author | Daniel P. Berrange <berrange@redhat.com> | 2015-03-17 13:43:00 +0000 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2015-03-18 09:25:14 +0100 |
commit | 4a48aaa9f52dbac148be24f591de2f28c58ccb5d (patch) | |
tree | 5d35842c624eb9e2601f0d6b4515b50e19e9ef6d | |
parent | 7b45a00d05cc936d28e36b95932864e8cc095968 (diff) | |
ui: ensure VNC websockets server checks the ACL if requested

If the x509verify option is requested, the VNC websockets server
was failing to validate that the websockets client provided an
x509 certificate matching the ACL rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r-- | ui/vnc-ws.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c index 5f9fcc4..85dbb7e 100644 --- a/ui/vnc-ws.c +++ b/ui/vnc-ws.c @@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs) return -1; } + if (vs->vd->tls.x509verify) { + if (vnc_tls_validate_certificate(vs) < 0) { + VNC_DEBUG("Client verification failed\n"); + vnc_client_error(vs); + return -1; + } else { + VNC_DEBUG("Client verification passed\n"); + } + } + VNC_DEBUG("Handshake done, switching to TLS data mode\n"); qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs); |
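Review bot: In the new `if (vs->vd->tls.x509verify)` block of vncws_start_tls_handshake(), a rejected client is recorded only through `VNC_DEBUG("Client verification failed\n")`. A client certificate that fails the ACL is an event an operator will want to see, so if VNC_DEBUG is compiled out in normal builds, consider reporting the rejection through a channel that survives them. Two smaller points in the same block: the `else` branch exists only to emit "Client verification passed" and follows a `return -1`, so it can be dropped or flattened to a plain statement after the `if`. A one-line comment that vnc_tls_validate_certificate() is what enforces the x509 ACL here would also help, since the function name alone does not say so and the commit message is the only place that ties this call to the ACL rules.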