From 8065a9f7c3f6ace733b2797f747da33f9d7624e1 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 13 Feb 2024 16:38:06 -0600
Subject: [PATCH] fix provider loading take two

we previously hoisted this into rust, but we used the try_load feature
which supposedly retains fallbacks. Something about that doesn't behave
the way we expect though and the machinery in providers is sufficiently
complex that we are just going to load the default provider explicitly.

this matches our behavior pre-rust.
---
 src/rust/src/lib.rs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs
index 62d86884af7a..a21f3986dd18 100644
--- a/src/rust/src/lib.rs
+++ b/src/rust/src/lib.rs
@@ -24,6 +24,7 @@ mod x509;
 #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")]
 struct LoadedProviders {
     legacy: Option<provider::Provider>,
+    _default: provider::Provider,
 }
 
 #[pyo3::prelude::pyfunction]
@@ -42,7 +43,7 @@ fn is_fips_enabled() -> bool {
 }
 
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
-fn _initialize_legacy_provider() -> CryptographyResult<LoadedProviders> {
+fn _initialize_providers() -> CryptographyResult<LoadedProviders> {
     // As of OpenSSL 3.0.0 we must register a legacy cipher provider
     // to get RC2 (needed for junk asymmetric private key
     // serialization), RC4, Blowfish, IDEA, SEED, etc. These things
@@ -52,13 +53,14 @@ fn _initialize_legacy_provider() -> CryptographyResult<LoadedProviders> {
         .map(|v| v.is_empty() || v == "0")
         .unwrap_or(true);
     let legacy = if load_legacy {
-        let legacy_result = provider::Provider::try_load(None, "legacy", true);
+        let legacy_result = provider::Provider::load(None, "legacy");
         _legacy_provider_error(legacy_result.is_ok())?;
         Some(legacy_result?)
     } else {
         None
     };
-    Ok(LoadedProviders { legacy })
+    let _default = provider::Provider::load(None, "default")?;
+    Ok(LoadedProviders { legacy, _default })
 }
 
 fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> {
@@ -99,13 +101,13 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()>
     let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?;
     cfg_if::cfg_if! {
         if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] {
-            let providers = _initialize_legacy_provider()?;
+            let providers = _initialize_providers()?;
             if providers.legacy.is_some() {
                 openssl_mod.add("_legacy_provider_loaded", true)?;
-                openssl_mod.add("_providers", providers)?;
             } else {
                 openssl_mod.add("_legacy_provider_loaded", false)?;
             }
+            openssl_mod.add("_providers", providers)?;
         } else {
             // default value for non-openssl 3+
             openssl_mod.add("_legacy_provider_loaded", false)?;