github.com/mono/mono.git
author    Martin Baulig <mabaul@microsoft.com>    2019-10-24 20:42:54 +0300
committer Alexander Köplinger <alex.koeplinger@outlook.com>    2019-10-24 20:42:54 +0300
commit    1553889bc54f87060158febca7e6b8b9910975f8 (patch)
tree      b6565f378f3432404961bcb66e594cb73824feb3 /mcs/class/Mono.Security
parent    638e2c6a8614d25aad591112d3414e28641b97e0 (diff)
Cleaning up SslStream, MobileAuthenticatedStream and TaskToApm. (#17393)
### Overview

After the removal of the Legacy TLS Provider, we can make some cleanups and improvements to the `SslStream` class. Since both the remaining providers use the internal `MobileAuthenticatedStream` and support Task-async code, we can get rid of some of the Begin/End async logic and let the underlying `Stream` class handle it instead.

This also fixes a nasty issue with some of those task objects leaking unobserved exceptions. The problem was that `SslStream.Dispose()` needs to clear out all resources, but in doing so also nulls out the `Impl` handle to the `MobileAuthenticatedStream` - so a subsequent `End*()` call will not reach its corresponding `TaskToApm.End()` method.

There are also some cleanups in the internal APIs that were only ever used internally and not intended for public consumption.

### Mono.Security.dll

* `Mono.Security.Interface`: removed internal `ICertificateValidator2` interface.
* `Mono.Security.Interface.IMonoSslStream`: this internal interface is only used by the web-tests, which only use it as a way to get the `SslStream` instance, so all those `Begin/End` async methods are now gone.
* `Mono.Security.Interface.IMonoSslStream2`: removed another internal interface.
* `Mono.Security.Interface.MonoTlsProvider`: removed some `internal abstract` methods; these have been moved into a new `Mono.Net.Security.MobileTlsProvider` inside `System.dll`.

### System.dll

* `Mono.Net.Security.MobileTlsProvider`: New abstract internal base class, which received the aforementioned abstract internal methods. The naming is such to make it consistent with the already existing `MobileTlsContext` and `MobileAuthenticatedStream`. Since both `AppleTlsProvider` and `BtlsProvider` now have an abstract internal base class inside `System.dll`, they can use the `ChainValidationHelper` class directly and we can also avoid some `Mono.Security` dances like for instance that `MonoSslPolicyErrors` enum. This will also help make the code easier to read and maintain.
* `Mono.AppleTls.AppleTlsProvider` and `Mono.Btls.MonoBtlsProvider`: change base class into `MobileTlsProvider` and reflect above mentioned overload changes.
* `Mono.AppleTls.AppleCertificateHelper`: use `ChainValidationHelper` as well.
* `Mono.Net.Security.ChainValidationHelper`: only implement `ICertificateValidator`. The `ICertificateValidator` interface is still required because it is in use by the web-tests, but the previous `ICertificateValidator2` was an internal dance.
* `Mono.Net.Security.MobileAuthenticatedStream`: largely cleaned up this class.
  - we now implement the current slimmer version of `IMonoSslStream`.
  - moved all those overloads into `SslStream` that only fill in default values for some of their arguments and then call another overloaded version of their own.
  - removed lots of `Begin/End` methods that are not used anymore.
* `Mono.Net.Security.MonoTlsProviderFactory`: use `MobileTlsStream` everywhere.
* `Mono.Net.Security.MonoTlsStream`: cleanup `SslStream` creation logic; instead of going through `provider.CreateSslStream()`, we can now use an internal constructor directly, thus avoiding the `IMonoSslStream` interface while also making the code a lot easier to read and understand.
* `System.Net.Mail.SmtpClient`: same here.
* `System.Net.HttpWebRequest`: use `MobileTlsProvider`.
* `System.Net.Security.SslStream`: largely cleaned up this class.
  - we now use `MobileAuthenticatedStream` directly instead of the `IMonoSslStream` interface and therefore could also get rid of `IMonoSslStream2`.
  - cleanup constructor logic to allow the internal constructor being used with a `MobileTlsProvider` instead of going through `provider.CreateSslStream()`.
  - all those overloads that are only filling in default values for some of their arguments before calling another overloaded version of their own now live here instead of in the `MobileAuthenticatedStream` class. The reason is simply that `MobileAuthenticatedStream` is already quite a complex and difficult class, and removing some of that complexity out of it will make it easier to understand.
  - handle the `TaskToApm.Begin()` / `TaskToApm.End()` here to ensure that we are not leaking any task objects with unobserved exceptions.
  - removed `BeginRead()` and `BeginWrite()` overloads to let the underlying `Stream` class handle these.

* Bump API snapshot submodule
* [csproj] Update project files
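The unobserved-exception leak described in the commit message (Dispose() nulls the `Impl` handle, so a later `End*()` call never reaches `TaskToApm.End()`) is easy to reproduce in isolation. The following is an added example, not code from Mono or from this commit: `TaskToApmDemo` is a deliberately minimal stand-in for the Task-to-APM adapter pattern, `InnerImpl` plays the role of the inner implementation object, and `LeakyWrapper` / `FixedWrapper` are hypothetical names for the before and after shapes. The faulting read is constructed so the failure path is exercised.

```csharp
using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Threading.Tasks;

// Minimal stand-in for a Task-to-APM adapter (hypothetical; not Mono's or corefx's TaskToApm).
static class TaskToApmDemo
{
    sealed class TaskAsyncResult : IAsyncResult
    {
        public readonly Task Task;
        public TaskAsyncResult(Task task, object state) { Task = task; AsyncState = state; }
        public object AsyncState { get; }
        public WaitHandle AsyncWaitHandle => ((IAsyncResult)Task).AsyncWaitHandle;
        public bool CompletedSynchronously => false;
        public bool IsCompleted => Task.IsCompleted;
    }

    public static IAsyncResult Begin(Task task, AsyncCallback callback, object state)
    {
        var ar = new TaskAsyncResult(task, state);
        if (callback != null)
            task.ContinueWith(_ => callback(ar), TaskScheduler.Default);
        return ar;
    }

    // End() is what "observes" the task: a faulted task rethrows here instead of
    // surfacing later as TaskScheduler.UnobservedTaskException at finalization.
    public static TResult End<TResult>(IAsyncResult asyncResult)
        => ((Task<TResult>)((TaskAsyncResult)asyncResult).Task).GetAwaiter().GetResult();
}

// Stand-in for the inner implementation object (the role MobileAuthenticatedStream plays).
// The read always faults (constructed failure) so the unobserved-exception path is exercised.
sealed class InnerImpl
{
    public Task<int> ReadAsync(byte[] buffer, int offset, int count, CancellationToken ct)
        => Task.FromException<int>(new IOException("constructed: read failed"));
}

// "Before" shape: EndRead is routed through an Impl handle that Dispose() nulls out, so
// Dispose-then-EndRead never reaches TaskToApmDemo.End() and the fault is never observed.
sealed class LeakyWrapper : IDisposable
{
    InnerImpl impl = new InnerImpl();

    public IAsyncResult BeginRead(byte[] b, int o, int c, AsyncCallback cb, object st)
        => TaskToApmDemo.Begin(impl.ReadAsync(b, o, c, CancellationToken.None), cb, st);

    public int EndRead(IAsyncResult ar)
    {
        if (impl == null) throw new ObjectDisposedException(nameof(LeakyWrapper));
        return TaskToApmDemo.End<int>(ar);
    }

    public void Dispose() => impl = null;
}

// "After" shape: Begin/End live on the wrapper itself. EndRead always calls End(),
// regardless of Dispose(), so every task handed out by BeginRead is observed exactly once.
sealed class FixedWrapper : IDisposable
{
    InnerImpl impl = new InnerImpl();

    Task<int> ReadAsync(byte[] b, int o, int c)
    {
        var i = impl;
        return i == null
            ? Task.FromException<int>(new ObjectDisposedException(nameof(FixedWrapper)))
            : i.ReadAsync(b, o, c, CancellationToken.None);
    }

    public IAsyncResult BeginRead(byte[] b, int o, int c, AsyncCallback cb, object st)
        => TaskToApmDemo.Begin(ReadAsync(b, o, c), cb, st);

    public int EndRead(IAsyncResult ar) => TaskToApmDemo.End<int>(ar);

    public void Dispose() => impl = null;
}

static class Program
{
    static int unobserved;

    // Kept out of line so the IAsyncResult (and its task) are unreachable once it returns.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void DisposeBeforeEnd<T>(T stream, Func<T, byte[], IAsyncResult> begin, Func<T, IAsyncResult, int> end)
        where T : IDisposable
    {
        var ar = begin(stream, new byte[16]);
        stream.Dispose();                       // resources torn down before the caller calls End*()
        try { end(stream, ar); }
        catch (Exception e) { Console.WriteLine($"  EndRead threw {e.GetType().Name}"); }
    }

    static void Main()
    {
        TaskScheduler.UnobservedTaskException += (_, e) => { Interlocked.Increment(ref unobserved); e.SetObserved(); };

        Console.WriteLine("LeakyWrapper:");
        DisposeBeforeEnd(new LeakyWrapper(), (s, b) => s.BeginRead(b, 0, b.Length, null, null), (s, ar) => s.EndRead(ar));
        Console.WriteLine("FixedWrapper:");
        DisposeBeforeEnd(new FixedWrapper(), (s, b) => s.BeginRead(b, 0, b.Length, null, null), (s, ar) => s.EndRead(ar));

        // Finalizers are what raise UnobservedTaskException; force them (best effort, Release build).
        GC.Collect(); GC.WaitForPendingFinalizers(); GC.Collect();
        Console.WriteLine($"unobserved task exceptions raised: {unobserved}");
    }
}
```

Run it as a Release build so the JIT does not keep the dropped `IAsyncResult` alive. In the leaky path `EndRead` throws `ObjectDisposedException` before the adapter's `End()` runs, and the faulted read task is only reported later through `UnobservedTaskException`; in the fixed path `EndRead` rethrows the `IOException` itself and nothing is left for the finalizer to report. That is the ordering the commit restores by owning `TaskToApm.Begin()` / `TaskToApm.End()` in `SslStream` rather than behind the `Impl` handle.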
Diffstat (limited to 'mcs/class/Mono.Security')

-rw-r--r--  mcs/class/Mono.Security/Mono.Security.Interface/CertificateValidationHelper.cs   8
-rw-r--r--  mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs              57
-rw-r--r--  mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProvider.cs             32

3 files changed, 1 insertions, 96 deletions
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/CertificateValidationHelper.cs b/mcs/class/Mono.Security/Mono.Security.Interface/CertificateValidationHelper.cs
index 9b55f6cc91a..a40f5e64339 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/CertificateValidationHelper.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/CertificateValidationHelper.cs
@@ -96,14 +96,6 @@ namespace Mono.Security.Interface
ValidationResult ValidateCertificate (string targetHost, bool serverMode, X509CertificateCollection certificates);
}
- internal interface ICertificateValidator2 : ICertificateValidator
- {
- /*
- * Internal use only.
- */
- ValidationResult ValidateCertificate (string targetHost, bool serverMode, X509Certificate leaf, X509Chain chain);
- }
-
public static class CertificateValidationHelper
{
const string SecurityLibrary = "/System/Library/Frameworks/Security.framework/Security";
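Review bot: The removed `ICertificateValidator2.ValidateCertificate (string targetHost, bool serverMode, X509Certificate leaf, X509Chain chain)` overload was the only validator entry point on this page that took a pre-built leaf/chain pair, and nothing in this hunk shows where that path now lives; because the diffstat is limited to `mcs/class/Mono.Security`, the `System.dll` side cannot be checked from here. Suggest the `Mono.Net.Security.ChainValidationHelper` bullet in the description name the method that replaces it, so a reader of this file can confirm the leaf/chain validation path moved rather than disappeared.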
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
index fd8b7da41bb..84989904faa 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
@@ -42,59 +42,11 @@ namespace Mono.Security.Interface
get;
}
- void AuthenticateAsClient (string targetHost);
-
- void AuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, bool checkCertificateRevocation);
-
- void AuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation);
-
- IAsyncResult BeginAuthenticateAsClient (string targetHost, AsyncCallback asyncCallback, object asyncState);
-
- IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState);
-
- IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState);
-
- void EndAuthenticateAsClient (IAsyncResult asyncResult);
-
- void AuthenticateAsServer (X509Certificate serverCertificate);
-
- void AuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, bool checkCertificateRevocation);
-
- void AuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation);
-
- IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, AsyncCallback asyncCallback, object asyncState);
-
- IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState);
-
- IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState);
-
- void EndAuthenticateAsServer (IAsyncResult asyncResult);
-
- Task AuthenticateAsClientAsync (string targetHost);
-
- Task AuthenticateAsClientAsync (string targetHost, X509CertificateCollection clientCertificates, bool checkCertificateRevocation);
-
Task AuthenticateAsClientAsync (string targetHost, X509CertificateCollection clientCertificates, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation);
- Task AuthenticateAsServerAsync (X509Certificate serverCertificate);
-
- Task AuthenticateAsServerAsync (X509Certificate serverCertificate, bool clientCertificateRequired, bool checkCertificateRevocation);
-
Task AuthenticateAsServerAsync (X509Certificate serverCertificate, bool clientCertificateRequired, SSA.SslProtocols enabledSslProtocols, bool checkCertificateRevocation);
- int Read (byte[] buffer, int offset, int count);
-
- void Write (byte[] buffer);
-
- void Write (byte[] buffer, int offset, int count);
-
- IAsyncResult BeginRead (byte[] buffer, int offset, int count, AsyncCallback asyncCallback, object asyncState);
-
- int EndRead (IAsyncResult asyncResult);
-
- IAsyncResult BeginWrite (byte[] buffer, int offset, int count, AsyncCallback asyncCallback, object asyncState);
-
- void EndWrite (IAsyncResult asyncResult);
+ Task<int> ReadAsync (byte[] buffer, int offset, int count, CancellationToken cancellationToken);
Task WriteAsync (byte[] buffer, int offset, int count, CancellationToken cancellationToken);
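Review bot: `Task<int> ReadAsync (byte[] buffer, int offset, int count, CancellationToken cancellationToken)` is added right where the synchronous `Read`, `Write`, `BeginRead`/`EndRead` and `BeginWrite`/`EndWrite` members were, while `Task WriteAsync (...)` already existed as context, so after this hunk the interface is async-only. A one-line comment on the interface saying so would spare the web-tests maintainers a search for the missing `Read (byte[] buffer, int offset, int count)`. Also worth confirming no remaining implementer relied on the removed `Write (byte[] buffer)` convenience overload, which has no async counterpart among the surviving lines.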
@@ -215,12 +167,5 @@ namespace Mono.Security.Interface
Task RenegotiateAsync (CancellationToken cancellationToken);
}
-
- interface IMonoSslStream2 : IMonoSslStream
- {
- Task AuthenticateAsClientAsync (IMonoSslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken);
-
- Task AuthenticateAsServerAsync (IMonoSslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken);
- }
}
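Review bot: Dropping `IMonoSslStream2` also drops the only declarations in this file that accept `IMonoSslClientAuthenticationOptions` / `IMonoSslServerAuthenticationOptions`; if those option types remain in `Mono.Security.Interface` they now have no consumer in this interface, so either remove them in the same change or state where they are still used. The hunk correctly removes the blank line preceding the nested interface, so the namespace's closing `}` now follows the `}` of `IMonoSslStream` directly.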
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProvider.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProvider.cs
index 2f040e0f613..f61ccbacbbd 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProvider.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProvider.cs
@@ -121,10 +121,6 @@ namespace Mono.Security.Interface
Stream innerStream, bool leaveInnerStreamOpen,
MonoTlsSettings settings = null);
- internal abstract IMonoSslStream CreateSslStreamInternal (
- SslStream sslStream, Stream innerStream, bool leaveInnerStreamOpen,
- MonoTlsSettings settings);
-
#endregion
#region Native Certificate Implementation
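Review bot: With `CreateSslStreamInternal` removed, the public `CreateSslStream (Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings = null)` visible in the context lines is the only stream factory left on `MonoTlsProvider`, yet the description says `MonoTlsStream` and `SmtpClient` now bypass it for an internal constructor. A doc comment on `CreateSslStream` noting that it remains for external callers only, and is no longer the path the class library itself takes, would keep someone from re-routing internal code through it later.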
@@ -133,34 +129,6 @@ namespace Mono.Security.Interface
get { return false; }
}
- internal virtual X509Certificate2Impl GetNativeCertificate (
- byte[] data, string password, X509KeyStorageFlags flags)
- {
- throw new InvalidOperationException ();
- }
-
- internal virtual X509Certificate2Impl GetNativeCertificate (
- X509Certificate certificate)
- {
- throw new InvalidOperationException ();
- }
-
-#endregion
-
-#region Certificate Validation
- /*
- * If @serverMode is true, then we're a server and want to validate a certificate
- * that we received from a client.
- *
- * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
- *
- * Returns `true` if certificate validation has been performed and `false` to invoke the
- * default system validator.
- */
- internal abstract bool ValidateCertificate (
- ICertificateValidator2 validator, string targetHost, bool serverMode,
- X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
- ref MonoSslPolicyErrors errors, ref int status11);
#endregion
#region Misc
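Review bot: The removed comment block above `ValidateCertificate` (`Returns \`true\` if certificate validation has been performed and \`false\` to invoke the default system validator`, plus the note that on OS X and Mobile the `@chain` is initialized but not built) documents the security-relevant fallback contract, and this hunk does not show it travelling with the method to `Mono.Net.Security.MobileTlsProvider`; please carry that comment over so the when-to-fall-back-to-the-system-validator semantics stay documented next to the abstract method. Region balance is fine: removing the `#endregion` / `#region Certificate Validation` pair leaves the surviving `#endregion` closing `Native Certificate Implementation`.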