X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=153357cd78ea7a27eaa3d0f011455e9cc302cfa8;hb=c6278d208924bb04c41266ddca276712f95533bc;hp=785829085046fb927a4d67b2297c362a29230d9d;hpb=415f6c0b1c61c4d957e14062ca4cf47a732e9a24;p=openvswitch

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 78582908..153357cd 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -133,8 +133,7 @@ static SSL_CTX *ctx;
 struct ssl_config_file {
     bool read;                  /* Whether the file was successfully read. */
     char *file_name;            /* Configured file name, if any. */
-    long long int next_retry;   /* If 'file_name' but not 'read', next time to
-                                 * retry reading.  */
+    struct timespec mtime;      /* File mtime as of last time we read it. */
 };
 
 /* SSL configuration files. */
@@ -142,6 +141,11 @@ static struct ssl_config_file private_key;
 static struct ssl_config_file certificate;
 static struct ssl_config_file ca_cert;
 
+/* Ordinarily, the SSL client and server verify each other's certificates using
+ * a CA certificate.  Setting this to false disables this behavior.  (This is a
+ * security risk.) */
+static bool verify_peer_cert = true;
+
 /* Ordinarily, we require a CA certificate for the peer to be locally
  * available.  We can, however, bootstrap the CA certificate from the peer at
  * the beginning of our first connection then use that certificate on all
@@ -205,7 +209,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
         VLOG_ERR("Certificate must be configured to use SSL");
         retval = ENOPROTOOPT;
     }
-    if (!ca_cert.read && !bootstrap_ca_cert) {
+    if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
         VLOG_ERR("CA certificate must be configured to use SSL");
         retval = ENOPROTOOPT;
     }
@@ -244,7 +248,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
         retval = ENOPROTOOPT;
         goto error;
     }
-    if (bootstrap_ca_cert && type == CLIENT) {
+    if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
     }
 
@@ -337,7 +341,7 @@ do_ca_cert_bootstrap(struct stream *stream)
         if (errno == EEXIST) {
             VLOG_INFO("reading CA cert %s created by another process",
                       ca_cert.file_name);
-            stream_ssl_set_ca_cert_file__(ca_cert.file_name, true);
+            stream_ssl_set_ca_cert_file(ca_cert.file_name, true);
             return EPROTO;
         } else {
             VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
@@ -426,9 +430,10 @@ ssl_connect(struct stream *stream)
             }
         } else if (bootstrap_ca_cert) {
             return do_ca_cert_bootstrap(stream);
-        } else if ((SSL_get_verify_mode(sslv->ssl)
-                    & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
-                   != SSL_VERIFY_PEER) {
+        } else if (verify_peer_cert
+                   && ((SSL_get_verify_mode(sslv->ssl)
+                       & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
+                       != SSL_VERIFY_PEER)) {
             /* Two or more SSL connections completed at the same time while we
              * were in bootstrap mode.  Only one of these can finish the
              * bootstrap successfully.  The other one(s) must be rejected
@@ -910,18 +915,46 @@ stream_ssl_is_configured(void)
     return private_key.file_name || certificate.file_name || ca_cert.file_name;
 }
 
+static void
+get_mtime(const char *file_name, struct timespec *mtime)
+{
+    struct stat s;
+
+    if (!stat(file_name, &s)) {
+        mtime->tv_sec = s.st_mtime;
+
+#if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC
+        mtime->tv_nsec = s.st_mtim.tv_nsec;
+#elif HAVE_STRUCT_STAT_ST_MTIMENSEC
+        mtime->tv_nsec = s.st_mtimensec;
+#else
+        mtime->tv_nsec = 0;
+#endif
+    } else {
+        mtime->tv_sec = mtime->tv_nsec = 0;
+    }
+}
+
 static bool
 update_ssl_config(struct ssl_config_file *config, const char *file_name)
 {
-    if (ssl_init()
-        || !file_name
-        || (config->file_name
-            && !strcmp(config->file_name, file_name)
-            && time_msec() < config->next_retry)) {
+    struct timespec mtime;
+
+    if (ssl_init() || !file_name) {
+        return false;
+    }
+
+    /* If the file name hasn't changed and neither has the file contents, stop
+     * here. */
+    get_mtime(file_name, &mtime);
+    if (config->file_name
+        && !strcmp(config->file_name, file_name)
+        && mtime.tv_sec == config->mtime.tv_sec
+        && mtime.tv_nsec == config->mtime.tv_nsec) {
         return false;
     }
 
-    config->next_retry = time_msec() + 60 * 1000;
+    config->mtime = mtime;
     free(config->file_name);
     config->file_name = xstrdup(file_name);
     return true;
@@ -1079,7 +1112,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
     size_t n_certs;
     struct stat s;
 
-    if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
+    if (!strcmp(file_name, "none")) {
+        verify_peer_cert = false;
+        VLOG_WARN("Peer certificate validation disabled "
+                  "(this is a security risk)");
+    } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
     } else if (!read_cert_file(file_name, &certs, &n_certs)) {
         size_t i;