X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?p=controller.git;a=blobdiff_plain;f=opendaylight%2Fprotocol_plugins%2Fopenflow%2Fsrc%2Fmain%2Fjava%2Forg%2Fopendaylight%2Fcontroller%2Fprotocol_plugin%2Fopenflow%2Fcore%2Finternal%2FSecureMessageReadWriteService.java;h=f27d30eaae620312a75a7da2d47fa878936f5ccd;hp=64031fd01212cceeaaed4ae95b65a0db3904f3da;hb=2a4c88aa665a45c5394642cb3604603bebf8c0da;hpb=eb9e1983a0fce7e4a381eff33e40cae957cddf53 diff --git a/opendaylight/protocol_plugins/openflow/src/main/java/org/opendaylight/controller/protocol_plugin/openflow/core/internal/SecureMessageReadWriteService.java b/opendaylight/protocol_plugins/openflow/src/main/java/org/opendaylight/controller/protocol_plugin/openflow/core/internal/SecureMessageReadWriteService.java index 64031fd012..f27d30eaae 100644 --- a/opendaylight/protocol_plugins/openflow/src/main/java/org/opendaylight/controller/protocol_plugin/openflow/core/internal/SecureMessageReadWriteService.java +++ b/opendaylight/protocol_plugins/openflow/src/main/java/org/opendaylight/controller/protocol_plugin/openflow/core/internal/SecureMessageReadWriteService.java @@ -19,13 +19,15 @@ import java.nio.channels.SocketChannel; import java.security.KeyStore; import java.security.SecureRandom; import java.util.List; + import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; + import org.opendaylight.controller.protocol_plugin.openflow.core.IMessageReadWrite; import org.openflow.protocol.OFMessage; import org.openflow.protocol.factory.BasicFactory; @@ -41,7 +43,6 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { .getLogger(SecureMessageReadWriteService.class); private Selector selector; - private SelectionKey clientSelectionKey; private SocketChannel socket; private BasicFactory factory; @@ -53,6 +54,12 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { // switch private ByteBuffer peerNetData; // encrypted message from the switch private FileInputStream kfd = null, tfd = null; + private final String keyStoreFileDefault = "./configuration/tlsKeyStore"; + private final String trustStoreFileDefault = "./configuration/tlsTrustStore"; + private final String keyStorePasswordPropName = "controllerKeyStorePassword"; + private final String trustStorePasswordPropName = "controllerTrustStorePassword"; + private static String keyStorePassword = null; + private static String trustStorePassword = null; public SecureMessageReadWriteService(SocketChannel socket, Selector selector) throws Exception { @@ -64,6 +71,7 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { createSecureChannel(socket); createBuffers(sslEngine); } catch (Exception e) { + logger.warn("Failed to setup TLS connection {} {}", socket, e); stop(); throw e; } @@ -78,45 +86,53 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { */ private void createSecureChannel(SocketChannel socket) throws Exception { String keyStoreFile = System.getProperty("controllerKeyStore"); - String keyStorePassword = System - .getProperty("controllerKeyStorePassword"); String trustStoreFile = System.getProperty("controllerTrustStore"); - String trustStorePassword = System - .getProperty("controllerTrustStorePassword"); + String keyStorePasswordProp = System.getProperty(keyStorePasswordPropName); + String trustStorePasswordProp = System.getProperty(trustStorePasswordPropName); if (keyStoreFile != null) { keyStoreFile = keyStoreFile.trim(); + } else { + keyStoreFile = keyStoreFileDefault; } if ((keyStoreFile == null) || keyStoreFile.isEmpty()) { - throw new FileNotFoundException( - "controllerKeyStore not specified in ./configuration/config.ini"); + throw new FileNotFoundException("TLS KeyStore file not found."); + } + + if ((keyStorePassword == null) || ((keyStorePasswordProp != null) && !keyStorePasswordProp.isEmpty())) { + keyStorePassword = keyStorePasswordProp; } if (keyStorePassword != null) { keyStorePassword = keyStorePassword.trim(); + System.setProperty(keyStorePasswordPropName, ""); } if ((keyStorePassword == null) || keyStorePassword.isEmpty()) { - throw new FileNotFoundException( - "controllerKeyStorePassword not specified in ./configuration/config.ini"); + throw new FileNotFoundException("TLS KeyStore Password not provided."); } if (trustStoreFile != null) { trustStoreFile = trustStoreFile.trim(); + } else { + trustStoreFile = trustStoreFileDefault; } if ((trustStoreFile == null) || trustStoreFile.isEmpty()) { - throw new FileNotFoundException( - "controllerTrustStore not specified in ./configuration/config.ini"); + throw new FileNotFoundException("TLS TrustStore file not found"); + } + + if ((trustStorePassword == null) || ((trustStorePasswordProp != null) && !trustStorePasswordProp.isEmpty())) { + trustStorePassword = trustStorePasswordProp; } if (trustStorePassword != null) { trustStorePassword = trustStorePassword.trim(); + System.setProperty(trustStorePasswordPropName, ""); } if ((trustStorePassword == null) || trustStorePassword.isEmpty()) { - throw new FileNotFoundException( - "controllerTrustStorePassword not specified in ./configuration/config.ini"); + throw new FileNotFoundException("TLS TrustStore Password not provided."); } KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); - KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); - TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); + KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kfd = new FileInputStream(keyStoreFile); tfd = new FileInputStream(trustStoreFile); ks.load(kfd, keyStorePassword.toCharArray()); @@ -132,12 +148,28 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { sslEngine = sslContext.createSSLEngine(); sslEngine.setUseClientMode(false); sslEngine.setNeedClientAuth(true); + sslEngine.setEnabledCipherSuites(new String[] { + "SSL_RSA_WITH_RC4_128_MD5", + "SSL_RSA_WITH_RC4_128_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "SSL_RSA_WITH_3DES_EDE_CBC_SHA", + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + "SSL_RSA_WITH_DES_CBC_SHA", + "SSL_DHE_RSA_WITH_DES_CBC_SHA", + "SSL_DHE_DSS_WITH_DES_CBC_SHA", + "SSL_RSA_EXPORT_WITH_RC4_40_MD5", + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}); // Do initial handshake doHandshake(socket, sslEngine); - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_READ); + this.socket.register(this.selector, SelectionKey.OP_READ); } /** @@ -182,12 +214,10 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { if (myAppData.hasRemaining()) { myAppData.compact(); - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_WRITE, this); + this.socket.register(this.selector, SelectionKey.OP_WRITE, this); } else { myAppData.clear(); - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_READ, this); + this.socket.register(this.selector, SelectionKey.OP_READ, this); } logger.trace("Message sent: {}", msg); @@ -221,12 +251,10 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { if (myAppData.hasRemaining()) { myAppData.compact(); - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_WRITE, this); + this.socket.register(this.selector, SelectionKey.OP_WRITE, this); } else { myAppData.clear(); - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_READ, this); + this.socket.register(this.selector, SelectionKey.OP_READ, this); } } } @@ -272,16 +300,20 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { peerNetData.position(), peerNetData.limit()); } - peerAppData.flip(); - msgs = factory.parseMessages(peerAppData); - if (peerAppData.hasRemaining()) { - peerAppData.compact(); - } else { + try { + peerAppData.flip(); + msgs = factory.parseMessages(peerAppData); + if (peerAppData.hasRemaining()) { + peerAppData.compact(); + } else { + peerAppData.clear(); + } + } catch (Exception e) { peerAppData.clear(); + logger.debug("Caught exception: ", e); } - this.clientSelectionKey = this.socket.register(this.selector, - SelectionKey.OP_READ, this); + this.socket.register(this.selector, SelectionKey.OP_READ, this); return msgs; } @@ -393,9 +425,9 @@ public class SecureMessageReadWriteService implements IMessageReadWrite { this.myAppData = ByteBuffer .allocate(session.getApplicationBufferSize()); this.peerAppData = ByteBuffer.allocate(session - .getApplicationBufferSize()); + .getApplicationBufferSize() * 20); this.myNetData = ByteBuffer.allocate(session.getPacketBufferSize()); - this.peerNetData = ByteBuffer.allocate(session.getPacketBufferSize()); + this.peerNetData = ByteBuffer.allocate(session.getPacketBufferSize() * 20); } @Override