robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
Browse Source

[tls] Request a maximum fragment length of 2048 bytes 

The default maximum plaintext fragment length for TLS is 16kB, which
is a substantial amount of memory for iPXE to have to allocate for a
temporary decryption buffer.

Reduce the memory footprint of TLS connections by requesting a maximum
fragment length of 2kB.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
ea61075c60
commit
9a8c6b00d4
2 changed files with 19 additions and 1 deletions
Split View Show Diff Stats
  1. 8
    1
      src/include/ipxe/tls.h
  2. 11
    0
      src/net/tls.c

+ 8
- 1
src/include/ipxe/tls.h View File 

@@ -89,10 +89,17 @@ struct tls_header {
89 89 
 /* TLS signature algorithm identifiers */
90 90 
 #define TLS_RSA_ALGORITHM 1
91 91
92 
-/* TLS extension types */
92 
+/* TLS server name extension */
93 93 
 #define TLS_SERVER_NAME 0
94 94 
 #define TLS_SERVER_NAME_HOST_NAME 0
95 95
96 
+/* TLS maximum fragment length extension */
97 
+#define TLS_MAX_FRAGMENT_LENGTH 1
98 
+#define TLS_MAX_FRAGMENT_LENGTH_512 1
99 
+#define TLS_MAX_FRAGMENT_LENGTH_1024 2
100 
+#define TLS_MAX_FRAGMENT_LENGTH_2048 3
101 
+#define TLS_MAX_FRAGMENT_LENGTH_4096 4
102 
+
96 103 
 /** TLS RX state machine state */
97 104 
 enum tls_rx_state {
98 105 
 	TLS_RX_HEADER = 0,

+ 11
- 0
src/net/tls.c View File 

@@ -869,6 +869,11 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
869 869 
 					uint8_t name[ strlen ( tls->name ) ];
870 870 
 				} __attribute__ (( packed )) list[1];
871 871 
 			} __attribute__ (( packed )) server_name;
872 
+			uint16_t max_fragment_length_type;
873 
+			uint16_t max_fragment_length_len;
874 
+			struct {
875 
+				uint8_t max;
876 
+			} __attribute__ (( packed )) max_fragment_length;
872 877 
 		} __attribute__ (( packed )) extensions;
873 878 
 	} __attribute__ (( packed )) hello;
874 879 
 	unsigned int i;
 
@@ -894,6 +899,12 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
894 899 
 		= htons ( sizeof ( hello.extensions.server_name.list[0].name ));
895 900 
 	memcpy ( hello.extensions.server_name.list[0].name, tls->name,
896 901 
 		 sizeof ( hello.extensions.server_name.list[0].name ) );
902 
+	hello.extensions.max_fragment_length_type
903 
+		= htons ( TLS_MAX_FRAGMENT_LENGTH );
904 
+	hello.extensions.max_fragment_length_len
905 
+		= htons ( sizeof ( hello.extensions.max_fragment_length ) );
906 
+	hello.extensions.max_fragment_length.max
907 
+		= TLS_MAX_FRAGMENT_LENGTH_2048;
897 908
898 909 
 	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
899 910 
 }

Write Preview
Loading…
Cancel
Save