[Spice-devel] [PATCH 5/6] Allow auth to be skipped when attaching to pre-accepted clients

Daniel P. Berrange berrange at redhat.com
Fri Oct 28 05:09:49 PDT 2011 

From: "Daniel P. Berrange" <berrange at redhat.com>

When an applications passes in a pre-accepted socket for a
client, they may well have already performed suitable authentication
out of band. They should thus have the option to request that any
spice authentication is skipped.

* server/reds.c, spice.h: Add flag for skipping auth

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 server/reds.c  |   21 +++++++++++++--------
 server/spice.h |    4 ++--
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/server/reds.c b/server/reds.c
index 6c93a40..2242a47 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -258,6 +258,7 @@ typedef struct RedLinkInfo {
     int mess_pos;
     TicketInfo tiTicketing;
     SpiceLinkAuthMechanism auth_mechanism;
+    int skip_auth;
 } RedLinkInfo;
 
 typedef struct VDIPortBuf VDIPortBuf;
@@ -1404,9 +1405,9 @@ static void reds_channel_set_common_caps(RedsChannel *channel, int cap, int acti
     }
 }
 
-static void reds_channel_init_auth_caps(RedsChannel *channel)
+static void reds_channel_init_auth_caps(RedLinkInfo *link, RedsChannel *channel)
 {
-    if (sasl_enabled) {
+    if (sasl_enabled && !link->skip_auth) {
         reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SASL, TRUE);
     } else {
         reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SPICE, TRUE);
@@ -1443,7 +1444,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
         channel = &common_caps;
     }
 
-    reds_channel_init_auth_caps(channel); /* make sure common caps are set */
+    reds_channel_init_auth_caps(link, channel); /* make sure common caps are set */
 
     ack.num_common_caps = channel->num_common_caps;
     ack.num_channel_caps = channel->base ? channel->base->num_caps : 0;
@@ -1716,7 +1717,7 @@ static void reds_handle_ticket(void *opaque)
                         link->tiTicketing.encrypted_ticket.encrypted_data,
                         (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
 
-    if (ticketing_enabled) {
+    if (ticketing_enabled && !link->skip_auth) {
         int expired = !link->link_mess->connection_id && taTicket.expiration_time < ltime;
         char *actual_sever_pass = link->link_mess->connection_id ? reds->taTicket.password :
                                                                    taTicket.password;
@@ -2479,7 +2480,7 @@ static void reds_handle_read_link_done(void *opaque)
     }
 
     if (!auth_selection) {
-        if (sasl_enabled) {
+        if (sasl_enabled && !link->skip_auth) {
             red_printf("SASL enabled, but peer supports only spice authentication");
             reds_send_link_error(link, SPICE_LINK_ERR_VERSION_MISMATCH);
             return;
@@ -2707,12 +2708,12 @@ static void reds_accept(int fd, int event, void *data)
         return;
     }
 
-    if (spice_server_add_client(reds, socket) < 0)
+    if (spice_server_add_client(reds, socket, 0) < 0)
         close(socket);
 }
 
 
-SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
+SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket, int skip_auth)
 {
     RedLinkInfo *link;
     RedsStream *stream;
@@ -2723,6 +2724,8 @@ SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
         return -1;
     }
 
+    link->skip_auth = skip_auth;
+
     stream = link->stream;
     stream->read = stream_read_cb;
     stream->write = stream_write_cb;
@@ -2733,7 +2736,7 @@ SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket)
 }
 
 
-SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket)
+SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket, int skip_auth)
 {
     RedLinkInfo *link;
 
@@ -2741,6 +2744,8 @@ SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket)
     if (!(link = reds_init_client_ssl_connection(socket))) {
         return -1;
     }
+
+    link->skip_auth = skip_auth;
     return 0;
 }
 
diff --git a/server/spice.h b/server/spice.h
index 25c9278..03fdf89 100644
--- a/server/spice.h
+++ b/server/spice.h
@@ -425,8 +425,8 @@ int spice_server_set_tls(SpiceServer *s, int port,
                          const char *private_key_file, const char *key_passwd,
                          const char *dh_key_file, const char *ciphersuite);
 
-int spice_server_add_client(SpiceServer *s, int socket);
-int spice_server_add_ssl_client(SpiceServer *s, int socket);
+int spice_server_add_client(SpiceServer *s, int socket, int skip_auth);
+int spice_server_add_ssl_client(SpiceServer *s, int socket, int skip_auth);
 
 int spice_server_add_interface(SpiceServer *s,
                                SpiceBaseInstance *sin);
-- 
1.7.6.4

More information about the Spice-devel mailing list