From: "Daniel P. Berrange" <[email protected]> When an applications passes in a pre-accepted socket for a client, they may well have already performed suitable authentication out of band. They should thus have the option to request that any spice authentication is skipped.
* server/reds.c, spice.h: Add flag for skipping auth Signed-off-by: Daniel P. Berrange <[email protected]> --- server/reds.c | 19 ++++++++++++------- server/spice.h | 4 ++-- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/server/reds.c b/server/reds.c index 3321111..4ceecda 100644 --- a/server/reds.c +++ b/server/reds.c @@ -258,6 +258,7 @@ typedef struct RedLinkInfo { int mess_pos; TicketInfo tiTicketing; SpiceLinkAuthMechanism auth_mechanism; + int skipAuth; } RedLinkInfo; typedef struct VDIPortBuf VDIPortBuf; @@ -1404,9 +1405,9 @@ static void reds_channel_set_common_caps(RedsChannel *channel, int cap, int acti } } -static void reds_channel_init_auth_caps(RedsChannel *channel) +static void reds_channel_init_auth_caps(RedLinkInfo *link, RedsChannel *channel) { - if (sasl_enabled) { + if (sasl_enabled && !link->skipAuth) { reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SASL, TRUE); } else { reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SPICE, TRUE); @@ -1443,7 +1444,7 @@ static int reds_send_link_ack(RedLinkInfo *link) channel = &common_caps; } - reds_channel_init_auth_caps(channel); /* make sure common caps are set */ + reds_channel_init_auth_caps(link, channel); /* make sure common caps are set */ ack.num_common_caps = channel->num_common_caps; ack.num_channel_caps = channel->base ? channel->base->num_caps : 0; @@ -1716,7 +1717,7 @@ static void reds_handle_ticket(void *opaque) link->tiTicketing.encrypted_ticket.encrypted_data, (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); - if (ticketing_enabled) { + if (ticketing_enabled && !link->skipAuth) { int expired = !link->link_mess->connection_id && taTicket.expiration_time < ltime; char *actual_sever_pass = link->link_mess->connection_id ? reds->taTicket.password : taTicket.password; @@ -2479,7 +2480,7 @@ static void reds_handle_read_link_done(void *opaque) } if (!auth_selection) { - if (sasl_enabled) { + if (sasl_enabled && !link->skipAuth) { red_printf("SASL enabled, but peer supports only spice authentication"); reds_send_link_error(link, SPICE_LINK_ERR_VERSION_MISMATCH); return; @@ -2725,7 +2726,7 @@ static void reds_accept(int fd, int event, void *data) } -int spice_server_add_client(SpiceServer *s, int socket) +SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket, int skipAuth) { RedLinkInfo *link; RedsStream *stream; @@ -2735,6 +2736,8 @@ int spice_server_add_client(SpiceServer *s, int socket) return -1; } + link->skipAuth = skipAuth; + stream = link->stream; stream->read = stream_read_cb; stream->write = stream_write_cb; @@ -2745,13 +2748,15 @@ int spice_server_add_client(SpiceServer *s, int socket) } -int spice_server_add_ssl_client(SpiceServer *s, int socket) +SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket, int skipAuth) { RedLinkInfo *link; if (!(link = reds_init_client_ssl_connection(socket))) { return -1; } + + link->skipAuth = skipAuth; return 0; } diff --git a/server/spice.h b/server/spice.h index 25c9278..b41c7ef 100644 --- a/server/spice.h +++ b/server/spice.h @@ -425,8 +425,8 @@ int spice_server_set_tls(SpiceServer *s, int port, const char *private_key_file, const char *key_passwd, const char *dh_key_file, const char *ciphersuite); -int spice_server_add_client(SpiceServer *s, int socket); -int spice_server_add_ssl_client(SpiceServer *s, int socket); +int spice_server_add_client(SpiceServer *s, int socket, int skipAuth); +int spice_server_add_ssl_client(SpiceServer *s, int socket, int skipAuth); int spice_server_add_interface(SpiceServer *s, SpiceBaseInstance *sin); -- 1.7.6.4 _______________________________________________ Spice-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/spice-devel
