]>
Commit | Line | Data |
---|---|---|
9467fe62 | 1 | /* |
e731d71b | 2 | * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. |
9467fe62 BP |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at: | |
7 | * | |
8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
9 | * | |
10 | * Unless required by applicable law or agreed to in writing, software | |
11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
13 | * See the License for the specific language governing permissions and | |
14 | * limitations under the License. | |
15 | */ | |
16 | ||
17 | #include <config.h> | |
18 | #include "stream-ssl.h" | |
19 | #include "dhparams.h" | |
9467fe62 BP |
20 | #include <ctype.h> |
21 | #include <errno.h> | |
22 | #include <inttypes.h> | |
23 | #include <string.h> | |
bd6b7545 GC |
24 | #include <sys/types.h> |
25 | #include <sys/socket.h> | |
9467fe62 BP |
26 | #include <netinet/tcp.h> |
27 | #include <openssl/err.h> | |
47ebcf25 | 28 | #include <openssl/rand.h> |
9467fe62 BP |
29 | #include <openssl/ssl.h> |
30 | #include <openssl/x509v3.h> | |
31 | #include <poll.h> | |
5ea1366b | 32 | #include <fcntl.h> |
9467fe62 BP |
33 | #include <sys/stat.h> |
34 | #include <unistd.h> | |
f2f7be86 | 35 | #include "coverage.h" |
9467fe62 | 36 | #include "dynamic-string.h" |
47ebcf25 | 37 | #include "entropy.h" |
9467fe62 BP |
38 | #include "ofpbuf.h" |
39 | #include "openflow/openflow.h" | |
40 | #include "packets.h" | |
41 | #include "poll-loop.h" | |
f2f7be86 | 42 | #include "shash.h" |
9467fe62 | 43 | #include "socket-util.h" |
9467fe62 BP |
44 | #include "util.h" |
45 | #include "stream-provider.h" | |
46 | #include "stream.h" | |
415f6c0b | 47 | #include "timeval.h" |
9467fe62 | 48 | #include "vlog.h" |
5136ce49 | 49 | |
5ea1366b GS |
50 | #ifdef _WIN32 |
51 | /* Ref: https://www.openssl.org/support/faq.html#PROG2 | |
52 | * Your application must link against the same version of the Win32 C-Runtime | |
53 | * against which your openssl libraries were linked. The default version for | |
54 | * OpenSSL is /MD - "Multithreaded DLL". If we compile Open vSwitch with | |
55 | * something other than /MD, instead of re-compiling OpenSSL | |
56 | * toolkit, openssl/applink.c can be #included. Also, it is important | |
57 | * to add CRYPTO_malloc_init prior first call to OpenSSL. | |
58 | * | |
59 | * XXX: The behavior of the following #include when Open vSwitch is | |
60 | * compiled with /MD is not tested. */ | |
61 | #include <openssl/applink.c> | |
62 | #define SHUT_RDWR SD_BOTH | |
5ea1366b GS |
63 | #endif |
64 | ||
d98e6007 | 65 | VLOG_DEFINE_THIS_MODULE(stream_ssl); |
9467fe62 BP |
66 | |
67 | /* Active SSL. */ | |
68 | ||
69 | enum ssl_state { | |
70 | STATE_TCP_CONNECTING, | |
71 | STATE_SSL_CONNECTING | |
72 | }; | |
73 | ||
74 | enum session_type { | |
75 | CLIENT, | |
76 | SERVER | |
77 | }; | |
78 | ||
79 | struct ssl_stream | |
80 | { | |
81 | struct stream stream; | |
82 | enum ssl_state state; | |
9467fe62 BP |
83 | enum session_type type; |
84 | int fd; | |
5ea1366b | 85 | HANDLE wevent; |
9467fe62 BP |
86 | SSL *ssl; |
87 | struct ofpbuf *txbuf; | |
ff1760f1 | 88 | unsigned int session_nr; |
9467fe62 BP |
89 | |
90 | /* rx_want and tx_want record the result of the last call to SSL_read() | |
91 | * and SSL_write(), respectively: | |
92 | * | |
93 | * - If the call reported that data needed to be read from the file | |
94 | * descriptor, the corresponding member is set to SSL_READING. | |
95 | * | |
96 | * - If the call reported that data needed to be written to the file | |
97 | * descriptor, the corresponding member is set to SSL_WRITING. | |
98 | * | |
99 | * - Otherwise, the member is set to SSL_NOTHING, indicating that the | |
100 | * call completed successfully (or with an error) and that there is no | |
101 | * need to block. | |
102 | * | |
103 | * These are needed because there is no way to ask OpenSSL what a data read | |
104 | * or write would require without giving it a buffer to receive into or | |
105 | * data to send, respectively. (Note that the SSL_want() status is | |
106 | * overwritten by each SSL_read() or SSL_write() call, so we can't rely on | |
107 | * its value.) | |
108 | * | |
109 | * A single call to SSL_read() or SSL_write() can perform both reading | |
110 | * and writing and thus invalidate not one of these values but actually | |
111 | * both. Consider this situation, for example: | |
112 | * | |
113 | * - SSL_write() blocks on a read, so tx_want gets SSL_READING. | |
114 | * | |
115 | * - SSL_read() laters succeeds reading from 'fd' and clears out the | |
116 | * whole receive buffer, so rx_want gets SSL_READING. | |
117 | * | |
118 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
119 | * and blocks. | |
120 | * | |
121 | * - Now we're stuck blocking until the peer sends us data, even though | |
122 | * SSL_write() could now succeed, which could easily be a deadlock | |
123 | * condition. | |
124 | * | |
125 | * On the other hand, we can't reset both tx_want and rx_want on every call | |
126 | * to SSL_read() or SSL_write(), because that would produce livelock, | |
127 | * e.g. in this situation: | |
128 | * | |
129 | * - SSL_write() blocks, so tx_want gets SSL_READING or SSL_WRITING. | |
130 | * | |
131 | * - SSL_read() blocks, so rx_want gets SSL_READING or SSL_WRITING, | |
132 | * but tx_want gets reset to SSL_NOTHING. | |
133 | * | |
134 | * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) | |
135 | * and blocks. | |
136 | * | |
137 | * - Client wakes up immediately since SSL_NOTHING in tx_want indicates | |
138 | * that no blocking is necessary. | |
139 | * | |
140 | * The solution we adopt here is to set tx_want to SSL_NOTHING after | |
141 | * calling SSL_read() only if the SSL state of the connection changed, | |
142 | * which indicates that an SSL-level renegotiation made some progress, and | |
143 | * similarly for rx_want and SSL_write(). This prevents both the | |
144 | * deadlock and livelock situations above. | |
145 | */ | |
146 | int rx_want, tx_want; | |
1e3c0047 | 147 | |
ff1760f1 | 148 | /* A few bytes of header data in case SSL negotiation fails. */ |
1e3c0047 BP |
149 | uint8_t head[2]; |
150 | short int n_head; | |
9467fe62 BP |
151 | }; |
152 | ||
153 | /* SSL context created by ssl_init(). */ | |
154 | static SSL_CTX *ctx; | |
155 | ||
415f6c0b BP |
156 | struct ssl_config_file { |
157 | bool read; /* Whether the file was successfully read. */ | |
158 | char *file_name; /* Configured file name, if any. */ | |
9cb07887 | 159 | struct timespec mtime; /* File mtime as of last time we read it. */ |
415f6c0b BP |
160 | }; |
161 | ||
162 | /* SSL configuration files. */ | |
163 | static struct ssl_config_file private_key; | |
