git://git.onelab.eu
/
sliver-openvswitch.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Merge branch "partner", to simplify partner integration.
[sliver-openvswitch.git]
/
lib
/
vconn-ssl.c
diff --git
a/lib/vconn-ssl.c
b/lib/vconn-ssl.c
index
607d9b9
..
2801c0c
100644
(file)
--- a/
lib/vconn-ssl.c
+++ b/
lib/vconn-ssl.c
@@
-31,6
+31,7
@@
* derivatives without specific, written prior permission.
*/
* derivatives without specific, written prior permission.
*/
+#include <config.h>
#include "vconn-ssl.h"
#include "dhparams.h"
#include <assert.h>
#include "vconn-ssl.h"
#include "dhparams.h"
#include <assert.h>
@@
-42,15
+43,15
@@
#include <openssl/ssl.h>
#include <poll.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <poll.h>
#include <unistd.h>
-#include "
buffer
.h"
+#include "
ofpbuf
.h"
#include "socket-util.h"
#include "util.h"
#include "openflow.h"
#include "packets.h"
#include "poll-loop.h"
#include "socket-util.h"
#include "util.h"
#include "openflow.h"
#include "packets.h"
#include "poll-loop.h"
-#include "ofp-print.h"
#include "socket-util.h"
#include "vconn.h"
#include "socket-util.h"
#include "vconn.h"
+#include "vconn-provider.h"
#include "vlog.h"
#define THIS_MODULE VLM_vconn_ssl
#include "vlog.h"
#define THIS_MODULE VLM_vconn_ssl
@@
-75,8
+76,8
@@
struct ssl_vconn
enum session_type type;
int fd;
SSL *ssl;
enum session_type type;
int fd;
SSL *ssl;
- struct
buffer
*rxbuf;
- struct
buffer
*txbuf;
+ struct
ofpbuf
*rxbuf;
+ struct
ofpbuf
*txbuf;
struct poll_waiter *tx_waiter;
/* rx_want and tx_want record the result of the last call to SSL_read()
struct poll_waiter *tx_waiter;
/* rx_want and tx_want record the result of the last call to SSL_read()
@@
-144,6
+145,10
@@
static SSL_CTX *ctx;
/* Required configuration. */
static bool has_private_key, has_certificate, has_ca_cert;
/* Required configuration. */
static bool has_private_key, has_certificate, has_ca_cert;
+/* Who knows what can trigger various SSL errors, so let's throttle them down
+ * quite a bit. */
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25);
+
static int ssl_init(void);
static int do_ssl_init(void);
static bool ssl_wants_io(int ssl_error);
static int ssl_init(void);
static int do_ssl_init(void);
static bool ssl_wants_io(int ssl_error);
@@
-221,9
+226,8
@@
new_ssl_vconn(const char *name, int fd, enum session_type type,
/* Create and return the ssl_vconn. */
sslv = xmalloc(sizeof *sslv);
/* Create and return the ssl_vconn. */
sslv = xmalloc(sizeof *sslv);
- sslv->vconn.class = &ssl_vconn_class;
- sslv->vconn.connect_status = EAGAIN;
- sslv->vconn.ip = sin->sin_addr.s_addr;
+ vconn_init(&sslv->vconn, &ssl_vconn_class, EAGAIN, sin->sin_addr.s_addr,
+ name);
sslv->state = state;
sslv->type = type;
sslv->fd = fd;
sslv->state = state;
sslv->type = type;
sslv->fd = fd;
@@
-246,7
+250,7
@@
error:
static struct ssl_vconn *
ssl_vconn_cast(struct vconn *vconn)
{
static struct ssl_vconn *
ssl_vconn_cast(struct vconn *vconn)
{
-
assert(vconn->class ==
&ssl_vconn_class);
+
vconn_assert_class(vconn,
&ssl_vconn_class);
return CONTAINER_OF(vconn, struct ssl_vconn, vconn);
}
return CONTAINER_OF(vconn, struct ssl_vconn, vconn);
}
@@
-270,7
+274,8
@@
ssl_open(const char *name, char *suffix, struct vconn **vconnp)
host_name = strtok_r(suffix, "::", &save_ptr);
port_string = strtok_r(NULL, "::", &save_ptr);
if (!host_name) {
host_name = strtok_r(suffix, "::", &save_ptr);
port_string = strtok_r(NULL, "::", &save_ptr);
if (!host_name) {
- fatal(0, "%s: bad peer name format", name);
+ ofp_error(0, "%s: bad peer name format", name);
+ return EAFNOSUPPORT;
}
memset(&sin, 0, sizeof sin);
}
memset(&sin, 0, sizeof sin);
@@
-366,11
+371,11
@@
interpret_ssl_error(const char *function, int ret, int error,
switch (error) {
case SSL_ERROR_NONE:
switch (error) {
case SSL_ERROR_NONE:
- VLOG_ERR
(
"%s: unexpected SSL_ERROR_NONE", function);
+ VLOG_ERR
_RL(&rl,
"%s: unexpected SSL_ERROR_NONE", function);
break;
case SSL_ERROR_ZERO_RETURN:
break;
case SSL_ERROR_ZERO_RETURN:
- VLOG_ERR
(
"%s: unexpected SSL_ERROR_ZERO_RETURN", function);
+ VLOG_ERR
_RL(&rl,
"%s: unexpected SSL_ERROR_ZERO_RETURN", function);
break;
case SSL_ERROR_WANT_READ:
break;
case SSL_ERROR_WANT_READ:
@@
-382,15
+387,16
@@
interpret_ssl_error(const char *function, int ret, int error,
return EAGAIN;
case SSL_ERROR_WANT_CONNECT:
return EAGAIN;
case SSL_ERROR_WANT_CONNECT:
- VLOG_ERR
(
"%s: unexpected SSL_ERROR_WANT_CONNECT", function);
+ VLOG_ERR
_RL(&rl,
"%s: unexpected SSL_ERROR_WANT_CONNECT", function);
break;
case SSL_ERROR_WANT_ACCEPT:
break;
case SSL_ERROR_WANT_ACCEPT:
- VLOG_ERR
(
"%s: unexpected SSL_ERROR_WANT_ACCEPT", function);
+ VLOG_ERR
_RL(&rl,
"%s: unexpected SSL_ERROR_WANT_ACCEPT", function);
break;
case SSL_ERROR_WANT_X509_LOOKUP:
break;
case SSL_ERROR_WANT_X509_LOOKUP:
- VLOG_ERR("%s: unexpected SSL_ERROR_WANT_X509_LOOKUP", function);
+ VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP",
+ function);
break;
case SSL_ERROR_SYSCALL: {
break;
case SSL_ERROR_SYSCALL: {
@@
-398,14
+404,17
@@
interpret_ssl_error(const char *function, int ret, int error,
if (queued_error == 0) {
if (ret < 0) {
int status = errno;
if (queued_error == 0) {
if (ret < 0) {
int status = errno;
- VLOG_WARN("%s: system error (%s)", function, strerror(status));
+ VLOG_WARN_RL(&rl, "%s: system error (%s)",
+ function, strerror(status));
return status;
} else {
return status;
} else {
- VLOG_WARN("%s: unexpected SSL connection close", function);
+ VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
+ function);
return EPROTO;
}
} else {
return EPROTO;
}
} else {
- VLOG_DBG("%s: %s", function, ERR_error_string(queued_error, NULL));
+ VLOG_DBG_RL(&rl, "%s: %s",
+ function, ERR_error_string(queued_error, NULL));
