fetch TLS client hello message from HTTP.SYS (#61494)

* setup for tls clinet hello exposure

* correctly retry access

* last minute changes

* fix warnings

* hook up tls client hello callback

* fix warnings & publish API

* minimal

* only go via callback if options has callback set; remove unused

* PR review

* address PR comments x1

* TTL & evict approach

* address comments 1

* periodic timer

* address comments x3

* TryAdd

* make a static field (just in case)

* Cache updates

* test

* whitespace

* clear array

* appcontext

* fb

* bp changes

* Update src/Servers/HttpSys/src/RequestProcessing/RequestContext.cs

Co-authored-by: Aditya Mandaleeka <[email protected]>

---------

Co-authored-by: Dmitrii Korolev <[email protected]>
Co-authored-by: Aditya Mandaleeka <[email protected]>

Author: 3 people

AspNetCore.sln

@@ -1784,6 +1784,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "NotReferencedInWasmCodePack
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Components.WasmRemoteAuthentication", "src\Components\test\testassets\Components.WasmRemoteAuthentication\Components.WasmRemoteAuthentication.csproj", "{8A021D6D-7935-4AB3-BB47-38D4FF9B0D13}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TlsFeaturesObserve", "src\Servers\HttpSys\samples\TlsFeaturesObserve\TlsFeaturesObserve.csproj", "{98C71EC8-1303-F55D-4032-E6728971770E}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -10753,6 +10755,22 @@ Global
 		{8A021D6D-7935-4AB3-BB47-38D4FF9B0D13}.Release|x64.Build.0 = Release|Any CPU
 		{8A021D6D-7935-4AB3-BB47-38D4FF9B0D13}.Release|x86.ActiveCfg = Release|Any CPU
 		{8A021D6D-7935-4AB3-BB47-38D4FF9B0D13}.Release|x86.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|arm64.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x64.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x86.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|arm64.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|arm64.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x64.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x64.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x86.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -11634,6 +11652,7 @@ Global
 		{F232B503-D412-45EE-8B31-EFD46B9FA302} = {AA5ABFBC-177C-421E-B743-005E0FD1248B}
 		{433F91E4-E39D-4EB0-B798-2998B3969A2C} = {6126DCE4-9692-4EE2-B240-C65743572995}
 		{8A021D6D-7935-4AB3-BB47-38D4FF9B0D13} = {6126DCE4-9692-4EE2-B240-C65743572995}
+		{98C71EC8-1303-F55D-4032-E6728971770E} = {49016328-4D32-46E4-A4D2-94686ED38EA2}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3E8720B3-DBDD-498C-B383-2CC32A054E8F}

src/Servers/HttpSys/HttpSysServer.slnf

@@ -37,6 +37,7 @@
       "src\\Servers\\HttpSys\\samples\\QueueSharing\\QueueSharing.csproj",
       "src\\Servers\\HttpSys\\samples\\SelfHostServer\\SelfHostServer.csproj",
       "src\\Servers\\HttpSys\\samples\\TestClient\\TestClient.csproj",
+      "src\\Servers\\HttpSys\\samples\\TlsFeaturesObserve\\TlsFeaturesObserve.csproj",
       "src\\Servers\\HttpSys\\src\\Microsoft.AspNetCore.Server.HttpSys.csproj",
       "src\\Servers\\HttpSys\\test\\FunctionalTests\\Microsoft.AspNetCore.Server.HttpSys.FunctionalTests.csproj",
       "src\\Servers\\HttpSys\\test\\NonHelixTests\\Microsoft.AspNetCore.Server.HttpSys.NonHelixTests.csproj",
@@ -53,4 +54,4 @@
       "src\\WebEncoders\\src\\Microsoft.Extensions.WebEncoders.csproj"
     ]
   }
-}
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/HttpSys/HttpSysConfigurator.cs

@@ -0,0 +1,123 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Net;
+using System.Runtime.InteropServices;
+
+namespace TlsFeaturesObserve.HttpSys;
+
+internal static class HttpSysConfigurator
+{
+    const uint HTTP_INITIALIZE_CONFIG = 0x00000002;
+    const uint ERROR_ALREADY_EXISTS = 183;
+
+    static readonly HTTPAPI_VERSION HttpApiVersion = new HTTPAPI_VERSION(1, 0);
+
+    internal static void ConfigureCacheTlsClientHello()
+    {
+        // Arbitrarily chosen port, but must match the port used in the web server. Via UrlPrefixes or launchsettings.
+        var ipPort = new IPEndPoint(new IPAddress([0, 0, 0, 0]), 6000);
+        var certThumbprint = "" /* your cert thumbprint here */;
+        var appId = Guid.NewGuid();
+        var sslCertStoreName = "My";
+
+        CallHttpApi(() => SetConfiguration(ipPort, certThumbprint, appId, sslCertStoreName));
+    }
+
+    static void SetConfiguration(IPEndPoint ipPort, string certThumbprint, Guid appId, string sslCertStoreName)
+    {
+        var sockAddrHandle = CreateSockaddrStructure(ipPort);
+        var pIpPort = sockAddrHandle.AddrOfPinnedObject();
+        var httpServiceConfigSslKey = new HTTP_SERVICE_CONFIG_SSL_KEY(pIpPort);
+
+        var hash = GetHash(certThumbprint);
+        var handleHash = GCHandle.Alloc(hash, GCHandleType.Pinned);
+        var configSslParam = new HTTP_SERVICE_CONFIG_SSL_PARAM
+        {
+            AppId = appId,
+            DefaultFlags = 0x00008000 /* HTTP_SERVICE_CONFIG_SSL_FLAG_ENABLE_CACHE_CLIENT_HELLO */,
+            DefaultRevocationFreshnessTime = 0,
+            DefaultRevocationUrlRetrievalTimeout = 15,
+            pSslCertStoreName = sslCertStoreName,
+            pSslHash = handleHash.AddrOfPinnedObject(),
+            SslHashLength = hash.Length,
+            pDefaultSslCtlIdentifier = null,
+            pDefaultSslCtlStoreName = sslCertStoreName
+        };
+
+        var configSslSet = new HTTP_SERVICE_CONFIG_SSL_SET
+        {
+            ParamDesc = configSslParam,
+            KeyDesc = httpServiceConfigSslKey
+        };
+
+        var pInputConfigInfo = Marshal.AllocCoTaskMem(
+            Marshal.SizeOf(typeof(HTTP_SERVICE_CONFIG_SSL_SET)));
+        Marshal.StructureToPtr(configSslSet, pInputConfigInfo, false);
+
+        var status = HttpSetServiceConfiguration(nint.Zero,
+            HTTP_SERVICE_CONFIG_ID.HttpServiceConfigSSLCertInfo,
+            pInputConfigInfo,
+            Marshal.SizeOf(configSslSet),
+            nint.Zero);
+
+        if (status == ERROR_ALREADY_EXISTS || status == 0) // already present or success
+        {
+            Console.WriteLine($"HttpServiceConfiguration is correct");
+        }
+        else
+        {
+            Console.WriteLine("Failed to HttpSetServiceConfiguration: " + status);
+        }
+    }
+
+    static byte[] GetHash(string thumbprint)
+    {
+        var length = thumbprint.Length;
+        var bytes = new byte[length / 2];
+        for (var i = 0; i < length; i += 2)
+        {
+            bytes[i / 2] = Convert.ToByte(thumbprint.Substring(i, 2), 16);
+        }
+
+        return bytes;
+    }
+
+    static GCHandle CreateSockaddrStructure(IPEndPoint ipEndPoint)
+    {
+        var socketAddress = ipEndPoint.Serialize();
+
+        // use an array of bytes instead of the sockaddr structure 
+        var sockAddrStructureBytes = new byte[socketAddress.Size];
+        var sockAddrHandle = GCHandle.Alloc(sockAddrStructureBytes, GCHandleType.Pinned);
+        for (var i = 0; i < socketAddress.Size; ++i)
+        {
+            sockAddrStructureBytes[i] = socketAddress[i];
+        }
+        return sockAddrHandle;
+    }
+
+    static void CallHttpApi(Action body)
+    {
+        const uint flags = HTTP_INITIALIZE_CONFIG;
+        var retVal = HttpInitialize(HttpApiVersion, flags, IntPtr.Zero);
+        body();
+    }
+
+// disabled warning since it is just a sample
+#pragma warning disable SYSLIB1054 // Use 'LibraryImportAttribute' instead of 'DllImportAttribute' to generate P/Invoke marshalling code at compile time
+    [DllImport("httpapi.dll", SetLastError = true)]
+    private static extern uint HttpInitialize(
+            HTTPAPI_VERSION version,
+            uint flags,
+            IntPtr pReserved);
+
+    [DllImport("httpapi.dll", SetLastError = true)]
+    public static extern uint HttpSetServiceConfiguration(
+        nint serviceIntPtr,
+        HTTP_SERVICE_CONFIG_ID configId,
+        nint pConfigInformation,
+        int configInformationLength,
+        nint pOverlapped);
+#pragma warning restore SYSLIB1054 // Use 'LibraryImportAttribute' instead of 'DllImportAttribute' to generate P/Invoke marshalling code at compile time
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/HttpSys/Native.cs

@@ -0,0 +1,97 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace TlsFeaturesObserve.HttpSys;
+
+// Http.Sys types from https://learn.microsoft.com/windows/win32/api/http/
+
+[StructLayout(LayoutKind.Sequential, Pack = 2)]
+public struct HTTPAPI_VERSION
+{
+    public ushort HttpApiMajorVersion;
+    public ushort HttpApiMinorVersion;
+
+    public HTTPAPI_VERSION(ushort majorVersion, ushort minorVersion)
+    {
+        HttpApiMajorVersion = majorVersion;
+        HttpApiMinorVersion = minorVersion;
+    }
+}
+
+public enum HTTP_SERVICE_CONFIG_ID
+{
+    HttpServiceConfigIPListenList = 0,
+    HttpServiceConfigSSLCertInfo,
+    HttpServiceConfigUrlAclInfo,
+    HttpServiceConfigMax
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct HTTP_SERVICE_CONFIG_SSL_SET
+{
+    public HTTP_SERVICE_CONFIG_SSL_KEY KeyDesc;
+    public HTTP_SERVICE_CONFIG_SSL_PARAM ParamDesc;
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct HTTP_SERVICE_CONFIG_SSL_KEY
+{
+    public IntPtr pIpPort;
+
+    public HTTP_SERVICE_CONFIG_SSL_KEY(IntPtr pIpPort)
+    {
+        this.pIpPort = pIpPort;
+    }
+}
+
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+public struct HTTP_SERVICE_CONFIG_SSL_PARAM
+{
+    public int SslHashLength;
+    public IntPtr pSslHash;
+    public Guid AppId;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pSslCertStoreName;
+    public CertCheckModes DefaultCertCheckMode;
+    public int DefaultRevocationFreshnessTime;
+    public int DefaultRevocationUrlRetrievalTimeout;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pDefaultSslCtlIdentifier;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pDefaultSslCtlStoreName;
+    public uint DefaultFlags; // HTTP_SERVICE_CONFIG_SSL_FLAG
+}
+
+[Flags]
+public enum CertCheckModes : uint
+{
+    /// <summary>
+    /// Enables the client certificate revocation check.
+    /// </summary>
+    None = 0,
+
+    /// <summary>
+    /// Client certificate is not to be verified for revocation. 
+    /// </summary>
+    DoNotVerifyCertificateRevocation = 1,
+
+    /// <summary>
+    /// Only cached certificate is to be used the revocation check. 
+    /// </summary>
+    VerifyRevocationWithCachedCertificateOnly = 2,
+
+    /// <summary>
+    /// The RevocationFreshnessTime setting is enabled.
+    /// </summary>
+    EnableRevocationFreshnessTime = 4,
+
+    /// <summary>
+    /// No usage check is to be performed.
+    /// </summary>
+    NoUsageCheck = 0x10000
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/Program.cs

