securing the openflow channel

Change-Id: Ifae379e7e372baeb14a4ad919f014c64752c3a7f

@@ -39,9 +39,15 @@ import org.projectfloodlight.openflow.protocol.OFVersion;
 import org.slf4j.Logger;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.LoggerFactory;
 
 
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
 import java.lang.management.ManagementFactory;
 import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.lang.management.RuntimeMXBean;
 import java.net.InetSocketAddress;
 import java.net.InetSocketAddress;
+import java.security.KeyStore;
 import java.util.Dictionary;
 import java.util.Dictionary;
 import java.util.HashMap;
 import java.util.HashMap;
 import java.util.List;
 import java.util.List;
@@ -66,6 +72,8 @@ public class Controller {
 
 
     protected static final OFFactory FACTORY13 = OFFactories.getFactory(OFVersion.OF_13);
     protected static final OFFactory FACTORY13 = OFFactories.getFactory(OFVersion.OF_13);
     protected static final OFFactory FACTORY10 = OFFactories.getFactory(OFVersion.OF_10);
     protected static final OFFactory FACTORY10 = OFFactories.getFactory(OFVersion.OF_10);
+    private static final boolean TLS_DISABLED = false;
+    private static final short MIN_KS_LENGTH = 6;
 
 
     protected HashMap<String, String> controllerNodeIPsCache;
     protected HashMap<String, String> controllerNodeIPsCache;
 
 
@@ -82,9 +90,16 @@ public class Controller {
 
 
     private NioServerSocketChannelFactory execFactory;
     private NioServerSocketChannelFactory execFactory;
 
 
+    protected String ksLocation;
+    protected String tsLocation;
+    protected char[] ksPwd;
+    protected char[] tsPwd;
+    private SSLEngine serverSSLEngine;
+
     // Perf. related configuration
     // Perf. related configuration
     protected static final int SEND_BUFFER_SIZE = 4 * 1024 * 1024;
     protected static final int SEND_BUFFER_SIZE = 4 * 1024 * 1024;
     private DriverService driverService;
     private DriverService driverService;
+    private boolean enableOFTLS = TLS_DISABLED;
 
 
     // ***************
     // ***************
     // Getters/Setters
     // Getters/Setters
@@ -134,7 +149,7 @@ public class Controller {
             bootstrap.setOption("child.sendBufferSize", Controller.SEND_BUFFER_SIZE);
             bootstrap.setOption("child.sendBufferSize", Controller.SEND_BUFFER_SIZE);
 
 
             ChannelPipelineFactory pfact =
             ChannelPipelineFactory pfact =
-                    new OpenflowPipelineFactory(this, null);
+                    new OpenflowPipelineFactory(this, null, serverSSLEngine);
             bootstrap.setPipelineFactory(pfact);
             bootstrap.setPipelineFactory(pfact);
             cg = new DefaultChannelGroup();
             cg = new DefaultChannelGroup();
             openFlowPorts.forEach(port -> {
             openFlowPorts.forEach(port -> {
@@ -189,6 +204,68 @@ public class Controller {
         this.controllerNodeIPsCache = new HashMap<>();
         this.controllerNodeIPsCache = new HashMap<>();
 
 
         this.systemStartTime = System.currentTimeMillis();
         this.systemStartTime = System.currentTimeMillis();
+
+        try {
+            getTLSParameters();
+            if (enableOFTLS) {
+                initSSL();
+            }
+        } catch (Exception ex) {
+            log.error("SSL init failed: {}", ex.getMessage());
+        }
+
+    }
+
+    private void getTLSParameters() {
+        String tempString = System.getProperty("enableOFTLS");
+        enableOFTLS = Strings.isNullOrEmpty(tempString) ? TLS_DISABLED : Boolean.parseBoolean(tempString);
+        log.info("OpenFlow Security is {}", enableOFTLS ? "enabled" : "disabled");
+        if (enableOFTLS) {
+            ksLocation = System.getProperty("javax.net.ssl.keyStore");
+            if (Strings.isNullOrEmpty(ksLocation)) {
+                enableOFTLS = TLS_DISABLED;
+                return;
+            }
+            tsLocation = System.getProperty("javax.net.ssl.trustStore");
+            if (Strings.isNullOrEmpty(tsLocation)) {
+                enableOFTLS = TLS_DISABLED;
+                return;
+            }
+            ksPwd = System.getProperty("javax.net.ssl.keyStorePassword").toCharArray();
+            if (MIN_KS_LENGTH > ksPwd.length) {
+                enableOFTLS = TLS_DISABLED;
+                return;
+            }
+            tsPwd = System.getProperty("javax.net.ssl.trustStorePassword").toCharArray();
+            if (MIN_KS_LENGTH > tsPwd.length) {
+                enableOFTLS = TLS_DISABLED;
+                return;
+            }
+        }
+    }
+
+    private void initSSL() throws Exception {
+
+        TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        KeyStore ts = KeyStore.getInstance("JKS");
+        ts.load(new FileInputStream(tsLocation), tsPwd);
+        tmFactory.init(ts);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        KeyStore ks = KeyStore.getInstance("JKS");
+        ks.load(new FileInputStream(ksLocation), ksPwd);
+        kmf.init(ks, ksPwd);
+
+        SSLContext serverContext = SSLContext.getInstance("TLS");
+        serverContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);
+
+        serverSSLEngine = serverContext.createSSLEngine();
+
+        serverSSLEngine.setNeedClientAuth(true);
+        serverSSLEngine.setUseClientMode(false);
+        serverSSLEngine.setEnabledProtocols(serverSSLEngine.getSupportedProtocols());
+        serverSSLEngine.setEnabledCipherSuites(serverSSLEngine.getSupportedCipherSuites());
+        serverSSLEngine.setEnableSessionCreation(true);
     }
     }
 
