Port System.Net.Security to OpenBSD

eng/versioning.targets

@@ -81,6 +81,7 @@
 
   <!-- Add target platforms into MSBuild SupportedPlatform list -->
   <ItemGroup Condition="'$(IsTestProject)' != 'true'">
+    <SupportedPlatform Condition="'$(TargetPlatformIdentifier)' == 'openbsd'" Include="OpenBSD" />
     <SupportedPlatform Condition="'$(TargetPlatformIdentifier)' == 'illumos'" Include="illumos" />
     <SupportedPlatform Condition="'$(TargetPlatformIdentifier)' == 'solaris'" Include="Solaris" />
     <SupportedPlatform Condition="'$(TargetPlatformIdentifier)' == 'haiku'" Include="Haiku" />

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>$(NetCoreAppCurrent)-windows;$(NetCoreAppCurrent)-linux;$(NetCoreAppCurrent)-freebsd;$(NetCoreAppCurrent)-haiku;$(NetCoreAppCurrent)-android;$(NetCoreAppCurrent)-osx;$(NetCoreAppCurrent)-ios;$(NetCoreAppCurrent)-tvos;$(NetCoreAppCurrent)</TargetFrameworks>
+    <TargetFrameworks>$(NetCoreAppCurrent)-windows;$(NetCoreAppCurrent)-linux;$(NetCoreAppCurrent)-freebsd;$(NetCoreAppCurrent)-openbsd;$(NetCoreAppCurrent)-haiku;$(NetCoreAppCurrent)-android;$(NetCoreAppCurrent)-osx;$(NetCoreAppCurrent)-ios;$(NetCoreAppCurrent)-tvos;$(NetCoreAppCurrent)</TargetFrameworks>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <!-- This is needed so that code for TlsCipherSuite will have no namespace (causes compile errors) when used within T4 template  -->
     <DefineConstants>$(DefineConstants);PRODUCT</DefineConstants>

src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.ManagedSpnego.cs

@@ -182,7 +182,18 @@ private IEnumerable<KeyValuePair<string, string>> EnumerateMechanisms()
                                                 mechBlob = null;
                                                 _optimisticMechanism?.Dispose();
                                                 _optimisticMechanism = null;
-                                                if (statusCode != NegotiateAuthenticationStatusCode.Unsupported)
+
+                                                // When an optimistic mechanism (e.g. Kerberos) is unavailable, fall
+                                                // back to the next offered mechanism (NTLM) instead of failing the
+                                                // whole exchange. NTLM is always the last mechanism, so a fallback is
+                                                // only attempted when another mechanism follows. On OpenBSD the GSS-API
+                                                // (Heimdal) reports a missing Kerberos TGT as UnknownCredentials rather
+                                                // than Unsupported, so that status is also treated as recoverable there.
+                                                bool canFallBackToNextMechanism = packageAndOid.Key != NegotiationInfoClass.NTLM;
+                                                bool isRecoverableOptimisticFailure =
+                                                    statusCode == NegotiateAuthenticationStatusCode.Unsupported ||
+                                                    (LocalAppContextSwitches.IsOpenBsd && statusCode == NegotiateAuthenticationStatusCode.UnknownCredentials);
+                                                if (!canFallBackToNextMechanism || !isRecoverableOptimisticFailure)
                                                 {
                                                     return null;
                                                 }

src/libraries/System.Net.Security/src/System/Net/Security/LocalAppContextSwitches.cs

@@ -9,6 +9,10 @@ namespace System
 {
     internal static partial class LocalAppContextSwitches
     {
+        // OpenBSD's GSS-API (Heimdal) cannot drive password-based NTLM and reports a
+        // missing Kerberos TGT as a missing credential, so managed NTLM is used there.
+        internal static readonly bool IsOpenBsd = RuntimeInformation.IsOSPlatform(OSPlatform.Create("OPENBSD"));
+
         private static int s_disableTlsResume;
         internal static bool DisableTlsResume
         {
@@ -38,6 +42,7 @@ internal static bool UseManagedNtlm
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get => GetCachedSwitchValue("System.Net.Security.UseManagedNtlm", ref s_useManagedNtlm,
                 defaultValue: OperatingSystem.IsMacOS() || OperatingSystem.IsIOS() || OperatingSystem.IsMacCatalyst() ||
+                IsOpenBsd ||
                 (OperatingSystem.IsLinux() && RuntimeInformation.RuntimeIdentifier.StartsWith("linux-bionic-", StringComparison.OrdinalIgnoreCase)));
         }
 #endif

src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs

@@ -26,8 +26,8 @@ internal static class TestConfiguration
         public const string NtlmUserFilePath = "/var/tmp/ntlm_user_file";
 
         public static bool SupportsNullEncryption { get { return s_supportsNullEncryption.Value; } }
-        public static bool SupportsHandshakeAlerts { get { return OperatingSystem.IsLinux() || OperatingSystem.IsWindows() || OperatingSystem.IsFreeBSD(); } }
-        public static bool SupportsRenegotiation { get { return OperatingSystem.IsWindows() || ((OperatingSystem.IsLinux() || OperatingSystem.IsFreeBSD()) && PlatformDetection.OpenSslVersion >= new Version(1, 1, 1)); } }
+        public static bool SupportsHandshakeAlerts { get { return OperatingSystem.IsLinux() || OperatingSystem.IsWindows() || OperatingSystem.IsFreeBSD() || RuntimeInformation.IsOSPlatform(OSPlatform.Create("OPENBSD")); } }
+        public static bool SupportsRenegotiation { get { return OperatingSystem.IsWindows() || ((OperatingSystem.IsLinux() || OperatingSystem.IsFreeBSD() || RuntimeInformation.IsOSPlatform(OSPlatform.Create("OPENBSD"))) && PlatformDetection.OpenSslVersion >= new Version(1, 1, 1)); } }
 
         public static readonly X509Certificate2 ServerCertificate = System.Net.Test.Common.Configuration.Certificates.GetServerCertificate();