Store the minimum SSF value for TCP connections
in virNetSASLContext and introduce a getter for it.
Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
---
src/libvirt_sasl.syms | 1 +
src/remote/remote_daemon.c | 3 ++-
src/remote/remote_daemon_dispatch.c | 2 +-
src/rpc/virnetsaslcontext.c | 11 ++++++++++-
src/rpc/virnetsaslcontext.h | 5 ++++-
5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms
index 723c59787b..405ba1813e 100644
--- a/src/libvirt_sasl.syms
+++ b/src/libvirt_sasl.syms
@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
# rpc/virnetsaslcontext.h
virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
virNetSASLContextNewClient;
virNetSASLContextNewServer;
virNetSASLSessionClientStart;
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index 7076fe3294..b534cb3e37 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
#if WITH_SASL
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
!(saslCtxt = virNetSASLContextNewServer(
- (const char *const*)config->sasl_allowed_username_list)))
+ (const char *const*)config->sasl_allowed_username_list,
+ 56)))
return -1;
#endif
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index bcfeadc2ae..96983e7937 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED,
else
/* Plain TCP, better get an SSF layer */
virNetSASLSessionSecProps(sasl,
- 56, /* Good enough to require kerberos */
+ virNetSASLContextGetTCPMinSSF(saslCtxt),
100000, /* Arbitrary big number */
false); /* No anonymous */
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 189e70d01a..ede434ed4a 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -37,6 +37,7 @@ struct _virNetSASLContext {
virObjectLockable parent;
const char *const *usernameACL;
+ unsigned int tcpMinSSF;
};
struct _virNetSASLSession {
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
return ctxt;
}
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int tcpMinSSF)
{
virNetSASLContext *ctxt;
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
return NULL;
ctxt->usernameACL = usernameACL;
+ ctxt->tcpMinSSF = tcpMinSSF;
return ctxt;
}
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
}
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+ return ctxt->tcpMinSSF;
+}
+
+
virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED,
const char *service,
const char *hostname,
diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h
index 33a75e71a0..7202822e5b 100644
--- a/src/rpc/virnetsaslcontext.h
+++ b/src/rpc/virnetsaslcontext.h
@@ -36,11 +36,14 @@ enum {
};
virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int min_ssf);
int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
const char *identity);
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt,
const char *service,
const char *hostname,
--
2.31.1
