Split out TLS implementations

This provides a lot more flexibility around version support, and unlike
the ToSql/FromSql implementations, these don't actually need to be in
postgres itself.

Author: sfackler

.circleci/config.yml

@@ -29,8 +29,6 @@ jobs:
       - image: sfackler/rust-postgres-test:3
     steps:
       - checkout
-      - run: apt-get update
-      - run: DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends jq
       - *RESTORE_REGISTRY
       - run: cargo generate-lockfile
       - run: cargo update -p nalgebra --precise 0.14.3 # 0.14.4 requires 1.26 :(
@@ -39,6 +37,6 @@ jobs:
       - run: rustc --version > ~/rust-version
       - *RESTORE_DEPS
       - run: cargo test --all
-      - run: cargo test --manifest-path=postgres/Cargo.toml --features "$(cargo read-manifest --manifest-path=postgres/Cargo.toml | jq -r '.features|keys|map(select(. != "with-security-framework" and . != "with-schannel"))|join(" ")')"
-      - run: cargo test --manifest-path=tokio-postgres/Cargo.toml --all-features
+      - run: cargo test -p postgres --all-features
+      - run: cargo test -p tokio-postgres --all-features
       - *SAVE_DEPS

Cargo.toml

@@ -4,5 +4,7 @@ members = [
     "postgres",
     "postgres-protocol",
     "postgres-shared",
-    "tokio-postgres"
+    "postgres-openssl",
+    "postgres-native-tls",
+    "tokio-postgres",
 ]

postgres-native-tls/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "postgres-native-tls"
+version = "0.1.0"
+authors = ["Steven Fackler <[email protected]>"]
+
+[dependencies]
+native-tls = "0.1"
+
+postgres = { version = "0.15", path = "../postgres" }

postgres-native-tls/src/lib.rs

@@ -0,0 +1,72 @@
+pub extern crate native_tls;
+extern crate postgres;
+
+use native_tls::TlsConnector;
+use postgres::tls::{Stream, TlsHandshake, TlsStream};
+use std::error::Error;
+use std::fmt::{self, Debug};
+use std::io::{self, Read, Write};
+
+#[cfg(test)]
+mod test;
+
+pub struct NativeTls {
+    connector: TlsConnector,
+}
+
+impl Debug for NativeTls {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.debug_struct("NativeTls").finish()
+    }
+}
+
+impl NativeTls {
+    pub fn new() -> Result<NativeTls, native_tls::Error> {
+        let connector = TlsConnector::builder()?.build()?;
+        Ok(NativeTls::with_connector(connector))
+    }
+
+    pub fn with_connector(connector: TlsConnector) -> NativeTls {
+        NativeTls { connector }
+    }
+}
+
+impl TlsHandshake for NativeTls {
+    fn tls_handshake(
+        &self,
+        domain: &str,
+        stream: Stream,
+    ) -> Result<Box<TlsStream>, Box<Error + Sync + Send>> {
+        let stream = self.connector.connect(domain, stream)?;
+        Ok(Box::new(NativeTlsStream(stream)))
+    }
+}
+
+#[derive(Debug)]
+struct NativeTlsStream(native_tls::TlsStream<Stream>);
+
+impl Read for NativeTlsStream {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        self.0.read(buf)
+    }
+}
+
+impl Write for NativeTlsStream {
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        self.0.write(buf)
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        self.0.flush()
+    }
+}
+
+impl TlsStream for NativeTlsStream {
+    fn get_ref(&self) -> &Stream {
+        self.0.get_ref()
+    }
+
+    fn get_mut(&mut self) -> &mut Stream {
+        self.0.get_mut()
+    }
+}

postgres-native-tls/src/test.rs

@@ -0,0 +1,21 @@
+use native_tls::{Certificate, TlsConnector};
+use postgres::{Connection, TlsMode};
+
+use NativeTls;
+
+#[test]
+fn connect() {
+    let cert = include_bytes!("../../test/server.crt");
+    let cert = Certificate::from_pem(cert).unwrap();
+
+    let mut builder = TlsConnector::builder().unwrap();
+    builder.add_root_certificate(cert).unwrap();
+    let connector = builder.build().unwrap();
+
+    let handshake = NativeTls::with_connector(connector);
+    let conn = Connection::connect(
+        "postgres://ssl_user@localhost:5433/postgres",
+        TlsMode::Require(&handshake),
+    ).unwrap();
+    conn.execute("SELECT 1::VARCHAR", &[]).unwrap();
+}

postgres-openssl/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "postgres-openssl"
+version = "0.1.0"
+authors = ["Steven Fackler <[email protected]>"]
+
+[dependencies]
+openssl = "0.10"
+
+postgres = { version = "0.15", path = "../postgres" }

