static int
ssl_connect(struct vconn *vconn)
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
int retval;
switch (sslv->state) {
case STATE_TCP_CONNECTING:
retval = check_connection_completion(sslv->fd);
if (retval) {
return retval;
}
sslv->state = STATE_SSL_CONNECTING;
/* Fall through. */
case STATE_SSL_CONNECTING:
retval = (sslv->type == CLIENT
? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl));
if (retval != 1) {
int error = SSL_get_error(sslv->ssl, retval);
if (retval < 0 && ssl_wants_io(error)) {
return EAGAIN;
} else {
int unused;
interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect"
: "SSL_accept"), retval, error, &unused);
shutdown(sslv->fd, SHUT_RDWR);
return EPROTO;
}
} else if (bootstrap_ca_cert) {
return do_ca_cert_bootstrap(vconn);
} else if ((SSL_get_verify_mode(sslv->ssl)
& (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
!= SSL_VERIFY_PEER) {
/* Two or more SSL connections completed at the same time while we
* were in bootstrap mode. Only one of these can finish the
* bootstrap successfully. The other one(s) must be rejected
* because they were not verified against the bootstrapped CA
* certificate. (Alternatively we could verify them against the CA
* certificate, but that's more trouble than it's worth. These
* connections will succeed the next time they retry, assuming that
* they have a certificate against the correct CA.) */
VLOG_ERR("rejecting SSL connection during bootstrap race window");
return EPROTO;
} else {
return 0;
}
}
NOT_REACHED();
}
static int
unix_open(const char *name, char *suffix, struct vconn **vconnp)
{
const char *connect_path = suffix;
char bind_path[128];
int fd;
sprintf(bind_path, "/tmp/vconn-unix.%ld.%d",
(long int) getpid(), n_unix_sockets++);
fd = make_unix_socket(SOCK_STREAM, true, false, bind_path, connect_path);
if (fd < 0) {
VLOG_ERR("%s: connection to %s failed: %s",
bind_path, connect_path, strerror(-fd));
return -fd;
}
return new_stream_vconn(name, fd, check_connection_completion(fd),
0, vconnp);
}
static int
unix_open(const char *name, char *suffix, struct stream **streamp,
uint8_t dscp OVS_UNUSED)
{
char *connect_path;
int fd;
connect_path = abs_file_name(ovs_rundir(), suffix);
fd = make_unix_socket(SOCK_STREAM, true, NULL, connect_path);
if (fd < 0) {
VLOG_DBG("%s: connection failed (%s)",
connect_path, ovs_strerror(-fd));
free(connect_path);
return -fd;
}
free(connect_path);
return new_fd_stream(name, fd, check_connection_completion(fd), streamp);
}
static int
unix_open(const char *name, char *suffix, struct stream **streamp)
{
const char *connect_path = suffix;
char *bind_path;
int fd;
bind_path = xasprintf("/tmp/stream-unix.%ld.%d",
(long int) getpid(), n_unix_sockets++);
fd = make_unix_socket(SOCK_STREAM, true, false, bind_path, connect_path);
if (fd < 0) {
VLOG_ERR("%s: connection to %s failed: %s",
bind_path, connect_path, strerror(-fd));
free(bind_path);
return -fd;
}
return new_fd_stream(name, fd, check_connection_completion(fd),
bind_path, streamp);
}
static int
stream_connect(struct vconn *vconn)
{
struct stream_vconn *s = stream_vconn_cast(vconn);
return check_connection_completion(s->fd);
}
static int
ssl_connect(struct stream *stream)
{
struct ssl_stream *sslv = ssl_stream_cast(stream);
int retval;
switch (sslv->state) {
case STATE_TCP_CONNECTING:
retval = check_connection_completion(sslv->fd);
if (retval) {
return retval;
}
sslv->state = STATE_SSL_CONNECTING;
setsockopt_tcp_nodelay(sslv->fd);
/* Fall through. */
case STATE_SSL_CONNECTING:
/* Capture the first few bytes of received data so that we can guess
* what kind of funny data we've been sent if SSL negotiation fails. */
if (sslv->n_head <= 0) {
sslv->n_head = recv(sslv->fd, sslv->head, sizeof sslv->head,
MSG_PEEK);
}
retval = (sslv->type == CLIENT
? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl));
if (retval != 1) {
int error = SSL_get_error(sslv->ssl, retval);
if (retval < 0 && ssl_wants_io(error)) {
return EAGAIN;
} else {
int unused;
interpret_ssl_error((sslv->type == CLIENT ? "SSL_connect"
: "SSL_accept"), retval, error, &unused);
shutdown(sslv->fd, SHUT_RDWR);
stream_report_content(sslv->head, sslv->n_head, STREAM_SSL,
&this_module, stream_get_name(stream));
return EPROTO;
}
} else if (bootstrap_ca_cert) {
return do_ca_cert_bootstrap(stream);
} else if (verify_peer_cert
&& ((SSL_get_verify_mode(sslv->ssl)
& (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
!= SSL_VERIFY_PEER)) {
/* Two or more SSL connections completed at the same time while we
* were in bootstrap mode. Only one of these can finish the
* bootstrap successfully. The other one(s) must be rejected
* because they were not verified against the bootstrapped CA
* certificate. (Alternatively we could verify them against the CA
* certificate, but that's more trouble than it's worth. These
* connections will succeed the next time they retry, assuming that
* they have a certificate against the correct CA.) */
VLOG_INFO("rejecting SSL connection during bootstrap race window");
return EPROTO;
} else {
return 0;
}
}
OVS_NOT_REACHED();
}
static int
fd_connect(struct stream *stream)
{
struct stream_fd *s = stream_fd_cast(stream);
return check_connection_completion(s->fd);
}
