Fix FTP/SSL data stream closure causing protocol violation in .NET 10

eng/pipelines/libraries/enterprise/linux.yml

@@ -19,6 +19,7 @@ pr:
       - src/native/libs/System.Net.Security.Native/*
       - src/libraries/System.Net.Http/*
       - src/libraries/System.Net.Security/*
+      - src/libraries/System.Net.Requests/*
 
 variables:
   - template: ../variables.yml
@@ -63,12 +64,14 @@ extends:
             docker exec linuxclient bash -c '/repo/build.sh -subset clr+libs -runtimeconfiguration release -ci /p:NativeOptimizationDataSupported=false'
             docker exec linuxclient bash -c '/repo/dotnet.sh build $(containerLibrariesRoot)/System.Net.Http/tests/EnterpriseTests/System.Net.Http.Enterprise.Tests.csproj'
             docker exec linuxclient bash -c '/repo/dotnet.sh build $(containerLibrariesRoot)/System.Net.Security/tests/EnterpriseTests/System.Net.Security.Enterprise.Tests.csproj'
+            docker exec linuxclient bash -c '/repo/dotnet.sh build $(containerLibrariesRoot)/System.Net.Requests/tests/EnterpriseTests/System.Net.Requests.Enterprise.Tests.csproj'
           displayName: Build product sources
 
         - bash: |
             docker exec linuxclient bash -c 'if [ -f /erc/resolv.conf.ORI ]; then cp -f /erc/resolv.conf.ORI /etc/resolv.conf; fi'
             docker exec linuxclient $(containerRunTestsCommand) $(containerLibrariesRoot)/System.Net.Http/tests/EnterpriseTests/System.Net.Http.Enterprise.Tests.csproj
             docker exec linuxclient $(containerRunTestsCommand) $(containerLibrariesRoot)/System.Net.Security/tests/EnterpriseTests/System.Net.Security.Enterprise.Tests.csproj
+            docker exec linuxclient $(containerRunTestsCommand) $(containerLibrariesRoot)/System.Net.Requests/tests/EnterpriseTests/System.Net.Requests.Enterprise.Tests.csproj
           displayName: Build and run tests
 
         - bash: |

src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/Dockerfile

@@ -1,24 +1,48 @@
-FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-18.04
+FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-# Install Kerberos client, apache Negotiate auth plugin, and diagnostics
+# Install Kerberos client, ProFTPD with SSL, and diagnostics
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends apache2 libapache2-mod-auth-kerb procps krb5-user iputils-ping dnsutils nano \
-                                               libapache2-mod-auth-ntlm-winbind samba samba-dsdb-modules samba-vfs-modules
+    apt-get install -y --no-install-recommends apache2 procps krb5-user iputils-ping dnsutils nano \
+                                               samba samba-dsdb-modules samba-vfs-modules \
+                                               proftpd-basic proftpd-mod-crypto openssl \
+                                               apache2-dev libapache2-mod-auth-gssapi samba-ad-provision winbind
 WORKDIR /setup
 
 COPY ./common/krb5.conf /etc/
 COPY ./apacheweb/apache2.conf /setup/apache2.conf
 COPY ./apacheweb/*.sh ./
+COPY ./apacheweb/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c /tmp
 RUN chmod +x *.sh ; \
     mkdir -p /setup/htdocs/auth/ntlm /setup/altdocs/auth/ntlm /setup/htdocs/auth/kerberos /setup/altdocs/auth/kerberos /setup/htdocs/auth/digest ;\
     touch /setup/htdocs/index.html /setup/htdocs/auth/kerberos/index.html /setup/htdocs/auth/ntlm/index.html /setup/htdocs/auth/digest/index.html ;\
     touch /setup/altdocs/auth/kerberos/index.html /setup/altdocs/auth/ntlm/index.html ;\
     cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.ORIG ;\
-    mv -f apache2.conf /etc/apache2/apache2.conf
+    mv -f apache2.conf /etc/apache2/apache2.conf ;\
+    cd /tmp && apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
+
+# Setup FTP user and directories
+RUN useradd -m -s /bin/bash ftpuser && \
+    echo "ftpuser:ftppass" | chpasswd && \
+    mkdir -p /home/ftpuser/ftp && \
+    chown ftpuser:ftpuser /home/ftpuser/ftp && \
+    mkdir -p /var/log/proftpd && \
+    chmod 755 /var/log/proftpd
+
+# Generate self-signed certificate for FTP TLS
+RUN mkdir -p /etc/proftpd/ssl && \
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout /etc/proftpd/ssl/proftpd.key \
+    -out /etc/proftpd/ssl/proftpd.crt \
+    -subj "/C=US/ST=State/L=City/O=Test/CN=apacheweb.linux.contoso.com"
+
+# Copy ProFTPD configuration
+COPY ./apacheweb/proftpd.conf /etc/proftpd/proftpd.conf
 
 EXPOSE 80/tcp
 EXPOSE 8080/tcp
+EXPOSE 21/tcp
+EXPOSE 50000-50100/tcp
 
 ENTRYPOINT ["/bin/bash", "/setup/run.sh"]

src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/apache2.conf

@@ -2,13 +2,13 @@
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
-# In particular, see 
+# In particular, see
 # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
 # for a discussion of each configuration directive.
 #
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
+# consult the online docs. You have been warned.
 #
 # Configuration and logfile names: If the filenames you specify for many
 # of the server's control files begin with "/" (or "drive:/" for Win32), the
@@ -206,7 +206,7 @@ LoadModule alias_module modules/mod_alias.so
 <IfDefine NTLM>
 LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
 </IfDefine>
-LoadModule auth_kerb_module modules/mod_auth_kerb.so
+LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
 
