]>
Commit | Line | Data |
---|---|---|
9467fe62 | 1 | /* |
922fed06 | 2 | * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 Nicira, Inc. |
9467fe62 BP |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at: | |
7 | * | |
8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
9 | * | |
10 | * Unless required by applicable law or agreed to in writing, software | |
11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
13 | * See the License for the specific language governing permissions and | |
14 | * limitations under the License. | |
15 | */ | |
16 | ||
17 | #include <config.h> | |
18 | #include "stream-ssl.h" | |
19 | #include "dhparams.h" | |
9467fe62 BP |
20 | #include <ctype.h> |
21 | #include <errno.h> | |
22 | #include <inttypes.h> | |
23 | #include <string.h> | |
bd6b7545 GC |
24 | #include <sys/types.h> |
25 | #include <sys/socket.h> | |
9467fe62 BP |
26 | #include <netinet/tcp.h> |
27 | #include <openssl/err.h> | |
47ebcf25 | 28 | #include <openssl/rand.h> |
9467fe62 BP |
29 | #include <openssl/ssl.h> |
30 | #include <openssl/x509v3.h> | |
31 | #include <poll.h> | |
5ea1366b | 32 | #include <fcntl.h> |
9467fe62 BP |
33 | #include <sys/stat.h> |
34 | #include <unistd.h> | |
f2f7be86 | 35 | #include "coverage.h" |
3e8a2ad1 | 36 | #include "openvswitch/dynamic-string.h" |
47ebcf25 | 37 | #include "entropy.h" |
64c96779 | 38 | #include "openvswitch/ofpbuf.h" |
9467fe62 BP |
39 | #include "openflow/openflow.h" |
40 | #include "packets.h" | |
41 | #include "poll-loop.h" | |
ee89ea7b | 42 | #include "openvswitch/shash.h" |
9467fe62 | 43 | #include "socket-util.h" |
9467fe62 BP |
44 | #include "util.h" |
45 | #include "stream-provider.h" | |
46 | #include "stream.h" | |
415f6c0b | 47 | #include "timeval.h" |
e6211adc | 48 | #include "openvswitch/vlog.h" |
5136ce49 | 49 | |
5ea1366b GS |
50 | #ifdef _WIN32 |
51 | /* Ref: https://www.openssl.org/support/faq.html#PROG2 | |
52 | * Your application must link against the same version of the Win32 C-Runtime | |
53 | * against which your openssl libraries were linked. The default version for | |
54 | * OpenSSL is /MD - "Multithreaded DLL". If we compile Open vSwitch with | |
55 | * something other than /MD, instead of re-compiling OpenSSL | |
56 | * toolkit, openssl/applink.c can be #included. Also, it is important | |
57 | * to add CRYPTO_malloc_init prior first call to OpenSSL. | |
58 | * | |
59 | * XXX: The behavior of the following #include when Open vSwitch is | |
60 | * compiled with /MD is not tested. */ | |
61 | #include <openssl/applink.c> | |
62 | #define SHUT_RDWR SD_BOTH | |
5ea1366b GS |
63 | #endif |
64 | ||
d98e6007 | 65 | VLOG_DEFINE_THIS_MODULE(stream_ssl); |
9467fe62 BP |
66 | |
67 | /* Active SSL. */ | |
68 | ||
69 | enum ssl_state { | |
70 | STATE_TCP_CONNECTING, | |
71 | STATE_SSL_CONNECTING | |
72 | }; | |
73 | ||
74 | enum session_type { | |
75 | CLIENT, | |
76 | SERVER | |
77 | }; | |
78 | ||
79 | struct ssl_stream | |
80 | { | |
81 | struct stream stream; | |
82 | enum ssl_state state; | |
9467fe62 BP |
83 | enum session_type type; |
84 | int fd; | |
85 | SSL *ssl; | |
86 | struct ofpbuf *txbuf; | |
ff1760f1 | 87 | unsigned int session_nr; |
9467fe62 BP |
88 | |
89 | /* rx_want and tx_want record the result of the last call to SSL_read() | |
90 | * and SSL_write(), respectively: | |
91 | * | |
92 | * - If the call reported that data needed to be read from the file | |
93 | * descriptor, the corresponding member is set to SSL_READING. | |
94 | * | |
95 | * - If the call reported that data needed to be written to the file | |
96 | * descriptor, the corresponding member is set to SSL_WRITING. | |
97 | * | |
98 | * - Otherwise, the member is set to SSL_NOTHING, indicating that the | |
99 | * call completed successfully (or with an error) and that there is no | |
100 | * need to block. | |
101 | * | |
102 | * These are needed because there is no way to ask OpenSSL what a data read | |
103 | * or write would require without giving it a buffer to receive into or | |
104 | * data to send, respectively. (Note that the SSL_want() status is | |
105 | * overwritten by each SSL_read() or SSL_write() call, so we can't rely on | |
106 | * its value.) | |
107 | * | |
108 | * A single call to SSL_read() or SSL_write() can perform both reading | |
109 | * and writing and thus invalidate not one of these values but actually | |
110 | * both. Consider this situation, for example: | |
111 | * | |
112 | * - SSL_write() blocks on a read, so tx_want gets SSL_READING. | |
113 | * | |
114 | * - SSL_read() laters succeeds reading from 'fd' and clears out the | |
115 | * whole receive buffer, so rx_want gets SSL_READING. | |
116 | * | |
117 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
118 | * and blocks. | |
119 | * | |
120 | * - Now we're stuck blocking until the peer sends us data, even though | |
121 | * SSL_write() could now succeed, which could easily be a deadlock | |
122 | * condition. | |
123 | * | |
124 | * On the other hand, we can't reset both tx_want and rx_want on every call | |
125 | * to SSL_read() or SSL_write(), because that would produce livelock, | |
126 | * e.g. in this situation: | |
127 | * | |
128 | * - SSL_write() blocks, so tx_want gets SSL_READING or SSL_WRITING. | |
129 | * | |
130 | * - SSL_read() blocks, so rx_want gets SSL_READING or SSL_WRITING, | |
131 | * but tx_want gets reset to SSL_NOTHING. | |
132 | * | |
133 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
134 | * and blocks. | |
135 | * | |
136 | * - Client wakes up immediately since SSL_NOTHING in tx_want indicates | |
137 | * that no blocking is necessary. | |
138 | * | |
139 | * The solution we adopt here is to set tx_want to SSL_NOTHING after | |
140 | * calling SSL_read() only if the SSL state of the connection changed, | |
141 | * which indicates that an SSL-level renegotiation made some progress, and | |
142 | * similarly for rx_want and SSL_write(). This prevents both the | |
143 | * deadlock and livelock situations above. | |
144 | */ | |
145 | int rx_want, tx_want; | |
1e3c0047 | 146 | |
ff1760f1 | 147 | /* A few bytes of header data in case SSL negotiation fails. */ |
1e3c0047 BP |
148 | uint8_t head[2]; |
149 | short int n_head; | |
9467fe62 BP |
150 | }; |
151 | ||
152 | /* SSL context created by ssl_init(). */ | |
153 | static SSL_CTX *ctx; | |
154 | ||
415f6c0b BP |
155 | struct ssl_config_file { |
156 | bool read; /* Whether the file was successfully read. */ | |
157 | char *file_name; /* Configured file name, if any. */ | |
9cb07887 | 158 | struct timespec mtime; /* File mtime as of last time we read it. */ |
415f6c0b BP |
159 | }; |
160 | ||
161 | /* SSL configuration files. */ | |
162 | static struct ssl_config_file private_key; | |
163 | static struct ssl_config_file certificate; | |
164 | static struct ssl_config_file ca_cert; | |
e18a1d08 ER |
165 | static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; |
166 | static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; | |
