Commit Graph

2550 Commits

Author SHA1 Message Date
Dietmar Maurer
c5731f916b acme-api: make register_account directory parameter optional
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 10:50:12 +02:00
Dietmar Maurer
95ea61183f acme-api: export known directories
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 10:40:12 +02:00
Dietmar Maurer
0582a13281 acme-api: export api types at top-level
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 10:03:06 +02:00
Dietmar Maurer
5250493e05 syslog-api: add debian control file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:32:11 +02:00
Dietmar Maurer
a334886f14 network-api: add debian control file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:29:57 +02:00
Dietmar Maurer
6c1798fb31 time-api: add copyright file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:27:38 +02:00
Dietmar Maurer
bd5c1ade4b dns-api: add debian control file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:24:26 +02:00
Dietmar Maurer
ba49720837 dns-api: avoid auto-generated cargo features
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:21:42 +02:00
Dietmar Maurer
3de2812254 product-config: add debian control file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:14:14 +02:00
Dietmar Maurer
2665b566c0 acme-api: remove stale feature gate and always compile api types
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-06-03 09:08:16 +02:00
Dietmar Maurer
79a6f97c39 acme-api: commit missing file
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-31 12:35:42 +02:00
Dietmar Maurer
5e00ee7bb0 acme-api: remove useless api-types feature
We always need those types, so there is no need to make this a feature.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-31 12:23:05 +02:00
Dietmar Maurer
d152e47d78 acme-api: add init method to setup directories
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-31 12:12:23 +02:00
Dietmar Maurer
e913330e09 product-config: simplify by removing the configuration directory
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-31 11:29:59 +02:00
Dietmar Maurer
40f812f324 remove system-management-api
Which is now split into separate crates:

- time-api
- network-api
- dns-api
- syslog-api
2024-05-30 09:53:59 +02:00
Dietmar Maurer
f6bcb6b50b syslog-api: new crate, split out from system-management-api
2024-05-30 09:44:48 +02:00
Dietmar Maurer
6bb74338b4 network-api: new crate, split out from system-management-api
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-30 09:27:49 +02:00
Dietmar Maurer
83b6f673b3 time-api: new crate, split out from system-management-api
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-30 09:06:19 +02:00
Dietmar Maurer
b7f0cc7c1e dns-api: new crate, split out from system-management-api
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-30 08:44:50 +02:00
Dietmar Maurer
4768ad2200 product-config: remove digest implementation (move to proxmox-config-digest crate)
And use the new proxmox-config-digest crate instead.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 18:41:28 +02:00
Dietmar Maurer
34b21106dd config-digest: split out config digest api type into separate crate
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 17:59:03 +02:00
Dietmar Maurer
3497e9edc7 sys: use 0750 as default directory permissions
Should not make a difference because default umask is 022 ...

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 11:04:41 +02:00
Dietmar Maurer
06d25870ed product-config: remove functions to check permissions, which are now in proxmox-sys.
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 10:22:05 +02:00
Dietmar Maurer
57723e98fd sys: add helpers to check file and directory permissions
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 10:14:24 +02:00
Dietmar Maurer
37c9dbf1eb sys: create options: make file parameter generic
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 09:32:48 +02:00
Dietmar Maurer
237f6218b0 product-config: factor out methods to create different file creation options
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 07:47:17 +02:00
Dietmar Maurer
7cd240bbad product-config: use Path instead of str everywhere
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-29 06:52:04 +02:00
Wolfgang Bumiller
484f12f3aa lang: drop commented-out c_str! implementation variants
This was an old version of a const-fn compatible checked c_str
implementation which was never enabled.

When we get rust 1.72, `CStr::from_bytes_with_nul` becomes usable in
const contexts.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-24 12:58:06 +02:00
Gabriel Goller
1d68cc33a3 metrics: influxdb test uri creation
Extract the URI creation for write and health URIs. Add unit test to
test the encoding of special characters in the organization and bucket
parameters.

Follow-up-to: bfa73aad ("metrics: encode influxdb org and bucket parameters")

Signed-off-by: Gabriel Goller <g.goller@proxmox.com>

FG: downgraded form_urlencoded version to packaged one
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2024-05-24 10:10:38 +02:00
Wolfgang Bumiller
aae8a03dc4 auth-api: bump version to 0.4.0
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-22 16:04:04 +02:00
Wolfgang Bumiller
bf9dc73246 sys: bump version to 0.5.5-1
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-22 15:48:34 +02:00
Wolfgang Bumiller
9c95b4d66e auth-api: rustfmt
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-22 15:41:56 +02:00
Wolfgang Bumiller
fc75d98cb3 auth-api: cleanup a warning
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-22 15:40:12 +02:00
Wolfgang Bumiller
a6dc4d322d auth-api: remove unnecessary allocation
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-05-22 15:38:26 +02:00
Stefan Sterz
5b4cb9b124 auth-api: fix types compilefail test
due to missing `use` statements they failed, as they should, but for
the wrong reasons. also adapt a test case that presumably was meant
to test whether `TokennameRef` can be compared, but instead
duplicated the `UsernameRef` test case.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:44 +02:00
Stefan Sterz
eef12f91a1 sys: crypt: use constant time comparison for password verification
by using `openssl::memcmp::eq()` we can avoid potential timing side
channels as its runtime only depends on the length of the arrays, not
the contents. this requires the two arrays to have the same length, but
that should be a given since the hashes should always have the same
length.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:43 +02:00
Stefan Sterz
f82bb2fc2b sys: crypt: move to yescrypt for password hashing
previously we used `sha256scrypt` for password hashing. while this may
be safe if used with the correct parameters, we used the default
parameters which are considered unsafe. according to `man crypt(5)`:

> The default CPU time cost parameter is 5000, which is too low for
> modern hardware.

hence, we needed to adapt this code anyway. conveniently, verification
with crypt also works for older hashes as the parameters for the
hashing function are encoded in the output of crypt. so this is a drop-in
replacement that will simply use yescrypt for new hashes while
old hashes will still verify properly.

this commit also adds a wrapper for `crypt_gensalt_rn` to more easily
generate correctly formatted salt strings. this is also useful for
switching the cpu time hardness parameter, as otherwise we'd need to
encode that ourselves.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:41 +02:00
Stefan Sterz
4d6922e2c4 auth-api: move to hmac signing for csrf tokens
previously we used our own hmac-like implementation for csrf token
signing that simply appended the key to the message (csrf token).
however, this is possibly insecure as an attacker that finds a
collision in the hash function can easily forge a signature. after all,
two messages would then produce the same start conditions before
hashing the key. while this is probably a theoretic attack on our csrf
implementation, it does not hurt to move to the safer standard hmac
implementation that avoids such pitfalls.

this commit re-uses the hmac key wrapper used for the keyring. it also
keeps the old construction around so we can use it for a transition
period between old and new csrf token implementations.

this is a breaking change as it changes the signature of the
`csrf_secret` method of the `AuthContext` trait to return an hmac
key.

also exposes `assemble_csrf_prevention_token` so we can re-use this
code here instead of duplicating it in e.g. proxmox-backup's
auth_helpers.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:40 +02:00
Stefan Sterz
8609fb58ef auth-api: use constant time comparison for csrf tokens
by using openssl's `memcmp::eq()` we can avoid potential side-channel
attack on the csrf token comparison. this comparison's runtime only
depends on the length of the two byte vectors, not their contents.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:38 +02:00
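The two commit messages above describe the same pair of changes: a CSRF token whose signature is a standard HMAC over the token payload (instead of a hash over message-plus-key), and a verification that compares tags in constant time. The following Python block is an added illustration of that design and is not proxmox-auth-api's code. The token layout (hex timestamp, userid, base64 tag), the lifetime and clock-skew limits, the demo key and the function names are assumptions made for this example; the standard-library `hmac` module stands in for openssl's HMAC and `hmac.compare_digest` for `openssl::memcmp::eq()`.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; assumption: a real service loads a random key from disk.
DEMO_KEY = b"constructed-demo-hmac-key-do-not-use"

# Assumed token lifetime and tolerated clock skew (seconds) for this example.
MAX_TOKEN_AGE = 8 * 3600
MAX_CLOCK_SKEW = 300


def csrf_mac(key: bytes, payload: bytes) -> bytes:
    """Standard HMAC-SHA256 tag over the token payload ('<timestamp>:<userid>')."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def assemble_csrf_token(key: bytes, userid: str, timestamp: Optional[int] = None) -> str:
    """Build '<hex timestamp>:<userid>:<base64 tag>' (layout assumed for this example)."""
    ts = int(time.time()) if timestamp is None else timestamp
    ts_hex = f"{ts:08X}"
    payload = f"{ts_hex}:{userid}".encode()
    tag = base64.b64encode(csrf_mac(key, payload)).decode()
    return f"{ts_hex}:{userid}:{tag}"


def verify_csrf_token(key: bytes, userid: str, token: str, now: Optional[int] = None) -> bool:
    """True only if the tag is valid for this userid and the token is still fresh."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) < 3:
        return False
    ts_hex, tag_b64 = parts[0], parts[-1]
    token_user = ":".join(parts[1:-1])  # a userid may itself contain ':'
    if token_user != userid:  # the userid is not secret; a plain comparison is fine
        return False
    try:
        ts = int(ts_hex, 16)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if ts > now + MAX_CLOCK_SKEW or now - ts > MAX_TOKEN_AGE:
        return False
    expected = csrf_mac(key, f"{ts_hex}:{userid}".encode())
    # compare_digest runs in time independent of the tag's contents. Unlike
    # openssl's memcmp::eq it also returns False for mismatched lengths instead
    # of requiring the caller to check the lengths first.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    token = assemble_csrf_token(DEMO_KEY, "root@pam")
    print(token, verify_csrf_token(DEMO_KEY, "root@pam", token))
```

The payload is recomputed from the parsed timestamp and the userid the caller already authenticated, so a tag copied from one user's token cannot be replayed for another, and the freshness check is done before the MAC comparison only because its inputs (timestamp, clock) are not secret.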
Stefan Sterz
b926ea1f5c auth-api: add ability to use hmac signing in keyring
previously we only used asymmetric cryptographic schemes to
authenticate tickets. this is fairly costly and not necessary in every
instance. imagine a service that runs as a single daemon. this daemon
is then the only party that needs to sign and verify tickets. this
makes hmac perfectly suitable for such use cases. hmac has some
advantages over asymmetric schemes:

- much simpler and well reviewed construction
- much faster and better optimized crypto primitives (hash functions)

this commit first introduces a new hmac key wrapper that uses openssl's
hmac implementation and can easily be reused by other parts of the
code. it also refactors the keyring code to make it easier to rotate
new hmac keys into place so switching to hmac keys is easier.

hmac keys are symmetric, so the verification key is the same key as the
signing key. this breaks the previous assumption by the keyring that
these correspond to public and private keys. thus, this commit
introduces two wrapper enums to distinguish between hmac and asymmetric
signature schemes.

the verification of hmac keys is also done via `openssl::memcmp::eq()`
to avoid potential timing side-channel attacks.

below are some simple benchmarks done with criterion.rs to show how much
faster hmac is, no matter the actual hash function:

rsa 4096 + sha256        time:   [2.7825 ms 2.7907 ms 2.7995 ms]
ed25519                  time:   [94.411 µs 94.840 µs 95.324 µs]
hmac sha256              time:   [5.7202 µs 5.7412 µs 5.7645 µs]
hmac sha384              time:   [6.6577 µs 6.6780 µs 6.7006 µs]
hmac sha3_256            time:   [5.6930 µs 5.7114 µs 5.7322 µs]

rsa with 4096 bit keys and a sha256 digest is our current default. the
test itself consists of a single sign + verification cycle. criterion
repeats this test as it sees fit to arrive at the above numbers.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:36 +02:00
Stefan Sterz
09d31a1a8b auth-api: move to Ed25519 signatures
previously we used P-256 as the curve of our choice for ec signatures.
however, in the meantime Ed25519 has become a lot more wide-spread.
this simplifies our ec generation code significantly while keeping the
same security level. Ed25519 was also specifically designed and
reviewed to avoid implementation errors likely making it a more secure
choice.

note that Ed25519 as a signature scheme always uses sha512, so signing
or verifying with a chosen digest is not supported.

as this mostly affects newly generated keys, this should not break any
existing setups.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:35 +02:00
Stefan Sterz
8e566591d5 auth-api: move signing into the private key
this commit moves the current ticket signing code into the private key
implementation. the upside is that the caller does not need to deal
with openssl's `Signer` directly. it also simplifies and unifies the
code by using the same helper for verifying a signature and creating it.

also derive `Clone` on `PrivateKey` and `PublicKey`. as they are
essentially thin wrappers around `openssl::pkey::PKey<Private>` and
`openssl::pkey::PKey<Public>`, which can be cloned, deriving `Clone`
just makes them easier to use.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:33 +02:00
Dietmar Maurer
f240a2bfaa acme-api: add debian packaging
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-17 12:13:02 +02:00
Dietmar Maurer
7c899090e4 acme-api: use product-config instead of custom acme api configuration
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-17 11:52:57 +02:00
Dietmar Maurer
0ffe40fcfa bump proxmox-section-config to 2.0.2-1
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-17 11:04:10 +02:00
Dietmar Maurer
a2693c7046 section-config: pass filesystem paths as AsRef<Path>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-17 10:59:20 +02:00
Dietmar Maurer
cfc155a06b acme-api: reusable ACME api implementation.
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-16 12:35:14 +02:00
Dietmar Maurer
870948f1d7 bump proxmox-acme to 0.5.2
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-16 11:53:52 +02:00
Dietmar Maurer
c07c46cd82 acme: add async-client feature
The client code is copied from proxmox-backup, without the load/save
account functionality.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-16 11:48:17 +02:00
Dietmar Maurer
c2450691c6 acme: allow to compile/use api types separately.
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2024-05-16 11:23:19 +02:00