 <IfModule unixd_module>
 #
@@ -285,11 +285,10 @@ DocumentRoot "/setup/htdocs"
     Options Indexes FollowSymLinks
     AllowOverride None
 
-    AuthType Kerberos
+    AuthType GSSAPI
     AuthName "Kerberos Login"
-    KrbAuthRealm LINUX.CONTOSO.COM
-    Krb5Keytab /etc/krb5.keytab
-    KrbMethodK5Passwd off
+    GssapiCredStore keytab:/etc/krb5.keytab
+    GssapiBasicAuth Off
     Require valid-user
 </Directory>
 <Directory "/setup/htdocs/auth/digest">
@@ -304,20 +303,19 @@ DocumentRoot "/setup/htdocs"
     AuthName "NTLM Authentication"
     AuthType NTLN
     NTLMauth on
-    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --diagnostic"
+    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp "
     Require valid-user
 </Directory>
 </IfDefine>
 <Directory "/setup/altdocs/auth/kerberos">
     Options Indexes FollowSymLinks
     AllowOverride None
 
-    AuthType Kerberos
+    AuthType GSSAPI
     AuthName "Kerberos Login"
-    KrbAuthRealm LINUX.CONTOSO.COM
-    Krb5Keytab /etc/krb5.keytab
-    KrbMethodK5Passwd off
-    KrbServiceName HTTP/altweb.linux.contoso.com:8080
+    GssapiCredStore keytab:/etc/krb5.keytab
+    GssapiBasicAuth Off
+    GssapiAcceptorName HTTP@altweb.linux.contoso.com:8080
     Require valid-user
 </Directory>
 
@@ -428,12 +426,11 @@ LogLevel warn
 <Directory "/usr/local/apache2/cgi-bin">
     AllowOverride None
     Options None
-    AuthType Kerberos
-AuthName "Kerberos Login"
-KrbAuthRealm LINUX.CONTOSO.COM
-Krb5Keytab /etc/krb5.keytab
-KrbMethodK5Passwd off
-Require valid-user
+    AuthType GSSAPI
+    AuthName "Kerberos Login"
+    GssapiCredStore keytab:/etc/krb5.keytab
+    GssapiBasicAuth Off
+    Require valid-user
 </Directory>
 
 <IfModule headers_module>

src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/mod_auth_ntlm_winbind/README

@@ -0,0 +1,101 @@
+OVERVIEW
+
+The mod_auth_ntlm_winbind module provides authentication and
+authorisation over the web against a Microsoft Windows NT/2000/XP or
+Samba Domain Controller using Samba's winbind daemon running on the
+same machine Apache 1.x or 2.x is running on.
+
+Used only by IE and newer versions of the Mozilla browser family, the
+NTLM over HTTP protocol is completed undocumented by Microsoft but has
+been reverse engineered and described at the following URL:
+
+http://davenport.sf.net/ntlm.html
+
+
+INSTALLATION
+
+The configure.in script and Makefile are essentially wrappers around
+apxs, which should be able to do all the work by itself. Having said
+that, the build/install process should simply be a matter of:
+
+$ autoconf
+$ ./configure
+$ make
+$ sudo make install
+
+The configure script will attempt to locate apxs and httpd. It will
+prefer apxs2 to apxs, and will use the httpd it finds to determine
+whether it is building for Apache 1 or Apache 2. You can override the
+detected settings using --with-apxs=/path/to/apxs and
+--with-httpd=/path/to/httpd
+
+In the event that the configure/Make combination doesn't work, you
+should be able to do:
+
+[Apache 1.x]
+$ apxs -c -i mod_auth_ntlm_winbind.c
+
+[Apache 2.x]
+$ apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
+(substitute apxs2 as appropriate)
+
+
+CONFIGURATION
+
+mod_auth_ntlm_winbind uses the same ntlm_auth helper as the Squid
+proxy, so the same setup applies as for Squid: the winbindd_privileged
+directory must be accessible by the webserver userid. The
+configuration directives added by this module are as follows:
+
+NTLMAuth
+  set to 'on' to activate NTLM authentication
+NegotiateAuth
+  set to 'on' to activate Negotiate authentication
+NTLMBasicAuthoritative
+  set to 'off' to allow access control to be passed along to lower
+  modules if the UserID is not known to this module
+NTLMBasicAuth
+  set to 'on' to activate Basic authentication (for non-NTLM browsers)
+NTLMBasicRealm
+  Realm to use for Basic authentication
+NTLMAuthHelper
+  Location and arguments to the Samba ntlm_auth utility for NTLM auth
+NegotiateAuthHelper
+  Location and arguments to the Samba ntlm_auth utility for Negotiate auth
+PlaintextAuthHelper
+  Location and arguments to the Samba ntlm_auth utility for Plaintext auth
+
+
+The following httpd.conf configuration describes an example
+configuration for this module:
+
+NTLM authentication:
+
+<Directory "/srv/www/auth">
+  AuthName "NTLM Authentication thingy"
+  NTLMAuth on
+  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+  NTLMBasicAuthoritative on
+  AuthType NTLM
+  require valid-user
+</Directory>
+
+or, to enable 'NTLM+Negotiate' authentication too:
+
+<Directory "/srv/www/auth">
+  AuthName "NTLM Authentication thingy"
+  NTLMAuth on
+  NegotiateAuth on
+  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+  NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
+  NTLMBasicAuthoritative on
+  AuthType NTLM
+  AuthType Negotiate
+  require valid-user
+</Directory>
+
+
+To debug what is going on, add the following line to your httpd.conf
+to enable debug messages to be written to the apache error log file:
+
+LogLevel debug