From 9f2b1a16bd0d8ca6e69c869d161a7f9dba961efc Mon Sep 17 00:00:00 2001 From: wfurt Date: Thu, 10 Feb 2022 04:48:46 +0000 Subject: [PATCH 01/10] update SSL tests to deal better with disabled protocols --- .../ClientAsyncAuthenticateTest.cs | 23 ++++++++++++++----- .../tests/FunctionalTests/LoggingTest.cs | 2 +- .../ServerAsyncAuthenticateTest.cs | 12 +++++++--- .../FunctionalTests/ServerNoEncryptionTest.cs | 5 +++- .../FunctionalTests/TestConfiguration.cs | 3 ++- 5 files changed, 33 insertions(+), 12 deletions(-) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs index a0e76e49354fbd..9af449182df4df 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs 
@@ -97,12 +97,23 @@ public static IEnumerable ProtocolMismatchData() yield return new object[] { SslProtocols.Ssl2, SslProtocols.Tls12, typeof(Exception) }; yield return new object[] { SslProtocols.Ssl3, SslProtocols.Tls12, typeof(Exception) }; #pragma warning restore 0618 - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls10) + { + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, PlatformDetection.SupportsTls11 ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, PlatformDetection.SupportsTls12 ? typeof(AuthenticationException) : typeof(IOException) }; + } + + if (PlatformDetection.SupportsTls11) + { + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, PlatformDetection.SupportsTls10 ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, PlatformDetection.SupportsTls12 ? typeof(AuthenticationException) : typeof(IOException) }; + } + + if (PlatformDetection.SupportsTls12) + { + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, PlatformDetection.SupportsTls11 ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, PlatformDetection.SupportsTls10 ? 
typeof(AuthenticationException) : typeof(IOException) }; + } } #region Helpers diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/LoggingTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/LoggingTest.cs index 1b99f0cd4d85ae..f042a633a66466 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/LoggingTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/LoggingTest.cs @@ -27,7 +27,7 @@ public void EventSource_ExistsWithCorrectId() [ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))] public void EventSource_EventsRaisedAsExpected() { - if (PlatformDetection.IsWindows10Version22000OrGreater) + if (PlatformDetection.IsWindows10Version20348OrGreater) { // [ActiveIssue("https://github.com/dotnet/runtime/issues/58927")] throw new SkipTestException("Unstable on Windows 11"); diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs index 1a452e8f893093..739a96c7a8fe2c 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs @@ -10,7 +10,7 @@ using System.Security.Cryptography.X509Certificates; using System.Threading; using System.Threading.Tasks; - +using Microsoft.DotNet.XUnitExtensions; using Xunit; using Xunit.Abstractions; 
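Review bot: The skip in EventSource_EventsRaisedAsExpected now fires from build 20348 upward rather than 22000, which (per the comment added to TestConfiguration.cs in this same patch) pulls Windows Server 2022 into the skipped set, yet the SkipTestException text still reads "Unstable on Windows 11", so a skip on Server 2022 reports a reason that does not match the machine. Suggest `throw new SkipTestException("Unstable on Windows 11 and Windows Server 2022");` and widening the `// [ActiveIssue(...)]` comment above it to say which builds the issue covers. The method body continues outside the hunk.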
@@ -43,13 +43,19 @@ public async Task ServerAsyncAuthenticate_EachSupportedProtocol_Success(SslProto await ServerAsyncSslHelper(protocol, protocol); } - [Theory] + [ConditionalTheory] [MemberData(nameof(ProtocolMismatchData))] public async Task ServerAsyncAuthenticate_MismatchProtocols_Fails( SslProtocols serverProtocol, SslProtocols clientProtocol, Type expectedException) { + + if ((serverProtocol & SslProtocolSupport.SupportedSslProtocols) == 0) + { + throw new SkipTestException($"None of '{serverProtocol}' requested versions is available"); + } + Exception e = await Record.ExceptionAsync( () => { @@ -236,7 +242,7 @@ public async Task ServerAsyncAuthenticate_ConstructorVerificationDelegate_Succes (Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams(); var client = new SslStream(clientStream); - var server = new SslStream(serverStream, false, (sender, certificate, chain, sslPolicyErrors) => { validationCallbackCalled = true; return true;}); + var server = new SslStream(serverStream, false, (sender, certificate, chain, sslPolicyErrors) => { validationCallbackCalled = true; return true; }); using (client) using (server) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerNoEncryptionTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerNoEncryptionTest.cs index 4515f15843004b..6d43dc8f320172 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerNoEncryptionTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerNoEncryptionTest.cs @@ -96,7 +96,10 @@ public async Task ServerNoEncryption_ClientNoEncryption_ConnectWithNoEncryption( else { var ae = await Assert.ThrowsAsync(() => sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocolSupport.DefaultSslProtocols, false)); - Assert.IsType(ae.InnerException); + if (!OperatingSystem.IsWindows()) + { + Assert.IsType(ae.InnerException); + } } } } 
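Review bot: In the ServerNoEncryptionTest hunk the Windows path drops the `Assert.IsType(ae.InnerException)` check entirely instead of replacing it, so on Windows the test now only proves that AuthenticateAsClientAsync threw and no longer checks what the failure wrapped. If the inner exception type on Windows is known, assert it in an `else` branch; otherwise `else { Assert.NotNull(ae.InnerException); }` at least keeps the wrapping contract covered on every platform. The generic arguments of Assert.ThrowsAsync and Assert.IsType are not legible in this rendering, so the exact expected types are inferred. The enclosing test method starts outside the hunk.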
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
index 21e5385bdb9c28..c0b8db8e488abb 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
@@ -38,7 +38,8 @@ public static Task WhenAllOrAnyFailedWithTimeout(params Task[] tasks)
 // On Windows, null ciphers (no encryption) are supported.
 if (OperatingSystem.IsWindows())
 {
- return true;
+ // This may be more complicated but Server 2022 and Windows 11 some with restricted set of default ciphers.
+ return !PlatformDetection.IsWindows10Version20348OrGreater;
 }
 // On macOS and Android, the null cipher (no encryption) is not supported.
From 318518c9122857f68c49c347d84328b6ea7b13ae Mon Sep 17 00:00:00 2001
From: wfurt
Date: Thu, 10 Feb 2022 21:44:22 +0000
Subject: [PATCH 02/10] Improve detection of Null encryption on Windows
---
 .../tests/FunctionalTests/TestConfiguration.cs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
index c0b8db8e488abb..81bd9565989945 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs
@@ -38,8 +38,14 @@ public static Task WhenAllOrAnyFailedWithTimeout(params Task[] tasks)
 // On Windows, null ciphers (no encryption) are supported.
 if (OperatingSystem.IsWindows())
 {
- // This may be more complicated but Server 2022 and Windows 11 some with restricted set of default ciphers.
- return !PlatformDetection.IsWindows10Version20348OrGreater;
+ try
+ {
+ using (Process p = Process.Start(new ProcessStartInfo("powershell", "-Command Get-TlsCipherSuite") { RedirectStandardOutput = true, RedirectStandardError = true }))
+ {
+ return p.StandardOutput.ReadToEnd().Contains("WITH_NULL");
+ }
+ }
+ catch { return true; } // assume availability
 }
 // On macOS and Android, the null cipher (no encryption) is not supported.
From 6dddb96d31f7058aeed5179b84cf38a093bf1960 Mon Sep 17 00:00:00 2001
From: wfurt
Date: Thu, 10 Feb 2022 14:17:28 -0800
Subject: [PATCH 03/10] update expectation for Mismatched protocols
---
 .../FunctionalTests/ClientAsyncAuthenticateTest.cs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
index 9af449182df4df..b6d22f523912e7 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
@@ -59,6 +59,7 @@ public async Task ClientAsyncAuthenticate_MismatchProtocols_Fails(
 SslProtocols clientProtocol,
 Type expectedException)
 {
+ Console.WriteLine("PlatformDetection.SupportsTls12 = {0} 11 {1} 10 {2}", PlatformDetection.SupportsTls12, PlatformDetection.SupportsTls11, PlatformDetection.SupportsTls10);
 Exception e = await Record.ExceptionAsync(() => ClientAsyncSslHelper(serverProtocol, clientProtocol));
 Assert.NotNull(e);
 Assert.IsAssignableFrom(expectedException, e);
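Review bot: The Process block sets `RedirectStandardError = true` but never reads standard error and never calls WaitForExit, so if PowerShell writes more than a pipe buffer to stderr (for instance when Get-TlsCipherSuite is unavailable) the child blocks on stderr while the parent blocks in ReadToEnd on stdout, and the bare `catch { return true; }` cannot rescue a hang, only an exception. Either drop `RedirectStandardError = true` so stderr is not captured, or drain it, and add `p.WaitForExit();` after `string output = p.StandardOutput.ReadToEnd();` before returning `output.Contains("WITH_NULL")`. The catch-all also reports a missing `powershell` on PATH as "null encryption available", so narrowing it or at least recording the exception would make a false positive diagnosable. The same block is carried unchanged into patch 04 (the hunk headed `@@ -38,8 +38,15`), which adds only the `IsWindows10OrLater` early return. The enclosing property starts outside the hunk.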
@@ -99,20 +100,20 @@ public static IEnumerable ProtocolMismatchData() #pragma warning restore 0618 if (PlatformDetection.SupportsTls10) { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, PlatformDetection.SupportsTls11 ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, PlatformDetection.SupportsTls12 ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, PlatformDetection.SupportsTls11 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, PlatformDetection.SupportsTls12 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; } if (PlatformDetection.SupportsTls11) { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, PlatformDetection.SupportsTls10 ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, PlatformDetection.SupportsTls12 ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, PlatformDetection.SupportsTls10 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, PlatformDetection.SupportsTls12 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; } if (PlatformDetection.SupportsTls12) { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, PlatformDetection.SupportsTls11 ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, PlatformDetection.SupportsTls10 ? 
typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, PlatformDetection.SupportsTls10 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, PlatformDetection.SupportsTls11 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; } } From 36b4b36343f4ef9eef48d8817976cd0358a5cdd4 Mon Sep 17 00:00:00 2001 From: wfurt Date: Fri, 11 Feb 2022 03:51:02 +0000 Subject: [PATCH 04/10] update detection --- .../tests/FunctionalTests/TestConfiguration.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs index 81bd9565989945..b3493381933ad2 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs @@ -38,8 +38,15 @@ public static Task WhenAllOrAnyFailedWithTimeout(params Task[] tasks) // On Windows, null ciphers (no encryption) are supported. if (OperatingSystem.IsWindows()) { + if (!PlatformDetection.IsWindows10OrLater) + { + // All old versions support null encryption + return true; + } + try { + // New Windows can support null but it may be disabled in Azure images using (Process p = Process.Start(new ProcessStartInfo("powershell", "-Command Get-TlsCipherSuite") { RedirectStandardOutput = true, RedirectStandardError = true })) { return p.StandardOutput.ReadToEnd().Contains("WITH_NULL"); From 429d7daba8aa42689ff926b957cfa87061eaff89 Mon Sep 17 00:00:00 2001 
From: wfurt
Date: Mon, 14 Feb 2022 22:34:01 +0000
Subject: [PATCH 05/10] wrap win32 exception
---
 .../Net/Security/SslStreamPal.Windows.cs | 23 ++++++++++++-------
 .../ClientAsyncAuthenticateTest.cs | 13 +++++------
 2 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
index 2cb0f2ec14e66c..00c4de0f437501 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -140,16 +140,23 @@ public static SecurityStatusPal Renegotiate(
 public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext? certificateContext, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
 {
- // New crypto API supports TLS1.3 but it does not allow to force NULL encryption.
- SafeFreeCredentials cred = !UseNewCryptoApi || policy == EncryptionPolicy.NoEncryption ?
- AcquireCredentialsHandleSchannelCred(certificateContext, protocols, policy, isServer) :
- AcquireCredentialsHandleSchCredentials(certificateContext, protocols, policy, isServer);
- if (certificateContext != null && certificateContext.Trust != null && certificateContext.Trust._sendTrustInHandshake)
+ try
 {
- AttachCertificateStore(cred, certificateContext.Trust._store!);
- }
+ // New crypto API supports TLS1.3 but it does not allow to force NULL encryption.
+ SafeFreeCredentials cred = !UseNewCryptoApi || policy == EncryptionPolicy.NoEncryption ?
+ AcquireCredentialsHandleSchannelCred(certificateContext, protocols, policy, isServer) :
+ AcquireCredentialsHandleSchCredentials(certificateContext, protocols, policy, isServer);
+ if (certificateContext != null && certificateContext.Trust != null && certificateContext.Trust._sendTrustInHandshake)
+ {
+ AttachCertificateStore(cred, certificateContext.Trust._store!);
+ }
- return cred;
+ return cred;
+ }
+ catch (Win32Exception e)
+ {
+ throw new AuthenticationException(SR.net_auth_SSPI, e);
+ }
 }
 private static unsafe void AttachCertificateStore(SafeFreeCredentials cred, X509Store store)
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
index b6d22f523912e7..66007061db48a7 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs
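Review bot: If AttachCertificateStore throws after the credentials handle has already been acquired, the new catch wraps the Win32Exception but never releases `cred`, so the SSPI credential handle stays alive until finalization; the pre-patch code had the same gap, but the catch is now the natural place to close it. Declare `SafeFreeCredentials? cred = null;` before the `try`, assign it inside, and put `cred?.Dispose();` as the first statement of the catch before the throw. Whether AttachCertificateStore can raise Win32Exception at all is not visible in this hunk; if it cannot, a comment stating that the catch exists for the two AcquireCredentialsHandle* calls would save the next reader the same question. Passing the Win32Exception as InnerException is the right call, since it keeps the native error code available for diagnosing handshake failures on Schannel.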
@@ -100,20 +100,20 @@ public static IEnumerable ProtocolMismatchData() #pragma warning restore 0618 if (PlatformDetection.SupportsTls10) { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, PlatformDetection.SupportsTls11 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, PlatformDetection.SupportsTls12 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; } if (PlatformDetection.SupportsTls11) { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, PlatformDetection.SupportsTls10 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, PlatformDetection.SupportsTls12 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; } if (PlatformDetection.SupportsTls12) { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, PlatformDetection.SupportsTls10 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, PlatformDetection.SupportsTls11 || !PlatformDetection.IsWindows ? typeof(AuthenticationException) : typeof(IOException) }; + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; } } 
@@ -138,7 +138,6 @@ private async Task ClientAsyncSslHelper( _log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols); IPEndPoint endPoint = new IPEndPoint(IPAddress.Loopback, 0); - using (var server = new DummyTcpServer(endPoint, encryptionPolicy)) using (var client = new TcpClient()) { From 212fa5b60d4e3032d06a2b669d96621d5b651a56 Mon Sep 17 00:00:00 2001 From: wfurt Date: Tue, 15 Feb 2022 01:30:09 +0000 Subject: [PATCH 06/10] update ProtocolMismatchData sets --- .../ClientAsyncAuthenticateTest.cs | 34 ++++++++++++++--- .../ServerAsyncAuthenticateTest.cs | 38 +++++++++++++------ 2 files changed, 55 insertions(+), 17 deletions(-) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs index 66007061db48a7..aa60c456d485ee 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs 
@@ -100,20 +100,42 @@ public static IEnumerable ProtocolMismatchData() #pragma warning restore 0618 if (PlatformDetection.SupportsTls10) { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls11) + { + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls12) + { + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; + } } if (PlatformDetection.SupportsTls11) { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; + + if (PlatformDetection.SupportsTls10) + { + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls12) + { + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; + } } if (PlatformDetection.SupportsTls12) { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls10) + { + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls11) + { + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; + } } } diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs index 739a96c7a8fe2c..c660399435b0c7 100644 
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs @@ -51,11 +51,6 @@ public async Task ServerAsyncAuthenticate_MismatchProtocols_Fails( Type expectedException) { - if ((serverProtocol & SslProtocolSupport.SupportedSslProtocols) == 0) - { - throw new SkipTestException($"None of '{serverProtocol}' requested versions is available"); - } - Exception e = await Record.ExceptionAsync( () => { 
@@ -346,20 +341,41 @@ public static IEnumerable ProtocolMismatchData() if (PlatformDetection.SupportsTls10) { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls11) + { + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls12) + { + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; + } } if (PlatformDetection.SupportsTls11) { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls10) + { + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls12) + { + yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; + } } if (PlatformDetection.SupportsTls12) { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; + if (PlatformDetection.SupportsTls10) + { + yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; + } + + if (PlatformDetection.SupportsTls11) + { + yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; + } } } From 76a485a2efc677e2049669028f0d924f72bc9c41 Mon Sep 17 00:00:00 2001 From: wfurt Date: Tue, 15 Feb 2022 01:34:04 +0000 Subject: [PATCH 07/10] remove debug print --- .../tests/FunctionalTests/ClientAsyncAuthenticateTest.cs | 1 - 1 file changed, 1 deletion(-) 
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs index aa60c456d485ee..0b8c834e80b5d8 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs @@ -59,7 +59,6 @@ public async Task ClientAsyncAuthenticate_MismatchProtocols_Fails( SslProtocols clientProtocol, Type expectedException) { - Console.WriteLine("PlatformDetection.SupportsTls12 = {0} 11 {1} 10 {2}", PlatformDetection.SupportsTls12, PlatformDetection.SupportsTls11, PlatformDetection.SupportsTls10); Exception e = await Record.ExceptionAsync(() => ClientAsyncSslHelper(serverProtocol, clientProtocol)); Assert.NotNull(e); Assert.IsAssignableFrom(expectedException, e); From c4add0dae8d8c00931790b4cc7a9fb3d2190291d Mon Sep 17 00:00:00 2001 From: wfurt Date: Mon, 14 Feb 2022 19:58:56 -0800 Subject: [PATCH 08/10] final cleanup --- .../tests/FunctionalTests/ClientAsyncAuthenticateTest.cs | 1 + .../tests/FunctionalTests/ServerAsyncAuthenticateTest.cs | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs index 0b8c834e80b5d8..755e35c3581253 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs @@ -159,6 +159,7 @@ private async Task ClientAsyncSslHelper( _log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols); IPEndPoint endPoint = new IPEndPoint(IPAddress.Loopback, 0); + using (var server = new DummyTcpServer(endPoint, encryptionPolicy)) using (var client = new TcpClient()) { 
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs index c660399435b0c7..e51712c9b5f8d1 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs @@ -10,7 +10,7 @@ using System.Security.Cryptography.X509Certificates; using System.Threading; using System.Threading.Tasks; -using Microsoft.DotNet.XUnitExtensions; + using Xunit; using Xunit.Abstractions; @@ -43,14 +43,13 @@ public async Task ServerAsyncAuthenticate_EachSupportedProtocol_Success(SslProto await ServerAsyncSslHelper(protocol, protocol); } - [ConditionalTheory] + [Theory] [MemberData(nameof(ProtocolMismatchData))] public async Task ServerAsyncAuthenticate_MismatchProtocols_Fails( SslProtocols serverProtocol, SslProtocols clientProtocol, Type expectedException) { - Exception e = await Record.ExceptionAsync( () => { From 34cfde33178bf27d11eff82e7bfc7d94dc2cb705 Mon Sep 17 00:00:00 2001 From: wfurt Date: Tue, 15 Feb 2022 22:47:29 +0000 Subject: [PATCH 09/10] generate mismatch data --- .../ClientAsyncAuthenticateTest.cs | 49 +++------------- .../ServerAsyncAuthenticateTest.cs | 56 +++---------------- 2 files changed, 17 insertions(+), 88 deletions(-) diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs index 755e35c3581253..fae4ac37ba3226 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs 
@@ -55,11 +55,11 @@ public async Task ClientAsyncAuthenticate_EachSupportedProtocol_Success(SslProto
 [Theory]
 [MemberData(nameof(ProtocolMismatchData))]
 public async Task ClientAsyncAuthenticate_MismatchProtocols_Fails(
- SslProtocols serverProtocol,
 SslProtocols clientProtocol,
+ SslProtocols serverProtocol,
 Type expectedException)
 {
- Exception e = await Record.ExceptionAsync(() => ClientAsyncSslHelper(serverProtocol, clientProtocol));
+ Exception e = await Record.ExceptionAsync(() => ClientAsyncSslHelper(clientProtocol, serverProtocol));
 Assert.NotNull(e);
 Assert.IsAssignableFrom(expectedException, e);
 }
@@ -92,48 +92,17 @@ public async Task ClientAsyncAuthenticate_IndividualServerVsAllClientSupportedPr public static IEnumerable ProtocolMismatchData() { -#pragma warning disable 0618 - yield return new object[] { SslProtocols.Ssl2, SslProtocols.Ssl3, typeof(Exception) }; - yield return new object[] { SslProtocols.Ssl2, SslProtocols.Tls12, typeof(Exception) }; - yield return new object[] { SslProtocols.Ssl3, SslProtocols.Tls12, typeof(Exception) }; -#pragma warning restore 0618 - if (PlatformDetection.SupportsTls10) - { - if (PlatformDetection.SupportsTls11) - { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; - } - - if (PlatformDetection.SupportsTls12) - { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; - } - } - - if (PlatformDetection.SupportsTls11) - { - - if (PlatformDetection.SupportsTls10) - { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; - } - - if (PlatformDetection.SupportsTls12) - { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) }; - } - } + var supportedProtocols = new SslProtocolSupport.SupportedSslProtocolsTestData(); - if (PlatformDetection.SupportsTls12) + foreach (var serverProtocols in supportedProtocols) + foreach (var clientProtocols in supportedProtocols) { - if (PlatformDetection.SupportsTls10) - { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; - } + SslProtocols serverProtocol = (SslProtocols)serverProtocols[0]; + SslProtocols clientProtocol = (SslProtocols)clientProtocols[0]; - if (PlatformDetection.SupportsTls11) + if (clientProtocol != serverProtocol) { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; + yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) }; } } } 
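Review bot: Generating ProtocolMismatchData from SupportedSslProtocolsTestData silently drops the explicit Ssl2/Ssl3 rows that expected a bare `Exception`, and every pair the product yields (including Tls13 where the platform reports it) now expects AuthenticationException; should a platform still list Ssl3 in SupportedSslProtocols, that pair inherits the stricter expectation without anyone having decided so. A short comment above the loops recording that Ssl2/Ssl3 are expected to be filtered out by SupportedSslProtocols, and why the old `Exception` cases are no longer needed, would make that intent auditable. The two stacked `foreach` headers with a single body and no brace on the outer one read as one statement; bracing the outer loop costs nothing and removes the dangling-body ambiguity. The identical rewrite of ProtocolMismatchData in ServerAsyncAuthenticateTest.cs (the hunk headed `@@ -323,57 +323,17`) has the same two points.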
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs
index e51712c9b5f8d1..ef7eb8fac06aa0 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/ServerAsyncAuthenticateTest.cs
@@ -46,8 +46,8 @@ public async Task ServerAsyncAuthenticate_EachSupportedProtocol_Success(SslProto
 [Theory]
 [MemberData(nameof(ProtocolMismatchData))]
 public async Task ServerAsyncAuthenticate_MismatchProtocols_Fails(
- SslProtocols serverProtocol,
 SslProtocols clientProtocol,
+ SslProtocols serverProtocol,
 Type expectedException)
 {
 Exception e = await Record.ExceptionAsync(
@@ -323,57 +323,17 @@ public async Task ServerAsyncAuthenticate_InvalidHello_Throws(bool close) public static IEnumerable ProtocolMismatchData() { - if (PlatformDetection.SupportsSsl3) - { -#pragma warning disable 0618 - yield return new object[] { SslProtocols.Ssl3, SslProtocols.Tls12, typeof(Exception) }; - if (PlatformDetection.SupportsSsl2) - { - yield return new object[] { SslProtocols.Ssl2, SslProtocols.Ssl3, typeof(Exception) }; - yield return new object[] { SslProtocols.Ssl2, SslProtocols.Tls12, typeof(Exception) }; - } -#pragma warning restore 0618 - } - - // It is OK if server does not support given protocol. It should still fail. - // But if client does not support it, it will simply fail without sending out any data. + var supportedProtocols = new SslProtocolSupport.SupportedSslProtocolsTestData(); - if (PlatformDetection.SupportsTls10) + foreach (var serverProtocols in supportedProtocols) + foreach (var clientProtocols in supportedProtocols) { - if (PlatformDetection.SupportsTls11) - { - yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls, typeof(AuthenticationException) }; - } - - if (PlatformDetection.SupportsTls12) - { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls, typeof(AuthenticationException) }; - } - } - - if (PlatformDetection.SupportsTls11) - { - if (PlatformDetection.SupportsTls10) - { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls11, typeof(AuthenticationException) }; - } - - if (PlatformDetection.SupportsTls12) - { - yield return new object[] { SslProtocols.Tls12, SslProtocols.Tls11, typeof(AuthenticationException) }; - } - } - - if (PlatformDetection.SupportsTls12) - { - if (PlatformDetection.SupportsTls10) - { - yield return new object[] { SslProtocols.Tls, SslProtocols.Tls12, typeof(AuthenticationException) }; - } + SslProtocols serverProtocol = (SslProtocols)serverProtocols[0]; + SslProtocols clientProtocol = (SslProtocols)clientProtocols[0]; - if (PlatformDetection.SupportsTls11) + 
if (clientProtocol != serverProtocol)
 {
- yield return new object[] { SslProtocols.Tls11, SslProtocols.Tls12, typeof(AuthenticationException) };
+ yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) };
 }
 }
 }
From 63e96383b7934e0cfc1646fd86cdb6c1f102c216 Mon Sep 17 00:00:00 2001
From: wfurt
Date: Wed, 16 Feb 2022 01:42:34 +0000
Subject: [PATCH 10/10] avoid SslProtocols.Default
---
 src/libraries/Common/tests/System/Net/SslProtocolSupport.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs b/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs
index e6ac1884c358e7..302021b8c08531 100644
--- a/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs
+++ b/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs
@@ -61,10 +61,12 @@ public IEnumerator GetEnumerator()
 {
 foreach (SslProtocols protocol in Enum.GetValues(typeof(SslProtocols)))
 {
- if (protocol != SslProtocols.None && (protocol & SupportedSslProtocols) == protocol)
+#pragma warning disable 0618 // SSL2/3 are deprecated
+ if (protocol != SslProtocols.None && protocol != SslProtocols.Default && (protocol & SupportedSslProtocols) == protocol)
 {
 yield return new object[] { protocol };
 }
+#pragma warning restore 0618
 }
 }
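Review bot: The new pragma comment says `// SSL2/3 are deprecated`, but the condition never names Ssl2 or Ssl3; what needs the suppression is the newly added reference to `SslProtocols.Default`, the obsolete member this line introduces, and the previous version of the condition compiled without any pragma. Suggest `#pragma warning disable 0618 // SslProtocols.Default is obsolete` so the suppression is traceable to the symbol that triggers it. Enum.GetValues still yields Ssl2 and Ssl3 here and the enumerator relies on the `(protocol & SupportedSslProtocols) == protocol` filter to keep them out; a one-line comment stating that reliance is worth adding now that the mismatch tests in patch 09 derive every protocol pair from this enumerator.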