avoid ProtocolToken allocations in TLS handshake (#86163)

wfurt · web-flow · commit 16fc92fef48a · 2023-05-17T22:42:35.000-07:00
* avoild ProtocolToken allocations in TLS handshake

* cleanup

* UnitTests

* feedback from review
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Android.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Android.cs
@@ -14,7 +14,7 @@ public partial class SslStream
     {
         private JavaProxy.RemoteCertificateValidationResult VerifyRemoteCertificate()
         {
-            ProtocolToken? alertToken = null;
+            ProtocolToken alertToken = default;
             var isValid = VerifyRemoteCertificate(
                 _sslAuthenticationOptions.CertValidationDelegate,
                 _sslAuthenticationOptions.CertificateContext?.Trust,
@@ -31,13 +31,13 @@ private JavaProxy.RemoteCertificateValidationResult VerifyRemoteCertificate()
             };
         }
 
-        private bool TryGetRemoteCertificateValidationResult(out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus, out ProtocolToken? alertToken, out bool isValid)
+        private bool TryGetRemoteCertificateValidationResult(out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus, ref ProtocolToken alertToken, out bool isValid)
         {
             JavaProxy.RemoteCertificateValidationResult? validationResult = _securityContext?.SslStreamProxy.ValidationResult;
             sslPolicyErrors = validationResult?.SslPolicyErrors ?? default;
             chainStatus = validationResult?.ChainStatus ?? default;
             isValid = validationResult?.IsValid ?? default;
-            alertToken = validationResult?.AlertToken;
+            alertToken = validationResult?.AlertToken ?? default;
             return validationResult is not null;
         }
 
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs
@@ -216,7 +216,9 @@ private async Task RenegotiateAsync<TIOAdapter>(CancellationToken cancellationTo
                 ProtocolToken message;
                 do
                 {
-                    message = await ReceiveBlobAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);
+                    int frameSize = await ReceiveTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);
+                    ProcessTlsFrame(frameSize, out message);
+
                     if (message.Size > 0)
                     {
                         await TIOAdapter.WriteAsync(InnerStream, new ReadOnlyMemory<byte>(message.Payload!, 0, message.Size), cancellationToken).ConfigureAwait(false);
@@ -245,7 +247,7 @@ private async Task RenegotiateAsync<TIOAdapter>(CancellationToken cancellationTo
         private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[]? reAuthenticationData, CancellationToken cancellationToken)
             where TIOAdapter : IReadWriteAdapter
         {
-            ProtocolToken message;
+            ProtocolToken message = default;
             bool handshakeCompleted = false;
 
             if (reAuthenticationData == null)
@@ -256,12 +258,12 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[
                     throw new InvalidOperationException(SR.Format(SR.net_io_invalidnestedcall, "authenticate"));
                 }
             }
-
             try
             {
                 if (!receiveFirst)
                 {
-                    message = NextMessage(reAuthenticationData);
+                    NextMessage(reAuthenticationData, out message);
+
                     if (message.Size > 0)
                     {
                         await TIOAdapter.WriteAsync(InnerStream, new ReadOnlyMemory<byte>(message.Payload!, 0, message.Size), cancellationToken).ConfigureAwait(false);
@@ -289,7 +291,8 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[
 
                 while (!handshakeCompleted)
                 {
-                    message = await ReceiveBlobAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);
+                    int frameSize = await ReceiveTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);
+                    ProcessTlsFrame(frameSize, out message);
 
                     ReadOnlyMemory<byte> payload = default;
                     if (message.Size > 0)
@@ -355,7 +358,8 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[
 
         }
 
-        private async ValueTask<ProtocolToken> ReceiveBlobAsync<TIOAdapter>(CancellationToken cancellationToken)
+        // This method will make sure we have at least one full TLS frame buffered.
+        private async ValueTask<int> ReceiveTlsFrameAsync<TIOAdapter>(CancellationToken cancellationToken)
             where TIOAdapter : IReadWriteAdapter
         {
             int frameSize = await EnsureFullTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);
@@ -430,11 +434,11 @@ private async ValueTask<ProtocolToken> ReceiveBlobAsync<TIOAdapter>(Cancellation
 
             }
 
-            return ProcessBlob(frameSize);
+            return frameSize;
         }
 
