1 /* Copyright (c) 2008 The Board of Trustees of The Leland Stanford
4 * We are making the OpenFlow specification and associated documentation
5 * (Software) available for public use and benefit with the expectation
6 * that others will use, modify and enhance the Software and contribute
7 * those enhancements back to the community. However, since we would
8 * like to make the Software available for broadest use, with as few
9 * restrictions as possible permission is hereby granted, free of
10 * charge, to any person obtaining a copy of this Software to deal in
11 * the Software under the copyrights without restriction, including
12 * without limitation the rights to use, copy, modify, merge, publish,
13 * distribute, sublicense, and/or sell copies of the Software, and to
14 * permit persons to whom the Software is furnished to do so, subject to
15 * the following conditions:
17 * The above copyright notice and this permission notice shall be
18 * included in all copies or substantial portions of the Software.
20 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
24 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
25 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
26 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
29 * The name and trademarks of copyright holder(s) may NOT be used in
30 * advertising or publicity pertaining to the Software or any
31 * derivatives without specific, written prior permission.
35 #include "vconn-ssl.h"
41 #include <netinet/tcp.h>
42 #include <openssl/err.h>
43 #include <openssl/ssl.h>
47 #include "socket-util.h"
51 #include "poll-loop.h"
52 #include "socket-util.h"
54 #include "vconn-provider.h"
57 #define THIS_MODULE VLM_vconn_ssl
76 enum session_type type;
81 struct poll_waiter *tx_waiter;
83 /* rx_want and tx_want record the result of the last call to SSL_read()
84 * and SSL_write(), respectively:
86 * - If the call reported that data needed to be read from the file
87 * descriptor, the corresponding member is set to SSL_READING.
89 * - If the call reported that data needed to be written to the file
90 * descriptor, the corresponding member is set to SSL_WRITING.
92 * - Otherwise, the member is set to SSL_NOTHING, indicating that the
93 * call completed successfully (or with an error) and that there is no
96 * These are needed because there is no way to ask OpenSSL what a data read
97 * or write would require without giving it a buffer to receive into or
98 * data to send, respectively. (Note that the SSL_want() status is
99 * overwritten by each SSL_read() or SSL_write() call, so we can't rely on
102 * A single call to SSL_read() or SSL_write() can perform both reading
103 * and writing and thus invalidate not one of these values but actually
104 * both. Consider this situation, for example:
106 * - SSL_write() blocks on a read, so tx_want gets SSL_READING.
108 * - SSL_read() later succeeds reading from 'fd' and clears out the
109 * whole receive buffer, so rx_want gets SSL_READING.
111 * - Client calls vconn_wait(WAIT_RECV) and vconn_wait(WAIT_SEND) and
114 * - Now we're stuck blocking until the peer sends us data, even though
115 * SSL_write() could now succeed, which could easily be a deadlock
118 * On the other hand, we can't reset both tx_want and rx_want on every call
119 * to SSL_read() or SSL_write(), because that would produce livelock,
120 * e.g. in this situation:
122 * - SSL_write() blocks, so tx_want gets SSL_READING or SSL_WRITING.
124 * - SSL_read() blocks, so rx_want gets SSL_READING or SSL_WRITING,
125 * but tx_want gets reset to SSL_NOTHING.
127 * - Client calls vconn_wait(WAIT_RECV) and vconn_wait(WAIT_SEND) and
130 * - Client wakes up immediately since SSL_NOTHING in tx_want indicates
131 * that no blocking is necessary.
133 * The solution we adopt here is to set tx_want to SSL_NOTHING after
134 * calling SSL_read() only if the SSL state of the connection changed,
135 * which indicates that an SSL-level renegotiation made some progress, and
136 * similarly for rx_want and SSL_write(). This prevents both the
137 * deadlock and livelock situations above.
