correctly retry access

Author: DeagleGross

src/Servers/Connections.Abstractions/src/Features/ITlsFingerprintingFeature.cs renamed to src/Servers/Connections.Abstractions/src/Features/ITlsAccessFeature.cs

@@ -13,12 +13,12 @@
 namespace Microsoft.AspNetCore.Connections.Features;
 
 /// <summary>
-/// Represents the details about the TLS fingerprinting.
+/// Allows to access underlying TLS data.
 /// </summary>
-public interface ITlsFingerprintingFeature
+public interface ITlsAccessFeature
 {
     /// <summary>
-    /// Returns the TLS client hello details, if any.
+    /// Returns the raw bytes of TLS client hello message.
     /// </summary>
-    TLS_CLIENT_HELLO GetTlsClientHello();
+    byte[]? GetTlsClientHelloMessageBytes();
 }

src/Servers/HttpSys/samples/TlsFeaturesObserve/Startup.cs

@@ -21,15 +21,15 @@ public void Configure(IApplicationBuilder app)
         {
             context.Response.ContentType = "text/plain";
 
-            var tlsFingerprintingFeature = context.Features.Get<ITlsFingerprintingFeature>();
+            var tlsFingerprintingFeature = context.Features.Get<ITlsAccessFeature>();
             if (tlsFingerprintingFeature is null)
             {
-                await context.Response.WriteAsync(nameof(ITlsFingerprintingFeature) + " is not resolved from " + nameof(context));
+                await context.Response.WriteAsync(nameof(ITlsAccessFeature) + " is not resolved from " + nameof(context));
                 return;
             }
 
-            var tlsClientHello = tlsFingerprintingFeature.GetTlsClientHello();
-            await context.Response.WriteAsync("TLS CLIENT HELLO: " + tlsClientHello);
+            var tlsClientHello = tlsFingerprintingFeature.GetTlsClientHelloMessageBytes();
+            await context.Response.WriteAsync("TLS CLIENT HELLO: bytearray.len=" + tlsClientHello.Length);
         });
     }
 }

src/Servers/HttpSys/src/RequestProcessing/Request.cs

@@ -339,7 +339,10 @@ private AspNetCore.HttpSys.Internal.SocketAddress LocalEndPoint
 
     public SslProtocols Protocol { get; private set; }
 
-    public TLS_CLIENT_HELLO TlsClientHelloMessage { get; private set; }
+    /// <summary>
+    /// Raw bytes of TLS client hello message
+    /// </summary>
+    public byte[]? TlsClientHelloMessageBytes { get; private set; }
 
     [Obsolete(Obsoletions.RuntimeTlsCipherAlgorithmEnumsMessage, DiagnosticId = Obsoletions.RuntimeTlsCipherAlgorithmEnumsDiagId, UrlFormat = Obsoletions.RuntimeSharedUrlFormat)]
     public CipherAlgorithmType CipherAlgorithm { get; private set; }
@@ -378,7 +381,7 @@ private void GetTlsHandshakeResults()
 
     private void ParseTlsClientHello()
     {
-        TlsClientHelloMessage = RequestContext.TryGetTlsClientHello();
+        TlsClientHelloMessageBytes = RequestContext.GetTlsClientHelloMessageBytes();
     }
 
     public X509Certificate2? ClientCertificate

src/Servers/HttpSys/src/RequestProcessing/RequestContext.FeatureCollection.cs

@@ -8,7 +8,6 @@
 using System.Security.Authentication;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
-using Microsoft.AspNetCore.Connections.Abstractions.TLS;
 using Microsoft.AspNetCore.Connections.Features;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
@@ -25,7 +24,7 @@ internal partial class RequestContext :
     IHttpResponseBodyFeature,
     ITlsConnectionFeature,
     ITlsHandshakeFeature,
-    ITlsFingerprintingFeature,
+    ITlsAccessFeature,
     // ITlsTokenBindingFeature, TODO: https://github.com/aspnet/HttpSysServer/issues/231
     IHttpRequestLifetimeFeature,
     IHttpAuthenticationFeature,
@@ -384,7 +383,7 @@ string IHttpConnectionFeature.ConnectionId
         return Request.IsHttps ? this : null;
     }
 
