X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=27c9d4c92de6a440df9e41e8ada5978953f4a992;hb=26efd2563bf76547cf38da49ec83997e091b2517;hp=215934d160f27c83bfd822ab2066f7a8ffdb2c2f;hpb=9cb0788702e6187eafccabba0758095ced04552c;p=openvswitch diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 215934d1..27c9d4c9 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -37,7 +37,6 @@ #include "packets.h" #include "poll-loop.h" #include "socket-util.h" -#include "socket-util.h" #include "util.h" #include "stream-provider.h" #include "stream.h" @@ -141,6 +140,11 @@ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; +/* Ordinarily, the SSL client and server verify each other's certificates using + * a CA certificate. Setting this to false disables this behavior. (This is a + * security risk.) */ +static bool verify_peer_cert = true; + /* Ordinarily, we require a CA certificate for the peer to be locally * available. We can, however, bootstrap the CA certificate from the peer at * the beginning of our first connection then use that certificate on all @@ -204,7 +208,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!ca_cert.read && !bootstrap_ca_cert) { + if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } @@ -243,7 +247,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, retval = ENOPROTOOPT; goto error; } - if (bootstrap_ca_cert && type == CLIENT) { + if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } @@ -334,10 +338,9 @@ do_ca_cert_bootstrap(struct stream *stream) fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); if (fd < 0) { if (errno == EEXIST) { - VLOG_INFO("CA cert %s created by another process", + VLOG_INFO("reading CA cert %s created by another process", ca_cert.file_name); - /* We'll read it the next time around the main loop because - * update_ssl_config() will see that it now exists. */ + stream_ssl_set_ca_cert_file(ca_cert.file_name, true); return EPROTO; } else { VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", @@ -426,9 +429,10 @@ ssl_connect(struct stream *stream) } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); - } else if ((SSL_get_verify_mode(sslv->ssl) - & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) - != SSL_VERIFY_PEER) { + } else if (verify_peer_cert + && ((SSL_get_verify_mode(sslv->ssl) + & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) + != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected @@ -910,26 +914,6 @@ stream_ssl_is_configured(void) return private_key.file_name || certificate.file_name || ca_cert.file_name; } -static void -get_mtime(const char *file_name, struct timespec *mtime) -{ - struct stat s; - - if (!stat(file_name, &s)) { - mtime->tv_sec = s.st_mtime; - -#if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC - mtime->tv_nsec = s.st_mtim.tv_nsec; -#elif HAVE_STRUCT_STAT_ST_MTIMENSEC - mtime->tv_nsec = s.st_mtimensec; -#else - mtime->tv_nsec = 0; -#endif - } else { - mtime->tv_sec = mtime->tv_nsec = 0; - } -} - static bool update_ssl_config(struct ssl_config_file *config, const char *file_name) { @@ -949,9 +933,12 @@ update_ssl_config(struct ssl_config_file *config, const char *file_name) return false; } + /* Update 'config'. */ config->mtime = mtime; - free(config->file_name); - config->file_name = xstrdup(file_name); + if (file_name != config->file_name) { + free(config->file_name); + config->file_name = xstrdup(file_name); + } return true; } @@ -1107,7 +1094,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) size_t n_certs; struct stat s; - if (bootstrap && stat(file_name, &s) && errno == ENOENT) { + if (!strcmp(file_name, "none")) { + verify_peer_cert = false; + VLOG_WARN("Peer certificate validation disabled " + "(this is a security risk)"); + } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; } else if (!read_cert_file(file_name, &certs, &n_certs)) { size_t i;