X-Git-Url: http://git.cascardo.eti.br/?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=dd400102c16eb3c837e64b4230ce0c5788782aef;hb=b7ccaf673e7669499155ccf2cacdfeb9971417b7;hp=f2bd5137c9028ce828561968c8c37f46fa9d99cd;hpb=34582733d9aad82bba60f4bf986b62d58412502a;p=cascardo%2Fovs.git diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index f2bd5137c..dd400102c 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. + * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,7 +29,7 @@ #include #include #include -#include +#include #include #include #include "coverage.h" @@ -47,6 +47,21 @@ #include "timeval.h" #include "vlog.h" +#ifdef _WIN32 +/* Ref: https://www.openssl.org/support/faq.html#PROG2 + * Your application must link against the same version of the Win32 C-Runtime + * against which your openssl libraries were linked. The default version for + * OpenSSL is /MD - "Multithreaded DLL". If we compile Open vSwitch with + * something other than /MD, instead of re-compiling OpenSSL + * toolkit, openssl/applink.c can be #included. Also, it is important + * to add CRYPTO_malloc_init prior first call to OpenSSL. + * + * XXX: The behavior of the following #include when Open vSwitch is + * compiled with /MD is not tested. */ +#include +#define SHUT_RDWR SD_BOTH +#endif + VLOG_DEFINE_THIS_MODULE(stream_ssl); /* Active SSL. */ @@ -183,13 +198,14 @@ static void stream_ssl_set_ca_cert_file__(const char *file_name, static void ssl_protocol_cb(int write_p, int version, int content_type, const void *, size_t, SSL *, void *sslv_); static bool update_ssl_config(struct ssl_config_file *, const char *file_name); +static int sock_errno(void); static short int want_to_poll_events(int want) { switch (want) { case SSL_NOTHING: - NOT_REACHED(); + OVS_NOT_REACHED(); case SSL_READING: return POLLIN; @@ -198,20 +214,32 @@ want_to_poll_events(int want) return POLLOUT; default: - NOT_REACHED(); + OVS_NOT_REACHED(); + } +} + +static int +setsockopt_tcp_nodelay(int fd) +{ + int on = 1; + int retval; + + retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on); + if (retval) { + retval = sock_errno(); + VLOG_ERR("setsockopt(TCP_NODELAY): %s", sock_strerror(retval)); } + return retval; } static int new_ssl_stream(const char *name, int fd, enum session_type type, - enum ssl_state state, const struct sockaddr_in *remote, - struct stream **streamp) + enum ssl_state state, struct stream **streamp) { - struct sockaddr_in local; + struct sockaddr_storage local; socklen_t local_len = sizeof local; struct ssl_stream *sslv; SSL *ssl = NULL; - int on = 1; int retval; /* Check for all the needful configuration. */ @@ -243,12 +271,14 @@ new_ssl_stream(const char *name, int fd, enum session_type type, memset(&local, 0, sizeof local); } - /* Disable Nagle. */ - retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on); - if (retval) { - VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, ovs_strerror(errno)); - retval = errno; - goto error; + /* Disable Nagle. + * On windows platforms, this can only be called upon TCP connected. + */ + if (state == STATE_SSL_CONNECTING) { + retval = setsockopt_tcp_nodelay(fd); + if (retval) { + goto error; + } } /* Create and configure OpenSSL stream. */ @@ -270,10 +300,6 @@ new_ssl_stream(const char *name, int fd, enum session_type type, /* Create and return the ssl_stream. */ sslv = xmalloc(sizeof *sslv); stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name); - stream_set_remote_ip(&sslv->stream, remote->sin_addr.s_addr); - stream_set_remote_port(&sslv->stream, remote->sin_port); - stream_set_local_ip(&sslv->stream, local.sin_addr.s_addr); - stream_set_local_port(&sslv->stream, local.sin_port); sslv->state = state; sslv->type = type; sslv->fd = fd; @@ -295,7 +321,7 @@ error: if (ssl) { SSL_free(ssl); } - close(fd); + closesocket(fd); return retval; } @@ -309,7 +335,6 @@ ssl_stream_cast(struct stream *stream) static int ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) { - struct sockaddr_in sin; int error, fd; error = ssl_init(); @@ -317,11 +342,11 @@ ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) return error; } - error = inet_open_active(SOCK_STREAM, suffix, OFP_OLD_PORT, &sin, &fd, + error = inet_open_active(SOCK_STREAM, suffix, OFP_OLD_PORT, NULL, &fd, dscp); if (fd >= 0) { int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; - return new_ssl_stream(name, fd, CLIENT, state, &sin, streamp); + return new_ssl_stream(name, fd, CLIENT, state, streamp); } else { VLOG_ERR("%s: connect: %s", name, ovs_strerror(error)); return error; @@ -437,6 +462,10 @@ ssl_connect(struct stream *stream) return retval; } sslv->state = STATE_SSL_CONNECTING; + retval = setsockopt_tcp_nodelay(sslv->fd); + if (retval) { + return retval; + } /* Fall through. */ case STATE_SSL_CONNECTING: @@ -484,7 +513,7 @@ ssl_connect(struct stream *stream) } } - NOT_REACHED(); + OVS_NOT_REACHED(); } static void @@ -506,7 +535,7 @@ ssl_close(struct stream *stream) ERR_clear_error(); SSL_free(sslv->ssl); - close(sslv->fd); + closesocket(sslv->fd); free(sslv); } @@ -633,14 +662,15 @@ ssl_do_tx(struct stream *stream) for (;;) { int old_state = SSL_get_state(sslv->ssl); - int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size); + int ret = SSL_write(sslv->ssl, + ofpbuf_data(sslv->txbuf), ofpbuf_size(sslv->txbuf)); if (old_state != SSL_get_state(sslv->ssl)) { sslv->rx_want = SSL_NOTHING; } sslv->tx_want = SSL_NOTHING; if (ret > 0) { ofpbuf_pull(sslv->txbuf, ret); - if (sslv->txbuf->size == 0) { + if (ofpbuf_size(sslv->txbuf) == 0) { return 0; } } else { @@ -720,11 +750,11 @@ ssl_wait(struct stream *stream, enum stream_wait_type wait) /* ssl_connect() called SSL_accept() or SSL_connect(), which * set up the status that we test here. */ poll_fd_wait(sslv->fd, - want_to_poll_events(SSL_want(sslv->ssl))); + want_to_poll_events(SSL_want(sslv->ssl))); break; default: - NOT_REACHED(); + OVS_NOT_REACHED(); } } break; @@ -748,7 +778,7 @@ ssl_wait(struct stream *stream, enum stream_wait_type wait) break; default: - NOT_REACHED(); + OVS_NOT_REACHED(); } } @@ -786,9 +816,11 @@ static int pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, uint8_t dscp) { + char bound_name[SS_NTOP_BUFSIZE + 16]; + char addrbuf[SS_NTOP_BUFSIZE]; + struct sockaddr_storage ss; struct pssl_pstream *pssl; - struct sockaddr_in sin; - char bound_name[128]; + uint16_t port; int retval; int fd; @@ -797,16 +829,18 @@ pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, return retval; } - fd = inet_open_passive(SOCK_STREAM, suffix, OFP_OLD_PORT, &sin, dscp); + fd = inet_open_passive(SOCK_STREAM, suffix, OFP_OLD_PORT, &ss, dscp, true); if (fd < 0) { return -fd; } - sprintf(bound_name, "pssl:%"PRIu16":"IP_FMT, - ntohs(sin.sin_port), IP_ARGS(sin.sin_addr.s_addr)); + + port = ss_get_port(&ss); + snprintf(bound_name, sizeof bound_name, "ptcp:%"PRIu16":%s", + port, ss_format_address(&ss, addrbuf, sizeof addrbuf)); pssl = xmalloc(sizeof *pssl); pstream_init(&pssl->pstream, &pssl_pstream_class, bound_name); - pstream_set_bound_port(&pssl->pstream, sin.sin_port); + pstream_set_bound_port(&pssl->pstream, htons(port)); pssl->fd = fd; *pstreamp = &pssl->pstream; return 0; @@ -816,7 +850,7 @@ static void pssl_close(struct pstream *pstream) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); - close(pssl->fd); + closesocket(pssl->fd); free(pssl); } @@ -824,32 +858,37 @@ static int pssl_accept(struct pstream *pstream, struct stream **new_streamp) { struct pssl_pstream *pssl = pssl_pstream_cast(pstream); - struct sockaddr_in sin; - socklen_t sin_len = sizeof sin; - char name[128]; + char name[SS_NTOP_BUFSIZE + 16]; + char addrbuf[SS_NTOP_BUFSIZE]; + struct sockaddr_storage ss; + socklen_t ss_len = sizeof ss; int new_fd; int error; - new_fd = accept(pssl->fd, (struct sockaddr *) &sin, &sin_len); + new_fd = accept(pssl->fd, (struct sockaddr *) &ss, &ss_len); if (new_fd < 0) { - error = errno; + error = sock_errno(); +#ifdef _WIN32 + if (error == WSAEWOULDBLOCK) { + error = EAGAIN; + } +#endif if (error != EAGAIN) { - VLOG_DBG_RL(&rl, "accept: %s", ovs_strerror(error)); + VLOG_DBG_RL(&rl, "accept: %s", sock_strerror(error)); } return error; } error = set_nonblocking(new_fd); if (error) { - close(new_fd); + closesocket(new_fd); return error; } - sprintf(name, "ssl:"IP_FMT, IP_ARGS(sin.sin_addr.s_addr)); - if (sin.sin_port != htons(OFP_OLD_PORT)) { - sprintf(strchr(name, '\0'), ":%"PRIu16, ntohs(sin.sin_port)); - } - return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, &sin, + snprintf(name, sizeof name, "tcp:%s:%"PRIu16, + ss_format_address(&ss, addrbuf, sizeof addrbuf), + ss_get_port(&ss)); + return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, new_streamp); } @@ -905,6 +944,10 @@ do_ssl_init(void) { SSL_METHOD *method; +#ifdef _WIN32 + /* The following call is needed if we "#include ". */ + CRYPTO_malloc_init(); +#endif SSL_library_init(); SSL_load_error_strings(); @@ -938,9 +981,17 @@ do_ssl_init(void) RAND_seed(seed, sizeof seed); } - /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the - * cast is needed to avoid a warning with those newer versions. */ - method = CONST_CAST(SSL_METHOD *, TLSv1_method()); + /* OpenSSL has a bunch of "connection methods": SSLv2_method(), + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 + * only, not any earlier *or later* version. The only exception is + * SSLv23_method(), which in fact supports *any* version of SSL and TLS. + * We don't want SSLv2 or SSLv3 support, so we turn it off below with + * SSL_CTX_set_options(). + * + * The cast is needed to avoid a warning with newer versions of OpenSSL in + * which SSLv23_method() returns a "const" pointer. */ + method = CONST_CAST(SSL_METHOD *, SSLv23_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; @@ -1145,6 +1196,7 @@ read_cert_file(const char *file_name, X509 ***certs, size_t *n_certs) free(*certs); *certs = NULL; *n_certs = 0; + fclose(file); return EIO; }