 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Takes a reference to the first byte of a buffer plus a count:
 /// nothing in this signature can verify that <paramref name="num"/> fits the memory behind
 /// <paramref name="buf"/>, so the caller must guarantee it. <paramref name="error"/> receives an
 /// <see cref="SslErrorCode"/> alongside the int result.
 /// </summary>
 internal static partial int SslRead(SafeSslHandle ssl, ref byte buf, int num, out SslErrorCode error);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. <paramref name="set"/> is a plain int flag — the values the
 /// native side accepts are not visible here, so confirm before passing anything other than the
 /// project's established constants.
 /// </summary>
 internal static unsafe partial void SslSetClientCertCallback(SafeSslHandle ssl, int set);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns a bool, so callers should check the result rather than
 /// assume <paramref name="x509"/> was attached to the context.
 /// </summary>
 internal static partial bool SslAddExtraChainCert(SafeSslHandle ssl, SafeX509Handle x509);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns a raw <see cref="IntPtr"/>; what it points to is not
 /// visible here (it mirrors the <c>IntPtr data</c> parameter of <c>SslSetData</c>), so treat it as
 /// opaque and do not dereference it without knowing how it was set.
 /// </summary>
 internal static partial IntPtr SslGetData(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns an int status whose value meanings are not visible
 /// here — callers should not ignore it.
 /// </summary>
 internal static partial int SslUseCertificate(SafeSslHandle ssl, SafeX509Handle certPtr);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Has a Try-style shape (bool result, <c>out</c> value);
 /// presumably <paramref name="cipherId"/> is only meaningful when the result is true — confirm
 /// against the native side before relying on it.
 /// </summary>
 internal static partial bool SslGetCurrentCipherId(SafeSslHandle ssl, out int cipherId);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Takes two raw byte pointers with no lengths, so the caller
 /// must keep the memory pinned and valid for the duration of the call and supply whatever
 /// terminator the native side expects (not visible here). Returns a bool that should be checked.
 /// </summary>
 internal static unsafe partial bool SslSetCiphers(SafeSslHandle ssl, byte *cipherList, byte *cipherSuites);
 /// <summary>
 /// Constructor stub: unconditionally throws <see cref="NotImplementedException"/>.
 /// <paramref name="sslContext"/> is accepted for signature compatibility but never read.
 /// </summary>
 /// <exception cref="NotImplementedException">Always.</exception>
 public SslConnectionInfo(SafeSslHandle sslContext)
     => throw new NotImplementedException(nameof(SslConnectionInfo));
 /// <summary>
 /// Thin pass-through to <c>Ssl.SslGetPeerCertificate</c> for the given context.
 /// </summary>
 /// <param name="context">The SSL context handle to query.</param>
 /// <returns>Whatever the underlying call returns; this wrapper adds no validation.</returns>
 internal static SafeX509Handle GetPeerCertificate(SafeSslHandle context)
     => Ssl.SslGetPeerCertificate(context);
        /// <summary>
        /// Performs one handshake step against the Apple-backed TLS context (Interop.AppleCrypto).
        /// On the first call (or when <paramref name="context"/> is null or invalid) a new
        /// <see cref="SafeDeleteSslContext"/> is created and configured from <paramref name="sslAuthenticationOptions"/>;
        /// then any bytes in <paramref name="inputBuffer"/> are written to the context, the handshake is driven,
        /// and pending outbound bytes are handed back through <paramref name="outputBuffer"/>.
        /// </summary>
        /// <param name="secureChannel">Used only to select a client certificate when the handshake reports CredentialsNeeded.</param>
        /// <param name="credential">Must be valid (asserted); cast to <c>SafeFreeSslCredentials</c> when a context is created.</param>
        /// <param name="context">In/out: the SSL context, created here when null or invalid.</param>
        /// <param name="inputBuffer">Bytes received from the peer to feed into the handshake; may be empty.</param>
        /// <param name="outputBuffer">Receives the bytes the context has queued for the peer.</param>
        /// <param name="sslAuthenticationOptions">Handshake settings; <c>CertificateContext</c> may be assigned by this method.</param>
        /// <returns>
        /// The handshake status. Any exception thrown inside is caught and returned as
        /// <see cref="SecurityStatusPalErrorCode.InternalError"/> carrying the exception, never propagated.
        /// </returns>
        private static SecurityStatusPal HandshakeInternal(
            SecureChannel secureChannel,
            SafeFreeCredentials credential,
            ref SafeDeleteSslContext?context,
            ReadOnlySpan <byte> inputBuffer,
            ref byte[]?outputBuffer,
            SslAuthenticationOptions sslAuthenticationOptions)
        {
            Debug.Assert(!credential.IsInvalid);

            try
            {
                SafeDeleteSslContext?sslContext = ((SafeDeleteSslContext?)context);

                // First call, or the previous context is no longer usable: build and configure a new one.
                if ((null == context) || context.IsInvalid)
                {
                    // '!' : credential is assumed to be a SafeFreeSslCredentials here; a mismatch would
                    // throw inside the constructor and be reported through the catch below.
                    sslContext = new SafeDeleteSslContext((credential as SafeFreeSslCredentials) !, sslAuthenticationOptions);
                    context    = sslContext;

                    // The target host name is applied only on the client side.
                    if (!string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) && !sslAuthenticationOptions.IsServer)
                    {
                        Interop.AppleCrypto.SslSetTargetName(sslContext.SslContext, sslAuthenticationOptions.TargetHost);
                    }

                    if (sslAuthenticationOptions.CertificateContext == null && sslAuthenticationOptions.CertSelectionDelegate != null)
                    {
                        // certificate was not provided but there is user callback. We can break handshake if server asks for certificate
                        // and we can try to get it based on remote certificate and trusted issuers.
                        Interop.AppleCrypto.SslBreakOnCertRequested(sslContext.SslContext, true);
                    }

                    // Server side that requires a peer certificate: configure the context to accept a client cert.
                    if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired)
                    {
                        Interop.AppleCrypto.SslSetAcceptClientCert(sslContext.SslContext);
                    }
                }

                if (inputBuffer.Length > 0)
                {
                    // '!' : sslContext is either the incoming context or the one created above, so it is non-null here.
                    sslContext !.Write(inputBuffer);
                }

                SafeSslHandle     sslHandle = sslContext !.SslContext;
                SecurityStatusPal status    = PerformHandshake(sslHandle);
                // Presumably the break armed by SslBreakOnCertRequested above: ask the caller for a client
                // certificate, install it if one was chosen, then resume the handshake.
                if (status.ErrorCode == SecurityStatusPalErrorCode.CredentialsNeeded)
                {
                    X509Certificate2?clientCertificate = secureChannel.SelectClientCertificate(out _);
                    if (clientCertificate != null)
                    {
                        sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(clientCertificate);
                        SafeDeleteSslContext.SetCertificate(sslContext.SslContext, sslAuthenticationOptions.CertificateContext);
                    }

                    // We either got certificate or we can proceed without it. It is up to the server to decide if either is OK.
                    status = PerformHandshake(sslHandle);
                }

                // Hand back whatever the context queued for the wire during this step.
                outputBuffer = sslContext.ReadPendingWrites();
                return(status);
            }
            catch (Exception exc)
            {
                // Failures are surfaced as a status carrying the exception rather than thrown to the caller.
                return(new SecurityStatusPal(SecurityStatusPalErrorCode.InternalError, exc));
            }
        }
        /// <summary>
        /// Writes <paramref name="input"/> through the TLS context and returns the resulting protected bytes
        /// in <paramref name="output"/>, reusing the caller's array when it is large enough.
        /// </summary>
        /// <param name="securityContext">The established SSL context to encrypt through.</param>
        /// <param name="input">Plaintext to protect; asserted non-empty in debug builds.</param>
        /// <param name="headerSize">Not read by this method.</param>
        /// <param name="trailerSize">Not read by this method.</param>
        /// <param name="output">
        /// In/out buffer for the protected bytes. NOTE(review): declared non-nullable but null-checked with <c>?.</c>
        /// below, so callers apparently may pass null — confirm the intended annotation.
        /// </param>
        /// <param name="resultSize">Number of bytes of <paramref name="output"/> that were filled; 0 on any error path.</param>
        /// <returns>
        /// OK on success, ContinueNeeded when the native write reports WouldBlock, otherwise InternalError;
        /// exceptions are caught and returned as InternalError carrying the exception.
        /// </returns>
        public static SecurityStatusPal EncryptMessage(
            SafeDeleteSslContext securityContext,
            ReadOnlyMemory <byte> input,
            int headerSize,
            int trailerSize,
            ref byte[] output,
            out int resultSize)
        {
            resultSize = 0;