break;
}
}
break;
}
}
@@
-413,31
+422,33
@@
interpret_ssl_error(const char *function, int ret, int error,
case SSL_ERROR_SSL: {
int queued_error = ERR_get_error();
if (queued_error != 0) {
case SSL_ERROR_SSL: {
int queued_error = ERR_get_error();
if (queued_error != 0) {
- VLOG_DBG("%s: %s", function, ERR_error_string(queued_error, NULL));
+ VLOG_DBG_RL(&rl, "%s: %s",
+ function, ERR_error_string(queued_error, NULL));
} else {
} else {
- VLOG_ERR("%s: SSL_ERROR_SSL without queued error", function);
+ VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error",
+ function);
}
break;
}
default:
}
break;
}
default:
- VLOG_ERR
(
"%s: bad SSL error code %d", function, error);
+ VLOG_ERR
_RL(&rl,
"%s: bad SSL error code %d", function, error);
break;
}
return EIO;
}
static int
break;
}
return EIO;
}
static int
-ssl_recv(struct vconn *vconn, struct
buffer
**bufferp)
+ssl_recv(struct vconn *vconn, struct
ofpbuf
**bufferp)
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
- struct
buffer
*rx;
+ struct
ofpbuf
*rx;
size_t want_bytes;
int old_state;
ssize_t ret;
if (sslv->rxbuf == NULL) {
size_t want_bytes;
int old_state;
ssize_t ret;
if (sslv->rxbuf == NULL) {
- sslv->rxbuf =
buffer
_new(1564);
+ sslv->rxbuf =
ofpbuf
_new(1564);
}
rx = sslv->rxbuf;
}
rx = sslv->rxbuf;
@@
-448,7
+459,8
@@
again:
struct ofp_header *oh = rx->data;
size_t length = ntohs(oh->length);
if (length < sizeof(struct ofp_header)) {
struct ofp_header *oh = rx->data;
size_t length = ntohs(oh->length);
if (length < sizeof(struct ofp_header)) {
- VLOG_ERR("received too-short ofp_header (%zu bytes)", length);
+ VLOG_ERR_RL(&rl, "received too-short ofp_header (%zu bytes)",
+ length);
return EPROTO;
}
want_bytes = length - rx->size;
return EPROTO;
}
want_bytes = length - rx->size;
@@
-458,13
+470,13
@@
again:
return 0;
}
}
return 0;
}
}
-
buffer
_prealloc_tailroom(rx, want_bytes);
+
ofpbuf
_prealloc_tailroom(rx, want_bytes);
/* Behavior of zero-byte SSL_read is poorly defined. */
assert(want_bytes > 0);
old_state = SSL_get_state(sslv->ssl);
/* Behavior of zero-byte SSL_read is poorly defined. */
assert(want_bytes > 0);
old_state = SSL_get_state(sslv->ssl);
- ret = SSL_read(sslv->ssl,
buffer
_tail(rx), want_bytes);
+ ret = SSL_read(sslv->ssl,
ofpbuf
_tail(rx), want_bytes);
if (old_state != SSL_get_state(sslv->ssl)) {
sslv->tx_want = SSL_NOTHING;
if (sslv->tx_waiter) {
if (old_state != SSL_get_state(sslv->ssl)) {
sslv->tx_want = SSL_NOTHING;
if (sslv->tx_waiter) {
@@
-491,7
+503,7
@@
again:
if (error == SSL_ERROR_ZERO_RETURN) {
/* Connection closed (EOF). */
if (rx->size) {
if (error == SSL_ERROR_ZERO_RETURN) {
/* Connection closed (EOF). */
if (rx->size) {
- VLOG_WARN
(
"SSL_read: unexpected connection close");
+ VLOG_WARN
_RL(&rl,
"SSL_read: unexpected connection close");
return EPROTO;
} else {
return EOF;
return EPROTO;
