[Spice-devel] [PATCH 5/6] Allow auth to be skipped when attaching to pre-accepted clients

Marc-André Lureau marcandre.lureau at gmail.com
Wed Oct 26 06:30:12 PDT 2011


Hi

On Fri, Oct 21, 2011 at 5:11 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> When an application passes in a pre-accepted socket for a
> client, they may well have already performed suitable authentication
> out of band. They should thus have the option to request that any
> spice authentication is skipped.
>
> * server/reds.c, spice.h: Add flag for skipping auth
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  server/reds.c  |   19 ++++++++++++-------
>  server/spice.h |    4 ++--
>  2 files changed, 14 insertions(+), 9 deletions(-)
>
> diff --git a/server/reds.c b/server/reds.c
> index 3321111..4ceecda 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -258,6 +258,7 @@ typedef struct RedLinkInfo {
>     int mess_pos;
>     TicketInfo tiTicketing;
>     SpiceLinkAuthMechanism auth_mechanism;
> +    int skipAuth;

Even if there are plenty of exceptions, I think we prefer "skip_auth"
in lower_case.

>  } RedLinkInfo;
>
>  typedef struct VDIPortBuf VDIPortBuf;
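Review bot: The new `skipAuth` field is assigned only in spice_server_add_client and spice_server_add_ssl_client (later hunks); the links that reds_accept creates for sockets the server accepts itself are not touched by this patch, so unless RedLinkInfo comes from a zeroing allocator the field is uninitialized on that path and any stale nonzero value would bypass the ticket and SASL checks. The allocation site is outside this hunk, so I can't confirm which allocator is used; if it is not zeroing, add `link->skipAuth = 0;` where the accept path initializes its RedLinkInfo. Since this field gates authentication, the fail-closed default is worth stating explicitly rather than relying on allocator behaviour, and a comment on the field, `int skipAuth; /* nonzero: caller authenticated the peer out of band; ticket/SASL checks are bypassed */`, would record its meaning.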
> @@ -1404,9 +1405,9 @@ static void reds_channel_set_common_caps(RedsChannel *channel, int cap, int acti
>     }
>  }
>
> -static void reds_channel_init_auth_caps(RedsChannel *channel)
> +static void reds_channel_init_auth_caps(RedLinkInfo *link, RedsChannel *channel)
>  {
> -    if (sasl_enabled) {
> +    if (sasl_enabled && !link->skipAuth) {
>         reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SASL, TRUE);
>     } else {
>         reds_channel_set_common_caps(channel, SPICE_COMMON_CAP_AUTH_SPICE, TRUE);
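Review bot: With `skipAuth` set the function falls into the else branch and still advertises SPICE_COMMON_CAP_AUTH_SPICE, so the client goes through the full ticket exchange and the server then ignores the result in reds_handle_ticket (a later hunk) — that is not obvious from the code and deserves a comment on the else branch, e.g. `/* skipAuth: advertise plain spice auth so the client completes the link; the ticket itself is not checked */`. The same `&& !link->skipAuth` guard is also added in reds_handle_ticket and reds_handle_read_link_done; the three sites make the same decision independently, so a one-line helper such as `static int reds_link_auth_required(const RedLinkInfo *link)` used by all three would keep a future auth check from forgetting the flag. The closing brace of reds_channel_init_auth_caps is outside the hunk.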
> @@ -1443,7 +1444,7 @@ static int reds_send_link_ack(RedLinkInfo *link)
>         channel = &common_caps;
>     }
>
> -    reds_channel_init_auth_caps(channel); /* make sure common caps are set */
> +    reds_channel_init_auth_caps(link, channel); /* make sure common caps are set */
>
>     ack.num_common_caps = channel->num_common_caps;
>     ack.num_channel_caps = channel->base ? channel->base->num_caps : 0;
> @@ -1716,7 +1717,7 @@ static void reds_handle_ticket(void *opaque)
>                         link->tiTicketing.encrypted_ticket.encrypted_data,
>                         (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
>
> -    if (ticketing_enabled) {
> +    if (ticketing_enabled && !link->skipAuth) {
>         int expired = !link->link_mess->connection_id && taTicket.expiration_time < ltime;
>         char *actual_sever_pass = link->link_mess->connection_id ? reds->taTicket.password :
>                                                                    taTicket.password;
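Review bot: The ticket is still RSA-decrypted (the call that ends just above the changed condition, using link->tiTicketing.rsa with RSA_PKCS1_OAEP_PADDING) before `link->skipAuth` is consulted, so a link that was authenticated out of band still runs the server's private-key operation on client-supplied ciphertext and then discards the result. Testing skipAuth before the decrypt and going straight to the accepted path would avoid that work and make the bypass independent of whether the decrypt succeeds. The head of reds_handle_ticket and whatever handles a decrypt failure are outside the hunk, so I can't tell whether a malformed ticket currently rejects a skip-auth link before this condition is reached; that is worth confirming either way.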
> @@ -2479,7 +2480,7 @@ static void reds_handle_read_link_done(void *opaque)
>     }
>
>     if (!auth_selection) {
> -        if (sasl_enabled) {
> +        if (sasl_enabled && !link->skipAuth) {
>             red_printf("SASL enabled, but peer supports only spice authentication");
>             reds_send_link_error(link, SPICE_LINK_ERR_VERSION_MISMATCH);
>             return;
> @@ -2725,7 +2726,7 @@ static void reds_accept(int fd, int event, void *data)
>  }
>
>
> -int spice_server_add_client(SpiceServer *s, int socket)
> +SPICE_GNUC_VISIBLE int spice_server_add_client(SpiceServer *s, int socket, int skipAuth)
>  {
>     RedLinkInfo *link;
>     RedsStream *stream;
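Review bot: Adding a third parameter to the exported spice_server_add_client changes the public API and ABI of the server library, so every application built against the two-argument prototype stops compiling, and the commit message does not mention the break. If existing callers must keep working, leave the old signature alone and add a separate entry point or a setter for the skip-auth option; if the break is intended, say so in the description and bump the library interface version alongside the header change. The same applies to spice_server_add_ssl_client in the following hunk and to the prototypes in spice.h. The SPICE_GNUC_VISIBLE annotation added on the same line is an unrelated change that the message also does not describe.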
> @@ -2735,6 +2736,8 @@ int spice_server_add_client(SpiceServer *s, int socket)
>         return -1;
>     }
>
> +    link->skipAuth = skipAuth;
> +
>     stream = link->stream;
>     stream->read = stream_read_cb;
>     stream->write = stream_write_cb;
> @@ -2745,13 +2748,15 @@ int spice_server_add_client(SpiceServer *s, int socket)
>  }
>
>
> -int spice_server_add_ssl_client(SpiceServer *s, int socket)
> +SPICE_GNUC_VISIBLE int spice_server_add_ssl_client(SpiceServer *s, int socket, int skipAuth)
>  {
>     RedLinkInfo *link;
>
>     if (!(link = reds_init_client_ssl_connection(socket))) {
>         return -1;
>     }
> +
> +    link->skipAuth = skipAuth;
>     return 0;
>  }
>
> diff --git a/server/spice.h b/server/spice.h
> index 25c9278..b41c7ef 100644
> --- a/server/spice.h
> +++ b/server/spice.h
> @@ -425,8 +425,8 @@ int spice_server_set_tls(SpiceServer *s, int port,
>                          const char *private_key_file, const char *key_passwd,
>                          const char *dh_key_file, const char *ciphersuite);
>
> -int spice_server_add_client(SpiceServer *s, int socket);
> -int spice_server_add_ssl_client(SpiceServer *s, int socket);
> +int spice_server_add_client(SpiceServer *s, int socket, int skipAuth);
> +int spice_server_add_ssl_client(SpiceServer *s, int socket, int skipAuth);
>
>  int spice_server_add_interface(SpiceServer *s,
>                                SpiceBaseInstance *sin);
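Review bot: The new `skipAuth` parameter reaches the public header without any description of what a caller is opting out of, which matters because a nonzero value disables both the ticket check and the SASL requirement for that connection. A comment above the two prototypes along the lines of `/* skipAuth: nonzero if the caller has already authenticated the peer out of band; spice ticket and SASL authentication are then bypassed for this client */` would make that explicit, and the documented contract should state that only a caller which has actually verified the peer's identity may set it.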
> --
> 1.7.6.4
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>



-- 
Marc-André Lureau

