Client-side TLS 1.3 support on OSX (#117428)

* Native Interop Layer

* Native Layer Compilation fix for Mono + NativeAOT + templates

* First shape of new native + interop

* Newlines at the end of files

* Default constructor ownsHandle to true

* Delete couple of unsafe keyword in Interop

* Update src/native/libs/System.Net.Security.Native.Apple/pal_networkframework.m

Co-authored-by: Copilot <[email protected]>

* Fix PlatformManifestFileEntry

* Review feedback

* Apply suggestions from code review

Co-authored-by: Stephen Toub <[email protected]>

* Update src/libraries/Common/src/Interop/OSX/Interop.Network.Tls.cs

Co-authored-by: Radek Zikmund <[email protected]>

* Review feedbacks

* Further review feedback

* Add new library name to nativeaot build target file

* Merge System.Net.Security.Native.Apple with System.Security.Cryptography.Native.Apple

* fixup! Merge System.Net.Security.Native.Apple with System.Security.Cryptography.Native.Apple

* Shared OSStatus

* Correctly release some handles

* Remove printf

* Add comments

* Fix build

* Copy of initial changes

* Fix build

* WIP

* WIP

* more WIP

* Minimal example is working

* Fix concurrent read/write calls

* ALPN fix

* Certificate validation

* Report remote alerts

* CipherSuitesPolicy support

* Fix IDNA

* Zero-bytes read support

* fixup! ALPN fix

* Attach correct cancellation token to exceptions

* Fix framer lifetime

* fixup! CipherSuitesPolicy support

* Cleanup some unwanted changes

* Some more cleanup

* Fix ALPN reading

* ClientCertificates + CertificateContext + CertSelectionDelegate implementation

* Correctly pass remote certificate + acceptableIssuers to selection callback

* Disable Ciphersuite tests for NW

* Fix formatting

* Fix some test scenarios

* Delete unused ResettableTaskSource

* Fix build

* Unify certificate validation code

* TARGET_OSX to TARGET_APPLE

* Small changes

* Fix build of other platforms

* Disable known edge-case for now

* Some test fixes

* Disable EventSource order test for NW

* Add TCS for completion on transportStream Write and propagate exceptions

* Propagate exception for handshake + write tcs from transport read task

* Missing write part of propagation exception for transport read task

* App read optimization

* fixup! App read optimization

* Fix hanging pending read after read cancellation

* Unify local cert selection

* Improve thisHandle lifetime management

* Introduce specific exception for NetworkFramework + properly propagate error messages and error domain

* Refactor NetworkFramework error handling to use enum for error domains

* Refactor error extraction in NetworkFramework to return CFStringRef for better memory management

* Enhance cancellation support in SafeDeleteNwContext by throwing on cancellation requests and linking tokens for graceful shutdowns

* Typo fix

* Switch to Network.framework tests on CI

* Fix memory leaks, introduce CancellationAction for ResettableValueTaskSource objects to avoid deadlock on disposal

* Reverting back running nw tests on ci, as some apis requires at least 12.3 version

* A bit cleanup

* Use more appropriate names in nw shim functions

* Centralized gchandle management in native code

* Fix correct cancellation token when throwing

* Fix hang, remove try-catches in completion callbacks

* Revert unwanted changes

* Fix comment

* Logging improvements

* Apply suggestion from @liveans

Co-authored-by: Ahmet Ibrahim Aksoy <[email protected]>

* Update src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteNwContext.cs

Co-authored-by: Ahmet Ibrahim Aksoy <[email protected]>

* Code review feecback

* Remove duplicate void* state argument in native functions

* Update src/native/libs/System.Security.Cryptography.Native.Apple/pal_networkframework.m

Co-authored-by: Adeel Mujahid <[email protected]>

---------

Co-authored-by: Ahmet İbrahim Aksoy <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Stephen Toub <[email protected]>
Co-authored-by: Adeel Mujahid <[email protected]>

