----- Original Message ----- > When the client advertises support for unencrypted tickets, the server > can instruct it it should send one. For now, this is restricted to > encrypted channels as we don't want to expose an unencrypted password over > a non-TLS channel. > Clients with unencrypted password support won't send these just yet as the > server does not expose the required capability. Right, but it will send an encrypted password with a nul key with this commit? I think both changes should be made together. > --- > server/reds.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/server/reds.c b/server/reds.c > index ba2a606..88272d9 100644 > --- a/server/reds.c > +++ b/server/reds.c > @@ -1382,6 +1382,7 @@ static int reds_send_link_ack(RedLinkInfo *link) > RedChannel *channel; > RedChannelCapabilities *channel_caps; > int ret = FALSE; > + bool client_unencrypted_ticket; The cap name is "plain_text_ticket", I would follow that naming. I would also consider removing this variable, and just: if (reds_stream_is_ssl(link->stream) && test_link_capability(link, SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET)) it isn't hard to read, imho. > > header.magic = SPICE_MAGIC; > header.size = sizeof(ack); 
> @@ -1405,9 +1406,17 @@ static int reds_send_link_ack(RedLinkInfo *link) > header.size += (ack.num_common_caps + ack.num_channel_caps) * > sizeof(uint32_t); > ack.caps_offset = sizeof(SpiceLinkReply); > > - link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA; > - if (!reds_generate_ticket_pubkey(link, &ack)) > - goto end; > + client_unencrypted_ticket = test_link_capability(link, > + > SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET); > + if (reds_stream_is_ssl(link->stream) && client_unencrypted_ticket) { > + link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_NONE; > + link->tiTicketing.size = > sizeof(link->tiTicketing.ticket.encrypted_data); > + memset(ack.pub_key, 0, sizeof(ack.pub_key)); > + } else { > + link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA; > + if (!reds_generate_ticket_pubkey(link, &ack)) > + goto end; > + } > > ack.ticket_encryption = link->tiTicketing.encryption_type; > if (!reds_stream_write_all(link->stream, &header, sizeof(header))) > -- > 1.8.5.3 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > http://lists.freedesktop.org/mailman/listinfo/spice-devel
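Review bot: The `bool client_unencrypted_ticket;` declaration added in the first hunk (-1382,6 +1382,7) is placed at the top of reds_send_link_ack() next to `int ret = FALSE;`, far from its single use in the second hunk, and it mixes `bool` with the int/FALSE style of the surrounding declarations. Either fold the test_link_capability() call directly into the `if` condition, or keep the local but name it after the capability it tests so a reader can match it to SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET without searching.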
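Review bot: The SPICE_TICKET_ENCRYPTION_NONE branch in the second hunk (-1405,9 +1406,17) sets `link->tiTicketing.size = sizeof(link->tiTicketing.ticket.encrypted_data)` with no comment explaining how the plain-text ticket is laid out or terminated inside that fixed-size buffer, so the reading side has nothing in this change telling it where the password ends. Please document the expected format next to that assignment (and confirm the consumer bounds or terminates the buffer before treating it as a string). The `reds_stream_is_ssl(link->stream)` test is also the only thing keeping a plain-text password off a non-TLS channel, which deserves a one-line comment at the `if` so it is not dropped in a later refactor. Finally, `memset(ack.pub_key, 0, sizeof(ack.pub_key))` sends an all-zero key field; a short comment that the field is unused when `ack.ticket_encryption` is NONE would make the intent explicit.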