9467fe62 | 167 | |
ba104a1e BP |
168 | /* Ordinarily, the SSL client and server verify each other's certificates using |
169 | * a CA certificate. Setting this to false disables this behavior. (This is a | |
170 | * security risk.) */ | |
171 | static bool verify_peer_cert = true; | |
172 | ||
9467fe62 | 173 | /* Ordinarily, we require a CA certificate for the peer to be locally |
415f6c0b BP |
174 | * available. We can, however, bootstrap the CA certificate from the peer at |
175 | * the beginning of our first connection then use that certificate on all | |
176 | * subsequent connections, saving it to a file for use in future runs also. In | |
177 | * this case, 'bootstrap_ca_cert' is true. */ | |
9467fe62 | 178 | static bool bootstrap_ca_cert; |
9467fe62 | 179 | |
ff1760f1 BP |
180 | /* Session number. Used in debug logging messages to uniquely identify a |
181 | * session. */ | |
182 | static unsigned int next_session_nr; | |
183 | ||
9467fe62 BP |
184 | /* Who knows what can trigger various SSL errors, so let's throttle them down |
185 | * quite a bit. */ | |
186 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25); | |
187 | ||
188 | static int ssl_init(void); | |
189 | static int do_ssl_init(void); | |
190 | static bool ssl_wants_io(int ssl_error); | |
191 | static void ssl_close(struct stream *); | |
192 | static void ssl_clear_txbuf(struct ssl_stream *); | |
246f5b5e | 193 | static void interpret_queued_ssl_error(const char *function); |
9467fe62 BP |
194 | static int interpret_ssl_error(const char *function, int ret, int error, |
195 | int *want); | |
67a4917b | 196 | static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); |
9467fe62 | 197 | static void log_ca_cert(const char *file_name, X509 *cert); |
415f6c0b | 198 | static void stream_ssl_set_ca_cert_file__(const char *file_name, |
f1484874 | 199 | bool bootstrap, bool force); |
ff1760f1 BP |
200 | static void ssl_protocol_cb(int write_p, int version, int content_type, |
201 | const void *, size_t, SSL *, void *sslv_); | |
f1484874 | 202 | static bool update_ssl_config(struct ssl_config_file *, const char *file_name); |
5ea1366b | 203 | static int sock_errno(void); |
9467fe62 BP |
204 | |
205 | static short int | |
206 | want_to_poll_events(int want) | |
207 | { | |
208 | switch (want) { | |
209 | case SSL_NOTHING: | |
428b2edd | 210 | OVS_NOT_REACHED(); |
9467fe62 BP |
211 | |
212 | case SSL_READING: | |
213 | return POLLIN; | |
214 | ||
215 | case SSL_WRITING: | |
216 | return POLLOUT; | |
217 | ||
218 | default: | |
428b2edd | 219 | OVS_NOT_REACHED(); |
9467fe62 BP |
220 | } |
221 | } | |
222 | ||
b7636967 | 223 | /* Takes ownership of 'name'. */ |
9467fe62 | 224 | static int |
b7636967 | 225 | new_ssl_stream(char *name, int fd, enum session_type type, |
a8d81967 | 226 | enum ssl_state state, struct stream **streamp) |
9467fe62 | 227 | { |
9467fe62 BP |
228 | struct ssl_stream *sslv; |
229 | SSL *ssl = NULL; | |
9467fe62 BP |
230 | int retval; |
231 | ||
232 | /* Check for all the needful configuration. */ | |
233 | retval = 0; | |
415f6c0b | 234 | if (!private_key.read) { |
9467fe62 BP |
235 | VLOG_ERR("Private key must be configured to use SSL"); |
236 | retval = ENOPROTOOPT; | |
237 | } | |
415f6c0b | 238 | if (!certificate.read) { |
9467fe62 BP |
239 | VLOG_ERR("Certificate must be configured to use SSL"); |
240 | retval = ENOPROTOOPT; | |
241 | } | |
ba104a1e | 242 | if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { |
9467fe62 BP |
243 | VLOG_ERR("CA certificate must be configured to use SSL"); |
244 | retval = ENOPROTOOPT; | |
245 | } | |
b6d729ad | 246 | if (!retval && !SSL_CTX_check_private_key(ctx)) { |
9467fe62 BP |
247 | VLOG_ERR("Private key does not match certificate public key: %s", |
248 | ERR_error_string(ERR_get_error(), NULL)); | |
249 | retval = ENOPROTOOPT; | |
250 | } | |
251 | if (retval) { | |
252 | goto error; | |
253 | } | |
254 | ||
8b768391 LS |
255 | /* Disable Nagle. |
256 | * On windows platforms, this can only be called upon TCP connected. | |
257 | */ | |
258 | if (state == STATE_SSL_CONNECTING) { | |
b7cefbf7 | 259 | setsockopt_tcp_nodelay(fd); |
9467fe62 BP |
260 | } |
261 | ||
262 | /* Create and configure OpenSSL stream. */ | |
263 | ssl = SSL_new(ctx); | |
264 | if (ssl == NULL) { | |
265 | VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
266 | retval = ENOPROTOOPT; | |
267 | goto error; | |
268 | } | |
269 | if (SSL_set_fd(ssl, fd) == 0) { | |
270 | VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL)); | |
271 | retval = ENOPROTOOPT; | |
272 | goto error; | |
273 | } | |
ba104a1e | 274 | if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { |
9467fe62 BP |
275 | SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); |
276 | } | |
277 | ||
278 | /* Create and return the ssl_stream. */ | |
279 | sslv = xmalloc(sizeof *sslv); | |
280 | stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); | |
9467fe62 BP |
281 | sslv->state = state; |
282 | sslv->type = type; | |
283 | sslv->fd = fd; | |
284 | sslv->ssl = ssl; | |
285 | sslv->txbuf = NULL; | |
286 | sslv->rx_want = sslv->tx_want = SSL_NOTHING; | |
ff1760f1 | 287 | sslv->session_nr = next_session_nr++; |
1e3c0047 | 288 | sslv->n_head = 0; |
ff1760f1 BP |
289 | |
290 | if (VLOG_IS_DBG_ENABLED()) { | |
291 | SSL_set_msg_callback(ssl, ssl_protocol_cb); | |
292 | SSL_set_msg_callback_arg(ssl, sslv); | |
293 | } | |
294 | ||
9467fe62 BP |
295 | *streamp = &sslv->stream; |
296 | return 0; | |
297 | ||
298 | error: | |
299 | if (ssl) { | |
300 | SSL_free(ssl); | |
301 | } | |
5ea1366b | 302 | closesocket(fd); |
9467fe62 BP |
303 | return retval; |
304 | } | |
305 | ||
306 | static struct ssl_stream * | |
307 | ssl_stream_cast(struct stream *stream) | |
308 | { | |
309 | stream_assert_class(stream, &ssl_stream_class); | |
310 | return CONTAINER_OF(stream, struct ssl_stream, stream); | |
311 | } | |
312 | ||
313 | static int | |
f125905c | 314 | ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) |
9467fe62 | 315 | { |
9467fe62 BP |
316 | int error, fd; |
317 | ||
318 | error = ssl_init(); | |
319 | if (error) { | |
320 | return error; | |
321 | } | |
322 | ||
d4763d1d | 323 | error = inet_open_active(SOCK_STREAM, suffix, OFP_PORT, NULL, &fd, |
f125905c | 324 | dscp); |
9467fe62 BP |
325 | if (fd >= 0) { |
326 | int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; | |
b7636967 | 327 | return new_ssl_stream(xstrdup(name), fd, CLIENT, state, streamp); |
9467fe62 | 328 | } else { |
10a89ef0 | 329 | VLOG_ERR("%s: connect: %s", name, ovs_strerror(error)); |
9467fe62 BP |
330 | return error; |
331 | } | |
332 | } | |
333 | ||
334 | static int | |
335 | do_ca_cert_bootstrap(struct stream *stream) | |
336 | { | |
337 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
338 | STACK_OF(X509) *chain; | |
415f6c0b | 339 | X509 *cert; |
9467fe62 BP |
340 | FILE *file; |
341 | int error; | |
342 | int fd; | |
343 | ||
344 | chain = SSL_get_peer_cert_chain(sslv->ssl); | |
345 | if (!chain || !sk_X509_num(chain)) { | |
