From 8f5bd25249e73390ddde9eced6bf32cf2bc05a24 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau
Date: Thu, 13 Mar 2014 17:15:04 +0100
Subject: Advertise SASL cap from client A client setting this capability indicates to the server that it's able to handle SASL authentication, and it also indicates that if SASL is to be used for authentication, then it won't expect a valid 'pub_key' field in SpiceLinkReply. The reason for making guarantees about not looking at the pub_key field is that its presence and size is hardcoded in the protocol, but in some hardened setups (using fips mode), generating a RSA 1024 bit key as expected is forbidden and fails. With this new capability, the server knows the client will be able to handle SASL if needed, and can skip the generation of the key altogether. This means that on the setups described above, SASL authentication has to be used.
---
 gtk/spice-channel.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 46c51b0..6f3f689 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -114,6 +114,9 @@ static void spice_channel_init(SpiceChannel *channel)
 c->remote_common_caps = g_array_new(FALSE, TRUE, sizeof(guint32));
 spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION);
 spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_MINI_HEADER);
+#if HAVE_SASL
+ spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_AUTH_SASL);
+#endif
 g_queue_init(&c->xmit_queue);
 STATIC_MUTEX_INIT(c->xmit_queue_lock);
 }
-- cgit
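Review bot: The three added lines in spice_channel_init make a protocol promise that the code itself never records. According to the commit message, setting SPICE_COMMON_CAP_AUTH_SASL tells the server that the client will not expect a valid pub_key in SpiceLinkReply when SASL is used, so the server may skip generating the key. I would state that contract in a comment directly above `#if HAVE_SASL`, for example `/* Advertising AUTH_SASL also promises that we never read SpiceLinkReply.pub_key when SASL is selected. */`. The code that parses the link reply and chooses the auth mechanism is not in this hunk, so it is worth confirming that it only touches pub_key on the ticket-auth path and fails the connection cleanly if the server selects ticket auth without a usable key. spice_channel_init's body starts before the hunk.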