From 558124b7555539e09292b61be057d9ba24e64bf5 Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Sun, 30 Oct 2016 22:02:26 -0700
Subject: [PATCH] Expose SSL_MODEs

---
 openssl-sys/src/lib.rs       | 10 ++++++--
 openssl/src/dh.rs            |  5 +---
 openssl/src/hash.rs          |  4 +--
 openssl/src/ssl/connector.rs | 46 ++++++++++++++++++---------------
 openssl/src/ssl/mod.rs       | 49 ++++++++++++++++++++++--------------
 openssl/src/ssl/tests/mod.rs | 14 +++++------
 6 files changed, 72 insertions(+), 56 deletions(-)

diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 8fd287f7..755277e4 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -1051,8 +1051,14 @@ pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:  c_int = 53;
 pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: c_int = 54;
 pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55;
 
-pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 2;
-pub const SSL_MODE_AUTO_RETRY: c_long = 4;
+pub const SSL_MODE_ENABLE_PARTIAL_WRITE: c_long = 0x1;
+pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 0x2;
+pub const SSL_MODE_AUTO_RETRY: c_long = 0x4;
+pub const SSL_MODE_NO_AUTO_CHAIN: c_long = 0x8;
+pub const SSL_MODE_RELEASE_BUFFERS: c_long = 0x10;
+pub const SSL_MODE_SEND_CLIENTHELLO_TIME: c_long = 0x20;
+pub const SSL_MODE_SEND_SERVERHELLO_TIME: c_long = 0x40;
+pub const SSL_MODE_SEND_FALLBACK_SCSV: c_long = 0x80;
 
 pub const SSL_ERROR_NONE: c_int = 0;
 pub const SSL_ERROR_SSL: c_int = 1;
diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs
index f2659eb3..5c5ea05e 100644
--- a/openssl/src/dh.rs
+++ b/openssl/src/dh.rs
@@ -27,10 +27,7 @@ impl Dh {
     pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> {
         unsafe {
             let dh = Dh(try!(cvt_p(ffi::DH_new())));
-            try!(cvt(compat::DH_set0_pqg(dh.0,
-                                         p.as_ptr(),
-                                         q.as_ptr(),
-                                         g.as_ptr())));
+            try!(cvt(compat::DH_set0_pqg(dh.0, p.as_ptr(), q.as_ptr(), g.as_ptr())));
             mem::forget((p, g, q));
             Ok(dh)
         }
diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs
index c91976bf..6a13371d 100644
--- a/openssl/src/hash.rs
+++ b/openssl/src/hash.rs
@@ -135,9 +135,7 @@ impl Hasher {
             try!(self.init());
         }
         unsafe {
-            try!(cvt(ffi::EVP_DigestUpdate(self.ctx,
-                                           data.as_ptr() as *mut _,
-                                           data.len())));
+            try!(cvt(ffi::EVP_DigestUpdate(self.ctx, data.as_ptr() as *mut _, data.len())));
         }
         self.state = Updated;
         Ok(())
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index dd7656dd..c7bfb209 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -39,6 +39,10 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
     opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
     ctx.set_options(opts);
 
+    let mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+               ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
+    ctx.set_mode(mode);
+
     Ok(ctx)
 }
 
@@ -53,9 +57,9 @@ impl SslConnectorBuilder {
         let mut ctx = try!(ctx(method));
         try!(ctx.set_default_verify_paths());
         // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191
-        try!(ctx.set_cipher_list(
-            "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\
-             DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
+        try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\
+                                  DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\
+                                  RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
 
         Ok(SslConnectorBuilder(ctx))
     }
@@ -123,17 +127,20 @@ impl SslAcceptorBuilder {
         let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
         try!(ctx.set_tmp_dh(&dh));
         try!(setup_curves(&mut ctx));
-        try!(ctx.set_cipher_list(
-            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
-             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
-             ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
-             DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\
-             ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
-             ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\
-             ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\
-             DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
-             EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\
-             AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"));
+        try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
+                                  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
+                                  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
+                                  DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:\
+                                  ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\
+                                  ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
+                                  ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
+                                  ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:\
+                                  DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
+                                  DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:\
+                                  ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
+                                  EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\
+                                  AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:\
+                                  DES-CBC3-SHA:!DSS"));
         SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
     }
 
