From 43f3d6ae193642ffc7cf0712932e9d03b0248237 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Thu, 22 Jan 2015 18:09:16 +0530
Subject: [PATCH] services, awsapi: use better string comparision

Signed-off-by: Rohit Yadav

(cherry picked from commit d08369ad06b6d5ef801f79493c2aa4bdaeab1b83)
Signed-off-by: Rohit Yadav

Conflicts:
 awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
 awsapi/src/com/cloud/bridge/util/RestAuth.java
---
 awsapi/src/com/cloud/bridge/util/EC2RestAuth.java | 4 +++-
 awsapi/src/com/cloud/bridge/util/RestAuth.java | 3 +++
 services/console-proxy-rdp/rdpconsole/pom.xml | 5 +++++
 .../main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java | 4 +++-
 .../main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java | 4 +++-
 .../rdpconsole/src/main/java/streamer/SocketWrapperImpl.java | 5 ++++-
 6 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java b/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
index 67b60765a26..fc2077c9ed5 100644
--- a/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
+++ b/awsapi/src/com/cloud/bridge/util/EC2RestAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.security.SignatureException;
@@ -200,7 +202,7 @@ public class EC2RestAuth {
 int offset = signature.indexOf( "%" );
 if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );
- boolean match = signature.equals( calSig );
+ boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
 if (!match) logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );
 return match;
 }
diff --git a/awsapi/src/com/cloud/bridge/util/RestAuth.java b/awsapi/src/com/cloud/bridge/util/RestAuth.java
index 33d2d479a67..f2e20ccc872 100644
--- a/awsapi/src/com/cloud/bridge/util/RestAuth.java
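Review bot: The error branch kept as context below the new compare still logs `calSig`, which by its name and use is the signature the server calculated for this request, next to `StringToSign`; anyone able to read the log then holds a valid signature for that exact request, and the constant-time comparison added here does nothing about that channel. Suggest logging only the fact of the mismatch and the request identity, e.g. `if (!match) logger.error( "Signature mismatch over [" + StringToSign + "]" );`. The new line would also benefit from a why-comment such as `// constant-time compare: the duration must not depend on how many leading characters match`. Whether ConstantTimeComparator.compareStrings itself avoids an early exit on a length mismatch is outside this hunk and worth confirming. The enclosing method's signature lies above the hunk.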
+++ b/awsapi/src/com/cloud/bridge/util/RestAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.bridge.util;
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.security.InvalidKeyException;
 import java.security.SignatureException;
 import java.util.*;
@@ -279,6 +281,7 @@ public class RestAuth {
 if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );
 boolean match = signature.equals( calSig );
+ boolean match = ConstantTimeComparator.compareStrings(signature, calSig);
 if (!match) logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );
diff --git a/services/console-proxy-rdp/rdpconsole/pom.xml b/services/console-proxy-rdp/rdpconsole/pom.xml
index ff4dd9564d0..413be4f2031 100755
--- a/services/console-proxy-rdp/rdpconsole/pom.xml
+++ b/services/console-proxy-rdp/rdpconsole/pom.xml
@@ -61,6 +61,11 @@ 3.8.1 test + + org.apache.cloudstack + cloud-utils + ${project.version} +
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
index 3d9e0c5f11d..0c79f0c018f 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ClientNtlmsspPubKeyAuth.java
@@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.nio.charset.Charset;
 import rdpclient.ntlmssp.asn1.NegoItem;
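Review bot: The hunk at line 281 adds `boolean match = ConstantTimeComparator.compareStrings(signature, calSig);` directly under the old `boolean match = signature.equals( calSig );`, which stays as a context line (the diffstat shows 3 insertions and 0 deletions for RestAuth.java), so the method now declares `match` twice and will not compile. The `Conflicts:` trailer lists this file, which suggests a cherry-pick resolution that kept both lines. Drop the `signature.equals( calSig )` line so the constant-time call is the only assignment, as EC2RestAuth.java does in the same commit; otherwise resolving the duplicate the other way would silently leave the non-constant-time compare in place. The enclosing method starts and ends outside the hunk.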
@@ -605,7 +607,7 @@ public class ClientNtlmsspPubKeyAuth extends OneTimeSwitch implements NtlmConsta
 private void dumpNegoToken(ByteBuffer buf) {
 String signature = buf.readVariableString(RdpConstants.CHARSET_8);
- if (!signature.equals(NTLMSSP))
+ if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
 throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");
 // MessageType (CHALLENGE)
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
index e93f6301ad5..b4dc4f78080 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/ServerNtlmsspChallenge.java
@@ -16,6 +16,8 @@
 // under the License.
 package rdpclient.ntlmssp;
+import com.cloud.utils.ConstantTimeComparator;
+
 import java.util.Arrays;
 import rdpclient.ntlmssp.asn1.NegoItem;
@@ -70,7 +72,7 @@ public class ServerNtlmsspChallenge extends OneTimeSwitch implements NtlmConstan
 // Signature: "NTLMSSP\0"
 String signature = buf.readVariableString(RdpConstants.CHARSET_8);
- if (!signature.equals(NTLMSSP))
+ if (!ConstantTimeComparator.compareStrings(signature, NTLMSSP))
 throw new RuntimeException("Unexpected NTLM message singature: \"" + signature + "\". Expected signature: \"" + NTLMSSP + "\". Data: " + buf + ".");
 // MessageType (CHALLENGE)
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index 9d8a4580a91..4db8beec5b8 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
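Review bot: The value compared in dumpNegoToken, `NTLMSSP`, is the public protocol magic (the ServerNtlmsspChallenge hunk comments it as "NTLMSSP\0"), not a secret, so replacing `signature.equals(NTLMSSP)` with `ConstantTimeComparator.compareStrings(signature, NTLMSSP)` here and in ServerNtlmsspChallenge.java adds a module dependency without a security benefit and blurs which comparisons in the tree actually need constant time. Keeping `if (!signature.equals(NTLMSSP))` in both places is the clearer choice; if the helper is kept, a comment such as `// not a secret; constant-time helper used only for uniformity with the awsapi signature checks` would stop readers from inferring a secret here. One behavioural detail to confirm is whether compareStrings treats a null `signature` the same way `equals` would have, since readVariableString is outside the hunk. dumpNegoToken continues past the hunk.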
@@ -32,6 +32,8 @@ import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import streamer.debug.MockServer;
 import streamer.debug.MockServer.Packet;
 import streamer.ssl.SSLState;
@@ -140,7 +142,8 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
 SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
 sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
- sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
+ sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));
+ sslSocket.startHandshake();
 InputStream sis = sslSocket.getInputStream();