         // Calls crypto on received data. No IO inside.
-        private ProtocolToken ProcessBlob(int frameSize)
+        private void ProcessTlsFrame(int frameSize, out ProtocolToken message)
         {
             int chunkSize = frameSize;
 
@@ -467,26 +471,26 @@ private ProtocolToken ProcessBlob(int frameSize)
                 _buffer.DiscardEncrypted(frameSize);
             }
 
-            return NextMessage(availableData.Slice(0, chunkSize));
+            NextMessage(availableData.Slice(0, chunkSize), out message);
         }
 
         //
         //  This is to reset auth state on remote side.
         //  If this write succeeds we will allow auth retrying.
         //
-        private void SendAuthResetSignal(ProtocolToken? message, ExceptionDispatchInfo exception)
+        private void SendAuthResetSignal(ReadOnlySpan<byte> alert, ExceptionDispatchInfo exception)
         {
             SetException(exception.SourceException);
 
-            if (message == null || message.Size == 0)
+            if (alert.Length == 0)
             {
                 //
                 // We don't have an alert to send so cannot retry and fail prematurely.
                 //
                 exception.Throw();
             }
 
-            InnerStream.Write(message.Payload!, 0, message.Size);
+            InnerStream.Write(alert);
 
             exception.Throw();
         }
@@ -499,7 +503,7 @@ private void SendAuthResetSignal(ProtocolToken? message, ExceptionDispatchInfo e
         //
         // - Returns false if failed to verify the Remote Cert
         //
-        private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
+        private bool CompleteHandshake(ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
         {
             ProcessHandshakeSuccess();
 
@@ -527,7 +531,7 @@ private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyError
             // The Java TrustManager callback is called only when the peer has a certificate. It's possible that
             // the peer didn't provide any certificate (for example when the peer is the client) and the validation
             // result hasn't been set. In that case we still need to run the verification at this point.
-            if (TryGetRemoteCertificateValidationResult(out sslPolicyErrors, out chainStatus, out alertToken, out bool isValid))
+            if (TryGetRemoteCertificateValidationResult(out sslPolicyErrors, out chainStatus, ref alertToken, out bool isValid))
             {
                 _handshakeCompleted = isValid;
                 return isValid;
@@ -546,23 +550,23 @@ private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyError
 
         private void CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
         {
-            ProtocolToken? alertToken = null;
+            ProtocolToken alertToken = default;
             if (!CompleteHandshake(ref alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus))
             {
                 if (sslAuthenticationOptions!.CertValidationDelegate != null)
                 {
                     // there may be some chain errors but the decision was made by custom callback. Details should be tracing if enabled.
-                    SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.net_ssl_io_cert_custom_validation, null)));
+                    SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.net_ssl_io_cert_custom_validation, null)));
                 }
                 else if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors && chainStatus != X509ChainStatusFlags.NoError)
                 {
                     // We failed only because of chain and we have some insight.
-                    SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_chain_validation, chainStatus), null)));
+                    SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_chain_validation, chainStatus), null)));
                 }
                 else
                 {
                     // Simple add sslPolicyErrors as crude info.
-                    SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_validation, sslPolicyErrors), null)));
+                    SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_validation, sslPolicyErrors), null)));
                 }
             }
         }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
@@ -751,20 +751,20 @@ static DateTime GetExpiryTimestamp(SslStreamCertificateContext certificateContex
         }
 
         //
-        internal ProtocolToken NextMessage(ReadOnlySpan<byte> incomingBuffer)
+        internal void NextMessage(ReadOnlySpan<byte> incomingBuffer, out ProtocolToken token)
         {
             byte[]? nextmsg = null;
-            SecurityStatusPal status = GenerateToken(incomingBuffer, ref nextmsg);
-            ProtocolToken token = new ProtocolToken(nextmsg, status);
+            token.Status = GenerateToken(incomingBuffer, ref nextmsg);
+            token.Size = nextmsg?.Length ?? 0;
+            token.Payload = nextmsg;
 
             if (NetEventSource.Log.IsEnabled())
             {
                 if (token.Failed)
                 {
-                    NetEventSource.Error(this, $"Authentication failed. Status: {status}, Exception message: {token.GetException()!.Message}");
+                    NetEventSource.Error(this, $"Authentication failed. Status: {token.Status}, Exception message: {token.GetException()!.Message}");
                 }
             }
-            return token;
         }
 
