| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250729024150.222513-7-wilfred.opensource@gmail.com>
Date: Tue, 29 Jul 2025 12:41:52 +1000
From: Wilfred Mallawa <wilfred.opensource@...il.com>
To: alistair.francis@....com,
dlemoal@...nel.org,
chuck.lever@...cle.com,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org,
donald.hunter@...il.com,
corbet@....net,
kbusch@...nel.org,
axboe@...nel.dk,
hch@....de,
sagi@...mberg.me,
kch@...dia.com,
borisp@...dia.com,
john.fastabend@...il.com,
jlayton@...nel.org,
neil@...wn.name,
okorniev@...hat.com,
Dai.Ngo@...cle.com,
tom@...pey.com,
trondmy@...nel.org,
anna@...nel.org,
kernel-tls-handshake@...ts.linux.dev,
netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org,
linux-nvme@...ts.infradead.org,
linux-nfs@...r.kernel.org,
Wilfred Mallawa <wilfred.mallawa@....com>
Subject: [RFC 4/4] nvme/target/tcp: set max record size in the tls context
From: Wilfred Mallawa <wilfred.mallawa@....com>
During a tls handshake, a host may specify the tls record size limit
using the tls "record_size_limit" extension. Currently, the NVMe target
driver does not specify this value to the tls layer.
This patch adds support for setting the tls record size limit into the
tls context, such that outgoing records may not exceed this limit
specified by the endpoint.
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@....com>
---
drivers/nvme/target/tcp.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 60e308401a54..f2ab473ea5de 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -1784,6 +1784,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
size_t tls_record_size_limit)
{
struct nvmet_tcp_queue *queue = data;
+ struct tls_context *tls_ctx = tls_get_ctx(queue->sock->sk);
pr_debug("queue %d: TLS handshake done, key %x, status %d\n",
queue->idx, peerid, status);
@@ -1795,6 +1796,17 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
if (!status) {
queue->tls_pskid = peerid;
queue->state = NVMET_TCP_Q_CONNECTING;
+
+ /* Endpoint has specified a maximum tls record size limit */
+ if (tls_record_size_limit > TLS_MAX_PAYLOAD_SIZE) {
+ pr_err("queue %d: invalid tls max record size limit: %zu\n",
+ queue->idx, tls_record_size_limit);
+ queue->state = NVMET_TCP_Q_FAILED;
+ } else if (tls_record_size_limit > 0) {
+ tls_ctx->tls_record_size_limit = (u32)tls_record_size_limit;
+ pr_debug("queue %d: host specified tls max record size %u\n",
+ queue->idx, tls_ctx->tls_record_size_limit);
+ }
} else
queue->state = NVMET_TCP_Q_FAILED;
spin_unlock_bh(&queue->state_lock);
@@ -1808,6 +1820,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
nvmet_tcp_schedule_release_queue(queue);
else
nvmet_tcp_set_queue_sock(queue);
+
kref_put(&queue->kref, nvmet_tcp_release_queue);
}
--
2.50.1
Powered by blists - more mailing lists