Rent correct buffer size for SslStream.Encrypt

[benaadams]

Seen in #50921 (comment)

WriteSingleChunk rents a buffer the size of buffer.Length + FrameOverhead; however after the handshake the overhead is _headerSize + _trailerSize which can be different and causes Encrypt to ignore the buffer and allocate its own of the correct size.

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs

Lines 253 to 257 in 125253b

	int bufferSizeNeeded = checked(input.Length + headerSize + trailerSize);
	if (output == null || output.Length < bufferSizeNeeded)
	{
	output = new byte[bufferSizeNeeded];
	}

Change to rent buffer.Length + _headerSize + _trailerSize when these values are available.

Also drop some unnecessary casting in the Pal layers by receiving the correct type rather than a less derived one.

Before

After

/cc @karelz @dotnet/ncl

Resolves #51076

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Seen in #50921 (comment)

WriteSingleChunk rents a buffer the size of buffer.Length + FrameOverhead; however after the handshake the overhead is _headerSize + _trailerSize which causes Encrypt to ignore the buffer and allocate its own of the correct size.

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs

Lines 253 to 257 in 125253b

	int bufferSizeNeeded = checked(input.Length + headerSize + trailerSize);
	if (output == null || output.Length < bufferSizeNeeded)
	{
	output = new byte[bufferSizeNeeded];
	}

Change to rent buffer.Length + _headerSize + _trailerSize when these values are available.

Before

After

/cc @davidfowl @stephentoub

Author:	benaadams
Assignees:	-
Labels:	area-System.Net.Security
Milestone:	-

[geoffkizer]

We really shouldn't ever allocate in SslStreamPal.EncryptMessage; this is a legacy of previous times where we weren't very smart about buffer management. Now it's just hiding issues like this.

Could we change that check to an assert? Is there any code depending on the current behavior? Could it be fixed?

[geoffkizer]

Out of curiosity, what values for header size and trailer size were you seeing?

Presumably FrameOverhead was intended to be large enough to handle any cipher mode; but apparently it's not...

[benaadams]

Out of curiosity, what values for header size and trailer size were you seeing?

Outputting when header + trailer > FrameOverhead

headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (86), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (83), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (86), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (84), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (86), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (86), output.Length (256)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (348), output.Length (512)
headerSize (5) + trailerSize (44) > FrameOverhead (32) : input.Length (30), output.Length (128)

I see the reallocation about 4% of the calls; but I assume a lot get hidden from ArrayPool<byte>.Shared.Rent's round up to a power of 2?

[benaadams]

Looks like the FrameOverhead of 32 is too small from TLS 1.2 onwards with 32 byte HMAC? (5 + 32 is 37, and may be padding)

5 byte header
N byte payload
HMAC (32 bytes for the SHA-256-based HMAC, 20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.)
N byte Padding if a block cipher is used

[benaadams]

Could we change that check to an assert? Is there any code depending on the current behavior? Could it be fixed?

Not sure; it can wait for renegotiation to finish and then call it with the original rented buffer; so the sizes could have changed at that point. However it should only be that rare corner case now?

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs

Lines 690 to 693 in 3cbbade

	// Wait for renegotiation to finish.
	await waitTask.ConfigureAwait(false);
	SecurityStatusPal status = EncryptData(buffer, ref outBuffer, out int encryptedBytes);

[geoffkizer]

it can wait for renegotiation to finish and then call it with the original rented buffer;

Is it possible to either (a) not rent the buffer until we know that we are not renegotiating; or (b) release the old rented buffer and rent a new one when renegotiation happens?

However it should only be that rare corner case now?

Yeah, renegotiation is not common and I don't really worry about the perf cost in that case. I'm more worried that if we continue to have the automatic fallback in the low-level Encrypt code, then it will hide perf problems in cases we care about, like the original one here.

[geoffkizer]

Looks like the FrameOverhead of 32 is too small from TLS 1.2 onwards

We should audit if there are other places we use FrameOverhead.

[benaadams]

it can wait for renegotiation to finish and then call it with the original rented buffer;

Is it possible to either (a) not rent the buffer until we know that we are not renegotiating; or (b) release the old rented buffer and rent a new one when renegotiation happens?

Already does (b); however there is a race condition with renegotiation which happens in EncryptData; and there are 3 different methods of working out the buffer size due to 3 different platform implementations.

I'm more worried that if we continue to have the automatic fallback in the low-level Encrypt code, then it will hide perf problems in cases we care about, like the original one here.

Separate issue to resolve across SChannel, OpenSsl and AppleCrypto as they all use different apis to determine size?

i.e. its currently always requesting a buffer that's too small; which is hidden 96% of the time due to ArrayPool's power of 2 round up, this resolves that and increases FrameOverhead to a larger value for newer TLS

I agree it would be better not to have the fallback; but changing it to throw an exception instead is a bit more responsibility that I want to take in this PR 😉

[geoffkizer]

I agree it would be better not to have the fallback; but changing it to throw an exception instead is a bit more responsibility that I want to take in this PR

I understand :)

That said, if we are not going to do a comprehensive fix right now, then we should probably do something with minimal risk and file a separate issue to address this in a comprehensive way. To that end, maybe we should just bump FrameOverhead up to 64.

Also adding @wfurt for his opinion.

[benaadams]

That said, if we are not going to do a comprehensive fix right now, then we should probably do something with minimal risk and file a separate issue to address this in a comprehensive way. To that end, maybe we should just bump FrameOverhead up to 64.

Something more like? #51320

[benaadams]

Opened PR for the casting #51324

[benaadams]

Will close this in favour of the other two