authorDaniel P. Berrange <berrange@redhat.com>2015-03-17 13:43:00 +0000
committerGerd Hoffmann <kraxel@redhat.com>2015-03-18 09:25:14 +0100
commit4a48aaa9f52dbac148be24f591de2f28c58ccb5d (patch)
tree5d35842c624eb9e2601f0d6b4515b50e19e9ef6d
parent7b45a00d05cc936d28e36b95932864e8cc095968 (diff)
ui: ensure VNC websockets server checks the ACL if requested
If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r--ui/vnc-ws.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 5f9fcc4..85dbb7e 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs)
return -1;
}
+ if (vs->vd->tls.x509verify) {
+ if (vnc_tls_validate_certificate(vs) < 0) {
+ VNC_DEBUG("Client verification failed\n");
+ vnc_client_error(vs);
+ return -1;
+ } else {
+ VNC_DEBUG("Client verification passed\n");
+ }
+ }
+
VNC_DEBUG("Handshake done, switching to TLS data mode\n");
qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
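Review bot: The rejection path at `VNC_DEBUG("Client verification failed\n")` reports a failed certificate/ACL check only through the debug macro, which as far as I know expands to nothing unless VNC debugging is compiled in. A production build would then drop the client without leaving anything an operator can audit or alert on, so consider an unconditional log line there using whatever error reporting this file already has. The `else` after `return -1;` is redundant and can be flattened so the "passed" message sits at the block's own indent level. The new block would also benefit from a comment such as `/* Enforce the x509 ACL before switching to data mode; no client data is handled until this passes. */`, because its position ahead of the `qemu_set_fd_handler2` call is what makes the check effective. The commit message implies the non-websockets TLS path already has an equivalent check; if so, a shared helper would keep the two paths from drifting apart again. `vncws_start_tls_handshake` begins and continues outside this hunk.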