From patchwork Tue Oct 13 12:41:14 2015
X-Patchwork-Submitter: "Liuyongqiang (A)"
X-Patchwork-Id: 529720
From: "Liuyongqiang (A)"
To: "Liuyongqiang (A)", "dev@openvswitch.org"
Cc: "Chengwentao (Vintorcheng)", Lichunhe, Qianhuibin
Date: Tue, 13 Oct 2015 12:41:14 +0000
Message-ID: <621FAA8B3DA4E14193D6933FB72489BA5826613A@nkgeml511-mbx.china.huawei.com>
References: <621FAA8B3DA4E14193D6933FB72489BA58265FCF@nkgeml511-mbx.china.huawei.com> <20151012163004.GB2651@nicira.com>
Subject: [ovs-dev] [PATCH] bugfix of ovsdb-client connecting error when updating ca_crt.pem file many times
From 786c6d16ab18197a750f832e4eed1ccfa1183d04 Mon Sep 17 00:00:00 2001
From: YongQiangLiu
Date: Tue, 13 Oct 2015 19:37:32 +0800
Subject: [PATCH] bugfix of ovsdb-client connecting error when updating ca_crt.pem file many times

This patch fixes the bug where ovsdb-client fails to connect after the user updates the CA cert file up to 649 times.

Signed-off-by: YongQiangLiu
---
 lib/stream-ssl.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 564c94c..a8de4c1 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1245,6 +1245,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, X509 **certs; size_t n_certs; struct stat s; + STACK_OF(X509_NAME) *cert_names = NULL; if (!update_ssl_config(&ca_cert, file_name) && !force) { return; @@ -1256,23 +1257,9 @@ stream_ssl_set_ca_cert_file__(const char *file_name, "(this is a security risk)"); } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; - } else if (!read_cert_file(file_name, &certs, &n_certs)) { - size_t i; - - /* Set up list of CAs that the server will accept from the client. */ - for (i = 0; i < n_certs; i++) { - /* SSL_CTX_add_client_CA makes a copy of the relevant data. */ - if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) { - VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s", - i, file_name, - ERR_error_string(ERR_get_error(), NULL)); - } else { - log_ca_cert(file_name, certs[i]); - } - X509_free(certs[i]); - } - free(certs); + } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) { + SSL_CTX_set_client_CA_list(ctx, cert_names); /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ SSL_CTX_set_cert_store(ctx, X509_STORE_new()); 
@@ -1283,6 +1270,8 @@ stream_ssl_set_ca_cert_file__(const char *file_name, } bootstrap_ca_cert = false; + }else if (cert_names == NULL) { + VLOG_ERR("failed to load client certificates from %s: %s", file_name, ERR_error_string(ERR_get_error(), NULL)); } ca_cert.read = true; }
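Review bot: in the first hunk (@@ -1245,6 +1245,7 @@), `X509 **certs;` and `size_t n_certs;` stay declared beside the new `STACK_OF(X509_NAME) *cert_names = NULL;`, but their only uses, the `read_cert_file(file_name, &certs, &n_certs)` branch and the loop over `certs[i]`, are deleted in the second hunk, so after this patch both are unused variables and will fail the build under -Wunused-variable with -Werror; remove both declarations in this hunk.

Review bot: in the second hunk (@@ -1256,23 +1257,9 @@), swapping the `SSL_CTX_add_client_CA` loop for `SSL_load_client_CA_file` plus `SSL_CTX_set_client_CA_list` is the real fix and the commit message should say why: SSL_CTX_add_client_CA appends to the context's existing client-CA list, so every reload of the CA file made the list the server sends in its CertificateRequest longer, which is consistent with the connection failing only after hundreds of reloads, whereas SSL_CTX_set_client_CA_list replaces and frees the previous list. Two smaller points: the stray space in `SSL_load_client_CA_file(file_name) )` should go, and deleting `log_ca_cert(file_name, certs[i]);` removes the only place each accepted CA was logged, which is what an operator looks at when the wrong ca_crt.pem has been installed; consider walking `cert_names` with `sk_X509_NAME_num()`/`sk_X509_NAME_value()` and logging each subject name so that diagnostic is kept.

Review bot: in the third hunk (@@ -1283,6 +1270,8 @@), `}else if (cert_names == NULL) {` is only reached when every earlier condition in the chain was false, including `(cert_names = SSL_load_client_CA_file(file_name)) != NULL`, so `cert_names` is necessarily NULL there and the test is redundant: make it a plain `} else {`. Also add the space after `}` and wrap the VLOG_ERR call, which runs far past the 79-column limit used elsewhere in this file, e.g. `VLOG_ERR("failed to load client certificates from %s: %s",` / `file_name, ERR_error_string(ERR_get_error(), NULL));`. Falling through to `ca_cert.read = true;` on failure matches what the removed read_cert_file branch did, so that part is fine to keep.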