Flow SNI HttpProtocols to middleware

Author: halter73

src/Servers/Kestrel/Core/src/Internal/HttpProtocolsFeature.cs

@@ -0,0 +1,15 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
+{
+    internal class HttpProtocolsFeature
+    {
+        public HttpProtocolsFeature(HttpProtocols httpProtocols)
+        {
+            HttpProtocols = httpProtocols;
+        }
+
+        public HttpProtocols HttpProtocols { get; }
+    }
+}

src/Servers/Kestrel/Core/src/Internal/SniOptions.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Linq;
 using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
@@ -42,13 +43,13 @@ public SniOptionsSelector(
 
             foreach (var (name, sniConfig) in endpointConfig.SNI)
             {
-                var sslServerOptions = new SslServerAuthenticationOptions
+                var sslOptions = new SslServerAuthenticationOptions
                 {
                     ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name),
                     EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols,
                 };
 
-                if (sslServerOptions.ServerCertificate is null)
+                if (sslOptions.ServerCertificate is null)
                 {
                     if (fallbackOptions.ServerCertificate is null && fallbackOptions.ServerCertificateSelector is null)
                     {
@@ -58,27 +59,27 @@ public SniOptionsSelector(
                     if (fallbackOptions.ServerCertificateSelector is null)
                     {
                         // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence. 
-                        sslServerOptions.ServerCertificate = fallbackOptions.ServerCertificate;
+                        sslOptions.ServerCertificate = fallbackOptions.ServerCertificate;
                     }
                 }
 
                 var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackOptions.ClientCertificateMode;
 
                 if (clientCertificateMode != ClientCertificateMode.NoCertificate)
                 {
-                    sslServerOptions.ClientCertificateRequired = true;
-                    sslServerOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
+                    sslOptions.ClientCertificateRequired = true;
+                    sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                         HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
                             clientCertificateMode, fallbackOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
                 }
 
                 var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
                 httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
-                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, httpProtocols);
+                HttpsConnectionMiddleware.ConfigureAlpn(sslOptions, httpProtocols);
 
                 var sniOptions = new SniOptions
                 {
-                    SslOptions = sslServerOptions,
+                    SslOptions = sslOptions,
                     HttpProtocols = httpProtocols,
                 };
 
@@ -97,37 +98,19 @@ public SniOptionsSelector(
             }
         }
 
-        public SniOptions GetOptions(ConnectionContext connection, string serverName)
+        public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, string serverName)
         {
-            SniOptions options = null;
+            SniOptions sniOptions = null;
 
-            if (!string.IsNullOrEmpty(serverName))
+            if (!string.IsNullOrEmpty(serverName) && !_fullNameOptions.TryGetValue(serverName, out sniOptions))
             {
-                if (_fullNameOptions.TryGetValue(serverName, out options))
-                {
-                    return options;
-                }
-
-                var matchedNameLength = 0;
-                ReadOnlySpan<char> serverNameSpan = serverName;
-
-                foreach (var (nameCandidate, optionsCandidate) in _wildcardPrefixOptions)
-                {
-                    ReadOnlySpan<char> nameCandidateSpan = nameCandidate;
-
-                    // Note that we only slice off the `*`. We want to match the leading `.` also.
-                    if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(wildcardHost.Length), StringComparison.OrdinalIgnoreCase) &&
-                        nameCandidateSpan.Length > matchedNameLength)
-                    {
-                        matchedNameLength = nameCandidateSpan.Length;
-                        options = optionsCandidate;
-                    }
-                }
+                TryGetWildcardPrefixedOptions(serverName, out sniOptions);
             }
 
-            options ??= _wildcardHostOptions;
+            // Fully wildcarded ("*") options can be used even when given an empty server name.
+            sniOptions ??= _wildcardHostOptions;
 
-            if (options is null)
+            if (sniOptions is null)
             {
                 if (serverName is null)
                 {
@@ -139,25 +122,75 @@ public SniOptions GetOptions(ConnectionContext connection, string serverName)
                 }
             }
 
-            if (options.SslOptions.ServerCertificate is null)
+            connection.Features.Set(new HttpProtocolsFeature(sniOptions.HttpProtocols));
+
+            var sslOptions = sniOptions.SslOptions;
+
+            if (sslOptions.ServerCertificate is null)
             {
                 Debug.Assert(_fallbackServerCertificateSelector != null,
                     "The cached SniOptions ServerCertificate can only be null if there's a fallback certificate selector.");
 
                 // If a ServerCertificateSelector doesn't return a cert, HttpsConnectionMiddleware doesn't fallback to the ServerCertificate.
-                options = options.Clone();
-                options.SslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);
+                sslOptions = CloneSslOptions(sslOptions);
+                sslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);
             }
 
             if (_onAuthenticateCallback != null)
             {
-                options = options.Clone();
+                sslOptions = CloneSslOptions(sslOptions);
 