164 | static struct ssl_config_file certificate; | |
165 | static struct ssl_config_file ca_cert; | |
9467fe62 | 166 | |
ba104a1e BP |
167 | /* Ordinarily, the SSL client and server verify each other's certificates using |
168 | * a CA certificate. Setting this to false disables this behavior. (This is a | |
169 | * security risk.) */ | |
170 | static bool verify_peer_cert = true; | |
171 | ||
9467fe62 | 172 | /* Ordinarily, we require a CA certificate for the peer to be locally |
415f6c0b BP |
173 | * available. We can, however, bootstrap the CA certificate from the peer at |
174 | * the beginning of our first connection then use that certificate on all | |
175 | * subsequent connections, saving it to a file for use in future runs also. In | |
176 | * this case, 'bootstrap_ca_cert' is true. */ | |
9467fe62 | 177 | static bool bootstrap_ca_cert; |
9467fe62 | 178 | |
ff1760f1 BP |
179 | /* Session number. Used in debug logging messages to uniquely identify a |
180 | * session. */ | |
181 | static unsigned int next_session_nr; | |
182 | ||
9467fe62 BP |
183 | /* Who knows what can trigger various SSL errors, so let's throttle them down |
184 | * quite a bit. */ | |
185 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25); | |
186 | ||
187 | static int ssl_init(void); | |
188 | static int do_ssl_init(void); | |
189 | static bool ssl_wants_io(int ssl_error); | |
190 | static void ssl_close(struct stream *); | |
191 | static void ssl_clear_txbuf(struct ssl_stream *); | |
246f5b5e | 192 | static void interpret_queued_ssl_error(const char *function); |
9467fe62 BP |
193 | static int interpret_ssl_error(const char *function, int ret, int error, |
194 | int *want); | |
67a4917b | 195 | static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); |
9467fe62 | 196 | static void log_ca_cert(const char *file_name, X509 *cert); |
415f6c0b | 197 | static void stream_ssl_set_ca_cert_file__(const char *file_name, |
f1484874 | 198 | bool bootstrap, bool force); |
ff1760f1 BP |
199 | static void ssl_protocol_cb(int write_p, int version, int content_type, |
200 | const void *, size_t, SSL *, void *sslv_); | |
f1484874 | 201 | static bool update_ssl_config(struct ssl_config_file *, const char *file_name); |
5ea1366b GS |
202 | static int sock_errno(void); |
203 | static void clear_handle(int fd, HANDLE wevent); | |
9467fe62 BP |
204 | |
205 | static short int | |
206 | want_to_poll_events(int want) | |
207 | { | |
208 | switch (want) { | |
209 | case SSL_NOTHING: | |
428b2edd | 210 | OVS_NOT_REACHED(); |
9467fe62 BP |
211 | |
212 | case SSL_READING: | |
213 | return POLLIN; | |
214 | ||
215 | case SSL_WRITING: | |
216 | return POLLOUT; | |
217 | ||
218 | default: | |
428b2edd | 219 | OVS_NOT_REACHED(); |
9467fe62 BP |
220 | } |
221 | } | |
222 | ||
223 | static int | |
224 | new_ssl_stream(const char *name, int fd, enum session_type type, | |
a8d81967 | 225 | enum ssl_state state, struct stream **streamp) |
9467fe62 | 226 | { |
e731d71b | 227 | struct sockaddr_storage local; |
9467fe62 BP |
228 | socklen_t local_len = sizeof local; |
229 | struct ssl_stream *sslv; | |
230 | SSL *ssl = NULL; | |
231 | int on = 1; | |
232 | int retval; | |
233 | ||
234 | /* Check for all the needful configuration. */ | |
235 | retval = 0; | |
415f6c0b | 236 | if (!private_key.read) { |
9467fe62 BP |
237 | VLOG_ERR("Private key must be configured to use SSL"); |
238 | retval = ENOPROTOOPT; | |
239 | } | |
415f6c0b | 240 | if (!certificate.read) { |
9467fe62 BP |
241 | VLOG_ERR("Certificate must be configured to use SSL"); |
242 | retval = ENOPROTOOPT; | |
243 | } | |
ba104a1e | 244 | if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { |
9467fe62 BP |
245 | VLOG_ERR("CA certificate must be configured to use SSL"); |
246 | retval = ENOPROTOOPT; | |
247 | } | |
b6d729ad | 248 | if (!retval && !SSL_CTX_check_private_key(ctx)) { |
9467fe62 BP |
249 | VLOG_ERR("Private key does not match certificate public key: %s", |
250 | ERR_error_string(ERR_get_error(), NULL)); | |
251 | retval = ENOPROTOOPT; | |
252 | } | |
253 | if (retval) { | |
254 | goto error; | |
255 | } | |
256 | ||
257 | /* Get the local IP and port information */ | |
258 | retval = getsockname(fd, (struct sockaddr *) &local, &local_len); | |
259 | if (retval) { | |
260 | memset(&local, 0, sizeof local); | |
261 | } | |
262 | ||
263 | /* Disable Nagle. */ | |
264 | retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on); | |
265 | if (retval) { | |
5ea1366b GS |
266 | retval = sock_errno(); |
267 | VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, | |
268 | sock_strerror(retval)); | |
9467fe62 BP |
269 | goto error; |
270 | } | |
271 | ||
272 | /* Create and configure OpenSSL stream. */ | |
273 | ssl = SSL_new(ctx); | |
274 | if (ssl == NULL) { | |
275 | VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
276 | retval = ENOPROTOOPT; | |
277 | goto error; | |
278 | } | |
279 | if (SSL_set_fd(ssl, fd) == 0) { | |
280 | VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL)); | |
281 | retval = ENOPROTOOPT; | |
282 | goto error; | |
283 | } | |
ba104a1e | 284 | if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { |
9467fe62 BP |
285 | SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); |
286 | } | |
287 | ||
288 | /* Create and return the ssl_stream. */ | |
289 | sslv = xmalloc(sizeof *sslv); | |
290 | stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); | |
9467fe62 BP |
291 | sslv->state = state; |
292 | sslv->type = type; | |
293 | sslv->fd = fd; | |
5ea1366b GS |
294 | #ifdef _WIN32 |
295 | sslv->wevent = CreateEvent(NULL, FALSE, FALSE, NULL); | |
296 | #endif | |
9467fe62 BP |
297 | sslv->ssl = ssl; |
298 | sslv->txbuf = NULL; | |
299 | sslv->rx_want = sslv->tx_want = SSL_NOTHING; | |
ff1760f1 | 300 | sslv->session_nr = next_session_nr++; |
1e3c0047 | 301 | sslv->n_head = 0; |
ff1760f1 BP |
302 | |
303 | if (VLOG_IS_DBG_ENABLED()) { | |
304 | SSL_set_msg_callback(ssl, ssl_protocol_cb); | |
305 | SSL_set_msg_callback_arg(ssl, sslv); | |
306 | } | |
307 | ||
9467fe62 BP |
308 | *streamp = &sslv->stream; |
309 | return 0; | |
310 | ||
311 | error: | |
312 | if (ssl) { | |
313 | SSL_free(ssl); | |
314 | } | |
5ea1366b | 315 | closesocket(fd); |
9467fe62 BP |
316 | return retval; |
317 | } | |
318 | ||
319 | static struct ssl_stream * | |
320 | ssl_stream_cast(struct stream *stream) | |
321 | { | |
322 | stream_assert_class(stream, &ssl_stream_class); | |
323 | return CONTAINER_OF(stream, struct ssl_stream, stream); | |
324 | } | |
325 | ||
326 | static int | |
f125905c | 327 | ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) |
9467fe62 | 328 | { |
9467fe62 BP |
329 | int error, fd; |
330 | ||
331 | error = ssl_init(); | |
332 | if (error) { | |
333 | return error; | |
334 | } | |
335 | ||
a8d81967 | 336 | error = inet_open_active(SOCK_STREAM, suffix, OFP_OLD_PORT, NULL, &fd, |
f125905c | 337 | dscp); |
9467fe62 BP |
338 | if (fd >= 0) { |
339 | int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; | |
a8d81967 | 340 | return new_ssl_stream(name, fd, CLIENT, state, streamp); |
9467fe62 | 341 | } else { |
10a89ef0 | 342 | VLOG_ERR("%s: connect: %s", name, ovs_strerror(error)); |
9467fe62 BP |
343 | return error; |
344 | } | |
345 | } | |
346 | ||
347 | static int | |
348 | do_ca_cert_bootstrap(struct stream *stream) | |
349 | { | |
350 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
351 | STACK_OF(X509) *chain; | |
415f6c0b | 352 | X509 *cert; |
9467fe62 BP |
353 | FILE *file; |
354 | int error; | |
355 | int fd; | |
356 | ||
357 | chain = SSL_get_peer_cert_chain(sslv->ssl); | |
358 | if (!chain || !sk_X509_num(chain)) { | |
359 | VLOG_ERR("could not bootstrap CA cert: no certificate presented by " | |
360 | "peer"); | |
361 | return EPROTO; | |
362 | } | |
415f6c0b | 363 | cert = sk_X509_value(chain, sk_X509_num(chain) - 1); |
9467fe62 | 364 | |
415f6c0b | 365 | /* Check that 'cert' is self-signed. Otherwise it is not a CA |
9467fe62 | 366 | * certificate and we should not attempt to use it as one. */ |
415f6c0b | 367 | error = X509_check_issued(cert, cert); |
9467fe62 BP |
368 | if (error) { |
369 | VLOG_ERR("could not bootstrap CA cert: obtained certificate is " | |
370 | "not self-signed (%s)", | |
371 | X509_verify_cert_error_string(error)); | |
372 | if (sk_X509_num(chain) < 2) { | |
373 | VLOG_ERR("only one certificate was received, so probably the peer " | |
374 | "is not configured to send its CA certificate"); | |
375 | } | |
376 | return EPROTO; | |
377 | } | |
378 | ||
415f6c0b | 379 | fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); |
9467fe62 | 380 | if (fd < 0) { |
deb1f433 | 381 | if (errno == EEXIST) { |
f1484874 BP |
382 | VLOG_INFO_RL(&rl, "reading CA cert %s created by another process", |
383 | ca_cert.file_name); | |
384 | stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true); | |
deb1f433 BP |
385 | return EPROTO; |
386 | } else { | |
387 | VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", | |
10a89ef0 | 388 | ca_cert.file_name, ovs_strerror(errno)); |
deb1f433 BP |
389 | return errno; |
390 | } | |
9467fe62 BP |
391 | } |
392 | ||
393 | file = fdopen(fd, "w"); | |
394 | if (!file) { | |
2a022368 | 395 | error = errno; |
9467fe62 | 396 | VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s", |
10a89ef0 | 397 | ovs_strerror(error)); |
415f6c0b | 398 | unlink(ca_cert.file_name); |
9467fe62 BP |
399 | return error; |
400 | } | |
401 | ||
415f6c0b | 402 | if (!PEM_write_X509(file, cert)) { |
9467fe62 | 403 | VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: " |
415f6c0b BP |
404 | "%s", ca_cert.file_name, |
405 | ERR_error_string(ERR_get_error(), NULL)); | |
9467fe62 | 406 | fclose(file); |
415f6c0b | 407 | unlink(ca_cert.file_name); |
9467fe62 BP |
408 | return EIO; |
409 | } | |
410 | ||
411 | if (fclose(file)) { | |
2a022368 | 412 | error = errno; |
9467fe62 | 413 | VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s", |
10a89ef0 | 414 | ca_cert.file_name, ovs_strerror(error)); |
415f6c0b | 415 | unlink(ca_cert.file_name); |
9467fe62 BP |
416 | return error; |
417 | } | |
418 | ||
415f6c0b BP |
419 | VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name); |
420 | log_ca_cert(ca_cert.file_name, cert); | |
9467fe62 | 421 | bootstrap_ca_cert = false; |
415f6c0b | 422 | ca_cert.read = true; |
9467fe62 | 423 | |
415f6c0b BP |
424 | /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */ |
425 | SSL_CTX_add_client_CA(ctx, cert); | |
9467fe62 BP |
426 | |
427 | /* SSL_CTX_use_certificate() takes ownership of the certificate passed in. | |
415f6c0b BP |
428 | * 'cert' is owned by sslv->ssl, so we need to duplicate it. */ |
429 | cert = X509_dup(cert); | |
430 | if (!cert) { | |
9467fe62 BP |
431 | out_of_memory(); |
432 | } | |
e6a8ca62 | 433 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); |
415f6c0b | 434 | if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { |
9467fe62 BP |
435 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", |
436 | ERR_error_string(ERR_get_error(), NULL)); | |
437 | return EPROTO; | |
438 | } | |
439 | VLOG_INFO("killing successful connection to retry using CA cert"); | |
440 | return EPROTO; | |
441 | } | |
442 | ||
443 | static int | |
444 | ssl_connect(struct stream *stream) | |
445 | { | |
446 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
447 | int retval; | |
448 | ||
449 | switch (sslv->state) { | |
450 | case STATE_TCP_CONNECTING: | |
451 | retval = check_connection_completion(sslv->fd); | |
452 | if (retval) { | |
453 | return retval; | |
454 | } | |
455 | sslv->state = STATE_SSL_CONNECTING; | |
456 | /* Fall through. */ | |
457 | ||
458 | case STATE_SSL_CONNECTING: | |
1e3c0047 | 459 | /* Capture the first few bytes of received data so that we can guess |
ec9f40dc | 460 | * what kind of funny data we've been sent if SSL negotiation fails. */ |
1e3c0047 BP |
461 | if (sslv->n_head <= 0) { |
462 | sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, | |
463 | MSG_PEEK); | |
464 | } | |
465 | ||
9467fe62 BP |
466 | retval = (sslv->type == CLIENT |
467 | ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); | |
468 | if (retval != 1) { | |
469 | int error = SSL_get_error(sslv->ssl, retval); | |
470 | if (retval < 0 && ssl_wants_io(error)) { | |
471 | return EAGAIN; | |
472 | } else { | |
473 | int unused; | |
f2f7be86 | 474 | |
9467fe62 BP |
475 | interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" |
476 | : "SSL_accept"), retval, error, &unused); | |
477 | shutdown(sslv->fd, SHUT_RDWR); | |
1e3c0047 BP |
478 | stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, |
479 | THIS_MODULE, stream_get_name(stream)); | |
9467fe62 BP |
480 | return EPROTO; |
481 | } | |
482 | } else if (bootstrap_ca_cert) { | |
483 | return do_ca_cert_bootstrap(stream); | |
ba104a1e BP |
484 | } else if (verify_peer_cert |
485 | && ((SSL_get_verify_mode(sslv->ssl) | |
486 | & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) | |
487 | != SSL_VERIFY_PEER)) { | |
9467fe62 BP |
488 | /* Two or more SSL connections completed at the same time while we |
489 | * were in bootstrap mode. Only one of these can finish the | |
490 | * bootstrap successfully. The other one(s) must be rejected | |
491 | * because they were not verified against the bootstrapped CA | |
492 | * certificate. (Alternatively we could verify them against the CA | |
