Currently, SPICE tickets sent to the server are encrypted using a 1024 bit public RSA key provided by the server. This key type/size is unfortunately set in stone in the SPICE protocol as part of the SpiceLinkReply message, and the key is sent by the server early in the link process (before the server and the client agree on a SpiceLinkAuthMechanism). This can be an issue if the server can't create a 1024 bit RSA key (for example, if it was disabled because it's deemed not secure enough by the server administrator). This happens for example in fips mode ( http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf ) Luckily, the server gets the client caps before sending it this RSA key, and it sends its caps in message containing this RSA key. By advertising a new capability on the client and the server, it's thus possible to indicate that other ways of encrypting the SPICE ticket are supported by both client and server, and use that when available. When the capability is present, an additional 'ticket_encryption' field is added to the SpiceLinkReply structure to indicate that the SPICE ticket is not encrypted using the legacy RSA 1024 bit key. As the situation described above would happen in hardened setups, I've added support for an unencrypted SPICE ticket which is only used for TLS channels. For non-TLS channels, the old method is still used in order to not send the ticket in plain text on unencrypted connections. This commit is a first step towards that. It sends an additional field as part of SpiceLinkReply. The size of the SpiceLinkReply message is sent to the client, and the client accesses the caps by using the caps_offset field, so we can safely send this additional field to older clients as they will not look at it. --- server/reds.c | 1 + spice-common | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/server/reds.c b/server/reds.c index f45092b..fbeb1a5 100644 --- a/server/reds.c +++ b/server/reds.c @@ -1404,6 +1404,7 @@ static int reds_send_link_ack(RedLinkInfo *link) ack.num_channel_caps = channel_caps->num_caps; header.size += (ack.num_common_caps + ack.num_channel_caps) * sizeof(uint32_t); ack.caps_offset = sizeof(SpiceLinkReply); + ack.ticket_encryption = SPICE_TICKET_ENCRYPTION_RSA; if (!reds_generate_ticket_pubkey(link, &ack)) goto end; diff --git a/spice-common b/spice-common index 57ce430..a26bc7b 160000 --- a/spice-common +++ b/spice-common @@ -1 +1 @@ -Subproject commit 57ce430ccd66bd1ca2447c14503234cfb88e2365 +Subproject commit a26bc7befc3d4f15f4bd8ea05f01e63ee0308350 -- 1.8.5.3 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel