Merge pull request xapi-project#17 from thomassa/back-compat-switch

CP-12512 A switch to set stunnel protocol version

Author: thomassa

stunnel/stunnel.ml

@@ -13,6 +13,9 @@
  *)
 (* Copyright (C) 2007 XenSource Inc *)
 
+module D=Debug.Make(struct let name="stunnel" end)
+open D
+
 open Printf
 open Pervasiveext
 open Xstringext
@@ -33,6 +36,11 @@ let stunnel_logger = ref ignore
 
 let timeoutidle = ref None
 
+let legacy_protocol_and_ciphersuites_allowed = ref true
+
+let is_legacy_protocol_and_ciphersuites_allowed () =
+	!legacy_protocol_and_ciphersuites_allowed
+
 let init_stunnel_path () =
 	try cached_stunnel_path := Some (Unix.getenv "XE_STUNNEL")
 	with Not_found ->
@@ -116,50 +124,83 @@ type t = { mutable pid: pid; fd: Unix.file_descr; host: string; port: int;
 	   unique_id: int option;
 	   mutable logfile: string;
 	   verified: bool;
+	   legacy: bool;
 	 }
 
-let config_file verify_cert extended_diagnosis host port = 
-	let lines = ["client=yes"; "foreground=yes"; "socket = r:TCP_NODELAY=1"; "socket = r:SO_KEEPALIVE=1"; "socket = a:SO_KEEPALIVE=1";
-							 (match !timeoutidle with None -> "" | Some x -> Printf.sprintf "TIMEOUTidle = %d" x);
-							 Printf.sprintf "connect=%s:%d" host port] @
-    (if extended_diagnosis then
-       ["debug=4"]
-     else
-       []) @
-    (if verify_cert then
-       ["verify=2";
-        sprintf "CApath=%s" certificate_path;
-        sprintf "CRLpath=%s" crl_path]
-     else
-       [])
+let config_file verify_cert extended_diagnosis host port legacy =
+
+    let good_ciphers = "!EXPORT:TLSv1.2" in
+    let back_compat_ciphers = "RSA+AES256-SHA:RSA+AES128-SHA:RSA+RC4-SHA:RSA+RC4-MD5:RSA+DES-CBC3-SHA" in
+
+	let lines = [
+		"client=yes"; "foreground=yes"; "socket = r:TCP_NODELAY=1"; "socket = r:SO_KEEPALIVE=1"; "socket = a:SO_KEEPALIVE=1";
+		(match !timeoutidle with None -> "" | Some x -> Printf.sprintf "TIMEOUTidle = %d" x);
+		Printf.sprintf "connect=%s:%d" host port;
+		"fips = no"; (* stunnel fips-mode stops us using sslVersion other than TLSv1 which means 1.0 only. *)
+	] @	(if extended_diagnosis then
+			["debug=4"]
+		else
+			[]
+	) @ (
+		if verify_cert then
+			["verify=2";
+			sprintf "CApath=%s" certificate_path;
+			sprintf "CRLpath=%s" crl_path]
+		else
+			[]
+	) @ (
+		if legacy then [
+			"sslVersion = all";
+			"options = NO_SSLv2";
+			"options = NO_SSLv3";
+			"ciphers = " ^ good_ciphers ^ ":" ^ back_compat_ciphers;
+		] else [
+			"sslVersion = TLSv1.2";
+			"ciphers = " ^ good_ciphers;
+		]
+	)
   in
     String.concat "" (List.map (fun x -> x ^ "\n") lines)
 
+let set_legacy_protocol_and_ciphersuites_allowed b =
+	legacy_protocol_and_ciphersuites_allowed := b;
+	info "legacy-config %B; example: %s" b
+		(String.escaped (config_file false false "dummyhost" 443 b))
+
 let ignore_exn f x = try f x with _ -> ()
 