493 | * certificate, but that's more trouble than it's worth. These | |
494 | * connections will succeed the next time they retry, assuming that | |
495 | * they have a certificate against the correct CA.) */ | |
1ee62357 | 496 | VLOG_INFO("rejecting SSL connection during bootstrap race window"); |
9467fe62 BP |
497 | return EPROTO; |
498 | } else { | |
499 | return 0; | |
500 | } | |
501 | } | |
502 | ||
428b2edd | 503 | OVS_NOT_REACHED(); |
9467fe62 BP |
504 | } |
505 | ||
506 | static void | |
507 | ssl_close(struct stream *stream) | |
508 | { | |
509 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
510 | ssl_clear_txbuf(sslv); | |
5e4641a1 BP |
511 | |
512 | /* Attempt clean shutdown of the SSL connection. This will work most of | |
513 | * the time, as long as the kernel send buffer has some free space and the | |
514 | * SSL connection isn't renegotiating, etc. That has to be good enough, | |
515 | * since we don't have any way to continue the close operation in the | |
516 | * background. */ | |
517 | SSL_shutdown(sslv->ssl); | |
518 | ||
3d47699c BP |
519 | /* SSL_shutdown() might have signaled an error, in which case we need to |
520 | * flush it out of the OpenSSL error queue or the next OpenSSL operation | |
521 | * will falsely signal an error. */ | |
522 | ERR_clear_error(); | |
523 | ||
9467fe62 | 524 | SSL_free(sslv->ssl); |
5ea1366b GS |
525 | clear_handle(sslv->fd, sslv->wevent); |
526 | closesocket(sslv->fd); | |
9467fe62 BP |
527 | free(sslv); |
528 | } | |
529 | ||
246f5b5e BP |
530 | static void |
531 | interpret_queued_ssl_error(const char *function) | |
532 | { | |
533 | int queued_error = ERR_get_error(); | |
534 | if (queued_error != 0) { | |
535 | VLOG_WARN_RL(&rl, "%s: %s", | |
536 | function, ERR_error_string(queued_error, NULL)); | |
537 | } else { | |
538 | VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", function); | |
539 | } | |
540 | } | |
541 | ||
9467fe62 BP |
542 | static int |
543 | interpret_ssl_error(const char *function, int ret, int error, | |
544 | int *want) | |
545 | { | |
546 | *want = SSL_NOTHING; | |
547 | ||
548 | switch (error) { | |
549 | case SSL_ERROR_NONE: | |
550 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function); | |
551 | break; | |
552 | ||
553 | case SSL_ERROR_ZERO_RETURN: | |
554 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function); | |
555 | break; | |
556 | ||
557 | case SSL_ERROR_WANT_READ: | |
558 | *want = SSL_READING; | |
559 | return EAGAIN; | |
560 | ||
561 | case SSL_ERROR_WANT_WRITE: | |
562 | *want = SSL_WRITING; | |
563 | return EAGAIN; | |
564 | ||
565 | case SSL_ERROR_WANT_CONNECT: | |
566 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function); | |
567 | break; | |
568 | ||
569 | case SSL_ERROR_WANT_ACCEPT: | |
570 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function); | |
571 | break; | |
572 | ||
573 | case SSL_ERROR_WANT_X509_LOOKUP: | |
574 | VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP", | |
575 | function); | |
576 | break; | |
577 | ||
578 | case SSL_ERROR_SYSCALL: { | |
579 | int queued_error = ERR_get_error(); | |
580 | if (queued_error == 0) { | |
581 | if (ret < 0) { | |
582 | int status = errno; | |
583 | VLOG_WARN_RL(&rl, "%s: system error (%s)", | |
10a89ef0 | 584 | function, ovs_strerror(status)); |
9467fe62 BP |
585 | return status; |
586 | } else { | |
587 | VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", | |
588 | function); | |
589 | return EPROTO; | |
590 | } | |
591 | } else { | |
592 | VLOG_WARN_RL(&rl, "%s: %s", | |
593 | function, ERR_error_string(queued_error, NULL)); | |
594 | break; | |
595 | } | |
596 | } | |
597 | ||
246f5b5e BP |
598 | case SSL_ERROR_SSL: |
599 | interpret_queued_ssl_error(function); | |
9467fe62 | 600 | break; |
9467fe62 BP |
601 | |
602 | default: | |
603 | VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error); | |
604 | break; | |
605 | } | |
606 | return EIO; | |
607 | } | |
608 | ||
609 | static ssize_t | |
610 | ssl_recv(struct stream *stream, void *buffer, size_t n) | |
611 | { | |
612 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
613 | int old_state; | |
614 | ssize_t ret; | |
615 | ||
616 | /* Behavior of zero-byte SSL_read is poorly defined. */ | |
cb22974d | 617 | ovs_assert(n > 0); |
9467fe62 BP |
618 | |
619 | old_state = SSL_get_state(sslv->ssl); | |
620 | ret = SSL_read(sslv->ssl, buffer, n); | |
621 | if (old_state != SSL_get_state(sslv->ssl)) { | |
622 | sslv->tx_want = SSL_NOTHING; | |
623 | } | |
624 | sslv->rx_want = SSL_NOTHING; | |
625 | ||
626 | if (ret > 0) { | |
627 | return ret; | |
628 | } else { | |
629 | int error = SSL_get_error(sslv->ssl, ret); | |
630 | if (error == SSL_ERROR_ZERO_RETURN) { | |
631 | return 0; | |
632 | } else { | |
2b494771 BP |
633 | return -interpret_ssl_error("SSL_read", ret, error, |
634 | &sslv->rx_want); | |
9467fe62 BP |
635 | } |
636 | } | |
637 | } | |
638 | ||
639 | static void | |
640 | ssl_clear_txbuf(struct ssl_stream *sslv) | |
641 | { | |
642 | ofpbuf_delete(sslv->txbuf); | |
643 | sslv->txbuf = NULL; | |
644 | } | |
645 | ||
646 | static int | |
647 | ssl_do_tx(struct stream *stream) | |
648 | { | |
649 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
650 | ||
651 | for (;;) { | |
652 | int old_state = SSL_get_state(sslv->ssl); | |
1f317cb5 PS |
653 | int ret = SSL_write(sslv->ssl, |
654 | ofpbuf_data(sslv->txbuf), ofpbuf_size(sslv->txbuf)); | |
9467fe62 BP |
655 | if (old_state != SSL_get_state(sslv->ssl)) { |
656 | sslv->rx_want = SSL_NOTHING; | |
657 | } | |
658 | sslv->tx_want = SSL_NOTHING; | |
659 | if (ret > 0) { | |
660 | ofpbuf_pull(sslv->txbuf, ret); | |
1f317cb5 | 661 | if (ofpbuf_size(sslv->txbuf) == 0) { |
9467fe62 BP |
662 | return 0; |
663 | } | |
664 | } else { | |
665 | int ssl_error = SSL_get_error(sslv->ssl, ret); | |
666 | if (ssl_error == SSL_ERROR_ZERO_RETURN) { | |
667 | VLOG_WARN_RL(&rl, "SSL_write: connection closed"); | |
668 | return EPIPE; | |
669 | } else { | |
670 | return interpret_ssl_error("SSL_write", ret, ssl_error, | |
671 | &sslv->tx_want); | |
672 | } | |
673 | } | |
674 | } | |
675 | } | |
676 | ||
677 | static ssize_t | |
678 | ssl_send(struct stream *stream, const void *buffer, size_t n) | |
679 | { | |
680 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
681 | ||
682 | if (sslv->txbuf) { | |
2b494771 | 683 | return -EAGAIN; |
9467fe62 BP |
684 | } else { |
685 | int error; | |
686 | ||
687 | sslv->txbuf = ofpbuf_clone_data(buffer, n); | |
688 | error = ssl_do_tx(stream); | |
689 | switch (error) { | |
690 | case 0: | |
691 | ssl_clear_txbuf(sslv); | |
2b494771 | 692 | return n; |
9467fe62 | 693 | case EAGAIN: |
2b494771 | 694 | return n; |
9467fe62 BP |
695 | default: |
696 | sslv->txbuf = NULL; | |
2b494771 | 697 | return -error; |
9467fe62 BP |
698 | } |
699 | } | |
700 | } | |
701 | ||
702 | static void | |
703 | ssl_run(struct stream *stream) | |
704 | { | |
705 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
706 | ||
707 | if (sslv->txbuf && ssl_do_tx(stream) != EAGAIN) { | |
708 | ssl_clear_txbuf(sslv); | |
709 | } | |
710 | } | |
711 | ||
712 | static void | |
713 | ssl_run_wait(struct stream *stream) | |
714 | { | |
715 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
716 | ||
717 | if (sslv->tx_want != SSL_NOTHING) { | |
5ea1366b GS |
718 | poll_fd_wait_event(sslv->fd, sslv->wevent, |
719 | want_to_poll_events(sslv->tx_want)); | |
9467fe62 BP |
720 | } |
721 | } | |
722 | ||
723 | static void | |
724 | ssl_wait(struct stream *stream, enum stream_wait_type wait) | |
725 | { | |
726 | struct ssl_stream *sslv = ssl_stream_cast(stream); | |
727 | ||
728 | switch (wait) { | |
729 | case STREAM_CONNECT: | |
730 | if (stream_connect(stream) != EAGAIN) { | |
731 | poll_immediate_wake(); | |
732 | } else { | |
733 | switch (sslv->state) { | |
734 | case STATE_TCP_CONNECTING: | |
5ea1366b | 735 | poll_fd_wait_event(sslv->fd, sslv->wevent, POLLOUT); |
9467fe62 BP |
736 | break; |
737 | ||
738 | case STATE_SSL_CONNECTING: | |
739 | /* ssl_connect() called SSL_accept() or SSL_connect(), which | |
740 | * set up the status that we test here. */ | |
5ea1366b GS |
741 | poll_fd_wait_event(sslv->fd, sslv->wevent, |
742 | want_to_poll_events(SSL_want(sslv->ssl))); | |
9467fe62 BP |
743 | break; |
744 | ||
745 | default: | |
428b2edd | 746 | OVS_NOT_REACHED(); |
9467fe62 BP |
747 | } |
748 | } | |
749 | break; | |
750 | ||
751 | case STREAM_RECV: | |
752 | if (sslv->rx_want != SSL_NOTHING) { | |
5ea1366b GS |
753 | poll_fd_wait_event(sslv->fd, sslv->wevent, |
754 | want_to_poll_events(sslv->rx_want)); | |
9467fe62 BP |
755 | } else { |
756 | poll_immediate_wake(); | |
757 | } | |
758 | break; | |
759 | ||
760 | case STREAM_SEND: | |
761 | if (!sslv->txbuf) { | |
762 | /* We have room in our tx queue. */ | |
763 | poll_immediate_wake(); | |
764 | } else { | |
765 | /* stream_run_wait() will do the right thing; don't bother with | |
766 | * redundancy. */ | |
767 | } | |
768 | break; | |
769 | ||
770 | default: | |
428b2edd | 771 | OVS_NOT_REACHED(); |
9467fe62 BP |
772 | } |
773 | } | |
774 | ||
da327b18 | 775 | const struct stream_class ssl_stream_class = { |
9467fe62 | 776 | "ssl", /* name */ |
f1936eb6 | 777 | true, /* needs_probes */ |
9467fe62 BP |
778 | ssl_open, /* open */ |
779 | ssl_close, /* close */ | |
780 | ssl_connect, /* connect */ | |
781 | ssl_recv, /* recv */ | |
782 | ssl_send, /* send */ | |
783 | ssl_run, /* run */ | |
784 | ssl_run_wait, /* run_wait */ | |
785 | ssl_wait, /* wait */ | |
786 | }; | |
787 | \f | |
788 | /* Passive SSL. */ | |
789 | ||
790 | struct pssl_pstream | |
791 | { | |
792 | struct pstream pstream; | |
793 | int fd; | |
5ea1366b | 794 | HANDLE wevent; |
9467fe62 BP |
795 | }; |
796 | ||
da327b18 | 797 | const struct pstream_class pssl_pstream_class; |
9467fe62 BP |
798 | |
799 | static struct pssl_pstream * | |
800 | pssl_pstream_cast(struct pstream *pstream) | |
801 | { | |
802 | pstream_assert_class(pstream, &pssl_pstream_class); | |
803 | return CONTAINER_OF(pstream, struct pssl_pstream, pstream); | |
804 | } | |
805 | ||
806 | static int | |
f125905c MM |
807 | pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, |
808 | uint8_t dscp) | |
9467fe62 | 809 | { |
e731d71b AS |
810 | char bound_name[SS_NTOP_BUFSIZE + 16]; |
811 | char addrbuf[SS_NTOP_BUFSIZE]; | |
812 | struct sockaddr_storage ss; | |
9467fe62 | 813 | struct pssl_pstream *pssl; |
e731d71b | 814 | uint16_t port; |
9467fe62 BP |
815 | int retval; |
816 | int fd; | |
817 | ||
818 | retval = ssl_init(); | |
819 | if (retval) { | |
820 | return retval; | |
821 | } | |
822 | ||
e731d71b | 823 | fd = inet_open_passive(SOCK_STREAM, suffix, OFP_OLD_PORT, &ss, dscp); |
9467fe62 BP |
824 | if (fd < 0) { |
825 | return -fd; | |
826 | } | |
e731d71b AS |
827 | |
828 | port = ss_get_port(&ss); | |
829 | snprintf(bound_name, sizeof bound_name, "ptcp:%"PRIu16":%s", | |
830 | port, ss_format_address(&ss, addrbuf, sizeof addrbuf)); | |
9467fe62 BP |
831 | |
832 | pssl = xmalloc(sizeof *pssl); | |
42967038 | 833 | pstream_init(&pssl->pstream, &pssl_pstream_class, bound_name); |
e731d71b | 834 | pstream_set_bound_port(&pssl->pstream, htons(port)); |
9467fe62 | 835 | pssl->fd = fd; |
5ea1366b GS |
836 | #ifdef _WIN32 |
837 | pssl->wevent = CreateEvent(NULL, FALSE, FALSE, NULL); | |
838 | #endif | |
9467fe62 BP |
839 | *pstreamp = &pssl->pstream; |
840 | return 0; | |
841 | } | |
842 | ||
843 | static void | |
844 | pssl_close(struct pstream *pstream) | |
845 | { | |
846 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
5ea1366b GS |
847 | clear_handle(pssl->fd, pssl->wevent); |
848 | closesocket(pssl->fd); | |
9467fe62 BP |
849 | free(pssl); |
850 | } | |
851 | ||
852 | static int | |
853 | pssl_accept(struct pstream *pstream, struct stream **new_streamp) | |
854 | { | |
855 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
e731d71b AS |
856 | char name[SS_NTOP_BUFSIZE + 16]; |
857 | char addrbuf[SS_NTOP_BUFSIZE]; | |
858 | struct sockaddr_storage ss; | |
859 | socklen_t ss_len = sizeof ss; | |
9467fe62 BP |
860 | int new_fd; |
861 | int error; | |
862 | ||
e731d71b | 863 | new_fd = accept(pssl->fd, (struct sockaddr *) &ss, &ss_len); |
9467fe62 | 864 | if (new_fd < 0) { |
5ea1366b GS |
865 | error = sock_errno(); |
866 | #ifdef _WIN32 | |
867 | if (error == WSAEWOULDBLOCK) { | |
868 | error = EAGAIN; | |
869 | } | |
870 | #endif | |
9467fe62 | 871 | if (error != EAGAIN) { |
5ea1366b | 872 | VLOG_DBG_RL(&rl, "accept: %s", sock_strerror(error)); |
9467fe62 BP |
873 | } |
874 | return error; | |
875 | } | |
876 | ||
877 | error = set_nonblocking(new_fd); | |
878 | if (error) { | |
5ea1366b | 879 | closesocket(new_fd); |
9467fe62 BP |
880 | return error; |
881 | } | |
882 | ||
e731d71b AS |
883 | snprintf(name, sizeof name, "tcp:%s:%"PRIu16, |
884 | ss_format_address(&ss, addrbuf, sizeof addrbuf), | |
885 | ss_get_port(&ss)); | |
a8d81967 | 886 | return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, |
f125905c | 887 | new_streamp); |
9467fe62 BP |
888 | } |
889 | ||
890 | static void | |
891 | pssl_wait(struct pstream *pstream) | |
892 | { | |
893 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
5ea1366b | 894 | poll_fd_wait_event(pssl->fd, pssl->wevent, POLLIN); |
9467fe62 BP |
895 | } |
896 | ||
f89b7ce5 IY |
897 | static int |
898 | pssl_set_dscp(struct pstream *pstream, uint8_t dscp) | |
899 | { | |
900 | struct pssl_pstream *pssl = pssl_pstream_cast(pstream); | |
