|
 |
d8e4b3 |
From 5e4d810d62da0f2048ce78b3a7812e9e13968162 Mon Sep 17 00:00:00 2001
|
|
|
dde763 |
From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
|
|
|
dde763 |
Date: Mon, 11 Jun 2018 23:50:05 +0200
|
|
|
dde763 |
Subject: [PATCH 2/2] libvncserver: Add channel security handlers
|
|
|
dde763 |
|
|
|
dde763 |
Add another type of security handler that is meant to be used initially
|
|
|
dde763 |
to set up a secure channel. Regular security handlers would be
|
|
|
dde763 |
advertised and processed after any channel security have succeeded.
|
|
|
dde763 |
|
|
|
dde763 |
For example, this, together with the custom I/O functions allows a
|
|
|
dde763 |
LibVNCServer user to implement TLS in combination with VNCAuth. This is
|
|
|
dde763 |
done by adding a single channel security handler with the rfbTLS (18)
|
|
|
dde763 |
with a handler that initiates a TLS session, and when a TLS session is
|
|
|
dde763 |
initiated, the regular security handler list is sent.
|
|
|
dde763 |
---
|
|
|
d8e4b3 |
libvncserver/auth.c | 164 ++++++++++++++++++++++++++++++---------
|
|
|
dde763 |
libvncserver/rfbserver.c | 1 +
|
|
|
dde763 |
rfb/rfb.h | 15 +++-
|
|
|
d8e4b3 |
3 files changed, 142 insertions(+), 38 deletions(-)
|
|
|
dde763 |
|
|
|
dde763 |
diff --git a/libvncserver/auth.c b/libvncserver/auth.c
|
|
|
d8e4b3 |
index 814a8142..55e0b3c9 100644
|
|
|
dde763 |
--- a/libvncserver/auth.c
|
|
|
dde763 |
+++ b/libvncserver/auth.c
|
|
|
dde763 |
@@ -37,18 +37,17 @@ void rfbClientSendString(rfbClientPtr cl, const char *reason);
|
|
|
dde763 |
* Handle security types
|
|
|
dde763 |
*/
|
|
|
dde763 |
|
|
|
dde763 |
+/* Channel security handlers to set up a secure channel, e.g. TLS. */
|
|
|
dde763 |
+static rfbSecurityHandler* channelSecurityHandlers = NULL;
|
|
|
dde763 |
+
|
|
|
dde763 |
+/* Security handlers when channel security is established. */
|
|
|
dde763 |
static rfbSecurityHandler* securityHandlers = NULL;
|
|
|
dde763 |
|
|
|
dde763 |
-/*
|
|
|
dde763 |
- * This method registers a list of new security types.
|
|
|
dde763 |
- * It avoids same security type getting registered multiple times.
|
|
|
dde763 |
- * The order is not preserved if multiple security types are
|
|
|
dde763 |
- * registered at one-go.
|
|
|
dde763 |
- */
|
|
|
dde763 |
void
|
|
|
dde763 |
-rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+rfbRegisterSecurityHandlerTo(rfbSecurityHandler* handler,
|
|
|
dde763 |
+ rfbSecurityHandler** handlerList)
|
|
|
dde763 |
{
|
|
|
dde763 |
- rfbSecurityHandler *head = securityHandlers, *next = NULL;
|
|
|
dde763 |
+ rfbSecurityHandler *head = *handlerList, *next = NULL;
|
|
|
dde763 |
|
|
|
dde763 |
if(handler == NULL)
|
|
|
dde763 |
return;
|
|
|
dde763 |
@@ -57,39 +56,35 @@ rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
|
|
|
dde763 |
while(head != NULL) {
|
|
|
dde763 |
if(head == handler) {
|
|
|
dde763 |
- rfbRegisterSecurityHandler(next);
|
|
|
dde763 |
+ rfbRegisterSecurityHandlerTo(next, handlerList);
|
|
|
dde763 |
return;
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
head = head->next;
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
- handler->next = securityHandlers;
|
|
|
dde763 |
- securityHandlers = handler;
|
|
|
dde763 |
+ handler->next = *handlerList;
|
|
|
dde763 |
+ *handlerList = handler;
|
|
|
dde763 |
|
|
|
dde763 |
- rfbRegisterSecurityHandler(next);
|
|
|
dde763 |
+ rfbRegisterSecurityHandlerTo(next, handlerList);
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
-/*
|
|
|
dde763 |
- * This method unregisters a list of security types.
|
|
|
dde763 |
- * These security types won't be available for any new
|
|
|
dde763 |
- * client connection.
