Re: [Spice-devel] Missing DLL on Windows 64 installer package

[Marc-André Lureau]

- Mensaje original -
> I downloaded the 64 Bit MSI installer, for windows 8 64. It installs but
> there are no entries created in the machine's menus. Also, if you try to run
> virtviewer.exe, it fails with a message "libssp-0.dll missing".
> How do make this run?

Ugh, we have few Windows users, and apparently all of them use remote-viewer. 
It's good you try on Windows 8 too :) It's weird that there are no entries in 
machine menu (you mean the start menu right? I thought it was gone in Win8, 
perhaps there is a different mechanism now), I will have to take a look.

The MSI build is relatively new, and we don't have good means to generate 
dependencies automatically, which is a PITA. So thanks for the reminder, we 
should address that. (I am afraid it will be hard to push the required changes 
atm). In the meantime, you could try with the missing dlls from f19 (I copied 
x64 version here http://elmarco.fedorapeople.org/libssp-0.dll, hopefully it's 
enough)

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

[Spice-devel] Missing DLL on Windows 64 installer package

[CDR]

I downloaded the 64 Bit MSI installer, for windows 8 64. It installs but
there are no entries created in the machine's menus. Also,  if you try to
run virtviewer.exe, it fails with a message "libssp-0.dll missing".

How do make this run?

Philip Orleans
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Marc-André Lureau]

- Mensaje original -
> On Tue, Jun 04, 2013 at 12:18:12PM -0400, Marc-André Lureau wrote:
> > > I disagree with this statement (even if this will not be solved by this
> > > series). Something that is automatically used by spice-gtk when provided,
> > > but which is not as insecure as putting the password in the URI would be
> > > nice to have in spice-gtk.
> > 
> > The URI or API "password" property are not more insecure than a separate
> > file.
> 
> A separate file with 0600 permissions will be more secure than passing a
> password on the command line (which is then visible by other users using
> ps).

It's not spice-gtk fault if people use password in command line, if the client 
they use doesn't provide other suitable way.

Spice-gtk just provide provides session properties which have nothing to do 
with command line.
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Christophe Fergeau]

On Tue, Jun 04, 2013 at 12:18:12PM -0400, Marc-André Lureau wrote:
> > I disagree with this statement (even if this will not be solved by this
> > series). Something that is automatically used by spice-gtk when provided,
> > but which is not as insecure as putting the password in the URI would be
> > nice to have in spice-gtk.
> 
> The URI or API "password" property are not more insecure than a separate file.

A separate file with 0600 permissions will be more secure than passing a
password on the command line (which is then visible by other users using
ps).

Christophe


pgp0R8uM4pBC0.pgp
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Marc-André Lureau]

- Mensaje original -
> On Tue, Jun 04, 2013 at 11:16:26AM -0400, Marc-André Lureau wrote:
> > Since you can already provide the password via either URI argument or by
> > API, there is no need for an additional way in spice-gtk.
> 
> I disagree with this statement (even if this will not be solved by this
> series). Something that is automatically used by spice-gtk when provided,
> but which is not as insecure as putting the password in the URI would be
> nice to have in spice-gtk.

The URI or API "password" property are not more insecure than a separate file.

Remember that spice-gtk isn't a client, and spicy is only for testing.
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Christophe Fergeau]

On Tue, Jun 04, 2013 at 11:16:26AM -0400, Marc-André Lureau wrote:
> Since you can already provide the password via either URI argument or by
> API, there is no need for an additional way in spice-gtk.

I disagree with this statement (even if this will not be solved by this
series). Something that is automatically used by spice-gtk when provided,
but which is not as insecure as putting the password in the URI would be
nice to have in spice-gtk.

Christophe


pgpfxHqcAJ0kW.pgp
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Daniel P. Berrange]

