
changeset 17534:1e169f4e8e72

Add SSL/TLS support to relocation

* SSL/TLS support is disabled by default, as other server did.

* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.

* "xend-relocation-tls" is used by relocation client only.

Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu May 01 09:50:16 2008 +0100 (2008-05-01)
parents 013a47065e8c
children eb111919e8e0
files tools/examples/xend-config.sxp tools/python/xen/web/tcp.py tools/python/xen/xend/XendDomain.py tools/python/xen/xend/XendOptions.py tools/python/xen/xend/server/relocate.py
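--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -82,6 +82,15 @@
 # is set.
 #(xend-relocation-port 8002)
 
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file  /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file  /etc/xen/xmlrpc.crt)
+
 # Address xend should listen on for HTTP connections, if xend-http-server is
 # set.
 # Specifying 'localhost' prevents remote connections.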
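Review bot: The comment for xend-relocation-tls at line 1.7 does not say that the option only affects outgoing relocations (the client side), which the commit message states; an operator configuring a receiving host may read it as governing the listener, which is instead enabled by the two file options below. Suggest `# Whether to use tls when relocating a domain to another host (client side only).` so the two settings are not confused.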
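--- a/tools/python/xen/web/tcp.py
+++ b/tools/python/xen/web/tcp.py
@@ -22,6 +22,8 @@ import re
 import socket
 import time
 
+from OpenSSL import SSL
+
 import connection
 
 from xen.xend.XendLogging import log
@@ -64,3 +66,42 @@ class TCPListener(connection.SocketListe
                 sock.close()
             except:
                 pass
+
+class SSLTCPListener(TCPListener):
+
+    def __init__(self, protocol_class, port, interface, hosts_allow,
+                 ssl_key_file = None, ssl_cert_file = None):
+        if not ssl_key_file or not ssl_cert_file:
+            raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+                             "and ssl_cert_file to be set.")
+
+        self.ssl_key_file = ssl_key_file
+        self.ssl_cert_file = ssl_cert_file
+
+        TCPListener.__init__(self, protocol_class, port, interface, hosts_allow)
+
+
+    def createSocket(self):
+        # make a SSL socket
+        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        ctx.set_options(SSL.OP_NO_SSLv2)
+        ctx.use_privatekey_file (self.ssl_key_file)
+        ctx.use_certificate_file(self.ssl_cert_file)
+        sock = SSL.Connection(ctx,
+                              socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+        # SO_REUSEADDR does not always ensure that we do not get an address
+        # in use error when restarted quickly
+        # we implement a timeout to try and avoid failing unnecessarily
+        timeout = time.time() + 30
+        while True:
+            try:
+                sock.bind((self.interface, self.port))
+                return sock
+            except socket.error, (_errno, strerrno):
+                if _errno == errno.EADDRINUSE and time.time() < timeout:
+                    time.sleep(0.5)
+                else:
+                    raise
+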
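Review bot: The ValueError at lines 2.22-2.23 names SSLXMLRPCServer, but this class is SSLTCPListener, so a misconfigured relocation listener reports the wrong component; change it to `raise ValueError("SSLTCPListener requires ssl_key_file and ssl_cert_file to be set.")`. The context built in createSocket loads a key and certificate but never calls set_verify or loads a CA, so the TLS layer authenticates this server to its peers but does not authenticate peers to it — any host that can reach the port completes the handshake and the hosts_allow filter stays the only admission control; if that is the intended model, a comment on `ctx = SSL.Context(SSL.SSLv23_METHOD)` saying "no client certificate verification; admission is by hosts_allow" would keep the next reader from assuming mutual TLS. The bind-with-retry loop at 2.44-2.53 looks like a copy of the one whose tail is visible in the context lines of TCPListener.createSocket; making the plain socket creation an overridable step would avoid maintaining the retry logic twice. `strerrno` in the except clause is bound but unused.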
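--- a/tools/python/xen/xend/XendDomain.py
+++ b/tools/python/xen/xend/XendDomain.py
@@ -1293,8 +1293,16 @@ class XendDomain:
 
         if port == 0:
             port = xoptions.get_xend_relocation_port()
+
         try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            tls = xoptions.get_xend_relocation_tls()
+            if tls:
+                from OpenSSL import SSL
+                ctx = SSL.Context(SSL.SSLv23_METHOD)
+                sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+                sock.set_connect_state()
+            else:
+                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             sock.connect((dst, port))
         except socket.error, err:
             raise XendError("can't connect: %s" % err[1])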
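Review bot: The client context at line 3.13 is created with no set_verify call and no trusted CA, so the migrating xend never checks the destination's certificate; with xend-relocation-tls enabled the channel is encrypted but the peer is not authenticated, and the new configuration offers no option through which a CA file could be supplied. Either document this on the `ctx = SSL.Context(SSL.SSLv23_METHOD)` line ("server certificate is not verified") or add a CA-file option and `ctx.set_verify(SSL.VERIFY_PEER, callback)` with `ctx.load_verify_locations(ca_file)`. Unlike the server side in tcp.py, this context also does not call `ctx.set_options(SSL.OP_NO_SSLv2)`. The `from OpenSSL import SSL` inside the try at 3.12 raises ImportError, not socket.error, when pyOpenSSL is absent, so it bypasses the `except socket.error` below and is never turned into an XendError; moving the import above the try, or catching ImportError there, would give a clear message. The enclosing method begins before this hunk.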
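--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -192,6 +192,12 @@ class XendOptions:
         return self.get_config_bool("xend-relocation-server",
                                     self.xend_relocation_server_default)
 
+    def get_xend_relocation_server_ssl_key_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+    def get_xend_relocation_server_ssl_cert_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
     def get_xend_port(self):
         """Get the port xend listens at for its HTTP interface.
         """
@@ -203,6 +209,11 @@ class XendOptions:
         return self.get_config_int('xend-relocation-port',
                                    self.xend_relocation_port_default)
 
+    def get_xend_relocation_tls(self):
+        """Whether to use tls when relocating.
+        """
+        return self.get_config_bool('xend-relocation-tls', 'no')
+
     def get_xend_relocation_hosts_allow(self):
         return self.get_config_string("xend-relocation-hosts-allow",
                                      self.xend_relocation_hosts_allow_default)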
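Review bot: The two accessors added at 4.7-4.11 have no docstrings, while the neighbouring getters in this class do; suggest `"""Path of the private key file for the SSL relocation listener (unset if not configured)."""` and the matching wording for the certificate file — what get_config_string returns when the key is absent is not visible here, so say "unset" rather than naming a value. get_xend_relocation_tls at 4.23 passes the literal `'no'` as its default, whereas the sibling getters at 4.17-4.18 and 4.26-4.27 take their defaults from `self.xend_*_default` attributes; a `self.xend_relocation_tls_default` attribute would keep the defaults in one place. The docstring at 4.21 could also state that the option affects only outgoing relocation, as the commit message says, since the class exposes both client and server options side by side.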
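--- a/tools/python/xen/xend/server/relocate.py
+++ b/tools/python/xen/xend/server/relocate.py
@@ -132,5 +132,14 @@ def listenRelocation():
         else:
             hosts_allow = map(re.compile, hosts_allow.split(" "))
 
-        tcp.TCPListener(RelocationProtocol, port, interface = interface,
-                        hosts_allow = hosts_allow)
+        ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+        ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+        if ssl_key_file and ssl_cert_file:
+            tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+                               hosts_allow = hosts_allow,
+                               ssl_key_file = ssl_key_file,
+                               ssl_cert_file = ssl_cert_file)
+        else:
+            tcp.TCPListener(RelocationProtocol, port, interface = interface,
+                            hosts_allow = hosts_allow)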
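Review bot: When only one of the two SSL options is set, the condition at 5.12 falls through silently to the plaintext TCPListener, so a typo in one option name leaves the relocation port unencrypted while the operator believes TLS is on — the opposite of what the xend-config.sxp comment in this commit promises ("serves only SSL connections"). Reject the half-configured state instead of degrading: insert before the else `elif ssl_key_file or ssl_cert_file:` / `raise ValueError("xend-relocation-server-ssl-key-file and xend-relocation-server-ssl-cert-file must both be set")` (or log an error and return, if that matches how listenRelocation reports other configuration faults). Whether listenRelocation ends at the last line of this hunk is not visible.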