start adding configuration to iroh-net

and first failing test

Author: dignifiedquire

iroh-net/src/endpoint.rs

@@ -99,6 +99,7 @@ pub struct Builder {
     insecure_skip_relay_cert_verify: bool,
     addr_v4: Option<SocketAddrV4>,
     addr_v6: Option<SocketAddrV6>,
+    tls_auth: tls::Authentication,
 }
 
 impl Default for Builder {
@@ -117,6 +118,7 @@ impl Default for Builder {
             insecure_skip_relay_cert_verify: false,
             addr_v4: None,
             addr_v6: None,
+            tls_auth: tls::Authentication::X509,
         }
     }
 }
@@ -132,6 +134,7 @@ impl Builder {
         let relay_map = self.relay_mode.relay_map();
         let secret_key = self.secret_key.unwrap_or_else(SecretKey::generate);
         let static_config = StaticConfig {
+            tls_auth: self.tls_auth,
             transport_config: Arc::new(self.transport_config.unwrap_or_default()),
             keylog: self.keylog,
             secret_key: secret_key.clone(),
@@ -305,6 +308,18 @@ impl Builder {
         self
     }
 
+    /// Use libp2p based self signed certificates for TLS.
+    pub fn tls_x509(mut self) -> Self {
+        self.tls_auth = tls::Authentication::X509;
+        self
+    }
+
+    /// Use TLS Raw Public Keys
+    pub fn tls_raw_public_keys(mut self) -> Self {
+        self.tls_auth = tls::Authentication::RawPublicKey;
+        self
+    }
+
     #[cfg(feature = "discovery-pkarr-dht")]
     /// Configures the endpoint to also use the mainline DHT with default settings.
     ///
@@ -419,6 +434,7 @@ impl Builder {
 /// Configuration for a [`quinn::Endpoint`] that cannot be changed at runtime.
 #[derive(Debug)]
 struct StaticConfig {
+    tls_auth: tls::Authentication,
     secret_key: SecretKey,
     transport_config: Arc<quinn::TransportConfig>,
     keylog: bool,
@@ -428,6 +444,7 @@ impl StaticConfig {
     /// Create a [`quinn::ServerConfig`] with the specified ALPN protocols.
     fn create_server_config(&self, alpn_protocols: Vec<Vec<u8>>) -> Result<ServerConfig> {
         let server_config = make_server_config(
+            self.tls_auth,
             &self.secret_key,
             alpn_protocols,
             self.transport_config.clone(),
@@ -442,13 +459,13 @@ impl StaticConfig {
 // used by iroh::node::Node (or rather iroh::node::Builder) to create a plain Quinn
 // endpoint.
 pub fn make_server_config(
+    tls_auth: tls::Authentication,
     secret_key: &SecretKey,
     alpn_protocols: Vec<Vec<u8>>,
     transport_config: Arc<TransportConfig>,
     keylog: bool,
 ) -> Result<ServerConfig> {
-    let quic_server_config =
-        tls::Authentication::X509.make_server_config(secret_key, alpn_protocols, keylog)?;
+    let quic_server_config = tls_auth.make_server_config(secret_key, alpn_protocols, keylog)?;
     let mut server_config = ServerConfig::with_crypto(Arc::new(quic_server_config));
     server_config.transport_config(transport_config);
 

iroh-net/src/magicsock.rs

@@ -3207,15 +3207,26 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn test_two_devices_roundtrip_quinn_raw() -> Result<()> {
+    async fn test_two_devices_roundtrip_quinn_raw_x509() -> Result<()> {
+        test_two_devices_roundtrip_quinn_raw(tls::Authentication::X509).await
+    }
+
+    #[tokio::test]
+    async fn test_two_devices_roundtrip_quinn_raw_public_key() -> Result<()> {
+        test_two_devices_roundtrip_quinn_raw(tls::Authentication::RawPublicKey).await
+    }
+
+    async fn test_two_devices_roundtrip_quinn_raw(tls_auth: tls::Authentication) -> Result<()> {
         let _guard = iroh_test::logging::setup();
 
