public async Task SslStream_StreamToStream_Alpn_NonMatchingProtocols_Fail()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false))
using (var server = new SslStream(serverStream, false))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions
{
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http11
},
RemoteCertificateValidationCallback = AllowAnyServerCertificate,
TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false),
};
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions
{
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http2
},
ServerCertificate = certificate,
};
Task t1 = Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <AuthenticationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
#pragma warning restore 0618
public async Task ClientAndServer_OneUsesDefault_OtherUsesLowerProtocol_Fails(
SslProtocols?clientProtocols, SslProtocols?serverProtocols)
{
if (PlatformDetection.IsMono)
{
#pragma warning disable 0618
if (clientProtocols == SslProtocols.Ssl2 || serverProtocols == SslProtocols.Ssl2)
{
return;
}
#pragma warning restore 0618
}
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
string serverHost = serverCertificate.GetNameInfo(X509NameType.SimpleName, false);
var clientCertificates = new X509CertificateCollection()
{
clientCertificate
};
await Assert.ThrowsAnyAsync <Exception>(() => TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateClientAsync(serverHost, clientCertificates, checkCertificateRevocation: false, protocols: clientProtocols),
AuthenticateServerAsync(serverCertificate, clientCertificateRequired: true, checkCertificateRevocation: false, protocols: serverProtocols)));
}
}
public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols?clientProtocols, SslProtocols?serverProtocols)
{
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
string serverHost = TestHelper.GetTestSNIName(nameof(ClientAndServer_OneOrBothUseDefault_Ok), clientProtocols, serverProtocols);
var clientCertificates = new X509CertificateCollection()
{
clientCertificate
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateClientAsync(serverHost, clientCertificates, checkCertificateRevocation : false, protocols : clientProtocols),
AuthenticateServerAsync(serverCertificate, clientCertificateRequired : true, checkCertificateRevocation : false, protocols : serverProtocols));
if (PlatformDetection.IsWindows && PlatformDetection.WindowsVersion >= 10 &&
#pragma warning disable 0618
clientProtocols.GetValueOrDefault() != SslProtocols.Default &&
serverProtocols.GetValueOrDefault() != SslProtocols.Default)
#pragma warning restore 0618
{
Assert.True(
#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
(_clientStream.SslProtocol == SslProtocols.Tls11 && _clientStream.HashAlgorithm == HashAlgorithmType.Sha1) ||
#pragma warning restore SYSLIB0039
_clientStream.HashAlgorithm == HashAlgorithmType.Sha256 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha384 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha512,
_clientStream.SslProtocol + " " + _clientStream.HashAlgorithm);
}
}
}
public async Task SslStream_StreamToStream_DuplicateOptions_Throws()
{
RemoteCertificateValidationCallback rCallback = (sender, certificate, chain, errors) => { return(true); };
LocalCertificateSelectionCallback lCallback = (sender, host, localCertificates, remoteCertificate, issuers) => { return(null); };
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false, rCallback, lCallback, EncryptionPolicy.RequireEncryption))
using (var server = new SslStream(serverStream, false, rCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
serverOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
Task t1 = Assert.ThrowsAsync <InvalidOperationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <InvalidOperationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
public async Task SslStream_SameCertUsedForClientAndServer_Ok()
{
(Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
using (var client = new SslStream(stream1, true, AllowAnyCertificate))
using (var server = new SslStream(stream2, true, AllowAnyCertificate))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
// Using the same certificate for server and client auth.
X509Certificate2Collection clientCertificateCollection =
new X509Certificate2Collection(certificate);
Task t1 = server.AuthenticateAsServerAsync(certificate, true, false);
Task t2 = client.AuthenticateAsClientAsync(
certificate.GetNameInfo(X509NameType.SimpleName, false),
clientCertificateCollection, false);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
if (!PlatformDetection.IsWindows7 ||
Capability.IsTrustedRootCertificateInstalled())
{
// https://technet.microsoft.com/en-us/library/hh831771.aspx#BKMK_Changes2012R2
// Starting with Windows 8, the "Management of trusted issuers for client authentication" has changed:
// The behavior to send the Trusted Issuers List by default is off.
//
// In Windows 7 the Trusted Issuers List is sent within the Server Hello TLS record. This list is built
// by the server using certificates from the Trusted Root Authorities certificate store.
// The client side will use the Trusted Issuers List, if not empty, to filter proposed certificates.
Assert.True(client.IsMutuallyAuthenticated);
Assert.True(server.IsMutuallyAuthenticated);
}
}
}
public async Task NegotiateStream_StreamToStream_KerberosAuthWithoutRealm_Success()
{
if (!_isKrbAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_KerberosAuthWithoutRealm_Success");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
NetworkCredential credential = new NetworkCredential(TestConfiguration.KerberosUser, _fixture.password);
Task[] auth = new Task[] {
client.AuthenticateAsClientAsync(credential, TestConfiguration.HostTarget),
server.AuthenticateAsServerAsync()
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
AssertClientPropertiesForTarget(client, TestConfiguration.HostTarget);
}
}
public async Task SslStream_ServerLocalCertificateSelectionCallbackReturnsNull_Throw()
{
VirtualNetwork network = new VirtualNetwork();
var selectionCallback = new LocalCertificateSelectionCallback((object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] issuers) =>
{
return(null);
});
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var server = new SslStream(serverStream, false, null, selectionCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
var clientJob = client.AuthenticateAsClientAsync(certificate.GetNameInfo(X509NameType.SimpleName, false));
await Assert.ThrowsAsync <NotSupportedException>(() => server.AuthenticateAsServerAsync(certificate));
// Mono terminates the connection when the server handshake fails.
if (PlatformDetection.IsMono)
{
await Assert.ThrowsAsync <VirtualNetwork.VirtualNetworkConnectionBroken>(() => clientJob);
}
else
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(clientJob);
}
}
}
#pragma warning restore 0618
public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols?clientProtocols, SslProtocols?serverProtocols)
{
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
string serverHost = serverCertificate.GetNameInfo(X509NameType.SimpleName, false);
var clientCertificates = new X509CertificateCollection()
{
clientCertificate
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateClientAsync(serverHost, clientCertificates, checkCertificateRevocation : false, protocols : clientProtocols),
AuthenticateServerAsync(serverCertificate, clientCertificateRequired : true, checkCertificateRevocation : false, protocols : serverProtocols));
if (PlatformDetection.IsWindows && PlatformDetection.WindowsVersion >= 10 &&
#pragma warning disable 0618
clientProtocols.GetValueOrDefault() != SslProtocols.Default &&
serverProtocols.GetValueOrDefault() != SslProtocols.Default)
#pragma warning restore 0618
{
Assert.True(
(_clientStream.SslProtocol == SslProtocols.Tls11 && _clientStream.HashAlgorithm == HashAlgorithmType.Sha1) ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha256 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha384 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha512,
_clientStream.SslProtocol + " " + _clientStream.HashAlgorithm);
}
}
}
public async Task NegotiateStream_StreamContractTest_Success()
{
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.CanSeek);
Assert.False(client.CanRead);
Assert.False(client.CanTimeout);
Assert.False(client.CanWrite);
Assert.False(server.CanSeek);
Assert.False(server.CanRead);
Assert.False(server.CanTimeout);
Assert.False(server.CanWrite);
Assert.Throws <InvalidOperationException>(() => client.ReadTimeout);
Assert.Throws <InvalidOperationException>(() => client.WriteTimeout);
Assert.Throws <NotImplementedException>(() => client.Length);
Assert.Throws <NotImplementedException>(() => client.Position);
Assert.Throws <NotSupportedException>(() => client.Seek(0, new SeekOrigin()));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(),
server.AuthenticateAsServerAsync());
Assert.True(client.CanRead);
Assert.True(client.CanWrite);
Assert.True(server.CanRead);
Assert.True(server.CanWrite);
}
}
