(#17751)
If `byte[] data` has additional data at the end `Decode` will try to parse it and will generate incorrect tags or throw an exception. This fix makes `Decode` to use only `nLength` bytes from `byte[] data`.
### Overview
After the removal of the Legacy TLS Provider, we can make some cleanups and improvements to the `SslStream` class. Since both the remaining providers use the internal `MobileAuthenticatedStream` and support Task-async code, we can get rid of some of the Begin/End async logic and let the underlying `Stream` class handle it instead.
This also fixes a nasty issue with some of those task objects leaking unobserved exceptions. The problem was that `SslStream.Dispose()` needs to clear out all resources, but in doing so also nulls out the `Impl` handle to the `MobileAuthenticatedStream` - so a subsequent `End*()` call will not reach its corresponding `TaskToApm.End()` method.
There are also some cleanups in the internal APIs that were only ever used internally and not intended for public consumption.
### Mono.Security.dll
* `Mono.Security.Interface`: removed internal `ICertificateValidator2` interface.
* `Mono.Security.Interface.IMonoSslStream`: this internal interface is only used by the web-tests, which only use it as a way to get the `SslStream` instance, so all those `Begin/End` async methods are now gone.
* `Mono.Security.Interface.IMonoSslStream2`: removed another internal interface.
* `Mono.Security.Interface.MonoTlsProvider`: removed some `internal abstract` methods; these have been moved into a new `Mono.Net.Security.MobileTlsProvider` inside `System.dll`.
### System.dll
* `Mono.Net.Security.MobileTlsProvider`:
New abstract internal base class, which received the aforementioned abstract internal methods. The naming is such to make it consistent with the already existing `MobileTlsContext` and `MobileAuthenticatedStream`.
Since both `AppleTlsProvider` and `BtlsProvider` now have an abstract internal base class inside `System.dll`, they can use the `ChainValidationHelper` class directly and we can also avoid some `Mono.Security` dances like for instance that `MonoSslPolicyErrors` enum.
This will also help make the code easier to read and maintain.
* `Mono.AppleTls.AppleTlsProvider` and `Mono.Btls.MonoBtlsProvider`: change base class into `MobileTlsProvider` and reflect above mentioned overload changes.
* `Mono.AppleTls.AppleCertificateHelper`: use `ChainValidationHelper` as well.
* `Mono.Net.Security.ChainValidationHelper`: only implement `ICertificateValidator`.
The `ICertificateValidator` interface is still required because it is in use by the web-tests, but the previous `ICertificateValidator2` was an internal dance.
* `Mono.Net.Security.MobileAuthenticatedStream`: largely cleaned up this class.
- we now implement the current slimmer version of `IMonoSslStream`.
- moved all those overloads into `SslStream` that only fill in default values for some of their arguments and then call another overloaded version of their own.
- removed lots of `Begin/End` methods that are not used anymore.
* `Mono.Net.Security.MonoTlsProviderFactory`: use `MobileTlsStream` everywhere.
* `Mono.Net.Security.MonoTlsStream`: cleanup `SslStream` creation logic; instead of going through `provider.CreateSslStream()`, we can now use an internal constructor directly, thus avoiding the `IMonoSslStream` interface while also making the code a lot easier to read and understand.
* `System.Net.Mail.SmtpClient`: same here.
* `System.Net.HttpWebRequest`: use `MobileTlsProvider`.
* `System.Net.Security.SslStream`: largely cleaned up this class.
- we now use `MobileAuthenticatedStream` directly instead of the `IMonoSslStream` interface and therefore could also get rid of `IMonoSslStream2`.
- cleanup constructor logic to allow the internal constructor being used with a `MobileTlsProvider` instead of going through `provider.CreateSslStream()`.
- all those overloads that are only filling in default values for some of their arguments before calling another overloaded version of their own now live here instead of in the `MobileAuthenticatedStream` class. The reason is simply that `MobileAuthenticatedStream` is already quite a complex and difficult class, and removing some of that complexity out of it will make it easier to understand.
- handle the `TaskToApm.Begin()` / `TaskToApm.End()` here to ensure that we are not leaking any task objects with unobserved exceptions.
- removed `BeginRead()` and `BeginWrite()` overloads to let the underlying `Stream` class handle these.