-        let make_conn = |addr: SocketAddr| -> anyhow::Result<quinn::Endpoint> {
+        let make_conn = |addr: SocketAddr,
+                         tls_auth: tls::Authentication|
+         -> anyhow::Result<quinn::Endpoint> {
             let key = SecretKey::generate();
             let conn = std::net::UdpSocket::bind(addr)?;
 
             let quic_server_config =
-                tls::Authentication::X509.make_server_config(&key, vec![ALPN.to_vec()], false)?;
+                tls_auth.make_server_config(&key, vec![ALPN.to_vec()], false)?;
             let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_server_config));
             let mut transport_config = quinn::TransportConfig::default();
             transport_config.keep_alive_interval(Some(Duration::from_secs(5)));
@@ -3228,12 +3239,8 @@ mod tests {
                 Arc::new(quinn::TokioRuntime),
             )?;
 
-            let quic_client_config = tls::Authentication::X509.make_client_config(
-                &key,
-                None,
-                vec![ALPN.to_vec()],
-                false,
-            )?;
+            let quic_client_config =
+                tls_auth.make_client_config(&key, None, vec![ALPN.to_vec()], false)?;
             let mut client_config = quinn::ClientConfig::new(Arc::new(quic_client_config));
             let mut transport_config = quinn::TransportConfig::default();
             transport_config.max_idle_timeout(Some(Duration::from_secs(10).try_into().unwrap()));
@@ -3243,8 +3250,8 @@ mod tests {
             Ok(quic_ep)
         };
 
-        let m1 = make_conn("127.0.0.1:0".parse().unwrap())?;
-        let m2 = make_conn("127.0.0.1:0".parse().unwrap())?;
+        let m1 = make_conn("127.0.0.1:0".parse().unwrap(), tls_auth)?;
+        let m2 = make_conn("127.0.0.1:0".parse().unwrap(), tls_auth)?;
 
         // msg from  a -> b
         macro_rules! roundtrip {
@@ -3362,14 +3369,18 @@ mod tests {
 
     #[tokio::test]
     async fn test_two_devices_roundtrip_quinn_rebinding_conn() -> Result<()> {
+        let tls_auth = tls::Authentication::X509;
         let _guard = iroh_test::logging::setup();
 
-        fn make_conn(addr: SocketAddr) -> anyhow::Result<quinn::Endpoint> {
+        fn make_conn(
+            addr: SocketAddr,
+            tls_auth: tls::Authentication,
+        ) -> anyhow::Result<quinn::Endpoint> {
             let key = SecretKey::generate();
             let conn = UdpConn::bind(addr)?;
 
             let quic_server_config =
-                tls::Authentication::X509.make_server_config(&key, vec![ALPN.to_vec()], false)?;
+                tls_auth.make_server_config(&key, vec![ALPN.to_vec()], false)?;
             let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_server_config));
             let mut transport_config = quinn::TransportConfig::default();
             transport_config.keep_alive_interval(Some(Duration::from_secs(5)));
@@ -3382,12 +3393,8 @@ mod tests {
                 Arc::new(quinn::TokioRuntime),
             )?;
 
-            let quic_client_config = tls::Authentication::X509.make_client_config(
-                &key,
-                None,
-                vec![ALPN.to_vec()],
-                false,
-            )?;
+            let quic_client_config =
+                tls_auth.make_client_config(&key, None, vec![ALPN.to_vec()], false)?;
             let mut client_config = quinn::ClientConfig::new(Arc::new(quic_client_config));
             let mut transport_config = quinn::TransportConfig::default();
             transport_config.max_idle_timeout(Some(Duration::from_secs(10).try_into().unwrap()));
@@ -3397,8 +3404,8 @@ mod tests {
             Ok(quic_ep)
         }
 
-        let m1 = make_conn("127.0.0.1:7770".parse().unwrap())?;
-        let m2 = make_conn("127.0.0.1:7771".parse().unwrap())?;
+        let m1 = make_conn("127.0.0.1:7770".parse().unwrap(), tls_auth)?;
+        let m2 = make_conn("127.0.0.1:7771".parse().unwrap(), tls_auth)?;
 
