[RFC net-next 2/3] net/tls: add randomized zero padding socket option

[Wilfred Mallawa <wilfred.opensource@gmail.com>]

From: Wilfred Mallawa <wilfred.mallawa@wdc.com>

Currently, for TLS 1.3, ktls does not support record zero padding [1].
Record zero padding is used to allow the sender to hide the size of the
traffic patterns from an observer. TLS is susceptible to a variety of traffic
analysis attacks based on observing the length and timing of encrypted
packets [2]. Upcoming Western Digital NVMe-TCP hardware controllers
implement TLS 1.3. Which from a security perspective, can benefit from having
record zero padding enabled to mitigate against traffic analysis attacks
[2].

Add a new TLS_TX_RANDOM_PAD ktls socket option that allows userspace to
enable and specify an upperbound for randomized record zero padding
in TLS 1.3. When this value is set and non-zero, ktls will append a
randomized amount of [0, min(record_room, upper_bound)] bytes to records
that are end-of-record (EOR) and aren't full. This can be set back to zero
to disable appending zero padding. By default, no record zero padding is added.

The number of zero padding bytes is randomised primarilly to reduce some of
the throughput overhead of using a fixed zero padding amount up to the
record size limit.

[1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4l
[2] https://datatracker.ietf.org/doc/html/rfc8446#appendix-E.3

Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
---
 Documentation/networking/tls.rst | 21 ++++++++++
 include/uapi/linux/tls.h         |  2 +
 net/tls/tls_main.c               | 70 ++++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+)

diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst
index 980c442d7161..e112a68a9bfb 100644
--- a/Documentation/networking/tls.rst
+++ b/Documentation/networking/tls.rst
@@ -300,6 +300,27 @@ extra byte used by the ContentType field.
 
 [1] https://datatracker.ietf.org/doc/html/rfc8449
 
+TLS_TX_RANDOM_PAD
+~~~~~~~~~~~~~~~~~
+
+Enable and set the limit for randomized zero padding [1] of outgoing
+TLS records.
+
+When enabled, TLS records that are not full and are end of record (EOR)
+will be padded with a randomly chosen amount of zero padding up to the remaining
+record capacity or the limit provided by this option (smaller of the two).
+Randomized zero padding can reduce information leakage via observable TLS
+record lengths and mitigates traffic analysis based on message size.
+
+Padding never exceeds the protocol maximum record size and full-sized records
+are unchanged.
+
+This increases bandwidth usage and may add CPU overhead due to padding
+generation and larger encryption operations. For workloads with small records,
+the bandwidth overhead may be significant.
+
+[1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4
+
 Statistics
 ==========
 
diff --git a/include/uapi/linux/tls.h b/include/uapi/linux/tls.h
index b8b9c42f848c..42a318cb5eb8 100644
--- a/include/uapi/linux/tls.h
+++ b/include/uapi/linux/tls.h
@@ -42,6 +42,7 @@
 #define TLS_TX_ZEROCOPY_RO	3	/* TX zerocopy (only sendfile now) */
 #define TLS_RX_EXPECT_NO_PAD	4	/* Attempt opportunistic zero-copy */
 #define TLS_TX_MAX_PAYLOAD_LEN	5	/* Maximum plaintext size */
+#define TLS_TX_RANDOM_PAD	6	/* TLS TX randomized record zero padding */
 
 /* Supported versions */
 #define TLS_VERSION_MINOR(ver)	((ver) & 0xFF)
@@ -196,6 +197,7 @@ enum {
 	TLS_INFO_ZC_RO_TX,
 	TLS_INFO_RX_NO_PAD,
 	TLS_INFO_TX_MAX_PAYLOAD_LEN,
+	TLS_INFO_TX_RANDOM_PAD,
 	__TLS_INFO_MAX,
 };
 #define TLS_INFO_MAX (__TLS_INFO_MAX - 1)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index b0702effbc26..62c525afbc14 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -563,6 +563,30 @@ static int do_tls_getsockopt_tx_payload_len(struct sock *sk, char __user *optval
 	return 0;
 }
 
