make dane flags more strongly typed, by hiding them(!)

At this time there is only a single flag, and it doesn't seem likely that more are going to be added any time soon, so expose the corresponding functionality via a method instead.
sfackler · Oct 15, 2023 · 2f1a918 · 2f1a918
1 parent 15f0619
commit 2f1a918
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 24 deletions.
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
@@ -1768,10 +1768,7 @@ impl SslContextBuilder {
         }
     }
 
-    /// Enable optional DANE verification features.
-    ///
-    /// Currently, the only supported feature is `DANE_FLAG_NO_DANE_EE_NAMECHECKS`
-    /// which can be used to disable server name checks when authenticating via DANE-EE(3) TLSA
+    /// Disable server name checks when authenticating via DANE-EE(3) TLSA
     /// records. For some applications, primarily web browsers, it is not safe to disable name
     /// checks due to "unknown key share" attacks, in which a malicious server can convince a
     /// client that a connection to a victim server is instead a secure connection to the malicious
@@ -1786,19 +1783,26 @@ impl SslContextBuilder {
     /// Requires OpenSSL 1.1.0 or newer.
     #[corresponds(SSL_CTX_dane_set_flags)]
     #[cfg(ossl110)]
-    pub fn dane_set_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
-        unsafe { ffi::SSL_CTX_dane_set_flags(self.as_ptr(), flags) }
+    pub fn set_no_dane_ee_namechecks(&mut self) {
+        unsafe {
+            ffi::SSL_CTX_dane_set_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+        }
     }
 
-    /// Disable optional DANE verification features.
+    /// Enable server name checks when authenticating via DANE-EE(3) TLSA
+    /// records.
+    ///
+    /// This is the default state of the context.
     ///
-    /// See `dane_set_flags` for more information.
+    /// See `set_no_dane_ee_namechecks` for more information.
     ///
     /// Requires OpenSSL 1.1.0 or newer.
-    #[corresponds(SSL_CTX_dane_clear_flags)]
+    #[corresponds(SSL_CTX_dane_set_flags)]
     #[cfg(ossl110)]
-    pub fn dane_clear_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
-        unsafe { ffi::SSL_CTX_dane_clear_flags(self.as_ptr(), flags) }
+    pub fn set_dane_ee_namechecks(&mut self) {
+        unsafe {
+            ffi::SSL_CTX_dane_clear_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+        }
     }
 
     /// Consumes the builder, returning a new `SslContext`.
@@ -3611,10 +3615,7 @@ impl SslRef {
         unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) }
     }
 
-    /// Enable optional DANE verification features.
-    ///
-    /// Currently, the only supported feature is `DANE_FLAG_NO_DANE_EE_NAMECHECKS`
-    /// which can be used to disable server name checks when authenticating via DANE-EE(3) TLSA
+    /// Disable server name checks when authenticating via DANE-EE(3) TLSA
     /// records. For some applications, primarily web browsers, it is not safe to disable name
     /// checks due to "unknown key share" attacks, in which a malicious server can convince a
     /// client that a connection to a victim server is instead a secure connection to the malicious
@@ -3629,19 +3630,26 @@ impl SslRef {
     /// Requires OpenSSL 1.1.0 or newer.
     #[corresponds(SSL_dane_set_flags)]
     #[cfg(ossl110)]
-    pub fn dane_set_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
-        unsafe { ffi::SSL_dane_set_flags(self.as_ptr(), flags) }
+    pub fn set_no_dane_ee_namechecks(&mut self) {
+        unsafe {
+            ffi::SSL_dane_set_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+        }
     }
 
-    /// Disable optional DANE verification features.
+    /// Enable server name checks when authenticating via DANE-EE(3) TLSA
+    /// records.
+    ///
+    /// This is the default state of the context.
     ///
-    /// See `dane_set_flags` for more information.
+    /// See `set_no_dane_ee_namechecks` for more information.
     ///
     /// Requires OpenSSL 1.1.0 or newer.
-    #[corresponds(SSL_dane_clear_flags)]
+    #[corresponds(SSL_dane_set_flags)]
     #[cfg(ossl110)]
-    pub fn dane_clear_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
-        unsafe { ffi::SSL_dane_clear_flags(self.as_ptr(), flags) }
+    pub fn set_dane_ee_namechecks(&mut self) {
+        unsafe {
+            ffi::SSL_dane_clear_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+        }
     }
 
     /// Adds name as an additional reference identifier that can match the peer's certificate. Any

diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
@@ -710,8 +710,15 @@ fn connector_dane() {
     let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
 
     connector.dane_enable().unwrap();
+    connector.set_no_dane_ee_namechecks();
     let mut config = connector.build().configure().unwrap();
-    config.dane_enable("foobar.com").unwrap();
+
+    // The name in the cert is foobar.com, but we're claiming
+    // to access it via some other name. Since we turned off
+    // dane-ee-namechecks above, we expect this to still validate
+    // overall because the tlsa record matches the digest of the
+    // cert; the name is ignored.
+    config.dane_enable("mx.foobar.com").unwrap();
 
     let cert = X509::from_pem(CERT).unwrap();
     let data = cert.digest(MessageDigest::sha256()).unwrap();
@@ -728,7 +735,7 @@ fn connector_dane() {
     assert!(usable);
 
     let s = server.connect_tcp();
-    let mut s = config.connect("foobar.com", s).unwrap();
+    let mut s = config.connect("mx.foobar.com", s).unwrap();
     s.read_exact(&mut [0]).unwrap();
 
     let authority = s.ssl.dane_authority().unwrap();