net.vschannel: chunk large TLS payloads to fix 16KB EncryptMessage crash on Windows (#26681)

* fix(vschannel): chunk large TLS request payloads on Windows

Split request payloads into cbMaximumMessage-sized chunks before EncryptMessage and send each encrypted record fully to avoid large-body crashes in Schannel path.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test(tools): add vschannel 16kb httpbin probe script

Add a reproducible probe script that posts payloads around the 16KB boundary to https://httpbin.org/post and supports before/after expectation modes for regression verification.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* style(tools): vfmt vschannel_16kb_httpbin_probe.v

* refactor(tools): apply Copilot suggestions to vschannel probe

- use os.new_process instead of os.execute to avoid shell escaping
  issues on Windows and separate stdout/stderr capture
- add explicit 'none' branch in expected_success_for_mode to make
  intent clear and guard against future unexpected mode values

* fix(vschannel): cast send result before DWORD accumulation

---------

Co-authored-by: baiyunfeng <baiyunfeng@bailian.ai>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

cmd/tools/vschannel_16kb_httpbin_probe.v

@@ -0,0 +1,165 @@
+import flag
+import net.http
+import os
+import time
+
+const probe_url = 'https://httpbin.org/post'
+const vschannel_16kb_boundary = 16 * 1024
+const default_sizes_csv = '12000,15000,17000,24000,32768'
+
+fn main() {
+	if os.args.len >= 2 && os.args[1] == '--worker' {
+		run_worker_mode()
+		return
+	}
+	run_parent_mode()
+}
+
+fn run_worker_mode() {
+	if os.args.len < 3 {
+		eprintln('missing payload size for --worker')
+		exit(2)
+	}
+	size := os.args[2].int()
+	if size <= 0 {
+		eprintln('invalid payload size `${os.args[2]}`')
+		exit(2)
+	}
+	payload := '{"size":${size},"payload":"' + 'x'.repeat(size) + '"}'
+	mut headers := http.new_header()
+	headers.add(.content_type, 'application/json')
+	mut req := http.Request{
+		method:        .post
+		url:           probe_url
+		header:        headers
+		data:          payload
+		read_timeout:  60 * time.second
+		write_timeout: 30 * time.second
+	}
+	resp := req.do() or {
+		eprintln('request failed at size=${size}: ${err}')
+		exit(1)
+	}
+	if resp.status_code != 200 {
+		eprintln('unexpected status at size=${size}: ${resp.status_code}')
+		exit(1)
+	}
+	if !resp.body.contains('httpbin.org/post') {
+		eprintln('unexpected response body at size=${size}')
+		exit(1)
+	}
+	println('OK size=${size} payload_bytes=${payload.len}')
+}
+
+fn run_parent_mode() {
+	mut fp := flag.new_flag_parser(os.args)
+	fp.application('vschannel_16kb_httpbin_probe')
+	fp.version('0.0.1')
+	fp.description('Probe net.http HTTPS POST behavior around 16KB payloads using https://httpbin.org/post.')
+	fp.skip_executable()
+
+	expect_mode := fp.string('expect', `e`, 'after', 'Expected behavior mode: before|after|none. before expects >16KB failures, after expects all succeed.')
+	sizes_csv := fp.string('sizes', `s`, default_sizes_csv, 'Comma separated payload sizes in bytes.')
+	verbose := fp.bool('verbose', `v`, false, 'Print child process output for all sizes.')
+	show_help := fp.bool('help', `h`, false, 'Show this help screen.')
+	free_args := fp.finalize() or {
+		eprintln('flag parse failed: ${err}')
+		exit(2)
+	}
+	if free_args.len > 0 {
+		eprintln('unexpected positional args: ${free_args}')
+		exit(2)
+	}
+	if show_help {
+		println(fp.usage())
+		return
+	}
+
+	mode := expect_mode.to_lower()
+	if mode !in ['before', 'after', 'none'] {
+		eprintln('invalid --expect `${expect_mode}` (allowed: before|after|none)')
+		exit(2)
+	}
+	sizes := parse_sizes_csv(sizes_csv) or {
+		eprintln(err)
+		exit(2)
+	}
+
+	self_exe := os.executable()
+	println('probe url: ${probe_url}')
+	println('expect mode: ${mode}')
+	println('sizes: ${sizes}')
+
+	mut mismatches := 0
+	for size in sizes {
+		// Launch worker directly without going through a shell, and capture stdout/stderr separately.
+		mut p := os.new_process(self_exe)
+		p.set_args(['--worker', size.str()])
+		p.set_redirect_stdio()
+		p.run()
+		p.wait()
+		exit_code := p.code
+		stdout := p.stdout_read().trim_space()
+		stderr := p.stderr_read().trim_space()
+		p.close()
+		success := exit_code == 0
+		expected_success := expected_success_for_mode(mode, size)
+		status := if success { 'OK' } else { 'FAIL' }
+		expect_text := if expected_success { 'expect=OK' } else { 'expect=FAIL' }
+		println('${status:4} size=${size:6} exit=${exit_code:3} ${expect_text}')
+		if verbose || !success {
+			if stdout.len > 0 {
+				println(stdout)
+			}
+			if stderr.len > 0 {
+				eprintln(stderr)
+			}
+		}
+		if mode != 'none' && success != expected_success {
+			mismatches++
+		}
+	}
+
+	if mismatches > 0 {
+		eprintln('mismatch count: ${mismatches}')
+		exit(1)
+	}
+	println('probe completed without mismatches')
+}
+
+fn parse_sizes_csv(raw string) ![]int {
+	mut sizes := []int{}
+	for part in raw.split(',') {
+		item := part.trim_space()
+		if item.len == 0 {
+			continue
+		}
+		size := item.int()
+		if size <= 0 {
+			return error('invalid size entry `${item}` in --sizes')
+		}
+		sizes << size
+	}
+	if sizes.len == 0 {
+		return error('no sizes provided in --sizes')
+	}
+	return sizes
+}
+
+fn expected_success_for_mode(mode string, size int) bool {
+	return match mode {
+		'before' {
+			size <= vschannel_16kb_boundary
+		}
+		'after' {
+			true
+		}
+		'none' {
+			true
+		}
+		else {
+			eprintln('unexpected mode `${mode}` in expected_success_for_mode')
+			false
+		}
+	}
+}