On Tue, Jun 04, 2013 at 11:16:26AM -0400, Marc-André Lureau wrote:
> 
> 
> - Mensaje original -
> > On Tue, Jun 04, 2013 at 10:44:45AM -0400, Marc-André Lureau wrote:
> > > > This patch series adds support for something similar to what is 
> > > > described
> > > > in http://libvirt.org/auth.html: when a password is needed but it hasn't
> > > > been provided, we search for a file containing the auth info. It can be
> > > > specified through an environment variable, in the SPICE URI, then it's
> > > > looked up in XDG_CONFIG_DIR, and finally in /etc/libvirt/auth.conf.
> > > > There
> > > > are a few things that may deserve polishing in this scheme:
> > > > - it's quite libvirt centered with respects to the naming of the env 
> > > > var,
> > > >   of the default dir locations, ...
> > > > - the port number needs to be added to the auth-$SERVICE-$HOSTNAME 
> > > > scheme
> > > >   described on http://libvirt.org/auth.html as multiple VMs can run on
> > > >   the
> > > >   same host
> > > > - it does not go very well with libvirt automatic spice port allocation
> > > > as
> > > >   the credential file has to hardcode the port numbers, but the port
> > > >   number
> > > >   is not fixed when using automatic allocation
> > > > 
> > > > I still think this can be useful to people who are looking for a way to
> > > > pass spice password to the client without passing it on the command line
> > > > as
> > > > was suggested in https://bugzilla.redhat.com/show_bug.cgi?id=794644#c6
> > > 
> > > Spice-gtk is a library. Each Spice client may decide to provide
> > > credentials in its own way.
> > > 
> > > Why should spice-gtk bypass that? Since it's so libvirt-centered, why did
> > > you look for a solution in spice-gtk instead of virt-viewer?
> > 
> > In my opinion this fits best in spice-gtk so that we can document this in
> > one place, and have all applications using spice-gtk benefits from this
> > This is better than letting each application reinvent the wheel.
> 
> I don't think it is the right place to solve the problem.
> 
> virt-viewer has to auth against several servers, spice, vnc, libvirt, ovirt, 
> (and could soon support rdp etc)
> 
> > What is libvirt-centered in these patches is just the env var/file names
> > (LIBVIRT_AUTH_FILE, $XDG_CONFIG_DIR/libvirt/auth.conf,
> > /etc/libvirt/auth.conf), this is trivial to change to something else if we
> > don't like it.
> 
> Then maybe we should get rid of that, and perhaps libvirt format doesn't fit 
> well spice-gtk.
> 
> Since you can already provide the password via either URI argument or by API, 
> there is no need for an additional way in spice-gtk.
> 
> Also, as you noted, it doesn't fit well with dynamic ports usually used with 
> remote desktop protocols, we better keep password handling at 
> application/virt-viewer level.

Yep, I really think this belongs at the virt-viewer level so that the
auth file records passwords against the VM names or UUIDs, not the TCP
port numbers or hosts. That way the same password can be setup to
work regardless of what host the VM is currently running on.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

[Spice-devel] Windows Guest Tools 0.59

[Christophe Fergeau]

Hi,

A new release of the SPICE Guest Tools for Windows is now available at
http://spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-0.59.exe
It contains the latest virtio-win drivers (0.59), as well as spice-vdagent
0.7.1. The QXL driver is unchanged.

The release is signed with GPG key:
A525 E3EA 186A AB45 DD0F  86AF 24A4 69FB 7A56 F78E

Cheers,

Christophe
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Marc-André Lureau]

- Mensaje original -
> On Tue, Jun 04, 2013 at 10:44:45AM -0400, Marc-André Lureau wrote:
> > > This patch series adds support for something similar to what is described
> > > in http://libvirt.org/auth.html: when a password is needed but it hasn't
> > > been provided, we search for a file containing the auth info. It can be
> > > specified through an environment variable, in the SPICE URI, then it's
> > > looked up in XDG_CONFIG_DIR, and finally in /etc/libvirt/auth.conf.
> > > There
> > > are a few things that may deserve polishing in this scheme:
> > > - it's quite libvirt centered with respects to the naming of the env var,
> > >   of the default dir locations, ...
> > > - the port number needs to be added to the auth-$SERVICE-$HOSTNAME scheme
> > >   described on http://libvirt.org/auth.html as multiple VMs can run on
> > >   the
> > >   same host
> > > - it does not go very well with libvirt automatic spice port allocation
> > > as
> > >   the credential file has to hardcode the port numbers, but the port
> > >   number
> > >   is not fixed when using automatic allocation
> > > 
> > > I still think this can be useful to people who are looking for a way to
> > > pass spice password to the client without passing it on the command line
> > > as
> > > was suggested in https://bugzilla.redhat.com/show_bug.cgi?id=794644#c6
> > 
> > Spice-gtk is a library. Each Spice client may decide to provide
> > credentials in its own way.
> > 
> > Why should spice-gtk bypass that? Since it's so libvirt-centered, why did
> > you look for a solution in spice-gtk instead of virt-viewer?
> 
> In my opinion this fits best in spice-gtk so that we can document this in
> one place, and have all applications using spice-gtk benefits from this
> This is better than letting each application reinvent the wheel.

I don't think it is the right place to solve the problem.

virt-viewer has to auth against several servers, spice, vnc, libvirt, ovirt, 
(and could soon support rdp etc)

> What is libvirt-centered in these patches is just the env var/file names
> (LIBVIRT_AUTH_FILE, $XDG_CONFIG_DIR/libvirt/auth.conf,
> /etc/libvirt/auth.conf), this is trivial to change to something else if we
> don't like it.

