* [RFC v2 0/1] net/tls: add support for limiting the max record size @ 2025-08-08 7:23 Wilfred Mallawa 2025-08-08 7:24 ` [RFC v2 1/1] net/tls: allow limiting maximum " Wilfred Mallawa 0 siblings, 1 reply; 5+ messages in thread From: Wilfred Mallawa @ 2025-08-08 7:23 UTC (permalink / raw) To: chuck.lever, davem, edumazet, kuba, pabeni, donald.hunter, borisp, john.fastabend Cc: alistair.francis, dlemoal, kernel-tls-handshake, netdev, linux-kernel, Wilfred Mallawa From: Wilfred Mallawa <wilfred.mallawa@wdc.com> During a handshake, an endpoint may specify a maximum record size limit. Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the maximum record size. Meaning that, outgoing records from the kernel can exceed the negotiated size during a handshake. In such a case, the TLS endpoint must send a fatal "record_overflow" alert [1], and thus the record is discarded. Upcoming Western Digital NVMe-TCP hardware controllers implement TLS support. For these devices, supporting TLS record size negotiation is necessary because the maximum TLS record size supported by the controller is less than the default 16KB currently used by the kernel. This patch adds support for retrieving the negotiated record size limit during a handshake, and enforcing it at the TLS layer such that outgoing records are no larger than the size negotiated. This patch depends on the respective userspace support in tlshd [2] and GnuTLS [3]. GnuTLS patches have been merged. [1] https://www.rfc-editor.org/rfc/rfc8449 [2] https://github.com/oracle/ktls-utils/pull/112 [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005 Wilfred Mallawa (1): net/tls: allow limiting maximum record size Documentation/netlink/specs/handshake.yaml | 3 +++ include/net/tls.h | 2 ++ include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 ++-- net/handshake/tlshd.c | 29 +++++++++++++++++++++- net/tls/tls_sw.c | 6 ++++- 6 files changed, 42 insertions(+), 4 deletions(-) -- 2.50.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [RFC v2 1/1] net/tls: allow limiting maximum record size 2025-08-08 7:23 [RFC v2 0/1] net/tls: add support for limiting the max record size Wilfred Mallawa @ 2025-08-08 7:24 ` Wilfred Mallawa 2025-08-18 6:31 ` Hannes Reinecke 0 siblings, 1 reply; 5+ messages in thread From: Wilfred Mallawa @ 2025-08-08 7:24 UTC (permalink / raw) To: chuck.lever, davem, edumazet, kuba, pabeni, donald.hunter, borisp, john.fastabend Cc: alistair.francis, dlemoal, kernel-tls-handshake, netdev, linux-kernel, Wilfred Mallawa From: Wilfred Mallawa <wilfred.mallawa@wdc.com> During a handshake, an endpoint may specify a maximum record size limit. Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the maximum record size. Meaning that, the outgoing records from the kernel can exceed a lower size negotiated during the handshake. In such a case, the TLS endpoint must send a fatal "record_overflow" alert [1], and thus the record is discarded. This patch adds support for retrieving the negotiated record size limit during a handshake, and enforcing it at the TLS layer such that outgoing records are no larger than the size negotiated. This patch depends on the respective userspace support in tlshd [2] and GnuTLS [3]. [1] https://www.rfc-editor.org/rfc/rfc8449 [2] https://github.com/oracle/ktls-utils/pull/112 [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005 Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> --- Documentation/netlink/specs/handshake.yaml | 3 +++ include/net/tls.h | 2 ++ include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 ++-- net/handshake/tlshd.c | 29 +++++++++++++++++++++- net/tls/tls_sw.c | 6 ++++- 6 files changed, 42 insertions(+), 4 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml index b934cc513e3d..4e6bc348f1fd 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -84,6 +84,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: record-size-limit + type: u32 operations: list: diff --git a/include/net/tls.h b/include/net/tls.h index 857340338b69..02e7b59fcc30 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -250,6 +250,8 @@ struct tls_context { */ unsigned long flags; + u32 tls_record_size_limit; + /* cache cold stuff */ struct proto *sk_proto; struct sock *sk; diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 3d7ea58778c9..0768eb8eb415 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -54,6 +54,7 @@ enum { HANDSHAKE_A_DONE_STATUS = 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX = (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..44c43ce18361 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN }; /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT + 1] = { [HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, }, + [HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT] = { .type = NLA_U32, }, }; /* Ops table for handshake */ @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] = { .cmd = HANDSHAKE_CMD_DONE, .doit = handshake_nl_done_doit, .policy = handshake_done_nl_policy, - .maxattr = HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr = HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, .flags = GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index d6f52839827e..f4e793f6288d 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -19,6 +19,7 @@ #include <net/handshake.h> #include <net/genetlink.h> #include <net/tls_prot.h> +#include <net/tls.h> #include <uapi/linux/keyctl.h> #include <uapi/linux/handshake.h> @@ -37,6 +38,8 @@ struct tls_handshake_req { key_serial_t th_certificate; key_serial_t th_privkey; + struct socket *th_sock; + unsigned int th_num_peerids; key_serial_t th_peerid[5]; }; @@ -52,6 +55,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_consumer_data = args->ta_data; treq->th_peername = args->ta_peername; treq->th_keyring = args->ta_keyring; + treq->th_sock = args->ta_sock; treq->th_num_peerids = 0; treq->th_certificate = TLS_NO_CERT; treq->th_privkey = TLS_NO_PRIVKEY; @@ -85,6 +89,27 @@ static void tls_handshake_remote_peerids(struct tls_handshake_req *treq, } } +static void tls_handshake_record_size(struct tls_handshake_req *treq, + struct genl_info *info) +{ + struct tls_context *tls_ctx; + struct nlattr *head = nlmsg_attrdata(info->nlhdr, GENL_HDRLEN); + struct nlattr *nla; + u32 record_size_limit; + int rem, len = nlmsg_attrlen(info->nlhdr, GENL_HDRLEN); + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) == HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT) { + record_size_limit = nla_get_u32(nla); + if (treq->th_sock) { + tls_ctx = tls_get_ctx(treq->th_sock->sk); + tls_ctx->tls_record_size_limit = record_size_limit; + } + break; + } + } +} + /** * tls_handshake_done - callback to handle a CMD_DONE request * @req: socket on which the handshake was performed @@ -98,8 +123,10 @@ static void tls_handshake_done(struct handshake_req *req, struct tls_handshake_req *treq = handshake_req_private(req); treq->th_peerid[0] = TLS_NO_PEERID; - if (info) + if (info) { tls_handshake_remote_peerids(treq, info); + tls_handshake_record_size(treq, info); + } if (!status) set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index fc88e34b7f33..70ffc4f5e382 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1024,6 +1024,7 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, ssize_t copied = 0; struct sk_msg *msg_pl, *msg_en; struct tls_rec *rec; + u32 tls_record_size_limit; int required_size; int num_async = 0; bool full_record; @@ -1045,6 +1046,9 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, } } + tls_record_size_limit = min_not_zero(tls_ctx->tls_record_size_limit, + TLS_MAX_PAYLOAD_SIZE); + while (msg_data_left(msg)) { if (sk->sk_err) { ret = -sk->sk_err; @@ -1066,7 +1070,7 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, orig_size = msg_pl->sg.size; full_record = false; try_to_copy = msg_data_left(msg); - record_room = TLS_MAX_PAYLOAD_SIZE - msg_pl->sg.size; + record_room = tls_record_size_limit - msg_pl->sg.size; if (try_to_copy >= record_room) { try_to_copy = record_room; full_record = true; -- 2.50.