path: root/src/drivers/linux
author Michael Brown 2012-09-26 22:42:23 +0200
committer Michael Brown 2012-09-27 02:56:01 +0200
commit 72db14640c2a9eac0ba53baa955b180f1f4b9c2f (patch)
tree 239f9dbbdfe5c889a9fd72110efae604ec80b14c /src/drivers/linux
parent [crypto] Allow in-place CBC decryption (diff)
[tls] Split received records over multiple I/O buffers

TLS servers are not obliged to implement the RFC3546 maximum fragment length extension, and many common servers (including OpenSSL, as used in Apache's mod_ssl) do not do so. iPXE may therefore have to cope with TLS records of up to 16kB. Allocations for 16kB have a non-negligible chance of failing, causing the TLS connection to abort.

Fix by maintaining the received record as a linked list of I/O buffers, rather than a single contiguous buffer. To reduce memory pressure, we also decrypt in situ, and deliver the decrypted data via xfer_deliver_iob() rather than xfer_deliver_raw().

Signed-off-by: Michael Brown <mcb30@ipxe.org>

Diffstat (limited to 'src/drivers/linux')
0 files changed, 0 insertions, 0 deletions
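
The approach the commit message describes, sketched as an added example that is not code from this commit or from iPXE: a record is held as a chain of small buffers so that no single allocation approaches 16kB, fragments are copied in across chunk boundaries, and the data is then processed in place. The names `rx_chunk`, `rx_alloc`, `rx_write`, `rx_xor_in_place` and the 2048-byte `CHUNK_LEN` are hypothetical, and a byte-wise XOR stands in for the real cipher.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_LEN 2048 /* assumed per-buffer size, chosen for illustration */

/* One link of the record chain (hypothetical; not iPXE's struct io_buffer) */
struct rx_chunk {
    struct rx_chunk *next;
    size_t len; /* bytes of the record held in data[] */
    unsigned char data[CHUNK_LEN];
};

void rx_free(struct rx_chunk *head) {
    for (struct rx_chunk *next; head; head = next) {
        next = head->next;
        free(head);
    }
}

/* Chain for record_len (> 0) bytes; a failed allocation frees the partial chain. */
struct rx_chunk *rx_alloc(size_t record_len) {
    struct rx_chunk *head = NULL, **tail = &head;
    while (record_len) {
        struct rx_chunk *c = calloc(1, sizeof(*c));
        if (!c) { rx_free(head); return NULL; }
        c->len = record_len < CHUNK_LEN ? record_len : CHUNK_LEN;
        record_len -= c->len;
        *tail = c; tail = &c->next;
    }
    return head;
}

/* Copy a fragment to byte offset off; -1 if it runs past the end of the record
 * (the bytes that do fit are still copied). */
int rx_write(struct rx_chunk *head, size_t off, const void *src, size_t len) {
    const unsigned char *p = src;
    for (struct rx_chunk *c = head; c && len; c = c->next) {
        if (off >= c->len) { off -= c->len; continue; }
        size_t n = (c->len - off < len) ? c->len - off : len;
        memcpy(c->data + off, p, n);
        p += n; len -= n; off = 0;
    }
    return len ? -1 : 0;
}

/* Process the record in situ, chunk by chunk; returns the chunks visited. */
size_t rx_xor_in_place(struct rx_chunk *head, unsigned char key) {
    size_t chunks = 0;
    for (struct rx_chunk *c = head; c; c = c->next, chunks++)
        for (size_t i = 0; i < c->len; i++) c->data[i] ^= key;
    return chunks;
}
```

A real block cipher in CBC mode also needs the previous ciphertext block carried across each chunk boundary, which the XOR stand-in does not model.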