Imported Upstream version 5.16.0.100

Former-commit-id: 38faa55fb9669e35e7d8448b15c25dc447f25767

mcs/class/System/Mono.Btls/MonoBtlsContext.cs

@@ -62,16 +62,11 @@ namespace Mono.Btls
 		bool isAuthenticated;
 		bool connected;
 
-		public MonoBtlsContext (
-			MNS.MobileAuthenticatedStream parent,
-			bool serverMode, string targetHost,
-			SslProtocols enabledProtocols, X509Certificate serverCertificate,
-			X509CertificateCollection clientCertificates, bool askForClientCert)
-			: base (parent, serverMode, targetHost, enabledProtocols,
-			        serverCertificate, clientCertificates, askForClientCert)
+		public MonoBtlsContext (MNS.MobileAuthenticatedStream parent, MNS.MonoSslAuthenticationOptions options)
+			: base (parent, options)
 		{
-			if (serverMode)
-				nativeServerCertificate = GetPrivateCertificate (serverCertificate);
+			if (IsServer)
+				nativeServerCertificate = GetPrivateCertificate (LocalServerCertificate);
 		}
 
 		static X509CertificateImplBtls GetPrivateCertificate (X509Certificate certificate)
@@ -103,21 +98,26 @@ namespace Mono.Btls
 			}
 		}
 
-		int SelectCallback ()
+		int SelectCallback (string[] acceptableIssuers)
 		{
 			Debug ("SELECT CALLBACK!");
 
-			GetPeerCertificate ();
-			if (remoteCertificate == null)
-				throw new TlsException (AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server.");
+			/*
+			 * Make behavior consistent with AppleTls, which does not call the selection callback after a
+			 * certificate has been set.  See the comment in AppleTlsContext for details.
+			 */
+			if (nativeClientCertificate != null)
+				return 1;
 
-			var clientCert = SelectClientCertificate (remoteCertificate, null);
-			Debug ("SELECT CALLBACK #1: {0}", clientCert);
+			GetPeerCertificate ();
+
+			var clientCert = SelectClientCertificate (acceptableIssuers);
+			Debug ($"SELECT CALLBACK #1: {clientCert}");
 			if (clientCert == null)
 				return 1;
 
 			nativeClientCertificate = GetPrivateCertificate (clientCert);
-			Debug ("SELECT CALLBACK #2: {0}", nativeClientCertificate);
+			Debug ($"SELECT CALLBACK #2: {nativeClientCertificate}");
 			clientCertificate = new X509Certificate (nativeClientCertificate);
 			SetPrivateCertificate (nativeClientCertificate);
 			return 1;
@@ -137,6 +137,9 @@ namespace Mono.Btls
 			} else {
 				ssl.SetServerName (ServerName);
 			}
+
+			if (Options.AllowRenegotiation)
+				ssl.SetRenegotiateMode (MonoBtlsSslRenegotiateMode.FREELY);
 		}
 
 		void SetPrivateCertificate (X509CertificateImplBtls privateCert)
@@ -162,6 +165,10 @@ namespace Mono.Btls
 			if (error == 0)
 				return new MonoBtlsException (status);
 
+			var reason = MonoBtlsError.GetErrorReason (error);
+			if (reason > 0)
+				return new TlsException ((AlertDescription)reason);
+
 			var text = MonoBtlsError.GetErrorString (error);
 
 			string message;
@@ -236,11 +243,13 @@ namespace Mono.Btls
 
 			ctx.SetVerifyParam (MonoBtlsProvider.GetVerifyParam (Settings, ServerName, IsServer));
 
-			TlsProtocolCode minProtocol, maxProtocol;
+			TlsProtocolCode? minProtocol, maxProtocol;
 			GetProtocolVersions (out minProtocol, out maxProtocol);
 
-			ctx.SetMinVersion ((int)minProtocol);
-			ctx.SetMaxVersion ((int)maxProtocol);
+			if (minProtocol != null)
+				ctx.SetMinVersion ((int)minProtocol.Value);
+			if (maxProtocol != null)
+				ctx.SetMaxVersion ((int)maxProtocol.Value);
 
 			if (Settings != null && Settings.EnabledCiphers != null) {
 				var ciphers = new short [Settings.EnabledCiphers.Length];
@@ -248,6 +257,9 @@ namespace Mono.Btls
 					ciphers [i] = (short)Settings.EnabledCiphers [i];
 				ctx.SetCiphers (ciphers, true);
 			}
+
+			if (IsServer && Settings?.ClientCertificateIssuers != null)
+				ctx.SetClientCertificateIssuers (Settings.ClientCertificateIssuers);
 		}
 
 		void GetPeerCertificate ()
@@ -354,6 +366,17 @@ namespace Mono.Btls
 			}
 		}
 
+		public override bool CanRenegotiate {
+			get {
+				return false;
+			}
+		}
+
+		public override void Renegotiate ()
+		{
+			throw new NotSupportedException ();
+		}
+
 		public override void Shutdown ()
 		{
 			Debug ("Shutdown!");
@@ -362,6 +385,11 @@ namespace Mono.Btls
 			ssl.Shutdown ();
 		}
 
+		public override bool PendingRenegotiation ()
+		{
+			return ssl.RenegotiatePending ();
+		}
+
 		void Dispose<T> (ref T disposable)
 			where T : class, IDisposable
 		{

mcs/class/System/Mono.Btls/MonoBtlsError.cs

@@ -56,6 +56,9 @@ namespace Mono.Btls
 		[DllImport (MonoBtlsObject.BTLS_DYLIB)]
 		extern static void mono_btls_error_get_error_string_n (int error, IntPtr buf, int len);
 
+		[DllImport (MonoBtlsObject.BTLS_DYLIB)]
+		extern static int mono_btls_error_get_reason (int error);
+
 		public static int PeekError ()
 		{
 			return mono_btls_error_peek_error ();
@@ -106,6 +109,11 @@ namespace Mono.Btls
 				file = null;
 			return error;
 		}
+
+		public static int GetErrorReason (int error)
+		{
+			return mono_btls_error_get_reason (error);
+		}
 	}
 }
 #endif

mcs/class/System/Mono.Btls/MonoBtlsSsl.cs

@@ -33,7 +33,7 @@ using System.Runtime.CompilerServices;
 namespace Mono.Btls
 {
 	delegate int MonoBtlsVerifyCallback (MonoBtlsX509StoreCtx ctx);
-	delegate int MonoBtlsSelectCallback ();
+	delegate int MonoBtlsSelectCallback (string[] acceptableIssuers);
 
 	class MonoBtlsSsl : MonoBtlsObject
 	{

mcs/class/System/Mono.Btls/MonoBtlsSslCtx.cs

@@ -25,6 +25,7 @@
 // THE SOFTWARE.
 #if SECURITY_DEP && MONO_FEATURE_BTLS
 using System;
+using System.Security.Cryptography.X509Certificates;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
@@ -86,8 +87,11 @@ namespace Mono.Btls
 		[DllImport (BTLS_DYLIB)]
 		extern static int mono_btls_ssl_ctx_set_verify_param (IntPtr handle, IntPtr param);
 
+		[DllImport (BTLS_DYLIB)]
+		extern static int mono_btls_ssl_ctx_set_client_ca_list (IntPtr handle, int count, IntPtr sizes, IntPtr data);
+
 		delegate int NativeVerifyFunc (IntPtr instance, int preverify_ok, IntPtr ctx);
-		delegate int NativeSelectFunc (IntPtr instance);
+		delegate int NativeSelectFunc (IntPtr instance, int count, IntPtr sizes, IntPtr data);
 
 		NativeVerifyFunc verifyFunc;
 		NativeSelectFunc selectFunc;
@@ -151,25 +155,42 @@ namespace Mono.Btls
 			return 0;
 		}
 
-		int SelectCallback ()
-		{
-			if (selectCallback != null)
-				return selectCallback ();
-			return 1;
-		}
-
 		[Mono.Util.MonoPInvokeCallback (typeof (NativeSelectFunc))]
-		static int NativeSelectCallback (IntPtr instance)
+		static int NativeSelectCallback (IntPtr instance, int count, IntPtr sizes, IntPtr data)
 		{
 			var c = (MonoBtlsSslCtx)GCHandle.FromIntPtr (instance).Target;
 			try {
-				return c.SelectCallback ();
+				var acceptableIssuers = CopyIssuers (count, sizes, data);
+				if (c.selectCallback != null)
+					return c.selectCallback (acceptableIssuers);
+				return 1;
 			} catch (Exception ex) {
 				c.SetException (ex);
 				return 0;
 			}
 		}
 
+		static string[] CopyIssuers (int count, IntPtr sizesPtr, IntPtr dataPtr)
+		{
+			if (count == 0 || sizesPtr == IntPtr.Zero || dataPtr == IntPtr.Zero)
+				return null;
+			var sizes = new int [count];
+			Marshal.Copy (sizesPtr, sizes, 0, count);
+			var data = new IntPtr [count];
+			Marshal.Copy (dataPtr, data, 0, count);
+
+			var issuers = new string [count];
+
+			for (int i = 0; i < count; i++) {
+				var buffer = new byte [sizes [i]];
+				Marshal.Copy (data[i], buffer, 0, buffer.Length);
+				using (var xname = MonoBtlsX509Name.CreateFromData (buffer, false))
+					issuers[i] = MonoBtlsUtils.FormatName (xname, true, ", ", true);
+			}
+
+			return issuers;
+		}
+
 		public void SetDebugBio (MonoBtlsBio bio)
 		{
 			CheckThrow ();
@@ -237,6 +258,48 @@ namespace Mono.Btls
 			CheckError (ret);
 		}
 
+		public void SetClientCertificateIssuers (string[] acceptableIssuers)
+		{
+			CheckThrow ();
+			if (acceptableIssuers == null || acceptableIssuers.Length == 0)
+				return;
+
+			var count = acceptableIssuers.Length;
+			var buffers = new byte[count][];
+			var sizes = new int[count];
+			var pointers = new IntPtr[count];
+
+			var sizeData = IntPtr.Zero;
+			var pointerData = IntPtr.Zero;
+
+			try {
+				for (int i = 0; i < count; i++) {
+					var data = new X500DistinguishedName (acceptableIssuers[i]).RawData;
+					sizes[i] = data.Length;
+					pointers[i] = Marshal.AllocHGlobal (data.Length);
+					Marshal.Copy (data, 0, pointers[i], data.Length);
+				}
+
+				sizeData = Marshal.AllocHGlobal (count * 4);
+				Marshal.Copy (sizes, 0, sizeData, count);
+
+				pointerData = Marshal.AllocHGlobal (count * 8);
+				Marshal.Copy (pointers, 0, pointerData, count);
+
+				var ret = mono_btls_ssl_ctx_set_client_ca_list (Handle.DangerousGetHandle (), count, sizeData, pointerData);
+				CheckError (ret);
+			} finally {
+				for (int i = 0; i < count; i++) {
+					if (pointers[i] != IntPtr.Zero)
+						Marshal.FreeHGlobal (pointers [i]);
+				}
+				if (sizeData != IntPtr.Zero)
+					Marshal.FreeHGlobal (sizeData);
+				if (pointerData != IntPtr.Zero)
+					Marshal.FreeHGlobal (pointerData);
+			}
+		}
+
 		protected override void Close ()
 		{
 			if (store != null) {

mcs/class/System/Mono.Btls/MonoBtlsStream.cs

@@ -52,15 +52,9 @@ namespace Mono.Btls
 		{
 		}
 
-		protected override MNS.MobileTlsContext CreateContext (
-			bool serverMode, string targetHost, SslProtocols enabledProtocols,
-			X509Certificate serverCertificate, X509CertificateCollection clientCertificates,
-			bool askForClientCert)
+		protected override MNS.MobileTlsContext CreateContext (MNS.MonoSslAuthenticationOptions options)
 		{
-			return new MonoBtlsContext (
-				this, serverMode, targetHost,
-				enabledProtocols, serverCertificate,
-				clientCertificates, askForClientCert);
+			return new MonoBtlsContext (this, options);
 		}
 	}
 }