Take rustls-platform-verifier 0.6

ctz · ctz · commit 57b2fd6301e4 · 2025-07-03T12:05:06.000+01:00
Handle fallible verifier creation.

Disable miri isolation as the existing tests now touch the
file system (to load root certs).
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -414,6 +414,9 @@ jobs:
   miri:
     name: Miri
     runs-on: ubuntu-latest
+    env:
+      # allows platform-verifier initialisation to inspect filesystem
+      MIRIFLAGS: -Zmiri-disable-isolation
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ rustls = { version = "0.23", default-features = false, features = ["std", "tls12
 webpki = { package = "rustls-webpki", version = "0.103", default-features = false, features = ["std"] }
 libc = "0.2"
 log = "0.4.22"
-rustls-platform-verifier = "0.5.3"
+rustls-platform-verifier = "0.6"
 regex = "1.9.6"
 toml = { version = "0.8", default-features = false, features = ["parse"] }
 hickory-resolver = { version = "0.25", features = ["https-aws-lc-rs", "webpki-roots"] }
diff --git a/librustls/src/rustls.h b/librustls/src/rustls.h
@@ -2795,6 +2795,9 @@ rustls_result rustls_platform_server_cert_verifier(struct rustls_server_cert_ver
  * The verifier can be used in several `rustls_client_config` instances and must be freed by
  * the application using `rustls_server_cert_verifier_free` when no longer needed.
  *
+ * If the initialization of `rustls-platform-verifier` fails, this function returns
+ * `NULL`.
+ *
  * [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier
  */
 struct rustls_server_cert_verifier *rustls_platform_server_cert_verifier_with_provider(const struct rustls_crypto_provider *provider);
diff --git a/librustls/src/verifier.rs b/librustls/src/verifier.rs
@@ -666,9 +666,11 @@ impl rustls_server_cert_verifier {
                 Some(provider) => provider,
                 None => return rustls_result::NoDefaultCryptoProvider,
             };
-            let verifier: Arc<dyn ServerCertVerifier> =
-                Arc::new(rustls_platform_verifier::Verifier::new().with_provider(provider));
-            set_boxed_mut_ptr(verifier_out, verifier);
+            let verifier = match rustls_platform_verifier::Verifier::new(provider) {
+                Ok(v) => v,
+                Err(e) => return error::map_error(e),
+            };
+            set_boxed_mut_ptr(verifier_out, Arc::new(verifier));
             rustls_result::Ok
         }
     }
@@ -680,6 +682,9 @@ impl rustls_server_cert_verifier {
     /// The verifier can be used in several `rustls_client_config` instances and must be freed by
     /// the application using `rustls_server_cert_verifier_free` when no longer needed.
     ///
+    /// If the initialization of `rustls-platform-verifier` fails, this function returns
+    /// `NULL`.
+    ///
     /// [`rustls-platform-verifier`]: https://github.com/rustls/rustls-platform-verifier
     #[no_mangle]
     pub extern "C" fn rustls_platform_server_cert_verifier_with_provider(
@@ -688,7 +693,10 @@ impl rustls_server_cert_verifier {
         ffi_panic_boundary! {
             let provider = try_clone_arc!(provider);
             let verifier: Arc<dyn ServerCertVerifier> =
-                Arc::new(rustls_platform_verifier::Verifier::new().with_provider(provider));
+                match rustls_platform_verifier::Verifier::new(provider) {
+                    Ok(v) => Arc::new(v),
+                    Err(_) => return core::ptr::null_mut(),
+                };
             to_boxed_mut_ptr(verifier)
         }
     }
