
stream-ssl.c stream_ssl_set_key_and_cert logic seems to be wrong #365


Description

@rmb938

Function stream_ssl_set_key_and_cert, defined here: https://github.com/openvswitch/ovs/blob/e017142d1b34d3aba3c0962d40575c2e3d6bebcc/lib/stream-ssl.c#L1214

has this in the function doc:

     * This function avoids both problems by, whenever either the certificate or
     * the private key file changes, re-reading both of them, in the correct order.

However the code of the function looks like this, which is doing an AND not an OR. Both files would have to be updated at the same exact time for this logic to work, which doesn't match what the function doc says. If the private key file is updated, then a few moments later the certificate file is updated, this function will always return false and never set the new key or certificate.

    if (update_ssl_config(&private_key, private_key_file)
        && update_ssl_config(&certificate, certificate_file)) {

Details from an unanswered mailing list post from 2020: https://mail.openvswitch.org/pipermail/ovs-discuss/2020-December/050859.html

It looks to me that the function stream_ssl_set_key_and_cert() in
lib/stream-ssl.c is incorrect.

    void
    stream_ssl_set_key_and_cert(const char *private_key_file,
                                const char *certificate_file)
    {
        if (update_ssl_config(&private_key, private_key_file)
            && update_ssl_config(&certificate, certificate_file)) {
            stream_ssl_set_certificate_file__(certificate_file);
            stream_ssl_set_private_key_file__(private_key_file);
        }
    }

  1. Say the private key and the corresponding certificate file were replaced
     on the file system at T0 and T2 respectively.
  2. At T1, the ovn-controller code calls update_ssl_config(private_key) and
     update_ssl_config(certificate_file).
     2a: The first call to update_ssl_config(private_key) returns true and the
     file mtime is updated. The second call to
     update_ssl_config(certificate_file) returns False.
  3. At T3, the ovn-controller code's call to update_ssl_config(private_key)
     will return False, and the modified certificate file will never be picked?

Because of 1 - 3 above, the new files will never be picked by the
ovn-controller. What we have found is that if I delete both the files and
then copy over the private key and certificate files, then it works. This
may be because of how we handle the ENOENT case in update_ssl_config().
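The T0..T3 timeline above can be replayed with a small model of the mtime bookkeeping. The following is an added example, not code from the OVS tree or from the issue author: update_ssl_config_model() is a hypothetical stand-in that only records an integer "mtime" per file (the real update_ssl_config() stats the file and handles ENOENT, neither of which is modelled), and run_scenario() drives the same two-pass timeline through the reported `&&` condition and through a variant that checks both files on every pass and reloads when either changed, which is what the function doc describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: each SSL file remembers the mtime recorded at the last
 * check.  No real files are read; "disk" mtimes are integers set below. */
struct ssl_file {
    long seen_mtime;    /* mtime recorded by the last check */
};

/* Hypothetical stand-in for update_ssl_config(): returns true, and records
 * the new mtime, only when the on-disk mtime differs from the recorded one. */
static bool
update_ssl_config_model(struct ssl_file *f, long disk_mtime)
{
    if (f->seen_mtime == disk_mtime) {
        return false;
    }
    f->seen_mtime = disk_mtime;
    return true;
}

struct sim_result {
    int reloads;             /* how many times key + cert were (re)loaded */
    long loaded_key_mtime;   /* mtime of the key version actually in use */
    long loaded_cert_mtime;  /* mtime of the cert version actually in use */
};

/* One pass of the periodic check.  With short_circuit_and the pass mirrors
 * the reported condition "update(key) && update(cert)"; otherwise both
 * files are checked every pass and a reload happens when either changed. */
static void
check_pass(bool short_circuit_and, struct ssl_file *key, struct ssl_file *cert,
           long disk_key_mtime, long disk_cert_mtime, struct sim_result *r)
{
    bool reload;

    if (short_circuit_and) {
        /* If the key check returns false, the cert check never runs. */
        reload = update_ssl_config_model(key, disk_key_mtime)
                 && update_ssl_config_model(cert, disk_cert_mtime);
    } else {
        bool key_changed = update_ssl_config_model(key, disk_key_mtime);
        bool cert_changed = update_ssl_config_model(cert, disk_cert_mtime);
        reload = key_changed || cert_changed;
    }

    if (reload) {
        r->reloads++;
        r->loaded_key_mtime = key->seen_mtime;
        r->loaded_cert_mtime = cert->seen_mtime;
    }
}

/* Replays the timeline from the mailing-list post: key replaced at T0,
 * check at T1, cert replaced at T2, check at T3.  Both files start with
 * constructed mtime 1 already loaded. */
struct sim_result
run_scenario(bool short_circuit_and)
{
    struct ssl_file key = { .seen_mtime = 1 };
    struct ssl_file cert = { .seen_mtime = 1 };
    long disk_key_mtime = 1;
    long disk_cert_mtime = 1;
    struct sim_result r = { .reloads = 0,
                            .loaded_key_mtime = 1,
                            .loaded_cert_mtime = 1 };

    disk_key_mtime = 2;                                  /* T0: key replaced  */
    check_pass(short_circuit_and, &key, &cert,
               disk_key_mtime, disk_cert_mtime, &r);     /* T1: check        */
    disk_cert_mtime = 3;                                 /* T2: cert replaced */
    check_pass(short_circuit_and, &key, &cert,
               disk_key_mtime, disk_cert_mtime, &r);     /* T3: check        */
    return r;
}

int
main(void)
{
    struct sim_result with_and = run_scenario(true);
    struct sim_result with_or = run_scenario(false);

    printf("&& logic : reloads=%d key=%ld cert=%ld\n",
           with_and.reloads, with_and.loaded_key_mtime, with_and.loaded_cert_mtime);
    printf("|| logic : reloads=%d key=%ld cert=%ld\n",
           with_or.reloads, with_or.loaded_key_mtime, with_or.loaded_cert_mtime);
    return 0;
}
```

With the `&&` condition the model never reloads: the T1 pass records the new key mtime without loading it, so at T3 the key check returns false and the cert check is skipped entirely, leaving the old key and certificate in use. Checking both files on every pass picks up the key at T1 and the certificate at T3. The model says nothing about the ENOENT behaviour the post mentions; it only isolates the short-circuit effect.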