346 | VLOG_ERR("could not bootstrap CA cert: no certificate presented by " | |
347 | "peer"); | |
348 | return EPROTO; | |
349 | } | |
415f6c0b | 350 | cert = sk_X509_value(chain, sk_X509_num(chain) - 1); |
9467fe62 | 351 | |
415f6c0b | 352 | /* Check that 'cert' is self-signed. Otherwise it is not a CA |
9467fe62 | 353 | * certificate and we should not attempt to use it as one. */ |
415f6c0b | 354 | error = X509_check_issued(cert, cert); |
9467fe62 BP |
355 | if (error) { |
356 | VLOG_ERR("could not bootstrap CA cert: obtained certificate is " | |
357 | "not self-signed (%s)", | |
358 | X509_verify_cert_error_string(error)); | |
359 | if (sk_X509_num(chain) < 2) { | |
360 | VLOG_ERR("only one certificate was received, so probably the peer " | |
361 | "is not configured to send its CA certificate"); | |
362 | } | |
363 | return EPROTO; | |
364 | } | |
365 | ||
415f6c0b | 366 | fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); |
9467fe62 | 367 | if (fd < 0) { |
deb1f433 | 368 | if (errno == EEXIST) { |
f1484874 BP |
369 | VLOG_INFO_RL(&rl, "reading CA cert %s created by another process", |
370 | ca_cert.file_name); | |
371 | stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true); | |
deb1f433 BP |
372 | return EPROTO; |
373 | } else { | |
374 | VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", | |
10a89ef0 | 375 | ca_cert.file_name, ovs_strerror(errno)); |
deb1f433 BP |
376 | return errno; |
377 | } | |
9467fe62 BP |
378 | } |
379 | ||
380 | file = fdopen(fd, "w"); | |
381 | if (!file) { | |
2a022368 | 382 | error = errno; |
9467fe62 | 383 | VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s", |
10a89ef0 | 384 | ovs_strerror(error)); |
415f6c0b | 385 | unlink(ca_cert.file_name); |
9467fe62 BP |
386 | return error; |
387 | } | |
388 | ||
415f6c0b | 389 | if (!PEM_write_X509(file, cert)) { |
9467fe62 | 390 | VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: " |
415f6c0b BP |
391 | "%s", ca_cert.file_name, |
392 | ERR_error_string(ERR_get_error(), NULL)); | |
9467fe62 | 393 | fclose(file); |
415f6c0b | 394 | unlink(ca_cert.file_name); |
9467fe62 BP |
395 | return EIO; |
396 | } | |
397 | ||
398 | if (fclose(file)) { | |
2a022368 | 399 | error = errno; |
9467fe62 | 400 | VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s", |
10a89ef0 | 401 | ca_cert.file_name, ovs_strerror(error)); |
415f6c0b | 402 | unlink(ca_cert.file_name); |
9467fe62 BP |
403 | return error; |
404 | } | |
405 | ||
415f6c0b BP |
406 | VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name); |
407 | log_ca_cert(ca_cert.file_name, cert); | |
9467fe62 | 408 | bootstrap_ca_cert = false; |
415f6c0b | 409 | ca_cert.read = true; |
9467fe62 | 410 | |
415f6c0b BP |
411 | /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */ |
412 | SSL_CTX_add_client_CA(ctx, cert); | |
9467fe62 | 413 | |
e6a8ca62 | 414 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); |
415f6c0b | 415 | if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { |
9467fe62 BP |
416 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", |
417 | ERR_error_string(ERR_get_error(), NULL)); | |
418 | return EPROTO; | |
419 | } | |
420 | VLOG_INFO("killing successful connection to retry using CA cert"); | |
421 | return EPROTO; | |
422 | } | |
423 | ||
c19ae4cc LR |
424 | static char * |
425 | get_peer_common_name(const struct ssl_stream *sslv) | |
426 | { | |
427 | X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl); | |
428 | if (!peer_cert) { | |
429 | return NULL; | |
430 | } | |
431 | ||
432 | int cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert), | |
433 | NID_commonName, -1); | |
434 | if (cn_index < 0) { | |
435 | return NULL; | |
436 | } | |
437 | ||
438 | X509_NAME_ENTRY *cn_entry = X509_NAME_get_entry( | |
439 | X509_get_subject_name(peer_cert), cn_index); | |
440 | if (!cn_entry) { | |
441 | return NULL; | |
442 | } | |
443 | ||
444 | ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(cn_entry); | |
445 | if (!cn_data) { | |
446 | return NULL; | |
447 | } | |
448 | ||
449 | const char *cn; | |
450 | #if OPENSSL_VERSION_NUMBER < 0x10100000L | |
451 | /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */ | |
452 | cn = (const char *)ASN1_STRING_data(cn_data); | |
453 | #else | |
454 | cn = (const char *)ASN1_STRING_get0_data(cn_data); | |
455 | #endif | |
456 | return xstrdup(cn); | |
457 | } | |
458 | ||
9467fe62 BP |
459 | static int |
460 | ssl_connect(struct stream *stream) | |
461 | { | |
462 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
463 | int retval; | |
464 | ||
465 | switch (sslv->state) { | |
466 | case STATE_TCP_CONNECTING: | |
467 | retval = check_connection_completion(sslv->fd); | |
468 | if (retval) { | |
469 | return retval; | |
470 | } | |
471 | sslv->state = STATE_SSL_CONNECTING; | |
b7cefbf7 | 472 | setsockopt_tcp_nodelay(sslv->fd); |
9467fe62 BP |
473 | /* Fall through. */ |
474 | ||
475 | case STATE_SSL_CONNECTING: | |
1e3c0047 | 476 | /* Capture the first few bytes of received data so that we can guess |
ec9f40dc | 477 | * what kind of funny data we've been sent if SSL negotiation fails. */ |
1e3c0047 BP |
478 | if (sslv->n_head <= 0) { |
479 | sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, | |
480 | MSG_PEEK); | |
481 | } | |
482 | ||
9467fe62 BP |
483 | retval = (sslv->type == CLIENT |
484 | ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); | |
485 | if (retval != 1) { | |
486 | int error = SSL_get_error(sslv->ssl, retval); | |
487 | if (retval < 0 && ssl_wants_io(error)) { | |
488 | return EAGAIN; | |
489 | } else { | |
490 | int unused; | |
f2f7be86 | 491 | |
9467fe62 BP |
492 | interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" |
493 | : "SSL_accept"), retval, error, &unused); | |
494 | shutdown(sslv->fd, SHUT_RDWR); | |
1e3c0047 | 495 | stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, |
922fed06 | 496 | &this_module, stream_get_name(stream)); |
9467fe62 BP |
497 | return EPROTO; |
498 | } | |
499 | } else if (bootstrap_ca_cert) { | |
500 | return do_ca_cert_bootstrap(stream); | |
ba104a1e BP |
501 | } else if (verify_peer_cert |
502 | && ((SSL_get_verify_mode(sslv->ssl) | |
503 | & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) | |
504 | != SSL_VERIFY_PEER)) { | |
9467fe62 BP |
505 | /* Two or more SSL connections completed at the same time while we |
506 | * were in bootstrap mode. Only one of these can finish the | |
507 | * bootstrap successfully. The other one(s) must be rejected | |
508 | * because they were not verified against the bootstrapped CA | |
509 | * certificate. (Alternatively we could verify them against the CA | |
510 | * certificate, but that's more trouble than it's worth. These | |
511 | * connections will succeed the next time they retry, assuming that | |
512 | * they have a certificate against the correct CA.) */ | |
1ee62357 | 513 | VLOG_INFO("rejecting SSL connection during bootstrap race window"); |
9467fe62 BP |
514 | return EPROTO; |
