Introduce OpenSSL::SSL::Context::Server, OpenSSL::SSL::Context::Client,

jhass · jhass · commit b053e6bf4c28 · 2016-05-30T13:59:32.000-04:00
OpenSSL::SSL::Socket::Server and OpenSSL::SSL::Socket::Client
diff --git a/spec/std/http/client/client_spec.cr b/spec/std/http/client/client_spec.cr
@@ -61,13 +61,13 @@ module HTTP
         end
 
         it "keeps context" do
-          ctx = OpenSSL::SSL::Context.new_for_client
+          ctx = OpenSSL::SSL::Context::Client.new
           cl = Client.new(URI.parse("https://example.com"), ctx)
           cl.ssl.should be(ctx)
         end
 
         it "doesn't take context for HTTP" do
-          ctx = OpenSSL::SSL::Context.new_for_client
+          ctx = OpenSSL::SSL::Context::Client.new
           expect_raises(ArgumentError, "SSL context given") do
             Client.new(URI.parse("http://example.com"), ctx)
           end
diff --git a/spec/std/http/server/server_spec.cr b/spec/std/http/server/server_spec.cr
@@ -32,7 +32,7 @@ module HTTP
 
     describe Response do
       it "creates default ssl context" do
-        HTTP::Server.default_ssl_context.should be_a(OpenSSL::SSL::Context)
+        HTTP::Server.default_ssl_context.should be_a(OpenSSL::SSL::Context::Server)
       end
 
       it "closes" do
diff --git a/spec/std/openssl/ssl/context_spec.cr b/spec/std/openssl/ssl/context_spec.cr
@@ -3,91 +3,91 @@ require "openssl"
 
 describe OpenSSL::SSL::Context do
   it "new_for_client" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::PEER)
-    OpenSSL::SSL::Context.new_for_client(LibSSL.tlsv1_method)
+    OpenSSL::SSL::Context::Client.new(LibSSL.tlsv1_method)
   end
 
   it "new_for_server" do
-    ssl_context = OpenSSL::SSL::Context.new_for_server
+    ssl_context = OpenSSL::SSL::Context::Server.new
     ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
-    OpenSSL::SSL::Context.new_for_server(LibSSL.tlsv1_method)
+    OpenSSL::SSL::Context::Server.new(LibSSL.tlsv1_method)
   end
 
   it "sets certificate chain" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.certificate_chain = File.join(__DIR__, "openssl.crt")
   end
 
   it "fails to set certificate chain" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     expect_raises(OpenSSL::Error) { ssl_context.certificate_chain = File.join(__DIR__, "unknown.crt") }
     expect_raises(OpenSSL::Error) { ssl_context.certificate_chain = __FILE__ }
   end
 
   it "sets private key" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.private_key = File.join(__DIR__, "openssl.key")
   end
 
   it "fails to set private key" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     expect_raises(OpenSSL::Error) { ssl_context.private_key = File.join(__DIR__, "unknown.key") }
     expect_raises(OpenSSL::Error) { ssl_context.private_key = __FILE__ }
   end
 
   it "sets ciphers" do
     ciphers = "EDH+aRSA DES-CBC3-SHA !RC4"
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     (ssl_context.ciphers = ciphers).should eq(ciphers)
   end
 
   it "adds temporary ecdh curve (P-256)" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.set_tmp_ecdh_key
   end
 
   it "adds options" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.remove_options(ssl_context.options) # reset
     ssl_context.add_options(LibSSL::Options::ALL).should eq(LibSSL::Options::ALL)
     ssl_context.add_options(LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3)
                .should eq(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3)
   end
 
   it "removes options" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_options(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
     ssl_context.remove_options(LibSSL::Options::ALL).should eq(LibSSL::Options::NO_SSLV2)
   end
 
   it "returns options" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_options(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
     ssl_context.options.should eq(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
   end
 
   it "adds modes" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY).should eq(LibSSL::Modes::AUTO_RETRY)
     ssl_context.add_modes(LibSSL::Modes::RELEASE_BUFFERS)
                .should eq(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
   end
 
   it "removes modes" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
     ssl_context.remove_modes(LibSSL::Modes::AUTO_RETRY).should eq(LibSSL::Modes::RELEASE_BUFFERS)
   end
 
   it "returns modes" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
     ssl_context.modes.should eq(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
   end
 
   it "sets the verify mode" do
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.verify_mode = OpenSSL::SSL::VerifyMode::NONE
     ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
     ssl_context.verify_mode = OpenSSL::SSL::VerifyMode::PEER
@@ -96,7 +96,7 @@ describe OpenSSL::SSL::Context do
 
   pending "alpn_protocol=" do
     # requires OpenSSL 1.0.2+
-    ssl_context = OpenSSL::SSL::Context.new_for_client
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.alpn_protocol = "h2"
   end
 end
diff --git a/src/http/client/client.cr b/src/http/client/client.cr
@@ -69,18 +69,18 @@ class HTTP::Client
   # ```
   getter port : Int32
 
-  # If this client uses SSL, returns its `OpenSSL::SSL::Context`, raises otherwise.
+  # If this client uses SSL, returns its `OpenSSL::SSL::Context::Client`, raises otherwise.
   #
   # Changes made after the initial request will have no effect.
   #
   # ```
   # client = HTTP::Client.new "www.example.com", ssl: true
-  # client.ssl # => #<OpenSSL::SSL::Context ...>
+  # client.ssl # => #<OpenSSL::SSL::Context::Client ...>
   # ```
   ifdef without_openssl
     getter! ssl : Nil
   else
-    getter! ssl : OpenSSL::SSL::Context?
+    getter! ssl : OpenSSL::SSL::Context::Client?
   end
 
   # Whether automatic compression/decompression is enabled.
@@ -99,7 +99,7 @@ class HTTP::Client
   # Creates a new HTTP client with the given *host*, *port* and *ssl*
   # configurations. If no port is given, the default one will
   # be used depending on the *ssl* arguments: 80 for if *ssl* is `false`,
-  # 443 if *ssl* is truthy. If *ssl* is `true` a new `OpenSSL::SSL::Context` will
+  # 443 if *ssl* is truthy. If *ssl* is `true` a new `OpenSSL::SSL::Context::Client` will
   # be used, else the given one. In any case the active context can be accessed through `ssl`.
   ifdef without_openssl
     def initialize(@host, port = nil, ssl : Bool = false)
@@ -112,11 +112,11 @@ class HTTP::Client
       @compress = true
     end
   else
-    def initialize(@host, port = nil, ssl : Bool | OpenSSL::SSL::Context = false)
+    def initialize(@host, port = nil, ssl : Bool | OpenSSL::SSL::Context::Client = false)
       @ssl = case ssl
              when true
-               OpenSSL::SSL::Context.new_for_client
-             when OpenSSL::SSL::Context
+               OpenSSL::SSL::Context::Client.new
+             when OpenSSL::SSL::Context::Client
                ssl
              when false
                nil
@@ -530,7 +530,7 @@ class HTTP::Client
 
     ifdef !without_openssl
       if ssl = @ssl
-        ssl_socket = OpenSSL::SSL::Socket.new(socket, context: ssl, sync_close: true, hostname: @host)
+        ssl_socket = OpenSSL::SSL::Socket::Client.new(socket, context: ssl, sync_close: true, hostname: @host)
         @socket = socket = ssl_socket
       end
     end
@@ -574,18 +574,18 @@ class HTTP::Client
       end
     end
   else
-    protected def self.ssl_flag(uri, context : OpenSSL::SSL::Context?)
+    protected def self.ssl_flag(uri, context : OpenSSL::SSL::Context::Client?)
       scheme = uri.scheme
       case {scheme, context}
       when {nil, _}
         raise ArgumentError.new("missing scheme: #{uri}")
       when {"http", nil}
         false
-      when {"http", OpenSSL::SSL::Context}
+      when {"http", OpenSSL::SSL::Context::Client}
         raise ArgumentError.new("SSL context given for HTTP URI")
       when {"https", nil}
         true
-      when {"https", OpenSSL::SSL::Context}
+      when {"https", OpenSSL::SSL::Context::Client}
         context
       else
         raise ArgumentError.new "Unsupported scheme: #{scheme}"
diff --git a/src/http/server/server.cr b/src/http/server/server.cr
@@ -89,10 +89,10 @@ require "../common"
 # ```
 class HTTP::Server
   ifdef !without_openssl
-    property ssl : OpenSSL::SSL::Context?
+    property ssl : OpenSSL::SSL::Context::Server?
 
     def self.default_ssl_context : OpenSSL::SSL::Context
-      ctx = OpenSSL::SSL::Context.new_for_server
+      ctx = OpenSSL::SSL::Context::Server.new
       ctx.add_options(
         LibSSL::Options::ALL |
           LibSSL::Options::NO_SSLV2 |
@@ -176,7 +176,7 @@ class HTTP::Server
 
     ifdef !without_openssl
       if ssl = @ssl
-        io = OpenSSL::SSL::Socket.new(io, :server, ssl, sync_close: true)
+        io = OpenSSL::SSL::Socket::Server.new(io, ssl, sync_close: true)
       end
     end
 
diff --git a/src/http/web_socket/protocol.cr b/src/http/web_socket/protocol.cr
@@ -233,11 +233,11 @@ class HTTP::WebSocket::Protocol
     ifdef !without_openssl
       if ssl
         if ssl.is_a?(Bool) # true, but we want to get rid of the union
-          context = OpenSSL::SSL::Context.new_for_client
+          context = OpenSSL::SSL::Context::Client.new
         else
           context = ssl
         end
-        socket = OpenSSL::SSL::Socket.new(socket, context: context, sync_close: true)
+        socket = OpenSSL::SSL::Socket::Client.new(socket, context: context, sync_close: true)
       end
     end
 
diff --git a/src/openssl/ssl/context.cr b/src/openssl/ssl/context.cr
@@ -1,47 +1,51 @@
-class OpenSSL::SSL::Context
-  # Generates a new SSL context with sane defaults for a client connection.
-  #
-  # By default it defaults to the `SSLv23_method` which actually means that
-  # OpenSSL will negotiate the TLS or SSL protocol to use with the remote
-  # endpoint.
-  #
-  # Don't change the method unless you must restrict a specific protocol to be
-  # used (eg: TLSv1.2) and nothing else. You should specify options to disable
-  # specific protocols, yet allow to negotiate from various other ones. For
-  # example the following snippet will enable the TLSv1, TLSv1.1 and TLSv1.2
-  # protocols but disable the deprecated SSLv2 and SSLv3 protocols:
-  #
-  # ```
-  # ssl_context = OpenSSL::SSL::Context.new_for_client
-  # ssl_context.options = LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3
-  # ```
-  def self.new_for_client(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
-    new(method).tap do |context|
-      context.verify_mode = OpenSSL::SSL::VerifyMode::PEER
+abstract class OpenSSL::SSL::Context
+  class Client < Context
+    # Generates a new SSL context with sane defaults for a client connection.
+    #
+    # By default it defaults to the `SSLv23_method` which actually means that
+    # OpenSSL will negotiate the TLS or SSL protocol to use with the remote
+    # endpoint.
+    #
+    # Don't change the method unless you must restrict a specific protocol to be
+    # used (eg: TLSv1.2) and nothing else. You should specify options to disable
+    # specific protocols, yet allow to negotiate from various other ones. For
+    # example the following snippet will enable the TLSv1, TLSv1.1 and TLSv1.2
+    # protocols but disable the deprecated SSLv2 and SSLv3 protocols:
+    #
+    # ```
+    # ssl_context = OpenSSL::SSL::Context::Client.new
+    # ssl_context.options = LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3
+    # ```
+    def initialize(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
+      super(method)
+
+      self.verify_mode = OpenSSL::SSL::VerifyMode::PEER
     end
   end
 
-  # Generates a new SSL context with sane defaults for a server connection.
-  #
-  # By default it defaults to the `SSLv23_method` which actually means that
-  # OpenSSL will negotiate the TLS or SSL protocol to use with the remote
-  # endpoint.
-  #
-  # Don't change the method unless you must restrict a specific protocol to be
-  # used (eg: TLSv1.2) and nothing else. You should specify options to disable
-  # specific protocols, yet allow to negotiate from various other ones. For
-  # example the following snippet will enable the TLSv1, TLSv1.1 and TLSv1.2
-  # protocols but disable the deprecated SSLv2 and SSLv3 protocols:
-  #
-  # ```
-  # ssl_context = OpenSSL::SSL::Context.new_for_server
-  # ssl_context.options = LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3
-  # ```
-  def self.new_for_server(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
-    new(method)
+  class Server < Context
+    # Generates a new SSL context with sane defaults for a server connection.
+    #
+    # By default it defaults to the `SSLv23_method` which actually means that
+    # OpenSSL will negotiate the TLS or SSL protocol to use with the remote
+    # endpoint.
+    #
+    # Don't change the method unless you must restrict a specific protocol to be
+    # used (eg: TLSv1.2) and nothing else. You should specify options to disable
+    # specific protocols, yet allow to negotiate from various other ones. For
+    # example the following snippet will enable the TLSv1, TLSv1.1 and TLSv1.2
+    # protocols but disable the deprecated SSLv2 and SSLv3 protocols:
+    #
+    # ```
+    # ssl_context = OpenSSL::SSL::Context::Server.new
+    # ssl_context.options = LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3
+    # ```
+    def initialize(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
+      super(method)
+    end
   end
 
-  private def initialize(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
+  protected def initialize(method : LibSSL::SSLMethod = LibSSL.sslv23_method)
     @handle = LibSSL.ssl_ctx_new(method)
     raise OpenSSL::Error.new("SSL_CTX_new") if @handle.null?
     LibSSL.ssl_ctx_set_default_verify_paths(@handle)
diff --git a/src/openssl/ssl/socket.cr b/src/openssl/ssl/socket.cr
