From: Otto Moerbeek Date: Wed, 11 Feb 2026 10:24:57 +0000 (+0100) Subject: Make pkcs12 feature dependent on rust version X-Git-Tag: rec-5.5.0-alpha0~6^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f752f31327edb98740bee78d91217e8d54da03b;p=thirdparty%2Fpdns.git Make pkcs12 feature dependent on rust version Also add test infra to test for rec features Signed-off-by: Otto Moerbeek --- diff --git a/pdns/recursordist/rec-rust-lib/rust/Cargo.lock b/pdns/recursordist/rec-rust-lib/rust/Cargo.lock index bf42a4c936..b4c889a562 100644 --- a/pdns/recursordist/rec-rust-lib/rust/Cargo.lock +++ b/pdns/recursordist/rec-rust-lib/rust/Cargo.lock @@ -907,7 +907,6 @@ dependencies = [ "rustls-pki-types", "serde", "serde_yaml", - "time", "tokio", "tokio-rustls", ] diff --git a/pdns/recursordist/rec-rust-lib/rust/Cargo.toml b/pdns/recursordist/rec-rust-lib/rust/Cargo.toml index 74c78c4bbf..e540fc10a5 100644 --- a/pdns/recursordist/rec-rust-lib/rust/Cargo.toml +++ b/pdns/recursordist/rec-rust-lib/rust/Cargo.toml @@ -14,6 +14,10 @@ version = "5.4.0" name = "recrust" crate-type = ["staticlib"] +[features] +# default = [] +pkcs12 = ["p12-keystore"] + [dependencies] cxx = "1.0.181" # issue #16101 serde = { version = "1.0", features = ["derive"] } @@ -34,9 +38,10 @@ pki-types = { package = "rustls-pki-types", version = "1.10" } tokio-rustls = { version = "0.26", default-features = false } # time pinned to avoid too high rustc version dependency (1.88), remove at some point! -time = { version = "=0.3.45" } +# Handled in a different way: the pkcs12 feature is now optional, can be enabled is rust version >= 1.88 +#time = { version = "=0.3.45" } -p12-keystore = { version = "0.2.0" } +p12-keystore = { version = "0.2.0", optional = true } [build-dependencies] cxx-build = "1.0" diff --git a/pdns/recursordist/rec-rust-lib/rust/build_recrust b/pdns/recursordist/rec-rust-lib/rust/build_recrust index 30d607bda7..5e9bc5db52 100755 
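Review bot: In Cargo.toml, `pkcs12 = ["p12-keystore"]` combined with `optional = true` also leaves an implicit `p12-keystore` feature, which pulls in the crate without setting `cfg(feature = "pkcs12")`, so the dependency could be enabled while web.rs still compiles the "not enabled" stub. Writing the feature as `pkcs12 = ["dep:p12-keystore"]` removes that second switch; it needs Cargo 1.60 or newer, and the hunk does not show whether that is within the project's supported range. The new comment reads "can be enabled is rust version >= 1.88", presumably meaning "if". The commented-out `#time = ...` line could be deleted, since the comment above it already records the history.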
--- a/pdns/recursordist/rec-rust-lib/rust/build_recrust +++ b/pdns/recursordist/rec-rust-lib/rust/build_recrust @@ -19,7 +19,7 @@ if [ -n "${CARGO_USE_DEV}" ]; then fi fi -$CARGO build ${CARGO_PROFILE} $RUST_TARGET --target-dir=$builddir/target --manifest-path $srcdir/Cargo.toml +$CARGO build ${CARGO_PROFILE} $RUST_TARGET --target-dir=$builddir/target --manifest-path $srcdir/Cargo.toml $features if [ -n "${CARGO_USE_DEV}" ]; then cp -p target/$RUSTC_TARGET_ARCH/debug/librecrust.a $builddir/rec-rust-lib/rust/librecrust.a diff --git a/pdns/recursordist/rec-rust-lib/rust/meson.build b/pdns/recursordist/rec-rust-lib/rust/meson.build index 06fbbd7cdf..57f386218e 100644 --- a/pdns/recursordist/rec-rust-lib/rust/meson.build +++ b/pdns/recursordist/rec-rust-lib/rust/meson.build @@ -16,6 +16,10 @@ env.set('srcdir', meson.current_source_dir()) env.append('RUST_TARGET', '', separator: '') env.append('RUSTC_TARGET_ARCH', '', separator: '') +if cargo.version().version_compare('>=1.88') +env.set('features', '--features pkcs12') +endif + lib_recrust = custom_target('librecrust.a', output: [outfile, 'cxx.h', 'lib.rs.h', 'misc.rs.h', 'web.rs.h'], input: infile, diff --git a/pdns/recursordist/rec-rust-lib/rust/src/misc.rs b/pdns/recursordist/rec-rust-lib/rust/src/misc.rs index aa750c56ea..7fe8ff6a07 100644 --- a/pdns/recursordist/rec-rust-lib/rust/src/misc.rs +++ b/pdns/recursordist/rec-rust-lib/rust/src/misc.rs @@ -66,4 +66,15 @@ pub mod rustmisc { ); fn getUUID() -> String; } + extern "Rust" { + fn rust_features() ->String; + } +} + +pub fn rust_features() -> String { + #![allow(unused_mut)] + let mut ret = String::from(""); + #[cfg(feature = "pkcs12")] + ret.push_str(" pkcs12"); + ret } diff --git a/pdns/recursordist/rec-rust-lib/rust/src/web.rs b/pdns/recursordist/rec-rust-lib/rust/src/web.rs index ea9cdf3df9..12e2acbcdc 100644 --- a/pdns/recursordist/rec-rust-lib/rust/src/web.rs +++ b/pdns/recursordist/rec-rust-lib/rust/src/web.rs 
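Review bot: `$features` at the end of the `$CARGO build` line is an unquoted, generically named variable read from the environment, and the meson.build hunk only sets it when cargo is >= 1.88. On older toolchains, or when something other than that meson target runs this script, the value is whatever the calling environment exports under that name, and it is word-split straight into the cargo command line. A project-specific name with an explicit empty default, for example `${RECRUST_CARGO_FEATURES:-}` (the name is only a suggestion), set unconditionally from meson.build, would make the build inputs explicit. The script continues outside this hunk, so I cannot see whether `set -u` is active, which would make an unset `$features` fatal.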
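Review bot: When the `version_compare('>=1.88')` test in meson.build fails, PKCS12 support is dropped with no trace in the configure output. An operator then only finds out at runtime, when the webservice logs "PKCS12 feature is not enabled" for the configured key file. An `else` branch with something like `warning('cargo < 1.88, building without pkcs12 support')`, or a `summary()` entry, would surface this to packagers. The check uses `cargo.version()` while the constraint described in Cargo.toml is on the rust version; the two normally ship together, but a short comment stating that assumption would help.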
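Review bot: `rust_features()` in misc.rs needs `#![allow(unused_mut)]` only because the push sits behind `#[cfg(feature = "pkcs12")]`. Using `if cfg!(feature = "pkcs12") { ret.push_str(" pkcs12"); }` keeps the binding mutable in both configurations, so the attribute can go, and `String::new()` is the usual spelling of `String::from("")`. The function also has an undocumented contract: version.cc streams the result directly after `<< " libcap"`, so every entry must carry its own leading space. A doc comment such as `/// Space-prefixed list of optional Rust features compiled in; appended to the build-configuration feature list.` would record that. The bridge declaration `fn rust_features() ->String;` lacks the space after `->` that the neighbouring `fn getUUID() -> String;` has.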
@@ -1064,6 +1064,7 @@ fn load_pem_private_key( // Load private key and certs from pkcs12 (pfx) file. +#[cfg(feature = "pkcs12")] fn load_pkcs12_key_and_certs( filename: &str, password: &str, @@ -1130,6 +1131,26 @@ fn load_pkcs12_key_and_certs( } } +#[cfg(not(feature = "pkcs12"))] +fn load_pkcs12_key_and_certs( + filename: &str, + _password: &str, + ctx: &Arc, +) -> std::io::Result<(pki_types::PrivateKeyDer<'static>, Vec>)> { + let msg = "PKCS12 feature is not enabled"; + rustmisc::log( + &ctx.logger, + rustmisc::Priority::Error, + msg, + &vec![rustmisc::KeyValue { + key: "filename".to_string(), + value: filename.to_string(), + }]); + Err(std::io::Error::other(msg)) +} + + + // impl below needed because the classes are used in the Context, which gets passed around. unsafe impl Send for rustweb::CredentialsHolder {} unsafe impl Sync for rustweb::CredentialsHolder {} diff --git a/pdns/version.cc b/pdns/version.cc index 900c185c56..e41bdb985a 100644 --- a/pdns/version.cc +++ b/pdns/version.cc @@ -31,6 +31,10 @@ #include #include +#ifdef RECURSOR +#include "rust/misc.rs.h" +#endif + static ProductType productType; string compilerVersion() @@ -176,6 +180,9 @@ string getBuildConfiguration() #endif #ifdef HAVE_LIBCAP << " libcap" +#endif +#ifdef RECURSOR + << pdns::rust::misc::rust_features() #endif << endl; #ifdef PDNS_MODULES diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py index 311a3ef2ce..996f0a499d 100644 --- a/regression-tests.recursor-dnssec/recursortests.py +++ b/regression-tests.recursor-dnssec/recursortests.py 
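Review bot: The fallback `load_pkcs12_key_and_certs` in web.rs ends in `Err(std::io::Error::other(msg))`, and `io::Error::other` was only stabilised in Rust 1.74, yet this variant is the one compiled on the older toolchains where the feature is off. If the supported minimum is below 1.74 (not visible here), `Err(std::io::Error::new(std::io::ErrorKind::Unsupported, msg))` builds there and also gives callers a kind to match on. The stub has no comment of its own, because the existing `// Load private key and certs from pkcs12 (pfx) file.` sits above the real implementation only. A line such as `// Built without the pkcs12 feature: always logs and returns an error.` above the `#[cfg(not(feature = "pkcs12"))]` would help. Returning an error rather than an empty key/cert pair is the right failure mode; whether the caller treats it as fatal is outside the hunk.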
@@ -749,6 +749,18 @@ distributor-threads={threads} except subprocess.CalledProcessError as e: raise AssertionError('%s failed (%d): %s' % (rec_controlCmd, e.returncode, e.output)) + @classmethod + def recFeatures(cls): + rec_versionCmd = [os.environ['PDNSRECURSOR'], + '--version'] + try: + full = subprocess.check_output(rec_versionCmd, text=True, stderr=subprocess.STDOUT) + for line in full.splitlines(): + if line.startswith("Features: "): + return line + except subprocess.CalledProcessError as e: + raise AssertionError('%s failed (%d): %s' % (rec_versionCmd, e.returncode, e.output)) + @classmethod def setUpSockets(cls): print("Setting up UDP socket..") diff --git a/regression-tests.recursor-dnssec/runtests b/regression-tests.recursor-dnssec/runtests index d83a3f67e7..57ebdc6bf5 100755 --- a/regression-tests.recursor-dnssec/runtests +++ b/regression-tests.recursor-dnssec/runtests @@ -65,10 +65,6 @@ if [ "${PDNS_DEBUG}" = "YES" ]; then set -x fi -if ! "$PDNSRECURSOR" --version 2>&1 | grep Features | grep -q dnstap-framestream; then - export NODNSTAPTESTS=1 -fi - # Run with -m 'not external' to skip test that require external connectivity # Run with -m 'not unreliable_on_gh' to skip tests that are unreliable on GitHUb # Run with -m 'not (external or unreliable_on_gh)' to skip both categories diff --git a/regression-tests.recursor-dnssec/test_Prometheus.py b/regression-tests.recursor-dnssec/test_Prometheus.py index 147b61047a..9ddf62cc93 100644 --- a/regression-tests.recursor-dnssec/test_Prometheus.py +++ b/regression-tests.recursor-dnssec/test_Prometheus.py @@ -1,6 +1,6 @@ import requests import subprocess - +import pytest from recursortests import RecursorTest class RecPrometheusTest(RecursorTest): 
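Review bot: `recFeatures()` in recursortests.py falls off the end of the `for` loop and returns `None` when no line starts with "Features: ", so the `'pkcs12' not in RecursorTest.recFeatures()` style checks in test_Prometheus.py and test_RecDnstap.py would raise `TypeError` instead of skipping. Adding `return ''` after the loop keeps those membership tests well defined. Both callers evaluate it inside a decorator, i.e. at import time, so the recursor binary runs once per decorated item during collection. A missing `PDNSRECURSOR` therefore surfaces as a `KeyError` during collection rather than as a test failure. Caching the result, for example in a class attribute, and a short docstring stating that the whole "Features: ..." line is returned would help.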
@@ -126,6 +126,7 @@ webservice: def generateRecursorConfig(cls, confdir): super(HttpsPKCS12PrometheusTest, cls).generateRecursorYamlConfig(confdir) + @pytest.mark.skipif('pkcs12' not in RecursorTest.recFeatures(), reason='pkcs12 feature not available') def testPrometheus(self): self.waitForTCPSocket("127.0.0.1", self._wsPort) url = 'https://user:' + self._wsPassword + '@127.0.0.1:' + str(self._wsPort) + '/metrics' diff --git a/regression-tests.recursor-dnssec/test_RecDnstap.py b/regression-tests.recursor-dnssec/test_RecDnstap.py index e310e0b014..beca12017d 100644 --- a/regression-tests.recursor-dnssec/test_RecDnstap.py +++ b/regression-tests.recursor-dnssec/test_RecDnstap.py @@ -7,6 +7,7 @@ import threading import time import dns import dnstap_pb2 +import pytest from unittest import SkipTest from recursortests import RecursorTest @@ -219,12 +220,9 @@ class TestRecursorDNSTap(RecursorTest): sock.close() @classmethod + @pytest.mark.skipif('dnstap-framestream' not in RecursorTest.recFeatures(), reason='dnstap feature not available') def setUpClass(cls): - if os.environ.get("NODNSTAPTESTS") == "1": - raise SkipTest("Not Yet Supported") - cls.setUpSockets() - cls.startResponders() listener = threading.Thread(name='DNSTap Listener', target=cls.FrameStreamUnixListenerMain, args=[DNSTapServerParameters])
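Review bot: The `@pytest.mark.skipif(...)` placed on `setUpClass` in test_RecDnstap.py is very likely a no-op, because pytest evaluates marks on collected test functions, classes and modules, not on the `setUpClass` hook. On a build without dnstap-framestream the class would then run and fail, where it was previously skipped via `SkipTest`. Moving the decorator onto the enclosing class (the hunk header shows `TestRecursorDNSTap`) restores the old behaviour, as does an explicit `if 'dnstap-framestream' not in cls.recFeatures(): raise SkipTest('dnstap feature not available')` at the top of `setUpClass`. If the first option is taken and `SkipTest` is no longer used elsewhere in the file, its import can go. The method body continues past the end of the hunk.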