515 | } else { | |
c19ae4cc LR |
516 | char *cn = get_peer_common_name(sslv); |
517 | ||
518 | if (cn) { | |
519 | stream_set_peer_id(stream, cn); | |
520 | free(cn); | |
521 | } | |
9467fe62 BP |
522 | return 0; |
523 | } | |
524 | } | |
525 | ||
428b2edd | 526 | OVS_NOT_REACHED(); |
9467fe62 BP |
527 | } |
528 | ||
529 | static void | |
530 | ssl_close(struct stream *stream) | |
531 | { | |
532 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
533 | ssl_clear_txbuf(sslv); | |
5e4641a1 BP |
534 | |
535 | /* Attempt clean shutdown of the SSL connection. This will work most of | |
536 | * the time, as long as the kernel send buffer has some free space and the | |
537 | * SSL connection isn't renegotiating, etc. That has to be good enough, | |
538 | * since we don't have any way to continue the close operation in the | |
539 | * background. */ | |
540 | SSL_shutdown(sslv->ssl); | |
541 | ||
3d47699c BP |
542 | /* SSL_shutdown() might have signaled an error, in which case we need to |
543 | * flush it out of the OpenSSL error queue or the next OpenSSL operation | |
544 | * will falsely signal an error. */ | |
545 | ERR_clear_error(); | |
546 | ||
9467fe62 | 547 | SSL_free(sslv->ssl); |
5ea1366b | 548 | closesocket(sslv->fd); |
9467fe62 BP |
549 | free(sslv); |
550 | } | |
551 | ||
246f5b5e BP |
552 | static void |
553 | interpret_queued_ssl_error(const char *function) | |
554 | { | |
555 | int queued_error = ERR_get_error(); | |
556 | if (queued_error != 0) { | |
557 | VLOG_WARN_RL(&rl, "%s: %s", | |
558 | function, ERR_error_string(queued_error, NULL)); | |
559 | } else { | |
560 | VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", function); | |
561 | } | |
562 | } | |
563 | ||
9467fe62 BP |
564 | static int |
565 | interpret_ssl_error(const char *function, int ret, int error, | |
566 | int *want) | |
567 | { | |
568 | *want = SSL_NOTHING; | |
569 | ||
570 | switch (error) { | |
571 | case SSL_ERROR_NONE: | |
572 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function); | |
573 | break; | |
574 | ||
575 | case SSL_ERROR_ZERO_RETURN: | |
576 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function); | |
577 | break; | |
578 | ||
579 | case SSL_ERROR_WANT_READ: | |
580 | *want = SSL_READING; | |
581 | return EAGAIN; | |
582 | ||
583 | case SSL_ERROR_WANT_WRITE: | |
584 | *want = SSL_WRITING; | |
585 | return EAGAIN; | |
586 | ||
587 | case SSL_ERROR_WANT_CONNECT: | |
588 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function); | |
589 | break; | |
590 | ||
591 | case SSL_ERROR_WANT_ACCEPT: | |
592 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function); | |
593 | break; | |
594 | ||
595 | case SSL_ERROR_WANT_X509_LOOKUP: | |
596 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP", | |
597 | function); | |
598 | break; | |
599 | ||
600 | case SSL_ERROR_SYSCALL: { | |
601 | int queued_error = ERR_get_error(); | |
602 | if (queued_error == 0) { | |
603 | if (ret < 0) { | |
604 | int status = errno; | |
605 | VLOG_WARN_RL(&rl, "%s: system error (%s)", | |
10a89ef0 | 606 | function, ovs_strerror(status)); |
9467fe62 BP |
607 | return status; |
608 | } else { | |
609 | VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", | |
610 | function); | |
611 | return EPROTO; | |
612 | } | |
613 | } else { | |
614 | VLOG_WARN_RL(&rl, "%s: %s", | |
615 | function, ERR_error_string(queued_error, NULL)); | |
616 | break; | |
617 | } | |
618 | } | |
619 | ||
246f5b5e BP |
620 | case SSL_ERROR_SSL: |
621 | interpret_queued_ssl_error(function); | |
9467fe62 | 622 | break; |
9467fe62 BP |
623 | |
624 | default: | |
625 | VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error); | |
626 | break; | |
627 | } | |
628 | return EIO; | |
629 | } | |
630 | ||
631 | static ssize_t | |
632 | ssl_recv(struct stream *stream, void *buffer, size_t n) | |
633 | { | |
634 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
635 | int old_state; | |
636 | ssize_t ret; | |
637 | ||
638 | /* Behavior of zero-byte SSL_read is poorly defined. */ | |
cb22974d | 639 | ovs_assert(n > 0); |
9467fe62 BP |
640 | |
641 | old_state = SSL_get_state(sslv->ssl); | |
642 | ret = SSL_read(sslv->ssl, buffer, n); | |
643 | if (old_state != SSL_get_state(sslv->ssl)) { | |
644 | sslv->tx_want = SSL_NOTHING; | |
645 | } | |
646 | sslv->rx_want = SSL_NOTHING; | |
647 | ||
648 | if (ret > 0) { | |
649 | return ret; | |
650 | } else { | |
651 | int error = SSL_get_error(sslv->ssl, ret); | |
652 | if (error == SSL_ERROR_ZERO_RETURN) { | |
653 | return 0; | |
654 | } else { | |
2b494771 BP |
655 | return -interpret_ssl_error("SSL_read", ret, error, |
656 | &sslv->rx_want); | |
9467fe62 BP |
657 | } |
658 | } | |
659 | } | |
660 | ||
661 | static void | |
662 | ssl_clear_txbuf(struct ssl_stream *sslv) | |
663 | { | |
664 | ofpbuf_delete(sslv->txbuf); | |
665 | sslv->txbuf = NULL; | |
666 | } | |
667 | ||
668 | static int | |
669 | ssl_do_tx(struct stream *stream) | |
670 | { | |
671 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
672 | ||
673 | for (;;) { | |
674 | int old_state = SSL_get_state(sslv->ssl); | |
560d3df7 | 675 | int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size); |
9467fe62 BP |
676 | if (old_state != SSL_get_state(sslv->ssl)) { |
677 | sslv->rx_want = SSL_NOTHING; | |
678 | } | |
679 | sslv->tx_want = SSL_NOTHING; | |
680 | if (ret > 0) { | |
681 | ofpbuf_pull(sslv->txbuf, ret); | |
560d3df7 | 682 | if (sslv->txbuf->size == 0) { |
9467fe62 BP |
683 | return 0; |
684 | } | |
685 | } else { | |
686 | int ssl_error = SSL_get_error(sslv->ssl, ret); | |
687 | if (ssl_error == SSL_ERROR_ZERO_RETURN) { | |
688 | VLOG_WARN_RL(&rl, "SSL_write: connection closed"); | |
689 | return EPIPE; | |
690 | } else { | |
691 | return interpret_ssl_error("SSL_write", ret, ssl_error, | |
692 | &sslv->tx_want); | |
693 | } | |
694 | } | |
695 | } | |
696 | } | |
697 | ||
698 | static ssize_t | |
699 | ssl_send(struct stream *stream, const void *buffer, size_t n) | |
700 | { | |
701 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
702 | ||
703 | if (sslv->txbuf) { | |
2b494771 | 704 | return -EAGAIN; |
9467fe62 BP |
705 | } else { |
706 | int error; | |
707 | ||
708 | sslv->txbuf = ofpbuf_clone_data(buffer, n); | |
709 | error = ssl_do_tx(stream); | |
710 | switch (error) { | |
711 | case 0: | |
712 | ssl_clear_txbuf(sslv); | |
2b494771 | 713 | return n; |
9467fe62 | 714 | case EAGAIN: |
2b494771 | 715 | return n; |
9467fe62 | 716 | default: |
5c8f8763 | 717 | ssl_clear_txbuf(sslv); |
2b494771 | 718 | return -error; |
9467fe62 BP |
719 | } |
720 | } | |
721 | } | |
722 | ||
723 | static void | |
724 | ssl_run(struct stream *stream) | |
725 | { | |
726 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
727 | ||
728 | if (sslv->txbuf && ssl_do_tx(stream) != EAGAIN) { | |
729 | ssl_clear_txbuf(sslv); | |
730 | } | |
731 | } | |
732 | ||
733 | static void | |
734 | ssl_run_wait(struct stream *stream) | |
735 | { | |
736 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
