ui: ensure VNC websockets server checks the ACL if requested

If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

ui: ensure VNC websockets server checks the ACL if requested
If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
4a48aaa9 · Daniel P. Berrange · Gerd Hoffmann · 7b45a00d · 4a48aaa9
隐藏空白更改
内联并排

Showing with 10 addition and 0 deletion

ui/vnc-ws.c ui/vnc-ws.c +10 -0

未找到文件。
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -45,6 +45,16 @@ static int vncws_start_tls_handshake(struct VncState *vs)
        return -1;
    }

+    if (vs->vd->tls.x509verify) {
+        if (vnc_tls_validate_certificate(vs) < 0) {
+            VNC_DEBUG("Client verification failed\n");
+            vnc_client_error(vs);
+            return -1;
+        } else {
+            VNC_DEBUG("Client verification passed\n");
+        }
+    }
+
    VNC_DEBUG("Handshake done, switching to TLS data mode\n");
    qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);