Skip to content

[Android] Improve SslStream PAL buffer resizing#104726

Merged
simonrozsival merged 4 commits intodotnet:mainfrom
simonrozsival:android-fix-sslstream-tls-frame-buffer-size
Jul 19, 2024
Merged

[Android] Improve SslStream PAL buffer resizing#104726
simonrozsival merged 4 commits intodotnet:mainfrom
simonrozsival:android-fix-sslstream-tls-frame-buffer-size

Conversation

@simonrozsival
Copy link
Member

@simonrozsival simonrozsival commented Jul 11, 2024
edited
Loading

Our current implementation of the AndroidCryptoNative_SSLStreamWrite doesn't correctly handle buffer overflows when calling the wrap method. This isn't an issue because we always create buffers large enough to fit the wrapped data. The problem is that we are splitting data into many small chunks instead of sending fewer larger TLS frames and reducing overhead. This also affects certain protocols such as MS-TDS as reported in #95295.

Closes #95295

/cc @rzikm @wfurt

@simonrozsival
Copy link
Member Author

simonrozsival commented Jul 11, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 11, 2024

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jul 11, 2024
Closed
Open
Closed
@simonrozsival simonrozsival requested a review from rzikm July 12, 2024 11:10
simonrozsival
simonrozsival commented Jul 12, 2024
View reviewed changes
src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c Outdated
int32_t arraySize = length > remaining ? remaining : length;
jbyteArray data = make_java_byte_array(env, arraySize);
// data.setByteArrayRegion(0, length, buffer);
jbyteArray data = make_java_byte_array(env, length);
Copy link
Member Author

@simonrozsival simonrozsival Jul 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about capping the size of the data buffer to the max payload size of one TLS frame and keep copying just a subset of the data as we did previously, but the SslStream is already chunking the data (StreamSizes.Default == 32,768).

@simonrozsival
Copy link
Member Author

simonrozsival commented Jul 12, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 12, 2024

Azure Pipelines successfully started running 1 pipeline(s).

rzikm
rzikm approved these changes Jul 12, 2024
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@simonrozsival simonrozsival marked this pull request as ready for review July 12, 2024 14:24
vcsjones
vcsjones reviewed Jul 12, 2024
View reviewed changes
src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c Outdated
int32_t arraySize = length > remaining ? remaining : length;
jbyteArray data = make_java_byte_array(env, arraySize);
// data.setByteArrayRegion(0, length, buffer);
jbyteArray data = make_java_byte_array(env, length);
Copy link
Member

@vcsjones vcsjones Jul 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to allocate a java array here or can we use NIO? appOutBuffer is a ByteBuffer. ByteBuffer has a put that accepts another ByteBuffer.

We can create a ByteBuffer over buffer with jobject bufferByteBuffer = (*env)->NewDirectByteBuffer(env, buffer, length);

Then we can put that in to appOutBuffer. That remove an allocation and a copy from a handshake.

Copy link
Member

@vcsjones vcsjones Jul 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a thought, can be done as a follow up.

Copy link
Member Author

@simonrozsival simonrozsival Jul 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion, I'll give it a try.

@simonrozsival
Copy link
Member Author

simonrozsival commented Jul 12, 2024

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 12, 2024

Azure Pipelines successfully started running 1 pipeline(s).

@simonrozsival
Copy link
Member Author

simonrozsival commented Jul 19, 2024

There are failing runtime-extra-platforms tests, but they are all unrelated:

@simonrozsival simonrozsival merged commit a3fd095 into dotnet:main Jul 19, 2024
@simonrozsival simonrozsival deleted the android-fix-sslstream-tls-frame-buffer-size branch July 19, 2024 08:32
@bartonjs bartonjs added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Aug 15, 2024
@karelz karelz added this to the 9.0.0 milestone Sep 3, 2024
@bartonjs bartonjs added the tracking This issue is tracking the completion of other related issues. label Sep 10, 2024
@vitek-karas vitek-karas mentioned this pull request Oct 1, 2024
Open
@github-actions github-actions bot locked and limited conversation to collaborators Oct 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@vcsjones vcsjones vcsjones left review comments

@steveisok steveisok steveisok approved these changes

@rzikm rzikm rzikm approved these changes

Assignees

@simonrozsival simonrozsival

Labels

area-System.Net.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. os-android tracking This issue is tracking the completion of other related issues.

Projects

None yet

Milestone

9.0.0

Development

Successfully merging this pull request may close these issues.

Android SslStream splits messages over 2048 bytes in multiple TLS records (breaks MS-TDS protocol)

6 participants

@simonrozsival @vcsjones @steveisok @rzikm @karelz @bartonjs