737 | ||
738 | if (sslv->tx_want != SSL_NOTHING) { | |
1ca3348e | 739 | poll_fd_wait(sslv->fd, want_to_poll_events(sslv->tx_want)); |
9467fe62 BP |
740 | } |
741 | } | |
742 | ||
743 | static void | |
744 | ssl_wait(struct stream *stream, enum stream_wait_type wait) | |
745 | { | |
746 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
747 | ||
748 | switch (wait) { | |
749 | case STREAM_CONNECT: | |
750 | if (stream_connect(stream) != EAGAIN) { | |
751 | poll_immediate_wake(); | |
752 | } else { | |
753 | switch (sslv->state) { | |
754 | case STATE_TCP_CONNECTING: | |
1ca3348e | 755 | poll_fd_wait(sslv->fd, POLLOUT); |
9467fe62 BP |
756 | break; |
757 | ||
758 | case STATE_SSL_CONNECTING: | |
759 | /* ssl_connect() called SSL_accept() or SSL_connect(), which | |
760 | * set up the status that we test here. */ | |
1ca3348e GS |
761 | poll_fd_wait(sslv->fd, |
762 | want_to_poll_events(SSL_want(sslv->ssl))); | |
9467fe62 BP |
763 | break; |
764 | ||
765 | default: | |
428b2edd | 766 | OVS_NOT_REACHED(); |
9467fe62 BP |
767 | } |
768 | } | |
769 | break; | |
770 | ||
771 | case STREAM_RECV: | |
772 | if (sslv->rx_want != SSL_NOTHING) { | |
1ca3348e | 773 | poll_fd_wait(sslv->fd, want_to_poll_events(sslv->rx_want)); |
9467fe62 BP |
774 | } else { |
775 | poll_immediate_wake(); | |
776 | } | |
777 | break; | |
778 | ||
779 | case STREAM_SEND: | |
780 | if (!sslv->txbuf) { | |
781 | /* We have room in our tx queue. */ | |
782 | poll_immediate_wake(); | |
783 | } else { | |
784 | /* stream_run_wait() will do the right thing; don't bother with | |
785 | * redundancy. */ | |
786 | } | |
787 | break; | |
788 | ||
789 | default: | |
428b2edd | 790 | OVS_NOT_REACHED(); |
9467fe62 BP |
791 | } |
792 | } | |
793 | ||
da327b18 | 794 | const struct stream_class ssl_stream_class = { |
9467fe62 | 795 | "ssl", /* name */ |
f1936eb6 | 796 | true, /* needs_probes */ |
9467fe62 BP |
797 | ssl_open, /* open */ |
798 | ssl_close, /* close */ | |
799 | ssl_connect, /* connect */ | |
800 | ssl_recv, /* recv */ | |
801 | ssl_send, /* send */ | |
802 | ssl_run, /* run */ | |
803 | ssl_run_wait, /* run_wait */ | |
804 | ssl_wait, /* wait */ | |
805 | }; | |
806 | \f | |
807 | /* Passive SSL. */ | |
808 | ||
809 | struct pssl_pstream | |
810 | { | |
811 | struct pstream pstream; | |
812 | int fd; | |
813 | }; | |
814 | ||
da327b18 | 815 | const struct pstream_class pssl_pstream_class; |
9467fe62 BP |
816 | |
817 | static struct pssl_pstream * | |
818 | pssl_pstream_cast(struct pstream *pstream) | |
819 | { | |
820 | pstream_assert_class(pstream, &pssl_pstream_class); | |
821 | return CONTAINER_OF(pstream, struct pssl_pstream, pstream); | |
822 | } | |
823 | ||
824 | static int | |
f125905c MM |
825 | pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, |
826 | uint8_t dscp) | |
9467fe62 | 827 | { |
e731d71b | 828 | struct sockaddr_storage ss; |
9467fe62 | 829 | struct pssl_pstream *pssl; |
e731d71b | 830 | uint16_t port; |
9467fe62 BP |
831 | int retval; |
832 | int fd; | |
833 | ||
834 | retval = ssl_init(); | |
835 | if (retval) { | |
836 | return retval; | |
837 | } | |
838 | ||
d4763d1d | 839 | fd = inet_open_passive(SOCK_STREAM, suffix, OFP_PORT, &ss, dscp, true); |
9467fe62 BP |
840 | if (fd < 0) { |
841 | return -fd; | |
842 | } | |
e731d71b AS |
843 | |
844 | port = ss_get_port(&ss); | |
fd245f1d BP |
845 | |
846 | struct ds bound_name = DS_EMPTY_INITIALIZER; | |
847 | ds_put_format(&bound_name, "pssl:%"PRIu16":", port); | |
848 | ss_format_address(&ss, &bound_name); | |
9467fe62 BP |
849 | |
850 | pssl = xmalloc(sizeof *pssl); | |
fd245f1d BP |
851 | pstream_init(&pssl->pstream, &pssl_pstream_class, |
852 | ds_steal_cstr(&bound_name)); | |
e731d71b | 853 | pstream_set_bound_port(&pssl->pstream, htons(port)); |
9467fe62 BP |
854 | pssl->fd = fd; |
855 | *pstreamp = &pssl->pstream; | |
fd245f1d | 856 | |
9467fe62 BP |
857 | return 0; |
858 | } | |
859 | ||
860 | static void | |
861 | pssl_close(struct pstream *pstream) | |
862 | { | |
863 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
5ea1366b | 864 | closesocket(pssl->fd); |
9467fe62 BP |
865 | free(pssl); |
866 | } | |
867 | ||
868 | static int | |
869 | pssl_accept(struct pstream *pstream, struct stream **new_streamp) | |
870 | { | |
871 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
e731d71b AS |
872 | struct sockaddr_storage ss; |
873 | socklen_t ss_len = sizeof ss; | |
9467fe62 BP |
874 | int new_fd; |
875 | int error; | |
876 | ||
e731d71b | 877 | new_fd = accept(pssl->fd, (struct sockaddr *) &ss, &ss_len); |
9467fe62 | 878 | if (new_fd < 0) { |
5ea1366b GS |
879 | error = sock_errno(); |
880 | #ifdef _WIN32 | |
881 | if (error == WSAEWOULDBLOCK) { | |
882 | error = EAGAIN; | |
883 | } | |
884 | #endif | |
9467fe62 | 885 | if (error != EAGAIN) { |
5ea1366b | 886 | VLOG_DBG_RL(&rl, "accept: %s", sock_strerror(error)); |
9467fe62 BP |
887 | } |
888 | return error; | |
889 | } | |
890 | ||
891 | error = set_nonblocking(new_fd); | |
892 | if (error) { | |
5ea1366b | 893 | closesocket(new_fd); |
9467fe62 BP |
894 | return error; |
895 | } | |
896 | ||
fd245f1d BP |
897 | struct ds name = DS_EMPTY_INITIALIZER; |
898 | ds_put_cstr(&name, "ssl:"); | |
899 | ss_format_address(&ss, &name); | |
900 | ds_put_format(&name, ":%"PRIu16, ss_get_port(&ss)); | |
901 | return new_ssl_stream(ds_steal_cstr(&name), new_fd, SERVER, | |
902 | STATE_SSL_CONNECTING, new_streamp); | |
9467fe62 BP |
903 | } |
904 | ||
905 | static void | |
906 | pssl_wait(struct pstream *pstream) | |
907 | { | |
908 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
1ca3348e | 909 | poll_fd_wait(pssl->fd, POLLIN); |
9467fe62 BP |
910 | } |
911 | ||
da327b18 | 912 | const struct pstream_class pssl_pstream_class = { |
9467fe62 | 913 | "pssl", |
f1936eb6 | 914 | true, |
9467fe62 BP |
915 | pssl_open, |
916 | pssl_close, | |
917 | pssl_accept, | |
918 | pssl_wait, | |
919 | }; | |
920 | \f | |
921 | /* | |
922 | * Returns true if OpenSSL error is WANT_READ or WANT_WRITE, indicating that | |
923 | * OpenSSL is requesting that we call it back when the socket is ready for read | |
924 | * or writing, respectively. | |
925 | */ | |
926 | static bool | |
927 | ssl_wants_io(int ssl_error) | |
928 | { | |
929 | return (ssl_error == SSL_ERROR_WANT_WRITE | |
930 | || ssl_error == SSL_ERROR_WANT_READ); | |
931 | } | |
932 | ||
933 | static int | |
934 | ssl_init(void) | |
935 | { | |
936 | static int init_status = -1; | |
937 | if (init_status < 0) { | |
938 | init_status = do_ssl_init(); | |
cb22974d | 939 | ovs_assert(init_status >= 0); |
9467fe62 BP |
940 | } |
941 | return init_status; | |
942 | } | |
943 | ||
944 | static int | |
945 | do_ssl_init(void) | |
946 | { | |
947 | SSL_METHOD *method; | |
948 | ||
5ea1366b GS |
949 | #ifdef _WIN32 |
950 | /* The following call is needed if we "#include <openssl/applink.c>". */ | |
951 | CRYPTO_malloc_init(); | |
952 | #endif | |
9467fe62 BP |
953 | SSL_library_init(); |
954 | SSL_load_error_strings(); | |
955 | ||
