[Spice-devel] [PATCH 5/9] Add support for SpiceLinkReply::ticket_encryption

Christophe Fergeau cfergeau at redhat.com
Wed Mar 12 11:27:39 PDT 2014


Currently, SPICE tickets sent to the server are encrypted using a 1024 bit
public RSA key provided by the server. This key type/size is unfortunately
set in stone in the SPICE protocol as part of the SpiceLinkReply message,
and the key is sent by the server early in the link process (before the
server and the client agree on a SpiceLinkAuthMechanism).

This can be an issue if the server can't create a 1024 bit RSA key (for
example, if it was disabled because it's deemed not secure enough by the
server administrator). This happens for example in FIPS mode
( http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf ).

Luckily, the server gets the client caps before sending it this RSA key,
and it sends its caps in the message containing this RSA key. By advertising a
new capability on the client and the server, it's thus possible to indicate
that other ways of encrypting the SPICE ticket are supported by both client
and server, and use that when available. When the capability is present, an
additional 'ticket_encryption' field is added to the SpiceLinkReply
structure to indicate that the SPICE ticket is not encrypted using
the legacy RSA 1024 bit key.

As the situation described above would happen in hardened setups, I've
added support for an unencrypted SPICE ticket which is only used for TLS
channels. For non-TLS channels, the old method is still used in order to
not send the ticket in plain text on unencrypted connections.

This commit is a first step towards that. It sends an additional field as
part of SpiceLinkReply. The size of the SpiceLinkReply message is sent to
the client, and the client accesses the caps by using the caps_offset
field, so we can safely send this additional field to older clients as they
will not look at it.
---
 server/reds.c | 1 +
 spice-common  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/reds.c b/server/reds.c
index f45092b..fbeb1a5 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1404,6 +1404,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
     ack.num_channel_caps = channel_caps->num_caps;
     header.size += (ack.num_common_caps + ack.num_channel_caps) * sizeof(uint32_t);
     ack.caps_offset = sizeof(SpiceLinkReply);
+    ack.ticket_encryption = SPICE_TICKET_ENCRYPTION_RSA;
     if (!reds_generate_ticket_pubkey(link, &ack))
         goto end;
 
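Review bot: The assignment `ack.ticket_encryption = SPICE_TICKET_ENCRYPTION_RSA;` is unconditional and is not tied to any client capability check, so the reason it is safe only lives in the commit message. Please add a short comment at that line saying that older clients locate the caps through `caps_offset` and never read the new field, and that the value is fixed to RSA for now. Note also that `reds_generate_ticket_pubkey()` is still called right after and still takes the `goto end` path on failure, so a server that cannot create the RSA key still fails the link at this point; it would help to say in the message which later patch in the series changes that.
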
diff --git a/spice-common b/spice-common
index 57ce430..a26bc7b 160000
--- a/spice-common
+++ b/spice-common
@@ -1 +1 @@
-Subproject commit 57ce430ccd66bd1ca2447c14503234cfb88e2365
+Subproject commit a26bc7befc3d4f15f4bd8ea05f01e63ee0308350
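
Review bot: The spice-common pointer moves from 57ce430 to a26bc7b in the same commit, but the message does not say what the new submodule commit brings in. Since server/reds.c now uses `ack.ticket_encryption` and `SPICE_TICKET_ENCRYPTION_RSA`, please state in the commit message that the bump is what supplies that field and constant, so a reader bisecting or backporting knows the two changes have to go together.
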
-- 
1.8.5.3
