tls: openssl: fix SSL_read partial read scenario

When application performs SSL_read from the app rx-fifo, it can
pre-allocate multiple segments, but there is an issue if the OpenSSL
manages to partially fill in the first segment, in this case, since
data is assumed to be copied over by OpenSSL to the pre-allocated
segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs
zero copy by passing the pre-allocated segment to SSL_read.

If the decrypted data size is smaller than the pre-allocated fifo
segment buffer size, application will fetch buffers including zero
in the area not filled in by SSL_read.

Type: fix

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 5ccc492..426bf2f 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -186,18 +186,20 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
       return 0;
     }
 
-  for (i = 1; i < n_fs; i++)
+  if (read == (int) fs[0].len)
     {
-      rv = SSL_read (ssl, fs[i].data, fs[i].len);
-      read += rv > 0 ? rv : 0;
-
-      if (rv < (int) fs[i].len)
+      for (i = 1; i < n_fs; i++)
        {
-         ossl_check_err_is_fatal (ssl, rv);
-         break;
+         rv = SSL_read (ssl, fs[i].data, fs[i].len);
+         read += rv > 0 ? rv : 0;
+
+         if (rv < (int) fs[i].len)
+           {
+             ossl_check_err_is_fatal (ssl, rv);
+             break;
+           }
        }
     }
-
   svm_fifo_enqueue_nocopy (f, read);
 
   return read;