dnim/rust-postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a more robust wrapper for OpenSSL support

Browse Source
This commit is contained in:
Steven Fackler 2016-07-01 13:16:12 -04:00
parent 7e48593a54
commit da7407f543
3 changed files with 48 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/io/mod.rs
View File

@ -6,7 +6,7 @@ use std::io::prelude::*;
use std::fmt; use std::fmt;
#[cfg(feature = "with-openssl")] #[cfg(feature = "with-openssl")]
mod openssl; pub mod openssl;
#[cfg(feature = "security-framework")] #[cfg(feature = "security-framework")]
mod security_framework; mod security_framework;

42
src/io/openssl.rs
View File

@ -1,9 +1,12 @@
//! NegotiateSsl support for OpenSSL.
extern crate openssl; extern crate openssl;
extern crate openssl_verify; extern crate openssl_verify;
use std::error::Error; use std::error::Error;
use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SSL_VERIFY_PEER}; use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SslMethod, SSL_VERIFY_PEER,
SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_OP_NO_COMPRESSION};
use self::openssl::ssl::error::SslError;
use self::openssl_verify::verify_callback; use self::openssl_verify::verify_callback;
use io::{StreamWrapper, Stream, NegotiateSsl}; use io::{StreamWrapper, Stream, NegotiateSsl};
@ -17,13 +20,46 @@ impl StreamWrapper for SslStream<Stream> {
} }
} }
impl NegotiateSsl for SslContext { /// A `NegotiateSsl` implementation that uses OpenSSL.
#[derive(Debug)]
pub struct Negotiator(SslContext);
impl Negotiator {
/// Creates a `Negotiator` with a reasonable default configuration.
///
/// The configuration is modeled after libcurl's and is subject to change.
pub fn new() -> Result<Negotiator, SslError> {
let mut ctx = try!(SslContext::new(SslMethod::Sslv23));
try!(ctx.set_default_verify_paths());
ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
try!(ctx.set_cipher_list("ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4@STRENGTH"));
Ok(ctx.into())
}
/// Returns a reference to the associated `SslContext`.
pub fn context(&self) -> &SslContext {
&self.0
}
/// Returns a mutable reference to the associated `SslContext`.
pub fn context_mut(&mut self) -> &mut SslContext {
&mut self.0
}
}
impl From<SslContext> for Negotiator {
fn from(ctx: SslContext) -> Negotiator {
Negotiator(ctx)
}
}
impl NegotiateSsl for Negotiator {
fn negotiate_ssl(&self, fn negotiate_ssl(&self,
domain: &str, domain: &str,
stream: Stream) stream: Stream)
-> Result<Box<StreamWrapper>, Box<Error + Send + Sync>> { -> Result<Box<StreamWrapper>, Box<Error + Send + Sync>> {
let domain = domain.to_owned(); let domain = domain.to_owned();
let mut ssl = try!(self.into_ssl()); let mut ssl = try!(self.0.into_ssl());
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x)); ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x));
let stream = try!(SslStream::connect(ssl, stream)); let stream = try!(SslStream::connect(ssl, stream));
Ok(Box::new(stream)) Ok(Box::new(stream))

16
tests/test.rs
View File

@ -6,8 +6,6 @@ extern crate openssl;
#[cfg(feature = "security-framework")] #[cfg(feature = "security-framework")]
extern crate security_framework; extern crate security_framework;
#[cfg(feature = "with-openssl")]
use openssl::ssl::{SslContext, SslMethod};
use std::thread; use std::thread;
use std::io; use std::io;
use std::io::prelude::*; use std::io::prelude::*;
@ -26,6 +24,8 @@ use postgres::error::SqlState::{SyntaxError,
use postgres::error::ErrorPosition::Normal; use postgres::error::ErrorPosition::Normal;
use postgres::rows::RowIndex; use postgres::rows::RowIndex;
use postgres::notification::Notification; use postgres::notification::Notification;
#[cfg(feature = "with-openssl")]
use postgres::io::openssl::Negotiator;
macro_rules! or_panic { macro_rules! or_panic {
($e:expr) => ( ($e:expr) => (
@ -665,20 +665,20 @@ fn test_cancel_query() {
#[test] #[test]
#[cfg(feature = "with-openssl")] #[cfg(feature = "with-openssl")]
fn test_require_ssl_conn() { fn test_require_ssl_conn() {
let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap(); let mut negotiator = Negotiator::new().unwrap();
ctx.set_CA_file(".travis/server.crt").unwrap(); negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
let conn = or_panic!(Connection::connect("postgres://postgres@localhost", let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
SslMode::Require(&ctx))); SslMode::Require(&negotiator)));
or_panic!(conn.execute("SELECT 1::VARCHAR", &[])); or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
} }
#[test] #[test]
#[cfg(feature = "with-openssl")] #[cfg(feature = "with-openssl")]
fn test_prefer_ssl_conn() { fn test_prefer_ssl_conn() {
let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap(); let mut negotiator = Negotiator::new().unwrap();
ctx.set_CA_file(".travis/server.crt").unwrap(); negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
let conn = or_panic!(Connection::connect("postgres://postgres@localhost", let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
SslMode::Prefer(&ctx))); SslMode::Require(&negotiator)));
or_panic!(conn.execute("SELECT 1::VARCHAR", &[])); or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
} }