SslStream mutates state of options (#28666)

* decouple SslState from SslServerAuthenticationOptions

* rename certCallback to certSelectionCallback

* remove mutable ServerCertSelectionCallback from SslServerAuthenticationOptions

* remove mutable RemoteCertValidationCallback from SslServerAuthenticationOptions

* fix FakeSslState to match args

Author: krwq

src/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs

@@ -37,7 +37,6 @@ internal SslAuthenticationOptions(SslServerAuthenticationOptions sslServerAuthen
             // Common options.
             AllowRenegotiation = sslServerAuthenticationOptions.AllowRenegotiation;
             ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols;
-            CertValidationDelegate = sslServerAuthenticationOptions._certValidationDelegate;
             CheckCertName = false;
             EnabledSslProtocols = sslServerAuthenticationOptions.EnabledSslProtocols;
             EncryptionPolicy = sslServerAuthenticationOptions.EncryptionPolicy;
@@ -49,7 +48,6 @@ internal SslAuthenticationOptions(SslServerAuthenticationOptions sslServerAuthen
             // Server specific options.
             CertificateRevocationCheckMode = sslServerAuthenticationOptions.CertificateRevocationCheckMode;
             ServerCertificate = sslServerAuthenticationOptions.ServerCertificate;
-            ServerCertSelectionDelegate = sslServerAuthenticationOptions._serverCertDelegate;
         }
 
         internal bool AllowRenegotiation { get; set; }
@@ -67,7 +65,7 @@ internal SslAuthenticationOptions(SslServerAuthenticationOptions sslServerAuthen
         internal bool CheckCertName { get; set; }
         internal RemoteCertValidationCallback CertValidationDelegate { get; set; }
         internal LocalCertSelectionCallback CertSelectionDelegate { get; set; }
-        internal ServerCertCallback ServerCertSelectionDelegate { get; set; }
+        internal ServerCertSelectionCallback ServerCertSelectionDelegate { get; set; }
     }
 }
 

src/System.Net.Security/src/System/Net/Security/SslServerAuthenticationOptions.cs

@@ -15,9 +15,6 @@ public class SslServerAuthenticationOptions
         private EncryptionPolicy _encryptionPolicy = EncryptionPolicy.RequireEncryption;
         private bool _allowRenegotiation = true;
 
-        internal RemoteCertValidationCallback _certValidationDelegate;
-        internal ServerCertCallback _serverCertDelegate;
-
         public bool AllowRenegotiation
         {
             get => _allowRenegotiation;

src/System.Net.Security/src/System/Net/Security/SslState.cs

@@ -132,7 +132,7 @@ internal void ValidateCreateContext(SslClientAuthenticationOptions sslClientAuth
             }
         }
 
-        internal void ValidateCreateContext(SslServerAuthenticationOptions sslServerAuthenticationOptions)
+        internal void ValidateCreateContext(SslAuthenticationOptions sslAuthenticationOptions)
         {
             ThrowIfExceptional();
 
@@ -146,20 +146,11 @@ internal void ValidateCreateContext(SslServerAuthenticationOptions sslServerAuth
                 throw new InvalidOperationException(SR.net_auth_client_server);
             }
 
-            if (sslServerAuthenticationOptions.ServerCertificate == null && sslServerAuthenticationOptions._serverCertDelegate == null)
-            {
-                throw new ArgumentNullException(nameof(sslServerAuthenticationOptions.ServerCertificate));
-            }
-
-            if (sslServerAuthenticationOptions.ServerCertificate != null && sslServerAuthenticationOptions._serverCertDelegate != null)
-            {
-                throw new InvalidOperationException(SR.Format(SR.net_conflicting_options, nameof(ServerCertificateSelectionCallback)));
-            }
-
             _exception = null;
+            _sslAuthenticationOptions = sslAuthenticationOptions;
+
             try
             {
-                _sslAuthenticationOptions = new SslAuthenticationOptions(sslServerAuthenticationOptions);
                 _context = new SecureChannel(_sslAuthenticationOptions);
             }
             catch (Win32Exception e)

src/System.Net.Security/src/System/Net/Security/SslStream.cs

@@ -36,7 +36,7 @@ public enum EncryptionPolicy
     // Internal versions of the above delegates.
     internal delegate bool RemoteCertValidationCallback(string host, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors);
     internal delegate X509Certificate LocalCertSelectionCallback(string targetHost, X509CertificateCollection localCertificates, X509Certificate2 remoteCertificate, string[] acceptableIssuers);
-    internal delegate X509Certificate ServerCertCallback(string hostName);
+    internal delegate X509Certificate ServerCertSelectionCallback(string hostName);
 
     public class SslStream : AuthenticatedStream
     {
@@ -150,10 +150,26 @@ private X509Certificate ServerCertSelectionCallbackWrapper(string targetHost)
             return _userServerCertificateSelectionCallback(this, targetHost);
         }
 
