Re: [PATCH v4 1/2] net/tls: support maximum record size limit

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sabrina Dubroca <sd@queasysnail.net>
To: Wilfred Mallawa <wilfred.opensource@gmail.com>
Cc: netdev@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org, corbet@lwn.net,
	john.fastabend@gmail.com, shuah@kernel.org,
	Wilfred Mallawa <wilfred.mallawa@wdc.com>
Subject: Re: [PATCH v4 1/2] net/tls: support maximum record size limit
Date: Wed, 24 Sep 2025 19:50:56 +0200	[thread overview]
Message-ID: <aNQvgD7AvFe7-sAv@krikkit> (raw)
In-Reply-To: <20250923053207.113938-1-wilfred.opensource@gmail.com>

2025-09-23, 15:32:06 +1000, Wilfred Mallawa wrote:
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index a3ccb3135e51..09883d9c6c96 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -544,6 +544,31 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
>  	return 0;
>  }
>  
> +static int do_tls_getsockopt_tx_record_size(struct sock *sk, char __user *optval,
> +					    int __user *optlen)
> +{
> +	struct tls_context *ctx = tls_get_ctx(sk);
> +	int len;
> +	/* TLS 1.3: Record length contains ContentType */
> +	u16 record_size_limit = ctx->prot_info.version == TLS_1_3_VERSION ?
> +				ctx->tx_record_size_limit + 1 :
> +				ctx->tx_record_size_limit;

nit: reverse xmas tree


[...]
> +static int do_tls_setsockopt_tx_record_size(struct sock *sk, sockptr_t optval,
> +					    unsigned int optlen)
> +{
> +	struct tls_context *ctx = tls_get_ctx(sk);
> +	struct tls_sw_context_tx *sw_ctx = tls_sw_ctx_tx(ctx);
> +	u16 value;
> +
> +	if (sw_ctx->open_rec)
> +		return -EBUSY;
> +
> +	if (sockptr_is_null(optval) || optlen != sizeof(value))
> +		return -EINVAL;
> +
> +	if (copy_from_sockptr(&value, optval, sizeof(value)))
> +		return -EFAULT;
> +
> +	if (value < TLS_MIN_RECORD_SIZE_LIM)
> +		return -EINVAL;
> +
> +	if (ctx->prot_info.version == TLS_1_2_VERSION &&
> +	    value > TLS_MAX_PAYLOAD_SIZE)
> +		return -EINVAL;
> +
> +	if (ctx->prot_info.version == TLS_1_3_VERSION &&
> +	    value - 1 > TLS_MAX_PAYLOAD_SIZE)
> +		return -EINVAL;
> +
> +	/*
> +	 * For TLS 1.3: 'value' includes one byte for the appended ContentType.
> +	 * Adjust the kernel's internal plaintext limit accordingly.
> +	 */
> +	ctx->tx_record_size_limit = ctx->prot_info.version == TLS_1_3_VERSION ?
> +				    value - 1 : value;
> +
> +	return 0;
> +}
> +
>  static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval,
>  			     unsigned int optlen)
>  {
> @@ -833,6 +898,9 @@ static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval,
>  	case TLS_RX_EXPECT_NO_PAD:
>  		rc = do_tls_setsockopt_no_pad(sk, optval, optlen);
>  		break;
> +	case TLS_TX_RECORD_SIZE_LIM:
> +		rc = do_tls_setsockopt_tx_record_size(sk, optval, optlen);

I think we want to lock the socket here, to avoid any concurrent send()?
Especially now with the ->open_rec check.


> @@ -1111,6 +1180,11 @@ static int tls_get_info(struct sock *sk, struct sk_buff *skb, bool net_admin)
>  			goto nla_failure;
>  	}
>  
> +	err = nla_put_u16(skb, TLS_INFO_TX_RECORD_SIZE_LIM,
> +			  ctx->tx_record_size_limit);

I'm not sure here: if we do the +1 adjustment we'd be consistent with
the value reported by getsockopt, but OTOH users may get confused
about seeing a value larger than TLS_MAX_PAYLOAD_SIZE.

-- 
Sabrina

next prev parent reply	other threads:[~2025-09-24 17:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-23  5:32 [PATCH v4 1/2] net/tls: support maximum record size limit Wilfred Mallawa
2025-09-23  5:32 ` [PATCH v4 2/2] selftests: tls: add tls record_size_limit test Wilfred Mallawa
2025-09-24 17:50   ` Sabrina Dubroca
2025-09-25  5:16     ` Wilfred Mallawa
2025-09-24 17:03 ` [PATCH v4 1/2] net/tls: support maximum record size limit Simon Horman
2025-09-25  5:19   ` Wilfred Mallawa
2025-09-24 17:50 ` Sabrina Dubroca [this message]
2025-09-25  5:39   ` Wilfred Mallawa
2025-09-25 21:29     ` Sabrina Dubroca
2025-09-25 23:37       ` Wilfred Mallawa
2025-09-28 21:44         ` Sabrina Dubroca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aNQvgD7AvFe7-sAv@krikkit \
    --to=sd@queasysnail.net \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=shuah@kernel.org \
    --cc=wilfred.mallawa@wdc.com \
    --cc=wilfred.opensource@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.