 
     // **************
     // **************

@@ -27,6 +27,10 @@ import org.jboss.netty.handler.timeout.ReadTimeoutHandler;
 import org.jboss.netty.util.ExternalResourceReleasable;
 import org.jboss.netty.util.ExternalResourceReleasable;
 import org.jboss.netty.util.HashedWheelTimer;
 import org.jboss.netty.util.HashedWheelTimer;
 import org.jboss.netty.util.Timer;
 import org.jboss.netty.util.Timer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.SSLEngine;
 
 
 /**
 /**
  * Creates a ChannelPipeline for a server-side openflow channel.
  * Creates a ChannelPipeline for a server-side openflow channel.
@@ -34,6 +38,9 @@ import org.jboss.netty.util.Timer;
 public class OpenflowPipelineFactory
 public class OpenflowPipelineFactory
     implements ChannelPipelineFactory, ExternalResourceReleasable {
     implements ChannelPipelineFactory, ExternalResourceReleasable {
 
 
+    private final Logger log = LoggerFactory.getLogger(getClass());
+
+    private final SSLEngine sslEngine;
     protected Controller controller;
     protected Controller controller;
     protected ThreadPoolExecutor pipelineExecutor;
     protected ThreadPoolExecutor pipelineExecutor;
     protected Timer timer;
     protected Timer timer;
@@ -41,13 +48,15 @@ public class OpenflowPipelineFactory
     protected ReadTimeoutHandler readTimeoutHandler;
     protected ReadTimeoutHandler readTimeoutHandler;
 
 
     public OpenflowPipelineFactory(Controller controller,
     public OpenflowPipelineFactory(Controller controller,
-                                   ThreadPoolExecutor pipelineExecutor) {
+                                   ThreadPoolExecutor pipelineExecutor,
+                                   SSLEngine sslEngine) {
         super();
         super();
         this.controller = controller;
         this.controller = controller;
         this.pipelineExecutor = pipelineExecutor;
         this.pipelineExecutor = pipelineExecutor;
         this.timer = new HashedWheelTimer();
         this.timer = new HashedWheelTimer();
         this.idleHandler = new IdleStateHandler(timer, 20, 25, 0);
         this.idleHandler = new IdleStateHandler(timer, 20, 25, 0);
         this.readTimeoutHandler = new ReadTimeoutHandler(timer, 30);
         this.readTimeoutHandler = new ReadTimeoutHandler(timer, 30);
+        this.sslEngine = sslEngine;
     }
     }
 
 
     @Override
     @Override
@@ -55,6 +64,13 @@ public class OpenflowPipelineFactory
         OFChannelHandler handler = new OFChannelHandler(controller);
         OFChannelHandler handler = new OFChannelHandler(controller);
 
 
         ChannelPipeline pipeline = Channels.pipeline();
         ChannelPipeline pipeline = Channels.pipeline();
+        if (sslEngine != null) {
+            log.info("OpenFlow SSL enabled.");
+            pipeline.addLast("ssl",
+                             new org.jboss.netty.handler.ssl.SslHandler(sslEngine));
+        } else {
+            log.info("OpenFlow SSL disabled");
+        }
         pipeline.addLast("ofmessagedecoder", new OFMessageDecoder());
         pipeline.addLast("ofmessagedecoder", new OFMessageDecoder());
         pipeline.addLast("ofmessageencoder", new OFMessageEncoder());
         pipeline.addLast("ofmessageencoder", new OFMessageEncoder());
         pipeline.addLast("idle", idleHandler);
         pipeline.addLast("idle", idleHandler);