[ovs-dev] [PATCH 1/6] stream: store stream peer id with stream state

Ben Pfaff blp at ovn.org
Thu May 4 22:18:28 UTC 2017


On Mon, May 01, 2017 at 10:13:02AM -0400, Lance Richardson wrote:
> Track authenticated stream peer ID. For SSL connections, the
> authenticated ID is the CN (Common Name) field extracted from
> the peer's SSL certificate.
> 
> Signed-off-by: Lance Richardson <lrichard at redhat.com>

Looks good, thanks!

I moved declarations closer to initializations, to make it easier to
convince myself that variables were not used uninitialized, as shown
below, and applied this to master.

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index b083da64d71b..97d6e7464bf5 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -423,32 +423,29 @@ do_ca_cert_bootstrap(struct stream *stream)
 static char *
 get_peer_common_name(const struct ssl_stream *sslv)
 {
-    X509_NAME_ENTRY *cn_entry;
-    ASN1_STRING *cn_data;
-    X509 *peer_cert;
-    int cn_index;
-    const char *cn;
-
-    peer_cert = SSL_get_peer_certificate(sslv->ssl);
+    X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
     if (!peer_cert) {
         return NULL;
     }
-    cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert),
-                                          NID_commonName, -1);
+
+    int cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert),
+                                              NID_commonName, -1);
     if (cn_index < 0) {
         return NULL;
     }
 
-    cn_entry = X509_NAME_get_entry(X509_get_subject_name(peer_cert), cn_index);
+    X509_NAME_ENTRY *cn_entry = X509_NAME_get_entry(
+        X509_get_subject_name(peer_cert), cn_index);
     if (!cn_entry) {
         return NULL;
     }
 
-    cn_data = X509_NAME_ENTRY_get_data(cn_entry);
+    ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(cn_entry);
     if (!cn_data) {
         return NULL;
     }
 
+    const char *cn;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
     /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
     cn = (const char *)ASN1_STRING_data(cn_data);
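Review bot: the early-return paths in this hunk leak the peer certificate. `SSL_get_peer_certificate()` returns a new reference, so the `return NULL` after `cn_index < 0`, after `!cn_entry`, and after `!cn_data` each drop `peer_cert` without an `X509_free(peer_cert)`; a single cleanup label (`goto error;` with `X509_free(peer_cert)` under it) would cover all three and anything after the `#if` as well. Related caveat on the last visible line: `(const char *)ASN1_STRING_data(cn_data)` treats the CN as a C string, but an ASN1_STRING is length-delimited and may contain embedded NUL bytes; if the value is later compared or copied as a NUL-terminated string, it is worth checking `ASN1_STRING_length(cn_data) == strlen(cn)` and rejecting a mismatch before trusting the name as the peer ID.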