]>
Commit | Line | Data |
---|---|---|
9467fe62 | 1 | /* |
922fed06 | 2 | * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 Nicira, Inc. |
9467fe62 BP |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at: | |
7 | * | |
8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
9 | * | |
10 | * Unless required by applicable law or agreed to in writing, software | |
11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
13 | * See the License for the specific language governing permissions and | |
14 | * limitations under the License. | |
15 | */ | |
16 | ||
17 | #include <config.h> | |
18 | #include "stream-ssl.h" | |
19 | #include "dhparams.h" | |
9467fe62 BP |
20 | #include <ctype.h> |
21 | #include <errno.h> | |
22 | #include <inttypes.h> | |
23 | #include <string.h> | |
bd6b7545 GC |
24 | #include <sys/types.h> |
25 | #include <sys/socket.h> | |
9467fe62 BP |
26 | #include <netinet/tcp.h> |
27 | #include <openssl/err.h> | |
47ebcf25 | 28 | #include <openssl/rand.h> |
9467fe62 BP |
29 | #include <openssl/ssl.h> |
30 | #include <openssl/x509v3.h> | |
31 | #include <poll.h> | |
5ea1366b | 32 | #include <fcntl.h> |
9467fe62 BP |
33 | #include <sys/stat.h> |
34 | #include <unistd.h> | |
f2f7be86 | 35 | #include "coverage.h" |
3e8a2ad1 | 36 | #include "openvswitch/dynamic-string.h" |
47ebcf25 | 37 | #include "entropy.h" |
64c96779 | 38 | #include "openvswitch/ofpbuf.h" |
9467fe62 BP |
39 | #include "openflow/openflow.h" |
40 | #include "packets.h" | |
41 | #include "poll-loop.h" | |
ee89ea7b | 42 | #include "openvswitch/shash.h" |
9467fe62 | 43 | #include "socket-util.h" |
9467fe62 BP |
44 | #include "util.h" |
45 | #include "stream-provider.h" | |
46 | #include "stream.h" | |
415f6c0b | 47 | #include "timeval.h" |
e6211adc | 48 | #include "openvswitch/vlog.h" |
5136ce49 | 49 | |
5ea1366b GS |
50 | #ifdef _WIN32 |
51 | /* Ref: https://www.openssl.org/support/faq.html#PROG2 | |
52 | * Your application must link against the same version of the Win32 C-Runtime | |
53 | * against which your openssl libraries were linked. The default version for | |
54 | * OpenSSL is /MD - "Multithreaded DLL". If we compile Open vSwitch with | |
55 | * something other than /MD, instead of re-compiling OpenSSL | |
56 | * toolkit, openssl/applink.c can be #included. Also, it is important | |
57 | * to add CRYPTO_malloc_init prior first call to OpenSSL. | |
58 | * | |
59 | * XXX: The behavior of the following #include when Open vSwitch is | |
60 | * compiled with /MD is not tested. */ | |
61 | #include <openssl/applink.c> | |
62 | #define SHUT_RDWR SD_BOTH | |
5ea1366b GS |
63 | #endif |
64 | ||
d98e6007 | 65 | VLOG_DEFINE_THIS_MODULE(stream_ssl); |
9467fe62 BP |
66 | |
67 | /* Active SSL. */ | |
68 | ||
69 | enum ssl_state { | |
70 | STATE_TCP_CONNECTING, | |
71 | STATE_SSL_CONNECTING | |
72 | }; | |
73 | ||
74 | enum session_type { | |
75 | CLIENT, | |
76 | SERVER | |
77 | }; | |
78 | ||
79 | struct ssl_stream | |
80 | { | |
81 | struct stream stream; | |
82 | enum ssl_state state; | |
9467fe62 BP |
83 | enum session_type type; |
84 | int fd; | |
85 | SSL *ssl; | |
86 | struct ofpbuf *txbuf; | |
ff1760f1 | 87 | unsigned int session_nr; |
9467fe62 BP |
88 | |
89 | /* rx_want and tx_want record the result of the last call to SSL_read() | |
90 | * and SSL_write(), respectively: | |
91 | * | |
92 | * - If the call reported that data needed to be read from the file | |
93 | * descriptor, the corresponding member is set to SSL_READING. | |
94 | * | |
95 | * - If the call reported that data needed to be written to the file | |
96 | * descriptor, the corresponding member is set to SSL_WRITING. | |
97 | * | |
98 | * - Otherwise, the member is set to SSL_NOTHING, indicating that the | |
99 | * call completed successfully (or with an error) and that there is no | |
100 | * need to block. | |
101 | * | |
102 | * These are needed because there is no way to ask OpenSSL what a data read | |
103 | * or write would require without giving it a buffer to receive into or | |
104 | * data to send, respectively. (Note that the SSL_want() status is | |
105 | * overwritten by each SSL_read() or SSL_write() call, so we can't rely on | |
106 | * its value.) | |
107 | * | |
108 | * A single call to SSL_read() or SSL_write() can perform both reading | |
109 | * and writing and thus invalidate not one of these values but actually | |
110 | * both. Consider this situation, for example: | |
111 | * | |
112 | * - SSL_write() blocks on a read, so tx_want gets SSL_READING. | |
113 | * | |
114 | * - SSL_read() laters succeeds reading from 'fd' and clears out the | |
115 | * whole receive buffer, so rx_want gets SSL_READING. | |
116 | * | |
117 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
118 | * and blocks. | |
119 | * | |
120 | * - Now we're stuck blocking until the peer sends us data, even though | |
121 | * SSL_write() could now succeed, which could easily be a deadlock | |
122 | * condition. | |
123 | * | |
124 | * On the other hand, we can't reset both tx_want and rx_want on every call | |
125 | * to SSL_read() or SSL_write(), because that would produce livelock, | |
126 | * e.g. in this situation: | |
127 | * | |
128 | * - SSL_write() blocks, so tx_want gets SSL_READING or SSL_WRITING. | |
129 | * | |
130 | * - SSL_read() blocks, so rx_want gets SSL_READING or SSL_WRITING, | |
131 | * but tx_want gets reset to SSL_NOTHING. | |
132 | * | |
133 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
134 | * and blocks. | |
135 | * | |
136 | * - Client wakes up immediately since SSL_NOTHING in tx_want indicates | |
137 | * that no blocking is necessary. | |
138 | * | |
139 | * The solution we adopt here is to set tx_want to SSL_NOTHING after | |
140 | * calling SSL_read() only if the SSL state of the connection changed, | |
141 | * which indicates that an SSL-level renegotiation made some progress, and | |
142 | * similarly for rx_want and SSL_write(). This prevents both the | |
143 | * deadlock and livelock situations above. | |
144 | */ | |
145 | int rx_want, tx_want; | |
1e3c0047 | 146 | |
ff1760f1 | 147 | /* A few bytes of header data in case SSL negotiation fails. */ |
1e3c0047 BP |
148 | uint8_t head[2]; |
149 | short int n_head; | |
9467fe62 BP |
150 | }; |
151 | ||
152 | /* SSL context created by ssl_init(). */ | |
153 | static SSL_CTX *ctx; | |
154 | ||
415f6c0b BP |
155 | struct ssl_config_file { |
156 | bool read; /* Whether the file was successfully read. */ | |
157 | char *file_name; /* Configured file name, if any. */ | |
9cb07887 | 158 | struct timespec mtime; /* File mtime as of last time we read it. */ |
415f6c0b BP |
159 | }; |
160 | ||
161 | /* SSL configuration files. */ | |
162 | static struct ssl_config_file private_key; | |
163 | static struct ssl_config_file certificate; | |
164 | static struct ssl_config_file ca_cert; | |
e18a1d08 ER |
165 | static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; |
166 | static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; | |