                 // From doc comments: "This is called after all of the other settings have already been applied."
-                _onAuthenticateCallback(connection, options.SslOptions);
-            }    
+                _onAuthenticateCallback(connection, sslOptions);
+            }
+
+            return sslOptions;
+        }
 
-            return options;
+        private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sniOptions)
+        {
+            sniOptions = null;
+
+            var matchedNameLength = 0;
+            ReadOnlySpan<char> serverNameSpan = serverName;
+
+            foreach (var (nameCandidate, optionsCandidate) in _wildcardPrefixOptions)
+            {
+                ReadOnlySpan<char> nameCandidateSpan = nameCandidate;
+
+                // Note that we only slice off the `*`. We want to match the leading `.` also.
+                if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(wildcardHost.Length), StringComparison.OrdinalIgnoreCase) &&
+                    nameCandidateSpan.Length > matchedNameLength)
+                {
+                    matchedNameLength = nameCandidateSpan.Length;
+                    sniOptions = optionsCandidate;
+                }
+            }
+
+            return sniOptions != null;
+        }
+
+        // TODO: Reflection based test to ensure we clone everything!
+        internal static SslServerAuthenticationOptions CloneSslOptions(SslServerAuthenticationOptions sslOptions) =>
+            new SslServerAuthenticationOptions
+            {
+                AllowRenegotiation = sslOptions.AllowRenegotiation,
+                ApplicationProtocols = sslOptions.ApplicationProtocols?.ToList(),
+                CertificateRevocationCheckMode = sslOptions.CertificateRevocationCheckMode,
+                CipherSuitesPolicy = sslOptions.CipherSuitesPolicy,
+                ClientCertificateRequired = sslOptions.ClientCertificateRequired,
+                EnabledSslProtocols = sslOptions.EnabledSslProtocols,
+                EncryptionPolicy = sslOptions.EncryptionPolicy,
+                RemoteCertificateValidationCallback = sslOptions.RemoteCertificateValidationCallback,
+                ServerCertificate = sslOptions.ServerCertificate,
+                ServerCertificateContext = sslOptions.ServerCertificateContext,
+                ServerCertificateSelectionCallback = sslOptions.ServerCertificateSelectionCallback,
+            };
+
+        private class SniOptions
+        {
+            public SslServerAuthenticationOptions SslOptions { get; set; }
+            public HttpProtocols HttpProtocols { get; set; }
         }
     }
 }

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -359,7 +359,7 @@ public void Load()
                         var logger = Options.ApplicationServices.GetRequiredService<ILogger<KestrelConfigurationLoader>>();
                         var sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols, logger);
 
-                        listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector, httpsOptions.HandshakeTimeout);
+                        listenOptions.UseHttps(SniCallback, sniOptionsSelector, httpsOptions.HandshakeTimeout);
                     }
                 }
 
@@ -372,11 +372,11 @@ public void Load()
             return (endpointsToStop, endpointsToStart);
         }
 
-        private static ValueTask<SslServerAuthenticationOptions> ServerOptionsSelectionCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
+        private static ValueTask<SslServerAuthenticationOptions> SniCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
         {
             var sniOptionsSelector = (SniOptionsSelector)state;
             var options = sniOptionsSelector.GetOptions(connection, clientHelloInfo.ServerName);
-            return new ValueTask<SslServerAuthenticationOptions>(options.SslOptions);
+            return new ValueTask<SslServerAuthenticationOptions>(options);
         }
 
         private void LoadDefaultCert(ConfigurationReader configReader)

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -13,13 +13,13 @@ internal class HttpConnectionMiddleware<TContext>
     {
         private readonly ServiceContext _serviceContext;
         private readonly IHttpApplication<TContext> _application;
-        private readonly HttpProtocols _protocols;
+        private readonly HttpProtocols _endpointDefaultProtocols;
 
         public HttpConnectionMiddleware(ServiceContext serviceContext, IHttpApplication<TContext> application, HttpProtocols protocols)
         {
             _serviceContext = serviceContext;
             _application = application;
-            _protocols = protocols;
+            _endpointDefaultProtocols = protocols;
         }
 
         public Task OnConnectionAsync(ConnectionContext connectionContext)
@@ -30,7 +30,7 @@ public Task OnConnectionAsync(ConnectionContext connectionContext)
             {
                 ConnectionId = connectionContext.ConnectionId,
                 ConnectionContext = connectionContext,
-                Protocols = _protocols,
+                Protocols = connectionContext.Features.Get<HttpProtocolsFeature>()?.HttpProtocols ?? _endpointDefaultProtocols,
                 ServiceContext = _serviceContext,
                 ConnectionFeatures = connectionContext.Features,
                 MemoryPool = memoryPoolFeature?.MemoryPool ?? System.Buffers.MemoryPool<byte>.Shared,

src/Servers/Kestrel/Core/src/Middleware/HttpConnectionMiddleware.cs

@@ -24,7 +24,6 @@
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
 {
-
     internal delegate ValueTask<SslServerAuthenticationOptions> HttpsOptionsCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken);
 
     internal class HttpsConnectionMiddleware