Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/01/22 13:44:42 UTC

git commit: updated refs/heads/4.3 to 43f3d6a

Repository: cloudstack
Updated Branches:
  refs/heads/4.3 53c0ab856 -> 43f3d6ae1


services, awsapi: use better string comparison

Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
(cherry picked from commit d08369ad06b6d5ef801f79493c2aa4bdaeab1b83)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>

Conflicts:
	awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
	awsapi/src/com/cloud/bridge/util/RestAuth.java


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/43f3d6ae
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/43f3d6ae
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/43f3d6ae

Branch: refs/heads/4.3
Commit: 43f3d6ae193642ffc7cf0712932e9d03b0248237
Parents: 53c0ab8
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Thu Jan 22 18:09:16 2015 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Thu Jan 22 18:14:11 2015 +0530

----------------------------------------------------------------------
 awsapi/src/com/cloud/bridge/util/EC2RestAuth.java               | 4 +++-
 awsapi/src/com/cloud/bridge/util/RestAuth.java                  | 3 +++
 services/console-proxy-rdp/rdpconsole/pom.xml                   | 5 +++++
 .../main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java    | 4 +++-
 .../src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java | 4 +++-
 .../rdpconsole/src/main/java/streamer/SocketWrapperImpl.java    | 5 ++++-
 6 files changed, 21 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java b/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
index 67b6076..fc2077c 100644
--- a/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
+++ b/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;
 
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.security.SignatureException;
@@ -200,7 +202,7 @@ public class EC2RestAuth {
 		int offset = signature.indexOf( "%" );
 		if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );
 	
-        boolean match = signature.equals( calSig );
+        boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
         if (!match) logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );
         return match;
 	}
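Review bot: The mismatch branch right after the new comparison still writes `calSig`, the server-computed signature, to the error log next to the client-supplied value, so the secret-derived value that the constant-time compare is meant to protect is readable by anyone with log access. Consider logging only that a mismatch occurred, e.g. `if (!match) logger.error( "Signature mismatch over [" + StringToSign + "]" );`, and keep the raw client value out of the log or sanitise it, since it is URL-decoded request input. The same log statement follows the comparison in the RestAuth.java hunk (@@ -279,6 +281,7). The enclosing method begins outside this hunk.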

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/awsapi/src/com/cloud/bridge/util/RestAuth.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/util/RestAuth.java b/awsapi/src/com/cloud/bridge/util/RestAuth.java
index 33d2d47..f2e20cc 100644
--- a/awsapi/src/com/cloud/bridge/util/RestAuth.java
+++ b/awsapi/src/com/cloud/bridge/util/RestAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;
 
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.security.InvalidKeyException;
 import java.security.SignatureException;
 import java.util.*;
@@ -279,6 +281,7 @@ public class RestAuth {
 		if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );
 	
         boolean match = signature.equals( calSig );
+        boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
         if (!match) 
         	logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );
         
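Review bot: The added line declares `boolean match` a second time, because the original `boolean match = signature.equals( calSig );` is still present as a context line directly above it; a duplicate local declaration will not compile, and the old short-circuiting comparison was meant to go away. This looks like a leftover from resolving the cherry-pick conflict listed for this file. Delete the `signature.equals( calSig )` line so that only `boolean match = ConstantTimeComparator.compareStrings(signature, calSig);` remains, as in the EC2RestAuth.java hunk. The enclosing method starts and ends outside this hunk.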

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/services/console-proxy-rdp/rdpconsole/pom.xml
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/pom.xml b/services/console-proxy-rdp/rdpconsole/pom.xml
index ff4dd95..413be4f 100755
--- a/services/console-proxy-rdp/rdpconsole/pom.xml
+++ b/services/console-proxy-rdp/rdpconsole/pom.xml
@@ -61,6 +61,11 @@
       <version>3.8.1</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-utils</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <!-- Apache Portable Runtime implementation of SSL protocol, which is compatible with broken MS RDP SSL suport.
     NOTE: tomcat-native package with /usr/lib/libtcnative-1.so library is necessary for APR to work. -->
     <dependency>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
index 3d9e0c5..0c79f0c 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;
 
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.nio.charset.Charset;
 
 import rdpclient.ntlmssp.asn1.NegoItem;
@@ -605,7 +607,7 @@ public class ClientNtlmsspPubKeyAuth extends OneTimeSwitch implements NtlmConsta
 
     private void dumpNegoToken(ByteBuffer buf) {
         String signature = buf.readVariableString(RdpConstants.CHARSET_8);
-        if (!signature.equals(NTLMSSP))
+        if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
             throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");
 
         // MessageType (CHALLENGE)
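Review bot: The value compared here is the fixed `NTLMSSP` message tag, a public protocol constant rather than a secret, so a constant-time comparison gives no protection at this call site and suggests to readers that the tag is sensitive. Either keep `signature.equals(NTLMSSP)` or add a comment such as `// NTLMSSP is a public protocol tag, not a secret; constant-time compare used only for consistency`. The same applies to the identical check in the ServerNtlmsspChallenge.java hunk (@@ -70,7 +72,7). dumpNegoToken continues past the end of this hunk.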

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
index e93f630..b4dc4f7 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
@@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;
 
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.util.Arrays;
 
 import rdpclient.ntlmssp.asn1.NegoItem;
@@ -70,7 +72,7 @@ public class ServerNtlmsspChallenge extends OneTimeSwitch implements NtlmConstan
 
         // Signature: "NTLMSSP\0"
         String signature = buf.readVariableString(RdpConstants.CHARSET_8);
-        if (!signature.equals(NTLMSSP))
+        if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
             throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");
 
         // MessageType (CHALLENGE)

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/43f3d6ae/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index 9d8a458..4db8bee 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@@ -32,6 +32,8 @@ import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import streamer.debug.MockServer;
 import streamer.debug.MockServer.Packet;
 import streamer.ssl.SSLState;
@@ -140,7 +142,8 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
 
             SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
             sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
-            sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
+            sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));
+
             sslSocket.startHandshake();
 
             InputStream sis = sslSocket.getInputStream();
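Review bot: The new protocol list is derived from `sslSocket.getEnabledProtocols()`, so it can only narrow what the runtime enables by default; on a JRE whose client defaults omit TLSv1.1 and TLSv1.2, this drops the two versions the removed hard-coded list asked for. SSLUtils is not shown on this page, but if it only filters the array it receives, passing the supported set keeps the newer versions available: `sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getSupportedProtocols()));`. It is also worth confirming what happens when the filter returns an empty array, since the handshake on the following line would then presumably fail. This TLS change is unrelated to the string-comparison title of the commit, so the commit message should mention it. The surrounding method starts and ends outside this hunk.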