diff --git a/bin/Cargo.toml b/bin/Cargo.toml index a9f72eb9..245b6a0d 100644 --- a/bin/Cargo.toml +++ b/bin/Cargo.toml @@ -90,9 +90,6 @@ dns-over-tls = [] tls-openssl = ["dns-over-openssl"] tls = ["dns-over-openssl"] -# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100 -# mtls = ["hickory-client/mtls"] - webpki-roots = ["hickory-client/webpki-roots", "hickory-server/webpki-roots"] native-certs = ["hickory-client/native-certs", "hickory-server/native-certs"] diff --git a/crates/proto/Cargo.toml b/crates/proto/Cargo.toml index 3fbe8063..888b68b7 100644 --- a/crates/proto/Cargo.toml +++ b/crates/proto/Cargo.toml @@ -73,9 +73,6 @@ serde-config = ["serde", "url/serde"] # enables experimental the mDNS (multicast) feature mdns = ["socket2/all"] -# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100 -# mtls = ["tls"] - wasm-bindgen = ["wasm-bindgen-crate", "js-sys"] backtrace = ["dep:backtrace"] diff --git a/crates/proto/src/native_tls/tests.rs b/crates/proto/src/native_tls/tests.rs index 29d3f0c7..922d8b91 100644 --- a/crates/proto/src/native_tls/tests.rs +++ b/crates/proto/src/native_tls/tests.rs @@ -42,15 +42,7 @@ use crate::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle}; #[test] #[cfg_attr(target_os = "macos", ignore)] // TODO: add back once https://github.com/sfackler/rust-native-tls/issues/143 is fixed fn test_tls_client_stream_ipv4() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false) -} - -// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS -#[cfg(feature = "mtls")] -#[test] -#[cfg(not(target_os = "macos"))] -fn test_tls_client_stream_ipv4_mtls() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true) + tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))) } #[test] 
@@ -74,7 +66,7 @@ fn read_file(path: &str) -> Vec { } #[allow(unused, unused_mut)] -fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { +fn tls_client_stream_test(server_addr: IpAddr) { let succeeded = Arc::new(atomic::AtomicBool::new(false)); let succeeded_clone = succeeded.clone(); thread::Builder::new() @@ -117,28 +109,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { .spawn(move || { let mut tls = TlsAcceptor::builder(identity); - // #[cfg(target_os = "linux")] - // { - // let mut openssl_builder = tls.builder_mut(); - // let mut openssl_ctx_builder = openssl_builder.builder_mut(); - - // let mut mode = openssl::ssl::SslVerifyMode::empty(); - - // // TODO: mtls tests hang on Linux... - // if mtls { - // // mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - - // // let mut store = X509StoreBuilder::new().unwrap(); - // // let root_ca = X509::from_der(&root_cert_der_copy).unwrap(); - // // store.add_cert(root_ca).unwrap(); - // // openssl_ctx_builder.set_verify_cert_store(store.build()).unwrap(); - // } else { - // mode.insert(SSL_VERIFY_NONE); - // } - - // openssl_ctx_builder.set_verify(mode); - // } - // TODO: add CA on macOS let tls = tls.build().expect("tls build failed"); @@ -199,11 +169,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { let mut builder = TlsStreamBuilder::>::new(); builder.add_ca(trust_chain); - // fix MTLS - // if mtls { - // config_mtls(&root_pkey, &root_name, &root_cert, &mut builder); - // } - let (stream, mut sender) = builder.build(server_addr, dns_name.to_string()); // TODO: there is a race failure here... a race with the server thread most likely... 
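Review bot: `#[allow(unused, unused_mut)]` is kept on `tls_client_stream_test` while the `mtls` parameter is dropped, and the blanket `unused` now silences exactly the warnings that would show which bindings only served the removed client-auth path (presumably the CA key, name and certificate the commented-out `config_mtls` took), so any dead setup in the body, which continues outside the hunk, stays invisible. The sibling tests in crates/proto/src/rustls/tests.rs and crates/proto/tests/openssl_tests.rs carry only `#[allow(unused_mut)]`; narrowing this one to `#[allow(unused_mut)]` would let the compiler list what the removal left behind. If some leftovers are intentional, a one-line comment naming them is preferable to the blanket allow.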
@@ -226,20 +191,3 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { succeeded.store(true, std::sync::atomic::Ordering::Relaxed); server_handle.join().expect("server thread failed"); } - -// TODO: fix MTLS -// #[allow(unused_variables)] -// fn config_mtls(root_pkey: &PKey, -// root_name: &X509Name, -// root_cert: &X509, -// builder: &mut TlsStreamBuilder) { -// // signed by the same root cert -// let client_name = "resolv.example.com"; -// let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) = -// cert(client_name, root_pkey, root_name, root_cert); -// let client_identity = -// native_tls::Pkcs12::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap(); - -// #[cfg(feature = "mtls")] -// builder.identity(client_identity); -// } diff --git a/crates/proto/src/native_tls/tls_client_stream.rs b/crates/proto/src/native_tls/tls_client_stream.rs index ab18bb0d..fd07d42b 100644 --- a/crates/proto/src/native_tls/tls_client_stream.rs +++ b/crates/proto/src/native_tls/tls_client_stream.rs @@ -13,8 +13,6 @@ use std::pin::Pin; use futures_util::TryFutureExt; use native_tls::Certificate; -#[cfg(feature = "mtls")] -use native_tls::Pkcs12; use tokio_native_tls::TlsStream as TokioTlsStream; use crate::error::ProtoError; @@ -46,12 +44,6 @@ impl TlsClientStreamBuilder { self.0.add_ca(ca); } - /// Client side identity for client auth in TLS (aka mutual TLS auth) - #[cfg(feature = "mtls")] - pub fn identity(&mut self, pkcs12: Pkcs12) { - self.0.identity(pkcs12); - } - /// Sets the address to connect from. pub fn bind_addr(&mut self, bind_addr: SocketAddr) { self.0.bind_addr(bind_addr); diff --git a/crates/proto/src/native_tls/tls_stream.rs b/crates/proto/src/native_tls/tls_stream.rs index 9d5d6651..00be4aa4 100644 --- a/crates/proto/src/native_tls/tls_stream.rs +++ b/crates/proto/src/native_tls/tls_stream.rs 
@@ -86,12 +86,6 @@ impl TlsStreamBuilder { self.ca_chain.push(ca); } - /// Client side identity for client auth in TLS (aka mutual TLS auth) - #[cfg(feature = "mtls")] - pub fn identity(&mut self, identity: Identity) { - self.identity = Some(identity); - } - /// Sets the address to connect from. pub fn bind_addr(&mut self, bind_addr: SocketAddr) { self.bind_addr = Some(bind_addr); diff --git a/crates/proto/src/openssl/tls_client_stream.rs b/crates/proto/src/openssl/tls_client_stream.rs index 0ac994cb..0e9fe866 100644 --- a/crates/proto/src/openssl/tls_client_stream.rs +++ b/crates/proto/src/openssl/tls_client_stream.rs @@ -11,8 +11,6 @@ use std::net::SocketAddr; use std::pin::Pin; use futures_util::TryFutureExt; -#[cfg(feature = "mtls")] -use openssl::pkcs12::Pkcs12; use openssl::x509::X509; use tokio_openssl::SslStream as TokioTlsStream; @@ -54,12 +52,6 @@ impl TlsClientStreamBuilder { Ok(()) } - /// Client side identity for client auth in TLS (aka mutual TLS auth) - #[cfg(feature = "mtls")] - pub fn identity(&mut self, pkcs12: Pkcs12) { - self.0.identity(pkcs12); - } - /// Sets the address to connect from. pub fn bind_addr(&mut self, bind_addr: SocketAddr) { self.0.bind_addr(bind_addr); diff --git a/crates/proto/src/openssl/tls_stream.rs b/crates/proto/src/openssl/tls_stream.rs index 86df2320..abb858c9 100644 --- a/crates/proto/src/openssl/tls_stream.rs +++ b/crates/proto/src/openssl/tls_stream.rs @@ -170,12 +170,6 @@ impl TlsStreamBuilder { self.ca_chain.push(ca); } - /// Client side identity for client auth in TLS (aka mutual TLS auth) - #[cfg(feature = "mtls")] - pub fn identity(&mut self, pkcs12: ParsedPkcs12) { - self.identity = Some(pkcs12); - } - /// Sets the address to connect from. pub fn bind_addr(&mut self, bind_addr: SocketAddr) { self.bind_addr = Some(bind_addr); diff --git a/crates/proto/src/rustls/tests.rs b/crates/proto/src/rustls/tests.rs index b7785cf8..5e409534 100644 --- a/crates/proto/src/rustls/tests.rs +++ b/crates/proto/src/rustls/tests.rs 
@@ -18,7 +18,6 @@ use std::{thread, time}; use openssl::pkey::PKey; use openssl::ssl::*; -use openssl::x509::store::X509StoreBuilder; use openssl::x509::*; use futures_util::stream::StreamExt; @@ -36,20 +35,12 @@ use crate::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle}; // #[cfg(not(target_os = "linux"))] #[test] fn test_tls_client_stream_ipv4() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false) -} - -// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS -#[cfg(feature = "mtls")] -#[test] -#[cfg(not(target_os = "macos"))] // ignored until Travis-CI fixes IPv6 -fn test_tls_client_stream_ipv4_mtls() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true) + tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))) } #[test] fn test_tls_client_stream_ipv6() { - tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)), false) + tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1))) } const TEST_BYTES: &[u8; 8] = b"DEADBEEF"; @@ -65,7 +56,7 @@ fn read_file(path: &str) -> Vec { } #[allow(unused_mut)] -fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { +fn tls_client_stream_test(server_addr: IpAddr) { let succeeded = Arc::new(atomic::AtomicBool::new(false)); let succeeded_clone = succeeded.clone(); thread::Builder::new() @@ -88,7 +79,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { println!("using server src path: {server_path}"); let root_cert_der = read_file(&format!("{server_path}/tests/test-data/ca.der")); - let root_cert_der_copy = root_cert_der.clone(); // Generate X509 certificate let ca = X509::from_der(&root_cert_der).expect("could not read CA"); 
@@ -124,23 +114,8 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { { let mut openssl_ctx_builder = &mut tls; - let mut mode = SslVerifyMode::empty(); - - // FIXME: mtls tests hang on Linux... - if mtls { - mode = SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT; - - let mut store = X509StoreBuilder::new().unwrap(); - let root_ca = X509::from_der(&root_cert_der_copy).unwrap(); - store.add_cert(root_ca).unwrap(); - openssl_ctx_builder - .set_verify_cert_store(store.build()) - .unwrap(); - } else { - mode.insert(SslVerifyMode::NONE); - } - + mode.insert(SslVerifyMode::NONE); openssl_ctx_builder.set_verify(mode); } @@ -206,12 +181,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { .with_root_certificates(roots) .with_no_client_auth(); - // barrier.wait(); - // fix MTLS - // if mtls { - // config_mtls(&root_pkey, &root_name, &root_cert, &mut builder); - // } - let (stream, mut sender) = tls_connect::>( server_addr, dns_name.to_string(), @@ -237,20 +206,3 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { succeeded.store(true, std::sync::atomic::Ordering::Relaxed); server_handle.join().expect("server thread failed"); } - -// TODO: fix MTLS -// #[allow(unused_variables)] -// fn config_mtls(root_pkey: &PKey, -// root_name: &X509Name, -// root_cert: &X509, -// builder: &mut TlsStreamBuilder) { -// // signed by the same root cert -// let client_name = "resolv.example.com"; -// let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) = -// cert(client_name, root_pkey, root_name, root_cert); -// let client_identity = -// native_tls::server_cert::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap(); - -// #[cfg(feature = "mtls")] -// builder.identity(client_identity); -// } diff --git a/crates/proto/tests/openssl_tests.rs b/crates/proto/tests/openssl_tests.rs index eabc3de1..6640d60d 100644 --- a/crates/proto/tests/openssl_tests.rs +++ b/crates/proto/tests/openssl_tests.rs 
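Review bot: The added `mode.insert(SslVerifyMode::NONE);` uses a binding this hunk appears to remove: `let mut mode = SslVerifyMode::empty();` carries a `-` marker, and the hunk's 23/8 line counts only add up if it is a removed line, so unless that marker is a collapse artifact the test no longer compiles. Either way the two-step construction adds nothing — `SSL_VERIFY_NONE` is zero in OpenSSL, so inserting it into an empty set is a no-op — and the server setup reads more clearly as `openssl_ctx_builder.set_verify(SslVerifyMode::NONE);` with the `mode` binding dropped. The identical hunk in crates/proto/tests/openssl_tests.rs (`@@ -126,23 +113,8 @@`) has the same problem. `tls_client_stream_test` starts and ends outside the hunk.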
@@ -17,7 +17,6 @@ use std::{thread, time}; use futures_util::stream::StreamExt; use openssl::pkey::*; use openssl::ssl::*; -use openssl::x509::store::X509StoreBuilder; use openssl::x509::*; use tokio::net::TcpStream as TokioTcpStream; use tokio::runtime::Runtime; @@ -30,7 +29,6 @@ use openssl::pkcs12::*; use openssl::rsa::*; use openssl::x509::extension::*; -use hickory_proto::tcp::Connect; use hickory_proto::xfer::SerialMessage; use hickory_proto::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle}; @@ -42,27 +40,19 @@ use hickory_proto::openssl::TlsStreamBuilder; // #[cfg(not(target_os = "linux"))] #[test] fn test_tls_client_stream_ipv4() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false) -} - -// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS -#[cfg(feature = "mtls")] -#[test] -#[cfg(not(target_os = "macos"))] // ignored until Travis-CI fixes IPv6 -fn test_tls_client_stream_ipv4_mtls() { - tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true) + tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))) } #[test] fn test_tls_client_stream_ipv6() { - tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)), false) + tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1))) } const TEST_BYTES: &[u8; 8] = b"DEADBEEF"; const TEST_BYTES_LEN: usize = 8; #[allow(unused_mut)] -fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { +fn tls_client_stream_test(server_addr: IpAddr) { let succeeded = Arc::new(atomic::AtomicBool::new(false)); let succeeded_clone = succeeded.clone(); thread::Builder::new() @@ -97,9 +87,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { let send_recv_times = 4; - // an in and out server - let root_cert_der_copy = root_cert_der.clone(); - let server_handle = thread::Builder::new() .name("test_tls_client_stream:server".to_string()) .spawn(move || { 
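Review bot: `use openssl::pkcs12::*;` survives as context in the `@@ -30,7 +29,6 @@` hunk while the only visible consumer of `Pkcs12` in this file is `config_mtls`, which the commit deletes further down; if nothing else in the file uses the glob, that becomes an unused-import warning, and `#[allow(unused_mut)]` on `tls_client_stream_test` does not cover it. The same check applies to whatever fed the removed `config_mtls(&root_pkey, &root_name, &root_cert, &mut builder)` call — if server certificate generation is their only other use they remain live, but the function body runs outside the hunk, so a build with warnings denied would settle it.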
@@ -126,23 +113,8 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { { let mut openssl_ctx_builder = &mut tls; - let mut mode = SslVerifyMode::empty(); - - // FIXME: mtls tests hang on Linux... - if mtls { - mode = SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT; - - let mut store = X509StoreBuilder::new().unwrap(); - let root_ca = X509::from_der(&root_cert_der_copy).unwrap(); - store.add_cert(root_ca).unwrap(); - openssl_ctx_builder - .set_verify_cert_store(store.build()) - .unwrap(); - } else { - mode.insert(SslVerifyMode::NONE); - } - + mode.insert(SslVerifyMode::NONE); openssl_ctx_builder.set_verify(mode); } @@ -206,10 +178,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { let mut builder = TlsStreamBuilder::>::new(); builder.add_ca(trust_chain); - if mtls { - config_mtls(&root_pkey, &root_name, &root_cert, &mut builder); - } - let (stream, mut sender) = builder.build(server_addr, subject_name.to_string()); // TODO: there is a race failure here... a race with the server thread most likely... @@ -232,30 +200,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) { server_handle.join().expect("server thread failed"); } -#[allow(unused_variables)] -fn config_mtls( - root_pkey: &PKey, - root_name: &X509Name, - root_cert: &X509, - builder: &mut TlsStreamBuilder, -) { - #[cfg(feature = "mtls")] - { - // signed by the same root cert - let client_name = "resolv.example.com"; - let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) = - cert(client_name, root_pkey, root_name, root_cert); - - let client_identity = Pkcs12::from_der(&client_identity) - .and_then(|p| p.parse("mypass")) - .expect("Pkcs12::from_der"); - let client_identity = - Pkcs12::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap(); - - builder.identity(client_identity); - } -} - /// Generates a root certificate fn root_ca() -> (PKey, X509Name, X509) { let subject_name = "root.example.com"; 
diff --git a/crates/server/Cargo.toml b/crates/server/Cargo.toml index 79c701ff..cc87aa83 100644 --- a/crates/server/Cargo.toml +++ b/crates/server/Cargo.toml @@ -103,9 +103,6 @@ tls = ["dns-over-openssl"] webpki-roots = ["hickory-resolver/webpki-roots"] native-certs = ["hickory-resolver/native-certs"] -# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100 -# mtls = ["hickory-client/mtls"] - testing = [] [lib]