When the client advertises support for unencrypted tickets, the server
can instruct it that it should send one. For now, this is restricted to
encrypted channels as we don't want to expose an unencrypted password over
a non-TLS channel.
Clients with unencrypted password support won't send these just yet as the
server does not expose the required capability.
---
 server/reds.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/server/reds.c b/server/reds.c
index ba2a606..88272d9 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1382,6 +1382,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
     RedChannel *channel;
     RedChannelCapabilities *channel_caps;
     int ret = FALSE;
+    bool client_unencrypted_ticket;
 
     header.magic = SPICE_MAGIC;
     header.size = sizeof(ack);
@@ -1405,9 +1406,17 @@ static int reds_send_link_ack(RedLinkInfo *link)
     header.size += (ack.num_common_caps + ack.num_channel_caps) * 
sizeof(uint32_t);
     ack.caps_offset = sizeof(SpiceLinkReply);
 
-    link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
-    if (!reds_generate_ticket_pubkey(link, &ack))
-        goto end;
+    client_unencrypted_ticket = test_link_capability(link,
+                                                     
SPICE_COMMON_CAP_PROTOCOL_PLAIN_TEXT_TICKET);
+    if (reds_stream_is_ssl(link->stream) && client_unencrypted_ticket) {
+        link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_NONE;
+        link->tiTicketing.size = 
sizeof(link->tiTicketing.ticket.encrypted_data);
+        memset(ack.pub_key, 0, sizeof(ack.pub_key));
+    } else {
+        link->tiTicketing.encryption_type = SPICE_TICKET_ENCRYPTION_RSA;
+        if (!reds_generate_ticket_pubkey(link, &ack))
+            goto end;
+    }
 
     ack.ticket_encryption = link->tiTicketing.encryption_type;
     if (!reds_stream_write_all(link->stream, &header, sizeof(header)))
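Review bot: In the `SPICE_TICKET_ENCRYPTION_NONE` branch, `link->tiTicketing.size` is set to the full `sizeof(link->tiTicketing.ticket.encrypted_data)`, so the code that later reads and checks the ticket gets a fixed-size buffer of client-controlled bytes with no guaranteed NUL terminator. That consumer is outside this hunk; it presumably has to branch on `encryption_type`, bound or terminate the password before any string comparison, and wipe the buffer afterwards because it now holds the cleartext password. A comment on this branch would record the contract, e.g. `/* plain-text ticket: client sends a fixed-size buffer; reader must bound/terminate it and skip RSA decryption */`. It would also help to state next to the `reds_stream_is_ssl()` check that confidentiality of the password now rests on the TLS layer alone. `reds_send_link_ack` begins and ends outside the hunk.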
-- 
1.8.5.3
