Author: remy.maucherat(a)jboss.com
Date: 2015-10-02 09:19:12 -0400 (Fri, 02 Oct 2015)
New Revision: 2629
Modified:
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/SecureNioChannel.java
Log:
BZ1266247: fix buffer sizes when using SSL (SSL engine has a size limit with no
workaround), recurse unwrap if no bytes are decoded, simplify handshake.
Modified:
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
===================================================================
---
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2015-09-03
08:20:42 UTC (rev 2628)
+++
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2015-10-02
13:19:12 UTC (rev 2629)
@@ -35,6 +35,7 @@
import org.apache.tomcat.util.net.NioChannel;
import org.apache.tomcat.util.net.NioEndpoint;
import org.apache.tomcat.util.net.SocketStatus;
+import org.apache.tomcat.util.net.jsse.SecureNioChannel;
import org.jboss.web.CoyoteLogger;
/**
@@ -98,7 +99,7 @@
* @param endpoint
*/
public InternalNioInputBuffer(Http11NioProcessor processor, Request request, int
headerBufferSize, NioEndpoint endpoint) {
- super(request, headerBufferSize);
+ super(request, (endpoint.getSSLEnabled()) ? Math.max(headerBufferSize,
SecureNioChannel.MIN_APP_BUFFER_SIZE) : headerBufferSize);
this.endpoint = endpoint;
this.processor = processor;
this.init();
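Review bot: With SSL enabled, the `super(...)` call silently replaces a configured `headerBufferSize` smaller than `SecureNioChannel.MIN_APP_BUFFER_SIZE` (16916) with the larger value. If the superclass uses this size to bound request header length, which the hunk does not show, the effective header limit on TLS connectors ends up higher than what was configured and differs from the plain connector. I would state this in the constructor Javadoc, for example `@param headerBufferSize requested size; raised to SecureNioChannel.MIN_APP_BUFFER_SIZE when the endpoint has SSL enabled`, and log once when the configured value is overridden. The constructor body continues outside the hunk.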
Modified:
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
===================================================================
---
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioOutputBuffer.java 2015-09-03
08:20:42 UTC (rev 2628)
+++
branches/7.5.x/src/main/java/org/apache/coyote/http11/InternalNioOutputBuffer.java 2015-10-02
13:19:12 UTC (rev 2629)
@@ -38,6 +38,7 @@
import org.apache.tomcat.util.net.NioChannel;
import org.apache.tomcat.util.net.NioEndpoint;
import org.apache.tomcat.util.net.SocketStatus;
+import org.apache.tomcat.util.net.jsse.SecureNioChannel;
import org.jboss.web.CoyoteLogger;
/**
@@ -160,8 +161,8 @@
this.response = response;
this.headers = response.getMimeHeaders();
- buf = new byte[headerBufferSize];
- bbuf = ByteBuffer.allocateDirect(headerBufferSize);
+ buf = new byte[(endpoint.getSSLEnabled()) ? Math.max(headerBufferSize,
SecureNioChannel.MIN_APP_BUFFER_SIZE) : headerBufferSize];
+ bbuf = ByteBuffer.allocateDirect((endpoint.getSSLEnabled()) ?
Math.max(headerBufferSize, SecureNioChannel.MIN_APP_BUFFER_SIZE) : headerBufferSize);
outputBuffer = new OutputBufferImpl();
filterLibrary = new OutputFilter[0];
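Review bot: The buffer-size expression is written out twice on the two added lines and a third time in the InternalNioInputBuffer constructor, so the copies can drift apart and `buf` and `bbuf` could end up with different capacities after a later edit. Compute it once, `int size = endpoint.getSSLEnabled() ? Math.max(headerBufferSize, SecureNioChannel.MIN_APP_BUFFER_SIZE) : headerBufferSize;`, then use `buf = new byte[size];` and `bbuf = ByteBuffer.allocateDirect(size);`. A small static helper next to the constant would serve both buffer classes. The enclosing constructor starts outside the hunk, so whether `endpoint` is the parameter or an already-assigned field cannot be confirmed from here.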
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/SecureNioChannel.java
===================================================================
---
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/SecureNioChannel.java 2015-09-03
08:20:42 UTC (rev 2628)
+++
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/SecureNioChannel.java 2015-10-02
13:19:12 UTC (rev 2629)
@@ -54,7 +54,8 @@
*/
public class SecureNioChannel extends NioChannel {
- private static final int MIN_BUFFER_SIZE = 16 * 1024;
+ public static final int MIN_BUFFER_SIZE = 16921;
+ public static final int MIN_APP_BUFFER_SIZE = 16916;
protected SSLEngine sslEngine;
private ByteBuffer netInBuffer;
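Review bot: `16921` and `16916` are unexplained literals and, having gone from `private` to `public`, are now part of the class's API. They appear to match the packet and application buffer sizes that a JSSE session reports through `SSLSession.getPacketBufferSize()` and `SSLSession.getApplicationBufferSize()`, and those values depend on the provider and JDK. Add a comment saying where each number comes from, such as `// lower bound for net buffers; must be >= SSLSession.getPacketBufferSize()`. Where a session is available, also size the buffers with `Math.max(MIN_BUFFER_SIZE, session.getPacketBufferSize())` so a runtime with larger records does not fall back into the overflow the commit is fixing.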
@@ -124,15 +125,24 @@
// The handshake is completed
checkHandshake();
- if (this.netInBuffer.position() == 0) {
- this.reset(this.netInBuffer);
- int x = this.channel.read(this.netInBuffer).get(timeout, unit);
+ if (netInBuffer.position() == 0) {
+ reset(netInBuffer);
+ int x = channel.read(this.netInBuffer).get(timeout, unit);
if (x < 0) {
throw new ClosedChannelException();
}
}
// Unwrap the data read, and return the number of unwrapped bytes
- return this.unwrap(this.netInBuffer, dst);
+ int result = unwrap(this.netInBuffer, dst);
+ if (result == 0) {
+ // Try reading since it means an underflow
+ int x = channel.read(this.netInBuffer).get(timeout, unit);
+ if (x < 0) {
+ throw new ClosedChannelException();
+ }
+ result = unwrap(this.netInBuffer, dst);
+ }
+ return result;
}
/*
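Review bot: The added retry treats `result == 0` as an underflow, but `unwrap` is not visible in this hunk and may also return zero for other reasons. Examples would be `dst` having no remaining space, or the engine consuming a record that carries no application data. In the full-`dst` case the second `channel.read(...).get(timeout, unit)` waits on the peer for nothing, and when `netInBuffer.position() == 0` the call can now block for up to twice the timeout. Guarding the retry, `if (result == 0 && dst.hasRemaining()) {`, avoids the pointless wait. The log message says "recurse" but the code retries exactly once, so the comment should say that a record spanning more than two reads still returns 0 to the caller. The method starts outside the hunk.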
@@ -582,7 +592,7 @@
tryTasks();
// if we need more network data, then bail out for now.
if (result.getStatus() == Status.BUFFER_UNDERFLOW) {
- break;
+ break;
}
} else if (result.getStatus() == Status.BUFFER_OVERFLOW && read > 0) {
// buffer overflow can happen, if we have read data, then
@@ -725,18 +735,6 @@
if (res.getStatus() == SSLEngineResult.Status.OK) {
// Execute tasks if we need to
tryTasks();
- read = true;
- } else if (res.getStatus() == Status.BUFFER_UNDERFLOW) {
- read = true;
- } else if (res.getStatus() == Status.BUFFER_OVERFLOW) {
- ByteBuffer tmp = ByteBuffer.allocate(packetBufferSize * (++i));
-
- if (clientAppData.position() > 0) {
- clientAppData.flip();
- }
- tmp.put(clientAppData);
- clientAppData = tmp;
- read = false;
}
// Perform another unwrap?
cont = res.getStatus() == SSLEngineResult.Status.OK
@@ -746,7 +744,6 @@
break;
case NEED_WRAP:
- clientNetData.compact();
this.netOutBuffer.clear();
SSLEngineResult res = sslEngine.wrap(clientNetData, this.netOutBuffer);
handshakeStatus = res.getHandshakeStatus();