server,client: server authentication for secured channels. #527411 #549673.

3 available mechanisms:  by public key, by host name, and by certificate subject name.
    In the former method, chain of trust verification is not performed.
    The CA certificate files are looked for under <spice-config-dir>/spice_truststore.pem

    windows <spice-config-dir>=%APPDATA%\spicec\
    linux <spice-config-dir>=$HOME/.spicec

1 files changed, 8 insertions, 2 deletions

diff --git a/client/application.cpp b/client/application.cpp
index c253cccc..3566adba 100644
--- a/client/application.cpp
+++ b/client/application.cpp
@@ -49,6 +49,8 @@
 #define STICKY_KEY_PIXMAP ALT_IMAGE_RES_ID
 #define STICKY_KEY_TIMEOUT 750
 
+#define CA_FILE_NAME "spice_truststore.pem"
+
 #ifdef CAIRO_CANVAS_CACH_IS_SHARED
 mutex_t cairo_surface_user_data_mutex;
 #endif
@@ -1596,6 +1598,11 @@ bool Application::process_cmd_line(int argc, char** argv)
     _peer_con_opt[RED_CHANNEL_PLAYBACK] = RedPeer::ConnectionOptions::CON_OP_INVALID;
     _peer_con_opt[RED_CHANNEL_RECORD] = RedPeer::ConnectionOptions::CON_OP_INVALID;
 
+    _host_auth_opt.type_flags = RedPeer::HostAuthOptions::HOST_AUTH_OP_NAME;
+
+    Platform::get_spice_config_dir(_host_auth_opt.CA_file);
+    _host_auth_opt.CA_file += CA_FILE_NAME;
+
     parser.begin(argc, argv);
 
     char* val;
@@ -1614,12 +1621,11 @@ bool Application::process_cmd_line(int argc, char** argv)
             break;
         }
         case SPICE_OPT_SPORT: {
-            if ((port = str_to_port(val)) == -1) {
+            if ((sport = str_to_port(val)) == -1) {
                 std::cout << "invalid secure port " << val << "\n";
                 _exit_code = SPICEC_ERROR_CODE_INVALID_ARG;
                 return false;
             }
-            sport = port;
             break;
         }
         case SPICE_OPT_FULL_SCREEN: