
[ovs-dev] bugfix of ovsdb-client connecting error when updating ca_crt.pem file many times

Message ID 621FAA8B3DA4E14193D6933FB72489BA5826613A@nkgeml511-mbx.china.huawei.com
State Changes Requested

Commit Message

Liuyongqiang (A) Oct. 13, 2015, 12:41 p.m. UTC
From 786c6d16ab18197a750f832e4eed1ccfa1183d04 Mon Sep 17 00:00:00 2001
From: YongQiangLiu <liu.liuyongqiang@huawei.com>
Date: Tue, 13 Oct 2015 19:37:32 +0800
Subject: [PATCH] bugfix of ovsdb-client connecting error when updating
 ca_crt.pem file many times

This patch fixes a failure of ovsdb-client to connect that appears after the user has updated the CA certificate file many times (observed after up to 649 updates).

Signed-off-by: YongQiangLiu <liu.liuyongqiang@huawei.com>
---
 lib/stream-ssl.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

Comments

Ben Pfaff Nov. 4, 2015, 4:01 a.m. UTC | #1
On Tue, Oct 13, 2015 at 12:41:14PM +0000, Liuyongqiang (A) wrote:
> From 786c6d16ab18197a750f832e4eed1ccfa1183d04 Mon Sep 17 00:00:00 2001
> From: YongQiangLiu <liu.liuyongqiang@huawei.com>
> Date: Tue, 13 Oct 2015 19:37:32 +0800
> Subject: [PATCH] bugfix of ovsdb-client connecting error when updating
>  ca_crt.pem file many times
> 
> this patch fixed the bug of ovsdb-client connecting failed when user update ca crt
> file upto 649 times
> 
> Signed-off-by: YongQiangLiu <liu.liuyongqiang@huawei.com>

This patch adds two warnings:

../lib/stream-ssl.c:1245:12: error: unused variable 'certs'
      [-Werror,-Wunused-variable]
    X509 **certs;
           ^
../lib/stream-ssl.c:1246:12: error: unused variable 'n_certs'
      [-Werror,-Wunused-variable]
    size_t n_certs;

Please fix them, and please honor the existing code style.

Patch

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 564c94c..a8de4c1 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1245,6 +1245,7 @@  stream_ssl_set_ca_cert_file__(const char *file_name,
     X509 **certs;
     size_t n_certs;
     struct stat s;
+    STACK_OF(X509_NAME) *cert_names = NULL;
 
     if (!update_ssl_config(&ca_cert, file_name) && !force) {
         return;
@@ -1256,23 +1257,9 @@  stream_ssl_set_ca_cert_file__(const char *file_name,
                   "(this is a security risk)");
     } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
-    } else if (!read_cert_file(file_name, &certs, &n_certs)) {
-        size_t i;
-
-        /* Set up list of CAs that the server will accept from the client. */
-        for (i = 0; i < n_certs; i++) {
-            /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
-            if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
-                VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
-                         i, file_name,
-                         ERR_error_string(ERR_get_error(), NULL));
-            } else {
-                log_ca_cert(file_name, certs[i]);
-            }
-            X509_free(certs[i]);
-        }
-        free(certs);
+    } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) {
 
+        SSL_CTX_set_client_CA_list(ctx, cert_names);
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
         SSL_CTX_set_cert_store(ctx, X509_STORE_new());
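Review bot: The rewrite drops the `log_ca_cert(file_name, certs[i])` call that the removed loop made for every accepted CA, so loading or replacing the CA file no longer leaves any record in the log of which CAs the server now accepts from clients; that audit trail is worth keeping even though `SSL_load_client_CA_file` only yields subject names. One way to keep it without re-parsing the file is to log the subject of each entry in `cert_names` before handing the stack to `SSL_CTX_set_client_CA_list`, which takes ownership of it — a fact worth a comment on that line, `/* SSL_CTX_set_client_CA_list takes ownership of cert_names. */`, since nothing in the hunk explains why the stack is never freed. Replacing the list wholesale instead of appending with `SSL_CTX_add_client_CA` on every reload is presumably what keeps the client-CA list from growing on each update, which fits the reported failure after many rewrites, but the commit message should state that cause. The enclosing function `stream_ssl_set_ca_cert_file__` begins before and ends after this hunk.
```c
    } else if ((cert_names = SSL_load_client_CA_file(file_name)) != NULL) {
        int i;

        /* Log the subject of each CA the server will accept from clients,
         * replacing the per-certificate logging the old loop did. */
        for (i = 0; i < sk_X509_NAME_num(cert_names); i++) {
            char subject[256];

            X509_NAME_oneline(sk_X509_NAME_value(cert_names, i),
                              subject, sizeof subject);
            VLOG_INFO("accepting client CA %d from %s: %s",
                      i, file_name, subject);
        }

        /* SSL_CTX_set_client_CA_list takes ownership of cert_names. */
        SSL_CTX_set_client_CA_list(ctx, cert_names);
        /* … unchanged: reset the cert store and load verify locations … */
```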
@@ -1283,6 +1270,8 @@  stream_ssl_set_ca_cert_file__(const char *file_name,
         }
 
         bootstrap_ca_cert = false;
+    }else if (cert_names == NULL) {
+        VLOG_ERR("failed to load client certificates  from %s: %s", file_name, ERR_error_string(ERR_get_error(), NULL));
     }
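Review bot: The new `else if (cert_names == NULL)` is only reached when the preceding `SSL_load_client_CA_file` test was evaluated and failed, i.e. when `cert_names` is already NULL, so the condition is always true and a plain `} else {` expresses the same thing without suggesting a third outcome exists. The message also describes the file as "client certificates" although it is the CA certificate file, and carries a doubled space; I would write `VLOG_ERR("failed to load CA certificates from %s: %s", file_name, ERR_error_string(ERR_get_error(), NULL));`. Note that after this error the function still falls through to `ca_cert.read = true`, so as far as the visible lines show whatever trust store and client-CA list were configured before remain in effect and the file is not re-read until it changes again; that consequence deserves a comment, e.g. `/* Keep the previous CA configuration; retry only when the file changes. */`. `stream_ssl_set_ca_cert_file__` begins before this hunk.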
     ca_cert.read = true;
 }