From: Geliang Tang <tanggeliang@kylinos.cn>

Prior to this work, MPTCP did not support TLS. The two protocols
conflicted because both MPTCP and TLS use the ULP (Upper Layer
Protocol) infrastructure in the Linux kernel. ULP settings, including
TLS configuration, were disabled in MPTCP. If an application attempted
to set TLS for an MPTCP socket, the system would return an error code
indicating EOPNOTSUPP (Operation not supported).

This series adds KTLS support for MPTCP. Since no ULP is currently
attached to the MPTCP socket (msk), KTLS can be configured directly on
the msk rather than on individual subflows. This does not affect its
existing communication, and leverages HMAC-based authentication to
ensure subflow security.

RFC versions of this series have gone through many iterations on the
MPTCP mailing list, mainly to address Sashiko's review comments. It is
now mostly stable.

A follow-up series will add MPTCP support to the TLS selftests
(tools/testing/selftests/net/tls.c). All existing TCP test cases have
already been verified to pass over MPTCP as well.

The primary validation use case for this work is NVMe over MPTCP with KTLS.
NVMe over TCP is a storage protocol that transports NVMe commands over TCP.
By combining it with MPTCP, multipath capabilities for storage traffic are
gained. By adding KTLS, the storage traffic is secured with encryption.
Although NVMe over MPTCP is still under active development, I have already
verified that KTLS operates correctly on top of it.

All feedback is welcome.

Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/480
Co-developed-by: Gang Yan <yangang@kylinos.cn>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Co-developed-by: Zqiang <qiang.zhang@linux.dev>
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Gang Yan (1):
mptcp: update mptcp_check_readable helper

Geliang Tang (16):
tls: make tls_ctx_create and update_sk_prot static
tls: factor out __tls_build_proto for mptcp support
tls: add protocol dimension to tls operation cache
mptcp: add sendmsg_locked to proto_ops
tls: use sendmsg_locked from the underlying socket
mptcp: implement peek_len for proto_ops
tls: replace tcp_inq with socket peek_len
tls: store original read_sock for non-tcp sockets
tls: introduce tls protocol ops structure
tls: use protocol ops via tls_context
mptcp: implement mptcp-specific tls protocol ops
tls: add mptcp support for sk_poll
tls: disable device offload for mptcp sockets
mptcp: implement ulp getsockopt for tls support
mptcp: implement ulp setsockopt for tls support
selftests: mptcp: connect: use espintcp for ulp test

include/net/mptcp.h | 11 +
include/net/tcp.h | 1 +
include/net/tls.h | 19 ++
net/ipv4/tcp.c | 9 +-
net/mptcp/protocol.c | 180 +++++++++++++-
net/mptcp/protocol.h | 1 +
net/mptcp/sockopt.c | 68 +++++-
net/tls/tls.h | 2 -
net/tls/tls_device.c | 10 +-
net/tls/tls_main.c | 227 +++++++++++++++---
net/tls/tls_strp.c | 35 ++-
net/tls/tls_sw.c | 10 +-
tools/testing/selftests/net/mptcp/config | 4 +
.../selftests/net/mptcp/mptcp_connect.c | 4 +-
14 files changed, 516 insertions(+), 65 deletions(-)
--
2.53.0
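The user-space side of what the cover letter describes, as an added example that is not part of this series or of the kernel's own code: build the TLS 1.2 AES-GCM-128 crypto info, attach the "tls" ULP to an MPTCP socket with TCP_ULP (the call that returned EOPNOTSUPP before this series), install the TX keys with TLS_TX, and turn the resulting errno into a diagnosis. The constants and struct layout are repeated by hand from the kernel UAPI headers (linux/in.h, linux/tcp.h, linux/tls.h) so the file builds without them; the key, salt and IV are constructed sample bytes; ktls_build_info, ktls_enable_tx and ktls_diagnose are names chosen here. Run stand-alone, main() attempts the attach on an unconnected socket, which is expected to fail (and to fail with EOPNOTSUPP on a kernel without this series); the point is the order of the calls.

```c
/*
 * Added example, not code from this series: enabling kernel TLS on an
 * MPTCP socket from user space. As the cover letter says, the "tls" ULP and
 * the record keys go on the MPTCP socket itself. Key material below is a
 * constructed sample; real keys come from a user-space TLS handshake.
 */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Kernel UAPI values (linux/in.h, linux/tcp.h, linux/tls.h), repeated here
 * so the example builds without the kernel headers installed. */
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262
#endif
#ifndef TCP_ULP
#define TCP_ULP 31
#endif
#ifndef SOL_TLS
#define SOL_TLS 282
#endif
#define TLS_TX 1
#define TLS_1_2_VERSION 0x0303
#define TLS_CIPHER_AES_GCM_128 51

/* Same layout as struct tls12_crypto_info_aes_gcm_128 in linux/tls.h. */
struct ktls_aes_gcm_128 {
    uint16_t version;
    uint16_t cipher_type;
    uint8_t iv[8];
    uint8_t key[16];
    uint8_t salt[4];
    uint8_t rec_seq[8];
};

/* Fill the record-layer keying material. seq is the next record sequence
 * number (0 right after the handshake), stored big-endian as on the wire. */
static int ktls_build_info(struct ktls_aes_gcm_128 *ci, const uint8_t key[16],
                           const uint8_t salt[4], const uint8_t iv[8],
                           uint64_t seq)
{
    if (!ci || !key || !salt || !iv)
        return -EINVAL;
    memset(ci, 0, sizeof(*ci));
    ci->version = TLS_1_2_VERSION;
    ci->cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, key, 16);
    memcpy(ci->salt, salt, 4);
    memcpy(ci->iv, iv, 8);
    for (int i = 0; i < 8; i++)
        ci->rec_seq[i] = (uint8_t)(seq >> (56 - 8 * i));
    return 0;
}

/* Attach the "tls" ULP to a connected MPTCP socket and install the TX keys.
 * Returns 0 or -errno. Before this series the TCP_ULP call failed with
 * EOPNOTSUPP on every MPTCP socket. */
static int ktls_enable_tx(int fd, const struct ktls_aes_gcm_128 *ci)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -errno;
    if (setsockopt(fd, SOL_TLS, TLS_TX, ci, sizeof(*ci)) < 0)
        return -errno;
    return 0;
}

/* Map the result of ktls_enable_tx to an actionable diagnosis. */
static const char *ktls_diagnose(int rc)
{
    switch (-rc) {
    case 0:          return "kTLS TX active on the MPTCP socket";
    case EOPNOTSUPP: return "kernel rejects TCP_ULP on MPTCP: predates this series";
    case ENOENT:     return "tls ULP not registered: load the tls module";
    case ENOTCONN:   return "attach the ULP only once the connection is established";
    default:         return "unexpected error from TCP_ULP/TLS_TX setsockopt";
    }
}

int main(void)
{
    /* Constructed sample key material, not a real session key. */
    static const uint8_t key[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
    static const uint8_t salt[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const uint8_t iv[8] = { 8, 7, 6, 5, 4, 3, 2, 1 };
    struct ktls_aes_gcm_128 ci;
    int fd, rc;
    ktls_build_info(&ci, key, salt, iv, 0);
    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
    if (fd < 0) {
        perror("socket(IPPROTO_MPTCP)");  /* EPROTONOSUPPORT: no MPTCP here */
        return 1;
    }
    /* A real client would connect() and finish the TLS handshake here. */
    rc = ktls_enable_tx(fd, &ci);
    printf("%s (rc=%d)\n", ktls_diagnose(rc), rc);
    close(fd);
    return rc ? 1 : 0;
}
```

Because the ULP now sits on the msk, the same two setsockopt calls an application already makes for a TCP socket work unchanged on an MPTCP socket; the only difference is the IPPROTO_MPTCP argument to socket(). The TLS_RX direction is symmetric (TLS_RX with the peer's keys), and TLS device offload is disabled for MPTCP sockets by this series, so only the software path applies.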