2025-10-22, 10:19:36 +1000, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <[email protected]>
>
> During a handshake, an endpoint may specify a maximum record size limit.
> Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the
> maximum record size. Meaning that the outgoing records from the kernel
> can exceed a lower size negotiated during the handshake. In such a case,
> the TLS endpoint must send a fatal "record_overflow" alert [1], and
> thus the record is discarded.
>
> Upcoming Western Digital NVMe-TCP hardware controllers implement TLS
> support. For these devices, supporting TLS record size negotiation is
> necessary because the maximum TLS record size supported by the controller
> is less than the default 16KB currently used by the kernel.
>
> Currently, there is no way to inform the kernel of such a limit. This patch
> adds support to a new setsockopt() option `TLS_TX_MAX_PAYLOAD_LEN` that
> allows for setting the maximum plaintext fragment size. Once set, outgoing
> records are no larger than the size specified. This option can be used to
> specify the record size limit.
>
> [1] https://www.rfc-editor.org/rfc/rfc8449
>
> Signed-off-by: Wilfred Mallawa <[email protected]>
> ---
> V7 -> V8:
> - Fixup HTML doc indentation
> - Drop the getsockopt() change in V7 where ContentType was included in the
>   max payload length
> ---
>  Documentation/networking/tls.rst | 20 ++++++++++
>  include/net/tls.h                |  3 ++
>  include/uapi/linux/tls.h         |  2 +
>  net/tls/tls_device.c             |  2 +-
>  net/tls/tls_main.c               | 64 ++++++++++++++++++++++++++++++++
>  net/tls/tls_sw.c                 |  2 +-
>  6 files changed, 91 insertions(+), 2 deletions(-)
Reviewed-by: Sabrina Dubroca <[email protected]>

Thanks Wilfred.

-- 
Sabrina
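An added example, not part of the patch or of this thread, of how an application would apply a negotiated record size limit through the option the cover letter describes: it range-checks the value against the RFC 8449 minimum and the kernel's 16KB default before calling setsockopt(), and distinguishes a kernel that predates the option (ENOPROTOOPT) from other failures. The fallback numeric value of TLS_TX_MAX_PAYLOAD_LEN and the helper names are assumptions; the socket is assumed to already have the "tls" ULP and TLS_TX parameters installed.

```c
/* Added example (not the patch's own code): cap outgoing kTLS record
 * size with TLS_TX_MAX_PAYLOAD_LEN and report kernels lacking it. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <linux/tls.h>

/* Kernel default maximum plaintext fragment (TLS_MAX_PAYLOAD_SIZE, 16KB). */
#define KTLS_DEFAULT_MAX_PAYLOAD (1u << 14)
/* RFC 8449, section 4: a record_size_limit below 64 must not be sent. */
#define RFC8449_MIN_RECORD_SIZE_LIMIT 64u

#ifndef SOL_TLS
#define SOL_TLS 282
#endif
#ifndef TLS_TX_MAX_PAYLOAD_LEN
/* Assumed value for headers that predate the option; take the real
 * one from include/uapi/linux/tls.h of the kernel being built against. */
#define TLS_TX_MAX_PAYLOAD_LEN 5
#endif

/* Returns 0 on success, -EINVAL for an out-of-range limit, -ENOPROTOOPT
 * when the running kernel lacks the option, else -errno from setsockopt(). */
int ktls_set_tx_max_payload_len(int fd, unsigned int limit)
{
    if (limit < RFC8449_MIN_RECORD_SIZE_LIMIT ||
        limit > KTLS_DEFAULT_MAX_PAYLOAD)
        return -EINVAL;
    if (setsockopt(fd, SOL_TLS, TLS_TX_MAX_PAYLOAD_LEN,
                   &limit, sizeof(limit)) < 0)
        return -errno;
    return 0;
}

/* Apply the peer's negotiated limit. A limit at or above the kernel default
 * needs no change; a lower one must take effect, or the peer will answer
 * oversized records with a fatal record_overflow alert. */
int ktls_apply_peer_limit(int fd, unsigned int peer_limit)
{
    int rc;

    if (peer_limit >= KTLS_DEFAULT_MAX_PAYLOAD)
        return 0;
    rc = ktls_set_tx_max_payload_len(fd, peer_limit);
    if (rc == -ENOPROTOOPT)
        fprintf(stderr, "kernel cannot cap TLS records at %u bytes; "
                        "do not send on this socket\n", peer_limit);
    return rc;
}
```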
