From: Hannes Laimer <h.laimer@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v3 2/4][optional] pbs-api-types: make regex for ciphers more strict
Date: Sat, 8 Jan 2022 08:08:07 +0100 [thread overview]
Message-ID: <20220108070809.29315-3-h.laimer@proxmox.com> (raw)
In-Reply-To: <20220108070809.29315-1-h.laimer@proxmox.com>
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
if applied should be squashed with patch 0001
pbs-api-types/src/lib.rs | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index b4882064..8ad9f23a 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -100,6 +100,20 @@ mod local_macros {
macro_rules! DNS_ALIAS_NAME {
() => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
}
+ macro_rules! TLS_CIPHERSUITE_RE {
+ () => (
+ r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
+ )
+ }
+ macro_rules! OPENSSL_CIPHER_STRING_RE {
+ () => (concat!(
+ r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
+ "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
+ "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
+ "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
+ "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
+ ))
+ }
}
const_regex! {
@@ -124,9 +138,21 @@ const_regex! {
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
- pub OPENSSL_CIPHER_LIST_REGEX = r"^[A-Za-z0-9!\-+=@, :]+$";
+ pub OPENSSL_CIPHER_LIST_REGEX = concat!(
+ r"^((",
+ OPENSSL_CIPHER_STRING_RE!(),
+ ")([: ,](",
+ OPENSSL_CIPHER_STRING_RE!(),
+ "))*)$"
+ );
- pub TLS_CIPHERSUITE_LIST_REGEX = r"^[A-Za-z0-9_:]+$";
+ pub TLS_CIPHERSUITE_LIST_REGEX = concat!(
+ r"^((",
+ TLS_CIPHERSUITE_RE!(),
+ ")(:(",
+ TLS_CIPHERSUITE_RE!(),
+ "))*)$"
+ );
/// Regex for safe identifiers.
///
--
2.30.2
next prev parent reply other threads:[~2022-01-08 7:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-08 7:08 [pbs-devel] [PATCH proxmox-backup v3 0/4] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig Hannes Laimer
2022-01-10 5:40 ` Dietmar Maurer
2022-01-10 8:14 ` Fabian Grünbichler
2022-01-08 7:08 ` Hannes Laimer [this message]
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 3/4] proxy: use ciphers from config if set Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 4/4] api2: make tls ciphers updatable Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220108070809.29315-3-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox