Copilot commented on code in PR #12914:
URL: https://github.com/apache/trafficserver/pull/12914#discussion_r2875185673
##########
include/ts/apidefs.h.in:
##########
@@ -1049,6 +1051,72 @@ struct TSHttp2Priority {
int32_t stream_dependency;
};
+// Wrapper class that provides controlled access to client hello data
+class TSClientHello
+{
+public:
+ class TSExtensionTypeList
+ {
+ public:
+ TSExtensionTypeList(void *ch) : _ch(ch) {}
+
+ class Iterator
+ {
+ public:
+ Iterator(const void *ite);
+ Iterator &operator++();
+ bool operator==(const Iterator &b) const;
+ int operator*() const;
+
+ private:
+ char _real_iterator[24];
+ };
Review Comment:
`TSExtensionTypeList::Iterator` uses a raw `char _real_iterator[24]` buffer
to store an internal iterator object, but it is not declared with any
alignment. Since this buffer is later reinterpreted as `ExtensionIdIterator`,
it should be declared with sufficient alignment (e.g., via `alignas(...)` /
`std::aligned_storage`) to avoid undefined behavior on architectures with
strict alignment requirements.
##########
include/ts/ts.h:
##########
@@ -1334,6 +1334,56 @@ int TSVConnIsSsl(TSVConn sslp);
int TSVConnProvidedSslCert(TSVConn sslp);
const char *TSVConnSslSniGet(TSVConn sslp, int *length);
+/**
+ Retrieve TLS Client Hello information from an SSL virtual connection.
+
+ This function extracts TLS Client Hello data from a TLS handshake.
+ The returned object provides access to version, cipher suites, and
extensions
+ in a way that is portable across both BoringSSL and OpenSSL
implementations.
+
+ IMPORTANT: This function must be called during the
TS_SSL_CLIENT_HELLO_HOOK.
+ The underlying SSL context may not be available at other hooks,
particularly
+ for BoringSSL where the SSL_CLIENT_HELLO structure is only valid during
+ specific callback functions. Calling this function outside of the client
+ hello hook may result in nullptr being returned.
+
+ For BoringSSL, the Client Hello data is copied from the SSL_CLIENT_HELLO
+ structure. For OpenSSL, cipher suites and extension IDs are extracted using
+ SSL_client_hello_get0_* functions.
Review Comment:
The doc states "For BoringSSL, the Client Hello data is copied from the
SSL_CLIENT_HELLO structure", but the PR description says the new API no longer
copies and getters access the underlying library structures. Please update this
comment to match the actual lifetime/ownership model (and clarify that data is
only valid during the SSL client-hello hook processing).
##########
src/api/InkAPI.cc:
##########
@@ -7920,6 +7922,37 @@ TSVConnSslSniGet(TSVConn sslp, int *length)
return server_name;
}
+TSClientHello
+TSVConnClientHelloGet(TSVConn sslp)
+{
+ NetVConnection *netvc = reinterpret_cast<NetVConnection *>(sslp);
+ if (netvc == nullptr) {
+ return nullptr;
+ }
+
+ if (auto snis = netvc->get_service<TLSSNISupport>(); snis) {
+ TLSSNISupport::ClientHello *client_hello = snis->get_client_hello();
+ if (client_hello == nullptr) {
+ return nullptr;
+ }
+
+ // Wrap the raw object in the accessor and return
+ return TSClientHello(client_hello);
+ }
+
+ return nullptr;
+}
+
+TSReturnCode
+TSClientHelloExtensionGet(TSClientHello ch, unsigned int type, const unsigned
char **out, size_t *outlen)
+{
+ if (static_cast<TLSSNISupport::ClientHello
*>(ch._get_internal())->getExtension(type, out, outlen) == 1) {
+ return TS_SUCCESS;
+ }
+
Review Comment:
`TSClientHelloExtensionGet()` unconditionally dereferences
`ch._get_internal()` and forwards `out/outlen` without validation. This
contradicts the API contract in `ts.h` (should return `TS_ERROR` on nullptr
params) and can segfault when plugins pass an unavailable `TSClientHello` or
null output pointers. Add explicit checks for `ch` availability, `out`,
`outlen`, and for the internal pointer before calling into
`TLSSNISupport::ClientHello`.
