services, awsapi: use better string comparision

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com> (cherry picked from commit d08369ad06b6d5ef801f79493c2aa4bdaeab1b83) Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2025-10-26 08:42:29 +01:00 · 2015-01-22 18:09:16 +05:30 · 2015-01-22 18:09:16 +05:30 · 607ac8f4f4
commit 607ac8f4f4
parent 8c68ac15c1
6 changed files with 21 additions and 5 deletions
--- a/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
+++ b/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;

+import com.cloud.utils.ConstantTimeComparator;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.security.SignatureException;
@ -209,7 +211,7 @@ public class EC2RestAuth {
        if (-1 != offset)
            signature = URLDecoder.decode(signature, "UTF-8");

-        boolean match = signature.equals(calSig);
+        boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
        if (!match)
            logger.error("Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]");
        return match;
--- a/awsapi/src/com/cloud/bridge/util/RestAuth.java
+++ b/awsapi/src/com/cloud/bridge/util/RestAuth.java
@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;

+import com.cloud.utils.ConstantTimeComparator;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.security.InvalidKeyException;
@ -286,7 +288,7 @@ public class RestAuth {
        if (-1 != offset)
            signature = URLDecoder.decode(signature, "UTF-8");

-        boolean match = signature.equals(calSig);
+        boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
        if (!match)
            logger.error("Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]");

--- a/services/console-proxy-rdp/rdpconsole/pom.xml
+++ b/services/console-proxy-rdp/rdpconsole/pom.xml
@ -61,6 +61,11 @@
      <version>${cs.junit.version}</version>
      <scope>test</scope>
    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-utils</artifactId>
+      <version>${project.version}</version>
+    </dependency>
    <!-- Apache Portable Runtime implementation of SSL protocol, which is compatible with broken MS RDP SSL suport.
    NOTE: tomcat-native package with /usr/lib/libtcnative-1.so library is necessary for APR to work. -->
    <dependency>
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;

+import com.cloud.utils.ConstantTimeComparator;
+
 import java.nio.charset.Charset;

 import rdpclient.ntlmssp.asn1.NegoItem;
@ -604,7 +606,7 @@ public class ClientNtlmsspPubKeyAuth extends OneTimeSwitch implements NtlmConsta

    private void dumpNegoToken(ByteBuffer buf) {
        String signature = buf.readVariableString(RdpConstants.CHARSET_8);
-        if (!signature.equals(NTLMSSP))
+        if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
            throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");

        // MessageType (CHALLENGE)
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;

+import com.cloud.utils.ConstantTimeComparator;
+
 import java.util.Arrays;

 import rdpclient.ntlmssp.asn1.NegoItem;
@ -70,7 +72,7 @@ public class ServerNtlmsspChallenge extends OneTimeSwitch implements NtlmConstan

        // Signature: "NTLMSSP\0"
        String signature = buf.readVariableString(RdpConstants.CHARSET_8);
-        if (!signature.equals(NTLMSSP))
+        if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
            throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");

        // MessageType (CHALLENGE)
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@ -32,6 +32,8 @@ import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import streamer.debug.MockServer;
 import streamer.debug.MockServer.Packet;
 import streamer.ssl.SSLState;
@ -139,7 +141,8 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {

            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
-            sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
+            sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));
+
            sslSocket.startHandshake();

            InputStream sis = sslSocket.getInputStream();