From fbd46f34cbd2984c2b8103b13957d03c41f82b4f Mon Sep 17 00:00:00 2001 From: Juan Sebastian Hoyos Ayala Date: Sat, 12 Aug 2023 01:47:59 +0000 Subject: [PATCH 1/3] [release/7.0] Update Microsoft.DiaSymReader.Native to 16.11.29-beta1.23404.4 --- eng/Versions.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eng/Versions.props b/eng/Versions.props index 087a6ce171a8ca..ce59695b3a3c08 100644 --- a/eng/Versions.props +++ b/eng/Versions.props @@ -140,7 +140,7 @@ 1.0.0-prerelease.22415.6 1.0.0-prerelease.22415.6 - 16.11.27-beta1.23180.1 + 16.11.29-beta1.23404.4 2.0.0-beta4.22355.1 3.0.3 2.1.0 From de7841221e4ad56750e452db8ac4eab459b2ab23 Mon Sep 17 00:00:00 2001 From: Tomas Weinfurt Date: Tue, 15 Aug 2023 21:48:56 +0000 Subject: [PATCH 2/3] Merged PR 32990: [release/7.0] limit AIA download size This prevents using unlimited resources from evil sources. I originally wanted to split limits and have them separately for certificates, OCSP and CRLs. However, the HttpClient.MaxResponseContentBufferSize can be set only once so I decided to keep it simple for servicing. We could split the HttpClient and have one for small and one for large downloads. Or alternatively we can handle the body directly. But it is going to be unpleseant with the reflection and sync & async flavors. port of https://dev.azure.com/dnceng/internal/_git/dotnet-runtime/pullrequest/32920 --- .../src/System/Net/Http/X509ResourceClient.cs | 26 +++++++++++- .../tests/RevocationTests/AiaTests.cs | 40 +++++++++++++++++++ 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs b/src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs index ff5a237c3f3ae3..6a78f1945d96b8 100644 --- a/src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs +++ b/src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs 
@@ -12,6 +12,9 @@ namespace System.Net.Http { internal static partial class X509ResourceClient { + private const long DefaultAiaDownloadLimit = 100 * 1024 * 1024; + + private static long AiaDownloadLimit { get; } = GetValue("System.Security.Cryptography.AiaDownloadLimit", DefaultAiaDownloadLimit); private static readonly Func>? s_downloadBytes = CreateDownloadBytesFunc(); static partial void ReportNoClient(); @@ -115,6 +118,7 @@ internal static partial class X509ResourceClient ConstructorInfo? httpRequestMessageCtor = httpRequestMessageType.GetConstructor(Type.EmptyTypes); MethodInfo? sendMethod = httpClientType.GetMethod("Send", new Type[] { httpRequestMessageType, typeof(CancellationToken) }); MethodInfo? sendAsyncMethod = httpClientType.GetMethod("SendAsync", new Type[] { httpRequestMessageType, typeof(CancellationToken) }); + PropertyInfo? maxResponseContentBufferSizeProp = httpClientType.GetProperty("MaxResponseContentBufferSize"); PropertyInfo? responseContentProp = httpResponseMessageType.GetProperty("Content"); PropertyInfo? responseStatusCodeProp = httpResponseMessageType.GetProperty("StatusCode"); PropertyInfo? responseHeadersProp = httpResponseMessageType.GetProperty("Headers"); @@ -125,7 +129,7 @@ internal static partial class X509ResourceClient if (socketsHttpHandlerCtor == null || pooledConnectionIdleTimeoutProp == null || allowAutoRedirectProp == null || httpClientCtor == null || requestUriProp == null || httpRequestMessageCtor == null || - sendMethod == null || sendAsyncMethod == null || + sendMethod == null || sendAsyncMethod == null || maxResponseContentBufferSizeProp == null || responseContentProp == null || responseStatusCodeProp == null || responseHeadersProp == null || responseHeadersLocationProp == null || readAsStreamMethod == null || taskOfHttpResponseMessageResultProp == null) 
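Review bot: The value read into `AiaDownloadLimit` is never range-checked before the `@@ -149` hunk hands it to `MaxResponseContentBufferSize`, and that HttpClient setter rejects non-positive values and values above int.MaxValue; a deployment that sets the switch to 0 (expecting "unlimited") or to an oversized number therefore makes the reflected `SetValue` throw on the path rooted at the `s_downloadBytes = CreateDownloadBytesFunc()` initializer, and whether that surfaces as a TypeInitializationException on first use or as AIA fetching being silently disabled depends on exception handling in `CreateDownloadBytesFunc` that lies outside these hunks. The cheapest fix is in the `GetValue` hunk (`@@ -306`): replace `return Convert.ToInt64(data);` with `long value = Convert.ToInt64(data); return value > 0 && value <= int.MaxValue ? value : defaultValue;` so a malformed or out-of-range switch falls back to the 100 MiB default instead of breaking the downloader. The constant also deserves a comment stating its unit and the override, e.g. `// Upper bound, in bytes, for a single AIA/OCSP/CRL response body; overridable via the System.Security.Cryptography.AiaDownloadLimit AppContext switch.`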
@@ -149,6 +153,7 @@ internal static partial class X509ResourceClient pooledConnectionIdleTimeoutProp.SetValue(socketsHttpHandler, TimeSpan.FromSeconds(PooledConnectionIdleTimeoutSeconds)); allowAutoRedirectProp.SetValue(socketsHttpHandler, false); object? httpClient = httpClientCtor.Invoke(new object?[] { socketsHttpHandler }); + maxResponseContentBufferSizeProp.SetValue(httpClient, AiaDownloadLimit); return async (string uriString, CancellationToken cancellationToken, bool async) => { @@ -306,5 +311,24 @@ private static bool IsAllowedScheme(string scheme) { return string.Equals(scheme, "http", StringComparison.OrdinalIgnoreCase); } + + private static long GetValue(string name, long defaultValue) + { + object? data = AppContext.GetData(name); + + if (data is null) + { + return defaultValue; + } + + try + { + return Convert.ToInt64(data); + } + catch + { + return defaultValue; + } + } } } diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs index 753bec3b88b6bd..c2e70c7f150a86 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs @@ -3,6 +3,7 @@ using System.Linq; using System.Security.Cryptography.X509Certificates.Tests.Common; +using Microsoft.DotNet.RemoteExecutor; using Test.Cryptography; using Xunit; 
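Review bot: The bare `catch` in the new `GetValue` helper (`@@ -306` hunk) swallows every exception type even though `Convert.ToInt64` can only fail with a conversion error, which hides genuine bugs behind a silent fallback to the default. Narrowing it to `catch (Exception e) when (e is FormatException or InvalidCastException or OverflowException)` keeps the intended best-effort behaviour while letting anything unexpected propagate. A one-line summary on the method, e.g. `// Reads a numeric AppContext switch, falling back to defaultValue when it is unset or not convertible to long.`, would make the intent explicit to the next reader.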
@@ -177,5 +178,44 @@ public static void DisableAiaOptionWorks() }); } } + + [ActiveIssue("https://github.com/dotnet/runtime/issues/57506", typeof(PlatformDetection), nameof(PlatformDetection.IsMonoRuntime), nameof(PlatformDetection.IsMariner))] + [PlatformSpecific(TestPlatforms.Linux)] + [ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))] + public static void AiaIgnoresCertOverLimit() + { + RemoteExecutor.Invoke(() => + { + AppContext.SetData("System.Security.Cryptography.AiaDownloadLimit", 100); + CertificateAuthority.BuildPrivatePki( + PkiOptions.AllRevocation, + out RevocationResponder responder, + out CertificateAuthority root, + out CertificateAuthority intermediate, + out X509Certificate2 endEntity, + pkiOptionsInSubject: false, + testName: Guid.NewGuid().ToString()); + + using (responder) + using (root) + using (intermediate) + using (endEntity) + using (X509Certificate2 rootCert = root.CloneIssuerCert()) + { + responder.AiaResponseKind = AiaResponseKind.Cert; + + using (ChainHolder holder = new ChainHolder()) + { + X509Chain chain = holder.Chain; + chain.ChainPolicy.CustomTrustStore.Add(rootCert); + chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1); + chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit; + + Assert.False(chain.Build(endEntity)); + } + } + }).Dispose(); + } } } From 0c355d0594f6c856253e574dc7cd5e993d953c29 Mon Sep 17 00:00:00 2001 From: Carlos Sanchez Lopez Date: Fri, 18 Aug 2023 21:57:56 +0000 Subject: [PATCH 3/3] Merged PR 33267: Bump Microsoft.Windows.Compatibility version to 5 --- .../src/Microsoft.Windows.Compatibility.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
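Review bot: `Assert.False(chain.Build(endEntity))` at the end of `AiaIgnoresCertOverLimit` only shows that the chain did not build, not that the intermediate was refused for exceeding the 100-byte limit; any unrelated failure in this setup (responder not reachable, trust store misconfigured) passes the test just as well. Inspecting `chain.ChainStatus` — for instance checking for `X509ChainStatusFlags.PartialChain`, if that is the status a missing intermediate produces on Linux — or pairing this with the same setup building successfully under the default limit would tie the outcome to the limit itself. A short comment on the `AppContext.SetData` line would also help, e.g. `// 100 bytes is far below any real certificate, so the AIA download must be rejected and the chain left incomplete.`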
diff --git a/src/libraries/Microsoft.Windows.Compatibility/src/Microsoft.Windows.Compatibility.csproj b/src/libraries/Microsoft.Windows.Compatibility/src/Microsoft.Windows.Compatibility.csproj index 6d4340447e966e..1b55f563eeb999 100644 --- a/src/libraries/Microsoft.Windows.Compatibility/src/Microsoft.Windows.Compatibility.csproj +++ b/src/libraries/Microsoft.Windows.Compatibility/src/Microsoft.Windows.Compatibility.csproj @@ -6,7 +6,7 @@ false true true - 4 + 5 $(NoWarn);NU5128 This Windows Compatibility Pack provides access to APIs that were previously available only for .NET Framework. It can be used from both .NET as well as .NET Standard.