Then maybe we should get rid of that, and perhaps libvirt format doesn't fit 
well spice-gtk.

Since you can already provide the password via either URI argument or by API, 
there is no need for an additional way in spice-gtk.

Also, as you noted, it doesn't fit well with dynamic ports usually used with 
remote desktop protocols, we better keep password handling at 
application/virt-viewer level.

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Christophe Fergeau]

On Tue, Jun 04, 2013 at 10:44:45AM -0400, Marc-André Lureau wrote:
> 
> 
> - Mensaje original -
> > Hey,
> > 
> > This patch series adds support for something similar to what is described
> > in http://libvirt.org/auth.html: when a password is needed but it hasn't
> > been provided, we search for a file containing the auth info. It can be
> > specified through an environment variable, in the SPICE URI, then it's
> > looked up in XDG_CONFIG_DIR, and finally in /etc/libvirt/auth.conf.  There
> > are a few things that may deserve polishing in this scheme:
> > - it's quite libvirt centered with respects to the naming of the env var,
> >   of the default dir locations, ...
> > - the port number needs to be added to the auth-$SERVICE-$HOSTNAME scheme
> >   described on http://libvirt.org/auth.html as multiple VMs can run on the
> >   same host
> > - it does not go very well with libvirt automatic spice port allocation as
> >   the credential file has to hardcode the port numbers, but the port number
> >   is not fixed when using automatic allocation
> > 
> > I still think this can be useful to people who are looking for a way to
> > pass spice password to the client without passing it on the command line as
> > was suggested in https://bugzilla.redhat.com/show_bug.cgi?id=794644#c6
> 
> Spice-gtk is a library. Each Spice client may decide to provide
> credentials in its own way.
> 
> Why should spice-gtk bypass that? Since it's so libvirt-centered, why did
> you look for a solution in spice-gtk instead of virt-viewer?

In my opinion this fits best in spice-gtk so that we can document this in
one place, and have all applications using spice-gtk benefits from this
This is better than letting each application reinvent the wheel.

What is libvirt-centered in these patches is just the env var/file names
(LIBVIRT_AUTH_FILE, $XDG_CONFIG_DIR/libvirt/auth.conf,
/etc/libvirt/auth.conf), this is trivial to change to something else if we
don't like it.

Christophe


pgpsav9BFof3v.pgp
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Marc-André Lureau]

- Mensaje original -
> Hey,
> 
> This patch series adds support for something similar to what is described
> in http://libvirt.org/auth.html: when a password is needed but it hasn't
> been provided, we search for a file containing the auth info. It can be
> specified through an environment variable, in the SPICE URI, then it's
> looked up in XDG_CONFIG_DIR, and finally in /etc/libvirt/auth.conf.  There
> are a few things that may deserve polishing in this scheme:
> - it's quite libvirt centered with respects to the naming of the env var,
>   of the default dir locations, ...
> - the port number needs to be added to the auth-$SERVICE-$HOSTNAME scheme
>   described on http://libvirt.org/auth.html as multiple VMs can run on the
>   same host
> - it does not go very well with libvirt automatic spice port allocation as
>   the credential file has to hardcode the port numbers, but the port number
>   is not fixed when using automatic allocation
> 
> I still think this can be useful to people who are looking for a way to
> pass spice password to the client without passing it on the command line as
> was suggested in https://bugzilla.redhat.com/show_bug.cgi?id=794644#c6

Spice-gtk is a library. Each Spice client may decide to provide credentials in 
its own way.

Why should spice-gtk bypass that? Since it's so libvirt-centered, why did you 
look for a solution in spice-gtk instead of virt-viewer?
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

[Spice-devel] [spice-gtk 5/5] Use credentials from config file

[Christophe Fergeau]

When a ticket is needed to during a connection to a SPICE channel,
if there is no ticket set in the current SPICE session, we can now
use the SpiceAuthFile class to lookup credentials for the connection
stored in a config file, as described on http://libvirt.org/auth.html
---
 gtk/spice-channel.c  | 67 ++--
 gtk/spice-session-priv.h |  2 ++
 gtk/spice-session.c  | 18 +
 3 files changed, 79 insertions(+), 8 deletions(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 74a02fb..335f8e5 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -19,6 +19,7 @@
 #include "spice-common.h"
 #include "glib-compat.h"
 
+#include "spice-auth-file.h"
 #include "spice-channel-priv.h"
 #include "spice-session-priv.h"
 #include "spice-marshal.h"
@@ -1018,6 +1019,40 @@ static int spice_channel_read(SpiceChannel *channel, 
void *data, size_t length)
 return length;
 }
 