-let rec disconnect ?(wait = true) ?(force = false) x = 
+let rec disconnect ?(wait = true) ?(force = false) x =
   List.iter (ignore_exn Unix.close) [ x.fd ];
-  let waiter, pid = match x.pid with
-    | FEFork pid ->
-        (fun () -> 
-           (if wait then Forkhelpers.waitpid 
-            else Forkhelpers.waitpid_nohang) pid),
-        Forkhelpers.getpid pid
-    | StdFork pid -> 
-        (fun () -> 
-           (if wait then Unix.waitpid [] 
-            else Unix.waitpid [Unix.WNOHANG]) pid),
-        pid in
-  let res = 
-    try waiter ()
-    with Unix.Unix_error (Unix.ECHILD, _, _) -> pid, Unix.WEXITED 0 in
-  match res with
-  | 0, _ when force ->
-      (try Unix.kill pid Sys.sigkill 
-       with Unix.Unix_error (Unix.ESRCH, _, _) ->());
-      disconnect ~wait:wait ~force:force x
-  | _ -> ()
 
+  let do_disc waiter pid =
+    let res =
+      try waiter ()
+      with Unix.Unix_error (Unix.ECHILD, _, _) -> pid, Unix.WEXITED 0 in
+    match res with
+    | 0, _ when force ->
+        (try Unix.kill pid Sys.sigkill 
+         with Unix.Unix_error (Unix.ESRCH, _, _) ->());
+        disconnect ~wait:wait ~force:force x
+    | _ -> ()
+  in
+  let verbose = x.legacy && not (!legacy_protocol_and_ciphersuites_allowed) in
+  match x.pid with
+    | FEFork fpid ->
+        let pid_int = Forkhelpers.getpid fpid in
+        if verbose then info "Disconnecting FEFork %d" pid_int;
+        do_disc
+          (fun () ->
+             (if wait then Forkhelpers.waitpid 
+              else Forkhelpers.waitpid_nohang) fpid)
+          pid_int
+    | StdFork pid ->
+        if verbose then info "Disconnecting StdFork %d" pid;
+        do_disc
+          (fun () ->
+             (if wait then Unix.waitpid []
+              else Unix.waitpid [Unix.WNOHANG]) pid)
+          pid
+    | Nopid -> if verbose then info "Disconnecting Nopid"
 
 (* With some probability, stunnel fails during its startup code before it reads
    the config data from us. Therefore we get a SIGPIPE writing the config data.
@@ -189,10 +230,13 @@ let attempt_one_connect ?unique_id ?(use_fork_exec_helper = true)
       ["-fd"; if use_fork_exec_helper then config_out_uuid else config_out_fd]
     end in
   let data_out,data_in = Unix.socketpair Unix.PF_UNIX Unix.SOCK_STREAM 0 in
+  (* Dereference just once to ensure we are consistent in t and config_file *)
+  let legacy = !legacy_protocol_and_ciphersuites_allowed in
   let t = 
     { pid = Nopid; fd = data_out; host = host; port = port; 
       connected_time = Unix.gettimeofday (); unique_id = unique_id; 
-      logfile = ""; verified = verify_cert } in
+      logfile = ""; verified = verify_cert;
+	  legacy = legacy } in
   let result = Forkhelpers.with_logfile_fd "stunnel"
     ~delete:(not extended_diagnosis)
     (fun logfd ->
@@ -218,7 +262,7 @@ let attempt_one_connect ?unique_id ?(use_fork_exec_helper = true)
 	       (fun () ->
             match config_in with
             | Some fd -> begin
-	              let config = config_file verify_cert extended_diagnosis host port in
+	              let config = config_file verify_cert extended_diagnosis host port legacy in
 	              (* Catch the occasional initialisation failure of stunnel: *)
 	              try
 	                let n = Unix.write fd config 0 (String.length config) in

stunnel/stunnel.mli

@@ -37,6 +37,7 @@ type t = { mutable pid: pid;
 	   unique_id: int option;
 	   mutable logfile: string;
 	   verified: bool;
+	   legacy: bool;
 	 }
 
 (** Connects via stunnel (optionally via an external 'fork/exec' helper) to
@@ -60,3 +61,7 @@ val diagnose_failure : t -> unit
 val test : string -> int -> unit
 
 val must_verify_cert : bool option -> bool
+
+val set_legacy_protocol_and_ciphersuites_allowed : bool -> unit
+
+val is_legacy_protocol_and_ciphersuites_allowed : unit -> bool

stunnel/stunnel_cache.ml

@@ -78,19 +78,22 @@ let unlocked_gc () =
   let all_ids = Hashtbl.fold (fun k _ acc -> k :: acc) !stunnels [] in
 
