From: Wolfgang Bumiller
To: Gabriel Goller
Cc: pbs-devel@lists.proxmox.com
Date: Thu, 29 Aug 2024 14:21:56 +0200
Subject: Re: [pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files
Message-ID: <2ar5pj3cgxwqlyne4p5jfomwu6df3nxsskzul7ew3hcr676rtg@7dklhsjwdam4>
In-Reply-To: <20240829121047.243804-1-g.goller@proxmox.com>
List-Id: Proxmox Backup Server development discussion

On Thu, Aug 29, 2024 at 02:10:47PM GMT, Gabriel Goller wrote:
> To avoid openssl's unhelpful error messages when the proxy.key or
> proxy.pem files have the wrong permissions, we open the files. To load
> the private key, we can simply read from the file and pass it to the
> `set_private_key` openssl function. Sadly such a function does not exist
> for loading certificate chains, so we have to open and close the file
> before calling the `set_certificate_chain_file` fn.
>
> Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204
>
> Signed-off-by: Gabriel Goller
> ---
>
> v2, thanks @Wolfgang:
> - move check from proxmox-backup-server to proxmox-rest-server
> - check permissions by opening files
>
> proxmox-rest-server/src/connection.rs | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/proxmox-rest-server/src/connection.rs b/proxmox-rest-server/src/connection.rs
> index fbdfe96cdfdb..f985d25f7e63 100644
> --- a/proxmox-rest-server/src/connection.rs
> +++ b/proxmox-rest-server/src/connection.rs
> @@ -12,19 +12,21 @@ use std::pin::{pin, Pin};
> use std::sync::{Arc, Mutex};
> use std::time::Duration;
>
> -use anyhow::{format_err, Context as _, Error};
> +use anyhow::{format_err, Context, Error};
> use futures::FutureExt;
> use hyper::server::accept;
> use openssl::ec::{EcGroup, EcKey};
> use openssl::nid::Nid;
> use openssl::pkey::{PKey, Private};
> -use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
> +use openssl::ssl::{SslAcceptor, SslMethod};
> use openssl::x509::X509;
> use tokio::net::{TcpListener, TcpStream};
> use tokio::sync::mpsc;
> use tokio_openssl::SslStream;
> use tokio_stream::wrappers::ReceiverStream;
>
> +use proxmox_sys::fs::file_read_string;
> +
> #[cfg(feature = "rate-limited-stream")]
> use proxmox_http::{RateLimitedStream, ShareableRateLimit};
>
> @@ -88,9 +90,17 @@ impl TlsAcceptorBuilder {
> .context("failed to set tls acceptor certificate")?;
> }
> Some(Tls::FilesPem(key, cert)) => {
> + let key_content =
> + file_read_string(key).context("Failed to read from private key file")?;

Why not `std::fs::read()`? openssl expects bytes below, the utf-8 check is
unnecessary. (just include the path via `.with_context(|| format!(...))`)

> acceptor
> - .set_private_key_file(key, SslFiletype::PEM)
> + .set_private_key(PKey::private_key_from_pem(key_content.as_bytes())?.as_ref())
> .context("failed to set tls acceptor private key file")?;
> +
> + {
> + // Check the permissions by opening the file
> + let _cert_fd = std::fs::File::open(&cert)
> + .context(format!("Failed to open certificate at {:?}", cert))?;

use `.with_context` to avoid formatting the string when no error happens.

> + }
> acceptor
> .set_certificate_chain_file(cert)
> .context("failed to set tls acceptor certificate chain file")?;
> --
> 2.39.2

_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
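
Review bot: in the imports hunk (`@@ -12,19 +12,21 @@`), changing `Context as _` to `Context` is unrelated churn: the rest of the patch still only calls the `.context()` trait method, for which the anonymous `as _` import is sufficient, so `use anyhow::{format_err, Context as _, Error};` can stay as it was. The added `use proxmox_sys::fs::file_read_string;` also becomes an unused import if the key read is switched to `std::fs::read()` as the reply above suggests, so the two lines should be dropped together with that change.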
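
Review bot: in the `Tls::FilesPem` arm of the second hunk (`@@ -88,9 +90,17 @@`), `PKey::private_key_from_pem(key_content.as_bytes())?` propagates a parse failure with only openssl's own error and no path, which is the kind of unhelpful message the commit message sets out to avoid; the `.context("failed to set tls acceptor private key file")` on the following line only wraps `set_private_key`. Parse first with its own context and pass the result, e.g. `let pkey = PKey::private_key_from_pem(key_content.as_bytes()).with_context(|| format!("failed to parse private key {:?}", key))?;` followed by `acceptor.set_private_key(&pkey)`, and drop "file" from the context string now that the key is no longer loaded by path. The `std::fs::File::open(&cert)` block deserves a comment that it only improves the diagnostic: the handle is dropped and `set_certificate_chain_file(cert)` re-opens by path, so it is not a guarantee about the file openssl ends up reading, which is fine for the stated goal but should not be read as a permission check.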
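
The approach described in the commit message (read the key and open the certificate yourself so that a permission or existence error carries the path and the OS error, instead of openssl's generic failure) together with the two review points (read bytes rather than a UTF-8 string; build the error context lazily), as an added, std-only Rust example. This is not the patch's code and not proxmox-rest-server's API: the `TlsFileError` type, the function names, the default file names in `main` and the mode-bit check (which goes beyond the patch by rejecting a key readable by group or others) are assumptions of this example, and `anyhow`/`openssl` are replaced by `std` so it runs stand-alone.

```rust
use std::fmt;
use std::fs;
use std::io;
use std::path::Path;

/// Error carrying the path and the underlying OS error, i.e. exactly the
/// information that a bare openssl "failed to load" error leaves out.
/// (Hypothetical type for this example, not part of proxmox-rest-server.)
#[derive(Debug)]
pub struct TlsFileError {
    pub path: String,
    pub source: io::Error,
}

impl fmt::Display for TlsFileError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "failed to read TLS file {:?}: {}", self.path, self.source)
    }
}

impl std::error::Error for TlsFileError {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        Some(&self.source)
    }
}

/// Read the private key as raw bytes. A PEM parser takes `&[u8]`, so a
/// UTF-8 check would only add a failure mode. The path string is built
/// inside the closure, i.e. only on the error path (the std equivalent of
/// anyhow's `.with_context(|| format!(...))`).
pub fn read_private_key(key: &Path) -> Result<Vec<u8>, TlsFileError> {
    fs::read(key).map_err(|source| TlsFileError { path: key.display().to_string(), source })
}

/// Open the certificate purely to surface a permission or existence error
/// with the path before the path is handed to a loader that reports only a
/// generic failure. The handle is dropped; the later loader re-opens by path.
pub fn check_certificate_readable(cert: &Path) -> Result<(), TlsFileError> {
    fs::File::open(cert)
        .map(|_fd| ())
        .map_err(|source| TlsFileError { path: cert.display().to_string(), source })
}

/// Added hardening beyond the patch (assumption of this example): a private
/// key should not be readable by group or others. Returns Ok(true) when the
/// mode bits are acceptable. Unix only; elsewhere the check is skipped.
#[cfg(unix)]
pub fn key_mode_is_private(key: &Path) -> Result<bool, TlsFileError> {
    use std::os::unix::fs::PermissionsExt;
    let meta = fs::metadata(key)
        .map_err(|source| TlsFileError { path: key.display().to_string(), source })?;
    Ok(meta.permissions().mode() & 0o077 == 0)
}

#[cfg(not(unix))]
pub fn key_mode_is_private(_key: &Path) -> Result<bool, TlsFileError> {
    Ok(true)
}

/// The order the patch uses: read the key (bytes), check the certificate is
/// openable, then hand both to the TLS stack (the openssl calls are omitted
/// here; the key bytes are returned so the result can be inspected).
pub fn load_tls_material(key: &Path, cert: &Path) -> Result<Vec<u8>, TlsFileError> {
    let key_bytes = read_private_key(key)?;
    if !key_mode_is_private(key)? {
        eprintln!("warning: private key {:?} is readable by group or others", key);
    }
    check_certificate_readable(cert)?;
    Ok(key_bytes)
}

fn main() {
    // Paths are taken from the command line; the defaults are constructed
    // for this example and are not the project's real locations.
    let args: Vec<String> = std::env::args().collect();
    let key = Path::new(args.get(1).map(String::as_str).unwrap_or("proxy.key"));
    let cert = Path::new(args.get(2).map(String::as_str).unwrap_or("proxy.pem"));
    match load_tls_material(key, cert) {
        Ok(bytes) => println!("read {} bytes of key material; certificate is readable", bytes.len()),
        Err(e) => eprintln!("{}", e),
    }
}
```

Run it against a key with mode 0640 owned by another user and the error names the path and reads "Permission denied", which is what the forum report in the commit message was missing; the `key_mode_is_private` warning fires before the certificate is touched so a world-readable key is reported even when everything loads.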