Add an option to allow the admin to requet a higher minimum SSF
for connections than the built-in default.
The current default is 56 (single DES equivalent, to support
old kerberos) and will be raised to 112 in the future.
https://bugzilla.redhat.com/show_bug.cgi?id=
1431589
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
@CUT_ENABLE_IP@
| str_entry "auth_tcp"
| str_entry "auth_tls"
+ | int_entry "tcp_min_ssf"
let certificate_entry = str_entry "key_file"
| str_entry "cert_file"
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
+
+# Enforce a minimum SSF value for TCP sockets
+#
+# The default minimum is currently 56 (single-DES) which will
+# be raised to 112 in the future.
+#
+# This option can be used to set values higher than 112
+#tcp_min_ssf = 112
@END@
int unix_sock_ro_mask = 0;
int unix_sock_rw_mask = 0;
int unix_sock_adm_mask = 0;
+#if WITH_SASL
+ unsigned int tcp_min_ssf = 0;
+#endif /* !WITH_SASL */
g_autoptr(virSystemdActivation) act = NULL;
virSystemdActivationMap actmap[] = {
{ .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path },
return -1;
#if WITH_SASL
+# if WITH_IP
+ tcp_min_ssf = config->tcp_min_ssf;
+# endif
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
!(saslCtxt = virNetSASLContextNewServer(
(const char *const*)config->sasl_allowed_username_list,
- 56)))
+ tcp_min_ssf)))
return -1;
#endif
data->auth_tls = REMOTE_AUTH_NONE;
#endif /* ! WITH_IP */
+#if WITH_IP
+ data->tcp_min_ssf = 56; /* good enough for kerberos */
+#endif
+
data->min_workers = 5;
data->max_workers = 20;
data->max_clients = 5000;
if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0)
return -1;
+
+ if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0)
+ return -1;
+
+ if (data->tcp_min_ssf < SSF_WARNING_LEVEL) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("minimum SSF levels lower than %d are not supported"),
+ SSF_WARNING_LEVEL);
+ return -1;
+ }
+
#endif /* ! WITH_IP */
if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
bool tls_no_sanity_certificate;
char **tls_allowed_dn_list;
char *tls_priority;
+ unsigned int tcp_min_ssf;
char *key_file;
char *cert_file;
@CUT_ENABLE_IP@
{ "auth_tcp" = "sasl" }
{ "auth_tls" = "none" }
+ { "tcp_min_ssf" = "112" }
@END@
{ "access_drivers"
{ "1" = "polkit" }
projects / thirdparty / libvirt.git / commitdiff
