/* * Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include "stream-ssl.h" #include "dhparams.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "coverage.h" #include "dynamic-string.h" #include "leak-checker.h" #include "ofpbuf.h" #include "openflow/openflow.h" #include "packets.h" #include "poll-loop.h" #include "shash.h" #include "socket-util.h" #include "util.h" #include "stream-provider.h" #include "stream.h" #include "timeval.h" #include "vlog.h" VLOG_DEFINE_THIS_MODULE(stream_ssl); COVERAGE_DEFINE(ssl_session); COVERAGE_DEFINE(ssl_session_reused); /* Active SSL. */ enum ssl_state { STATE_TCP_CONNECTING, STATE_SSL_CONNECTING }; enum session_type { CLIENT, SERVER }; struct ssl_stream { struct stream stream; enum ssl_state state; enum session_type type; int fd; SSL *ssl; struct ofpbuf *txbuf; unsigned int session_nr; /* rx_want and tx_want record the result of the last call to SSL_read() * and SSL_write(), respectively: * * - If the call reported that data needed to be read from the file * descriptor, the corresponding member is set to SSL_READING. * * - If the call reported that data needed to be written to the file * descriptor, the corresponding member is set to SSL_WRITING. * * - Otherwise, the member is set to SSL_NOTHING, indicating that the * call completed successfully (or with an error) and that there is no * need to block. * * These are needed because there is no way to ask OpenSSL what a data read * or write would require without giving it a buffer to receive into or * data to send, respectively. (Note that the SSL_want() status is * overwritten by each SSL_read() or SSL_write() call, so we can't rely on * its value.) * * A single call to SSL_read() or SSL_write() can perform both reading * and writing and thus invalidate not one of these values but actually * both. Consider this situation, for example: * * - SSL_write() blocks on a read, so tx_want gets SSL_READING. * * - SSL_read() laters succeeds reading from 'fd' and clears out the * whole receive buffer, so rx_want gets SSL_READING. * * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) * and blocks. * * - Now we're stuck blocking until the peer sends us data, even though * SSL_write() could now succeed, which could easily be a deadlock * condition. * * On the other hand, we can't reset both tx_want and rx_want on every call * to SSL_read() or SSL_write(), because that would produce livelock, * e.g. in this situation: * * - SSL_write() blocks, so tx_want gets SSL_READING or SSL_WRITING. * * - SSL_read() blocks, so rx_want gets SSL_READING or SSL_WRITING, * but tx_want gets reset to SSL_NOTHING. * * - Client calls stream_wait(STREAM_RECV) and stream_wait(STREAM_SEND) * and blocks. * * - Client wakes up immediately since SSL_NOTHING in tx_want indicates * that no blocking is necessary. * * The solution we adopt here is to set tx_want to SSL_NOTHING after * calling SSL_read() only if the SSL state of the connection changed, * which indicates that an SSL-level renegotiation made some progress, and * similarly for rx_want and SSL_write(). This prevents both the * deadlock and livelock situations above. */ int rx_want, tx_want; /* A few bytes of header data in case SSL negotiation fails. */ uint8_t head[2]; short int n_head; }; /* SSL context created by ssl_init(). */ static SSL_CTX *ctx; /* Maps from stream target (e.g. "127.0.0.1:1234") to SSL_SESSION *. The * sessions are those from the last SSL connection to the given target. * OpenSSL caches server-side sessions internally, so this cache is only used * for client connections. * * The stream_ssl module owns a reference to each of the sessions in this * table, so they must be freed with SSL_SESSION_free() when they are no * longer needed. */ static struct shash client_sessions = SHASH_INITIALIZER(&client_sessions); /* Maximum number of client sessions to cache. Ordinarily I'd expect that one * session would be sufficient but this should cover it. */ #define MAX_CLIENT_SESSION_CACHE 16 struct ssl_config_file { bool read; /* Whether the file was successfully read. */ char *file_name; /* Configured file name, if any. */ struct timespec mtime; /* File mtime as of last time we read it. */ }; /* SSL configuration files. */ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; /* Ordinarily, the