Support overriding MsQuic.dll in the application directory on Windows. by rzikm · Pull Request #103351 · dotnet/runtime

rzikm · 2024-06-12T16:20:47Z

This PR allows (via some explicit user action) to use OpenSSL version of MsQuic to enable use of System.Net.Quic on Windows 10 and other OSes where the Schannel build of MsQuic is not supported.

To use OpenSSL build of MsQuic, you can use e.g. the following snippet in csproj.

  <ItemGroup>
    <PackageReference Include="Microsoft.Native.Quic.MsQuic.OpenSSL"
                      Version="2.3.5"
                      PrivateAssets="all"
                      GeneratePathProperty="true" />

    <RuntimeHostConfigurationOption Include="System.Net.Quic.AppLocalMsQuic" Value="true" />
  </ItemGroup>

  <Target Name="CopyCustomContent" AfterTargets="AfterBuild">
    <Copy SourceFiles="$(PkgMicrosoft_Native_Quic_MsQuic_OpenSSL)\build\native\bin\x64\msquic.dll" DestinationFolder="$(OutDir)" />
  </Target>
  <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish">
    <Copy SourceFiles="$(PkgMicrosoft_Native_Quic_MsQuic_OpenSSL)\build\native\bin\x64\msquic.dll" DestinationFolder="$(PublishDir)" />
  </Target>

src/libraries/System.Net.Quic/src/System/Net/Quic/Internal/MsQuicApi.cs

jkotas · 2024-06-12T22:23:06Z

Explicit probing for native .dll in application directory that is not there is going to introduce DLL planting vulnerability. You can read about it in https://msrc.microsoft.com/blog/2018/04/triaging-a-dll-planting-vulnerability/ . This particular case is "Malicious binary planted in an untrusted application directory.".

You may want to mirror what we have done to enable loading app-local copies of lib ICU so that you do not have to deal with reports of dll planting vulnerabilities. App local lib ICU requires explicit opt-in via System.Globalization.AppLocalIcu switch.

EDIT: I see @elinor-fung made the same comment as well.

ManickaP · 2024-06-13T07:22:52Z

App local lib ICU requires explicit opt-in via System.Globalization.AppLocalIcu switch.

👍

rzikm · 2024-06-14T08:52:19Z

Added opt-in via appctx switch + envvar (appctx switch takes precedence)

runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Internal/MsQuicApi.cs

Line 282 in 6b967a0

    
           private static bool AllowAppLocalMsQuic() => AppContextSwitchHelper.GetBooleanConfig("System.Net.Quic.AppLocalMsQuic", "DOTNET_SYSTEM_NET_QUIC_APPLOCALMSQUIC");

ManickaP

LGTM, thanks.
Do you think it'd be possible to add a test for this? To prevent us from accidentally breaking it in the future.

src/libraries/Common/src/System/AppContextSwitchHelper.cs

src/libraries/System.Net.Quic/src/System/Net/Quic/Internal/MsQuicApi.cs

wfurt · 2024-06-14T17:46:10Z

Do you think it'd be possible to add a test for this? To prevent us from accidentally breaking it in the future.

It would be great to hook it up to our tests and run standard test suite on older windows.

rzikm · 2024-06-17T10:40:33Z

looks like Microsoft.Native.Quic.MsQuic.OpenSSL needs to be added to dotnet-public mirror first, https://dev.azure.com/dnceng/internal/_build/results?buildId=2475371&view=results

rzikm · 2024-06-17T10:53:23Z

/azp run runtime

azure-pipelines · 2024-06-17T10:53:52Z

Azure Pipelines successfully started running 1 pipeline(s).

src/libraries/System.Net.Quic/src/System/Net/Quic/Internal/MsQuicApi.cs

src/libraries/System.Net.Quic/tests/FunctionalTests/QuicTestBase.cs

rzikm · 2024-06-18T19:06:09Z

/azp run runtime-extra-platforms

azure-pipelines · 2024-06-18T19:06:29Z

Azure Pipelines successfully started running 1 pipeline(s).

