From 4c7bb302bcdf4d2ecb85b5f06b5908d613ee3176 Mon Sep 17 00:00:00 2001
From: Chiradeep Vittal
Date: Wed, 17 Nov 2010 16:32:43 -0800
Subject: [PATCH] bug 6971: Use PSK length configuration validate global configurations
---
 .../src/com/cloud/configuration/Config.java | 2 +-
 .../com/cloud/network/NetworkManagerImpl.java | 37 +++++++++++++++++--
 setup/db/create-schema.sql | 2 +-
 setup/db/schema-21to22.sql | 2 +-
 4 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/server/src/com/cloud/configuration/Config.java b/server/src/com/cloud/configuration/Config.java
index a057956dd9f..9ef06e0af5e 100644
--- a/server/src/com/cloud/configuration/Config.java
+++ b/server/src/com/cloud/configuration/Config.java
@@ -60,7 +60,7 @@ public enum Config {
 GuestDomainSuffix("Network", AgentManager.class, String.class, "domain.suffix", "cloud-test.cloud.internal", "Default domain name for vms inside virtualized networks fronted by router", null),
 //VPN
- RemoteAccessVpnPskLength("Network", AgentManager.class, Integer.class, "remote.access.vpn.psk.length", "24", "The length of the ipsec preshared key", null),
+ RemoteAccessVpnPskLength("Network", AgentManager.class, Integer.class, "remote.access.vpn.psk.length", "24", "The length of the ipsec preshared key (minimum 8, maximum 256)", null),
 RemoteAccessVpnClientIpRange("Network", AgentManager.class, String.class, "remote.access.vpn.client.iprange", "10.1.2.1-10.1.2.8", "The range of ips to be allocated to remote access vpn clients. The first ip in the range is used by the VPN server", null),
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 5e3ddbc37d3..9e8766ff0c0 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1680,13 +1680,42 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 return null;
 }
+ private void validateRemoteAccessVpnConfiguration() throws ConfigurationException {
+ String ipRange = _configs.get(Config.RemoteAccessVpnClientIpRange.key());
+ if (ipRange == null) {
+ s_logger.warn("Remote Access VPN configuration missing client ip range -- ignoring");
+ return;
+ }
+ Integer pskLength = getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key());
+ if (pskLength != null && (pskLength < 8 || pskLength > 256)) {
+ throw new ConfigurationException("Remote Access VPN: IPSec preshared key length should be between 8 and 256");
+ } else if (pskLength == null) {
+ s_logger.warn("Remote Access VPN configuration missing Preshared Key Length -- ignoring");
+ return;
+ }
+
+ String [] range = ipRange.split("-");
+ if (range.length != 2) {
+ throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
+ }
+ if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])){
+ throw new ConfigurationException("Remote Access VPN: Invalid ip in range specification " + ipRange);
+ }
+ if (!NetUtils.validIpRange(range[0], range[1])){
+ throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
+ }
+ String [] guestIpRange = getGuestIpRange();
+ if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
+ throw new ConfigurationException("Remote Access VPN: Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-" + guestIpRange[1]);
+ }
+ }
 @Override
 public boolean configure(final String name, final Map params) throws ConfigurationException {
 _name = name;
 _configs = _configDao.getConfiguration("AgentManager", params);
-
+ validateRemoteAccessVpnConfiguration();
 Integer rateMbps = getIntegerConfigValue(Config.NetworkThrottlingRate.key());
 Integer multicastRateMbps = getIntegerConfigValue(Config.MulticastThrottlingRate.key());
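Review bot: In validateRemoteAccessVpnConfiguration the `return;` inside the `else if (pskLength == null)` branch exits before any of the client ip range checks run, so a deployment with `remote.access.vpn.psk.length` unset never has its `remote.access.vpn.client.iprange` parsed, validated, or checked for overlap with the guest range, even though the range is present. Dropping that `return;` while keeping the warning (or moving the PSK-length check after the range checks) makes the range validation unconditional. The lower bound of 8 accepted by `pskLength < 8` is a policy decision that deserves a comment on the check, e.g. `// bounds match the Config description (minimum 8, maximum 256); effective key strength also depends on generatePresharedKey's alphabet`, since whether 8 characters is an adequate IPsec preshared key depends on PasswordGenerator, which is not visible here. The validator reads the ip range via `_configs.get(...)` but the length via `getIntegerConfigValue(...)`; using the helper for both would keep lookup behaviour consistent.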
@@ -2728,10 +2757,10 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 throw new InvalidParameterValueException("Invalid ip range");
 }
 if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])){
- throw new InvalidParameterValueException("Invalid ip range " + ipRange);
+ throw new InvalidParameterValueException("Invalid ip in range specification " + ipRange);
 }
 if (!NetUtils.validIpRange(range[0], range[1])){
- throw new InvalidParameterValueException("Invalid ip range");
+ throw new InvalidParameterValueException("Invalid ip range " + ipRange);
 }
 String [] guestIpRange = getGuestIpRange();
 if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
@@ -2742,7 +2771,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 long startIp = NetUtils.ip2Long(range[0]);
 String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1];
- String sharedSecret = PasswordGenerator.generatePresharedKey(24); //TODO:configurable length
+ String sharedSecret = PasswordGenerator.generatePresharedKey(getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key()));
 Transaction txn = Transaction.currentTxn();
 txn.start();
 boolean locked = false;
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index cc5f609e945..424a970a61c 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -964,7 +964,7 @@ CREATE TABLE `cloud`.`remote_access_vpn` (
 `vpn_server_addr` varchar(15) UNIQUE NOT NULL,
 `local_ip` varchar(15) NOT NULL,
 `ip_range` varchar(32) NOT NULL,
- `ipsec_psk` varchar(255) NOT NULL,
+ `ipsec_psk` varchar(256) NOT NULL,
 PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/setup/db/schema-21to22.sql b/setup/db/schema-21to22.sql
index 8b2a9b3467d..4531dc85700 100644
--- a/setup/db/schema-21to22.sql
+++ b/setup/db/schema-21to22.sql
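Review bot: The new `generatePresharedKey(getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key()))` call in the second hunk passes the raw config value straight through, yet validateRemoteAccessVpnConfiguration in the earlier hunk treats that value as nullable and only logs a warning when it is missing; if generatePresharedKey takes an `int`, as the removed literal `24` suggests, a missing value fails with a NullPointerException at VPN creation instead of a clear configuration error. Read the value into a local first and either reject or default it, e.g. `Integer pskLength = getIntegerConfigValue(Config.RemoteAccessVpnPskLength.key());` `if (pskLength == null) { pskLength = 24; } // Config default for remote.access.vpn.psk.length` then `String sharedSecret = PasswordGenerator.generatePresharedKey(pskLength);`, or make configure() reject a missing length rather than ignoring it so this site can rely on it. The enclosing method starts before the first hunk and ends after the second.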
@@ -32,7 +32,7 @@ CREATE TABLE `cloud`.`remote_access_vpn` (
 `vpn_server_addr` varchar(15) UNIQUE NOT NULL,
 `local_ip` varchar(15) NOT NULL,
 `ip_range` varchar(32) NOT NULL,
- `ipsec_psk` varchar(255) NOT NULL,
+ `ipsec_psk` varchar(256) NOT NULL,
 PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;