[pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Apr 4 09:48:21 CEST 2023
there are still repositories out there that are using things like DSA/RSA-1024
and SHA1, so let's allow POM users to opt into accepting those insecure
cryptographic parameters, but keep the default settings secure.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/bin/proxmox-offline-mirror.rs | 2 +
src/bin/proxmox_offline_mirror_cmds/config.rs | 4 ++
src/config.rs | 42 ++++++++++++++++++-
src/helpers/verifier.rs | 20 ++++++++-
src/mirror.rs | 17 +++++++-
5 files changed, 81 insertions(+), 4 deletions(-)
diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline-mirror.rs
index 3af33bb..bec366a 100644
--- a/src/bin/proxmox-offline-mirror.rs
+++ b/src/bin/proxmox-offline-mirror.rs
@@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
use_subscription: None,
ignore_errors: false,
skip,
+ weak_crypto: None,
});
}
}
@@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
use_subscription,
ignore_errors: false,
skip,
+ weak_crypto: None,
};
configs.push(main_config);
diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/proxmox_offline_mirror_cmds/config.rs
index 3ebf4ad..696da11 100644
--- a/src/bin/proxmox_offline_mirror_cmds/config.rs
+++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
@@ -274,6 +274,10 @@ pub fn update_mirror(
data.skip.skip_sections = Some(skip_sections);
}
+ if let Some(weak_crypto) = update.weak_crypto {
+ data.weak_crypto = Some(weak_crypto);
+ }
+
config.set_data(&id, "mirror", &data)?;
proxmox_offline_mirror::config::save_config(&config_file, &config)?;
diff --git a/src/config.rs b/src/config.rs
index 39b1193..0e19c77 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -5,7 +5,7 @@ use lazy_static::lazy_static;
use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
use serde::{Deserialize, Serialize};
-use proxmox_schema::{api, ApiType, Schema, Updater};
+use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
use proxmox_sys::fs::{replace_file, CreateOptions};
@@ -46,6 +46,38 @@ pub struct SkipConfig {
pub skip_packages: Option<Vec<String>>,
}
+#[api(
+ properties: {
+ "allow-sha1": {
+ type: bool,
+ default: false,
+ optional: true,
+ },
+ "min-dsa-key-size": {
+ type: u64,
+ optional: true,
+ },
+ "min-rsa-key-size": {
+ type: u64,
+ optional: true,
+ },
+ },
+)]
+#[derive(Default, Serialize, Deserialize, Updater, Clone, Debug)]
+#[serde(rename_all = "kebab-case")]
+/// Weak Cryptography Configuration
+pub struct WeakCryptoConfig {
+ /// Whether to allow SHA-1 based signatures
+ #[serde(default)]
+ pub allow_sha1: bool,
+ /// Whether to lower the key size cutoff for DSA-based signatures
+ #[serde(default)]
+ pub min_dsa_key_size: Option<u64>,
+ /// Whether to lower the key size cutoff for RSA-based signatures
+ #[serde(default)]
+ pub min_rsa_key_size: Option<u64>,
+}
+
#[api(
properties: {
id: {
@@ -81,6 +113,11 @@ pub struct SkipConfig {
"skip": {
type: SkipConfig,
},
+ "weak-crypto": {
+ type: String,
+ optional: true,
+ format: &ApiStringFormat::PropertyString(&WeakCryptoConfig::API_SCHEMA),
+ },
}
)]
#[derive(Clone, Debug, Serialize, Deserialize, Updater)]
@@ -111,6 +148,9 @@ pub struct MirrorConfig {
/// Skip package files using these criteria
#[serde(default, flatten)]
pub skip: SkipConfig,
+ /// Whether to allow using weak cryptography algorithms or parameters, deviating from the default policy.
