| Age | Commit message (Collapse) | Author |
|---|
|
* Implement NegotiateAuthentication.Wrap/Unwrap/UnwrapInPlace APIs
Updated unit tests
Migrate System.Net.Mail to use NegotiateAuthentication API
* Implementation of extended protection policy and impersonation in NegotiateAuthentication
|
|
(#71440)
* Fix tests by setting IlcTrimMetadata to false
* Disable linux failures
|
|
(#71373)
* Implement NTLM quirk in NegotiateStreamPal.Encrypt/Decrypt
NegotiateStream on non-encrypted connections with NTLM sends the
messages in a special `<signature token><plain text message>` format.
That's not something that gss_wrap/gss_unwrap would produce. It can be
produced through gss_get_mic/gss_verify_mic calls though so let's do
that.
* Remove MakeSignature/VerifySignature from SspiCli interop
The method names were misleading since they wrapped the EncryptMessage
and DecryptMessage native APIs and not the MakeSignature/VerifySignature
APIs that also exist.
* Remove unused sequenceNumber parameters in NegotiateStreamPal.Encrypt/Decrypt
The SSPI / GSSAPI providers keep track of the sequence numbers
themselves.
* Replace NTAuthentication.MakeSignature/VerifySignature with Wrap/Unwrap
This maps directly to the semantics of gss_wrap/gss_unwrap methods
that are used in many specifications. It replaces the misleading name
which in SSPI API is an equivalent of gss_get_mic/gss_verify_mic.
It also fixes the declaration to actually decode the buffers both
on Windows and Unix. In NTLM the content of the message is sealed
and needs to be decoded.
Note that previously on Unix the VerifySignature API didn't decode the
content. On Windows it did decode the content inside a buffer that was
passed as ReadOnlySpan<byte> but it didn't communicate back the offset
of the decoded data.
The SMTP GSSAPI authentication code was thus reading incorrect data.
In case the underlying authentication was Kerberos the data were
not encrypted and they were located at the beginning of the buffer
so it was not an issue. In case the underlying authentication was
NTLM it was looking at the NTLM signature token which luckily
happens to always start with the bytes 01 00 00 00. That exactly
matched the expected value by accident.
* Fix processing of last SMTP GSSAPI token
The last token in the GSSAPI SASL authentication mechanism is a bit
mask that specifies the supported security protections offered by the
server and the maximum token size. The client is supposed to choose
one of the protections and reply back. Relax the check to actually
support servers that offer anything but "no protection". As long
as the server also offers no protection we can choose it.
* Update unit test to use the new Wrap/Unwrap APIs
* Reset NTLM keys after successful Negotiate authentication
Updated the managed NTLM implementation and the fake servers to
implement the specification quirk:
MS-SPNG section 3.2.5.1 NTLM RC4 Key State for MechListMIC and First
Signed Message specifies that the RC4 sealing keys are reset back to
the initial state for the first message.
Since the managed implementation doesn't expose encryption yet it
didn't affect any observable behavior. Likewise the fake servers
didn't need this code path yet.
* Add GSSAPI authentication test to the loopback SMTP server
* Workaround for https://github.com/gssapi/gss-ntlmssp/issues/77
* Expose the confidentiality flag from the native gss_wrap/unwrap APIs
* Allow default credentials for NTLM server-side on Linux/macOS
|
|
* Reduce buffer allocations during NTLM/Negotiate authentication
* Update ReadWriteAdapter.WriteAsync prototype to use Memory<byte> instead of explicit offset/count
* Spanify NTAuthentication.Decrypt and avoid couple of offset/count checks
* Spanify NegotiateStreamPal.VerifySignature/MakeSignature.
Remove indirect Encrypt/Decrypt layer from SSPIWrapper, it is unnecessarily cumbersome to use and SslStreamPal already migrated away from it.
* Update src/libraries/Common/src/System/Net/NTAuthentication.Common.cs
Co-authored-by: Stephen Toub <stoub@microsoft.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
|
|
* WIP: Add implementation of NegotiateAuthentication
Switch System.Net.Http to use NegotiateAuthentication
Fix IsCompleted in managed NTLM implementation
* WIP: Update error code mapping
* Spanify input of GetOutgoingBlob
* Update comments
* Move NegotiateStreamPal.Encrypt/Decrypt to shared sources. Unix implementation already had them and they get trimmed anyway.
* Revert accidental change
* Build fixes.
* Fix error handling condition
* Update error mapping based on HttpListener usage.
* WIP: HttpListener test
* Move workaround from HttpListener to low-level SSPI code
* Fix build
* Clean up
* Revert "WIP: HttpListener test"
This reverts commit 18d7d93f04c93e048efcaca0f3c55c3f1f73516a.
* Convert System.Net.Http.FunctionalTests to use NegotiateAuthentication instead of NTAuthentication
* Dispose the identity along NegotiateAuthentication
* Modify unit tests to use the new API
* Add exceptions for invalid inputs/states
* Remove tvOS unsupported marker, managed NTLM is used on tvOS
* Apply suggestions from code review
Co-authored-by: Stephen Toub <stoub@microsoft.com>
* Fix typo
* Remove reference equality checks from IsNTLM/IsKerberos
* Remove NTAuthentication.AssociatedName to make it more obvious which exceptions are thrown
* Add comment
* Add more tests, handle unsupported protocols
* Handle NotSupportedException from NTAuthentication constructor
* Add workaround for linker issue
* Apply suggestions from code review
Co-authored-by: Stephen Toub <stoub@microsoft.com>
|
|
(#70630)
* Add end-to-end test for NTLM/Negotiate authentication against fake server
* Simplify the test since HttpClientHandler is always SocketsHttpHandler for the test environment
* Fix test condition
* Remove extra comment
|
|
* Add fake server test for Negotiate authentication.
Fix incorrect computation of IsCompleted in managed NTLM implementation.
* Fix tests on Windows (raw NTLM disguised as Negotiate)
* Get the Negotiate test passing on Linux with all the MIC checks
|
|
|
|
* Use u8 in more places
Primarily replacing Encoding.UTF8/ASCII.GetBytes("literal") with "literal"u8.ToArray()
* Address PR feedback (and fix some vars)
|
|
* Update Roslyn to pick up recent features
* Replace a straggling !!
* Fix now erroneous use of u8
* Disable several generic math tests
|
|
|
|
* Add NTLM MakeSignature test, fix the output on Linux
* Add test for VerifySignature, make it working on macOS
* Use utf-8 string literals
|
|
* refactor SslStream internals
* fix validation and certs
* update fakes
* feedback from review
|
|
(#65611)
* Add basic NTLM fake server to test NTAuthentication round-trip scenarios
* Treat MIC as optional on Linux
* Add guard for IsNtlmInstalled
* Add comments; add protocol exchange example from NTLM specification
* Test both correct and incorrect credentials
* Check the SPN sent by client
* Replace NtlmAssert with regular Xunit Assert to get better messages
* Tweak algorithm for calculating flags in CHALLENGE_MESSAGE, add support for OEM encoding
* Set the NegotiateTargetInfo on CHALLENGE_MESSAGE; relax the check for Linux due to a bug in gss-ntlmssp
* Remove duplicate implementation of RC4.
* Fix paths.
* Rename EnableDllImportGenerator to EnableLibraryImportGenerator.
|
|
* Move MD4 implementation into Common/src/System/Net/Security
* Add minimal RC4 implementation
* WIP: Integrate managed Ntlm implementation into SocketsHttpHandler
Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
* WIP: Makeshift tests for NTLM/Negotiate authentication
* Fix compilation, clean up some of the hashing
* Avoid using a temporary buffer
* Add computation of signing keys, sealing keys and mechListMIC
* Various cleanups
* Send SPN in target information
* Add some validation, mark spots with missing validation
* Clean up some of the memory offset manipulation
* Move NTLM version into static variable
* Add support for channel bindings, clean up
* Fix hash calculation in makeNtlm2Hash accidentally broken with last commit.
Read NegTokenResp explicitly.
Add mechListMIC reading and verification.
* Verify last authentication token in HTTP Negotiate authentication
* Address feedback
* Fix tvOS builds by making few methods static
* Enable System.Net.Security tests on Android and iOS
Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
Co-authored-by: Steve Pfister <steve.pfister@microsoft.com>
|
|
obsolete (#66292)
Fixes #65545
|
|
(#65777)
Fixes #65547
|
|
interface methods (#65239)
* Use static abstract interface methods in Ssl/NegotiateStream adapters
* Remove unnecessary argument from a bunch of methods
It's only used to add duplicative information to an exception message, and in doing so it makes the async methods it's used in more expensive.
|
|
* Don't use Targets* helper properties in libs projs
This change makes it possible to migrate 200+ (ref+src) projects to use
TargetFramework instead of TargetFrameworks which avoids the additional
outer build evaluation and invocation which ultimately makes the overall
build faster.
Targets* properties (i.e. TargetsWindows, TargetsAnyOS, TargetsUnix,
etc.) rely on the TargetFramework property which usually are set
inside a project. The TargetFramework property is only
available before a project specifies it if it's explicitly set in a props
file or if the project is cross-targeting and the outer-build dispatches
into the inner-build. During the dispatch, the TargetFramework property
is passed in as a global property.
Until now that behavior wasn't a problem because every libraries project
cross-targeted (by setting the TargetFrameworks property) even though
many only include a single TargetFramework (i.e. NetCoreAppCurrent).
To allow projects to use the TargetFramework property instead of
TargetFrameworks, the Targets* helper properties can't be calculated
anymore early in a props file as the TargetFramework property isn't set
at that time.
In general, the guidance by the SDK/msbuild team is to not read from the
TargetFramework property before the project sets it
(in a property group). That effectively means that the TargetFramework
property shouldn't be used in props files at all.
Therefore these helper properties can't be used anymore for property
conditions and I'm replacing their usage with TargetPlatformIdentifier
comparisons for both properties and items.
In nearly all cases, the Targets* helper properties can be replaced with
TargetPlatformIdentifier checks on items and in the few cases where
TargetsUnix or TargetsLinux marks multiple tfms as compatible, the exact
tfms must be used instead for the TargetPlatformIdentifier comparison.
Whenever a project needs to condition properties on the platform, I'm
first setting the TargetPlatformIdentifier the same way the SDK sets it
so that the SDK later doesn't need to set it again to avoid the
additional expensive msbuild function call.
* Use TargetFramework singular to avoid outer builds
Use TargetFramework instead of TargetFrameworks property whenever a
projects only targets a single target framework. This avoid unnecessary
outer builds and evaluations and makes the build faster.
|
|
The two buffers have been merged together since they are never used in parallel (i.e. receciving appdata is not allowed during renegotiation etc.).
|
|
Porting MD4 managed implementation from mono/mono (MD4.cs and MD4Managed.cs).
It adds:
- an internal class in the System.Net.Security with a single HashData method for now;
- a set of related MD 4 unit tests to System.Net.Security.Unit.Tests project.
|
|
* Add SslApplicationProtocol.Http3
Fix #1293
* Add XML doc
* Reuse in Http3Connection
* Reuse in tests
* HTTP/3 has no negotiation
* Use SslApplicationProtocol.Http3.ToString() in tests
* Ascending order in ref
|
|
* Update System.Net.Security Telemetry tests
* Always return Task from ProcessAuthenticationAsync
* Name bool arguments
Co-authored-by: Stephen Toub <stoub@microsoft.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
|
|
* initial prototype
* Restore TLS 1.2 renegotiation
* First windows functionality merge
* reenable client certificate
* Add more renegotiate tests
* Remove client certificates
* Cleanup
* add test log
* Apply PR comments
* Add Data frame test
* Add drain buffer test
* Fix tls 1.3 incomming app data frame
* Restore verify callback
* Remove debug log
* Remove keylog callback and unused method
* Fix test build
* Attempt to fix openssl version api difference
* Sort shim
* fix build
* CI log
* Restore mac tests
* Add logs
* fix test runs on old openssl
* fix tests
* fix w7 condition
* feedback from review
Co-authored-by: wfurt <tweinfurt@yahoo.com>
|
|
|
|
* add NegotiateClientCertificateAsync support on Windows
* feedback from review and test update
* throw on data during renegotiation
* disable NegotiateClientCertificateAsync on Win7
* feedback from review
* use Interlocked.Exchang instead of CompareExchange
* add trace message
|
|
We have a bunch of test assemblies that don't make sense on some platforms, e.g. Browser.
Right now we're skipping them via `[SkipOnMono("reason", TestPlatforms.Browser)]` but there's nothing that inherently ties this to Mono other than the current implementation.
The more generic `SkipOnPlatform` attribute can be used instead.
We can also use it in places where we do `[PlatformSpecific(~TestPlatforms....)]` to avoid the double inversion.
|
|
This allows us to reuse the existing iOS build configs since we don't have MacCatalyst-specific logic yet.
|
|
Initial support for Mac Catalyst for mono subset. This enables building runtime packs and working jobs, but right now the `tests` subset needs some work to allow library test runs in CI
|
|
of the sdk for platform specific tfms. (#43651)
* eng change
* coreclr change
* libraries change
* tests change
* installer & mono change
* py files changed
* .md change
* .yml change
* remove redundant targetos property
* Windows_NT -> windows after ninja change
* fixing runtime build failure
|
|
(#43968)
* Add Stream argument validation helpers and use throughout dotnet/runtime
* Delete unnecessary code in Stream
Stream.Null was using BlockingBegin/EndRead/Write, but the operations are nops (they don't even do argument validation), so the functionality was unnecessary complication. We can just use TaskToApm instead, with already completed tasks, and then also delete the SynchronousAsyncResult that was used by these operations.
Also, the Begin/EndRead/Write methods were checking CanRead/Write and throwing if they return false, but this is a private sealed type with CanRead/Write hardcoded to return true! Delete.
Finally added consistency across Stream.Null to checking for cancellation.
* Clean up some style on Stream
Also consolidate a few resources and use a few existing ThrowHelpers where appropriate.
* Fix a few issues, and remove duplicative tests missed in conformance tests rollout
* Address PR feedback
|
|
* Remove unused locals in System.Net.HttpListener
* Remove unused local in System.Net.Requests
* Remove unused locals and methods in System.Net.Security
|
|
(#40110)
* include more details in exception if remote certificate validation fails
* fix unit test linking
* feedback from review
* update exception message
|
|
- Remove depprojs which currently binplace external references into the RefPath folders in favor of PackageReference and PackageDownload items.
- Build all configurations by default when building an individual project (either on the CLI or inside VS) same as with the official SDK. This enables .NETFramework Test Explorer support.
- Centrally define libraries that compose the shared framework instead of in each Directory.Build.props file to be able to build the targeting pack first and consume it in the OOB libraries.
- Use ProjectReferences to reference OOB projects. Compile against the reference assembly but use the implementation assembly app-local during runtime.
- Remove OOBs from the testhost and remove the testhost folder for .NETFramework as it isn't required anymore.
- Only binplace for $(NetCoreAppCurrent) to compose a) the targeting pack, b) the runtime pack, c) the testhost, d) a full closure for the shims.
- Use Targeting Packs for OOB projects (with their implicit assembly references) but still explicitly define granular references for .NETCoreApp configurations (DisableImplicitAssemblyReferences switch). Use the implicit targeting pack references in some Microsoft.Extensions.* cases.
- Remove placeholder configurations as they aren't needed anymore with explicit P2Ps vs Targeting Pack references.
- Remove implicit assembly references (ie for .NETFramework, mscorlib)
- Remove AssemblySearchPath hacks that were introduced with b7c4cb7 as the targeting pack is now used by default.
- Reduce unnecessary .NETFramework configurations that were added to run tests in favor of the already existing ref&src configurations.
- Stop hardcoding the paths for wasm assemblies and use the returned TargetPath of the ProjectReferences.
- Addressed formatting (ItemGroups, References at the bottom of the project file, ordering of references, use LibrariesProjectRoot instead of a relative path, unnecessary AssemblyName and RootNamespace properties which are identical to the project name, ordering of tfms)
- Revert "fix clean (#33758)"
|
|
Co-authored-by: Alexander Köplinger <alex.koeplinger@outlook.com>
|
|
|
|
Fixes https://github.com/dotnet/runtime/issues/38559
|
|
* initial support for SslStreamCertificateContext
* update openssl pal
* feedback from review
* fix unit tests
* fix platforms
* update ref
|
|
* add TargetHostName to SslStream
* fix unit tests
* feedback from review
|
|
* [libraries] Add IsThreadingSupported
* [libraries] Add IsThreadingSupported attribute to failing wasm tests
* [libraries] Add IsObdcNotAvailableAndThreadingSupported property to DependencyCheckTest
* [libraries] Include system namespace in RedactedLogValueIntegrationTest and fix DependencyCheckTest ConditionalFact
* [libraries] Revert System.Console IsThreadingSupported changes
* [libraries] Remove IsThreadingSupported attribute from EncodingCodePages
Co-authored-by: Mitchell Hwang <mitchell.hwang@microsoft.com>
|
|
* improve corelation for EventSource events in SslStream
* fix UnitTests build
* feedback from review
* add line
* add missing reference
Co-authored-by: Tomas Weinfurt <furt@Shining.local>
|
|
* Rewrite NegotiateStream.Read/Write* operations with async/await
Gets rid of a bunch of IAsyncResult cruft and makes the XxAsync APIs cancelable.