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [RFC v2 1/1] net/tls: allow limiting maximum record size 2025-08-08 7:24 ` [RFC v2 1/1] net/tls: allow limiting maximum " Wilfred Mallawa @ 2025-08-18 6:31 ` Hannes Reinecke 2025-08-21 6:18 ` Wilfred Mallawa 0 siblings, 1 reply; 5+ messages in thread From: Hannes Reinecke @ 2025-08-18 6:31 UTC (permalink / raw) To: Wilfred Mallawa, chuck.lever, davem, edumazet, kuba, pabeni, donald.hunter, borisp, john.fastabend Cc: alistair.francis, dlemoal, kernel-tls-handshake, netdev, linux-kernel, Wilfred Mallawa On 8/8/25 09:24, Wilfred Mallawa wrote: > From: Wilfred Mallawa <wilfred.mallawa@wdc.com> > > During a handshake, an endpoint may specify a maximum record size limit. > Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the > maximum record size. Meaning that, the outgoing records from the kernel > can exceed a lower size negotiated during the handshake. In such a case, > the TLS endpoint must send a fatal "record_overflow" alert [1], and > thus the record is discarded. > > This patch adds support for retrieving the negotiated record size limit > during a handshake, and enforcing it at the TLS layer such that outgoing > records are no larger than the size negotiated. This patch depends on > the respective userspace support in tlshd [2] and GnuTLS [3]. > > [1] https://www.rfc-editor.org/rfc/rfc8449 > [2] https://github.com/oracle/ktls-utils/pull/112 > [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005 > > Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> > --- > Documentation/netlink/specs/handshake.yaml | 3 +++ > include/net/tls.h | 2 ++ > include/uapi/linux/handshake.h | 1 + > net/handshake/genl.c | 5 ++-- > net/handshake/tlshd.c | 29 +++++++++++++++++++++- > net/tls/tls_sw.c | 6 ++++- > 6 files changed, 42 insertions(+), 4 deletions(-) > > diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml > index b934cc513e3d..4e6bc348f1fd 100644 > --- a/Documentation/netlink/specs/handshake.yaml > +++ b/Documentation/netlink/specs/handshake.yaml > @@ -84,6 +84,9 @@ attribute-sets: > name: remote-auth > type: u32 > multi-attr: true > + - > + name: record-size-limit > + type: u32 > > operations: > list: > diff --git a/include/net/tls.h b/include/net/tls.h > index 857340338b69..02e7b59fcc30 100644 > --- a/include/net/tls.h > +++ b/include/net/tls.h > @@ -250,6 +250,8 @@ struct tls_context { > */ > unsigned long flags; > > + u32 tls_record_size_limit; > + > /* cache cold stuff */ > struct proto *sk_proto; > struct sock *sk; > diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h > index 3d7ea58778c9..0768eb8eb415 100644 > --- a/include/uapi/linux/handshake.h > +++ b/include/uapi/linux/handshake.h > @@ -54,6 +54,7 @@ enum { > HANDSHAKE_A_DONE_STATUS = 1, > HANDSHAKE_A_DONE_SOCKFD, > HANDSHAKE_A_DONE_REMOTE_AUTH, > + HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, > > __HANDSHAKE_A_DONE_MAX, > HANDSHAKE_A_DONE_MAX = (__HANDSHAKE_A_DONE_MAX - 1) > diff --git a/net/handshake/genl.c b/net/handshake/genl.c > index f55d14d7b726..44c43ce18361 100644 > --- a/net/handshake/genl.c > +++ b/net/handshake/genl.c > @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN > }; > > /* HANDSHAKE_CMD_DONE - do */ > -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = { > +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT + 1] = { Shouldn't that be 'HANDSHAKE_A_DONE_MAX'? > [HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, }, > [HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, }, > [HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, }, > + [HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT] = { .type = NLA_U32, }, > }; > > /* Ops table for handshake */ > @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] = { > .cmd = HANDSHAKE_CMD_DONE, > .doit = handshake_nl_done_doit, > .policy = handshake_done_nl_policy, > - .maxattr = HANDSHAKE_A_DONE_REMOTE_AUTH, > + .maxattr = HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, HANDSHAKE_A_DONE_MAX - 1? > .flags = GENL_CMD_CAP_DO, > }, > }; > diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c > index d6f52839827e..f4e793f6288d 100644 > --- a/net/handshake/tlshd.c > +++ b/net/handshake/tlshd.c > @@ -19,6 +19,7 @@ > #include <net/handshake.h> > #include <net/genetlink.h> > #include <net/tls_prot.h> > +#include <net/tls.h> > > #include <uapi/linux/keyctl.h> > #include <uapi/linux/handshake.h> > @@ -37,6 +38,8 @@ struct