2025-10-15, 11:52:43 +1000, Wilfred Mallawa wrote:
diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 36cc7afc2527..dabab17ab84a 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -280,6 +280,17 @@ If the record decrypted turns out to had been padded or is not a data record it will be decrypted again into a kernel buffer without zero copy. Such events are counted in the ``TlsDecryptRetry`` statistic. +TLS_TX_MAX_PAYLOAD_LEN +~~~~~~~~~~~~~~~~~~~~~~
+Sets the maximum size for the plaintext of a protected record.
+When this option is set, the kernel enforces this limit on all transmitted TLS +records, ensuring no plaintext fragment exceeds the specified size. This can be +used to specify the TLS Record Size Limit [1].
Since this is now "max payload" instead of directly the record size, we should probably add something to describe how to derive the value to pass to TLS_TX_MAX_PAYLOAD_LEN from the record size limit:
For TLS1.2, the record size limit can be used directly. For TLS1.3, limit-1 should be passed, as the record size limit includes 1B for the ContentType.
And possibly mention that TLS1.3 record padding is currently unsupported, so whether it should be counted in the value passed via this setsockopt or not is undecided. (I'm not sure we need to go that far. Jakub, WDYT?)
[...]
+static int do_tls_setsockopt_tx_payload_len(struct sock *sk, sockptr_t optval,
unsigned int optlen)+{
- struct tls_context *ctx = tls_get_ctx(sk);
- struct tls_sw_context_tx *sw_ctx = tls_sw_ctx_tx(ctx);
- u16 value;
- if (sw_ctx && sw_ctx->open_rec)
return -EBUSY;- if (sockptr_is_null(optval) || optlen != sizeof(value))
return -EINVAL;- if (copy_from_sockptr(&value, optval, sizeof(value)))
return -EFAULT;- if (value < TLS_MIN_RECORD_SIZE_LIM || value > TLS_MAX_PAYLOAD_SIZE)
For 1.3, should we allow TLS_MIN_RECORD_SIZE_LIM-1? The smallest valid record size limit (according to rfc8449) is 64 (TLS_MIN_RECORD_SIZE_LIM), so after userspace subtracts 1 we would get TLS_MIN_RECORD_SIZE_LIM-1?
(but this would bring back one "are we 1.2 or 1.3?" check :/)
return -EINVAL;- ctx->tx_max_payload_len = value;
- return 0;
+}