From: Wilfred Mallawa <[email protected]> Currently, for TLS 1.3, ktls does not support record zero padding [1]. Record zero padding is used to allow the sender to hide the size of the traffic patterns from an observer. TLS is susceptible to a variety of traffic analysis attacks based on observing the length and timing of encrypted packets [2]. Upcoming Western Digital NVMe-TCP hardware controllers implement TLS 1.3. Which from a security perspective, can benefit from having record zero padding enabled to mitigate against traffic analysis attacks [2].
Add a new TLS_TX_RANDOM_PAD ktls socket option that allows userspace to enable and specify an upperbound for randomized record zero padding in TLS 1.3. When this value is set and non-zero, ktls will append a randomized amount of [0, min(record_room, upper_bound)] bytes to records that are end-of-record (EOR) and aren't full. This can be set back to zero to disable appending zero padding. By default, no record zero padding is added. The number of zero padding bytes is randomised primarilly to reduce some of the throughput overhead of using a fixed zero padding amount up to the record size limit. [1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4l [2] https://datatracker.ietf.org/doc/html/rfc8446#appendix-E.3 Signed-off-by: Wilfred Mallawa <[email protected]> --- Documentation/networking/tls.rst | 21 ++++++++++ include/uapi/linux/tls.h | 2 + net/tls/tls_main.c | 70 ++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 980c442d7161..e112a68a9bfb 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -300,6 +300,27 @@ extra byte used by the ContentType field. [1] https://datatracker.ietf.org/doc/html/rfc8449 +TLS_TX_RANDOM_PAD +~~~~~~~~~~~~~~~~~ + +Enable and set the limit for randomized zero padding [1] of outgoing +TLS records. + +When enabled, TLS records that are not full and are end of record (EOR) +will be padded with a randomly chosen amount of zero padding up to the remaining +record capacity or the limit provided by this option (smaller of the two). +Randomized zero padding can reduce information leakage via observable TLS +record lengths and mitigates traffic analysis based on message size. + +Padding never exceeds the protocol maximum record size and full-sized records +are unchanged. + +This increases bandwidth usage and may add CPU overhead due to padding +generation and larger encryption operations. For workloads with small records, +the bandwidth overhead may be significant. + +[1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4 + Statistics ========== diff --git a/include/uapi/linux/tls.h b/include/uapi/linux/tls.h index b8b9c42f848c..42a318cb5eb8 100644 --- a/include/uapi/linux/tls.h +++ b/include/uapi/linux/tls.h @@ -42,6 +42,7 @@ #define TLS_TX_ZEROCOPY_RO 3 /* TX zerocopy (only sendfile now) */ #define TLS_RX_EXPECT_NO_PAD 4 /* Attempt opportunistic zero-copy */ #define TLS_TX_MAX_PAYLOAD_LEN 5 /* Maximum plaintext size */ +#define TLS_TX_RANDOM_PAD 6 /* TLS TX randomized record zero padding */ /* Supported versions */ #define TLS_VERSION_MINOR(ver) ((ver) & 0xFF) @@ -196,6 +197,7 @@ enum { TLS_INFO_ZC_RO_TX, TLS_INFO_RX_NO_PAD, TLS_INFO_TX_MAX_PAYLOAD_LEN, + TLS_INFO_TX_RANDOM_PAD, __TLS_INFO_MAX, }; #define TLS_INFO_MAX (__TLS_INFO_MAX - 1) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index b0702effbc26..62c525afbc14 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -563,6 +563,30 @@ static int do_tls_getsockopt_tx_payload_len(struct sock *sk, char __user *optval return 0; } +static int do_tls_getsockopt_tx_random_pad(struct sock *sk, char __user *optval, + int __user *optlen) +{ + struct tls_context *ctx = tls_get_ctx(sk); + u16 pad_limit = ctx->tx_record_zero_pad; + int len; + + if (ctx->prot_info.version != TLS_1_3_VERSION) + return -EOPNOTSUPP; + + if (get_user(len, optlen)) + return -EFAULT; + + if (len < sizeof(pad_limit)) + return -EINVAL; + + if (put_user(sizeof(pad_limit), optlen)) + return -EFAULT; + + if (copy_to_user(optval, &pad_limit, sizeof(pad_limit))) + return -EFAULT; + + return 0; +} static int do_tls_getsockopt(struct sock *sk, int optname, char __user *optval, int __user *optlen) { @@ -585,6 +609,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, case TLS_TX_MAX_PAYLOAD_LEN: rc = do_tls_getsockopt_tx_payload_len(sk, optval, optlen); break; + case TLS_TX_RANDOM_PAD: + rc = do_tls_getsockopt_tx_random_pad(sk, optval, optlen); + break; default: rc = -ENOPROTOOPT; break; @@ -860,6 +887,33 @@ static int do_tls_setsockopt_tx_payload_len(struct sock *sk, sockptr_t optval, return 0; } +static int do_tls_setsockopt_tx_random_pad(struct sock *sk, sockptr_t optval, + unsigned int optlen) +{ + struct tls_context *ctx = tls_get_ctx(sk); + struct tls_sw_context_tx *sw_ctx = tls_sw_ctx_tx(ctx); + u16 value; + + if (ctx->prot_info.version != TLS_1_3_VERSION) + return -EOPNOTSUPP; + + if (sw_ctx && sw_ctx->open_rec) + return -EBUSY; + + if (sockptr_is_null(optval) || optlen != sizeof(value)) + return -EINVAL; + + if (copy_from_sockptr(&value, optval, sizeof(value))) + return -EFAULT; + + if (value >= ctx->tx_max_payload_len) + return -EINVAL; + + ctx->tx_record_zero_pad = value; + + return 0; +} + static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval, unsigned int optlen) { @@ -886,6 +940,11 @@ static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval, rc = do_tls_setsockopt_tx_payload_len(sk, optval, optlen); release_sock(sk); break; + case TLS_TX_RANDOM_PAD: + lock_sock(sk); + rc = do_tls_setsockopt_tx_random_pad(sk, optval, optlen); + release_sock(sk); + break; default: rc = -ENOPROTOOPT; break; @@ -1173,6 +1232,13 @@ static int tls_get_info(struct sock *sk, struct sk_buff *skb, bool net_admin) if (err) goto nla_failure; + if (version != TLS_1_3_VERSION) { + err = nla_put_u16(skb, TLS_INFO_TX_RANDOM_PAD, + ctx->tx_record_zero_pad); + if (err) + goto nla_failure; + } + rcu_read_unlock(); nla_nest_end(skb, start); return 0; @@ -1185,6 +1251,7 @@ static int tls_get_info(struct sock *sk, struct sk_buff *skb, bool net_admin) static size_t tls_get_info_size(const struct sock *sk, bool net_admin) { + struct tls_context *ctx = tls_get_ctx(sk); size_t size = 0; size += nla_total_size(0) + /* INET_ULP_INFO_TLS */ @@ -1197,6 +1264,9 @@ static size_t tls_get_info_size(const struct sock *sk, bool net_admin) nla_total_size(sizeof(u16)) + /* TLS_INFO_TX_MAX_PAYLOAD_LEN */ 0; + if (ctx->prot_info.version == TLS_1_3_VERSION) + size += nla_total_size(sizeof(u16)); /* TLS_INFO_TX_RANDOM_PAD */ + return size; } -- 2.53.0