-        private void SetServerCertificateSelectionCallbackWrapper(SslServerAuthenticationOptions sslServerAuthenticationOptions)
+        private SslAuthenticationOptions CreateAuthenticationOptions(SslServerAuthenticationOptions sslServerAuthenticationOptions)
         {
+            if (sslServerAuthenticationOptions.ServerCertificate == null && sslServerAuthenticationOptions.ServerCertificateSelectionCallback == null)
+            {
+                throw new ArgumentNullException(nameof(sslServerAuthenticationOptions.ServerCertificate));
+            }
+
+            if (sslServerAuthenticationOptions.ServerCertificate != null && sslServerAuthenticationOptions.ServerCertificateSelectionCallback != null)
+            {
+                throw new InvalidOperationException(SR.Format(SR.net_conflicting_options, nameof(ServerCertificateSelectionCallback)));
+            }
+
+            var authOptions = new SslAuthenticationOptions(sslServerAuthenticationOptions);
+
             _userServerCertificateSelectionCallback = sslServerAuthenticationOptions.ServerCertificateSelectionCallback;
-            sslServerAuthenticationOptions._serverCertDelegate = _userServerCertificateSelectionCallback == null ? null : new ServerCertCallback(ServerCertSelectionCallbackWrapper);
+            authOptions.ServerCertSelectionDelegate = _userServerCertificateSelectionCallback == null ? null : new ServerCertSelectionCallback(ServerCertSelectionCallbackWrapper);
+
+            authOptions.CertValidationDelegate = _certValidationDelegate;
+
+            return authOptions;
         }
 
         //
@@ -244,12 +260,7 @@ private IAsyncResult BeginAuthenticateAsServer(SslServerAuthenticationOptions ss
             SecurityProtocol.ThrowOnNotAllowed(sslServerAuthenticationOptions.EnabledSslProtocols);
             SetAndVerifyValidationCallback(sslServerAuthenticationOptions.RemoteCertificateValidationCallback);
 
-            // Set the delegate on the options.
-            sslServerAuthenticationOptions._certValidationDelegate = _certValidationDelegate;
-
-            SetServerCertificateSelectionCallbackWrapper(sslServerAuthenticationOptions);
-
-            _sslState.ValidateCreateContext(sslServerAuthenticationOptions);
+            _sslState.ValidateCreateContext(CreateAuthenticationOptions(sslServerAuthenticationOptions));
 
             LazyAsyncResult result = new LazyAsyncResult(_sslState, asyncState, asyncCallback);
             _sslState.ProcessAuthentication(result);
@@ -348,10 +359,7 @@ private void AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthen
             SecurityProtocol.ThrowOnNotAllowed(sslServerAuthenticationOptions.EnabledSslProtocols);
             SetAndVerifyValidationCallback(sslServerAuthenticationOptions.RemoteCertificateValidationCallback);
 
-            // Set the delegate on the options.
-            sslServerAuthenticationOptions._certValidationDelegate = _certValidationDelegate;
-
-            _sslState.ValidateCreateContext(sslServerAuthenticationOptions);
+            _sslState.ValidateCreateContext(CreateAuthenticationOptions(sslServerAuthenticationOptions));
             _sslState.ProcessAuthentication(null);
         }
         #endregion

src/System.Net.Security/tests/UnitTests/Fakes/FakeSslState.cs

@@ -25,7 +25,7 @@ internal void ValidateCreateContext(SslClientAuthenticationOptions sslClientAuth
         {
         }
 
-        internal void ValidateCreateContext(SslServerAuthenticationOptions sslServerAuthenticationOptions)
+        internal void ValidateCreateContext(SslAuthenticationOptions sslAuthenticationOptions)
         {
         }