9467fe62 | 167 | |
ba104a1e BP |
168 | /* Ordinarily, the SSL client and server verify each other's certificates using |
169 | * a CA certificate. Setting this to false disables this behavior. (This is a | |
170 | * security risk.) */ | |
171 | static bool verify_peer_cert = true; | |
172 | ||
9467fe62 | 173 | /* Ordinarily, we require a CA certificate for the peer to be locally |
415f6c0b BP |
174 | * available. We can, however, bootstrap the CA certificate from the peer at |
175 | * the beginning of our first connection then use that certificate on all | |
176 | * subsequent connections, saving it to a file for use in future runs also. In | |
177 | * this case, 'bootstrap_ca_cert' is true. */ | |
9467fe62 | 178 | static bool bootstrap_ca_cert; |
9467fe62 | 179 | |
ff1760f1 BP |
180 | /* Session number. Used in debug logging messages to uniquely identify a |
181 | * session. */ | |
182 | static unsigned int next_session_nr; | |
183 | ||
9467fe62 BP |
184 | /* Who knows what can trigger various SSL errors, so let's throttle them down |
185 | * quite a bit. */ | |
186 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25); | |
187 | ||
188 | static int ssl_init(void); | |
189 | static int do_ssl_init(void); | |
190 | static bool ssl_wants_io(int ssl_error); | |
191 | static void ssl_close(struct stream *); | |
192 | static void ssl_clear_txbuf(struct ssl_stream *); | |
246f5b5e | 193 | static void interpret_queued_ssl_error(const char *function); |
9467fe62 BP |
194 | static int interpret_ssl_error(const char *function, int ret, int error, |
195 | int *want); | |
67a4917b | 196 | static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); |
9467fe62 | 197 | static void log_ca_cert(const char *file_name, X509 *cert); |
415f6c0b | 198 | static void stream_ssl_set_ca_cert_file__(const char *file_name, |
f1484874 | 199 | bool bootstrap, bool force); |
ff1760f1 BP |
200 | static void ssl_protocol_cb(int write_p, int version, int content_type, |
201 | const void *, size_t, SSL *, void *sslv_); | |
f1484874 | 202 | static bool update_ssl_config(struct ssl_config_file *, const char *file_name); |
5ea1366b | 203 | static int sock_errno(void); |
9467fe62 BP |
204 | |
205 | static short int | |
206 | want_to_poll_events(int want) | |
207 | { | |
208 | switch (want) { | |
209 | case SSL_NOTHING: | |
428b2edd | 210 | OVS_NOT_REACHED(); |
9467fe62 BP |
211 | |
212 | case SSL_READING: | |
213 | return POLLIN; | |
214 | ||
215 | case SSL_WRITING: | |
216 | return POLLOUT; | |
217 | ||
218 | default: | |
428b2edd | 219 | OVS_NOT_REACHED(); |
9467fe62 BP |
220 | } |
221 | } | |
222 | ||
223 | static int | |
224 | new_ssl_stream(const char *name, int fd, enum session_type type, | |
a8d81967 | 225 | enum ssl_state state, struct stream **streamp) |
9467fe62 | 226 | { |
9467fe62 BP |
227 | struct ssl_stream *sslv; |
228 | SSL *ssl = NULL; | |
9467fe62 BP |
229 | int retval; |
230 | ||
231 | /* Check for all the needful configuration. */ | |
232 | retval = 0; | |
415f6c0b | 233 | if (!private_key.read) { |
9467fe62 BP |
234 | VLOG_ERR("Private key must be configured to use SSL"); |
235 | retval = ENOPROTOOPT; | |
236 | } | |
415f6c0b | 237 | if (!certificate.read) { |
9467fe62 BP |
238 | VLOG_ERR("Certificate must be configured to use SSL"); |
239 | retval = ENOPROTOOPT; | |
240 | } | |
ba104a1e | 241 | if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { |
9467fe62 BP |
242 | VLOG_ERR("CA certificate must be configured to use SSL"); |
243 | retval = ENOPROTOOPT; | |
244 | } | |
b6d729ad | 245 | if (!retval && !SSL_CTX_check_private_key(ctx)) { |
9467fe62 BP |
246 | VLOG_ERR("Private key does not match certificate public key: %s", |
247 | ERR_error_string(ERR_get_error(), NULL)); | |
248 | retval = ENOPROTOOPT; | |
249 | } | |
250 | if (retval) { | |
251 | goto error; | |
252 | } | |
253 | ||
8b768391 LS |
254 | /* Disable Nagle. |
255 | * On windows platforms, this can only be called upon TCP connected. | |
256 | */ | |
257 | if (state == STATE_SSL_CONNECTING) { | |
b7cefbf7 | 258 | setsockopt_tcp_nodelay(fd); |
9467fe62 BP |
259 | } |
260 | ||
261 | /* Create and configure OpenSSL stream. */ | |
262 | ssl = SSL_new(ctx); | |
263 | if (ssl == NULL) { | |
264 | VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
265 | retval = ENOPROTOOPT; | |
266 | goto error; | |
267 | } | |
268 | if (SSL_set_fd(ssl, fd) == 0) { | |
269 | VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL)); | |
270 | retval = ENOPROTOOPT; | |
271 | goto error; | |
272 | } | |
ba104a1e | 273 | if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { |
9467fe62 BP |
274 | SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); |
275 | } | |
276 | ||
277 | /* Create and return the ssl_stream. */ | |
278 | sslv = xmalloc(sizeof *sslv); | |
279 | stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); | |
9467fe62 BP |
280 | sslv->state = state; |
281 | sslv->type = type; | |
282 | sslv->fd = fd; | |
283 | sslv->ssl = ssl; | |
284 | sslv->txbuf = NULL; | |
285 | sslv->rx_want = sslv->tx_want = SSL_NOTHING; | |
ff1760f1 | 286 | sslv->session_nr = next_session_nr++; |
1e3c0047 | 287 | sslv->n_head = 0; |
ff1760f1 BP |
288 | |
289 | if (VLOG_IS_DBG_ENABLED()) { | |
290 | SSL_set_msg_callback(ssl, ssl_protocol_cb); | |
291 | SSL_set_msg_callback_arg(ssl, sslv); | |
292 | } | |
293 | ||
9467fe62 BP |
294 | *streamp = &sslv->stream; |
295 | return 0; | |
296 | ||
297 | error: | |
298 | if (ssl) { | |
299 | SSL_free(ssl); | |
300 | } | |
5ea1366b | 301 | closesocket(fd); |
9467fe62 BP |
302 | return retval; |
303 | } | |
304 | ||
305 | static struct ssl_stream * | |
306 | ssl_stream_cast(struct stream *stream) | |
307 | { | |
308 | stream_assert_class(stream, &ssl_stream_class); | |
309 | return CONTAINER_OF(stream, struct ssl_stream, stream); | |
310 | } | |
311 | ||
312 | static int | |
f125905c | 313 | ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) |
9467fe62 | 314 | { |
9467fe62 BP |
315 | int error, fd; |
316 | ||
317 | error = ssl_init(); | |
318 | if (error) { | |
319 | return error; | |
320 | } | |
321 | ||
d4763d1d | 322 | error = inet_open_active(SOCK_STREAM, suffix, OFP_PORT, NULL, &fd, |
f125905c | 323 | dscp); |
9467fe62 BP |
324 | if (fd >= 0) { |
325 | int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; | |
a8d81967 | 326 | return new_ssl_stream(name, fd, CLIENT, state, streamp); |
9467fe62 | 327 | } else { |
10a89ef0 | 328 | VLOG_ERR("%s: connect: %s", name, ovs_strerror(error)); |
9467fe62 BP |
329 | return error; |
330 | } | |
331 | } | |
332 | ||
333 | static int | |
334 | do_ca_cert_bootstrap(struct stream *stream) | |
335 | { | |
336 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
337 | STACK_OF(X509) *chain; | |
415f6c0b | 338 | X509 *cert; |
9467fe62 BP |
339 | FILE *file; |
340 | int error; | |
341 | int fd; | |
342 | ||
343 | chain = SSL_get_peer_cert_chain(sslv->ssl); | |
344 | if (!chain || !sk_X509_num(chain)) { | |
345 | VLOG_ERR("could not bootstrap CA cert: no certificate presented by " | |
