Imported Upstream version 6.4.0.137

Former-commit-id: 943baa9f16a098c33e129777827f3a9d20da00d6

mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs

@@ -187,7 +187,8 @@ namespace Mono.Net.Security
 				await ProcessOperation (cancellationToken).ConfigureAwait (false);
 				return new AsyncProtocolResult (UserResult);
 			} catch (Exception ex) {
-				var info = Parent.SetException (MobileAuthenticatedStream.GetSSPIException (ex));
+				// Any exceptions thrown by the underlying stream will be propagated.
+				var info = Parent.SetException (ex);
 				return new AsyncProtocolResult (info);
 			}
 		}
@@ -218,7 +219,12 @@ namespace Mono.Net.Security
 				case AsyncOperationStatus.Initialize:
 				case AsyncOperationStatus.Continue:
 				case AsyncOperationStatus.ReadDone:
-					newStatus = Run (status);
+					try {
+						newStatus = Run (status);
+					} catch (Exception ex) {
+						// We only want to wrap exceptions that are thrown by the TLS code.
+						throw MobileAuthenticatedStream.GetSSPIException (ex);
+					}
 					break;
 				default:
 					throw new InvalidOperationException ();

mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs

@@ -115,14 +115,16 @@ namespace Mono.Net.Security
 
 		internal static Exception GetSSPIException (Exception e)
 		{
-			if (e is OperationCanceledException || e is IOException || e is ObjectDisposedException || e is AuthenticationException)
+			if (e is OperationCanceledException || e is IOException || e is ObjectDisposedException ||
+			    e is AuthenticationException || e is NotSupportedException)
 				return e;
 			return new AuthenticationException (SR.net_auth_SSPI, e);
 		}
 
 		internal static Exception GetIOException (Exception e, string message)
 		{
-			if (e is OperationCanceledException || e is IOException || e is ObjectDisposedException || e is AuthenticationException)
+			if (e is OperationCanceledException || e is IOException || e is ObjectDisposedException ||
+			    e is AuthenticationException || e is NotSupportedException)
 				return e;
 			return new IOException (message, e);
 		}
@@ -349,7 +351,7 @@ namespace Mono.Net.Security
 		async Task ProcessAuthentication (bool runSynchronously, MonoSslAuthenticationOptions options, CancellationToken cancellationToken)
 		{
 			if (options.ServerMode) {
-				if (options.ServerCertificate == null)
+				if (options.ServerCertificate == null && options.ServerCertSelectionDelegate == null)
 					throw new ArgumentException (nameof (options.ServerCertificate));
 			} else {
 				if (options.TargetHost == null)
@@ -826,10 +828,16 @@ namespace Mono.Net.Security
 				 * to take care of I/O and call it again.
 				*/
 				var newStatus = AsyncOperationStatus.Continue;
-				if (xobileTlsContext.ProcessHandshake ()) {
-					xobileTlsContext.FinishHandshake ();
-					operation = Operation.Authenticated;
-					newStatus = AsyncOperationStatus.Complete;
+				try {
+					if (xobileTlsContext.ProcessHandshake ()) {
+						xobileTlsContext.FinishHandshake ();
+						operation = Operation.Authenticated;
+						newStatus = AsyncOperationStatus.Complete;
+					}
+				} catch (Exception ex) {
+					SetException (GetSSPIException (ex));
+					Dispose ();
+					throw;
 				}
 
 				if (lastException != null)
@@ -920,7 +928,7 @@ namespace Mono.Net.Security
 			try {
 				lock (ioLock) {
 					Debug ("Dispose: {0}", xobileTlsContext != null);
-					lastException = ExceptionDispatchInfo.Capture (new ObjectDisposedException ("MobileAuthenticatedStream"));
+					SetException (new ObjectDisposedException ("MobileAuthenticatedStream"));
 					if (xobileTlsContext != null) {
 						xobileTlsContext.Dispose ();
 						xobileTlsContext = null;

mcs/class/System/Mono.Net.Security/MobileTlsContext.cs

@@ -146,6 +146,7 @@ namespace Mono.Net.Security
 
 		internal X509Certificate LocalServerCertificate {
 			get;
+			private set;
 		}
 
 		internal abstract bool IsRemoteCertificateAvailable {
@@ -186,6 +187,33 @@ namespace Mono.Net.Security
 			return result != null && result.Trusted && !result.UserDenied;
 		}
 
+		protected X509Certificate SelectServerCertificate (string serverIdentity)
+		{
+			// There are three options for selecting the server certificate. When
+			// selecting which to use, we prioritize the new ServerCertSelectionDelegate
+			// API. If the new API isn't used we call LocalCertSelectionCallback (for compat
+			// with .NET Framework), and if neither is set we fall back to using ServerCertificate.
+
+			if (Options.ServerCertSelectionDelegate != null) {
+				LocalServerCertificate = Options.ServerCertSelectionDelegate (serverIdentity);
+
+				if (LocalServerCertificate == null)
+					throw new AuthenticationException (SR.net_ssl_io_no_server_cert);
+			} else if (Settings.ClientCertificateSelectionCallback != null) {
+				var tempCollection = new X509CertificateCollection ();
+				tempCollection.Add (Options.ServerCertificate);
+				// We pass string.Empty here to maintain strict compatability with .NET Framework.
+				LocalServerCertificate = Settings.ClientCertificateSelectionCallback (string.Empty, tempCollection, null, Array.Empty<string>());
+			} else {
+				LocalServerCertificate = Options.ServerCertificate;
+			}
+
+			if (LocalServerCertificate == null)
+				throw new NotSupportedException (SR.net_ssl_io_no_server_cert);
+
+			return LocalServerCertificate;
+		}
+
 		protected X509Certificate SelectClientCertificate (string[] acceptableIssuers)
 		{
 			if (Settings.DisallowUnauthenticatedCertificateRequest && !IsAuthenticated)

mcs/class/System/Mono.Net.Security/MonoSslAuthenticationOptions.cs

@@ -83,5 +83,9 @@ namespace Mono.Net.Security
 		public abstract bool ClientCertificateRequired {
 			get; set;
 		}
+
+		internal ServerCertSelectionCallback ServerCertSelectionDelegate {
+			get; set;
+		}
 	}
 }