@@ -0,0 +1,69 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Reflection;
+using System.Runtime.InteropServices;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.HttpSys;
+using Microsoft.Extensions.Hosting;
+using TlsFeatureObserve;
+using TlsFeaturesObserve.HttpSys;
+
+HttpSysConfigurator.ConfigureCacheTlsClientHello();
+CreateHostBuilder(args).Build().Run();
+
+static IHostBuilder CreateHostBuilder(string[] args) =>
+    Host.CreateDefaultBuilder(args)
+        .ConfigureWebHost(webBuilder =>
+        {
+            webBuilder.UseStartup<Startup>()
+            .UseHttpSys(options =>
+            {
+                // If you want to use https locally: https://stackoverflow.com/a/51841893
+                options.UrlPrefixes.Add("https://*:6000"); // HTTPS
+
+                options.Authentication.Schemes = AuthenticationSchemes.None;
+                options.Authentication.AllowAnonymous = true;
+
+                var property = typeof(HttpSysOptions).GetProperty("TlsClientHelloBytesCallback", BindingFlags.NonPublic | BindingFlags.Instance);
+                var delegateType = property.PropertyType; // Get the exact delegate type
+
+                // Create a delegate of the correct type
+                var callbackDelegate = Delegate.CreateDelegate(delegateType, typeof(Holder).GetMethod(nameof(Holder.ProcessTlsClientHello), BindingFlags.Static | BindingFlags.Public));
+
+                property?.SetValue(options, callbackDelegate);
+            });
+        });
+
+public static class Holder
+{
+    public static void ProcessTlsClientHello(IFeatureCollection features, ReadOnlySpan<byte> tlsClientHelloBytes)
+    {
+        var httpConnectionFeature = features.Get<IHttpConnectionFeature>();
+
+        var myTlsFeature = new MyTlsFeature(
+            connectionId: httpConnectionFeature.ConnectionId,
+            tlsClientHelloLength: tlsClientHelloBytes.Length);
+
+        features.Set<IMyTlsFeature>(myTlsFeature);
+    }
+}
+
+public interface IMyTlsFeature
+{
+    string ConnectionId { get; }
+    int TlsClientHelloLength { get; }
+}
+
+public class MyTlsFeature : IMyTlsFeature
+{
+    public string ConnectionId { get; }
+    public int TlsClientHelloLength { get; }
+
+    public MyTlsFeature(string connectionId, int tlsClientHelloLength)
+    {
+        ConnectionId = connectionId;
+        TlsClientHelloLength = tlsClientHelloLength;
+    }
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/Properties/launchSettings.json

@@ -0,0 +1,10 @@
+{
+  "profiles": {
+    "TlsFeaturesObserve": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5000",
+      "nativeDebugging": true
+    }
+  }
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/Startup.cs

@@ -0,0 +1,28 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Connections.Features;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.HttpSys;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace TlsFeatureObserve;
+
+public class Startup
+{
+    public void Configure(IApplicationBuilder app)
+    {
+        app.Run(async (HttpContext context) =>
+        {
+            context.Response.ContentType = "text/plain";
+
+            var tlsFeature = context.Features.Get<IMyTlsFeature>();
+            await context.Response.WriteAsync("TlsClientHello data: " + $"connectionId={tlsFeature?.ConnectionId}; length={tlsFeature?.TlsClientHelloLength}");
+        });
+    }
+}