thirdparty/vschannel/vschannel.c

@@ -726,8 +726,12 @@ static SECURITY_STATUS https_make_request(TlsContext *tls_ctx, CHAR *req, DWORD
 	PBYTE pbMessage;
 	DWORD cbMessage;
 
-	DWORD cbData;
+	INT   cbData;
 	INT   i;
+	DWORD req_offset;
+	DWORD chunk_len;
+	DWORD to_send;
+	DWORD sent;
 
 
 	// Read stream encryption properties.
@@ -748,50 +752,57 @@ static SECURITY_STATUS https_make_request(TlsContext *tls_ctx, CHAR *req, DWORD
 		return SEC_E_INTERNAL_ERROR;
 	}
 
-	// Build an HTTP request to send to the server.
-
-	// Build the HTTP request offset into the data buffer by "header size"
-	// bytes. This enables Schannel to perform the encryption in place,
-	// which is a significant performance win.
+	// Build and send HTTP request in chunks no larger than cbMaximumMessage.
+	// EncryptMessage expects plaintext <= cbMaximumMessage.
 	pbMessage = pbIoBuffer + Sizes.cbHeader;
+	req_offset = 0;
+	while(req_offset < req_len) {
+		chunk_len = req_len - req_offset;
+		if(chunk_len > Sizes.cbMaximumMessage) {
+			chunk_len = Sizes.cbMaximumMessage;
+		}
 
