CP-29196: Enable FIPS mode if existence of cc preparations (xapi-project#3722)

minli1 · robhoes · commit d22816b5f166 · 2018-10-11T11:12:24.000+01:00
* CP-29196: Enable FIPS mode if existence of cc preparations

* pool-cert-install use trust instead of rehas
* Add uninstall
* Add update ca bundle script
* Rework comments
1. Add function 'update_ca_bundle'.
2. Define 'certificate_path' in xapi instead of Stunnel.
3. Refine 'CC_PREPARATIONS' checking to highlight 'x' dummy
* Use temp file in 'update-ca-bundle.sh' to avoid potential incomplete file

Signed-off-by: Min Li &lt;min.li1@citrix.com&gt;
diff --git a/ocaml/xapi/certificates.ml b/ocaml/xapi/certificates.ml
@@ -28,8 +28,10 @@ let c_rehash = "/usr/bin/c_rehash"
 let pem_certificate_header = "-----BEGIN CERTIFICATE-----"
 let pem_certificate_footer = "-----END CERTIFICATE-----"
 
+let certificate_path = "/etc/stunnel/certs"
+
 let library_path is_cert =
-  if is_cert then Stunnel.certificate_path else Stunnel.crl_path
+  if is_cert then certificate_path else Stunnel.crl_path
 
 let library_filename is_cert name =
   Filename.concat (library_path is_cert) name
@@ -45,6 +47,8 @@ let rehash () =
   rehash' (library_path true);
   rehash' (library_path false)
 
+let update_ca_bundle () = ignore (execute_command_get_output "/opt/xensource/bin/update-ca-bundle.sh" [])
+
 let get_type is_cert =
   if is_cert then "certificate" else "CRL"
 
@@ -130,7 +134,7 @@ let host_install is_cert ~name ~cert =
     mkdir_cert_path is_cert;
     write_string_to_file filename cert;
     Unix.chmod filename (cert_perms is_cert);
-    rehash()
+    update_ca_bundle ()
   with
   | e ->
     warn "Exception installing %s %s: %s" (get_type is_cert) name
@@ -146,7 +150,7 @@ let host_uninstall is_cert ~name =
   debug "Uninstalling %s %s" (get_type is_cert) name;
   try
     Sys.remove filename;
-    rehash()
+    update_ca_bundle ()
   with
   | e ->
     warn "Exception uninstalling %s %s: %s" (get_type is_cert) name
diff --git a/scripts/Makefile b/scripts/Makefile
@@ -66,6 +66,7 @@ install:
 	$(IPROG) generate_ssl_cert $(DESTDIR)$(LIBEXECDIR)
 	$(IPROG) nbd-firewall-config.sh $(DESTDIR)$(LIBEXECDIR)
 	$(IPROG) fix_firewall.sh $(DESTDIR)$(BINDIR)
+	$(IPROG) update-ca-bundle.sh $(DESTDIR)$(BINDIR)
 	mkdir -p $(DESTDIR)$(OPTDIR)/debug
 	$(IPROG) debug_ha_query_liveset $(DESTDIR)$(OPTDIR)/debug
 	$(IPROG) xe-scsi-dev-map $(DESTDIR)$(BINDIR)
diff --git a/scripts/init.d-xapissl b/scripts/init.d-xapissl
@@ -90,7 +90,7 @@ writeconffile () {
     echo "; Autogenerated by ${0}" > $SSLCONFFILE
     writec '; during xapi start-up.'
     writec '; '
-    if [ ${ANCIENT_STUNNEL} = 0 ]; then
+    if [ ${ANCIENT_STUNNEL} = 0 ] && [ x"$CC_PREPARATIONS" != x"true" ]; then
         # stunnel 4.56 fips demands sslVersion = TLSv1 (not "all" or even
         # "TLSv1.2") so we cannot use fips mode.
         writec 'fips = no'
diff --git a/scripts/update-ca-bundle.sh b/scripts/update-ca-bundle.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Copyright (c) Citrix Systems 2008. All rights reserved.
+#
+
+set -e
+
+mkdir -p /etc/stunnel
+find /etc/stunnel/certs -name '*.pem' | xargs cat > /etc/stunnel/xapi-stunnel-ca-bundle.pem.tmp
+mv /etc/stunnel/xapi-stunnel-ca-bundle.pem.tmp /etc/stunnel/xapi-stunnel-ca-bundle.pem
