Add support for mbedtls to rust-native-tls #1
Conversation
jack-fortanix
force-pushed
the
jack/mbedtls
branch
from
f6beddf to
85c8540
Compare
jack-fortanix
force-pushed
the
jack/mbedtls
branch
from
8aaab8e to
f82fd4f
Compare
| Box::from_raw(self.config); | ||
| Box::from_raw(self.rng); | ||
| Box::from_raw(self.entropy); | ||
|
|
There was a problem hiding this comment.
Maybe if !self.cred_cert_list.is_null()?
src/imp/mbedtls.rs
Outdated
| let trust_roots = if builder.root_certificates.len() > 0 { | ||
| builder.root_certificates.clone() | ||
| } else { | ||
| load_ca_certs("/usr/share/ca-certificates/mozilla")? |
There was a problem hiding this comment.
This seems to imply that this only works on *nix systems, so the mbedtls feature should only be available on those systems.
There was a problem hiding this comment.
This is already Unix specific since on Windows and macOS/iOS rust-native-tls always uses the platform native APIs. Actually not just Unix specific but Ubuntu specific, as the location of the trust roots varies. This is just where Ubuntu sticks them.
So I guess this can be improved somewhat - first try several commonly used paths so things nominally work on RHEL etc. If none of the paths work, return an error telling the user they must provide the trust roots manually.
This PR is not for merging to this branch but just for review/commentary before I try opening a PR with upstream. There is a lot of unsafe, a lot of raw pointer manipulation in here. I do not believe upstream will take this PR as is.
I certainly think the rust-mbedtls API could be improved, such that it would be possible to implement this without all the unsafe. This would of course benefit any other current or potential users. See fortanix/rust-mbedtls#4. However I have no idea how to go about fixing our crates API. Suggestions very welcome.