dotnet · wfurt · Dec 18, 2019 · Dec 2, 2019 · Dec 2, 2019 · Dec 3, 2019
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
@@ -253,15 +253,15 @@ internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX50
             return context;
         }
 
-        internal static bool DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
+        internal static bool DoSslHandshake(SafeSslHandle context, ReadOnlySpan<byte> input, out byte[] sendBuf, out int sendCount)
         {
             sendBuf = null;
             sendCount = 0;
             Exception handshakeException = null;
 
-            if ((recvBuf != null) && (recvCount > 0))
+            if (input.Length > 0)
             {
-                if (BioWrite(context.InputBio, recvBuf, recvOffset, recvCount) <= 0)
+                if (Ssl.BioWrite(context.InputBio, ref MemoryMarshal.GetReference(input), input.Length) != input.Length)
                 {
                     // Make sure we clear out the error that is stored in the queue
                     throw Crypto.CreateOpenSslCryptographicException();
@@ -321,7 +321,7 @@ internal static bool DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int r
             return stateOk;
         }
 
-        internal static int Encrypt(SafeSslHandle context, ReadOnlyMemory<byte> input, ref byte[] output, out Ssl.SslErrorCode errorCode)
+        internal static int Encrypt(SafeSslHandle context, ReadOnlySpan<byte> input, ref byte[] output, out Ssl.SslErrorCode errorCode)
         {
 #if DEBUG
             ulong assertNoError = Crypto.ErrPeekError();
@@ -334,13 +334,7 @@ internal static int Encrypt(SafeSslHandle context, ReadOnlyMemory<byte> input, r
 
             lock (context)
             {
-                unsafe
-                {
-                    using (MemoryHandle handle = input.Pin())
-                    {
-                        retVal = Ssl.SslWrite(context, (byte*)handle.Pointer, input.Length);
-                    }
-                }
+                retVal = Ssl.SslWrite(context, ref MemoryMarshal.GetReference(input), input.Length);
 
                 if (retVal != input.Length)
                 {

diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Ssl.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Ssl.cs
@@ -74,6 +74,9 @@ internal static byte[] SslGetAlpnSelected(SafeSslHandle ssl)
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SslWrite")]
         internal static extern unsafe int SslWrite(SafeSslHandle ssl, byte* buf, int num);
 
+        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SslWrite")]
+        internal static extern unsafe int SslWrite(SafeSslHandle ssl, ref byte buf, int num);
+
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SslRead")]
         internal static extern unsafe int SslRead(SafeSslHandle ssl, byte* buf, int num);
 
@@ -101,6 +104,9 @@ internal static byte[] SslGetAlpnSelected(SafeSslHandle ssl)
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_BioWrite")]
         internal static extern unsafe int BioWrite(SafeBioHandle b, byte* data, int len);
 
+        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_BioWrite")]
+        internal static extern unsafe int BioWrite(SafeBioHandle b, ref byte data, int len);
+
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SslGetPeerCertificate")]
         internal static extern SafeX509Handle SslGetPeerCertificate(SafeSslHandle ssl);
 

diff --git a/src/libraries/Common/tests/System/Net/Capability.Security.cs b/src/libraries/Common/tests/System/Net/Capability.Security.cs
@@ -50,6 +50,18 @@ public static bool Http2ForceUnencryptedLoopback()
             {
                 return true;
             }
+
+            return false;
+        }
+
+        public static bool SecurityForceSocketStreams()
+        {
+            string value = Configuration.Security.SecurityForceSocketStreams;
+            if (value != null && (value.Equals("true", StringComparison.OrdinalIgnoreCase) || value.Equals("1")))
+            {
+                return true;
+            }
+
             return false;
         }
 

diff --git a/src/libraries/Common/tests/System/Net/Configuration.Security.cs b/src/libraries/Common/tests/System/Net/Configuration.Security.cs
@@ -35,6 +35,8 @@ public static partial class Security
             //      127.0.0.1 testclienteku.contoso.com
 
             public static string HostsFileNamesInstalled => GetValue("COREFX_NET_SECURITY_HOSTS_FILE_INSTALLED");
+            // Allows packet captures.
+            public static string SecurityForceSocketStreams => GetValue("COREFX_NET_SECURITY_FORCE_SOCKET_STREAMS");
         }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/HelperAsyncResults.cs b/src/libraries/System.Net.Security/src/System/Net/HelperAsyncResults.cs
@@ -20,10 +20,6 @@ namespace System.Net
     //
     internal class AsyncProtocolRequest
     {
-#if DEBUG
-        internal object _DebugAsyncChain;         // Optionally used to track chains of async calls.
-#endif
-
         private AsyncProtocolCallback _callback;
         private int _completionStatus;
 