postgres-openssl/src/lib.rs

@@ -0,0 +1,87 @@
+pub extern crate openssl;
+extern crate postgres;
+
+use openssl::error::ErrorStack;
+use openssl::ssl::{ConnectConfiguration, SslConnector, SslMethod, SslStream};
+use postgres::tls::{Stream, TlsHandshake, TlsStream};
+use std::error::Error;
+use std::fmt;
+use std::io::{self, Read, Write};
+
+#[cfg(test)]
+mod test;
+
+pub struct OpenSsl {
+    connector: SslConnector,
+    config: Box<Fn(&mut ConnectConfiguration) -> Result<(), ErrorStack> + Sync + Send>,
+}
+
+impl fmt::Debug for OpenSsl {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.debug_struct("OpenSsl").finish()
+    }
+}
+
+impl OpenSsl {
+    pub fn new() -> Result<OpenSsl, ErrorStack> {
+        let connector = SslConnector::builder(SslMethod::tls())?.build();
+        Ok(OpenSsl::with_connector(connector))
+    }
+
+    pub fn with_connector(connector: SslConnector) -> OpenSsl {
+        OpenSsl {
+            connector,
+            config: Box::new(|_| Ok(())),
+        }
+    }
+
+    pub fn callback<F>(&mut self, f: F)
+    where
+        F: Fn(&mut ConnectConfiguration) -> Result<(), ErrorStack> + 'static + Sync + Send,
+    {
+        self.config = Box::new(f);
+    }
+}
+
+impl TlsHandshake for OpenSsl {
+    fn tls_handshake(
+        &self,
+        domain: &str,
+        stream: Stream,
+    ) -> Result<Box<TlsStream>, Box<Error + Sync + Send>> {
+        let mut ssl = self.connector.configure()?;
+        (self.config)(&mut ssl)?;
+        let stream = ssl.connect(domain, stream)?;
+
+        Ok(Box::new(OpenSslStream(stream)))
+    }
+}
+
+#[derive(Debug)]
+struct OpenSslStream(SslStream<Stream>);
+
+impl Read for OpenSslStream {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        self.0.read(buf)
+    }
+}
+
+impl Write for OpenSslStream {
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        self.0.write(buf)
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        self.0.flush()
+    }
+}
+
+impl TlsStream for OpenSslStream {
+    fn get_ref(&self) -> &Stream {
+        self.0.get_ref()
+    }
+
+    fn get_mut(&mut self) -> &mut Stream {
+        self.0.get_mut()
+    }
+}

postgres-openssl/src/test.rs

@@ -0,0 +1,28 @@
+use openssl::ssl::{SslConnector, SslMethod};
+use postgres::{Connection, TlsMode};
+
+use OpenSsl;
+
+#[test]
+fn test_require_ssl_conn() {
+    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
+    builder.set_ca_file("../test/server.crt").unwrap();
+    let negotiator = OpenSsl::with_connector(builder.build());
+    let conn = Connection::connect(
+        "postgres://ssl_user@localhost:5433/postgres",
+        TlsMode::Require(&negotiator),
+    ).unwrap();
+    conn.execute("SELECT 1::VARCHAR", &[]).unwrap();
+}
+
+#[test]
+fn test_prefer_ssl_conn() {
+    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
+    builder.set_ca_file("../test/server.crt").unwrap();
+    let negotiator = OpenSsl::with_connector(builder.build());
+    let conn = Connection::connect(
+        "postgres://ssl_user@localhost:5433/postgres",
+        TlsMode::Require(&negotiator),
+    ).unwrap();
+    conn.execute("SELECT 1::VARCHAR", &[]).unwrap();
+}

postgres/Cargo.toml

@@ -43,11 +43,6 @@ path = "tests/test.rs"
 "with-serde_json-1" = ["postgres-shared/with-serde_json-1"]
 "with-uuid-0.6" = ["postgres-shared/with-uuid-0.6"]
 
-with-openssl = ["openssl"]
-with-native-tls = ["native-tls"]
-with-schannel = ["schannel"]
-with-security-framework = ["security-framework"]
-
 no-logging = []
 
 [dependencies]
@@ -56,11 +51,6 @@ fallible-iterator = "0.1.3"
 log = "0.4"
 socket2 = { version = "0.3.5", features = ["unix"] }
 
-openssl = { version = "0.9.23", optional = true }
-native-tls = { version = "0.1", optional = true }
-schannel = { version = "0.1", optional = true }
-security-framework = { version = "0.1.2", optional = true }
-
 postgres-protocol = { version = "0.3.0", path = "../postgres-protocol" }
 postgres-shared = { version = "0.4.1", path = "../postgres-shared" }