         // msg from  a -> b
         macro_rules! roundtrip {
@@ -3611,7 +3618,10 @@ mod tests {
     ///
     /// Use [`magicsock_connect`] to establish connections.
     #[instrument(name = "ep", skip_all, fields(me = secret_key.public().fmt_short()))]
-    async fn magicsock_ep(secret_key: SecretKey) -> anyhow::Result<(quinn::Endpoint, Handle)> {
+    async fn magicsock_ep(
+        secret_key: SecretKey,
+        tls_auth: tls::Authentication,
+    ) -> anyhow::Result<(quinn::Endpoint, Handle)> {
         let opts = Options {
             addr_v4: None,
             addr_v6: None,
@@ -3625,6 +3635,7 @@ mod tests {
         };
         let msock = MagicSock::spawn(opts).await?;
         let server_config = crate::endpoint::make_server_config(
+            tls_auth,
             &secret_key,
             vec![ALPN.to_vec()],
             Arc::new(quinn::TransportConfig::default()),
@@ -3650,17 +3661,19 @@ mod tests {
         ep_secret_key: SecretKey,
         addr: QuicMappedAddr,
         node_id: NodeId,
+        tls_auth: tls::Authentication,
     ) -> Result<quinn::Connection> {
         // Endpoint::connect sets this, do the same to have similar behaviour.
         let mut transport_config = quinn::TransportConfig::default();
         transport_config.keep_alive_interval(Some(Duration::from_secs(1)));
 
-        magicsock_connet_with_transport_config(
+        magicsock_connect_with_transport_config(
             ep,
             ep_secret_key,
             addr,
             node_id,
             Arc::new(transport_config),
+            tls_auth,
         )
         .await
     }
@@ -3671,20 +3684,17 @@ mod tests {
     ///
     /// Uses [`ALPN`], `node_id`, must match `addr`.
     #[instrument(name = "connect", skip_all, fields(me = ep_secret_key.public().fmt_short()))]
-    async fn magicsock_connet_with_transport_config(
+    async fn magicsock_connect_with_transport_config(
         ep: &quinn::Endpoint,
         ep_secret_key: SecretKey,
         addr: QuicMappedAddr,
         node_id: NodeId,
         transport_config: Arc<quinn::TransportConfig>,
+        tls_auth: tls::Authentication,
     ) -> Result<quinn::Connection> {
         let alpns = vec![ALPN.to_vec()];
-        let quic_client_config = tls::Authentication::X509.make_client_config(
-            &ep_secret_key,
-            Some(node_id),
-            alpns,
-            true,
-        )?;
+        let quic_client_config =
+            tls_auth.make_client_config(&ep_secret_key, Some(node_id), alpns, true)?;
         let mut client_config = quinn::ClientConfig::new(Arc::new(quic_client_config));
         client_config.transport_config(transport_config);
         let connect = ep.connect_with(client_config, addr.0, "localhost")?;
@@ -3697,14 +3707,15 @@ mod tests {
         // Regression test: if there is no send_addr we should keep being able to use the
         // Endpoint.
         let _guard = iroh_test::logging::setup();
+        let tls_auth = tls::Authentication::X509;
 
         let secret_key_1 = SecretKey::from_bytes(&[1u8; 32]);
         let secret_key_2 = SecretKey::from_bytes(&[2u8; 32]);
         let node_id_2 = secret_key_2.public();
         let secret_key_missing_node = SecretKey::from_bytes(&[255u8; 32]);
         let node_id_missing_node = secret_key_missing_node.public();
 
-        let (ep_1, msock_1) = magicsock_ep(secret_key_1.clone()).await.unwrap();
+        let (ep_1, msock_1) = magicsock_ep(secret_key_1.clone(), tls_auth).await.unwrap();
 
         // Generate an address not present in the NodeMap.
         let bad_addr = QuicMappedAddr::generate();
@@ -3715,13 +3726,19 @@ mod tests {
         // this speeds up the test.
         let res = tokio::time::timeout(
             Duration::from_millis(500),
-            magicsock_connect(&ep_1, secret_key_1.clone(), bad_addr, node_id_missing_node),
+            magicsock_connect(
+                &ep_1,
+                secret_key_1.clone(),
+                bad_addr,
+                node_id_missing_node,
+                tls_auth,
+            ),
         )
         .await;
         assert!(res.is_err(), "expecting timeout");
 
         // Now check we can still create another connection with this endpoint.
-        let (ep_2, msock_2) = magicsock_ep(secret_key_2.clone()).await.unwrap();
+        let (ep_2, msock_2) = magicsock_ep(secret_key_2.clone(), tls_auth).await.unwrap();
 