-    internal ITlsFingerprintingFeature? GetTlsFingerprintingFeature()
+    internal ITlsAccessFeature? GetTlsFingerprintingFeature()
     {
         return Request.IsHttps ? this : null;
     }
@@ -599,9 +598,9 @@ bool IHttpBodyControlFeature.AllowSynchronousIO
 
     SslProtocols ITlsHandshakeFeature.Protocol => Request.Protocol;
 
-    TLS_CLIENT_HELLO ITlsFingerprintingFeature.GetTlsClientHello()
+    byte[]? ITlsAccessFeature.GetTlsClientHelloMessageBytes()
     {
-        return Request.TlsClientHelloMessage;
+        return Request.TlsClientHelloMessageBytes;
     }
 
 #pragma warning disable SYSLIB0058 // Type or member is obsolete

src/Servers/HttpSys/src/RequestProcessing/RequestContext.Log.cs

@@ -23,8 +23,5 @@ private static partial class Log
 
         [LoggerMessage(LoggerEventIds.RequestParsingError, LogLevel.Debug, "Failed to invoke QueryTlsClientHello.", EventName = "TlsClientHelloRetrieveError")]
         public static partial void TlsClientHelloRetrieveError(ILogger logger, string message);
-
-        [LoggerMessage(LoggerEventIds.RequestParsingError, LogLevel.Debug, "Failed to parse TLS client hello message.", EventName = "TlsClientHelloParseError")]
-        public static partial void TlsClientHelloParseError(ILogger logger, Exception exception);
     }
 }

src/Servers/HttpSys/src/RequestProcessing/RequestContext.cs

@@ -3,9 +3,7 @@
 
 using System.Buffers;
 using System.Runtime.InteropServices;
-using System.Security.Authentication;
 using System.Security.Principal;
-using Microsoft.AspNetCore.Connections.Abstractions.TLS;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpSys.Internal;
 using Microsoft.AspNetCore.WebUtilities;
@@ -222,7 +220,11 @@ internal void ForceCancelRequest()
         }
     }
 
-    internal unsafe TLS_CLIENT_HELLO TryGetTlsClientHello()
+    /// <summary>
+    /// Attempts to get the client hello message bytes from the http.sys.
+    /// If not successful, will return `null`
+    /// </summary>
+    internal unsafe byte[]? GetTlsClientHelloMessageBytes()
     {
         if (!HttpApi.HttpGetRequestPropertySupported)
         {
@@ -231,84 +233,63 @@ internal unsafe TLS_CLIENT_HELLO TryGetTlsClientHello()
 
         uint bytesReturnedValue = 0;
         uint* bytesReturned = &bytesReturnedValue;
+        uint statusCode;
 
-        var buffer = new byte[256];
+        var buffer = ArrayPool<byte>.Shared.Rent(256);
         try
         {
             fixed (byte* pBuffer = buffer)
             {
-                var statusCode = HttpApi.HttpGetRequestProperty(
-                    Server.RequestQueue.Handle,
-                    RequestId,
+                statusCode = HttpApi.HttpGetRequestProperty(
+                    Server.RequestQueue.Handle, RequestId,
                     11 /* HTTP_REQUEST_PROPERTY.HttpRequestPropertyTlsClientHello  */,
-                    qualifier: null,
-                    qualifierSize: 0,
-                    pBuffer,
-                    (uint)buffer.Length,
-                    bytesReturned: (IntPtr)bytesReturned,
-                    IntPtr.Zero);
-
-                if (statusCode is ErrorCodes.ERROR_MORE_DATA or ErrorCodes.ERROR_INSUFFICIENT_BUFFER)
+                    qualifier: null, qualifierSize: 0,
+                    pBuffer, (uint)buffer.Length,
+                    bytesReturned: (IntPtr)bytesReturned, IntPtr.Zero);
+
+                if (statusCode is ErrorCodes.ERROR_SUCCESS)
                 {
-                    // The buffer is too small, we need to allocate a larger one.
-                    // Firstly, return the initial buffer to not leak
-                    // ArrayPool<byte>.Shared.Return(buffer);
+                    return buffer.AsSpan().ToArray();
+                }
+            }
+        }
+        finally
+        {
+            ArrayPool<byte>.Shared.Return(buffer);
+        }
 
