[libvirt PATCH 0/3] daemon: allow setting minimum SSF level
https://bugzilla.redhat.com/show_bug.cgi?id=1431589 Ján Tomko (3): remote: warn on low SSF daemon: virNetSASLContext: store tcpMinSSF daemon: add tcp_min_ssf option src/libvirt_sasl.syms | 1 + src/remote/libvirtd.aug.in | 1 + src/remote/libvirtd.conf.in | 8 ++++++++ src/remote/remote_daemon.c | 7 ++++++- src/remote/remote_daemon_config.c | 15 +++++++++++++++ src/remote/remote_daemon_config.h | 1 + src/remote/remote_daemon_dispatch.c | 2 +- src/remote/remote_driver.c | 5 +++++ src/remote/remote_driver.h | 2 ++ src/remote/test_libvirtd.aug.in | 1 + src/rpc/virnetsaslcontext.c | 11 ++++++++++- src/rpc/virnetsaslcontext.h | 5 ++++- 12 files changed, 55 insertions(+), 4 deletions(-) -- 2.31.1
Prepare for deprecating old kerberos ciphers by warning users with a SSF lower than 112. Signed-off-by: Ján Tomko <jtomko@redhat.com> --- src/remote/remote_driver.c | 5 +++++ src/remote/remote_driver.h | 2 ++ 2 files changed, 7 insertions(+) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 719fcf4297..c0bb44b2cd 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -4186,6 +4186,11 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv, _("negotiation SSF %d was not strong enough"), ssf); goto cleanup; } + if (ssf < SSF_WARNING_LEVEL) { + VIR_WARN("negotiation SSF %d lower than %d will be deprecated. " + "Please upgrade your ciphers.", + ssf, SSF_WARNING_LEVEL); + } priv->is_secure = 1; } diff --git a/src/remote/remote_driver.h b/src/remote/remote_driver.h index 1fab5a6cc4..5e9b04da63 100644 --- a/src/remote/remote_driver.h +++ b/src/remote/remote_driver.h @@ -39,3 +39,5 @@ unsigned long remoteVersion(void); #define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem" #define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem" #define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem" + +#define SSF_WARNING_LEVEL 112 -- 2.31.1
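Review bot: The new VIR_WARN in remoteAuthSASL tells the user to "upgrade your ciphers", but a client has no cipher knob here; the commit messages in this series tie the low SSF to old kerberos encryption types, so the message should point there and say what will actually happen. Suggest `VIR_WARN("negotiated SSF %d is below %d; such weak security layers will be rejected in a future release, use stronger kerberos encryption types", ssf, SSF_WARNING_LEVEL);`. Since the check sits on the success path after the hard minimum, the warning presumably fires on every connection that negotiates below the threshold, which is fine for a deprecation notice but worth stating in the commit message. remoteAuthSASL starts and ends outside the hunk.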
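Review bot: `SSF_WARNING_LEVEL` is added to remote_driver.h as a bare number next to the PKI path macros, with nothing saying what the unit is or why 112, even though the daemon-side config check later in this series compares against the same macro. Suggest a comment above the define: `/* SASL security strength factor (roughly effective key bits) below which the client warns; 56 (single DES) is the floor kept for old kerberos, 112 is the intended future minimum. */`.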
Store the minimum SSF value for TCP connections in virNetSASLContext and introduce a getter for it. Signed-off-by: Ján Tomko <jtomko@redhat.com> --- src/libvirt_sasl.syms | 1 + src/remote/remote_daemon.c | 3 ++- src/remote/remote_daemon_dispatch.c | 2 +- src/rpc/virnetsaslcontext.c | 11 ++++++++++- src/rpc/virnetsaslcontext.h | 5 ++++- 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms index 723c59787b..405ba1813e 100644 --- a/src/libvirt_sasl.syms +++ b/src/libvirt_sasl.syms @@ -7,6 +7,7 @@ virNetClientSetSASLSession; # rpc/virnetsaslcontext.h virNetSASLContextCheckIdentity; +virNetSASLContextGetTCPMinSSF; virNetSASLContextNewClient; virNetSASLContextNewServer; virNetSASLSessionClientStart; diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 7076fe3294..b534cb3e37 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv, #if WITH_SASL if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) && !(saslCtxt = virNetSASLContextNewServer( - (const char *const*)config->sasl_allowed_username_list))) + (const char *const*)config->sasl_allowed_username_list, + 56))) return -1; #endif diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index bcfeadc2ae..96983e7937 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED, else /* Plain TCP, better get an SSF layer */ virNetSASLSessionSecProps(sasl, - 56, /* Good enough to require kerberos */ + virNetSASLContextGetTCPMinSSF(saslCtxt), 100000, /* Arbitrary big number */ false); /* No anonymous */ diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c index 189e70d01a..ede434ed4a 100644 --- a/src/rpc/virnetsaslcontext.c +++ b/src/rpc/virnetsaslcontext.c 
@@ -37,6 +37,7 @@ struct _virNetSASLContext { virObjectLockable parent; const char *const *usernameACL; + unsigned int tcpMinSSF; }; struct _virNetSASLSession { @@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void) return ctxt; } -virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL) +virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL, + unsigned int tcpMinSSF) { virNetSASLContext *ctxt; @@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL) return NULL; ctxt->usernameACL = usernameACL; + ctxt->tcpMinSSF = tcpMinSSF; return ctxt; } @@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt, } +unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt) +{ + return ctxt->tcpMinSSF; +} + + virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED, const char *service, const char *hostname, diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h index 33a75e71a0..7202822e5b 100644 --- a/src/rpc/virnetsaslcontext.h +++ b/src/rpc/virnetsaslcontext.h @@ -36,11 +36,14 @@ enum { }; virNetSASLContext *virNetSASLContextNewClient(void); -virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL); +virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL, + unsigned int min_ssf); int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt, const char *identity); +unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt); + virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt, const char *service, const char *hostname, -- 2.31.1
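Review bot: `virNetSASLContextGetTCPMinSSF` reads `ctxt->tcpMinSSF` without the object lock that `virObjectLockable parent` provides, and nothing says whether that is intended. From the hunks the field is only written in virNetSASLContextNewServer, so the unlocked read looks correct, but a one-line comment should record that: `/* tcpMinSSF is set once at construction and never modified, so no lock is needed */`. The getter is also exported in libvirt_sasl.syms yet has no header comment; it should state that the value is the minimum SSF requested for plain-TCP sessions and that a context from virNetSASLContextNewClient leaves it at its zero-initialised value (presumably, since that constructor does not set it — confirm).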
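Review bot: The prototype in virnetsaslcontext.h names the new parameter `min_ssf` while the definition in virnetsaslcontext.c calls it `tcpMinSSF`; the two should agree, and the camelCase form matches the struct field and the getter, so `unsigned int tcpMinSSF);` in the header. A `unsigned int` here also means a negative value in the config will wrap rather than be rejected, which the daemon-side parsing should keep in mind.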
Add an option to allow the admin to requet a higher minimum SSF for connections than the built-in default. The current default is 56 (single DES equivalent, to support old kerberos) and will be raised to 112 in the future. https://bugzilla.redhat.com/show_bug.cgi?id=1431589 Signed-off-by: Ján Tomko <jtomko@redhat.com> --- src/remote/libvirtd.aug.in | 1 + src/remote/libvirtd.conf.in | 8 ++++++++ src/remote/remote_daemon.c | 6 +++++- src/remote/remote_daemon_config.c | 15 +++++++++++++++ src/remote/remote_daemon_config.h | 1 + src/remote/test_libvirtd.aug.in | 1 + 6 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in index 61ea8067b9..d744548f41 100644 --- a/src/remote/libvirtd.aug.in +++ b/src/remote/libvirtd.aug.in @@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ = @CUT_ENABLE_IP@ | str_entry "auth_tcp" | str_entry "auth_tls" + | int_entry "tcp_min_ssf" let certificate_entry = str_entry "key_file" | str_entry "cert_file" diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in index ad049f636b..8e709856aa 100644 --- a/src/remote/libvirtd.conf.in +++ b/src/remote/libvirtd.conf.in @@ -197,6 +197,14 @@ # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option #auth_tls = "none" + +# Enforce a minimum SSF value for TCP sockets +# +# The default minimum is currently 56 (single-DES) which will +# be raised to 112 in the future. +# +# This option can be used to set values higher than 112 +#tcp_min_ssf = 112 @END@ diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index b534cb3e37..28f891f2b0 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c 
@@ -210,6 +210,7 @@ daemonSetupNetworking(virNetServer *srv, int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; int unix_sock_adm_mask = 0; + unsigned int tcp_min_ssf = 0; g_autoptr(virSystemdActivation) act = NULL; virSystemdActivationMap actmap[] = { { .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path }, @@ -403,10 +404,13 @@ daemonSetupNetworking(virNetServer *srv, return -1; #if WITH_SASL +# if WITH_IP + tcp_min_ssf = config->tcp_min_ssf; +# endif if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) && !(saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list, - 56))) + tcp_min_ssf))) return -1; #endif diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_config.c index a47ec14508..a9961013f2 100644 --- a/src/remote/remote_daemon_config.c +++ b/src/remote/remote_daemon_config.c @@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED) data->auth_tls = REMOTE_AUTH_NONE; #endif /* ! WITH_IP */ +#if WITH_IP + data->tcp_min_ssf = 56; /* good enough for kerberos */ +#endif + data->min_workers = 5; data->max_workers = 20; data->max_clients = 5000; @@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data, if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0) return -1; + + if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0) + return -1; + + if (data->tcp_min_ssf < SSF_WARNING_LEVEL) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("minimum SSF levels lower than %d are not supported"), + SSF_WARNING_LEVEL); + return -1; + } + #endif /* ! WITH_IP */ if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false, diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_config.h index 9cad9da734..47839271d3 100644 --- a/src/remote/remote_daemon_config.h +++ b/src/remote/remote_daemon_config.h 
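Review bot: In daemonSetupNetworking `tcp_min_ssf` stays 0 when WITH_IP is not defined and that 0 is passed to virNetSASLContextNewServer as the TCP minimum, which reads as "no security layer required". Presumably no TCP listener exists in such a build so the value is never consulted, but the initializer should say so: `unsigned int tcp_min_ssf = 0; /* only meaningful with WITH_IP; there are no TCP sockets otherwise */`. daemonSetupNetworking starts and ends outside the hunks.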
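Review bot: The range check added to daemonConfigLoadOptions runs whether or not `tcp_min_ssf` appeared in the config file, and daemonConfigNew in the same patch initialises the field to 56, so a daemon with no `tcp_min_ssf` line is rejected with "minimum SSF levels lower than 112 are not supported" — unless virConfGetValueUInt fails on a missing key, which the surrounding unconditional calls suggest it does not. If the helper follows the usual virConfGetValue* convention of returning 1 when the key was present and 0 when absent, the check should apply only to an explicitly configured value, as below; otherwise the built-in default has to be raised to SSF_WARNING_LEVEL, which contradicts the commit message's stated intent of keeping 56 for now. daemonConfigLoadOptions starts and ends outside the hunk.
```c
    int rc = virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf);
    if (rc < 0)
        return -1;
    /* The built-in default of 56 is deliberately below the warning level;
     * only a value the admin set explicitly is validated. */
    if (rc > 0 && data->tcp_min_ssf < SSF_WARNING_LEVEL) {
        /* … unchanged: virReportError(VIR_ERR_CONFIG_UNSUPPORTED, …) and return -1 … */
    }
```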
@@ -56,6 +56,7 @@ struct daemonConfig { bool tls_no_sanity_certificate; char **tls_allowed_dn_list; char *tls_priority; + unsigned int tcp_min_ssf; char *key_file; char *cert_file; diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in index 56c4487a01..c27680e130 100644 --- a/src/remote/test_libvirtd.aug.in +++ b/src/remote/test_libvirtd.aug.in @@ -19,6 +19,7 @@ module Test_@DAEMON_NAME@ = @CUT_ENABLE_IP@ { "auth_tcp" = "sasl" } { "auth_tls" = "none" } + { "tcp_min_ssf" = "112" } @END@ { "access_drivers" { "1" = "polkit" } -- 2.31.1
On 11/3/21 2:09 PM, Ján Tomko wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1431589
Ján Tomko (3): remote: warn on low SSF daemon: virNetSASLContext: store tcpMinSSF daemon: add tcp_min_ssf option
src/libvirt_sasl.syms | 1 + src/remote/libvirtd.aug.in | 1 + src/remote/libvirtd.conf.in | 8 ++++++++ src/remote/remote_daemon.c | 7 ++++++- src/remote/remote_daemon_config.c | 15 +++++++++++++++ src/remote/remote_daemon_config.h | 1 + src/remote/remote_daemon_dispatch.c | 2 +- src/remote/remote_driver.c | 5 +++++ src/remote/remote_driver.h | 2 ++ src/remote/test_libvirtd.aug.in | 1 + src/rpc/virnetsaslcontext.c | 11 ++++++++++- src/rpc/virnetsaslcontext.h | 5 ++++- 12 files changed, 55 insertions(+), 4 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal