Re: [PATCH v4 1/2] net/tls: support maximum record size limit

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Simon Horman <horms@kernel.org>
To: Wilfred Mallawa <wilfred.opensource@gmail.com>
Cc: netdev@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, corbet@lwn.net, john.fastabend@gmail.com,
	sd@queasysnail.net, shuah@kernel.org,
	Wilfred Mallawa <wilfred.mallawa@wdc.com>
Subject: Re: [PATCH v4 1/2] net/tls: support maximum record size limit
Date: Wed, 24 Sep 2025 18:03:28 +0100	[thread overview]
Message-ID: <20250924170328.GR836419@horms.kernel.org> (raw)
In-Reply-To: <20250923053207.113938-1-wilfred.opensource@gmail.com>

On Tue, Sep 23, 2025 at 03:32:06PM +1000, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
> 
> During a handshake, an endpoint may specify a maximum record size limit.
> Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the
> maximum record size. Meaning that, the outgoing records from the kernel
> can exceed a lower size negotiated during the handshake. In such a case,
> the TLS endpoint must send a fatal "record_overflow" alert [1], and
> thus the record is discarded.
> 
> Upcoming Western Digital NVMe-TCP hardware controllers implement TLS
> support. For these devices, supporting TLS record size negotiation is
> necessary because the maximum TLS record size supported by the controller
> is less than the default 16KB currently used by the kernel.
> 
> This patch adds support for retrieving the negotiated record size limit
> during a handshake, and enforcing it at the TLS layer such that outgoing
> records are no larger than the size negotiated. This patch depends on
> the respective userspace support in tlshd and GnuTLS [2].
> 
> [1] https://www.rfc-editor.org/rfc/rfc8449
> [2] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005
> 
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
> ---
> Changes V3 -> V4:
>     * Added record_size_limit RFC reference to documentation
>     * Always export the record size limit in tls_get_info()
>     * Disallow user space to change the record_size_limit from under us
>       if an open record is pending.
>     * Added record_size_limit minimum size check as per RFC
>     * Allow space for the ContentType byte for TLS 1.3. The expected
>       behaviour is that userspace directly uses the negotiated
>       record_size_limit, kernel will limit the plaintext buffer size
>       appropirately.
>     * New patch to add self-tests.

Hi Wilfred,

Unfortunately this series doesn't apply cleanly against current net-next.
So you will need to rebase and repost after waiting for some more
meaningful review from others.

Also, please include net-next in the subject, assuming that is the target
tree.

Subject: [PATCH net-next v5 1/2] ...

See: https://docs.kernel.org/process/maintainer-netdev.html

Thanks!

...

-- 
pw-bot: changes-requested

next prev parent reply	other threads:[~2025-09-24 17:03 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-23  5:32 [PATCH v4 1/2] net/tls: support maximum record size limit Wilfred Mallawa
2025-09-23  5:32 ` [PATCH v4 2/2] selftests: tls: add tls record_size_limit test Wilfred Mallawa
2025-09-24 17:50   ` Sabrina Dubroca
2025-09-25  5:16     ` Wilfred Mallawa
2025-09-24 17:03 ` Simon Horman [this message]
2025-09-25  5:19   ` [PATCH v4 1/2] net/tls: support maximum record size limit Wilfred Mallawa
2025-09-24 17:50 ` Sabrina Dubroca
2025-09-25  5:39   ` Wilfred Mallawa
2025-09-25 21:29     ` Sabrina Dubroca
2025-09-25 23:37       ` Wilfred Mallawa
2025-09-28 21:44         ` Sabrina Dubroca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250924170328.GR836419@horms.kernel.org \
    --to=horms@kernel.org \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sd@queasysnail.net \
    --cc=shuah@kernel.org \
    --cc=wilfred.mallawa@wdc.com \
    --cc=wilfred.opensource@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).