[ovs-dev] [PATCH 1/7] stream-ssl: Permit race in bootstrapping CA certificate.

Ben Pfaff blp at nicira.com
Fri Mar 19 00:13:14 UTC 2010


If two processes were both configured to bootstrap the CA certificate, then
one of them would succeed in writing it to a file and use it, and the other
one would fail to use it because the file was created behind its back.
This commit fixes the problem by making the bootstrap code accept a CA
certificate file that exists at the time that bootstrapping tries to create
it.
---
 lib/stream-ssl.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 51ce306..004a5e4 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -327,9 +327,16 @@ do_ca_cert_bootstrap(struct stream *stream)
 
     fd = open(ca_cert_file, O_CREAT | O_EXCL | O_WRONLY, 0444);
     if (fd < 0) {
-        VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
-                 ca_cert_file, strerror(errno));
-        return errno;
+        if (errno == EEXIST) {
+            VLOG_INFO("reading CA cert %s created by another process",
+                      ca_cert_file);
+            stream_ssl_set_ca_cert_file(ca_cert_file, true);
+            return EPROTO;
+        } else {
+            VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
+                     ca_cert_file, strerror(errno));
+            return errno;
+        }
     }
 
     file = fdopen(fd, "w");
-- 
1.6.6.1





More information about the dev mailing list