daemon: virNetSASLContext: store tcpMinSSF

author Ján Tomko <jtomko@redhat.com>

Mon, 3 Jun 2019 13:50:06 +0000 (15:50 +0200)

committer Ján Tomko <jtomko@redhat.com>

Thu, 4 Nov 2021 16:02:56 +0000 (17:02 +0100)
author Ján Tomko <jtomko@redhat.com>
Mon, 3 Jun 2019 13:50:06 +0000 (15:50 +0200)
committer Ján Tomko <jtomko@redhat.com>
Thu, 4 Nov 2021 16:02:56 +0000 (17:02 +0100)
diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms

index 723c59787b5b4696e227231ad1b8aaf314dc7c9a..405ba1813e16ed03936a020c95184e3dec0a32c6 100644 (file)
--- a/src/libvirt_sasl.syms
+++ b/src/libvirt_sasl.syms
@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
  
  # rpc/virnetsaslcontext.h
  virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
  virNetSASLContextNewClient;
  virNetSASLContextNewServer;
  virNetSASLSessionClientStart;
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c

index 7076fe329447846ad656635b97530d090063c31b..b534cb3e373a59069a013110590b5b83fd8a9f75 100644 (file)
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
  #if WITH_SASL
      if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
          !(saslCtxt = virNetSASLContextNewServer(
-              (const char *const*)config->sasl_allowed_username_list)))
+              (const char *const*)config->sasl_allowed_username_list,
+              56)))
          return -1;
  #endif
  
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c

index bcfeadc2ae5b12e3138a59ab525122b1344cc411..96983e793735c59c807693b356b35896e8f27999 100644 (file)
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED,
      else
          /* Plain TCP, better get an SSF layer */
          virNetSASLSessionSecProps(sasl,
-                                  56,  /* Good enough to require kerberos */
+                                  virNetSASLContextGetTCPMinSSF(saslCtxt),
                                    100000,  /* Arbitrary big number */
                                    false); /* No anonymous */
  
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c

index 189e70d01ad45dbd378cb9289254a0027aefe143..ede434ed4a1ccdbdfd9f67735210c3fdd96f9eef 100644 (file)
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -37,6 +37,7 @@ struct _virNetSASLContext {
      virObjectLockable parent;
  
      const char *const *usernameACL;
+    unsigned int tcpMinSSF;
  };
  
  struct _virNetSASLSession {
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
      return ctxt;
  }
  
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+                                              unsigned int tcpMinSSF)
  {
      virNetSASLContext *ctxt;
  
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
          return NULL;
  
      ctxt->usernameACL = usernameACL;
+    ctxt->tcpMinSSF = tcpMinSSF;
  
      return ctxt;
  }
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
  }
  
  
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+    return ctxt->tcpMinSSF;
+}
+
+
  virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED,
                                                  const char *service,
                                                  const char *hostname,
diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h

index 33a75e71a052c5ae2a915b7985bd6a35c803c5f0..7202822e5b59d09c6594d3cb64b4f5008f85e99b 100644 (file)
--- a/src/rpc/virnetsaslcontext.h
+++ b/src/rpc/virnetsaslcontext.h
@@ -36,11 +36,14 @@ enum {
  };
  
  virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+                                              unsigned int min_ssf);
  
  int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
                                     const char *identity);
  
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
  virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt,
                                                  const char *service,
                                                  const char *hostname,
author	Ján Tomko <jtomko@redhat.com>
	Mon, 3 Jun 2019 13:50:06 +0000 (15:50 +0200)
committer	Ján Tomko <jtomko@redhat.com>
	Thu, 4 Nov 2021 16:02:56 +0000 (17:02 +0100)
src/libvirt_sasl.syms		patch \| blob \| blame \| history
src/remote/remote_daemon.c		patch \| blob \| blame \| history
src/remote/remote_daemon_dispatch.c		patch \| blob \| blame \| history
src/rpc/virnetsaslcontext.c		patch \| blob \| blame \| history
src/rpc/virnetsaslcontext.h		patch \| blob \| blame \| history