```suggestion
if (out == nullptr || outlen == nullptr) {
return TS_ERROR;
}
*out = nullptr;
*outlen = 0;
auto *client_hello = static_cast<TLSSNISupport::ClientHello
*>(ch._get_internal());
if (client_hello == nullptr) {
return TS_ERROR;
}
if (client_hello->getExtension(type, out, outlen) == 1) {
return TS_SUCCESS;
}
*out = nullptr;
*outlen = 0;
```
##########
src/iocore/net/TLSSNISupport.cc:
##########
@@ -95,6 +102,9 @@ TLSSNISupport::perform_sni_action(SSL &ssl)
void
TLSSNISupport::on_client_hello(ClientHello &client_hello)
{
+ // Save local copy for later use;
+ _ch = &client_hello;
Review Comment:
`TLSSNISupport::on_client_hello()` stores `_ch = &client_hello`, but
`client_hello` is a stack object created inside `ssl_client_hello_callback`
(see SSLUtils.cc). `_ch` is never cleared, so any later call to
`TSVConnClientHelloGet()` (e.g. from another hook) can return a dangling
pointer and cause UAF. Consider storing the underlying `ClientHelloContainer`
(SSL*/SSL_CLIENT_HELLO*) or copying the `ClientHello` into a member, and
explicitly clearing the stored handle once the SSL client-hello hooks finish
executing (or when returning CLIENT_HELLO_RETRY/CLIENT_HELLO_SUCCESS).
```suggestion
// Store a heap-allocated copy instead of a pointer to the stack-allocated
argument
if (_ch != nullptr) {
delete _ch;
_ch = nullptr;
}
_ch = new ClientHello(client_hello);
```
##########
plugins/experimental/ja4_fingerprint/README.md:
##########
@@ -21,6 +21,8 @@ The technical specification of the algorithm is available
[here](https://github.
These changes were made to simplify the plugin as much as possible. The
missing features are useful and may be implemented in the future.
+Ja4 now supports boringssl
Review Comment:
Spelling/capitalization: "Ja4 now supports boringssl" should use the project
spelling/casing ("JA4" and "BoringSSL") and end with punctuation.
```suggestion
JA4 now supports BoringSSL.
```
##########
include/ts/ts.h:
##########
@@ -1334,6 +1334,56 @@ int TSVConnIsSsl(TSVConn sslp);
int TSVConnProvidedSslCert(TSVConn sslp);
const char *TSVConnSslSniGet(TSVConn sslp, int *length);
+/**
+ Retrieve TLS Client Hello information from an SSL virtual connection.
+
+ This function extracts TLS Client Hello data from a TLS handshake.
+ The returned object provides access to version, cipher suites, and
extensions
+ in a way that is portable across both BoringSSL and OpenSSL
implementations.
+
+ IMPORTANT: This function must be called during the
TS_SSL_CLIENT_HELLO_HOOK.
+ The underlying SSL context may not be available at other hooks,
particularly
+ for BoringSSL where the SSL_CLIENT_HELLO structure is only valid during
+ specific callback functions. Calling this function outside of the client
+ hello hook may result in nullptr being returned.
+
+ For BoringSSL, the Client Hello data is copied from the SSL_CLIENT_HELLO
+ structure. For OpenSSL, cipher suites and extension IDs are extracted using
+ SSL_client_hello_get0_* functions.
+
+ @param sslp The SSL virtual connection handle. Must not be nullptr.
+ @return A TSClientHello object containing Client Hello data.
Review Comment:
The `TSVConnClientHelloGet` doc still says calling outside the client hello
hook may result in `nullptr` being returned, but the function now returns a
`TSClientHello` value object (never a pointer). Update the docs to describe an
unavailable object (e.g., `!ch` / `ch.is_available()==false`) rather than
`nullptr`.
```suggestion
hello hook may result in an unavailable TSClientHello object (for
example,
one for which !ch or ch.is_available() == false).
For BoringSSL, the Client Hello data is copied from the SSL_CLIENT_HELLO
structure. For OpenSSL, cipher suites and extension IDs are extracted
using
SSL_client_hello_get0_* functions.
@param sslp The SSL virtual connection handle. Must not be nullptr.
@return A TSClientHello object containing Client Hello data. The object
may
be unavailable if called outside TS_SSL_CLIENT_HELLO_HOOK.
