Add SSL support to "stream" library and OVSDB.

lib/automake.mk

@@ -122,6 +122,7 @@ lib_libopenvswitch_a_SOURCES = \
 	lib/stream-fd.c \
 	lib/stream-fd.h \
 	lib/stream-provider.h \
+	lib/stream-ssl.h \
 	lib/stream-tcp.c \
 	lib/stream-unix.c \
 	lib/stream.c \
@@ -168,6 +169,7 @@ endif
 
 if HAVE_OPENSSL
 lib_libopenvswitch_a_SOURCES += \
+	lib/stream-ssl.c \
 	lib/vconn-ssl.c 
 nodist_lib_libopenvswitch_a_SOURCES += lib/dhparams.c
 lib/dhparams.c: lib/dh1024.pem lib/dh2048.pem lib/dh4096.pem
@@ -193,8 +195,10 @@ EXTRA_DIST += \
 	lib/dpif.man \
 	lib/leak-checker.man \
 	lib/ssl-bootstrap.man \
+	lib/ssl-bootstrap-syn.man \
 	lib/ssl-peer-ca-cert.man \
 	lib/ssl.man \
+	lib/ssl-syn.man \
 	lib/vconn-active.man \
 	lib/vconn-passive.man \
 	lib/vlog-unixctl.man \

lib/ssl-bootstrap-syn.man

@@ -0,0 +1,2 @@
+.br
+[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem]

lib/ssl-syn.man

@@ -0,0 +1,6 @@
+.IP "Public key infrastructure options:"
+[\fB\-\-private\-key=\fIprivkey.pem\fR]
+.br
+[\fB\-\-certificate=\fIcert.pem\fR]
+.br
+[\fB\-\-ca\-cert=\fIswitch\-cacert.pem\fR]

lib/stream-provider.h

@@ -181,5 +181,9 @@ extern struct stream_class tcp_stream_class;
 extern struct pstream_class ptcp_pstream_class;
 extern struct stream_class unix_stream_class;
 extern struct pstream_class punix_pstream_class;
+#ifdef HAVE_OPENSSL
+extern struct stream_class ssl_stream_class;
+extern struct pstream_class pssl_pstream_class;
+#endif
 
 #endif /* stream-provider.h */

lib/stream-ssl.h

@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2008, 2009 Nicira Networks.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef STREAM_SSL_H
+#define STREAM_SSL_H 1
+
+#include <stdbool.h>
+
+#ifdef HAVE_OPENSSL
+bool stream_ssl_is_configured(void);
+void stream_ssl_set_private_key_file(const char *file_name);
+void stream_ssl_set_certificate_file(const char *file_name);
+void stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap);
+void stream_ssl_set_peer_ca_cert_file(const char *file_name);
+
+#define STREAM_SSL_LONG_OPTIONS                     \
+        {"private-key", required_argument, 0, 'p'}, \
+        {"certificate", required_argument, 0, 'c'}, \
+        {"ca-cert",     required_argument, 0, 'C'},
+
+#define STREAM_SSL_OPTION_HANDLERS                      \
+        case 'p':                                       \
+            stream_ssl_set_private_key_file(optarg);    \
+            break;                                      \
+                                                        \
+        case 'c':                                       \
+            stream_ssl_set_certificate_file(optarg);    \
+            break;                                      \
+                                                        \
+        case 'C':                                       \
+            stream_ssl_set_ca_cert_file(optarg, false); \
+            break;
+#else /* !HAVE_OPENSSL */
+static inline bool stream_ssl_is_configured(void) 
+{
+    return false;
+}
+#define STREAM_SSL_LONG_OPTIONS
+#define STREAM_SSL_OPTION_HANDLERS
+#endif /* !HAVE_OPENSSL */
+
+#endif /* stream-ssl.h */

lib/stream.c

@@ -95,7 +95,8 @@ check_stream_classes(void)
 /* Prints information on active (if 'active') and passive (if 'passive')
  * connection methods supported by the stream. */
 void
-stream_usage(const char *name, bool active, bool passive)
+stream_usage(const char *name, bool active, bool passive,
+             bool bootstrap UNUSED)
 {
     /* Really this should be implemented via callbacks into the stream
      * providers, but that seems too heavy-weight to bother with at the
@@ -106,6 +107,10 @@ stream_usage(const char *name, bool active, bool passive)
         printf("Active %s connection methods:\n", name);
         printf("  tcp:IP:PORT             "
                "PORT at remote IP\n");
+#ifdef HAVE_OPENSSL
+        printf("  ssl:IP:PORT             "
+               "SSL PORT at remote IP\n");
+#endif
         printf("  unix:FILE               "
                "Unix domain socket named FILE\n");
     }
@@ -114,9 +119,24 @@ stream_usage(const char *name, bool active, bool passive)
         printf("Passive %s connection methods:\n", name);
         printf("  ptcp:PORT[:IP]          "
                "listen to TCP PORT on IP\n");
+#ifdef HAVE_OPENSSL
+        printf("  pssl:PORT[:IP]          "
+               "listen for SSL on PORT on IP\n");
+#endif
         printf("  punix:FILE              "
                "listen on Unix domain socket FILE\n");
     }
+
+#ifdef HAVE_OPENSSL
+    printf("PKI configuration (required to use SSL):\n"
+           "  -p, --private-key=FILE  file with private key\n"
+           "  -c, --certificate=FILE  file with certificate for private key\n"
+           "  -C, --ca-cert=FILE      file with peer CA certificate\n");
+    if (bootstrap) {
+        printf("  --bootstrap-ca-cert=FILE  file with peer CA certificate "
+               "to read or create\n");
+    }
+#endif
 }
 
 /* Attempts to connect a stream to a remote peer.  'name' is a connection name

lib/stream.h

@@ -27,7 +27,7 @@
 struct pstream;
 struct stream;
 
-void stream_usage(const char *name, bool active, bool passive);
+void stream_usage(const char *name, bool active, bool passive, bool bootstrap);
 
 /* Bidirectional byte streams. */
 int stream_open(const char *name, struct stream **);

lib/vlog-modules.def

@@ -70,6 +70,7 @@ VLOG_MODULE(reconnect)
 VLOG_MODULE(rtnetlink)
 VLOG_MODULE(stp)
 VLOG_MODULE(stream_fd)
+VLOG_MODULE(stream_ssl)
 VLOG_MODULE(stream_tcp)
 VLOG_MODULE(stream_unix)
 VLOG_MODULE(stream)

ovsdb/automake.mk

@@ -27,6 +27,9 @@ ovsdb_libovsdb_a_SOURCES = \
 	ovsdb/trigger.h \
 	ovsdb/transaction.c \
 	ovsdb/transaction.h
+EXTRA_DIST += \
+	ovsdb/remote-active.man \
+	ovsdb/remote-passive.man
 
 # ovsdb-tool
 bin_PROGRAMS += ovsdb/ovsdb-tool
@@ -40,7 +43,7 @@ EXTRA_DIST += ovsdb/ovsdb-tool.1.in
 # ovsdb-client
 bin_PROGRAMS += ovsdb/ovsdb-client
 ovsdb_ovsdb_client_SOURCES = ovsdb/ovsdb-client.c
-ovsdb_ovsdb_client_LDADD = ovsdb/libovsdb.a lib/libopenvswitch.a
+ovsdb_ovsdb_client_LDADD = ovsdb/libovsdb.a lib/libopenvswitch.a $(SSL_LIBS)
 # ovsdb-client.1
 man_MANS += ovsdb/ovsdb-client.1
 DISTCLEANFILES += ovsdb/ovsdb-client.1
@@ -49,7 +52,11 @@ EXTRA_DIST += ovsdb/ovsdb-client.1.in
 # ovsdb-server
 sbin_PROGRAMS += ovsdb/ovsdb-server
 ovsdb_ovsdb_server_SOURCES = ovsdb/ovsdb-server.c
-ovsdb_ovsdb_server_LDADD = ovsdb/libovsdb.a lib/libopenvswitch.a $(FAULT_LIBS)
+ovsdb_ovsdb_server_LDADD = \
+	ovsdb/libovsdb.a \
+	lib/libopenvswitch.a \
+	$(FAULT_LIBS) \
+	$(SSL_LIBS)
 # ovsdb-server.1
 man_MANS += ovsdb/ovsdb-server.1
 DISTCLEANFILES += ovsdb/ovsdb-server.1

