Add support for OpenSSL 1.1.0

This commit is relatively major refactoring of the `openssl-sys` crate as well
as the `openssl` crate itself. The end goal here was to support OpenSSL 1.1.0,
and lots of other various tweaks happened along the way. The major new features
are:

* OpenSSL 1.1.0 is supported
* OpenSSL 0.9.8 is no longer supported (aka all OSX users by default)
* All FFI bindings are verified with the `ctest` crate (same way as the `libc`
  crate)
* CI matrixes are vastly expanded to include 32/64 of all platforms, more
  OpenSSL version coverage, as well as ARM coverage on Linux
* The `c_helpers` module is completely removed along with the `gcc` dependency.
* The `openssl-sys` build script was completely rewritten
  * Now uses `OPENSSL_DIR` to find the installation, not include/lib env vars.
  * Better error messages for mismatched versions.
  * Better error messages for failing to find OpenSSL on a platform (more can be
    done here)
  * Probing of OpenSSL build-time configuration to inform the API of the `*-sys`
    crate.
* Many Cargo features have been removed as they're now enabled by default.

As this is a breaking change to both the `openssl` and `openssl-sys` crates this
will necessitate a major version bump of both. There's still a few more API
questions remaining but let's hash that out on a PR!

Closes #452

1 files changed, 64 insertions, 60 deletions

diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index 3bbbed03..e5bdc8da 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -1,5 +1,6 @@
 #![allow(unused_imports)]
 
+use std::env;
 use std::fs::File;
 use std::io::prelude::*;
 use std::io::{self, BufReader};
@@ -12,11 +13,12 @@ use std::thread;
 use std::time::Duration;
 
 use net2::TcpStreamExt;
+use tempdir::TempDir;
 
 use crypto::hash::Type::SHA256;
 use ssl;
 use ssl::SSL_VERIFY_PEER;
-use ssl::SslMethod::Sslv23;
+use ssl::SslMethod::Tls;
 use ssl::{SslMethod, HandshakeError};
 use ssl::error::Error;
 use ssl::{SslContext, SslStream};
@@ -46,10 +48,21 @@ fn next_addr() -> SocketAddr {
 
 struct Server {
     p: Child,
+    _temp: TempDir,
 }
 
 impl Server {
     fn spawn(args: &[&str], input: Option<Box<FnMut(ChildStdin) + Send>>) -> (Server, SocketAddr) {
+        static CERT: &'static [u8] = include_bytes!("../../../test/cert.pem");
+        static KEY: &'static [u8] = include_bytes!("../../../test/key.pem");
+
+
+        let td = TempDir::new("openssl").unwrap();
+        let cert = td.path().join("cert.pem");
+        let key = td.path().join("key.pem");
+        File::create(&cert).unwrap().write_all(CERT).unwrap();
+        File::create(&key).unwrap().write_all(KEY).unwrap();
+
         let addr = next_addr();
         let mut child = Command::new("openssl")
                             .arg("s_server")
@@ -57,11 +70,10 @@ impl Server {
                             .arg(addr.port().to_string())
                             .args(args)
                             .arg("-cert")
-                            .arg("cert.pem")
+                            .arg(&cert)
                             .arg("-key")
-                            .arg("key.pem")
+                            .arg(&key)
                             .arg("-no_dhe")
-                            .current_dir("test")
                             .stdout(Stdio::null())
                             .stderr(Stdio::null())
                             .stdin(Stdio::piped())
@@ -71,7 +83,7 @@ impl Server {
         if let Some(mut input) = input {
             thread::spawn(move || input(stdin));
         }
-        (Server { p: child }, addr)
+        (Server { p: child, _temp: td }, addr)
     }
 
     fn new_tcp(args: &[&str]) -> (Server, TcpStream) {
@@ -92,7 +104,7 @@ impl Server {
         Server::new_tcp(&["-www"])
     }
 
-    #[cfg(any(feature = "alpn", feature = "npn"))]
+    #[cfg(all(any(feature = "alpn", feature = "npn"), not(ossl101)))]
     fn new_alpn() -> (Server, TcpStream) {
         Server::new_tcp(&["-www",
                           "-nextprotoneg",
@@ -119,7 +131,7 @@ impl Server {
         // but don't currently have a great way to do that so just wait for a
         // bit.
         thread::sleep(Duration::from_millis(100));
-        let socket = UdpSocket::bind(next_addr()).unwrap();
+        let socket = UdpSocket::bind("127.0.0.1:0").unwrap();
         socket.connect(&addr).unwrap();
         (s, UdpConnected(socket))
     }
@@ -205,7 +217,7 @@ macro_rules! run_test(
             #[test]
             fn sslv23() {
                 let (_s, stream) = Server::new();
-                $blk(SslMethod::Sslv23, stream);
+                $blk(SslMethod::Tls, stream);
             }
 
             #[test]
@@ -226,11 +238,6 @@ run_test!(new_sslstream, |method, stream| {
     SslStream::connect(&SslContext::new(method).unwrap(), stream).unwrap();
 });
 
-run_test!(get_ssl_method, |method, _| {
-    let ssl = Ssl::new(&SslContext::new(method).unwrap()).unwrap();
-    assert_eq!(ssl.ssl_method(), method);
-});
-
 run_test!(verify_untrusted, |method, stream| {
     let mut ctx = SslContext::new(method).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
@@ -391,11 +398,11 @@ run_test!(ssl_verify_callback, |method, stream| {
 // Make sure every write call translates to a write call to the underlying socket.
 #[test]
 fn test_write_hits_stream() {
-    let listener = TcpListener::bind(next_addr()).unwrap();
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let addr = listener.local_addr().unwrap();
 
     let guard = thread::spawn(move || {
-        let ctx = SslContext::new(Sslv23).unwrap();
+        let ctx = SslContext::new(Tls).unwrap();
         let stream = TcpStream::connect(addr).unwrap();
         let mut stream = SslStream::connect(&ctx, stream).unwrap();
 
@@ -403,7 +410,7 @@ fn test_write_hits_stream() {
         stream
     });
 
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM).unwrap();
     ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM).unwrap();
@@ -423,7 +430,7 @@ fn test_set_certificate_and_private_key() {
     let cert = include_bytes!("../../../test/cert.pem");
     let cert = X509::from_pem(cert).unwrap();
 
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_private_key(&key).unwrap();
     ctx.set_certificate(&cert).unwrap();
 
@@ -451,7 +458,7 @@ run_test!(clear_ctx_options, |method, _| {
 #[test]
 fn test_write() {
     let (_s, stream) = Server::new();
-    let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap();
+    let mut stream = SslStream::connect(&SslContext::new(Tls).unwrap(), stream).unwrap();
     stream.write_all("hello".as_bytes()).unwrap();
     stream.flush().unwrap();
     stream.write_all(" there".as_bytes()).unwrap();
@@ -461,7 +468,7 @@ fn test_write() {
 #[test]
 fn test_write_direct() {
     let (_s, stream) = Server::new();
-    let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap();
+    let mut stream = SslStream::connect(&SslContext::new(Tls).unwrap(), stream).unwrap();
     stream.write_all("hello".as_bytes()).unwrap();
     stream.flush().unwrap();
     stream.write_all(" there".as_bytes()).unwrap();
@@ -492,7 +499,7 @@ fn test_write_dtlsv1() {
 #[test]
 fn test_read() {
     let (_s, tcp) = Server::new();
-    let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), tcp).unwrap();
+    let mut stream = SslStream::connect(&SslContext::new(Tls).unwrap(), tcp).unwrap();
     stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap();
     stream.flush().unwrap();
     io::copy(&mut stream, &mut io::sink()).ok().expect("read error");
@@ -501,7 +508,7 @@ fn test_read() {
 #[test]
 fn test_read_direct() {
     let (_s, tcp) = Server::new();
-    let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), tcp).unwrap();
+    let mut stream = SslStream::connect(&SslContext::new(Tls).unwrap(), tcp).unwrap();
     stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap();
     stream.flush().unwrap();
     io::copy(&mut stream, &mut io::sink()).ok().expect("read error");
@@ -510,7 +517,7 @@ fn test_read_direct() {
 #[test]
 fn test_pending() {
     let (_s, tcp) = Server::new();
-    let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), tcp).unwrap();
+    let mut stream = SslStream::connect(&SslContext::new(Tls).unwrap(), tcp).unwrap();
     stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap();
     stream.flush().unwrap();
 