901 | return set_dscp(pssl->fd, dscp); | |
902 | } | |
903 | ||
da327b18 | 904 | const struct pstream_class pssl_pstream_class = { |
9467fe62 | 905 | "pssl", |
f1936eb6 | 906 | true, |
9467fe62 BP |
907 | pssl_open, |
908 | pssl_close, | |
909 | pssl_accept, | |
910 | pssl_wait, | |
f89b7ce5 | 911 | pssl_set_dscp, |
9467fe62 BP |
912 | }; |
913 | \f | |
914 | /* | |
915 | * Returns true if OpenSSL error is WANT_READ or WANT_WRITE, indicating that | |
916 | * OpenSSL is requesting that we call it back when the socket is ready for read | |
917 | * or writing, respectively. | |
918 | */ | |
919 | static bool | |
920 | ssl_wants_io(int ssl_error) | |
921 | { | |
922 | return (ssl_error == SSL_ERROR_WANT_WRITE | |
923 | || ssl_error == SSL_ERROR_WANT_READ); | |
924 | } | |
925 | ||
926 | static int | |
927 | ssl_init(void) | |
928 | { | |
929 | static int init_status = -1; | |
930 | if (init_status < 0) { | |
931 | init_status = do_ssl_init(); | |
cb22974d | 932 | ovs_assert(init_status >= 0); |
9467fe62 BP |
933 | } |
934 | return init_status; | |
935 | } | |
936 | ||
937 | static int | |
938 | do_ssl_init(void) | |
939 | { | |
940 | SSL_METHOD *method; | |
941 | ||
5ea1366b GS |
942 | #ifdef _WIN32 |
943 | /* The following call is needed if we "#include <openssl/applink.c>". */ | |
944 | CRYPTO_malloc_init(); | |
945 | #endif | |
9467fe62 BP |
946 | SSL_library_init(); |
947 | SSL_load_error_strings(); | |
948 | ||
47ebcf25 BP |
949 | if (!RAND_status()) { |
950 | /* We occasionally see OpenSSL fail to seed its random number generator | |
951 | * in heavily loaded hypervisors. I suspect the following scenario: | |
952 | * | |
953 | * 1. OpenSSL calls read() to get 32 bytes from /dev/urandom. | |
954 | * 2. The kernel generates 10 bytes of randomness and copies it out. | |
955 | * 3. A signal arrives (perhaps SIGALRM). | |
956 | * 4. The kernel interrupts the system call to service the signal. | |
957 | * 5. Userspace gets 10 bytes of entropy. | |
958 | * 6. OpenSSL doesn't read again to get the final 22 bytes. Therefore | |
959 | * OpenSSL doesn't have enough entropy to consider itself | |
960 | * initialized. | |
961 | * | |
962 | * The only part I'm not entirely sure about is #6, because the OpenSSL | |
963 | * code is so hard to read. */ | |
964 | uint8_t seed[32]; | |
965 | int retval; | |
966 | ||
967 | VLOG_WARN("OpenSSL random seeding failed, reseeding ourselves"); | |
968 | ||
969 | retval = get_entropy(seed, sizeof seed); | |
970 | if (retval) { | |
971 | VLOG_ERR("failed to obtain entropy (%s)", | |
972 | ovs_retval_to_string(retval)); | |
973 | return retval > 0 ? retval : ENOPROTOOPT; | |
974 | } | |
975 | ||
976 | RAND_seed(seed, sizeof seed); | |
977 | } | |
978 | ||
444b381e BP |
979 | /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the |
980 | * cast is needed to avoid a warning with those newer versions. */ | |
ebc56baa | 981 | method = CONST_CAST(SSL_METHOD *, TLSv1_method()); |
9467fe62 BP |
982 | if (method == NULL) { |
983 | VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); | |
984 | return ENOPROTOOPT; | |
985 | } | |
986 | ||
987 | ctx = SSL_CTX_new(method); | |
988 | if (ctx == NULL) { | |
989 | VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)); | |
990 | return ENOPROTOOPT; | |
991 | } | |
992 | SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | |
993 | SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback); | |
994 | SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); | |
995 | SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
996 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, | |
997 | NULL); | |
998 | ||
999 | return 0; | |
1000 | } | |
1001 | ||
1002 | static DH * | |
67a4917b | 1003 | tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) |
9467fe62 BP |
1004 | { |
1005 | struct dh { | |
1006 | int keylength; | |
1007 | DH *dh; | |
1008 | DH *(*constructor)(void); | |
1009 | }; | |
1010 | ||
1011 | static struct dh dh_table[] = { | |
1012 | {1024, NULL, get_dh1024}, | |
1013 | {2048, NULL, get_dh2048}, | |
1014 | {4096, NULL, get_dh4096}, | |
1015 | }; | |
1016 | ||
1017 | struct dh *dh; | |
1018 | ||
1019 | for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) { | |
1020 | if (dh->keylength == keylength) { | |
1021 | if (!dh->dh) { | |
1022 | dh->dh = dh->constructor(); | |
1023 | if (!dh->dh) { | |
1d2c568d | 1024 | out_of_memory(); |
9467fe62 BP |
1025 | } |
1026 | } | |
1027 | return dh->dh; | |
1028 | } | |
1029 | } | |
1030 | VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d", | |
1031 | keylength); | |
1032 | return NULL; | |
1033 | } | |
1034 | ||
1035 | /* Returns true if SSL is at least partially configured. */ | |
1036 | bool | |
d295e8e9 | 1037 | stream_ssl_is_configured(void) |
9467fe62 | 1038 | { |
415f6c0b BP |
1039 | return private_key.file_name || certificate.file_name || ca_cert.file_name; |
1040 | } | |
1041 | ||
1042 | static bool | |
1043 | update_ssl_config(struct ssl_config_file *config, const char *file_name) | |
1044 | { | |
9cb07887 | 1045 | struct timespec mtime; |
e68f6dea | 1046 | int error; |
9cb07887 BP |
1047 | |
1048 | if (ssl_init() || !file_name) { | |
1049 | return false; | |
1050 | } | |
1051 | ||
1052 | /* If the file name hasn't changed and neither has the file contents, stop | |
1053 | * here. */ | |
e68f6dea BP |
1054 | error = get_mtime(file_name, &mtime); |
1055 | if (error && error != ENOENT) { | |
10a89ef0 BP |
1056 | VLOG_ERR_RL(&rl, "%s: stat failed (%s)", |
1057 | file_name, ovs_strerror(error)); | |
e68f6dea | 1058 | } |
9cb07887 BP |
1059 | if (config->file_name |
1060 | && !strcmp(config->file_name, file_name) | |
1061 | && mtime.tv_sec == config->mtime.tv_sec | |
1062 | && mtime.tv_nsec == config->mtime.tv_nsec) { | |
415f6c0b BP |
1063 | return false; |
1064 | } | |
1065 | ||
2b1a27a1 | 1066 | /* Update 'config'. */ |
9cb07887 | 1067 | config->mtime = mtime; |
2b1a27a1 BP |
1068 | if (file_name != config->file_name) { |
1069 | free(config->file_name); | |
1070 | config->file_name = xstrdup(file_name); | |
1071 | } | |
415f6c0b | 1072 | return true; |
9467fe62 BP |
1073 | } |
1074 | ||
6f1e91b1 BP |
1075 | static void |
1076 | stream_ssl_set_private_key_file__(const char *file_name) | |
1077 | { | |
1078 | if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { | |
1079 | private_key.read = true; | |
1080 | } else { | |
1081 | VLOG_ERR("SSL_use_PrivateKey_file: %s", | |
1082 | ERR_error_string(ERR_get_error(), NULL)); | |
1083 | } | |
1084 | } | |
1085 | ||
9467fe62 BP |
1086 | void |
1087 | stream_ssl_set_private_key_file(const char *file_name) | |
1088 | { | |
6f1e91b1 BP |
1089 | if (update_ssl_config(&private_key, file_name)) { |
