lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aPlRzZtmnbLJNzmR@krikkit>
Date: Wed, 22 Oct 2025 23:51:09 +0200
From: Sabrina Dubroca <sd@...asysnail.net>
To: Wilfred Mallawa <wilfred.opensource@...il.com>
Cc: netdev@...r.kernel.org, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
	"David S . Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Jonathan Corbet <corbet@....net>, Simon Horman <horms@...nel.org>,
	John Fastabend <john.fastabend@...il.com>,
	Shuah Khan <shuah@...nel.org>,
	Wilfred Mallawa <wilfred.mallawa@....com>
Subject: Re: [PATCH net-next v8 1/2] net/tls: support setting the maximum
 payload size

2025-10-22, 10:19:36 +1000, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa@....com>
> 
> During a handshake, an endpoint may specify a maximum record size limit.
> Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the
> maximum record size. Meaning that, the outgoing records from the kernel
> can exceed a lower size negotiated during the handshake. In such a case,
> the TLS endpoint must send a fatal "record_overflow" alert [1], and
> thus the record is discarded.
> 
> Upcoming Western Digital NVMe-TCP hardware controllers implement TLS
> support. For these devices, supporting TLS record size negotiation is
> necessary because the maximum TLS record size supported by the controller
> is less than the default 16KB currently used by the kernel.
> 
> Currently, there is no way to inform the kernel of such a limit. This patch
> adds support to a new setsockopt() option `TLS_TX_MAX_PAYLOAD_LEN` that
> allows for setting the maximum plaintext fragment size. Once set, outgoing
> records are no larger than the size specified. This option can be used to
> specify the record size limit.
> 
> [1] https://www.rfc-editor.org/rfc/rfc8449
> 
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@....com>
> ---
> V7 -> V8:
>  - Fixup HTML doc indentation
>  - Drop the getsockopt() change in V7 where ContentType was included in the
>    max payload length
> ---
>  Documentation/networking/tls.rst | 20 ++++++++++
>  include/net/tls.h                |  3 ++
>  include/uapi/linux/tls.h         |  2 +
>  net/tls/tls_device.c             |  2 +-
>  net/tls/tls_main.c               | 64 ++++++++++++++++++++++++++++++++
>  net/tls/tls_sw.c                 |  2 +-
>  6 files changed, 91 insertions(+), 2 deletions(-)

Reviewed-by: Sabrina Dubroca <sd@...asysnail.net>

Thanks Wilfred.

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