-	// Build HTTP request. Note that I'm assuming that this is less than
-	// the maximum message size. If it weren't, it would have to be broken up.
-	memcpy(pbMessage, req, req_len);
-	cbMessage = req_len;
+		memcpy(pbMessage, req + req_offset, chunk_len);
+		cbMessage = chunk_len;
 
-	// Encrypt the HTTP request.
-	Buffers[0].pvBuffer     = pbIoBuffer;
-	Buffers[0].cbBuffer     = Sizes.cbHeader;
-	Buffers[0].BufferType   = SECBUFFER_STREAM_HEADER;
+		Buffers[0].pvBuffer     = pbIoBuffer;
+		Buffers[0].cbBuffer     = Sizes.cbHeader;
+		Buffers[0].BufferType   = SECBUFFER_STREAM_HEADER;
 
-	Buffers[1].pvBuffer     = pbMessage;
-	Buffers[1].cbBuffer     = cbMessage;
-	Buffers[1].BufferType   = SECBUFFER_DATA;
+		Buffers[1].pvBuffer     = pbMessage;
+		Buffers[1].cbBuffer     = cbMessage;
+		Buffers[1].BufferType   = SECBUFFER_DATA;
 
-	Buffers[2].pvBuffer     = pbMessage + cbMessage;
-	Buffers[2].cbBuffer     = Sizes.cbTrailer;
-	Buffers[2].BufferType   = SECBUFFER_STREAM_TRAILER;
+		Buffers[2].pvBuffer     = pbMessage + cbMessage;
+		Buffers[2].cbBuffer     = Sizes.cbTrailer;
+		Buffers[2].BufferType   = SECBUFFER_STREAM_TRAILER;
 
-	Buffers[3].BufferType   = SECBUFFER_EMPTY;
+		Buffers[3].BufferType   = SECBUFFER_EMPTY;
 
-	Message.ulVersion       = SECBUFFER_VERSION;
-	Message.cBuffers        = 4;
-	Message.pBuffers        = Buffers;
+		Message.ulVersion       = SECBUFFER_VERSION;
+		Message.cBuffers        = 4;
+		Message.pBuffers        = Buffers;
 
-	scRet = tls_ctx->sspi->EncryptMessage(&tls_ctx->h_context, 0, &Message, 0);
+		scRet = tls_ctx->sspi->EncryptMessage(&tls_ctx->h_context, 0, &Message, 0);
+		if(FAILED(scRet)) {
+			wprintf(L"Error 0x%x returned by EncryptMessage\n", scRet);
+			return scRet;
+		}
 
-	if(FAILED(scRet)) {
-		wprintf(L"Error 0x%x returned by EncryptMessage\n", scRet);
-		return scRet;
-	}
+		// Send all encrypted bytes for this chunk.
+		to_send = Buffers[0].cbBuffer + Buffers[1].cbBuffer + Buffers[2].cbBuffer;
+		sent = 0;
+		while(sent < to_send) {
+			cbData = send(tls_ctx->socket, (char*)pbIoBuffer + sent, (int)(to_send - sent), 0);
+			if(cbData == SOCKET_ERROR || cbData == 0) {
+				wprintf(L"Error %d sending data to server (3)\n", WSAGetLastError());
+				tls_ctx->sspi->DeleteSecurityContext(&tls_ctx->h_context);
+				return SEC_E_INTERNAL_ERROR;
+			}
+			sent += (DWORD)cbData;
+		}
 
-	// Send the encrypted data to the server.
-	cbData = send(tls_ctx->socket, pbIoBuffer, Buffers[0].cbBuffer + Buffers[1].cbBuffer + Buffers[2].cbBuffer, 0);
-	if(cbData == SOCKET_ERROR || cbData == 0) {
-		wprintf(L"Error %d sending data to server (3)\n",  WSAGetLastError());
-		tls_ctx->sspi->DeleteSecurityContext(&tls_ctx->h_context);
-		return SEC_E_INTERNAL_ERROR;
+		req_offset += chunk_len;
 	}
 
 	// Read data from server until done.