1090 | stream_ssl_set_private_key_file__(file_name); | |
9467fe62 | 1091 | } |
6f1e91b1 BP |
1092 | } |
1093 | ||
1094 | static void | |
1095 | stream_ssl_set_certificate_file__(const char *file_name) | |
1096 | { | |
1097 | if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) { | |
1098 | certificate.read = true; | |
1099 | } else { | |
1100 | VLOG_ERR("SSL_use_certificate_file: %s", | |
9467fe62 | 1101 | ERR_error_string(ERR_get_error(), NULL)); |
9467fe62 | 1102 | } |
9467fe62 BP |
1103 | } |
1104 | ||
1105 | void | |
1106 | stream_ssl_set_certificate_file(const char *file_name) | |
1107 | { | |
6f1e91b1 BP |
1108 | if (update_ssl_config(&certificate, file_name)) { |
1109 | stream_ssl_set_certificate_file__(file_name); | |
9467fe62 | 1110 | } |
6f1e91b1 BP |
1111 | } |
1112 | ||
1113 | /* Sets the private key and certificate files in one operation. Use this | |
1114 | * interface, instead of calling stream_ssl_set_private_key_file() and | |
1115 | * stream_ssl_set_certificate_file() individually, in the main loop of a | |
1116 | * long-running program whose key and certificate might change at runtime. | |
1117 | * | |
1118 | * This is important because of OpenSSL's behavior. If an OpenSSL context | |
1119 | * already has a certificate, and stream_ssl_set_private_key_file() is called | |
1120 | * to install a new private key, OpenSSL will report an error because the new | |
1121 | * private key does not match the old certificate. The other order, of setting | |
1122 | * a new certificate, then setting a new private key, does work. | |
1123 | * | |
1124 | * If this were the only problem, calling stream_ssl_set_certificate_file() | |
1125 | * before stream_ssl_set_private_key_file() would fix it. But, if the private | |
1126 | * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new | |
1127 | * private key in place before the certificate), then OpenSSL would reject that | |
1128 | * change, and then the change of certificate would succeed, but there would be | |
1129 | * no associated private key (because it had only changed once and therefore | |
1130 | * there was no point in re-reading it). | |
1131 | * | |
1132 | * This function avoids both problems by, whenever either the certificate or | |
1133 | * the private key file changes, re-reading both of them, in the correct order. | |
1134 | */ | |
1135 | void | |
1136 | stream_ssl_set_key_and_cert(const char *private_key_file, | |
1137 | const char *certificate_file) | |
1138 | { | |
1139 | if (update_ssl_config(&private_key, private_key_file) | |
1140 | || update_ssl_config(&certificate, certificate_file)) { | |
1141 | stream_ssl_set_certificate_file__(certificate_file); | |
1142 | stream_ssl_set_private_key_file__(private_key_file); | |
9467fe62 | 1143 | } |
9467fe62 BP |
1144 | } |
1145 | ||
1146 | /* Reads the X509 certificate or certificates in file 'file_name'. On success, | |
1147 | * stores the address of the first element in an array of pointers to | |
1148 | * certificates in '*certs' and the number of certificates in the array in | |
1149 | * '*n_certs', and returns 0. On failure, stores a null pointer in '*certs', 0 | |
1150 | * in '*n_certs', and returns a positive errno value. | |
1151 | * | |
1152 | * The caller is responsible for freeing '*certs'. */ | |
1153 | static int | |
1154 | read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) | |
1155 | { | |
1156 | FILE *file; | |
1157 | size_t allocated_certs = 0; | |
1158 | ||
1159 | *certs = NULL; | |
1160 | *n_certs = 0; | |
1161 | ||
1162 | file = fopen(file_name, "r"); | |
1163 | if (!file) { | |
1164 | VLOG_ERR("failed to open %s for reading: %s", | |
10a89ef0 | 1165 | file_name, ovs_strerror(errno)); |
9467fe62 BP |
1166 | return errno; |
1167 | } | |
1168 | ||
1169 | for (;;) { | |
1170 | X509 *certificate; | |
1171 | int c; | |
1172 | ||
1173 | /* Read certificate from file. */ | |
1174 | certificate = PEM_read_X509(file, NULL, NULL, NULL); | |
1175 | if (!certificate) { | |
1176 | size_t i; | |
1177 | ||
1178 | VLOG_ERR("PEM_read_X509 failed reading %s: %s", | |
1179 | file_name, ERR_error_string(ERR_get_error(), NULL)); | |
1180 | for (i = 0; i < *n_certs; i++) { | |
1181 | X509_free((*certs)[i]); | |
1182 | } | |
1183 | free(*certs); | |
1184 | *certs = NULL; | |
1185 | *n_certs = 0; | |
1186 | return EIO; | |
1187 | } | |
1188 | ||
1189 | /* Add certificate to array. */ | |
1190 | if (*n_certs >= allocated_certs) { | |
1191 | *certs = x2nrealloc(*certs, &allocated_certs, sizeof **certs); | |
1192 | } | |
1193 | (*certs)[(*n_certs)++] = certificate; | |
1194 | ||
1195 | /* Are there additional certificates in the file? */ | |
1196 | do { | |
1197 | c = getc(file); | |
1198 | } while (isspace(c)); | |
1199 | if (c == EOF) { | |
1200 | break; | |
1201 | } | |
1202 | ungetc(c, file); | |
1203 | } | |
1204 | fclose(file); | |
1205 | return 0; | |
1206 | } | |
1207 | ||
1208 | ||
1209 | /* Sets 'file_name' as the name of a file containing one or more X509 | |
1210 | * certificates to send to the peer. Typical use in OpenFlow is to send the CA | |
1211 | * certificate to the peer, which enables a switch to pick up the controller's | |
1212 | * CA certificate on its first connection. */ | |
1213 | void | |
1214 | stream_ssl_set_peer_ca_cert_file(const char *file_name) | |
1215 | { | |
1216 | X509 **certs; | |
1217 | size_t n_certs; | |
1218 | size_t i; | |
1219 | ||
1220 | if (ssl_init()) { | |
1221 | return; | |
1222 | } | |
1223 | ||
1224 | if (!read_cert_file(file_name, &certs, &n_certs)) { | |
1225 | for (i = 0; i < n_certs; i++) { | |
1226 | if (SSL_CTX_add_extra_chain_cert(ctx, certs[i]) != 1) { | |
1227 | VLOG_ERR("SSL_CTX_add_extra_chain_cert: %s", | |
1228 | ERR_error_string(ERR_get_error(), NULL)); | |
1229 | } | |
1230 | } | |
1231 | free(certs); | |
1232 | } | |
1233 | } | |
1234 | ||
1235 | /* Logs fingerprint of CA certificate 'cert' obtained from 'file_name'. */ | |
1236 | static void | |
1237 | log_ca_cert(const char *file_name, X509 *cert) | |
1238 | { | |
1239 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
1240 | unsigned int n_bytes; | |
1241 | struct ds fp; | |
1242 | char *subject; | |
1243 | ||
1244 | ds_init(&fp); | |
1245 | if (!X509_digest(cert, EVP_sha1(), digest, &n_bytes)) { | |
1246 | ds_put_cstr(&fp, "<out of memory>"); | |
1247 | } else { | |
1248 | unsigned int i; | |
1249 | for (i = 0; i < n_bytes; i++) { | |
1250 | if (i) { | |
1251 | ds_put_char(&fp, ':'); | |
1252 | } | |
34582733 | 1253 | ds_put_format(&fp, "%02x", digest[i]); |
9467fe62 BP |
1254 | } |
1255 | } | |
1256 | subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); | |
1257 | VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, | |