} else {
return EOF;
@@
-505,7
+517,7
@@
again:
static void
ssl_clear_txbuf(struct ssl_vconn *sslv)
{
static void
ssl_clear_txbuf(struct ssl_vconn *sslv)
{
-
buffer
_delete(sslv->txbuf);
+
ofpbuf
_delete(sslv->txbuf);
sslv->txbuf = NULL;
sslv->tx_waiter = NULL;
}
sslv->txbuf = NULL;
sslv->tx_waiter = NULL;
}
@@
-532,14
+544,14
@@
ssl_do_tx(struct vconn *vconn)
}
sslv->tx_want = SSL_NOTHING;
if (ret > 0) {
}
sslv->tx_want = SSL_NOTHING;
if (ret > 0) {
-
buffer
_pull(sslv->txbuf, ret);
+
ofpbuf
_pull(sslv->txbuf, ret);
if (sslv->txbuf->size == 0) {
return 0;
}
} else {
int ssl_error = SSL_get_error(sslv->ssl, ret);
if (ssl_error == SSL_ERROR_ZERO_RETURN) {
if (sslv->txbuf->size == 0) {
return 0;
}
} else {
int ssl_error = SSL_get_error(sslv->ssl, ret);
if (ssl_error == SSL_ERROR_ZERO_RETURN) {
- VLOG_WARN
(
"SSL_write: connection closed");
+ VLOG_WARN
_RL(&rl,
"SSL_write: connection closed");
return EPIPE;
} else {
return interpret_ssl_error("SSL_write", ret, ssl_error,
return EPIPE;
} else {
return interpret_ssl_error("SSL_write", ret, ssl_error,
@@
-563,7
+575,7
@@
ssl_tx_poll_callback(int fd UNUSED, short int revents UNUSED, void *vconn_)
}
static int
}
static int
-ssl_send(struct vconn *vconn, struct
buffer
*buffer)
+ssl_send(struct vconn *vconn, struct
ofpbuf
*buffer)
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
@@
-639,35
+651,37
@@
ssl_wait(struct vconn *vconn, enum vconn_wait_type wait)
}
struct vconn_class ssl_vconn_class = {
}
struct vconn_class ssl_vconn_class = {
- .name = "ssl",
- .open = ssl_open,
- .close = ssl_close,
- .connect = ssl_connect,
- .recv = ssl_recv,
- .send = ssl_send,
- .wait = ssl_wait,
+ "ssl", /* name */
+ ssl_open, /* open */
+ ssl_close, /* close */
+ ssl_connect, /* connect */
+ ssl_recv, /* recv */
+ ssl_send, /* send */
+ ssl_wait, /* wait */
};
\f
/* Passive SSL. */
};
\f
/* Passive SSL. */
-struct pssl_vconn
+struct pssl_
p
vconn
{
{
- struct
vconn
vconn;
+ struct
pvconn p
vconn;
int fd;
};
int fd;
};
-static struct pssl_vconn *
-pssl_vconn_cast(struct vconn *vconn)
+struct pvconn_class pssl_pvconn_class;
+
+static struct pssl_pvconn *
+pssl_pvconn_cast(struct pvconn *pvconn)
{
{
-
assert(vconn->class == &pssl_
vconn_class);
- return CONTAINER_OF(
vconn, struct pssl_vconn,
vconn);
+
pvconn_assert_class(pvconn, &pssl_p
vconn_class);
+ return CONTAINER_OF(
pvconn, struct pssl_pvconn, p
vconn);
}
static int
}
static int
-pssl_open(const char *name, char *suffix, struct
vconn **
vconnp)
+pssl_open(const char *name, char *suffix, struct
pvconn **p
vconnp)
{
struct sockaddr_in sin;
{
struct sockaddr_in sin;
- struct pssl_vconn *pssl;
+ struct pssl_
p
vconn *pssl;
int retval;
int fd;
unsigned int yes = 1;
int retval;
int fd;
unsigned int yes = 1;
@@
-718,25
+732,24
@@
pssl_open(const char *name, char *suffix, struct vconn **vconnp)
}
pssl = xmalloc(sizeof *pssl);
}
pssl = xmalloc(sizeof *pssl);
- pssl->vconn.class = &pssl_vconn_class;
- pssl->vconn.connect_status = 0;
+ pvconn_init(&pssl->pvconn, &pssl_pvconn_class, name);
pssl->fd = fd;
pssl->fd = fd;
- *
vconnp = &pssl->
vconn;
+ *
pvconnp = &pssl->p
vconn;
return 0;
}
static void
return 0;
}
static void
-pssl_close(struct
vconn *
vconn)
+pssl_close(struct
pvconn *p
vconn)
{
{
- struct pssl_
vconn *pssl = pssl_vconn_cast(
vconn);
+ struct pssl_
pvconn *pssl = pssl_pvconn_cast(p
vconn);
close(pssl->fd);
free(pssl);
}
static int
close(pssl->fd);
free(pssl);
}
static int
-pssl_accept(struct
vconn *
vconn, struct vconn **new_vconnp)
+pssl_accept(struct
pvconn *p
vconn, struct vconn **new_vconnp)
{
{
- struct pssl_
vconn *pssl = pssl_vconn_cast(
vconn);
+ struct pssl_
pvconn *pssl = pssl_pvconn_cast(p
vconn);
struct sockaddr_in sin;
socklen_t sin_len = sizeof sin;
char name[128];
struct sockaddr_in sin;
socklen_t sin_len = sizeof sin;
char name[128];
@@
-747,7
+760,7
@@
pssl_accept(struct vconn *vconn, struct vconn **new_vconnp)
if (new_fd < 0) {
int error = errno;
if (error != EAGAIN) {
if (new_fd < 0) {
int error = errno;
if (error != EAGAIN) {
- VLOG_DBG
(
"accept: %s", strerror(error));
+ VLOG_DBG
_RL(&rl,
"accept: %s", strerror(error));
}
return error;
}
}
return error;
}
@@
-767,19
+780,18
@@
pssl_accept(struct vconn *vconn, struct vconn **new_vconnp)
}
static void
}
static void
-pssl_wait(struct
vconn *vconn, enum vconn_wait_type wait
)
+pssl_wait(struct
pvconn *pvconn
)
{
{
- struct pssl_vconn *pssl = pssl_vconn_cast(vconn);
- assert(wait == WAIT_ACCEPT);
+ struct pssl_pvconn *pssl = pssl_pvconn_cast(pvconn);
poll_fd_wait(pssl->fd, POLLIN);
}
poll_fd_wait(pssl->fd, POLLIN);
}
-struct
vconn_class pssl_
vconn_class = {
-
.name =
"pssl",
-
.open =
pssl_open,
-
.close =
pssl_close,
-
.accept =
pssl_accept,
-
.wait =
pssl_wait,
+struct
pvconn_class pssl_p
vconn_class = {
+ "pssl",
+ pssl_open,
+ pssl_close,
+ pssl_accept,
+ pssl_wait,
};
\f
/*
};
\f
/*
@@
-856,17
+868,25
@@
tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
if (!dh->dh) {
dh->dh = dh->constructor();
if (!dh->dh) {
if (!dh->dh) {
dh->dh = dh->constructor();
if (!dh->dh) {
- fatal(ENOMEM, "out of memory constructing "
- "Diffie-Hellman parameters");
+
ofp_
fatal(ENOMEM, "out of memory constructing "
+
"Diffie-Hellman parameters");
}
}
return dh->dh;
}
}
}
}
return dh->dh;
}
}
- VLOG_ERR("no Diffie-Hellman parameters for key length %d", keylength);
+ VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d",
+ keylength);
return NULL;
}
return NULL;
}
+/* Returns true if SSL is at least partially configured. */
+bool
+vconn_ssl_is_configured(void)
+{
+ return has_private_key || has_certificate || has_ca_cert;
+}
+
void
vconn_ssl_set_private_key_file(const char *file_name)
{
void
vconn_ssl_set_private_key_file(const char *file_name)
{