Merge branch 'main' of https://github.com/dotnet/runtime into tlsClie…

…ntResume
dotnet · wfurt · Mar 25, 2022 · Jan 27, 2022 · Jan 27, 2022 · Feb 1, 2022
commit acd3b46a9f648f79303a2823b5d2ced969e9fe88
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
@@ -390,6 +390,14 @@ internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credentia
                         sslCtxHandle.TrySetSession(sslHandle, punyCode);
                     }
 
+                    // relevant to TLS 1.3 only: if user supplied a client cert or cert callback,
+                    // advertise that we are willing to send the certificate post-handshake.
+                    if (sslAuthenticationOptions.ClientCertificates?.Count > 0 ||
+                        sslAuthenticationOptions.CertSelectionDelegate != null)
+                    {
+                        Ssl.SslSetPostHandshakeAuth(sslHandle, 1);
+                    }
+
                     // Set client cert callback, this will interrupt the handshake with SecurityStatusPalErrorCode.CredentialsNeeded
                     // if server actually requests a certificate.
                     Ssl.SslSetClientCertCallback(sslHandle, 1);
@@ -681,8 +689,8 @@ private static unsafe int AlpnServerSelectCallback(IntPtr ssl, byte** outp, byte
         [UnmanagedCallersOnly]
         // Invoked from OpenSSL when new session is created.
         // We attached GCHandle to the SSL so we can find back SafeSslContextHandle holding the cache.
-        // New session ahs refCount of 1.
-        // If this function return 0, OpenSSL will drop the refCount and discard the session.
+        // New session has refCount of 1.
+        // If this function returns 0, OpenSSL will drop the refCount and discard the session.
         // If we return 1, the ownership is transfered to us and we will need to call SessionFree().
         private static unsafe int NewSessionCallback(IntPtr ssl, IntPtr session)
         {

diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -591,6 +591,7 @@ int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, SslCtxNewSessionCallba
             retValue = 0;
         }
     }
+    // void shim functions don't lead to exceptions, so skip the unconditional error clearing.
 
     // We never reuse same CTX for both client and server
     SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE,  mode ? SSL_SESS_CACHE_BOTH : SSL_SESS_CACHE_OFF, NULL);

diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.h b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.h
@@ -154,6 +154,11 @@ It will unset callback if set is zero.
 */
 PALEXPORT void CryptoNative_SslSetClientCertCallback(SSL* ssl, int set);
 
+/*
+Requests that client sends Post-Handshake Authentication extension in ClientHello.
+*/
+PALEXPORT void CryptoNative_SslSetPostHandshakeAuth(SSL* ssl, int32_t val);
+
 /*
 Sets session caching. 0 is disabled.
 */