rpms/dotnet9.0
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to .NET SDK 9 preview 7 and Runtime 9 preview 7

Browse Source 
Resolves: RHEL-48619
This commit is contained in:
Omair Majid 2024-08-15 17:01:01 -04:00
parent 3bc8a7260d
commit ad36f7da0d
17 changed files with 1970 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

4
.gitignore vendored
View File

@ -0,0 +1,4 @@
/dotnet-prebuilts-9.0.100-preview.7.24380.1-ppc64le.tar.gz
/dotnet-prebuilts-9.0.100-preview.7.24380.1-s390x.tar.gz
/dotnet-sdk-9.0.100-preview.7.24380.2-linux-arm64.tar.gz
/dotnet-v9.0.0-preview.7.24405.7-x64-bootstrap.tar.gz

171
build-dotnet-bootstrap-tarball Executable file
View File

@ -0,0 +1,171 @@
#!/bin/bash
# Usage:
# build-dotnet-bootstrap-tarball <tag-or-commit-from-dotnet>
#
# Creates a source archive suitable for bootstrapping from a tag (or commit) at
# https://github.com/dotnet/dotnet
#
# Clone dotnet/dotnet, check out the tag, and build a source-tarball.
# Can also use a full git commit identifier instead of tag (not an
# abbreviated 8 character commit identifier though).
set -euo pipefail
IFS=$'\n\t'
function print_usage {
echo "Usage:"
echo "$0 <tag-from-dotnet>"
echo
echo "Creates a $arch bootstrap source archive from a tag at https://github.com/dotnet/dotnet"
}
function clean_dotnet_cache {
rm -rf ~/.aspnet ~/.dotnet/ ~/.nuget/ ~/.local/share/NuGet ~/.templateengine
rm -rf /tmp/NuGet /tmp/NuGetScratch /tmp/.NETCore* /tmp/.NETStandard* /tmp/.dotnet /tmp/dotnet.* /tmp/clr-debug-pipe* /tmp/Razor-Server /tmp/CoreFxPipe* /tmp/VBCSCompiler /tmp/.NETFramework*
rm -rf ~/.npm/
}
function check_bootstrap_environment {
if rpm -qa | grep dotnet ; then
echo "error: dotnet is installed. Not a good idea for bootstrapping."
exit 1
fi
if [ -d /usr/lib/dotnet ] || [ -d /usr/lib64/dotnet ] || [ -d /usr/share/dotnet ] ; then
echo "error: one of /usr/lib/dotnet /usr/lib64/dotnet or /usr/share/dotnet/ exists. Not a good idea for bootstrapping."
exit 1
fi
if command -v dotnet ; then
echo "error: dotnet is in $PATH. Not a good idea for bootstrapping."
exit 1
fi
}
function runtime_id {
source /etc/os-release
case "${ID}" in
# Remove the RHEL minor version
rhel) rid_version=${VERSION_ID%.*} ;;
*) rid_version=${VERSION_ID} ;;
esac
echo "${ID}.${rid_version}-${arch}"
}
build_bootstrap=false
declare -A archmap
archmap=(
["aarch64"]="arm64"
["amd64"]="x64"
["armv8l"]="arm"
["i386"]="x86"
["i686"]="x86"
["ppc64le"]="ppc64le"
["s390x"]="s390x"
["x86_64"]="x64"
)
arch=${archmap["$(uname -m)"]}
positional_args=()
while [[ "$#" -gt 0 ]]; do
arg="${1}"
case "${arg}" in
-h|--help)
print_usage
exit 0
;;
*)
positional_args+=("$1")
shift
;;
esac
done
check_bootstrap_environment
tag=${positional_args[0]:-}
if [[ -z ${tag} ]]; then
echo "error: missing tag to build"
exit 1
fi
set -x
dir_name="dotnet-${tag}"
unmodified_tarball_name="${dir_name}-original"
tarball_name="${dir_name}"
unmodified_tarball_name="${unmodified_tarball_name}-${arch}-bootstrap"
tarball_name="${tarball_name}-${arch}-bootstrap"
tarball_suffix=.tar.gz
if [ -f "${tarball_name}${tarball_suffix}" ]; then
echo "error: ${tarball_name}${tarball_suffix} already exists"
exit 1
fi
if [ ! -f "${unmodified_tarball_name}.tar.gz" ]; then
if [[ $tag =~ ^[0-9a-fA-F]+$ ]]; then
if [ ! -f $tag.zip ]; then
wget https://github.com/dotnet/dotnet/archive/$tag.zip
fi
dir=$(mktemp -d -p $(pwd))
pushd $dir
unzip -q ../$tag.zip
if [[ $(ls -1q | wc -l) -gt 3 ]]; then
echo "error: tarball doesn't have a single main directory"
exit 1
fi
tar czf ../${unmodified_tarball_name}.tar.gz dotnet-$tag
popd
else
wget https://github.com/dotnet/dotnet/archive/refs/tags/${tag}.tar.gz
mv "${tag}.tar.gz" "${unmodified_tarball_name}.tar.gz"
fi
fi
tar tf "${unmodified_tarball_name}".tar.gz > .tarball_file_list
extracted_tarball_root=$(head -1 .tarball_file_list | cut -d/ -f 1)
if [[ "$extracted_tarball_root" == "."* ]]; then
echo "error: can't find main directory in the dotnet tarball"
exit 1
fi
if [[ $(grep -cv "^${extracted_tarball_root}/" .tarball_file_list) -gt 0 ]]; then
echo "error: tarball doesn't have a single main directory"
exit 1
fi
rm .tarball_file_list
rm -rf "${tarball_name}"
rm -rf "${extracted_tarball_root}"
tar xf "${unmodified_tarball_name}.tar.gz"
mv "${extracted_tarball_root}" "${tarball_name}"
pushd "${tarball_name}"
./prep-source-build.sh --bootstrap
# Remove files with funny licenses and crypto implementations and
# other not-very-useful artifacts. We MUST NOT ship any files that
# have unapproved licenses and unexpected cryptographic
# implementations.
#
# We use rm -r (no -f) to make sure the operation fails if the files
# are not at the expected locations. If the files are not at the
# expected location, we need to find the new location of the files and
# delete them, or verify that upstream has already removed the files.
# rm -r $FILE_TO_REMOVE
popd
echo "Bootstrap .NET SDK: $(jq .tools.dotnet "${tarball_name}"/global.json)"
time tar -czf "${tarball_name}${tarball_suffix}" "${tarball_name}"

