X-Git-Url: http://git.cascardo.eti.br/?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=26996338ac648e2be477bd17598918b971223d89;hb=HEAD;hp=941f77914674abe2b1d21f646dc38c36173f9180;hpb=f6b60e026eed9dcc68850c6f9e3b393e6a18fd49;p=cascardo%2Fovs.git diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 941f77914..26996338a 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010 Nicira Networks. + * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,33 +17,52 @@ #include #include "stream-ssl.h" #include "dhparams.h" -#include #include #include #include #include +#include +#include #include #include +#include #include #include #include -#include +#include #include #include +#include "coverage.h" #include "dynamic-string.h" -#include "leak-checker.h" +#include "entropy.h" #include "ofpbuf.h" #include "openflow/openflow.h" #include "packets.h" #include "poll-loop.h" -#include "socket-util.h" +#include "shash.h" #include "socket-util.h" #include "util.h" #include "stream-provider.h" #include "stream.h" +#include "timeval.h" +#include "openvswitch/vlog.h" + +#ifdef _WIN32 +/* Ref: https://www.openssl.org/support/faq.html#PROG2 + * Your application must link against the same version of the Win32 C-Runtime + * against which your openssl libraries were linked. The default version for + * OpenSSL is /MD - "Multithreaded DLL". If we compile Open vSwitch with + * something other than /MD, instead of re-compiling OpenSSL + * toolkit, openssl/applink.c can be #included. Also, it is important + * to add CRYPTO_malloc_init prior first call to OpenSSL. + * + * XXX: The behavior of the following #include when Open vSwitch is + * compiled with /MD is not tested. */ +#include +#define SHUT_RDWR SD_BOTH +#endif -#include "vlog.h" -#define THIS_MODULE VLM_stream_ssl +VLOG_DEFINE_THIS_MODULE(stream_ssl); /* Active SSL. */ @@ -61,11 +80,11 @@ struct ssl_stream { struct stream stream; enum ssl_state state; - int connect_error; enum session_type type; int fd; SSL *ssl; struct ofpbuf *txbuf; + unsigned int session_nr; /* rx_want and tx_want record the result of the last call to SSL_read() * and SSL_write(), respectively: @@ -124,25 +143,41 @@ struct ssl_stream * deadlock and livelock situations above. */ int rx_want, tx_want; + + /* A few bytes of header data in case SSL negotiation fails. */ + uint8_t head[2]; + short int n_head; }; /* SSL context created by ssl_init(). */ static SSL_CTX *ctx; -/* Required configuration. */ -static bool has_private_key, has_certificate, has_ca_cert; +struct ssl_config_file { + bool read; /* Whether the file was successfully read. */ + char *file_name; /* Configured file name, if any. */ + struct timespec mtime; /* File mtime as of last time we read it. */ +}; + +/* SSL configuration files. */ +static struct ssl_config_file private_key; +static struct ssl_config_file certificate; +static struct ssl_config_file ca_cert; + +/* Ordinarily, the SSL client and server verify each other's certificates using + * a CA certificate. Setting this to false disables this behavior. (This is a + * security risk.) */ +static bool verify_peer_cert = true; /* Ordinarily, we require a CA certificate for the peer to be locally - * available. 'has_ca_cert' is true when this is the case, and neither of the - * following variables matter. - * - * We can, however, bootstrap the CA certificate from the peer at the beginning - * of our first connection then use that certificate on all subsequent - * connections, saving it to a file for use in future runs also. In this case, - * 'has_ca_cert' is false, 'bootstrap_ca_cert' is true, and 'ca_cert_file' - * names the file to be saved. */ + * available. We can, however, bootstrap the CA certificate from the peer at + * the beginning of our first connection then use that certificate on all + * subsequent connections, saving it to a file for use in future runs also. In + * this case, 'bootstrap_ca_cert' is true. */ static bool bootstrap_ca_cert; -static char *ca_cert_file; + +/* Session number. Used in debug logging messages to uniquely identify a + * session. */ +static unsigned int next_session_nr; /* Who knows what can trigger various SSL errors, so let's throttle them down * quite a bit. */ @@ -153,17 +188,24 @@ static int do_ssl_init(void); static bool ssl_wants_io(int ssl_error); static void ssl_close(struct stream *); static void ssl_clear_txbuf(struct ssl_stream *); +static void interpret_queued_ssl_error(const char *function); static int interpret_ssl_error(const char *function, int ret, int error, int *want); -static DH *tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength); +static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); static void log_ca_cert(const char *file_name, X509 *cert); +static void stream_ssl_set_ca_cert_file__(const char *file_name, + bool bootstrap, bool force); +static void ssl_protocol_cb(int write_p, int version, int content_type, + const void *, size_t, SSL *, void *sslv_); +static bool update_ssl_config(struct ssl_config_file *, const char *file_name); +static int sock_errno(void); static short int want_to_poll_events(int want) { switch (want) { case SSL_NOTHING: - NOT_REACHED(); + OVS_NOT_REACHED(); case SSL_READING: return POLLIN; @@ -172,37 +214,33 @@ want_to_poll_events(int want) return POLLOUT; default: - NOT_REACHED(); + OVS_NOT_REACHED(); } } static int new_ssl_stream(const char *name, int fd, enum session_type type, - enum ssl_state state, const struct sockaddr_in *remote, - struct stream **streamp) + enum ssl_state state, struct stream **streamp) { - struct sockaddr_in local; - socklen_t local_len = sizeof local; struct ssl_stream *sslv; SSL *ssl = NULL; - int on = 1; int retval; /* Check for all the needful configuration. */ retval = 0; - if (!has_private_key) { + if (!private_key.read) { VLOG_ERR("Private key must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!has_certificate) { + if (!certificate.read) { VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!has_ca_cert && !bootstrap_ca_cert) { + if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!SSL_CTX_check_private_key(ctx)) { + if (!retval && !SSL_CTX_check_private_key(ctx)) { VLOG_ERR("Private key does not match certificate public key: %s", ERR_error_string(ERR_get_error(), NULL)); retval = ENOPROTOOPT; @@ -211,18 +249,11 @@ new_ssl_stream(const char *name, int fd, enum session_type type, goto error; } - /* Get the local IP and port information */ - retval = getsockname(fd, (struct sockaddr *) &local, &local_len); - if (retval) { - memset(&local, 0, sizeof local); - } - - /* Disable Nagle. */ - retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on); - if (retval) { - VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, strerror(errno)); - retval = errno; - goto error; + /* Disable Nagle. + * On windows platforms, this can only be called upon TCP connected. + */ + if (state == STATE_SSL_CONNECTING) { + setsockopt_tcp_nodelay(fd); } /* Create and configure OpenSSL stream. */ @@ -237,23 +268,27 @@ new_ssl_stream(const char *name, int fd, enum session_type type, retval = ENOPROTOOPT; goto error; } - if (bootstrap_ca_cert && type == CLIENT) { + if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } /* Create and return the ssl_stream. */ sslv = xmalloc(sizeof *sslv); stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); - stream_set_remote_ip(&sslv->stream, remote->sin_addr.s_addr); - stream_set_remote_port(&sslv->stream, remote->sin_port); - stream_set_local_ip(&sslv->stream, local.sin_addr.s_addr); - stream_set_local_port(&sslv->stream, local.sin_port); sslv->state = state; sslv->type = type; sslv->fd = fd; sslv->ssl = ssl; sslv->txbuf = NULL; sslv->rx_want = sslv->tx_want = SSL_NOTHING; + sslv->session_nr = next_session_nr++; + sslv->n_head = 0; + + if (VLOG_IS_DBG_ENABLED()) { + SSL_set_msg_callback(ssl, ssl_protocol_cb); + SSL_set_msg_callback_arg(ssl, sslv); + } + *streamp = &sslv->stream; return 0; @@ -261,7 +296,7 @@ error: if (ssl) { SSL_free(ssl); } - close(fd); + closesocket(fd); return retval; } @@ -273,9 +308,8 @@ ssl_stream_cast(struct stream *stream) } static int -ssl_open(const char *name, char *suffix, struct stream **streamp) +ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) { - struct sockaddr_in sin; int error, fd; error = ssl_init(); @@ -283,12 +317,13 @@ ssl_open(const char *name, char *suffix, struct stream **streamp) return error; } - error = inet_open_active(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin, &fd); + error = inet_open_active(SOCK_STREAM, suffix, OFP_PORT, NULL, &fd, + dscp); if (fd >= 0) { int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; - return new_ssl_stream(name, fd, CLIENT, state, &sin, streamp); + return new_ssl_stream(name, fd, CLIENT, state, streamp); } else { - VLOG_ERR("%s: connect: %s", name, strerror(error)); + VLOG_ERR("%s: connect: %s", name, ovs_strerror(error)); return error; } } @@ -298,7 +333,7 @@ do_ca_cert_bootstrap(struct stream *stream) { struct ssl_stream *sslv = ssl_stream_cast(stream); STACK_OF(X509) *chain; - X509 *ca_cert; + X509 *cert; FILE *file; int error; int fd; @@ -309,11 +344,11 @@ do_ca_cert_bootstrap(struct stream *stream) "peer"); return EPROTO; } - ca_cert = sk_X509_value(chain, sk_X509_num(chain) - 1); + cert = sk_X509_value(chain, sk_X509_num(chain) - 1); - /* Check that 'ca_cert' is self-signed. Otherwise it is not a CA + /* Check that 'cert' is self-signed. Otherwise it is not a CA * certificate and we should not attempt to use it as one. */ - error = X509_check_issued(ca_cert, ca_cert); + error = X509_check_issued(cert, cert); if (error) { VLOG_ERR("could not bootstrap CA cert: obtained certificate is " "not self-signed (%s)", @@ -325,53 +360,56 @@ do_ca_cert_bootstrap(struct stream *stream) return EPROTO; } - fd = open(ca_cert_file, O_CREAT | O_EXCL | O_WRONLY, 0444); + fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); if (fd < 0) { - VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", - ca_cert_file, strerror(errno)); - return errno; + if (errno == EEXIST) { + VLOG_INFO_RL(&rl, "reading CA cert %s created by another process", + ca_cert.file_name); + stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true); + return EPROTO; + } else { + VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", + ca_cert.file_name, ovs_strerror(errno)); + return errno; + } } file = fdopen(fd, "w"); if (!file) { - int error = errno; + error = errno; VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s", - strerror(error)); - unlink(ca_cert_file); + ovs_strerror(error)); + unlink(ca_cert.file_name); return error; } - if (!PEM_write_X509(file, ca_cert)) { + if (!PEM_write_X509(file, cert)) { VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: " - "%s", ca_cert_file, ERR_error_string(ERR_get_error(), NULL)); + "%s", ca_cert.file_name, + ERR_error_string(ERR_get_error(), NULL)); fclose(file); - unlink(ca_cert_file); + unlink(ca_cert.file_name); return EIO; } if (fclose(file)) { - int error = errno; + error = errno; VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s", - ca_cert_file, strerror(error)); - unlink(ca_cert_file); + ca_cert.file_name, ovs_strerror(error)); + unlink(ca_cert.file_name); return error; } - VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert_file); - log_ca_cert(ca_cert_file, ca_cert); + VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name); + log_ca_cert(ca_cert.file_name, cert); bootstrap_ca_cert = false; - has_ca_cert = true; + ca_cert.read = true; - /* SSL_CTX_add_client_CA makes a copy of ca_cert's relevant data. */ - SSL_CTX_add_client_CA(ctx, ca_cert); + /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */ + SSL_CTX_add_client_CA(ctx, cert); - /* SSL_CTX_use_certificate() takes ownership of the certificate passed in. - * 'ca_cert' is owned by sslv->ssl, so we need to duplicate it. */ - ca_cert = X509_dup(ca_cert); - if (!ca_cert) { - out_of_memory(); - } - if (SSL_CTX_load_verify_locations(ctx, ca_cert_file, NULL) != 1) { + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); + if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); return EPROTO; @@ -393,9 +431,17 @@ ssl_connect(struct stream *stream) return retval; } sslv->state = STATE_SSL_CONNECTING; + setsockopt_tcp_nodelay(sslv->fd); /* Fall through. */ case STATE_SSL_CONNECTING: + /* Capture the first few bytes of received data so that we can guess + * what kind of funny data we've been sent if SSL negotiation fails. */ + if (sslv->n_head <= 0) { + sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head, + MSG_PEEK); + } + retval = (sslv->type == CLIENT ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl)); if (retval != 1) { @@ -404,16 +450,20 @@ ssl_connect(struct stream *stream) return EAGAIN; } else { int unused; + interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect" : "SSL_accept"), retval, error, &unused); shutdown(sslv->fd, SHUT_RDWR); + stream_report_content(sslv->head, sslv->n_head, STREAM_SSL, + &this_module, stream_get_name(stream)); return EPROTO; } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); - } else if ((SSL_get_verify_mode(sslv->ssl) - & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) - != SSL_VERIFY_PEER) { + } else if (verify_peer_cert + && ((SSL_get_verify_mode(sslv->ssl) + & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) + != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected @@ -422,14 +472,14 @@ ssl_connect(struct stream *stream) * certificate, but that's more trouble than it's worth. These * connections will succeed the next time they retry, assuming that * they have a certificate against the correct CA.) */ - VLOG_ERR("rejecting SSL connection during bootstrap race window"); + VLOG_INFO("rejecting SSL connection during bootstrap race window"); return EPROTO; } else { return 0; } } - NOT_REACHED(); + OVS_NOT_REACHED(); } static void @@ -445,11 +495,28 @@ ssl_close(struct stream *stream) * background. */ SSL_shutdown(sslv->ssl); + /* SSL_shutdown() might have signaled an error, in which case we need to + * flush it out of the OpenSSL error queue or the next OpenSSL operation + * will falsely signal an error. */ + ERR_clear_error(); + SSL_free(sslv->ssl); - close(sslv->fd); + closesocket(sslv->fd); free(sslv); } +static void +interpret_queued_ssl_error(const char *function) +{ + int queued_error = ERR_get_error(); + if (queued_error != 0) { + VLOG_WARN_RL(&rl, "%s: %s", + function, ERR_error_string(queued_error, NULL)); + } else { + VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", function); + } +} + static int interpret_ssl_error(const char *function, int ret, int error, int *want) @@ -492,7 +559,7 @@ interpret_ssl_error(const char *function, int ret, int error, if (ret < 0) { int status = errno; VLOG_WARN_RL(&rl, "%s: system error (%s)", - function, strerror(status)); + function, ovs_strerror(status)); return status; } else { VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", @@ -506,17 +573,9 @@ interpret_ssl_error(const char *function, int ret, int error, } } - case SSL_ERROR_SSL: { - int queued_error = ERR_get_error(); - if (queued_error != 0) { - VLOG_WARN_RL(&rl, "%s: %s", - function, ERR_error_string(queued_error, NULL)); - } else { - VLOG_ERR_RL(&rl, "%s: SSL_ERROR_SSL without queued error", - function); - } + case SSL_ERROR_SSL: + interpret_queued_ssl_error(function); break; - } default: VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error); @@ -533,7 +592,7 @@ ssl_recv(struct stream *stream, void *buffer, size_t n) ssize_t ret; /* Behavior of zero-byte SSL_read is poorly defined. */ - assert(n > 0); + ovs_assert(n > 0); old_state = SSL_get_state(sslv->ssl); ret = SSL_read(sslv->ssl, buffer, n); @@ -609,7 +668,6 @@ ssl_send(struct stream *stream, const void *buffer, size_t n) ssl_clear_txbuf(sslv); return n; case EAGAIN: - leak_checker_claim(buffer); return n; default: sslv->txbuf = NULL; @@ -657,11 +715,11 @@ ssl_wait(struct stream *stream, enum stream_wait_type wait) /* ssl_connect() called SSL_accept() or SSL_connect(), which * set up the status that we test here. */ poll_fd_wait(sslv->fd, - want_to_poll_events(SSL_want(sslv->ssl))); + want_to_poll_events(SSL_want(sslv->ssl))); break; default: - NOT_REACHED(); + OVS_NOT_REACHED(); } } break; @@ -685,12 +743,13 @@ ssl_wait(struct stream *stream, enum