static int
new_tcp_stream(const char *name, int fd, int connect_status,
const struct sockaddr_in *remote, struct stream **streamp)
{
struct sockaddr_in local;
socklen_t local_len = sizeof local;
int on = 1;
int retval;
/* Get the local IP and port information */
retval = getsockname(fd, (struct sockaddr *)&local, &local_len);
if (retval) {
memset(&local, 0, sizeof local);
}
retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on);
if (retval) {
VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, strerror(errno));
close(fd);
return errno;
}
retval = new_fd_stream(name, fd, connect_status, streamp);
if (!retval) {
struct stream *stream = *streamp;
stream_set_remote_ip(stream, remote->sin_addr.s_addr);
stream_set_remote_port(stream, remote->sin_port);
stream_set_local_ip(stream, local.sin_addr.s_addr);
stream_set_local_port(stream, local.sin_port);
}
return retval;
}
static int
new_ssl_stream(const char *name, int fd, enum session_type type,
enum ssl_state state, const struct sockaddr_in *remote,
struct stream **streamp)
{
struct sockaddr_in local;
socklen_t local_len = sizeof local;
struct ssl_stream *sslv;
SSL *ssl = NULL;
int on = 1;
int retval;
/* Check for all the needful configuration. */
retval = 0;
if (!private_key.read) {
VLOG_ERR("Private key must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!certificate.read) {
VLOG_ERR("Certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
VLOG_ERR("CA certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!retval && !SSL_CTX_check_private_key(ctx)) {
VLOG_ERR("Private key does not match certificate public key: %s",
ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
}
if (retval) {
goto error;
}
/* Get the local IP and port information */
retval = getsockname(fd, (struct sockaddr *) &local, &local_len);
if (retval) {
memset(&local, 0, sizeof local);
}
/* Disable Nagle. */
retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on);
if (retval) {
VLOG_ERR("%s: setsockopt(TCP_NODELAY): %s", name, strerror(errno));
retval = errno;
goto error;
}
/* Create and configure OpenSSL stream. */
ssl = SSL_new(ctx);
if (ssl == NULL) {
VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
goto error;
}
if (SSL_set_fd(ssl, fd) == 0) {
VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
goto error;
}
if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
}
/* Create and return the ssl_stream. */
sslv = xmalloc(sizeof *sslv);
stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name);
stream_set_remote_ip(&sslv->stream, remote->sin_addr.s_addr);
stream_set_remote_port(&sslv->stream, remote->sin_port);
stream_set_local_ip(&sslv->stream, local.sin_addr.s_addr);
stream_set_local_port(&sslv->stream, local.sin_port);
sslv->state = state;
sslv->type = type;
sslv->fd = fd;
sslv->ssl = ssl;
sslv->txbuf = NULL;
sslv->rx_want = sslv->tx_want = SSL_NOTHING;
sslv->session_nr = next_session_nr++;
sslv->n_head = 0;
if (VLOG_IS_DBG_ENABLED()) {
SSL_set_msg_callback(ssl, ssl_protocol_cb);
SSL_set_msg_callback_arg(ssl, sslv);
}
*streamp = &sslv->stream;
return 0;
error:
if (ssl) {
SSL_free(ssl);
}
close(fd);
return retval;
}
