X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=0ca5b18dfb775e3bc12419a7c8b30cc50605f6e8;hb=aabf5352bbf7e6fdc3d8da9f7f0b2e268da6ea68;hp=f2d5037ad32718e18c0ed7e8289bdcf0fd5b1fd4;hpb=e0edde6fee279cdbbf3c179f5f50adaf0c7c7f1e;p=openvswitch diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index f2d5037a..0ca5b18d 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010, 2011 Nicira, Inc. + * Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -34,6 +35,7 @@ #include #include "coverage.h" #include "dynamic-string.h" +#include "entropy.h" #include "leak-checker.h" #include "ofpbuf.h" #include "openflow/openflow.h" @@ -228,7 +230,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!SSL_CTX_check_private_key(ctx)) { + if (!retval && !SSL_CTX_check_private_key(ctx)) { VLOG_ERR("Private key does not match certificate public key: %s", ERR_error_string(ERR_get_error(), NULL)); retval = ENOPROTOOPT; @@ -477,7 +479,7 @@ ssl_connect(struct stream *stream) * certificate, but that's more trouble than it's worth. These * connections will succeed the next time they retry, assuming that * they have a certificate against the correct CA.) */ - VLOG_ERR("rejecting SSL connection during bootstrap race window"); + VLOG_INFO("rejecting SSL connection during bootstrap race window"); return EPROTO; } else { return 0; @@ -860,6 +862,13 @@ pssl_wait(struct pstream *pstream) poll_fd_wait(pssl->fd, POLLIN); } +static int +pssl_set_dscp(struct pstream *pstream, uint8_t dscp) +{ + struct pssl_pstream *pssl = pssl_pstream_cast(pstream); + return set_dscp(pssl->fd, dscp); +} + const struct pstream_class pssl_pstream_class = { "pssl", true, @@ -867,6 +876,7 @@ const struct pstream_class pssl_pstream_class = { pssl_close, pssl_accept, pssl_wait, + pssl_set_dscp, }; /* @@ -900,9 +910,39 @@ do_ssl_init(void) SSL_library_init(); SSL_load_error_strings(); + if (!RAND_status()) { + /* We occasionally see OpenSSL fail to seed its random number generator + * in heavily loaded hypervisors. I suspect the following scenario: + * + * 1. OpenSSL calls read() to get 32 bytes from /dev/urandom. + * 2. The kernel generates 10 bytes of randomness and copies it out. + * 3. A signal arrives (perhaps SIGALRM). + * 4. The kernel interrupts the system call to service the signal. + * 5. Userspace gets 10 bytes of entropy. + * 6. OpenSSL doesn't read again to get the final 22 bytes. Therefore + * OpenSSL doesn't have enough entropy to consider itself + * initialized. + * + * The only part I'm not entirely sure about is #6, because the OpenSSL + * code is so hard to read. */ + uint8_t seed[32]; + int retval; + + VLOG_WARN("OpenSSL random seeding failed, reseeding ourselves"); + + retval = get_entropy(seed, sizeof seed); + if (retval) { + VLOG_ERR("failed to obtain entropy (%s)", + ovs_retval_to_string(retval)); + return retval > 0 ? retval : ENOPROTOOPT; + } + + RAND_seed(seed, sizeof seed); + } + /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the * cast is needed to avoid a warning with those newer versions. */ - method = (SSL_METHOD *) TLSv1_method(); + method = CONST_CAST(SSL_METHOD *, TLSv1_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT;