daemon: virNetSASLContext: store tcpMinSSF

Store the minimum SSF value for TCP connections
in virNetSASLContext and introduce a getter for it.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

src/libvirt_sasl.syms

@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
 
 # rpc/virnetsaslcontext.h
 virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
 virNetSASLContextNewClient;
 virNetSASLContextNewServer;
 virNetSASLSessionClientStart;

src/remote/remote_daemon.c

@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
 #if WITH_SASL
     if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
         !(saslCtxt = virNetSASLContextNewServer(
-              (const char *const*)config->sasl_allowed_username_list)))
+              (const char *const*)config->sasl_allowed_username_list,
+              56)))
         return -1;
 #endif
 

src/remote/remote_daemon_dispatch.c

@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED,
     else
         /* Plain TCP, better get an SSF layer */
         virNetSASLSessionSecProps(sasl,
-                                  56,  /* Good enough to require kerberos */
+                                  virNetSASLContextGetTCPMinSSF(saslCtxt),
                                   100000,  /* Arbitrary big number */
                                   false); /* No anonymous */
 

src/rpc/virnetsaslcontext.c

@@ -37,6 +37,7 @@ struct _virNetSASLContext {
     virObjectLockable parent;
 
     const char *const *usernameACL;
+    unsigned int tcpMinSSF;
 };
 
 struct _virNetSASLSession {
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
     return ctxt;
 }
 
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+                                              unsigned int tcpMinSSF)
 {
     virNetSASLContext *ctxt;
 
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
         return NULL;
 
     ctxt->usernameACL = usernameACL;
+    ctxt->tcpMinSSF = tcpMinSSF;
 
     return ctxt;
 }
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
 }
 
 
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+    return ctxt->tcpMinSSF;
+}
+
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED,
                                                 const char *service,
                                                 const char *hostname,

src/rpc/virnetsaslcontext.h

@@ -36,11 +36,14 @@ enum {
 };
 
 virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+                                              unsigned int min_ssf);
 
 int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
                                    const char *identity);
 
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt,
                                                 const char *service,
                                                 const char *hostname,