From f9f34430ec95362f33776b8f93725c8da700dadc Mon Sep 17 00:00:00 2001
From: weijihui
Date: Fri, 19 Sep 2025 11:05:31 +0800
Subject: [PATCH] update to dotnet 9.0
---
.gitattributes | 1 +
0001-Add-openEuler-Linux-support.patch | 23 +++
0002-Update-openEuler-Linux-RIDs.patch | 114 ++++++++++++++
check-debug-symbols.py | 140 +++++++++++++++++
dotnet-9.0.109.tar.gz | 3 +
dotnet-9.0.109.tar.gz.sig | 17 +++
dotnet.sh.in | 14 ++
release-key-2023.asc | 29 ++++
release.json | 10 ++
roslyn-analyzers-ppc64le-apphost.patch | 12 ++
runtime-disable-fortify-on-ilasm-parser.patch | 12 ++
runtime-openssl-sha1.patch | 34 +++++
runtime-re-enable-implicit-rejection.patch | 142 ++++++++++++++++++
13 files changed, 551 insertions(+)
create mode 100644 .gitattributes
create mode 100644 0001-Add-openEuler-Linux-support.patch
create mode 100644 0002-Update-openEuler-Linux-RIDs.patch
create mode 100644 check-debug-symbols.py
create mode 100644 dotnet-9.0.109.tar.gz
create mode 100644 dotnet-9.0.109.tar.gz.sig
create mode 100644 dotnet.sh.in
create mode 100644 release-key-2023.asc
create mode 100644 release.json
create mode 100644 roslyn-analyzers-ppc64le-apphost.patch
create mode 100644 runtime-disable-fortify-on-ilasm-parser.patch
create mode 100644 runtime-openssl-sha1.patch
create mode 100644 runtime-re-enable-implicit-rejection.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..c952474
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+dotnet-9.0.109.tar.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-Add-openEuler-Linux-support.patch b/0001-Add-openEuler-Linux-support.patch
new file mode 100644
index 0000000..f0bac5b
--- /dev/null
+++ b/0001-Add-openEuler-Linux-support.patch
@@ -0,0 +1,23 @@
+diff --git a/src/runtime/src/native/corehost/hostmisc/pal.unix.cpp b/src/runtime/src/native/corehost/hostmisc/pal.unix.cpp
+index 265ad809d..bc536c285 100644
+--- a/src/runtime/src/native/corehost/hostmisc/pal.unix.cpp
++++ b/src/runtime/src/native/corehost/hostmisc/pal.unix.cpp
+@@ -788,6 +788,7 @@ pal::string_t normalize_linux_rid(pal::string_t rid)
+ pal::string_t rhelPrefix(_X("rhel."));
+ pal::string_t alpinePrefix(_X("alpine."));
+ pal::string_t rockyPrefix(_X("rocky."));
++ pal::string_t oePrefix(_X("openeuler."));
+ size_t lastVersionSeparatorIndex = std::string::npos;
+
+ if (rid.compare(0, rhelPrefix.length(), rhelPrefix) == 0)
+@@ -806,6 +807,10 @@ pal::string_t normalize_linux_rid(pal::string_t rid)
+ {
+ lastVersionSeparatorIndex = rid.find(_X("."), rockyPrefix.length());
+ }
++ else if (rid.compare(0, oePrefix.length(), oePrefix) == 0)
++ {
++ lastVersionSeparatorIndex = rid.find(_X("."), oePrefix.length());
++ }
+
+ if (lastVersionSeparatorIndex != std::string::npos)
+ {
diff --git a/0002-Update-openEuler-Linux-RIDs.patch b/0002-Update-openEuler-Linux-RIDs.patch
new file mode 100644
index 0000000..bf66bbe
--- /dev/null
+++ b/0002-Update-openEuler-Linux-RIDs.patch
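Review bot: In the pal.unix.cpp hunks of 0001-Add-openEuler-Linux-support.patch the new local is named `oePrefix`, while its siblings spell the distribution out (`rhelPrefix`, `alpinePrefix`, `rockyPrefix`); `openEulerPrefix` would read consistently. The new branch searches for the next "." after the prefix exactly like the rocky branch, so a short comment such as `// openeuler.22.03-x64 -> openeuler.22-x64` would document the intended result. The code that consumes lastVersionSeparatorIndex continues outside the hunk, so that mapping is inferred rather than visible here and should be confirmed before the comment is added.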
@@ -0,0 +1,114 @@
+diff --git a/src/runtime/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json b/src/runtime/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
+index 64e7c5546..a65b75adc 100644
+--- a/src/runtime/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
++++ b/src/runtime/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
+@@ -2600,6 +2600,109 @@
+ "illumos-x64"
+ ]
+ },
++ "openeuler": {
++ "#import": [
++ "linux"
++ ]
++ },
++ "openeuler-x64": {
++ "#import": [
++ "openeuler",
++ "linux-x64"
++ ]
++ },
++ "openeuler-arm64": {
++ "#import": [
++ "openeuler",
++ "linux-arm64"
++ ]
++ },
++ "openeuler.20": {
++ "#import": [
++ "openeuler"
++ ]
++ },
++ "openeuler.20-x64": {
++ "#import": [
++ "openeuler.22",
++ "openeuler-x64"
++ ]
++ },
++ "openeuler.20-arm64": {
++ "#import": [
++ "openeuler.22",
++ "openeuler-arm64"
++ ]
++ },
++
++ "openeuler.22": {
++ "#import": [
++ "openeuler"
++ ]
++ },
++ "openeuler.22-x64": {
++ "#import": [
++ "openeuler.22",
++ "openeuler-x64"
++ ]
++ },
++ "openeuler.22-arm64": {
++ "#import": [
++ "openeuler.22",
++ "openeuler-arm64"
++ ]
++ },
++ "openeuler.22.03": {
++ "#import": [
++ "openeuler.22"
++ ]
++ },
++ "openeuler.22.03-x64": {
++ "#import": [
++ "openeuler.22.03",
++ "openeuler.22-x64"
++ ]
++ },
++ "openeuler.22.03-arm64": {
++ "#import": [
++ "openeuler.22.03",
++ "openeuler.22-arm64"
++ ]
++ },
++ "openeuler.25": {
++ "#import": [
++ "openeuler"
++ ]
++ },
++ "openeuler.25-x64": {
++ "#import": [
++ "openeuler.25",
++ "openeuler-x64"
++ ]
++ },
++ "openeuler.25-arm64": {
++ "#import": [
++ "openeuler.25",
++ "openeuler-arm64"
++ ]
++ },
++ "openeuler.25.09": {
++ "#import": [
++ "openeuler.25"
++ ]
++ },
++ "openeuler.25.09-x64": {
++ "#import": [
++ "openeuler.25.09",
++ "openeuler.25-x64"
++ ]
++ },
++ "openeuler.25.09-arm64": {
++ "#import": [
++ "openeuler.25.09",
++ "openeuler.25-arm64"
++ ]
++ },
+ "opensuse": {
+ "#import": [
+ "linux"
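Review bot: In the runtime.json hunk of 0002-Update-openEuler-Linux-RIDs.patch, `openeuler.20-x64` and `openeuler.20-arm64` import `openeuler.22` instead of `openeuler.20`, which looks like a copy-paste slip from the 22 entries. As written, the `openeuler.20` node is never reached from the architecture-specific 20 RIDs, and an openEuler 20 host would be treated as compatible with assets targeted at `openeuler.22`. The first import in both entries should be `"openeuler.20"`, matching the pattern the hunk uses for 22, 22.03, 25 and 25.09.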
diff --git a/check-debug-symbols.py b/check-debug-symbols.py
new file mode 100644
index 0000000..a4caa57
--- /dev/null
+++ b/check-debug-symbols.py
@@ -0,0 +1,140 @@
+#!/usr/bin/python3
+
+"""
+Check debug symbols are present in shared object and can identify
+code.
+
+It starts scanning from a directory and recursively scans all ELF
+files found in it for various symbols to ensure all debuginfo is
+present and nothing has been stripped.
+
+Usage:
+
+./check-debug-symbols /path/of/dir/to/scan/
+
+
+Example:
+
+./check-debug-symbols /usr/lib64
+"""
+
+# This technique was explained to me by Mark Wielaard (mjw).
+
+import collections
+import os
+import re
+import subprocess
+import sys
+
+ScanResult = collections.namedtuple('ScanResult',
+ 'file_name debug_info debug_abbrev file_symbols gnu_debuglink')
+
+file_symbol_exclude_list = [
+ 'ilc',
+]
+
+def scan_file(file):
+ "Scan the provided file and return a ScanResult containing results of the scan."
+
+ # Test for .debug_* sections in the shared object. This is the main test.
+ # Stripped objects will not contain these.
+ readelf_S_result = subprocess.run(['eu-readelf', '-S', file],
+ stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ has_debug_info = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_info' in line)
+
+ has_debug_abbrev = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_abbrev' in line)
+
+ # Test FILE symbols. These will most likely be removed by anyting that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols.
+ def contains_file_symbols(line):
+ parts = line.split()
+ if len(parts) < 8:
+ return False
+ return \
+ parts[2] == '0' and parts[3] == 'FILE' and parts[4] == 'LOCAL' and parts[5] == 'DEFAULT' and \
+ parts[6] == 'ABS' and re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])
+
+ readelf_s_result = subprocess.run(["eu-readelf", '-s', file],
+ stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ has_file_symbols = True
+ if not os.path.basename(file) in file_symbol_exclude_list:
+ has_file_symbols = any(line for line in readelf_s_result.stdout.split('\n') if contains_file_symbols(line))
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either.
+ has_gnu_debuglink = any(line for line in readelf_s_result.stdout.split('\n') if '] .gnu_debuglink' in line)
+
+ return ScanResult(file, has_debug_info, has_debug_abbrev, has_file_symbols, has_gnu_debuglink)
+
+def is_elf(file):
+ result = subprocess.run(['file', file], stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ return re.search(r'ELF 64-bit [LM]SB (?:pie )?(?:executable|shared object)', result.stdout)
+
+def scan_file_if_sensible(file):
+ if is_elf(file):
+ return scan_file(file)
+ return None
+
+def scan_dir(dir):
+ results = []
+ for root, _, files in os.walk(dir):
+ for name in files:
+ result = scan_file_if_sensible(os.path.join(root, name))
+ if result:
+ results.append(result)
+ return results
+
+def scan(file):
+ file = os.path.abspath(file)
+ if os.path.isdir(file):
+ return scan_dir(file)
+ elif os.path.isfile(file):
+ return [scan_file_if_sensible(file)]
+
+def is_bad_result(result):
+ return not result.debug_info or not result.debug_abbrev or not result.file_symbols or result.gnu_debuglink
+
+def print_scan_results(results, verbose):
+ # print(results)
+ for result in results:
+ file_name = result.file_name
+ found_issue = False
+ if not result.debug_info:
+ found_issue = True
+ print('error: missing .debug_info section in', file_name)
+ if not result.debug_abbrev:
+ found_issue = True
+ print('error: missing .debug_abbrev section in', file_name)
+ if not result.file_symbols:
+ found_issue = True
+ print('error: missing FILE symbols in', file_name)
+ if result.gnu_debuglink:
+ found_issue = True
+ print('error: unexpected .gnu_debuglink section in', file_name)
+ if verbose and not found_issue:
+ print('OK: ', file_name)
+
+def main(args):
+ verbose = False
+ files = []
+ for arg in args:
+ if arg == '--verbose' or arg == '-v':
+ verbose = True
+ else:
+ files.append(arg)
+
+ results = []
+ for file in files:
+ results.extend(scan(file))
+
+ print_scan_results(results, verbose)
+
+ if any(is_bad_result(result) for result in results):
+ return 1
+ return 0
+
+
+if __name__ == '__main__':
+ sys.exit(main(sys.argv[1:]))
diff --git a/dotnet-9.0.109.tar.gz b/dotnet-9.0.109.tar.gz
new file mode 100644
index 0000000..3e77b45
--- /dev/null
+++ b/dotnet-9.0.109.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42fdfe3733884a3f6ceb3b428ff346ccb92f95010c447e27f3b164f70145730c
+size 495158284
diff --git a/dotnet-9.0.109.tar.gz.sig b/dotnet-9.0.109.tar.gz.sig
new file mode 100644
index 0000000..74f2f6c
--- /dev/null
+++ b/dotnet-9.0.109.tar.gz.sig
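Review bot: In check-debug-symbols.py, scan_file looks for `'] .gnu_debuglink'` in `readelf_s_result` (the `-s` symbol-table output), but that pattern is a section-header line of the kind the `-S` run is searched for, so the debuglink check most likely never fires; it should read `readelf_S_result.stdout`. In contains_file_symbols the whole pattern is wrapped in an optional group, so `re.match(...)` succeeds on any string and the source-file-name test filters nothing; if a C/C++ file name is meant to be required, use `re.fullmatch(r'(.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx)', parts[7])`. Separately, scan() returns `[None]` for a regular file that is not ELF and `None` for a path that is neither a file nor a directory, which makes print_scan_results or `results.extend(...)` raise instead of reporting; returning `[]` in those cases keeps the checker's exit code meaningful.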
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: BSN Pgp v1.0.0.0
+
+iQIcBAABCAAGBQJoiUE2AAoJEP2/U8JNtIcuIjkQAJvFD1WwftRIn/Ll5PUw6YD8
+edNoU2z7dfogRJ+N3Wy/yxUeYCmYUGY82/afVYqanW0Uao7GHeqBJhjTdIf6lmiS
+ny0DU6J0oBCYaJk/dxCCtjCPNz26AGo3oEIWTSlR1EOO/G3v6S6y8PI13YF13fxp
+G4QRRiD+3MCuzZ7O3/otNZ1NWZ7rb9Fpbg0FcwhQrFUbVTtAAEFx3CEqXV0JQaJq
+EnmzAGeiDa6by4QfdgYhkvuQko2lsBmZOa4Ung9r/DzhuIGA6wKlq+Nv70Y+rpkG
+4/f2diGq7N6uER6mxoBvgVKrVECDdLf/atM/pyebFG5ccTGdj3KZGAG1uO95WlAH
+SnCXsRfisERhmw8FXzrsJQ5awU3aMnqMalVF/zcVcqL/N+N56K7jQfOyzNStLa0C
+zVA9vx8KyPpJk0Ua643Cih4XR7kKKnZNZ+JfzPxkCF3fXqx8qIhB8GqAGxBwKBG9
+bQk81WAXKx7KjeyDJLOIKff7O1GEK883PqSPbTzWm6Ip4mbpgtbnFUW6lm0AjAiy
+/KaJ+z9NdkhXw46zTODcvdTa69RXQ54bGKPHnHezHUmYoLZ/h2AYIj37JSxG611N
+0NJDqxP6JQVIsy6t7BUosTFo8YTO4bBHjINDZlpdOaNz6G0Jqj+GYkLbXL5l5VCT
+SpD3zMussN+T0giRHHoW
+=bbNN
+-----END PGP SIGNATURE-----
diff --git a/dotnet.sh.in b/dotnet.sh.in
new file mode 100644
index 0000000..65b92a0
--- /dev/null
+++ b/dotnet.sh.in
@@ -0,0 +1,14 @@
+
+# Set location for AppHost lookup
+[ -z "$DOTNET_ROOT" ] && export DOTNET_ROOT=@LIBDIR@/dotnet
+
+# Add dotnet tools directory to PATH
+DOTNET_TOOLS_PATH="$HOME/.dotnet/tools"
+case "$PATH" in
+ *"$DOTNET_TOOLS_PATH"* ) true ;;
+ * ) PATH="$PATH:$DOTNET_TOOLS_PATH" ;;
+esac
+
+# Extract self-contained executables under HOME
+# to avoid multi-user issues from using the default '/var/tmp'.
+[ -z "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" ] && export DOTNET_BUNDLE_EXTRACT_BASE_DIR="${XDG_CACHE_HOME:-"$HOME"/.cache}/dotnet_bundle_extract"
diff --git a/release-key-2023.asc b/release-key-2023.asc
new file mode 100644
index 0000000..8f0ec57
--- /dev/null
+++ b/release-key-2023.asc
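Review bot: In dotnet.sh.in the `case "$PATH" in *"$DOTNET_TOOLS_PATH"* )` test is a substring match, so any existing PATH entry that merely contains the tools path (a sibling directory with a longer name, say) suppresses the append; matching whole entries avoids that: `case ":$PATH:" in *":$DOTNET_TOOLS_PATH:"* ) true ;;`. The file also ends on `[ -z "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" ] && export ...`, which leaves a non-zero status when the variable is already set. If this is installed as a sourced profile script (assumed from the name; the install step is not part of this diff), rewriting the two `[ -z ... ] &&` lines as `if` statements or ending the file with `:` keeps the source step returning 0 for callers running with errexit.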
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/release.json b/release.json
new file mode 100644
index 0000000..05a9b70
--- /dev/null
+++ b/release.json
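Review bot: Nothing in this commit records where release-key-2023.asc was obtained or what its fingerprint is, and no spec file is part of the diff, so it is not visible whether the build ever checks dotnet-9.0.109.tar.gz against dotnet-9.0.109.tar.gz.sig. Because the key, the signature and the tarball pointer all arrive in the same commit, the signature only adds assurance if the key is pinned against a source outside this repository. I would record the provenance next to the key, for example `release-key-2023.asc: fingerprint <FULL_FINGERPRINT>, downloaded from <UPSTREAM_URL>` in the commit message or a README, and confirm that the spec verifies the signature before unpacking the source.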
@@ -0,0 +1,10 @@
+{
+ "release": "9.0.8",
+ "channel": "9.0",
+ "tag": "v9.0.109",
+ "sdkVersion": "9.0.109",
+ "runtimeVersion": "9.0.8",
+ "aspNetCoreVersion": "9.0.8",
+ "sourceRepository": "https://github.com/dotnet/dotnet",
+ "sourceVersion": "a1e39f97e51f1d381385d2dc6c94b368ea333784"
+}
diff --git a/roslyn-analyzers-ppc64le-apphost.patch b/roslyn-analyzers-ppc64le-apphost.patch
new file mode 100644
index 0000000..4dd465c
--- /dev/null
+++ b/roslyn-analyzers-ppc64le-apphost.patch
@@ -0,0 +1,12 @@
+diff --git a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+index 044a2aba4..b3f8f2611 100644
+--- a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
++++ b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+@@ -4,6 +4,7 @@
+ preview
+ disable
+ Exe
++ false
+
+
+ true
diff --git a/runtime-disable-fortify-on-ilasm-parser.patch b/runtime-disable-fortify-on-ilasm-parser.patch
new file mode 100644
index 0000000..a128222
--- /dev/null
+++ b/runtime-disable-fortify-on-ilasm-parser.patch
@@ -0,0 +1,12 @@
+diff --git dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+index cca2c6da185..d31e6cb2070 100644
+--- dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
++++ dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+@@ -52,6 +52,7 @@ if(CLR_CMAKE_HOST_UNIX)
+ add_compile_options(-Wno-array-bounds)
+ add_compile_options(-Wno-unused-label)
+ set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0" )
++ set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )
+ endif(CLR_CMAKE_HOST_UNIX)
+
+ if(CLR_CMAKE_HOST_LINUX OR CLR_CMAKE_HOST_FREEBSD OR CLR_CMAKE_HOST_NETBSD OR CLR_CMAKE_HOST_SUNOS OR CLR_CMAKE_HOST_HAIKU)
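Review bot: In runtime-disable-fortify-on-ilasm-parser.patch the added `set_source_files_properties(... COMPILE_FLAGS ...)` call sets the same property as the `"-O0"` call on the line before it, and a plain set replaces the value rather than appending to it, so asmparse.cpp would lose `-O0` and be built with the default optimisation level and without _FORTIFY_SOURCE. If both are wanted, fold them into one call: `set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )`. The patch carries no description, so it should also gain a comment saying why this one file is exempt from the distribution's hardening flags (presumably the fortify-without-optimisation warning), since the exemption covers the ilasm parser itself.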
diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..6e307ef
--- /dev/null
+++ b/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
diff --git a/runtime-re-enable-implicit-rejection.patch b/runtime-re-enable-implicit-rejection.patch
new file mode 100644
index 0000000..a2e5614
--- /dev/null
+++ b/runtime-re-enable-implicit-rejection.patch
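Review bot: The rationale carried in runtime-openssl-sha1.patch is specific to RHEL ("RHEL OpenSSL builds disable SHA-1 signatures"), and nothing in this commit says the openEuler OpenSSL build has the same restriction. Dropping `X509_V_FLAG_CHECK_SS_SIGNATURE` in CryptoNative_X509StoreCtxInit means the signature on a self-signed certificate at the end of a chain is no longer checked for any caller, not only for SHA-1 roots, which departs from the upstream code the patch is applied to. Either record in the packaging why openEuler needs this relaxation, or drop the patch if openEuler's OpenSSL accepts SHA-1 signatures and the flag can stay.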
@@ -0,0 +1,142 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs | 49 ++++---------------
+ .../opensslshim.h | 6 ---
+ .../pal_evp_pkey_rsa.c | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+ Assert.Equal(TestData.HelloBytes, output);
+ }
+
+- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
++ [ConditionalFact]
+ [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+ public void RoundtripEmptyArray()
+ {
++ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
++ {
++ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
++ }
++ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
++ {
++ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
++ }
++
+ using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+ {
+ void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -757,23 +746,5 @@ public static IEnumerable OaepPaddingModes
+ }
+ }
+ }
+-
+- public static bool PlatformSupportsEmptyRSAEncryption
+- {
+- get
+- {
+- if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+- {
+- return false;
+- }
+-
+- if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+- {
+- return false;
+- }
+-
+- return true;
+- }
+- }
+ }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 0748e305d5c..cf10d2f7949 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+ REQUIRED_FUNCTION(ERR_peek_error) \
+ REQUIRED_FUNCTION(ERR_peek_error_line) \
+ REQUIRED_FUNCTION(ERR_peek_last_error) \
+- REQUIRED_FUNCTION(ERR_pop_to_mark) \
+ FALLBACK_FUNCTION(ERR_put_error) \
+ REQUIRED_FUNCTION(ERR_reason_error_string) \
+- REQUIRED_FUNCTION(ERR_set_mark) \
+ LIGHTUP_FUNCTION(ERR_set_debug) \
+ LIGHTUP_FUNCTION(ERR_set_error) \
+ REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+ REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+ REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+- REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+ {
+ return false;
+ }
+-
+- // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+- // If the padding is invalid, the decryption operation returns random data.
+- // See https://github.com/openssl/openssl/pull/13817 for background.
+- // Some Linux distributions backported this change to previous versions of OpenSSL.
+- // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+- ERR_set_mark();
+-
+- EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+- // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+- // current version does not support implicit rejection.
+- ERR_pop_to_mark();
+ }
+ else
+ {
+--
+2.43.0
+
-- Gitee
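Review bot: The packaging does not state which openEuler OpenSSL builds implement implicit rejection, and runtime-re-enable-implicit-rejection.patch only removes the runtime's opt-out (`EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` in ConfigureEncryption), so whether PKCS#1 v1.5 decryption is actually protected depends on the library the distribution ships. Per the removed comment the behaviour arrived in OpenSSL 3.2 or in distribution backports; a line in the spec or README naming the minimum OpenSSL build would make that dependency explicit. With the feature active, decrypting a ciphertext with invalid padding returns random data instead of failing, so the notes should also say that callers which relied on an error for bad PKCS#1 padding will see different behaviour and must not treat a successful decrypt as proof of integrity. ConfigureEncryption's body continues outside the hunk.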