From nobody Fri May 3 08:32:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1635945321; cv=none; d=zohomail.com; s=zohoarc; b=eWOcugokEMBOvdE+XbLSHi9Y40yFxsYebMiwx1vxzNZxbEx2DG7F3MEAtiUVljR7+yz5f811OK0eldCUOJ1L+n6s00SqnLYaeVoDFaD1Q9FQ5PBOXzN23n8/dpfBuT78WbAgcLskRRcUOgNFFiZhWwn5pZt5bkFz+JttmQVUunA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1635945321; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=/Lu1IurT+rtnbonP60Yby4vLQKKLuc2hB1/rrSpxY/w=; b=XcuY4txR0RemfWGSAmWSZlFBj0woFvnv8tHG+Y11Ya9qXbah2j/F6qupybXmUCw6GntfiYdjH5gMCB3tdz39p/l7AGfi6OxTKz2YmuBw9cAE4tOT437d7VWR36i9FlhFGkV8AC7D8Itld4SjxlYCUGhdGKYPNkQKY4aia/DHqm4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1635945321206803.4872208151571; Wed, 3 Nov 2021 06:15:21 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-37-cvZMijpxMnqBddERS4g9WQ-1; Wed, 03 Nov 2021 09:15:18 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 67DC58042E0; Wed, 3 Nov 2021 13:15:12 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4B06B6784E; Wed, 3 Nov 2021 13:15:12 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 19BBA1818480; Wed, 3 Nov 2021 13:15:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1A3D9N62024969 for ; Wed, 3 Nov 2021 09:09:23 -0400 Received: by smtp.corp.redhat.com (Postfix) id 5F28970886; Wed, 3 Nov 2021 13:09:23 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.43.2.44]) by smtp.corp.redhat.com (Postfix) with ESMTP id DE3047086D for ; Wed, 3 Nov 2021 13:09:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1635945320; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=/Lu1IurT+rtnbonP60Yby4vLQKKLuc2hB1/rrSpxY/w=; b=S12sJcgJhKgnj3jgeL1nxksbjyzUCSW52yClu6cihbNjKd2RqGFsqtG1DQbvP00/xBNddg vAvi6xxBg9TnNheALv5SKHURUU+NHoF3VjI5EGrulfBMS94s7EKayL0kGkboWa6n+UNTVg 4qtIC7J/880NMiRVf0XQULmlRLAul6Y= X-MC-Unique: cvZMijpxMnqBddERS4g9WQ-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Subject: [libvirt PATCH 1/3] remote: warn on low SSF Date: Wed, 3 Nov 2021 14:09:14 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1635945323381100001 Prepare for deprecating old kerberos ciphers by warning users with a SSF lower than 112. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/remote/remote_driver.c | 5 +++++ src/remote/remote_driver.h | 2 ++ 2 files changed, 7 insertions(+) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 719fcf4297..c0bb44b2cd 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_da= ta *priv, _("negotiation SSF %d was not strong enough"), = ssf); goto cleanup; } + if (ssf < SSF_WARNING_LEVEL) { + VIR_WARN("negotiation SSF %d lower than %d will be deprecated.= " + "Please upgrade your ciphers.", + ssf, SSF_WARNING_LEVEL); + } priv->is_secure =3D 1; } =20 diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h index 1fab5a6cc4..5e9b04da63 100644 --- a/src/remote/remote_driver.h +++ b/src/remote/remote_driver.h @@ -39,3 +39,5 @@ unsigned long remoteVersion(void); #define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem" #define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem" #define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem" + +#define SSF_WARNING_LEVEL 112 --=20 2.31.1 From nobody Fri May 3 08:32:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1635945064; cv=none; d=zohomail.com; s=zohoarc; b=eMS/njUk43rz9KP703Gcp6bIw3trYM2i2dx/emLXXle1h7cn5AhR2affRlS8oap4MCDG32piddaRlro7Xuwzd6ryG8fK3mGdpZC6vU+Y3pk4i4WVBdHyAycLwc5YZ8uP6sjdJVUdsOm+DMqos6840s6rxjhn6NNb+zZ4waua0Rw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1635945064; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=JMaUd3f5FJVHtO2JKAESmPZOJCpRRTaYkgSnhCP0L20=; b=bZs2EIjf3jdTvmXFICZ0gDnABdtSKWj/NcMO8U536P2jC1CpKXtsGs4gU1HunoLLjwQcZfRO/fq2l4wPtwFlj49zqbAPpyt+n7kgPvJNxLxLiBXgz4WPqf0ybeTXOX91ajKqSObPlLvmu+/59kdnZeHaKJ0XcAVO1RjTxQ7HfDA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 