+ #[serde(default)]
+ pub weak_crypto: Option<String>,
}
#[api(
diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index 131bccd..e38ef40 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -9,10 +9,13 @@ use sequoia_openpgp::{
Parse,
},
policy::StandardPolicy,
+ types::HashAlgorithm,
Cert, KeyHandle,
};
use std::io;
+use crate::config::WeakCryptoConfig;
+
struct Helper<'a> {
cert: &'a Cert,
}
@@ -91,10 +94,25 @@ pub(crate) fn verify_signature<'msg>(
msg: &'msg [u8],
key: &[u8],
detached_sig: Option<&[u8]>,
+ weak_crypto: &WeakCryptoConfig,
) -> Result<Vec<u8>, Error> {
let cert = Cert::from_bytes(key)?;
- let policy = StandardPolicy::new();
+ let mut policy = StandardPolicy::new();
+ if weak_crypto.allow_sha1 {
+ policy.accept_hash(HashAlgorithm::SHA1);
+ }
+ if let Some(min_dsa) = weak_crypto.min_dsa_key_size {
+ if min_dsa <= 1024 {
+ policy.accept_asymmetric_algo(sequoia_openpgp::policy::AsymmetricAlgorithm::DSA1024);
+ }
+ }
+ if let Some(min_rsa) = weak_crypto.min_dsa_key_size {
+ if min_rsa <= 1024 {
+ policy.accept_asymmetric_algo(sequoia_openpgp::policy::AsymmetricAlgorithm::RSA1024);
+ }
+ }
+
let helper = Helper { cert: &cert };
let verified = if let Some(sig) = detached_sig {
diff --git a/src/mirror.rs b/src/mirror.rs
index 0dc0751..3766f23 100644
--- a/src/mirror.rs
+++ b/src/mirror.rs
@@ -10,10 +10,11 @@ use flate2::bufread::GzDecoder;
use globset::{Glob, GlobSet, GlobSetBuilder};
use nix::libc;
use proxmox_http::{client::sync::Client, HttpClient, HttpOptions, ProxyConfig};
+use proxmox_schema::{ApiType, Schema};
use proxmox_sys::fs::file_get_contents;
use crate::{
- config::{MirrorConfig, SkipConfig, SubscriptionKey},
+ config::{MirrorConfig, SkipConfig, SubscriptionKey, WeakCryptoConfig},
convert_repo_line,
pool::Pool,
types::{Diff, Snapshot, SNAPSHOT_REGEX},
@@ -50,6 +51,7 @@ struct ParsedMirrorConfig {
pub client: Client,
pub ignore_errors: bool,
pub skip: SkipConfig,
+ pub weak_crypto: WeakCryptoConfig,
}
impl TryInto<ParsedMirrorConfig> for MirrorConfig {
@@ -72,6 +74,15 @@ impl TryInto<ParsedMirrorConfig> for MirrorConfig {
let client = Client::new(options);
+ let weak_crypto = match self.weak_crypto {
+ Some(property_string) => {
+ let value = (WeakCryptoConfig::API_SCHEMA as Schema)
+ .parse_property_string(&property_string)?;
+ serde_json::from_value(value)?
+ }
+ None => WeakCryptoConfig::default(),
+ };
+
Ok(ParsedMirrorConfig {
repository,
architectures: self.architectures,
@@ -83,6 +94,7 @@ impl TryInto<ParsedMirrorConfig> for MirrorConfig {
client,
ignore_errors: self.ignore_errors,
skip: self.skip,
+ weak_crypto,
})
}
}
@@ -208,7 +220,8 @@ fn fetch_release(
println!("Verifying '{name}' signature using provided repository key..");
let content = fetched.data_ref();
- let verified = helpers::verify_signature(content, &config.key, sig.as_deref())?;
+ let verified =
+ helpers::verify_signature(content, &config.key, sig.as_deref(), &config.weak_crypto)?;
println!("Success");
let sha512 = Some(openssl::sha::sha512(content));
--
2.30.2
More information about the pve-devel
mailing list