Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement TLS1.3 delayed client cert requests on Linux #64268

Merged
merged 7 commits into from
Feb 9, 2022
Merged

Implement TLS1.3 delayed client cert requests on Linux #64268

merged 7 commits into from
Feb 9, 2022

Conversation

rzikm
Copy link
Member

@rzikm rzikm commented Jan 25, 2022
edited
Loading

Fixes #55757

This PR adds the NegotiateClientCertificateAsync support for TLS1.3 on Linux

The changes in this PR depend on changes made in #63945, so this PR will need to stay in draft state until that one is merged.
https://github.com/dotnet/runtime/pull/64268/files#diff-5d47fb42fd96c09e13b52482e126d7a282513646feb5f672108dbbd7dd0d5f4aR543-R545

The changes also should contribute to #58927, I was able to reproduce the hang in SslStream_NegotiateClientCertificateAsyncTls13_Succeeds when using OpenSSL and Linux.
https://github.com/dotnet/runtime/pull/64268/files#diff-1d28e92dd65ace08e351f991ffd5da78f606a6bc4f212160df97d5012bd7cdc9R577-R579

@ghost ghost assigned rzikm Jan 25, 2022
@ghost
Copy link

ghost commented Jan 25, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes #55757

This PR adds the NegotiateClientCertificateAsync support for TLS1.3 on Linux

The changes in this PR depend on changes made in #63945, so this PR will need to stay in draft state until that one is merged.

The changes also should contribute to #58927, I was able to reproduce the hang in SslStream_NegotiateClientCertificateAsyncTls13_Succeeds when using OpenSSL and Linux.

Author: rzikm
Assignees: -
Labels:

area-System.Net.Security
Milestone: -

@rzikm rzikm changed the title Use correct API on TLS1.3 for delayed client cert requests (WIP) Implement TLS1.3 delayed client cert requests on Linux Jan 25, 2022
@rzikm rzikm added the os-linux Linux OS (any supported distro) label Jan 25, 2022
wfurt
wfurt reviewed Jan 25, 2022
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like good start. I left few early comments

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs Outdated Show resolved Hide resolved
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs Outdated Show resolved Hide resolved
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Outdated Show resolved Hide resolved
src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs Outdated Show resolved Hide resolved
src/native/libs/System.Security.Cryptography.Native/configure.cmake Outdated Show resolved Hide resolved
src/native/libs/System.Security.Cryptography.Native/opensslshim.h Outdated Show resolved Hide resolved
@rzikm rzikm force-pushed the 55757_nego-tls-1.3 branch 3 times, most recently from 709984b to 6f64c53 Compare January 27, 2022 13:24
@rzikm rzikm requested a review from wfurt January 27, 2022 13:56
@rzikm rzikm marked this pull request as ready for review January 27, 2022 19:33
@rzikm
Copy link
Member Author

rzikm commented Jan 28, 2022

Looks like we have test failures on Ubuntu 18.04, possibly becuase we are calling SSL_renegotiate on TLS 1.3 session. The only way this can happen IMO is that we are compiling against older openssl headers and thus the branch calling SSL_verify_client_post_handshake is left out due to preprocessor define.

CI Log 
===========================================================================================================
/datadisks/disk1/work/9FBA08A2/w/A8980923/e /datadisks/disk1/work/9FBA08A2/w/A8980923/e
  Discovering: System.Net.Security.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Security.Tests (found 290 of 475 test cases)
  Starting:    System.Net.Security.Tests (parallel test collections = on, max threads = 2)
    System.Net.Security.Tests.SslStreamEKUTest.SslStream_SelfSignedClientEKUClientAuth_Ok [SKIP]
      Condition(s) not met: "IsRootCertificateInstalled"
    System.Net.Security.Tests.SslStreamEKUTest.SslStream_ServerEKUClientAuth_Fails [SKIP]
      Condition(s) not met: "IsRootCertificateInstalled"
    System.Net.Security.Tests.SslStreamEKUTest.SslStream_ClientEKUServerAuth_Fails [SKIP]
      Condition(s) not met: "IsRootCertificateInstalled"
    System.Net.Security.Tests.SslStreamEKUTest.SslStream_NoEKUServerAuth_Ok [SKIP]
      Condition(s) not met: "IsRootCertificateInstalled"
    System.Net.Security.Tests.SslStreamEKUTest.SslStream_NoEKUClientAuth_Ok [SKIP]
      Condition(s) not met: "IsRootCertificateInstalled"
    System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_NegotiateClientCertificateAsyncTls13_Succeeds(sendClientCertificate: True) [FAIL]
      Interop+Crypto+OpenSslCryptographicException : error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version
      Stack Trace:
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs(298,0): at System.Net.Security.SslStream.<RenegotiateAsync>d__172`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=7.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs(463,0): at System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_NegotiateClientCertificateAsyncTls13_Succeeds(Boolean sendClientCertificate)
        --- End of stack trace from previous location ---
    System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_NegotiateClientCertificateAsyncTls13_Succeeds(sendClientCertificate: False) [FAIL]
      Interop+Crypto+OpenSslCryptographicException : error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version
      Stack Trace:
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs(298,0): at System.Net.Security.SslStream.<RenegotiateAsync>d__172`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=7.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs(463,0): at System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_NegotiateClientCertificateAsyncTls13_Succeeds(Boolean sendClientCertificate)
        --- End of stack trace from previous location ---
  Finished:    System.Net.Security.Tests
=== TEST EXECUTION SUMMARY ===

