Imported Upstream version 5.8.0.22

Former-commit-id: df344e34b07851d296efb3e6604c8db42b6f7aa3
2017-10-19 20:04:20 +00:00
parent 5f4a27cc8a
commit 7d05485754
5020 changed files with 114082 additions and 186061 deletions
--- a/external/corefx/src/Native/Unix/System.Native/pal_networkstatistics.cpp
+++ b/external/corefx/src/Native/Unix/System.Native/pal_networkstatistics.cpp
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include <memory>
 #include <net/route.h>
+#include <net/if.h>

 #include <sys/types.h>
 #if HAVE_SYS_SYSCTL_H
--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_symmetric.cpp
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_symmetric.cpp
@@ -131,6 +131,10 @@ extern "C" int32_t AppleCryptoNative_CryptorReset(CCCryptorRef cryptor, const ui
    if (cryptor == nullptr)
        return -1;

+    // 10.13 Beta reports an error when resetting ECB, which is the only mode which has a null IV.
+    if (pbIv == nullptr)
+        return 1;
+
    CCStatus status = CCCryptorReset(cryptor, pbIv);
    *pccStatus = status;
    return status == kCCSuccess;
--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.cpp
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.cpp
@@ -65,7 +65,10 @@ extern "C" int32_t AppleCryptoNative_X509ChainEvaluate(SecTrustRef chain,
    SecTrustResultType trustResult;
    *pOSStatus = SecTrustEvaluate(chain, &trustResult);

-    if (*pOSStatus != noErr)
+    // If any error is reported from the function or the trust result value indicates that
+    // otherwise was a failed chain build (vs an untrusted chain, etc) return failure and
+    // we'll throw in the managed layer.  (but if we hit the "or" the message is "No error")
+    if (*pOSStatus != noErr || trustResult == kSecTrustResultInvalid)
    {
        return 0;
    }
@@ -174,7 +177,12 @@ static void MergeStatusCodes(CFTypeRef key, CFTypeRef value, void* context)
        // (On Windows CERT_CHAIN_PARA.pStrongSignPara is NULL, so "strongness" checks
        // are not performed).
    }
-
+    else if (CFEqual(keyString, CFSTR("StatusCodes")))
+    {
+        // 10.13 added a StatusCodes value which may be a numeric rehashing of the string data.
+        // It doesn't represent a new error code, and we're still getting the old ones, so
+        // just ignore it for now.
+    }
    else
    {
 #ifdef DEBUGGING_UNKNOWN_VALUE
--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp
@@ -27,48 +27,6 @@ extern "C" const SSL_METHOD* CryptoNative_SslV2_3Method()
    return method;
 }

-extern "C" const SSL_METHOD* CryptoNative_SslV3Method()
-{
-    const SSL_METHOD* method = nullptr;
-#ifndef OPENSSL_NO_SSL3_METHOD
-    if (API_EXISTS(SSLv3_method))
-    {
-        method = SSLv3_method();
-        assert(method != nullptr);
-    }
-#endif
-    return method;
-}
-
-extern "C" const SSL_METHOD* CryptoNative_TlsV1Method()
-{
-    const SSL_METHOD* method = TLSv1_method();
-    assert(method != nullptr);
-    return method;
-}
-
-extern "C" const SSL_METHOD* CryptoNative_TlsV1_1Method()
-{
-#if HAVE_TLS_V1_1
-    const SSL_METHOD* method = TLSv1_1_method();
-    assert(method != nullptr);
-    return method;
-#else
-    return nullptr;
-#endif
-}
-
-extern "C" const SSL_METHOD* CryptoNative_TlsV1_2Method()
-{
-#if HAVE_TLS_V1_2
-    const SSL_METHOD* method = TLSv1_2_method();
-    assert(method != nullptr);
-    return method;
-#else
-    return nullptr;
-#endif
-}
-
 extern "C" SSL_CTX* CryptoNative_SslCtxCreate(SSL_METHOD* method)
 {
    SSL_CTX* ctx = SSL_CTX_new(method);
@@ -85,7 +43,12 @@ extern "C" SSL_CTX* CryptoNative_SslCtxCreate(SSL_METHOD* method)

 extern "C" void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols protocols)
 {
-    // protocols may be 0 (default). Less secure protocols should be excluded in this case.    
+    // protocols may be 0, meaning system default, in which case let OpenSSL do what OpenSSL wants.
+    if (protocols == 0)
+    {
+        return;
+    }
+
    long protocolOptions = 0;

    if ((protocols & PAL_SSL_SSL2) != PAL_SSL_SSL2)
@@ -94,10 +57,13 @@ extern "C" void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols proto
    }
 #ifndef OPENSSL_NO_SSL3
    if ((protocols & PAL_SSL_SSL3) != PAL_SSL_SSL3)
+#endif
    {
+        // If OPENSSL_NO_SSL3 is defined, then ensure we always include
+        // SSL_OP_NO_SSLv3 in case we end up running against a binary
+        // which had SSLv3 enabled (we don't want to use SSLv3 in that case).
        protocolOptions |= SSL_OP_NO_SSLv3;
    }
-#endif
    if ((protocols & PAL_SSL_TLS) != PAL_SSL_TLS)
    {
        protocolOptions |= SSL_OP_NO_TLSv1;
--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h
@@ -129,34 +129,6 @@ Returns the requested SSL_METHOD.
 */
 extern "C" const SSL_METHOD* CryptoNative_SslV2_3Method();

-/*
-Shims the SSLv3_method method.
-
-Returns the requested SSL_METHOD.
-*/
-extern "C" const SSL_METHOD* CryptoNative_SslV3Method();
-
-/*
-Shims the TLSv1_method method.
-
-Returns the requested SSL_METHOD.
-*/
-extern "C" const SSL_METHOD* CryptoNative_TlsV1Method();
-
-/*
-Shims the TLSv1_1_method method.
-
-Returns the requested SSL_METHOD.
-*/
-extern "C" const SSL_METHOD* CryptoNative_TlsV1_1Method();
-
-/*
-Shims the TLSv1_2_method method.
-
-Returns the requested SSL_METHOD.
-*/
-extern "C" const SSL_METHOD* CryptoNative_TlsV1_2Method();
-
 /*
 Shims the SSL_CTX_new method.

--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp
@@ -10,6 +10,7 @@ static_assert(PAL_X509_V_OK == X509_V_OK, "");
 static_assert(PAL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, "");
 static_assert(PAL_X509_V_ERR_UNABLE_TO_GET_CRL == X509_V_ERR_UNABLE_TO_GET_CRL, "");
 static_assert(PAL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE == X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, "");
+static_assert(PAL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY == X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, "");
 static_assert(PAL_X509_V_ERR_CERT_SIGNATURE_FAILURE == X509_V_ERR_CERT_SIGNATURE_FAILURE, "");
 static_assert(PAL_X509_V_ERR_CRL_SIGNATURE_FAILURE == X509_V_ERR_CRL_SIGNATURE_FAILURE, "");
 static_assert(PAL_X509_V_ERR_CERT_NOT_YET_VALID == X509_V_ERR_CERT_NOT_YET_VALID, "");
--- a/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.h
+++ b/external/corefx/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.h
@@ -26,6 +26,7 @@ enum X509VerifyStatusCode : int32_t
    PAL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2,
    PAL_X509_V_ERR_UNABLE_TO_GET_CRL = 3,
    PAL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = 5,
+    PAL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = 6,
    PAL_X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
    PAL_X509_V_ERR_CRL_SIGNATURE_FAILURE = 8,
    PAL_X509_V_ERR_CERT_NOT_YET_VALID = 9,