SSL client and server verify each other's certificates using * a CA certificate. Setting this to false disables this behavior. (This is a * security risk.) */ static bool verify_peer_cert = true; /* Ordinarily, we require a CA certificate for the peer to be locally * available. We can, however, bootstrap the CA certificate from the peer at * the beginning of our first connection then use that certificate on all * subsequent connections, saving it to a file for use in future runs also. In * this case, 'bootstrap_ca_cert' is true. */ static bool bootstrap_ca_cert; /* Session number. Used in debug logging messages to uniquely identify a * session. */ static unsigned int next_session_nr; /* Who knows what can trigger various SSL errors, so let's throttle them down * quite a bit. */ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25); static int ssl_init(void); static int do_ssl_init(void); static bool ssl_wants_io(int ssl_error); static void ssl_close(struct stream *); static void ssl_clear_txbuf(struct ssl_stream *); static void interpret_queued_ssl_error(const char *function); static int interpret_ssl_error(const char *function, int ret, int error, int *want); static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); static void log_ca_cert(const char *file_name, X509 *cert); static void stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap); static void ssl_protocol_cb(int write_p, int version, int content_type, const void *, size_t, SSL *, void *sslv_); static short int want_to_poll_events(int want) { switch (want) { case SSL_NOTHING: NOT_REACHED(); case SSL_READING: return POLLIN; case SSL_WRITING: return POLLOUT; default: NOT_REACHED(); } } static int new_ssl_stream(const char *name, int fd, enum session_type type, enum ssl_state state, const struct sockaddr_in *remote, struct stream **streamp) { struct sockaddr_in local; socklen_t local_len = sizeof local; struct ssl_stream *sslv; SSL *ssl = NULL; int on = 1; int retval; /* Check for all the needful configuration. */ retval = 0; if (!private_key.read) { VLOG_ERR("Private key must be configured to use SSL"); retval = ENOPROTOOPT; } if (!certificate.read) { VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } if (!SSL_CTX_check_private_key(ctx)) { VLOG_ERR("Private key does not match certificate public key: %s", ERR_error_string(ERR_get_error(), NULL)); retval = ENOPROTOOPT; } if (retval) { goto error; } /* Get the local IP and port information */ retval = getsockname(fd, (struct sockaddr *) &local, &local_len); if (retval) { memset(&local, 0, sizeof local); } /* Disable Nagle. */ retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on); if (retval) { VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, strerror(errno)); retval = errno; goto error; } /* Create and configure OpenSSL stream. */ ssl = SSL_new(ctx); if (ssl == NULL) { VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL)); retval = ENOPROTOOPT; goto error; } if (SSL_set_fd(ssl, fd) == 0) { VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL)); retval = ENOPROTOOPT; goto error; } if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } if (type == CLIENT) { /* Grab SSL session information from the cache. */ SSL_SESSION *session = shash_find_data(&client_sessions, name); if (session && SSL_set_session(ssl, session) != 1) { interpret_queued_ssl_error("SSL_set_session"); } } /* Create and return the ssl_stream. */ sslv = xmalloc(sizeof *sslv); stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); stream_set_remote_ip(&sslv->stream, remote->sin_addr.s_addr); stream_set_remote_port(&sslv->stream, remote->sin_port); stream_set_local_ip(&sslv->stream, local.sin_addr.s_addr); stream_set_local_port(&sslv->stream, local.sin_port); sslv->state = state; sslv->type = type; sslv->fd = fd; sslv->ssl = ssl; sslv->txbuf = NULL; sslv->rx_want = sslv->tx_want = SSL_NOTHING; sslv->session_nr = next_session_nr++; sslv->n_head = 0; if (VLOG_IS_DBG_ENABLED()) { SSL_set_msg_callback(ssl, ssl_protocol_cb); SSL_set_msg_callback_arg(ssl, sslv); } *streamp = &sslv->stream; return 0; error: if (ssl) { SSL_free(ssl); } close(fd); return retval; } static struct ssl_stream * ssl_stream_cast(struct stream *stream) { stream_assert_class(stream, &ssl_stream_class); return CONTAINER_OF(stream, struct