Author: 5 people

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets

@@ -201,6 +201,7 @@ The .NET Foundation licenses this file to you under the MIT license.
       <NativeFramework Include="CoreFoundation" />
       <NativeFramework Include="CryptoKit" />
       <NativeFramework Include="Foundation" />
+      <NativeFramework Include="Network" />
       <NativeFramework Include="Security" />
       <!-- The library builds don't reference the GSS API on tvOS builds. -->
       <NativeFramework Condition="!$(_targetOS.StartsWith('tvos'))" Include="GSS" />

src/libraries/Common/src/Interop/OSX/Interop.Libraries.cs

@@ -14,6 +14,7 @@ internal static partial class Libraries
         internal const string OpenLdap = "libldap.dylib";
         internal const string SystemConfigurationLibrary = "/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration";
         internal const string AppleCryptoNative = "libSystem.Security.Cryptography.Native.Apple";
+        internal const string NetworkFramework = "/System/Library/Frameworks/Network.framework/Network";
         internal const string MsQuic = "libmsquic.dylib";
     }
 }

src/libraries/Common/src/Interop/OSX/Interop.NetworkFramework.Tls.cs

@@ -0,0 +1,88 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Net;
+using System.Net.Security;
+using System.Runtime.InteropServices;
+using System.Security.Authentication;
+using Microsoft.Win32.SafeHandles;
+
+internal static partial class Interop
+{
+    // TLS 1.3 specific Network Framework implementation for macOS
+    internal static partial class NetworkFramework
+    {
+        internal static partial class Tls
+        {
+            // Initialize internal shim for NetworkFramework integration
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_Init")]
+            [return: MarshalAs(UnmanagedType.I4)]
+            internal static unsafe partial bool Init(
+                delegate* unmanaged<IntPtr, StatusUpdates, IntPtr, IntPtr, NetworkFrameworkError*, void> statusCallback,
+                delegate* unmanaged<IntPtr, byte*, ulong, void> writeCallback,
+                delegate* unmanaged<IntPtr, IntPtr, IntPtr> challengeCallback);
+
+            // Create a new connection context
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwConnectionCreate", StringMarshalling = StringMarshalling.Utf8)]
+            internal static unsafe partial SafeNwHandle NwConnectionCreate([MarshalAs(UnmanagedType.I4)] bool isServer, IntPtr context, string targetName, byte* alpnBuffer, int alpnLength, SslProtocols minTlsProtocol, SslProtocols maxTlsProtocol, uint* cipherSuites, int cipherSuitesLength);
+
+            // Start the TLS handshake, notifications are received via the status callback (potentially from a different thread).
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwConnectionStart")]
+            internal static partial int NwConnectionStart(SafeNwHandle connection, IntPtr context);
+
+            // takes encrypted input from underlying stream and feed it to the connection.
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwFramerDeliverInput")]
+            internal static unsafe partial int NwFramerDeliverInput(SafeNwHandle framer, IntPtr context, byte* buffer, int bufferLength, delegate* unmanaged<IntPtr, NetworkFrameworkError*, void> completionCallback);
+
+            // sends plaintext data to the connection.
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwConnectionSend")]
+            internal static unsafe partial void NwConnectionSend(SafeNwHandle connection, IntPtr context, void* buffer, int bufferLength, delegate* unmanaged<IntPtr, NetworkFrameworkError*, void> completionCallback);
+
+            // read plaintext data from the connection.
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwConnectionReceive")]
+            internal static unsafe partial void NwConnectionReceive(SafeNwHandle connection, IntPtr context, int length, delegate* unmanaged<IntPtr, NetworkFrameworkError*, byte*, int, void> readCompletionCallback);
+
+            // starts connection cleanup
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_NwConnectionCancel")]
+            internal static partial void NwConnectionCancel(SafeNwHandle connection);
+
+            // gets TLS connection information
+            [LibraryImport(Interop.Libraries.AppleCryptoNative, EntryPoint = "AppleCryptoNative_GetConnectionInfo")]
+            internal static unsafe partial int GetConnectionInfo(SafeNwHandle connection, IntPtr context, out SslProtocols pProtocol, out TlsCipherSuite pCipherSuiteOut, byte* negotiatedAlpn, ref int negotiatedAlpnLength);
+        }
+
+        // Status enumeration for Network Framework TLS operations
+        internal enum StatusUpdates
+        {
+            UnknownError = 0,
+            FramerStart = 1,
+            HandshakeFinished = 3,
+            ConnectionFailed = 4,
+            ConnectionCancelled = 103,
+            CertificateAvailable = 104,
+            DebugLog = 200,
+        }
+    }
+
+    // Safe handle classes for Network Framework TLS resources
+    internal sealed class SafeNwHandle : SafeHandleZeroOrMinusOneIsInvalid
+    {
+        public SafeNwHandle() : base(ownsHandle: true) { }
+
+        public SafeNwHandle(IntPtr handle, bool ownsHandle) : base(ownsHandle)
+        {
+            SetHandle(handle);
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            NetworkFramework.Release(handle);
+            SetHandle(IntPtr.Zero);
+            return true;
+        }
+    }
+}

src/libraries/Common/src/Interop/OSX/Interop.NetworkFramework.cs

@@ -0,0 +1,85 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+internal static partial class Interop
+{
+    internal static partial class NetworkFramework
+    {
+        // Network Framework reference counting functions
+        [LibraryImport(Libraries.NetworkFramework, EntryPoint = "nw_retain")]
+        internal static partial IntPtr Retain(IntPtr obj);
+
+        [LibraryImport(Libraries.NetworkFramework, EntryPoint = "nw_release")]
+        internal static partial void Release(IntPtr obj);
+
+        // Network Framework error domains
+        internal enum NetworkFrameworkErrorDomain
+        {
+            Invalid = 0,
+            POSIX = 1,
+            DNS = 2,
+            TLS = 3
+        }
+
+        internal enum NWErrorDomainPOSIX
+        {
+            OperationCanceled = 89, // ECANCELED
+        }
+
+        internal sealed class NetworkFrameworkException : Exception
+        {
+            public int ErrorCode { get; }
+            public NetworkFrameworkErrorDomain ErrorDomain { get; }
+
+            internal NetworkFrameworkException()
+            {
+            }
+
+            internal NetworkFrameworkException(int errorCode, NetworkFrameworkErrorDomain errorDomain, string? message)
+                : base(message ?? $"Network Framework error {errorCode} in domain {errorDomain}")
+            {
+                HResult = errorCode;
+                ErrorCode = errorCode;
+                ErrorDomain = errorDomain;
+            }
+
+            internal NetworkFrameworkException(int errorCode, NetworkFrameworkErrorDomain errorDomain, string? message, Exception innerException)
+                : base(message ?? $"Network Framework error {errorCode} in domain {errorDomain}", innerException)
+            {
+                HResult = errorCode;
+                ErrorCode = errorCode;
+                ErrorDomain = errorDomain;
+            }
+
+            public override string ToString()
+            {
+                return $"{base.ToString()}, ErrorCode: {ErrorCode}, ErrorDomain: {ErrorDomain}";
+            }
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct NetworkFrameworkError
+        {
+            public int ErrorCode;
+            public int ErrorDomain;
+            public IntPtr ErrorMessage; // C string of NULL
+        }
+
+        internal static Exception CreateExceptionForNetworkFrameworkError(in NetworkFrameworkError error)
+        {
+            string? message = null;
+            NetworkFrameworkErrorDomain domain = (NetworkFrameworkErrorDomain)error.ErrorDomain;
+
+            if (error.ErrorMessage != IntPtr.Zero)
+            {
+                message = Marshal.PtrToStringUTF8(error.ErrorMessage);
+            }
+
+            return new NetworkFrameworkException(error.ErrorCode, domain, message);
+        }
+    }
+}

src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.OSStatus.cs

@@ -0,0 +1,18 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+internal static partial class Interop
+{
+    internal static partial class AppleCrypto
+    {
+        internal static class OSStatus
+        {
+            public const int NoErr = 0;
+            public const int ReadErr = -19;
+            public const int WritErr = -20;
+            public const int EOFErr = -39;
+            public const int SecUserCanceled = -128;
+            public const int ErrSSLWouldBlock = -9803;
+        }
+    }
+}

src/libraries/Common/src/System/Net/ReadWriteAdapter.cs

@@ -14,6 +14,8 @@ internal interface IReadWriteAdapter
         static abstract ValueTask WriteAsync(Stream stream, ReadOnlyMemory<byte> buffer, CancellationToken cancellationToken);
         static abstract Task FlushAsync(Stream stream, CancellationToken cancellationToken);
         static abstract Task WaitAsync(TaskCompletionSource<bool> waiter);
+        static abstract Task WaitAsync(Task task);
+        static abstract ValueTask<T> WaitAsync<T>(ValueTask<T> task);
     }
 
     internal readonly struct AsyncReadWriteAdapter : IReadWriteAdapter
@@ -30,6 +32,8 @@ public static ValueTask WriteAsync(Stream stream, ReadOnlyMemory<byte> buffer, C
         public static Task FlushAsync(Stream stream, CancellationToken cancellationToken) => stream.FlushAsync(cancellationToken);
 
         public static Task WaitAsync(TaskCompletionSource<bool> waiter) => waiter.Task;
+        public static Task WaitAsync(Task task) => task;
+        public static ValueTask<T> WaitAsync<T>(ValueTask<T> task) => task;
     }
 
     internal readonly struct SyncReadWriteAdapter : IReadWriteAdapter
@@ -57,5 +61,16 @@ public static Task WaitAsync(TaskCompletionSource<bool> waiter)
             waiter.Task.GetAwaiter().GetResult();
             return Task.CompletedTask;
         }
+
+        public static Task WaitAsync(Task task)
+        {
+            task.GetAwaiter().GetResult();
+            return Task.CompletedTask;
+        }
+
+        public static ValueTask<T> WaitAsync<T>(ValueTask<T> task)
+        {
+            return ValueTask.FromResult(task.AsTask().GetAwaiter().GetResult());
+        }
     }
 }

src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs

@@ -547,7 +547,7 @@ private static bool GetSsl3Support()
 
             }
 
-            return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian));
+            return ((IsOSX && !IsNetworkFrameworkEnabled()) || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian));
         }
 
         private static bool OpenSslGetTlsSupport(SslProtocols protocol)
@@ -569,7 +569,7 @@ private static bool AndroidGetSslProtocolSupport(SslProtocols protocol)
         private static bool GetTls10Support()
         {
             // on macOS and Android TLS 1.0 is supported.
-            if (IsApplePlatform || IsAndroid)
+            if ((IsApplePlatform && !IsNetworkFrameworkEnabled()) || IsAndroid)
             {
                 return true;
             }
@@ -580,7 +580,7 @@ private static bool GetTls10Support()
                 return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, defaultProtocolSupport: true) && !IsWindows10Version20348OrGreater;
             }
 
-            return OpenSslGetTlsSupport(SslProtocols.Tls);
+            return IsOpenSslSupported && OpenSslGetTlsSupport(SslProtocols.Tls);
         }
 
         private static bool GetTls11Support()
@@ -597,12 +597,12 @@ private static bool GetTls11Support()
                 return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport: true) && !IsWindows10Version20348OrGreater;
             }
             // on macOS and Android TLS 1.1 is supported.
-            else if (IsApplePlatform || IsAndroid)
+            else if ((IsApplePlatform && !IsNetworkFrameworkEnabled()) || IsAndroid)
             {
                 return true;
             }
 
-            return OpenSslGetTlsSupport(SslProtocols.Tls11);
+            return IsOpenSslSupported && OpenSslGetTlsSupport(SslProtocols.Tls11);
         }
 #pragma warning restore SYSLIB0039
 
@@ -665,6 +665,31 @@ private static bool GetTls13Support()
             return false;
         }
 
+        /// <summary>
+        /// Determines if Network.framework is enabled for SSL/TLS operations on Apple platforms.
+        /// This can be controlled via AppContext switch or environment variable.
+        /// </summary>
+        /// <returns>True if Network.framework is enabled, false otherwise.</returns>
+        public static bool IsNetworkFrameworkEnabled()
+        {
+            // Check AppContext switch first (highest priority)
+            if (AppContext.TryGetSwitch("System.Net.Security.UseNetworkFramework", out bool isEnabled))
+            {
+                return isEnabled;
+            }
+
+            // Fall back to environment variable
+            string? envVar = Environment.GetEnvironmentVariable("DOTNET_SYSTEM_NET_SECURITY_USENETWORKFRAMEWORK");
+            if (!string.IsNullOrEmpty(envVar))
+            {
+                return envVar == "1" || envVar.Equals("true", StringComparison.OrdinalIgnoreCase);
+            }
+
+            // Default is disabled
+            return false;
+        }
+
+
         private static bool GetSendsCAListByDefault()
         {
             if (IsWindows)

src/libraries/Common/tests/TestUtilities/TestEventListener.cs

@@ -129,7 +129,7 @@ protected override void OnEventWritten(EventWrittenEventArgs eventData)
                 }
             }
 #endif
-            sb.Append($"[{eventData.EventName}] ");
+        sb.Append($"[{eventData.EventName}] ");
 
         for (int i = 0; i < eventData.Payload?.Count; i++)
         {

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -15,6 +15,7 @@
     <ApiExclusionListPath Condition="'$(TargetPlatformIdentifier)' == ''">ExcludeApiList.PNSE.txt</ApiExclusionListPath>
     <DefineConstants Condition="'$(TargetPlatformIdentifier)' == 'windows'">$(DefineConstants);TARGET_WINDOWS</DefineConstants>
     <DefineConstants Condition="'$(TargetPlatformIdentifier)' == 'android'">$(DefineConstants);TARGET_ANDROID</DefineConstants>
+    <DefineConstants Condition="'$(TargetPlatformIdentifier)' == 'osx' or '$(TargetPlatformIdentifier)' == 'ios' or '$(TargetPlatformIdentifier)' == 'tvos'">$(DefineConstants);TARGET_APPLE</DefineConstants>
     <UseAndroidCrypto Condition="'$(TargetPlatformIdentifier)' == 'android'">true</UseAndroidCrypto>
     <UseAppleCrypto Condition="'$(TargetPlatformIdentifier)' == 'osx' or '$(TargetPlatformIdentifier)' == 'ios' or '$(TargetPlatformIdentifier)' == 'tvos'">true</UseAppleCrypto>
     <UseManagedNtlm Condition="'$(TargetPlatformIdentifier)' == 'android' or '$(TargetPlatformIdentifier)' == 'tvos'">true</UseManagedNtlm>
@@ -440,13 +441,22 @@
              Link="Common\Interop\OSX\System.Security.Cryptography.Native.Apple\Interop.Ssl.cs" />
     <Compile Include="$(CommonPath)Interop\OSX\System.Security.Cryptography.Native.Apple\Interop.X509Chain.cs"
              Link="Common\Interop\OSX\System.Security.Cryptography.Native.Apple\Interop.X509Chain.cs" />
+    <Compile Include="$(CommonPath)Interop\OSX\System.Security.Cryptography.Native.Apple\Interop.OSStatus.cs"
+             Link="Common\Interop\OSX\System.Security.Cryptography.Native.Apple\Interop.OSStatus.cs" />
+    <Compile Include="$(CommonPath)Interop\OSX\Interop.NetworkFramework.cs"
+             Link="Common\Interop\OSX\Interop.NetworkFramework.cs" />
+    <Compile Include="$(CommonPath)Interop\OSX\Interop.NetworkFramework.Tls.cs"
+             Link="Common\Interop\OSX\Interop.NetworkFramework.Tls.cs" />
     <Compile Include="$(CommonPath)Microsoft\Win32\SafeHandles\SafeCreateHandle.OSX.cs"
              Link="Common\Microsoft\Win32\SafeHandles\SafeCreateHandle.OSX.cs" />
     <Compile Include="$(CommonPath)System\Net\Security\CertificateValidation.OSX.cs"
              Link="Common\System\Net\Security\CertificateValidation.OSX.cs" />
     <Compile Include="System\Net\CertificateValidationPal.OSX.cs" />
     <Compile Include="System\Net\Security\Pal.Managed\SslProtocolsValidation.cs" />
     <Compile Include="System\Net\Security\Pal.OSX\SafeDeleteSslContext.cs" />
+    <Compile Include="System\Net\Security\Pal.OSX\SafeDeleteNwContext.cs" />
+    <!-- TODO: move to shared code -->
+    <Compile Include="../../System.Net.Quic/src/System/Net/Quic/Internal/ResettableValueTaskSource.cs" />
     <Compile Include="System\Net\Security\SslConnectionInfo.OSX.cs" />
     <Compile Include="System\Net\Security\SslStreamCertificateContext.OSX.cs" />
     <Compile Include="System\Net\Security\SslStreamPal.OSX.cs" />