47ebcf25 BP |
956 | if (!RAND_status()) { |
957 | /* We occasionally see OpenSSL fail to seed its random number generator | |
958 | * in heavily loaded hypervisors. I suspect the following scenario: | |
959 | * | |
960 | * 1. OpenSSL calls read() to get 32 bytes from /dev/urandom. | |
961 | * 2. The kernel generates 10 bytes of randomness and copies it out. | |
962 | * 3. A signal arrives (perhaps SIGALRM). | |
963 | * 4. The kernel interrupts the system call to service the signal. | |
964 | * 5. Userspace gets 10 bytes of entropy. | |
965 | * 6. OpenSSL doesn't read again to get the final 22 bytes. Therefore | |
966 | * OpenSSL doesn't have enough entropy to consider itself | |
967 | * initialized. | |
968 | * | |
969 | * The only part I'm not entirely sure about is #6, because the OpenSSL | |
970 | * code is so hard to read. */ | |
971 | uint8_t seed[32]; | |
972 | int retval; | |
973 | ||
974 | VLOG_WARN("OpenSSL random seeding failed, reseeding ourselves"); | |
975 | ||
976 | retval = get_entropy(seed, sizeof seed); | |
977 | if (retval) { | |
978 | VLOG_ERR("failed to obtain entropy (%s)", | |
979 | ovs_retval_to_string(retval)); | |
980 | return retval > 0 ? retval : ENOPROTOOPT; | |
981 | } | |
982 | ||
983 | RAND_seed(seed, sizeof seed); | |
984 | } | |
985 | ||
b56ea5d5 BP |
986 | /* OpenSSL has a bunch of "connection methods": SSLv2_method(), |
987 | * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these | |
988 | * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 | |
989 | * only, not any earlier *or later* version. The only exception is | |
990 | * SSLv23_method(), which in fact supports *any* version of SSL and TLS. | |
991 | * We don't want SSLv2 or SSLv3 support, so we turn it off below with | |
992 | * SSL_CTX_set_options(). | |
993 | * | |
994 | * The cast is needed to avoid a warning with newer versions of OpenSSL in | |
995 | * which SSLv23_method() returns a "const" pointer. */ | |
996 | method = CONST_CAST(SSL_METHOD *, SSLv23_method()); | |
9467fe62 BP |
997 | if (method == NULL) { |
998 | VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); | |
999 | return ENOPROTOOPT; | |
1000 | } | |
1001 | ||
1002 | ctx = SSL_CTX_new(method); | |
1003 | if (ctx == NULL) { | |
1004 | VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
1005 | return ENOPROTOOPT; | |
1006 | } | |
1007 | SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | |
1008 | SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback); | |
1009 | SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); | |
1010 | SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
1011 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, | |
1012 | NULL); | |
895107e4 | 1013 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
e18a1d08 | 1014 | SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); |
9467fe62 BP |
1015 | |
1016 | return 0; | |
1017 | } | |
1018 | ||
1019 | static DH * | |
67a4917b | 1020 | tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) |
9467fe62 BP |
1021 | { |
1022 | struct dh { | |
1023 | int keylength; | |
1024 | DH *dh; | |
1025 | DH *(*constructor)(void); | |
1026 | }; | |
1027 | ||
1028 | static struct dh dh_table[] = { | |
1029 | {1024, NULL, get_dh1024}, | |
1030 | {2048, NULL, get_dh2048}, | |
1031 | {4096, NULL, get_dh4096}, | |
1032 | }; | |
1033 | ||
1034 | struct dh *dh; | |
1035 | ||
1036 | for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) { | |
1037 | if (dh->keylength == keylength) { | |
1038 | if (!dh->dh) { | |
1039 | dh->dh = dh->constructor(); | |
1040 | if (!dh->dh) { | |
1d2c568d | 1041 | out_of_memory(); |
9467fe62 BP |
1042 | } |
1043 | } | |
1044 | return dh->dh; | |
1045 | } | |
1046 | } | |
1047 | VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d", | |
1048 | keylength); | |
1049 | return NULL; | |
1050 | } | |
1051 | ||
1052 | /* Returns true if SSL is at least partially configured. */ | |
1053 | bool | |
d295e8e9 | 1054 | stream_ssl_is_configured(void) |
9467fe62 | 1055 | { |
415f6c0b BP |
1056 | return private_key.file_name || certificate.file_name || ca_cert.file_name; |
1057 | } | |
1058 | ||
1059 | static bool | |
1060 | update_ssl_config(struct ssl_config_file *config, const char *file_name) | |
1061 | { | |
9cb07887 | 1062 | struct timespec mtime; |
e68f6dea | 1063 | int error; |
9cb07887 BP |
1064 | |
1065 | if (ssl_init() || !file_name) { | |
1066 | return false; | |
1067 | } | |
1068 | ||
1069 | /* If the file name hasn't changed and neither has the file contents, stop | |
1070 | * here. */ | |
e68f6dea BP |
1071 | error = get_mtime(file_name, &mtime); |
1072 | if (error && error != ENOENT) { | |
10a89ef0 BP |
1073 | VLOG_ERR_RL(&rl, "%s: stat failed (%s)", |
1074 | file_name, ovs_strerror(error)); | |
e68f6dea | 1075 | } |
9cb07887 BP |
1076 | if (config->file_name |
1077 | && !strcmp(config->file_name, file_name) | |
1078 | && mtime.tv_sec == config->mtime.tv_sec | |
1079 | && mtime.tv_nsec == config->mtime.tv_nsec) { | |
415f6c0b BP |
1080 | return false; |
1081 | } | |
1082 | ||
2b1a27a1 | 1083 | /* Update 'config'. */ |
9cb07887 | 1084 | config->mtime = mtime; |
2b1a27a1 BP |
1085 | if (file_name != config->file_name) { |
1086 | free(config->file_name); | |
1087 | config->file_name = xstrdup(file_name); | |
1088 | } | |
415f6c0b | 1089 | return true; |
9467fe62 BP |
1090 | } |
1091 | ||
6f1e91b1 BP |
1092 | static void |
1093 | stream_ssl_set_private_key_file__(const char *file_name) | |
1094 | { | |
1095 | if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { | |
1096 | private_key.read = true; | |
1097 | } else { | |
1098 | VLOG_ERR("SSL_use_PrivateKey_file: %s", | |
1099 | ERR_error_string(ERR_get_error(), NULL)); | |
1100 | } | |
1101 | } | |
1102 | ||
9467fe62 BP |
1103 | void |
1104 | stream_ssl_set_private_key_file(const char *file_name) | |
1105 | { | |
6f1e91b1 BP |
1106 | if (update_ssl_config(&private_key, file_name)) { |
1107 | stream_ssl_set_private_key_file__(file_name); | |
9467fe62 | 1108 | } |
6f1e91b1 BP |
1109 | } |
1110 | ||
1111 | static void | |
1112 | stream_ssl_set_certificate_file__(const char *file_name) | |
1113 | { | |
1b494f3e | 1114 | if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { |
6f1e91b1 BP |
1115 | certificate.read = true; |
1116 | } else { | |
1117 | VLOG_ERR("SSL_use_certificate_file: %s", | |
9467fe62 | 1118 | ERR_error_string(ERR_get_error(), NULL)); |
9467fe62 | 1119 | } |
9467fe62 BP |
1120 | } |
1121 | ||
1122 | void | |
1123 | stream_ssl_set_certificate_file(const char *file_name) | |
1124 | { | |
6f1e91b1 BP |
1125 | if (update_ssl_config(&certificate, file_name)) { |
1126 | stream_ssl_set_certificate_file__(file_name); | |
9467fe62 | 1127 | } |
6f1e91b1 BP |
1128 | } |
1129 | ||
1130 | /* Sets the private key and certificate files in one operation. Use this | |
1131 | * interface, instead of calling stream_ssl_set_private_key_file() and | |
1132 | * stream_ssl_set_certificate_file() individually, in the main loop of a | |