   let to_gc = ref [] in
-  (* Find the ones which are too old *)
+  (* Find the ones which are too old or have unwanted legacy config *)
   let now = Unix.gettimeofday () in
   Hashtbl.iter
     (fun idx stunnel ->
        let time = Hashtbl.find !times idx in
        let idle = now -. time in
        let age = now -. stunnel.Stunnel.connected_time in
-       if age > max_age then begin
-	 debug "Expiring stunnel id %s; age (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_age;
-	 to_gc := idx :: !to_gc
+       if stunnel.Stunnel.legacy && not (Stunnel.is_legacy_protocol_and_ciphersuites_allowed ()) then (
+         info "Expiring stunnel id %s because it is legacy-mode." (id_of_stunnel stunnel);
+         to_gc := idx :: !to_gc
+       ) else if age > max_age then begin
+         debug "Expiring stunnel id %s; age (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_age;
+         to_gc := idx :: !to_gc
        end else if idle > max_idle then begin
-	 debug "Expiring stunnel id %s; idle (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_idle;
-	 to_gc := idx :: !to_gc
+         debug "Expiring stunnel id %s; idle (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_idle;
+         to_gc := idx :: !to_gc
        end) !stunnels;
   let num_remaining = List.length all_ids - (List.length !to_gc) in
   if num_remaining > max_stunnel then begin
@@ -132,27 +135,32 @@ let gc () = Mutex.execute m unlocked_gc
 
 let counter = ref 0
 
-let add (x: Stunnel.t) = 
-  let now = Unix.gettimeofday () in
-  Mutex.execute m
-    (fun () ->
-       let idx = !counter in
-       incr counter;
-       Hashtbl.add !times idx now;
-       Hashtbl.add !stunnels idx x;
-       let ep = { host = x.Stunnel.host; port = x.Stunnel.port; verified = x.Stunnel.verified } in
-       let existing = 
-	 if Hashtbl.mem !index ep
-	 then Hashtbl.find !index ep
-	 else [] in
-       Hashtbl.replace !index ep (idx :: existing);
-       debug "Adding stunnel id %s (idle %.2f) to the cache"
-	     (id_of_stunnel x) 0.;
-       unlocked_gc ()
-    )
-  
+let add (x: Stunnel.t) =
+	if x.Stunnel.legacy && not (Stunnel.is_legacy_protocol_and_ciphersuites_allowed ()) then (
+		info "Legacy-protocol stunnel (id=%s) not allowed in cache: disconnecting." (id_of_stunnel x);
+		Stunnel.disconnect ~force:true x
+	) else (
+		let now = Unix.gettimeofday () in
+		Mutex.execute m (fun () ->
+			let idx = !counter in
+			incr counter;
+			Hashtbl.add !times idx now;
+			Hashtbl.add !stunnels idx x;
+			let ep = { host = x.Stunnel.host; port = x.Stunnel.port; verified = x.Stunnel.verified } in
+			let existing =
+				if Hashtbl.mem !index ep
+				then Hashtbl.find !index ep
+				else [] in
+			Hashtbl.replace !index ep (idx :: existing);
+			debug "Adding stunnel id %s (idle %.2f) to the cache"
+				(id_of_stunnel x) 0.;
+			unlocked_gc ()
+		)
+	)
+
 (** Returns an Stunnel.t for this endpoint (oldest first), raising Not_found
-    if none can be found *)
+    if none can be found. First performs a garbage-collection, which discards
+    legacy-config and expired stunnels if needed. *)
 let remove host port verified =
   let ep = { host = host; port = port; verified = verified } in
   Mutex.execute m
@@ -179,7 +187,7 @@ let remove host port verified =
 let flush () =
   Mutex.execute m 
     (fun () ->
-      info "Flushing cache";
+      info "Flushing cache of all %d stunnels." (Hashtbl.length !stunnels);
       Hashtbl.iter (fun id st -> Stunnel.disconnect st) !stunnels;
       Hashtbl.clear !stunnels;
       Hashtbl.clear !times;
@@ -191,6 +199,5 @@ let connect ?use_fork_exec_helper ?write_to_log host port verify_cert =
   try
     remove host port verify_cert
   with Not_found ->
-    error "Failed to find stunnel in cache for endpoint %s:%d" host port;
+    info "connect did not find cached stunnel for endpoint %s:%d" host port;
     Stunnel.connect ?use_fork_exec_helper ?write_to_log ~verify_cert host port
-