Skip to content

Fix handling SECBUFFER_EXTRA with renegotiation after handshake. #103419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Jul 9, 2024
Merged

Fix handling SECBUFFER_EXTRA with renegotiation after handshake. #103419

merged 10 commits into from
Jul 9, 2024

Conversation

rzikm
Copy link
Member

@rzikm rzikm commented Jun 13, 2024
edited
Loading

Fixes #91409.

In case Renegotiation request arrives immediately after handshake, we may read it together with the ServerDone message, passing the Renegotiate message to InitializeSecurityContext would leave it unprocessed (and reported via SECBUFFER_EXTRA), but the existing code would attempt to feed it back into ISC, when the right thing to do is to pass it to DecryptMessage (as normal post-handshake data).

This PR bubbles up the amount of consumed bytes from InitializeSecurityContext and AcceptSecurityContext, so that the upper layer can decide where the extra data should go next (back to ISC/ASC if handshake is not yet finished, DecryptMessage if handshake is finished). It also adds unit tests (one of which fails without this change).

This was referenced Jun 13, 2024
Open
Closed
@rzikm rzikm marked this pull request as ready for review June 14, 2024 07:55
@rzikm rzikm requested a review from wfurt June 14, 2024 07:55
@rzikm
Copy link
Member Author

rzikm commented Jun 14, 2024

/azp run runtime-libraries coreclr-outerloop

@azure-pipelines Azure Pipelines
Copy link

No pipelines are associated with this pull request.

@rzikm
Copy link
Member Author

rzikm commented Jun 14, 2024

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm
Copy link
Member Author

rzikm commented Jun 14, 2024

/azp run runtime-extra-platforms

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jun 14, 2024
Closed
Closed
Open
@wfurt
Copy link
Member

wfurt commented Jun 14, 2024

I was originally wondering if we can do something here:

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs

Lines 850 to 866 in f8f4509

extraBuffer = new byte[_buffer.DecryptedLength];
_buffer.DecryptedSpan.CopyTo(extraBuffer);
_buffer.Discard(_buffer.DecryptedLength);
}
if (NetEventSource.Log.IsEnabled())
NetEventSource.Info(null, $"***Processing an error Status = {status}");
if (status.ErrorCode == SecurityStatusPalErrorCode.Renegotiate)
{
// We determined above that we will not process it.
if (_handshakeWaiter == null)
{
throw new IOException(SR.net_ssl_io_renego);
}
await ReplyOnReAuthenticationAsync<TIOAdapter>(extraBuffer, cancellationToken).ConfigureAwait(false);

we treat it as opaque buffer but it is probably sequence of TLS frames...?

This issue impacts only Windows IMHO so it would be nice to keep is scoped down.

@rzikm
Copy link
Member Author

rzikm commented Jun 17, 2024

we treat it as opaque buffer but it is probably sequence of TLS frames...?

The Renegotiate frame which causes the problem in this case is of type Handshake, so it cannot be distinguished from the tail end of the TLS handshake (ChangeCipherSpec, Finished and such).

This issue impacts only Windows IMHO so it would be nice to keep is scoped down.

I tried to scope it down as much as possible, the Unix/OSX paths should behave the same way as before, the only change over there is the added out parameter which always reports that entire buffer passed in was processed.

I have some ideas how to refactor and simplify the Windows/Unix logic split, but I want to postpone them until early .NET 10.

This was referenced Jun 19, 2024
Open
Open
Closed
Open
Closed
@rzikm
Copy link
Member Author

rzikm commented Jun 19, 2024

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@wfurt wfurt mentioned this pull request Jun 28, 2024
Closed
wfurt
wfurt approved these changes Jul 8, 2024
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rzikm rzikm closed this Jul 8, 2024
@rzikm rzikm reopened this Jul 8, 2024
rzikm added 2 commits July 8, 2024 13:14
@rzikm
Merge branch 'main' into 91409-AuthenticateAsClientAsync-can-fail-if-…
417a140 
…renegotiation-is-requested-immediately-after-handshake
@rzikm
Merge commit '82f7537' into 91409-AuthenticateAsClientAsync-can-fail-…
ba66143 
…if-renegotiation-is-requested-immediately-after-handshake
@rzikm rzikm merged commit 1164d2f into dotnet:main Jul 9, 2024
83 checks passed
@rzikm rzikm mentioned this pull request Jul 9, 2024
Closed
@mdh1418 mdh1418 mentioned this pull request Jul 10, 2024
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2024
@karelz karelz added this to the 9.0.0 milestone Sep 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wfurt wfurt wfurt approved these changes

Assignees

@rzikm rzikm

Labels
area-System.Net.Security
Projects
None yet
Milestone
9.0.0
Development

Successfully merging this pull request may close these issues.

AuthenticateAsClientAsync can fail if renegotiation is requested immediately after handshake
3 participants
@rzikm @wfurt @karelz