* Bump API snapshot submodule
* [csproj] Update project files
* `MonoTlsProviderFactory` now treats "legacy" as an alias for "default".
* `Mono.Net.Security/LegacySslStream`: Removed. This class also wasn't using the `MobileAuthenticatedStream` base class, thus preventing cleanups and simplifications in that area.
* `Mono.Net.Security/LegacyTlsProvider`: Removed.
* `Mono.Security/Mono.Security.Protocol.Tls*`: Removed all the old legacy code.
* `Mono.Security.Interface.MonoTlsProviderFactory`: Bump internal version to 4.
* [System.Net.Http] Clean up HttpMessageHandler setup
to avoid reflection and not to be recursive
Superseded #15051 and #15922
* [csproj] Update project files
(#14210)
This change allows a number of games, such as DARK, to start successfully. The games use X509Certificate.CreateFromSignedFile() to load the certificate from their assemblies in order to verify them.
* Added support for creating an AuthenticodeDeformatter for an assembly
that has been loaded into memory
* Allow importing a certificate from an assembly signed with authenticode
when using BTLS
* Allow importing a certificate from an assembly signed with authenticode
when not using BTLS
* Added a test for loading certificates from assemblies signed with
authenticode
Add support to run full interpreter test suite on CI for Windows x64 Full AOT.
Since Windows x64 Full AOT uses a different full AOT profile WinAOT a separate
testing profile was setup for the interpreter testing. NOTE, this profile is
pure for testing, inline with the other testing profiles. It is also reusing
most of its sources from other sources files (mainly WinAOT) to reduce maintenance
of the profile.
Commit also includes some smaller adjustments needed in order to get full
pass rate for Windows x64 Full AOT + Interpreter on CI.
Use example.com and example.org instead.
Fixes https://github.com/mono/mono/issues/14585
Note that not all of the things I replaced make an actual network request but I thought it'd be nice to be consistent.
* [monodroid] Introduce 'win32 host' BCL build
* [sdks] Add _bcl_$(1)_BUILD_FLAGS variable to BclTemplate build step
Allows Android SDK on Windows to pass PROFILE_PLATFORM=win32
* [sdks] Pass _bcl_$(1)_BUILD_FLAGS when building the tests, too
* Copy test source exclusion files from the general monodroid profile
Apparently we don't fall back to the general exclusion sources for tests if the platform-specific exclusion file does not exist.
* Also add win32 copies of the nunit exclude files:
  # Constructed with the following shell loop; variables are quoted so paths with spaces are handled
  files=$(find . -name "monodroid*_test*exclude.sources")
  for file in $files
  do
    name=$(basename "$file")
    pushd "$(dirname "$file")"
    cp "$name" "win32_$name"
    git add "win32_$name"
    popd
  done
* [csproj] Update project files
They can be used with native line endings.
We now have a shared folder with the dotnet repos and they have CRLF normalization enabled.
This difference leads to conflicts while applying changes from the dotnet repos to mono.
linker-friendly. (#13204)
* Add new internal `CryptoConvert.TryImportCapiPrivateKeyBlob()` method that's using `RSAManaged` directly to make it more linker-friendly.
* Also add new internal `CryptoConvert.TryImportCapiPublicKeyBlob()`.
* Use it in `AssemblyName.IsPublicKeyValid`.
linker-friendly." (#13202)
This reverts commit ef7e64a5beb6d6ccc4e44f0dedfd65550e7dbbab.
* [ci] Add new mode of execution for nunit tests on Android
This makes it possible to run the `nunit-lite-console.exe` on the host, while the tests still run on the device. This makes it transparent wherever the tests are running, giving us a seamless integration with the existing infrastructure based around nunit.
* [android] Fix System.Net.Http test suite
* [android] Fix System.ServiceModel.Web test suite
* [android] Fix Mono.Security test suite
* fixup! [ci] Add new mode of execution for nunit tests on Android
* [ci] Disable failing tests
* [csproj] Update project files
* Add new internal `CryptoConvert.TryImportCapiPrivateKeyBlob()`
method that's using `RSAManaged` directly to make it more
linker-friendly.
* Use it in `AssemblyName.IsPublicKeyValid`.
These tools were using the obsolete `Mono.Security.Protocol.Tls` code
(Legacy TLS), which is scheduled for removal.
Enable SHA256, SHA384 and SHA512 hash algorithms to be used for
Authenticode signatures. This enables producing digital signatures that
are trustworthy using the `mono` tooling.
Fixes #7517
* [interp] Enable System.Data tests on fullaotinterp
* [csproj] Update project files
We aot only the bcl (--aot=full,interp) while the test code is interpreted.
override it (#10429)
* Move the PreBuild dependency property later in the file so targets can't override it
* [csproj] Update project files
* Remove use of sln dependencies and use csproj project references instead
* Rewrite jay.vcxproj so it builds correctly even without help from the sln file
* Force pre-build event to run after references are resolved. Change how culevel.exe path is computed to be more resilient.
* [csproj] Update project files
for sources in projects so that we don't get erroneous duplicate files in cases where there are both profile and host platform criteria (#9952)
A recent commit revealed that in cases where we select based on a mix of host platform and profile, genproj csproj files can end up with duplicate sources because the existing <ItemGroup Condition= approach could make multiple groups match for a given compile when we really just want one.
This PR changes to generating a cascade of msbuild <Choose> elements, which give if-else selection to ensure that we only ever build a single set of files.
of solution dependencies (#9670)
Using solution dependencies in `bcl.sln` seems flaky and seems like it might not establish the full ordering we need to ensure that `Consts.cs` exists before we build things that require it. Let's try using project references (where `corlib.dll` 'depends' on `genconsts.exe`) instead. This should also insert the dependency for any project that includes Consts.cs instead of just corlib.
This PR also makes update-solution-files actually fail if `genconsts.exe` fails to build because it was driving me mad.
Part of #6886
(#9453)
* Fix unit tests to use SERIALNUMBER instead of OID.2.5.4.5 in X.500 names. Modify the code to pass the tests.
* Add SERIALNUMBER for BTLS implementation.
* Fix one more place where SERIALNUMBER was not handled.
This PR prepares the upcoming removal of the Legacy TLS Provider.
- The internal (and soon-to-be-removed) class `MD5SHA1` has been moved and changed namespace.
- `Novell.Directory.Ldap.Connection` now uses `SslStream` instead of Legacy TLS; this ports the Novell Ldap library to use TLS 1.2, see #9363.
- Removed obsolete Ssl/Spnego authentication from `System.ServiceModel`.
- Removed duplicate copy of the Legacy TLS Provider from `System.ServiceModel`.
- Ported `System.Web.Mail.SmtpClient` to use `SslStream`.
- Removed the `Mono.Security.Protocol.Tls` documentation.
host platform (#8985)
* Update genproj makefile to include gensources
Update genproj argument parser to be more generous about displaying help
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint
* Fix rebase issue
* Checkpoint
* Checkpoint
* Fix built sources only being added to one profile
* Fix typo
* Checkpoint
* Fix indentation
* Use csc instead of mcs
* Checkpoint
* Fix BUILT_SOURCES only being handled for the first profile processed
* Checkpoint
* Checkpoint
* Strip double slashes from paths to fix spurious csproj change
* Checkpoint
* Checkpoint
* Checkpoint
* Checkpoint: Fix genproj compilation
* Checkpoint
* Checkpoint
* Checkpoint
* Fix crash when no targets were loaded (due to an error)
* Checkpoint
* Checkpoint
* Checkpoint
* Fix TryParseTargetInto bug
* Checkpoint
* Shuffle exclude logic around so that it works correctly during genproj diffing
* Remove gensources tracing
* Checkpoint
* Fix handling of oddball sources paths from executable.make
* Fix jay not being set to build
* Fix wrong slashes being used for embedded resource paths
* [csproj] Update project files
The following files in `mcs/class/*.cs` are not used anywhere (*.csproj/*.source).
the content. (#9168)
* Detect the private key type from the supplied OID instead of guessing from the content.
* Use oid constants from X509Certificate.
* [mcs] Rename darwin platform to macos
Darwin is common to both macOS and iOS/tvOS/watchOS, while we use the darwin platform only for macOS.
