authorDaniel P. Berrange <berrange@redhat.com>2011-12-12 16:52:32 +0000
committerMarc-André Lureau <marcandre.lureau@redhat.com>2012-01-09 18:57:57 +0100
commitbd07dde530d9504e1cfe7ed5837fc00c26f36716 (patch)
tree562539ec7c325d10d1c3448b19287423d39c8e47
parentd55b68b6b44f2499278fa860fb47ff22f5011faa (diff)
Allow auth to be skipped when attaching to pre-accepted clients
When an application passes in a pre-accepted socket for a client, it may well have already performed suitable authentication out of band. It should thus have the option to request that any spice authentication is skipped. * server/reds.c, spice.h: Add flag for skipping auth Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-rw-r--r--server/reds.c21
-rw-r--r--server/spice.h4
2 files changed, 15 insertions, 10 deletions
diff --git a/server/reds.c b/server/reds.c
index a8c23d3c..b97a061e 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -263,6 +263,7 @@ typedef struct RedLinkInfo {
int mess_pos;
TicketInfo tiTicketing;
SpiceLinkAuthMechanism auth_mechanism;
+ int skip_auth;
} RedLinkInfo;
typedef struct VDIPortBuf VDIPortBuf;
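Review bot: `skip_auth` gates both the SASL and the ticket checks, yet this diff assigns it only in `spice_server_add_client` and `spice_server_add_ssl_client`. Any other path that builds a `RedLinkInfo` relies on the allocation being zero-filled, which is not visible from this page; if that is not guaranteed, an indeterminate non-zero value would disable authentication for that link. I would document the invariant on the field, `int skip_auth; /* non-zero: caller authenticated the peer out of band; must be 0 for listener-accepted links */`, and confirm that the link allocator zeroes the struct.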
@@ -1387,9 +1388,9 @@ static int sync_write(RedsStream *stream, const void *in_buf, size_t n)
return TRUE;
}
-static void reds_channel_init_auth_caps(RedChannel *channel)
+static void reds_channel_init_auth_caps(RedLinkInfo *link, RedChannel *channel)
{
- if (sasl_enabled) {
+ if (sasl_enabled && !link->skip_auth) {
red_channel_set_common_cap(channel, SPICE_COMMON_CAP_AUTH_SASL);
} else {
red_channel_set_common_cap(channel, SPICE_COMMON_CAP_AUTH_SPICE);
@@ -1421,7 +1422,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
channel = &reds->main_channel->base;
}
- reds_channel_init_auth_caps(channel); /* make sure common caps are set */
+ reds_channel_init_auth_caps(link, channel); /* make sure common caps are set */
channel_caps = &channel->local_caps;
ack.num_common_caps = channel_caps->num_common_caps;
@@ -1822,7 +1823,7 @@ static void reds_handle_ticket(void *opaque)
link->tiTicketing.encrypted_ticket.encrypted_data,
(unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
- if (ticketing_enabled) {
+ if (ticketing_enabled && !link->skip_auth) {
int expired = taTicket.expiration_time < ltime;
if (strlen(taTicket.password) == 0) {
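Review bot: When `link->skip_auth` is set, the check at `if (ticketing_enabled && !link->skip_auth)` is bypassed without any log record. A client admitted with no password or expiry check then looks the same in the logs as one that passed them. I would record the bypass just before the condition, e.g. `if (link->skip_auth) red_printf("ticket check skipped for pre-accepted client");`. The same applies to the SASL branch changed in `reds_handle_read_link_done`. `reds_handle_ticket` starts and ends outside this hunk.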
@@ -2584,7 +2585,7 @@ static void reds_handle_read_link_done(void *opaque)
}
if (!auth_selection) {
- if (sasl_enabled) {
+ if (sasl_enabled && !link->skip_auth) {
red_printf("SASL enabled, but peer supports only spice authentication");
reds_send_link_error(link, SPICE_LINK_ERR_VERSION_MISMATCH);
return;
@@ -2812,12 +2813,12 @@ static void reds_accept(int fd, int event, void *data)
return;
}
- if (spice_server_add_client(reds, socket) < 0)
+ if (spice_server_add_client(reds, socket, 0) < 0)
close(socket);
}
-SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
+SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket, int skip_auth)
{
RedLinkInfo *link;
RedsStream *stream;
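Review bot: Adding a third parameter to the exported `spice_server_add_client` (and to `spice_server_add_ssl_client` in the later hunk) changes the ABI of an existing `SPICE_GNUC_VISIBLE` symbol. A caller built against the old two-argument prototype would still link, and `skip_auth` would then be read from whatever the calling convention leaves in the third argument slot; any non-zero value there silently turns authentication off. If these entry points have already shipped in a release (not visible from this page), I would keep the two-argument functions unchanged and carry the flag through a separately named entry point or a versioned symbol. The function body continues outside this hunk.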
@@ -2828,6 +2829,8 @@ SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
return -1;
}
+ link->skip_auth = skip_auth;
+
stream = link->stream;
stream->read = stream_read_cb;
stream->write = stream_write_cb;
@@ -2838,7 +2841,7 @@ SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
}
-SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket)
+SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket, int skip_auth)
{
RedLinkInfo *link;
@@ -2846,6 +2849,8 @@ SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket)
if (!(link = reds_init_client_ssl_connection(socket))) {
return -1;
}
+
+ link->skip_auth = skip_auth;
return 0;
}
diff --git a/server/spice.h b/server/spice.h
index fbd409a9..6233a6ca 100644
--- a/server/spice.h
+++ b/server/spice.h
@@ -425,8 +425,8 @@ int spice_server_set_tls(SpiceServer *s, int port,
const char *private_key_file, const char *key_passwd,
const char *dh_key_file, const char *ciphersuite);
-int spice_server_add_client(SpiceServer *s, int socket);
-int spice_server_add_ssl_client(SpiceServer *s, int socket);
+int spice_server_add_client(SpiceServer *s, int socket, int skip_auth);
+int spice_server_add_ssl_client(SpiceServer *s, int socket, int skip_auth);
int spice_server_add_interface(SpiceServer *s,
SpiceBaseInstance *sin);
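Review bot: The new `skip_auth` parameter on both prototypes is undocumented in the public header, although it disables SASL and ticket verification for the connection. I would add a comment above the two declarations that states the caller's obligation, e.g. `/* skip_auth: non-zero only if the caller has already authenticated the peer on this socket out of band; 0 applies the server's configured SASL/ticket authentication */`. It should also say that any non-zero value is treated as "skip", since `link->skip_auth = skip_auth;` stores the int unchanged.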