[Spice-devel] [PATCH 8/9] Ask for unencrypted tickets if client supports it
Christophe Fergeau
cfergeau at redhat.com
Wed Mar 12 11:27:42 PDT 2014
When the client advertises support for unencrypted tickets, the server
can instruct it that it should send one. For now, this is restricted to
encrypted channels as we don't want to expose an unencrypted password over
a non-TLS channel.
Clients with unencrypted password support won't send these just yet as the
server does not expose the required capability.
---
server/reds.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/server/reds.c b/server/reds.c
index ba2a606..88272d9 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1382,6 +1382,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
RedChannel *channel;
RedChannelCapabilities *channel_caps;
int ret = FALSE;
+ bool client_unencrypted_ticket;
header.magic = SPICE_MAGIC;
header.size = sizeof(ack);
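Review bot: the new `bool client_unencrypted_ticket;` declaration sits next to `int ret = FALSE;`, so the function now mixes C99 `bool` with the `int`/`FALSE` convention used by the surrounding declarations. Either follow the existing convention for this flag or drop the local and test the capability directly in the condition that uses it, since the value is only read once.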
@@ -1405,9 +1406,17 @@ static int reds_send_link_ack(RedLinkInfo *link)
header.size += (ack.num_common_caps + ack.num_channel_caps) * sizeof(uint32_t);
ack.caps_offset = sizeof(SpiceLinkReply);
- link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
- if (!reds_generate_ticket_pubkey(link, &ack))
- goto end;
+ client_unencrypted_ticket = test_link_capability(link,
+ SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET);
+ if (reds_stream_is_ssl(link->stream) && client_unencrypted_ticket) {
+ link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_NONE;
+ link->tiTicketing.size = sizeof(link->tiTicketing.ticket.encrypted_data);
+ memset(ack.pub_key, 0, sizeof(ack.pub_key));
+ } else {
+ link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
+ if (!reds_generate_ticket_pubkey(link, &ack))
+ goto end;
+ }
ack.ticket_encryption = link->tiTicketing.encryption_type;
if (!reds_stream_write_all(link->stream, &header, sizeof(header)))
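Review bot: the `SPICE_TICKET_ENCRYPTION_NONE` branch carries no comment explaining why it is gated on `reds_stream_is_ssl(link->stream)`; the rationale (no plain-text password over a non-TLS channel) exists only in the commit message, so a short comment above the `if` would keep a later refactor from dropping the TLS half of the condition. In the same branch, `link->tiTicketing.size = sizeof(link->tiTicketing.ticket.encrypted_data);` reuses the size of the RSA ciphertext buffer as the length of the plain-text ticket. Please document what `size` means when nothing is encrypted, or introduce a named constant for it, so the code that later reads the ticket has a clear bound to validate against.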
--
1.8.5.3