ssl_stream, stream); } static int ssl_open(const char *name, char *suffix, struct stream **streamp) { struct sockaddr_in sin; int error, fd; error = ssl_init(); if (error) { return error; } error = inet_open_active(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin, &fd); if (fd >= 0) { int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; return new_ssl_stream(name, fd, CLIENT, state, &sin, streamp); } else { VLOG_ERR("%s: connect: %s", name, strerror(error)); return error; } } static int do_ca_cert_bootstrap(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); STACK_OF(X509) *chain; X509 *cert; FILE *file; int error; int fd; chain = SSL_get_peer_cert_chain(sslv->ssl); if (!chain || !sk_X509_num(chain)) { VLOG_ERR("could not bootstrap CA cert: no certificate presented by " "peer"); return EPROTO; } cert = sk_X509_value(chain, sk_X509_num(chain) - 1); /* Check that 'cert' is self-signed. Otherwise it is not a CA * certificate and we should not attempt to use it as one. */ error = X509_check_issued(cert, cert); if (error) { VLOG_ERR("could not bootstrap CA cert: obtained certificate is " "not self-signed (%s)", X509_verify_cert_error_string(error)); if (sk_X509_num(chain) < 2) { VLOG_ERR("only one certificate was received, so probably the peer " "is not configured to send its CA certificate"); } return EPROTO; } fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); if (fd < 0) { if (errno == EEXIST) { VLOG_INFO("reading CA cert %s created by another process", ca_cert.file_name); stream_ssl_set_ca_cert_file(ca_cert.file_name, true); return EPROTO; } else { VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", ca_cert.file_name, strerror(errno)); return errno; } } file = fdopen(fd, "w"); if (!file) { error = errno; VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s", strerror(error)); unlink(ca_cert.file_name); return error; } if (!PEM_write_X509(file, cert)) { VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: " "%s", ca_cert.file_name, ERR_error_string(ERR_get_error(), NULL)); fclose(file); unlink(ca_cert.file_name); return EIO; } if (fclose(file)) { error = errno; VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s", ca_cert.file_name, strerror(error)); unlink(ca_cert.file_name); return error; } VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name); log_ca_cert(ca_cert.file_name, cert); bootstrap_ca_cert = false; ca_cert.read = true; /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */ SSL_CTX_add_client_CA(ctx, cert); /* SSL_CTX_use_certificate() takes ownership of the certificate passed in. * 'cert' is owned by sslv->ssl, so we need to duplicate it. */ cert = X509_dup(cert); if (!cert) { out_of_memory(); } SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); return EPROTO; } VLOG_INFO("killing successful connection to retry using CA cert"); return EPROTO; } static void ssl_delete_session(struct shash_node *node) { SSL_SESSION *session = node->data; SSL_SESSION_free(session); shash_delete(&client_sessions, node); } /* Find and free any previously cached session for 'stream''s target. */ static void ssl_flush_session(struct stream *stream) { struct shash_node *node; node = shash_find(&client_sessions, stream_get_name(stream)); if (node) { ssl_delete_session(node); } } /* Add 'stream''s session to the cache for its target, so that it will be * reused for future SSL connections to the same target. */ static void ssl_cache_session(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); SSL_SESSION *session; /* Get session from stream. */ session = SSL_get1_session(sslv->ssl); if (session) { SSL_SESSION *old_session; old_session = shash_replace(&client_sessions, stream_get_name(stream), session); if (old_session) { /* Free the session that we replaced. (We might actually have * session == old_session, but either way we have to free it to * avoid leaking a reference.) */ SSL_SESSION_free(old_session); } else if (shash_count(&client_sessions) > MAX_CLIENT_SESSION_CACHE) { for (;;) { struct shash_node *node = shash_random_node(&client_sessions); if (node->data != session) { ssl_delete_session(node); break; } } } } } static int ssl_connect(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); int retval; switch (sslv->state) { case STATE_TCP_CONNECTING: retval = check_connection_completion(sslv->fd); if (retval) { return retval; } sslv->state = STATE_SSL_CONNECTING; /* Fall through. */ case STATE_SSL_CONNECTING: /* Capture the first few bytes of received data so that we can guess * what kind of funny data we've been sent if SSL negotation fails. */ if (sslv->n_head <= 0) { sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, MSG_PEEK); } retval = (sslv->type == CLIENT ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); if (retval != 1) { int error = SSL_get_error(sslv->ssl, retval); if (retval < 0 && ssl_wants_io(error)) { return EAGAIN; } else { int unused; if (sslv->type == CLIENT) { /* Delete any cached session for this stream's target. * Otherwise a single error causes recurring errors that * don't resolve until the SSL client or server is * restarted. (It can take dozens of reused connections to * see this behavior, so this is difficult to test.) If we * delete the session on the first error, though, the error * only occurs once and then resolves itself. */ ssl_flush_session(stream); } interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" : "SSL_accept"), retval, error, &unused); shutdown(sslv->fd, SHUT_RDWR); stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, THIS_MODULE, stream_get_name(stream)); return EPROTO; } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); } else if (verify_peer_cert && ((SSL_get_verify_mode(sslv->ssl) & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected * because they were not verified against the bootstrapped CA * certificate. (Alternatively we could verify them against the CA * certificate, but that's more trouble than it's worth. These * connections will succeed the next time they retry, assuming that * they have a certificate against the correct CA.) */ VLOG_ERR("rejecting SSL connection during bootstrap race window"); return EPROTO; } else { /* Statistics. */ COVERAGE_INC(ssl_session); if (SSL_session_reused(sslv->ssl)) { COVERAGE_INC(ssl_session_reused); } return 0; } } NOT_REACHED(); } static void ssl_close(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); ssl_clear_txbuf(sslv); /* Attempt clean shutdown of the SSL connection. This will work most of * the time, as long as the kernel send buffer has some free space and the * SSL connection isn't renegotiating, etc. That has to be good enough, * since we don't have any way to continue the close operation in the * background. */ SSL_shutdown(sslv->ssl); ssl_cache_session(stream); /* SSL_shutdown() might have signaled an error, in which case we need to * flush it out of the OpenSSL error queue or the next OpenSSL operation * will falsely signal an error. */ ERR_clear_error(); SSL_free(sslv->ssl); close(sslv->fd); free(sslv); } static void interpret_queued_ssl_error(const char *function) { int queued_error = ERR_get_error(); if (queued_error != 0) { VLOG_WARN_RL(&rl, "%s: %s", function, ERR_error_string(queued_error, NULL)); } else { VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", function); } } static int interpret_ssl_error(const char *function, int ret, int error, int *want) { *want = SSL_NOTHING; switch (error) { case SSL_ERROR_NONE: VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function); break; case SSL_ERROR_ZERO_RETURN: VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function); break; case SSL_ERROR_WANT_READ: *want = SSL_READING; return EAGAIN; case SSL_ERROR_WANT_WRITE: *want = SSL_WRITING; return EAGAIN; case SSL_ERROR_WANT_CONNECT: VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function); break; case SSL_ERROR_WANT_ACCEPT: VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function); break; case SSL_ERROR_WANT_X509_LOOKUP: VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP", function); break; case SSL_ERROR_SYSCALL: { int queued_error = ERR_get_error(); if (queued_error == 0) { if (ret < 0) { int status = errno; VLOG_WARN_RL(&rl, "%s: system error (%s)", function, strerror(status)); return status; } else { VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", function); return EPROTO; } } else { VLOG_WARN_RL(&rl, "%s: %s", function, ERR_error_string(queued_error, NULL)); break; } } case SSL_ERROR_SSL: interpret_queued_ssl_error(function); break; default: VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error); break; } return