diff --git a/rustls-libssl/Cargo.lock b/rustls-libssl/Cargo.lock index 9b7c53c..6f4098c 100644 --- a/rustls-libssl/Cargo.lock +++ b/rustls-libssl/Cargo.lock @@ -94,6 +94,12 @@ version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" +[[package]] +name = "openssl-probe" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" + [[package]] name = "openssl-sys" version = "0.9.101" @@ -176,6 +182,7 @@ version = "0.1.0" dependencies = [ "env_logger", "log", + "openssl-probe", "openssl-sys", "rustls", "rustls-pemfile", diff --git a/rustls-libssl/Cargo.toml b/rustls-libssl/Cargo.toml index c81317d..cc7ab01 100644 --- a/rustls-libssl/Cargo.toml +++ b/rustls-libssl/Cargo.toml @@ -12,6 +12,7 @@ crate-type = ["cdylib"] [dependencies] env_logger = "0.10" log = "0.4" +openssl-probe = "0.1" openssl-sys = "0.9.98" rustls = "0.22" rustls-pemfile = "2" diff --git a/rustls-libssl/src/entry.rs b/rustls-libssl/src/entry.rs index bc8d6cb..f6a1280 100644 --- a/rustls-libssl/src/entry.rs +++ b/rustls-libssl/src/entry.rs @@ -234,6 +234,48 @@ fn load_verify_files(ctx: &Mutex, file_names: impl Iterator c_int { + let ctx = try_clone_arc!(ctx); + match ctx + .lock() + .map_err(|_| Error::cannot_lock()) + .map(|mut ctx| ctx.set_default_verify_paths()) + { + Err(e) => e.raise().into(), + Ok(()) => C_INT_SUCCESS, + } + } +} + +entry! { + pub fn _SSL_CTX_set_default_verify_dir(ctx: *mut SSL_CTX) -> c_int { + let ctx = try_clone_arc!(ctx); + match ctx + .lock() + .map_err(|_| Error::cannot_lock()) + .map(|mut ctx| ctx.set_default_verify_dir()) + { + Err(e) => e.raise().into(), + Ok(()) => C_INT_SUCCESS, + } + } +} + +entry! { + pub fn _SSL_CTX_set_default_verify_file(ctx: *mut SSL_CTX) -> c_int { + let ctx = try_clone_arc!(ctx); + match ctx + .lock() + .map_err(|_| Error::cannot_lock()) + .map(|mut ctx| ctx.set_default_verify_file()) + { + Err(e) => e.raise().into(), + Ok(()) => C_INT_SUCCESS, + } + } +} + entry! { pub fn _SSL_CTX_load_verify_file(ctx: *mut SSL_CTX, ca_file: *const c_char) -> c_int { let ctx = try_clone_arc!(ctx); @@ -1007,6 +1049,11 @@ entry_stub! { ) -> c_int; } +// The SSL_CTX X509_STORE isn't being meaningfully used yet. +entry_stub! { + pub fn _SSL_CTX_set_default_verify_store(_ctx: *mut SSL_CTX) -> c_int; +} + pub struct SSL_SESSION; entry_stub! { diff --git a/rustls-libssl/src/lib.rs b/rustls-libssl/src/lib.rs index 5b9d339..9426908 100644 --- a/rustls-libssl/src/lib.rs +++ b/rustls-libssl/src/lib.rs @@ -1,7 +1,9 @@ use core::ffi::{c_int, CStr}; use std::io::{ErrorKind, Read, Write}; +use std::path::PathBuf; use std::sync::{Arc, Mutex}; +use openssl_probe::ProbeResult; use openssl_sys::{ SSL_ERROR_NONE, SSL_ERROR_SSL, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, X509_STORE, X509_V_ERR_UNSPECIFIED, @@ -205,6 +207,8 @@ pub struct SslContext { verify_roots: RootCertStore, verify_x509_store: x509::OwnedX509Store, alpn: Vec>, + default_cert_file: Option, + default_cert_dir: Option, } impl SslContext { @@ -216,6 +220,8 @@ impl SslContext { verify_roots: RootCertStore::empty(), verify_x509_store: x509::OwnedX509Store::new(), alpn: vec![], + default_cert_file: None, + default_cert_dir: None, } } @@ -237,6 +243,25 @@ impl SslContext { self.verify_mode = mode; } + fn set_default_verify_paths(&mut self) { + let ProbeResult { + cert_file, + cert_dir, + } = openssl_probe::probe(); + self.default_cert_file = cert_file; + self.default_cert_dir = cert_dir; + } + + fn set_default_verify_dir(&mut self) { + let ProbeResult { cert_dir, .. } = openssl_probe::probe(); + self.default_cert_dir = cert_dir; + } + + fn set_default_verify_file(&mut self) { + let ProbeResult { cert_file, .. } = openssl_probe::probe(); + self.default_cert_file = cert_file; + } + fn add_trusted_certs( &mut self, certs: Vec>,