@@ -533,7 +540,7 @@ fn test_pending() {
 #[test]
 fn test_state() {
     let (_s, tcp) = Server::new();
-    let stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), tcp).unwrap();
+    let stream = SslStream::connect(&SslContext::new(Tls).unwrap(), tcp).unwrap();
     assert_eq!(stream.ssl().state_string(), "SSLOK ");
     assert_eq!(stream.ssl().state_string_long(),
                "SSL negotiation finished successfully");
@@ -542,10 +549,10 @@ fn test_state() {
 /// Tests that connecting with the client using ALPN, but the server not does not
 /// break the existing connection behavior.
 #[test]
-#[cfg(feature = "alpn")]
+#[cfg(all(feature = "alpn", not(ossl101)))]
 fn test_connect_with_unilateral_alpn() {
     let (_s, stream) = Server::new();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -564,10 +571,10 @@ fn test_connect_with_unilateral_alpn() {
 /// Tests that connecting with the client using NPN, but the server not does not
 /// break the existing connection behavior.
 #[test]
-#[cfg(feature = "npn")]
+#[cfg(all(feature = "npn", not(ossl101)))]
 fn test_connect_with_unilateral_npn() {
     let (_s, stream) = Server::new();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -586,10 +593,10 @@ fn test_connect_with_unilateral_npn() {
 /// Tests that when both the client as well as the server use ALPN and their
 /// lists of supported protocols have an overlap, the correct protocol is chosen.
 #[test]
-#[cfg(feature = "alpn")]
+#[cfg(all(feature = "alpn", not(ossl101)))]
 fn test_connect_with_alpn_successful_multiple_matching() {
     let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -608,10 +615,10 @@ fn test_connect_with_alpn_successful_multiple_matching() {
 /// Tests that when both the client as well as the server use NPN and their
 /// lists of supported protocols have an overlap, the correct protocol is chosen.
 #[test]
-#[cfg(feature = "npn")]
+#[cfg(all(feature = "npn", not(ossl101)))]
 fn test_connect_with_npn_successful_multiple_matching() {
     let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -631,10 +638,10 @@ fn test_connect_with_npn_successful_multiple_matching() {
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
 #[test]
-#[cfg(feature = "alpn")]
+#[cfg(all(feature = "alpn", not(ossl101)))]
 fn test_connect_with_alpn_successful_single_match() {
     let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_alpn_protocols(&[b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -655,10 +662,10 @@ fn test_connect_with_alpn_successful_single_match() {
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
 #[test]
-#[cfg(feature = "npn")]
+#[cfg(all(feature = "npn", not(ossl101)))]
 fn test_connect_with_npn_successful_single_match() {
     let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_npn_protocols(&[b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -677,13 +684,13 @@ fn test_connect_with_npn_successful_single_match() {
 /// Tests that when the `SslStream` is created as a server stream, the protocols
 /// are correctly advertised to the client.
 #[test]
-#[cfg(feature = "npn")]
+#[cfg(all(feature = "npn", not(ossl101)))]
 fn test_npn_server_advertise_multiple() {
-    let listener = TcpListener::bind(next_addr()).unwrap();
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let localhost = listener.local_addr().unwrap();
     // We create a different context instance for the server...
     let listener_ctx = {
-        let mut ctx = SslContext::new(Sslv23).unwrap();
+        let mut ctx = SslContext::new(Tls).unwrap();
         ctx.set_verify(SSL_VERIFY_PEER);
         ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]);
         assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
@@ -698,7 +705,7 @@ fn test_npn_server_advertise_multiple() {
         let _ = SslStream::accept(&listener_ctx, stream).unwrap();
     });
 
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_npn_protocols(&[b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -718,13 +725,13 @@ fn test_npn_server_advertise_multiple() {
 /// Tests that when the `SslStream` is created as a server stream, the protocols
 /// are correctly advertised to the client.
 #[test]
-#[cfg(feature = "alpn")]
+#[cfg(all(feature = "alpn", not(ossl101)))]
 fn test_alpn_server_advertise_multiple() {
-    let listener = TcpListener::bind(next_addr()).unwrap();
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let localhost = listener.local_addr().unwrap();
     // We create a different context instance for the server...
     let listener_ctx = {
-        let mut ctx = SslContext::new(Sslv23).unwrap();
+        let mut ctx = SslContext::new(Tls).unwrap();
         ctx.set_verify(SSL_VERIFY_PEER);
         ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]);
         assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
@@ -739,7 +746,7 @@ fn test_alpn_server_advertise_multiple() {
         let _ = SslStream::accept(&listener_ctx, stream).unwrap();
     });
 
