Block zero-byte calls to encrypt for Unix SslStream

SSL_write is described as having an undefined behavior for this input.
The observed behavior is that it returns 0 (which is ambiguous for "wrote 0/0
bytes" or "writing failed"), and that we then try to read the framed message and
the message buffer is empty.

Trying to detect this case once inside the PAL seemed to violate assumptions of the common code, so instead a PAL-capability check is done in
SslStreamInternal.StartWriting.  Windows will continue to write the framed
empty message, non-Windows will do nothing.

Author: bartonjs

src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs

@@ -185,7 +185,7 @@ internal static int Encrypt(SafeSslHandle context, byte[] input, int offset, int
         {
             Debug.Assert(input != null);
             Debug.Assert(offset >= 0);
-            Debug.Assert(count >= 0);
+            Debug.Assert(count > 0);
             Debug.Assert(offset <= input.Length);
             Debug.Assert(input.Length - offset >= count);
 

src/System.Net.Security/src/System/Net/SecureProtocols/SslStreamInternal.cs

@@ -394,6 +394,13 @@ private void StartWriting(byte[] buffer, int offset, int count, AsyncProtocolReq
 
                 do
                 {
+                    if (count == 0 && !SslStreamPal.CanEncryptEmptyMessage)
+                    {
+                        // If it's an empty message and the PAL doesn't support that,
+                        // we're done.
+                        return;
+                    }
+
                     // Request a write IO slot.
                     if (_sslState.CheckEnqueueWrite(asyncRequest))
                     {

src/System.Net.Security/src/System/Net/SslStreamPal.Unix.cs

@@ -22,6 +22,7 @@ public static Exception GetException(SecurityStatusPal status)
         }
 
         internal const bool StartMutualAuthAsAnonymous = false;
+        internal const bool CanEncryptEmptyMessage = false;
 
         public static void VerifyPackageInfo()
         {

src/System.Net.Security/src/System/Net/SslStreamPal.Windows.cs

@@ -33,6 +33,7 @@ public static Exception GetException(SecurityStatusPal status)
         }
 
         internal const bool StartMutualAuthAsAnonymous = true;
+        internal const bool CanEncryptEmptyMessage = true;
 
         public static void VerifyPackageInfo()
         {

src/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs

@@ -93,6 +93,38 @@ public void SslStream_StreamToStream_Successive_ClientWrite_Sync_Success()
             }
         }
 
+        [OuterLoop] // TODO: Issue #11345
+        [Fact]
+        public void SslStream_StreamToStream_Successive_ClientWrite_Sync_WithZeroBytes_Success()
+        {
+            byte[] recvBuf = new byte[_sampleMsg.Length];
+            VirtualNetwork network = new VirtualNetwork();
+
+            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
+            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
+            using (var clientSslStream = new SslStream(clientStream, false, AllowAnyServerCertificate))
+            using (var serverSslStream = new SslStream(serverStream))
+            {
+                bool result = DoHandshake(clientSslStream, serverSslStream);
+
+                Assert.True(result, "Handshake completed.");
+
+                clientSslStream.Write(Array.Empty<byte>());
+                clientSslStream.Write(_sampleMsg);
+
+                serverSslStream.Read(recvBuf, 0, _sampleMsg.Length);
+
+                Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify first read data is as expected.");
+
+                clientSslStream.Write(_sampleMsg);
+                clientSslStream.Write(Array.Empty<byte>());
+
+                serverSslStream.Read(recvBuf, 0, _sampleMsg.Length);
+
+                Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify second read data is as expected.");
+            }
+        }
+
         [OuterLoop] // TODO: Issue #11345
         [Theory]
         [InlineData(false)]