diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c index 2336fc4aa032..ba8583d3460f 100644 --- a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c +++ b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c @@ -20,6 +20,7 @@ SSLContextRef AppleCryptoNative_SslCreateContext(int32_t isServer) { if (isServer != 0 && isServer != 1) return NULL; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" return SSLCreateContext(NULL, isServer ? kSSLServerSide : kSSLClientSide, kSSLStreamType); @@ -63,6 +64,7 @@ static SSLProtocol PalSslProtocolToSslProtocol(PAL_SslProtocol palProtocolId) int32_t AppleCryptoNative_SslSetMinProtocolVersion(SSLContextRef sslContext, PAL_SslProtocol sslProtocol) { SSLProtocol protocol = PalSslProtocolToSslProtocol(sslProtocol); + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" if (protocol == kSSLProtocolUnknown) @@ -76,6 +78,7 @@ int32_t AppleCryptoNative_SslSetMinProtocolVersion(SSLContextRef sslContext, PAL int32_t AppleCryptoNative_SslSetMaxProtocolVersion(SSLContextRef sslContext, PAL_SslProtocol sslProtocol) { SSLProtocol protocol = PalSslProtocolToSslProtocol(sslProtocol); + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" if (protocol == kSSLProtocolUnknown) @@ -95,6 +98,7 @@ int32_t AppleCryptoNative_SslCopyCertChain(SSLContextRef sslContext, SecTrustRef if (sslContext == NULL || pChainOut == NULL || pOSStatus == NULL) return -1; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" *pOSStatus = SSLCopyPeerTrust(sslContext, pChainOut); @@ -112,10 +116,12 @@ AppleCryptoNative_SslCopyCADistinguishedNames(SSLContextRef sslContext, CFArrayR if (sslContext == NULL || pArrayOut == NULL || pOSStatus == NULL) return -1; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" *pOSStatus = SSLCopyDistinguishedNames(sslContext, pArrayOut); #pragma clang diagnostic pop + return *pOSStatus == noErr; } @@ -129,10 +135,12 @@ static int32_t AppleCryptoNative_SslSetSessionOption(SSLContextRef sslContext, if (value != 0 && value != 1) return -2; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" *pOSStatus = SSLSetSessionOption(sslContext, option, !!value); #pragma clang diagnostic pop + return *pOSStatus == noErr; } @@ -188,6 +196,7 @@ int32_t AppleCryptoNative_SslSetTargetName(SSLContextRef sslContext, *pOSStatus = SSLSetPeerDomainName(sslContext, pszTargetName, (size_t)cbTargetName); } #pragma clang diagnostic pop + return *pOSStatus == noErr; } @@ -248,10 +257,12 @@ PAL_TlsHandshakeState AppleCryptoNative_SslHandshake(SSLContextRef sslContext) { if (sslContext == NULL) return PAL_TlsHandshakeState_Unknown; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" OSStatus osStatus = SSLHandshake(sslContext); #pragma clang diagnostic pop + switch (osStatus) { case noErr: @@ -288,10 +299,12 @@ AppleCryptoNative_SslWrite(SSLContextRef sslContext, const uint8_t* buf, uint32_ size_t expected = (size_t)bufLen; size_t totalWritten; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" OSStatus status = SSLWrite(sslContext, buf, expected, &totalWritten); #pragma clang diagnostic pop + if (status != noErr) { *bytesWritten = (uint32_t)totalWritten; @@ -308,10 +321,12 @@ PAL_TlsIo AppleCryptoNative_SslRead(SSLContextRef sslContext, uint8_t* buf, uint size_t writtenSize = 0; size_t bufSize = (size_t)bufLen; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" OSStatus status = SSLRead(sslContext, buf, bufSize, &writtenSize); #pragma clang diagnostic pop + if (writtenSize > UINT_MAX) { // This shouldn't happen, because we passed a uint32_t as the initial buffer size. @@ -361,6 +376,7 @@ int32_t AppleCryptoNative_SslIsHostnameMatch(SSLContextRef sslContext, CFStringR #pragma clang diagnostic ignored "-Wdeprecated-declarations" OSStatus osStatus = SSLCopyPeerTrust(sslContext, &existingTrust); #pragma clang diagnostic pop + if (osStatus != noErr) { CFRelease(certs); @@ -408,10 +424,12 @@ int32_t AppleCryptoNative_SslIsHostnameMatch(SSLContextRef sslContext, CFStringR { SecTrustResultType trustResult; memset(&trustResult, 0, sizeof(SecTrustResultType)); + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" osStatus = SecTrustEvaluate(trust, &trustResult); #pragma clang diagnostic pop + if (osStatus != noErr) { ret = -7; @@ -458,6 +476,7 @@ int32_t AppleCryptoNative_SslGetProtocolVersion(SSLContextRef sslContext, PAL_Ss if (sslContext == NULL || pProtocol == NULL) return errSecParam; + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" SSLProtocol protocol = kSSLProtocolUnknown; @@ -483,6 +502,7 @@ int32_t AppleCryptoNative_SslGetProtocolVersion(SSLContextRef sslContext, PAL_Ss *pProtocol = matchedProtocol; } #pragma clang diagnostic pop + return osStatus; } @@ -530,10 +550,12 @@ int32_t AppleCryptoNative_SslSetEnabledCipherSuites(SSLContextRef sslContext, co { cipherSuites16[i] = (SSLCipherSuite)cipherSuites[i]; } + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" OSStatus status = SSLSetEnabledCiphers(sslContext, cipherSuites16, (size_t)numCipherSuites); #pragma clang diagnostic pop + free(cipherSuites16); return status; } diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.c b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.c index ff8aa8565e3c..0944bb196822 100644 --- a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.c +++ b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.c @@ -67,6 +67,7 @@ int32_t AppleCryptoNative_X509ChainEvaluate(SecTrustRef chain, #pragma clang diagnostic ignored "-Wdeprecated-declarations" *pOSStatus = SecTrustEvaluate(chain, &trustResult); #pragma clang diagnostic pop + // If any error is reported from the function or the trust result value indicates that // otherwise was a failed chain build (vs an untrusted chain, etc) return failure and // we'll throw in the managed layer. (but if we hit the "or" the message is "No error") @@ -174,7 +175,9 @@ static void MergeStatusCodes(CFTypeRef key, CFTypeRef value, void* context) else if (CFEqual(keyString, CFSTR("MissingIntermediate"))) *pStatus |= PAL_X509ChainPartialChain; else if (CFEqual(keyString, CFSTR("UnparseableExtension"))) - *pStatus |= PAL_X509ChainInvalidExtension; + { + // 10.15 introduced new status code value which is not reported by Windows. Ignoring for now. + } else if (CFEqual(keyString, CFSTR("WeakLeaf")) || CFEqual(keyString, CFSTR("WeakIntermediates")) || CFEqual(keyString, CFSTR("WeakRoot")) || CFEqual(keyString, CFSTR("WeakKeySize"))) { diff --git a/src/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs b/src/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs index 865a0c2d0707..da9511dad7fa 100644 --- a/src/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs +++ b/src/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs @@ -237,8 +237,10 @@ public static void TestInvalidAia() using (X509Certificate2 ee = certReq.Create(root, notBefore, notAfter, root.GetSerialNumber())) { X509Chain chain = new X509Chain(); + chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; Assert.False(chain.Build(ee)); Assert.Equal(1, chain.ChainElements.Count); + Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags()); } } }