[tls] Request a maximum fragment length of 2048 bytes

The default maximum plaintext fragment length for TLS is 16kB, which is a substantial amount of memory for iPXE to have to allocate for a temporary decryption buffer. Reduce the memory footprint of TLS connections by requesting a maximum fragment length of 2kB. Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · Jun 29, 2012 · 9a8c6b0 · 9a8c6b0
1 parent ea61075
commit 9a8c6b0
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
@@ -89,10 +89,17 @@ struct tls_header {
 /* TLS signature algorithm identifiers */
 #define TLS_RSA_ALGORITHM 1
 
-/* TLS extension types */
+/* TLS server name extension */
 #define TLS_SERVER_NAME 0
 #define TLS_SERVER_NAME_HOST_NAME 0
 
+/* TLS maximum fragment length extension */
+#define TLS_MAX_FRAGMENT_LENGTH 1
+#define TLS_MAX_FRAGMENT_LENGTH_512 1
+#define TLS_MAX_FRAGMENT_LENGTH_1024 2
+#define TLS_MAX_FRAGMENT_LENGTH_2048 3
+#define TLS_MAX_FRAGMENT_LENGTH_4096 4
+
 /** TLS RX state machine state */
 enum tls_rx_state {
 	TLS_RX_HEADER = 0,

diff --git a/src/net/tls.c b/src/net/tls.c
@@ -869,6 +869,11 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 					uint8_t name[ strlen ( tls->name ) ];
 				} __attribute__ (( packed )) list[1];
 			} __attribute__ (( packed )) server_name;
+			uint16_t max_fragment_length_type;
+			uint16_t max_fragment_length_len;
+			struct {
+				uint8_t max;
+			} __attribute__ (( packed )) max_fragment_length;
 		} __attribute__ (( packed )) extensions;
 	} __attribute__ (( packed )) hello;
 	unsigned int i;
@@ -894,6 +899,12 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 		= htons ( sizeof ( hello.extensions.server_name.list[0].name ));
 	memcpy ( hello.extensions.server_name.list[0].name, tls->name,
 		 sizeof ( hello.extensions.server_name.list[0].name ) );
+	hello.extensions.max_fragment_length_type
+		= htons ( TLS_MAX_FRAGMENT_LENGTH );
+	hello.extensions.max_fragment_length_len
+		= htons ( sizeof ( hello.extensions.max_fragment_length ) );
+	hello.extensions.max_fragment_length.max
+		= TLS_MAX_FRAGMENT_LENGTH_2048;
 
 	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
 }