From: Stefan Sterz
To: pbs-devel@lists.proxmox.com
Date: Thu, 15 Feb 2024 16:19:49 +0100
Message-Id: <20240215152001.269490-1-s.sterz@proxmox.com>
Subject: [pbs-devel] [PATCH proxmox{, -backup} 00/12] authentication cleanup and

this series adds some more functionality to `proxmox-auth-api` and tries to
clean it up a little. the first commit tries to move signing into the keyring
itself, instead of exposing the openssl's `Signer` further.

the second commit replaces our old P-256 ec signatures with Ed25519 which
offers similar security but is a bit more modern and tries to avoid common
implementation pitfalls.

the third commit adds hmac signing to the `proxmox-auth-api`'s `Keyring` which
is useful for applications where only one daemon is issuing and verifying
tickets. hmac uses symmetric keys and is much more efficient than asymmetric
signature schemes. the downside being that the verifier and the signer need to
be the exact same party, as the verification key can also be used to issue new
signatures.

the fourth commit uses the hmac functionality to sign csrf tokens. here we
previously used a self-rolled potentially insecure method of generating these
tokens. hmac avoids common pitfalls here. the commit also provides a fallback
to avoid compatibility issues.

the next three commits move our password hashing scheme to yescrypt, implement
a constant time comparison for password hashes and add a method to enable us to
upgrade existing hashes respectively.

the final commit for `proxmox-auth-api` cleans up some test cases that were
failing for the wrong reasons.

the four commits on the proxmox backup server side do the following:

- use hmac keys when generating new csrf tokens
- upgrade password hashes on log in if they are not using the latest password
  hash function already
- add a `proxmox-backup-manager` command to upgrade existing hashes
- use Ed25519 keys when generating new auth keys

the first and the last commit here will require a bump of `proxmox-auth-api`,
while the middle two patches will require a bump to `proxmox-sys`.

proxmox:

Stefan Sterz (8):
  auth-api: move signing into the private key
  auth-api: move to Ed25519 signatures
  auth-api: add ability to use hmac singing in keyring
  auth-api: move to hmac signing for csrf tokens
  sys: crypt: move to yescrypt for password hashing
  sys: crypt: use constant time comparison for password verification
  sys: crypt: add helper to allow upgrading hashes
  auth-api: fix types `compilefail` test

 proxmox-auth-api/src/api/access.rs |  88 ++++++++--
 proxmox-auth-api/src/api/mod.rs    |   6 +-
 proxmox-auth-api/src/auth_key.rs   | 211 +++++++++++++++++-----
 proxmox-auth-api/src/lib.rs        |   2 +-
 proxmox-auth-api/src/ticket.rs     |  40 ++---
 proxmox-auth-api/src/types.rs      |  10 +-
 proxmox-sys/Cargo.toml             |   3 +-
 proxmox-sys/src/crypt.rs           | 271 ++++++++++++++++++++++++++++-
 8 files changed, 540 insertions(+), 91 deletions(-)

proxmox-backup:

Stefan Sterz (4):
  auth: move to hmac keys for csrf tokens
  auth: upgrade hashes on user log in
  auth/manager: add manager command to upgrade hashes
  auth: us ec keys as auth keys

 src/auth.rs                            |  32 +++--
 src/auth_helpers.rs                    | 176 ++++++++++---------------
 src/bin/proxmox_backup_manager/user.rs |  34 ++++-
 3 files changed, 122 insertions(+), 120 deletions(-)

Summary over all repositories:
  11 files changed, 662 insertions(+), 211 deletions(-)

--
Generated by git-murpp 0.5.0
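
Added example, not part of the original mail or of the patch series: a sketch of the HMAC-signed CSRF token idea from the third and fourth commit descriptions, written in Python with the standard library rather than the Rust of `proxmox-auth-api`. The token layout (`<hex timestamp>:<base64 tag>`), the lifetime and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

TOKEN_LIFETIME = 2 * 3600  # assumed validity window, in seconds


def issue_csrf_token(key, userid, now=None):
    """Return '<hex timestamp>:<base64 HMAC-SHA256 tag>' bound to userid."""
    ts = int(time.time()) if now is None else now
    # The MAC covers both the issue time and the user, so a token cannot be
    # replayed for another user or have its timestamp refreshed.
    msg = f"{ts:08X}:{userid}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{ts:08X}:{base64.b64encode(tag).decode()}"


def verify_csrf_token(key, userid, token, now=None):
    """Check the tag in constant time, then the age of the token."""
    now = int(time.time()) if now is None else now
    ts_hex, sep, _tag = token.partition(":")
    if not sep:
        return False
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    # Symmetric scheme: verifying means re-issuing with the same key.
    # This is why signer and verifier have to be the same party.
    expected = issue_csrf_token(key, userid, now=ts)
    # Comparing the whole canonical token rejects non-canonical timestamps
    # and does not leak how many leading bytes of the tag matched.
    if not hmac.compare_digest(expected.encode(), token.encode("utf-8", "replace")):
        return False
    return 0 <= now - ts <= TOKEN_LIFETIME


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, never use a fixed key
    tok = issue_csrf_token(key, "alice@pbs", now=1_700_000_000)
    print(tok, verify_csrf_token(key, "alice@pbs", tok, now=1_700_000_060))
```
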