Skip to content

Commit

Permalink
make dane flags more strongly typed, by hiding them(!)
Browse files Browse the repository at this point in the history
At this time there is only a single flag, and it doesn't seem
likely that more are going to be added any time soon, so expose
the corresponding functionality via a method instead.
  • Loading branch information
wez committed Oct 15, 2023
1 parent 15f0619 commit 2f1a918
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 24 deletions.
52 changes: 30 additions & 22 deletions openssl/src/ssl/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1768,10 +1768,7 @@ impl SslContextBuilder {
}
}

/// Enable optional DANE verification features.
///
/// Currently, the only supported feature is `DANE_FLAG_NO_DANE_EE_NAMECHECKS`
/// which can be used to disable server name checks when authenticating via DANE-EE(3) TLSA
/// Disable server name checks when authenticating via DANE-EE(3) TLSA
/// records. For some applications, primarily web browsers, it is not safe to disable name
/// checks due to "unknown key share" attacks, in which a malicious server can convince a
/// client that a connection to a victim server is instead a secure connection to the malicious
Expand All @@ -1786,19 +1783,26 @@ impl SslContextBuilder {
/// Requires OpenSSL 1.1.0 or newer.
#[corresponds(SSL_CTX_dane_set_flags)]
#[cfg(ossl110)]
pub fn dane_set_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
unsafe { ffi::SSL_CTX_dane_set_flags(self.as_ptr(), flags) }
pub fn set_no_dane_ee_namechecks(&mut self) {
unsafe {
ffi::SSL_CTX_dane_set_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
}
}

/// Disable optional DANE verification features.
/// Enable server name checks when authenticating via DANE-EE(3) TLSA
/// records.
///
/// This is the default state of the context.
///
/// See `dane_set_flags` for more information.
/// See `set_no_dane_ee_namechecks` for more information.
///
/// Requires OpenSSL 1.1.0 or newer.
#[corresponds(SSL_CTX_dane_clear_flags)]
#[corresponds(SSL_CTX_dane_set_flags)]
#[cfg(ossl110)]
pub fn dane_clear_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
unsafe { ffi::SSL_CTX_dane_clear_flags(self.as_ptr(), flags) }
pub fn set_dane_ee_namechecks(&mut self) {
unsafe {
ffi::SSL_CTX_dane_clear_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
}
}

/// Consumes the builder, returning a new `SslContext`.
Expand Down Expand Up @@ -3611,10 +3615,7 @@ impl SslRef {
unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) }
}

/// Enable optional DANE verification features.
///
/// Currently, the only supported feature is `DANE_FLAG_NO_DANE_EE_NAMECHECKS`
/// which can be used to disable server name checks when authenticating via DANE-EE(3) TLSA
/// Disable server name checks when authenticating via DANE-EE(3) TLSA
/// records. For some applications, primarily web browsers, it is not safe to disable name
/// checks due to "unknown key share" attacks, in which a malicious server can convince a
/// client that a connection to a victim server is instead a secure connection to the malicious
Expand All @@ -3629,19 +3630,26 @@ impl SslRef {
/// Requires OpenSSL 1.1.0 or newer.
#[corresponds(SSL_dane_set_flags)]
#[cfg(ossl110)]
pub fn dane_set_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
unsafe { ffi::SSL_dane_set_flags(self.as_ptr(), flags) }
pub fn set_no_dane_ee_namechecks(&mut self) {
unsafe {
ffi::SSL_dane_set_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
}
}

/// Disable optional DANE verification features.
/// Enable server name checks when authenticating via DANE-EE(3) TLSA
/// records.
///
/// This is the default state of the context.
///
/// See `dane_set_flags` for more information.
/// See `set_no_dane_ee_namechecks` for more information.
///
/// Requires OpenSSL 1.1.0 or newer.
#[corresponds(SSL_dane_clear_flags)]
#[corresponds(SSL_dane_set_flags)]
#[cfg(ossl110)]
pub fn dane_clear_flags(&mut self, flags: libc::c_ulong) -> libc::c_ulong {
unsafe { ffi::SSL_dane_clear_flags(self.as_ptr(), flags) }
pub fn set_dane_ee_namechecks(&mut self) {
unsafe {
ffi::SSL_dane_clear_flags(self.as_ptr(), ffi::DANE_FLAG_NO_DANE_EE_NAMECHECKS);
}
}

/// Adds name as an additional reference identifier that can match the peer's certificate. Any
Expand Down
11 changes: 9 additions & 2 deletions openssl/src/ssl/test/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -710,8 +710,15 @@ fn connector_dane() {
let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();

connector.dane_enable().unwrap();
connector.set_no_dane_ee_namechecks();
let mut config = connector.build().configure().unwrap();
config.dane_enable("foobar.com").unwrap();

// The name in the cert is foobar.com, but we're claiming
// to access it via some other name. Since we turned off
// dane-ee-namechecks above, we expect this to still validate
// overall because the tlsa record matches the digest of the
// cert; the name is ignored.
config.dane_enable("mx.foobar.com").unwrap();

let cert = X509::from_pem(CERT).unwrap();
let data = cert.digest(MessageDigest::sha256()).unwrap();
Expand All @@ -728,7 +735,7 @@ fn connector_dane() {
assert!(usable);

let s = server.connect_tcp();
let mut s = config.connect("foobar.com", s).unwrap();
let mut s = config.connect("mx.foobar.com", s).unwrap();
s.read_exact(&mut [0]).unwrap();

let authority = s.ssl.dane_authority().unwrap();
Expand Down

0 comments on commit 2f1a918

Please sign in to comment.