         /*++
@@ -992,7 +992,7 @@ internal SecurityStatusPal Decrypt(Span<byte> buffer, out int outputOffset, out
         --*/
 
         //This method validates a remote certificate.
-        internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remoteCertValidationCallback, SslCertificateTrust? trust, ref ProtocolToken? alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
+        internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remoteCertValidationCallback, SslCertificateTrust? trust, ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
         {
             sslPolicyErrors = SslPolicyErrors.None;
             chainStatus = X509ChainStatusFlags.NoError;
@@ -1085,7 +1085,7 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
 
                 if (!success)
                 {
-                    alertToken = CreateFatalHandshakeAlertToken(sslPolicyErrors, chain!);
+                    CreateFatalHandshakeAlertToken(sslPolicyErrors, chain!, ref alertToken);
                     if (chain != null)
                     {
                         foreach (X509ChainStatus status in chain.ChainStatus)
@@ -1115,7 +1115,7 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
             return success;
         }
 
-        private ProtocolToken? CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain)
+        private void CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain, ref ProtocolToken alertToken)
         {
             TlsAlertMessage alertMessage;
 
@@ -1148,15 +1148,14 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
                 {
                     ExceptionDispatchInfo.Throw(status.Exception);
                 }
-
-                return null;
             }
 
-            return GenerateAlertToken();
+            GenerateAlertToken(ref alertToken);
         }
 
-        private ProtocolToken? CreateShutdownToken()
+        private byte[]? CreateShutdownToken()
         {
+            byte[]? nextmsg = null;
             SecurityStatusPal status;
             status = SslStreamPal.ApplyShutdownToken(_securityContext!);
 
@@ -1173,17 +1172,21 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
                 return null;
             }
 
-            return GenerateAlertToken();
+            GenerateToken(default, ref nextmsg);
+
+            return nextmsg;
         }
 
-        private ProtocolToken GenerateAlertToken()
+        private void GenerateAlertToken(ref ProtocolToken alertToken)
         {
             byte[]? nextmsg = null;
 
             SecurityStatusPal status;
             status = GenerateToken(default, ref nextmsg);
 
-            return new ProtocolToken(nextmsg, status);
+            alertToken.Payload = nextmsg;
+            alertToken.Size = nextmsg?.Length ?? 0;
+            alertToken.Status = status;
         }
 
         private static TlsAlertMessage GetAlertMessageFromChain(X509Chain chain)
@@ -1286,7 +1289,7 @@ private void LogCertificateValidation(RemoteCertificateValidationCallback? remot
     }
 
     // ProtocolToken - used to process and handle the return codes from the SSPI wrapper
-    internal sealed class ProtocolToken
+    internal struct ProtocolToken
     {
         internal SecurityStatusPal Status;
         internal byte[]? Payload;
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.cs
@@ -441,9 +441,14 @@ public virtual Task ShutdownAsync()
         {
             ThrowIfExceptionalOrNotAuthenticatedOrShutdown();
 
-            ProtocolToken message = CreateShutdownToken()!;
+            byte[]? message = CreateShutdownToken();
             _shutdown = true;
-            return InnerStream.WriteAsync(message.Payload, default).AsTask();
+            if (message != null)
+            {
+                return InnerStream.WriteAsync(message, default).AsTask();
+            }
+
+            return Task.CompletedTask;
         }
         #endregion
 
diff --git a/src/libraries/System.Net.Security/tests/UnitTests/Fakes/FakeSslStream.Implementation.cs b/src/libraries/System.Net.Security/tests/UnitTests/Fakes/FakeSslStream.Implementation.cs
@@ -92,7 +92,7 @@ private void ReturnReadBufferIfEmpty()
         {
         }
 
