X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=84c1a115739918b66a3f6e3e6f1ce0dc2f706f42;hb=6767a2cce9a6412b3a41a927c4d56b9f0e1ec36f;hp=9c7533d1e6346b8e4634f0220262d852dd43c773;hpb=2a022368f4b37559de5d5621a88c648023493f75;p=openvswitch diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 9c7533d1..84c1a115 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010 Nicira Networks. + * Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -45,7 +45,10 @@ #include "timeval.h" #include "vlog.h" -VLOG_DEFINE_THIS_MODULE(stream_ssl) +VLOG_DEFINE_THIS_MODULE(stream_ssl); + +COVERAGE_DEFINE(ssl_session); +COVERAGE_DEFINE(ssl_session_reused); /* Active SSL. */ @@ -460,12 +463,6 @@ ssl_cache_session(struct stream *stream) struct ssl_stream *sslv = ssl_stream_cast(stream); SSL_SESSION *session; - /* Statistics. */ - COVERAGE_INC(ssl_session); - if (SSL_session_reused(sslv->ssl)) { - COVERAGE_INC(ssl_session_reused); - } - /* Get session from stream. */ session = SSL_get1_session(sslv->ssl); if (session) { @@ -487,12 +484,6 @@ ssl_cache_session(struct stream *stream) } } } - } else { - /* There is no new session. This doesn't really make sense because - * this function is only called upon successful connection and there - * should always be a new session in that case. But I don't trust - * OpenSSL so I'd rather handle this case anyway. */ - ssl_flush_session(stream); } } @@ -572,8 +563,10 @@ ssl_connect(struct stream *stream) VLOG_ERR("rejecting SSL connection during bootstrap race window"); return EPROTO; } else { - if (sslv->type == CLIENT) { - ssl_cache_session(stream); + /* Statistics. */ + COVERAGE_INC(ssl_session); + if (SSL_session_reused(sslv->ssl)) { + COVERAGE_INC(ssl_session_reused); } return 0; } @@ -595,6 +588,8 @@ ssl_close(struct stream *stream) * background. */ SSL_shutdown(sslv->ssl); + ssl_cache_session(stream); + /* SSL_shutdown() might have signaled an error, in which case we need to * flush it out of the OpenSSL error queue or the next OpenSSL operation * will falsely signal an error. */ @@ -988,7 +983,9 @@ do_ssl_init(void) SSL_library_init(); SSL_load_error_strings(); - method = TLSv1_method(); + /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the + * cast is needed to avoid a warning with those newer versions. */ + method = (SSL_METHOD *) TLSv1_method(); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; @@ -1006,6 +1003,17 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + /* We have to set a session context ID string in 'ctx' because OpenSSL + * otherwise refuses to use a cached session on the server side when + * SSL_VERIFY_PEER is set. And it not only refuses to use the cached + * session, it actually generates an error and kills the connection. + * According to a comment in ssl_get_prev_session() in OpenSSL's + * ssl/ssl_sess.c, this is intentional behavior. + * + * Any context string is OK, as long as one is set. */ + SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE, + strlen(PACKAGE)); + return 0; } @@ -1286,7 +1294,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) for (i = 0; i < n_certs; i++) { /* SSL_CTX_add_client_CA makes a copy of the relevant data. */ if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) { - VLOG_ERR("failed to add client certificate %d from %s: %s", + VLOG_ERR("failed to add client certificate %zu from %s: %s", i, file_name, ERR_error_string(ERR_get_error(), NULL)); } else {