author | Florin Coras <fcoras@cisco.com> | 2023-09-30 15:21:08 -0700 |
---|---|---|
committer | Dave Barach <vpp@barachs.net> | 2023-10-02 20:23:06 +0000 |
commit | c1b038001e1f18effb3c9ff5daa9e9cac1cd66e8 (patch) | |
tree | a8b7ba93f803ad1bbb62b18b54c5fb57438af395 | |
parent | d69ef3aeeb8b290917ce9e06d5f8f73da4268852 (diff) |
tls: limit openssl engine max read burst
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic7a8fd37d79fc9c09c8b1539d630f3b8983b8bb3
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 8 | ||||
-rw-r--r-- | src/vnet/tls/tls.c | 2 |
2 files changed, 6 insertions, 4 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 97b32bd405f..a3e93e1f588 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -163,7 +163,7 @@ openssl_lctx_get (u32 lctx_index)
   return -1;
 static int
-openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
+openssl_read_from_ssl_into_fifo (svm_fifo_t *f, SSL *ssl, u32 max_len)
 {
   int read, rv, n_fs, i;
   const int n_segs = 2;
@@ -174,6 +174,7 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl)
   if (!max_enq)
     return 0;
+  max_enq = clib_min (max_len, max_enq);
   n_fs = svm_fifo_provision_chunks (f, fs, n_segs, max_enq);
   if (n_fs < 0)
     return 0;
@@ -533,9 +534,10 @@ static inline int
 openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
 {
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+  const u32 max_len = 128 << 10;
   session_t *app_session;
-  int read;
   svm_fifo_t *f;
+  int read;
   if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
     {
@@ -549,7 +551,7 @@ openssl_ctx_read_tls (tls_ctx_t *ctx, session_t *tls_session)
   app_session = session_get_from_handle (ctx->app_session_handle);
   f = app_session->rx_fifo;
-  read = openssl_read_from_ssl_into_fifo (f, oc->ssl);
+  read = openssl_read_from_ssl_into_fifo (f, oc->ssl, max_len);
   /* Unrecoverable protocol error. Reset connection */
   if (PREDICT_FALSE (read < 0))
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index c3294634af5..159ed857339 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -1109,7 +1109,7 @@ tls_enable (vlib_main_t * vm, u8 is_en)
   vnet_app_attach_args_t _a, *a = &_a;
   u64 options[APP_OPTIONS_N_OPTIONS];
   tls_main_t *tm = &tls_main;
-  u32 fifo_size = 128 << 12;
+  u32 fifo_size = 512 << 10;
   if (!is_en)
     {
|
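Review bot: The new clamp `max_enq = clib_min (max_len, max_enq);` sits after the `if (!max_enq) return 0;` guard, so a zero `max_len` would still reach svm_fifo_provision_chunks with a zero length instead of taking the early exit; clamping first, `max_enq = clib_min (max_len, max_enq); if (!max_enq) return 0;`, keeps the guard meaningful for every value of the new parameter. The parameter itself is undocumented, and since this is the only place the cap is enforced a comment on the function such as `/* max_len: upper bound on bytes decrypted in this call, so one session cannot monopolize the worker */` would record why it exists. The body of openssl_read_from_ssl_into_fifo continues outside the hunk.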
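Review bot: `const u32 max_len = 128 << 10;` is a bare magic number with nothing saying why 128 KiB was chosen or what it bounds, which is the kind of tuning knob the next maintainer will want to find. A named file-scope constant, e.g. `#define OPENSSL_MAX_READ_BURST (128 << 10) /* bytes decrypted per rx dispatch */`, would make the intent visible and could be passed to the call directly instead of through a per-call local. The rest of openssl_ctx_read_tls lies outside this hunk.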
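Review bot: Capping the read at `max_len` means plaintext that OpenSSL has already decrypted beyond 128 KiB stays buffered inside the SSL object after `openssl_read_from_ssl_into_fifo` returns, and the hunk ends before any code that would reschedule the session. It is worth confirming that the remainder of openssl_ctx_read_tls re-arms an rx event when `SSL_pending (oc->ssl) > 0` rather than relying on the next TCP rx event, since otherwise a peer that pauses after a large burst leaves data stranded until it sends again. Both the start and the end of openssl_ctx_read_tls are outside this hunk.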