346 | "peer"); | |
347 | return EPROTO; | |
348 | } | |
415f6c0b | 349 | cert = sk_X509_value(chain, sk_X509_num(chain) - 1); |
9467fe62 | 350 | |
415f6c0b | 351 | /* Check that 'cert' is self-signed. Otherwise it is not a CA |
9467fe62 | 352 | * certificate and we should not attempt to use it as one. */ |
415f6c0b | 353 | error = X509_check_issued(cert, cert); |
9467fe62 BP |
354 | if (error) { |
355 | VLOG_ERR("could not bootstrap CA cert: obtained certificate is " | |
356 | "not self-signed (%s)", | |
357 | X509_verify_cert_error_string(error)); | |
358 | if (sk_X509_num(chain) < 2) { | |
359 | VLOG_ERR("only one certificate was received, so probably the peer " | |
360 | "is not configured to send its CA certificate"); | |
361 | } | |
362 | return EPROTO; | |
363 | } | |
364 | ||
415f6c0b | 365 | fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); |
9467fe62 | 366 | if (fd < 0) { |
deb1f433 | 367 | if (errno == EEXIST) { |
f1484874 BP |
368 | VLOG_INFO_RL(&rl, "reading CA cert %s created by another process", |
369 | ca_cert.file_name); | |
370 | stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true); | |
deb1f433 BP |
371 | return EPROTO; |
372 | } else { | |
373 | VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", | |
10a89ef0 | 374 | ca_cert.file_name, ovs_strerror(errno)); |
deb1f433 BP |
375 | return errno; |
376 | } | |
9467fe62 BP |
377 | } |
378 | ||
379 | file = fdopen(fd, "w"); | |
380 | if (!file) { | |
2a022368 | 381 | error = errno; |
9467fe62 | 382 | VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s", |
10a89ef0 | 383 | ovs_strerror(error)); |
415f6c0b | 384 | unlink(ca_cert.file_name); |
9467fe62 BP |
385 | return error; |
386 | } | |
387 | ||
415f6c0b | 388 | if (!PEM_write_X509(file, cert)) { |
9467fe62 | 389 | VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: " |
415f6c0b BP |
390 | "%s", ca_cert.file_name, |
391 | ERR_error_string(ERR_get_error(), NULL)); | |
9467fe62 | 392 | fclose(file); |
415f6c0b | 393 | unlink(ca_cert.file_name); |
9467fe62 BP |
394 | return EIO; |
395 | } | |
396 | ||
397 | if (fclose(file)) { | |
2a022368 | 398 | error = errno; |
9467fe62 | 399 | VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s", |
10a89ef0 | 400 | ca_cert.file_name, ovs_strerror(error)); |
415f6c0b | 401 | unlink(ca_cert.file_name); |
9467fe62 BP |
402 | return error; |
403 | } | |
404 | ||
415f6c0b BP |
405 | VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name); |
406 | log_ca_cert(ca_cert.file_name, cert); | |
9467fe62 | 407 | bootstrap_ca_cert = false; |
415f6c0b | 408 | ca_cert.read = true; |
9467fe62 | 409 | |
415f6c0b BP |
410 | /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */ |
411 | SSL_CTX_add_client_CA(ctx, cert); | |
9467fe62 | 412 | |
e6a8ca62 | 413 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); |
415f6c0b | 414 | if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { |
9467fe62 BP |
415 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", |
416 | ERR_error_string(ERR_get_error(), NULL)); | |
417 | return EPROTO; | |
418 | } | |
419 | VLOG_INFO("killing successful connection to retry using CA cert"); | |
420 | return EPROTO; | |
421 | } | |
422 | ||
c19ae4cc LR |
423 | static char * |
424 | get_peer_common_name(const struct ssl_stream *sslv) | |
425 | { | |
426 | X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl); | |
427 | if (!peer_cert) { | |
428 | return NULL; | |
429 | } | |
430 | ||
431 | int cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert), | |
432 | NID_commonName, -1); | |
433 | if (cn_index < 0) { | |
434 | return NULL; | |
435 | } | |
436 | ||
437 | X509_NAME_ENTRY *cn_entry = X509_NAME_get_entry( | |
438 | X509_get_subject_name(peer_cert), cn_index); | |
439 | if (!cn_entry) { | |
440 | return NULL; | |
441 | } | |
442 | ||
443 | ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(cn_entry); | |
444 | if (!cn_data) { | |
445 | return NULL; | |
446 | } | |
447 | ||
448 | const char *cn; | |
449 | #if OPENSSL_VERSION_NUMBER < 0x10100000L | |
450 | /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */ | |
451 | cn = (const char *)ASN1_STRING_data(cn_data); | |
452 | #else | |
453 | cn = (const char *)ASN1_STRING_get0_data(cn_data); | |
454 | #endif | |
455 | return xstrdup(cn); | |
456 | } | |
457 | ||
9467fe62 BP |
458 | static int |
459 | ssl_connect(struct stream *stream) | |
460 | { | |
461 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
462 | int retval; | |
463 | ||
464 | switch (sslv->state) { | |
465 | case STATE_TCP_CONNECTING: | |
466 | retval = check_connection_completion(sslv->fd); | |
467 | if (retval) { | |
468 | return retval; | |
469 | } | |
470 | sslv->state = STATE_SSL_CONNECTING; | |
b7cefbf7 | 471 | setsockopt_tcp_nodelay(sslv->fd); |
9467fe62 BP |
472 | /* Fall through. */ |
473 | ||
474 | case STATE_SSL_CONNECTING: | |
1e3c0047 | 475 | /* Capture the first few bytes of received data so that we can guess |
ec9f40dc | 476 | * what kind of funny data we've been sent if SSL negotiation fails. */ |
1e3c0047 BP |
477 | if (sslv->n_head <= 0) { |
478 | sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, | |
479 | MSG_PEEK); | |
480 | } | |
481 | ||
9467fe62 BP |
482 | retval = (sslv->type == CLIENT |
483 | ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); | |
484 | if (retval != 1) { | |
485 | int error = SSL_get_error(sslv->ssl, retval); | |
486 | if (retval < 0 && ssl_wants_io(error)) { | |
487 | return EAGAIN; | |
488 | } else { | |
489 | int unused; | |
f2f7be86 | 490 | |
9467fe62 BP |
491 | interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" |
492 | : "SSL_accept"), retval, error, &unused); | |
493 | shutdown(sslv->fd, SHUT_RDWR); | |
1e3c0047 | 494 | stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, |
922fed06 | 495 | &this_module, stream_get_name(stream)); |
9467fe62 BP |
496 | return EPROTO; |
497 | } | |
498 | } else if (bootstrap_ca_cert) { | |
499 | return do_ca_cert_bootstrap(stream); | |
ba104a1e BP |
500 | } else if (verify_peer_cert |
501 | && ((SSL_get_verify_mode(sslv->ssl) | |
502 | & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) | |
503 | != SSL_VERIFY_PEER)) { | |
9467fe62 BP |
504 | /* Two or more SSL connections completed at the same time while we |
505 | * were in bootstrap mode. Only one of these can finish the | |
506 | * bootstrap successfully. The other one(s) must be rejected | |
507 | * because they were not verified against the bootstrapped CA | |
508 | * certificate. (Alternatively we could verify them against the CA | |
509 | * certificate, but that's more trouble than it's worth. These | |
510 | * connections will succeed the next time they retry, assuming that | |
511 | * they have a certificate against the correct CA.) */ | |
1ee62357 | 512 | VLOG_INFO("rejecting SSL connection during bootstrap race window"); |
9467fe62 BP |
513 | return EPROTO; |
514 | } else { | |
c19ae4cc LR |
515 | char *cn = get_peer_common_name(sslv); |
516 | ||
517 | if (cn) { | |
518 | stream_set_peer_id(stream, cn); | |
519 | free(cn); | |
520 | } | |
9467fe62 BP |
521 | return 0; |
522 | } | |
523 | } | |
524 | ||
428b2edd | 525 | OVS_NOT_REACHED(); |
9467fe62 BP |
526 | } |
527 | ||
528 | static void | |
529 | ssl_close(struct stream *stream) | |
530 | { | |
531 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
532 | ssl_clear_txbuf(sslv); | |
5e4641a1 BP |
533 | |
534 | /* Attempt clean shutdown of the SSL connection. This will work most of | |
535 | * the time, as long as the kernel send buffer has some free space and the | |
536 | * SSL connection isn't renegotiating, etc. That has to be good enough, | |
537 | * since we don't have any way to continue the close operation in the | |
538 | * background. */ | |
539 | SSL_shutdown(sslv->ssl); | |
540 | ||
3d47699c BP |
541 | /* SSL_shutdown() might have signaled an error, in which case we need to |
542 | * flush it out of the OpenSSL error queue or the next OpenSSL operation | |
543 | * will falsely signal an error. */ | |
544 | ERR_clear_error(); | |
545 | ||
9467fe62 | 546 | SSL_free(sslv->ssl); |
5ea1366b | 547 | closesocket(sslv->fd); |
9467fe62 BP |
548 | free(sslv); |
549 | } | |
550 | ||
246f5b5e BP |
551 | static void |
552 | interpret_queued_ssl_error(const char *function) | |
553 | { | |
554 | int queued_error = ERR_get_error(); | |
555 | if (queued_error != 0) { | |
556 | VLOG_WARN_RL(&rl, "%s: %s", | |
557 | function, ERR_error_string(queued_error, NULL)); | |
558 | } else { | |
559 | VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", function); | |
560 | } | |
561 | } | |
562 | ||
9467fe62 BP |
563 | static int |
564 | interpret_ssl_error(const char *function, int ret, int error, | |
565 | int *want) | |
566 | { | |
567 | *want = SSL_NOTHING; | |
568 | ||
569 | switch (error) { | |
570 | case SSL_ERROR_NONE: | |
571 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function); | |
572 | break; | |
573 | ||
574 | case SSL_ERROR_ZERO_RETURN: | |
575 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function); | |
576 | break; | |
577 | ||
578 | case SSL_ERROR_WANT_READ: | |
579 | *want = SSL_READING; | |
580 | return EAGAIN; | |
581 | ||
582 | case SSL_ERROR_WANT_WRITE: | |
583 | *want = SSL_WRITING; | |
584 | return EAGAIN; | |
585 | ||
586 | case SSL_ERROR_WANT_CONNECT: | |
587 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function); | |
588 | break; | |
589 | ||
590 | case SSL_ERROR_WANT_ACCEPT: | |
591 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function); | |
592 | break; | |
593 | ||
594 | case SSL_ERROR_WANT_X509_LOOKUP: | |
595 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP", | |
596 | function); | |
597 | break; | |
598 | ||
599 | case SSL_ERROR_SYSCALL: { | |
600 | int queued_error = ERR_get_error(); | |
601 | if (queued_error == 0) { | |
602 | if (ret < 0) { | |
603 | int status = errno; | |
604 | VLOG_WARN_RL(&rl, "%s: system error (%s)", | |
10a89ef0 | 605 | function, ovs_strerror(status)); |
9467fe62 BP |
606 | return status; |
607 | } else { | |
608 | VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", | |
609 | function); | |
610 | return EPROTO; | |
611 | } | |
612 | } else { | |
613 | VLOG_WARN_RL(&rl, "%s: %s", | |
614 | function, ERR_error_string(queued_error, NULL)); | |
615 | break; | |
616 | } | |
617 | } | |
618 | ||
246f5b5e BP |
619 | case SSL_ERROR_SSL: |
620 | interpret_queued_ssl_error(function); | |
9467fe62 | 621 | break; |
9467fe62 BP |
622 | |
623 | default: | |
624 | VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error); | |
625 | break; | |
626 | } | |
627 | return EIO; | |
628 | } | |
629 | ||
630 | static ssize_t | |
631 | ssl_recv(struct stream *stream, void *buffer, size_t n) | |
632 | { | |
633 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
634 | int old_state; | |
635 | ssize_t ret; | |
636 | ||
637 | /* Behavior of zero-byte SSL_read is poorly defined. */ | |
cb22974d | 638 | ovs_assert(n > 0); |
9467fe62 BP |
639 | |
640 | old_state = SSL_get_state(sslv->ssl); | |
641 | ret = SSL_read(sslv->ssl, buffer, n); | |
642 | if (old_state != SSL_get_state(sslv->ssl)) { | |
643 | sslv->tx_want = SSL_NOTHING; | |
644 | } | |
645 | sslv->rx_want = SSL_NOTHING; | |
646 | ||
647 | if (ret > 0) { | |
648 | return ret; | |
649 | } else { | |
650 | int error = SSL_get_error(sslv->ssl, ret); | |
651 | if (error == SSL_ERROR_ZERO_RETURN) { | |
652 | return 0; | |
653 | } else { | |
2b494771 BP |
654 | return -interpret_ssl_error("SSL_read", ret, error, |
655 | &sslv->rx_want); | |
9467fe62 BP |
656 | } |
657 | } | |
658 | } | |
659 | ||
660 | static void | |
661 | ssl_clear_txbuf(struct ssl_stream *sslv) | |
662 | { | |
663 | ofpbuf_delete(sslv->txbuf); | |
664 | sslv->txbuf = NULL; | |
665 | } | |
666 | ||
667 | static int | |
668 | ssl_do_tx(struct stream *stream) | |
669 | { | |
670 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
671 | ||
672 | for (;;) { | |
673 | int old_state = SSL_get_state(sslv->ssl); | |
560d3df7 | 674 | int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size); |
9467fe62 BP |
675 | if (old_state != SSL_get_state(sslv->ssl)) { |
676 | sslv->rx_want = SSL_NOTHING; | |
677 | } | |
678 | sslv->tx_want = SSL_NOTHING; | |
679 | if (ret > 0) { | |
680 | ofpbuf_pull(sslv->txbuf, ret); | |
560d3df7 | 681 | if (sslv->txbuf->size == 0) { |
9467fe62 BP |
682 | return 0; |
683 | } | |
684 | } else { | |
685 | int ssl_error = SSL_get_error(sslv->ssl, ret); | |
686 | if (ssl_error == SSL_ERROR_ZERO_RETURN) { | |
687 | VLOG_WARN_RL(&rl, "SSL_write: connection closed"); | |
688 | return EPIPE; | |
689 | } else { | |
690 | return interpret_ssl_error("SSL_write", ret, ssl_error, | |
691 | &sslv->tx_want); | |
692 | } | |
693 | } | |
694 | } | |
695 | } | |
696 | ||
697 | static ssize_t | |
698 | ssl_send(struct stream *stream, const void *buffer, size_t n) | |
699 | { | |
700 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
701 | ||
702 | if (sslv->txbuf) { | |
2b494771 | 703 | return -EAGAIN; |
9467fe62 BP |
704 | } else { |
705 | int error; | |
706 | ||
707 | sslv->txbuf = ofpbuf_clone_data(buffer, n); | |
708 | error = ssl_do_tx(stream); | |
709 | switch (error) { | |
710 | case 0: | |
711 | ssl_clear_txbuf(sslv); | |
2b494771 | 712 | return n; |
9467fe62 | 713 | case EAGAIN: |
2b494771 | 714 | return n; |
9467fe62 | 715 | default: |
5c8f8763 | 716 | ssl_clear_txbuf(sslv); |
2b494771 | 717 | return -error; |
9467fe62 BP |
718 | } |
719 | } | |
720 | } | |
721 | ||
722 | static void | |
723 | ssl_run(struct stream *stream) | |
724 | { | |
725 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
726 | ||
727 | if (sslv->txbuf && ssl_do_tx(stream) != EAGAIN) { | |
728 | ssl_clear_txbuf(sslv); | |
729 | } | |
730 | } | |
731 | ||
732 | static void | |
733 | ssl_run_wait(struct stream *stream) | |
734 | { | |
735 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
736 | ||
737 | if (sslv->tx_want != SSL_NOTHING) { | |
