X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=lib%2Fstream-ssl.c;h=f2d5037ad32718e18c0ed7e8289bdcf0fd5b1fd4;hb=e0edde6fee279cdbbf3c179f5f50adaf0c7c7f1e;hp=4d7c7c4dd15395dfe214091403be9555667e4587;hpb=932df1237b64fcb80c23acb2177bfe659654220a;p=sliver-openvswitch.git diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 4d7c7c4dd..f2d5037ad 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks. + * Copyright (c) 2008, 2009, 2010, 2011 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -204,8 +204,8 @@ want_to_poll_events(int want) static int new_ssl_stream(const char *name, int fd, enum session_type type, - enum ssl_state state, const struct sockaddr_in *remote, - struct stream **streamp) + enum ssl_state state, const struct sockaddr_in *remote, + struct stream **streamp) { struct sockaddr_in local; socklen_t local_len = sizeof local; @@ -307,7 +307,7 @@ ssl_stream_cast(struct stream *stream) } static int -ssl_open(const char *name, char *suffix, struct stream **streamp) +ssl_open(const char *name, char *suffix, struct stream **streamp, uint8_t dscp) { struct sockaddr_in sin; int error, fd; @@ -317,7 +317,8 @@ ssl_open(const char *name, char *suffix, struct stream **streamp) return error; } - error = inet_open_active(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin, &fd); + error = inet_open_active(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin, &fd, + dscp); if (fd >= 0) { int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING; return new_ssl_stream(name, fd, CLIENT, state, &sin, streamp); @@ -413,6 +414,7 @@ do_ca_cert_bootstrap(struct stream *stream) if (!cert) { out_of_memory(); } + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -751,8 +753,9 @@ ssl_wait(struct stream *stream, enum stream_wait_type wait) } } -struct stream_class ssl_stream_class = { +const struct stream_class ssl_stream_class = { "ssl", /* name */ + true, /* needs_probes */ ssl_open, /* open */ ssl_close, /* close */ ssl_connect, /* connect */ @@ -771,7 +774,7 @@ struct pssl_pstream int fd; }; -struct pstream_class pssl_pstream_class; +const struct pstream_class pssl_pstream_class; static struct pssl_pstream * pssl_pstream_cast(struct pstream *pstream) @@ -781,7 +784,8 @@ pssl_pstream_cast(struct pstream *pstream) } static int -pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp) +pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp, + uint8_t dscp) { struct pssl_pstream *pssl; struct sockaddr_in sin; @@ -794,7 +798,7 @@ pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp) return retval; } - fd = inet_open_passive(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin); + fd = inet_open_passive(SOCK_STREAM, suffix, OFP_SSL_PORT, &sin, dscp); if (fd < 0) { return -fd; } @@ -846,7 +850,7 @@ pssl_accept(struct pstream *pstream, struct stream **new_streamp) sprintf(strchr(name, '\0'), ":%"PRIu16, ntohs(sin.sin_port)); } return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING, &sin, - new_streamp); + new_streamp); } static void @@ -856,8 +860,9 @@ pssl_wait(struct pstream *pstream) poll_fd_wait(pssl->fd, POLLIN); } -struct pstream_class pssl_pstream_class = { +const struct pstream_class pssl_pstream_class = { "pssl", + true, pssl_open, pssl_close, pssl_accept, @@ -1215,6 +1220,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL));