Conversation

rzikm
Member

@rzikm rzikm commented Jul 8, 2025

Replaces #117016.

The goal is to integrate the new NetworkFramework to support client-side TLS 1.3 on OSX to unblock developers working on OSX. The feature is gated behind one of the following:

  • System.Net.Security.UseNetworkFramework AppCtx switch
  • DOTNET_SYSTEM_NET_SECURITY_USENETWORKFRAMEWORK environment variable
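The following is an added example, not code from the PR or from dotnet/runtime, showing how a client opts in to the Network.framework backend described above and checks that TLS 1.3 was actually negotiated. It assumes that the `System.Net.Security.UseNetworkFramework` switch is read once and therefore must be set before the first `SslStream` is created, that the environment variable accepts `1` as its value, and it uses a placeholder host name; `Tls13Probe` and `host` are names chosen for this example.

```csharp
// Added example (not part of the PR): opt in to the Network.framework TLS
// backend on macOS and confirm that the negotiated protocol is TLS 1.3.
// Assumptions: the AppContext switch is read once, so it is set before the
// first SslStream is created; the default host name is a placeholder.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

static class Tls13Probe
{
    static async Task<int> Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.invalid"; // placeholder

        // Equivalent to running with DOTNET_SYSTEM_NET_SECURITY_USENETWORKFRAMEWORK=1
        // in the environment (assumed value); either form selects the new backend.
        AppContext.SetSwitch("System.Net.Security.UseNetworkFramework", true);

        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, 443);
        await using var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);

        try
        {
            await tls.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
            {
                TargetHost = host,
                // Pin the client to TLS 1.3 so a backend without TLS 1.3 support
                // fails the handshake instead of silently falling back to 1.2.
                EnabledSslProtocols = SslProtocols.Tls13,
            });
        }
        catch (AuthenticationException ex)
        {
            // On the SecureTransport path this is the expected outcome, since
            // that backend has no TLS 1.3 client support.
            Console.Error.WriteLine($"Handshake failed: {ex.Message}");
            return 2;
        }

        Console.WriteLine($"Negotiated {tls.SslProtocol} with {tls.NegotiatedCipherSuite}");
        return tls.SslProtocol == SslProtocols.Tls13 ? 0 : 1;
    }
}
```

Run it as `dotnet run -- <host>`; exit code 0 means TLS 1.3 was negotiated, 2 means the handshake was rejected, which is the signal that the Network.framework path was not selected or the peer does not offer TLS 1.3. Restricting `EnabledSslProtocols` is the check that matters: without it the default policy will negotiate TLS 1.2 on the old backend and the probe would report success for the wrong reason.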

liveans and others added 30 commits June 16, 2025 19:54
@rzikm rzikm requested a review from MichalStrehovsky as a code owner July 14, 2025 15:29
@rzikm
Member Author

rzikm commented Jul 14, 2025

Removing WIP status as we are getting stable. The target is to merge this PR before the end of the week.

@rzikm rzikm changed the title [WIP] TLS 1.3 on OSX support Client-side TLS 1.3 support on OSX Jul 14, 2025
@liveans liveans requested a review from Copilot July 14, 2025 15:45
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

Integrates Network.framework for client-side TLS 1.3 on macOS, selectable via an AppContext switch or environment variable

  • Link the Network framework in build scripts (CMake, MSBuild, extra_libs.cmake)
  • Introduce a pal_networkframework native module and wire it up through new C# PAL types (SafeDeleteNwContext, interop)
  • Extend SslStream to choose between SecureTransport and Network.framework paths and update functional tests to skip or adapt when using Network.framework

Reviewed Changes

Copilot reviewed 37 out of 38 changed files in this pull request and generated no comments.

Summary per file:

  • src/tasks/LibraryBuilder/Templates/CMakeLists.txt.template: Link Network framework for library builds
  • src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template: Link Network framework for app builder
  • src/tasks/AppleAppBuilder/Templates/CMakeLists-librarymode.txt.template: Link Network framework in library mode
  • src/native/libs/System.Security.Cryptography.Native.Apple/pal_ssl.h: Change hostname-match API to accept a SecTrustRef
  • src/native/libs/System.Security.Cryptography.Native.Apple/pal_ssl.c: Adapt hostname-match implementation to use the passed-in trust
  • src/native/libs/System.Security.Cryptography.Native.Apple/pal_networkframework.m: Add Network.framework-based TLS I/O implementation
  • src/native/libs/System.Security.Cryptography.Native.Apple/pal_networkframework.h: Declare PAL APIs for Network.framework
  • src/native/libs/System.Security.Cryptography.Native.Apple/extra_libs.cmake: Include Network library in extra linking
  • src/native/libs/System.Security.Cryptography.Native.Apple/entrypoints.c: Export new Network.framework entry points
  • src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt: Add pal_networkframework.m to native sources
  • src/mono/msbuild/apple/build/AppleBuild.targets: Link Network framework in Mono MSBuild targets
  • src/libraries/System.Net.Security/tests/FunctionalTests/*.cs: Update tests to skip or adapt when Network.framework is enabled
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs: Expose custom-alert capability on Windows
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs: Expose custom-alert capability on Unix
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs: Extend PAL to detect and route to Network.framework contexts
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs: Expose custom-alert capability on Android
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs: Add gating logic and async context selection
  • src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs: Support async read/write via Network.framework context
  • src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.OSX.cs: Handle connection info for both PAL contexts
  • src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs: Refactor status codes to use Interop.AppleCrypto.OSStatus
  • src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteNwContext.cs: Implement SafeDeleteNwContext for Network.framework
  • src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SslProtocolsValidation.cs: Change ValidateContiguous to accept ReadOnlySpan<SslProtocols>
  • src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs: Use SecTrustRef for hostname validation in both contexts
  • src/libraries/System.Net.Security/src/System.Net.Security.csproj: Define TARGET_APPLE and include new interop files
  • src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs: Add detection for Network.framework and TLS 1.3 client/server support
  • src/libraries/Common/src/System/Net/ReadWriteAdapter.cs: Extend IReadWriteAdapter with Task/ValueTask overloads
  • src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.Ssl.cs: Update p/invoke for the new hostname-match signature
  • src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.OSStatus.cs: Add OSStatus constants for native error mapping
  • src/libraries/Common/src/Interop/OSX/Interop.NetworkFramework.cs: Declare basic Network.framework interop and error handling
  • src/libraries/Common/src/Interop/OSX/Interop.NetworkFramework.Tls.cs: Declare TLS entry points for the Network.framework shim
  • src/libraries/Common/src/Interop/OSX/Interop.Libraries.cs: Add NetworkFramework library constant
  • src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets: Link Network framework in NativeAOT Unix builds

Comments suppressed due to low confidence (2)

src/native/libs/System.Security.Cryptography.Native.Apple/pal_networkframework.m:1

  • The new Network.framework integration layer is extensive but currently has no direct unit or functional tests; adding tests for handshake, send/receive, and error paths on macOS would help validate this feature.
// Licensed to the .NET Foundation under one or more agreements.

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.OSX.cs:4

  • The using directives for System.IO, System.Threading, and System.Threading.Tasks appear unused in this file; consider removing them to reduce clutter.
using System.IO;

Member

@wfurt wfurt left a comment

LGTM. This is a big milestone.

@rzikm
Member Author

rzikm commented Jul 17, 2025

/ba-g WASM failures are unrelated, Linux failures are unrelated