63
build-prebuilt-archive Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
# Usage:
# build-prebuilt-archive architecture vmr-directory
#
# Creates an archive containing necessary bootstrapping binaries for ppc64le or
# s390x architectures from a VMR build.
#
# You need to have cloned the VMR (https://github.com/dotnet/dotnet) and
# cross-compiled it for the target architecture already.
set -euo pipefail
IFS=$'\n\t'
set -x
function print_usage {
echo "Usage:"
echo "$0 <architecture> <vmr directory>"
echo
echo "Creates a ppc64le or s390x bootstrap archive from a VMR build."
echo
echo "You need to have cloned the VMR (https://github.com/dotnet/dotnet) and"
echo "cross-compiled it for the target architecture already."
}
positional_args=()
while [[ "$#" -gt 0 ]]; do
arg="${1}"
case "${arg}" in
-h|--help)
print_usage
exit 0
;;
*)
positional_args+=("$1")
shift
;;
esac
done
arch=${positional_args[0]} # Name of the architecture. Eg, s390x or ppc64le
dir=${positional_args[1]} # Checkout of the VMR with the cross-build for the target architecture
dir=$(readlink -f "$dir")
sdk_tarball=$(readlink -f $(find "$dir" -iname 'dotnet-sdk*'"$arch"'*tar.gz' | head -1))
# SDK is at VMR/artifacts/assets/Release/dotnet-sdk-9.0.100-preview.3.24165.1-linux-$arch.tar.gz. Extract the SDK version from the name.
sdk_version=$(echo "$(basename "${sdk_tarball}")" | sed -E -e 's/dotnet-sdk-//' -e "s/-linux-$arch.tar.gz//")
echo $sdk_version
archive_name=dotnet-prebuilts-${sdk_version}-${arch}
mkdir -p $archive_name
pushd $archive_name
cp -av $sdk_tarball .
# Get all architecture-specific nuget packages
find $dir/artifacts/packages/Release/Shipping/ -iname "*linux-$arch*nupkg" -exec cp -avL {} . \;
popd
tar cvzf $archive_name.tar.gz $archive_name