163594506408723.337907359214796; Wed, 3 Nov 2021 06:11:04 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-599-ONzf4ek3PlmodHquAaZzrw-1; Wed, 03 Nov 2021 09:10:59 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1FB7C91275; Wed, 3 Nov 2021 13:10:54 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id F2A705C1C5; Wed, 3 Nov 2021 13:10:53 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id D12451800B9E; Wed, 3 Nov 2021 13:10:52 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1A3D9OL0024975 for ; Wed, 3 Nov 2021 09:09:24 -0400 Received: by smtp.corp.redhat.com (Postfix) id 2F23B7086D; Wed, 3 Nov 2021 13:09:24 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.43.2.44]) by smtp.corp.redhat.com (Postfix) with ESMTP id AC34170886 for ; Wed, 3 Nov 2021 13:09:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1635945063; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=JMaUd3f5FJVHtO2JKAESmPZOJCpRRTaYkgSnhCP0L20=; b=Y3I/7ZPocMuizHB/dvNNEPo8JfoXSNaNH9sV2phTA6Jp5f8f3iaZairsMTqS1/yI/aKjWx ajNsZnMevoY/ADYkyB9MrllMep5lR+K4gpCk76DEXv6VJptQuWvyvVHzIM876D+PqW9Vor jBOLVXu5eS3FbtYjJHgB68YK9vPN9qc= X-MC-Unique: ONzf4ek3PlmodHquAaZzrw-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Subject: [libvirt PATCH 2/3] daemon: virNetSASLContext: store tcpMinSSF Date: Wed, 3 Nov 2021 14:09:15 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1635945064793100001 Store the minimum SSF value for TCP connections in virNetSASLContext and introduce a getter for it. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/libvirt_sasl.syms | 1 + src/remote/remote_daemon.c | 3 ++- src/remote/remote_daemon_dispatch.c | 2 +- src/rpc/virnetsaslcontext.c | 11 ++++++++++- src/rpc/virnetsaslcontext.h | 5 ++++- 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms index 723c59787b..405ba1813e 100644 --- a/src/libvirt_sasl.syms +++ b/src/libvirt_sasl.syms @@ -7,6 +7,7 @@ virNetClientSetSASLSession; =20 # rpc/virnetsaslcontext.h virNetSASLContextCheckIdentity; +virNetSASLContextGetTCPMinSSF; virNetSASLContextNewClient; virNetSASLContextNewServer; virNetSASLSessionClientStart; diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 7076fe3294..b534cb3e37 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv, #if WITH_SASL if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) && !(saslCtxt =3D virNetSASLContextNewServer( - (const char *const*)config->sasl_allowed_username_list))) + (const char *const*)config->sasl_allowed_username_list, + 56))) return -1; #endif =20 diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon= _dispatch.c index bcfeadc2ae..96983e7937 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNU= C_UNUSED, else /* Plain TCP, better get an SSF layer */ virNetSASLSessionSecProps(sasl, - 56, /* Good enough to require kerberos = */ + virNetSASLContextGetTCPMinSSF(saslCtxt), 100000, /* Arbitrary big number */ false); /* No anonymous */ =20 diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c index 189e70d01a..ede434ed4a 100644 --- a/src/rpc/virnetsaslcontext.c +++ b/src/rpc/virnetsaslcontext.c @@ -37,6 +37,7 @@ struct _virNetSASLContext { virObjectLockable parent; =20 const char *const *usernameACL; + unsigned int tcpMinSSF; }; =20 struct _virNetSASLSession { @@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void) return ctxt; } =20 -virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA= CL) +virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA= CL, + unsigned int tcpMinSSF) { virNetSASLContext *ctxt; =20 @@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const cha= r *const *usernameACL) return NULL; =20 ctxt->usernameACL =3D usernameACL; + ctxt->tcpMinSSF =3D tcpMinSSF; =20 return ctxt; } @@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *= ctxt, } =20 =20 +unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt) +{ + return ctxt->tcpMinSSF; +} + + virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GN= UC_UNUSED, const char *service, const char *hostname, diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h index 33a75e71a0..7202822e5b 100644 --- a/src/rpc/virnetsaslcontext.h +++ b/src/rpc/virnetsaslcontext.h @@ -36,11 +36,14 @@ enum { }; =20 virNetSASLContext *virNetSASLContextNewClient(void); -virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA= CL); +virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA= CL, + unsigned int min_ssf); =20 int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt, const char *identity); =20 +unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt); + virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt, const char *service, const char *hostname, --=20 2.31.1 From nobody Fri May 3 08:32:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1635944983; cv=none; d=zohomail.com; s=zohoarc; b=NsVxM5lG5uMSuTatvO7pibtmWG8HA4Z9SG8JpbyNm2QtvDh7jha8NhQOFBxaM+i1R+LOpo0nAU2pS1yV32y6p6a/EURVRX9K1/+kvWNArzFP/p9s7Bfk38QJNWC/6QuR7Nde4s3oBNyhXRmaAina9zwD03ZBG/piqnV61TqY+yw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1635944983; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=lNf6TNwVQp7Qi6SKdQN+7uMXk1hKEGGx329SXwLcanU=; b=MPbUQLzqiKoOYH6skhlWIz6bUgkUIzX98pi7RshRHXkfsbGw8eKBmy5vOlpVwy4YTB3AQI17QyzyTcSjZBEQlgzsEkrQX4Z1MksdX+O6ZRPXWc0MmVGMdEQ4NrAG0F45oLQKn+Lx5WsOIHa2HwiVPHUn3vxlxCtezpl8lSYL164= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1635944983188371.02435612970453; Wed, 3 Nov 2021 06:09:43 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-581-IHhY5eqjOl6JJ4Aw4EOUrw-1; Wed, 03 Nov 2021 09:09:38 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 81FC510B395E; Wed, 3 Nov 2021 13:09:32 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9628661291; Wed, 3 Nov 2021 13:09:31 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5829D1803B30; Wed, 3 Nov 2021 13:09:31 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1A3D9PiT024989 for ; Wed, 3 Nov 2021 09:09:25 -0400 Received: by smtp.corp.redhat.com (Postfix) id F04BA7086D; Wed, 3 Nov 2021 13:09:24 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.43.2.44]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7A95870886 for ; Wed, 3 Nov 2021 13:09:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1635944982; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=lNf6TNwVQp7Qi6SKdQN+7uMXk1hKEGGx329SXwLcanU=; b=cKxUQxjRsdkuhvIj02IZGwJNUodtIvepcOkvI0X7QHBgCjtIWEpabjf9RH+WQ4pYDIlrkq SBo2cB7LOdAmtYNNEo2k/APWOK2vQ2RGLgtSdmkVbLPG1cj/Gr0V6uwjrCRVwyCirbHFOG wkUS9eeZoJULG6H6O+zCfec/S6dZ9As= X-MC-Unique: IHhY5eqjOl6JJ4Aw4EOUrw-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Subject: [libvirt PATCH 3/3] daemon: add tcp_min_ssf option Date: Wed, 3 Nov 2021 14:09:16 +0100 Message-Id: <5e1b1eacec9a93b6bc445c2d39281cc521708445.1635944931.