Kernel TLS Receive Side #7848
This pull request completes the support for the Linux kernel TLS data-path
Similarly to the send-side, in the receive-side the kernel returns
The user API is as follows: (also see )
After setting the TLS_RX socket option, all recv family socket calls
Received data is decrypted directly into the user buffer if it is
EINVAL is returned if the TLS version in the received message does not
EMSGSIZE is returned if the received message is too big.
EBADMSG is returned if decryption failed for any other reason.
bernd-edlinger left a comment
please include the linux headers directly.
I tried a test with this patch set
fallocate -l 100M 100M.out
echo -e "GET /100M.out \r\n\r\n" | ./openssl s_client -quiet -connect [fc00::1]:443 -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -tls1_2
And I received this error
139661666381824:error:1408F092:SSL routines:ssl3_get_record:data length too long:ssl/record/ssl3_record.c:783:
Debugging this, it shows the incoming ktls record was 16688 Bytes.
It appears that KTLS RX is able to send > 16KB up to openssl, this is due to the socket buffer being 16712 bytes (defined in ssl3_setup_read_buffer). Not sure how best to solve this as I'm not overly familiar with the openssl codebase.