<div dir="ltr">ack<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 21, 2014 at 3:54 PM, Christophe Fergeau <span dir="ltr"><<a href="mailto:cfergeau@redhat.com" target="_blank">cfergeau@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If the client advertises the SASL cap, it means it guarantees it will be<br>
able to use SASL if the server supports it, and that it does not need a valid<br>
SpiceLinkReply::pub_key field when using SASL.<br>
<br>
When the client cap is set, we thus don't need to create a RSA public key<br>
if SASL is enabled server side.<br>
<br>
The reason for needing client guarantees about not looking at the pub_key<br>
field is that its presence and size is hardcoded in the protocol, but in<br>
some hardened setups (using fips mode), generating a RSA 1024 bit key as<br>
expected is forbidden and fails. With this new capability, the server<br>
knows the client will be able to handle SASL if needed, and can skip<br>
the generation of the key altogether. This means that on the setups<br>
described above, SASL authentication has to be used.<br>
---<br>
Hey,<br>
<br>
This is a resend of <a href="http://lists.freedesktop.org/archives/spice-devel/2014-March/016419.html" target="_blank">http://lists.freedesktop.org/archives/spice-devel/2014-March/016419.html</a><br>
No changes, rebased on top of git master. The previous 2 patches in the series got ACK'ed.<br>
<br>
Christophe<br>
<br>
<br>
 server/reds.c | 61 +++++++++++++++++++++++++++++++++++++----------------------<br>
 1 file changed, 38 insertions(+), 23 deletions(-)<br>
<br>
diff --git a/server/reds.c b/server/reds.c<br>
index 5a95ba0..7ecea13 100644<br>
--- a/server/reds.c<br>
+++ b/server/reds.c<br>
@@ -1352,7 +1352,7 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
     RedChannel *channel;<br>
     RedChannelCapabilities *channel_caps;<br>
     BUF_MEM *bmBuf;<br>
-    BIO *bio;<br>
+    BIO *bio = NULL;<br>
     int ret = FALSE;<br>
<br>
     header.magic = SPICE_MAGIC;<br>
@@ -1377,31 +1377,45 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
     ack.num_channel_caps = channel_caps->num_caps;<br>
     header.size += (ack.num_common_caps + ack.num_channel_caps) * sizeof(uint32_t);<br>
     ack.caps_offset = sizeof(SpiceLinkReply);<br>
+    if (!sasl_enabled<br>
+        || !red_link_info_test_capability(link, SPICE_COMMON_CAP_AUTH_SASL)) {<br>
+        if (!(link->tiTicketing.rsa = RSA_new())) {<br>
+            spice_warning("RSA new failed");<br>
+            return FALSE;<br>
+        }<br>
<br>
-    if (!(link->tiTicketing.rsa = RSA_new())) {<br>
-        spice_warning("RSA new failed");<br>
-        return FALSE;<br>
-    }<br>
+        if (!(bio = BIO_new(BIO_s_mem()))) {<br>
+            spice_warning("BIO new failed");<br>
+            return FALSE;<br>
+        }<br>
<br>
-    if (!(bio = BIO_new(BIO_s_mem()))) {<br>
-        spice_warning("BIO new failed");<br>
-        return FALSE;<br>
-    }<br>
+        if (RSA_generate_key_ex(link->tiTicketing.rsa,<br>
+                                SPICE_TICKET_KEY_PAIR_LENGTH,<br>
+                                link->tiTicketing.bn,<br>
+                                NULL) != 1) {<br>
+            spice_warning("Failed to generate %d bits RSA key: %s",<br>
+                          SPICE_TICKET_KEY_PAIR_LENGTH,<br>
+                          ERR_error_string(ERR_get_error(), NULL));<br>
+            goto end;<br>
+        }<br>
+        link->tiTicketing.rsa_size = RSA_size(link->tiTicketing.rsa);<br>
<br>
-    if (RSA_generate_key_ex(link->tiTicketing.rsa,<br>
-                            SPICE_TICKET_KEY_PAIR_LENGTH,<br>
-                            link->tiTicketing.bn,<br>
-                            NULL) != 1) {<br>
-        spice_warning("Failed to generate %d bits RSA key: %s",<br>
-                      SPICE_TICKET_KEY_PAIR_LENGTH,<br>
-                      ERR_error_string(ERR_get_error(), NULL));<br>
-        goto end;<br>
+        i2d_RSA_PUBKEY_bio(bio, link->tiTicketing.rsa);<br>
+        BIO_get_mem_ptr(bio, &bmBuf);<br>
+        memcpy(ack.pub_key, bmBuf->data, sizeof(ack.pub_key));<br>
+    } else {<br>
+        /* if the client sets the AUTH_SASL cap, it indicates that it<br>
+         * supports SASL, and will use it if the server supports SASL as<br>
+         * well. Moreover, a client setting the AUTH_SASL cap also<br>
+         * indicates that it will not try using the RSA-related content<br>
+         * in the SpiceLinkReply message, so we don't need to initialize<br>
+         * it. Reason to avoid this is to fix auth in fips mode where<br>
+         * the generation of a 1024 bit RSA key as we are trying to do<br>
+         * will fail.<br>
+         */<br>
+        spice_warning("not initialising RSA key");<br>
+        memset(ack.pub_key, '\0', sizeof(ack.pub_key));<br>
     }<br>
-    link->tiTicketing.rsa_size = RSA_size(link->tiTicketing.rsa);<br>
-<br>
-    i2d_RSA_PUBKEY_bio(bio, link->tiTicketing.rsa);<br>
-    BIO_get_mem_ptr(bio, &bmBuf);<br>
-    memcpy(ack.pub_key, bmBuf->data, sizeof(ack.pub_key));<br>
<br>
     if (!reds_stream_write_all(link->stream, &header, sizeof(header)))<br>
         goto end;<br>
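Review bot: In the `else` branch the server skips key generation solely because of a capability bit sent by the peer, so `link->tiTicketing.rsa` and `link->tiTicketing.rsa_size` are never set for that link. The code that later consumes them is outside this hunk, but if a client advertises `SPICE_COMMON_CAP_AUTH_SASL` and then still reaches the RSA ticket path, that path would presumably operate on an unset key. It should fail the link explicitly with a check such as `if (link->tiTicketing.rsa == NULL) { /* no ticket key for this link: reject */ }` rather than rely on the client keeping its promise. Separately, in the key-generation branch the return value of `i2d_RSA_PUBKEY_bio()` is ignored and `memcpy` copies `sizeof(ack.pub_key)` bytes without checking `bmBuf->length`. Checking that the encoded length is at least `sizeof(ack.pub_key)` and taking `goto end` otherwise would bound the read.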
@@ -1415,7 +1429,8 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
     ret = TRUE;<br>
<br>
 end:<br>
-    BIO_free(bio);<br>
+    if (bio != NULL)<br>
+        BIO_free(bio);<br>
     return ret;<br>
 }<br>
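Review bot: The `if (bio != NULL)` guard added at the `end:` label is not needed, because OpenSSL's `BIO_free()` does nothing when passed NULL. With `bio` now initialised to NULL, the original `BIO_free(bio);` is already safe on the path that skips key generation. If the guard is kept for readability, brace it. The two `return FALSE` exits in the key-generation branch of the previous hunk bypass this label. That is harmless for `bio`, but a failed `BIO_new()` leaves the just-allocated `link->tiTicketing.rsa` to whatever tears down the link (not visible here), so a `goto end` or a short ownership comment there would make the cleanup contract explicit.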
<span class="HOEnZb"><font color="#888888"><br>
--<br>
2.1.0<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Marc-André Lureau</div>
</div>