-        private ProtocolToken? CreateShutdownToken()
+        private byte[]? CreateShutdownToken()
         {
             return null;
         }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public partial class SslStream`
`14`	`14`	`{`
`15`	`15`	`private JavaProxy.RemoteCertificateValidationResult VerifyRemoteCertificate()`
`16`	`16`	`{`
`17`		`- ProtocolToken? alertToken = null;`
	`17`	`+ ProtocolToken alertToken = default;`
`18`	`18`	`var isValid = VerifyRemoteCertificate(`
`19`	`19`	`_sslAuthenticationOptions.CertValidationDelegate,`
`20`	`20`	`_sslAuthenticationOptions.CertificateContext?.Trust,`
`@@ -31,13 +31,13 @@ private JavaProxy.RemoteCertificateValidationResult VerifyRemoteCertificate()`
`31`	`31`	`};`
`32`	`32`	`}`
`33`	`33`
`34`		`- private bool TryGetRemoteCertificateValidationResult(out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus, out ProtocolToken? alertToken, out bool isValid)`
	`34`	`+ private bool TryGetRemoteCertificateValidationResult(out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus, ref ProtocolToken alertToken, out bool isValid)`
`35`	`35`	`{`
`36`	`36`	`JavaProxy.RemoteCertificateValidationResult? validationResult = _securityContext?.SslStreamProxy.ValidationResult;`
`37`	`37`	`sslPolicyErrors = validationResult?.SslPolicyErrors ?? default;`
`38`	`38`	`chainStatus = validationResult?.ChainStatus ?? default;`
`39`	`39`	`isValid = validationResult?.IsValid ?? default;`
`40`		`- alertToken = validationResult?.AlertToken;`
	`40`	`+ alertToken = validationResult?.AlertToken ?? default;`
`41`	`41`	`return validationResult is not null;`
`42`	`42`	`}`
`43`	`43`
Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,9 @@ private async Task RenegotiateAsync<TIOAdapter>(CancellationToken cancellationTo`
`216`	`216`	`ProtocolToken message;`
`217`	`217`	`do`
`218`	`218`	`{`
`219`		`- message = await ReceiveBlobAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);`
	`219`	`+ int frameSize = await ReceiveTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);`
	`220`	`+ ProcessTlsFrame(frameSize, out message);`
	`221`	`+`
`220`	`222`	`if (message.Size > 0)`
`221`	`223`	`{`
`222`	`224`	`await TIOAdapter.WriteAsync(InnerStream, new ReadOnlyMemory<byte>(message.Payload!, 0, message.Size), cancellationToken).ConfigureAwait(false);`
`@@ -245,7 +247,7 @@ private async Task RenegotiateAsync<TIOAdapter>(CancellationToken cancellationTo`
`245`	`247`	`private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[]? reAuthenticationData, CancellationToken cancellationToken)`
`246`	`248`	`where TIOAdapter : IReadWriteAdapter`
`247`	`249`	`{`
`248`		`- ProtocolToken message;`
	`250`	`+ ProtocolToken message = default;`
`249`	`251`	`bool handshakeCompleted = false;`
`250`	`252`
`251`	`253`	`if (reAuthenticationData == null)`
`@@ -256,12 +258,12 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[`
`256`	`258`	`throw new InvalidOperationException(SR.Format(SR.net_io_invalidnestedcall, "authenticate"));`
`257`	`259`	`}`
`258`	`260`	`}`
`259`		`-`
`260`	`261`	`try`
`261`	`262`	`{`
`262`	`263`	`if (!receiveFirst)`
`263`	`264`	`{`
`264`		`- message = NextMessage(reAuthenticationData);`
	`265`	`+ NextMessage(reAuthenticationData, out message);`
	`266`	`+`
`265`	`267`	`if (message.Size > 0)`
`266`	`268`	`{`
`267`	`269`	`await TIOAdapter.WriteAsync(InnerStream, new ReadOnlyMemory<byte>(message.Payload!, 0, message.Size), cancellationToken).ConfigureAwait(false);`
`@@ -289,7 +291,8 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[`
`289`	`291`
`290`	`292`	`while (!handshakeCompleted)`
`291`	`293`	`{`
`292`		`- message = await ReceiveBlobAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);`
	`294`	`+ int frameSize = await ReceiveTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);`
	`295`	`+ ProcessTlsFrame(frameSize, out message);`
`293`	`296`
`294`	`297`	`ReadOnlyMemory<byte> payload = default;`
`295`	`298`	`if (message.Size > 0)`
`@@ -355,7 +358,8 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[`
`355`	`358`
`356`	`359`	`}`
`357`	`360`
`358`		`- private async ValueTask<ProtocolToken> ReceiveBlobAsync<TIOAdapter>(CancellationToken cancellationToken)`
	`361`	`+ // This method will make sure we have at least one full TLS frame buffered.`
	`362`	`+ private async ValueTask<int> ReceiveTlsFrameAsync<TIOAdapter>(CancellationToken cancellationToken)`
`359`	`363`	`where TIOAdapter : IReadWriteAdapter`
`360`	`364`	`{`
`361`	`365`	`int frameSize = await EnsureFullTlsFrameAsync<TIOAdapter>(cancellationToken).ConfigureAwait(false);`
`@@ -430,11 +434,11 @@ private async ValueTask<ProtocolToken> ReceiveBlobAsync<TIOAdapter>(Cancellation`
`430`	`434`
`431`	`435`	`}`
`432`	`436`
`433`		`- return ProcessBlob(frameSize);`
	`437`	`+ return frameSize;`
`434`	`438`	`}`
`435`	`439`
`436`	`440`	`// Calls crypto on received data. No IO inside.`
`437`		`- private ProtocolToken ProcessBlob(int frameSize)`
	`441`	`+ private void ProcessTlsFrame(int frameSize, out ProtocolToken message)`
`438`	`442`	`{`
`439`	`443`	`int chunkSize = frameSize;`
`440`	`444`
`@@ -467,26 +471,26 @@ private ProtocolToken ProcessBlob(int frameSize)`
`467`	`471`	`_buffer.DiscardEncrypted(frameSize);`
`468`	`472`	`}`
`469`	`473`
`470`		`- return NextMessage(availableData.Slice(0, chunkSize));`
	`474`	`+ NextMessage(availableData.Slice(0, chunkSize), out message);`
`471`	`475`	`}`
`472`	`476`
`473`	`477`	`//`
`474`	`478`	`// This is to reset auth state on remote side.`
`475`	`479`	`// If this write succeeds we will allow auth retrying.`
`476`	`480`	`//`
`477`		`- private void SendAuthResetSignal(ProtocolToken? message, ExceptionDispatchInfo exception)`
	`481`	`+ private void SendAuthResetSignal(ReadOnlySpan<byte> alert, ExceptionDispatchInfo exception)`
`478`	`482`	`{`
`479`	`483`	`SetException(exception.SourceException);`
`480`	`484`
`481`		`- if (message == null \|\| message.Size == 0)`
	`485`	`+ if (alert.Length == 0)`
`482`	`486`	`{`
`483`	`487`	`//`
`484`	`488`	`// We don't have an alert to send so cannot retry and fail prematurely.`
`485`	`489`	`//`
`486`	`490`	`exception.Throw();`
`487`	`491`	`}`
`488`	`492`
`489`		`- InnerStream.Write(message.Payload!, 0, message.Size);`
	`493`	`+ InnerStream.Write(alert);`
`490`	`494`
`491`	`495`	`exception.Throw();`
`492`	`496`	`}`
`@@ -499,7 +503,7 @@ private void SendAuthResetSignal(ProtocolToken? message, ExceptionDispatchInfo e`
`499`	`503`	`//`
`500`	`504`	`// - Returns false if failed to verify the Remote Cert`
`501`	`505`	`//`
`502`		`- private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)`
	`506`	`+ private bool CompleteHandshake(ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)`
`503`	`507`	`{`
`504`	`508`	`ProcessHandshakeSuccess();`
`505`	`509`
`@@ -527,7 +531,7 @@ private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyError`
`527`	`531`	`// The Java TrustManager callback is called only when the peer has a certificate. It's possible that`
`528`	`532`	`// the peer didn't provide any certificate (for example when the peer is the client) and the validation`
`529`	`533`	`// result hasn't been set. In that case we still need to run the verification at this point.`
`530`		`- if (TryGetRemoteCertificateValidationResult(out sslPolicyErrors, out chainStatus, out alertToken, out bool isValid))`
