authorMichael Brown <mcb30@ipxe.org>2012-06-29 15:28:15 +0100
committerMichael Brown <mcb30@ipxe.org>2012-06-29 15:28:15 +0100
commit9a8c6b00d4433eb5c24f50c0c4a93c127d77def0 (patch)
tree4c365afc9d8a34dbaf784779ac842c63142d4c07
parentea61075c60e6417203bbb5fd54e1f313c99c164c (diff)
downloadipxe-9a8c6b00d4433eb5c24f50c0c4a93c127d77def0.zip
ipxe-9a8c6b00d4433eb5c24f50c0c4a93c127d77def0.tar.gz
ipxe-9a8c6b00d4433eb5c24f50c0c4a93c127d77def0.tar.bz2
[tls] Request a maximum fragment length of 2048 bytes
The default maximum plaintext fragment length for TLS is 16kB, which is a substantial amount of memory for iPXE to have to allocate for a temporary decryption buffer. Reduce the memory footprint of TLS connections by requesting a maximum fragment length of 2kB. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/include/ipxe/tls.h9
-rw-r--r--src/net/tls.c11
2 files changed, 19 insertions, 1 deletions
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 4273e4e..2af864d 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -89,10 +89,17 @@ struct tls_header {
/* TLS signature algorithm identifiers */
#define TLS_RSA_ALGORITHM 1
-/* TLS extension types */
+/* TLS server name extension */
#define TLS_SERVER_NAME 0
#define TLS_SERVER_NAME_HOST_NAME 0
+/* TLS maximum fragment length extension */
+#define TLS_MAX_FRAGMENT_LENGTH 1
+#define TLS_MAX_FRAGMENT_LENGTH_512 1
+#define TLS_MAX_FRAGMENT_LENGTH_1024 2
+#define TLS_MAX_FRAGMENT_LENGTH_2048 3
+#define TLS_MAX_FRAGMENT_LENGTH_4096 4
+
/** TLS RX state machine state */
enum tls_rx_state {
TLS_RX_HEADER = 0,
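Review bot: The new `TLS_MAX_FRAGMENT_LENGTH_512` … `_4096` macros are the one-byte MaxFragmentLength codes carried in the extension, not byte counts, and the numeric suffixes invite a reader to assume the opposite. A short comment on the added block would pin this down, e.g. `/* MaxFragmentLength codes (RFC 6066): 1 = 2^9, 2 = 2^10, 3 = 2^11, 4 = 2^12 bytes */`. The same comment is a natural place to note that `TLS_MAX_FRAGMENT_LENGTH` (1) is the extension type number, alongside `TLS_SERVER_NAME` (0), so the two kinds of constant are not confused.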
diff --git a/src/net/tls.c b/src/net/tls.c
index 8d6620d..a3433f9 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -869,6 +869,11 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
uint8_t name[ strlen ( tls->name ) ];
} __attribute__ (( packed )) list[1];
} __attribute__ (( packed )) server_name;
+ uint16_t max_fragment_length_type;
+ uint16_t max_fragment_length_len;
+ struct {
+ uint8_t max;
+ } __attribute__ (( packed )) max_fragment_length;
} __attribute__ (( packed )) extensions;
} __attribute__ (( packed )) hello;
unsigned int i;
@@ -894,6 +899,12 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
= htons ( sizeof ( hello.extensions.server_name.list[0].name ));
memcpy ( hello.extensions.server_name.list[0].name, tls->name,
sizeof ( hello.extensions.server_name.list[0].name ) );
+ hello.extensions.max_fragment_length_type
+ = htons ( TLS_MAX_FRAGMENT_LENGTH );
+ hello.extensions.max_fragment_length_len
+ = htons ( sizeof ( hello.extensions.max_fragment_length ) );
+ hello.extensions.max_fragment_length.max
+ = TLS_MAX_FRAGMENT_LENGTH_2048;
return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
}
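Review bot: The three added assignments only advertise the 2kB limit; a server is free to ignore the extension and keep sending records up to the 16kB default, and acceptance is only known from the ServerHello, which is outside this hunk. If the temporary decryption buffer is shrunk on the strength of this request alone, the receive path must still bound every record against the limit actually negotiated (the default when the server does not echo the extension) rather than against 2kB, or an oversized record becomes an overflow rather than a protocol error; I cannot see that check from here and would want it confirmed. The new fields also depend on the enclosing extensions length being derived from `sizeof ( hello.extensions )` so that the advertised length grows with them — that line is not in the hunk, presumably it already does. `tls_send_client_hello` begins before this hunk.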