public async Task NegotiateStream_EndAuthenticateInvalidParameter_Throws()
{
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Task.Factory.FromAsync(client.BeginAuthenticateAsClient, (asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndAuthenticateAsClient(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndAuthenticateAsClient(result));
authStream.EndAuthenticateAsClient(asyncResult);
}, CredentialCache.DefaultNetworkCredentials, string.Empty, client),
Task.Factory.FromAsync(server.BeginAuthenticateAsServer, (asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndAuthenticateAsServer(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndAuthenticateAsServer(result));
authStream.EndAuthenticateAsServer(asyncResult);
}, server));
}
}
public async Task NegotiateStream_StreamToStream_Successive_CancelableReadsWrites()
{
if (!SupportsCancelableReadsWrites)
{
return;
}
byte[] recvBuf = new byte[s_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty),
AuthenticateAsServerAsync(server));
clientStream.DelayMilliseconds = int.MaxValue;
serverStream.DelayMilliseconds = int.MaxValue;
var cts = new CancellationTokenSource();
Task t = WriteAsync(client, s_sampleMsg, 0, s_sampleMsg.Length, cts.Token);
Assert.False(t.IsCompleted);
cts.Cancel();
await Assert.ThrowsAnyAsync <OperationCanceledException>(() => t);
cts = new CancellationTokenSource();
t = ReadAsync(server, s_sampleMsg, 0, s_sampleMsg.Length, cts.Token);
Assert.False(t.IsCompleted);
cts.Cancel();
await Assert.ThrowsAnyAsync <OperationCanceledException>(() => t);
}
}
public async Task NegotiateStream_StreamToStream_Authenticated_DisposeAsync(int delay)
{
var network = new VirtualNetwork();
await using (var client = new NegotiateStream(new VirtualNetworkStream(network, isServer: false)
{
DelayMilliseconds = delay
}))
await using (var server = new NegotiateStream(new VirtualNetworkStream(network, isServer: true)
{
DelayMilliseconds = delay
}))
{
Assert.False(client.IsServer);
Assert.False(server.IsServer);
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Assert.False(client.IsMutuallyAuthenticated);
Assert.False(server.IsMutuallyAuthenticated);
Assert.False(client.IsEncrypted);
Assert.False(server.IsEncrypted);
Assert.False(client.IsSigned);
Assert.False(server.IsSigned);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty),
AuthenticateAsServerAsync(server));
}
}
public async Task NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails()
{
string targetName = "testTargetName";
// Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a
// NetworkCredential object with empty user, password and domain.
NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", "");
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials);
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials);
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, emptyNetworkCredential, targetName);
auth[1] = AuthenticateAsServerAsync(server);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
// Expected Client property values:
Assert.True(client.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.Equal(IsEncryptedAndSigned, client.IsEncrypted);
Assert.False(client.IsMutuallyAuthenticated);
Assert.False(client.IsServer);
Assert.Equal(IsEncryptedAndSigned, client.IsSigned);
Assert.False(client.LeaveInnerStreamOpen);
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.True(serverIdentity.IsAuthenticated);
Assert.Equal(targetName, serverIdentity.Name);
// Expected Server property values:
Assert.True(server.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
Assert.Equal(IsEncryptedAndSigned, server.IsEncrypted);
Assert.False(server.IsMutuallyAuthenticated);
Assert.True(server.IsServer);
Assert.Equal(IsEncryptedAndSigned, server.IsSigned);
Assert.False(server.LeaveInnerStreamOpen);
IIdentity clientIdentity = server.RemoteIdentity;
Assert.Equal("NTLM", clientIdentity.AuthenticationType);
Assert.False(clientIdentity.IsAuthenticated);
// On .NET Desktop: Assert.True(clientIdentity.IsAuthenticated);
IdentityValidator.AssertHasName(clientIdentity, new SecurityIdentifier(WellKnownSidType.AnonymousSid, null).Translate(typeof(NTAccount)).Value);
}
}
public async Task DisposeAsync_Connected_ClosesStream()