+static char *spice_channel_get_session_password(SpiceChannel *channel)
+{
+const char *password;
+const char *hostname;
+const char *port;
+char *host;
+const char *auth_file;
+SpiceChannelPrivate *priv = channel->priv;
+
+password = spice_session_get_password(priv->session);
+if (password != NULL)
+return g_strdup(password);
+
+hostname = spice_session_get_host(priv->session);
+if (hostname == NULL)
+return NULL;
+
+if (priv->tls) {
+port = spice_session_get_tls_port(priv->session);
+} else {
+port = spice_session_get_port(priv->session);
+}
+if (port == NULL)
+return NULL;
+
+auth_file = spice_session_get_auth_file(priv->session);
+host = g_strdup_printf("%s:%s", hostname, port);
+password = spice_auth_file_lookup_credential(auth_file, host,
+ "password", NULL);
+g_free(host);
+
+return (char *)password;
+}
+
 /* coroutine context */
 static void spice_channel_send_spice_ticket(SpiceChannel *channel)
 {
@@ -1045,7 +1080,7 @@ static void spice_channel_send_spice_ticket(SpiceChannel 
*channel)
   The use of RSA encryption limit the potential maximum password length.
   for RSA_PKCS1_OAEP_PADDING it is RSA_size(rsa) - 41.
 */
-g_object_get(c->session, "password", &password, NULL);
+password = spice_channel_get_session_password(channel);
 if (password == NULL)
 password = g_strdup("");
 rc = RSA_public_encrypt(strlen(password) + 1, (uint8_t*)password,
@@ -1242,18 +1277,29 @@ static gchar *addr_to_string(GSocketAddress *addr)
 return ret;
 }
 
+static void
+spice_channel_free_sasl_credentials(sasl_interact_t *interact)
+{
+unsigned int ninteract;
+
+if (interact == NULL)
+return;
+
+for (ninteract = 0 ; interact[ninteract].id != 0 ; ninteract++) {
+if (interact[ninteract].id == SASL_CB_PASS)
+g_free((char *)interact[ninteract].result);
+}
+}
+
 static gboolean
 spice_channel_gather_sasl_credentials(SpiceChannel *channel,
-  sasl_interact_t *interact)
+ sasl_interact_t *interact)
 {
-SpiceChannelPrivate *c;
 int ninteract;
 
 g_return_val_if_fail(channel != NULL, FALSE);
 g_return_val_if_fail(channel->priv != NULL, FALSE);
 
-c = channel->priv;
-
 /* FIXME: we could keep connection open and ask connection details if 
missing */
 
 for (ninteract = 0 ; interact[ninteract].id != 0 ; ninteract++) {
@@ -1263,14 +1309,17 @@ spice_channel_gather_sasl_credentials(SpiceChannel 
*channel,
 g_warn_if_reached();
 break;
 
-case SASL_CB_PASS:
-if (spice_session_get_password(c->session) == NULL)
+case SASL_CB_PASS: {
+char *password;
+password = spice_channel_get_session_password(channel);
+if (password == NULL)
 return FALSE;
 
-interact[ninteract].result =  
spice_session_get_password(c->session);
+interact[ninteract].result =  password;
 interact[ninteract].len = strlen(interact[ninteract].result);
 break;
 }
+}
 }
 
 CHANNEL_DEBUG(channel, "Filled SASL interact");
@@ -1631,6 +1680,7 @@ restart:
 }
 
 complete:
+spice_channel_free_sasl_credentials(interact);
 CHANNEL_DEBUG(channel, "%s", "SASL authentication complete");
 spice_channel_read(channel, &len, sizeof(len));
 if (len != SPICE_LINK_ERR_OK)
@@ -1643,6 +1693,7 @@ complete:
 return ret;
 
 error:
+spice_channel_free_sasl_credentials(interact);
 g_clear_object(&addr);
 if (saslconn)
 sasl_dispose(&saslconn);
diff --git a/gtk/spice-session-priv.h b/gtk/spice-session-priv.h
index 218f5c3..8423d0f 100644
--- a/gtk/spice-session-priv.h
+++ b/gtk/spice-session-priv.h
@@ -139,6 +139,8 @@ guint spice_session_get_verify(SpiceSession *session);
 const gchar* spice_session_get_passwor

[Spice-devel] [spice-gtk 4/5] Add SpiceAuthFile class

[Christophe Fergeau]

