[tls] Request a maximum fragment length of 2048 bytes

The default maximum plaintext fragment length for TLS is 16kB, which
is a substantial amount of memory for iPXE to have to allocate for a
temporary decryption buffer.

Reduce the memory footprint of TLS connections by requesting a maximum
fragment length of 2kB.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 4273e4e5401e1118179924125df1a3455fa58ce8..2af864dfeb2ae420f72e618b152689d5418eded3 100644 (file)
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -89,10 +89,17 @@ struct tls_header {
 /* TLS signature algorithm identifiers */
 #define TLS_RSA_ALGORITHM 1
 
-/* TLS extension types */
+/* TLS server name extension */
 #define TLS_SERVER_NAME 0
 #define TLS_SERVER_NAME_HOST_NAME 0
 
+/* TLS maximum fragment length extension */
+#define TLS_MAX_FRAGMENT_LENGTH 1
+#define TLS_MAX_FRAGMENT_LENGTH_512 1
+#define TLS_MAX_FRAGMENT_LENGTH_1024 2
+#define TLS_MAX_FRAGMENT_LENGTH_2048 3
+#define TLS_MAX_FRAGMENT_LENGTH_4096 4
+
 /** TLS RX state machine state */
 enum tls_rx_state {
        TLS_RX_HEADER = 0,

diff --git a/src/net/tls.c b/src/net/tls.c
index 8d6620d3fa6b885edfe2675855e0e809d0a3aa67..a3433f9284e6547c5e1b83e2ed4b0717da9ffb4b 100644 (file)
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -869,6 +869,11 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
                                        uint8_t name[ strlen ( tls->name ) ];
                                } __attribute__ (( packed )) list[1];
                        } __attribute__ (( packed )) server_name;
+                       uint16_t max_fragment_length_type;
+                       uint16_t max_fragment_length_len;
+                       struct {
+                               uint8_t max;
+                       } __attribute__ (( packed )) max_fragment_length;
                } __attribute__ (( packed )) extensions;
        } __attribute__ (( packed )) hello;
        unsigned int i;
@@ -894,6 +899,12 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
                = htons ( sizeof ( hello.extensions.server_name.list[0].name ));
        memcpy ( hello.extensions.server_name.list[0].name, tls->name,
                 sizeof ( hello.extensions.server_name.list[0].name ) );
+       hello.extensions.max_fragment_length_type
+               = htons ( TLS_MAX_FRAGMENT_LENGTH );
+       hello.extensions.max_fragment_length_len
+               = htons ( sizeof ( hello.extensions.max_fragment_length ) );
+       hello.extensions.max_fragment_length.max
+               = TLS_MAX_FRAGMENT_LENGTH_2048;
 
        return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
 }