{
(Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
var trackingStream1 = new CallTrackingStream(stream1);
var trackingStream2 = new CallTrackingStream(stream2);
var clientStream = new SslStream(trackingStream1, false, delegate { return(true); });
var serverStream = new SslStream(trackingStream2, false, delegate { return(true); });
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
clientStream.AuthenticateAsClientAsync(certificate.GetNameInfo(X509NameType.SimpleName, false)),
serverStream.AuthenticateAsServerAsync(certificate));
}
Assert.Equal(0, trackingStream1.TimesCalled(nameof(Stream.DisposeAsync)));
await clientStream.DisposeAsync();
Assert.NotEqual(0, trackingStream1.TimesCalled(nameof(Stream.DisposeAsync)));
Assert.Equal(0, trackingStream2.TimesCalled(nameof(Stream.DisposeAsync)));
await serverStream.DisposeAsync();
Assert.NotEqual(0, trackingStream2.TimesCalled(nameof(Stream.DisposeAsync)));
}
public async Task NegotiateStream_EndReadEndWriteInvalidParameter_Throws()
{
byte[] recvBuf = new byte[s_sampleMsg.Length];
(Stream stream1, Stream stream2) = ConnectedStreams.CreateBidirectional();
using (var client = new NegotiateStream(stream1))
using (var server = new NegotiateStream(stream2))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty),
server.AuthenticateAsServerAsync());
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Task.Factory.FromAsync(client.BeginWrite,
(asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndWrite(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndWrite(result));
},
s_sampleMsg, 0, s_sampleMsg.Length, client),
Task.Factory.FromAsync(server.BeginRead,
(asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndRead(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndRead(result));
},
recvBuf, 0, s_sampleMsg.Length, server));
}
}
public async Task NegotiateStream_StreamContractTest_Success()
{
(Stream clientStream, Stream serverStream) = ConnectedStreams.CreateBidirectional();
using (clientStream)
using (serverStream)
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.CanSeek);
Assert.False(client.CanRead);
Assert.False(client.CanTimeout);
Assert.False(client.CanWrite);
Assert.False(server.CanSeek);
Assert.False(server.CanRead);
Assert.False(server.CanTimeout);
Assert.False(server.CanWrite);
Assert.Throws <InvalidOperationException>(() => client.ReadTimeout);
Assert.Throws <InvalidOperationException>(() => client.WriteTimeout);
Assert.Throws <NotSupportedException>(() => client.Length);
Assert.Throws <NotSupportedException>(() => client.Position);
Assert.Throws <NotSupportedException>(() => client.Seek(0, new SeekOrigin()));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(),
server.AuthenticateAsServerAsync());
Assert.True(client.CanRead);
Assert.True(client.CanWrite);
Assert.True(server.CanRead);
Assert.True(server.CanWrite);
}
}
public async Task NegotiateStream_StreamToStream_KerberosAuthDefaultCredentials_Success()
{
if (!_isKrbAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_KerberosAuthDefaultCredentials_Success");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated, "client is not authenticated before AuthenticateAsClient call");
string user = string.Format("{0}@{1}", TestConfiguration.KerberosUser, TestConfiguration.Realm);
string target = string.Format("{0}@{1}", TestConfiguration.HostTarget, TestConfiguration.Realm);
// Seed the default Kerberos cache with the TGT
UnixGssFakeNegotiateStream.GetDefaultKerberosCredentials(user, _fixture.password);
Task[] auth = new Task[] {
client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, target),
server.AuthenticateAsServerAsync()
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
AssertClientPropertiesForTarget(client, target);
}
}
public async Task StreamToStream_ValidAuthentication_Success(
NetworkCredential creds, bool isKerberos, string target)
{
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, creds, target);
auth[1] = AuthenticateAsServerAsync(server);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
VerifyStreamProperties(client, isServer: false, isKerberos, target);
string remoteName = (creds == CredentialCache.DefaultNetworkCredentials) ?