ovsdb/ovsdb-client.1.in

@@ -31,6 +31,8 @@ ovsdb\-client \- command-line interface to \fBovsdb-server\fR(1)
 [\fB--no-heading\fR]
 .so lib/daemon-syn.man
 .so lib/vlog-syn.man
+.so lib/ssl-syn.man
+.so lib/ssl-bootstrap-syn.man
 .so lib/common-syn.man
 .
 .SH DESCRIPTION
@@ -38,18 +40,10 @@ The \fBovsdb\-client\fR program is a command-line client for
 interacting with a running \fBovsdb\-server\fR process.  For each
 command, the \fIserver\fR to connect to must be specified in one of
 the following forms:
-.IP "\fBtcp:\fIip\fB:\fIport\fR"
-Connect to the given TCP \fIport\fR on \fIip\fR.
-.IP "\fBunix:\fIfile\fR"
-Connect to the Unix domain server socket named \fIfile\fR.
-.IP "\fBptcp:\fIport\fR[\fB:\fIip\fR]"
-Listen on the given TCP \fIport\fR for a connection.  By default,
-\fB\*(PN\fR listens for connections to any local IP address, but
-\fIip\fR may be specified to listen only for connections to the given
-\fIip\fR.
-.IP "\fBpunix:\fIfile\fR"
-Listen on the Unix domain server socket named \fIfile\fR for a
-connection.
+.RS
+.so ovsdb/remote-active.man
+.so ovsdb/remote-passive.man
+.RE
 .
 .SS "Commands"
 The following commands are implemented:
@@ -135,8 +129,8 @@ other command, they have no effect.
 .so lib/daemon.man
 .SS "Logging Options"
 .so lib/vlog.man
-.SS "Logging Options"
-.so lib/vlog.man
+.so lib/ssl.man
+.so lib/ssl-bootstrap.man
 .SS "Other Options"
 .so lib/common.man
 .SH "SEE ALSO"

ovsdb/ovsdb-client.c

@@ -34,6 +34,7 @@
 #include "ovsdb.h"
 #include "ovsdb-error.h"
 #include "stream.h"
+#include "stream-ssl.h"
 #include "table.h"
 #include "timeval.h"
 #include "util.h"
@@ -77,6 +78,9 @@ main(int argc, char *argv[])
 static void
 parse_options(int argc, char *argv[])
 {
+    enum {
+        OPT_BOOTSTRAP_CA_CERT = UCHAR_MAX + 1
+    };
     static struct option long_options[] = {
         {"wide", no_argument, &output_width, INT_MAX},
         {"format", required_argument, 0, 'f'},
@@ -86,6 +90,10 @@ parse_options(int argc, char *argv[])
         {"help", no_argument, 0, 'h'},
         {"version", no_argument, 0, 'V'},
         DAEMON_LONG_OPTIONS,
+#ifdef HAVE_OPENSSL
+        {"bootstrap-ca-cert", required_argument, 0, OPT_BOOTSTRAP_CA_CERT},
+        STREAM_SSL_LONG_OPTIONS
+#endif
         {0, 0, 0, 0},
     };
     char *short_options = long_options_to_short_options(long_options);
@@ -129,6 +137,14 @@ parse_options(int argc, char *argv[])
 
         DAEMON_OPTION_HANDLERS
 
+#ifdef HAVE_OPENSSL
+        STREAM_SSL_OPTION_HANDLERS
+
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+#endif
+
         case '?':
             exit(EXIT_FAILURE);
 
@@ -162,7 +178,7 @@ usage(void)
            "    monitor contents of (COLUMNs in) TABLE on SERVER\n"
            "    Valid SELECTs are: initial, insert, delete, modify\n",
            program_name, program_name);
-    stream_usage("SERVER", true, true);
+    stream_usage("SERVER", true, true, true);
     printf("\nOutput formatting options:\n"
            "  -f, --format=FORMAT         set output formatting to FORMAT\n"
            "                              (\"table\", \"html\", or \"csv\"\n"

ovsdb/ovsdb-server.1.in

@@ -29,37 +29,15 @@ Adds \fIremote\fR as a connection method used by \fBovsdb\-server\fR.
 \fIremote\fR must take one of the following forms:
 .
 .RS
-.IP "\fBptcp:\fIport\fR[\fB:\fIip\fR]"
-Listens for JSON-RPC connections on the given TCP \fIport\fR.  By
-default, \fB\*(PN\fR listens for connections to any local IP address,
-but \fIip\fR may be specified to listen only for connections to the
-given \fIip\fR.
-.
-.IP "\fBpunix:\fIfile\fR"
-Listens for JSON-RPC connections on the Unix domain server socket
-named \fIfile\fR.
-.
-.IP "\fBtcp:\fIip\fB:\fIport\fR"
-Initiates a JSON-RPC connection to the given TCP \fIport\fR on
-\fIip\fR and reconnects as necessary.
-.
-.IP "\fBunix:\fIfile\fR"
-Initiates a JSON-RPC connection to the Unix domain server socket named
-\fIfile\fR as reconnects as necessary.
-.
-.IP "\fBdb:\fItable\fB,\fIcolumn\fR"
-Reads additional connection methods from \fIcolumn\fR in all of the
-rows in \fItable\fR within the \fBovsdb\-server\fR database.  The
-\fIcolumn\fR must have type string or set of strings.  The connection
-methods in the column must have one of the forms described above.  As
-the contents of \fIcolumn\fR changes, \fBovsdb\-server\fR also adds
-and drops connection methods accordingly.
+.so ovsdb/remote-passive.man
+.so ovsdb/remote-active.man
 .RE
 .
 .SS "Daemon Options"
 .so lib/daemon.man
 .SS "Logging Options"
 .so lib/vlog.man
+.so lib/ssl.man
 .SS "Other Options"
 .so lib/common.man
 .SH "RUNTIME MANAGEMENT COMMANDS"

ovsdb/ovsdb-server.c

@@ -38,6 +38,7 @@
 #include "poll-loop.h"
 #include "process.h"
 #include "row.h"
+#include "stream-ssl.h"
 #include "stream.h"
 #include "svec.h"
 #include "table.h"
@@ -204,6 +205,7 @@ parse_options(int argc, char *argv[], char **file_namep,
         OPT_DUMMY = UCHAR_MAX + 1,
         OPT_REMOTE,
         OPT_UNIXCTL,
+        OPT_BOOTSTRAP_CA_CERT,
         VLOG_OPTION_ENUMS,
         LEAK_CHECKER_OPTION_ENUMS
     };
@@ -215,6 +217,10 @@ parse_options(int argc, char *argv[], char **file_namep,
         DAEMON_LONG_OPTIONS,
         VLOG_LONG_OPTIONS,
         LEAK_CHECKER_LONG_OPTIONS,
+#ifdef HAVE_OPENSSL
+        {"bootstrap-ca-cert", required_argument, 0, OPT_BOOTSTRAP_CA_CERT},
+        STREAM_SSL_LONG_OPTIONS
+#endif
         {0, 0, 0, 0},
     };
     char *short_options = long_options_to_short_options(long_options);
@@ -248,6 +254,15 @@ parse_options(int argc, char *argv[], char **file_namep,
         DAEMON_OPTION_HANDLERS
         LEAK_CHECKER_OPTION_HANDLERS
 
+#ifdef HAVE_OPENSSL
+        STREAM_SSL_OPTION_HANDLERS
+
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+#endif
+
+
         case '?':
             exit(EXIT_FAILURE);
 
@@ -279,7 +294,7 @@ usage(void)
            program_name, program_name);
     printf("\nJSON-RPC options (may be specified any number of times):\n"
            "  --remote=REMOTE         connect or listen to REMOTE\n");
-    stream_usage("JSON-RPC", true, true);
+    stream_usage("JSON-RPC", true, true, true);
     daemon_usage();
     vlog_usage();
     printf("\nOther options:\n"

ovsdb/remote-active.man

@@ -0,0 +1,11 @@
+.IP "\fBssl:\fIip\fB:\fIport\fR"
+The specified SSL \fIport\fR on the host at the given \fIip\fR, which
+must be expressed as an IP address (not a DNS name).  The
+\fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR
+options are mandatory when this form is used.
+.
+.IP "\fBtcp:\fIip\fB:\fIport\fR"
+Connect to the given TCP \fIport\fR on \fIip\fR.
+.
+.IP "\fBunix:\fIfile\fR"
+Connect to the Unix domain server socket named \fIfile\fR.

ovsdb/remote-passive.man

@@ -0,0 +1,16 @@
+.IP "\fBpssl:\fIport\fR[\fB:\fIip\fR]"
+Listen on the given SSL \fIport\fR for a connection.  By default,
+\fB\*(PN\fR listens for connections to any local IP address, but
+specifying \fIip\fR limits connections to those from the given
+\fIip\fR.  The \fB\-\-private\-key\fR, \fB\-\-certificate\fR, and
+\fB\-\-ca\-cert\fR options are mandatory when this form is used.
+.
+.IP "\fBptcp:\fIport\fR[\fB:\fIip\fR]"
+Listen on the given TCP \fIport\fR for a connection.  By default,
+\fB\*(PN\fR listens for connections to any local IP address, but
+\fIip\fR may be specified to listen only for connections to the given
+\fIip\fR.
+.
+.IP "\fBpunix:\fIfile\fR"
+Listen on the Unix domain server socket named \fIfile\fR for a
+connection.

