From nobody Sun Feb  8 15:01:41 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1635944983; cv=none;
	d=zohomail.com; s=zohoarc;
	b=NsVxM5lG5uMSuTatvO7pibtmWG8HA4Z9SG8JpbyNm2QtvDh7jha8NhQOFBxaM+i1R+LOpo0nAU2pS1yV32y6p6a/EURVRX9K1/+kvWNArzFP/p9s7Bfk38QJNWC/6QuR7Nde4s3oBNyhXRmaAina9zwD03ZBG/piqnV61TqY+yw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1635944983;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=lNf6TNwVQp7Qi6SKdQN+7uMXk1hKEGGx329SXwLcanU=;
	b=MPbUQLzqiKoOYH6skhlWIz6bUgkUIzX98pi7RshRHXkfsbGw8eKBmy5vOlpVwy4YTB3AQI17QyzyTcSjZBEQlgzsEkrQX4Z1MksdX+O6ZRPXWc0MmVGMdEQ4NrAG0F45oLQKn+Lx5WsOIHa2HwiVPHUn3vxlxCtezpl8lSYL164=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<jtomko@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
	with SMTPS id 1635944983188371.02435612970453;
 Wed, 3 Nov 2021 06:09:43 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-581-IHhY5eqjOl6JJ4Aw4EOUrw-1; Wed, 03 Nov 2021 09:09:38 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 81FC510B395E;
	Wed,  3 Nov 2021 13:09:32 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 9628661291;
	Wed,  3 Nov 2021 13:09:31 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5829D1803B30;
	Wed,  3 Nov 2021 13:09:31 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
	[10.5.11.13])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 1A3D9PiT024989 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 3 Nov 2021 09:09:25 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id F04BA7086D; Wed,  3 Nov 2021 13:09:24 +0000 (UTC)
Received: from fedora.redhat.com (unknown [10.43.2.44])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 7A95870886
	for <libvir-list@redhat.com>; Wed,  3 Nov 2021 13:09:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1635944982;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=lNf6TNwVQp7Qi6SKdQN+7uMXk1hKEGGx329SXwLcanU=;
	b=cKxUQxjRsdkuhvIj02IZGwJNUodtIvepcOkvI0X7QHBgCjtIWEpabjf9RH+WQ4pYDIlrkq
	SBo2cB7LOdAmtYNNEo2k/APWOK2vQ2RGLgtSdmkVbLPG1cj/Gr0V6uwjrCRVwyCirbHFOG
	wkUS9eeZoJULG6H6O+zCfec/S6dZ9As=
X-MC-Unique: IHhY5eqjOl6JJ4Aw4EOUrw-1
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH 3/3] daemon: add tcp_min_ssf option
Date: Wed,  3 Nov 2021 14:09:16 +0100
Message-Id: 
 <5e1b1eacec9a93b6bc445c2d39281cc521708445.1635944931.git.jtomko@redhat.com>
In-Reply-To: <cover.1635944931.git.jtomko@redhat.com>
References: <cover.1635944931.git.jtomko@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1635944983532100001

Add an option to allow the admin to requet a higher minimum SSF
for connections than the built-in default.

The current default is 56 (single DES equivalent, to support
old kerberos) and will be raised to 112 in the future.

https://bugzilla.redhat.com/show_bug.cgi?id=3D1431589

Signed-off-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 src/remote/libvirtd.aug.in        |  1 +
 src/remote/libvirtd.conf.in       |  8 ++++++++
 src/remote/remote_daemon.c        |  6 +++++-
 src/remote/remote_daemon_config.c | 15 +++++++++++++++
 src/remote/remote_daemon_config.h |  1 +
 src/remote/test_libvirtd.aug.in   |  1 +
 6 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in
index 61ea8067b9..d744548f41 100644
--- a/src/remote/libvirtd.aug.in
+++ b/src/remote/libvirtd.aug.in
@@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ =3D
 @CUT_ENABLE_IP@
                             | str_entry "auth_tcp"
                             | str_entry "auth_tls"
+                            | int_entry "tcp_min_ssf"
=20
    let certificate_entry =3D str_entry "key_file"
                          | str_entry "cert_file"
diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index ad049f636b..8e709856aa 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -197,6 +197,14 @@
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls =3D "none"
+
+# Enforce a minimum SSF value for TCP sockets
+#
+# The default minimum is currently 56 (single-DES) which will
+# be raised to 112 in the future.
+#
+# This option can be used to set values higher than 112
+#tcp_min_ssf =3D 112
 @END@
=20
=20
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index b534cb3e37..28f891f2b0 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -210,6 +210,7 @@ daemonSetupNetworking(virNetServer *srv,
     int unix_sock_ro_mask =3D 0;
     int unix_sock_rw_mask =3D 0;
     int unix_sock_adm_mask =3D 0;
+    unsigned int tcp_min_ssf =3D 0;
     g_autoptr(virSystemdActivation) act =3D NULL;
     virSystemdActivationMap actmap[] =3D {
         { .name =3D DAEMON_NAME ".socket", .family =3D AF_UNIX, .path =3D =
sock_path },
@@ -403,10 +404,13 @@ daemonSetupNetworking(virNetServer *srv,
         return -1;
=20
 #if WITH_SASL
+# if WITH_IP
+    tcp_min_ssf =3D config->tcp_min_ssf;
+# endif
     if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
         !(saslCtxt =3D virNetSASLContextNewServer(
               (const char *const*)config->sasl_allowed_username_list,
-              56)))
+              tcp_min_ssf)))
         return -1;
 #endif
=20
diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_c=
onfig.c
index a47ec14508..a9961013f2 100644
--- a/src/remote/remote_daemon_config.c
+++ b/src/remote/remote_daemon_config.c
@@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
     data->auth_tls =3D REMOTE_AUTH_NONE;
 #endif /* ! WITH_IP */
=20
+#if WITH_IP
+    data->tcp_min_ssf =3D 56; /* good enough for kerberos */
+#endif
+
     data->min_workers =3D 5;
     data->max_workers =3D 20;
     data->max_clients =3D 5000;
@@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data,
=20
     if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) <=
 0)
         return -1;
+
+    if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0)
+        return -1;
+
+    if (data->tcp_min_ssf < SSF_WARNING_LEVEL) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("minimum SSF levels lower than %d are not support=
ed"),
+                       SSF_WARNING_LEVEL);
+        return -1;
+    }
+
 #endif /* ! WITH_IP */
=20
     if (virConfGetValueStringList(conf, "sasl_allowed_username_list", fals=
e,
diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_c=
onfig.h
index 9cad9da734..47839271d3 100644
--- a/src/remote/remote_daemon_config.h
+++ b/src/remote/remote_daemon_config.h
@@ -56,6 +56,7 @@ struct daemonConfig {
     bool tls_no_sanity_certificate;
     char **tls_allowed_dn_list;
     char *tls_priority;
+    unsigned int tcp_min_ssf;
=20
     char *key_file;
     char *cert_file;
diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug=
.in
index 56c4487a01..c27680e130 100644
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -19,6 +19,7 @@ module Test_@DAEMON_NAME@ =3D
 @CUT_ENABLE_IP@
         { "auth_tcp" =3D "sasl" }
         { "auth_tls" =3D "none" }
+        { "tcp_min_ssf" =3D "112" }
 @END@
         { "access_drivers"
              { "1" =3D "polkit" }
--=20
2.31.1