[Spice-devel] [spice-gtk] Advertise SASL cap from client

Christophe Fergeau cfergeau at redhat.com
Thu Mar 20 03:23:36 PDT 2014


A client setting this capability indicates to the server that it's able
to handle SASL authentication, and it also indicates that if SASL is
to be used for authentication, then it won't expect a valid 'pub_key' field
in SpiceLinkReply.

The reason for making guarantees about not looking at the pub_key field is
that its presence and size is hardcoded in the protocol, but in some
hardened setups (using fips mode), generating a RSA 1024 bit key as
expected is forbidden and fails. With this new capability, the server
knows the client will be able to handle SASL if needed, and can skip
the generation of the key altogether. This means that on the setups
described above, SASL authentication has to be used.
---
 gtk/spice-channel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 83c7006..1498162 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -114,6 +114,9 @@ static void spice_channel_init(SpiceChannel *channel)
     c->remote_common_caps = g_array_new(FALSE, TRUE, sizeof(guint32));
     spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION);
     spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_MINI_HEADER);
+#if HAVE_SASL
+    spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_AUTH_SASL);
+#endif
     g_queue_init(&c->xmit_queue);
     STATIC_MUTEX_INIT(c->xmit_queue_lock);
 }
-- 
1.8.5.3



More information about the Spice-devel mailing list