tests/automake.mk

@@ -97,7 +97,7 @@ tests_test_json_LDADD = lib/libopenvswitch.a
 
 noinst_PROGRAMS += tests/test-jsonrpc
 tests_test_jsonrpc_SOURCES = tests/test-jsonrpc.c
-tests_test_jsonrpc_LDADD = lib/libopenvswitch.a
+tests_test_jsonrpc_LDADD = lib/libopenvswitch.a $(SSL_LIBS)
 
 noinst_PROGRAMS += tests/test-list
 tests_test_list_SOURCES = tests/test-list.c

tests/test-jsonrpc.c

@@ -28,6 +28,7 @@
 #include "daemon.h"
 #include "json.h"
 #include "poll-loop.h"
+#include "stream-ssl.h"
 #include "stream.h"
 #include "timeval.h"
 #include "util.h"
@@ -52,10 +53,17 @@ main(int argc, char *argv[])
 static void
 parse_options(int argc, char *argv[])
 {
+    enum {
+        OPT_BOOTSTRAP_CA_CERT = UCHAR_MAX + 1
+    };
     static struct option long_options[] = {
         {"verbose", optional_argument, 0, 'v'},
         {"help", no_argument, 0, 'h'},
         DAEMON_LONG_OPTIONS,
+#ifdef HAVE_OPENSSL
+        {"bootstrap-ca-cert", required_argument, 0, OPT_BOOTSTRAP_CA_CERT},
+        STREAM_SSL_LONG_OPTIONS
+#endif
         {0, 0, 0, 0},
     };
     char *short_options = long_options_to_short_options(long_options);
@@ -76,6 +84,14 @@ parse_options(int argc, char *argv[])
 
         DAEMON_OPTION_HANDLERS
 
+#ifdef HAVE_OPENSSL
+        STREAM_SSL_OPTION_HANDLERS
+
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+#endif
+
         case '?':
             exit(EXIT_FAILURE);
 
@@ -95,7 +111,7 @@ usage(void)
            "  request REMOTE METHOD PARAMS   send request, print reply\n"
            "  notify REMOTE METHOD PARAMS  send notification and exit\n",
            program_name, program_name);
-    stream_usage("JSON-RPC", true, true);
+    stream_usage("JSON-RPC", true, true, true);
     daemon_usage();
     vlog_usage();
     printf("\nOther options:\n"

utilities/ovs-vsctl.8.in

@@ -74,11 +74,9 @@ contacts to query or modify configuration.  The default is
 \fBunix:@RUNDIR@/ovsdb\-server\fR.  \fIserver\fR must take one of the
 following forms:
 .RS
-.IP "\fBtcp:\fIip\fB:\fIport\fR"
-Connect to the given TCP \fIport\fR on \fIip\fR.
-.IP "\fBunix:\fIfile\fR"
-Connect to the Unix domain server socket named \fIfile\fR.
+.so ovsdb/remote-active.man
 .RE
+.
 .IP "\fB\-\-no\-wait\fR"
 Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
 reconfigure itself according to the the modified database.  This

vswitchd/ovs-brcompatd.8.in

@@ -15,12 +15,9 @@ the \fBbrctl\fR program) to add or remove datapaths and the interfaces
 that attach to them.  
 .PP
 The mandatory \fIdatabase\fR argument specifies the
-\fBovsdb\-server\fR from which \fBovs\-vswitchd\fR's configuration
-is retrieved.  It takes one of the following forms:
-.IP "\fBtcp:\fIip\fB:\fIport\fR"
-Connect to the given TCP \fIport\fR on \fIip\fR.
-.IP "\fBunix:\fIfile\fR"
-Connect to the Unix domain server socket named \fIfile\fR.
+\fBovsdb\-server\fR from which \fBovs\-vswitchd\fR's configuration is
+retrieved.  It should take the form \fBunix:\fIfile\fR, to connect to
+the Unix domain server socket named \fIfile\fR.
 .PP
 .SH OPTIONS
 .IP "\fB--appctl-command=\fIcommand\fR"

vswitchd/ovs-vswitchd.c

@@ -219,7 +219,7 @@ usage(void)
            "usage: %s [OPTIONS] DATABASE\n"
            "where DATABASE is a socket on which ovsdb-server is listening.\n",
            program_name, program_name);
-    stream_usage("DATABASE", true, false);
+    stream_usage("DATABASE", true, false, true);
     daemon_usage();
     vlog_usage();
     printf("\nLegacy compatibility options:\n"