Add server-side SNI support (dotnet/corefx#28278)

* add initial implementation for server side SNI support

* remove analyzerdata

* add braces around single line if statements and inline simple functions

* fix deadlock on linux

* add test with special characters

* IDN decoding

* idn unmapping (with fallback)

* apply feedback, fix netfx/uwp

* rename the SNIHelper to SniHelper

* rename test file as well (git does not like renames on windows)

* change file casing in csproj

* test should expect AuthenticationException

* add SniHelper tests

* apply review feedback

* shorten SNI (limit is 63 bytes)

* replace remaining constants

* test behavior on truncated client hello

* add structures descriptions

* apply review feedback

* get rid of the new dependency and add a test for invalid utf-8 bytes


Commit migrated from dotnet/corefx@2d39212

Author: krwq

src/libraries/Common/tests/System/Net/VirtualNetwork/VirtualNetwork.cs

@@ -10,16 +10,29 @@ namespace System.Net.Test.Common
 {
     public class VirtualNetwork
     {
+        public class VirtualNetworkConnectionBroken : Exception
+        {
+            public VirtualNetworkConnectionBroken() : base("Connection broken") { }
+        }
+
         private readonly int WaitForReadDataTimeoutMilliseconds = 30 * 1000;
-        
+
         private readonly ConcurrentQueue<byte[]> _clientWriteQueue = new ConcurrentQueue<byte[]>();
         private readonly ConcurrentQueue<byte[]> _serverWriteQueue = new ConcurrentQueue<byte[]>();
 
         private readonly SemaphoreSlim _clientDataAvailable = new SemaphoreSlim(0);
         private readonly SemaphoreSlim _serverDataAvailable = new SemaphoreSlim(0);
 
+        public bool DisableConnectionBreaking { get; set; } = false;
+        private bool _connectionBroken = false;
+
         public void ReadFrame(bool server, out byte[] buffer)
         {
+            if (_connectionBroken)
+            {
+                throw new VirtualNetworkConnectionBroken();
+            }
+
             SemaphoreSlim semaphore;
             ConcurrentQueue<byte[]> packetQueue;
 
@@ -39,6 +52,11 @@ public void ReadFrame(bool server, out byte[] buffer)
                 throw new TimeoutException("VirtualNetwork: Timeout reading the next frame.");
             }
 
+            if (_connectionBroken)
+            {
+                throw new VirtualNetworkConnectionBroken();
+            }
+
             bool dequeueSucceeded = false;
             int remainingTries = 3;
             int backOffDelayMilliseconds = 2;
@@ -62,6 +80,11 @@ public void ReadFrame(bool server, out byte[] buffer)
 
         public void WriteFrame(bool server, byte[] buffer)
         {
+            if (_connectionBroken)
+            {
+                throw new VirtualNetworkConnectionBroken();
+            }
+
             SemaphoreSlim semaphore;
             ConcurrentQueue<byte[]> packetQueue;
 
@@ -82,5 +105,15 @@ public void WriteFrame(bool server, byte[] buffer)
             packetQueue.Enqueue(innerBuffer);
             semaphore.Release();
         }
+
+        public void BreakConnection()
+        {
+            if (!DisableConnectionBreaking)
+            {
+                _connectionBroken = true;
+                _serverDataAvailable.Release(1_000_000);
+                _clientDataAvailable.Release(1_000_000);
+            }
+        }
     }
 }

src/libraries/Common/tests/System/Net/VirtualNetwork/VirtualNetworkStream.cs

@@ -156,5 +156,15 @@ public override IAsyncResult BeginWrite(byte[] buffer, int offset, int count, As
 
         public override void EndWrite(IAsyncResult asyncResult) =>
             TaskToApm.End(asyncResult);
+
+        protected override void Dispose(bool disposing)
+        {
+            if (disposing)
+            {
+                _network.BreakConnection();
+            }
+
+            base.Dispose(disposing);
+        }
     }
 }

src/libraries/System.Net.Security/ref/System.Net.Security.cs

@@ -32,6 +32,8 @@ public enum EncryptionPolicy
         RequireEncryption = 0,
     }
     public delegate System.Security.Cryptography.X509Certificates.X509Certificate LocalCertificateSelectionCallback(object sender, string targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection localCertificates, System.Security.Cryptography.X509Certificates.X509Certificate remoteCertificate, string[] acceptableIssuers);
+    public delegate System.Security.Cryptography.X509Certificates.X509Certificate ServerCertificateSelectionCallback(object sender, string hostName);
+
     public partial class NegotiateStream : AuthenticatedStream
     {
         public NegotiateStream(System.IO.Stream innerStream) : base(innerStream, false) { }
@@ -108,6 +110,7 @@ public class SslServerAuthenticationOptions
         public X509RevocationMode CertificateRevocationCheckMode { get { throw null;  } set { } }
         public List<SslApplicationProtocol> ApplicationProtocols { get { throw null; } set { } }
         public RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get { throw null;  } set { } }
+        public ServerCertificateSelectionCallback ServerCertificateSelectionCallback { get { throw null; } set { } }
         public EncryptionPolicy EncryptionPolicy { get { throw null;  } set { } }
     }
     public partial class SslClientAuthenticationOptions

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -23,6 +23,7 @@
     <Compile Include="System\Net\FixedSizeReader.cs" />
     <Compile Include="System\Net\HelperAsyncResults.cs" />
     <Compile Include="System\Net\Logging\NetEventSource.cs" />
+    <Compile Include="System\Net\Security\SniHelper.cs" />
     <Compile Include="System\Net\Security\SslApplicationProtocol.cs" />
     <Compile Include="System\Net\Security\SslAuthenticationOptions.cs" />
     <Compile Include="System\Net\Security\SslClientAuthenticationOptions.cs" />

src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs

@@ -624,15 +624,26 @@ private bool AcquireClientCredentials(ref byte[] thumbPrint)
         //
         // Acquire Server Side Certificate information and set it on the class.
         //
-        private bool AcquireServerCredentials(ref byte[] thumbPrint)
+        private bool AcquireServerCredentials(ref byte[] thumbPrint, byte[] clientHello)
         {
             if (NetEventSource.IsEnabled)
                 NetEventSource.Enter(this);
 
             X509Certificate localCertificate = null;
             bool cachedCred = false;
 
-            if (_sslAuthenticationOptions.CertSelectionDelegate != null)
+            if (_sslAuthenticationOptions.ServerCertSelectionDelegate != null)
+            {
+                string serverIdentity = SniHelper.GetServerName(clientHello);
+                localCertificate = _sslAuthenticationOptions.ServerCertSelectionDelegate(serverIdentity);
+
+                if (localCertificate == null)
+                {
+                    throw new AuthenticationException(SR.net_ssl_io_no_server_cert);
+                }
+            }
+            // This probably never gets called as this is a client options delegate
+            else if (_sslAuthenticationOptions.CertSelectionDelegate != null)
             {
                 X509CertificateCollection tempCollection = new X509CertificateCollection();
                 tempCollection.Add(_sslAuthenticationOptions.ServerCertificate);
@@ -744,7 +755,6 @@ private SecurityStatusPal GenerateToken(byte[] input, int offset, int count, ref
 #if TRACE_VERBOSE
             if (NetEventSource.IsEnabled) NetEventSource.Enter(this, $"_refreshCredentialNeeded = {_refreshCredentialNeeded}");
 #endif
-
             if (offset < 0 || offset > (input == null ? 0 : input.Length))
             {
                 NetEventSource.Fail(this, "Argument 'offset' out of range.");
@@ -786,7 +796,7 @@ private SecurityStatusPal GenerateToken(byte[] input, int offset, int count, ref
                     if (_refreshCredentialNeeded)
                     {
                         cachedCreds = _sslAuthenticationOptions.IsServer
-                                        ? AcquireServerCredentials(ref thumbPrint)
+                                        ? AcquireServerCredentials(ref thumbPrint, input)
                                         : AcquireClientCredentials(ref thumbPrint);
                     }