@rzikm rzikm force-pushed the 55757_nego-tls-1.3 branch 2 times, most recently from 0698b85 to 0996fcd Compare February 2, 2022 12:01
@rzikm
Copy link
Member Author

rzikm commented Feb 2, 2022

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm
Copy link
Member Author

rzikm commented Feb 3, 2022

CI failures are unrelated:

  • System.Net.Sockets.Tests.SocketAsyncEventArgsTest.AcceptAsync_WithTooSmallReceiveBuffer_Failure
  • System.Net.Security.Tests.TelemetryTest.EventSource_SuccessfulHandshake_LogsStartStop

bartonjs
bartonjs reviewed Feb 8, 2022
View reviewed changes
src/native/libs/System.Security.Cryptography.Native/osslcompat_111.h Outdated
Comment on lines 82 to 83
int SSL_verify_client_post_handshake(SSL *s);
void SSL_set_post_handshake_auth(SSL *s, int val);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If no special #if is required for these prototypes, they should be sorted alphabetically in this block.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be fixed now

@rzikm
Copy link
Member Author

rzikm commented Feb 8, 2022

I think the code is ready now for (hopefully last) round of reviews

@rzikm rzikm requested a review from bartonjs February 8, 2022 19:29
wfurt
wfurt approved these changes Feb 9, 2022
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SslStream part look good to me. I'll deferrer final judgement on the PAL to @bartonjs.

@rzikm
Copy link
Member Author

rzikm commented Feb 9, 2022

Failing test is #64964
build runtime-libraries enterprise-linux failure seems unrelated

  [ 45%] Building ASM object vm/wks/CMakeFiles/cee_wks_core.dir/__/amd64/jithelpers_fastwritebarriers.S.o
  /repo/src/coreclr/vm/amd64/jithelpers_fast.S:456:9: error: invalid operand for instruction
          mov r10, 0xCDCDCDCDCDCDCDCD
          ^

@rzikm
Copy link
Member Author

rzikm commented Feb 9, 2022

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

rzikm and others added 7 commits February 9, 2022 11:40
@rzikm
Use correct API on TLS1.3 for delayed client cert requests (WIP)
1c78e29 
Fix native shims on older OpenSSL versions

Remove unneeded hacks

Remove redundant PlatformSpecificAttribute

Merge CryptoNative_SslVerifyClientPostHandshake to CryptoNative_SslRenegotiate

Reenable test on Windows 11

Revert unwanted changes

Advertise post-handshake auth if client provided a cert

Fix compilation against older OpenSSL versions

Fix trailing whitespace

Fix compilation on older versions

Add missing define
@rzikm
Fix compilation
1e36e7c
@rzikm
Redisable TLS13 renego tests on Windows
b5e049e
@rzikm
Improve wording of a comment.
25fe070
@rzikm
Use NEED_OPENSSL_1_1 instead of NEED_OPENSSL_1_3
bdc29d0
@rzikm
Move function prototypes to osslcompat_111.h
a014271
@rzikm
Sort the function prototypes alphabetically
72eb1bb
@runfoapp runfoapp bot mentioned this pull request Feb 9, 2022
Closed
@bartonjs bartonjs merged commit aaaa2a7 into dotnet:main Feb 9, 2022
@rzikm rzikm removed their assignment Feb 16, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Mar 18, 2022
@karelz karelz added this to the 7.0.0 milestone Apr 8, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub left review comments

@wfurt wfurt wfurt approved these changes

@bartonjs bartonjs bartonjs approved these changes

Assignees
No one assigned
Labels
area-System.Net.Security os-linux Linux OS (any supported distro)
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

SslStream delayed client certificate with TLS 1.3 on Linux
5 participants
@rzikm @stephentoub @bartonjs @wfurt @karelz