From: Ján Tomko <jtomko@redhat.com>
Date: Wed, 16 Jan 2019 15:29:44 +0000 (+0100)
Subject: remote: warn on low SSF
X-Git-Tag: v7.10.0-rc1~213
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de7288ae974082139226775f13a2dfd2256d916b;p=thirdparty%2Flibvirt.git

remote: warn on low SSF

Prepare for deprecating old kerberos ciphers by warning users
with a SSF lower than 112.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 719fcf4297..c0bb44b2cd 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
                            _("negotiation SSF %d was not strong enough"), ssf);
             goto cleanup;
         }
+        if (ssf < SSF_WARNING_LEVEL) {
+            VIR_WARN("negotiation SSF %d lower than %d will be deprecated. "
+                     "Please upgrade your ciphers.",
+                     ssf, SSF_WARNING_LEVEL);
+        }
         priv->is_secure = 1;
     }
 
diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h
index 1fab5a6cc4..5e9b04da63 100644
--- a/src/remote/remote_driver.h
+++ b/src/remote/remote_driver.h
@@ -39,3 +39,5 @@ unsigned long remoteVersion(void);
 #define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
 #define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
 #define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
+
+#define SSF_WARNING_LEVEL 112