8:09 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1431589
Ján Tomko (3):
remote: warn on low SSF
daemon: virNetSASLContext: store tcpMinSSF
daemon: add tcp_min_ssf option
src/libvirt_sasl.syms | 1 +
src/remote/libvirtd.aug.in | 1 +
src/remote/libvirtd.conf.in | 8 ++++++++
src/remote/remote_daemon.c | 7 ++++++-
src/remote/remote_daemon_config.c | 15 +++++++++++++++
src/remote/remote_daemon_config.h | 1 +
src/remote/remote_daemon_dispatch.c | 2 +-
src/remote/remote_driver.c | 5 +++++
src/remote/remote_driver.h | 2 ++
src/remote/test_libvirtd.aug.in | 1 +
src/rpc/virnetsaslcontext.c | 11 ++++++++++-
src/rpc/virnetsaslcontext.h | 5 ++++-
12 files changed, 55 insertions(+), 4 deletions(-)
--
2.31.1
8:09 a.m.
New subject: [libvirt PATCH 1/3] remote: warn on low SSF
Prepare for deprecating old kerberos ciphers by warning users
with a SSF lower than 112.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/remote/remote_driver.c | 5 +++++
src/remote/remote_driver.h | 2 ++
2 files changed, 7 insertions(+)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 719fcf4297..c0bb44b2cd 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
_("negotiation SSF %d was not strong enough"),
ssf);
goto cleanup;
}
+ if (ssf < SSF_WARNING_LEVEL) {
+ VIR_WARN("negotiation SSF %d lower than %d will be deprecated. "
+ "Please upgrade your ciphers.",
+ ssf, SSF_WARNING_LEVEL);
+ }
priv->is_secure = 1;
}
diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h
index 1fab5a6cc4..5e9b04da63 100644
--- a/src/remote/remote_driver.h
+++ b/src/remote/remote_driver.h
@@ -39,3 +39,5 @@ unsigned long remoteVersion(void);
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
+
+#define SSF_WARNING_LEVEL 112
--
2.31.1
8:09 a.m.
New subject: [libvirt PATCH 2/3] daemon: virNetSASLContext: store tcpMinSSF
Store the minimum SSF value for TCP connections
in virNetSASLContext and introduce a getter for it.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/libvirt_sasl.syms | 1 +
src/remote/remote_daemon.c | 3 ++-
src/remote/remote_daemon_dispatch.c | 2 +-
src/rpc/virnetsaslcontext.c | 11 ++++++++++-
src/rpc/virnetsaslcontext.h | 5 ++++-
5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms
index 723c59787b..405ba1813e 100644
--- a/src/libvirt_sasl.syms
+++ b/src/libvirt_sasl.syms
@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
# rpc/virnetsaslcontext.h
virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
virNetSASLContextNewClient;
virNetSASLContextNewServer;
virNetSASLSessionClientStart;
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index 7076fe3294..b534cb3e37 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
#if WITH_SASL
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
!(saslCtxt = virNetSASLContextNewServer(
- (const char *const*)config->sasl_allowed_username_list)))
+ (const char *const*)config->sasl_allowed_username_list,
+ 56)))
return -1;
#endif
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index bcfeadc2ae..96983e7937 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED,
else
/* Plain TCP, better get an SSF layer */
virNetSASLSessionSecProps(sasl,
- 56, /* Good enough to require kerberos */
+ virNetSASLContextGetTCPMinSSF(saslCtxt),
100000, /* Arbitrary big number */
false); /* No anonymous */
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 189e70d01a..ede434ed4a 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -37,6 +37,7 @@ struct _virNetSASLContext {
virObjectLockable parent;
const char *const *usernameACL;
+ unsigned int tcpMinSSF;
};
struct _virNetSASLSession {
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
return ctxt;
}
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int tcpMinSSF)
{
virNetSASLContext *ctxt;
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const
*usernameACL)
return NULL;
ctxt->usernameACL = usernameACL;
+ ctxt->tcpMinSSF = tcpMinSSF;
return ctxt;
}
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
}
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+ return ctxt->tcpMinSSF;
+}
+
+
virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED,
const char *service,
const char *hostname,
diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h
index 33a75e71a0..7202822e5b 100644
--- a/src/rpc/virnetsaslcontext.h
+++ b/src/rpc/virnetsaslcontext.h
@@ -36,11 +36,14 @@ enum {
};
virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int min_ssf);
int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
const char *identity);
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt,
const char *service,
const char *hostname,
--
2.31.1
8:09 a.m.
New subject: [libvirt PATCH 3/3] daemon: add tcp_min_ssf option
Add an option to allow the admin to requet a higher minimum SSF
for connections than the built-in default.
