From 93e8c5cae41f21a4b0fd48a2117721f71c8c8101 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marie=20P=C3=ADchov=C3=A1?= <11718369+ManickaP@users.noreply.github.com>
Date: Fri, 1 Dec 2023 09:56:03 +0100
Subject: [PATCH 01/12] Disable mock test (#95407)
---
 .../tests/FunctionalTests/HttpClientHandlerTest.Http3.cs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Http3.cs b/src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Http3.cs
index 2299a5af6840b..06f4dc63bd027 100644
--- a/src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Http3.cs
+++ b/src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Http3.cs
@@ -1013,6 +1013,13 @@ public async Task StatusCodes_ReceiveSuccess(HttpStatusCode statusCode, bool qpa
 [InlineData(1000)]
 public async Task EchoServerStreaming_DifferentMessageSize_Success(int messageSize)
 {
+ // Disable failing test in 6.0 branch, see https://github.com/dotnet/runtime/issues/95158
+ // The mock tests don't exist in newer releases -> no need to keep an active issue.
+ if (this.UseQuicImplementationProvider == QuicImplementationProviders.Mock)
+ {
+ return;
+ }
+
 int iters = 5;
 var message = new byte[messageSize];
 var readBuffer = new byte[5 * messageSize]; // bigger than message
From 97c6639c5aad20d620f78d91b86e33189664493e Mon Sep 17 00:00:00 2001
From: Parker Bibus
Date: Tue, 5 Dec 2023 12:01:18 -0800
Subject: [PATCH 02/12] Update Perf Android jobs to use the Windows 11 Pixel Queue.
---
 eng/testing/performance/performance-setup.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/testing/performance/performance-setup.ps1 b/eng/testing/performance/performance-setup.ps1
index 70464206302d0..ec5bd4859d3be 100644
--- a/eng/testing/performance/performance-setup.ps1
+++ b/eng/testing/performance/performance-setup.ps1
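Review bot: The bare `return` on the Mock provider path makes EchoServerStreaming_DifferentMessageSize_Success report as passed for every message size instead of skipped, so the lost coverage is invisible in the test results even though the comment explains why no issue is filed. Patch 04 in this same series uses `[ActiveIssue(...)]` for the equivalent situation, and the runtime's xunit extensions also accept a condition on that attribute if I recall correctly, which would keep the skip reportable without an open issue. If the bare return is kept, the comment should at least say so: `// NOTE: reported as a pass, not a skip - mock-provider coverage of this test is gone.`. The test body continues outside the hunk.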
@@ -48,7 +48,7 @@ if ($Internal) { "perftiger_crossgen" { $Queue = "Windows.10.Amd64.19H1.Tiger.Perf" } "perfowl" { $Queue = "Windows.10.Amd64.20H2.Owl.Perf" } "perfsurf" { $Queue = "Windows.10.Arm64.Perf.Surf" } - "perfpixel4a" { $Queue = "Windows.10.Amd64.Pixel.Perf" } + "perfpixel4a" { $Queue = "Windows.11.Amd64.Pixel.Perf" } Default { $Queue = "Windows.10.Amd64.19H1.Tiger.Perf" } } $PerfLabArguments = "--upload-to-perflab-container" From 95ca3cfd0cacf078408344b5ad0320968ad0d971 Mon Sep 17 00:00:00 2001 From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 10:17:44 +0100 Subject: [PATCH 03/12] [release/6.0-staging] Update dependencies from dotnet/emsdk (#95642) * Update dependencies from https://github.com/dotnet/emsdk build 20231122.1 Microsoft.NET.Workload.Emscripten.Manifest-6.0.100 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.300 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.400 From Version 6.0.25 -> To Version 6.0.25 * Update dependencies from https://github.com/dotnet/emsdk build 20231205.2 Microsoft.NET.Workload.Emscripten.Manifest-6.0.100 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.300 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.400 From Version 6.0.25 -> To Version 6.0.26 --------- Co-authored-by: dotnet-maestro[bot] --- NuGet.config | 1 + eng/Version.Details.xml | 12 ++++++------ eng/Versions.props | 6 +++--- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/NuGet.config b/NuGet.config index d5dbd101f043e..d2e16e4ab0166 100644 --- a/NuGet.config +++ b/NuGet.config @@ -9,6 +9,7 @@ + diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index 4a2dfefd1ddb9..b2cb22035014e 100644 --- a/eng/Version.Details.xml +++ b/eng/Version.Details.xml 
@@ -8,17 +8,17 @@ https://github.com/dotnet/msquic 7312355e44fd230b7aa26c7190f3870391751476 - + https://github.com/dotnet/emsdk - d8bc162ccf7ce14fdbec9c2c50d6e856a7063c91 + 5ccc36f5985e2089f47c97a19c250e65ddefd0ba - + https://github.com/dotnet/emsdk - d8bc162ccf7ce14fdbec9c2c50d6e856a7063c91 + 5ccc36f5985e2089f47c97a19c250e65ddefd0ba - + https://github.com/dotnet/emsdk - d8bc162ccf7ce14fdbec9c2c50d6e856a7063c91 + 5ccc36f5985e2089f47c97a19c250e65ddefd0ba https://github.com/dotnet/wcf diff --git a/eng/Versions.props b/eng/Versions.props index ab08b32764321..02f6345de8118 100644 --- a/eng/Versions.props +++ b/eng/Versions.props @@ -176,9 +176,9 @@ 11.1.0-alpha.1.21416.1 11.1.0-alpha.1.21416.1 - 6.0.25 - 6.0.25 - 6.0.25 + 6.0.26 + 6.0.26 + 6.0.26 $(MicrosoftNETWorkloadEmscriptenManifest60100Version) 1.1.87-gba258badda From 8f280fcf17e37745a1771aa298b6e7221975cbe7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jan 2024 17:47:29 +0100 Subject: [PATCH 04/12] Temporarily disable NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds (#96055) The 3rd party service has expired certificate Co-authored-by: Radek Zikmund --- .../Net/Http/HttpClientHandlerTest.ServerCertificates.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs index c90753dd4025d..1d6c690516ec8 100644 --- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs +++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs 
@@ -146,7 +146,8 @@ public async Task UseCallback_ValidCertificate_ExpectedValuesDuringCallback(Conf
 {
 bool callbackCalled = false;
 handler.CheckCertificateRevocationList = checkRevocation;
- handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => {
+ handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
+ {
 callbackCalled = true;
 Assert.NotNull(request);
@@ -225,6 +226,7 @@ public async Task NoCallback_BadCertificate_ThrowsException(string url)
 }
 [OuterLoop("Uses external servers")]
+ [ActiveIssue("https://github.com/dotnet/runtime/issues/77726")]
 [ConditionalFact(nameof(ClientSupportsDHECipherSuites))]
 public async Task NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds()
 {
From 715aae2d51c3b14f2371d2a13e0c35a29e7f5510 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=B6plinger?=
Date: Wed, 10 Jan 2024 00:04:03 +0100
Subject: [PATCH 05/12] [release/6.0] Use NuGetAuthenticate@1 instead of @0 (#96651) (#96668)
There is a build warning about the old version now. eng/common usages are handled by https://github.com/dotnet/arcade/pull/14314 Backport of https://github.com/dotnet/runtime/pull/96651
---
 eng/pipelines/common/restore-internal-tools.yml | 2 +-
 eng/pipelines/installer/jobs/base-job.yml | 2 +-
 eng/pipelines/official/jobs/prepare-signed-artifacts.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eng/pipelines/common/restore-internal-tools.yml b/eng/pipelines/common/restore-internal-tools.yml
index eead4b67c30f6..fdec41da53da5 100644
--- a/eng/pipelines/common/restore-internal-tools.yml
+++ b/eng/pipelines/common/restore-internal-tools.yml
@@ -1,5 +1,5 @@
 steps:
- - task: NuGetAuthenticate@0
+ - task: NuGetAuthenticate@1
 inputs:
 nuGetServiceConnections: 'devdiv/dotnet-core-internal-tooling'
 forceReinstallCredentialProvider: true
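Review bot: Marking NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds with `[ActiveIssue]` removes this file's only coverage of the revocation-off path accepting a revoked server certificate, and the commit message attributes the failure to an expired certificate at the external endpoint rather than to a product defect. The attribute cites issue 77726 while nothing in the hunk ties that issue to the expired certificate, so a one-line comment above the attribute, `// External test host's certificate has expired; see the linked issue before re-enabling.`, would spare the next reader from reconciling the two. Longer term the test would be more robust against a loopback server whose certificate the test infrastructure controls, if the repo's harness can serve a revoked certificate locally. The first hunk is a brace-placement change only.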
diff --git a/eng/pipelines/installer/jobs/base-job.yml b/eng/pipelines/installer/jobs/base-job.yml index e0a060922481f..40e7969ba4aab 100644 --- a/eng/pipelines/installer/jobs/base-job.yml +++ b/eng/pipelines/installer/jobs/base-job.yml @@ -344,7 +344,7 @@ jobs: displayName: Clean up old artifacts owned by root - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - - task: NuGetAuthenticate@0 + - task: NuGetAuthenticate@1 - ${{ if eq(parameters.osGroup, 'windows') }}: # NuGet's http cache lasts 30 minutes. If we're on a static machine, this may interfere with diff --git a/eng/pipelines/official/jobs/prepare-signed-artifacts.yml b/eng/pipelines/official/jobs/prepare-signed-artifacts.yml index 8b0fbd711198f..0398bc3a4c505 100644 --- a/eng/pipelines/official/jobs/prepare-signed-artifacts.yml +++ b/eng/pipelines/official/jobs/prepare-signed-artifacts.yml @@ -26,7 +26,7 @@ jobs: fetchDepth: 20 - ${{ if eq(parameters.isOfficialBuild, true) }}: - - task: NuGetAuthenticate@0 + - task: NuGetAuthenticate@1 - task: MicroBuildSigningPlugin@2 displayName: Install MicroBuild plugin for Signing From 66c50c04c024ee453bb8b4eee3b2094f219f8d14 Mon Sep 17 00:00:00 2001 
From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 17:53:25 -0800 Subject: [PATCH 06/12] Update dependencies from https://github.com/dotnet/arcade build 20231220.4 (#96670) Microsoft.DotNet.ApiCompat , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.Build.Tasks.Archives , Microsoft.DotNet.Build.Tasks.Feed , Microsoft.DotNet.Build.Tasks.Installers , Microsoft.DotNet.Build.Tasks.Packaging , Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk , Microsoft.DotNet.Build.Tasks.Templating , Microsoft.DotNet.Build.Tasks.Workloads , Microsoft.DotNet.CodeAnalysis , Microsoft.DotNet.GenAPI , Microsoft.DotNet.GenFacades , Microsoft.DotNet.Helix.Sdk , Microsoft.DotNet.PackageTesting , Microsoft.DotNet.RemoteExecutor , Microsoft.DotNet.SharedFramework.Sdk , Microsoft.DotNet.VersionTools.Tasks , Microsoft.DotNet.XUnitConsoleRunner , Microsoft.DotNet.XUnitExtensions From Version 6.0.0-beta.23517.3 -> To Version 6.0.0-beta.23620.4 Co-authored-by: dotnet-maestro[bot] --- NuGet.config | 2 + eng/Version.Details.xml | 76 +++++++++---------- eng/Versions.props | 30 ++++---- eng/common/darc-init.ps1 | 2 +- eng/common/darc-init.sh | 2 +- .../post-build/add-build-to-channel.ps1 | 2 +- eng/common/post-build/publish-using-darc.ps1 | 2 +- .../post-build/trigger-subscriptions.ps1 | 2 +- eng/common/templates/job/job.yml | 2 +- .../templates/job/publish-build-assets.yml | 4 +- .../templates/post-build/common-variables.yml | 2 +- .../templates/post-build/post-build.yml | 2 +- global.json | 12 +-- 13 files changed, 71 insertions(+), 69 deletions(-) diff --git a/NuGet.config b/NuGet.config index d2e16e4ab0166..c784384ea9b35 100644 --- a/NuGet.config +++ b/NuGet.config @@ -10,6 +10,8 @@ + + diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index b2cb22035014e..4b9b966570f3a 100644 --- a/eng/Version.Details.xml +++ b/eng/Version.Details.xml 
@@ -26,77 +26,77 @@ - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + 
https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 https://github.com/microsoft/vstest @@ -222,9 +222,9 @@ https://github.com/dotnet/xharness dcd239f92887f600f75093d5ffff27b2dfeb034b - + https://github.com/dotnet/arcade - 7c67805da0adbf4e72f2f4799b63efcf1cc8fe4c + 10336beb8852ba1f98533413f311fcceb5abb141 https://dev.azure.com/dnceng/internal/_git/dotnet-optimization diff --git a/eng/Versions.props b/eng/Versions.props index 02f6345de8118..3c0aff3814acb 100644 --- a/eng/Versions.props +++ b/eng/Versions.props @@ -42,21 +42,21 @@ 1.1.0-preview.22164.17 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 2.5.1-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 - 6.0.0-beta.23517.3 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 2.5.1-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 + 6.0.0-beta.23620.4 6.0.0-preview.1.102 diff --git a/eng/common/darc-init.ps1 b/eng/common/darc-init.ps1 index 435e7641341b1..8fda30bdce2b0 100644 --- a/eng/common/darc-init.ps1 +++ b/eng/common/darc-init.ps1 @@ -1,6 +1,6 @@ param ( $darcVersion = $null, - $versionEndpoint = 'https://maestro-prod.westus2.cloudapp.azure.com/api/assets/darc-version?api-version=2019-01-16', + $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16', $verbosity = 'minimal', $toolpath = $null ) diff --git a/eng/common/darc-init.sh b/eng/common/darc-init.sh index 39abdbecdcf11..4e4116f1d0bf9 100755 
--- a/eng/common/darc-init.sh +++ b/eng/common/darc-init.sh @@ -2,7 +2,7 @@ source="${BASH_SOURCE[0]}" darcVersion='' -versionEndpoint='https://maestro-prod.westus2.cloudapp.azure.com/api/assets/darc-version?api-version=2019-01-16' +versionEndpoint='https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16' verbosity='minimal' while [[ $# > 0 ]]; do diff --git a/eng/common/post-build/add-build-to-channel.ps1 b/eng/common/post-build/add-build-to-channel.ps1 index de2d957922a65..49938f0c89f76 100644 --- a/eng/common/post-build/add-build-to-channel.ps1 +++ b/eng/common/post-build/add-build-to-channel.ps1 @@ -2,7 +2,7 @@ param( [Parameter(Mandatory=$true)][int] $BuildId, [Parameter(Mandatory=$true)][int] $ChannelId, [Parameter(Mandatory=$true)][string] $MaestroApiAccessToken, - [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro-prod.westus2.cloudapp.azure.com', + [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro.dot.net', [Parameter(Mandatory=$false)][string] $MaestroApiVersion = '2019-01-16' ) diff --git a/eng/common/post-build/publish-using-darc.ps1 b/eng/common/post-build/publish-using-darc.ps1 index 8508397d77640..1e779fec4dd1e 100644 --- a/eng/common/post-build/publish-using-darc.ps1 +++ b/eng/common/post-build/publish-using-darc.ps1 @@ -3,7 +3,7 @@ param( [Parameter(Mandatory=$true)][int] $PublishingInfraVersion, [Parameter(Mandatory=$true)][string] $AzdoToken, [Parameter(Mandatory=$true)][string] $MaestroToken, - [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro-prod.westus2.cloudapp.azure.com', + [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro.dot.net', [Parameter(Mandatory=$true)][string] $WaitPublishingFinish, [Parameter(Mandatory=$false)][string] $ArtifactsPublishingAdditionalParameters, [Parameter(Mandatory=$false)][string] $SymbolPublishingAdditionalParameters 
diff --git a/eng/common/post-build/trigger-subscriptions.ps1 b/eng/common/post-build/trigger-subscriptions.ps1 index 55dea518ac585..ac9a95778fcd9 100644 --- a/eng/common/post-build/trigger-subscriptions.ps1 +++ b/eng/common/post-build/trigger-subscriptions.ps1 @@ -2,7 +2,7 @@ param( [Parameter(Mandatory=$true)][string] $SourceRepo, [Parameter(Mandatory=$true)][int] $ChannelId, [Parameter(Mandatory=$true)][string] $MaestroApiAccessToken, - [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro-prod.westus2.cloudapp.azure.com', + [Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro.dot.net', [Parameter(Mandatory=$false)][string] $MaestroApiVersion = '2019-01-16' ) diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml index 0e10e7db69c77..01da2420df606 100644 --- a/eng/common/templates/job/job.yml +++ b/eng/common/templates/job/job.yml @@ -123,7 +123,7 @@ jobs: continueOnError: ${{ parameters.continueOnError }} condition: and(succeeded(), in(variables['_SignType'], 'real', 'test'), eq(variables['Agent.Os'], 'Windows_NT')) - - task: NuGetAuthenticate@0 + - task: NuGetAuthenticate@1 - ${{ if or(eq(parameters.artifacts.download, 'true'), ne(parameters.artifacts.download, '')) }}: - task: DownloadPipelineArtifact@2 diff --git a/eng/common/templates/job/publish-build-assets.yml b/eng/common/templates/job/publish-build-assets.yml index d91bf9147116f..239b17010fa7e 100644 --- a/eng/common/templates/job/publish-build-assets.yml +++ b/eng/common/templates/job/publish-build-assets.yml @@ -53,7 +53,7 @@ jobs: continueOnError: ${{ parameters.continueOnError }} - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - - task: NuGetAuthenticate@0 + - task: NuGetAuthenticate@1 - task: PowerShell@2 displayName: Enable cross-org NuGet feed authentication 
@@ -68,7 +68,7 @@ jobs: arguments: -task PublishBuildAssets -restore -msbuildEngine dotnet /p:ManifestsPath='$(Build.StagingDirectory)/Download/AssetManifests' /p:BuildAssetRegistryToken=$(MaestroAccessToken) - /p:MaestroApiEndpoint=https://maestro-prod.westus2.cloudapp.azure.com + /p:MaestroApiEndpoint=https://maestro.dot.net /p:PublishUsingPipelines=${{ parameters.publishUsingPipelines }} /p:Configuration=$(_BuildConfig) /p:OfficialBuildId=$(Build.BuildNumber) diff --git a/eng/common/templates/post-build/common-variables.yml b/eng/common/templates/post-build/common-variables.yml index 1ac7f49a43ca8..fae340f4d20d7 100644 --- a/eng/common/templates/post-build/common-variables.yml +++ b/eng/common/templates/post-build/common-variables.yml @@ -11,7 +11,7 @@ variables: # Default Maestro++ API Endpoint and API Version - name: MaestroApiEndPoint - value: "https://maestro-prod.westus2.cloudapp.azure.com" + value: "https://maestro.dot.net" - name: MaestroApiAccessToken value: $(MaestroAccessToken) - name: MaestroApiVersion diff --git a/eng/common/templates/post-build/post-build.yml b/eng/common/templates/post-build/post-build.yml index fc022ca9b266a..d49c6156bf0aa 100644 --- a/eng/common/templates/post-build/post-build.yml +++ b/eng/common/templates/post-build/post-build.yml @@ -162,7 +162,7 @@ stages: # This is necessary whenever we want to publish/restore to an AzDO private feed # Since sdk-task.ps1 tries to restore packages we need to do this authentication here # otherwise it'll complain about accessing a private feed. - - task: NuGetAuthenticate@0 + - task: NuGetAuthenticate@1 displayName: 'Authenticate to AzDO Feeds' - task: PowerShell@2 diff --git a/global.json b/global.json index 6a42f9d953921..98e353db75f07 100644 --- a/global.json +++ b/global.json 
@@ -1,21 +1,21 @@ { "sdk": { - "version": "6.0.123", + "version": "6.0.124", "allowPrerelease": true, "rollForward": "major" }, "tools": { - "dotnet": "6.0.123" + "dotnet": "6.0.124" }, "native-tools": { "cmake": "3.16.4", "python3": "3.7.1" }, "msbuild-sdks": { - "Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk": "6.0.0-beta.23517.3", - "Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.23517.3", - "Microsoft.DotNet.Helix.Sdk": "6.0.0-beta.23517.3", - "Microsoft.DotNet.SharedFramework.Sdk": "6.0.0-beta.23517.3", + "Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk": "6.0.0-beta.23620.4", + "Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.23620.4", + "Microsoft.DotNet.Helix.Sdk": "6.0.0-beta.23620.4", + "Microsoft.DotNet.SharedFramework.Sdk": "6.0.0-beta.23620.4", "Microsoft.Build.NoTargets": "3.1.0", "Microsoft.Build.Traversal": "3.0.23", "Microsoft.NET.Sdk.IL": "6.0.0-rc.1.21415.6" From f27366fef07ed1b2cfc5ffb555a046e92bf7f094 Mon Sep 17 00:00:00 2001 
From: Tomas Weinfurt Date: Wed, 10 Jan 2024 03:57:53 -0800 Subject: [PATCH 07/12] [release/6.0] fix IsMutuallyAuthenticated on SslStream (#92684) * fix IsMutuallyAuthenticated * update * update test data * cleanup * pick up also #65134 and #66077 --- .../Interop.Ssl.cs | 4 + .../Interop/Windows/SspiCli/Interop.SSPI.cs | 19 +- .../Interop/Windows/SspiCli/SSPIWrapper.cs | 26 +- .../Windows/SspiCli/SecuritySafeHandles.cs | 6 + .../Net/CertificateValidationPal.Android.cs | 10 + .../Net/CertificateValidationPal.OSX.cs | 5 + .../Net/CertificateValidationPal.Unix.cs | 5 + .../Net/CertificateValidationPal.Windows.cs | 54 ++- .../src/System/Net/Security/SecureChannel.cs | 30 +- .../Net/Security/SslStreamPal.Android.cs | 3 +- .../System/Net/Security/SslStreamPal.OSX.cs | 3 +- .../System/Net/Security/SslStreamPal.Unix.cs | 2 +- .../Net/Security/SslStreamPal.Windows.cs | 12 +- .../SslStreamMutualAuthenticationTest.cs | 400 ++++++++++++++++++ .../SslStreamStreamToStreamTest.cs | 6 - .../SslStreamSystemDefaultsTest.cs | 6 - .../System.Net.Security.Tests.csproj | 1 + 17 files changed, 564 insertions(+), 28 deletions(-) create mode 100644 src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs diff --git a/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs index 0fe2051f7beff..4342e47a19489 100644 --- a/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs +++ b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs 
@@ -87,6 +87,10 @@ internal static void SSLStreamSetTargetHost(
 throw new SslException();
 }
+ [DllImport(Interop.Libraries.AndroidCryptoNative, EntryPoint = "AndroidCryptoNative_SSLStreamIsLocalCertificateUsed")]
+ [return: MarshalAs(UnmanagedType.U1)]
+ internal static extern bool SSLStreamIsLocalCertificateUsed(SafeSslHandle sslHandle);
+
 [DllImport(Interop.Libraries.AndroidCryptoNative, EntryPoint = "AndroidCryptoNative_SSLStreamRequestClientAuthentication")]
 internal static extern void SSLStreamRequestClientAuthentication(SafeSslHandle sslHandle);
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs
index 1694ca539a86a..098057aca7cd5 100644
--- a/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs
+++ b/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs
@@ -67,8 +67,10 @@ internal enum ContextAttribute
 SECPKG_ATTR_ISSUER_LIST_EX = 0x59, // returns SecPkgContext_IssuerListInfoEx
 SECPKG_ATTR_CLIENT_CERT_POLICY = 0x60, // sets SecPkgCred_ClientCertCtlPolicy
 SECPKG_ATTR_CONNECTION_INFO = 0x5A, // returns SecPkgContext_ConnectionInfo
+ SECPKG_ATTR_SESSION_INFO = 0x5D, // sets SecPkgContext_SessionInfo
 SECPKG_ATTR_CIPHER_INFO = 0x64, // returns SecPkgContext_CipherInfo
- SECPKG_ATTR_UI_INFO = 0x68, // sets SEcPkgContext_UiInfo
+ SECPKG_ATTR_REMOTE_CERT_CHAIN = 0x67, // returns PCCERT_CONTEXT
+ SECPKG_ATTR_UI_INFO = 0x68, // sets SEcPkgContext_UiInfo
 }
 // These values are defined within sspi.h as ISC_REQ_*, ISC_RET_*, ASC_REQ_* and ASC_RET_*.
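Review bot: The comment on the new `SECPKG_ATTR_SESSION_INFO` member says `// sets SecPkgContext_SessionInfo`, but the attribute is read through QueryBlittableContextAttributes in the Windows PAL hunk later in this patch, so it belongs with the `returns` entries like its neighbours: `SECPKG_ATTR_SESSION_INFO = 0x5D, // returns SecPkgContext_SessionInfo`. The `SECPKG_ATTR_REMOTE_CERT_CHAIN` comment reads `returns PCCERT_CONTEXT`, which is the same shape as REMOTE_CERT_CONTEXT; noting here that its consumer relies on it being queryable mid-handshake, where REMOTE_CERT_CONTEXT is not, would make the enum self-explanatory. The Android hunk on the same line only adds a P/Invoke declaration.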
@@ -330,6 +332,21 @@ internal unsafe struct SecPkgCred_ClientCertPolicy
 public char* pwszSslCtlIdentifier;
 }
+ [StructLayout(LayoutKind.Sequential)]
+ internal unsafe struct SecPkgContext_SessionInfo
+ {
+ public uint dwFlags;
+ public uint cbSessionId;
+ public fixed byte rgbSessionId[32];
+
+ [Flags]
+ public enum Flags
+ {
+ Zero = 0,
+ SSL_SESSION_RECONNECT = 0x01,
+ };
+ }
+
 [DllImport(Interop.Libraries.SspiCli, ExactSpelling = true, SetLastError = true)]
 internal static extern int EncryptMessage(
 ref CredHandle contextHandle,
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
index 95763518c96ae..f36a072d981f9 100644
--- a/src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
+++ b/src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
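Review bot: `Zero = 0` in the nested `[Flags]` enum departs from the .NET convention of `None = 0` for the empty flags value, and the enum declaration carries a stray `;` after its closing brace. Since the consumer casts `dwFlags` to this enum and the managed enum names only one of the native bits, a comment stating that would stop a reader from assuming the list is complete: `// Subset of the native dwFlags bits; only SSL_SESSION_RECONNECT is consumed by managed code.`. The struct's field layout is the only other content of the hunk, so this is a style point.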
@@ -426,27 +426,41 @@ public static bool QueryBlittableContextAttributes(ISSPIInterface secModule,
 }
 }
- public static SafeFreeCertContext? QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(ISSPIInterface secModule, SafeDeleteContext securityContext)
+ private static bool QueryCertContextAttribute(ISSPIInterface secModule, SafeDeleteContext securityContext, Interop.SspiCli.ContextAttribute attribute, out SafeFreeCertContext? certContext)
 {
 Span buffer = stackalloc IntPtr[1];
 int errorCode = secModule.QueryContextAttributes(
 securityContext,
- Interop.SspiCli.ContextAttribute.SECPKG_ATTR_REMOTE_CERT_CONTEXT,
+ attribute,
 MemoryMarshal.AsBytes(buffer),
 typeof(SafeFreeCertContext),
 out SafeHandle? sspiHandle);
- if (errorCode != 0)
+ // certificate is not always present (e.g. on server when querying client certificate)
+ // but we still want to consider such case as a success.
+ bool success = errorCode == 0 || errorCode == (int)Interop.SECURITY_STATUS.NoCredentials;
+
+ if (!success)
 {
 sspiHandle?.Dispose();
+ sspiHandle = null;
 if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(null, $"ERROR = {ErrorDescription(errorCode)}");
- return null;
 }
- var result = (SafeFreeCertContext)sspiHandle!;
- return result;
+ certContext = sspiHandle as SafeFreeCertContext;
+ return success;
 }
+ public static bool QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(ISSPIInterface secModule, SafeDeleteContext securityContext, out SafeFreeCertContext? certContext)
+ => QueryCertContextAttribute(secModule, securityContext, Interop.SspiCli.ContextAttribute.SECPKG_ATTR_REMOTE_CERT_CONTEXT, out certContext);
+
+ public static bool QueryContextAttributes_SECPKG_ATTR_LOCAL_CERT_CONTEXT(ISSPIInterface secModule, SafeDeleteContext securityContext, out SafeFreeCertContext? certContext)
+ => QueryCertContextAttribute(secModule, securityContext, Interop.SspiCli.ContextAttribute.SECPKG_ATTR_LOCAL_CERT_CONTEXT, out certContext);
+
+ public static bool QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(ISSPIInterface secModule, SafeDeleteContext securityContext, out SafeFreeCertContext? certContext)
+ => QueryCertContextAttribute(secModule, securityContext, Interop.SspiCli.ContextAttribute.SECPKG_ATTR_REMOTE_CERT_CHAIN, out certContext);
+
 public static bool QueryContextAttributes_SECPKG_ATTR_ISSUER_LIST_EX(ISSPIInterface secModule, SafeDeleteContext securityContext, ref Interop.SspiCli.SecPkgContext_IssuerListInfoEx ctx, out SafeHandle? sspiHandle)
 {
 Span buffer =
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs
index 43b718524d1ca..7fe89376e831b 100644
--- a/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs
+++ b/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs
@@ -5,6 +5,7 @@
 using System.Globalization;
 using System.Runtime.InteropServices;
 using System.Security.Authentication.ExtendedProtection;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Win32.SafeHandles;
 namespace System.Net.Security
@@ -320,10 +321,15 @@ public static unsafe int AcquireCredentialsHandle(
 internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials
 {
+#pragma warning disable 0649
+ // This is used only by SslStream but it is included elsewhere
+ public X509Certificate? LocalCertificate;
+ #pragma warning restore 0649
 public SafeFreeCredential_SECURITY() : base() { }
 protected override bool ReleaseHandle()
 {
+ LocalCertificate?.Dispose();
 return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;
 }
 }
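Review bot: QueryCertContextAttribute now reports success for `Interop.SECURITY_STATUS.NoCredentials`, and in that case `certContext` can be null or, if SSPI still produced a handle, a SafeFreeCertContext whose `IsInvalid` is true — yet nothing in the hunk tells callers of the three public wrappers that a `true` return does not imply a certificate is present. The `as` cast also silently yields null if the handle type is ever not a SafeFreeCertContext, where the old hard cast would have thrown and surfaced the mismatch. A doc comment on the private helper would pin the contract: `/// Returns true when the query succeeded or the package reported no credentials; in the latter case certContext may be null or an invalid handle, so callers must check IsInvalid and dispose it.`.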
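Review bot: `SafeFreeCredential_SECURITY.ReleaseHandle` now disposes `LocalCertificate`, so whoever assigns the field must hand over a certificate this handle exclusively owns; the assignment site is in SslStreamPal.Windows.cs, which the diffstat lists but this chunk does not show, so I cannot confirm whether it stores a private copy or the application's own X509Certificate. If it is the application's object, freeing the credential handle disposes a certificate the caller still holds, and the `#pragma warning disable 0649` around the field is the only hint that assignment happens elsewhere. ReleaseHandle can also run from the finalizer thread, where touching another managed object is generally avoided. A comment naming the ownership rule, `// Owned by this handle: must be a private copy, disposed in ReleaseHandle.`, and a property rather than a public field would make the contract explicit.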
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
index 778ecefdb2633..143310a8d3a0c 100644
--- a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
@@ -105,6 +105,16 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 return cert;
 }
+ // Check if the local certificate has been sent to the peer during the handshake.
+ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _, SafeDeleteContext? securityContext)
+ {
+ SafeSslHandle? sslContext = ((SafeDeleteSslContext?)securityContext)?.SslContext;
+ if (sslContext == null)
+ return false;
+
+ return Interop.AndroidCrypto.SSLStreamIsLocalCertificateUsed(sslContext);
+ }
+
 //
 // Used only by client SSL code, never returns null.
 //
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
index f1fef45e08126..f59bcd364c54e 100644
--- a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
@@ -114,6 +114,11 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 return result;
 }
+ // This is only called when we selected local client certificate.
+ // Currently this is only when Apple crypto asked for it.
+ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _1, SafeDeleteContext? _2) => true;
+
+
 //
 // Used only by client SSL code, never returns null.
 //
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
index 040111c8042b0..00a7db7b6b0c4 100644
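Review bot: The OSX `IsLocalCertificateUsed` is hard-wired to `true` (the Unix hunk on the next line is identical), so on those platforms the property this feeds reports a client certificate as used whenever one was selected, resting on the comment's claim that selection only happens when the peer asked for one. That invariant is enforced in the caller, not in this file, so a reader here cannot verify it; I'd extend the comment to say where it holds: `// Callers reach this only after a certificate was selected; on this platform selection happens only when the peer requested one, so selected implies used.`, hedged if that is not guaranteed on every path. The Android hunk on the same line is the only PAL that actually asks the native layer, and its brace-less `if (sslContext == null) return false;` differs from the braced style the Windows hunk uses.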
--- a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
@@ -110,6 +110,11 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 return result;
 }
+
+ // This is only called when we selected local client certificate.
+ // Currently this is only when OpenSSL needs it because peer asked.
+ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _1, SafeDeleteContext? _2) => true;
+
 //
 // Used only by client SSL code, never returns null.
 //
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
index 05ec3e1cce097..76a4382745506 100644
--- a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
@@ -8,6 +8,7 @@
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Principal;
+using static Interop.SspiCli;
 namespace System.Net
 {
@@ -48,7 +49,21 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 SafeFreeCertContext? remoteContext = null;
 try
 {
- remoteContext = SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(GlobalSSPI.SSPISecureChannel, securityContext);
+ // SECPKG_ATTR_REMOTE_CERT_CONTEXT will not succeed before TLS handshake completes. Inside the handshake,
+ // we need to use (more expensive) SECPKG_ATTR_REMOTE_CERT_CHAIN. That one may be unsupported on older
+ // versions of windows. In that case, we have no option than to return null.
+ //
+ // We can use retrieveCollection to distinguish between in-handshake and after-handshake calls, because
+ // the collection is retrieved for cert validation purposes after the handshake completes.
+ if (retrieveCollection) // handshake completed
+ {
+ SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);
+ }
+ else // in handshake
+ {
+ SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);
+ }
+
 if (remoteContext != null && !remoteContext.IsInvalid)
 {
 result = new X509Certificate2(remoteContext.DangerousGetHandle());
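Review bot: `retrieveCollection` now doubles as the handshake-phase switch, so a future caller that wants the collection mid-handshake, or only the leaf after it, silently queries the wrong attribute; the enclosing method's signature is outside the hunk, so I cannot tell whether an explicit phase parameter is feasible, but the coupling should at least be recorded where the parameter is declared. The return value of both queries is discarded, which works because the `remoteContext != null && !remoteContext.IsInvalid` check handles the unsupported-attribute case, but then only the wrapper's NetEventSource error explains why a mid-handshake caller received null. A named local would make the intent survive refactoring: `bool handshakeCompleted = retrieveCollection; // the collection is only requested after the handshake` with `if (handshakeCompleted)` in the condition.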
@@ -71,6 +86,43 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 return result;
 }
 
+ // Check that local certificate was used by schannel.
+ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHandle, SafeDeleteContext securityContext)
+ {
+ SecPkgContext_SessionInfo info = default;
+ // fails on Server 2008 and older. We will fall-back to probing LOCAL_CERT_CONTEXT in that case.
+ if (SSPIWrapper.QueryBlittableContextAttributes(
+ GlobalSSPI.SSPISecureChannel,
+ securityContext,
+ Interop.SspiCli.ContextAttribute.SECPKG_ATTR_SESSION_INFO,
+ ref info) &&
+ ((SecPkgContext_SessionInfo.Flags)info.dwFlags).HasFlag(SecPkgContext_SessionInfo.Flags.SSL_SESSION_RECONNECT))
+ {
+ // This is TLS Resumed session. Windows can fail to query the local cert bellow.
+ // Instead, we will determine the usage form used credentials.
+ SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;
+ return creds.LocalCertificate != null;
+ }
+
+ SafeFreeCertContext? localContext = null;
+ try
+ {
+ if (SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_LOCAL_CERT_CONTEXT(GlobalSSPI.SSPISecureChannel, securityContext, out localContext) &&
+ localContext != null)
+ {
+ return !localContext.IsInvalid;
+ }
+ }
+ finally
+ {
+ localContext?.Dispose();
+ }
+
+ // Some older Windows do not support that. This is only called when client certificate was provided
+ // so assume it was for a reason.
+ return true;
+ }
+
 //
 // Used only by client SSL code, never returns null.
 //
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
index 05806fedd9cbd..288443bd90941 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
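Review bot: In the resumed-session branch `(SafeFreeCredential_SECURITY)_credentialsHandle!` null-forgives a parameter declared `SafeFreeCredentials?`; if the handle is null the cast succeeds and `creds.LocalCertificate` throws NullReferenceException, so a pattern match is safer: `if (_credentialsHandle is SafeFreeCredential_SECURITY creds) { return creds.LocalCertificate != null; }` with an explicit decision for the null case. The final `return true;` means that on Windows versions where neither SESSION_INFO nor LOCAL_CERT_CONTEXT is available, `LocalClientCertificate` and hence `IsMutuallyAuthenticated` report the certificate as used without any confirmation from Schannel; the comment presents that as a deliberate trade-off, but a NetEventSource trace at that point would make the optimistic path visible in diagnostics. Minor: "bellow" should be "below", "form used credentials" should be "from the credentials used", and the parameter `_credentialsHandle` carries a field-style underscore prefix that `securityContext` in the same signature does not.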
@@ -76,7 +76,12 @@ internal X509Certificate? LocalClientCertificate { get { - return _selectedClientCertificate; + if (_selectedClientCertificate != null && CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext!)) + { + return _selectedClientCertificate; + } + + return null; } } @@ -332,7 +337,7 @@ This will not restart a session but helps minimizing the number of handles we cr --*/ - private bool AcquireClientCredentials(ref byte[]? thumbPrint) + private bool AcquireClientCredentials(ref byte[]? thumbPrint, bool newCredentialsRequested = false) { // Acquire possible Client Certificate information and set it on the handle. X509Certificate? clientCertificate = null; // This is a candidate that can come from the user callback or be guessed when targeting a session restart. @@ -604,7 +609,7 @@ private bool AcquireClientCredentials(ref byte[]? thumbPrint) } _credentialsHandle = SslStreamPal.AcquireCredentialsHandle(_sslAuthenticationOptions.CertificateContext, - _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer); + _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer, newCredentialsRequested); thumbPrint = guessedThumbPrint; // Delay until here in case something above threw. _selectedClientCertificate = clientCertificate; @@ -711,7 +716,7 @@ private bool AcquireServerCredentials(ref byte[]? thumbPrint) else { _credentialsHandle = SslStreamPal.AcquireCredentialsHandle(_sslAuthenticationOptions.CertificateContext, _sslAuthenticationOptions.EnabledSslProtocols, - _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer); + _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer, newCredentialsRequested: false); thumbPrint = guessedThumbPrint; } 
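Review bot: The `LocalClientCertificate` getter passes `_securityContext!` to `IsLocalCertificateUsed`, whose Windows implementation declares the parameter non-nullable and hands it straight to `QueryBlittableContextAttributes`. `_selectedClientCertificate` is assigned in `AcquireClientCredentials` (the `@@ -604` hunk), and the `GenerateToken` hunk on the next line calls that method before `InitializeSecurityContext` is invoked with `ref _securityContext`, which suggests the context may not exist yet when the certificate is already selected; a read of the property in that window, or after the context is disposed, would pass null. A guard keeps the `!` out: `if (_selectedClientCertificate != null && _securityContext is not null && CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext))`. The property also now performs SSPI queries on every read instead of returning a field, which the property's doc comment (outside the hunk) should mention. The `newCredentialsRequested` threading through `AcquireClientCredentials` and `AcquireServerCredentials` in the other hunks on this line looks consistent.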
@@ -804,6 +809,23 @@ private SecurityStatusPal GenerateToken(ReadOnlySpan inputBuffer, ref byte inputBuffer, ref result, _sslAuthenticationOptions); + + if (status.ErrorCode == SecurityStatusPalErrorCode.CredentialsNeeded) + { + _refreshCredentialNeeded = true; + cachedCreds = AcquireClientCredentials(ref thumbPrint, newCredentialsRequested: true); + + if (NetEventSource.Log.IsEnabled()) + NetEventSource.Info(this, "InitializeSecurityContext() returned 'CredentialsNeeded'."); + + status = SslStreamPal.InitializeSecurityContext( + ref _credentialsHandle!, + ref _securityContext, + _sslAuthenticationOptions.TargetHost, + inputBuffer, + ref result, + _sslAuthenticationOptions); + } } } while (cachedCreds && _credentialsHandle == null); } diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs index 27c854c99168e..d5155b2cfa396 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs @@ -54,7 +54,8 @@ public static SafeFreeCredentials AcquireCredentialsHandle( SslStreamCertificateContext? certificateContext, SslProtocols protocols, EncryptionPolicy policy, - bool isServer) + bool isServer, + bool newCredentialsRequested = false) { return new SafeFreeSslCredentials(certificateContext, protocols, policy); } diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs index 0414082781c1e..455ee4b5bb398 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs 
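Review bot: The CredentialsNeeded retry calls `InitializeSecurityContext` again with `ref _credentialsHandle!` right after `AcquireClientCredentials`, without checking that the call actually produced a handle or that the second status is not CredentialsNeeded again; the loop condition `while (cachedCreds && _credentialsHandle == null)` below only re-enters when credentials were cached, so a null handle with `cachedCreds == false` would be passed null-forgiven into the PAL. A guard before the retry, such as `if (_credentialsHandle is null) { break; }` or an explicit error status, would make that path fail loudly rather than inside the PAL. Also, the NetEventSource line describes the first call's result but is emitted after the re-acquire; logging it before `AcquireClientCredentials` keeps the trace in causal order. The enclosing `do`/`while` starts outside the hunk.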
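Review bot: The new `newCredentialsRequested = false` parameter is accepted and ignored on Android, and the OSX and Unix hunks on the next line do the same, while the Windows overload that follows declares it without a default; both SecureChannel call sites pass it explicitly, so the defaults are dead and the four signatures diverge for no reason. I would either drop the default everywhere or add it on Windows too, and document the parameter once per PAL, e.g. `// newCredentialsRequested: unused on this platform; only SslStreamPal.Windows.cs acts on it.` This is a consistency point, not a functional one.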
@@ -61,7 +61,8 @@ public static SafeFreeCredentials AcquireCredentialsHandle(
 SslStreamCertificateContext? certificateContext,
 SslProtocols protocols,
 EncryptionPolicy policy,
- bool isServer)
+ bool isServer,
+ bool newCredentialsRequested = false)
 {
 return new SafeFreeSslCredentials(certificateContext, protocols, policy);
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs
index c3b2e7e291e89..acf1f11fa3040 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs
@@ -37,7 +37,7 @@ public static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredential
 }
 
 public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext? certificateContext,
- SslProtocols protocols, EncryptionPolicy policy, bool isServer)
+ SslProtocols protocols, EncryptionPolicy policy, bool isServer, bool newCredentialsRequested = false)
 {
 return new SafeFreeSslCredentials(certificateContext?.Certificate, protocols, policy);
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
index 85d176aaa88a6..8f6b6462da1df 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -120,7 +120,7 @@ public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentials
 return status;
 }
 
- public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext? certificateContext, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
+ public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext? certificateContext, SslProtocols protocols, EncryptionPolicy policy, bool isServer, bool newCredentialsRequested)
 {
 try
 {
@@ -133,6 +133,16 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateC
 AttachCertificateStore(cred, certificateContext.Trust._store!);
 }
 
+ // Windows can fail to get local credentials in case of TLS Resume.
+ // We will store associated certificate in credentials and use it in case
+ // of TLS resume. It will be disposed when the credentials are.
+ if (newCredentialsRequested && certificateContext != null)
+ {
+ SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;
+ // We need to create copy to avoid Disposal issue.
+ handle.LocalCertificate = new X509Certificate2(certificateContext.Certificate);
+ }
+
 return cred;
 }
 catch (Win32Exception e)
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs
new file mode 100644
index 0000000000000..bb753a9c8bbe8
--- /dev/null
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs
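Review bot: `handle.LocalCertificate` is populated only when `newCredentialsRequested` is true, and as far as this series shows that flag is set only from the CredentialsNeeded retry in `GenerateToken`; if Schannel accepts a certificate supplied up front without that round trip, `LocalCertificate` stays null and the resumed-session branch of `IsLocalCertificateUsed` would then report the certificate as unused, which is worth confirming against the `SslStream_ResumedSessionsClientCollection` test in the new file. The only consumer visible here tests the stored certificate for null; if nothing else reads it, a `bool` on `SafeFreeCredential_SECURITY` would serve the same purpose without keeping a second copy of the certificate alive for the lifetime of the credentials, and the "avoid Disposal issue" comment would become moot. If the copy stays, the comment should name what may dispose the original, e.g. `// certificateContext.Certificate is owned by the caller and may be disposed before these credentials are.`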
@@ -0,0 +1,400 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.IO;
+using System.Threading.Tasks;
+using System.Net.Test.Common;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
+using Xunit;
+using System.Runtime.InteropServices;
+
+namespace System.Net.Security.Tests
+{
+ using Configuration = System.Net.Test.Common.Configuration;
+
+ [PlatformSpecific(TestPlatforms.Windows)]
+ public class SslStreamMutualAuthenticationTest : IDisposable
+ {
+ private readonly X509Certificate2 _clientCertificate;
+ private readonly X509Certificate2 _serverCertificate;
+ private readonly X509Certificate2 _selfSignedCertificate;
+
+ public SslStreamMutualAuthenticationTest()
+ {
+ _serverCertificate = Configuration.Certificates.GetServerCertificate();
+ _clientCertificate = Configuration.Certificates.GetClientCertificate();
+ _selfSignedCertificate = Configuration.Certificates.GetSelfSignedServerCertificate();
+ }
+
+ public void Dispose()
+ {
+ _serverCertificate.Dispose();
+ _clientCertificate.Dispose();
+ }
+
+ public enum ClientCertSource
+ {
+ ClientCertificate,
+ SelectionCallback,
+ }
+
+ public static TheoryData CertSourceData()
+ {
+ TheoryData data = new();
+
+ foreach (var source in Enum.GetValues())
+ {
+ data.Add(source);
+ }
+
+ return data;
+ }
+
+
+ public static TheoryData BoolAndCertSourceData()
+ {
+ TheoryData data = new();
+
+ foreach (var source in Enum.GetValues())
+ {
+ data.Add(true, source);
+ data.Add(false, source);
+ }
+
+ return data;
+ }
+
+ [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
+ [MemberData(nameof(BoolAndCertSourceData))]
+ public async Task SslStream_RequireClientCert_IsMutuallyAuthenticated_ReturnsTrue(bool clientCertificateRequired, ClientCertSource certSource)
+ {
+ (Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
+ using (var client = new SslStream(stream1, false, AllowAnyCertificate))
+ using (var server = new SslStream(stream2, false, AllowAnyCertificate))
+ {
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ switch (certSource)
+ {
+ case ClientCertSource.ClientCertificate:
+ clientOptions.ClientCertificates = new X509CertificateCollection() { _clientCertificate };
+ break;
+ case ClientCertSource.SelectionCallback:
+ clientOptions.LocalCertificateSelectionCallback = ClientCertSelectionCallback;
+ break;
+ }
+
+ Task t2 = client.AuthenticateAsClientAsync(clientOptions);
+ Task t1 = server.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
+ {
+ ServerCertificate = _serverCertificate,
+ ClientCertificateRequired = clientCertificateRequired
+ });
+
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
+
+ if (clientCertificateRequired)
+ {
+ Assert.True(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
+ Assert.True(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
+ }
+ else
+ {
+ // Even though the certificate was provided, it was not requested by the server and thus the client
+ // was not authenticated.
+ Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
+ Assert.False(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
+ }
+ }
+ }
+
+ [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
+ [ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
+ public async Task SslStream_CachedCredentials_IsMutuallyAuthenticatedCorrect(
+ SslProtocols protocol)
+ {
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ ClientCertificates = new X509CertificateCollection() { _clientCertificate },
+ EnabledSslProtocols = protocol,
+ RemoteCertificateValidationCallback = delegate { return true; },
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ for (int i = 0; i < 5; i++)
+ {
+ (SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
+ using (client)
+ using (server)
+ {
+ bool expectMutualAuthentication = (i % 2) == 0;
+
+ var serverOptions = new SslServerAuthenticationOptions
+ {
+ ClientCertificateRequired = expectMutualAuthentication,
+ ServerCertificate = expectMutualAuthentication ? _serverCertificate : _selfSignedCertificate,
+ RemoteCertificateValidationCallback = delegate { return true; },
+ EnabledSslProtocols = protocol
+ };
+
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
+ client.AuthenticateAsClientAsync(clientOptions),
+ server.AuthenticateAsServerAsync(serverOptions));
+
+ // mutual authentication should only be set if server required client cert
+ Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
+ Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);
+ };
+ }
+ }
+
+ [ConditionalTheory(typeof(TestConfiguration), nameof(TestConfiguration.SupportsRenegotiation))]
+ [MemberData(nameof(CertSourceData))]
+ [PlatformSpecific(TestPlatforms.Windows | TestPlatforms.Linux)]
+ public async Task SslStream_NegotiateClientCertificate_IsMutuallyAuthenticatedCorrect(ClientCertSource certSource)
+ {
+ SslStreamCertificateContext context = SslStreamCertificateContext.Create(_serverCertificate, null);
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ for (int round = 0; round < 3; round++)
+ {
+ (Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
+ using (var client = new SslStream(stream1, false, AllowAnyCertificate))
+ using (var server = new SslStream(stream2, false, AllowAnyCertificate))
+ {
+
+ switch (certSource)
+ {
+ case ClientCertSource.ClientCertificate:
+ clientOptions.ClientCertificates = new X509CertificateCollection() { _clientCertificate };
+ break;
+ case ClientCertSource.SelectionCallback:
+ clientOptions.LocalCertificateSelectionCallback = ClientCertSelectionCallback;
+ break;
+ }
+
+ Task t2 = client.AuthenticateAsClientAsync(clientOptions);
+ Task t1 = server.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
+ {
+ ServerCertificateContext = context,
+ ClientCertificateRequired = false,
+ EnabledSslProtocols = SslProtocols.Tls12,
+
+ });
+
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
+
+ if (round >= 0 && server.RemoteCertificate != null)
+ {
+ // TLS resumed
+ Assert.True(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
+ Assert.True(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
+ continue;
+ }
+
+ Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
+ Assert.False(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
+
+ var t = client.ReadAsync(new byte[1]);
+ await server.NegotiateClientCertificateAsync();
+ Assert.NotNull(server.RemoteCertificate);
+ await server.WriteAsync(new byte[1]);
+ await t;
+
+ Assert.NotNull(server.RemoteCertificate);
+ Assert.True(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
+ Assert.True(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
+ }
+ }
+ }
+
+ [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
+ [ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
+ public async Task SslStream_ResumedSessionsClientCollection_IsMutuallyAuthenticatedCorrect(
+ SslProtocols protocol)
+ {
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ EnabledSslProtocols = protocol,
+ RemoteCertificateValidationCallback = delegate { return true; },
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ // Create options with certificate context so TLS resume is possible on Linux
+ var serverOptions = new SslServerAuthenticationOptions
+ {
+ ClientCertificateRequired = true,
+ ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
+ RemoteCertificateValidationCallback = delegate { return true; },
+ EnabledSslProtocols = protocol
+ };
+
+ for (int i = 0; i < 5; i++)
+ {
+ (SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
+ using (client)
+ using (server)
+ {
+ bool expectMutualAuthentication = (i % 2) == 0;
+
+ clientOptions.ClientCertificates = expectMutualAuthentication ? new X509CertificateCollection() { _clientCertificate } : null;
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
+ client.AuthenticateAsClientAsync(clientOptions),
+ server.AuthenticateAsServerAsync(serverOptions));
+
+ // mutual authentication should only be set if client set certificate
+ Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
+ Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);
+
+ if (expectMutualAuthentication)
+ {
+ Assert.NotNull(server.RemoteCertificate);
+ }
+ else
+ {
+ Assert.Null(server.RemoteCertificate);
+ }
+ };
+ }
+ }
+
+ [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
+ [ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
+ public async Task SslStream_ResumedSessionsCallbackSet_IsMutuallyAuthenticatedCorrect(
+ SslProtocols protocol)
+ {
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ EnabledSslProtocols = protocol,
+ RemoteCertificateValidationCallback = delegate { return true; },
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ // Create options with certificate context so TLS resume is possible on Linux
+ var serverOptions = new SslServerAuthenticationOptions
+ {
+ ClientCertificateRequired = true,
+ ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
+ RemoteCertificateValidationCallback = delegate { return true; },
+ EnabledSslProtocols = protocol
+ };
+
+ for (int i = 0; i < 5; i++)
+ {
+ (SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
+ using (client)
+ using (server)
+ {
+ bool expectMutualAuthentication = (i % 2) == 0;
+
+ clientOptions.LocalCertificateSelectionCallback = (s, t, l, r, a) =>
+ {
+ return expectMutualAuthentication ? _clientCertificate : null;
+ };
+
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
+ client.AuthenticateAsClientAsync(clientOptions),
+ server.AuthenticateAsServerAsync(serverOptions));
+
+ // mutual authentication should only be set if client set certificate
+ Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
+ Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);
+
+ if (expectMutualAuthentication)
+ {
+ Assert.NotNull(server.RemoteCertificate);
+ }
+ else
+ {
+ Assert.Null(server.RemoteCertificate);
+ }
+ };
+ }
+ }
+
+ [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
+ [ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
+ public async Task SslStream_ResumedSessionsCallbackMaybeSet_IsMutuallyAuthenticatedCorrect(
+ SslProtocols protocol)
+ {
+ var clientOptions = new SslClientAuthenticationOptions
+ {
+ EnabledSslProtocols = protocol,
+ RemoteCertificateValidationCallback = delegate { return true; },
+ TargetHost = Guid.NewGuid().ToString("N")
+ };
+
+ // Create options with certificate context so TLS resume is possible on Linux
+ var serverOptions = new SslServerAuthenticationOptions
+ {
+ ClientCertificateRequired = true,
+ ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
+ RemoteCertificateValidationCallback = delegate { return true; },
+ EnabledSslProtocols = protocol
+ };
+
+ for (int i = 0; i < 5; i++)
+ {
+ (SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
+ using (client)
+ using (server)
+ {
+ bool expectMutualAuthentication = (i % 2) == 0;
+
+ if (expectMutualAuthentication)
+ {
+ clientOptions.LocalCertificateSelectionCallback = (s, t, l, r, a) => _clientCertificate;
+ }
+ else
+ {
+ clientOptions.LocalCertificateSelectionCallback = null;
+ }
+
+ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
+ client.AuthenticateAsClientAsync(clientOptions),
+ server.AuthenticateAsServerAsync(serverOptions));
+
+ // mutual authentication should only be set if client set certificate
+ Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
+ Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);
+
+ if (expectMutualAuthentication)
+ {
+ Assert.NotNull(server.RemoteCertificate);
+ }
+ else
+ {
+ Assert.Null(server.RemoteCertificate);
+ }
+ };
+ }
+ }
+
+ private static bool AllowAnyCertificate(
+ object sender,
+ X509Certificate certificate,
+ X509Chain chain,
+ SslPolicyErrors sslPolicyErrors)
+ {
+ return true;
+ }
+
+ private X509Certificate ClientCertSelectionCallback(
+ object sender,
+ string targetHost,
+ X509CertificateCollection localCertificates,
+ X509Certificate remoteCertificate,
+ string[] acceptableIssuers)
+ {
+ return _clientCertificate;
+ }
+ }
+}
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs
index b9917bee216dc..f2b6bb575bd6c 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs
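Review bot: `Dispose` releases `_serverCertificate` and `_clientCertificate` but not `_selfSignedCertificate`, which the constructor also creates; add `_selfSignedCertificate.Dispose();`. In `SslStream_NegotiateClientCertificate_IsMutuallyAuthenticatedCorrect` the check `round >= 0` is always true for the loop variable, so the condition reduces to `server.RemoteCertificate != null`; if the intent was to treat only later rounds as resumed sessions, `round > 0` is what was meant, and as written a client certificate present on round 0 would be accepted as "TLS resumed" instead of failing the un-authenticated assertions. The method-level `[PlatformSpecific(TestPlatforms.Windows | TestPlatforms.Linux)]` is narrowed by the class-level `[PlatformSpecific(TestPlatforms.Windows)]`, so the Linux half never runs; either lift the class attribute or drop Linux from the method. Minor: the `using (client) using (server) { ... };` blocks end with a stray `;`, and the blank line inside the `SslServerAuthenticationOptions` initializer after `EnabledSslProtocols = SslProtocols.Tls12,` looks accidental.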
@@ -72,12 +72,6 @@ public static IEnumerable SslStream_StreamToStream_Authentication_Succ
 [SkipOnPlatform(TestPlatforms.iOS | TestPlatforms.tvOS, "X509 certificate store is not supported on iOS or tvOS.")]
 public async Task SslStream_StreamToStream_Authentication_Success(X509Certificate serverCert = null, X509Certificate clientCert = null)
 {
- if (PlatformDetection.IsWindows10Version20348OrGreater)
- {
- // [ActiveIssue("https://github.com/dotnet/runtime/issues/58927")]
- throw new SkipTestException("Unstable on Windows 11");
- }
-
 (Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
 using (var client = new SslStream(stream1, false, AllowAnyServerCertificate))
 using (var server = new SslStream(stream2, false, delegate { return true; }))
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
index 9175833c8e470..b7f70fcecd57c 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
@@ -76,12 +76,6 @@ public static IEnumerable OneOrBothUseDefaulData()
 [MemberData(nameof(OneOrBothUseDefaulData))]
 public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols? clientProtocols, SslProtocols? serverProtocols)
 {
- if (PlatformDetection.IsWindows10Version20348OrGreater)
- {
- // [ActiveIssue("https://github.com/dotnet/runtime/issues/58927")]
- throw new SkipTestException("Unstable on Windows 11");
- }
-
 using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
 using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
 {
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj b/src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj index 3dc537ad91deb..f92663083b527 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj @@ -27,6 +27,7 @@ + From 4a9016e9619c5090618a40bac07f38031eb6ca23 Mon Sep 17 00:00:00 2001 From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:57:16 -0800 Subject: [PATCH 08/12] Update dependencies from https://github.com/dotnet/emsdk build 20240110.1 (#96760) Microsoft.NET.Workload.Emscripten.Manifest-6.0.100 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.300 , Microsoft.NET.Workload.Emscripten.Manifest-6.0.400 From Version 6.0.26 -> To Version 6.0.26 Co-authored-by: dotnet-maestro[bot] --- NuGet.config | 4 +--- eng/Version.Details.xml | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/NuGet.config b/NuGet.config index c784384ea9b35..847436d514115 100644 --- a/NuGet.config +++ b/NuGet.config @@ -9,9 +9,7 @@ - - - + diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index 4b9b966570f3a..9ed7f95ac7cc5 100644 --- a/eng/Version.Details.xml +++ b/eng/Version.Details.xml @@ -10,15 +10,15 @@ https://github.com/dotnet/emsdk - 5ccc36f5985e2089f47c97a19c250e65ddefd0ba + 5460e2cb3721954528c452d9d32474e4c32b7141 https://github.com/dotnet/emsdk - 5ccc36f5985e2089f47c97a19c250e65ddefd0ba + 5460e2cb3721954528c452d9d32474e4c32b7141 https://github.com/dotnet/emsdk - 5ccc36f5985e2089f47c97a19c250e65ddefd0ba + 5460e2cb3721954528c452d9d32474e4c32b7141 https://github.com/dotnet/wcf From 1fceb54c16a229842fe61674d3759c99c3d7a51f Mon Sep 17 00:00:00 2001 
From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 19:46:55 -0800 Subject: [PATCH 09/12] Update dependencies from https://github.com/dotnet/arcade build 20240109.3 (#96784) Microsoft.DotNet.ApiCompat , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.Build.Tasks.Archives , Microsoft.DotNet.Build.Tasks.Feed , Microsoft.DotNet.Build.Tasks.Installers , Microsoft.DotNet.Build.Tasks.Packaging , Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk , Microsoft.DotNet.Build.Tasks.Templating , Microsoft.DotNet.Build.Tasks.Workloads , Microsoft.DotNet.CodeAnalysis , Microsoft.DotNet.GenAPI , Microsoft.DotNet.GenFacades , Microsoft.DotNet.Helix.Sdk , Microsoft.DotNet.PackageTesting , Microsoft.DotNet.RemoteExecutor , Microsoft.DotNet.SharedFramework.Sdk , Microsoft.DotNet.VersionTools.Tasks , Microsoft.DotNet.XUnitConsoleRunner , Microsoft.DotNet.XUnitExtensions From Version 6.0.0-beta.23620.4 -> To Version 6.0.0-beta.24059.3 Co-authored-by: dotnet-maestro[bot] --- eng/Version.Details.xml | 76 ++++++++++++++++++++--------------------- eng/Versions.props | 30 ++++++++-------- global.json | 12 +++---- 3 files changed, 59 insertions(+), 59 deletions(-) diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index 9ed7f95ac7cc5..4cf93dda42e66 100644 --- a/eng/Version.Details.xml +++ b/eng/Version.Details.xml 
@@ -26,77 +26,77 @@ - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + 
https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 https://github.com/microsoft/vstest @@ -222,9 +222,9 @@ https://github.com/dotnet/xharness dcd239f92887f600f75093d5ffff27b2dfeb034b - + https://github.com/dotnet/arcade - 10336beb8852ba1f98533413f311fcceb5abb141 + e5e9a01e6d0dcde2e945624bc1ba1bc05d2c1fc2 https://dev.azure.com/dnceng/internal/_git/dotnet-optimization diff --git a/eng/Versions.props b/eng/Versions.props index 704071a6fd11c..50b329e69f590 100644 --- a/eng/Versions.props +++ b/eng/Versions.props @@ -42,21 +42,21 @@ 1.1.0-preview.22164.17 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 2.5.1-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 - 6.0.0-beta.23620.4 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 2.5.1-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 + 6.0.0-beta.24059.3 6.0.0-preview.1.102 diff --git a/global.json b/global.json index 98e353db75f07..9f87ed8e140e0 100644 --- a/global.json +++ b/global.json 
@@ -1,21 +1,21 @@ { "sdk": { - "version": "6.0.124", + "version": "6.0.126", "allowPrerelease": true, "rollForward": "major" }, "tools": { - "dotnet": "6.0.124" + "dotnet": "6.0.126" }, "native-tools": { "cmake": "3.16.4", "python3": "3.7.1" }, "msbuild-sdks": { - "Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk": "6.0.0-beta.23620.4", - "Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.23620.4", - "Microsoft.DotNet.Helix.Sdk": "6.0.0-beta.23620.4", - "Microsoft.DotNet.SharedFramework.Sdk": "6.0.0-beta.23620.4", + "Microsoft.DotNet.Build.Tasks.TargetFramework.Sdk": "6.0.0-beta.24059.3", + "Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.24059.3", + "Microsoft.DotNet.Helix.Sdk": "6.0.0-beta.24059.3", + "Microsoft.DotNet.SharedFramework.Sdk": "6.0.0-beta.24059.3", "Microsoft.Build.NoTargets": "3.1.0", "Microsoft.Build.Traversal": "3.0.23", "Microsoft.NET.Sdk.IL": "6.0.0-rc.1.21415.6" From 62c2ce4105e612ab13606fc94a5f9dcd45a8e5f1 Mon Sep 17 00:00:00 2001 From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 19:47:07 -0800 Subject: [PATCH 10/12] Update dependencies from https://github.com/dotnet/xharness build 20231031.3 (#96785) Microsoft.DotNet.XHarness.CLI , Microsoft.DotNet.XHarness.TestRunners.Xunit From Version 6.0.0-prerelease.23455.2 -> To Version 6.0.0-prerelease.23531.3 Co-authored-by: dotnet-maestro[bot] --- .config/dotnet-tools.json | 2 +- eng/Version.Details.xml | 8 ++++---- eng/Versions.props | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json index b4a4cb6770cd5..a5a04609e8a63 100644 --- a/.config/dotnet-tools.json +++ b/.config/dotnet-tools.json @@ -15,7 +15,7 @@ ] }, "microsoft.dotnet.xharness.cli": { - "version": "6.0.0-prerelease.23455.2", + "version": "6.0.0-prerelease.23531.3", "commands": [ "xharness" ] diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index 4cf93dda42e66..0fedcb3cb5ec3 100644 --- a/eng/Version.Details.xml 
+++ b/eng/Version.Details.xml @@ -214,13 +214,13 @@ https://github.com/mono/linker c8499798a2a09639174e2f5c694d6652794cc73d - + https://github.com/dotnet/xharness - dcd239f92887f600f75093d5ffff27b2dfeb034b + 9cffd0b49204fa44c7577fa1a132e39e7cf4d038 - + https://github.com/dotnet/xharness - dcd239f92887f600f75093d5ffff27b2dfeb034b + 9cffd0b49204fa44c7577fa1a132e39e7cf4d038 https://github.com/dotnet/arcade diff --git a/eng/Versions.props b/eng/Versions.props index 50b329e69f590..d020ffab9cb00 100644 --- a/eng/Versions.props +++ b/eng/Versions.props @@ -143,8 +143,8 @@ 1.0.1-prerelease-00006 17.4.0-preview-20220707-01 - 6.0.0-prerelease.23455.2 - 6.0.0-prerelease.23455.2 + 6.0.0-prerelease.23531.3 + 6.0.0-prerelease.23531.3 6.0.0-alpha.0.23518.4 6.0.0-alpha.0.23367.3 2.4.2-pre.9 From d8a274899a398d824b6da9b60fae8a6d48ed5733 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20K=C3=B6plinger?= Date: Fri, 12 Jan 2024 23:19:02 +0100 Subject: [PATCH 11/12] [release/6.0] Disable CI job: Android x64 Release AllSubsets_Mono_RuntimeTests (#96891) It is causing a lot of flaky failures: https://github.com/dotnet/runtime/issues/83422 .NET MAUI is already EOL on 6.0 so disabling the tests is fine. Fixes https://github.com/dotnet/runtime/issues/83422 --- eng/pipelines/runtime.yml | 68 +++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/eng/pipelines/runtime.yml b/eng/pipelines/runtime.yml index 2cc107b62157f..b2a8dd83c50b2 100644 --- a/eng/pipelines/runtime.yml +++ b/eng/pipelines/runtime.yml 
@@ -492,40 +492,40 @@ jobs: # # Build the whole product using Mono for Android and run runtime tests with Android emulator # -- template: /eng/pipelines/common/platform-matrix.yml - parameters: - jobTemplate: /eng/pipelines/common/global-build-job.yml - helixQueuesTemplate: /eng/pipelines/coreclr/templates/helix-queues-setup.yml - buildConfig: Release - runtimeFlavor: mono - platforms: - - Android_x64 - variables: - - ${{ if and(eq(variables['System.TeamProject'], 'public'), eq(variables['Build.Reason'], 'PullRequest')) }}: - - name: _HelixSource - value: pr/dotnet/runtime/$(Build.SourceBranch) - - ${{ if and(eq(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}: - - name: _HelixSource - value: ci/dotnet/runtime/$(Build.SourceBranch) - - name: timeoutPerTestInMinutes - value: 60 - - name: timeoutPerTestCollectionInMinutes - value: 180 - jobParameters: - testGroup: innerloop - nameSuffix: AllSubsets_Mono_RuntimeTests - buildArgs: -s mono+libs -c $(_BuildConfig) - timeoutInMinutes: 240 - condition: >- - or( - eq(dependencies.evaluate_paths.outputs['SetPathVars_runtimetests.containsChange'], true), - eq(dependencies.evaluate_paths.outputs['SetPathVars_mono.containsChange'], true), - eq(variables['isFullMatrix'], true)) - # extra steps, run tests - extraStepsTemplate: /eng/pipelines/common/templates/runtimes/android-runtime-and-send-to-helix.yml - extraStepsParameters: - creator: dotnet-bot - testRunNamePrefixSuffix: Mono_$(_BuildConfig) +#- template: /eng/pipelines/common/platform-matrix.yml +# parameters: +# jobTemplate: /eng/pipelines/common/global-build-job.yml +# helixQueuesTemplate: /eng/pipelines/coreclr/templates/helix-queues-setup.yml +# buildConfig: Release +# runtimeFlavor: mono +# platforms: +# - Android_x64 +# variables: +# - ${{ if and(eq(variables['System.TeamProject'], 'public'), eq(variables['Build.Reason'], 'PullRequest')) }}: +# - name: _HelixSource +# value: pr/dotnet/runtime/$(Build.SourceBranch) +# - ${{ 
if and(eq(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}: +# - name: _HelixSource +# value: ci/dotnet/runtime/$(Build.SourceBranch) +# - name: timeoutPerTestInMinutes +# value: 60 +# - name: timeoutPerTestCollectionInMinutes +# value: 180 +# jobParameters: +# testGroup: innerloop +# nameSuffix: AllSubsets_Mono_RuntimeTests +# buildArgs: -s mono+libs -c $(_BuildConfig) +# timeoutInMinutes: 240 +# condition: >- +# or( +# eq(dependencies.evaluate_paths.outputs['SetPathVars_runtimetests.containsChange'], true), +# eq(dependencies.evaluate_paths.outputs['SetPathVars_mono.containsChange'], true), +# eq(variables['isFullMatrix'], true)) +# # extra steps, run tests +# extraStepsTemplate: /eng/pipelines/common/templates/runtimes/android-runtime-and-send-to-helix.yml +# extraStepsParameters: +# creator: dotnet-bot +# testRunNamePrefixSuffix: Mono_$(_BuildConfig) # # Build Mono and Installer on LLVMJIT mode From e3500b8e8ad18e8bf067dc5250863b64bb8f0de0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 10:24:38 -0800 Subject: [PATCH 12/12] Disable implicit rejection for RSA PKCS#1 (#95218) Co-authored-by: Kevin Jones --- .../RSA/EncryptDecrypt.cs | 49 +++++++++++++++---- .../opensslshim.h | 6 +++ .../pal_evp_pkey_rsa.c | 13 +++++ 3 files changed, 58 insertions(+), 10 deletions(-) diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs index e72d42e87d217..55a044d62a695 100644 --- a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs +++ b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs 
@@ -338,19 +338,10 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc Assert.Equal(TestData.HelloBytes, output); } - [ConditionalFact] + [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))] [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)] public void RoundtripEmptyArray() { - if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6)) - { - throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data."); - } - if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0)) - { - throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data."); - } - using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params)) { void RoundtripEmpty(RSAEncryptionPadding paddingMode) @@ -701,6 +692,26 @@ public void NotSupportedValueMethods() } } + [ConditionalTheory] + [InlineData(new byte[] { 1, 2, 3, 4 })] + [InlineData(new byte[0])] + public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data) + { + if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption) + { + throw new SkipTestException("Platform does not support RSA encryption of empty data."); + } + + using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params)) + { + byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1); + encrypted[1] ^= 0xFF; + + // PKCS#1, the data, and the key are all deterministic so this should always throw an exception. + Assert.ThrowsAny(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1)); + } + } + public static IEnumerable OaepPaddingModes { get 
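Review bot: The comment above the assertion in Decrypt_Pkcs1_ErrorsForInvalidPadding says PKCS#1, the data and the key are all deterministic, but PKCS#1 v1.5 encryption pads with random bytes, so `encrypted` differs on every run and the corrupted ciphertext decrypts to an unpredictable value; the test is therefore correct only with high probability, since a random plaintext can by chance carry a well-formed 0x00 0x02 … 0x00 header (an event on the order of 2^-16, if my reading of EME-PKCS1-v1_5 is right). I would reword it to `// PKCS#1 v1.5 padding is randomized, so the corrupted ciphertext decrypts to an unpredictable value; it forms valid padding only with negligible (~2^-16) probability, so this should always throw.` A fully deterministic variant would build the ciphertext by exponentiating a known-malformed padded block with the public key (BigInteger.ModPow over Modulus/Exponent from ExportParameters) instead of flipping a byte of a random encryption, which also lets the test pin the specific exception type rather than ThrowsAny.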
@@ -715,5 +726,23 @@ public static IEnumerable OaepPaddingModes } } } + + public static bool PlatformSupportsEmptyRSAEncryption + { + get + { + if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6)) + { + return false; + } + + if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0)) + { + return false; + } + + return true; + } + } } } diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h index dad18ebd9a1eb..050df1193ff02 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h @@ -272,8 +272,10 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void); REQUIRED_FUNCTION(ERR_peek_error) \ REQUIRED_FUNCTION(ERR_peek_error_line) \ REQUIRED_FUNCTION(ERR_peek_last_error) \ + REQUIRED_FUNCTION(ERR_pop_to_mark) \ FALLBACK_FUNCTION(ERR_put_error) \ REQUIRED_FUNCTION(ERR_reason_error_string) \ + REQUIRED_FUNCTION(ERR_set_mark) \ LIGHTUP_FUNCTION(ERR_set_debug) \ LIGHTUP_FUNCTION(ERR_set_error) \ REQUIRED_FUNCTION(EVP_aes_128_cbc) \ @@ -328,6 +330,7 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void); REQUIRED_FUNCTION(EVP_PKCS82PKEY) \ REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \ REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \ + REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \ REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \ REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \ REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \ 
@@ -725,8 +728,10 @@ FOR_ALL_OPENSSL_FUNCTIONS #define ERR_peek_error_line ERR_peek_error_line_ptr #define ERR_peek_last_error ERR_peek_last_error_ptr #define ERR_put_error ERR_put_error_ptr +#define ERR_pop_to_mark ERR_pop_to_mark_ptr #define ERR_reason_error_string ERR_reason_error_string_ptr #define ERR_set_debug ERR_set_debug_ptr +#define ERR_set_mark ERR_set_mark_ptr #define ERR_set_error ERR_set_error_ptr #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr @@ -780,6 +785,7 @@ FOR_ALL_OPENSSL_FUNCTIONS #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr +#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c index 36924abb50581..c3e491a868f5e 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c 
@@ -63,6 +63,19 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const { return false; } + + // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding. + // If the padding is invalid, the decryption operation returns random data. + // See https://github.com/openssl/openssl/pull/13817 for background. + // Some Linux distributions backported this change to previous versions of OpenSSL. + // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid. + ERR_set_mark(); + + EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0"); + + // Undo any changes to the error queue that may have occured while configuring implicit rejection if the + // current version does not support implicit rejection. + ERR_pop_to_mark(); } else {
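Review bot: Forcing rsa_pkcs1_implicit_rejection to 0 in ConfigureEncryption reinstates the observable distinction between a padding failure and a successful decrypt that OpenSSL's implicit-rejection mode exists to hide (the Bleichenbacher padding-oracle condition for PKCS#1 v1.5), and the added comment explains the mechanism but not that trade-off or why it is accepted. I would add, before the `ERR_set_mark();` line, `// NOTE: turning implicit rejection off makes PKCS#1 v1.5 decryption a padding oracle again; accepted so the managed Decrypt fails consistently across OpenSSL versions. Callers needing side-channel resistance should use OAEP.` The result of EVP_PKEY_CTX_ctrl_str is discarded, so an unsupported or failed ctrl is indistinguishable from success; if best-effort is intentional, saying so is fine, but capturing it (`int ret = EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");`) and asserting `ret > 0 || ret == -2` in debug builds would catch a silently misapplied setting on versions that do expose the option (the exact return code for an unknown ctrl name on 3.0/3.1 should be checked before relying on -2). Also `occured` → `occurred` in the second comment. ConfigureEncryption begins outside the hunk; the visible `}`/`else` suggests the new code sits in the PKCS#1 branch, which the hunk does not show.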