| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3339e2d0-02ac-470a-9511-0e60ed1d0598@suse.de>
Date: Tue, 29 Jul 2025 10:16:48 +0200
From: Hannes Reinecke <hare@...e.de>
To: Wilfred Mallawa <wilfred.opensource@...il.com>, alistair.francis@....com,
dlemoal@...nel.org, chuck.lever@...cle.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
donald.hunter@...il.com, corbet@....net, kbusch@...nel.org, axboe@...nel.dk,
hch@....de, sagi@...mberg.me, kch@...dia.com, borisp@...dia.com,
john.fastabend@...il.com, jlayton@...nel.org, neil@...wn.name,
okorniev@...hat.com, Dai.Ngo@...cle.com, tom@...pey.com, trondmy@...nel.org,
anna@...nel.org, kernel-tls-handshake@...ts.linux.dev, netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
linux-nvme@...ts.infradead.org, linux-nfs@...r.kernel.org,
Wilfred Mallawa <wilfred.mallawa@....com>
Subject: Re: [RFC 4/4] nvme/target/tcp: set max record size in the tls context
On 7/29/25 04:41, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa@....com>
>
> During a tls handshake, a host may specify the tls record size limit
> using the tls "record_size_limit" extension. Currently, the NVMe target
> driver does not specify this value to the tls layer.
>
> This patch adds support for setting the tls record size limit into the
> tls context, such that outgoing records may not exceed this limit
> specified by the endpoint.
>
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@....com>
> ---
> drivers/nvme/target/tcp.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> index 60e308401a54..f2ab473ea5de 100644
> --- a/drivers/nvme/target/tcp.c
> +++ b/drivers/nvme/target/tcp.c
> @@ -1784,6 +1784,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
> size_t tls_record_size_limit)
> {
> struct nvmet_tcp_queue *queue = data;
> + struct tls_context *tls_ctx = tls_get_ctx(queue->sock->sk);
>
> pr_debug("queue %d: TLS handshake done, key %x, status %d\n",
> queue->idx, peerid, status);
> @@ -1795,6 +1796,17 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
> if (!status) {
> queue->tls_pskid = peerid;
> queue->state = NVMET_TCP_Q_CONNECTING;
> +
> + /* Endpoint has specified a maximum tls record size limit */
> + if (tls_record_size_limit > TLS_MAX_PAYLOAD_SIZE) {
> + pr_err("queue %d: invalid tls max record size limit: %zu\n",
> + queue->idx, tls_record_size_limit);
> + queue->state = NVMET_TCP_Q_FAILED;
> + } else if (tls_record_size_limit > 0) {
> + tls_ctx->tls_record_size_limit = (u32)tls_record_size_limit;
> + pr_debug("queue %d: host specified tls max record size %u\n",
> + queue->idx, tls_ctx->tls_record_size_limit);
> + }
> } else
> queue->state = NVMET_TCP_Q_FAILED;
> spin_unlock_bh(&queue->state_lock);
> @@ -1808,6 +1820,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
> nvmet_tcp_schedule_release_queue(queue);
> else
> nvmet_tcp_set_queue_sock(queue);
> +
> kref_put(&queue->kref, nvmet_tcp_release_queue);
> }
>
Again, why?
I'd rather have the TLS layer handling that internally.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@...e.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Powered by blists - more mailing lists