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1635944983532100001 Add an option to allow the admin to requet a higher minimum SSF for connections than the built-in default. The current default is 56 (single DES equivalent, to support old kerberos) and will be raised to 112 in the future. https://bugzilla.redhat.com/show_bug.cgi?id=3D1431589 Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/remote/libvirtd.aug.in | 1 + src/remote/libvirtd.conf.in | 8 ++++++++ src/remote/remote_daemon.c | 6 +++++- src/remote/remote_daemon_config.c | 15 +++++++++++++++ src/remote/remote_daemon_config.h | 1 + src/remote/test_libvirtd.aug.in | 1 + 6 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in index 61ea8067b9..d744548f41 100644 --- a/src/remote/libvirtd.aug.in +++ b/src/remote/libvirtd.aug.in @@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ =3D @CUT_ENABLE_IP@ | str_entry "auth_tcp" | str_entry "auth_tls" + | int_entry "tcp_min_ssf" =20 let certificate_entry =3D str_entry "key_file" | str_entry "cert_file" diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in index ad049f636b..8e709856aa 100644 --- a/src/remote/libvirtd.conf.in +++ b/src/remote/libvirtd.conf.in @@ -197,6 +197,14 @@ # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option #auth_tls =3D "none" + +# Enforce a minimum SSF value for TCP sockets +# +# The default minimum is currently 56 (single-DES) which will +# be raised to 112 in the future. +# +# This option can be used to set values higher than 112 +#tcp_min_ssf =3D 112 @END@ =20 =20 diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index b534cb3e37..28f891f2b0 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -210,6 +210,7 @@ daemonSetupNetworking(virNetServer *srv, int unix_sock_ro_mask =3D 0; int unix_sock_rw_mask =3D 0; int unix_sock_adm_mask =3D 0; + unsigned int tcp_min_ssf =3D 0; g_autoptr(virSystemdActivation) act =3D NULL; virSystemdActivationMap actmap[] =3D { { .name =3D DAEMON_NAME ".socket", .family =3D AF_UNIX, .path =3D = sock_path }, @@ -403,10 +404,13 @@ daemonSetupNetworking(virNetServer *srv, return -1; =20 #if WITH_SASL +# if WITH_IP + tcp_min_ssf =3D config->tcp_min_ssf; +# endif if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) && !(saslCtxt =3D virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list, - 56))) + tcp_min_ssf))) return -1; #endif =20 diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_c= onfig.c index a47ec14508..a9961013f2 100644 --- a/src/remote/remote_daemon_config.c +++ b/src/remote/remote_daemon_config.c @@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED) data->auth_tls =3D REMOTE_AUTH_NONE; #endif /* ! WITH_IP */ =20 +#if WITH_IP + data->tcp_min_ssf =3D 56; /* good enough for kerberos */ +#endif + data->min_workers =3D 5; data->max_workers =3D 20; data->max_clients =3D 5000; @@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data, =20 if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) <= 0) return -1; + + if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0) + return -1; + + if (data->tcp_min_ssf < SSF_WARNING_LEVEL) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("minimum SSF levels lower than %d are not support= ed"), + SSF_WARNING_LEVEL); + return -1; + } + #endif /* ! WITH_IP */ =20 if (virConfGetValueStringList(conf, "sasl_allowed_username_list", fals= e, diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_c= onfig.h index 9cad9da734..47839271d3 100644 --- a/src/remote/remote_daemon_config.h +++ b/src/remote/remote_daemon_config.h @@ -56,6 +56,7 @@ struct daemonConfig { bool tls_no_sanity_certificate; char **tls_allowed_dn_list; char *tls_priority; + unsigned int tcp_min_ssf; =20 char *key_file; char *cert_file; diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug= .in index 56c4487a01..c27680e130 100644 --- a/src/remote/test_libvirtd.aug.in +++ b/src/remote/test_libvirtd.aug.in @@ -19,6 +19,7 @@ module Test_@DAEMON_NAME@ =3D @CUT_ENABLE_IP@ { "auth_tcp" =3D "sasl" } { "auth_tls" =3D "none" } + { "tcp_min_ssf" =3D "112" } @END@ { "access_drivers" { "1" =3D "polkit" } --=20 2.31.1