This class can parse the configuration file format described at
http://libvirt.org/auth.html to get SPICE authentication information.
This uses 'spice' as the service name for the auth-$SERVICE-$HOSTNAME
groups.
---
 Makefile.am|   2 +-
 configure.ac   |   1 +
 gtk/Makefile.am|   2 +
 gtk/map-file   |   5 +
 gtk/spice-auth-file.c  | 192 +
 gtk/spice-auth-file.h  |  62 +++
 gtk/spice-glib-sym-file|   5 +
 po/POTFILES.in |   1 +
 tests/Makefile.am  |  26 +++
 tests/test-spice-auth-file-data/libvirt/auth.conf  |   6 +
 .../test-spice-auth-file.conf  |  25 +++
 tests/test-spice-auth-file.c   | 144 
 12 files changed, 470 insertions(+), 1 deletion(-)
 create mode 100644 gtk/spice-auth-file.c
 create mode 100644 gtk/spice-auth-file.h
 create mode 100644 tests/Makefile.am
 create mode 100644 tests/test-spice-auth-file-data/libvirt/auth.conf
 create mode 100644 tests/test-spice-auth-file-data/test-spice-auth-file.conf
 create mode 100644 tests/test-spice-auth-file.c

diff --git a/Makefile.am b/Makefile.am
index ffa1649..ab10f5f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 NULL =
 
-SUBDIRS = spice-common gtk po doc data
+SUBDIRS = spice-common gtk po doc data tests
 
 if HAVE_INTROSPECTION
 if WITH_VALA
diff --git a/configure.ac b/configure.ac
index 8ab5b6b..4637bd5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -669,6 +669,7 @@ gtk/Makefile
 gtk/controller/Makefile
 doc/Makefile
 doc/reference/Makefile
+tests/Makefile
 vapi/Makefile
 ])
 
diff --git a/gtk/Makefile.am b/gtk/Makefile.am
index d31a396..34ea0c2 100644
--- a/gtk/Makefile.am
+++ b/gtk/Makefile.am
@@ -212,6 +212,7 @@ libspice_client_glib_2_0_la_SOURCES =   
\
glib-compat.h   \
spice-audio.c   \
spice-audio-priv.h  \
+   spice-auth-file.c   \
spice-common.h  \
spice-util.c\
spice-util-priv.h   \
@@ -277,6 +278,7 @@ nodist_libspice_client_glib_2_0_la_SOURCES =\
 libspice_client_glibincludedir = $(includedir)/spice-client-glib-2.0
 libspice_client_glibinclude_HEADERS =  \
spice-audio.h   \
+   spice-auth-file.h   \
spice-client.h  \
spice-types.h   \
spice-session.h \
diff --git a/gtk/map-file b/gtk/map-file
index 03648a8..3d470f4 100644
--- a/gtk/map-file
+++ b/gtk/map-file
@@ -3,6 +3,11 @@ global:
 spice_audio_get;
 spice_audio_get_type;
 spice_audio_new;
+spice_auth_file_get_credential;
+spice_auth_file_get_type;
+spice_auth_file_lookup_credential;
+spice_auth_file_new;
+spice_auth_file_new_from_file;
 spice_channel_connect;
 spice_channel_destroy;
 spice_channel_disconnect;
diff --git a/gtk/spice-auth-file.c b/gtk/spice-auth-file.c
new file mode 100644
index 000..bee3467
--- /dev/null
+++ b/gtk/spice-auth-file.c
@@ -0,0 +1,192 @@
+/* -*- Mode: C; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+   Copyright (C) 2013 Red Hat, Inc.
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see .
+*/
+#include 
+#include 
+
+#include "spice-auth-file.h"
+
+struct _SpiceAuthFilePrivate {
+GKeyFile* keyfile;
+};
+
+G_DEFINE_TYPE(SpiceAuthFile, spice_auth_file, G_TYPE_OBJECT);
+
+#define SPICE_AUTH_FILE_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE((o), 
SPICE_TYPE_AUTH_FILE, SpiceAuthFilePrivate))
+
+/* Lookup auth.conf in this order:
+ *  - The file path specified by the $LIBVIRT_AUTH_FILE environment variable.
+ *  - The file path specified by the "authfile=/some/file" URI query
+ *parameter
+ *  - The file $XDG_CONFIG_HOME/libvirt/auth.conf
+ *  - The file /etc/libvirt/auth.conf
+ */
+static SpiceAuthFile*
+spice_auth_file_new_with_user_file(const char *user_file, GError** error)
+{
+SpiceAuthFile *auth_file;
+char *lo

[Spice-devel] [spice-gtk 1/5] Fix typo in debug log

[Christophe Fergeau]

---
 gtk/spice-channel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 0a32d6c..74a02fb 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1497,7 +1497,7 @@ restart:
 if (c->has_error)
 goto error;
 
