From c1b038001e1f18effb3c9ff5daa9e9cac1cd66e8 Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Sat, 30 Sep 2023 15:21:08 -0700 Subject: [PATCH] tls: limit openssl engine max read burst Type: improvement Signed-off-by: Florin Coras Change-Id: Ic7a8fd37d79fc9c09c8b1539d630f3b8983b8bb3 --- src/plugins/tlsopenssl/tls_openssl.c | 8 +++++--- src/vnet/tls/tls.c | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 97b32bd405f..a3e93e1f588 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -163,7 +163,7 @@ openssl_lctx_get (u32 lctx_index) return -1; static int -openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) +openssl_read_from_ssl_into_fifo (svm_fifo_t *f, SSL *ssl, u32 max_len) { int read, rv, n_fs, i; const int n_segs = 2; @@ -174,6 +174,7 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) if (!max_enq) return 0; + max_enq = clib_min (max_len, max_enq); n_fs = svm_fifo_provision_chunks (f, fs, n_segs, max_enq); if (n_fs < 0) return 0; @@ -533,9 +534,10 @@ static inline int openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session) { openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + const u32 max_len = 128 << 10; session_t *app_session; - int read; svm_fifo_t *f; + int read; if (PREDICT_FALSE (SSL_in_init (oc->ssl))) { @@ -549,7 +551,7 @@ openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session) app_session = session_get_from_handle (ctx->app_session_handle); f = app_session->rx_fifo; - read = openssl_read_from_ssl_into_fifo (f, oc->ssl); + read = openssl_read_from_ssl_into_fifo (f, oc->ssl, max_len); /* Unrecoverable protocol error. Reset connection */ if (PREDICT_FALSE (read < 0)) diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index c3294634af5..159ed857339 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -1109,7 +1109,7 @@ tls_enable (vlib_main_t * vm, u8 is_en) vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; tls_main_t *tm = &tls_main; - u32 fifo_size = 128 << 12; + u32 fifo_size = 512 << 10; if (!is_en) { -- 2.16.6