From bbae793eb3ba06e5ad8813ce8182e52fb4a2abd3 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Mon, 25 Dec 2017 19:38:00 -0700
Subject: Upgrade bitflags to 1.0

Closes #756
---
 openssl/src/ssl/connector.rs | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)
(limited to 'openssl/src/ssl/connector.rs')

diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index cd02dc18..cf199d24 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -3,8 +3,8 @@ use std::ops::{Deref, DerefMut};
 use dh::Dh;
 use error::ErrorStack;
-use ssl::{self, HandshakeError, Ssl, SslRef, SslContext, SslContextBuilder, SslMethod, SslStream,
- SSL_VERIFY_PEER};
+use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions,
+ SslRef, SslStream, SslVerifyMode};
 use pkey::PKeyRef;
 use version;
 use x509::X509Ref;
@@ -29,26 +29,19 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 fn ctx(method: SslMethod) -> Result {
 let mut ctx = SslContextBuilder::new(method)?;
- let mut opts = ssl::SSL_OP_ALL;
- opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
- opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
- opts |= ssl::SSL_OP_NO_TICKET;
- opts |= ssl::SSL_OP_NO_COMPRESSION;
- opts |= ssl::SSL_OP_NO_SSLV2;
- opts |= ssl::SSL_OP_NO_SSLV3;
- opts |= ssl::SSL_OP_SINGLE_DH_USE;
- opts |= ssl::SSL_OP_SINGLE_ECDH_USE;
- opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
+ let opts = SslOptions::ALL | SslOptions::NO_TICKET | SslOptions::NO_COMPRESSION
+ | SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
+ | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE;
 ctx.set_options(opts);
- let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
- | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
+ let mut mode =
+ SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE;
 // This is quite a useful optimization for saving memory, but historically
 // caused CVEs in OpenSSL pre-1.0.1h, according to
 // https://bugs.python.org/issue25672
 if version::number() >= 0x1000108f {
- mode |= ssl::SSL_MODE_RELEASE_BUFFERS;
+ mode |= SslMode::RELEASE_BUFFERS;
 }
 ctx.set_mode(mode);
@@ -152,7 +145,11 @@ impl SslConnector {
 /// Returns a structure allowing for configuration of a single TLS session before connection.
 pub fn configure(&self) -> Result {
- Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true })
+ Ssl::new(&self.0).map(|ssl| ConnectConfiguration {
+ ssl,
+ sni: true,
+ verify_hostname: true,
+ })
 }
 }
@@ -228,7 +225,9 @@ impl ConnectConfiguration {
 where
 S: Read + Write,
 {
- self.use_server_name_indication(false).verify_hostname(false).connect("", stream)
+ self.use_server_name_indication(false)
+ .verify_hostname(false)
+ .connect("", stream)
 }
 }
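Review bot: The new `let opts = SslOptions::ALL | …` block keeps the whole `ALL` workaround bundle but drops the two `&= !` clears the removed lines applied to it, so `DONT_INSERT_EMPTY_FRAGMENTS` and `NETSCAPE_REUSE_CIPHER_CHANGE_BUG` are now set in every default context; the first of those disables the empty-fragment countermeasure for CBC suites on TLS 1.0 and older, which is exactly the bit the old code removed on purpose. The later "Tweak default ssl options" commit further down this page restores the `DONT_INSERT_EMPTY_FRAGMENTS` clear but still leaves the Netscape bit set. Making the binding `let mut opts` and adding `opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;` and `opts &= !SslOptions::NETSCAPE_REUSE_CIPHER_CHANGE_BUG;` after it keeps the option set identical to the pre-bitflags one, provided the bitflags type exposes the second constant (the old `ssl::SSL_OP_*` const did). A short comment above the block stating why `ALL` is narrowed would stop the next refactor from dropping the clears again; the rest of `ctx` continues past the end of the hunk.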
@@ -415,7 +414,7 @@ impl SslAcceptor {
 #[cfg(any(ossl102, ossl110))]
 fn setup_verify(ctx: &mut SslContextBuilder) {
- ctx.set_verify(SSL_VERIFY_PEER);
+ ctx.set_verify(SslVerifyMode::PEER);
 }
 #[cfg(ossl101)]
@@ -435,7 +434,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 #[cfg(any(ossl102, ossl110))]
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
 let param = ssl._param_mut();
- param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS);
 match domain.parse() {
 Ok(ip) => param.set_ip(ip),
 Err(_) => param.set_host(domain),
@@ -516,7 +515,10 @@ mod verify {
 // Unlike SANs, IP addresses in the subject name don't have a
 // different encoding.
 match domain.parse::() {
- Ok(ip) => pattern.parse::().ok().map_or(false, |pattern| pattern == ip),
+ Ok(ip) => pattern
+ .parse::()
+ .ok()
+ .map_or(false, |pattern| pattern == ip),
 Err(_) => matches_dns(pattern, domain),
 }
 }
--
cgit v1.2.3

From 7d0c6c944207b1a989c37810fa7967d07655b2f0 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Mon, 25 Dec 2017 20:11:38 -0700
Subject: Fix tests

---
 openssl/src/ssl/connector.rs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'openssl/src/ssl/connector.rs')

diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index cf199d24..34cb4956 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -378,9 +378,9 @@ impl DerefMut for SslAcceptorBuilder {
 #[cfg(ossl101)]
 fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
 use ec::EcKey;
- use nid;
+ use nid::Nid;
- let curve = EcKey::from_curve_name(nid::X9_62_PRIME256V1)?;
+ let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?;
 ctx.set_tmp_ecdh(&curve)
 }
@@ -419,7 +419,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 #[cfg(ossl101)]
 fn setup_verify(ctx: &mut SslContextBuilder) {
- ctx.set_verify_callback(SSL_VERIFY_PEER, |p, x509| {
+ ctx.set_verify_callback(SslVerifyMode::PEER, |p, x509| {
 let hostname = match x509.ssl() {
 Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX),
 _ => None,
@@ -453,7 +453,7 @@ mod verify {
 use std::net::IpAddr;
 use std::str;
- use nid;
+ use nid::Nid;
 use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef};
 use stack::Stack;
@@ -505,7 +505,7 @@ mod verify {
 }
 fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
- match subject_name.entries_by_nid(nid::COMMONNAME).next() {
+ match subject_name.entries_by_nid(Nid::COMMONNAME).next() {
 Some(pattern) => {
 let pattern = match str::from_utf8(pattern.data().as_slice()) {
 Ok(pattern) => pattern,
--
cgit v1.2.3

From 7cc6c9b2f275ed0a9c42c326d71fa98eb3addf36 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Mon, 25 Dec 2017 21:18:49 -0700
Subject: Tweak default ssl options

---
 openssl/src/ssl/connector.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'openssl/src/ssl/connector.rs')

diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 34cb4956..dc65ad5e 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -29,9 +29,11 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 fn ctx(method: SslMethod) -> Result {
 let mut ctx = SslContextBuilder::new(method)?;
- let opts = SslOptions::ALL | SslOptions::NO_TICKET | SslOptions::NO_COMPRESSION
- | SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
+ let mut opts = SslOptions::ALL | SslOptions::NO_COMPRESSION | SslOptions::NO_SSLV2
+ | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
 | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE;
+ opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;
+
 ctx.set_options(opts);
 let mut mode =
--
cgit v1.2.3
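Review bot: `SslOptions::NO_TICKET` is quietly dropped from the default option set in the rewritten `let mut opts = …` lines of the last hunk, which turns on session tickets for every context built through `ctx`, while the commit message only says the options were tweaked. Tickets are protected by the ticket key OpenSSL keeps per context, so a resumed session is only as forward-secret as that key's lifetime; if this helper also backs `SslAcceptor` (not visible in the hunk) that is a server-side behaviour change worth stating explicitly. I would either keep `SslOptions::NO_TICKET` in the expression or record the decision in a comment such as `// Session tickets stay enabled: the ticket key lives as long as the context.` so the next reader knows it was deliberate. The re-added `opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;` brings back one of the clears the pre-bitflags code applied; the rest of `ctx` lies outside the hunk.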