140
check-debug-symbols.py Executable file
View File

@ -0,0 +1,140 @@
#!/usr/bin/python3
"""
Check debug symbols are present in shared object and can identify
code.
It starts scanning from a directory and recursively scans all ELF
files found in it for various symbols to ensure all debuginfo is
present and nothing has been stripped.
Usage:
./check-debug-symbols /path/of/dir/to/scan/
Example:
./check-debug-symbols /usr/lib64
"""
# This technique was explained to me by Mark Wielaard (mjw).
import collections
import os
import re
import subprocess
import sys
ScanResult = collections.namedtuple('ScanResult',
'file_name debug_info debug_abbrev file_symbols gnu_debuglink')
file_symbol_exclude_list = [
'ilc',
]
def scan_file(file):
"Scan the provided file and return a ScanResult containing results of the scan."
# Test for .debug_* sections in the shared object. This is the main test.
# Stripped objects will not contain these.
readelf_S_result = subprocess.run(['eu-readelf', '-S', file],
stdout=subprocess.PIPE, encoding='utf-8', check=True)
has_debug_info = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_info' in line)
has_debug_abbrev = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_abbrev' in line)
# Test FILE symbols. These will most likely be removed by anyting that
# manipulates symbol tables because it's generally useless. So a nice test
# that nothing has messed with symbols.
def contains_file_symbols(line):
parts = line.split()
if len(parts) < 8:
return False
return \
parts[2] == '0' and parts[3] == 'FILE' and parts[4] == 'LOCAL' and parts[5] == 'DEFAULT' and \
parts[6] == 'ABS' and re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])
readelf_s_result = subprocess.run(["eu-readelf", '-s', file],
stdout=subprocess.PIPE, encoding='utf-8', check=True)
has_file_symbols = True
if not os.path.basename(file) in file_symbol_exclude_list:
has_file_symbols = any(line for line in readelf_s_result.stdout.split('\n') if contains_file_symbols(line))
# Test that there are no .gnu_debuglink sections pointing to another
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
# no sense either.
has_gnu_debuglink = any(line for line in readelf_s_result.stdout.split('\n') if '] .gnu_debuglink' in line)
return ScanResult(file, has_debug_info, has_debug_abbrev, has_file_symbols, has_gnu_debuglink)
def is_elf(file):
result = subprocess.run(['file', file], stdout=subprocess.PIPE, encoding='utf-8', check=True)
return re.search(r'ELF 64-bit [LM]SB (?:pie )?(?:executable|shared object)', result.stdout)
def scan_file_if_sensible(file):
if is_elf(file):
return scan_file(file)
return None
def scan_dir(dir):
results = []
for root, _, files in os.walk(dir):
for name in files:
result = scan_file_if_sensible(os.path.join(root, name))
if result:
results.append(result)
return results
def scan(file):
file = os.path.abspath(file)
if os.path.isdir(file):
return scan_dir(file)
elif os.path.isfile(file):
return [scan_file_if_sensible(file)]
def is_bad_result(result):
return not result.debug_info or not result.debug_abbrev or not result.file_symbols or result.gnu_debuglink
def print_scan_results(results, verbose):
# print(results)
for result in results:
file_name = result.file_name
found_issue = False
if not result.debug_info:
found_issue = True
print('error: missing .debug_info section in', file_name)
if not result.debug_abbrev:
found_issue = True
print('error: missing .debug_abbrev section in', file_name)
if not result.file_symbols:
found_issue = True
print('error: missing FILE symbols in', file_name)
if result.gnu_debuglink:
found_issue = True
print('error: unexpected .gnu_debuglink section in', file_name)
if verbose and not found_issue:
print('OK: ', file_name)
def main(args):
verbose = False
files = []
for arg in args:
if arg == '--verbose' or arg == '-v':
verbose = True
else:
files.append(arg)
results = []
for file in files:
results.extend(scan(file))
print_scan_results(results, verbose)
if any(is_bad_result(result) for result in results):
return 1
return 0
if __name__ == '__main__':
sys.exit(main(sys.argv[1:]))

14
dotnet.sh.in Normal file
View File

@ -0,0 +1,14 @@
# Set location for AppHost lookup
[ -z "$DOTNET_ROOT" ] && export DOTNET_ROOT=@LIBDIR@/dotnet
# Add dotnet tools directory to PATH
DOTNET_TOOLS_PATH="$HOME/.dotnet/tools"
case "$PATH" in
*"$DOTNET_TOOLS_PATH"* ) true ;;
* ) PATH="$PATH:$DOTNET_TOOLS_PATH" ;;
esac
# Extract self-contained executables under HOME
# to avoid multi-user issues from using the default '/var/tmp'.
[ -z "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" ] && export DOTNET_BUNDLE_EXTRACT_BASE_DIR="${XDG_CACHE_HOME:-"$HOME"/.cache}/dotnet_bundle_extract"

1246
dotnet9.0.spec Normal file
View File

File diff suppressed because it is too large Load Diff

23
gating.yaml Normal file
View File

@ -0,0 +1,23 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
--- !Policy
product_versions:
- rhel-*
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.other-archs.functional}

