Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Android] Improve SslStream PAL buffer resizing #104726

Merged
merged 4 commits into from
Jul 19, 2024
Merged

[Android] Improve SslStream PAL buffer resizing #104726

merged 4 commits into from
Jul 19, 2024

Conversation

simonrozsival
Copy link
Member

@simonrozsival simonrozsival commented Jul 11, 2024
edited
Loading

Our current implementation of the AndroidCryptoNative_SSLStreamWrite doesn't correctly handle buffer overflows when calling the wrap method. This isn't an issue because we always create buffers large enough to fit the wrapped data. The problem is that we are splitting data into many small chunks instead of sending fewer larger TLS frames and reducing overhead. This also affects certain protocols such as MS-TDS as reported in #95295.

Closes #95295

/cc @rzikm @wfurt

@simonrozsival
Copy link
Member Author

/azp run runtime-extra-platforms

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jul 11, 2024
Open
Open
Open
Closed
@simonrozsival simonrozsival requested a review from rzikm July 12, 2024 11:10
simonrozsival
simonrozsival commented Jul 12, 2024
View reviewed changes
src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c Outdated
int32_t arraySize = length > remaining ? remaining : length;
jbyteArray data = make_java_byte_array(env, arraySize);
// data.setByteArrayRegion(0, length, buffer);
jbyteArray data = make_java_byte_array(env, length);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about capping the size of the data buffer to the max payload size of one TLS frame and keep copying just a subset of the data as we did previously, but the SslStream is already chunking the data (StreamSizes.Default == 32,768).

@simonrozsival
Copy link
Member Author

/azp run runtime-extra-platforms

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

rzikm
rzikm approved these changes Jul 12, 2024
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@simonrozsival simonrozsival marked this pull request as ready for review July 12, 2024 14:24
vcsjones
vcsjones reviewed Jul 12, 2024
View reviewed changes
src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c Outdated
int32_t arraySize = length > remaining ? remaining : length;
jbyteArray data = make_java_byte_array(env, arraySize);
// data.setByteArrayRegion(0, length, buffer);
jbyteArray data = make_java_byte_array(env, length);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to allocate a java array here or can we use NIO? appOutBuffer is a ByteBuffer. ByteBuffer has a put that accepts another ByteBuffer.

We can create a ByteBuffer over buffer with jobject bufferByteBuffer = (*env)->NewDirectByteBuffer(env, buffer, length);

Then we can put that in to appOutBuffer. That remove an allocation and a copy from a handshake.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a thought, can be done as a follow up.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion, I'll give it a try.

@simonrozsival
Copy link
Member Author

/azp run runtime-extra-platforms

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@simonrozsival
Copy link
Member Author

There are failing runtime-extra-platforms tests, but they are all unrelated:

@simonrozsival simonrozsival merged commit a3fd095 into dotnet:main Jul 19, 2024
128 of 136 checks passed
@simonrozsival simonrozsival deleted the android-fix-sslstream-tls-frame-buffer-size branch July 19, 2024 08:32
@bartonjs bartonjs added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Aug 15, 2024
@karelz karelz added this to the 9.0.0 milestone Sep 3, 2024
@bartonjs bartonjs added the tracking This issue is tracking the completion of other related issues. label Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vcsjones vcsjones vcsjones left review comments

@steveisok steveisok steveisok approved these changes

@rzikm rzikm rzikm approved these changes

Assignees

@simonrozsival simonrozsival

Labels
area-System.Net.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. os-android tracking This issue is tracking the completion of other related issues.
Projects
None yet
Milestone
9.0.0
Development

Successfully merging this pull request may close these issues.

Android SslStream splits messages over 2048 bytes in multiple TLS records (breaks MS-TDS protocol)
6 participants
@simonrozsival @vcsjones @steveisok @rzikm @karelz @bartonjs