stream_wait_type wait) break; default: - NOT_REACHED(); + OVS_NOT_REACHED(); } } -struct stream_class ssl_stream_class = { +const struct stream_class ssl_stream_class = { "ssl", /* name */ + true, /* needs_probes */ ssl_open, /* open */ ssl_close, /* close */ ssl_connect, /* connect */ @@ -709,7 +768,7 @@ struct pssl_pstream int fd; }; -struct pstream_class pssl_pstream_class; +const struct pstream_class pssl_pstream_class; static struct pssl_pstream * pssl_pstream_cast(struct pstream *pstream) @@ -719,11 +778,14 @@ pssl_pstream_cast(struct pstream *pstream) } static int -pssl_open(const char *name UNUSED, char *suffix, struct pstream **pstreamp) +pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, + uint8_t dscp) { + char bound_name[SS_NTOP_BUFSIZE + 16]; + char addrbuf[SS_NTOP_BUFSIZE]; + struct sockaddr_storage ss; struct pssl_pstream *pssl; - struct sockaddr_in sin; - char bound_name[128]; + uint16_t port; int retval; int fd; @@ -732,15 +794,18 @@ pssl_open(const char *name UNUSED, char *suffix, struct pstream **pstreamp) return retval; } - fd = inet_open_passive(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin); + fd = inet_open_passive(SOCK_STREAM, suffix, OFP_PORT, &ss, dscp, true); if (fd < 0) { return -fd; } - sprintf(bound_name, "pssl:%"PRIu16":"IP_FMT, - ntohs(sin.sin_port), IP_ARGS(&sin.sin_addr.s_addr)); + + port = ss_get_port(&ss); + snprintf(bound_name, sizeof bound_name, "pssl:%"PRIu16":%s", + port, ss_format_address(&ss, addrbuf, sizeof addrbuf)); pssl = xmalloc(sizeof *pssl); pstream_init(&pssl->pstream, &pssl_pstream_class, bound_name); + pstream_set_bound_port(&pssl->pstream, htons(port)); pssl->fd = fd; *pstreamp = &pssl->pstream; return 0; @@ -750,7 +815,7 @@ static void pssl_close(struct pstream *pstream) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); - close(pssl->fd); + closesocket(pssl->fd); free(pssl); } @@ -758,33 +823,38 @@ static int pssl_accept(struct pstream *pstream, struct stream **new_streamp) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); - struct sockaddr_in sin; - socklen_t sin_len = sizeof sin; - char name[128]; + char name[SS_NTOP_BUFSIZE + 16]; + char addrbuf[SS_NTOP_BUFSIZE]; + struct sockaddr_storage ss; + socklen_t ss_len = sizeof ss; int new_fd; int error; - new_fd = accept(pssl->fd, &sin, &sin_len); + new_fd = accept(pssl->fd, (struct sockaddr *) &ss, &ss_len); if (new_fd < 0) { - int error = errno; + error = sock_errno(); +#ifdef _WIN32 + if (error == WSAEWOULDBLOCK) { + error = EAGAIN; + } +#endif if (error != EAGAIN) { - VLOG_DBG_RL(&rl, "accept: %s", strerror(error)); + VLOG_DBG_RL(&rl, "accept: %s", sock_strerror(error)); } return error; } error = set_nonblocking(new_fd); if (error) { - close(new_fd); + closesocket(new_fd); return error; } - sprintf(name, "ssl:"IP_FMT, IP_ARGS(&sin.sin_addr)); - if (sin.sin_port != htons(OFP_SSL_PORT)) { - sprintf(strchr(name, '\0'), ":%"PRIu16, ntohs(sin.sin_port)); - } - return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, &sin, - new_streamp); + snprintf(name, sizeof name, "ssl:%s:%"PRIu16, + ss_format_address(&ss, addrbuf, sizeof addrbuf), + ss_get_port(&ss)); + return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, + new_streamp); } static void @@ -794,8 +864,9 @@ pssl_wait(struct pstream *pstream) poll_fd_wait(pssl->fd, POLLIN); } -struct pstream_class pssl_pstream_class = { +const struct pstream_class pssl_pstream_class = { "pssl", + true, pssl_open, pssl_close, pssl_accept, @@ -820,7 +891,7 @@ ssl_init(void) static int init_status = -1; if (init_status < 0) { init_status = do_ssl_init(); - assert(init_status >= 0); + ovs_assert(init_status >= 0); } return init_status; } @@ -830,10 +901,54 @@ do_ssl_init(void) { SSL_METHOD *method; +#ifdef _WIN32 + /* The following call is needed if we "#include ". */ + CRYPTO_malloc_init(); +#endif SSL_library_init(); SSL_load_error_strings(); - method = TLSv1_method(); + if (!RAND_status()) { + /* We occasionally see OpenSSL fail to seed its random number generator + * in heavily loaded hypervisors. I suspect the following