bug 6971: Use PSK length configuration

validate global configurations
2025-10-26 08:42:29 +01:00 · 2010-11-17 16:32:43 -08:00 · 2010-11-17 16:32:43 -08:00 · 4c7bb302bc
commit 4c7bb302bc
parent 6100dc62b5
4 changed files with 36 additions and 7 deletions
--- a/server/src/com/cloud/configuration/Config.java
+++ b/server/src/com/cloud/configuration/Config.java
@ -60,7 +60,7 @@ public enum Config {
 	GuestDomainSuffix("Network", AgentManager.class, String.class, "domain.suffix", "cloud-test.cloud.internal", "Default domain name for vms inside virtualized networks fronted by router", null),
 	
 	//VPN
-	RemoteAccessVpnPskLength("Network", AgentManager.class, Integer.class, "remote.access.vpn.psk.length", "24", "The length of the ipsec preshared key", null),
+	RemoteAccessVpnPskLength("Network", AgentManager.class, Integer.class, "remote.access.vpn.psk.length", "24", "The length of the ipsec preshared key (minimum 8, maximum 256)", null),
 	RemoteAccessVpnClientIpRange("Network", AgentManager.class, String.class, "remote.access.vpn.client.iprange", "10.1.2.1-10.1.2.8", "The range of ips to be allocated to remote access vpn clients. The first ip in the range is used by the VPN server", null),

 	
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@ -1680,13 +1680,42 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
    	return null;
    }

+    private void validateRemoteAccessVpnConfiguration() throws ConfigurationException {
+    	String ipRange = _configs.get(Config.RemoteAccessVpnClientIpRange.key());
+    	if (ipRange == null) {
+    		s_logger.warn("Remote Access VPN configuration missing client ip range -- ignoring");
+    		return;
+    	}
+    	Integer pskLength = getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key());
+    	if (pskLength != null && (pskLength < 8 || pskLength > 256)) {
+    		throw new ConfigurationException("Remote Access VPN: IPSec preshared key length should be between 8 and 256");
+    	} else if (pskLength == null) {
+    		s_logger.warn("Remote Access VPN configuration missing Preshared Key Length -- ignoring");
+    		return;
+    	}
+    	
+    	String [] range = ipRange.split("-");
+    	if (range.length != 2) {
+    		throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
+    	}
+    	if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])){
+    		throw new ConfigurationException("Remote Access VPN: Invalid ip in range specification " + ipRange);
+    	}
+    	if (!NetUtils.validIpRange(range[0], range[1])){
+    		throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
+    	}
+    	String [] guestIpRange = getGuestIpRange();
+    	if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
+    		throw new ConfigurationException("Remote Access VPN: Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-" + guestIpRange[1]);
+    	}
+    }
    
    @Override
    public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
        _name = name;

        _configs = _configDao.getConfiguration("AgentManager", params);
-        
+        validateRemoteAccessVpnConfiguration();
        Integer rateMbps = getIntegerConfigValue(Config.NetworkThrottlingRate.key());  
        Integer multicastRateMbps = getIntegerConfigValue(Config.MulticastThrottlingRate.key());
       
@ -2728,10 +2757,10 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
        	throw new InvalidParameterValueException("Invalid ip range");
        }
        if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])){
-        	throw new InvalidParameterValueException("Invalid ip range " + ipRange);
+        	throw new InvalidParameterValueException("Invalid ip in range specification " + ipRange);
        }
        if (!NetUtils.validIpRange(range[0], range[1])){
-        	throw new InvalidParameterValueException("Invalid ip range");
+        	throw new InvalidParameterValueException("Invalid ip range " + ipRange);
        }
        String [] guestIpRange = getGuestIpRange();
        if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
@ -2742,7 +2771,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
        
        long startIp = NetUtils.ip2Long(range[0]);
        String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1];
-        String sharedSecret = PasswordGenerator.generatePresharedKey(24); //TODO:configurable length
+        String sharedSecret = PasswordGenerator.generatePresharedKey(getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key())); 
        Transaction txn = Transaction.currentTxn();
        txn.start();
        boolean locked = false;
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@ -964,7 +964,7 @@ CREATE TABLE `cloud`.`remote_access_vpn` (
  `vpn_server_addr` varchar(15) UNIQUE NOT NULL,
  `local_ip` varchar(15) NOT NULL,
  `ip_range` varchar(32) NOT NULL,
-  `ipsec_psk` varchar(255) NOT NULL,
+  `ipsec_psk` varchar(256) NOT NULL,
  PRIMARY KEY  (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--- a/setup/db/schema-21to22.sql
+++ b/setup/db/schema-21to22.sql
@ -32,7 +32,7 @@ CREATE TABLE `cloud`.`remote_access_vpn` (
  `vpn_server_addr` varchar(15) UNIQUE NOT NULL,
  `local_ip` varchar(15) NOT NULL,
  `ip_range` varchar(32) NOT NULL,
-  `ipsec_psk` varchar(255) NOT NULL,
+  `ipsec_psk` varchar(256) NOT NULL,
  PRIMARY KEY  (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;