1ca3348e | 738 | poll_fd_wait(sslv->fd, want_to_poll_events(sslv->tx_want)); |
9467fe62 BP |
739 | } |
740 | } | |
741 | ||
742 | static void | |
743 | ssl_wait(struct stream *stream, enum stream_wait_type wait) | |
744 | { | |
745 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
746 | ||
747 | switch (wait) { | |
748 | case STREAM_CONNECT: | |
749 | if (stream_connect(stream) != EAGAIN) { | |
750 | poll_immediate_wake(); | |
751 | } else { | |
752 | switch (sslv->state) { | |
753 | case STATE_TCP_CONNECTING: | |
1ca3348e | 754 | poll_fd_wait(sslv->fd, POLLOUT); |
9467fe62 BP |
755 | break; |
756 | ||
757 | case STATE_SSL_CONNECTING: | |
758 | /* ssl_connect() called SSL_accept() or SSL_connect(), which | |
759 | * set up the status that we test here. */ | |
1ca3348e GS |
760 | poll_fd_wait(sslv->fd, |
761 | want_to_poll_events(SSL_want(sslv->ssl))); | |
9467fe62 BP |
762 | break; |
763 | ||
764 | default: | |
428b2edd | 765 | OVS_NOT_REACHED(); |
9467fe62 BP |
766 | } |
767 | } | |
768 | break; | |
769 | ||
770 | case STREAM_RECV: | |
771 | if (sslv->rx_want != SSL_NOTHING) { | |
1ca3348e | 772 | poll_fd_wait(sslv->fd, want_to_poll_events(sslv->rx_want)); |
9467fe62 BP |
773 | } else { |
774 | poll_immediate_wake(); | |
775 | } | |
776 | break; | |
777 | ||
778 | case STREAM_SEND: | |
779 | if (!sslv->txbuf) { | |
780 | /* We have room in our tx queue. */ | |
781 | poll_immediate_wake(); | |
782 | } else { | |
783 | /* stream_run_wait() will do the right thing; don't bother with | |
784 | * redundancy. */ | |
785 | } | |
786 | break; | |
787 | ||
788 | default: | |
428b2edd | 789 | OVS_NOT_REACHED(); |
9467fe62 BP |
790 | } |
791 | } | |
792 | ||
da327b18 | 793 | const struct stream_class ssl_stream_class = { |
9467fe62 | 794 | "ssl", /* name */ |
f1936eb6 | 795 | true, /* needs_probes */ |
9467fe62 BP |
796 | ssl_open, /* open */ |
797 | ssl_close, /* close */ | |
798 | ssl_connect, /* connect */ | |
799 | ssl_recv, /* recv */ | |
800 | ssl_send, /* send */ | |
801 | ssl_run, /* run */ | |
802 | ssl_run_wait, /* run_wait */ | |
803 | ssl_wait, /* wait */ | |
804 | }; | |
805 | \f | |
806 | /* Passive SSL. */ | |
807 | ||
808 | struct pssl_pstream | |
809 | { | |
810 | struct pstream pstream; | |
811 | int fd; | |
812 | }; | |
813 | ||
da327b18 | 814 | const struct pstream_class pssl_pstream_class; |
9467fe62 BP |
815 | |
816 | static struct pssl_pstream * | |
817 | pssl_pstream_cast(struct pstream *pstream) | |
818 | { | |
819 | pstream_assert_class(pstream, &pssl_pstream_class); | |
820 | return CONTAINER_OF(pstream, struct pssl_pstream, pstream); | |
821 | } | |
822 | ||
823 | static int | |
f125905c MM |
824 | pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, |
825 | uint8_t dscp) | |
9467fe62 | 826 | { |
e731d71b AS |
827 | char bound_name[SS_NTOP_BUFSIZE + 16]; |
828 | char addrbuf[SS_NTOP_BUFSIZE]; | |
829 | struct sockaddr_storage ss; | |
9467fe62 | 830 | struct pssl_pstream *pssl; |
e731d71b | 831 | uint16_t port; |
9467fe62 BP |
832 | int retval; |
833 | int fd; | |
834 | ||
835 | retval = ssl_init(); | |
836 | if (retval) { | |
837 | return retval; | |
838 | } | |
839 | ||
d4763d1d | 840 | fd = inet_open_passive(SOCK_STREAM, suffix, OFP_PORT, &ss, dscp, true); |
9467fe62 BP |
841 | if (fd < 0) { |
842 | return -fd; | |
843 | } | |
e731d71b AS |
844 | |
845 | port = ss_get_port(&ss); | |
e7e50013 | 846 | snprintf(bound_name, sizeof bound_name, "pssl:%"PRIu16":%s", |
e731d71b | 847 | port, ss_format_address(&ss, addrbuf, sizeof addrbuf)); |
9467fe62 BP |
848 | |
849 | pssl = xmalloc(sizeof *pssl); | |
42967038 | 850 | pstream_init(&pssl->pstream, &pssl_pstream_class, bound_name); |
e731d71b | 851 | pstream_set_bound_port(&pssl->pstream, htons(port)); |
9467fe62 BP |
852 | pssl->fd = fd; |
853 | *pstreamp = &pssl->pstream; | |
854 | return 0; | |
855 | } | |
856 | ||
857 | static void | |
858 | pssl_close(struct pstream *pstream) | |
859 | { | |
860 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
5ea1366b | 861 | closesocket(pssl->fd); |
9467fe62 BP |
862 | free(pssl); |
863 | } | |
864 | ||
865 | static int | |
866 | pssl_accept(struct pstream *pstream, struct stream **new_streamp) | |
867 | { | |
868 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
e731d71b AS |
869 | char name[SS_NTOP_BUFSIZE + 16]; |
870 | char addrbuf[SS_NTOP_BUFSIZE]; | |
871 | struct sockaddr_storage ss; | |
872 | socklen_t ss_len = sizeof ss; | |
9467fe62 BP |
873 | int new_fd; |
874 | int error; | |
875 | ||
e731d71b | 876 | new_fd = accept(pssl->fd, (struct sockaddr *) &ss, &ss_len); |
9467fe62 | 877 | if (new_fd < 0) { |
5ea1366b GS |
878 | error = sock_errno(); |
879 | #ifdef _WIN32 | |
880 | if (error == WSAEWOULDBLOCK) { | |
881 | error = EAGAIN; | |
882 | } | |
883 | #endif | |
9467fe62 | 884 | if (error != EAGAIN) { |
5ea1366b | 885 | VLOG_DBG_RL(&rl, "accept: %s", sock_strerror(error)); |
9467fe62 BP |
886 | } |
887 | return error; | |
888 | } | |
889 | ||
890 | error = set_nonblocking(new_fd); | |
891 | if (error) { | |
5ea1366b | 892 | closesocket(new_fd); |
9467fe62 BP |
893 | return error; |
894 | } | |
895 | ||
e7e50013 | 896 | snprintf(name, sizeof name, "ssl:%s:%"PRIu16, |
e731d71b AS |
897 | ss_format_address(&ss, addrbuf, sizeof addrbuf), |
898 | ss_get_port(&ss)); | |
a8d81967 | 899 | return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, |
f125905c | 900 | new_streamp); |
9467fe62 BP |
901 | } |
902 | ||
903 | static void | |
904 | pssl_wait(struct pstream *pstream) | |
905 | { | |
906 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
1ca3348e | 907 | poll_fd_wait(pssl->fd, POLLIN); |
9467fe62 BP |
908 | } |
909 | ||
da327b18 | 910 | const struct pstream_class pssl_pstream_class = { |
9467fe62 | 911 | "pssl", |
f1936eb6 | 912 | true, |
9467fe62 BP |
913 | pssl_open, |
914 | pssl_close, | |
915 | pssl_accept, | |
916 | pssl_wait, | |
917 | }; | |
918 | \f | |
919 | /* | |
920 | * Returns true if OpenSSL error is WANT_READ or WANT_WRITE, indicating that | |
921 | * OpenSSL is requesting that we call it back when the socket is ready for read | |
922 | * or writing, respectively. | |
923 | */ | |
924 | static bool | |
925 | ssl_wants_io(int ssl_error) | |
926 | { | |
927 | return (ssl_error == SSL_ERROR_WANT_WRITE | |
928 | || ssl_error == SSL_ERROR_WANT_READ); | |
929 | } | |
930 | ||
931 | static int | |
932 | ssl_init(void) | |
933 | { | |
934 | static int init_status = -1; | |
935 | if (init_status < 0) { | |
936 | init_status = do_ssl_init(); | |
cb22974d | 937 | ovs_assert(init_status >= 0); |
9467fe62 BP |
938 | } |
939 | return init_status; | |
940 | } | |
941 | ||
942 | static int | |
943 | do_ssl_init(void) | |
944 | { | |
945 | SSL_METHOD *method; | |
946 | ||
5ea1366b GS |
947 | #ifdef _WIN32 |
948 | /* The following call is needed if we "#include <openssl/applink.c>". */ | |
949 | CRYPTO_malloc_init(); | |
950 | #endif | |
9467fe62 BP |
951 | SSL_library_init(); |
952 | SSL_load_error_strings(); | |
953 | ||
47ebcf25 BP |
954 | if (!RAND_status()) { |
955 | /* We occasionally see OpenSSL fail to seed its random number generator | |
956 | * in heavily loaded hypervisors. I suspect the following scenario: | |
957 | * | |
958 | * 1. OpenSSL calls read() to get 32 bytes from /dev/urandom. | |
959 | * 2. The kernel generates 10 bytes of randomness and copies it out. | |
960 | * 3. A signal arrives (perhaps SIGALRM). | |
961 | * 4. The kernel interrupts the system call to service the signal. | |
962 | * 5. Userspace gets 10 bytes of entropy. | |
963 | * 6. OpenSSL doesn't read again to get the final 22 bytes. Therefore | |
964 | * OpenSSL doesn't have enough entropy to consider itself | |
965 | * initialized. | |
966 | * | |
967 | * The only part I'm not entirely sure about is #6, because the OpenSSL | |
968 | * code is so hard to read. */ | |
969 | uint8_t seed[32]; | |
970 | int retval; | |
971 | ||
972 | VLOG_WARN("OpenSSL random seeding failed, reseeding ourselves"); | |
973 | ||
974 | retval = get_entropy(seed, sizeof seed); | |
975 | if (retval) { | |
976 | VLOG_ERR("failed to obtain entropy (%s)", | |
977 | ovs_retval_to_string(retval)); | |
978 | return retval > 0 ? retval : ENOPROTOOPT; | |
979 | } | |
980 | ||
981 | RAND_seed(seed, sizeof seed); | |
982 | } | |
983 | ||
b56ea5d5 BP |
984 | /* OpenSSL has a bunch of "connection methods": SSLv2_method(), |
985 | * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these | |
986 | * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 | |
987 | * only, not any earlier *or later* version. The only exception is | |
988 | * SSLv23_method(), which in fact supports *any* version of SSL and TLS. | |
989 | * We don't want SSLv2 or SSLv3 support, so we turn it off below with | |
990 | * SSL_CTX_set_options(). | |
991 | * | |
992 | * The cast is needed to avoid a warning with newer versions of OpenSSL in | |
993 | * which SSLv23_method() returns a "const" pointer. */ | |
994 | method = CONST_CAST(SSL_METHOD *, SSLv23_method()); | |
9467fe62 BP |
995 | if (method == NULL) { |
996 | VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); | |
997 | return ENOPROTOOPT; | |
998 | } | |
999 | ||
1000 | ctx = SSL_CTX_new(method); | |
1001 | if (ctx == NULL) { | |
1002 | VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
1003 | return ENOPROTOOPT; | |
1004 | } | |
1005 | SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | |
1006 | SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback); | |
1007 | SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); | |
1008 | SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
1009 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, | |
1010 | NULL); | |
895107e4 | 1011 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
e18a1d08 | 1012 | SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); |
9467fe62 BP |
1013 | |
1014 | return 0; | |
1015 | } | |
1016 | ||
1017 | static DH * | |
67a4917b | 1018 | tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) |
9467fe62 BP |
1019 | { |
1020 | struct dh { | |
1021 | int keylength; | |
1022 | DH *dh; | |
1023 | DH *(*constructor)(void); | |
1024 | }; | |
1025 | ||
1026 | static struct dh dh_table[] = { | |
1027 | {1024, NULL, get_dh1024}, | |
1028 | {2048, NULL, get_dh2048}, | |
1029 | {4096, NULL, get_dh4096}, | |
1030 | }; | |
1031 | ||
1032 | struct dh *dh; | |
1033 | ||
1034 | for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) { | |
1035 | if (dh->keylength == keylength) { | |
1036 | if (!dh->dh) { | |
1037 | dh->dh = dh->constructor(); | |
1038 | if (!dh->dh) { | |
1d2c568d | 1039 | out_of_memory(); |
9467fe62 BP |
1040 | } |
1041 | } | |
1042 | return dh->dh; | |
1043 | } | |
1044 | } | |
1045 | VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d", | |
1046 | keylength); | |
1047 | return NULL; | |
1048 | } | |
1049 | ||
1050 | /* Returns true if SSL is at least partially configured. */ | |
1051 | bool | |
d295e8e9 | 1052 | stream_ssl_is_configured(void) |
9467fe62 | 1053 | { |
415f6c0b BP |
1054 | return private_key.file_name || certificate.file_name || ca_cert.file_name; |
1055 | } | |
1056 | ||
1057 | static bool | |
1058 | update_ssl_config(struct ssl_config_file *config, const char *file_name) | |
1059 | { | |
9cb07887 | 1060 | struct timespec mtime; |
e68f6dea | 1061 | int error; |
9cb07887 BP |
1062 | |
1063 | if (ssl_init() || !file_name) { | |
1064 | return false; | |
1065 | } | |
1066 | ||
1067 | /* If the file name hasn't changed and neither has the file contents, stop | |
1068 | * here. */ | |
e68f6dea BP |
1069 | error = get_mtime(file_name, &mtime); |
1070 | if (error && error != ENOENT) { | |
10a89ef0 BP |
1071 | VLOG_ERR_RL(&rl, "%s: stat failed (%s)", |
1072 | file_name, ovs_strerror(error)); | |
e68f6dea | 1073 | } |
9cb07887 BP |
1074 | if (config->file_name |
1075 | && !strcmp(config->file_name, file_name) | |
1076 | && mtime.tv_sec == config->mtime.tv_sec | |
1077 | && mtime.tv_nsec == config->mtime.tv_nsec) { | |
415f6c0b BP |
1078 | return false; |
1079 | } | |
1080 | ||
2b1a27a1 | 1081 | /* Update 'config'. */ |
9cb07887 | 1082 | config->mtime = mtime; |
2b1a27a1 BP |
1083 | if (file_name != config->file_name) { |
1084 | free(config->file_name); | |
1085 | config->file_name = xstrdup(file_name); | |
1086 | } | |
415f6c0b | 1087 | return true; |
9467fe62 BP |
1088 | } |
1089 | ||
6f1e91b1 BP |
1090 | static void |
1091 | stream_ssl_set_private_key_file__(const char *file_name) | |
1092 | { | |
1093 | if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { | |
1094 | private_key.read = true; | |
1095 | } else { | |
1096 | VLOG_ERR("SSL_use_PrivateKey_file: %s", | |
1097 | ERR_error_string(ERR_get_error(), NULL)); | |
1098 | } | |
1099 | } | |
1100 | ||
9467fe62 BP |
1101 | void |
1102 | stream_ssl_set_private_key_file(const char *file_name) | |
1103 | { | |
6f1e91b1 BP |
1104 | if (update_ssl_config(&private_key, file_name)) { |
1105 | stream_ssl_set_private_key_file__(file_name); | |
9467fe62 | 1106 | } |
6f1e91b1 BP |
1107 | } |
1108 | ||
1109 | static void | |
1110 | stream_ssl_set_certificate_file__(const char *file_name) | |
1111 | { | |
1b494f3e | 1112 | if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { |
6f1e91b1 BP |
1113 | certificate.read = true; |
1114 | } else { | |
1115 | VLOG_ERR("SSL_use_certificate_file: %s", | |
9467fe62 | 1116 | ERR_error_string(ERR_get_error(), NULL)); |
9467fe62 | 1117 | } |
9467fe62 BP |
1118 | } |
1119 | ||
1120 | void | |
1121 | stream_ssl_set_certificate_file(const char *file_name) | |
1122 | { | |
6f1e91b1 BP |
1123 | if (update_ssl_config(&certificate, file_name)) { |
1124 | stream_ssl_set_certificate_file__(file_name); | |
9467fe62 | 1125 | } |
6f1e91b1 BP |
1126 | } |
1127 | ||
1128 | /* Sets the private key and certificate files in one operation. Use this | |
1129 | * interface, instead of calling stream_ssl_set_private_key_file() and | |
1130 | * stream_ssl_set_certificate_file() individually, in the main loop of a | |
