_config_builder_set_server_verifier( builder, verifier, @@ -692,6 +703,7 @@ mod tests { if !matches!(result, rustls_result::Ok) { panic!("expected RUSTLS_RESULT_OK, got {:?}", result); } + rustls_server_cert_verifier::rustls_server_cert_verifier_free(verifier); } #[test] diff --git a/src/rustls.h b/src/rustls.h index 5021877..6797364 100644 --- a/src/rustls.h +++ b/src/rustls.h @@ -1450,7 +1450,19 @@ void rustls_web_pki_server_cert_verifier_builder_free(struct rustls_web_pki_serv * * [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier */ -struct rustls_server_cert_verifier *rustls_platform_server_cert_verifier(void); +rustls_result rustls_platform_server_cert_verifier(struct rustls_server_cert_verifier **verifier_out); + +/** + * Create a verifier that uses the default behavior for the current platform. + * + * This uses [`rustls-platform-verifier`][] and the specified crypto provider. + * + * The verifier can be used in several `rustls_client_config` instances and must be freed by + * the application using `rustls_server_cert_verifier_free` when no longer needed. + * + * [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier + */ +struct rustls_server_cert_verifier *rustls_platform_server_cert_verifier_with_provider(const struct rustls_crypto_provider *provider); /** * Free a `rustls_server_cert_verifier` previously returned from |