tls_handshake_req { > key_serial_t th_certificate; > key_serial_t th_privkey; > > + struct socket *th_sock; > + > unsigned int th_num_peerids; > key_serial_t th_peerid[5]; > }; > @@ -52,6 +55,7 @@ tls_handshake_req_init(struct handshake_req *req, > treq->th_consumer_data = args->ta_data; > treq->th_peername = args->ta_peername; > treq->th_keyring = args->ta_keyring; > + treq->th_sock = args->ta_sock; > treq->th_num_peerids = 0; > treq->th_certificate = TLS_NO_CERT; > treq->th_privkey = TLS_NO_PRIVKEY; > @@ -85,6 +89,27 @@ static void tls_handshake_remote_peerids(struct tls_handshake_req *treq, > } > } > > +static void tls_handshake_record_size(struct tls_handshake_req *treq, > + struct genl_info *info) > +{ > + struct tls_context *tls_ctx; > + struct nlattr *head = nlmsg_attrdata(info->nlhdr, GENL_HDRLEN); > + struct nlattr *nla; > + u32 record_size_limit; > + int rem, len = nlmsg_attrlen(info->nlhdr, GENL_HDRLEN); > + > + nla_for_each_attr(nla, head, len, rem) { > + if (nla_type(nla) == HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT) { > + record_size_limit = nla_get_u32(nla); > + if (treq->th_sock) { > + tls_ctx = tls_get_ctx(treq->th_sock->sk); > + tls_ctx->tls_record_size_limit = record_size_limit; > + } > + break; > + } > + } > +} > + > /** > * tls_handshake_done - callback to handle a CMD_DONE request > * @req: socket on which the handshake was performed > @@ -98,8 +123,10 @@ static void tls_handshake_done(struct handshake_req *req, > struct tls_handshake_req *treq = handshake_req_private(req); > > treq->th_peerid[0] = TLS_NO_PEERID; > - if (info) > + if (info) { > tls_handshake_remote_peerids(treq, info); > + tls_handshake_record_size(treq, info); > + } > > if (!status) > set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index fc88e34b7f33..70ffc4f5e382 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -1024,6 +1024,7 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, > ssize_t copied = 0; > struct sk_msg *msg_pl, *msg_en; > struct tls_rec *rec; > + u32 tls_record_size_limit; > int required_size; > int num_async = 0; > bool full_record; > @@ -1045,6 +1046,9 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, > } > } > > + tls_record_size_limit = min_not_zero(tls_ctx->tls_record_size_limit, > + TLS_MAX_PAYLOAD_SIZE); > + > while (msg_data_left(msg)) { > if (sk->sk_err) { > ret = -sk->sk_err; > @@ -1066,7 +1070,7 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, > orig_size = msg_pl->sg.size; > full_record = false; > try_to_copy = msg_data_left(msg); > - record_room = TLS_MAX_PAYLOAD_SIZE - msg_pl->sg.size; > + record_room = tls_record_size_limit - msg_pl->sg.size; > if (try_to_copy >= record_room) { > try_to_copy = record_room; > full_record = true; Otherwise: Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC v2 1/1] net/tls: allow limiting maximum record size 2025-08-18 6:31 ` Hannes Reinecke @ 2025-08-21 6:18 ` Wilfred Mallawa 2025-08-21 6:47 ` Hannes Reinecke 0 siblings, 1 reply; 5+ messages in thread From: Wilfred Mallawa @ 2025-08-21 6:18 UTC (permalink / raw) To: Hannes Reinecke, chuck.lever, davem, edumazet, kuba, pabeni, donald.hunter, borisp, john.fastabend Cc: alistair.francis, dlemoal, kernel-tls-handshake, netdev, linux-kernel On Mon, 2025-08-18 at 08:31 +0200, Hannes Reinecke wrote: > [snip] > > --- a/include/uapi/linux/handshake.h > > +++ b/include/uapi/linux/handshake.h > > @@ -54,6 +54,7 @@ enum { > > HANDSHAKE_A_DONE_STATUS = 1, > > HANDSHAKE_A_DONE_SOCKFD, > > HANDSHAKE_A_DONE_REMOTE_AUTH, > > + HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, > > > > __HANDSHAKE_A_DONE_MAX, > > HANDSHAKE_A_DONE_MAX = (__HANDSHAKE_A_DONE_MAX - 1) > > diff --git a/net/handshake/genl.c b/net/handshake/genl.c > > index f55d14d7b726..44c43ce18361 100644 > > --- a/net/handshake/genl.c > > +++ b/net/handshake/genl.c > > @@ -16,10 +16,11 @@ static const struct nla_policy > > handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN > > }; > > > > /* HANDSHAKE_CMD_DONE - do */ > > -static const struct nla_policy > > handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = { > > +static const struct nla_policy > > handshake_done_nl_policy[HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT + 1] = > > { > Hey Hannes, I did consider using HANDSHAKE_A_DONE_MAX, but wasn't sure if the existing convention is there for some reason. But I can switch over if you think that is best. > Shouldn't that be 'HANDSHAKE_A_DONE_MAX'? > > > [HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, }, > > [HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, }, > > [HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, }, > > + [HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT] = { .type = NLA_U32, > > }, > > }; > > > > /* Ops table for handshake */ > > @@ -35,7 +36,7 @@ static const struct genl_split_ops > > handshake_nl_ops[] = { > > .cmd = HANDSHAKE_CMD_DONE, > > .doit = handshake_nl_done_doit, > > .policy = > > handshake_done_nl_policy, > > - .maxattr = HANDSHAKE_A_DONE_REMOTE_AUTH, > > + .maxattr = > > HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, > > HANDSHAKE_A_DONE_MAX - 1? Shouldn't it be `HANDSHAKE_A_DONE_MAX`? Unless the existing `HANDSHAKE_A_DONE_REMOTE_AUTH` is incorrect? Thanks for the review! Regards, Wilfred > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC v2 1/1] net/tls: allow limiting maximum record size 2025-08-21 6:18 ` Wilfred Mallawa @ 2025-08-21 6:47 ` Hannes Reinecke 0 siblings, 0 replies; 5+ messages in thread From: Hannes Reinecke @ 2025-08-21 6:47 UTC (permalink / raw) To: Wilfred Mallawa, chuck.lever, davem, edumazet, kuba, pabeni, donald.hunter, borisp, john.fastabend Cc: alistair.francis, dlemoal, kernel-tls-handshake, netdev, linux-kernel On 8/21/25 08:18, Wilfred Mallawa wrote: > On Mon, 2025-08-18 at 08:31 +0200, Hannes Reinecke wrote: >> > [snip] >>> --- a/include/uapi/linux/handshake.h >>> +++ b/include/uapi/linux/handshake.h >>> @@ -54,6 +54,7 @@ enum { >>> HANDSHAKE_A_DONE_STATUS = 1, >>> HANDSHAKE_A_DONE_SOCKFD, >>> HANDSHAKE_A_DONE_REMOTE_AUTH, >>> + HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, >>> >>> __HANDSHAKE_A_DONE_MAX, >>> HANDSHAKE_A_DONE_MAX = (__HANDSHAKE_A_DONE_MAX - 1) >>> diff --git a/net/handshake/genl.c b/net/handshake/genl.c >>> index f55d14d7b726..44c43ce18361 100644 >>> --- a/net/handshake/genl.c >>> +++ b/net/handshake/genl.c >>> @@ -16,10 +16,11 @@ static const struct nla_policy >>> handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN >>> }; >>> >>> /* HANDSHAKE_CMD_DONE - do */ >>> -static const struct nla_policy >>> handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = { >>> +static const struct nla_policy >>> handshake_done_nl_policy[HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT + 1] = >>> { >> > Hey Hannes, > > I did consider using HANDSHAKE_A_DONE_MAX, but wasn't sure if the > existing convention is there for some reason. But I can switch over if > you think that is best. > I guess, no reason, just an oversight. >> Shouldn't that be 'HANDSHAKE_A_DONE_MAX'? >> >>> [HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, }, >>> [HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, }, >>> [HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, }, >>> + [HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT] = { .type = NLA_U32, >>> }, >>> }; >>> >>> /* Ops table for handshake */ >>> @@ -35,7 +36,7 @@ static const struct genl_split_ops >>> handshake_nl_ops[] = { >>> .cmd = HANDSHAKE_CMD_DONE, >>> .doit = handshake_nl_done_doit, >>> .policy = >>> handshake_done_nl_policy, >>> - .maxattr = HANDSHAKE_A_DONE_REMOTE_AUTH, >>> + .maxattr = >>> HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT, >> >> HANDSHAKE_A_DONE_MAX - 1? > > Shouldn't it be `HANDSHAKE_A_DONE_MAX`? Unless the existing > `HANDSHAKE_A_DONE_REMOTE_AUTH` is incorrect? > Yes, you are right. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-08-21 6:47 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-08-08 7:23 [RFC v2 0/1] net/tls: add support for limiting the max record size Wilfred Mallawa 2025-08-08 7:24 ` [RFC v2 1/1] net/tls: allow limiting maximum " Wilfred Mallawa 2025-08-18 6:31 ` Hannes Reinecke 2025-08-21 6:18 ` Wilfred Mallawa 2025-08-21 6:47 ` Hannes Reinecke
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).