1133 | * long-running program whose key and certificate might change at runtime. | |
1134 | * | |
1135 | * This is important because of OpenSSL's behavior. If an OpenSSL context | |
1136 | * already has a certificate, and stream_ssl_set_private_key_file() is called | |
1137 | * to install a new private key, OpenSSL will report an error because the new | |
1138 | * private key does not match the old certificate. The other order, of setting | |
1139 | * a new certificate, then setting a new private key, does work. | |
1140 | * | |
1141 | * If this were the only problem, calling stream_ssl_set_certificate_file() | |
1142 | * before stream_ssl_set_private_key_file() would fix it. But, if the private | |
1143 | * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new | |
1144 | * private key in place before the certificate), then OpenSSL would reject that | |
1145 | * change, and then the change of certificate would succeed, but there would be | |
1146 | * no associated private key (because it had only changed once and therefore | |
1147 | * there was no point in re-reading it). | |
1148 | * | |
1149 | * This function avoids both problems by, whenever either the certificate or | |
1150 | * the private key file changes, re-reading both of them, in the correct order. | |
1151 | */ | |
1152 | void | |
1153 | stream_ssl_set_key_and_cert(const char *private_key_file, | |
1154 | const char *certificate_file) | |
1155 | { | |
1156 | if (update_ssl_config(&private_key, private_key_file) | |
1157 | || update_ssl_config(&certificate, certificate_file)) { | |
1158 | stream_ssl_set_certificate_file__(certificate_file); | |
1159 | stream_ssl_set_private_key_file__(private_key_file); | |
9467fe62 | 1160 | } |
9467fe62 BP |
1161 | } |
1162 | ||
e18a1d08 ER |
1163 | /* Sets SSL ciphers based on string input. Aborts with an error message |
1164 | * if 'arg' is invalid. */ | |
1165 | void | |
1166 | stream_ssl_set_ciphers(const char *arg) | |
1167 | { | |
1168 | if (ssl_init() || !arg || !strcmp(ssl_ciphers, arg)) { | |
1169 | return; | |
1170 | } | |
1171 | if (SSL_CTX_set_cipher_list(ctx,arg) == 0) { | |
1172 | VLOG_ERR("SSL_CTX_set_cipher_list: %s", | |
1173 | ERR_error_string(ERR_get_error(), NULL)); | |
1174 | } | |
1175 | ssl_ciphers = xstrdup(arg); | |
1176 | } | |
1177 | ||
1178 | /* Set SSL protocols based on the string input. Aborts with an error message | |
1179 | * if 'arg' is invalid. */ | |
1180 | void | |
1181 | stream_ssl_set_protocols(const char *arg) | |
1182 | { | |
1183 | if (ssl_init() || !arg || !strcmp(arg, ssl_protocols)){ | |
1184 | return; | |
1185 | } | |
1186 | ||
1187 | /* Start with all the flags off and turn them on as requested. */ | |
1188 | long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; | |
1189 | protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; | |
1190 | ||
1191 | char *s = xstrdup(arg); | |
1192 | char *save_ptr = NULL; | |
1193 | char *word = strtok_r(s, " ,\t", &save_ptr); | |
1194 | if (word == NULL) { | |
1195 | VLOG_ERR("SSL protocol settings invalid"); | |
1196 | goto exit; | |
1197 | } | |
1198 | while (word != NULL) { | |
1199 | long on_flag; | |
1200 | if (!strcasecmp(word, "TLSv1.2")){ | |
1201 | on_flag = SSL_OP_NO_TLSv1_2; | |
1202 | } else if (!strcasecmp(word, "TLSv1.1")){ | |
1203 | on_flag = SSL_OP_NO_TLSv1_1; | |
1204 | } else if (!strcasecmp(word, "TLSv1")){ | |
1205 | on_flag = SSL_OP_NO_TLSv1; | |
1206 | } else { | |
1207 | VLOG_ERR("%s: SSL protocol not recognized", word); | |
1208 | goto exit; | |
1209 | } | |
1210 | /* Reverse the no flag and mask it out in the flags | |
1211 | * to turn on that protocol. */ | |
1212 | protocol_flags &= ~on_flag; | |
1213 | word = strtok_r(NULL, " ,\t", &save_ptr); | |
1214 | }; | |
1215 | ||
1216 | /* Set the actual options. */ | |
1217 | SSL_CTX_set_options(ctx, protocol_flags); | |
1218 | ||
1219 | ssl_protocols = xstrdup(arg); | |
1220 | ||
1221 | exit: | |
1222 | free(s); | |
1223 | } | |
1224 | ||
9467fe62 BP |
1225 | /* Reads the X509 certificate or certificates in file 'file_name'. On success, |
1226 | * stores the address of the first element in an array of pointers to | |
1227 | * certificates in '*certs' and the number of certificates in the array in | |
1228 | * '*n_certs', and returns 0. On failure, stores a null pointer in '*certs', 0 | |
1229 | * in '*n_certs', and returns a positive errno value. | |
1230 | * | |
1231 | * The caller is responsible for freeing '*certs'. */ | |
1232 | static int | |
1233 | read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) | |
1234 | { | |
1235 | FILE *file; | |
1236 | size_t allocated_certs = 0; | |
1237 | ||
1238 | *certs = NULL; | |
1239 | *n_certs = 0; | |
1240 | ||
1241 | file = fopen(file_name, "r"); | |
1242 | if (!file) { | |
1243 | VLOG_ERR("failed to open %s for reading: %s", | |
10a89ef0 | 1244 | file_name, ovs_strerror(errno)); |
9467fe62 BP |
1245 | return errno; |
1246 | } | |
1247 | ||
1248 | for (;;) { | |
1249 | X509 *certificate; | |
1250 | int c; | |
1251 | ||
1252 | /* Read certificate from file. */ | |
1253 | certificate = PEM_read_X509(file, NULL, NULL, NULL); | |
1254 | if (!certificate) { | |
1255 | size_t i; | |
1256 | ||
1257 | VLOG_ERR("PEM_read_X509 failed reading %s: %s", | |
1258 | file_name, ERR_error_string(ERR_get_error(), NULL)); | |
1259 | for (i = 0; i < *n_certs; i++) { | |
1260 | X509_free((*certs)[i]); | |
1261 | } | |
1262 | free(*certs); | |
1263 | *certs = NULL; | |
1264 | *n_certs = 0; | |
0ded15d4 | 1265 | fclose(file); |
9467fe62 BP |
1266 | return EIO; |
1267 | } | |
1268 | ||
1269 | /* Add certificate to array. */ | |
1270 | if (*n_certs >= allocated_certs) { | |
1271 | *certs = x2nrealloc(*certs, &allocated_certs, sizeof **certs); | |
1272 | } | |
1273 | (*certs)[(*n_certs)++] = certificate; | |
1274 | ||
1275 | /* Are there additional certificates in the file? */ | |
1276 | do { | |
1277 | c = getc(file); | |
1278 | } while (isspace(c)); | |
1279 | if (c == EOF) { | |
1280 | break; | |
1281 | } | |
1282 | ungetc(c, file); | |
1283 | } | |
1284 | fclose(file); | |
1285 | return 0; | |
1286 | } | |
1287 | ||
1288 | ||
1289 | /* Sets 'file_name' as the name of a file containing one or more X509 | |
1290 | * certificates to send to the peer. Typical use in OpenFlow is to send the CA | |
1291 | * certificate to the peer, which enables a switch to pick up the controller's | |
1292 | * CA certificate on its first connection. */ | |
1293 | void | |
1294 | stream_ssl_set_peer_ca_cert_file(const char *file_name) | |
1295 | { | |
1296 | X509 **certs; | |
1297 | size_t n_certs; | |
1298 | size_t i; | |
1299 | ||
1300 | if (ssl_init()) { | |
1301 | return; | |
1302 | } | |
1303 | ||
1304 | if (!read_cert_file(file_name, &certs, &n_certs)) { | |
1305 | for (i = 0; i < n_certs; i++) { | |
1306 | if (SSL_CTX_add_extra_chain_cert(ctx, certs[i]) != 1) { | |
1307 | VLOG_ERR("SSL_CTX_add_extra_chain_cert: %s", | |
1308 | ERR_error_string(ERR_get_error(), NULL)); | |
1309 | } | |
1310 | } | |