-CHANNEL_DEBUG(channel, "Getting sever start negotiation reply");
+CHANNEL_DEBUG(channel, "Getting server start negotiation reply");
 /* Read the 'START' message reply from server */
 spice_channel_read(channel, &len, sizeof(len));
 if (c->has_error)
-- 
1.8.2.1

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

[Spice-devel] [spice-gtk 3/5] Add SpiceSession::auth-file

[Christophe Fergeau]

This property is parsed from the 'authfile' parameter in SPICE URI, and
points to a file containing credentials to use when establishing the SPICE
connection, see http://libvirt.org/auth.html
---
 gtk/spice-session-priv.h |  2 ++
 gtk/spice-session.c  | 44 +++-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/gtk/spice-session-priv.h b/gtk/spice-session-priv.h
index 5ed48dd..218f5c3 100644
--- a/gtk/spice-session-priv.h
+++ b/gtk/spice-session-priv.h
@@ -38,6 +38,7 @@ struct _SpiceSessionPrivate {
 char  *port;
 char  *tls_port;
 char  *password;
+char  *auth_file;
 char  *ca_file;
 char  *ciphers;
 GByteArray*pubkey;
@@ -136,6 +137,7 @@ void spice_session_set_port(SpiceSession *session, int 
port, gboolean tls);
 void spice_session_get_pubkey(SpiceSession *session, guint8 **pubkey, guint 
*size);
 guint spice_session_get_verify(SpiceSession *session);
 const gchar* spice_session_get_password(SpiceSession *session);
+const gchar* spice_session_get_auth_file(SpiceSession *session);
 const gchar* spice_session_get_host(SpiceSession *session);
 const gchar* spice_session_get_cert_subject(SpiceSession *session);
 const gchar* spice_session_get_ciphers(SpiceSession *session);
diff --git a/gtk/spice-session.c b/gtk/spice-session.c
index 83b91db..9746051 100644
--- a/gtk/spice-session.c
+++ b/gtk/spice-session.c
@@ -108,7 +108,8 @@ enum {
 PROP_NAME,
 PROP_CA,
 PROP_PROXY,
-PROP_SECURE_CHANNELS
+PROP_SECURE_CHANNELS,
+PROP_AUTH_FILE,
 };
 
 /* signals */
@@ -266,6 +267,7 @@ spice_session_finalize(GObject *gobject)
 g_free(s->smartcard_db);
 g_strfreev(s->disable_effects);
 g_strfreev(s->secure_channels);
+g_free(s->auth_file);
 
 spice_session_palettes_clear(session);
 spice_session_images_clear(session);
@@ -303,6 +305,7 @@ static int spice_uri_parse(SpiceSession *session, const 
char *original_uri)
 {
 SpiceSessionPrivate *s = SPICE_SESSION_GET_PRIVATE(session);
 gchar *host = NULL, *port = NULL, *tls_port = NULL, *uri = NULL, *password 
= NULL;
+gchar *auth_file = NULL;
 gchar *path = NULL;
 gchar *unescaped_path = NULL;
 gchar *authority = NULL;
@@ -384,6 +387,8 @@ static int spice_uri_parse(SpiceSession *session, const 
char *original_uri)
 target_key = &port;
 } else if (g_str_equal(key, "tls-port")) {
 target_key = &tls_port;
+} else if (g_str_equal(key, "authfile")) {
+target_key = &auth_file;
 } else if (g_str_equal(key, "password")) {
 target_key = &password;
 g_warning("password may be visible in process listings");
@@ -412,10 +417,12 @@ static int spice_uri_parse(SpiceSession *session, const 
char *original_uri)
 g_free(s->port);
 g_free(s->tls_port);
 g_free(s->password);
+g_free(s->auth_file);
 s->host = host;
 s->port = port;
 s->tls_port = tls_port;
 s->password = password;
+s->auth_file = auth_file;
 return 0;
 
 fail:
@@ -425,6 +432,7 @@ fail:
 g_free(port);
 g_free(tls_port);
 g_free(password);
+g_free(auth_file);
 return -1;
 }
 
@@ -527,6 +535,9 @@ static void spice_session_get_property(GObject*gobject,
 case PROP_PROXY:
 g_value_take_string(value, spice_proxy_to_string(s->proxy));
break;
+case PROP_AUTH_FILE:
+g_value_set_string(value, s->auth_file);
+break;
 default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
break;
@@ -649,6 +660,10 @@ static void spice_session_set_property(GObject  
*gobject,
 case PROP_PROXY:
 update_proxy(session, g_value_get_string(value));
 break;
+case PROP_AUTH_FILE:
+g_free(s->auth_file);
+s->auth_file = g_value_dup_string(value);
+break;
 default:
 G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
 break;
@@ -1193,6 +1208,22 @@ static void spice_session_class_init(SpiceSessionClass 
*klass)
  G_PARAM_READWRITE |
  G_PARAM_STATIC_STRINGS));
 
