[Spice-devel] [PATCH 8/9] Ask for unencrypted tickets if client supports it
Marc-André Lureau
mlureau at redhat.com
Wed Mar 12 12:51:14 PDT 2014
----- Original Message -----
> When the client advertises support for unencrypted tickets, the server
> can instruct it that it should send one. For now, this is restricted to
> encrypted channels as we don't want to expose an unencrypted password over
> a non-TLS channel.
> Clients with unencrypted password support won't send these just yet as the
> server does not expose the required capability.
Right, but it will send an encrypted password with a nul key with this commit? I think both changes should be made together.
> ---
> server/reds.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/server/reds.c b/server/reds.c
> index ba2a606..88272d9 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -1382,6 +1382,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
> RedChannel *channel;
> RedChannelCapabilities *channel_caps;
> int ret = FALSE;
> + bool client_unencrypted_ticket;
The cap name is "plain_text_ticket", I would follow that naming.
I would also consider removing this variable, and just:
    if (reds_stream_is_ssl(link->stream) &&
        test_link_capability(link, SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET))
it isn't hard to read, imho.
>
> header.magic = SPICE_MAGIC;
> header.size = sizeof(ack);
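Review bot: the new local `bool client_unencrypted_ticket;` is declared right next to `int ret = FALSE;`, so the function now mixes `bool` with the `int`/`FALSE` convention its existing locals use. Declare it in the same style as `ret`, and give it an initial value at the declaration so it cannot be read unset if the later assignment is ever moved or made conditional.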
> @@ -1405,9 +1406,17 @@ static int reds_send_link_ack(RedLinkInfo *link)
> header.size += (ack.num_common_caps + ack.num_channel_caps) *
> sizeof(uint32_t);
> ack.caps_offset = sizeof(SpiceLinkReply);
>
> - link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
> - if (!reds_generate_ticket_pubkey(link, &ack))
> - goto end;
> + client_unencrypted_ticket = test_link_capability(link,
> +
> SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET);
> + if (reds_stream_is_ssl(link->stream) && client_unencrypted_ticket) {
> + link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_NONE;
> + link->tiTicketing.size =
> sizeof(link->tiTicketing.ticket.encrypted_data);
> + memset(ack.pub_key, 0, sizeof(ack.pub_key));
> + } else {
> + link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
> + if (!reds_generate_ticket_pubkey(link, &ack))
> + goto end;
> + }
>
> ack.ticket_encryption = link->tiTicketing.encryption_type;
> if (!reds_stream_write_all(link->stream, &header, sizeof(header)))
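Review bot: in the `SPICE_TICKET_ENCRYPTION_NONE` branch, `link->tiTicketing.size = sizeof(link->tiTicketing.ticket.encrypted_data)` makes the server expect a full buffer of plain-text data, but nothing in this hunk documents how the password is laid out or terminated inside that buffer. Add a comment stating the expected layout, and make sure the code that consumes the ticket (not visible here) bounds the string and branches on `encryption_type` before attempting any RSA decryption. The `memset(ack.pub_key, 0, sizeof(ack.pub_key))` also deserves a one-line comment saying the zeroed key is intentional, since `ack.ticket_encryption` is the only field visible here that tells the peer not to encrypt against it.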
> --
> 1.8.5.3
>