139 int rx_want, tx_want;
142 /* SSL context created by ssl_init(). */
145 /* Required configuration. */
146 static bool has_private_key, has_certificate, has_ca_cert;
148 /* Who knows what can trigger various SSL errors, so let's throttle them down
150 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(10, 25);
152 static int ssl_init(void);
153 static int do_ssl_init(void);
154 static bool ssl_wants_io(int ssl_error);
155 static void ssl_close(struct vconn *);
156 static int interpret_ssl_error(const char *function, int ret, int error,
158 static void ssl_tx_poll_callback(int fd, short int revents, void *vconn_);
159 static DH *tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength);
162 want_to_poll_events(int want)
180 new_ssl_vconn(const char *name, int fd, enum session_type type,
181 enum ssl_state state, const struct sockaddr_in *sin,
182 struct vconn **vconnp)
184 struct ssl_vconn *sslv;
189 /* Check for all the needful configuration. */
190 if (!has_private_key) {
191 VLOG_ERR("Private key must be configured to use SSL");
194 if (!has_certificate) {
195 VLOG_ERR("Certificate must be configured to use SSL");
199 VLOG_ERR("CA certificate must be configured to use SSL");
202 if (!SSL_CTX_check_private_key(ctx)) {
203 VLOG_ERR("Private key does not match certificate public key");
208 retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on);
210 VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, strerror(errno));
215 /* Create and configure OpenSSL stream. */
218 VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL));
222 if (SSL_set_fd(ssl, fd) == 0) {
223 VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL));
227 /* Create and return the ssl_vconn. */
228 sslv = xmalloc(sizeof *sslv);
229 vconn_init(&sslv->vconn, &ssl_vconn_class, EAGAIN, sin->sin_addr.s_addr,
237 sslv->tx_waiter = NULL;
238 sslv->rx_want = sslv->tx_want = SSL_NOTHING;
239 *vconnp = &sslv->vconn;
250 static struct ssl_vconn *
251 ssl_vconn_cast(struct vconn *vconn)
253 assert(vconn->class == &ssl_vconn_class);
254 return CONTAINER_OF(vconn, struct ssl_vconn, vconn);
258 ssl_open(const char *name, char *suffix, struct vconn **vconnp)
260 char *save_ptr, *host_name, *port_string;
261 struct sockaddr_in sin;
270 /* Glibc 2.7 has a bug in strtok_r when compiling with optimization that
271 * can cause segfaults here:
272 * http://sources.redhat.com/bugzilla/show_bug.cgi?id=5614.
273 * Using "::" instead of the obvious ":" works around it. */
274 host_name = strtok_r(suffix, "::", &save_ptr);
275 port_string = strtok_r(NULL, "::", &save_ptr);
277 ofp_error(0, "%s: bad peer name format", name);
281 memset(&sin, 0, sizeof sin);
282 sin.sin_family = AF_INET;
283 if (lookup_ip(host_name, &sin.sin_addr)) {
286 sin.sin_port = htons(port_string && *port_string ? atoi(port_string)
290 fd = socket(AF_INET, SOCK_STREAM, 0);
292 VLOG_ERR("%s: socket: %s", name, strerror(errno));
295 retval = set_nonblocking(fd);
301 /* Connect socket. */
302 retval = connect(fd, (struct sockaddr *) &sin, sizeof sin);
304 if (errno == EINPROGRESS) {
305 return new_ssl_vconn(name, fd, CLIENT, STATE_TCP_CONNECTING,
309 VLOG_ERR("%s: connect: %s", name, strerror(error));
314 return new_ssl_vconn(name, fd, CLIENT, STATE_SSL_CONNECTING,
320 ssl_connect(struct vconn *vconn)
322 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
325 switch (sslv->state) {
326 case STATE_TCP_CONNECTING:
327 retval = check_connection_completion(sslv->fd);
331 sslv->state = STATE_SSL_CONNECTING;
334 case STATE_SSL_CONNECTING:
335 retval = (sslv->type == CLIENT
336 ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl));
338 int error = SSL_get_error(sslv->ssl, retval);
339 if (retval < 0 && ssl_wants_io(error)) {
343 interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect"
344 : "SSL_accept"), retval, error, &unused);
345 shutdown(sslv->fd, SHUT_RDWR);
357 ssl_close(struct vconn *vconn)
359 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
360 poll_cancel(sslv->tx_waiter);
367 interpret_ssl_error(const char *function, int ret, int error,
374 VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function);
377 case SSL_ERROR_ZERO_RETURN:
378 VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function);
381 case SSL_ERROR_WANT_READ:
385 case SSL_ERROR_WANT_WRITE:
389 case SSL_ERROR_WANT_CONNECT:
390 VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function);
393 case SSL_ERROR_WANT_ACCEPT:
394 VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function);
397 case SSL_ERROR_WANT_X509_LOOKUP:
398 VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP",
402 case SSL_ERROR_SYSCALL: {
403 int queued_error = ERR_get_error();
404 if (queued_error == 0) {
407 VLOG_WARN_RL(&rl, "%s: system error (%s)",
408 function, strerror(status));
411 VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
416 VLOG_DBG_RL(&rl, "%s: %s",
417 function, ERR_error_string(queued_error, NULL));
422 case SSL_ERROR_SSL: {
423 int queued_error = ERR_get_error();
424 if (queued_error != 0) {
425 VLOG_DBG_RL(&rl, "%s: %s",
426 function, ERR_error_string(queued_error, NULL));
428 VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error",
435 VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error);
442 ssl_recv(struct vconn *vconn, struct ofpbuf **bufferp)
444 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
450 if (sslv->rxbuf == NULL) {
451 sslv->rxbuf = ofpbuf_new(1564);
456 if (sizeof(struct ofp_header) > rx->size) {
457 want_bytes = sizeof(struct ofp_header) - rx->size;
459 struct ofp_header *oh = rx->data;
460 size_t length = ntohs(oh->length);
461 if (length < sizeof(struct ofp_header)) {
462 VLOG_ERR_RL(&rl, "received too-short ofp_header (%zu bytes)",
466 want_bytes = length - rx->size;
473 ofpbuf_prealloc_tailroom(rx, want_bytes);
475 /* Behavior of zero-byte SSL_read is poorly defined. */
476 assert(want_bytes > 0);
478 old_state = SSL_get_state(sslv->ssl);
479 ret = SSL_read(sslv->ssl, ofpbuf_tail(rx), want_bytes);
480 if (old_state != SSL_get_state(sslv->ssl)) {
481 sslv->tx_want = SSL_NOTHING;
482 if (sslv->tx_waiter) {
483 poll_cancel(sslv->tx_waiter);
484 ssl_tx_poll_callback(sslv->fd, POLLIN, vconn);
487 sslv->rx_want = SSL_NOTHING;
491 if (ret == want_bytes) {
492 if (rx->size > sizeof(struct ofp_header)) {
502 int error = SSL_get_error(sslv->ssl, ret);
503 if (error == SSL_ERROR_ZERO_RETURN) {
504 /* Connection closed (EOF). */
506 VLOG_WARN_RL(&rl, "SSL_read: unexpected connection close");
512 return interpret_ssl_error("SSL_read", ret, error, &sslv->rx_want);
518 ssl_clear_txbuf(struct ssl_vconn *sslv)
520 ofpbuf_delete(sslv->txbuf);
522 sslv->tx_waiter = NULL;
526 ssl_register_tx_waiter(struct vconn *vconn)
528 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
529 sslv->tx_waiter = poll_fd_callback(sslv->fd,
530 want_to_poll_events(sslv->tx_want),
531 ssl_tx_poll_callback, vconn);