29
release-key-2023.asc Normal file
View File

@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BSN Pgp v1.1.0.0
mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
+clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
=pKgS
-----END PGP PUBLIC KEY BLOCK-----

10
release.json Normal file
View File

@ -0,0 +1,10 @@
{
"release": "9.0.0-preview.7",
"channel": "9.0",
"tag": "v9.0.0-preview.7.24405.7",
"sdkVersion": "9.0.100-preview.7.24407.12",
"runtimeVersion": "9.0.0-preview.7.24405.7",
"aspNetCoreVersion": "9.0.0-preview.7.24406.2",
"sourceRepository": "https://github.com/dotnet/dotnet",
"sourceVersion": "aecea31eada5f5506de2112d72b3bd238a5317b4"
}

12
roslyn-analyzers-ppc64le-apphost.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
index 044a2aba4..b3f8f2611 100644
--- a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+++ b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
@@ -4,6 +4,7 @@
<LangVersion>preview</LangVersion>
<Nullable>disable</Nullable>
<OutputType>Exe</OutputType>
+ <UseAppHost>false</UseAppHost>
</PropertyGroup>
<PropertyGroup>
<NonShipping>true</NonShipping>

20
rpminspect.yaml Normal file
View File

@ -0,0 +1,20 @@
---
inspections:
# We patch upstream a lot, no need to reject patches
patches: off
badfuncs:
allowed:
# The Mono runtime (used on s390x, for example), uses inet_addr for
# debugging (such as sending the control flow graph to a remote process).
# See runtime/src/mono/mono/mini/cfgdump.c. This isn't part of any
# standard networking facility; networking APIs are implemented/used in
# libSystem*so.
/usr/lib64/dotnet/shared/Microsoft.NETCore.App/*/libcoreclr.so:
- inet_addr
/usr/lib64/dotnet/packs/Microsoft.NETCore.App.Runtime.*/*/runtimes/*/native/libcoreclr.so:
- inet_addr
runpath:
# Upstream explicitly sets $ORIGIN/netcoredeps as an RPATH
# See https://github.com/dotnet/core/blob/main/Documentation/self-contained-linux-apps.md
allowed_origin_paths:
- /netcoredeps

12
runtime-disable-fortify-on-ilasm-parser.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
index cca2c6da185..d31e6cb2070 100644
--- dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+++ dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
@@ -52,6 +52,7 @@ if(CLR_CMAKE_HOST_UNIX)
add_compile_options(-Wno-array-bounds)
add_compile_options(-Wno-unused-label)
set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0" )
+ set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )
endif(CLR_CMAKE_HOST_UNIX)
if(CLR_CMAKE_HOST_LINUX OR CLR_CMAKE_HOST_FREEBSD OR CLR_CMAKE_HOST_NETBSD OR CLR_CMAKE_HOST_SUNOS OR CLR_CMAKE_HOST_HAIKU)

34
runtime-openssl-sha1.patch Normal file
View File

@ -0,0 +1,34 @@
From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
From: Tom Deseyn <tom.deseyn@gmail.com>
Date: Wed, 28 Feb 2024 14:08:15 +0100
Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
with a chain where the last certificate uses a SHA-1 signature.
This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
OpenSSL behavior for certificate validation.
---
.../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
index 04c6ba06cd..2cd3413dae 100644
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
- if (val != 0)
- {
- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
- }
-
return val;
}
--
2.43.2

