authorFlorin Coras <fcoras@cisco.com>2023-09-30 15:21:08 -0700
committerDave Wallace <dwallacelf@gmail.com>2023-10-09 21:37:55 +0000
commit15d0c7a3fb015868c5e391b9c862c5a83ea1f471 (patch)
tree3d537f4f2cb8a26566b8a47e667f0f6a8b493bc6
parentf9af6b32efcd948a2eb449d0d5157c8781786fbb (diff)
tls: limit openssl engine max read burst
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic7a8fd37d79fc9c09c8b1539d630f3b8983b8bb3 (cherry picked from commit c1b038001e1f18effb3c9ff5daa9e9cac1cd66e8)
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c8
-rw-r--r--src/vnet/tls/tls.c2
2 files changed, 6 insertions, 4 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 97b32bd405f..a3e93e1f588 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -163,7 +163,7 @@ openssl_lctx_get (u32 lctx_index)
return -1;
static int
-openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
+openssl_read_from_ssl_into_fifo (svm_fifo_t *f, SSL *ssl, u32 max_len)
{
int read, rv, n_fs, i;
const int n_segs = 2;
@@ -174,6 +174,7 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
if (!max_enq)
return 0;
+ max_enq = clib_min (max_len, max_enq);
n_fs = svm_fifo_provision_chunks (f, fs, n_segs, max_enq);
if (n_fs < 0)
return 0;
@@ -533,9 +534,10 @@ static inline int
openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+ const u32 max_len = 128 << 10;
session_t *app_session;
- int read;
svm_fifo_t *f;
+ int read;
if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
{
@@ -549,7 +551,7 @@ openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
app_session = session_get_from_handle (ctx->app_session_handle);
f = app_session->rx_fifo;
- read = openssl_read_from_ssl_into_fifo (f, oc->ssl);
+ read = openssl_read_from_ssl_into_fifo (f, oc->ssl, max_len);
/* Unrecoverable protocol error. Reset connection */
if (PREDICT_FALSE (read < 0))
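Review bot: In openssl_read_from_ssl_into_fifo the new clamp `max_enq = clib_min (max_len, max_enq);` is placed after the existing `if (!max_enq) return 0;` guard, so a caller passing max_len == 0 would skip the early return and reach svm_fifo_provision_chunks with a zero length; whether that helper tolerates 0 is not visible in this hunk. Moving the clamp above the guard keeps the zero case on the existing path: `max_enq = clib_min (max_len, max_enq);` followed by `if (!max_enq) return 0;`. The new parameter is also undocumented; a line above the signature such as `/* max_len: upper bound on bytes pulled from ssl in one call, caps the read burst per dispatch */` would record the intent behind the `128 << 10` that openssl_ctx_read_tls passes, and that literal would read better as a named constant than an unexplained shift. The function begins in the first hunk and its body continues outside the shown hunks.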
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index c3294634af5..159ed857339 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -1109,7 +1109,7 @@ tls_enable (vlib_main_t * vm, u8 is_en)
vnet_app_attach_args_t _a, *a = &_a;
u64 options[APP_OPTIONS_N_OPTIONS];
tls_main_t *tm = &tls_main;
- u32 fifo_size = 128 << 12;
+ u32 fifo_size = 512 << 10;
if (!is_en)
{
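Review bot: The new initializer `u32 fifo_size = 512 << 10;` evaluates to the same value as the old `128 << 12` (524288), so this is a readability rewrite, but the literal still carries no unit and the reason for the form is not recorded. A trailing comment such as `u32 fifo_size = 512 << 10; /* 512 KiB */` or a named constant would make that explicit for the next reader. tls_enable starts at the hunk header and its body continues outside the hunk.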