+/**
+ * SpiceSession:auth-file:
+ *
+ * File containing authentication credentials, see
+ * http://libvirt.org/auth.html
+ *
+ **/
+g_object_class_install_property
+(gobject_class, PROP_AUTH_FILE,
+ g_param_spec_string("auth-file",
+ "Auth configuration file",
+ "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
 g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
 }
 
@@ -1231,11 +1262,13 @@ SpiceSession 
*spice_session_new_from_session(SpiceSession *session)
 g_warn_if_fail(c->pubkey == NULL);
 g_warn_if_fail(c->pu

[Spice-devel] [spice-gtk 2/5] session: Lookup URI query part before path part

[Christophe Fergeau]

When parsing an URI, spice_uri_parse currently first looks up for
'/' to detect the 'path' part of the URI
(http://foo.example.com/some/path) and then the query part (starting
with '&' is looked up).
However, this does not work as expected when the host name is not
followed by a path, but the query part contains a path:
http://foo.example.com&my_param=/some/path
This commit starts inverts the path detection/query detection step,
it first detects the beginning of the query part and splits it out,
and then looks for '/' in the part which came before the query part.
---
 gtk/spice-session.c | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/gtk/spice-session.c b/gtk/spice-session.c
index 8cb2d39..83b91db 100644
--- a/gtk/spice-session.c
+++ b/gtk/spice-session.c
@@ -281,7 +281,6 @@ spice_session_finalize(GObject *gobject)
 
 #define URI_SCHEME_SPICE "spice://"
 #define URI_QUERY_START ";?"
-#define URI_QUERY_SEP   ";&"
 
 static int spice_uri_create(SpiceSession *session, char *dest, int len)
 {
@@ -322,24 +321,20 @@ static int spice_uri_parse(SpiceSession *session, const 
char *original_uri)
 goto fail;
 }
 authority = uri + strlen(URI_SCHEME_SPICE);
+
+query = authority + strcspn(authority, URI_QUERY_START);
+if (query[0]) {
+query[0] = '\0';
+query++;
+}
+
 path = strchr(authority, '/');
 if (path) {
 path[0] = '\0';
 path++;
 }
 
-if (path) {
-size_t prefix = strcspn(path, URI_QUERY_START);
-query = path + prefix;
-} else {
-size_t prefix = strcspn(authority, URI_QUERY_START);
-query = authority + prefix;
-}
 
-if (query && query[0]) {
-query[0] = '\0';
-query++;
-}
 
 /* Now process the individual parts */
 
-- 
1.8.2.1

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

[Spice-devel] [spice-gtk 0/5] Add support for looking up connection credentials in a file

[Christophe Fergeau]

Hey,

This patch series adds support for something similar to what is described
in http://libvirt.org/auth.html: when a password is needed but it hasn't
been provided, we search for a file containing the auth info. It can be
specified through an environment variable, in the SPICE URI, then it's
looked up in XDG_CONFIG_DIR, and finally in /etc/libvirt/auth.conf.  There
are a few things that may deserve polishing in this scheme:
- it's quite libvirt centered with respects to the naming of the env var,
  of the default dir locations, ...
- the port number needs to be added to the auth-$SERVICE-$HOSTNAME scheme
  described on http://libvirt.org/auth.html as multiple VMs can run on the
  same host
- it does not go very well with libvirt automatic spice port allocation as
  the credential file has to hardcode the port numbers, but the port number
  is not fixed when using automatic allocation

I still think this can be useful to people who are looking for a way to
pass spice password to the client without passing it on the command line as
was suggested in https://bugzilla.redhat.com/show_bug.cgi?id=794644#c6

There is also one thing I'd like to fix before committing but I was not
sure if there is a nice way to achieve that: at the moment, the only reason
SpiceAuthFile is public is because of the unit test that goes with patch 4/5,
I don't know if it's possible to achieve the same without exporting the 
symbols..

Christophe

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] Status of USB redirection

[Han Pilmeyer]

On 04/06/2013 14:59, Hans de Goede wrote:

Hi,

On 06/04/2013 02:27 PM, Han Pilmeyer wrote:


Perhaps the default for the USB controller in virt-manager should be 
changed from "default" to "USB 2"?


Yes, good idea, can you please file an RFE for this?


Yes, will do.
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] Status of USB redirection

[Hans de Goede]

Hi,

On 06/04/2013 02:27 PM, Han Pilmeyer wrote:

Hoi Hans,

On 03/06/2013 13:42, Hans de Goede wrote:

* How do I setup redirection (or I need just the spice connection) ?


In virt-manager make sure you're using a spice connection, that the 
usb-controller
model is set to "Usb 2" and then add a number of USB Redirection devices, (up 
to 4,
having more then 1 allows you to redirect more then 1 USB device 
simultaneously).

Until now I didn't realize how important this bit of advice really was! I use virt-manager to manage my KVM guests and 
had added the USB controller as "default". The only alternative was "USB 2". I expected that both 
were the doing the same. This is not the case however. As soon as I changed the USB controller of the guest from 
"default" to "USB 2", USB redirection started to work (this is with a Windows 7 guest).

Perhaps the default for the USB controller in virt-manager should be changed from 
"default" to "USB 2"?


Yes, good idea, can you please file an RFE for this?

Regards,

Hans
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] Status of USB redirection

[Han Pilmeyer]

Hoi Hans,

On 03/06/2013 13:42, Hans de Goede wrote:

* How do I setup redirection (or I need just the spice connection) ?


In virt-manager make sure you're using a spice connection, that the 
usb-controller
model is set to "Usb 2" and then add a number of USB Redirection 
devices, (up to 4,
having more then 1 allows you to redirect more then 1 USB device 
simultaneously). 
Until now I didn't realize how important this bit of advice really was! 
I use virt-manager to manage my KVM guests and had added the USB 
controller as "default". The only alternative was "USB 2". I expected 
that both were the doing the same. This is not the case however. As soon 
as I changed the USB controller of the guest from "default" to "USB 2", 
USB redirection started to work (this is with a Windows 7 guest).


Perhaps the default for the USB controller in virt-manager should be 
changed from "default" to "USB 2"? Hmmm... :-)


-Han
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] German keymap in Windows 7

[Marc-André Lureau]

- Mensaje original -
> On Mon, Jun 03, 2013 at 07:29:23AM -1000, INVITU wrote:
> > 
> >   
> >  >   http-equiv="Content-Type">
> >   
> >   
> > Hello
> >   
> >   Alt-Gr combinations do dot work with french keymap : ~#{[|^@]}
> 
> This is likely fixed by
> http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=6e180217428ffd6e8c0f835fb9c97e6e49998630
> which is not part of a spice-gtk release/build yet.

Last time I checked, it didn't work.

Anyway, as I explained in the thread about that patch, it would be only partial 
fix, since it's only filtering the key when the the widget has the grab. A 
better fix needs to be done at Gdk level 
https://bugzilla.gnome.org/show_bug.cgi?id=699787 (which also would fix other 
apps). That fix isn't upstream, and not included in the current MSI.
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] Status of USB redirection

[Alexander Todorov]

На  3.06.2013 23:42, Fabio Fantoni написа:

* Can SPICE and the USB redir code work on bare-metal or non KVM virtual
machines ?


No (not atm, and unlikely to change soon)

Work also on xen, used for one year on test system without problem.
I'll do the xl patch probably for xen 4.4.




Hi Fabio,
can you describe what is required for this to work with Xen?

--
Alex
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] Spicy keyboard shortcuts.

[Christophe Fergeau]

On Mon, Jun 03, 2013 at 05:07:25PM +0100, Chris Bull wrote:
> Hi,
> 
> With the spicy client, there is an ability to press LShift + Ctrl + F12 to
> break out of full screen.

spicy is not a SPICE client, it's just a test program for the spice-gtk
library, remote-viewer (part of the virt-viewer package) is the recommended
spice client to use.

> 
> I would like to suppress this ability for a kiosk type application, I'm
> experimenting with xmodmaps to remap the keypress to a less "dangerous"
> one, but was hoping that there might be a way to suppress this behaviour or
> remap it from within spicy itself, I've not managed to find anything from
> existing documentation.

Recent remote viewer versions have a --hotkeys command line option which
can be used to remap the shortcut, I don't know if it also works to disable
it.

Christophe


pgpkLLqVi2Kxi.pgp
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] German keymap in Windows 7

[Christophe Fergeau]

On Mon, Jun 03, 2013 at 07:29:23AM -1000, INVITU wrote:
> 
>   
>http-equiv="Content-Type">
>   
>   
> Hello
>   
>   Alt-Gr combinations do dot work with french keymap : ~#{[|^@]}

This is likely fixed by
http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=6e180217428ffd6e8c0f835fb9c97e6e49998630
which is not part of a spice-gtk release/build yet.

Christophe


pgpA43_XYmzU1.pgp
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel