From e51df7a73141c4d378d12e4a3ade12776e48ebff Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Wed, 5 Mar 2014 12:49:17 +0100
Subject: [PATCH] fencing: Add new options --ssl-secure and --ssl-insecure

These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device
was not validated what can possibly lead to attack on infrastructe. With this patch, user can decide
if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
---
 fence/agents/cisco_ucs/fence_cisco_ucs.py     |   10 ++++++-
 fence/agents/lib/fencing.py.py                |   29 ++++++++++++++++++---
 fence/agents/rhevm/fence_rhevm.py             |   11 ++++++--
 4 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/fence/agents/cisco_ucs/fence_cisco_ucs.py b/fence/agents/cisco_ucs/fence_cisco_ucs.py
index 71782cb..1e9d983 100644
--- a/fence/agents/cisco_ucs/fence_cisco_ucs.py
+++ b/fence/agents/cisco_ucs/fence_cisco_ucs.py
@@ -85,8 +85,14 @@ def send_command(opt, command, timeout):
 	c.setopt(pycurl.POSTFIELDS, command)
 	c.setopt(pycurl.WRITEFUNCTION, b.write)
 	c.setopt(pycurl.TIMEOUT, timeout)
-	c.setopt(pycurl.SSL_VERIFYPEER, 0)
-	c.setopt(pycurl.SSL_VERIFYHOST, 0)
+	if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+		c.setopt(pycurl.SSL_VERIFYPEER, 1)
+		c.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+	if opt.has_key("--ssl-insecure"):
+		c.setopt(pycurl.SSL_VERIFYPEER, 0)
+		c.setopt(pycurl.SSL_VERIFYHOST, 0)
+		
 	c.perform()
 	result = b.getvalue()
 
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index 2006f0d..e40cbb2 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
@@ -170,6 +170,20 @@ all_opt = {
 		"required" : "0",
 		"shortdesc" : "SSL connection",
 		"order" : 1 },
+	"ssl_insecure" : {
+		"getopt" : "9",
+		"longopt" : "ssl-insecure",
+		"help" : "--ssl-insecure                 Use ssl connection without verifying certificate",
+		"required" : "0",
+		"shortdesc" : "SSL connection without verifying fence device's certificate",
+		"order" : 1 },
+	"ssl_secure" : {
+		"getopt" : "9",
+		"longopt" : "ssl-secure",
+		"help" : "--ssl-secure                   Use ssl connection with verifying certificate",
+		"required" : "0",
+		"shortdesc" : "SSL connection with verifying fence device's certificate",
+		"order" : 1 },
 	"notls" : {
 		"getopt" : "t",
 		"longopt" : "notls",
@@ -370,6 +384,7 @@ DEPENDENCY_OPT = {
 		"secure" : [ "identity_file", "ssh_options" ],
 		"ipaddr" : [ "ipport", "inet4_only", "inet6_only" ],
 		"port" : [ "separator" ],
+		"ssl" : [ "ssl_secure", "ssl_insecure" ],
 		"community" : [ "snmp_auth_prot", "snmp_sec_level", "snmp_priv_prot", \
 			"snmp_priv_passwd", "snmp_priv_passwd_script" ]
 	}
@@ -645,7 +660,7 @@ def check_input(device_opt, opt):
 		elif options.has_key("--ssh"):
 			all_opt["ipport"]["default"] = 22
 			all_opt["ipport"]["help"] = "-u, --ipport=[port]            TCP/UDP port to use (default 22)"
-		elif options.has_key("--ssl"):
+		elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
 			all_opt["ipport"]["default"] = 443
 			all_opt["ipport"]["help"] = "-u, --ipport=[port]            TCP/UDP port to use (default 443)"
 		elif device_opt.count("web"):
@@ -738,7 +753,7 @@ def check_input(device_opt, opt):
 	if options.has_key("--ipport") == False:
 		if options.has_key("--ssh"):
 			options["--ipport"] = 22
-		elif options.has_key("--ssl"):
+		elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
 			options["--ipport"] = 443
 		elif device_opt.count("web"):
 			options["--ipport"] = 80
@@ -968,11 +983,17 @@ def fence_login(options, re_login_string = "(login\s*: )|(Login Name:  )|(userna
 		re_pass  = re.compile("(password)|(pass phrase)", re.IGNORECASE)
 
 		if options.has_key("--ssl"):
-			gnutls_opts=""
+			gnutls_opts = ""
+			ssl_opts = ""
+
 			if options.has_key("--notls"):
 				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
 
-			command = '%s %s --insecure --crlf -p %s %s' % (SSL_PATH, gnutls_opts, options["--ipport"], options["--ip"])
+			# --ssl is same as the --ssl-secure
+			if options.has_key("--ssl-insecure"):
+				ssl_opts = "--insecure"
+
+			command = '%s %s %s --crlf -p %s %s' % (SSL_PATH, gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
 			try:
 				conn = fspawn(options, command)
 			except pexpect.ExceptionPexpect, ex:
diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
index ff3d19f..6098071 100644
--- a/fence/agents/rhevm/fence_rhevm.py
+++ b/fence/agents/rhevm/fence_rhevm.py
@@ -84,9 +84,14 @@ def send_command(opt, command, method = "GET"):
 	c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
 	c.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
 	c.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
-	c.setopt(pycurl.SSL_VERIFYPEER, 0)
-	c.setopt(pycurl.SSL_VERIFYHOST, 0)
-
+	if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+		c.setopt(pycurl.SSL_VERIFYPEER, 1)
+		c.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+	if opt.has_key("--ssl-insecure"):
+		c.setopt(pycurl.SSL_VERIFYPEER, 0)
+		c.setopt(pycurl.SSL_VERIFYHOST, 0)
+                                                                               
 	if (method == "POST"):
 		c.setopt(pycurl.POSTFIELDS, "<action />")