Skip to content

Load default openssl config when possible#333

Draft
simo5 wants to merge 2 commits into
latchset:mainfrom
simo5:ossldefconfig
Draft

Load default openssl config when possible#333
simo5 wants to merge 2 commits into
latchset:mainfrom
simo5:ossldefconfig

Conversation

@simo5
Copy link
Copy Markdown
Member

@simo5 simo5 commented Sep 16, 2025
edited
Loading

Description

Changes kryoptic (in non-fips builds) to try to load the default openssl configuration on the custom context.
Because the configuration file could be missing for "legitimate" reasons, we do not treat as fatal the failure to load the default configuration.

Fixes #319

Checklist

  • Test suite already has enough coverage for this change
  • Rustdoc string were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc string are properly updated

@simo5
Add function to load legacy provider
120dfeb 
This may be needed if an application tries to use ciphers the have been
moved to the legacy provider and therefore normally fetching them would
fail.

Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 changed the title Load default config when possible Load default openssl config when possible Sep 16, 2025
@simo5
Load the openssl default configuration by default
1de3511 
Kryoptic creates a new context to avoid influencing (or being
influenced by) applications, however it should at least load the
default configuration so it conforms to things like the system-wide
crypto policy on OSs that have that feature.

Signed-off-by: Simo Sorce <simo@redhat.com>
@Jakuje
Copy link
Copy Markdown
Contributor

Jakuje commented Sep 17, 2025

the pkcs11-provider integration test failure is a recursion when we try to load the pkcs11 provider into the kryoptic's openssl context?

@Jakuje
Copy link
Copy Markdown
Contributor

Jakuje commented Sep 17, 2025

the pkcs11-provider integration test failure is a recursion when we try to load the pkcs11 provider into the kryoptic's openssl context?

In that case, I think doing this in the kryoptic pkcs11 module is not that great idea :) But for any other users of ossl bindings, ye, this looks good to me.

@simo5
Copy link
Copy Markdown
Member Author

simo5 commented Sep 17, 2025

the pkcs11-provider integration test failure is a recursion when we try to load the pkcs11 provider into the kryoptic's openssl context?

In that case, I think doing this in the kryoptic pkcs11 module is not that great idea :) But for any other users of ossl bindings, ye, this looks good to me.

This is why I had created a new context an not loaded the default config in the first place ... sounds like we should revert this commit and rethink the strategy.

There are two reasons we wanted to load the default config:

  1. crypto-policies
  2. loading the FIPS provider when kryoptic is build with dynamic openssl bindings

Perhaps we should create a custom configuration file for kryoptic that loads just crypto-policies snippets but only the default provider. That would take care of both 1 and 2 w/o the risk of pulling in other providers that may break it?

@Jakuje
Copy link
Copy Markdown
Contributor

Jakuje commented Sep 17, 2025

That makes it much more complicated, but likely only reasonable solution.

@simo5 simo5 marked this pull request as draft September 17, 2025 15:32
@simo5 simo5 added the deferred Will be finished later label Sep 17, 2025
@simo5
Copy link
Copy Markdown
Member Author

simo5 commented Apr 30, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies the OsslContext to automatically load the default OpenSSL configuration file and adds support for managing OpenSSL providers. It introduces a providers vector to track loaded modules, a method to load the legacy provider, and logic to unload providers when the context is dropped. The review feedback highlights a typo in the changelog and suggests using the trace_ossl! macro to improve error logging when provider loading fails.

Comment thread CHANGELOG.md
Comment thread ossl/src/lib.rs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

deferred Will be finished later

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Kryoptic should probably load the default openssl config

2 participants

@simo5 @Jakuje