1311 | free(certs); | |
1312 | } | |
1313 | } | |
1314 | ||
1315 | /* Logs fingerprint of CA certificate 'cert' obtained from 'file_name'. */ | |
1316 | static void | |
1317 | log_ca_cert(const char *file_name, X509 *cert) | |
1318 | { | |
1319 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
1320 | unsigned int n_bytes; | |
1321 | struct ds fp; | |
1322 | char *subject; | |
1323 | ||
1324 | ds_init(&fp); | |
1325 | if (!X509_digest(cert, EVP_sha1(), digest, &n_bytes)) { | |
1326 | ds_put_cstr(&fp, "<out of memory>"); | |
1327 | } else { | |
1328 | unsigned int i; | |
1329 | for (i = 0; i < n_bytes; i++) { | |
1330 | if (i) { | |
1331 | ds_put_char(&fp, ':'); | |
1332 | } | |
34582733 | 1333 | ds_put_format(&fp, "%02x", digest[i]); |
9467fe62 BP |
1334 | } |
1335 | } | |
1336 | subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); | |
1337 | VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, | |
1338 | subject ? subject : "<out of memory>", ds_cstr(&fp)); | |
3c7b5c2d | 1339 | OPENSSL_free(subject); |
9467fe62 BP |
1340 | ds_destroy(&fp); |
1341 | } | |
1342 | ||
415f6c0b | 1343 | static void |
f1484874 BP |
1344 | stream_ssl_set_ca_cert_file__(const char *file_name, |
1345 | bool bootstrap, bool force) | |
9467fe62 | 1346 | { |
9467fe62 BP |
1347 | struct stat s; |
1348 | ||
f1484874 BP |
1349 | if (!update_ssl_config(&ca_cert, file_name) && !force) { |
1350 | return; | |
1351 | } | |
1352 | ||
ba104a1e BP |
1353 | if (!strcmp(file_name, "none")) { |
1354 | verify_peer_cert = false; | |
1355 | VLOG_WARN("Peer certificate validation disabled " | |
1356 | "(this is a security risk)"); | |
1357 | } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { | |
9467fe62 | 1358 | bootstrap_ca_cert = true; |
01960474 L |
1359 | } else { |
1360 | STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(file_name); | |
1361 | if (cert_names) { | |
1362 | /* Set up list of CAs that the server will accept from the | |
1363 | * client. */ | |
1364 | SSL_CTX_set_client_CA_list(ctx, cert_names); | |
1365 | ||
1366 | /* Set up CAs for OpenSSL to trust in verifying the peer's | |
1367 | * certificate. */ | |
1368 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); | |
1369 | if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { | |
1370 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", | |
9467fe62 | 1371 | ERR_error_string(ERR_get_error(), NULL)); |
01960474 | 1372 | return; |
9467fe62 | 1373 | } |
01960474 L |
1374 | bootstrap_ca_cert = false; |
1375 | } else { | |
1376 | VLOG_ERR("failed to load client certificates from %s: %s", | |
1377 | file_name, ERR_error_string(ERR_get_error(), NULL)); | |
9467fe62 | 1378 | } |
9467fe62 | 1379 | } |
415f6c0b | 1380 | ca_cert.read = true; |
9467fe62 | 1381 | } |
415f6c0b BP |
1382 | |
1383 | /* Sets 'file_name' as the name of the file from which to read the CA | |
1384 | * certificate used to verify the peer within SSL connections. If 'bootstrap' | |
1385 | * is false, the file must exist. If 'bootstrap' is false, then the file is | |
1386 | * read if it is exists; if it does not, then it will be created from the CA | |
1387 | * certificate received from the peer on the first SSL connection. */ | |
1388 | void | |
1389 | stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) | |
1390 | { | |
f1484874 | 1391 | stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); |
415f6c0b | 1392 | } |
ff1760f1 BP |
1393 | \f |
1394 | /* SSL protocol logging. */ | |
1395 | ||
1396 | static const char * | |
1397 | ssl_alert_level_to_string(uint8_t type) | |
1398 | { | |
1399 | switch (type) { | |
1400 | case 1: return "warning"; | |
1401 | case 2: return "fatal"; | |
1402 | default: return "<unknown>"; | |
1403 | } | |
1404 | } | |
415f6c0b | 1405 | |
ff1760f1 BP |
1406 | static const char * |
1407 | ssl_alert_description_to_string(uint8_t type) | |
1408 | { | |
1409 | switch (type) { | |
1410 | case 0: return "close_notify"; | |
1411 | case 10: return "unexpected_message"; | |
1412 | case 20: return "bad_record_mac"; | |
1413 | case 21: return "decryption_failed"; | |
1414 | case 22: return "record_overflow"; | |
1415 | case 30: return "decompression_failure"; | |
1416 | case 40: return "handshake_failure"; | |
1417 | case 42: return "bad_certificate"; | |
1418 | case 43: return "unsupported_certificate"; | |
1419 | case 44: return "certificate_revoked"; | |
1420 | case 45: return "certificate_expired"; | |
1421 | case 46: return "certificate_unknown"; | |
1422 | case 47: return "illegal_parameter"; | |
1423 | case 48: return "unknown_ca"; | |
1424 | case 49: return "access_denied"; | |
1425 | case 50: return "decode_error"; | |
1426 | case 51: return "decrypt_error"; | |
1427 | case 60: return "export_restriction"; | |
1428 | case 70: return "protocol_version"; | |
1429 | case 71: return "insufficient_security"; | |
1430 | case 80: return "internal_error"; | |
1431 | case 90: return "user_canceled"; | |
1432 | case 100: return "no_renegotiation"; | |
1433 | default: return "<unknown>"; | |
1434 | } | |
1435 | } | |
415f6c0b | 1436 | |
ff1760f1 BP |
1437 | static const char * |
1438 | ssl_handshake_type_to_string(uint8_t type) | |
1439 | { | |
1440 | switch (type) { | |
1441 | case 0: return "hello_request"; | |
1442 | case 1: return "client_hello"; | |
1443 | case 2: return "server_hello"; | |
1444 | case 11: return "certificate"; | |
1445 | case 12: return "server_key_exchange"; | |
1446 | case 13: return "certificate_request"; | |
1447 | case 14: return "server_hello_done"; | |
1448 | case 15: return "certificate_verify"; | |
1449 | case 16: return "client_key_exchange"; | |
1450 | case 20: return "finished"; | |
1451 | default: return "<unknown>"; | |
1452 | } | |
1453 | } | |
1454 | ||
1455 | static void | |
1456 | ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, | |
1457 | const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) | |
1458 | { | |
1459 | const struct ssl_stream *sslv = sslv_; | |
1460 | const uint8_t *buf = buf_; | |
1461 | struct ds details; | |
1462 | ||
1463 | if (!VLOG_IS_DBG_ENABLED()) { | |
1464 | return; | |
1465 | } | |
1466 | ||
1467 | ds_init(&details); | |
1468 | if (content_type == 20) { | |
1469 | ds_put_cstr(&details, "change_cipher_spec"); | |
1470 | } else if (content_type == 21) { | |
1471 | ds_put_format(&details, "alert: %s, %s", | |
1472 | ssl_alert_level_to_string(buf[0]), | |
1473 | ssl_alert_description_to_string(buf[1])); | |
1474 | } else if (content_type == 22) { | |
1475 | ds_put_format(&details, "handshake: %s", | |
1476 | ssl_handshake_type_to_string(buf[0])); | |
1477 | } else { | |
1478 | ds_put_format(&details, "type %d", content_type); | |
1479 | } | |
1480 | ||
34582733 | 1481 | VLOG_DBG("%s%u%s%s %s (%"PRIuSIZE" bytes)", |
ff1760f1 BP |
1482 | sslv->type == CLIENT ? "client" : "server", |
1483 | sslv->session_nr, write_p ? "-->" : "<--", | |
1484 | stream_get_name(&sslv->stream), ds_cstr(&details), len); | |
1485 | ||
1486 | ds_destroy(&details); | |
1487 | } |