         // This needs an accept task
         let accept_task = tokio::spawn({
@@ -3769,7 +3786,7 @@ mod tests {
         let addr = msock_1.get_mapping_addr(node_id_2).unwrap();
         let res = tokio::time::timeout(
             Duration::from_secs(10),
-            magicsock_connect(&ep_1, secret_key_1.clone(), addr, node_id_2),
+            magicsock_connect(&ep_1, secret_key_1.clone(), addr, node_id_2, tls_auth),
         )
         .await
         .expect("timeout while connecting");
@@ -3786,13 +3803,14 @@ mod tests {
         // This specifically tests the `if udp_addr.is_none() && relay_url.is_none()`
         // behaviour of MagicSock::try_send.
         let _logging_guard = iroh_test::logging::setup();
+        let tls_auth = tls::Authentication::X509;
 
         let secret_key_1 = SecretKey::from_bytes(&[1u8; 32]);
         let secret_key_2 = SecretKey::from_bytes(&[2u8; 32]);
         let node_id_2 = secret_key_2.public();
 
-        let (ep_1, msock_1) = magicsock_ep(secret_key_1.clone()).await.unwrap();
-        let (ep_2, msock_2) = magicsock_ep(secret_key_2.clone()).await.unwrap();
+        let (ep_1, msock_1) = magicsock_ep(secret_key_1.clone(), tls_auth).await.unwrap();
+        let (ep_2, msock_2) = magicsock_ep(secret_key_2.clone(), tls_auth).await.unwrap();
 
         // We need a task to accept the connection.
         let accept_task = tokio::spawn({
@@ -3838,12 +3856,13 @@ mod tests {
         // little slower though.
         let mut transport_config = quinn::TransportConfig::default();
         transport_config.max_idle_timeout(Some(Duration::from_millis(200).try_into().unwrap()));
-        let res = magicsock_connet_with_transport_config(
+        let res = magicsock_connect_with_transport_config(
             &ep_1,
             secret_key_1.clone(),
             addr_2,
             node_id_2,
             Arc::new(transport_config),
+            tls_auth,
         )
         .await;
         assert!(res.is_err(), "expected timeout");
@@ -3873,7 +3892,7 @@ mod tests {
         // We can now connect
         tokio::time::timeout(Duration::from_secs(10), async move {
             info!("establishing new connection");
-            let conn = magicsock_connect(&ep_1, secret_key_1.clone(), addr_2, node_id_2)
+            let conn = magicsock_connect(&ep_1, secret_key_1.clone(), addr_2, node_id_2, tls_auth)
                 .await
                 .unwrap();
             info!("have connection");

iroh/src/client/quic.rs

@@ -31,16 +31,19 @@ impl Iroh {
 
     /// Connects to an iroh node at the given RPC address.
     pub async fn connect_addr(addr: SocketAddr) -> anyhow::Result<Self> {
-        let client = connect_raw(addr).await?;
+        let client = connect_raw(addr, iroh_net::tls::Authentication::X509).await?;
         Ok(Iroh::new(client))
     }
 }
 
 /// Create a raw RPC client to an iroh node running on the same computer, but in a different
 /// process.
-pub(crate) async fn connect_raw(addr: SocketAddr) -> anyhow::Result<RpcClient> {
+pub(crate) async fn connect_raw(
+    addr: SocketAddr,
+    tls_auth: iroh_net::tls::Authentication,
+) -> anyhow::Result<RpcClient> {
     let bind_addr = SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, 0).into();
-    let endpoint = create_quinn_client(bind_addr, vec![RPC_ALPN.to_vec()], false)?;
+    let endpoint = create_quinn_client(tls_auth, bind_addr, vec![RPC_ALPN.to_vec()], false)?;
 
     let server_name = "localhost".to_string();
     let connection = QuinnConnector::new(endpoint, addr, server_name);
@@ -54,17 +57,14 @@ pub(crate) async fn connect_raw(addr: SocketAddr) -> anyhow::Result<RpcClient> {
 }
 
 fn create_quinn_client(
+    tls_auth: iroh_net::tls::Authentication,
     bind_addr: SocketAddr,
     alpn_protocols: Vec<Vec<u8>>,
     keylog: bool,
 ) -> anyhow::Result<quinn::Endpoint> {
     let secret_key = iroh_net::key::SecretKey::generate();
-    let tls_client_config = iroh_net::tls::Authentication::X509.make_client_config(
-        &secret_key,
-        None,
-        alpn_protocols,
-        keylog,
-    )?;
+    let tls_client_config =
+        tls_auth.make_client_config(&secret_key, None, alpn_protocols, keylog)?;
     let mut client_config = quinn::ClientConfig::new(Arc::new(tls_client_config));
     let mut endpoint = quinn::Endpoint::client(bind_addr)?;
     let mut transport_config = quinn::TransportConfig::default();