X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=70b15f0da9418907c63f884f79ae5d8bf87454aa;hb=refs%2Fheads%2Flts-1.0a;hp=215934d160f27c83bfd822ab2066f7a8ffdb2c2f;hpb=9cb0788702e6187eafccabba0758095ced04552c;p=sliver-openvswitch.git diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 215934d16..70b15f0da 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -30,21 +30,22 @@ #include #include #include +#include "coverage.h" #include "dynamic-string.h" #include "leak-checker.h" #include "ofpbuf.h" #include "openflow/openflow.h" #include "packets.h" #include "poll-loop.h" -#include "socket-util.h" +#include "shash.h" #include "socket-util.h" #include "util.h" #include "stream-provider.h" #include "stream.h" #include "timeval.h" - #include "vlog.h" -#define THIS_MODULE VLM_stream_ssl + +VLOG_DEFINE_THIS_MODULE(stream_ssl) /* Active SSL. */ @@ -62,11 +63,11 @@ struct ssl_stream { struct stream stream; enum ssl_state state; - int connect_error; enum session_type type; int fd; SSL *ssl; struct ofpbuf *txbuf; + unsigned int session_nr; /* rx_want and tx_want record the result of the last call to SSL_read() * and SSL_write(), respectively: @@ -125,11 +126,29 @@ struct ssl_stream * deadlock and livelock situations above. */ int rx_want, tx_want; + + /* A few bytes of header data in case SSL negotiation fails. */ + uint8_t head[2]; + short int n_head; }; /* SSL context created by ssl_init(). */ static SSL_CTX *ctx; +/* Maps from stream target (e.g. "127.0.0.1:1234") to SSL_SESSION *. The + * sessions are those from the last SSL connection to the given target. + * OpenSSL caches server-side sessions internally, so this cache is only used + * for client connections. + * + * The stream_ssl module owns a reference to each of the sessions in this + * table, so they must be freed with SSL_SESSION_free() when they are no + * longer needed. */ +static struct shash client_sessions = SHASH_INITIALIZER(&client_sessions); + +/* Maximum number of client sessions to cache. Ordinarily I'd expect that one + * session would be sufficient but this should cover it. */ +#define MAX_CLIENT_SESSION_CACHE 16 + struct ssl_config_file { bool read; /* Whether the file was successfully read. */ char *file_name; /* Configured file name, if any. */ @@ -141,6 +160,11 @@ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; +/* Ordinarily, the SSL client and server verify each other's certificates using + * a CA certificate. Setting this to false disables this behavior. (This is a + * security risk.) */ +static bool verify_peer_cert = true; + /* Ordinarily, we require a CA certificate for the peer to be locally * available. We can, however, bootstrap the CA certificate from the peer at * the beginning of our first connection then use that certificate on all @@ -148,6 +172,10 @@ static struct ssl_config_file ca_cert; * this case, 'bootstrap_ca_cert' is true. */ static bool bootstrap_ca_cert; +/* Session number. Used in debug logging messages to uniquely identify a + * session. */ +static unsigned int next_session_nr; + /* Who knows what can trigger various SSL errors, so let's throttle them down * quite a bit. */ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25); @@ -163,6 +191,8 @@ static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); static void log_ca_cert(const char *file_name, X509 *cert); static void stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap); +static void ssl_protocol_cb(int write_p, int version, int content_type, + const void *, size_t, SSL *, void *sslv_); static short int want_to_poll_events(int want) @@ -204,7 +234,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!ca_cert.read && !bootstrap_ca_cert) { + if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } @@ -243,7 +273,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, retval = ENOPROTOOPT; goto error; } - if (bootstrap_ca_cert && type == CLIENT) { + if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } @@ -260,6 +290,14 @@ new_ssl_stream(const char *name, int fd, enum session_type type, sslv->ssl = ssl; sslv->txbuf = NULL; sslv->rx_want = sslv->tx_want = SSL_NOTHING; + sslv->session_nr = next_session_nr++; + sslv->n_head = 0; + + if (VLOG_IS_DBG_ENABLED()) { + SSL_set_msg_callback(ssl, ssl_protocol_cb); + SSL_set_msg_callback_arg(ssl, sslv); + } + *streamp = &sslv->stream; return 0; @@ -334,10 +372,9 @@ do_ca_cert_bootstrap(struct stream *stream) fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); if (fd < 0) { if (errno == EEXIST) { - VLOG_INFO("CA cert %s created by another process", + VLOG_INFO("reading CA cert %s created by another process", ca_cert.file_name); - /* We'll read it the next time around the main loop because - * update_ssl_config() will see that it now exists. */ + stream_ssl_set_ca_cert_file(ca_cert.file_name, true); return EPROTO; } else { VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", @@ -395,6 +432,70 @@ do_ca_cert_bootstrap(struct stream *stream) return EPROTO; } +static void +ssl_delete_session(struct shash_node *node) +{ + SSL_SESSION *session = node->data; + SSL_SESSION_free(session); + shash_delete(&client_sessions, node); +} + +/* Find and free any previously cached session for 'stream''s target. */ +static void +ssl_flush_session(struct stream *stream) +{ + struct shash_node *node; + + node = shash_find(&client_sessions, stream_get_name(stream)); + if (node) { + ssl_delete_session(node); + } +} + +/* Add 'stream''s session to the cache for its target, so that it will be + * reused for future SSL connections to the same target. */ +static void +ssl_cache_session(struct stream *stream) +{ + struct ssl_stream *sslv = ssl_stream_cast(stream); + SSL_SESSION *session; + + /* Statistics. */ + COVERAGE_INC(ssl_session); + if (SSL_session_reused(sslv->ssl)) { + COVERAGE_INC(ssl_session_reused); + } + + /* Get session from stream. */ + session = SSL_get1_session(sslv->ssl); + if (session) { + SSL_SESSION *old_session; + + old_session = shash_replace(&client_sessions, stream_get_name(stream), + session); + if (old_session) { + /* Free the session that we replaced. (We might actually have + * session == old_session, but either way we have to free it to + * avoid leaking a reference.) */ + SSL_SESSION_free(old_session); + } else if (shash_count(&client_sessions) > MAX_CLIENT_SESSION_CACHE) { + for (;;) { + struct shash_node *node = shash_random_node(&client_sessions); + if (node->data != session) { + ssl_delete_session(node); + break; + } + } + } + } else { + /* There is no new session. This doesn't really make sense because + * this function is only called upon successful connection and there + * should always be a new session in that case. But I don't trust + * OpenSSL so I'd rather handle this case anyway. */ + ssl_flush_session(stream); + } +} + static int ssl_connect(struct stream *stream) { @@ -411,6 +512,22 @@ ssl_connect(struct stream *stream) /* Fall through. */ case STATE_SSL_CONNECTING: + /* Capture the first few bytes of received data so that we can guess + * what kind of funny data we've been sent if SSL negotation fails. */ + if (sslv->n_head <= 0) { + sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, + MSG_PEEK); + } + + /* Grab SSL session information from the cache. */ + if (sslv->type == CLIENT) { + SSL_SESSION *session = shash_find_data(&client_sessions, + stream_get_name(stream)); + if (session) { + SSL_set_session(sslv->ssl, session); + } + } + retval = (sslv->type == CLIENT ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); if (retval != 1) { @@ -419,16 +536,31 @@ ssl_connect(struct stream *stream) return EAGAIN; } else { int unused; + + if (sslv->type == CLIENT) { + /* Delete any cached session for this stream's target. + * Otherwise a single error causes recurring errors that + * don't resolve until the SSL client or server is + * restarted. (It can take dozens of reused connections to + * see this behavior, so this is difficult to test.) If we + * delete the session on the first error, though, the error + * only occurs once and then resolves itself. */ + ssl_flush_session(stream); + } + interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" : "SSL_accept"), retval, error, &unused); shutdown(sslv->fd, SHUT_RDWR); + stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, + THIS_MODULE, stream_get_name(stream)); return EPROTO; } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); - } else if ((SSL_get_verify_mode(sslv->ssl) - & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) - != SSL_VERIFY_PEER) { + } else if (verify_peer_cert + && ((SSL_get_verify_mode(sslv->ssl) + & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) + != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected @@ -440,6 +572,9 @@ ssl_connect(struct stream *stream) VLOG_ERR("rejecting SSL connection during bootstrap race window"); return EPROTO; } else { + if (sslv->type == CLIENT) { + ssl_cache_session(stream); + } return 0; } } @@ -460,6 +595,11 @@ ssl_close(struct stream *stream) * background. */ SSL_shutdown(sslv->ssl); + /* SSL_shutdown() might have signaled an error, in which case we need to + * flush it out of the OpenSSL error queue or the next OpenSSL operation + * will falsely signal an error. */ + ERR_clear_error(); + SSL_free(sslv->ssl); close(sslv->fd); free(sslv); @@ -905,31 +1045,11 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) /* Returns true if SSL is at least partially configured. */ bool -stream_ssl_is_configured(void) +stream_ssl_is_configured(void) { return private_key.file_name || certificate.file_name || ca_cert.file_name; } -static void -get_mtime(const char *file_name, struct timespec *mtime) -{ - struct stat s; - - if (!stat(file_name, &s)) { - mtime->tv_sec = s.st_mtime; - -#if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC - mtime->tv_nsec = s.st_mtim.tv_nsec; -#elif HAVE_STRUCT_STAT_ST_MTIMENSEC - mtime->tv_nsec = s.st_mtimensec; -#else - mtime->tv_nsec = 0; -#endif - } else { - mtime->tv_sec = mtime->tv_nsec = 0; - } -} - static bool update_ssl_config(struct ssl_config_file *config, const char *file_name) { @@ -949,38 +1069,84 @@ update_ssl_config(struct ssl_config_file *config, const char *file_name) return false; } + /* Update 'config'. */ config->mtime = mtime; - free(config->file_name); - config->file_name = xstrdup(file_name); + if (file_name != config->file_name) { + free(config->file_name); + config->file_name = xstrdup(file_name); + } return true; } +static void +stream_ssl_set_private_key_file__(const char *file_name) +{ + if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { + private_key.read = true; + } else { + VLOG_ERR("SSL_use_PrivateKey_file: %s", + ERR_error_string(ERR_get_error(), NULL)); + } +} + void stream_ssl_set_private_key_file(const char *file_name) { - if (!update_ssl_config(&private_key, file_name)) { - return; + if (update_ssl_config(&private_key, file_name)) { + stream_ssl_set_private_key_file__(file_name); } - if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) != 1) { - VLOG_ERR("SSL_use_PrivateKey_file: %s", +} + +static void +stream_ssl_set_certificate_file__(const char *file_name) +{ + if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) { + certificate.read = true; + } else { + VLOG_ERR("SSL_use_certificate_file: %s", ERR_error_string(ERR_get_error(), NULL)); - return; } - private_key.read = true; } void stream_ssl_set_certificate_file(const char *file_name) { - if (!update_ssl_config(&certificate, file_name)) { - return; + if (update_ssl_config(&certificate, file_name)) { + stream_ssl_set_certificate_file__(file_name); } - if (SSL_CTX_use_certificate_chain_file(ctx, file_name) != 1) { - VLOG_ERR("SSL_use_certificate_file: %s", - ERR_error_string(ERR_get_error(), NULL)); - return; +} + +/* Sets the private key and certificate files in one operation. Use this + * interface, instead of calling stream_ssl_set_private_key_file() and + * stream_ssl_set_certificate_file() individually, in the main loop of a + * long-running program whose key and certificate might change at runtime. + * + * This is important because of OpenSSL's behavior. If an OpenSSL context + * already has a certificate, and stream_ssl_set_private_key_file() is called + * to install a new private key, OpenSSL will report an error because the new + * private key does not match the old certificate. The other order, of setting + * a new certificate, then setting a new private key, does work. + * + * If this were the only problem, calling stream_ssl_set_certificate_file() + * before stream_ssl_set_private_key_file() would fix it. But, if the private + * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new + * private key in place before the certificate), then OpenSSL would