* [mcs] Add Unix platform for other Unixes than Linux
* [mcs] Remove PLATFORMS from xammac_net_4_5 since it only makes sense on macos
* [bcl] Bump corlib version
* [csproj] Update project files
* Fix quoting of BMPString names in X501Name.
* Fix the set of characters in X.501 name that need quoting.
System.Security.Principal.WindowsImpersonationContext. (#8608)
* [Coop] Convert Mono.Security.Cryptography.KeyPairPersistence and System.Security.Principal.WindowsImpersonationContext.
* Bump corlib version.
This is the second and final part to bring Client Certificate support.
It needs to be landed on top of #8753 and #8756.
* `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`.
* `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`.
* `AppleTlsContext`: fully support renegotiation.
- we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested`
during `Read()`. It should in theory not happen during `Write()`, but I added it there
as well just to be on the safe side.
- `SetSessionOption()` may only be called before the initial handshake.
* `MobileAuthenticatedStream`: this is the major part of the work and the most complex one.
- added a new `Operation` enum to keep track of what is going on and detect invalid state.
- a renegotiation may only be triggered while we're idle - that is no handshake, read or write
operation is currently active.
- `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what
is currently happening.
- `ProcessHandshake()` now takes a `bool renegotiate` argument.
- added sanity checks to `ProcessRead()` and `ProcessWrite()`.
* `MobileTlsContext.SelectClientCertificate()`: check for
`MonoTlsSettings.DisallowUnauthenticatedCertificateRequest`
* `MonoTlsProviderFactory.InternalVersion`: bump the internal version number.
Tests have already been added to `web-tests/master`, they will auto-enable themselves when
using a Mono runtime that contains this code.
This is the first of two Pull Requests to implement Client Certificates :-)
Part One binds the new native APIs that will be used internally, finishes
the certificate selection callbacks, but without the more risky changes
to the underlying handshake and I/O layer.
Part Two will bring support for TLS Renegotiation - and due to the required
changes in the underlying handshake, it is the more risky one.
* `Mono.Security.Interface.MonoTlsSettings`: Add `ClientCertificateIssuers`.
* `MobileTlsContext`:
- fully implement `SelectClientCertificate()`; the `acceptableIssuers` parameter
is now actually set and we also have a reasonable default selection.
- add `CanRenegotiate` and `RenegotiateAsync()` - these are not hooked up yet.
* `AppleTlsContext`:
- we will only ever call `RequirePeerTrust()` once per session, so we can
also remove it altogether and just use `EvaluatePeerTrust()` instead.
- use proper exceptions for `SslStatus.PeerNoRenegotiation` and `PeerUnexpectedMsg`.
- don't call `SetClientSideAuthenticate()` on the client side.
- bind and hook up `SSLAddDistinguishedName()` and `SSLCopyDistinguishedNames()`.
- bind `SSLReHandshake()`.
* `MobileAuthenticatedStream`: minor cleanups; there will be more uses of the new
`GetInvalidNestedCallException()` helper class once Part Two lands.
* Enable some more constants in `SecureTransport.cs`.
* Add new `MonoBtlsError.GetErrorReason()` and `mono_btls_error_get_reason()`
implementation, only supporting `SSL_R_NO_RENEGOTIATION` at the moment.
* Add new native `mono_btls_ssl_ctx_set_client_ca_list()` function and managed
`MonoBtlsSslCtx.SetClientCertificateIssuers()`; hooked up via
`MonoTlsSettings.ClientCertificateIssuers`.
* According to a comment in the header file, `SSL_get_client_CA_list()` may only
be called during the selection callback or while the handshake is paused.
To respect this restriction, we now call it during the client certificate
selection callback and pass the list from native to managed.
- changed signature of `MonoBtlsSelectFunc` from
`int (* MonoBtlsSelectFunc) (void *instance)` to
`int (* MonoBtlsSelectFunc) (void *instance, int countIssuers, const int *sizes, void **issuerData)`.
- the managed counter-part is in `MonoBtlsSslCtx.NativeSelectFunc` / `NativeSelectCallback`.
* MonoBtlsContext:
- use the new `MonoBtlsError.GetErrorReason()` to throw a `TlsException` with
`AlertDescription.NoRenegotiation` that can be checked for by user code.
- `SelectCallback()` now has a `string[] acceptableIssuers` argument; pass it
to `SelectClientCertificate()`.
- the native backend does not support TLS Renegotiation, so `CanRenegotiate`
always returns false.
Implements #7075
This PR introduces a new tool, gensources.cs, which replaces gensources.sh. It is able to parse the whole set of .sources files for a library in one go so that genproj can use that information to encode all our platform and profile specific files into one csproj file.
For now this PR just introduces it and switches libraries to using it instead of gensources.sh.
* `SslStream`: Reject attempts of setting conflicting callbacks using both the
Mono-specific `MonoTlsSettings` and the new `SslClientAuthenticationOptions` /
`SslServerAuthenticationOptions`.
This makes it consistent with CoreFx behavior where those callbacks may only be
specified in one of the possible places.
* `ChainValidationHelper` - this internal class has received a major overhaul and
lots of old and unused code removed.
All callbacks are now invoked with the correct `sender` parameter to make it
match the .NET / CoreFx behavior.
* `Mono.Security.Interface.CertificateValidationHelper`: remove unused internal code.
* Bring `SslClientAuthenticationOptions`, `SslServerAuthenticationOptions`
and `SslApplicationProtocol` from CoreFX.
* SslStream: Added new public overloads from CoreFX:
- All authentication methods have a new overload without the `SslProtocols` argument.
- New `AuthenticateAsClientAsync(SslClientAuthenticationOptions,CancellationToken)`.
- New `AuthenticateAsServerAsync(SslServerAuthenticationOptions,CancellationToken)`.
- We now use `SecurityProtocol.SystemDefaultSecurityProtocols` (which is zero) as
default value everywhere.
Everything below is internal:
* `Mono.Security.Interface`: Add internal `MonoServerCertificateSelectionCallback`,
`IMonoAuthenticationOptions`, `IMonoSslClientAuthenticationOptions` and
`IMonoSslServerAuthenticationOptions`.
* `Mono.Security.Interface.IMonoSslStream`: Add new overloads without the
`SslProtocols` argument.
* `Mono.Security.Interface.IMonoSslStream2`: New internal interface, extending
`IMonoSslStream` with the new internal APIs.
* `Mono.Net.Security`: New internal `MonoSslAuthenticationOptions`,
`MonoSslClientAuthenticationOptions` and `MonoSslServerAuthenticationOptions`
classes; these are just proxies for `SslClientAuthenticationOptions` and
`SslServerAuthenticationOptions` (which unfortunately don't share a common
base class).
* `Mono.Net.Security.MobileAuthenticatedStream`:
- Implement `IMonoSslStream2`.
- `ProcessAuthentication()` now takes `MonoSslAuthenticationOptions` instead
of the old argument list, added `CancellationToken`.
- All `IMonoSslStream` facing APIs now construct `MonoSslAuthenticationOptions`
to pass it to `ProcessAuthentication()`.
* `Mono.Net.Security`: `MobileTlsContext` and `MobileTlsStream` now use
`MonoSslAuthenticationOptions` to store all options.
Tests for the new APIs are in https://github.com/xamarin/web-tests/commit/fe347589326206f36d3cd42b59d305ff3c291857.
* [System]: Free ServicePoints when they're no longer used.
* Cleanup.
* Don't crash when ServicePoint.CloseConnectionGroup() is called after the ServicePoint has been freed.
* Remove the CloseConnectionGroupConcurrency() test.
This test was for a regression in a piece of code that no longer exists
and the test is poorly designed as it depends on precise timings.
It also attempts to make a web request to a non-existing server and
just ignores the error - it is unclear whether that is intentional or not.
(#8232)
* Teach sn.exe about PE32+, and while there ROM images and MS-DOS-less.
See https://github.com/mono/mono/issues/8218.
* Make Error static.
* Remove .Close () redundant with using.
* Use helper function ReadMore and System.Array.Resize.
* Fix typos in comment.
* Move hash.Hash to fix 'Hash must be finalized before the hash value is retrieved.'.
* Cleanup.
without setting a platform (#8223)
* Default platform to net_4_x if none is specified, to fix tools that build without setting a platform
* [csproj] Update project files
* [msvc] Update csproj files
* [msvc] Delete old net_4_x.csproj and xbuild_12.csproj files