Load default openssl config when possible

CHANGELOG.md

@@ -38,6 +38,10 @@ All notable changes to this project should be documented in this file.
   - [Handle imports where only the Seed is
      provided](https://github.com/latchset/kryoptic/pull/330)
 
+* Openssl context now loads the default openssl confgiuration file by default
+  - [Load default openssl config when
+     possible](https://github.com/latchset/kryoptic/pull/333)
+
 # [1.2.0]
 ## 2025-06-09
 

ossl/ossl.h

@@ -12,6 +12,7 @@
 #include "openssl/obj_mac.h"
 #include "openssl/kdf.h"
 #include "openssl/err.h"
+#include "openssl/provider.h"
 
 #ifdef _KRYOPTIC_FIPS_
 #include "crypto/evp.h"

ossl/src/lib.rs

@@ -206,22 +206,29 @@ pub(crate) use trace_ossl;
 /// A structure representing the main crypto library context
 pub struct OsslContext {
     context: *mut OSSL_LIB_CTX,
+    providers: Vec<*mut OSSL_PROVIDER>,
 }
 
+static LEGACY_PROVIDER_NAME: &CStr = c"legacy";
+
 impl OsslContext {
     pub fn new_lib_ctx() -> OsslContext {
         OsslContext {
             context: unsafe { OSSL_LIB_CTX_new() },
+            providers: Vec::new(),
         }
     }
 
     #[allow(dead_code)]
     pub(crate) fn from_ctx(ctx: *mut OSSL_LIB_CTX) -> OsslContext {
-        OsslContext { context: ctx }
+        OsslContext {
+            context: ctx,
+            providers: Vec::new(),
+        }
     }
 
     pub fn load_configuration_file(
-        &self,
+        &mut self,
         fname: Option<&Path>,
     ) -> Result<(), Error> {
         let filename: *const c_char = match fname {
@@ -239,10 +246,29 @@ impl OsslContext {
         }
     }
 
-    pub fn load_default_configuration(&self) -> Result<(), Error> {
+    pub fn load_default_configuration(&mut self) -> Result<(), Error> {
         self.load_configuration_file(None)
     }
 
+    pub fn load_legacy_provider(&mut self) -> Result<(), Error> {
+        if unsafe {
+            OSSL_PROVIDER_available(self.ptr(), LEGACY_PROVIDER_NAME.as_ptr())
+        } == 1
+        {
+            return Ok(());
+        }
+
+        let provider = unsafe {
+            OSSL_PROVIDER_load(self.ptr(), LEGACY_PROVIDER_NAME.as_ptr())
+        };
+        if provider.is_null() {
+            Err(Error::new(ErrorKind::OsslError))
+        } else {
+            self.providers.push(provider);
+            Ok(())
+        }
+    }
+
     pub fn ptr(&self) -> *mut OSSL_LIB_CTX {
         self.context
     }
@@ -251,6 +277,9 @@ impl OsslContext {
 impl Drop for OsslContext {
     fn drop(&mut self) {
         unsafe {
+            while let Some(provider) = self.providers.pop() {
+                OSSL_PROVIDER_unload(provider);
+            }
             OSSL_LIB_CTX_free(self.context);
         }
     }

src/ossl/mod.rs

@@ -4,7 +4,17 @@
 /// The static instance of the library context lazily created on first use
 #[cfg(not(feature = "fips"))]
 static OSSL_CONTEXT: ::std::sync::LazyLock<::ossl::OsslContext> =
-    ::std::sync::LazyLock::new(|| ::ossl::OsslContext::new_lib_ctx());
+    ::std::sync::LazyLock::new(|| {
+        let mut ctx = ::ossl::OsslContext::new_lib_ctx();
+        /* Failing to load the default configuration file is not
+         * considered fatal as there are cases when the config
+         * file is not available in the location built into the
+         * openssl code. For example in CI static build the
+         * canonical location is set to /usr/local/ssl/openssl.cnf
+         * but there is no file at that path in the containers */
+        let _ = ctx.load_default_configuration();
+        ctx
+    });
 
 pub mod aes;
 pub mod common;