spice: add config options for channel security.

This allows to enforce tls or plaintext usage for certain spice channels. [ v2: code style fixup ]

spice: add config options for channel security.
This allows to enforce tls or plaintext usage for certain spice channels. [ v2: code style fixup ]
17b6dea0 · Gerd Hoffmann · 9f04e09e · 17b6dea0 · 17b6dea0 · 17b6dea0
隐藏空白更改
内联并排

Showing with 42 addition and 0 deletion

qemu-config.c qemu-config.c +6 -0

qemu-options.hx qemu-options.hx +8 -0

ui/spice-core.c ui/spice-core.c +28 -0

未找到文件。
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -391,6 +391,12 @@ QemuOptsList qemu_spice_opts = {
        },{
            .name = "tls-ciphers",
            .type = QEMU_OPT_STRING,
+        },{
+            .name = "tls-channel",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "plaintext-channel",
+            .type = QEMU_OPT_STRING,
        },{
            .name = "image-compression",
            .type = QEMU_OPT_STRING,

--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -704,6 +704,14 @@ The x509 file names can also be configured individually.
 @item tls-ciphers=<list>
 Specify which ciphers to use.

+@item tls-channel=[main|display|inputs|record|playback|tunnel]
+@item plaintext-channel=[main|display|inputs|record|playback|tunnel]
+Force specific channel to be used with or without TLS encryption.  The
+options can be specified multiple times to configure multiple
+channels.  The special name "default" can be used to set the default
+mode.  For channels which are not explicitly forced into one mode the
+spice client is allowed to pick tls/plaintext as he pleases.
+
 @item image-compression=[auto_glz|auto_lz|quic|glz|lz|off]
 Configure image compression (lossless).
 Default is auto_glz.

--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -192,6 +192,32 @@ static const char *wan_compression_names[] = {

 /* functions for the rest of qemu */

+static int add_channel(const char *name, const char *value, void *opaque)
+{
+    int security = 0;
+    int rc;
+
+    if (strcmp(name, "tls-channel") == 0) {
+        security = SPICE_CHANNEL_SECURITY_SSL;
+    }
+    if (strcmp(name, "plaintext-channel") == 0) {
+        security = SPICE_CHANNEL_SECURITY_NONE;
+    }
+    if (security == 0) {
+        return 0;
+    }
+    if (strcmp(value, "default") == 0) {
+        rc = spice_server_set_channel_security(spice_server, NULL, security);
+    } else {
+        rc = spice_server_set_channel_security(spice_server, value, security);
+    }
+    if (rc != 0) {
+        fprintf(stderr, "spice: failed to set channel security for %s\n", value);
+        exit(1);
+    }
+    return 0;
+}
+
 void qemu_spice_init(void)
 {
    QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
@@ -293,6 +319,8 @@ void qemu_spice_init(void)
    }
    spice_server_set_zlib_glz_compression(spice_server, wan_compr);

+    qemu_opt_foreach(opts, add_channel, NULL, 0);
+
    spice_server_init(spice_server, &core_interface);
    using_spice = 1;