Add a more robust wrapper for OpenSSL support

2016-07-01 13:16:12 -04:00 · 2016-07-01 13:16:12 -04:00 · da7407f543
commit da7407f543
parent 7e48593a54
3 changed files with 48 additions and 12 deletions
--- a/src/io/mod.rs
+++ b/src/io/mod.rs
@ -6,7 +6,7 @@ use std::io::prelude::*;
 use std::fmt;

 #[cfg(feature = "with-openssl")]
-mod openssl;
+pub mod openssl;
 #[cfg(feature = "security-framework")]
 mod security_framework;

--- a/src/io/openssl.rs
+++ b/src/io/openssl.rs
@ -1,9 +1,12 @@
+//! NegotiateSsl support for OpenSSL.
 extern crate openssl;
 extern crate openssl_verify;

 use std::error::Error;

-use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SSL_VERIFY_PEER};
+use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SslMethod, SSL_VERIFY_PEER,
+                         SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_OP_NO_COMPRESSION};
+use self::openssl::ssl::error::SslError;
 use self::openssl_verify::verify_callback;
 use io::{StreamWrapper, Stream, NegotiateSsl};

@ -17,13 +20,46 @@ impl StreamWrapper for SslStream<Stream> {
    }
 }

-impl NegotiateSsl for SslContext {
+/// A `NegotiateSsl` implementation that uses OpenSSL.
+#[derive(Debug)]
+pub struct Negotiator(SslContext);
+
+impl Negotiator {
+    /// Creates a `Negotiator` with a reasonable default configuration.
+    ///
+    /// The configuration is modeled after libcurl's and is subject to change.
+    pub fn new() -> Result<Negotiator, SslError> {
+        let mut ctx = try!(SslContext::new(SslMethod::Sslv23));
+        try!(ctx.set_default_verify_paths());
+        ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
+        try!(ctx.set_cipher_list("ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4@STRENGTH"));
+        Ok(ctx.into())
+    }
+
+    /// Returns a reference to the associated `SslContext`.
+    pub fn context(&self) -> &SslContext {
+        &self.0
+    }
+
+    /// Returns a mutable reference to the associated `SslContext`.
+    pub fn context_mut(&mut self) -> &mut SslContext {
+        &mut self.0
+    }
+}
+
+impl From<SslContext> for Negotiator {
+    fn from(ctx: SslContext) -> Negotiator {
+        Negotiator(ctx)
+    }
+}
+
+impl NegotiateSsl for Negotiator {
    fn negotiate_ssl(&self,
                     domain: &str,
                     stream: Stream)
                     -> Result<Box<StreamWrapper>, Box<Error + Send + Sync>> {
        let domain = domain.to_owned();
-        let mut ssl = try!(self.into_ssl());
+        let mut ssl = try!(self.0.into_ssl());
        ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x));
        let stream = try!(SslStream::connect(ssl, stream));
        Ok(Box::new(stream))
--- a/tests/test.rs
+++ b/tests/test.rs
@ -6,8 +6,6 @@ extern crate openssl;
 #[cfg(feature = "security-framework")]
 extern crate security_framework;

-#[cfg(feature = "with-openssl")]
-use openssl::ssl::{SslContext, SslMethod};
 use std::thread;
 use std::io;
 use std::io::prelude::*;
@ -26,6 +24,8 @@ use postgres::error::SqlState::{SyntaxError,
 use postgres::error::ErrorPosition::Normal;
 use postgres::rows::RowIndex;
 use postgres::notification::Notification;
+#[cfg(feature = "with-openssl")]
+use postgres::io::openssl::Negotiator;

 macro_rules! or_panic {
    ($e:expr) => (
@ -665,20 +665,20 @@ fn test_cancel_query() {
 #[test]
 #[cfg(feature = "with-openssl")]
 fn test_require_ssl_conn() {
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
-    ctx.set_CA_file(".travis/server.crt").unwrap();
+    let mut negotiator = Negotiator::new().unwrap();
+    negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
    let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
-                                             SslMode::Require(&ctx)));
+                                             SslMode::Require(&negotiator)));
    or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
 }

 #[test]
 #[cfg(feature = "with-openssl")]
 fn test_prefer_ssl_conn() {
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
-    ctx.set_CA_file(".travis/server.crt").unwrap();
+    let mut negotiator = Negotiator::new().unwrap();
+    negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
    let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
-                                             SslMode::Prefer(&ctx)));
+                                             SslMode::Require(&negotiator)));
    or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
 }