* Combine NegoState into NegotiateStream
* Rewrite AuthenticateAs* with async/await
* Add more NegotiateStream tests
Including for cancellation and a product fix to enable cancellation.
* Update ref with overrides
* Remove custom IAsyncResults from System.Net.Security
* Fix UnitTests project
|
|
* Change <Link>...</Link> to Link="..."
* Format existing Link="..."
|
|
This adds support for iOS using the Mono runtime to the build system.
|
|
* annotate System.Net.Security for nullable reference types
* address task nullability issue
* add nullable directives to common files
* address feedback
* add missing nullable directive
* make ProcessAuthentication method explicitly nullable
* fix build after rebase
* add missing nullable directives to common source files
* fix build
* fix build
* make APM method annotations consistent
* address feedback
* address feedback
* address feedback
* address feedback
* address feedback
* fix rebase build issues
|
|
* use proper IO in ssl handshake
* fix UnitTests/Fakes
* feedback from review
* rename adapters to SyncSslIOAdapter and AsyncSslIOAdapter
* feedback from review
|
|
* Unify int to hexadecimal char conversions
This replaces about 7 different implementations with a single version
|
|
multiple frameworks (#31948)
* Vy Default show windows targetFramework file in VS
* doing same thing for freebsd Linux netbsd and osx
* missing tag
|
|
* libraries -restore for vertical build without test restore
* Automatic test change and regex to remove the addition of an extra line at eof
* manual test restore fixed (restore completely done for vertical build)
* build native done
* Automatic ref change and regex to remove the last line
* manual reference assebly change and generated shims build
* automatic src change and regex
* native bin place and src build manual change
* apicompat and pretest.csproj done
* fixing the package build
* fixing all config
* packaging and feedback
* adding back placeholder configuration
* fixing the shims
* delete configuration.props
* making the build work in master
* Test Change
* fixing the packageing, test restore replacing TargetFramework -> OriginalTargetFramework
* delete test configuraiton.props, trailing semicolon and use targetFramework
* reverting the package change
* enable apicompat and fixing configurationGroup for individual projects
* fixing the api compat
* making ilproj work
* adding the outerBuildTest
* adding the arcade package version
* fixing the merge conflicts
* minor changes
* adding additional configs and setting the runtimeOS
* making the vs stuff work
* removing the target Group to fix the apicompat
* fixing the linux build and some minor changes
* making additionalBuildTargetFramework LOcalProperty
* fixing the allConfigurations build
* fixing the netfx build
* fixing package Testing and restore
* Missing TargetFrameworks tag
* making the VSdesgin stuff work
* Remove OriginalFramework Entirely
* some minor pr feedback
* RemoveExtraSemicolon
* use boolean exclude flag
* fixing yml scripts to pass tests
* adding comments and some minor feedback
* moving packaging property to correct plave
* fixing the build for web assembly
* Fixing the live ci build
* Fixing the live build for shims
* fixing the tests
* fixing the packaging and enterprise linux
* fixing package sizes
* Fix the targetFramework
* updating the targetFramework sdl
* removing the buildOS and be able to use OSGroup as done in the old system
* Fixing the osgroup stuff for send to helix task
* Fix OSX failures
* Fixing the osx build
* uploading tmp folder to artifacts
* running restore for runtime.deproj correctly
|
|
* Delete unnecessary ClsCompliant
* Merge System.Diagnostics.Tools\src into CoreLib
* Merge System.Security.Pricipal\src into CoreLib
* Delete System.IO.UnmanagedMemoryStream\ref\System.IO.UnmanagedMemoryStream.cs
* Delete System.Reflection\ref\System.Reflection.cs
* Delete System.Threading.Timer\src\ApiCompatBaseline.uapaot.txt
* Delete System.Buffers\src\Resources\Strings.resx
* Merge System.Buffers\ref into System.Runtime
* Merge System.Diagnostics.Debug\ref into System.Runtime
* Delete *\MatchingRefApiCompatBaseline.txt
* Merge System.Diagnostics.Tools into System.Runtime\ref
* Merge System.Resources.ResourceManager into System.Runtime\ref
* Cleanup System.IO.* project references
* Cleanup System.Reflection project references
* Cleanup System.Runtime.Handles project references
* Merge System.Threading.Thread\src into CoreLib
* Merge System.Threading.Timer\ref into System.Runtime
* Merge System.Threading.Tasks\ref into System.Runtime
|