+static int do_tls_getsockopt_tx_random_pad(struct sock *sk, char __user *optval,
+					   int __user *optlen)
+{
+	struct tls_context *ctx = tls_get_ctx(sk);
+	u16 pad_limit = ctx->tx_record_zero_pad;
+	int len;
+
+	if (ctx->prot_info.version != TLS_1_3_VERSION)
+		return -EOPNOTSUPP;
+
+	if (get_user(len, optlen))
+		return -EFAULT;
+
+	if (len < sizeof(pad_limit))
+		return -EINVAL;
+
+	if (put_user(sizeof(pad_limit), optlen))
+		return -EFAULT;
+
+	if (copy_to_user(optval, &pad_limit, sizeof(pad_limit)))
+		return -EFAULT;
+
+	return 0;
+}
 static int do_tls_getsockopt(struct sock *sk, int optname,
 			     char __user *optval, int __user *optlen)
 {
@@ -585,6 +609,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 	case TLS_TX_MAX_PAYLOAD_LEN:
 		rc = do_tls_getsockopt_tx_payload_len(sk, optval, optlen);
 		break;
+	case TLS_TX_RANDOM_PAD:
+		rc = do_tls_getsockopt_tx_random_pad(sk, optval, optlen);
+		break;
 	default:
 		rc = -ENOPROTOOPT;
 		break;
@@ -860,6 +887,33 @@ static int do_tls_setsockopt_tx_payload_len(struct sock *sk, sockptr_t optval,
 	return 0;
 }
 
+static int do_tls_setsockopt_tx_random_pad(struct sock *sk, sockptr_t optval,
+					   unsigned int optlen)
+{
+	struct tls_context *ctx = tls_get_ctx(sk);
+	struct tls_sw_context_tx *sw_ctx = tls_sw_ctx_tx(ctx);
+	u16 value;
+
+	if (ctx->prot_info.version != TLS_1_3_VERSION)
+		return -EOPNOTSUPP;
+
+	if (sw_ctx && sw_ctx->open_rec)
+		return -EBUSY;
+
+	if (sockptr_is_null(optval) || optlen != sizeof(value))
+		return -EINVAL;
+
+	if (copy_from_sockptr(&value, optval, sizeof(value)))
+		return -EFAULT;
+
+	if (value >= ctx->tx_max_payload_len)
+		return -EINVAL;
+
+	ctx->tx_record_zero_pad = value;
+
+	return 0;
+}
+
 static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval,
 			     unsigned int optlen)
 {
@@ -886,6 +940,11 @@ static int do_tls_setsockopt(struct sock *sk, int optname, sockptr_t optval,
 		rc = do_tls_setsockopt_tx_payload_len(sk, optval, optlen);
 		release_sock(sk);
 		break;
+	case TLS_TX_RANDOM_PAD:
+		lock_sock(sk);
+		rc = do_tls_setsockopt_tx_random_pad(sk, optval, optlen);
+		release_sock(sk);
+		break;
 	default:
 		rc = -ENOPROTOOPT;
 		break;
@@ -1173,6 +1232,13 @@ static int tls_get_info(struct sock *sk, struct sk_buff *skb, bool net_admin)
 	if (err)
 		goto nla_failure;
 
+	if (version != TLS_1_3_VERSION) {
+		err = nla_put_u16(skb, TLS_INFO_TX_RANDOM_PAD,
+				  ctx->tx_record_zero_pad);
+		if (err)
+			goto nla_failure;
+	}
+
 	rcu_read_unlock();
 	nla_nest_end(skb, start);
 	return 0;
@@ -1185,6 +1251,7 @@ static int tls_get_info(struct sock *sk, struct sk_buff *skb, bool net_admin)
 
 static size_t tls_get_info_size(const struct sock *sk, bool net_admin)
 {
+	struct tls_context *ctx = tls_get_ctx(sk);
 	size_t size = 0;
 
 	size += nla_total_size(0) +		/* INET_ULP_INFO_TLS */
@@ -1197,6 +1264,9 @@ static size_t tls_get_info_size(const struct sock *sk, bool net_admin)
 		nla_total_size(sizeof(u16)) +   /* TLS_INFO_TX_MAX_PAYLOAD_LEN */
 		0;
 
+	if (ctx->prot_info.version == TLS_1_3_VERSION)
+		size += nla_total_size(sizeof(u16)); /* TLS_INFO_TX_RANDOM_PAD */
+
 	return size;
 }
 
-- 
2.53.0