            Debug.Assert(input.Length > 0, $"{nameof(input.Length)} > 0 since {nameof(CanEncryptEmptyMessage)} is false");

            try
            {
                SafeSslHandle sslHandle = securityContext.SslContext;

                unsafe
                {
                    // Pin the managed memory so the native write sees a stable pointer; released in the finally below.
                    MemoryHandle memHandle = input.Pin();
                    try
                    {
                        PAL_TlsIo status = Interop.AppleCrypto.SslWrite(
                            sslHandle,
                            (byte *)memHandle.Pointer,
                            input.Length,
                            out int written);

                        // Negative values are treated as OS status codes and wrapped into an exception-carrying result.
                        if (status < 0)
                        {
                            return(new SecurityStatusPal(
                                       SecurityStatusPalErrorCode.InternalError,
                                       Interop.AppleCrypto.CreateExceptionForOSStatus((int)status)));
                        }

                        // Reuse the caller's buffer when it can hold everything queued. Note the lifted comparison:
                        // when output is null, output?.Length is null and the '<=' is false, so the else branch
                        // allocates a fresh array.
                        if (securityContext.BytesReadyForConnection <= output?.Length)
                        {
                            resultSize = securityContext.ReadPendingWrites(output, 0, output.Length);
                        }
                        else
                        {
                            // '!' : the parameterless ReadPendingWrites() is apparently nullable-annotated; confirm it cannot
                            // return null here, since output.Length is read immediately after.
                            output     = securityContext.ReadPendingWrites() !;
                            resultSize = output.Length;
                        }

                        // Map the native I/O status onto the PAL status; anything unexpected is a bug, not a peer condition.
                        switch (status)
                        {
                        case PAL_TlsIo.Success:
                            return(new SecurityStatusPal(SecurityStatusPalErrorCode.OK));

                        case PAL_TlsIo.WouldBlock:
                            return(new SecurityStatusPal(SecurityStatusPalErrorCode.ContinueNeeded));

                        default:
                            Debug.Fail($"Unknown status value: {status}");
                            return(new SecurityStatusPal(SecurityStatusPalErrorCode.InternalError));
                        }
                    }
                    finally
                    {
                        memHandle.Dispose();
                    }
                }
            }
            catch (Exception e)
            {
                // Failures are surfaced as a status carrying the exception rather than thrown to the caller.
                return(new SecurityStatusPal(SecurityStatusPalErrorCode.InternalError, e));
            }
        }
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns an int status whose value meanings are not visible here.
 /// </summary>
 internal static partial int SslShutdown(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Pure query returning a bool; takes no other input.
 /// </summary>
 internal static partial bool IsSslRenegotiatePending(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Same shape as <c>SslDoHandshake</c>: an int result plus an
 /// <c>out</c> <see cref="SslErrorCode"/> that callers should inspect together with the return value.
 /// </summary>
 internal static partial int SslRenegotiate(SafeSslHandle ssl, out SslErrorCode error);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Pure query returning a bool; takes no other input.
 /// </summary>
 internal static partial bool SslSessionReused(SafeSslHandle ssl);
 /// <summary>
 /// Thin pass-through to <c>Ssl.SslGetPeerCertChain</c> for the given context.
 /// </summary>
 /// <param name="context">The SSL context handle to query.</param>
 /// <returns>Whatever the underlying call returns; this wrapper adds no validation.</returns>
 internal static SafeSharedX509StackHandle GetPeerCertificateChain(SafeSslHandle context)
     => Ssl.SslGetPeerCertChain(context);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Private and suffixed <c>_private</c>, which suggests a
 /// validating wrapper elsewhere is the intended entry point — confirm before calling this directly.
 /// </summary>
 private static partial SafeSharedX509NameStackHandle SslGetClientCAList_private(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Attaches a read and a write BIO handle to the context; returns
 /// nothing, so failure (if any) cannot be observed from this signature.
 /// </summary>
 internal static partial void SslSetBio(SafeSslHandle ssl, SafeBioHandle rbio, SafeBioHandle wbio);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns a raw <see cref="IntPtr"/> (presumably a native string;
 /// ownership and lifetime are not visible here) and an int <paramref name="isTls12OrLower"/> rather
 /// than a bool — confirm which values the native side uses before treating it as a flag.
 /// </summary>
 private static partial IntPtr GetOpenSslCipherSuiteName(SafeSslHandle ssl, int cipherSuite, out int isTls12OrLower);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns an int result plus an <c>out</c> <see cref="SslErrorCode"/>;
 /// callers should inspect both, since the int alone does not carry the error detail.
 /// </summary>
 internal static partial int SslDoHandshake(SafeSslHandle ssl, out SslErrorCode error);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Takes no options and returns nothing, so whatever verification
 /// mode it enables is fixed on the native side and not visible here.
 /// </summary>
 internal static partial void SslSetVerifyPeer(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Pure query returning a bool; takes no other input.
 /// </summary>
 internal static partial bool IsSslStateOK(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Stores an opaque <see cref="IntPtr"/> on the context (read back
 /// by <c>SslGetData</c>); if this is used to carry a managed reference, the caller owns keeping that
 /// target alive for as long as the native side may use it. Returns an int status.
 /// </summary>
 internal static partial int SslSetData(SafeSslHandle ssl, IntPtr data);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns a <see cref="SafeX509Handle"/>; whether it can be an
 /// invalid handle when no peer certificate exists is not visible here, so check before use.
 /// </summary>
 internal static partial SafeX509Handle SslGetPeerCertificate(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns an int status whose value meanings are not visible
 /// here — callers should not ignore it.
 /// </summary>
 internal static partial int SslUsePrivateKey(SafeSslHandle ssl, SafeEvpPKeyHandle keyPtr);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. The "Shared" handle type suggests the native stack is not owned
 /// by the caller — confirm the ownership contract before disposing or caching it.
 /// </summary>
 internal static partial SafeSharedX509StackHandle SslGetPeerCertChain(SafeSslHandle ssl);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. <paramref name="value"/> is a plain int; the accepted values
 /// are not visible here.
 /// </summary>
 internal static partial void SslSetPostHandshakeAuth(SafeSslHandle ssl, int value);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Takes a raw pointer plus a count: the caller must guarantee
 /// <paramref name="count"/> does not exceed the memory behind <paramref name="buf"/> and that the
 /// memory stays pinned for the call, since this signature cannot check either.
 /// </summary>
 internal static partial int SslGetFinished(SafeSslHandle ssl, IntPtr buf, int count);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Takes a raw array of pointers plus a count; the caller must keep
 /// the array and every pointed-to object alive and pinned for the call and ensure <paramref name="count"/>
 /// matches the array length. Returns a bool that should be checked.
 /// </summary>
 private static unsafe partial bool SslAddClientCAs(SafeSslHandle ssl, IntPtr *x509s, int count);
 /// <summary>
 /// Bodiless partial declaration; the implementation is expected to come from a generated interop
 /// binding not shown in this excerpt. Returns a raw pointer and a length via <c>out</c> parameters;
 /// the lifetime of the pointed-to memory is not visible here, so copy it out before the context
 /// changes rather than holding the pointer.
 /// </summary>
 internal static partial void SslGetAlpnSelected(SafeSslHandle ssl, out IntPtr protocol, out int len);