ui: ensure VNC websockets server checks the ACL if requested

If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Daniel P. Berrange <berrange@redhat.com> 2015-03-17 13:43:00 +0000
committer: Gerd Hoffmann <kraxel@redhat.com> 2015-03-18 09:25:14 +0100
commit: 4a48aaa9f52dbac148be24f591de2f28c58ccb5d (patch)
tree: 5d35842c624eb9e2601f0d6b4515b50e19e9ef6d /ui/vnc-ws.c
parent: 7b45a00d05cc936d28e36b95932864e8cc095968 (diff)
download: qemu-4a48aaa9f52dbac148be24f591de2f28c58ccb5d.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 5f9fcc42db..85dbb7e6ae 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs)
         return -1;
     }
 
+    if (vs->vd->tls.x509verify) {
+        if (vnc_tls_validate_certificate(vs) < 0) {
+            VNC_DEBUG("Client verification failed\n");
+            vnc_client_error(vs);
+            return -1;
+        } else {
+            VNC_DEBUG("Client verification passed\n");
+        }
+    }
+
     VNC_DEBUG("Handshake done, switching to TLS data mode\n");
     qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
author	Daniel P. Berrange <berrange@redhat.com>	2015-03-17 13:43:00 +0000
committer	Gerd Hoffmann <kraxel@redhat.com>	2015-03-18 09:25:14 +0100
commit	4a48aaa9f52dbac148be24f591de2f28c58ccb5d (patch)
tree	5d35842c624eb9e2601f0d6b4515b50e19e9ef6d /ui/vnc-ws.c
parent	7b45a00d05cc936d28e36b95932864e8cc095968 (diff)
download	qemu-4a48aaa9f52dbac148be24f591de2f28c58ccb5d.tar.gz