client: add command line support for ciphers, ca file, and host certificate subject

1 files changed, 91 insertions, 5 deletions

diff --git a/client/application.cpp b/client/application.cpp
index 73a3461f..b9033997 100644
--- a/client/application.cpp
+++ b/client/application.cpp
@@ -321,6 +321,7 @@ enum AppCommands {
 Application::Application()
     : ProcessLoop (this)
     , _client (*this)
+    , _con_ciphers ("DEFAULT")
     , _enabled_channels (SPICE_END_CHANNEL, true)
     , _main_screen (NULL)
     , _active (false)
@@ -363,6 +364,11 @@ Application::Application()
     _canvas_types[0] = CANVAS_OPTION_CAIRO;
 #endif
 
+    _host_auth_opt.type_flags = RedPeer::HostAuthOptions::HOST_AUTH_OP_NAME;
+
+    Platform::get_app_data_dir(_host_auth_opt.CA_file, app_name);
+    Platform::path_append(_host_auth_opt.CA_file, CA_FILE_NAME);
+
     std::auto_ptr<HotKeysParser> parser(new HotKeysParser("toggle-fullscreen=shift+f11"
                                                           ",release-cursor=shift+f12"
 #ifdef RED_DEBUG
@@ -1683,6 +1689,65 @@ bool Application::set_channels_security(CmdLineParser& parser, bool on, char *va
     return true;
 }
 
+bool Application::set_connection_ciphers(const char* ciphers, const char* arg0)
+{
+    _con_ciphers = ciphers;
+    return true;
+}
+
+bool Application::set_ca_file(const char* ca_file, const char* arg0)
+{
+    _host_auth_opt.CA_file = ca_file;
+    return true;
+}
+
+bool Application::set_host_cert_subject(const char* subject, const char* arg0)
+{
+    std::string subject_str(subject);
+    std::string::const_iterator iter = subject_str.begin();
+    std::string entry;
+    _host_auth_opt.type_flags = RedPeer::HostAuthOptions::HOST_AUTH_OP_SUBJECT;
+    _host_auth_opt.host_subject.clear();
+
+    while (true) {
+        if ((iter == subject_str.end()) || (*iter == ',')) {
+            RedPeer::HostAuthOptions::CertFieldValuePair entry_pair;
+            int value_pos = entry.find_first_of('=');
+            if ((value_pos == std::string::npos) || (value_pos == (entry.length() - 1))) {
+                Platform::term_printf("%s: host_subject bad format: assignment for %s is missing\n",
+                                      arg0, entry.c_str());
+                _exit_code = SPICEC_ERROR_CODE_INVALID_ARG;
+                return false;
+            }
+            entry_pair.first = entry.substr(0, value_pos);
+            entry_pair.second = entry.substr(value_pos + 1);
+            _host_auth_opt.host_subject.push_back(entry_pair);
+            DBG(0, "subject entry: %s=%s", entry_pair.first.c_str(), entry_pair.second.c_str());
+            if (iter == subject_str.end()) {
+                break;
+            }
+            entry.clear();
+        } else if (*iter == '\\') {
+            iter++;
+            if (iter == subject_str.end()) {
+                LOG_WARN("single \\ in host subject");
+                entry.append(1, '\\');
+                continue;
+            } else if ((*iter == '\\') || (*iter == ',')) {
+                entry.append(1, *iter);
+            } else {
+                LOG_WARN("single \\ in host subject");
+                entry.append(1, '\\');
+                continue;
+            }
+        } else {
+            entry.append(1, *iter);
+        }
+        iter++;
+    }
+    return true;
+}
+
 bool Application::set_canvas_option(CmdLineParser& parser, char *val, const char* arg0)
 {
     typedef std::map< std::string, CanvasOption> CanvasNamesMap;
@@ -1798,6 +1863,9 @@ bool Application::process_cmd_line(int argc, char** argv)
         SPICE_OPT_FULL_SCREEN,
         SPICE_OPT_SECURE_CHANNELS,
         SPICE_OPT_UNSECURE_CHANNELS,
+        SPICE_OPT_TLS_CIPHERS,
+        SPICE_OPT_CA_FILE,
+        SPICE_OPT_HOST_SUBJECT,
         SPICE_OPT_ENABLE_CHANNELS,
         SPICE_OPT_DISABLE_CHANNELS,
         SPICE_OPT_CANVAS_TYPE,
@@ -1826,6 +1894,14 @@ bool Application::process_cmd_line(int argc, char** argv)
                "force unsecure connection on the specified channels", "channel",
                true);
     parser.set_multi(SPICE_OPT_UNSECURE_CHANNELS, ',');
+    parser.add(SPICE_OPT_TLS_CIPHERS, "tls-ciphers", "ciphers for secure connections",
+               "ciphers", true);
+    parser.add(SPICE_OPT_CA_FILE, "ca-file", "truststore file for secure connections",
+               "ca-file", true);
+    parser.add(SPICE_OPT_HOST_SUBJECT, "host-subject",
+               "subject of the host certifcate. Format: field=value pairs separated"
+               " by commmas. Commas and backslashes within values must be preceded by"
+               " a backslash", "host-subject", true);
     parser.add(SPICE_OPT_PASSWORD, "password", "server password", "password", true, 'w');
     parser.add(SPICE_OPT_FULL_SCREEN, "full-screen", "open in full screen mode", "auto-conf",
                false, 'f');
@@ -1843,11 +1919,6 @@ bool Application::process_cmd_line(int argc, char** argv)
         _peer_con_opt[i] = RedPeer::ConnectionOptions::CON_OP_INVALID;
     }
 
-    _host_auth_opt.type_flags = RedPeer::HostAuthOptions::HOST_AUTH_OP_NAME;
-
-    Platform::get_app_data_dir(_host_auth_opt.CA_file, app_name);
-    Platform::path_append(_host_auth_opt.CA_file, CA_FILE_NAME);
-
     parser.begin(argc, argv);
 
     char* val;
@@ -1894,6 +1965,21 @@ bool Application::process_cmd_line(int argc, char** argv)
                 return false;
             }
             break;
+        case SPICE_OPT_TLS_CIPHERS:
+            if (!set_connection_ciphers(val, argv[0])) {
+                return false;
+            }
+            break;
+        case SPICE_OPT_CA_FILE:
+            if (!set_ca_file(val, argv[0])) {
+                return false;
+            }
+            break;
+        case SPICE_OPT_HOST_SUBJECT:
+            if (!set_host_cert_subject(val, argv[0])) {
+                return false;
+            }
+            break;
         case SPICE_OPT_ENABLE_CHANNELS:
             if (!set_enable_channels(parser, true, val, argv[0])) {
                 return false;