2 * Copyright (c) 2013 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.controller.protocol_plugin.openflow.core.internal;
11 import java.io.FileInputStream;
12 import java.io.FileNotFoundException;
13 import java.io.IOException;
14 import java.nio.ByteBuffer;
15 import java.nio.channels.AsynchronousCloseException;
16 import java.nio.channels.SelectionKey;
17 import java.nio.channels.Selector;
18 import java.nio.channels.SocketChannel;
19 import java.security.KeyStore;
20 import java.security.SecureRandom;
21 import java.util.List;
22 import javax.net.ssl.KeyManagerFactory;
23 import javax.net.ssl.SSLContext;
24 import javax.net.ssl.SSLEngine;
25 import javax.net.ssl.SSLEngineResult;
26 import javax.net.ssl.SSLSession;
27 import javax.net.ssl.TrustManagerFactory;
28 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
29 import org.opendaylight.controller.protocol_plugin.openflow.core.IMessageReadWrite;
30 import org.openflow.protocol.OFMessage;
31 import org.openflow.protocol.factory.BasicFactory;
32 import org.slf4j.Logger;
33 import org.slf4j.LoggerFactory;
36 * This class implements methods to read/write messages over an established
37 * socket channel. The data exchange is encrypted/decrypted by SSLEngine.
39 public class SecureMessageReadWriteService implements IMessageReadWrite {
40 private static final Logger logger = LoggerFactory
41 .getLogger(SecureMessageReadWriteService.class);
43 private Selector selector;
44 private SocketChannel socket;
45 private BasicFactory factory;
47 private SSLEngine sslEngine;
48 private SSLEngineResult sslEngineResult; // results from sslEngine last operation
49 private ByteBuffer myAppData; // clear text message to be sent
50 private ByteBuffer myNetData; // encrypted message to be sent
51 private ByteBuffer peerAppData; // clear text message received from the
53 private ByteBuffer peerNetData; // encrypted message from the switch
54 private FileInputStream kfd = null, tfd = null;
56 public SecureMessageReadWriteService(SocketChannel socket, Selector selector)
59 this.selector = selector;
60 this.factory = new BasicFactory();
63 createSecureChannel(socket);
64 createBuffers(sslEngine);
65 } catch (Exception e) {
72 * Bring up secure channel using SSL Engine
78 private void createSecureChannel(SocketChannel socket) throws Exception {
79 String keyStoreFile = System.getProperty("controllerKeyStore");
80 String keyStorePassword = System
81 .getProperty("controllerKeyStorePassword");
82 String trustStoreFile = System.getProperty("controllerTrustStore");
83 String trustStorePassword = System
84 .getProperty("controllerTrustStorePassword");
86 if (keyStoreFile != null) {
87 keyStoreFile = keyStoreFile.trim();
89 if ((keyStoreFile == null) || keyStoreFile.isEmpty()) {
90 throw new FileNotFoundException(
91 "controllerKeyStore not specified in ./configuration/config.ini");
93 if (keyStorePassword != null) {
94 keyStorePassword = keyStorePassword.trim();
96 if ((keyStorePassword == null) || keyStorePassword.isEmpty()) {
97 throw new FileNotFoundException(
98 "controllerKeyStorePassword not specified in ./configuration/config.ini");
100 if (trustStoreFile != null) {
101 trustStoreFile = trustStoreFile.trim();
103 if ((trustStoreFile == null) || trustStoreFile.isEmpty()) {
104 throw new FileNotFoundException(
105 "controllerTrustStore not specified in ./configuration/config.ini");
107 if (trustStorePassword != null) {
108 trustStorePassword = trustStorePassword.trim();
110 if ((trustStorePassword == null) || trustStorePassword.isEmpty()) {
111 throw new FileNotFoundException(
112 "controllerTrustStorePassword not specified in ./configuration/config.ini");
115 KeyStore ks = KeyStore.getInstance("JKS");
116 KeyStore ts = KeyStore.getInstance("JKS");
117 KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
118 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
119 kfd = new FileInputStream(keyStoreFile);
120 tfd = new FileInputStream(trustStoreFile);
121 ks.load(kfd, keyStorePassword.toCharArray());
122 ts.load(tfd, trustStorePassword.toCharArray());
123 kmf.init(ks, keyStorePassword.toCharArray());
126 SecureRandom random = new SecureRandom();
129 SSLContext sslContext = SSLContext.getInstance("TLS");
130 sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), random);
131 sslEngine = sslContext.createSSLEngine();
132 sslEngine.setUseClientMode(false);
133 sslEngine.setNeedClientAuth(true);
134 sslEngine.setEnabledCipherSuites(new String[] {
135 "SSL_RSA_WITH_RC4_128_MD5",
136 "SSL_RSA_WITH_RC4_128_SHA",
137 "TLS_RSA_WITH_AES_128_CBC_SHA",
138 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
139 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
140 "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
141 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
142 "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
143 "SSL_RSA_WITH_DES_CBC_SHA",
144 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
145 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
146 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
147 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
148 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
149 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
150 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"});
152 // Do initial handshake
153 doHandshake(socket, sslEngine);
155 this.socket.register(this.selector, SelectionKey.OP_READ);
159 * Sends the OF message out over the socket channel. The message is
160 * encrypted by SSL Engine.
163 * OF message to be sent
167 public void asyncSend(OFMessage msg) throws Exception {
168 synchronized (myAppData) {
169 int msgLen = msg.getLengthU();
170 if (myAppData.remaining() < msgLen) {
171 // increase the buffer size so that it can contain this message
172 ByteBuffer newBuffer = ByteBuffer.allocateDirect(myAppData
173 .capacity() + msgLen);
175 newBuffer.put(myAppData);
176 myAppData = newBuffer;
179 synchronized (myAppData) {
180 msg.writeTo(myAppData);
182 sslEngineResult = sslEngine.wrap(myAppData, myNetData);
183 logger.trace("asyncSend sslEngine wrap: {}", sslEngineResult);
184 runDelegatedTasks(sslEngineResult, sslEngine);
186 if (!socket.isOpen()) {
191 socket.write(myNetData);
192 if (myNetData.hasRemaining()) {
198 if (myAppData.hasRemaining()) {
200 this.socket.register(this.selector, SelectionKey.OP_WRITE, this);
203 this.socket.register(this.selector, SelectionKey.OP_READ, this);
206 logger.trace("Message sent: {}", msg);
211 * Resumes sending the remaining messages in the outgoing buffer
216 public void resumeSend() throws Exception {
217 synchronized (myAppData) {
219 sslEngineResult = sslEngine.wrap(myAppData, myNetData);
220 logger.trace("resumeSend sslEngine wrap: {}", sslEngineResult);
221 runDelegatedTasks(sslEngineResult, sslEngine);
223 if (!socket.isOpen()) {
228 socket.write(myNetData);
229 if (myNetData.hasRemaining()) {
235 if (myAppData.hasRemaining()) {
237 this.socket.register(this.selector, SelectionKey.OP_WRITE, this);
240 this.socket.register(this.selector, SelectionKey.OP_READ, this);
246 * Reads the incoming network data from the socket, decryptes them and then
247 * retrieves the OF messages.
