From 64b9095c7ae62e9da8003701666be355c2db4128 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 15 Feb 2024 14:36:24 -0800
Subject: [PATCH] fix provider loading take two (#10390)

we previously hoisted this into rust, but we used the try_load feature
which supposedly retains fallbacks. Something about that doesn't behave
the way we expect though and the machinery in providers is sufficiently
complex that we are just going to load the default provider explicitly.

this matches our behavior pre-rust.
---
 src/rust/src/lib.rs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs
index 62d86884af7a..a21f3986dd18 100644
--- a/src/rust/src/lib.rs
+++ b/src/rust/src/lib.rs
@@ -24,6 +24,7 @@ mod x509;
 #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")]
 struct LoadedProviders {
     legacy: Option<provider::Provider>,
+    _default: provider::Provider,
 }
 
 #[pyo3::prelude::pyfunction]
@@ -42,7 +43,7 @@ fn is_fips_enabled() -> bool {
 }
 
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
-fn _initialize_legacy_provider() -> CryptographyResult<LoadedProviders> {
+fn _initialize_providers() -> CryptographyResult<LoadedProviders> {
     // As of OpenSSL 3.0.0 we must register a legacy cipher provider
     // to get RC2 (needed for junk asymmetric private key
     // serialization), RC4, Blowfish, IDEA, SEED, etc. These things
@@ -52,13 +53,14 @@ fn _initialize_legacy_provider() -> CryptographyResult<LoadedProviders> {
         .map(|v| v.is_empty() || v == "0")
         .unwrap_or(true);
     let legacy = if load_legacy {
-        let legacy_result = provider::Provider::try_load(None, "legacy", true);
+        let legacy_result = provider::Provider::load(None, "legacy");
         _legacy_provider_error(legacy_result.is_ok())?;
         Some(legacy_result?)
     } else {
         None
     };
-    Ok(LoadedProviders { legacy })
+    let _default = provider::Provider::load(None, "default")?;
+    Ok(LoadedProviders { legacy, _default })
 }
 
 fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> {
@@ -99,13 +101,13 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()>
     let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?;
     cfg_if::cfg_if! {
         if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] {
-            let providers = _initialize_legacy_provider()?;
+            let providers = _initialize_providers()?;
             if providers.legacy.is_some() {
                 openssl_mod.add("_legacy_provider_loaded", true)?;
-                openssl_mod.add("_providers", providers)?;
             } else {
                 openssl_mod.add("_legacy_provider_loaded", false)?;
             }
+            openssl_mod.add("_providers", providers)?;
         } else {
             // default value for non-openssl 3+
             openssl_mod.add("_legacy_provider_loaded", false)?;