```
##########
plugins/experimental/ja4_fingerprint/plugin.cc:
##########
@@ -264,66 +266,64 @@ log_fingerprint(JA4_data const *data)
}
std::uint16_t
-get_version(SSL *ssl)
+get_version(TSClientHello ch)
{
unsigned char const *buf{};
std::size_t buflen{};
- if (SSL_SUCCESS == SSL_client_hello_get0_ext(ssl, EXT_SUPPORTED_VERSIONS,
&buf, &buflen)) {
+ if (TS_SUCCESS == TSClientHelloExtensionGet(ch, EXT_SUPPORTED_VERSIONS,
&buf, &buflen)) {
std::uint16_t max_version{0};
- for (std::size_t i{1}; i < buflen; i += 2) {
- std::uint16_t version{make_word(buf[i - 1], buf[i])};
- if ((!JA4::is_GREASE(version)) && version > max_version) {
+ size_t n_versions = buf[0];
+ for (size_t i = 1; i + 1 < buflen && i < (n_versions * 2) + 1; i += 2) {
+ std::uint16_t version = (buf[i] << 8) | buf[i + 1];
+ if (!JA4::is_GREASE(version) && version > max_version) {
Review Comment:
`get_version()` reads `buf[0]` without first ensuring `buflen >= 1`, and it
treats `buf[0]` as a count (`n_versions`) even though the SupportedVersions
extension uses a 1-byte *length in bytes* for the versions vector (RFC 8446).
Add a length check before reading `buf[0]`, validate that `1 + buf[0] <=
buflen` (and that `buf[0]` is even), and bound the loop based on the declared
vector length rather than `buflen` alone.
##########
include/iocore/net/TLSSNISupport.h:
##########
@@ -40,13 +41,51 @@ class TLSSNISupport
{
public:
ClientHello(ClientHelloContainer chc) : _chc(chc) {}
+ ~ClientHello();
+
+ class ExtensionIdIterator
+ {
+ public:
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+ ExtensionIdIterator(int *ids, size_t len, size_t offset) :
_extensions(ids), _ext_len(len), _offset(offset) {}
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+ ExtensionIdIterator(const uint8_t *extensions, size_t len, size_t offset)
+ : _extensions(extensions), _ext_len(len), _offset(offset)
+ {
+ }
+#endif
+ ~ExtensionIdIterator() = default;
+
+ ExtensionIdIterator &operator++();
+ bool operator==(const ExtensionIdIterator &b) const;
+ int operator*() const;
+
+ private:
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+ int *_extensions;
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+ const uint8_t *_extensions;
+#endif
+ size_t _ext_len;
+ size_t _offset;
+ };
+
+ uint16_t getVersion();
+ std::string_view getCipherSuites();
+ ExtensionIdIterator begin();
+ ExtensionIdIterator end();
+
/**
* @return 1 if successful
*/
int getExtension(int type, const uint8_t **out, size_t *outlen);
private:
ClientHelloContainer _chc;
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+ int *_ext_ids = nullptr;
+ size_t _ext_len;
Review Comment:
In the OpenSSL branch, `_ext_len` is not initialized and
`SSL_client_hello_get1_extensions_present()` return value is not checked. If
that call fails, `_ext_len` may remain uninitialized and `begin()/end()` will
build iterators with an indeterminate length. Initialize `_ext_len` to 0 and
handle a failure by treating the extension list as empty.
```suggestion
size_t _ext_len = 0;
```
##########
src/api/InkAPI.cc:
##########
@@ -9158,3 +9191,72 @@ TSLogAddrUnmarshal(char **buf, char *dest, int len)
return {-1, -1};
}
+
+bool
+TSClientHello::is_available() const
+{
+ return static_cast<bool>(*this);
+}
+
+uint16_t
+TSClientHello::get_version() const
+{
+ return static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getVersion();
+}
+
+const uint8_t *
+TSClientHello::get_cipher_suites() const
+{
+ return reinterpret_cast<const uint8_t
*>(static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getCipherSuites().data());
+}
+
+size_t
+TSClientHello::get_cipher_suites_len() const
+{
+ return static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getCipherSuites().length();
+}
+
+TSClientHello::TSExtensionTypeList::Iterator::Iterator(const void *ite)
+{
+ static_assert(sizeof(_real_iterator) >=
sizeof(TLSSNISupport::ClientHello::ExtensionIdIterator));
+
+ ink_assert(_real_iterator);
+ ink_assert(ite);
+ memcpy(_real_iterator, ite,
sizeof(TLSSNISupport::ClientHello::ExtensionIdIterator));
+}
+
+TSClientHello::TSExtensionTypeList::Iterator
+TSClientHello::TSExtensionTypeList::begin()
+{
+ ink_assert(_ch);
+ auto ch = static_cast<TLSSNISupport::ClientHello *>(_ch);
+ auto ite = ch->begin();
+ // The temporal pointer is for the memcpy in the constructor. It's only used
in the constructor.
+ return TSClientHello::TSExtensionTypeList::Iterator(&ite);
+}
+
+TSClientHello::TSExtensionTypeList::Iterator
+TSClientHello::TSExtensionTypeList::end()
+{
+ auto ite = static_cast<TLSSNISupport::ClientHello *>(_ch)->end();
+ // The temporal pointer is for the memcpy in the constructor. It's only used
in the constructor.
+ return TSClientHello::TSExtensionTypeList::Iterator(&ite);
+}
+
+TSClientHello::TSExtensionTypeList::Iterator &
+TSClientHello::TSExtensionTypeList::Iterator::operator++()
+{
+ ++(*reinterpret_cast<TLSSNISupport::ClientHello::ExtensionIdIterator
*>(_real_iterator));
+ return *this;
+}
Review Comment:
`TSClientHello::TSExtensionTypeList::Iterator` stores the real iterator in a
`char[24]` buffer, then uses `reinterpret_cast<...*>(_real_iterator)` in
`operator++/operator*`. A `char` buffer does not guarantee the alignment
required by `TLSSNISupport::ClientHello::ExtensionIdIterator`, so this is
undefined behavior on platforms where the iterator alignment > 1. Use properly
aligned storage (e.g., `std::aligned_storage_t` / `alignas(...)`) for
`_real_iterator`.
##########
doc/developer-guide/api/types/TSClientHello.en.rst:
##########
@@ -0,0 +1,82 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed
+ with this work for additional information regarding copyright
+ ownership. The ASF licenses this file to you under the Apache
+ License, Version 2.0 (the "License"); you may not use this file
+ except in compliance with the License. You may obtain a copy of
+ the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied. See the License for the specific language governing
+ permissions and limitations under the License.
+
+.. include:: ../../../common.defs
+
+.. default-domain:: cpp
+
+TSClientHello
+*************
+
+Synopsis
+========
+
+.. code-block:: cpp
+
+ #include <ts/apidefs.h>
+
+.. type:: TSClientHello
+
+.. type:: TSClientHello::TSExtensionTypeList
+
+ A type alias for an iterable container of extension type IDs.
+
+
+Description
+===========
+
+:type:`TSClientHello` is an opaque handle to a TLS ClientHello message sent by
+a client during the TLS handshake. It provides access to the client's TLS
+version, cipher suites, and extensions.
+
+The implementation abstracts differences between OpenSSL and BoringSSL to
+provide a consistent interface.
+
+Accessor Methods
+================
+
+The following methods are available to access ClientHello data:
+
+.. function:: bool is_available() const
+
+ Returns whether the object contains valid values. As long as
+ :func:`TSVConnClientHelloGet` is called for a TLS connection, the return
+ value should be `true`.
+
+.. function:: uint16_t get_version() const
+
+ Returns the TLS version from the ClientHello message.
+
+.. function:: const uint8_t* get_cipher_suites() const
+
+ Returns a pointer to the cipher suites buffer. The length is available via
+ :func:`get_cipher_suites_len()`.
+
+.. function:: size_t get_cipher_suites_len() const
+
+ Returns the length of the cipher suites buffer in bytes.
+
+.. function:: TSClientHello::TSExtensionTypeList get_extension_types() const
+
+ Returns an iterable container of extension type IDs present in the
ClientHello.
+ This method abstracts the differences between BoringSSL (which uses an
extensions
+ buffer) and OpenSSL (which uses an extension_ids array), providing a
consistent
+ interface regardless of the SSL library in use.
+
+.. function:: void* _get_internal() const
+
+ Returns the underlying SSL pointer. This is an internal accessor for
advanced use
+ cases.
Review Comment:
`_get_internal()` does not return an "underlying SSL pointer"; it returns an
internal pointer used by the ATS API implementation (currently a
`TLSSNISupport::ClientHello*`). Documenting it as an SSL pointer is misleading
and could lead to unsafe casts in plugins. Please correct the description (or
consider removing this from public docs if it is not intended for plugin use).
```suggestion
Returns a pointer to internal implementation data for
:type:`TSClientHello`. The
concrete type and contents of this pointer are ATS internals (currently a
``TLSSNISupport::ClientHello*``) and are subject to change without
notice. This
accessor is not part of the stable public API, and plugins must not cast
or rely
on the returned pointer type.
```
##########
src/api/InkAPI.cc:
##########
@@ -9158,3 +9191,72 @@ TSLogAddrUnmarshal(char **buf, char *dest, int len)
return {-1, -1};
}
+
+bool
+TSClientHello::is_available() const
+{
+ return static_cast<bool>(*this);
+}
+
+uint16_t
+TSClientHello::get_version() const
+{
+ return static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getVersion();
+}
+
+const uint8_t *
+TSClientHello::get_cipher_suites() const
+{
+ return reinterpret_cast<const uint8_t
*>(static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getCipherSuites().data());
+}
+
+size_t
+TSClientHello::get_cipher_suites_len() const
+{
+ return static_cast<TLSSNISupport::ClientHello
*>(_client_hello)->getCipherSuites().length();
+}
+
+TSClientHello::TSExtensionTypeList::Iterator::Iterator(const void *ite)
+{
+ static_assert(sizeof(_real_iterator) >=
sizeof(TLSSNISupport::ClientHello::ExtensionIdIterator));
+
+ ink_assert(_real_iterator);
+ ink_assert(ite);
+ memcpy(_real_iterator, ite,
sizeof(TLSSNISupport::ClientHello::ExtensionIdIterator));
+}
+
+TSClientHello::TSExtensionTypeList::Iterator
+TSClientHello::TSExtensionTypeList::begin()
+{
+ ink_assert(_ch);
+ auto ch = static_cast<TLSSNISupport::ClientHello *>(_ch);
+ auto ite = ch->begin();
+ // The temporal pointer is for the memcpy in the constructor. It's only used
in the constructor.
+ return TSClientHello::TSExtensionTypeList::Iterator(&ite);
+}
+
+TSClientHello::TSExtensionTypeList::Iterator
+TSClientHello::TSExtensionTypeList::end()
+{
+ auto ite = static_cast<TLSSNISupport::ClientHello *>(_ch)->end();
+ // The temporal pointer is for the memcpy in the constructor. It's only used
in the constructor.
+ return TSClientHello::TSExtensionTypeList::Iterator(&ite);
+}
+
+TSClientHello::TSExtensionTypeList::Iterator &
+TSClientHello::TSExtensionTypeList::Iterator::operator++()
+{
+ ++(*reinterpret_cast<TLSSNISupport::ClientHello::ExtensionIdIterator
*>(_real_iterator));
+ return *this;
+}
+
+bool
+TSClientHello::TSExtensionTypeList::Iterator::operator==(const
TSClientHello::TSExtensionTypeList::Iterator &b) const
+{
+ return memcmp(_real_iterator, b._real_iterator, sizeof(_real_iterator)) == 0;
Review Comment:
`Iterator::operator==` uses `memcmp(_real_iterator, ...)` over the full
24-byte buffer, but the constructor only `memcpy`s
`sizeof(ExtensionIdIterator)` bytes. If `sizeof(ExtensionIdIterator) < 24` on
some platforms/ABIs, the trailing bytes are uninitialized and comparisons
become nondeterministic. Either zero-initialize `_real_iterator` before
copying, track the copied size, or compare by invoking the underlying
iterator’s `operator==` instead of `memcmp`.
```suggestion
auto *lhs = reinterpret_cast<const
TLSSNISupport::ClientHello::ExtensionIdIterator *>(_real_iterator);
auto *rhs = reinterpret_cast<const
TLSSNISupport::ClientHello::ExtensionIdIterator *>(b._real_iterator);
return *lhs == *rhs;
```
##########
include/ts/apidefs.h.in:
##########
@@ -43,6 +43,8 @@
*/
#include <cstdint>
Review Comment:
This header uses `std::is_trivially_copyable_v` but does not include
`<type_traits>`, which will break compilation for translation units that
include `ts/apidefs.h` without first including `ts/ts.h`. Add the required
include (and consider removing `<memory>` / `<vector>` here if they are no
longer needed).
```suggestion
#include <cstdint>
#include <type_traits>
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
