[Spice-devel] [PATCH] Report invalid password as a special auth error

Christophe Fergeau cfergeau at redhat.com
Tue May 26 09:11:29 PDT 2015


On Tue, May 26, 2015 at 04:14:02PM +0200, Christophe Fergeau wrote:
> Hey,
> 
> I think you should report an error somehow in
> spice_channel_send_spice_ticket() if SpiceSession::password is too
> long.

Hmm, looking at this some more, things seem messy :(
The on-wire encrypted password seems to have a max length (see
reds_get_spice_ticket() in server/reds.c).
spice_channel_send_spice_ticket() in spice-gtk also has a comment saying
/* The use of RSA encryption limit the potential maximum password
   length.
   For RSA_PKCS1_OAEP_PADDING it is RSA_size(rsa) - 41.
 */
so some 'password too long' check would be nice to have before sending
too much data on the wire on the spice-gtk side.

Christophe
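
A client-side length check of the kind suggested above, as an added example that is not part of the original message and is not spice-gtk or spice-server code. It computes the RSAES-OAEP plaintext limit from the modulus size (k - 2*hLen - 2 per RFC 8017, with SHA-1) and rejects an oversized password before anything is encrypted or sent. All function and enum names are hypothetical, the 128-byte modulus is a constructed sample, and including the terminating NUL in the plaintext is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; this is not spice-gtk or spice-server code. */
#define OAEP_SHA1_HLEN 20u  /* SHA-1 digest size in bytes */

enum ticket_check { TICKET_OK, TICKET_NO_PASSWORD, TICKET_KEY_TOO_SMALL,
                    TICKET_PASSWORD_TOO_LONG, TICKET_BUFFER_TOO_SMALL };

/* Largest plaintext RSAES-OAEP accepts for a modulus of rsa_size bytes:
 * k - 2*hLen - 2 (RFC 8017, 7.1.1). Returns 0 if nothing fits. */
size_t oaep_max_plaintext(size_t rsa_size, size_t hlen)
{
    size_t overhead = 2 * hlen + 2;
    return rsa_size > overhead ? rsa_size - overhead : 0;
}

/* Check the password against the limit and copy it, NUL included, into out.
 * Assumption: the terminating NUL is part of the encrypted plaintext. */
enum ticket_check stage_ticket(const char *password, size_t rsa_size,
                               unsigned char *out, size_t out_size,
                               size_t *out_len)
{
    size_t max = oaep_max_plaintext(rsa_size, OAEP_SHA1_HLEN);
    size_t n = 0;

    *out_len = 0;
    if (password == NULL)
        return TICKET_NO_PASSWORD;
    if (max == 0)
        return TICKET_KEY_TOO_SMALL;
    /* Bounded scan: stop as soon as the password cannot fit. */
    while (password[n] != '\0')
        if (++n >= max)
            return TICKET_PASSWORD_TOO_LONG;
    if (n + 1 > out_size)
        return TICKET_BUFFER_TOO_SMALL;
    memcpy(out, password, n + 1);
    *out_len = n + 1;
    return TICKET_OK;
}

int main(void)
{
    unsigned char buf[128];
    size_t len;
    /* The 128-byte (1024-bit) modulus is a constructed sample value. */
    printf("limit=%zu status=%d\n", oaep_max_plaintext(128, OAEP_SHA1_HLEN),
           stage_ticket("constructed-sample", 128, buf, sizeof buf, &len));
    return 0;
}
```

Returning a distinct status for the too-long case lets the caller surface a specific error to the user instead of sending data the server will reject.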