Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MacCatalyst] Make AppleCryptoNative_SslSetEnabledCipherSuites check for 32 bit & 16 bit SSLCipherSuite #57623

Merged
merged 2 commits into from
Aug 26, 2021
Merged

[MacCatalyst] Make AppleCryptoNative_SslSetEnabledCipherSuites check for 32 bit & 16 bit SSLCipherSuite #57623

merged 2 commits into from
Aug 26, 2021

Conversation

steveisok
Copy link
Member

According to CipherSuites.h, SSLCipherSuite is a 16 bit value on iOS/tvOS x64 & arm64, but on MacCatalyst that is only true on arm64. x64 is defined as 32 bit.

/* 16-bit value on iOS */
typedef uint16_t SSLCipherSuite;
/* 32-bit value elsewhere */
typedef uint32_t SSLCipherSuite;

Fixes #53120

[MacCatalyst] Make AppleCryptoNative_SslSetEnabledCipherSuites check …
8336312 
…for 32 bit & 16 bit SSLCipherSuite

According to CipherSuites.h, SSLCipherSuite is a 16 bit value on iOS/tvOS x64 & arm64, but on MacCatalyst that is only true on arm64.  x64 is defined as 32 bit.

```
/* 16-bit value on iOS */
typedef uint16_t SSLCipherSuite;
/* 32-bit value elsewhere */
typedef uint32_t SSLCipherSuite;
```

Fixes dotnet#53120
@ghost
Copy link

ghost commented Aug 18, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

According to CipherSuites.h, SSLCipherSuite is a 16 bit value on iOS/tvOS x64 & arm64, but on MacCatalyst that is only true on arm64. x64 is defined as 32 bit.

/* 16-bit value on iOS */
typedef uint16_t SSLCipherSuite;
/* 32-bit value elsewhere */
typedef uint32_t SSLCipherSuite;

Fixes #53120

Author: steveisok
Assignees: -
Labels:

area-System.Security
Milestone: -

@filipnavara
Copy link
Member

I'll have to check if Apple fixed the headers. At the time I filed the issue the Apple headers were actually incorrect for MacCatalyst arm64 and thus the check would still end up in incorrect branch.

filipnavara
filipnavara reviewed Aug 18, 2021
View reviewed changes
src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c Outdated
@@ -596,19 +596,19 @@ int32_t AppleCryptoNative_SslSetEnabledCipherSuites(SSLContextRef sslContext, co
// Max numCipherSuites is 2^16 (all possible cipher suites)
assert(numCipherSuites < (1 << 16));

#if !defined(TARGET_MACCATALYST) && !defined(TARGET_IOS) && !defined(TARGET_TVOS)
#if !defined(TARGET_IOS) && !defined(TARGET_TVOS)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#if !defined(TARGET_IOS) && !defined(TARGET_TVOS)
#if !defined(TARGET_CPU_ARM64) && !defined(TARGET_IOS) && !defined(TARGET_TVOS)

So, Apple headers are still broken and return sizeof(SSLCipherSuite) == sizeof(uint32_t) for MacCatalyst arm64. The simplest fix is to use the else (uint16_t) branch on any arm64 architecture.

Here's the additional rationale why the headers are broken: The system libraries that the app links to at runtime are identical for macOS and Mac Catalyst. Some of the APIs do runtime checks to adjust behavior but that's not the case for SSLSetEnabledCiphers. On macOS the API provably takes uint16_t and that's what is specified correctly in the system headers. For Mac Catalyst arm64 the SSLSetEnabledCiphers was already long obsolete by the time the arm64 architecture was added so Apple probably didn't bother with changing the type in the header.

Copy link
Member

@akoeplinger akoeplinger Aug 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good though TARGET_CPU_ARM64 is coming from TargetConditionals.h and I'm not sure it's available here. We already have our own define TARGET_ARM64 that we're already using in other parts of the PAL so better to use that one.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TargetConditionals.h is included but I am fine with either one as long as it works. I knew there was some other #define but I was not able to find where it is defined :-)

@steveisok steveisok merged commit 3010642 into dotnet:main Aug 26, 2021
@steveisok
Copy link
Member Author

/backport to release/6.0-rc1

@github-actions
Copy link
Contributor

Started backporting to release/6.0-rc1: https://github.com/dotnet/runtime/actions/runs/1170882691

@github-actions github-actions bot mentioned this pull request Aug 26, 2021
Merged
@karelz karelz added this to the 7.0.0 milestone Aug 31, 2021
@karelz karelz mentioned this pull request Aug 31, 2021
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Sep 30, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@akoeplinger akoeplinger akoeplinger approved these changes

@filipnavara filipnavara filipnavara approved these changes

@bartonjs bartonjs Awaiting requested review from bartonjs

Assignees
No one assigned
Labels
area-System.Security
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

AppleCryptoNative_SslSetEnabledCipherSuites is likely broken on Mac Catalyst x64
4 participants
@steveisok @filipnavara @akoeplinger @karelz