[ovs-dev] [PATCH 1/2] ovs-monitor-ipsec: Various minor cleanups

Justin Pettit jpettit at nicira.com
Wed Dec 29 00:07:29 UTC 2010


A few minor cleanups:

    - Clean out stale peer certs from previous runs
    - Weakly attempt to verify that a certificate is valid, since Racoon
      will refuse to start if it's not.
    - Restart racoon if it can't be reloaded, since it's temperamental

If these changes look good, I'll roll them into the commit that adds
support for certificates, since it hasn't been pushed yet.
---
 debian/ovs-monitor-ipsec |   51 +++++++++++++++++++++++++++++++++++++--------
 1 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 2f0ca2c..360053d 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -20,9 +20,13 @@
 
 # xxx To-do:
 #  - Doesn't actually check that Interface is connected to bridge
+#  - If a certificate is badly formed, Racoon will refuse to start.  We
+#    should do a better job of verifying certificates are valid before
+#    adding an interface to racoon.conf.
 
 
 import getopt
+import glob
 import logging, logging.handlers
 import os
 import subprocess
@@ -112,13 +116,24 @@ path certificate "%s";
         self.psk_hosts = {}
         self.cert_hosts = {}
 
+        # Clean out stale peer certs from previous runs
+        for ovs_cert in glob.glob("%s/ovs-*.pem" % self.cert_dir):
+            os.remove(ovs_cert)
+
         # Replace racoon's conf file with our template
         self.commit()
 
     def reload(self):
         exitcode = subprocess.call(["/etc/init.d/racoon", "reload"])
         if exitcode != 0:
-            s_log.warning("couldn't reload racoon")
+            # Racoon is finicky about it's configuration file and will
+            # refuse to start if it sees something it doesn't like
+            # (e.g., a certificate file doesn't exist).  Try restarting
+            # the process before giving up.
+            s_log.warning("attempting to restart racoon")
+            exitcode = subprocess.call(["/etc/init.d/racoon", "restart"])
+            if exitcode != 0:
+                s_log.warning("couldn't reload racoon")
 
     def commit(self):
         # Rewrite the Racoon configuration file
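Review bot: The final warning after a failed restart still reads `couldn't reload racoon`, which hides that the restart attempt also failed; `s_log.warning("couldn't restart racoon")` (or `s_log.error`, since the daemon is now possibly down rather than merely stale) would describe the state a reader of the log actually needs. In the stale-cert cleanup, `os.remove(ovs_cert)` is unguarded, so a file that vanishes or is unwritable between the `glob` and the remove raises OSError out of the constructor and aborts startup; wrapping it in a `try`/`except OSError` that logs the path and continues keeps the cleanup best-effort, and `glob.glob(os.path.join(self.cert_dir, "ovs-*.pem"))` avoids the hand-built path. The method containing the cleanup loop starts outside this hunk.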
@@ -155,6 +170,31 @@ path certificate "%s";
         self.psk_hosts[host] = psk
         self.commit()
 
+    def _verify_certs(self, vals):
+        # Racoon will refuse to start if the certificate files don't
+        # exist, so verify that they're there.
+        if not os.path.isfile(vals["certificate"]):
+            raise error.Error("'certificate' file does not exist: %s"
+                    % vals["certificate"])
+        elif not os.path.isfile(vals["private_key"]):
+            raise error.Error("'private_key' file does not exist: %s"
+                    % vals["private_key"])
+
+        # Racoon won't start if a given certificate or private key isn't
+        # valid.  This is a weak test, but will detect the most flagrant
+        # errors.
+        if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1:
+            raise error.Error("'peer_cert' is not in valid PEM format")
+
+        cert = open(vals["certificate"]).read()
+        if cert.find("-----BEGIN CERTIFICATE-----") == -1:
+            raise error.Error("'certificate' is not in valid PEM format")
+
+        cert = open(vals["private_key"]).read()
+        if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1:
+            raise error.Error("'private_key' is not in valid PEM format")
+            
+
     def _add_cert(self, host, vals):
         if host in self.psk_hosts:
             raise error.Error("host %s already defined for psk" % host)
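Review bot: The private-key check on the `-----BEGIN RSA PRIVATE KEY-----` line accepts only the PKCS#1 header, so a key written in PKCS#8 form (`-----BEGIN PRIVATE KEY-----`) is rejected as "not in valid PEM format" even if the file is otherwise fine; unless Racoon is known to require PKCS#1 (I can't tell from here), the accepted headers should be a tuple. The two `open(...).read()` calls also never close the file explicitly, and the second buffer holds a key, not a certificate, so the local name `cert` misleads; a `with` block and a `key` name fix both. A one-line docstring such as `"""Check that the cert/key files exist and carry PEM headers; this is not chain or key validation."""` would make the weak guarantee explicit to callers, and the whitespace-only line after the last `raise` should be dropped.
```python
        # … unchanged: existence checks and peer_cert header check …

        with open(vals["certificate"]) as f:
            cert = f.read()
        if "-----BEGIN CERTIFICATE-----" not in cert:
            raise error.Error("'certificate' is not in valid PEM format")

        # Keys may be stored in PKCS#1 or PKCS#8 form; accept either
        # header (confirm against what Racoon actually loads).
        key_headers = ("-----BEGIN RSA PRIVATE KEY-----",
                       "-----BEGIN PRIVATE KEY-----")
        with open(vals["private_key"]) as f:
            key = f.read()
        if not any(h in key for h in key_headers):
            raise error.Error("'private_key' is not in valid PEM format")
```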
@@ -170,14 +210,7 @@ path certificate "%s";
             vals = vals.copy()
             vals["private_key"] = vals["certificate"]
 
-        # Racoon will refuse to start if the certificate files don't
-        # exist, so verify that they're there.
-        if not os.path.isfile(vals["certificate"]):
-            raise error.Error("'certificate' file does not exist: %s"
-                    % vals["certificate"])
-        elif not os.path.isfile(vals["private_key"]):
-            raise error.Error("'private_key' file does not exist: %s"
-                    % vals["private_key"])
+        self._verify_certs(vals)
 
         # The peer's certificate comes to us in PEM format as a string.
         # Write that string to a file for Racoon to use.
-- 
1.7.1