	`534`	`+ if (TryGetRemoteCertificateValidationResult(out sslPolicyErrors, out chainStatus, ref alertToken, out bool isValid))`
`531`	`535`	`{`
`532`	`536`	`_handshakeCompleted = isValid;`
`533`	`537`	`return isValid;`
`@@ -546,23 +550,23 @@ private bool CompleteHandshake(ref ProtocolToken? alertToken, out SslPolicyError`
`546`	`550`
`547`	`551`	`private void CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)`
`548`	`552`	`{`
`549`		`- ProtocolToken? alertToken = null;`
	`553`	`+ ProtocolToken alertToken = default;`
`550`	`554`	`if (!CompleteHandshake(ref alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus))`
`551`	`555`	`{`
`552`	`556`	`if (sslAuthenticationOptions!.CertValidationDelegate != null)`
`553`	`557`	`{`
`554`	`558`	`// there may be some chain errors but the decision was made by custom callback. Details should be tracing if enabled.`
`555`		`- SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.net_ssl_io_cert_custom_validation, null)));`
	`559`	`+ SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.net_ssl_io_cert_custom_validation, null)));`
`556`	`560`	`}`
`557`	`561`	`else if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors && chainStatus != X509ChainStatusFlags.NoError)`
`558`	`562`	`{`
`559`	`563`	`// We failed only because of chain and we have some insight.`
`560`		`- SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_chain_validation, chainStatus), null)));`
	`564`	`+ SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_chain_validation, chainStatus), null)));`
`561`	`565`	`}`
`562`	`566`	`else`
`563`	`567`	`{`
`564`	`568`	`// Simple add sslPolicyErrors as crude info.`
`565`		`- SendAuthResetSignal(alertToken, ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_validation, sslPolicyErrors), null)));`
	`569`	`+ SendAuthResetSignal(new ReadOnlySpan<byte>(alertToken.Payload), ExceptionDispatchInfo.Capture(new AuthenticationException(SR.Format(SR.net_ssl_io_cert_validation, sslPolicyErrors), null)));`
`566`	`570`	`}`
`567`	`571`	`}`
`568`	`572`	`}`
Original file line number	Diff line number	Diff line change
`@@ -751,20 +751,20 @@ static DateTime GetExpiryTimestamp(SslStreamCertificateContext certificateContex`
`751`	`751`	`}`
`752`	`752`
`753`	`753`	`//`
`754`		`- internal ProtocolToken NextMessage(ReadOnlySpan<byte> incomingBuffer)`
	`754`	`+ internal void NextMessage(ReadOnlySpan<byte> incomingBuffer, out ProtocolToken token)`
`755`	`755`	`{`
`756`	`756`	`byte[]? nextmsg = null;`
`757`		`- SecurityStatusPal status = GenerateToken(incomingBuffer, ref nextmsg);`
`758`		`- ProtocolToken token = new ProtocolToken(nextmsg, status);`
	`757`	`+ token.Status = GenerateToken(incomingBuffer, ref nextmsg);`
	`758`	`+ token.Size = nextmsg?.Length ?? 0;`
	`759`	`+ token.Payload = nextmsg;`
`759`	`760`
`760`	`761`	`if (NetEventSource.Log.IsEnabled())`
`761`	`762`	`{`
`762`	`763`	`if (token.Failed)`
`763`	`764`	`{`
`764`		`- NetEventSource.Error(this, $"Authentication failed. Status: {status}, Exception message: {token.GetException()!.Message}");`
	`765`	`+ NetEventSource.Error(this, $"Authentication failed. Status: {token.Status}, Exception message: {token.GetException()!.Message}");`
`765`	`766`	`}`
`766`	`767`	`}`
`767`		`- return token;`
`768`	`768`	`}`
`769`	`769`
`770`	`770`	`/*++`
`@@ -992,7 +992,7 @@ internal SecurityStatusPal Decrypt(Span<byte> buffer, out int outputOffset, out`
`992`	`992`	`--*/`
`993`	`993`
`994`	`994`	`//This method validates a remote certificate.`
