private static SecurityStatusPal HandshakeInternal(
SafeFreeCredentials credential,
ref SafeDeleteSslContext?context,
ReadOnlySpan <byte> inputBuffer,
ref byte[]?outputBuffer,
SslAuthenticationOptions sslAuthenticationOptions,
SelectClientCertificate?clientCertificateSelectionCallback)
{
Debug.Assert(!credential.IsInvalid);
try
{
SafeDeleteSslContext?sslContext = ((SafeDeleteSslContext?)context);
if ((null == context) || context.IsInvalid)
{
sslContext = new SafeDeleteSslContext((credential as SafeFreeSslCredentials) !, sslAuthenticationOptions);
context = sslContext;
}
if (inputBuffer.Length > 0)
{
sslContext !.Write(inputBuffer);
}
SafeSslHandle sslHandle = sslContext !.SslContext;
SecurityStatusPal status = PerformHandshake(sslHandle);
if (status.ErrorCode == SecurityStatusPalErrorCode.CredentialsNeeded && clientCertificateSelectionCallback != null)
{
X509Certificate2?clientCertificate = clientCertificateSelectionCallback(out bool _);
if (clientCertificate != null)
{
sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(clientCertificate);
SafeDeleteSslContext.SetCertificate(sslContext.SslContext, sslAuthenticationOptions.CertificateContext);
}
// We either got certificate or we can proceed without it. It is up to the server to decide if either is OK.
status = PerformHandshake(sslHandle);
}
outputBuffer = sslContext.ReadPendingWrites();
return(status);
}
catch (Exception exc)
{
return(new SecurityStatusPal(SecurityStatusPalErrorCode.InternalError, exc));
}
}
private static SecurityStatusPal HandshakeInternal(
SecureChannel secureChannel,
SafeFreeCredentials credential,
ref SafeDeleteSslContext?context,
ReadOnlySpan <byte> inputBuffer,
ref byte[]?outputBuffer,
SslAuthenticationOptions sslAuthenticationOptions)
{
Debug.Assert(!credential.IsInvalid);
try
{
SafeDeleteSslContext?sslContext = ((SafeDeleteSslContext?)context);
if ((null == context) || context.IsInvalid)
{
sslContext = new SafeDeleteSslContext((credential as SafeFreeSslCredentials) !, sslAuthenticationOptions);
context = sslContext;
if (!string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) && !sslAuthenticationOptions.IsServer)
{
Interop.AppleCrypto.SslSetTargetName(sslContext.SslContext, sslAuthenticationOptions.TargetHost);
}
if (sslAuthenticationOptions.CertificateContext == null && sslAuthenticationOptions.CertSelectionDelegate != null)
{
// certificate was not provided but there is user callback. We can break handshake if server asks for certificate
// and we can try to get it based on remote certificate and trusted issuers.
Interop.AppleCrypto.SslBreakOnCertRequested(sslContext.SslContext, true);
}
if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired)
{
Interop.AppleCrypto.SslSetAcceptClientCert(sslContext.SslContext);
}
}
if (inputBuffer.Length > 0)
{
sslContext !.Write(inputBuffer);
}
SafeSslHandle sslHandle = sslContext !.SslContext;
SecurityStatusPal status = PerformHandshake(sslHandle);
if (status.ErrorCode == SecurityStatusPalErrorCode.CredentialsNeeded)
{
X509Certificate2?clientCertificate = secureChannel.SelectClientCertificate(out _);
if (clientCertificate != null)
{
sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(clientCertificate);
SafeDeleteSslContext.SetCertificate(sslContext.SslContext, sslAuthenticationOptions.CertificateContext);
}
// We either got certificate or we can proceed without it. It is up to the server to decide if either is OK.
status = PerformHandshake(sslHandle);
}
outputBuffer = sslContext.ReadPendingWrites();
return(status);
}
catch (Exception exc)
{
return(new SecurityStatusPal(SecurityStatusPalErrorCode.InternalError, exc));
}
}