535 ssl_do_tx(struct vconn *vconn)
537 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
540 int old_state = SSL_get_state(sslv->ssl);
541 int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size);
542 if (old_state != SSL_get_state(sslv->ssl)) {
543 sslv->rx_want = SSL_NOTHING;
545 sslv->tx_want = SSL_NOTHING;
547 ofpbuf_pull(sslv->txbuf, ret);
548 if (sslv->txbuf->size == 0) {
552 int ssl_error = SSL_get_error(sslv->ssl, ret);
553 if (ssl_error == SSL_ERROR_ZERO_RETURN) {
554 VLOG_WARN_RL(&rl, "SSL_write: connection closed");
557 return interpret_ssl_error("SSL_write", ret, ssl_error,
565 ssl_tx_poll_callback(int fd UNUSED, short int revents UNUSED, void *vconn_)
567 struct vconn *vconn = vconn_;
568 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
569 int error = ssl_do_tx(vconn);
570 if (error != EAGAIN) {
571 ssl_clear_txbuf(sslv);
573 ssl_register_tx_waiter(vconn);
578 ssl_send(struct vconn *vconn, struct ofpbuf *buffer)
580 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
587 sslv->txbuf = buffer;
588 error = ssl_do_tx(vconn);
591 ssl_clear_txbuf(sslv);
594 ssl_register_tx_waiter(vconn);
604 ssl_wait(struct vconn *vconn, enum vconn_wait_type wait)
606 struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
610 if (vconn_connect(vconn) != EAGAIN) {
611 poll_immediate_wake();
613 switch (sslv->state) {
614 case STATE_TCP_CONNECTING:
615 poll_fd_wait(sslv->fd, POLLOUT);
618 case STATE_SSL_CONNECTING:
619 /* ssl_connect() called SSL_accept() or SSL_connect(), which
620 * set up the status that we test here. */
621 poll_fd_wait(sslv->fd,
622 want_to_poll_events(SSL_want(sslv->ssl)));
632 if (sslv->rx_want != SSL_NOTHING) {
633 poll_fd_wait(sslv->fd, want_to_poll_events(sslv->rx_want));
635 poll_immediate_wake();
641 /* We have room in our tx queue. */
642 poll_immediate_wake();
644 /* The call to ssl_tx_poll_callback() will wake us up. */
653 struct vconn_class ssl_vconn_class = {
656 ssl_close, /* close */
657 ssl_connect, /* connect */
672 static struct pssl_vconn *
673 pssl_vconn_cast(struct vconn *vconn)
675 assert(vconn->class == &pssl_vconn_class);
676 return CONTAINER_OF(vconn, struct pssl_vconn, vconn);
680 pssl_open(const char *name, char *suffix, struct vconn **vconnp)
682 struct sockaddr_in sin;
683 struct pssl_vconn *pssl;
686 unsigned int yes = 1;
694 fd = socket(AF_INET, SOCK_STREAM, 0);
697 VLOG_ERR("%s: socket: %s", name, strerror(error));
701 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof yes) < 0) {
703 VLOG_ERR("%s: setsockopt(SO_REUSEADDR): %s", name, strerror(errno));
707 memset(&sin, 0, sizeof sin);
708 sin.sin_family = AF_INET;
709 sin.sin_addr.s_addr = htonl(INADDR_ANY);
710 sin.sin_port = htons(atoi(suffix) ? atoi(suffix) : OFP_SSL_PORT);
711 retval = bind(fd, (struct sockaddr *) &sin, sizeof sin);
714 VLOG_ERR("%s: bind: %s", name, strerror(error));
719 retval = listen(fd, 10);
722 VLOG_ERR("%s: listen: %s", name, strerror(error));
727 retval = set_nonblocking(fd);
733 pssl = xmalloc(sizeof *pssl);
734 vconn_init(&pssl->vconn, &pssl_vconn_class, 0, 0, name);
736 *vconnp = &pssl->vconn;
741 pssl_close(struct vconn *vconn)
743 struct pssl_vconn *pssl = pssl_vconn_cast(vconn);
749 pssl_accept(struct vconn *vconn, struct vconn **new_vconnp)
751 struct pssl_vconn *pssl = pssl_vconn_cast(vconn);
752 struct sockaddr_in sin;
753 socklen_t sin_len = sizeof sin;
758 new_fd = accept(pssl->fd, &sin, &sin_len);
761 if (error != EAGAIN) {
762 VLOG_DBG_RL(&rl, "accept: %s", strerror(error));
767 error = set_nonblocking(new_fd);
773 sprintf(name, "ssl:"IP_FMT, IP_ARGS(&sin.sin_addr));
774 if (sin.sin_port != htons(OFP_SSL_PORT)) {
775 sprintf(strchr(name, '\0'), ":%"PRIu16, ntohs(sin.sin_port));
777 return new_ssl_vconn(name, new_fd, SERVER, STATE_SSL_CONNECTING, &sin,
782 pssl_wait(struct vconn *vconn, enum vconn_wait_type wait)
784 struct pssl_vconn *pssl = pssl_vconn_cast(vconn);
785 assert(wait == WAIT_ACCEPT);
786 poll_fd_wait(pssl->fd, POLLIN);
789 struct vconn_class pssl_vconn_class = {
791 pssl_open, /* open */
792 pssl_close, /* close */
794 pssl_accept, /* accept */
797 pssl_wait, /* wait */
801 * Returns true if OpenSSL error is WANT_READ or WANT_WRITE, indicating that
802 * OpenSSL is requesting that we call it back when the socket is ready for
803 * reading or writing, respectively.
806 ssl_wants_io(int ssl_error)
808 return (ssl_error == SSL_ERROR_WANT_WRITE
809 || ssl_error == SSL_ERROR_WANT_READ);
815 static int init_status = -1;
816 if (init_status < 0) {
817 init_status = do_ssl_init();
818 assert(init_status >= 0);
829 SSL_load_error_strings();
831 method = TLSv1_method();
832 if (method == NULL) {
833 VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));
837 ctx = SSL_CTX_new(method);
839 VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL));
842 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
843 SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
844 SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
845 SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
846 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
853 tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
858 DH *(*constructor)(void);
861 static struct dh dh_table[] = {
862 {1024, NULL, get_dh1024},
863 {2048, NULL, get_dh2048},
864 {4096, NULL, get_dh4096},
869 for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) {
870 if (dh->keylength == keylength) {
872 dh->dh = dh->constructor();
874 ofp_fatal(ENOMEM, "out of memory constructing "
875 "Diffie-Hellman parameters");
881 VLOG_ERR_RL(&rl, "no Diffie-Hellman parameters for key length %d",
886 /* Returns true if SSL is at least partially configured. */
888 vconn_ssl_is_configured(void)
890 return has_private_key || has_certificate || has_ca_cert;
894 vconn_ssl_set_private_key_file(const char *file_name)
899 if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) != 1) {
900 VLOG_ERR("SSL_use_PrivateKey_file: %s",
901 ERR_error_string(ERR_get_error(), NULL));
904 has_private_key = true;
908 vconn_ssl_set_certificate_file(const char *file_name)
913 if (SSL_CTX_use_certificate_chain_file(ctx, file_name) != 1) {
914 VLOG_ERR("SSL_use_certificate_file: %s",
915 ERR_error_string(ERR_get_error(), NULL));
918 has_certificate = true;
922 vconn_ssl_set_ca_cert_file(const char *file_name)
924 STACK_OF(X509_NAME) *ca_list;
930 /* Set up list of CAs that the server will accept from the client. */
931 ca_list = SSL_load_client_CA_file(file_name);
932 if (ca_list == NULL) {
933 VLOG_ERR("SSL_load_client_CA_file: %s",
934 ERR_error_string(ERR_get_error(), NULL));
937 SSL_CTX_set_client_CA_list(ctx, ca_list);
939 /* Set up CAs for OpenSSL to trust in verifying the peer's certificate. */
940 if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
941 VLOG_ERR("SSL_CTX_load_verify_locations: %s",
942 ERR_error_string(ERR_get_error(), NULL));