Posted to dev@mina.apache.org by "Dan Mihai Dumitriu (JIRA)" <ji...@apache.org> on 2008/11/17 21:54:44 UTC

[jira] Created: (DIRMINA-637) SSLEngine output buffer seems to be too small

SSLEngine output buffer seems to be too small
---------------------------------------------

                 Key: DIRMINA-637
                 URL: https://issues.apache.org/jira/browse/DIRMINA-637
             Project: MINA
          Issue Type: Bug
          Components: Filter
    Affects Versions: 1.1.7, 1.1.1
            Reporter: Dan Mihai Dumitriu


The code below is in SSLHandler.java.  It makes the assumption that the size of the output will never be larger than 2x the size of the input.  That assumption appears to not hold up.  It looks like this code has been fixed in trunk, but not in 1.1.7.  We only see an error for VERY specific content, i.e. almost never.

    public void encrypt(ByteBuffer src) throws SSLException {
        if (!initialHandshakeComplete) {
            throw new IllegalStateException();
        }

        // The data buffer is (must be) empty, we can reuse the entire
        // buffer.
        outNetBuffer.clear();

        // Loop until there is no more data in src
        while (src.hasRemaining()) {

            if (src.remaining() > ((outNetBuffer.capacity() - outNetBuffer
                    .position()) / 2)) {
                // We have to expand outNetBuffer
                // Note: there is no way to know the exact size required, but encrypted data
                // shouldn't need to be larger than twice the source data size?
                outNetBuffer = SSLByteBufferPool.expandBuffer(outNetBuffer, src
                        .capacity() * 2);
                if (SessionLog.isDebugEnabled(session)) {
                    SessionLog.debug(session, " expanded outNetBuffer:"
                            + outNetBuffer);
                }
            }

            SSLEngineResult result = sslEngine.wrap(src, outNetBuffer);
            if (SessionLog.isDebugEnabled(session)) {
                SessionLog.debug(session, " Wrap res:" + result);
            }

            if (result.getStatus() == SSLEngineResult.Status.OK) {
                if (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    doTasks();
                }
            } else {
                throw new SSLException("SSLEngine error during encrypt: "
                        + result.getStatus() + " src: " + src
                        + "outNetBuffer: " + outNetBuffer);
            }
        }

        outNetBuffer.flip();
    }


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649045#action_12649045 ] 

Emmanuel Lecharny commented on DIRMINA-637:
-------------------------------------------

Can you do a svn diff, and attach the result in this JIRA? It will be easier to inject in trunk.

Thanks!



[jira] Commented: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649005#action_12649005 ] 

Emmanuel Lecharny commented on DIRMINA-637:
-------------------------------------------

OK, so we are safe in 2.0 :) That's good news!



[jira] Commented: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Dan Mihai Dumitriu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649042#action_12649042 ] 

Dan Mihai Dumitriu commented on DIRMINA-637:
--------------------------------------------

To fix our immediate problem, I adapted the code from 2.0.0, as shown below.  Maybe it would be good to make the initial capacity larger than just src.remaining(), so that it doesn't overflow every time.

    public void encrypt(ByteBuffer src) throws SSLException {
        if (!handshakeComplete) {
            throw new IllegalStateException();
        }

        // The data buffer is (must be) empty, we can reuse the entire
        // buffer.
        outNetBuffer.clear();

        // Start with room for at least one full SSL/TLS packet, or for the
        // whole source if that is larger.
        int capacity = Math.max(
                src.remaining(),
                sslEngine.getSession().getPacketBufferSize());

        outNetBuffer = SSLByteBufferPool.expandBuffer(outNetBuffer, capacity);

        // Loop until there is no more data in src
        while (src.hasRemaining()) {

            SSLEngineResult result = sslEngine.wrap(src, outNetBuffer);

            if (result.getStatus() == SSLEngineResult.Status.OK) {
                if (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    doTasks();
                }
            } else if (result.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                // Not enough room: double the buffer and let the loop call wrap() again.
                outNetBuffer = SSLByteBufferPool.expandBuffer(outNetBuffer, outNetBuffer.capacity() * 2);
            } else {
                throw new SSLException("SSLEngine error during encrypt: "
                        + result.getStatus() + " src: " + src
                        + "outNetBuffer: " + outNetBuffer);
            }
            
        }

        outNetBuffer.flip();
    }



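A standalone version of the retry-on-overflow approach discussed in this thread, as an added example that is not MINA's code or either poster's. It uses plain java.nio.ByteBuffer instead of SSLByteBufferPool; the names WrapWithGrowth, grow and wrapGrowing are hypothetical. The demo wraps the first handshake flight of a fresh client engine (no peer or certificate needed) into a deliberately undersized buffer, and grows by at least one packet size so that one retry is normally enough.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class WrapWithGrowth {

    /** Allocates a larger buffer and copies over the bytes already produced. */
    static ByteBuffer grow(ByteBuffer old, int newCapacity) {
        ByteBuffer bigger = ByteBuffer.allocate(newCapacity);
        old.flip();       // read back what was written so far
        bigger.put(old);  // bigger.position() now equals the bytes copied
        return bigger;
    }

    /**
     * Calls wrap() once, retrying with a larger destination whenever the
     * engine reports BUFFER_OVERFLOW. Returns the buffer that finally held
     * the output, which may be a new object, so callers must use the
     * return value rather than the buffer they passed in.
     */
    static ByteBuffer wrapGrowing(SSLEngine engine, ByteBuffer src, ByteBuffer dst)
            throws SSLException {
        int packetSize = engine.getSession().getPacketBufferSize();
        while (true) {
            SSLEngineResult result = engine.wrap(src, dst);
            switch (result.getStatus()) {
            case OK:
                return dst;
            case BUFFER_OVERFLOW:
                // Output size is not proportional to input size, so do not
                // size from src. Leave room for one more full packet after
                // what is already in dst, and at least double the capacity.
                dst = grow(dst, Math.max(dst.capacity() * 2,
                                         dst.position() + packetSize));
                break;
            default:
                // CLOSED (or anything unexpected): the caller must not keep writing.
                throw new SSLException("wrap failed: " + result.getStatus());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);

        ByteBuffer src = ByteBuffer.allocate(0);   // no application data at all
        ByteBuffer dst = ByteBuffer.allocate(16);  // constructed: far too small

        ByteBuffer out = wrapGrowing(engine, src, dst);
        System.out.println("input bytes: 0, initial capacity: 16, final capacity: "
                + out.capacity() + ", bytes produced: " + out.position());
    }
}
```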

[jira] Updated: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRMINA-637:
--------------------------------------

    Fix Version/s: 1.1.8

We should check if it also affects 2.0.0



[jira] Assigned: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny reassigned DIRMINA-637:
-----------------------------------------

    Assignee: Emmanuel Lecharny



[jira] Commented: (DIRMINA-637) SSLEngine output buffer seems to be too small

Posted by "Dan Mihai Dumitriu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRMINA-637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649003#action_12649003 ] 

Dan Mihai Dumitriu commented on DIRMINA-637:
--------------------------------------------

I don't believe that it does.  The 2.0.0 code doubles the output buffer and tries again if there is overflow.
