fix TLS13 procesing on windows #34181
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -234,8 +234,8 @@ private async Task ReplyOnReAuthenticationAsync<TIOAdapter>(TIOAdapter adapter, | |
| private async Task ForceAuthenticationAsync<TIOAdapter>(TIOAdapter adapter, bool receiveFirst, byte[]? reAuthenticationData, bool isApm = false) | ||
| where TIOAdapter : ISslIOAdapter | ||
| { | ||
| ProtocolToken message; | ||
| bool handshakeCompleted = false; | ||
|
|
||
| if (reAuthenticationData == null) | ||
| { | ||
|
|
@@ -262,10 +262,22 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(TIOAdapter adapter, bool | |
| // tracing done in NextMessage() | ||
| throw new AuthenticationException(SR.net_auth_SSPI, message.GetException()); | ||
| } | ||
|
|
||
| if (message.Status.ErrorCode == SecurityStatusPalErrorCode.OK) | ||
| { | ||
| // We can finish renegotiation without doing any read. | ||
| handshakeCompleted = true; | ||
| } | ||
| } | ||
|
|
||
| if (!handshakeCompleted) | ||
| { | ||
| // get ready to receive first frame | ||
| _handshakeBuffer = new ArrayBuffer(InitialHandshakeBufferSize); | ||
| _framing = Framing.Unknown; | ||
| } | ||
|
|
||
| while (!handshakeCompleted) | ||
| { | ||
| message = await ReceiveBlobAsync(adapter).ConfigureAwait(false); | ||
| if (message.Size > 0) | ||
|
|
@@ -278,7 +290,12 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(TIOAdapter adapter, bool | |
| { | ||
| throw new AuthenticationException(SR.net_auth_SSPI, message.GetException()); | ||
| } | ||
| else if (message.Status.ErrorCode == SecurityStatusPalErrorCode.OK) | ||
| { | ||
| // We can finish renegotiation without doing any read. | ||
| handshakeCompleted = true; | ||
| } | ||
| } | ||
|
|
||
| if (_handshakeBuffer.ActiveLength > 0) | ||
| { | ||
|
|
@@ -659,10 +676,18 @@ private async ValueTask<int> ReadAsyncInternal<TIOAdapter>(TIOAdapter adapter, M | |
| // To handle this we call DecryptData() under lock and we create TCS waiter. | ||
| // EncryptData() checks that under same lock and if it exist it will not call low-level crypto. | ||
| // Instead it will wait synchronously or asynchronously and it will try again after the wait. | ||
| // The result will be set when ReplyOnReAuthenticationAsync() is finished e.g. lsass business is over. | ||
| // If that happen before EncryptData() runs, _handshakeWaiter will be set to null | ||
| // and EncryptData() will work normally e.g. no waiting, just exclusion with DecryptData() | ||
|
|
||
|
|
||
| if (_sslAuthenticationOptions!.AllowRenegotiation || SslProtocol == SslProtocols.Tls13) | ||
| { | ||
| // create TCS only if we plan to proceed. If not, we will throw in block bellow outside of the lock. | ||
| // Tls1.3 does not have renegotiation. However on Windows this error code is used | ||
| // for session management e.g. anything lsass needs to see. | ||
| _handshakeWaiter = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously); | ||
| } | ||
| } | ||
| } | ||
|
|
||
|
|
@@ -686,11 +711,9 @@ private async ValueTask<int> ReadAsyncInternal<TIOAdapter>(TIOAdapter adapter, M | |
|
|
||
| if (status.ErrorCode == SecurityStatusPalErrorCode.Renegotiate) | ||
| { | ||
| // We determine above that we will not process it. | ||
| if (_handshakeWaiter == null) | ||
| { | ||
| if (NetEventSource.IsEnabled) NetEventSource.Fail(this, "Renegotiation was requested but it is disallowed"); | ||
| throw new IOException(SR.net_ssl_io_renego); | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -60,7 +60,7 @@ public async Task ServerNoEncryption_ClientAllowNoEncryption_ConnectWithNoEncryp | |
|
|
||
| using (var sslStream = new SslStream(client.GetStream(), false, AllowAnyServerCertificate, null, EncryptionPolicy.AllowNoEncryption)) | ||
| { | ||
| await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false); | ||
|
|
||
| _log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength", | ||
| serverNoEncryption.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength); | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -715,13 +715,17 @@ private static NegotiatedParams ConnectAndGetNegotiatedParams(ConnectionParams s | |
| { | ||
| // send some bytes, make sure they can talk | ||
| byte[] data = new byte[] { 1, 2, 3 }; | ||
| byte[] receivedData = new byte[1]; | ||
| Task serverTask = server.WriteAsync(data, 0, data.Length); | ||
| for (int i = 0; i < data.Length; i++) | ||
| { | ||
| Assert.True(client.ReadAsync(receivedData, 0, 1).Wait(TestConfiguration.PassingTestTimeoutMilliseconds), | ||
| $"Read task failed to finish in {TestConfiguration.PassingTestTimeoutMilliseconds}ms."); | ||
| Assert.Equal(data[i], receivedData[0]); | ||
| } | ||
|
|
||
| Assert.True(serverTask.Wait(TestConfiguration.PassingTestTimeoutMilliseconds), | ||
| $"WriteTask failed to finish in {TestConfiguration.PassingTestTimeoutMilliseconds}ms."); | ||
| return new NegotiatedParams(server, client); | ||
| } | ||
| else | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
macOS doesn't support TLS 1.3 on any version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not in .NET. Tracked by #1979
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case can you please change this to something like:
? Thanks.