249 * @return list of OF messages
253 public List<OFMessage> readMessages() throws Exception {
254 if (!socket.isOpen()) {
258 List<OFMessage> msgs = null;
262 bytesRead = socket.read(peerNetData);
264 logger.debug("Message read operation failed");
265 throw new AsynchronousCloseException();
270 sslEngineResult = sslEngine.unwrap(peerNetData, peerAppData);
271 if (peerNetData.hasRemaining()) {
272 peerNetData.compact();
276 logger.trace("sslEngine unwrap result: {}", sslEngineResult);
277 runDelegatedTasks(sslEngineResult, sslEngine);
278 } while ((sslEngineResult.getStatus() == SSLEngineResult.Status.OK)
279 && peerNetData.hasRemaining() && (--countDown > 0));
281 if (countDown == 0) {
282 logger.trace("countDown reaches 0. peerNetData pos {} lim {}",
283 peerNetData.position(), peerNetData.limit());
287 msgs = factory.parseMessages(peerAppData);
288 if (peerAppData.hasRemaining()) {
289 peerAppData.compact();
294 this.socket.register(this.selector, SelectionKey.OP_READ, this);
300 * If the result indicates that we have outstanding tasks to do, go ahead
301 * and run them in this thread.
303 private void runDelegatedTasks(SSLEngineResult result, SSLEngine engine)
306 if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
308 while ((runnable = engine.getDelegatedTask()) != null) {
309 logger.debug("\trunning delegated task...");
312 HandshakeStatus hsStatus = engine.getHandshakeStatus();
313 if (hsStatus == HandshakeStatus.NEED_TASK) {
314 throw new Exception("handshake shouldn't need additional tasks");
316 logger.debug("\tnew HandshakeStatus: {}", hsStatus);
320 private void doHandshake(SocketChannel socket, SSLEngine engine)
322 SSLSession session = engine.getSession();
323 ByteBuffer myAppData = ByteBuffer.allocate(session
324 .getApplicationBufferSize());
325 ByteBuffer peerAppData = ByteBuffer.allocate(session
326 .getApplicationBufferSize());
327 ByteBuffer myNetData = ByteBuffer.allocate(session
328 .getPacketBufferSize());
329 ByteBuffer peerNetData = ByteBuffer.allocate(session
330 .getPacketBufferSize());
333 engine.beginHandshake();
334 SSLEngineResult.HandshakeStatus hs = engine.getHandshakeStatus();
336 // Process handshaking message
337 while (hs != SSLEngineResult.HandshakeStatus.FINISHED
338 && hs != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
341 // Receive handshaking data from peer
342 if (socket.read(peerNetData) < 0) {
343 throw new AsynchronousCloseException();
346 // Process incoming handshaking data
348 SSLEngineResult res = engine.unwrap(peerNetData, peerAppData);
349 peerNetData.compact();
350 hs = res.getHandshakeStatus();
353 switch (res.getStatus()) {
361 // Empty the local network packet buffer.
364 // Generate handshaking data
365 res = engine.wrap(myAppData, myNetData);
366 hs = res.getHandshakeStatus();
369 switch (res.getStatus()) {
373 // Send the handshaking data to peer
374 while (myNetData.hasRemaining()) {
375 if (socket.write(myNetData) < 0) {
376 throw new AsynchronousCloseException();
384 // Handle blocking tasks
386 while ((runnable = engine.getDelegatedTask()) != null) {
387 logger.debug("\trunning delegated task...");
390 hs = engine.getHandshakeStatus();
391 if (hs == HandshakeStatus.NEED_TASK) {
393 "handshake shouldn't need additional tasks");
395 logger.debug("\tnew HandshakeStatus: {}", hs);
401 private void createBuffers(SSLEngine engine) {
402 SSLSession session = engine.getSession();
403 this.myAppData = ByteBuffer
404 .allocate(session.getApplicationBufferSize());
405 this.peerAppData = ByteBuffer.allocate(session
406 .getApplicationBufferSize());
407 this.myNetData = ByteBuffer.allocate(session.getPacketBufferSize());
408 this.peerNetData = ByteBuffer.allocate(session.getPacketBufferSize());
412 public void stop() throws IOException {
413 this.sslEngine = null;
414 this.sslEngineResult = null;
415 this.myAppData = null;
416 this.myNetData = null;
417 this.peerAppData = null;
418 this.peerNetData = null;
420 if (this.kfd != null) {
424 if (this.tfd != null) {