From nobody Sun Feb  8 20:35:03 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1635945064; cv=none;
	d=zohomail.com; s=zohoarc;
	b=eMS/njUk43rz9KP703Gcp6bIw3trYM2i2dx/emLXXle1h7cn5AhR2affRlS8oap4MCDG32piddaRlro7Xuwzd6ryG8fK3mGdpZC6vU+Y3pk4i4WVBdHyAycLwc5YZ8uP6sjdJVUdsOm+DMqos6840s6rxjhn6NNb+zZ4waua0Rw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1635945064;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=JMaUd3f5FJVHtO2JKAESmPZOJCpRRTaYkgSnhCP0L20=;
	b=bZs2EIjf3jdTvmXFICZ0gDnABdtSKWj/NcMO8U536P2jC1CpKXtsGs4gU1HunoLLjwQcZfRO/fq2l4wPtwFlj49zqbAPpyt+n7kgPvJNxLxLiBXgz4WPqf0ybeTXOX91ajKqSObPlLvmu+/59kdnZeHaKJ0XcAVO1RjTxQ7HfDA=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<jtomko@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
	with SMTPS id 163594506408723.337907359214796;
 Wed, 3 Nov 2021 06:11:04 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-599-ONzf4ek3PlmodHquAaZzrw-1; Wed, 03 Nov 2021 09:10:59 -0400
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
 [10.5.11.16])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1FB7C91275;
	Wed,  3 Nov 2021 13:10:54 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id F2A705C1C5;
	Wed,  3 Nov 2021 13:10:53 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id D12451800B9E;
	Wed,  3 Nov 2021 13:10:52 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
	[10.5.11.13])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 1A3D9OL0024975 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 3 Nov 2021 09:09:24 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 2F23B7086D; Wed,  3 Nov 2021 13:09:24 +0000 (UTC)
Received: from fedora.redhat.com (unknown [10.43.2.44])
	by smtp.corp.redhat.com (Postfix) with ESMTP id AC34170886
	for <libvir-list@redhat.com>; Wed,  3 Nov 2021 13:09:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1635945063;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=JMaUd3f5FJVHtO2JKAESmPZOJCpRRTaYkgSnhCP0L20=;
	b=Y3I/7ZPocMuizHB/dvNNEPo8JfoXSNaNH9sV2phTA6Jp5f8f3iaZairsMTqS1/yI/aKjWx
	ajNsZnMevoY/ADYkyB9MrllMep5lR+K4gpCk76DEXv6VJptQuWvyvVHzIM876D+PqW9Vor
	jBOLVXu5eS3FbtYjJHgB68YK9vPN9qc=
X-MC-Unique: ONzf4ek3PlmodHquAaZzrw-1
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH 2/3] daemon: virNetSASLContext: store tcpMinSSF
Date: Wed,  3 Nov 2021 14:09:15 +0100
Message-Id: 
 <a1733c9b8bbf87396435301d55c1a8dc36c55f06.1635944931.git.jtomko@redhat.com>
In-Reply-To: <cover.1635944931.git.jtomko@redhat.com>
References: <cover.1635944931.git.jtomko@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1635945064793100001

Store the minimum SSF value for TCP connections
in virNetSASLContext and introduce a getter for it.

Signed-off-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 src/libvirt_sasl.syms               |  1 +
 src/remote/remote_daemon.c          |  3 ++-
 src/remote/remote_daemon_dispatch.c |  2 +-
 src/rpc/virnetsaslcontext.c         | 11 ++++++++++-
 src/rpc/virnetsaslcontext.h         |  5 ++++-
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms
index 723c59787b..405ba1813e 100644
--- a/src/libvirt_sasl.syms
+++ b/src/libvirt_sasl.syms
@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
=20
 # rpc/virnetsaslcontext.h
 virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
 virNetSASLContextNewClient;
 virNetSASLContextNewServer;
 virNetSASLSessionClientStart;
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index 7076fe3294..b534cb3e37 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
 #if WITH_SASL
     if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
         !(saslCtxt =3D virNetSASLContextNewServer(
-              (const char *const*)config->sasl_allowed_username_list)))
+              (const char *const*)config->sasl_allowed_username_list,
+              56)))
         return -1;
 #endif
=20
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon=
_dispatch.c
index bcfeadc2ae..96983e7937 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNU=
C_UNUSED,
     else
         /* Plain TCP, better get an SSF layer */
         virNetSASLSessionSecProps(sasl,
-                                  56,  /* Good enough to require kerberos =
*/
+                                  virNetSASLContextGetTCPMinSSF(saslCtxt),
                                   100000,  /* Arbitrary big number */
                                   false); /* No anonymous */
=20
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 189e70d01a..ede434ed4a 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -37,6 +37,7 @@ struct _virNetSASLContext {
     virObjectLockable parent;
=20
     const char *const *usernameACL;
+    unsigned int tcpMinSSF;
 };
=20
 struct _virNetSASLSession {
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
     return ctxt;
 }
=20
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA=
CL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA=
CL,
+                                              unsigned int tcpMinSSF)
 {
     virNetSASLContext *ctxt;
=20
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const cha=
r *const *usernameACL)
         return NULL;
=20
     ctxt->usernameACL =3D usernameACL;
+    ctxt->tcpMinSSF =3D tcpMinSSF;
=20
     return ctxt;
 }
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *=
ctxt,
 }
=20
=20
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+    return ctxt->tcpMinSSF;
+}
+
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GN=
UC_UNUSED,
                                                 const char *service,
                                                 const char *hostname,
diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h
index 33a75e71a0..7202822e5b 100644
--- a/src/rpc/virnetsaslcontext.h
+++ b/src/rpc/virnetsaslcontext.h
@@ -36,11 +36,14 @@ enum {
 };
=20
 virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA=
CL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameA=
CL,
+                                              unsigned int min_ssf);
=20
 int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
                                    const char *identity);
=20
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt,
                                                 const char *service,
                                                 const char *hostname,
--=20
2.31.1