refactor to be used as part of HttpsConnectionMiddleware

Author: DeagleGross

src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs

@@ -5,7 +5,6 @@
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
-using Microsoft.AspNetCore.Server.Kestrel.Core.Middleware;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 using Microsoft.Extensions.DependencyInjection;
@@ -198,15 +197,6 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConn
         listenOptions.IsTls = true;
         listenOptions.HttpsOptions = httpsOptions;
 
-        if (httpsOptions.TlsClientHelloBytesCallback is not null)
-        {
-            listenOptions.Use(next =>
-            {
-                var middleware = new TlsListenerMiddleware(next, httpsOptions.TlsClientHelloBytesCallback);
-                return middleware.OnTlsClientHelloAsync;
-            });
-        }
-
         listenOptions.Use(next =>
         {
             var middleware = new HttpsConnectionMiddleware(next, httpsOptions, listenOptions.Protocols, loggerFactory, metrics);

src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs

@@ -17,6 +17,7 @@
 using Microsoft.AspNetCore.Server.Kestrel.Core.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
+using Microsoft.AspNetCore.Server.Kestrel.Core.Middleware;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 
@@ -44,6 +45,9 @@ internal sealed class HttpsConnectionMiddleware
     private readonly Func<TlsHandshakeCallbackContext, ValueTask<SslServerAuthenticationOptions>>? _tlsCallbackOptions;
     private readonly object? _tlsCallbackOptionsState;
 
+    // Captures raw TLS client hello and invokes a user callback if any
+    private readonly TlsListener? _tlsListener;
+
     // Internal for testing
     internal readonly HttpProtocols _httpProtocols;
 
@@ -112,6 +116,11 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
             (RemoteCertificateValidationCallback?)null : RemoteCertificateValidationCallback;
 
         _sslStreamFactory = s => new SslStream(s, leaveInnerStreamOpen: false, userCertificateValidationCallback: remoteCertificateValidationCallback);
+
+        if (options.TlsClientHelloBytesCallback is not null)
+        {
+            _tlsListener = new TlsListener(options.TlsClientHelloBytesCallback);
+        }
     }
 
     internal HttpsConnectionMiddleware(
@@ -162,6 +171,10 @@ public async Task OnConnectionAsync(ConnectionContext context)
             using var cancellationTokenSource = _ctsPool.Rent();
             cancellationTokenSource.CancelAfter(_handshakeTimeout);
 
+            if (_tlsListener is not null)
+            {
+                await _tlsListener.OnTlsClientHelloAsync(context, cancellationTokenSource.Token);
+            }
             if (_tlsCallbackOptions is null)
             {
                 await DoOptionsBasedHandshakeAsync(context, sslStream, feature, cancellationTokenSource.Token);

src/Servers/Kestrel/Core/src/Middleware/TlsListenerMiddleware.cs renamed to src/Servers/Kestrel/Core/src/Middleware/TlsListener.cs

@@ -7,28 +7,26 @@
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Middleware;
 
-internal sealed class TlsListenerMiddleware
+internal sealed class TlsListener
 {
-    private readonly ConnectionDelegate _next;
     private readonly Action<ConnectionContext, ReadOnlySequence<byte>> _tlsClientHelloBytesCallback;
 
-    public TlsListenerMiddleware(ConnectionDelegate next, Action<ConnectionContext, ReadOnlySequence<byte>> tlsClientHelloBytesCallback)
+    public TlsListener(Action<ConnectionContext, ReadOnlySequence<byte>> tlsClientHelloBytesCallback)
     {
-        _next = next;
         _tlsClientHelloBytesCallback = tlsClientHelloBytesCallback;
     }
 
     /// <summary>
     /// Sniffs the TLS Client Hello message, and invokes a callback if found.
     /// </summary>
-    internal async Task OnTlsClientHelloAsync(ConnectionContext connection)
+    internal async Task OnTlsClientHelloAsync(ConnectionContext connection, CancellationToken cancellationToken)
     {
         var input = connection.Transport.Input;
         ClientHelloParseState parseState = ClientHelloParseState.NotEnoughData;
 
         while (true)
         {
-            var result = await input.ReadAsync();
+            var result = await input.ReadAsync(cancellationToken);
             var buffer = result.Buffer;
 
             try
@@ -74,8 +72,6 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection)
                 }
             }
         }
-
-        await _next(connection);
     }
 
     /// <summary>

src/Servers/Kestrel/Core/test/TlsListenerMiddlewareTests.cs

@@ -66,34 +66,21 @@ public async Task RunTlsClientHelloCallbackTest_DeterministicallyReads()
         var transport = new DuplexPipe(reader, writer);
         var transportConnection = new DefaultConnectionContext("test", transport, transport);
 