The current default is 56 (single DES equivalent, to support
old kerberos) and will be raised to 112 in the future.
https://bugzilla.redhat.com/show_bug.cgi?id=1431589
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/remote/libvirtd.aug.in | 1 +
src/remote/libvirtd.conf.in | 8 ++++++++
src/remote/remote_daemon.c | 6 +++++-
src/remote/remote_daemon_config.c | 15 +++++++++++++++
src/remote/remote_daemon_config.h | 1 +
src/remote/test_libvirtd.aug.in | 1 +
6 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in
index 61ea8067b9..d744548f41 100644
--- a/src/remote/libvirtd.aug.in
+++ b/src/remote/libvirtd.aug.in
@@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ =
@CUT_ENABLE_IP@
| str_entry "auth_tcp"
| str_entry "auth_tls"
+ | int_entry "tcp_min_ssf"
let certificate_entry = str_entry "key_file"
| str_entry "cert_file"
diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index ad049f636b..8e709856aa 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -197,6 +197,14 @@
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
+
+# Enforce a minimum SSF value for TCP sockets
+#
+# The default minimum is currently 56 (single-DES) which will
+# be raised to 112 in the future.
+#
+# This option can be used to set values higher than 112
+#tcp_min_ssf = 112
@END@
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index b534cb3e37..28f891f2b0 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -210,6 +210,7 @@ daemonSetupNetworking(virNetServer *srv,
int unix_sock_ro_mask = 0;
int unix_sock_rw_mask = 0;
int unix_sock_adm_mask = 0;
+ unsigned int tcp_min_ssf = 0;
g_autoptr(virSystemdActivation) act = NULL;
virSystemdActivationMap actmap[] = {
{ .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path
},
@@ -403,10 +404,13 @@ daemonSetupNetworking(virNetServer *srv,
return -1;
#if WITH_SASL
+# if WITH_IP
+ tcp_min_ssf = config->tcp_min_ssf;
+# endif
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
!(saslCtxt = virNetSASLContextNewServer(
(const char *const*)config->sasl_allowed_username_list,
- 56)))
+ tcp_min_ssf)))
return -1;
#endif
diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_config.c
index a47ec14508..a9961013f2 100644
--- a/src/remote/remote_daemon_config.c
+++ b/src/remote/remote_daemon_config.c
@@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
data->auth_tls = REMOTE_AUTH_NONE;
#endif /* ! WITH_IP */
+#if WITH_IP
+ data->tcp_min_ssf = 56; /* good enough for kerberos */
+#endif
+
data->min_workers = 5;
data->max_workers = 20;
data->max_clients = 5000;
@@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data,
if (virConfGetValueString(conf, "tls_priority", &data->tls_priority)
< 0)
return -1;
+
+ if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf)
< 0)
+ return -1;
+
+ if (data->tcp_min_ssf < SSF_WARNING_LEVEL) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("minimum SSF levels lower than %d are not
supported"),
+ SSF_WARNING_LEVEL);
+ return -1;
+ }
+
#endif /* ! WITH_IP */
if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_config.h
index 9cad9da734..47839271d3 100644
--- a/src/remote/remote_daemon_config.h
+++ b/src/remote/remote_daemon_config.h
@@ -56,6 +56,7 @@ struct daemonConfig {
bool tls_no_sanity_certificate;
char **tls_allowed_dn_list;
char *tls_priority;
+ unsigned int tcp_min_ssf;
char *key_file;
char *cert_file;
diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
index 56c4487a01..c27680e130 100644
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -19,6 +19,7 @@ module Test_@DAEMON_NAME@ =
@CUT_ENABLE_IP@
{ "auth_tcp" = "sasl" }
{ "auth_tls" = "none" }
+ { "tcp_min_ssf" = "112" }
@END@
{ "access_drivers"
{ "1" = "polkit" }
--
2.31.1
10:29 a.m.
On 11/3/21 2:09 PM, Ján Tomko wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1431589
Ján Tomko (3):
remote: warn on low SSF
daemon: virNetSASLContext: store tcpMinSSF
daemon: add tcp_min_ssf option
src/libvirt_sasl.syms | 1 +
src/remote/libvirtd.aug.in | 1 +
src/remote/libvirtd.conf.in | 8 ++++++++
src/remote/remote_daemon.c | 7 ++++++-
src/remote/remote_daemon_config.c | 15 +++++++++++++++
src/remote/remote_daemon_config.h | 1 +
src/remote/remote_daemon_dispatch.c | 2 +-
src/remote/remote_driver.c | 5 +++++
src/remote/remote_driver.h | 2 ++
src/remote/test_libvirtd.aug.in | 1 +
src/rpc/virnetsaslcontext.c | 11 ++++++++++-
src/rpc/virnetsaslcontext.h | 5 ++++-
12 files changed, 55 insertions(+), 4 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
1104
days inactive
1105
days old
4 comments
2 participants
participants (2)
-
Ján Tomko -
Michal Prívozník