-                    // then reallocate the buffer of size as `bytesReturned`
-                    buffer = new byte[(int)bytesReturned];
+        // if buffer supplied is too small, `bytesReturned` will have proper size
+        // so retry should succeed with the properly allocated buffer
+        if (statusCode is ErrorCodes.ERROR_MORE_DATA or ErrorCodes.ERROR_INSUFFICIENT_BUFFER)
+        {
+            try
+            {
+                var correctSize = (int)bytesReturnedValue;
+                buffer = ArrayPool<byte>.Shared.Rent(correctSize);
 
-                    // and try again!
+                fixed (byte* pBuffer = buffer)
+                {
                     statusCode = HttpApi.HttpGetRequestProperty(
-                        Server.RequestQueue.Handle,
-                        RequestId,
+                        Server.RequestQueue.Handle, RequestId,
                         11 /* HTTP_REQUEST_PROPERTY.HttpRequestPropertyTlsClientHello  */,
-                        qualifier: null,
-                        qualifierSize: 0,
-                        pBuffer,
-                        (uint)buffer.Length,
-                        bytesReturned: (IntPtr)bytesReturned,
-                        IntPtr.Zero);
-                }
+                        qualifier: null, qualifierSize: 0,
+                        pBuffer, (uint)buffer.Length,
+                        bytesReturned: (IntPtr)bytesReturned, IntPtr.Zero);
 
-                if (statusCode == ErrorCodes.ERROR_SUCCESS)
-                {
-                    try
-                    {
-                        var tlsMajorVersion = pBuffer[1];
-                        var tlsMinorVersion = pBuffer[2];
-
-                        return new TLS_CLIENT_HELLO
-                        {
-                            ProtocolVersion = tlsMinorVersion switch
-                            {
-                                4 => SslProtocols.Tls13,
-                                3 => SslProtocols.Tls12,
-#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
-                                2 => SslProtocols.Tls11,
-                                1 => SslProtocols.Tls,
-#pragma warning restore SYSLIB0039
-#pragma warning disable CS0618 // Type or member is obsolete
-                                0 => SslProtocols.Ssl3,
-#pragma warning restore CS0618 // Type or member is obsolete
-                                _ => SslProtocols.None,
-                            }
-                        };
-                    }
-                    catch (Exception ex)
+                    if (statusCode is ErrorCodes.ERROR_SUCCESS)
                     {
-                        Log.TlsClientHelloParseError(Logger, ex);
+                        return buffer.AsSpan(0, correctSize).ToArray();
                     }
                 }
-
-                // if not returned here, we got a non-success status code
-                Log.TlsClientHelloRetrieveError(Logger, "Status code: " + statusCode);
-                return default;
+            }
+            finally
+            {
+                ArrayPool<byte>.Shared.Return(buffer);
             }
         }
-        finally
-        {
-            ArrayPool<byte>.Shared.Return(buffer);
-        }
+
+        Log.TlsClientHelloRetrieveError(Logger, "Status code: " + statusCode);
+        return default;
     }
 
     internal unsafe HTTP_REQUEST_PROPERTY_SNI GetClientSni()

src/Servers/HttpSys/src/StandardFeatureCollection.cs

@@ -19,7 +19,7 @@ internal sealed class StandardFeatureCollection : IFeatureCollection
         { typeof(IHttpResponseFeature), _identityFunc },
         { typeof(IHttpResponseBodyFeature), _identityFunc },
         { typeof(ITlsConnectionFeature), ctx => ctx.GetTlsConnectionFeature() },
-        { typeof(ITlsFingerprintingFeature), ctx => ctx.GetTlsFingerprintingFeature() },
+        { typeof(ITlsAccessFeature), ctx => ctx.GetTlsFingerprintingFeature() },
         { typeof(IHttpRequestLifetimeFeature), _identityFunc },
         { typeof(IHttpAuthenticationFeature), _identityFunc },
         { typeof(IHttpRequestIdentifierFeature), _identityFunc },