1131 | * long-running program whose key and certificate might change at runtime. | |
1132 | * | |
1133 | * This is important because of OpenSSL's behavior. If an OpenSSL context | |
1134 | * already has a certificate, and stream_ssl_set_private_key_file() is called | |
1135 | * to install a new private key, OpenSSL will report an error because the new | |
1136 | * private key does not match the old certificate. The other order, of setting | |
1137 | * a new certificate, then setting a new private key, does work. | |
1138 | * | |
1139 | * If this were the only problem, calling stream_ssl_set_certificate_file() | |
1140 | * before stream_ssl_set_private_key_file() would fix it. But, if the private | |
1141 | * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new | |
1142 | * private key in place before the certificate), then OpenSSL would reject that | |
1143 | * change, and then the change of certificate would succeed, but there would be | |
1144 | * no associated private key (because it had only changed once and therefore | |
1145 | * there was no point in re-reading it). | |
1146 | * | |
1147 | * This function avoids both problems by, whenever either the certificate or | |
1148 | * the private key file changes, re-reading both of them, in the correct order. | |
1149 | */ | |
1150 | void | |
1151 | stream_ssl_set_key_and_cert(const char *private_key_file, | |
1152 | const char *certificate_file) | |
1153 | { | |
1154 | if (update_ssl_config(&private_key, private_key_file) | |
1155 | || update_ssl_config(&certificate, certificate_file)) { | |
1156 | stream_ssl_set_certificate_file__(certificate_file); | |
1157 | stream_ssl_set_private_key_file__(private_key_file); | |
9467fe62 | 1158 | } |
9467fe62 BP |
1159 | } |
1160 | ||
e18a1d08 ER |
1161 | /* Sets SSL ciphers based on string input. Aborts with an error message |
1162 | * if 'arg' is invalid. */ | |
1163 | void | |
1164 | stream_ssl_set_ciphers(const char *arg) | |
1165 | { | |
1166 | if (ssl_init() || !arg || !strcmp(ssl_ciphers, arg)) { | |
1167 | return; | |
1168 | } | |
1169 | if (SSL_CTX_set_cipher_list(ctx,arg) == 0) { | |
1170 | VLOG_ERR("SSL_CTX_set_cipher_list: %s", | |
1171 | ERR_error_string(ERR_get_error(), NULL)); | |
1172 | } | |
1173 | ssl_ciphers = xstrdup(arg); | |
1174 | } | |
1175 | ||
1176 | /* Set SSL protocols based on the string input. Aborts with an error message | |
1177 | * if 'arg' is invalid. */ | |
1178 | void | |
1179 | stream_ssl_set_protocols(const char *arg) | |
1180 | { | |
1181 | if (ssl_init() || !arg || !strcmp(arg, ssl_protocols)){ | |
1182 | return; | |
1183 | } | |
1184 | ||
1185 | /* Start with all the flags off and turn them on as requested. */ | |
1186 | long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; | |
1187 | protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; | |
1188 | ||
1189 | char *s = xstrdup(arg); | |
1190 | char *save_ptr = NULL; | |
1191 | char *word = strtok_r(s, " ,\t", &save_ptr); | |
1192 | if (word == NULL) { | |
1193 | VLOG_ERR("SSL protocol settings invalid"); | |
1194 | goto exit; | |
1195 | } | |
1196 | while (word != NULL) { | |
1197 | long on_flag; | |
1198 | if (!strcasecmp(word, "TLSv1.2")){ | |
1199 | on_flag = SSL_OP_NO_TLSv1_2; | |
1200 | } else if (!strcasecmp(word, "TLSv1.1")){ | |
1201 | on_flag = SSL_OP_NO_TLSv1_1; | |
1202 | } else if (!strcasecmp(word, "TLSv1")){ | |
1203 | on_flag = SSL_OP_NO_TLSv1; | |
1204 | } else { | |
1205 | VLOG_ERR("%s: SSL protocol not recognized", word); | |
1206 | goto exit; | |
1207 | } | |
1208 | /* Reverse the no flag and mask it out in the flags | |
1209 | * to turn on that protocol. */ | |
1210 | protocol_flags &= ~on_flag; | |
1211 | word = strtok_r(NULL, " ,\t", &save_ptr); | |
1212 | }; | |
1213 | ||
1214 | /* Set the actual options. */ | |
1215 | SSL_CTX_set_options(ctx, protocol_flags); | |
1216 | ||
1217 | ssl_protocols = xstrdup(arg); | |
1218 | ||
1219 | exit: | |
1220 | free(s); | |
1221 | } | |
1222 | ||
9467fe62 BP |
1223 | /* Reads the X509 certificate or certificates in file 'file_name'. On success, |
1224 | * stores the address of the first element in an array of pointers to | |
1225 | * certificates in '*certs' and the number of certificates in the array in | |
1226 | * '*n_certs', and returns 0. On failure, stores a null pointer in '*certs', 0 | |
1227 | * in '*n_certs', and returns a positive errno value. | |
1228 | * | |
1229 | * The caller is responsible for freeing '*certs'. */ | |
1230 | static int | |
1231 | read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) | |
1232 | { | |
1233 | FILE *file; | |
1234 | size_t allocated_certs = 0; | |
1235 | ||
1236 | *certs = NULL; | |
1237 | *n_certs = 0; | |
1238 | ||
1239 | file = fopen(file_name, "r"); | |
1240 | if (!file) { | |
1241 | VLOG_ERR("failed to open %s for reading: %s", | |
10a89ef0 | 1242 | file_name, ovs_strerror(errno)); |
9467fe62 BP |
1243 | return errno; |
1244 | } | |
1245 | ||
1246 | for (;;) { | |
1247 | X509 *certificate; | |
1248 | int c; | |
1249 | ||
1250 | /* Read certificate from file. */ | |
1251 | certificate = PEM_read_X509(file, NULL, NULL, NULL); | |
1252 | if (!certificate) { | |
1253 | size_t i; | |
1254 | ||
1255 | VLOG_ERR("PEM_read_X509 failed reading %s: %s", | |
1256 | file_name, ERR_error_string(ERR_get_error(), NULL)); | |
1257 | for (i = 0; i < *n_certs; i++) { | |
1258 | X509_free((*certs)[i]); | |
1259 | } | |
1260 | free(*certs); | |
1261 | *certs = NULL; | |
1262 | *n_certs = 0; | |
0ded15d4 | 1263 | fclose(file); |
9467fe62 BP |
1264 | return EIO; |
1265 | } | |
1266 | ||
1267 | /* Add certificate to array. */ | |
1268 | if (*n_certs >= allocated_certs) { | |
1269 | *certs = x2nrealloc(*certs, &allocated_certs, sizeof **certs); | |
1270 | } | |
1271 | (*certs)[(*n_certs)++] = certificate; | |
1272 | ||
1273 | /* Are there additional certificates in the file? */ | |
1274 | do { | |
1275 | c = getc(file); | |
1276 | } while (isspace(c)); | |
1277 | if (c == EOF) { | |
1278 | break; | |
1279 | } | |
1280 | ungetc(c, file); | |
1281 | } | |
1282 | fclose(file); | |
1283 | return 0; | |
1284 | } | |
1285 | ||
1286 | ||
1287 | /* Sets 'file_name' as the name of a file containing one or more X509 | |
1288 | * certificates to send to the peer. Typical use in OpenFlow is to send the CA | |
1289 | * certificate to the peer, which enables a switch to pick up the controller's | |
1290 | * CA certificate on its first connection. */ | |
1291 | void | |
1292 | stream_ssl_set_peer_ca_cert_file(const char *file_name) | |
1293 | { | |
1294 | X509 **certs; | |
1295 | size_t n_certs; | |
1296 | size_t i; | |
1297 | ||
1298 | if (ssl_init()) { | |
1299 | return; | |
1300 | } | |
1301 | ||
1302 | if (!read_cert_file(file_name, &certs, &n_certs)) { | |
1303 | for (i = 0; i < n_certs; i++) { | |
1304 | if (SSL_CTX_add_extra_chain_cert(ctx, certs[i]) != 1) { | |
1305 | VLOG_ERR("SSL_CTX_add_extra_chain_cert: %s", | |
1306 | ERR_error_string(ERR_get_error(), NULL)); | |
1307 | } | |
1308 | } | |
