Message-ID: <4B265DE7.1060309@codemonkey.ws>
Date: Mon, 14 Dec 2009 09:46:47 -0600
From: Anthony Liguori
Subject: Re: [Qemu-devel] Re: Spice project is now open
References: <4B231182.1080208@codemonkey.ws> <20091212144433.GA26966@random.random> <4B23B0BE.7080408@codemonkey.ws> <20091212160626.GB26966@random.random> <4B23D585.70400@codemonkey.ws> <4B241A99.2000704@redhat.com> <4B242B40.4050409@codemonkey.ws> <4B24C5EF.2090607@redhat.com> <4B264EC4.7020500@codemonkey.ws> <4B265153.3050705@redhat.com> <20091214151705.GH23733@redhat.com> <4B265814.7060801@redhat.com>
In-Reply-To: <4B265814.7060801@redhat.com>
To: Avi Kivity
Cc: Andrea Arcangeli, Paolo Bonzini, dlaor@redhat.com, qemu-devel@nongnu.org

Avi Kivity wrote:
> On 12/14/2009 05:17 PM, Daniel P. Berrange wrote:
>>
>>> Yes - need to pass the encryption state. Hopefully the crypto stacks
>>> support this.
>>>
>> There's no mechanism for this in the SASL libraries. With GNUTLS there is
>> the ability to preserve negotiated session state from one TLS connection
>> and use it upon opening the next connection to fast-track the handshake
>> phase. This doesn't allow you to pass the state for an existing connection
>> to a new process though and have it carry on
>>
>
> This sucks. But we can ask the client to reauthenticate.

Or instead of passing the socket file descriptor, pass over a socketpair and encrypt the traffic in the server. The encryption requires no knowledge of the protocol so it can be done easily enough in the server.

You're already paying the cost for copying the data. Adding in one copy shouldn't be the end of the world.

Regards,

Anthony Liguori
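The hand-off Anthony describes, as an added illustration that is not code from this thread, from QEMU or from Spice: the server keeps the client-facing (encrypted) socket itself, creates a socketpair, sends one end to the worker with SCM_RIGHTS, and pumps plaintext between the two. The worker never sees TLS or SASL state, so nothing about the session has to survive a process boundary. For an offline run the client connection is stood in for by a plain socketpair and the worker by a thread; the function names (`pump`, `hand_off_plaintext`, `worker_receive`, `demo`) are this example's own.

```python
import socket
import threading

# Assumption: the "client" connection is a plain socketpair here. In a real
# server it would be an ssl.SSLSocket (or a SASL-wrapped stream); the pump
# below never looks at the bytes, which is the point of encrypting in the
# server rather than in the worker.


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst.

    This is the one extra copy the email accepts as the price of the design.
    """
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone; nothing left to signal


def hand_off_plaintext(client_sock: socket.socket, control_sock: socket.socket):
    """Server side: keep client_sock, pass only a socketpair end to the worker.

    control_sock is a pre-existing Unix socket to the worker process/thread
    over which the descriptor is sent with SCM_RIGHTS.
    """
    server_end, worker_end = socket.socketpair()
    socket.send_fds(control_sock, [b"conn"], [worker_end.fileno()])
    worker_end.close()  # the worker now owns its own copy of the descriptor
    t_in = threading.Thread(target=pump, args=(client_sock, server_end))
    t_out = threading.Thread(target=pump, args=(server_end, client_sock))
    t_in.start()
    t_out.start()
    return t_in, t_out, server_end


def worker_receive(control_sock: socket.socket) -> socket.socket:
    """Worker side: receive the passed descriptor and wrap it as a socket."""
    msg, fds, _flags, _addr = socket.recv_fds(control_sock, 16, 1)
    if msg != b"conn" or len(fds) != 1:
        raise RuntimeError("unexpected control message")
    return socket.socket(fileno=fds[0])  # family/type are read from the fd


def demo(request: bytes) -> bytes:
    """Run one request through client -> server pump -> worker and back.

    The worker simply upper-cases what it receives; constructed test traffic.
    """
    client_side, server_client = socket.socketpair()  # stands in for TLS conn
    ctl_server, ctl_worker = socket.socketpair()      # server<->worker control

    def worker() -> None:
        conn = worker_receive(ctl_worker)
        data = conn.recv(4096)
        conn.sendall(data.upper())
        conn.close()

    wt = threading.Thread(target=worker)
    wt.start()

    t_in, t_out, server_end = hand_off_plaintext(server_client, ctl_server)

    client_side.sendall(request)
    client_side.shutdown(socket.SHUT_WR)  # tell the server we are done sending
    response = b""
    while True:
        chunk = client_side.recv(4096)
        if not chunk:
            break
        response += chunk

    for t in (wt, t_in, t_out):
        t.join()
    for s in (client_side, server_client, server_end, ctl_server, ctl_worker):
        s.close()
    return response


if __name__ == "__main__":
    print(demo(b"hello from the spice client"))
```

Because `pump` is protocol-agnostic, the same relay serves any worker protocol; the cost is one additional user-space copy per direction, which is the trade the email argues is acceptable. `socket.send_fds`/`socket.recv_fds` need Python 3.9+ on a Unix platform.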