@@ -33,7 +29,6 @@ internal class AsyncProtocolRequest
 
         public LazyAsyncResult UserAsyncResult;
         public int Result;
-        public object AsyncState;
         public readonly CancellationToken CancellationToken;
 
         public byte[] Buffer; // Temporary buffer reused by a protocol.

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs
@@ -217,15 +217,18 @@ internal void Write(byte[] buf, int offset, int count)
             Debug.Assert(count >= 0);
             Debug.Assert(count <= buf.Length - offset);
 
+            Write(buf.AsSpan(offset, count));
+        }
 
+        internal void Write(ReadOnlySpan<byte> buf)
+        {
             lock (_fromConnection)
             {
-                for (int i = 0; i < count; i++)
+                foreach (byte b in buf)
                 {
-                    _fromConnection.Enqueue(buf[offset + i]);
+                    _fromConnection.Enqueue(b);
                 }
             }
-
         }
 
         internal int BytesReadyForConnection => _toConnection.Count;

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
@@ -626,7 +626,7 @@ private bool AcquireClientCredentials(ref byte[] thumbPrint)
         //
         // Acquire Server Side Certificate information and set it on the class.
         //
-        private bool AcquireServerCredentials(ref byte[] thumbPrint, byte[] clientHello)
+        private bool AcquireServerCredentials(ref byte[] thumbPrint, ReadOnlySpan<byte> clientHello)
         {
             if (NetEventSource.IsEnabled)
                 NetEventSource.Enter(this);
@@ -797,7 +797,7 @@ private SecurityStatusPal GenerateToken(byte[] input, int offset, int count, ref
                     if (_refreshCredentialNeeded)
                     {
                         cachedCreds = _sslAuthenticationOptions.IsServer
-                                        ? AcquireServerCredentials(ref thumbPrint, input)
+                                        ? AcquireServerCredentials(ref thumbPrint, new ReadOnlySpan<byte>(input, offset, count))
                                         : AcquireClientCredentials(ref thumbPrint);
                     }
 
@@ -806,7 +806,7 @@ private SecurityStatusPal GenerateToken(byte[] input, int offset, int count, ref
                         status = SslStreamPal.AcceptSecurityContext(
                                       ref _credentialsHandle,
                                       ref _securityContext,
-                                      input != null ? new ArraySegment<byte>(input, offset, count) : default,
+                                      input, offset, count,
                                       ref result,
                                       _sslAuthenticationOptions);
                     }
@@ -816,7 +816,7 @@ private SecurityStatusPal GenerateToken(byte[] input, int offset, int count, ref
                                        ref _credentialsHandle,
                                        ref _securityContext,
                                        _sslAuthenticationOptions.TargetHost,
-                                      input != null ? new ArraySegment<byte>(input, offset, count) : default,
+                                       input, offset, count,
                                        ref result,
                                        _sslAuthenticationOptions);
                     }

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SniHelper.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SniHelper.cs
@@ -16,12 +16,12 @@ internal class SniHelper
         private static readonly IdnMapping s_idnMapping = CreateIdnMapping();
         private static readonly Encoding s_encoding = CreateEncoding();
 
-        public static string GetServerName(byte[] clientHello)
+        public static string GetServerName(byte[] clientHello, int offset, int count)
         {
-            return GetSniFromSslPlainText(clientHello);
+            return GetServerName(new ReadOnlySpan<byte>(clientHello, offset, count));
         }
 
-        private static string GetSniFromSslPlainText(ReadOnlySpan<byte> sslPlainText)
+        public static string GetServerName(ReadOnlySpan<byte> sslPlainText)
         {
             // https://tools.ietf.org/html/rfc6101#section-5.2.1
             // struct {