reject that + * change, and then the change of certificate would succeed, but there would be + * no associated private key (because it had only changed once and therefore + * there was no point in re-reading it). + * + * This function avoids both problems by, whenever either the certificate or + * the private key file changes, re-reading both of them, in the correct order. + */ +void +stream_ssl_set_key_and_cert(const char *private_key_file, + const char *certificate_file) +{ + if (update_ssl_config(&private_key, private_key_file) + || update_ssl_config(&certificate, certificate_file)) { + stream_ssl_set_certificate_file__(certificate_file); + stream_ssl_set_private_key_file__(private_key_file); } - certificate.read = true; } /* Reads the X509 certificate or certificates in file 'file_name'. On success, @@ -1096,7 +1262,7 @@ log_ca_cert(const char *file_name, X509 *cert) subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, subject ? subject : "", ds_cstr(&fp)); - free(subject); + OPENSSL_free(subject); ds_destroy(&fp); } @@ -1107,7 +1273,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) size_t n_certs; struct stat s; - if (bootstrap && stat(file_name, &s) && errno == ENOENT) { + if (!strcmp(file_name, "none")) { + verify_peer_cert = false; + VLOG_WARN("Peer certificate validation disabled " + "(this is a security risk)"); + } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; } else if (!read_cert_file(file_name, &certs, &n_certs)) { size_t i; @@ -1153,5 +1323,98 @@ stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) stream_ssl_set_ca_cert_file__(file_name, bootstrap); } + +/* SSL protocol logging. */ + +static const char * +ssl_alert_level_to_string(uint8_t type) +{ + switch (type) { + case 1: return "warning"; + case 2: return "fatal"; + default: return ""; + } +} + +static const char * +ssl_alert_description_to_string(uint8_t type) +{ + switch (type) { + case 0: return "close_notify"; + case 10: return "unexpected_message"; + case 20: return "bad_record_mac"; + case 21: return "decryption_failed"; + case 22: return "record_overflow"; + case 30: return "decompression_failure"; + case 40: return "handshake_failure"; + case 42: return "bad_certificate"; + case 43: return "unsupported_certificate"; + case 44: return "certificate_revoked"; + case 45: return "certificate_expired"; + case 46: return "certificate_unknown"; + case 47: return "illegal_parameter"; + case 48: return "unknown_ca"; + case 49: return "access_denied"; + case 50: return "decode_error"; + case 51: return "decrypt_error"; + case 60: return "export_restriction"; + case 70: return "protocol_version"; + case 71: return "insufficient_security"; + case 80: return "internal_error"; + case 90: return "user_canceled"; + case 100: return "no_renegotiation"; + default: return ""; + } +} + +static const char * +ssl_handshake_type_to_string(uint8_t type) +{ + switch (type) { + case 0: return "hello_request"; + case 1: return "client_hello"; + case 2: return "server_hello"; + case 11: return "certificate"; + case 12: return "server_key_exchange"; + case 13: return "certificate_request"; + case 14: return "server_hello_done"; + case 15: return "certificate_verify"; + case 16: return "client_key_exchange"; + case 20: return "finished"; + default: return ""; + } +} +static void +ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, + const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) +{ + const struct ssl_stream *sslv = sslv_; + const uint8_t *buf = buf_; + struct ds details; + if (!VLOG_IS_DBG_ENABLED()) { + return; + } + + ds_init(&details); + if (content_type == 20) { + ds_put_cstr(&details, "change_cipher_spec"); + } else if (content_type == 21) { + ds_put_format(&details, "alert: %s, %s", + ssl_alert_level_to_string(buf[0]), + ssl_alert_description_to_string(buf[1])); + } else if (content_type == 22) { + ds_put_format(&details, "handshake: %s", + ssl_handshake_type_to_string(buf[0])); + } else { + ds_put_format(&details, "type %d", content_type); + } + + VLOG_DBG("%s%u%s%s %s (%zu bytes)", + sslv->type == CLIENT ? "client" : "server", + sslv->session_nr, write_p ? "-->" : "<--", + stream_get_name(&sslv->stream), ds_cstr(&details), len); + + ds_destroy(&details); +}