| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7e18e224-ba9f-420d-ad2e-e349d25b58e0@suse.de>
Date: Tue, 29 Jul 2025 10:16:02 +0200
From: Hannes Reinecke <hare@...e.de>
To: Wilfred Mallawa <wilfred.opensource@...il.com>, alistair.francis@....com,
dlemoal@...nel.org, chuck.lever@...cle.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
donald.hunter@...il.com, corbet@....net, kbusch@...nel.org, axboe@...nel.dk,
hch@....de, sagi@...mberg.me, kch@...dia.com, borisp@...dia.com,
john.fastabend@...il.com, jlayton@...nel.org, neil@...wn.name,
okorniev@...hat.com, Dai.Ngo@...cle.com, tom@...pey.com, trondmy@...nel.org,
anna@...nel.org, kernel-tls-handshake@...ts.linux.dev, netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
linux-nvme@...ts.infradead.org, linux-nfs@...r.kernel.org,
Wilfred Mallawa <wilfred.mallawa@....com>
Subject: Re: [RFC 3/4] nvme/host/tcp: set max record size in the tls context
On 7/29/25 04:41, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa@....com>
>
> During a tls handshake, a host may specify the tls record size limit
> using the tls "record_size_limit" extension. Currently, the NVMe TCP
> host driver does not specify this value to the tls layer.
>
> This patch adds support for setting the tls record size limit into the
> tls context, such that outgoing records may not exceed this limit
> specified by the endpoint.
>
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@....com>
> ---
> drivers/nvme/host/tcp.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index 65ceadb4ffed..84a55736f269 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -1677,6 +1677,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid,
> size_t tls_record_size_limit)
> {
> struct nvme_tcp_queue *queue = data;
> + struct tls_context *tls_ctx = tls_get_ctx(queue->sock->sk);
> struct nvme_tcp_ctrl *ctrl = queue->ctrl;
> int qid = nvme_tcp_queue_id(queue);
> struct key *tls_key;
> @@ -1700,6 +1701,20 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid,
> ctrl->ctrl.tls_pskid = key_serial(tls_key);
> key_put(tls_key);
> queue->tls_err = 0;
> +
> + /* Endpoint has specified a maximum tls record size limit */
> + if (tls_record_size_limit > TLS_MAX_PAYLOAD_SIZE) {
> + dev_err(ctrl->ctrl.device,
> + "queue %d: invalid tls max record size limit: %zd\n",
> + nvme_tcp_queue_id(queue), tls_record_size_limit);
> + queue->tls_err = -EINVAL;
> + goto out_complete;
> + } else if (tls_record_size_limit > 0) {
> + tls_ctx->tls_record_size_limit = (u32)tls_record_size_limit;
> + dev_dbg(ctrl->ctrl.device,
> + "queue %d: target specified tls_record_size_limit %u\n",
> + nvme_tcp_queue_id(queue), tls_ctx->tls_record_size_limit);
> + }
> }
>
> out_complete:
Why do we need to do that?
This value is never used in that driver, so why can't the TLS layer
handle it?
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@...e.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Powered by blists - more mailing lists