From d458926645cbc53968eb80923407723ef5624d6f Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Fri, 23 Feb 2024 12:30:11 +0100
Subject: [PATCH] FIPS: Empty VNC password in FIPS mode
ALTER TABLE `cloud`.`vm_instance` MODIFY COLUMN `vnc_password` varchar(255) COMMENT 'vnc password';
---
 .../resources/META-INF/db/schema-41810to41900.sql | 3 +++
 .../java/com/cloud/consoleproxy/AgentHookBase.java | 4 +++-
 .../main/java/com/cloud/vm/UserVmManagerImpl.java | 3 +++
 .../cloud/consoleproxy/ConsoleProxyNoVNCHandler.java | 7 ++++++-
 .../java/com/cloud/utils/component/ManagerBase.java | 12 ++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql b/engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql
index a6f45c261ce2..c1b0753c4f61 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql
@@ -323,3 +323,6 @@ CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.quarantined_ips', 'remover_account_i
 -- Explicitly add support for VMware 8.0b (8.0.0.2), 8.0c (8.0.0.3)
 INSERT IGNORE INTO `cloud`.`hypervisor_capabilities` (uuid, hypervisor_type, hypervisor_version, max_guests_limit, security_group_enabled, max_data_volumes_limit, max_hosts_per_cluster, storage_motion_supported, vm_snapshot_enabled) values (UUID(), 'VMware', '8.0.0.2', 1024, 0, 59, 64, 1, 1);
 INSERT IGNORE INTO `cloud`.`hypervisor_capabilities` (uuid, hypervisor_type, hypervisor_version, max_guests_limit, security_group_enabled, max_data_volumes_limit, max_hosts_per_cluster, storage_motion_supported, vm_snapshot_enabled) values (UUID(), 'VMware', '8.0.0.3', 1024, 0, 59, 64, 1, 1);
+
+-- Allow empty VNC password in FIPS mode
+ALTER TABLE `cloud`.`vm_instance` MODIFY COLUMN `vnc_password` varchar(255) COMMENT 'vnc password';
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
index efc5a1b5d84b..0907a97192e7 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -159,7 +159,9 @@ public AgentControlAnswer onConsoleAccessAuthentication(ConsoleAccessAuthenticat
 }
 String sid = cmd.getSid();
- if (sid == null || !sid.equals(vm.getVncPassword())) {
+ if (StringUtils.isBlank(vm.getVncPassword())) {
+ s_logger.info("VM VNC password is null. VM is probably running in a FIPS-compliant CloudStack environment");
+ } else if (sid == null || !sid.equals(vm.getVncPassword())) {
 s_logger.warn("sid " + sid + " in url does not match stored sid.");
 return new ConsoleAccessAuthenticationAnswer(cmd, false);
 }
diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
index 2927db638abc..99a0c0fd8b17 100644
--- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -8432,6 +8432,9 @@ public Boolean getDestroyRootVolumeOnVmDestruction(Long domainId){
 }
 private void setVncPasswordForKvmIfAvailable(Map customParameters, UserVmVO vm){
+ if (isFIPS()) {
+ return;
+ }
 if (customParameters.containsKey(VmDetailConstants.KVM_VNC_PASSWORD) && StringUtils.isNotEmpty(customParameters.get(VmDetailConstants.KVM_VNC_PASSWORD))) {
 vm.setVncPassword(customParameters.get(VmDetailConstants.KVM_VNC_PASSWORD));
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
index 849042e7ec45..f6d0f4441eac 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
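Review bot: In `AgentHookBase.onConsoleAccessAuthentication`, the new first branch skips the sid comparison whenever the stored VNC password is blank, so the relaxation is keyed on the database value and not on the deployment actually running in FIPS mode. A VM row whose `vnc_password` is null, empty or whitespace for any other reason now passes this step with an arbitrary or missing `sid`, and the only trace is an info-level line that says "null" although the test is `isBlank`. Consider requiring the FIPS condition as well, e.g. `if (isFIPSMode && StringUtils.isBlank(vm.getVncPassword())) {` with the flag taken from wherever this class can reach it (whether `isFIPS()` is available here is not visible), and logging the skipped check at warn level. The method continues outside the hunk, so a comment should name which later check then authorizes console access; the hunk also uses `StringUtils` without adding an import, which is worth confirming.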
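Review bot: In `UserVmManagerImpl.setVncPasswordForKvmIfAvailable`, the added `if (isFIPS()) { return; }` discards a caller-supplied `VmDetailConstants.KVM_VNC_PASSWORD` without any message, so an operator cannot tell why the requested password never took effect. A log line through the class's existing logger in that branch, plus a comment such as `// FIPS mode: the VM keeps an empty VNC password, so a user-supplied one is ignored`, would make the behaviour visible. `isFIPS()` performs a `SecureRandom.getInstance` lookup on every call although the answer cannot change while the JVM runs. The rest of the method body lies outside the hunk.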
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
@@ -25,6 +25,7 @@ import com.cloud.consoleproxy.util.Logger;
+import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.websocket.api.Session;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
@@ -98,8 +99,12 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
 long ajaxSessionId = 0;
 int port;
- if (host == null || portStr == null || sid == null)
+ if (host == null || portStr == null) {
 throw new IllegalArgumentException();
+ }
+ if (StringUtils.isBlank(sid)) {
+ s_logger.info("sid is null. VM is probably running in a FIPS-compliant CloudStack environment");
+ }
 try {
 port = Integer.parseInt(portStr);
diff --git a/utils/src/main/java/com/cloud/utils/component/ManagerBase.java b/utils/src/main/java/com/cloud/utils/component/ManagerBase.java
index 01e4f405d2b1..a885835c6e5f 100644
--- a/utils/src/main/java/com/cloud/utils/component/ManagerBase.java
+++ b/utils/src/main/java/com/cloud/utils/component/ManagerBase.java
@@ -19,10 +19,22 @@ package com.cloud.utils.component;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
 public class ManagerBase extends ComponentLifecycleBase implements ComponentMethodInterceptable {
 public ManagerBase() {
 super();
 // set default run level for manager components
 setRunLevel(ComponentLifecycle.RUN_LEVEL_COMPONENT_BOOTSTRAP);
 }
+
+ public boolean isFIPS() {
+ try {
+ SecureRandom.getInstance("NativePRNG");
+ return false;
+ } catch (NoSuchAlgorithmException ex) {
+ return true;
+ }
+ }
 }
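Review bot: In `ConsoleProxyNoVNCHandler.onConnect`, dropping `sid == null` from the argument check removes the early rejection for every deployment, not only FIPS ones; a request without `sid` now continues and is only logged at info level. If the code after the hunk forwards `sid` to the authentication request, the decision rests entirely on the management-server check, which this commit also relaxes when the stored password is blank. Consider keeping the rejection unless the proxy knows an empty sid is expected, or at least document the dependency with a comment such as `// sid may be blank when the VM has no VNC password (FIPS); authorization is decided by the management server`. The message says "sid is null" although `isBlank` also matches empty and whitespace values, and `onConnect` continues beyond the hunk.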
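Review bot: `ManagerBase.isFIPS()` infers FIPS mode from the absence of the `NativePRNG` SecureRandom algorithm, which is a proxy and not a statement about the JVM's FIPS configuration. `NativePRNG` is also missing on platforms and provider configurations that are not FIPS (the SUN provider does not offer it on Windows, for example), and a FIPS provider setup is not guaranteed to remove it, so the result can be wrong in either direction while it decides in this commit whether a custom VNC password is applied. The method needs a Javadoc that states the heuristic and its limits, and an explicit configuration setting would be a more reliable source than the probe. Since the answer cannot change while the JVM runs, it could be computed once, e.g. `private static final boolean FIPS = detectFips();`, and returned from `isFIPS()`.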