scenario: + * + * 1. OpenSSL calls read() to get 32 bytes from /dev/urandom. + * 2. The kernel generates 10 bytes of randomness and copies it out. + * 3. A signal arrives (perhaps SIGALRM). + * 4. The kernel interrupts the system call to service the signal. + * 5. Userspace gets 10 bytes of entropy. + * 6. OpenSSL doesn't read again to get the final 22 bytes. Therefore + * OpenSSL doesn't have enough entropy to consider itself + * initialized. + * + * The only part I'm not entirely sure about is #6, because the OpenSSL + * code is so hard to read. */ + uint8_t seed[32]; + int retval; + + VLOG_WARN("OpenSSL random seeding failed, reseeding ourselves"); + + retval = get_entropy(seed, sizeof seed); + if (retval) { + VLOG_ERR("failed to obtain entropy (%s)", + ovs_retval_to_string(retval)); + return retval > 0 ? retval : ENOPROTOOPT; + } + + RAND_seed(seed, sizeof seed); + } + + /* OpenSSL has a bunch of "connection methods": SSLv2_method(), + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 + * only, not any earlier *or later* version. The only exception is + * SSLv23_method(), which in fact supports *any* version of SSL and TLS. + * We don't want SSLv2 or SSLv3 support, so we turn it off below with + * SSL_CTX_set_options(). + * + * The cast is needed to avoid a warning with newer versions of OpenSSL in + * which SSLv23_method() returns a "const" pointer. */ + method = CONST_CAST(SSL_METHOD *, SSLv23_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; @@ -850,12 +965,13 @@ do_ssl_init(void) SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); return 0; } static DH * -tmp_dh_callback(SSL *ssl UNUSED, int is_export UNUSED, int keylength) +tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) { struct dh { int keylength; @@ -876,8 +992,7 @@ tmp_dh_callback(SSL *ssl UNUSED, int is_export UNUSED, int keylength) if (!dh->dh) { dh->dh = dh->constructor(); if (!dh->dh) { - ovs_fatal(ENOMEM, "out of memory constructing " - "Diffie-Hellman parameters"); + out_of_memory(); } } return dh->dh; @@ -890,37 +1005,113 @@ tmp_dh_callback(SSL *ssl UNUSED, int is_export UNUSED, int keylength) /* Returns true if SSL is at least partially configured. */ bool -stream_ssl_is_configured(void) +stream_ssl_is_configured(void) { - return has_private_key || has_certificate || has_ca_cert; + return private_key.file_name || certificate.file_name || ca_cert.file_name; } -void -stream_ssl_set_private_key_file(const char *file_name) +static bool +update_ssl_config(struct ssl_config_file *config, const char *file_name) { - if (ssl_init()) { - return; + struct timespec mtime; + int error; + + if (ssl_init() || !file_name) { + return false; + } + + /* If the file name hasn't changed and neither has the file contents, stop + * here. */ + error = get_mtime(file_name, &mtime); + if (error && error != ENOENT) { + VLOG_ERR_RL(&rl, "%s: stat failed (%s)", + file_name, ovs_strerror(error)); + } + if (config->file_name + && !strcmp(config->file_name, file_name) + && mtime.tv_sec == config->mtime.tv_sec + && mtime.tv_nsec == config->mtime.tv_nsec) { + return false; } - if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) != 1) { + + /* Update 'config'. */ + config->mtime = mtime; + if (file_name != config->file_name) { + free(config->file_name); + config->file_name = xstrdup(file_name); + } + return true; +} + +static void +stream_ssl_set_private_key_file__(const char *file_name) +{ + if (SSL_CTX_use_PrivateKey_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { + private_key.read = true; + } else { VLOG_ERR("SSL_use_PrivateKey_file: %s", ERR_error_string(ERR_get_error(), NULL)); - return; } - has_private_key = true; } void -stream_ssl_set_certificate_file(const char *file_name) +stream_ssl_set_private_key_file(const char *file_name) { - if (ssl_init()) { - return; + if (update_ssl_config(&private_key, file_name)) { + stream_ssl_set_private_key_file__(file_name); } - if (SSL_CTX_use_certificate_chain_file(ctx, file_name) != 1) { +} + +static void +stream_ssl_set_certificate_file__(const char *file_name) +{ + if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { + certificate.read = true; + } else { VLOG_ERR("SSL_use_certificate_file: %s", ERR_error_string(ERR_get_error(), NULL)); - return; } - has_certificate = true; +} + +void +stream_ssl_set_certificate_file(const char *file_name) +{ + if (update_ssl_config(&certificate, file_name)) { + stream_ssl_set_certificate_file__(file_name); + } +} + +/* Sets the private key and certificate files in one operation. Use this + * interface, instead of calling stream_ssl_set_private_key_file() and + * stream_ssl_set_certificate_file() individually, in the main loop of a + * long-running program whose key and certificate might change at runtime. + * + * This is important because of OpenSSL's behavior. If an OpenSSL context + * already has a certificate, and stream_ssl_set_private_key_file() is called + * to install a new private key, OpenSSL will report an error because the new + * private key does not match the old certificate. The other order, of setting + * a new certificate, then setting a new private key, does work. + * + * If this were the only problem, calling stream_ssl_set_certificate_file() + * before stream_ssl_set_private_key_file() would fix it. But, if the private + * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new + * private key in place before the certificate), then OpenSSL would reject that + * change, and then the change of certificate would succeed, but there would be + * no associated private key (because it had only changed once and therefore + * there was no point in re-reading it). + * + * This function avoids both problems by, whenever either the certificate or + * the private key file changes, re-reading both of them, in the correct order. + */ +void +stream_ssl_set_key_and_cert(const char *private_key_file, + const char *certificate_file) +{ + if (update_ssl_config(&private_key, private_key_file) + || update_ssl_config(&certificate, certificate_file)) { + stream_ssl_set_certificate_file__(certificate_file); + stream_ssl_set_private_key_file__(private_key_file); + } } /* Reads the X509 certificate or certificates in file 'file_name'. On success, @@ -942,7 +1133,7 @@ read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) file = fopen(file_name, "r"); if (!file) { VLOG_ERR("failed to open %s for reading: %s", - file_name, strerror(errno)); + file_name, ovs_strerror(errno)); return errno; } @@ -963,6 +1154,7 @@ read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) free(*certs); *certs = NULL; *n_certs = 0; + fclose(file); return EIO; } @@ -1030,16 +1222,56 @@ log_ca_cert(const char *file_name, X509 *cert) if (i) { ds_put_char(&fp, ':'); } - ds_put_format(&fp, "%02hhx", digest[i]); + ds_put_format(&fp, "%02x", digest[i]); } } subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); VLOG_INFO("Trusting CA cert from %s (%s) (fingerprint %s)", file_name, subject ? subject : "", ds_cstr(&fp)); - free(subject); + OPENSSL_free(subject); ds_destroy(&fp); } +static void +stream_ssl_set_ca_cert_file__(const char *file_name, + bool bootstrap, bool force) +{ + struct stat s; + + if (!update_ssl_config(&ca_cert, file_name) && !force) { + return; + } + + if (!strcmp(file_name, "none")) { + verify_peer_cert = false; + VLOG_WARN("Peer certificate validation disabled " + "(this is a security risk)"); + } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { + bootstrap_ca_cert = true; + } else { + STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(file_name); + if (cert_names) { + /* Set up list of CAs that the server will accept from the + * client. */ + SSL_CTX_set_client_CA_list(ctx, cert_names); + + /* Set up CAs for OpenSSL to trust in verifying the peer's + * certificate. */ + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); + if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { + VLOG_ERR("SSL_CTX_load_verify_locations: %s", + ERR_error_string(ERR_get_error(), NULL)); + return; + } + bootstrap_ca_cert = false; + } else { + VLOG_ERR("failed to load client certificates from %s: %s", + file_name, ERR_error_string(ERR_get_error(), NULL)); + } + } + ca_cert.read = true; +} + /* Sets 'file_name' as the name of the file from which to read the CA * certificate used to verify the peer within SSL connections. If 'bootstrap' * is false, the file must exist. If 'bootstrap' is false, then the file is @@ -1048,42 +1280,100 @@ log_ca_cert(const char *file_name, X509 *cert) void stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) { - X509 **certs; - size_t n_certs; - struct stat s; + stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); +} + +/* SSL protocol logging. */ - if (ssl_init()) { - return; +static const char * +ssl_alert_level_to_string(uint8_t type) +{ + switch (type) { + case 1: return "warning"; + case 2: return "fatal"; + default: return ""; } +} - if (bootstrap && stat(file_name, &s) && errno == ENOENT) { - bootstrap_ca_cert = true; - ca_cert_file = xstrdup(file_name); - } else if (!read_cert_file(file_name, &certs, &n_certs)) { - size_t i; +static const char * +ssl_alert_description_to_string(uint8_t type) +{ + switch (type) { + case 0: return "close_notify"; + case 10: return "unexpected_message"; + case 20: return "bad_record_mac"; + case 21: return "decryption_failed"; + case 22: return "record_overflow"; + case 30: return "decompression_failure"; + case 40: return "handshake_failure"; + case 42: return "bad_certificate"; + case 43: return "unsupported_certificate"; + case 44: return "certificate_revoked"; + case 45: return "certificate_expired"; + case 46: return "certificate_unknown"; + case 47: return "illegal_parameter"; + case 48: return "unknown_ca"; + case 49: return "access_denied"; + case 50: return "decode_error"; + case 51: return "decrypt_error"; + case 60: return "export_restriction"; + case 70: return "protocol_version"; + case 71: return "insufficient_security"; + case 80: return "internal_error"; + case 90: return "user_canceled"; + case 100: return "no_renegotiation"; + default: return ""; + } +} - /* Set up list of CAs that the server will accept from the client. */ - for (i = 0; i < n_certs; i++) { - /* SSL_CTX_add_client_CA makes a copy of the relevant data. */ - if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) { - VLOG_ERR("failed to add client certificate %d from %s: %s", - i, file_name, - ERR_error_string(ERR_get_error(), NULL)); - } else { - log_ca_cert(file_name, certs[i]); - } - X509_free(certs[i]); - } - free(certs); +static const char * +ssl_handshake_type_to_string(uint8_t type) +{ + switch (type) { + case 0: return "hello_request"; + case 1: return "client_hello"; + case 2: return "server_hello"; + case 11: return "certificate"; + case 12: return "server_key_exchange"; + case 13: return "certificate_request"; + case 14: return "server_hello_done"; + case 15: return "certificate_verify"; + case 16: return "client_key_exchange"; + case 20: return "finished"; + default: return ""; + } +} - /* Set up CAs for OpenSSL to trust in verifying the peer's - * certificate. */ - if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { - VLOG_ERR("SSL_CTX_load_verify_locations: %s", - ERR_error_string(ERR_get_error(), NULL)); - return; - } +static void +ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type, + const void *buf_, size_t len, SSL *ssl OVS_UNUSED, void *sslv_) +{ + const struct ssl_stream *sslv = sslv_; + const uint8_t *buf = buf_; + struct ds details; + + if (!VLOG_IS_DBG_ENABLED()) { + return; + } - has_ca_cert = true; + ds_init(&details); + if (content_type == 20) { + ds_put_cstr(&details, "change_cipher_spec"); + } else if (content_type == 21) { + ds_put_format(&details, "alert: %s, %s", + ssl_alert_level_to_string(buf[0]), + ssl_alert_description_to_string(buf[1])); + } else if (content_type == 22) { + ds_put_format(&details, "handshake: %s", + ssl_handshake_type_to_string(buf[0])); + } else { + ds_put_format(&details, "type %d", content_type); } + + VLOG_DBG("%s%u%s%s %s (%"PRIuSIZE" bytes)", + sslv->type == CLIENT ? "client" : "server", + sslv->session_nr, write_p ? "-->" : "<--", + stream_get_name(&sslv->stream), ds_cstr(&details), len); + + ds_destroy(&details); }