1309 | free(certs); | |
1310 | } | |
1311 | } | |
1312 | ||
1313 | /* Logs fingerprint of CA certificate 'cert' obtained from 'file_name'. */ | |
1314 | static void | |
1315 | log_ca_cert(const char *file_name, X509 *cert) | |
1316 | { | |
1317 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
1318 | unsigned int n_bytes; | |
1319 | struct ds fp; | |
1320 | char *subject; | |
1321 | ||
1322 | ds_init(&fp); | |
1323 | if (!X509_digest(cert, EVP_sha1(), digest, &n_bytes)) { | |
1324 | ds_put_cstr(&fp, "<out of memory>"); | |
1325 | } else { | |
1326 | unsigned int i; | |
1327 | for (i = 0; i < n_bytes; i++) { | |
1328 | if (i) { | |
1329 | ds_put_char(&fp, ':'); | |
1330 | } | |
34582733 | 1331 | ds_put_format(&fp, "%02x", digest[i]); |
9467fe62 BP |
1332 | } |
1333 | } | |
1334 | subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); | |
1335 | VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, | |
1336 | subject ? subject : "<out of memory>", ds_cstr(&fp)); | |
3c7b5c2d | 1337 | OPENSSL_free(subject); |
9467fe62 BP |
1338 | ds_destroy(&fp); |
1339 | } | |
1340 | ||
415f6c0b | 1341 | static void |
f1484874 BP |
1342 | stream_ssl_set_ca_cert_file__(const char *file_name, |
1343 | bool bootstrap, bool force) | |
9467fe62 | 1344 | { |
9467fe62 BP |
1345 | struct stat s; |
1346 | ||
f1484874 BP |
1347 | if (!update_ssl_config(&ca_cert, file_name) && !force) { |
1348 | return; | |
1349 | } | |
1350 | ||
ba104a1e BP |
1351 | if (!strcmp(file_name, "none")) { |
1352 | verify_peer_cert = false; | |
1353 | VLOG_WARN("Peer certificate validation disabled " | |
1354 | "(this is a security risk)"); | |
1355 | } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { | |
9467fe62 | 1356 | bootstrap_ca_cert = true; |
01960474 L |
1357 | } else { |
1358 | STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(file_name); | |
1359 | if (cert_names) { | |
1360 | /* Set up list of CAs that the server will accept from the | |
1361 | * client. */ | |
1362 | SSL_CTX_set_client_CA_list(ctx, cert_names); | |
1363 | ||
1364 | /* Set up CAs for OpenSSL to trust in verifying the peer's | |
1365 | * certificate. */ | |
1366 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); | |
1367 | if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { | |
1368 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", | |
9467fe62 | 1369 | ERR_error_string(ERR_get_error(), NULL)); |
01960474 | 1370 | return; |
9467fe62 | 1371 | } |
01960474 L |
1372 | bootstrap_ca_cert = false; |
1373 | } else { | |
1374 | VLOG_ERR("failed to load client certificates from %s: %s", | |
1375 | file_name, ERR_error_string(ERR_get_error(), NULL)); | |
9467fe62 | 1376 | } |
9467fe62 | 1377 | } |
415f6c0b | 1378 | ca_cert.read = true; |
9467fe62 | 1379 | } |
415f6c0b BP |
1380 | |
1381 | /* Sets 'file_name' as the name of the file from which to read the CA | |
1382 | * certificate used to verify the peer within SSL connections. If 'bootstrap' | |
1383 | * is false, the file must exist. If 'bootstrap' is false, then the file is | |
1384 | * read if it is exists; if it does not, then it will be created from the CA | |
1385 | * certificate received from the peer on the first SSL connection. */ | |
1386 | void | |
1387 | stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) | |
1388 | { | |
f1484874 | 1389 | stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); |
415f6c0b | 1390 | } |
ff1760f1 BP |
1391 | \f |
1392 | /* SSL protocol logging. */ | |
1393 | ||
1394 | static const char * | |
1395 | ssl_alert_level_to_string(uint8_t type) | |
1396 | { | |
1397 | switch (type) { | |
1398 | case 1: return "warning"; | |
1399 | case 2: return "fatal"; | |
1400 | default: return "<unknown>"; | |
1401 | } | |
1402 | } | |
415f6c0b | 1403 | |
ff1760f1 BP |
1404 | static const char * |
1405 | ssl_alert_description_to_string(uint8_t type) | |
1406 | { | |
1407 | switch (type) { | |
1408 | case 0: return "close_notify"; | |
1409 | case 10: return "unexpected_message"; | |
1410 | case 20: return "bad_record_mac"; | |
1411 | case 21: return "decryption_failed"; | |
1412 | case 22: return "record_overflow"; | |
1413 | case 30: return "decompression_failure"; | |
1414 | case 40: return "handshake_failure"; | |
1415 | case 42: return "bad_certificate"; | |
1416 | case 43: return "unsupported_certificate"; | |
1417 | case 44: return "certificate_revoked"; | |
1418 | case 45: return "certificate_expired"; | |
1419 | case 46: return "certificate_unknown"; | |
1420 | case 47: return "illegal_parameter"; | |
1421 | case 48: return "unknown_ca"; | |
1422 | case 49: return "access_denied"; | |
1423 | case 50: return "decode_error"; | |
1424 | case 51: return "decrypt_error"; | |
1425 | case 60: return "export_restriction"; | |
1426 | case 70: return "protocol_version"; | |
1427 | case 71: return "insufficient_security"; | |
1428 | case 80: return "internal_error"; | |
1429 | case 90: return "user_canceled"; | |
1430 | case 100: return "no_renegotiation"; | |
1431 | default: return "<unknown>"; | |
1432 | } | |
1433 | } | |
415f6c0b | 1434 | |
ff1760f1 BP |
1435 | static const char * |
1436 | ssl_handshake_type_to_string(uint8_t type) | |
1437 | { | |
1438 | switch (type) { | |
1439 | case 0: return "hello_request"; | |
1440 | case 1: return "client_hello"; | |
1441 | case 2: return "server_hello"; | |
1442 | case 11: return "certificate"; | |
1443 | case 12: return "server_key_exchange"; | |
1444 | case 13: return "certificate_request"; | |
1445 | case 14: return "server_hello_done"; | |
1446 | case 15: return "certificate_verify"; | |
1447 | case 16: return "client_key_exchange"; | |
1448 | case 20: return "finished"; | |
1449 | default: return "<unknown>"; | |
1450 | } | |
1451 | } | |
1452 | ||
1453 | static void | |
1454 | ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, | |
1455 | const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) | |
1456 | { | |
1457 | const struct ssl_stream *sslv = sslv_; | |
1458 | const uint8_t *buf = buf_; | |
1459 | struct ds details; | |
1460 | ||
1461 | if (!VLOG_IS_DBG_ENABLED()) { | |
1462 | return; | |
1463 | } | |
1464 | ||
1465 | ds_init(&details); | |
1466 | if (content_type == 20) { | |
1467 | ds_put_cstr(&details, "change_cipher_spec"); | |
1468 | } else if (content_type == 21) { | |
1469 | ds_put_format(&details, "alert: %s, %s", | |
1470 | ssl_alert_level_to_string(buf[0]), | |
1471 | ssl_alert_description_to_string(buf[1])); | |
1472 | } else if (content_type == 22) { | |
1473 | ds_put_format(&details, "handshake: %s", | |
1474 | ssl_handshake_type_to_string(buf[0])); | |
1475 | } else { | |
1476 | ds_put_format(&details, "type %d", content_type); | |
1477 | } | |
1478 | ||
34582733 | 1479 | VLOG_DBG("%s%u%s%s %s (%"PRIuSIZE" bytes)", |
ff1760f1 BP |
1480 | sslv->type == CLIENT ? "client" : "server", |
1481 | sslv->session_nr, write_p ? "-->" : "<--", | |
1482 | stream_get_name(&sslv->stream), ds_cstr(&details), len); | |
1483 | ||
1484 | ds_destroy(&details); | |
1485 | } |