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_alpn_protocols(&[b"spdy/3.1"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -759,13 +766,13 @@ fn test_alpn_server_advertise_multiple() {
 /// Test that Servers supporting ALPN don't report a protocol when none of their protocols match
 /// the client's reported protocol.
 #[test]
-#[cfg(feature = "alpn")]
+#[cfg(all(feature = "alpn", not(ossl101)))]
 fn test_alpn_server_select_none() {
-    let listener = TcpListener::bind(next_addr()).unwrap();
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let localhost = listener.local_addr().unwrap();
     // We create a different context instance for the server...
     let listener_ctx = {
-        let mut ctx = SslContext::new(Sslv23).unwrap();
+        let mut ctx = SslContext::new(Tls).unwrap();
         ctx.set_verify(SSL_VERIFY_PEER);
         ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]);
         assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
@@ -780,7 +787,7 @@ fn test_alpn_server_select_none() {
         let _ = SslStream::accept(&listener_ctx, stream).unwrap();
     });
 
-    let mut ctx = SslContext::new(Sslv23).unwrap();
+    let mut ctx = SslContext::new(Tls).unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     ctx.set_alpn_protocols(&[b"http/2"]);
     match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
@@ -875,7 +882,7 @@ fn handshake(res: Result<SslStream<TcpStream>, HandshakeError<TcpStream>>)
 fn test_write_nonblocking() {
     let (_s, stream) = Server::new();
     stream.set_nonblocking(true).unwrap();
-    let cx = SslContext::new(Sslv23).unwrap();
+    let cx = SslContext::new(Tls).unwrap();
     let mut stream = handshake(SslStream::connect(&cx, stream));
 
     let mut iterations = 0;
@@ -913,7 +920,7 @@ fn test_write_nonblocking() {
 fn test_read_nonblocking() {
     let (_s, stream) = Server::new();
     stream.set_nonblocking(true).unwrap();
-    let cx = SslContext::new(Sslv23).unwrap();
+    let cx = SslContext::new(Tls).unwrap();
     let mut stream = handshake(SslStream::connect(&cx, stream));
 
     let mut iterations = 0;
@@ -965,7 +972,6 @@ fn test_read_nonblocking() {
 
 #[test]
 #[should_panic(expected = "blammo")]
-#[cfg(feature = "nightly")]
 fn write_panic() {
     struct ExplodingStream(TcpStream);
 
@@ -988,13 +994,12 @@ fn write_panic() {
     let (_s, stream) = Server::new();
     let stream = ExplodingStream(stream);
 
-    let ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+    let ctx = SslContext::new(SslMethod::Tls).unwrap();
     let _ = SslStream::connect(&ctx, stream);
 }
 
 #[test]
 #[should_panic(expected = "blammo")]
-#[cfg(feature = "nightly")]
 fn read_panic() {
     struct ExplodingStream(TcpStream);
 
@@ -1017,13 +1022,12 @@ fn read_panic() {
     let (_s, stream) = Server::new();
     let stream = ExplodingStream(stream);
 
-    let ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+    let ctx = SslContext::new(SslMethod::Tls).unwrap();
     let _ = SslStream::connect(&ctx, stream);
 }
 
 #[test]
 #[should_panic(expected = "blammo")]
-#[cfg(feature = "nightly")]
 fn flush_panic() {
     struct ExplodingStream(TcpStream);
 
@@ -1046,20 +1050,20 @@ fn flush_panic() {
     let (_s, stream) = Server::new();
     let stream = ExplodingStream(stream);
 
-    let ctx = SslContext::new(SslMethod::Sslv23).unwrap();
-    let mut stream = SslStream::connect(&ctx, stream).unwrap();
+    let ctx = SslContext::new(SslMethod::Tls).unwrap();
+    let mut stream = SslStream::connect(&ctx, stream).ok().unwrap();
     let _ = stream.flush();
 }
 
 #[test]
 fn refcount_ssl_context() {
     let mut ssl = {
-        let ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+        let ctx = SslContext::new(SslMethod::Tls).unwrap();
         ssl::Ssl::new(&ctx).unwrap()
     };
 
     {
-        let new_ctx_a = SslContext::new(SslMethod::Sslv23).unwrap();
+        let new_ctx_a = SslContext::new(SslMethod::Tls).unwrap();
         let _new_ctx_b = ssl.set_ssl_context(&new_ctx_a);
     }
 }
@@ -1067,7 +1071,7 @@ fn refcount_ssl_context() {
 #[test]
 #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
 fn default_verify_paths() {
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
     ctx.set_default_verify_paths().unwrap();
     ctx.set_verify(SSL_VERIFY_PEER);
     let s = TcpStream::connect("google.com:443").unwrap();
@@ -1086,6 +1090,6 @@ fn default_verify_paths() {
 fn add_extra_chain_cert() {
     let cert = include_bytes!("../../../test/cert.pem");
     let cert = X509::from_pem(cert).unwrap();
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
     ctx.add_extra_chain_cert(&cert).unwrap();
 }