<div dir="ltr">ack<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 21, 2014 at 3:54 PM, Christophe Fergeau <span dir="ltr"><<a href="mailto:cfergeau@redhat.com" target="_blank">cfergeau@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If the client advertises the SASL cap, it means it guarantees it will be<br>
able to use SASL if the server supports it, and that it does not need a valid<br>
SpiceLinkReply::pub_key field when using SASL.<br>
<br>
When the client cap is set, we thus don't need to create a RSA public key<br>
if SASL is enabled server side.<br>
<br>
The reason for needing client guarantees about not looking at the pub_key<br>
field is that its presence and size is hardcoded in the protocol, but in<br>
some hardened setups (using fips mode), generating a RSA 1024 bit key as<br>
expected is forbidden and fails. With this new capability, the server<br>
knows the client will be able to handle SASL if needed, and can skip<br>
the generation of the key altogether. This means that on the setups<br>
described above, SASL authentication has to be used.<br>
---<br>
Hey,<br>
<br>
This is a resend of <a href="http://lists.freedesktop.org/archives/spice-devel/2014-March/016419.html" target="_blank">http://lists.freedesktop.org/archives/spice-devel/2014-March/016419.html</a><br>
No changes, rebased on top of git master. The previous 2 patches in the series got ACK'ed.<br>
<br>
Christophe<br>
<br>
<br>
server/reds.c | 61 +++++++++++++++++++++++++++++++++++++----------------------<br>
1 file changed, 38 insertions(+), 23 deletions(-)<br>
<br>
diff --git a/server/reds.c b/server/reds.c<br>
index 5a95ba0..7ecea13 100644<br>
--- a/server/reds.c<br>
+++ b/server/reds.c<br>
@@ -1352,7 +1352,7 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
RedChannel *channel;<br>
RedChannelCapabilities *channel_caps;<br>
BUF_MEM *bmBuf;<br>
- BIO *bio;<br>
+ BIO *bio = NULL;<br>
int ret = FALSE;<br>
<br>
header.magic = SPICE_MAGIC;<br>
@@ -1377,31 +1377,45 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
ack.num_channel_caps = channel_caps->num_caps;<br>
header.size += (ack.num_common_caps + ack.num_channel_caps) * sizeof(uint32_t);<br>
ack.caps_offset = sizeof(SpiceLinkReply);<br>
+ if (!sasl_enabled<br>
+ || !red_link_info_test_capability(link, SPICE_COMMON_CAP_AUTH_SASL)) {<br>
+ if (!(link->tiTicketing.rsa = RSA_new())) {<br>
+ spice_warning("RSA new failed");<br>
+ return FALSE;<br>
+ }<br>
<br>
- if (!(link->tiTicketing.rsa = RSA_new())) {<br>
- spice_warning("RSA new failed");<br>
- return FALSE;<br>
- }<br>
+ if (!(bio = BIO_new(BIO_s_mem()))) {<br>
+ spice_warning("BIO new failed");<br>
+ return FALSE;<br>
+ }<br>
<br>
- if (!(bio = BIO_new(BIO_s_mem()))) {<br>
- spice_warning("BIO new failed");<br>
- return FALSE;<br>
- }<br>
+ if (RSA_generate_key_ex(link->tiTicketing.rsa,<br>
+ SPICE_TICKET_KEY_PAIR_LENGTH,<br>
+ link->tiTicketing.bn,<br>
+ NULL) != 1) {<br>
+ spice_warning("Failed to generate %d bits RSA key: %s",<br>
+ SPICE_TICKET_KEY_PAIR_LENGTH,<br>
+ ERR_error_string(ERR_get_error(), NULL));<br>
+ goto end;<br>
+ }<br>
+ link->tiTicketing.rsa_size = RSA_size(link->tiTicketing.rsa);<br>
<br>
- if (RSA_generate_key_ex(link->tiTicketing.rsa,<br>
- SPICE_TICKET_KEY_PAIR_LENGTH,<br>
- link->tiTicketing.bn,<br>
- NULL) != 1) {<br>
- spice_warning("Failed to generate %d bits RSA key: %s",<br>
- SPICE_TICKET_KEY_PAIR_LENGTH,<br>
- ERR_error_string(ERR_get_error(), NULL));<br>
- goto end;<br>
+ i2d_RSA_PUBKEY_bio(bio, link->tiTicketing.rsa);<br>
+ BIO_get_mem_ptr(bio, &bmBuf);<br>
+ memcpy(ack.pub_key, bmBuf->data, sizeof(ack.pub_key));<br>
+ } else {<br>
+ /* if the client sets the AUTH_SASL cap, it indicates that it<br>
+ * supports SASL, and will use it if the server supports SASL as<br>
+ * well. Moreover, a client setting the AUTH_SASL cap also<br>
+ * indicates that it will not try using the RSA-related content<br>
+ * in the SpiceLinkReply message, so we don't need to initialize<br>
+ * it. Reason to avoid this is to fix auth in fips mode where<br>
+ * the generation of a 1024 bit RSA key as we are trying to do<br>
+ * will fail.<br>
+ */<br>
+ spice_warning("not initialising RSA key");<br>
+ memset(ack.pub_key, '\0', sizeof(ack.pub_key));<br>
}<br>
- link->tiTicketing.rsa_size = RSA_size(link->tiTicketing.rsa);<br>
-<br>
- i2d_RSA_PUBKEY_bio(bio, link->tiTicketing.rsa);<br>
- BIO_get_mem_ptr(bio, &bmBuf);<br>
- memcpy(ack.pub_key, bmBuf->data, sizeof(ack.pub_key));<br>
<br>
if (!reds_stream_write_all(link->stream, &header, sizeof(header)))<br>
goto end;<br>
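Review bot: In the new else branch `link->tiTicketing.rsa` is never created and `rsa_size` is never set, so skipping the key rests entirely on a capability bit sent by a not-yet-authenticated client. The code that handles the client's auth-mechanism choice is outside this hunk; it should be confirmed that it refuses ticket (RSA) authentication whenever the key was skipped, since otherwise the ticket path could presumably be reached with a NULL key. A comment in the else branch such as `/* tiTicketing.rsa stays NULL here: ticket auth must be rejected for this link */` would record that invariant. Separately, the moved `memcpy(ack.pub_key, bmBuf->data, sizeof(ack.pub_key))` still ignores the result of `i2d_RSA_PUBKEY_bio` and never compares `bmBuf->length` with the field size; adding `if (bmBuf->length < sizeof(ack.pub_key)) goto end;` before the copy would bound the read. The `spice_warning("not initialising RSA key")` call also fires on every normal SASL link, so a debug-level message may fit better.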
@@ -1415,7 +1429,8 @@ static int reds_send_link_ack(RedLinkInfo *link)<br>
ret = TRUE;<br>
<br>
end:<br>
- BIO_free(bio);<br>
+ if (bio != NULL)<br>
+ BIO_free(bio);<br>
return ret;<br>
}<br>
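Review bot: The `if (bio != NULL)` guard added at the `end:` label is redundant, because OpenSSL's `BIO_free()` already does nothing when passed NULL. Since the first hunk now initialises `bio` to NULL, a plain `BIO_free(bio);` is enough. With that in place, the two early `return FALSE;` statements in the key-generation branch could become `goto end;`, giving the function a single exit path.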
<span class="HOEnZb"><font color="#888888"><br>
--<br>
2.1.0<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Marc-André Lureau</div>
</div>