1258 | subject ? subject : "<out of memory>", ds_cstr(&fp)); | |
3c7b5c2d | 1259 | OPENSSL_free(subject); |
9467fe62 BP |
1260 | ds_destroy(&fp); |
1261 | } | |
1262 | ||
415f6c0b | 1263 | static void |
f1484874 BP |
1264 | stream_ssl_set_ca_cert_file__(const char *file_name, |
1265 | bool bootstrap, bool force) | |
9467fe62 BP |
1266 | { |
1267 | X509 **certs; | |
1268 | size_t n_certs; | |
1269 | struct stat s; | |
1270 | ||
f1484874 BP |
1271 | if (!update_ssl_config(&ca_cert, file_name) && !force) { |
1272 | return; | |
1273 | } | |
1274 | ||
ba104a1e BP |
1275 | if (!strcmp(file_name, "none")) { |
1276 | verify_peer_cert = false; | |
1277 | VLOG_WARN("Peer certificate validation disabled " | |
1278 | "(this is a security risk)"); | |
1279 | } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { | |
9467fe62 | 1280 | bootstrap_ca_cert = true; |
9467fe62 BP |
1281 | } else if (!read_cert_file(file_name, &certs, &n_certs)) { |
1282 | size_t i; | |
1283 | ||
1284 | /* Set up list of CAs that the server will accept from the client. */ | |
1285 | for (i = 0; i < n_certs; i++) { | |
1286 | /* SSL_CTX_add_client_CA makes a copy of the relevant data. */ | |
1287 | if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) { | |
34582733 | 1288 | VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s", |
9467fe62 BP |
1289 | i, file_name, |
1290 | ERR_error_string(ERR_get_error(), NULL)); | |
1291 | } else { | |
1292 | log_ca_cert(file_name, certs[i]); | |
1293 | } | |
1294 | X509_free(certs[i]); | |
1295 | } | |
f6b60e02 | 1296 | free(certs); |
9467fe62 BP |
1297 | |
1298 | /* Set up CAs for OpenSSL to trust in verifying the peer's | |
1299 | * certificate. */ | |
e6a8ca62 | 1300 | SSL_CTX_set_cert_store(ctx, X509_STORE_new()); |
9467fe62 BP |
1301 | if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { |
1302 | VLOG_ERR("SSL_CTX_load_verify_locations: %s", | |
1303 | ERR_error_string(ERR_get_error(), NULL)); | |
1304 | return; | |
1305 | } | |
1306 | ||
415f6c0b | 1307 | bootstrap_ca_cert = false; |
9467fe62 | 1308 | } |
415f6c0b | 1309 | ca_cert.read = true; |
9467fe62 | 1310 | } |
415f6c0b BP |
1311 | |
1312 | /* Sets 'file_name' as the name of the file from which to read the CA | |
1313 | * certificate used to verify the peer within SSL connections. If 'bootstrap' | |
1314 | * is false, the file must exist. If 'bootstrap' is false, then the file is | |
1315 | * read if it is exists; if it does not, then it will be created from the CA | |
1316 | * certificate received from the peer on the first SSL connection. */ | |
1317 | void | |
1318 | stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) | |
1319 | { | |
f1484874 | 1320 | stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); |
415f6c0b | 1321 | } |
ff1760f1 BP |
1322 | \f |
1323 | /* SSL protocol logging. */ | |
1324 | ||
1325 | static const char * | |
1326 | ssl_alert_level_to_string(uint8_t type) | |
1327 | { | |
1328 | switch (type) { | |
1329 | case 1: return "warning"; | |
1330 | case 2: return "fatal"; | |
1331 | default: return "<unknown>"; | |
1332 | } | |
1333 | } | |
415f6c0b | 1334 | |
ff1760f1 BP |
1335 | static const char * |
1336 | ssl_alert_description_to_string(uint8_t type) | |
1337 | { | |
1338 | switch (type) { | |
1339 | case 0: return "close_notify"; | |
1340 | case 10: return "unexpected_message"; | |
1341 | case 20: return "bad_record_mac"; | |
1342 | case 21: return "decryption_failed"; | |
1343 | case 22: return "record_overflow"; | |
1344 | case 30: return "decompression_failure"; | |
1345 | case 40: return "handshake_failure"; | |
1346 | case 42: return "bad_certificate"; | |
1347 | case 43: return "unsupported_certificate"; | |
1348 | case 44: return "certificate_revoked"; | |
1349 | case 45: return "certificate_expired"; | |
1350 | case 46: return "certificate_unknown"; | |
1351 | case 47: return "illegal_parameter"; | |
1352 | case 48: return "unknown_ca"; | |
1353 | case 49: return "access_denied"; | |
1354 | case 50: return "decode_error"; | |
1355 | case 51: return "decrypt_error"; | |
1356 | case 60: return "export_restriction"; | |
1357 | case 70: return "protocol_version"; | |
1358 | case 71: return "insufficient_security"; | |
1359 | case 80: return "internal_error"; | |
1360 | case 90: return "user_canceled"; | |
1361 | case 100: return "no_renegotiation"; | |
1362 | default: return "<unknown>"; | |
1363 | } | |
1364 | } | |
415f6c0b | 1365 | |
ff1760f1 BP |
1366 | static const char * |
1367 | ssl_handshake_type_to_string(uint8_t type) | |
1368 | { | |
1369 | switch (type) { | |
1370 | case 0: return "hello_request"; | |
1371 | case 1: return "client_hello"; | |
1372 | case 2: return "server_hello"; | |
1373 | case 11: return "certificate"; | |
1374 | case 12: return "server_key_exchange"; | |
1375 | case 13: return "certificate_request"; | |
1376 | case 14: return "server_hello_done"; | |
1377 | case 15: return "certificate_verify"; | |
1378 | case 16: return "client_key_exchange"; | |
1379 | case 20: return "finished"; | |
1380 | default: return "<unknown>"; | |
1381 | } | |
1382 | } | |
1383 | ||
1384 | static void | |
1385 | ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, | |
1386 | const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) | |
1387 | { | |
1388 | const struct ssl_stream *sslv = sslv_; | |
1389 | const uint8_t *buf = buf_; | |
1390 | struct ds details; | |
1391 | ||
1392 | if (!VLOG_IS_DBG_ENABLED()) { | |
1393 | return; | |
1394 | } | |
1395 | ||
1396 | ds_init(&details); | |
1397 | if (content_type == 20) { | |
1398 | ds_put_cstr(&details, "change_cipher_spec"); | |
1399 | } else if (content_type == 21) { | |
1400 | ds_put_format(&details, "alert: %s, %s", | |
1401 | ssl_alert_level_to_string(buf[0]), | |
1402 | ssl_alert_description_to_string(buf[1])); | |
1403 | } else if (content_type == 22) { | |
1404 | ds_put_format(&details, "handshake: %s", | |
1405 | ssl_handshake_type_to_string(buf[0])); | |
1406 | } else { | |
1407 | ds_put_format(&details, "type %d", content_type); | |
1408 | } | |
1409 | ||
34582733 | 1410 | VLOG_DBG("%s%u%s%s %s (%"PRIuSIZE" bytes)", |
ff1760f1 BP |
1411 | sslv->type == CLIENT ? "client" : "server", |
1412 | sslv->session_nr, write_p ? "-->" : "<--", | |
1413 | stream_get_name(&sslv->stream), ds_cstr(&details), len); | |
1414 | ||
1415 | ds_destroy(&details); | |
1416 | } | |
5ea1366b | 1417 | |
5ea1366b GS |
1418 | static void |
1419 | clear_handle(int fd OVS_UNUSED, HANDLE wevent OVS_UNUSED) | |
1420 | { | |
1421 | #ifdef _WIN32 | |
1422 | if (fd) { | |
1423 | WSAEventSelect(fd, NULL, 0); | |
1424 | } | |
1425 | if (wevent) { | |
1426 | CloseHandle(wevent); | |
1427 | } | |
1428 | #endif | |
1429 | } |