Thread: 11 messages, 4 authors, 2025-09-28

Re: [PATCH v4 1/2] net/tls: support maximum record size limit

From: Simon Horman <horms@kernel.org>
Date: 2025-09-24 17:03:33
Also in: linux-doc, linux-kselftest, lkml

On Tue, Sep 23, 2025 at 03:32:06PM +1000, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <redacted>
> 
> During a handshake, an endpoint may specify a maximum record size limit.
> Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the
> maximum record size. This means that the outgoing records from the kernel
> can exceed a lower size negotiated during the handshake. In such a case,
> the TLS endpoint must send a fatal "record_overflow" alert [1], and
> thus the record is discarded.
> 
> Upcoming Western Digital NVMe-TCP hardware controllers implement TLS
> support. For these devices, supporting TLS record size negotiation is
> necessary because the maximum TLS record size supported by the controller
> is less than the default 16KB currently used by the kernel.
> 
> This patch adds support for retrieving the negotiated record size limit
> during a handshake, and enforcing it at the TLS layer such that outgoing
> records are no larger than the size negotiated. This patch depends on
> the respective userspace support in tlshd and GnuTLS [2].
> 
> [1] https://www.rfc-editor.org/rfc/rfc8449
> [2] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005
> 
> Signed-off-by: Wilfred Mallawa <redacted>
> ---
> Changes V3 -> V4:
>     * Added record_size_limit RFC reference to documentation
>     * Always export the record size limit in tls_get_info()
>     * Disallow user space to change the record_size_limit from under us
>       if an open record is pending.
>     * Added record_size_limit minimum size check as per RFC
>     * Allow space for the ContentType byte for TLS 1.3. The expected
>       behaviour is that userspace directly uses the negotiated
>       record_size_limit, kernel will limit the plaintext buffer size
>       appropriately.
>     * New patch to add self-tests.

Hi Wilfred,

Unfortunately this series doesn't apply cleanly against current net-next.
So you will need to rebase and repost after waiting for some more
meaningful review from others.

Also, please include net-next in the subject, assuming that is the target
tree.

Subject: [PATCH net-next v5 1/2] ...

See: https://docs.kernel.org/process/maintainer-netdev.html

Thanks!

...

-- 
pw-bot: changes-requested
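As an added illustration of the rules the cover letter's changelog lists (the RFC 8449 minimum of 64, the protocol ceiling, and the byte reserved for the TLS 1.3 ContentType), the following C sketch computes the plaintext cap for a negotiated record_size_limit and splits an outgoing buffer so that no record exceeds it. This is constructed example code, not the kernel patch itself; the helpers tls_plaintext_cap and tls_split_records are hypothetical, and TLS_MAX_PAYLOAD_SIZE is the kernel constant the cover letter names, redefined here for a stand-alone build.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not the kernel's implementation. */
#define TLS_MAX_PAYLOAD_SIZE (1 << 14) /* 16KB default named in the cover letter */
#define RFC8449_MIN_LIMIT    64        /* smallest value RFC 8449 permits */

/* Hypothetical helper: maximum plaintext bytes per outgoing record for the
 * negotiated record_size_limit, or 0 when the limit is below the RFC 8449
 * minimum (a receiver must reject such a value with illegal_parameter). */
static size_t tls_plaintext_cap(unsigned int record_size_limit, int tls13)
{
	/* TLS 1.3 limits cover TLSInnerPlaintext: ceiling 2^14+1, one byte reserved
	 * for the inner ContentType. */
	unsigned int ceiling = tls13 ? TLS_MAX_PAYLOAD_SIZE + 1 : TLS_MAX_PAYLOAD_SIZE;
	if (record_size_limit < RFC8449_MIN_LIMIT)
		return 0;
	if (record_size_limit > ceiling) /* never exceed the protocol limit */
		record_size_limit = ceiling;
	return tls13 ? record_size_limit - 1 : record_size_limit;
}

/* Hypothetical helper: splits `len` outgoing plaintext bytes into record payload
 * sizes that each respect the cap; stores up to `max_recs` sizes in `out` and
 * returns the count, or 0 if the limit is invalid or `out` is too small, so the
 * caller fails instead of sending a record that draws a fatal record_overflow. */
static size_t tls_split_records(size_t len, unsigned int record_size_limit,
				int tls13, size_t *out, size_t max_recs)
{
	size_t cap = tls_plaintext_cap(record_size_limit, tls13);
	size_t n = 0;
	if (cap == 0)
		return 0;
	while (len > 0) {
		if (n == max_recs)
			return 0;
		out[n] = len > cap ? cap : len;
		len -= out[n++];
	}
	return n;
}

int main(void)
{
	size_t sizes[8]; /* constructed input: 200 bytes, limit 100, TLS 1.3 */
	size_t n = tls_split_records(200, 100, 1, sizes, 8);
	for (size_t i = 0; i < n; i++)
		printf("record %zu: %zu bytes\n", i, sizes[i]);
	return 0;
}
```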