TestConfiguration.DefaultNetworkCredentials.UserName : creds.UserName;
if (isKerberos)
{
remoteName += "@" + TestConfiguration.Realm;
}
else
{
remoteName = TestConfiguration.Domain + "\\" + remoteName;
}
VerifyStreamProperties(server, isServer: true, isKerberos, remoteName);
}
}
public async Task NegotiateStream_StreamToStream_Authenticated_DisposeAsync(int delay)
{
(Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
await using (var client = new NegotiateStream(new DelayStream(stream1, delay)))
await using (var server = new NegotiateStream(new DelayStream(stream2, delay)))
{
Assert.False(client.IsServer);
Assert.False(server.IsServer);
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Assert.False(client.IsMutuallyAuthenticated);
Assert.False(server.IsMutuallyAuthenticated);
Assert.False(client.IsEncrypted);
Assert.False(server.IsEncrypted);
Assert.False(client.IsSigned);
Assert.False(server.IsSigned);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty),
AuthenticateAsServerAsync(server));
}
}
public async Task ClientOptions_TargetHostNull_OK()
{
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = Configuration.Certificates.GetServerCertificate()
};
var clientOptions = new SslClientAuthenticationOptions()
{
RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true
};
Assert.Null(clientOptions.TargetHost);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions),
server.AuthenticateAsServerAsync(serverOptions));
Assert.Equal(string.Empty, client.TargetHostName);
Assert.Equal(string.Empty, server.TargetHostName);
}
}
public async Task ServerAsyncAuthenticate_SimpleSniOptions_Success()
{
var state = new object();
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = _serverCertificate
};
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, false)
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(
(stream, clientHelloInfo, userState, cancellationToken) =>
{
Assert.Equal(server, stream);
Assert.Equal(clientOptions.TargetHost, clientHelloInfo.ServerName);
Assert.True(object.ReferenceEquals(state, userState));
return(new ValueTask <SslServerAuthenticationOptions>(serverOptions));
},
state, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
public async Task NegotiateStream_StreamToStream_Successive_ClientWrite_Async_Success()
{
byte[] recvBuf = new byte[_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty);
auth[1] = AuthenticateAsServerAsync(server);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
auth[0] = client.WriteAsync(_sampleMsg, 0, _sampleMsg.Length);
auth[1] = server.ReadAsync(recvBuf, 0, _sampleMsg.Length);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
Assert.True(_sampleMsg.SequenceEqual(recvBuf));
auth[0] = client.WriteAsync(_sampleMsg, 0, _sampleMsg.Length);
auth[1] = server.ReadAsync(recvBuf, 0, _sampleMsg.Length);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
Assert.True(_sampleMsg.SequenceEqual(recvBuf));
}
}
public async Task SslStream_UntrustedCaWithCustomCallback_OK()
{
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = "localhost"
};
clientOptions.RemoteCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) =>
{
chain.ChainPolicy.CustomTrustStore.Add(_serverChain[_serverChain.Count - 1]);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
bool result = chain.Build((X509Certificate2)certificate);
Assert.True(result);
return(result);
};
var serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificateContext = SslStreamCertificateContext.Create(_serverCert, _serverChain);
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (SslStream client = new SslStream(clientStream))
using (SslStream server = new SslStream(serverStream))
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
public async Task ServerAsyncAuthenticate_SniSetVersion_Success(SslProtocols version)
{
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = _serverCertificate, EnabledSslProtocols = version
};
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, forIssuer: false)
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(
(stream, clientHelloInfo, userState, cancellationToken) =>
{
Assert.Equal(server, stream);
Assert.Equal(clientOptions.TargetHost, clientHelloInfo.ServerName);
return(new ValueTask <SslServerAuthenticationOptions>(serverOptions));
},
null, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
// Verify that the SNI callback can impact version.
