Upgrade to security-framework 0.2

sfackler · Mar 24, 2018 · d173102 · d173102
1 parent 79d4ccc
commit d173102
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 46 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 target
 Cargo.lock
 .idea
-*.iml
+*.iml
+.vscode
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,8 +12,8 @@ readme = "README.md"
 lazy_static = "1.0"
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
-security-framework = { version = "0.1.15", features = ["OSX_10_8" ]}
-security-framework-sys = "0.1.15"
+security-framework = "0.2"
+security-framework-sys = "0.2"
 libc = "0.2"
 tempdir = "0.3"
 

diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
@@ -6,9 +6,9 @@ extern crate tempdir;
 use self::security_framework::base;
 use self::security_framework::certificate::SecCertificate;
 use self::security_framework::identity::SecIdentity;
-use self::security_framework::import_export::{Pkcs12ImportOptions, ImportedIdentityOptions};
-use self::security_framework::secure_transport::{self, SslContext, ProtocolSide, ConnectionType,
-                                                 SslProtocol, ClientBuilder};
+use self::security_framework::import_export::{ImportedIdentity, Pkcs12ImportOptions};
+use self::security_framework::secure_transport::{self, ClientBuilder, SslConnectionType,
+                                                 SslContext, SslProtocol, SslProtocolSide};
 use self::security_framework_sys::base::errSecIO;
 use self::tempdir::TempDir;
 use std::fmt;
@@ -18,9 +18,9 @@ use std::sync::Mutex;
 use std::sync::{Once, ONCE_INIT};
 
 #[cfg(not(target_os = "ios"))]
-use self::security_framework::os::macos::keychain::{self, SecKeychain, KeychainSettings};
+use self::security_framework::os::macos::keychain::{self, KeychainSettings, SecKeychain};
 #[cfg(not(target_os = "ios"))]
-use self::security_framework::os::macos::import_export::{SecItems, ImportOptions};
+use self::security_framework::os::macos::import_export::{ImportOptions, SecItems};
 #[cfg(not(target_os = "ios"))]
 use self::security_framework_sys::base::errSecParam;
 
@@ -35,10 +35,10 @@ lazy_static! {
 
 fn convert_protocol(protocol: Protocol) -> SslProtocol {
     match protocol {
-        Protocol::Sslv3 => SslProtocol::Ssl3,
-        Protocol::Tlsv10 => SslProtocol::Tls1,
-        Protocol::Tlsv11 => SslProtocol::Tls11,
-        Protocol::Tlsv12 => SslProtocol::Tls12,
+        Protocol::Sslv3 => SslProtocol::SSL3,
+        Protocol::Tlsv10 => SslProtocol::TLS1,
+        Protocol::Tlsv11 => SslProtocol::TLS11,
+        Protocol::Tlsv12 => SslProtocol::TLS12,
         Protocol::__NonExhaustive => unreachable!(),
     }
 }
@@ -98,9 +98,9 @@ impl Pkcs12 {
         let mut imports = try!(Pkcs12::import_options(buf, pass));
         let import = imports.pop().unwrap();
 
-        let identity = import.identity.expect(
-            "Pkcs12 files must include an identity",
-        );
+        let identity = import
+            .identity
+            .expect("Pkcs12 files must include an identity");
 
         // FIXME: Compare the certificates for equality using CFEqual
         let identity_cert = try!(identity.certificate()).to_der();
@@ -117,7 +117,7 @@ impl Pkcs12 {
     }
 
     #[cfg(not(target_os = "ios"))]
-    fn import_options(buf: &[u8], pass: &str) -> Result<Vec<ImportedIdentityOptions>, Error> {
+    fn import_options(buf: &[u8], pass: &str) -> Result<Vec<ImportedIdentity>, Error> {
         SET_AT_EXIT.call_once(|| {
             extern "C" fn atexit() {
                 *TEMP_KEYCHAIN.lock().unwrap() = None;
@@ -130,13 +130,12 @@ impl Pkcs12 {
         let keychain = match *TEMP_KEYCHAIN.lock().unwrap() {
             Some((ref keychain, _)) => keychain.clone(),
             ref mut lock @ None => {
-                let dir = TempDir::new("native-tls").map_err(|_| {
-                    Error(base::Error::from(errSecIO))
-                })?;
+                let dir =
+                    TempDir::new("native-tls").map_err(|_| Error(base::Error::from(errSecIO)))?;
 
-                let mut keychain = keychain::CreateOptions::new().password(pass).create(
-                    dir.path().join("tmp.keychain"),
-                )?;
+                let mut keychain = keychain::CreateOptions::new()
+                    .password(pass)
+                    .create(dir.path().join("tmp.keychain"))?;
                 keychain.set_settings(&KeychainSettings::new())?;
 
                 *lock = Some((keychain, dir));
@@ -147,7 +146,7 @@ impl Pkcs12 {
             Pkcs12ImportOptions::new()
                 .passphrase(pass)
                 .keychain(keychain)
-                .import_optional(buf)
+                .import(buf)
         );
         Ok(imports)
     }
@@ -256,18 +255,14 @@ where
 
     pub fn handshake(self) -> Result<TlsStream<S>, HandshakeError<S>> {
         match self {
-            MidHandshakeTlsStream::Server(s) => {
-                match s.handshake() {
-                    Ok(s) => Ok(TlsStream(s)),
-                    Err(e) => Err(e.into()),
-                }
-            }
-            MidHandshakeTlsStream::Client(s) => {
-                match s.handshake() {
-                    Ok(s) => Ok(TlsStream(s)),
-                    Err(e) => Err(e.into()),
-                }
-            }
+            MidHandshakeTlsStream::Server(s) => match s.handshake() {
+                Ok(s) => Ok(TlsStream(s)),
+                Err(e) => Err(e.into()),
+            },
+            MidHandshakeTlsStream::Client(s) => match s.handshake() {
+                Ok(s) => Ok(TlsStream(s)),
+                Err(e) => Err(e.into()),
+            },
         }
     }
 }
@@ -342,11 +337,11 @@ impl TlsConnector {
         }
         builder.anchor_certificates(&self.roots);
 
-        let r = match domain {
-            Some(domain) => builder.handshake2(domain, stream),
-            None => builder.danger_handshake_without_providing_domain_for_certificate_validation_and_server_name_indication(stream),
-        };
-        match r {
+        if domain.is_none() {
+            builder.use_sni(false).danger_accept_invalid_hostnames(true);
+        }
+
+        match builder.handshake(domain.unwrap_or(""), stream) {
             Ok(s) => Ok(TlsStream(s)),
             Err(e) => Err(e.into()),
         }
@@ -385,17 +380,14 @@ impl TlsAcceptor {
         S: io::Read + io::Write,
     {
         let mut ctx = try!(SslContext::new(
-            ProtocolSide::Server,
-            ConnectionType::Stream,
+            SslProtocolSide::SERVER,
+            SslConnectionType::STREAM,
         ));
 
         let (min, max) = protocol_min_max(&self.protocols);
         try!(ctx.set_protocol_version_min(min));
         try!(ctx.set_protocol_version_max(max));
-        try!(ctx.set_certificate(
-            &self.pkcs12.identity,
-            &self.pkcs12.chain,
-        ));
+        try!(ctx.set_certificate(&self.pkcs12.identity, &self.pkcs12.chain,));
         match ctx.handshake(stream) {
             Ok(s) => Ok(TlsStream(s)),
             Err(e) => Err(e.into()),