lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251023184404.4dd617f0@kernel.org>
Date: Thu, 23 Oct 2025 18:44:04 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Wilfred Mallawa <wilfred.opensource@...il.com>, Sabrina Dubroca
 <sd@...asysnail.net>
Cc: netdev@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, "David S .
 Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Paolo
 Abeni <pabeni@...hat.com>, Jonathan Corbet <corbet@....net>, Simon Horman
 <horms@...nel.org>, John Fastabend <john.fastabend@...il.com>, Shuah Khan
 <shuah@...nel.org>, Wilfred Mallawa <wilfred.mallawa@....com>
Subject: Re: [PATCH net-next v8 1/2] net/tls: support setting the maximum
 payload size

On Wed, 22 Oct 2025 10:19:36 +1000 Wilfred Mallawa wrote:
> +TLS_TX_MAX_PAYLOAD_LEN
> +~~~~~~~~~~~~~~~~~~~~~~
> +
> +Specifies the maximum size of the plaintext payload for transmitted TLS records.
> +
> +When this option is set, the kernel enforces the specified limit on all outgoing
> +TLS records. No plaintext fragment will exceed this size. This option can be used
> +to implement the TLS Record Size Limit extension [1].
> +
> +* For TLS 1.2, the value corresponds directly to the record size limit.
> +* For TLS 1.3, the value should be set to record_size_limit - 1, since
> +  the record size limit includes one additional byte for the ContentType
> +  field.
> +
> +The valid range for this option is 64 to 16384 bytes for TLS 1.2, and 63 to
> +16384 bytes for TLS 1.3. The lower minimum for TLS 1.3 accounts for the
> +extra byte used by the ContentType field.
> +
> +[1] https://datatracker.ietf.org/doc/html/rfc8449

Sorry for not paying attention to the last few revisions.

So we decided to go with the non-RFC definition of the sockopt
parameter? Is there a reason for that? I like how the "per RFC"
behavior shifts any blame away from us :)

> +	err = nla_put_u16(skb, TLS_INFO_TX_MAX_PAYLOAD_LEN,
> +			  ctx->tx_max_payload_len);
> +

nit: unnecessary empty line 

> +	if (err)
> +		goto nla_failure;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