Relax hard *ring* dep

rustls · Mar 12, 2024 · 5e953b8 · 5e953b8
1 parent fe72708
commit 5e953b8
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 12 deletions.
diff --git a/rustls-platform-verifier/Cargo.toml b/rustls-platform-verifier/Cargo.toml
@@ -29,7 +29,7 @@ cert-logging = ["base64"]
 docsrs = ["jni", "once_cell"]
 
 [dependencies]
-rustls = { version = "0.23", default-features = false, features = ["std", "ring"] }
+rustls = { version = "0.23", default-features = false, features = ["std"] }
 log = { version = "0.4" }
 base64 = { version = "0.21", optional = true } # Only used when the `cert-logging` feature is enabled.
 jni = { version = "0.19", default-features = false, optional = true } # Only used during doc generation
@@ -64,6 +64,9 @@ security-framework-sys = { version = "2.4", features = ["OSX_10_14"] }
 [target.'cfg(windows)'.dependencies]
 winapi = { version = "0.3", features = ["wincrypt", "winerror"] }
 
+[dev-dependencies]
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
+
 [package.metadata.docs.rs]
 rustdoc-args = ["--cfg", "docsrs"]
 features = ["dbg", "docsrs"]
diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs
@@ -61,3 +61,10 @@ pub(crate) fn verification_time() -> pki_types::UnixTime {
     // Monday, March 11, 2024 8:30:25 PM UTC
     pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_710_189_025))
 }
+
+fn ensure_global_state() {
+    #[cfg(test)]
+    {
+        _ = rustls::crypto::ring::default_provider().install_default();
+    }
+}
diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs
@@ -16,7 +16,7 @@
 #![cfg(all(any(windows, unix, target_os = "android"), not(target_os = "ios")))]
 
 use super::TestCase;
-use crate::tests::{assert_cert_error_eq, verification_time};
+use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time};
 use crate::verification::{EkuError, Verifier};
 use rustls::client::danger::ServerCertVerifier;
 use rustls::pki_types;
@@ -79,6 +79,7 @@ const LOCALHOST_IPV6: &str = "::1";
 #[cfg(any(test, feature = "ffi-testing"))]
 #[cfg_attr(feature = "ffi-testing", allow(dead_code))]
 pub(super) fn verification_without_mock_root() {
+    ensure_global_state();
     // Since Rustls 0.22 constructing a webpki verifier (like the one backing Verifier on unix
     // systems) without any roots produces `OtherError(NoRootAnchors)` - since our FreeBSD CI
     // runner fails to find any roots with openssl-probe we need to provide webpki-roots here
@@ -283,6 +284,7 @@ mock_root_test_cases! {
 }
 
 fn test_with_mock_root<E: std::error::Error + PartialEq + 'static>(test_case: &TestCase<E>) {
+    ensure_global_state();
     log::info!("verifying {:?}", test_case.expected_result);
 
     let verifier = Verifier::new_with_fake_root(ROOT1); // TODO: time

diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
@@ -35,7 +35,7 @@
 //! Thus we don't expect these tests to be flaky w.r.t. that, except for
 //! potentially poor performance.     
 use super::TestCase;
-use crate::tests::{assert_cert_error_eq, verification_time};
+use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time};
 use crate::Verifier;
 use rustls::client::danger::ServerCertVerifier;
 use rustls::pki_types;
@@ -118,6 +118,7 @@ macro_rules! no_error {
 }
 
 fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
+    ensure_global_state();
     log::info!(
         "verifying ref ID {:?} expected {:?}",
         test_case.reference_id,

diff --git a/rustls-platform-verifier/src/verification/android.rs b/rustls-platform-verifier/src/verification/android.rs
@@ -1,3 +1,5 @@
+use std::sync::Arc;
+
 use jni::{
     objects::{JObject, JValue},
     strings::JavaStr,
@@ -44,7 +46,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: CryptoProvider,
+    default_provider: Arc<CryptoProvider>,
 }
 
 impl Default for Verifier {
@@ -73,7 +75,9 @@ impl Verifier {
         Self {
             #[cfg(any(test, feature = "ffi-testing"))]
             test_only_root_ca_override: None,
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }
 
@@ -82,7 +86,9 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }
 

diff --git a/rustls-platform-verifier/src/verification/apple.rs b/rustls-platform-verifier/src/verification/apple.rs
@@ -1,3 +1,5 @@
+use std::sync::Arc;
+
 use super::log_server_cert;
 use crate::verification::invalid_certificate;
 use core_foundation::date::CFDate;
@@ -43,7 +45,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: CryptoProvider,
+    default_provider: Arc<CryptoProvider>,
 }
 
 impl Verifier {
@@ -53,7 +55,9 @@ impl Verifier {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }
 
@@ -62,7 +66,9 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }
 

diff --git a/rustls-platform-verifier/src/verification/windows.rs b/rustls-platform-verifier/src/verification/windows.rs
@@ -55,6 +55,7 @@ use std::{
     convert::TryInto,
     mem::{self, MaybeUninit},
     ptr::{self, NonNull},
+    sync::Arc,
 };
 
 use crate::verification::invalid_certificate;
@@ -419,7 +420,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: CryptoProvider,
+    default_provider: Arc<CryptoProvider>,
 }
 
 impl Verifier {
@@ -429,7 +430,9 @@ impl Verifier {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }
 
@@ -438,7 +441,9 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: rustls::crypto::ring::default_provider(),
+            default_provider: rustls::crypto::CryptoProvider::get_default()
+                .expect("rustls default CryptoProvider not set")
+                .clone(),
         }
     }