142
runtime-re-enable-implicit-rejection.patch Normal file
View File

@ -0,0 +1,142 @@
From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
From: Omair Majid <omajid@redhat.com>
Date: Fri, 2 Feb 2024 15:51:23 -0500
Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
To quote Clemens Lang:
> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
> attack against PKCS#1v1.5 decryption. See
> https://people.redhat.com/~hkario/marvin/ for details and
> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
> comment by the researcher who published the vulnerability and proposed the
> change in OpenSSL.
For more details, see:
https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
---
.../RSA/EncryptDecrypt.cs | 49 ++++---------------
.../opensslshim.h | 6 ---
.../pal_evp_pkey_rsa.c | 13 -----
3 files changed, 10 insertions(+), 58 deletions(-)
diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
index 39f3ebc82ec..5b97f468a42 100644
--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
Assert.Equal(TestData.HelloBytes, output);
}
- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
+ [ConditionalFact]
[SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
public void RoundtripEmptyArray()
{
+ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+ {
+ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
+ }
+ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+ {
+ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
+ }
+
using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
{
void RoundtripEmpty(RSAEncryptionPadding paddingMode)
@@ -757,23 +746,5 @@ public static IEnumerable<object[]> OaepPaddingModes
}
}
}
-
- public static bool PlatformSupportsEmptyRSAEncryption
- {
- get
- {
- if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
- {
- return false;
- }
-
- if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
- {
- return false;
- }
-
- return true;
- }
- }
}
}
diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
index 0748e305d5c..cf10d2f7949 100644
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
REQUIRED_FUNCTION(ERR_peek_error) \
REQUIRED_FUNCTION(ERR_peek_error_line) \
REQUIRED_FUNCTION(ERR_peek_last_error) \
- REQUIRED_FUNCTION(ERR_pop_to_mark) \
FALLBACK_FUNCTION(ERR_put_error) \
REQUIRED_FUNCTION(ERR_reason_error_string) \
- REQUIRED_FUNCTION(ERR_set_mark) \
LIGHTUP_FUNCTION(ERR_set_debug) \
LIGHTUP_FUNCTION(ERR_set_error) \
REQUIRED_FUNCTION(EVP_aes_128_cbc) \
@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
- REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
#define ERR_peek_error_line ERR_peek_error_line_ptr
#define ERR_peek_last_error ERR_peek_last_error_ptr
#define ERR_put_error ERR_put_error_ptr
-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
#define ERR_reason_error_string ERR_reason_error_string_ptr
#define ERR_set_debug ERR_set_debug_ptr
-#define ERR_set_mark ERR_set_mark_ptr
#define ERR_set_error ERR_set_error_ptr
#define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
#define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
#define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
#define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
#define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
#define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
#define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
#define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
index 043bf9f9d1e..c9ccdf33e3a 100644
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
{
return false;
}
-
- // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
- // If the padding is invalid, the decryption operation returns random data.
- // See https://github.com/openssl/openssl/pull/13817 for background.
- // Some Linux distributions backported this change to previous versions of OpenSSL.
- // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
- ERR_set_mark();
-
- EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
-
- // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
- // current version does not support implicit rejection.
- ERR_pop_to_mark();
}
else
{
--
2.43.0

4
sources Normal file
View File

@ -0,0 +1,4 @@
SHA512 (dotnet-prebuilts-9.0.100-preview.7.24380.1-ppc64le.tar.gz) = 0d5609f05e6d2f18b9a9fa2d25164cc5b87b53a5f31139b23737a172aad7713352800082303257f65fb9ace57c94132a8ccf5762fd435ccf09936d6bbfbadca1
SHA512 (dotnet-prebuilts-9.0.100-preview.7.24380.1-s390x.tar.gz) = 0442321e5a346ad1989d9c70adbe687276e2b0b4b17b15db53928536ad5ec2e974a349c532e5cc5ca920586daec6c344042da6c3515846be9f2babe78e913f31
SHA512 (dotnet-sdk-9.0.100-preview.7.24380.2-linux-arm64.tar.gz) = 8b2e7b17b34edc985c58d0f978a7c6408d7b9de474e102333ab7a36697362bd1ac24eda2473a383e6844c3b0fb977db15c7f7a9d6441903ebe9f86b10727cf99
SHA512 (dotnet-v9.0.0-preview.7.24405.7-x64-bootstrap.tar.gz) = 1daf2c027bcf6f24deb325a728708ff1e8fc9cad836b24cc4d2b70939677ca4895699379916e593d01ef647ca3da3581b9c1bae5ab4e9cb5f3f6d295d64847a9

45
tests/ci.fmf Normal file
View File

@ -0,0 +1,45 @@
summary: Basic smoke test
provision:
disk: 20
memory: 5120
prepare:
how: install
package:
- aspnetcore-runtime-9.0
- babeltrace
- bash-completion
- bc
- binutils
- dotnet-runtime-9.0
- dotnet-sdk-9.0
- expect
- file
- findutils
- gcc-c++
- git
- jq
- libstdc++-devel
- lldb
- lttng-tools
- npm
- postgresql-odbc
- postgresql-server
- procps-ng
- python3
- strace
- util-linux
- wget
- which
- zlib-devel
execute:
script:
- dotnet --info
- wget --no-verbose https://github.com/redhat-developer/dotnet-bunny/releases/latest/download/turkey.tar.gz
- tar xf turkey.tar.gz
- dotnet turkey/Turkey.dll --version
- git clone "https://github.com/redhat-developer/dotnet-regular-tests.git"
- dotnet turkey/Turkey.dll -l="$TMT_TEST_DATA" dotnet-regular-tests --timeout=1200
- dnf remove -yq 'dotnet*'
- set -x; if command -v dotnet ; then exit 1; fi
- set -x; if [ -d /usr/lib64/dotnet ]; then exit 1; fi
- set -x; if man dotnet; then exit 1; fi