Removing SSLv2 and SSLv3 support from System.Net.Security.

APIs will throw NotSupportedException if SSLv2 or v3 is used. This behavior is different from .NET Desktop. Tests have been changed to pin this new behavior. Increased passing-test timeouts to 15s. Fix #3114 (partial), #4467
CIPop · Nov 13, 2015 · 6471f3b · 6471f3b
1 parent 895e759
commit 6471f3b
Show file tree

Hide file tree

Showing 10 changed files with 344 additions and 161 deletions.
diff --git a/src/Common/src/Interop/Windows/SChannel/Interop.SchProtocols.cs b/src/Common/src/Interop/Windows/SChannel/Interop.SchProtocols.cs
@@ -8,10 +8,8 @@ internal static partial class SChannel
         // Most constants below are taken from schannel.h; those that are not are
         // called out explicitly.
 
-        public const int SP_PROT_PCT1_SERVER = 0x00000001;
-        public const int SP_PROT_PCT1_CLIENT = 0x00000002;
-        public const int SP_PROT_PCT1 = (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT);
-
+        // IMPORTANT: SSL2 and SSL3 definitions are required for System.Net.Primitives enum definitions only.
+        // These values should NOT be used in Schannel setup.
         public const int SP_PROT_SSL2_SERVER = 0x00000004;
         public const int SP_PROT_SSL2_CLIENT = 0x00000008;
         public const int SP_PROT_SSL2 = (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT);
@@ -32,18 +30,10 @@ internal static partial class SChannel
         public const int SP_PROT_TLS1_2_CLIENT = 0x00000800;
         public const int SP_PROT_TLS1_2 = (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT);
 
-        public const int SP_PROT_SSL3TLS1_CLIENTS = (SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT);
-        public const int SP_PROT_SSL3TLS1_SERVERS = (SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER);
-        public const int SP_PROT_SSL3TLS1 = (SP_PROT_SSL3 | SP_PROT_TLS1_0);
-
-        public const int SP_PROT_UNI_SERVER = 0x40000000;
-        public const int SP_PROT_UNI_CLIENT = unchecked((int)0x80000000);
-        public const int SP_PROT_UNI = (SP_PROT_UNI_SERVER | SP_PROT_UNI_CLIENT);
-
         public const int SP_PROT_NONE = 0;
 
         // These two constants are not taken from schannel.h. 
-        public const int ClientProtocolMask = (SP_PROT_PCT1_CLIENT | SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT | SP_PROT_UNI_CLIENT);
-        public const int ServerProtocolMask = (SP_PROT_PCT1_SERVER | SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER | SP_PROT_UNI_SERVER);
+        public const int ClientProtocolMask = (SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT);
+        public const int ServerProtocolMask = (SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER);
     }
 }
diff --git a/src/System.Net.Security/src/Resources/Strings.resx b/src/System.Net.Security/src/Resources/Strings.resx
@@ -123,6 +123,9 @@
   <data name="net_securitypackagesupport" xml:space="preserve">
     <value>The requested security package is not supported.</value>
   </data>
+  <data name="net_securityprotocolnotsupported" xml:space="preserve">
+    <value>The requested security protocol is not supported.</value>
+  </data>
   <data name="net_MethodNotImplementedException" xml:space="preserve">
     <value>This method is not implemented by this class.</value>
   </data>

diff --git a/src/System.Net.Security/src/System/Net/SecureProtocols/SslStream.cs b/src/System.Net.Security/src/System/Net/SecureProtocols/SslStream.cs
@@ -110,6 +110,8 @@ public virtual void AuthenticateAsClient(string targetHost)
 
         public virtual void AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
         {
+            ValidateSecurityProtocol(enabledSslProtocols);
+
             _sslState.ValidateCreateContext(false, targetHost, enabledSslProtocols, null, clientCertificates, true, checkCertificateRevocation);
             _sslState.ProcessAuthentication(null);
         }
@@ -147,6 +149,8 @@ public virtual void AuthenticateAsServer(X509Certificate serverCertificate)
         public virtual void AuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired,
                                                SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
         {
+            ValidateSecurityProtocol(enabledSslProtocols);
+
             _sslState.ValidateCreateContext(true, string.Empty, enabledSslProtocols, serverCertificate, null, clientCertificateRequired, checkCertificateRevocation);
             _sslState.ProcessAuthentication(null);
         }
@@ -196,6 +200,8 @@ public virtual Task AuthenticateAsClientAsync(string targetHost)
 
         public virtual Task AuthenticateAsClientAsync(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
         {
+            ValidateSecurityProtocol(enabledSslProtocols);
+
             return Task.Factory.FromAsync((callback, state) => BeginAuthenticateAsClient(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, callback, state), EndAuthenticateAsClient, null);
         }
 
@@ -206,6 +212,8 @@ public virtual Task AuthenticateAsServerAsync(X509Certificate serverCertificate)
 
         public virtual Task AuthenticateAsServerAsync(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
         {
+            ValidateSecurityProtocol(enabledSslProtocols);
+
             return Task.Factory.FromAsync((callback, state) => BeginAuthenticateAsServer(serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation, callback, state), EndAuthenticateAsServer, null);
         }
         #endregion
@@ -460,5 +468,15 @@ public override void Write(byte[] buffer, int offset, int count)
         {
             _sslState.SecureStream.Write(buffer, offset, count);
         }
+
+        private static void ValidateSecurityProtocol(SslProtocols protocols)
+        {
+            SslProtocols allowedProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+
+            if ((protocols == SslProtocols.None) || ((protocols & ~allowedProtocols) != 0))
+            {
+                throw new NotSupportedException(SR.net_securityprotocolnotsupported);
+            }
+        }
     }
 }
diff --git a/src/System.Net.Security/tests/FunctionalTests/CertificateValidationClientServer.cs b/src/System.Net.Security/tests/FunctionalTests/CertificateValidationClientServer.cs
@@ -45,7 +45,7 @@ public async Task CertificateValidationClientServer_EndToEnd_Ok()
                 Assert.True(
                     Task.WaitAll(
                         new Task[] { clientConnect, serverAccept }, 
-                        TestConfiguration.TestTimeoutSeconds * 1000),
+                        TestConfiguration.PassingTestTimeoutMilliseconds),
                     "Client/Server TCP Connect timed out.");
 
                 using (TcpClient serverConnection = await serverAccept)
@@ -80,7 +80,7 @@ public async Task CertificateValidationClientServer_EndToEnd_Ok()
                     Assert.True(
                         Task.WaitAll(
                             new Task[] { clientAuthentication, serverAuthentication }, 
-                            TestConfiguration.TestTimeoutSeconds * 1000),
+                            TestConfiguration.PassingTestTimeoutMilliseconds),
                         "Client/Server Authentication timed out.");
                 }
             }