`995`		`- internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remoteCertValidationCallback, SslCertificateTrust? trust, ref ProtocolToken? alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)`
	`995`	`+ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remoteCertValidationCallback, SslCertificateTrust? trust, ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)`
`996`	`996`	`{`
`997`	`997`	`sslPolicyErrors = SslPolicyErrors.None;`
`998`	`998`	`chainStatus = X509ChainStatusFlags.NoError;`
`@@ -1085,7 +1085,7 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot`
`1085`	`1085`
`1086`	`1086`	`if (!success)`
`1087`	`1087`	`{`
`1088`		`- alertToken = CreateFatalHandshakeAlertToken(sslPolicyErrors, chain!);`
	`1088`	`+ CreateFatalHandshakeAlertToken(sslPolicyErrors, chain!, ref alertToken);`
`1089`	`1089`	`if (chain != null)`
`1090`	`1090`	`{`
`1091`	`1091`	`foreach (X509ChainStatus status in chain.ChainStatus)`
`@@ -1115,7 +1115,7 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot`
`1115`	`1115`	`return success;`
`1116`	`1116`	`}`
`1117`	`1117`
`1118`		`- private ProtocolToken? CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain)`
	`1118`	`+ private void CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain, ref ProtocolToken alertToken)`
`1119`	`1119`	`{`
`1120`	`1120`	`TlsAlertMessage alertMessage;`
`1121`	`1121`
`@@ -1148,15 +1148,14 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot`
`1148`	`1148`	`{`
`1149`	`1149`	`ExceptionDispatchInfo.Throw(status.Exception);`
`1150`	`1150`	`}`
`1151`		`-`
`1152`		`- return null;`
`1153`	`1151`	`}`
`1154`	`1152`
`1155`		`- return GenerateAlertToken();`
	`1153`	`+ GenerateAlertToken(ref alertToken);`
`1156`	`1154`	`}`
`1157`	`1155`
`1158`		`- private ProtocolToken? CreateShutdownToken()`
	`1156`	`+ private byte[]? CreateShutdownToken()`
`1159`	`1157`	`{`
	`1158`	`+ byte[]? nextmsg = null;`
`1160`	`1159`	`SecurityStatusPal status;`
`1161`	`1160`	`status = SslStreamPal.ApplyShutdownToken(_securityContext!);`
`1162`	`1161`
`@@ -1173,17 +1172,21 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot`
`1173`	`1172`	`return null;`
`1174`	`1173`	`}`
`1175`	`1174`
`1176`		`- return GenerateAlertToken();`
	`1175`	`+ GenerateToken(default, ref nextmsg);`
	`1176`	`+`
	`1177`	`+ return nextmsg;`
`1177`	`1178`	`}`
`1178`	`1179`
`1179`		`- private ProtocolToken GenerateAlertToken()`
	`1180`	`+ private void GenerateAlertToken(ref ProtocolToken alertToken)`
`1180`	`1181`	`{`
`1181`	`1182`	`byte[]? nextmsg = null;`
`1182`	`1183`
`1183`	`1184`	`SecurityStatusPal status;`
`1184`	`1185`	`status = GenerateToken(default, ref nextmsg);`
`1185`	`1186`
`1186`		`- return new ProtocolToken(nextmsg, status);`
	`1187`	`+ alertToken.Payload = nextmsg;`
	`1188`	`+ alertToken.Size = nextmsg?.Length ?? 0;`
	`1189`	`+ alertToken.Status = status;`
`1187`	`1190`	`}`
`1188`	`1191`
`1189`	`1192`	`private static TlsAlertMessage GetAlertMessageFromChain(X509Chain chain)`
`@@ -1286,7 +1289,7 @@ private void LogCertificateValidation(RemoteCertificateValidationCallback? remot`
`1286`	`1289`	`}`
`1287`	`1290`
`1288`	`1291`	`// ProtocolToken - used to process and handle the return codes from the SSPI wrapper`
`1289`		`- internal sealed class ProtocolToken`
	`1292`	`+ internal struct ProtocolToken`
`1290`	`1293`	`{`
`1291`	`1294`	`internal SecurityStatusPal Status;`
`1292`	`1295`	`internal byte[]? Payload;`
Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ private void ReturnReadBufferIfEmpty()`
`92`	`92`	`{`
`93`	`93`	`}`
`94`	`94`
`95`		`- private ProtocolToken? CreateShutdownToken()`
	`95`	`+ private byte[]? CreateShutdownToken()`
`96`	`96`	`{`
`97`	`97`	`return null;`
`98`	`98`	`}`