[libvirt PATCH 3/3] daemon: add tcp_min_ssf option

Ján Tomko jtomko at redhat.com
Wed Nov 3 13:09:16 UTC 2021 

Add an option to allow the admin to requet a higher minimum SSF
for connections than the built-in default.

The current default is 56 (single DES equivalent, to support
old kerberos) and will be raised to 112 in the future.

https://bugzilla.redhat.com/show_bug.cgi?id=1431589

Signed-off-by: Ján Tomko <jtomko at redhat.com>
---
 src/remote/libvirtd.aug.in        |  1 +
 src/remote/libvirtd.conf.in       |  8 ++++++++
 src/remote/remote_daemon.c        |  6 +++++-
 src/remote/remote_daemon_config.c | 15 +++++++++++++++
 src/remote/remote_daemon_config.h |  1 +
 src/remote/test_libvirtd.aug.in   |  1 +
 6 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in
index 61ea8067b9..d744548f41 100644
--- a/src/remote/libvirtd.aug.in
+++ b/src/remote/libvirtd.aug.in
@@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ =
 @CUT_ENABLE_IP@
                             | str_entry "auth_tcp"
                             | str_entry "auth_tls"
+                            | int_entry "tcp_min_ssf"
 
    let certificate_entry = str_entry "key_file"
                          | str_entry "cert_file"
diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index ad049f636b..8e709856aa 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -197,6 +197,14 @@
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls = "none"
+
+# Enforce a minimum SSF value for TCP sockets
+#
+# The default minimum is currently 56 (single-DES) which will
+# be raised to 112 in the future.
+#
+# This option can be used to set values higher than 112
+#tcp_min_ssf = 112
 @END@
 
 
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index b534cb3e37..28f891f2b0 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -210,6 +210,7 @@ daemonSetupNetworking(virNetServer *srv,
     int unix_sock_ro_mask = 0;
     int unix_sock_rw_mask = 0;
     int unix_sock_adm_mask = 0;
+    unsigned int tcp_min_ssf = 0;
     g_autoptr(virSystemdActivation) act = NULL;
     virSystemdActivationMap actmap[] = {
         { .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path },
@@ -403,10 +404,13 @@ daemonSetupNetworking(virNetServer *srv,
         return -1;
 
 #if WITH_SASL
+# if WITH_IP
+    tcp_min_ssf = config->tcp_min_ssf;
+# endif
     if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
         !(saslCtxt = virNetSASLContextNewServer(
               (const char *const*)config->sasl_allowed_username_list,
-              56)))
+              tcp_min_ssf)))
         return -1;
 #endif
 
diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_config.c
index a47ec14508..a9961013f2 100644
--- a/src/remote/remote_daemon_config.c
+++ b/src/remote/remote_daemon_config.c
@@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
     data->auth_tls = REMOTE_AUTH_NONE;
 #endif /* ! WITH_IP */
 
+#if WITH_IP
+    data->tcp_min_ssf = 56; /* good enough for kerberos */
+#endif
+
     data->min_workers = 5;
     data->max_workers = 20;
     data->max_clients = 5000;
@@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data,
 
     if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0)
         return -1;
+
+    if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0)
+        return -1;
+
+    if (data->tcp_min_ssf < SSF_WARNING_LEVEL) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("minimum SSF levels lower than %d are not supported"),
+                       SSF_WARNING_LEVEL);
+        return -1;
+    }
+
 #endif /* ! WITH_IP */
 
     if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_config.h
index 9cad9da734..47839271d3 100644
--- a/src/remote/remote_daemon_config.h
+++ b/src/remote/remote_daemon_config.h
@@ -56,6 +56,7 @@ struct daemonConfig {
     bool tls_no_sanity_certificate;
     char **tls_allowed_dn_list;
     char *tls_priority;
+    unsigned int tcp_min_ssf;
 
     char *key_file;
     char *cert_file;
diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
index 56c4487a01..c27680e130 100644
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -19,6 +19,7 @@ module Test_ at DAEMON_NAME@ =
 @CUT_ENABLE_IP@
         { "auth_tcp" = "sasl" }
         { "auth_tls" = "none" }
+        { "tcp_min_ssf" = "112" }
 @END@
         { "access_drivers"
              { "1" = "polkit" }
-- 
2.31.1

More information about the libvir-list mailing list