Assert.Equal(version, client.SslProtocol);
}
}
public async Task DisposeAsync_Connected_ClosesStream()
{
var network = new VirtualNetwork();
var clientNet = new VirtualNetworkStream(network, isServer: false);
var serverNet = new VirtualNetworkStream(network, isServer: true);
var clientStream = new SslStream(clientNet, false, delegate { return(true); });
var serverStream = new SslStream(serverNet, false, delegate { return(true); });
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
clientStream.AuthenticateAsClientAsync(certificate.GetNameInfo(X509NameType.SimpleName, false)),
serverStream.AuthenticateAsServerAsync(certificate));
}
Assert.False(clientNet.Disposed);
await clientStream.DisposeAsync();
Assert.True(clientNet.Disposed);
Assert.False(serverNet.Disposed);
await serverStream.DisposeAsync();
Assert.True(serverNet.Disposed);
}
public async Task NegotiateStream_ReadWriteLongMsgAsync_Success()
{
byte[] recvBuf = new byte[s_longMsg.Length];
var network = new VirtualNetwork();
int bytesRead = 0;
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty),
server.AuthenticateAsServerAsync());
await client.WriteAsync(s_longMsg, 0, s_longMsg.Length);
while (bytesRead < s_longMsg.Length)
{
bytesRead += await server.ReadAsync(recvBuf, bytesRead, s_longMsg.Length - bytesRead);
}
Assert.True(s_longMsg.SequenceEqual(recvBuf));
}
}
public async Task ServerNoEncryption_ClientPermitsNoEncryption_ConnectWithNoEncryption(EncryptionPolicy policy)
{
(NetworkStream clientStream, NetworkStream serverStream) = TestHelper.GetConnectedTcpStreams();
using (clientStream)
using (serverStream)
{
using (var client = new SslStream(clientStream, false, TestHelper.AllowAnyServerCertificate, null, policy))
using (var server = new SslStream(serverStream, false, TestHelper.AllowAnyServerCertificate, null, EncryptionPolicy.NoEncryption))
{
#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
// null encryption is not permitted with Tls13
client.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false),
server.AuthenticateAsServerAsync(TestConfiguration.ServerCertificate));
#pragma warning restore SYSLIB0039
_log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength",
serverStream.Socket.RemoteEndPoint, client.CipherAlgorithm, client.CipherStrength);
Assert.Equal(CipherAlgorithmType.Null, client.CipherAlgorithm);
Assert.Equal(0, client.CipherStrength);
}
}
}
public async Task SslStream_SecondNegotiateClientCertificateAsync_Throws(bool sendClientCertificate)
{
using CancellationTokenSource cts = new CancellationTokenSource();
cts.CancelAfter(TestConfiguration.PassingTestTimeout);
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
{
return(sendClientCertificate ? clientCertificate : null);
};
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = serverCertificate
};
serverOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions, cts.Token),
server.AuthenticateAsServerAsync(serverOptions, cts.Token));
await TestHelper.PingPong(client, server, cts.Token);
Assert.Null(server.RemoteCertificate);
// Client needs to be reading for renegotiation to happen.
byte[] buffer = new byte[TestHelper.s_ping.Length];
ValueTask <int> t = client.ReadAsync(buffer, cts.Token);
await server.NegotiateClientCertificateAsync(cts.Token);
if (sendClientCertificate)
{
Assert.NotNull(server.RemoteCertificate);
}
else
{
Assert.Null(server.RemoteCertificate);
}
// Finish the client's read
await server.WriteAsync(TestHelper.s_ping, cts.Token);
await t;
await Assert.ThrowsAsync <InvalidOperationException>(() => server.NegotiateClientCertificateAsync());
}
}
protected override async Task DoHandshake(SslStream clientSslStream, SslStream serverSslStream)
{
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
Task t1 = Task.Run(() => clientSslStream.AuthenticateAsClient(certificate.GetNameInfo(X509NameType.SimpleName, false)));
Task t2 = Task.Run(() => serverSslStream.AuthenticateAsServer(certificate));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
protected override async Task DoHandshake(SslStream clientSslStream, SslStream serverSslStream)
{
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
Task t1 = Task.Factory.FromAsync(clientSslStream.BeginAuthenticateAsClient(certificate.GetNameInfo(X509NameType.SimpleName, false), null, null), clientSslStream.EndAuthenticateAsClient);
Task t2 = Task.Factory.FromAsync(serverSslStream.BeginAuthenticateAsServer(certificate, null, null), serverSslStream.EndAuthenticateAsServer);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
