Eliminate heap allocations

Author: maskit

doc/developer-guide/api/functions/TSVConnClientHelloGet.en.rst

@@ -29,26 +29,21 @@ Synopsis
     #include <ts/ts.h>
 
 .. function:: TSClientHello TSVConnClientHelloGet(TSVConn sslp)
-.. function:: void TSClientHelloDestroy(TSClientHello ch)
 .. function:: TSReturnCode TSClientHelloExtensionGet(TSClientHello ch, unsigned int type, const unsigned char **out, size_t *outlen)
 
 Description
 ===========
 
 :func:`TSVConnClientHelloGet` retrieves ClientHello message data from the TLS
-virtual connection :arg:`sslp`. Returns ``nullptr`` if :arg:`sslp` is invalid
-or not a TLS connection.
+virtual connection :arg:`sslp`. Returns a :type:`TSClientHello` always. The availability
+of the returned object must be checked before use.
 
 .. important::
 
    This function should only be called from the ``TS_EVENT_SSL_CLIENT_HELLO`` hook.
    The returned :type:`TSClientHello` is only valid during the SSL ClientHello event processing.
    Using this function from other hooks may result in accessing invalid or stale data.
 
-The caller must call :func:`TSClientHelloDestroy` to free the returned object.
-
-:func:`TSClientHelloDestroy` frees the :type:`TSClientHello` object :arg:`ch`.
-
 :func:`TSClientHelloExtensionGet` retrieves extension data for the specified
 :arg:`type` (e.g., ``0x10`` for ALPN). Returns :enumerator:`TS_SUCCESS` if
 found, :enumerator:`TS_ERROR` otherwise. The returned pointer in :arg:`out` is

doc/developer-guide/api/types/TSClientHello.en.rst

@@ -42,15 +42,20 @@ Description
 a client during the TLS handshake. It provides access to the client's TLS
 version, cipher suites, and extensions.
 
-Objects of this type are obtained via :func:`TSVConnClientHelloGet` and must
-be freed using :func:`TSClientHelloDestroy`. The implementation abstracts
-differences between OpenSSL and BoringSSL to provide a consistent interface.
+The implementation abstracts differences between OpenSSL and BoringSSL to
+provide a consistent interface.
 
 Accessor Methods
 ================
 
 The following methods are available to access ClientHello data:
 
+.. function:: bool is_available() const
+
+   Returns whether the object contains valid values. As long as
+   :func:`TSVConnClientHelloGet` is called for a TLS connection, the return
+   value should be `true`.
+
 .. function:: uint16_t get_version() const
 
    Returns the TLS version from the ClientHello message.

include/iocore/net/TLSSNISupport.h

@@ -23,6 +23,7 @@
  */
 #pragma once
 
+#include "tscore/ink_config.h"
 #include "tscore/ink_memory.h"
 #include "SSLTypes.h"
 
@@ -40,11 +41,44 @@ class TLSSNISupport
   {
   public:
     ClientHello(ClientHelloContainer chc) : _chc(chc) {}
+    ~ClientHello();
+
+    class ExtensionIdIterator
+    {
+    public:
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+      ExtensionIdIterator(int *ids, size_t len, size_t offset) : _ids(ids), _ext_len(len), _offset(offset) {}
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+      ExtensionIdIterator(const uint8_t *extensions, size_t len, size_t offset)
+        : _extensions(extensions), _ext_len(len), _offset(offset)
+      {
+      }
+#endif
+      ~ExtensionIdIterator();
+
+      ExtensionIdIterator &operator++();
+      bool                 operator==(const ExtensionIdIterator &b) const;
+      int                  operator*() const;
+
+    private:
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+      int *_extensions;
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+      const uint8_t *_extensions;
+#endif
+      size_t _ext_len;
+      size_t _offset;
+    };
+
+    uint16_t            getVersion();
+    std::string_view    getCipherSuites();
+    ExtensionIdIterator begin();
+    ExtensionIdIterator end();
+
     /**
      * @return 1 if successful
      */
-    int                  getExtension(int type, const uint8_t **out, size_t *outlen);
-    ClientHelloContainer get_client_hello_container();
+    int getExtension(int type, const uint8_t **out, size_t *outlen);
 
   private:
     ClientHelloContainer _chc;
@@ -56,9 +90,9 @@ class TLSSNISupport
   static TLSSNISupport *getInstance(SSL *ssl);
   static void           bind(SSL *ssl, TLSSNISupport *snis);
   static void           unbind(SSL *ssl);
-  int                   perform_sni_action(SSL &ssl);
-  ClientHelloContainer  get_client_hello_container() const;
-  void                  set_client_hello_container(ClientHelloContainer container);
+
+  int          perform_sni_action(SSL &ssl);
+  ClientHello *get_client_hello() const;
   // Callback functions for OpenSSL libraries
 
   /** Process a CLIENT_HELLO from a client.
@@ -116,6 +150,6 @@ class TLSSNISupport
   // Null-terminated string, or nullptr if there is no SNI server name.
   std::unique_ptr<char[]> _sni_server_name;
 
-  void                 _set_sni_server_name_buffer(std::string_view name);
-  ClientHelloContainer _chc = nullptr;
+  void         _set_sni_server_name_buffer(std::string_view name);
+  ClientHello *_ch;
 };

include/ts/apidefs.h.in

@@ -1050,124 +1050,70 @@ struct TSHttp2Priority {
    * or -1 if the stream has no dependency. */
   int32_t stream_dependency;
 };
-/**
- * A structure for SSL Client Hello data
- */
-struct tsapi_ssl_client_hello {
-  uint16_t       version{0};
-  const uint8_t *cipher_suites{nullptr};
-  size_t         cipher_suites_len{0};
-  const uint8_t *extensions{nullptr};
-  size_t         extensions_len{0};
-  int           *extension_ids{nullptr};
-  size_t         extension_ids_len{0};
-  void          *ssl_ptr{nullptr};
-};
 
 // Wrapper class that provides controlled access to client hello data
-class TSClientHelloImpl
+class TSClientHello
 {
 public:
-  // Type alias for extension type list
-  using TSExtensionTypeList = std::vector<uint16_t>;
+  class TSExtensionTypeList
+  {
+  public:
+    TSExtensionTypeList(void *ch) : _ch(ch) {}
 
-  TSClientHelloImpl(std::unique_ptr<tsapi_ssl_client_hello> ch) : _ssl_client_hello(std::move(ch)) {}
+    class Iterator
+    {
+    public:
+      Iterator(const void *ite);
+      Iterator &operator++();
+      bool      operator==(const Iterator &b) const;
+      int       operator*() const;
 
-  ~TSClientHelloImpl() = default;
+    private:
+      char _real_iterator[24];
+    };
 
-  uint16_t
-  get_version() const
-  {
-    return _ssl_client_hello->version;
-  }
+    Iterator begin();
+    Iterator end();
 
-  const uint8_t *
-  get_cipher_suites() const
-  {
-    return _ssl_client_hello->cipher_suites;
-  }
+  private:
+    void *_ch;
+  };
 
-  size_t
-  get_cipher_suites_len() const
-  {
-    return _ssl_client_hello->cipher_suites_len;
-  }
+  TSClientHello(void *ch) : _client_hello(ch) {}
 
-  const uint8_t *
-  get_extensions() const
-  {
-    return _ssl_client_hello->extensions;
-  }
+  ~TSClientHello() = default;
 
-  size_t
-  get_extensions_len() const
+  explicit
+  operator bool() const
   {
-    return _ssl_client_hello->extensions_len;
+    return _client_hello != nullptr;
   }
 
-  const int *
-  get_extension_ids() const
-  {
-    return _ssl_client_hello->extension_ids;
-  }
+  bool is_available() const;
 
-  size_t
-  get_extension_ids_len() const
-  {
-    return _ssl_client_hello->extension_ids_len;
-  }
+  uint16_t get_version() const;
 
-  void *
-  get_ssl_ptr() const
-  {
-    return _ssl_client_hello->ssl_ptr;
-  }
+  const uint8_t *get_cipher_suites() const;
+
+  size_t get_cipher_suites_len() const;
 
   // Returns an iterable container of extension type IDs
   // This abstracts the difference between BoringSSL (extensions buffer) and OpenSSL (extension_ids array)
   TSExtensionTypeList
   get_extension_types() const
   {
-    TSExtensionTypeList result;
-
-    // For BoringSSL, parse the extensions buffer
-    if (_ssl_client_hello->extensions != nullptr) {
-      const uint8_t *ext       = _ssl_client_hello->extensions;
-      size_t         remaining = _ssl_client_hello->extensions_len;
-
-      while (remaining >= 4) {
-        uint16_t ext_type       = (ext[0] << 8) | ext[1];
-        uint16_t ext_len        = (ext[2] << 8) | ext[3];
-        size_t   total_ext_size = 4 + ext_len;
-
-        result.push_back(ext_type);
-
-        if (total_ext_size > remaining) {
-          break;
-        }
-        ext       += total_ext_size;
-        remaining -= total_ext_size;
-      }
-    }
-    // For OpenSSL, use the extension IDs array
-    else if (_ssl_client_hello->extension_ids != nullptr) {
-      for (size_t i = 0; i < _ssl_client_hello->extension_ids_len; i++) {
-        result.push_back(static_cast<uint16_t>(_ssl_client_hello->extension_ids[i]));
-      }
-    }
-
-    return result;
+    return TSExtensionTypeList(_client_hello);
   }
 
   // Internal accessor for API implementation
-  tsapi_ssl_client_hello *
+  void *
   _get_internal() const
   {
-    return _ssl_client_hello.get();
+    return _client_hello;
   }
 
 private:
-  std::unique_ptr<tsapi_ssl_client_hello> _ssl_client_hello;
+  void *_client_hello;
 };
 
 using TSFile = struct tsapi_file *;
@@ -1205,7 +1151,6 @@ using TSHostLookupResult = struct tsapi_hostlookupresult *;
 using TSAIOCallback      = struct tsapi_aiocallback *;
 using TSAcceptor         = struct tsapi_net_accept *;
 using TSRemapPluginInfo  = struct tsapi_remap_plugin_info *;
-using TSClientHello      = TSClientHelloImpl *;
 
 using TSFetchSM = struct tsapi_fetchsm *;
 

include/ts/ts.h

@@ -1351,32 +1351,12 @@ const char *TSVConnSslSniGet(TSVConn sslp, int *length);
     structure. For OpenSSL, cipher suites and extension IDs are extracted using
     SSL_client_hello_get0_* functions.
 
-    Memory Management: The caller must call TSClientHelloDestroy() to free the
-    returned object when it is no longer needed. Failure to do so will result
-    in memory leaks, especially for OpenSSL which allocates memory for the
-    extension IDs array.
-
     @param sslp The SSL virtual connection handle. Must not be nullptr.
-    @return Pointer to TSClientHello object containing Client Hello data, or
-            nullptr if the client hello is not available or if an error occurs.
+    @return A TSClientHello object containing Client Hello data.
 
-    @see TSClientHelloDestroy
     @see TSClientHelloExtensionGet
  */
 TSClientHello TSVConnClientHelloGet(TSVConn sslp);
-/**
-    Destroys a Client Hello object and frees associated memory.
-
-    This function must be called to properly free a TSClientHello object
-    obtained from TSVConnClientHelloGet(). It handles SSL library-specific
-    cleanup, including freeing the extension IDs array allocated by OpenSSL's
-    SSL_client_hello_get1_extensions_present() function.
-
-    @param ch The Client Hello object to destroy.
-
-    @see TSVConnClientHelloGet
- */
-void TSClientHelloDestroy(TSClientHello ch);
 
 /**
     Retrieve a specific TLS extension from the Client Hello.
@@ -1387,11 +1367,10 @@ void TSClientHelloDestroy(TSClientHello ch);
     OpenSSL without requiring conditional compilation in the plugin.
 
     The returned buffer is still owned by the underlying SSL context and must
-    not be freed by the caller. The buffer is valid only as long as the
-    TSClientHello object has not been destroyed.
+    not be freed by the caller. The buffer is valid only in the condition where
+    you can get a TSClientHello object from an SSL virtual connection.
 
     @param ch The Client Hello object obtained from TSVConnClientHelloGet().
-              Must not be nullptr.
     @param type The TLS extension type to retrieve.
     @param out Pointer to receive the extension data buffer. Must not be nullptr.
     @param outlen Pointer to receive the length of the extension data in bytes.
@@ -1402,7 +1381,6 @@ void TSClientHelloDestroy(TSClientHello ch);
             or if an error occurred during lookup.
 
     @see TSVConnClientHelloGet
-    @see TSClientHelloDestroy
  */
 TSReturnCode TSClientHelloExtensionGet(TSClientHello ch, unsigned int type, const unsigned char **out, size_t *outlen);
 

plugins/experimental/ja4_fingerprint/plugin.cc

@@ -202,15 +202,13 @@ handle_client_hello(TSCont /* cont ATS_UNUSED */, TSEvent event, void *edata)
 
   TSClientHello ch = TSVConnClientHelloGet(ssl_vc);
 
-  if (nullptr == ch) {
+  if (!ch) {
     Dbg(dbg_ctl, "Could not get TSClientHello object.");
   } else {
     auto data{std::make_unique<JA4_data>()};
     data->fingerprint = get_fingerprint(ch);
     get_IP(TSNetVConnRemoteAddrGet(ssl_vc), data->IP_addr);
     log_fingerprint(data.get());
-    // Clean up the TSClientHello structure
-    TSClientHelloDestroy(ch);
     // The VCONN_CLOSE handler is now responsible for freeing the resource.
     TSUserArgSet(ssl_vc, *get_user_arg_index(), static_cast<void *>(data.release()));
   }
@@ -284,7 +282,7 @@ get_version(TSClientHello ch)
     return max_version;
   } else {
     Dbg(dbg_ctl, "No supported_versions extension... using legacy version.");
-    return ch->get_version();
+    return ch.get_version();
   }
 }
 
@@ -308,8 +306,8 @@ get_first_ALPN(TSClientHello ch)
 void
 add_ciphers(JA4::TLSClientHelloSummary &summary, TSClientHello ch)
 {
-  const uint8_t *buf    = ch->get_cipher_suites();
-  size_t         buflen = ch->get_cipher_suites_len();
+  const uint8_t *buf    = ch.get_cipher_suites();
+  size_t         buflen = ch.get_cipher_suites_len();
 
   if (buflen > 0) {
     for (std::size_t i = 0; i + 1 < buflen; i += 2) {
@@ -323,7 +321,7 @@ add_ciphers(JA4::TLSClientHelloSummary &summary, TSClientHello ch)
 void
 add_extensions(JA4::TLSClientHelloSummary &summary, TSClientHello ch)
 {
-  for (auto ext_type : ch->get_extension_types()) {
+  for (auto ext_type : ch.get_extension_types()) {
     summary.add_extension(ext_type);
   }
 }