@@ -153,12 +160,11 @@ impl SslAcceptorBuilder {
     {
         let mut ctx = try!(ctx(method));
         try!(setup_curves(&mut ctx));
-        try!(ctx.set_cipher_list(
-            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
-             ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
-             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
-             ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\
-             ECDHE-RSA-AES128-SHA256"));
+        try!(ctx.set_cipher_list("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
+                                  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
+                                  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
+                                  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
+                                  ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"));
         SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
     }
 
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 2aea5af4..3aa509f4 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -108,12 +108,11 @@ mod tests;
 
 use self::bio::BioMethod;
 
-pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder,
-                         SslAcceptor};
+pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor};
 pub use ssl::error::{Error, HandshakeError};
 
 bitflags! {
-    pub flags SslOptions: c_ulong {
+    pub flags SslOption: c_ulong {
         const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG,
         const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG,
         const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
@@ -154,6 +153,19 @@ bitflags! {
     }
 }
 
+bitflags! {
+    pub flags SslMode: c_long {
+        const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE,
+        const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,
+        const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY,
+        const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN,
+        const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS,
+        const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME,
+        const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME,
+        const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV,
+    }
+}
+
 #[derive(Copy, Clone)]
 pub struct SslMethod(*const ffi::SSL_METHOD);
 
@@ -426,16 +438,12 @@ impl Drop for SslContextBuilder {
 
 impl SslContextBuilder {
     pub fn new(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
-        init();
-
-        let mut ctx = unsafe {
+        unsafe {
+            init();
             let ctx = try!(cvt_p(ffi::SSL_CTX_new(method.as_ptr())));
-            SslContextBuilder::from_ptr(ctx)
-        };
 
-        try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY | ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER));
-
-        Ok(ctx)
+            Ok(SslContextBuilder::from_ptr(ctx))
+        }
     }
 
     pub unsafe fn from_ptr(ctx: *mut ffi::SSL_CTX) -> SslContextBuilder {
@@ -498,8 +506,11 @@ impl SslContextBuilder {
         }
     }
 
-    fn set_mode(&mut self, mode: c_long) -> Result<(), ErrorStack> {
-        unsafe { cvt(ffi::SSL_CTX_set_mode(self.as_ptr(), mode) as c_int).map(|_| ()) }
+    pub fn set_mode(&mut self, mode: SslMode) -> SslMode {
+        unsafe {
+            let mode = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits());
+            SslMode::from_bits(mode).unwrap()
+        }
     }
 
     pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
@@ -630,19 +641,19 @@ impl SslContextBuilder {
         unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
     }
 
-    pub fn set_options(&mut self, option: SslOptions) -> SslOptions {
+    pub fn set_options(&mut self, option: SslOption) -> SslOption {
         let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
-        SslOptions::from_bits(ret).unwrap()
+        SslOption::from_bits(ret).unwrap()
     }
 
-    pub fn options(&self) -> SslOptions {
+    pub fn options(&self) -> SslOption {
         let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
-        SslOptions::from_bits(ret).unwrap()
+        SslOption::from_bits(ret).unwrap()
     }
 
-    pub fn clear_options(&mut self, option: SslOptions) -> SslOptions {
+    pub fn clear_options(&mut self, option: SslOption) -> SslOption {
         let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
-        SslOptions::from_bits(ret).unwrap()
+        SslOption::from_bits(ret).unwrap()
     }
 
     /// Set the protocols to be used during Next Protocol Negotiation (the protocols
diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index 61eac063..a874fe3b 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -18,8 +18,8 @@ use hash::MessageDigest;
 use ssl;
 use ssl::SSL_VERIFY_PEER;
 use ssl::{SslMethod, HandshakeError};
-use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder,
-          SslAcceptorBuilder, Error};
+use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder,
+          Error};
 use x509::X509StoreContextRef;
 use x509::X509FileType;
 use x509::X509;
@@ -1115,12 +1115,10 @@ fn connector_client_server_mozilla_intermediate() {
     let t = thread::spawn(move || {
         let key = PKey::private_key_from_pem(KEY).unwrap();
         let cert = X509::from_pem(CERT).unwrap();
-        let connector = SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(),
-                                                                     &key,
-                                                                     &cert,
-                                                                     None::<X509>)
-            .unwrap()
-            .build();
+        let connector =
+            SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(), &key, &cert, None::<X509>)
+                .unwrap()
+                .build();
         let stream = listener.accept().unwrap().0;
         let mut stream = connector.accept(stream).unwrap();