[pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Apr 6 13:23:00 CEST 2023


Am 04/04/2023 um 09:48 schrieb Fabian Grünbichler:
> there are still repositories out there that are using things like DSA/RSA-1024
> and SHA1, so let's allow POM users to opt into accepting those insecure
> cryptographic parameters, but keep the default settings secure.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  src/bin/proxmox-offline-mirror.rs             |  2 +
>  src/bin/proxmox_offline_mirror_cmds/config.rs |  4 ++
>  src/config.rs                                 | 42 ++++++++++++++++++-
>  src/helpers/verifier.rs                       | 20 ++++++++-
>  src/mirror.rs                                 | 17 +++++++-
>  5 files changed, 81 insertions(+), 4 deletions(-)
> 
> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline-mirror.rs
> index 3af33bb..bec366a 100644
> --- a/src/bin/proxmox-offline-mirror.rs
> +++ b/src/bin/proxmox-offline-mirror.rs
> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>                  use_subscription: None,
>                  ignore_errors: false,
>                  skip,
> +                weak_crypto: None,
>              });
>          }
>      }
> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>          use_subscription,
>          ignore_errors: false,
>          skip,
> +        weak_crypto: None,
>      };
>  
>      configs.push(main_config);
> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/proxmox_offline_mirror_cmds/config.rs
> index 3ebf4ad..696da11 100644
> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
> @@ -274,6 +274,10 @@ pub fn update_mirror(
>          data.skip.skip_sections = Some(skip_sections);
>      }
>  
> +    if let Some(weak_crypto) = update.weak_crypto {
> +        data.weak_crypto = Some(weak_crypto);
> +    }
> +
>      config.set_data(&id, "mirror", &data)?;
>      proxmox_offline_mirror::config::save_config(&config_file, &config)?;
>  
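Review bot: The added `if let Some(weak_crypto) = update.weak_crypto` block in update_mirror can only set or overwrite the option; nothing visible in this hunk resets `data.weak_crypto` to `None`. Unless a delete-property branch outside the hunk covers it, a mirror that once opted into SHA1 or small DSA/RSA keys has no update path back to the secure defaults. Because this knob weakens signature verification, confirm that the deletable-properties handling includes it. A comment above the block would help, e.g. `// weak_crypto relaxes signature verification; unset it once the repository has moved to modern keys and digests`. update_mirror starts and ends outside the hunk, so the reset path may already exist there.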
> diff --git a/src/config.rs b/src/config.rs
> index 39b1193..0e19c77 100644
> --- a/src/config.rs
> +++ b/src/config.rs
> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>  use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>  use serde::{Deserialize, Serialize};
>  
> -use proxmox_schema::{api, ApiType, Schema, Updater};
> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>  use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
>  use proxmox_sys::fs::{replace_file, CreateOptions};
>  
> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>      pub skip_packages: Option<Vec<String>>,
>  }
>  
> +#[api(
> +    properties: {
> +        "allow-sha1": {
> +            type: bool,
> +            default: false,
> +            optional: true,
> +        },
> +        "min-dsa-key-size": {
> +            type: u64,
> +            optional: true,

Could we encode the minimum value and the default of 2048 here? The existence of the option
indicates that there is some minimum, and not knowing what it is could IMO be slightly
confusing for users.

I didn't find a quick/easy way to get the actual value from sequoia, but raising this limit
is probably either a breaking change or will be highlighted in the release notes, so we
should become aware of when to update it if we just hard-code it here.

> +        },
> +        "min-rsa-key-size": {
> +            type: u64,
> +            optional: true,

same here.




