[Spice-devel] [PATCHv2 0/3] Fix use of SPICE in fips mode

Christophe Fergeau cfergeau at redhat.com
Thu Mar 20 03:23:04 PDT 2014


In FIPS mode, the 1024 bit RSA key which is hardcoded in the protocol through
SpiceLinkReply::pub_key cannot be created, causing any connection attempt to fail
as it's unconditionally generated.

However, when using SASL, we don't need that key. Unfortunately, we don't have a
way of knowing if the client can use SASL or not before the key is generated
and sent. In this series, we introduce the use of a client-side
SPICE_COMMON_CAP_AUTH_SASL, which indicates that the client will be able to
use SASL authentication if needed, and that it does not need
SpiceLinkReply::pub_key to be set in this case.

This replaces my previous attempt which was much more invasive, and
not much better than this approach. This approach has the drawback that
fips mode has to use SASL auth as the 1024 bit RSA keys are disabled in
such setups.

Christophe
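As an added illustration, not part of this patch series or of the spice-server
code, the link negotiation the cover letter describes modelled in C: the client's
capability words from SpiceLinkMess are tested for SPICE_COMMON_CAP_AUTH_SASL, and
the server omits SpiceLinkReply::pub_key only when key generation fails and the
client advertised SASL; a client without that cap in FIPS mode is refused cleanly
instead of the unconditional key generation failing. The capability bit indices,
the pub_key size, and generate_ticket_pubkey (a stand-in that simulates a FIPS
provider refusing RSA-1024 rather than calling OpenSSL) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit indices of the common capabilities; values assumed from spice-protocol's enums.h. */
#define SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION 0
#define SPICE_COMMON_CAP_AUTH_SPICE              1
#define SPICE_COMMON_CAP_AUTH_SASL               2

/* Assumed size of SpiceLinkReply::pub_key (DER-encoded 1024-bit RSA public key). */
#define SPICE_TICKET_PUBKEY_BYTES 162

/* Capability words are uint32; capability N is bit N%32 of word N/32. */
static bool caps_test(const uint32_t *caps, unsigned num_words, unsigned index)
{
    unsigned word = index / 32;
    return word < num_words && ((caps[word] >> (index % 32)) & 1u);
}

static void caps_set(uint32_t *caps, unsigned num_words, unsigned index)
{
    unsigned word = index / 32;
    if (word < num_words)
        caps[word] |= 1u << (index % 32);
}

enum link_result {
    LINK_REPLY_WITH_PUBKEY = 0, /* key sent; SPICE ticket auth or SASL both possible */
    LINK_REPLY_SASL_ONLY   = 1, /* key omitted; client advertised SASL and must use it */
    LINK_ERROR_NO_AUTH     = 2  /* key unavailable and client cannot do SASL: refuse link */
};

struct link_reply {
    uint32_t common_caps;                       /* one word covers the bits used here */
    uint8_t  pub_key[SPICE_TICKET_PUBKEY_BYTES];
    bool     pub_key_set;
};

/* Stand-in for the RSA-1024 ticket key generation (assumption, not spice-server code).
 * A FIPS-mode crypto provider refuses 1024-bit RSA; that is modelled as a failure
 * return instead of a crash. The bytes written are a placeholder, not a real key. */
static bool generate_ticket_pubkey(bool fips_mode, uint8_t *out, size_t len)
{
    if (fips_mode)
        return false;
    memset(out, 0xAB, len);
    return true;
}

/* Decide what goes into SpiceLinkReply once the client's SpiceLinkMess caps are known.
 * The server is assumed to be built with SASL support, so it always advertises it. */
static enum link_result build_link_reply(bool fips_mode,
                                         const uint32_t *client_caps, unsigned num_words,
                                         struct link_reply *reply)
{
    memset(reply, 0, sizeof(*reply));
    reply->common_caps = (1u << SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION)
                       | (1u << SPICE_COMMON_CAP_AUTH_SASL);

    if (generate_ticket_pubkey(fips_mode, reply->pub_key, sizeof(reply->pub_key))) {
        reply->pub_key_set = true;
        reply->common_caps |= 1u << SPICE_COMMON_CAP_AUTH_SPICE;
        return LINK_REPLY_WITH_PUBKEY;
    }
    /* No key available: acceptable only if the client said it can fall back to SASL. */
    if (caps_test(client_caps, num_words, SPICE_COMMON_CAP_AUTH_SASL))
        return LINK_REPLY_SASL_ONLY;
    return LINK_ERROR_NO_AUTH;
}

/* Run one negotiation for a given server FIPS setting and client capability set. */
static enum link_result scenario(bool fips_mode, bool client_has_sasl, bool *pub_key_set)
{
    uint32_t client_caps[1] = { 1u << SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION };
    struct link_reply reply;
    enum link_result r;

    if (client_has_sasl)
        caps_set(client_caps, 1, SPICE_COMMON_CAP_AUTH_SASL);
    r = build_link_reply(fips_mode, client_caps, 1, &reply);
    if (pub_key_set)
        *pub_key_set = reply.pub_key_set;
    return r;
}

static bool scenario_sends_pubkey(bool fips_mode, bool client_has_sasl)
{
    bool set = false;
    scenario(fips_mode, client_has_sasl, &set);
    return set;
}

int main(void)
{
    static const char *names[] = {
        "reply with pub_key", "reply without pub_key (SASL only)", "link refused"
    };
    bool fips[] = { false, false, true, true };
    bool sasl[] = { false, true,  false, true };
    int i;

    for (i = 0; i < 4; i++) {
        enum link_result r = scenario(fips[i], sasl[i], NULL);
        printf("fips=%d client_sasl=%d -> %s\n", fips[i], sasl[i], names[r]);
    }
    return 0;
}
```

The one behavioural choice worth noting: outside FIPS mode the key is still generated
even when the client advertises SASL, so the cap only relaxes the requirement that
pub_key be present; it does not force SASL on clients that could use ticket auth.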