-        var nextMiddlewareInvoked = false;
         var tlsClientHelloCallbackInvoked = false;
-
-        var middleware = new TlsListenerMiddleware(
-            next: ctx =>
-            {
-                nextMiddlewareInvoked = true;
-                var readResult = ctx.Transport.Input.ReadAsync();
-                Assert.Equal(5, readResult.Result.Buffer.Length);
-
-                return Task.CompletedTask;
-            },
-            tlsClientHelloBytesCallback: (ctx, data) =>
-            {
-                tlsClientHelloCallbackInvoked = true;
-            }
-        );
+        var middleware = new TlsListener((ctx, data) => { tlsClientHelloCallbackInvoked = true; });
 
         await writer.WriteAsync(new byte[1] { 0x16 });
-        var middlewareTask = middleware.OnTlsClientHelloAsync(transportConnection);
+        var middlewareTask = middleware.OnTlsClientHelloAsync(transportConnection, CancellationToken.None);
         await writer.WriteAsync(new byte[2] { 0x03, 0x01 });
         await writer.WriteAsync(new byte[2] { 0x00, 0x20 });
         await writer.CompleteAsync();
 
         await middlewareTask;
-        Assert.True(nextMiddlewareInvoked);
         Assert.False(tlsClientHelloCallbackInvoked);
 
+        var readResult = await reader.ReadAsync();
+        Assert.Equal(5, readResult.Buffer.Length);
+
         // ensuring that we have read limited number of times
         Assert.True(reader.ReadAsyncCounter is >= 2 && reader.ReadAsyncCounter is <= 4,
             $"Expected ReadAsync() to happen about 2-4 times. Actually happened {reader.ReadAsyncCounter} times.");
@@ -110,23 +97,11 @@ private async Task RunTlsClientHelloCallbackTest_WithMultipleSegments(
         var transport = new DuplexPipe(pipe.Reader, writer);
         var transportConnection = new DefaultConnectionContext("test", transport, transport);
 
-        var nextMiddlewareInvokedActual = false;
         var tlsClientHelloCallbackActual = false;
 
         var fullLength = packets.Sum(p => p.Length);
 
-        var middleware = new TlsListenerMiddleware(
-            next: ctx =>
-            {
-                nextMiddlewareInvokedActual = true;
-                if (tlsClientHelloCallbackActual)
-                {
-                    var readResult = ctx.Transport.Input.ReadAsync();
-                    Assert.Equal(fullLength, readResult.Result.Buffer.Length);
-                }
-
-                return Task.CompletedTask;
-            },
+        var middleware = new TlsListener(
             tlsClientHelloBytesCallback: (ctx, data) =>
             {
                 tlsClientHelloCallbackActual = true;
@@ -139,9 +114,8 @@ private async Task RunTlsClientHelloCallbackTest_WithMultipleSegments(
 
         // write first packet
         await writer.WriteAsync(packets[0]);
-        var middlewareTask = middleware.OnTlsClientHelloAsync(transportConnection);
+        var middlewareTask = middleware.OnTlsClientHelloAsync(transportConnection, CancellationToken.None);
 
-        
         /* It is a race condition (middleware's loop and writes here).
          * We don't know specifically how many packets will be read by middleware's loop
          * (possibly there are even 2 packets - the first and all others combined).
@@ -156,8 +130,13 @@ private async Task RunTlsClientHelloCallbackTest_WithMultipleSegments(
         await writer.CompleteAsync();
         await middlewareTask;
 
-        Assert.True(nextMiddlewareInvokedActual);
         Assert.Equal(tlsClientHelloCallbackExpected, tlsClientHelloCallbackActual);
+
+        if (tlsClientHelloCallbackActual)
+        {
+            var readResult = await pipe.Reader.ReadAsync();
+            Assert.Equal(fullLength, readResult.Buffer.Length);
+        }
     }
 
     private async Task RunTlsClientHelloCallbackTest(
@@ -171,18 +150,9 @@ private async Task RunTlsClientHelloCallbackTest(
         var transport = new DuplexPipe(pipe.Reader, writer);
         var transportConnection = new DefaultConnectionContext("test", transport, transport);
 
-        var nextMiddlewareInvokedActual = false;
         var tlsClientHelloCallbackActual = false;
 
-        var middleware = new TlsListenerMiddleware(
-            next: ctx =>
-            {
-                nextMiddlewareInvokedActual = true;
-                var readResult = ctx.Transport.Input.ReadAsync();
-                Assert.Equal(packetBytes.Length, readResult.Result.Buffer.Length);
-
-                return Task.CompletedTask;
-            },
+        var middleware = new TlsListener(
             tlsClientHelloBytesCallback: (ctx, data) =>
             {
                 tlsClientHelloCallbackActual = true;
@@ -197,10 +167,12 @@ private async Task RunTlsClientHelloCallbackTest(
         await writer.CompleteAsync();
 
         // call middleware and expect a callback
-        await middleware.OnTlsClientHelloAsync(transportConnection);
+        await middleware.OnTlsClientHelloAsync(transportConnection, CancellationToken.None);
 
-        Assert.True(nextMiddlewareInvokedActual);
         Assert.Equal(tlsClientHelloCallbackExpected, tlsClientHelloCallbackActual);
+
+        var readResult = await pipe.Reader.ReadAsync();
+        Assert.Equal(packetBytes.Length, readResult.Buffer.Length);
     }
 
     public static IEnumerable<object[]> ValidClientHelloData()