EIO; } static ssize_t ssl_recv(struct stream *stream, void *buffer, size_t n) { struct ssl_stream *sslv = ssl_stream_cast(stream); int old_state; ssize_t ret; /* Behavior of zero-byte SSL_read is poorly defined. */ assert(n > 0); old_state = SSL_get_state(sslv->ssl); ret = SSL_read(sslv->ssl, buffer, n); if (old_state != SSL_get_state(sslv->ssl)) { sslv->tx_want = SSL_NOTHING; } sslv->rx_want = SSL_NOTHING; if (ret > 0) { return ret; } else { int error = SSL_get_error(sslv->ssl, ret); if (error == SSL_ERROR_ZERO_RETURN) { return 0; } else { return -interpret_ssl_error("SSL_read", ret, error, &sslv->rx_want); } } } static void ssl_clear_txbuf(struct ssl_stream *sslv) { ofpbuf_delete(sslv->txbuf); sslv->txbuf = NULL; } static int ssl_do_tx(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); for (;;) { int old_state = SSL_get_state(sslv->ssl); int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size); if (old_state != SSL_get_state(sslv->ssl)) { sslv->rx_want = SSL_NOTHING; } sslv->tx_want = SSL_NOTHING; if (ret > 0) { ofpbuf_pull(sslv->txbuf, ret); if (sslv->txbuf->size == 0) { return 0; } } else { int ssl_error = SSL_get_error(sslv->ssl, ret); if (ssl_error == SSL_ERROR_ZERO_RETURN) { VLOG_WARN_RL(&rl, "SSL_write: connection closed"); return EPIPE; } else { return interpret_ssl_error("SSL_write", ret, ssl_error, &sslv->tx_want); } } } } static ssize_t ssl_send(struct stream *stream, const void *buffer, size_t n) { struct ssl_stream *sslv = ssl_stream_cast(stream); if (sslv->txbuf) { return -EAGAIN; } else { int error; sslv->txbuf = ofpbuf_clone_data(buffer, n); error = ssl_do_tx(stream); switch (error) { case 0: ssl_clear_txbuf(sslv); return n; case EAGAIN: leak_checker_claim(buffer); return n; default: sslv->txbuf = NULL; return -error; } } } static void ssl_run(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); if (sslv->txbuf && ssl_do_tx(stream) != EAGAIN) { ssl_clear_txbuf(sslv); } } static void ssl_run_wait(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); if (sslv->tx_want != SSL_NOTHING) { poll_fd_wait(sslv->fd, want_to_poll_events(sslv->tx_want)); } } static void ssl_wait(struct stream *stream, enum stream_wait_type wait) { struct ssl_stream *sslv = ssl_stream_cast(stream); switch (wait) { case STREAM_CONNECT: if (stream_connect(stream) != EAGAIN) { poll_immediate_wake(); } else { switch (sslv->state) { case STATE_TCP_CONNECTING: poll_fd_wait(sslv->fd, POLLOUT); break; case STATE_SSL_CONNECTING: /* ssl_connect() called SSL_accept() or SSL_connect(), which * set up the status that we test here. */ poll_fd_wait(sslv->fd, want_to_poll_events(SSL_want(sslv->ssl))); break; default: NOT_REACHED(); } } break; case STREAM_RECV: if (sslv->rx_want != SSL_NOTHING) { poll_fd_wait(sslv->fd, want_to_poll_events(sslv->rx_want)); } else { poll_immediate_wake(); } break; case STREAM_SEND: if (!sslv->txbuf) { /* We have room in our tx queue. */ poll_immediate_wake(); } else { /* stream_run_wait() will do the right thing; don't bother with * redundancy. */ } break; default: NOT_REACHED(); } } struct stream_class ssl_stream_class = { "ssl", /* name */ ssl_open, /* open */ ssl_close, /* close */ ssl_connect, /* connect */ ssl_recv, /* recv */ ssl_send, /* send */ ssl_run, /* run */ ssl_run_wait, /* run_wait */ ssl_wait, /* wait */ }; /* Passive SSL. */ struct pssl_pstream { struct pstream pstream; int fd; }; struct pstream_class pssl_pstream_class; static struct pssl_pstream * pssl_pstream_cast(struct pstream *pstream) { pstream_assert_class(pstream, &pssl_pstream_class); return CONTAINER_OF(pstream, struct pssl_pstream, pstream); } static int pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp) { struct pssl_pstream *pssl; struct sockaddr_in sin; char bound_name[128]; int retval; int fd; retval = ssl_init(); if (retval) { return retval; } fd = inet_open_passive(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin); if (fd < 0) { return -fd; } sprintf(bound_name, "pssl:%"PRIu16":"IP_FMT, ntohs(sin.sin_port), IP_ARGS(&sin.sin_addr.s_addr)); pssl = xmalloc(sizeof *pssl); pstream_init(&pssl->pstream, &pssl_pstream_class, bound_name); pssl->fd = fd; *pstreamp = &pssl->pstream; return 0; } static void pssl_close(struct pstream *pstream) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); close(pssl->fd); free(pssl); } static int pssl_accept(struct pstream *pstream, struct stream **new_streamp) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); struct sockaddr_in sin; socklen_t sin_len = sizeof sin; char name[128]; int new_fd; int error; new_fd = accept(pssl->fd, &sin, &sin_len); if (new_fd < 0) { error = errno; if (error != EAGAIN) { VLOG_DBG_RL(&rl, "accept: %s", strerror(error)); } return error; } error = set_nonblocking(new_fd); if (error) { close(new_fd); return error; } sprintf(name, "ssl:"IP_FMT, IP_ARGS(&sin.sin_addr)); if (sin.sin_port != htons(OFP_SSL_PORT)) { sprintf(strchr(name, '\0'), ":%"PRIu16, ntohs(sin.sin_port)); } return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, &sin, new_streamp); } static void pssl_wait(struct pstream *pstream) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); poll_fd_wait(pssl->fd, POLLIN); } struct pstream_class pssl_pstream_class = { "pssl", pssl_open, pssl_close, pssl_accept, pssl_wait, }; /* * Returns true if OpenSSL error is WANT_READ or WANT_WRITE, indicating that * OpenSSL is requesting that we call it back when the socket is ready for read * or writing, respectively. */ static bool ssl_wants_io(int ssl_error) { return (ssl_error == SSL_ERROR_WANT_WRITE || ssl_error == SSL_ERROR_WANT_READ); } static int ssl_init(void) { static int init_status = -1; if (init_status < 0) { init_status = do_ssl_init(); assert(init_status >= 0); } return init_status; } static int do_ssl_init(void) { SSL_METHOD *method; SSL_library_init(); SSL_load_error_strings(); /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the * cast is needed to avoid a warning with those newer versions. */ method = (SSL_METHOD *) TLSv1_method(); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; } ctx = SSL_CTX_new(method); if (ctx == NULL) { VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; } SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback); SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); /* We have to set a session context ID string in 'ctx' because OpenSSL * otherwise refuses to use a cached session on the server side when * SSL_VERIFY_PEER is set. And it not only refuses to use the cached * session, it actually generates an error and kills the connection. * According to a comment in ssl_get_prev_session() in OpenSSL's * ssl/ssl_sess.c, this is intentional behavior. * * Any context string is OK, as long as one is set. */ SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE, strlen(PACKAGE)); return 0; } static DH * tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) { struct dh { int keylength; DH *dh; DH *(*constructor)(void); }; static struct dh dh_table[] = { {1024, NULL, get_dh1024}, {2048, NULL, get_dh2048}, {4096, NULL, get_dh4096}, }; struct dh *dh; for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) { if (dh->keylength == keylength) { if (!dh->dh) { dh->dh = dh->constructor(); if (!dh->dh) { ovs_fatal(ENOMEM, "out of memory constructing " "Diffie-Hellman parameters"); } } return dh->dh; } } VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d", keylength); return NULL; } /* Returns true if SSL is at least partially configured. */ bool stream_ssl_is_configured(void) { return private_key.file_name || certificate.file_name || ca_cert.file_name; } static bool update_ssl_config(struct ssl_config_file *config, const char *file_name) { struct timespec mtime; if (ssl_init() || !file_name) { return false; } /* If the file name hasn't changed and neither has the file contents, stop * here. */ get_mtime(file_name, &mtime); if (config->file_name && !strcmp(config->file_name, file_name) && mtime.tv_sec == config->mtime.tv_sec && mtime.tv_nsec == config->mtime.tv_nsec) { return false; } /* Update 'config'. */ config->mtime = mtime; if (file_name != config->file_name) { free(config->file_name); config->file_name = xstrdup(file_name); } return true; } static void stream_ssl_set_private_key_file__(const char *file_name) { if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { private_key.read = true; } else { VLOG_ERR("SSL_use_PrivateKey_file: %s", ERR_error_string(ERR_get_error(), NULL)); } } void stream_ssl_set_private_key_file(const char *file_name) { if (update_ssl_config(&private_key, file_name)) { stream_ssl_set_private_key_file__(file_name); } } static void stream_ssl_set_certificate_file__(const char *file_name) { if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) { certificate.read = true; } else { VLOG_ERR("SSL_use_certificate_file: %s", ERR_error_string(ERR_get_error(), NULL)); } } void stream_ssl_set_certificate_file(const char *file_name) { if (update_ssl_config(&certificate, file_name)) { stream_ssl_set_certificate_file__(file_name); } } /* Sets the private key and certificate files in one operation. Use this * interface, instead of calling stream_ssl_set_private_key_file() and * stream_ssl_set_certificate_file() individually, in the main loop of a * long-running program whose key and certificate might change at runtime. * * This is important because of OpenSSL's behavior. If an OpenSSL context * already has a certificate, and stream_ssl_set_private_key_file() is called * to install a new private key, OpenSSL will report an error because the new * private key does not match the old certificate. The other order, of setting * a new certificate, then setting a new private key, does work. * * If this were the only problem, calling stream_ssl_set_certificate_file() * before stream_ssl_set_private_key_file() would fix it. But, if the private * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new * private key in place before the certificate), then OpenSSL would reject that * change, and then the change of certificate would succeed, but there would be * no associated private key (because it had only changed once and therefore * there was no point in re-reading it). * * This function avoids both problems by, whenever either the certificate or * the private key file changes, re-reading both of them, in the correct order. */ void stream_ssl_set_key_and_cert(const char *private_key_file, const char *certificate_file) { if (update_ssl_config(&private_key, private_key_file) || update_ssl_config(&certificate, certificate_file)) { stream_ssl_set_certificate_file__(certificate_file); stream_ssl_set_private_key_file__(private_key_file); } } /* Reads the X509 certificate or certificates in file 'file_name'. On success, * stores the address of the first element in an array of pointers to * certificates in '*certs' and the number of certificates in the array in * '*n_certs', and returns 0. On failure, stores a null pointer in '*certs', 0 * in '*n_certs', and returns a positive errno value. * * The caller is responsible for freeing '*certs'. */ static int read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) { FILE *file; size_t allocated_certs = 0; *certs = NULL; *n_certs = 0; file = fopen(file_name, "r"); if (!file) { VLOG_ERR("failed to open %s for reading: %s", file_name, strerror(errno)); return errno; } for (;;) { X509 *certificate; int c; /* Read certificate from file. */ certificate = PEM_read_X509(file, NULL, NULL, NULL); if (!certificate) { size_t i; VLOG_ERR("PEM_read_X509 failed reading %s: %s", file_name, ERR_error_string(ERR_get_error(), NULL)); for (i = 0; i < *n_certs; i++) { X509_free((*certs)[i]); } free(*certs); *certs = NULL; *n_certs = 0; return EIO; } /* Add certificate to array. */ if (*n_certs >= allocated_certs) { *certs = x2nrealloc(*certs, &allocated_certs, sizeof **certs); } (*certs)[(*n_certs)++] = certificate; /* Are there additional certificates in the file? */ do { c = getc(file); } while (isspace(c)); if (c == EOF) { break; } ungetc(c, file); } fclose(file); return 0; } /* Sets 'file_name' as the name of a file containing one or more X509 * certificates to send to the peer. Typical use in OpenFlow is to send the CA * certificate to the peer, which enables a switch to pick up the controller's * CA certificate on its first connection. */ void stream_ssl_set_peer_ca_cert_file(const char *file_name) { X509 **certs; size_t n_certs; size_t i; if (ssl_init()) { return; } if (!read_cert_file(file_name, &certs, &n_certs)) { for (i = 0; i < n_certs; i++) { if (SSL_CTX_add_extra_chain_cert(ctx, certs[i]) != 1) { VLOG_ERR("SSL_CTX_add_extra_chain_cert: %s", ERR_error_string(ERR_get_error(), NULL)); } } free(certs); } } /* Logs fingerprint of CA certificate 'cert' obtained from 'file_name'. */ static void log_ca_cert(const char *file_name, X509 *cert) { unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int n_bytes; struct ds fp; char *subject; ds_init(&fp); if (!X509_digest(cert, EVP_sha1(), digest, &n_bytes)) { ds_put_cstr(&fp, ""); } else { unsigned int i; for (i = 0; i < n_bytes; i++) { if (i) { ds_put_char(&fp, ':'); } ds_put_format(&fp, "%02hhx", digest[i]); } } subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, subject ? subject : "", ds_cstr(&fp)); OPENSSL_free(subject); ds_destroy(&fp); } static void stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) { X509 **certs; size_t n_certs; struct stat s; if (!strcmp(file_name, "none")) { verify_peer_cert = false; VLOG_WARN("Peer certificate validation disabled " "(this is a security risk)"); } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; } else if (!read_cert_file(file_name, &certs, &n_certs)) { size_t i; /* Set up list of CAs that the server will accept from the client. */ for (i = 0; i < n_certs; i++) { /* SSL_CTX_add_client_CA makes a copy of the relevant data. */ if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) { VLOG_ERR("failed to add client certificate %zu from %s: %s", i, file_name, ERR_error_string(ERR_get_error(), NULL)); } else { log_ca_cert(file_name, certs[i]); } X509_free(certs[i]); } free(certs); /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); return; } bootstrap_ca_cert = false; } ca_cert.read = true; } /* Sets 'file_name' as the name of the file from which to read the CA * certificate used to verify the peer within SSL connections. If 'bootstrap' * is false, the file must exist. If 'bootstrap' is false, then the file is * read if it is exists; if it does not, then it will be created from the CA * certificate received from the peer on the first SSL connection. */ void stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) { if (!update_ssl_config(&ca_cert, file_name)) { return; } stream_ssl_set_ca_cert_file__(file_name, bootstrap); } /* SSL protocol logging. */ static const char * ssl_alert_level_to_string(uint8_t type) { switch (type) { case 1: return "warning"; case 2: return "fatal"; default: return ""; } } static const char * ssl_alert_description_to_string(uint8_t type) { switch (type) { case 0: return "close_notify"; case 10: return "unexpected_message"; case 20: return "bad_record_mac"; case 21: return "decryption_failed"; case 22: return "record_overflow"; case 30: return "decompression_failure"; case 40: return "handshake_failure"; case 42: return "bad_certificate"; case 43: return "unsupported_certificate"; case 44: return "certificate_revoked"; case 45: return "certificate_expired"; case 46: return "certificate_unknown"; case 47: return "illegal_parameter"; case 48: return "unknown_ca"; case 49: return "access_denied"; case 50: return "decode_error"; case 51: return "decrypt_error"; case 60: return "export_restriction"; case 70: return "protocol_version"; case 71: return "insufficient_security"; case 80: return "internal_error"; case 90: return "user_canceled"; case 100: return "no_renegotiation"; default: return ""; } } static const char * ssl_handshake_type_to_string(uint8_t type) { switch (type) { case 0: return "hello_request"; case 1: return "client_hello"; case 2: return "server_hello"; case 11: return "certificate"; case 12: return "server_key_exchange"; case 13: return "certificate_request"; case 14: return "server_hello_done"; case 15: return "certificate_verify"; case 16: return "client_key_exchange"; case 20: return "finished"; default: return ""; } } static void ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) { const struct ssl_stream *sslv = sslv_; const uint8_t *buf = buf_; struct ds details; if (!VLOG_IS_DBG_ENABLED()) { return; } ds_init(&details); if (content_type == 20) { ds_put_cstr(&details, "change_cipher_spec"); } else if (content_type == 21) { ds_put_format(&details, "alert: %s, %s", ssl_alert_level_to_string(buf[0]), ssl_alert_description_to_string(buf[1])); } else if (content_type == 22) { ds_put_format(&details, "handshake: %s", ssl_handshake_type_to_string(buf[0])); } else { ds_put_format(&details, "type %d", content_type); } VLOG_DBG("%s%u%s%s %s (%zu bytes)", sslv->type == CLIENT ? "client" : "server", sslv->session_nr, write_p ? "-->" : "<--", stream_get_name(&sslv->stream), ds_cstr(&details), len); ds_destroy(&details); }