rzikm · 2024-06-19T07:40:19Z

There don't seem to be any Windows 10 runs in the runtime runtime-extra-platforms and runtime-libraries-coreclr outerloop pipelines, from a quick look at the yml definitions, there should be, unless I misunderstand something.

rzikm · 2024-06-19T07:40:24Z

/azp run runtime-coreclr libraries-jitstress

dotnet-policy-service · 2024-09-26T19:51:15Z

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.

rzikm · 2025-03-31T15:15:38Z

/azp run runtime-extra-platforms

rzikm · 2025-03-31T15:18:25Z

https://helixr1107v0xdcypoyl9e7f.blob.core.windows.net/dotnet-runtime-refs-pull-103351-merge-1de63c2e075e4af0ad/System.Net.Quic.Functional.Tests/1/console.760e2ed9.log?helixlogtype=result

----- start Mon 03/31/2025 10:47:42.75 ===============  To repro directly: =====================================================
pushd C:\helix\work\workitem\e\
"C:\helix\work\correlation\dotnet.exe" exec --runtimeconfig System.Net.Quic.Functional.Tests.runtimeconfig.json --depsfile System.Net.Quic.Functional.Tests.deps.json xunit.console.dll System.Net.Quic.Functional.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing 
popd
===========================================================================================================

C:\helix\work\workitem\e>"C:\helix\work\correlation\dotnet.exe" exec --runtimeconfig System.Net.Quic.Functional.Tests.runtimeconfig.json --depsfile System.Net.Quic.Functional.Tests.deps.json xunit.console.dll System.Net.Quic.Functional.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing  
  Discovering: System.Net.Quic.Functional.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Quic.Functional.Tests (found 140 of 153 test cases)
  Starting:    System.Net.Quic.Functional.Tests (parallel test collections = on [2 threads], stop on fail = off)
MsQuic supported and using 'msquic.dll 2.4.8.569855 (5ddc9bff4e82e910872fd239340e7970e3c768f8)' (OpenSSL).
    System.Net.Quic.Tests.MsQuicPlatformDetectionTests.SupportedWindowsPlatforms_IsSupportedIsTrue [SKIP]
      Condition(s) not met: "SupportsTls13"
    System.Net.Quic.Tests.MsQuicPlatformDetectionTests.UnsupportedPlatforms_ThrowsPlatformNotSupportedException [SKIP]
      Condition(s) not met: "IsQuicUnsupported"
    System.Net.Quic.Tests.MsQuicTests.Server_CertificateWithEphemeralKey_Throws [SKIP]
      Condition(s) not met: "IsUsingSchannelBackend"
    System.Net.Quic.Tests.MsQuicTests.Client_CertificateWithEphemeralKey_Throws [SKIP]
      Condition(s) not met: "IsUsingSchannelBackend"
MsQuic Counters:
    CONN_CREATED 1602
    CONN_HANDSHAKE_FAIL 23
    CONN_APP_REJECT 8
    CONN_LOAD_REJECT 0

Unobserved exceptions of 0 different types: 

  Finished:    System.Net.Quic.Functional.Tests
=== TEST EXECUTION SUMMARY ===
   System.Net.Quic.Functional.Tests  Total: 429, Errors: 0, Failed: 0, Skipped: 4, Time: 87.917s
----- end Mon 03/31/2025 10:49:12.28 ----- exit code 0 ----------------------------------------------------------

Seems to work fine

wfurt · 2025-03-31T15:45:10Z

src/libraries/Common/src/System/AppContextSwitchHelper.cs

+                {
+                    return true;
+                }
+                if (str == "1" || string.Equals(str, bool.FalseString, StringComparison.OrdinalIgnoreCase))


should this be 0? we already test "1" above.

wfurt

LFTM in general

ManickaP

LGTM, just few nits. Thanks for this!

src/libraries/Common/src/System/AppContextSwitchHelper.cs

src/libraries/System.Net.Quic/tests/FunctionalTests/QuicTestCollection.cs

src/libraries/System.Net.Quic/tests/FunctionalTests/System.Net.Quic.Functional.Tests.csproj

ghost added the area-System.Net.Quic label Jun 12, 2024

rzikm commented Jun 12, 2024

View reviewed changes