|
|
|
dde763 |
- */
|
|
|
dde763 |
-void
|
|
|
dde763 |
-rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+static void
|
|
|
dde763 |
+rfbUnregisterSecurityHandlerFrom(rfbSecurityHandler* handler,
|
|
|
dde763 |
+ rfbSecurityHandler** handlerList)
|
|
|
dde763 |
{
|
|
|
dde763 |
rfbSecurityHandler *cur = NULL, *pre = NULL;
|
|
|
dde763 |
|
|
|
dde763 |
if(handler == NULL)
|
|
|
dde763 |
return;
|
|
|
dde763 |
|
|
|
dde763 |
- if(securityHandlers == handler) {
|
|
|
dde763 |
- securityHandlers = securityHandlers->next;
|
|
|
dde763 |
- rfbUnregisterSecurityHandler(handler->next);
|
|
|
dde763 |
+ if(*handlerList == handler) {
|
|
|
dde763 |
+ *handlerList = (*handlerList)->next;
|
|
|
dde763 |
+ rfbUnregisterSecurityHandlerFrom(handler->next, handlerList);
|
|
|
dde763 |
return;
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
- cur = pre = securityHandlers;
|
|
|
dde763 |
+ cur = pre = *handlerList;
|
|
|
dde763 |
|
|
|
dde763 |
while(cur) {
|
|
|
dde763 |
if(cur == handler) {
|
|
|
dde763 |
@@ -99,7 +94,50 @@ rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
pre = cur;
|
|
|
dde763 |
cur = cur->next;
|
|
|
dde763 |
}
|
|
|
dde763 |
- rfbUnregisterSecurityHandler(handler->next);
|
|
|
dde763 |
+ rfbUnregisterSecurityHandlerFrom(handler->next, handlerList);
|
|
|
dde763 |
+}
|
|
|
dde763 |
+
|
|
|
dde763 |
+void
|
|
|
dde763 |
+rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ rfbRegisterSecurityHandlerTo(handler, &channelSecurityHandlers);
|
|
|
dde763 |
+}
|
|
|
dde763 |
+
|
|
|
dde763 |
+/*
|
|
|
dde763 |
+ * This method unregisters a list of security types.
|
|
|
dde763 |
+ * These security types won't be available for any new
|
|
|
dde763 |
+ * client connection.
|
|
|
dde763 |
+ */
|
|
|
dde763 |
+
|
|
|
dde763 |
+void
|
|
|
dde763 |
+rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ rfbUnregisterSecurityHandlerFrom(handler, &channelSecurityHandlers);
|
|
|
dde763 |
+}
|
|
|
dde763 |
+
|
|
|
dde763 |
+/*
|
|
|
dde763 |
+ * This method registers a list of new security types.
|
|
|
dde763 |
+ * It avoids same security type getting registered multiple times.
|
|
|
dde763 |
+ * The order is not preserved if multiple security types are
|
|
|
dde763 |
+ * registered at one-go.
|
|
|
dde763 |
+ */
|
|
|
dde763 |
+
|
|
|
dde763 |
+void
|
|
|
dde763 |
+rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ rfbRegisterSecurityHandlerTo(handler, &securityHandlers);
|
|
|
dde763 |
+}
|
|
|
dde763 |
+
|
|
|
dde763 |
+/*
|
|
|
dde763 |
+ * This method unregisters a list of security types.
|
|
|
dde763 |
+ * These security types won't be available for any new
|
|
|
dde763 |
+ * client connection.
|
|
|
dde763 |
+ */
|
|
|
dde763 |
+
|
|
|
dde763 |
+void
|
|
|
dde763 |
+rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ rfbUnregisterSecurityHandlerFrom(handler, &securityHandlers);
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
/*
|
|
|
dde763 |
@@ -197,9 +235,22 @@ static rfbSecurityHandler VncSecurityHandlerNone = {
|
|
|
dde763 |
NULL
|
|
|
dde763 |
};
|
|
|
dde763 |
|
|
|
dde763 |
+static int32_t
|
|
|
dde763 |
+determinePrimarySecurityType(rfbClientPtr cl)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ if (!cl->screen->authPasswdData || cl->reverseConnection) {
|
|
|
dde763 |
+ /* chk if this condition is valid or not. */
|
|
|
dde763 |
+ return rfbSecTypeNone;
|
|
|
dde763 |
+ } else if (cl->screen->authPasswdData) {
|
|
|
dde763 |
+ return rfbSecTypeVncAuth;
|
|
|
dde763 |
+ } else {
|
|
|
dde763 |
+ return rfbSecTypeInvalid;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
+}
|
|
|
dde763 |
|
|
|
dde763 |
-static void
|
|
|
dde763 |
-rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
|
|
|
dde763 |
+void
|
|
|
dde763 |
+rfbSendSecurityTypeList(rfbClientPtr cl,
|
|
|
dde763 |
+ enum rfbSecurityTag exclude)
|
|
|
dde763 |
{
|
|
|
dde763 |
/* The size of the message is the count of security types +1,
|
|
|
dde763 |
* since the first byte is the number of types. */
|
|
|
dde763 |
@@ -207,9 +258,10 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
|
|
|
dde763 |
rfbSecurityHandler* handler;
|
|
|
dde763 |
#define MAX_SECURITY_TYPES 255
|
|
|
dde763 |
uint8_t buffer[MAX_SECURITY_TYPES+1];
|
|
|
dde763 |
-
|
|
|
dde763 |
+ int32_t primaryType;
|
|
|
dde763 |
|
|
|
dde763 |
/* Fill in the list of security types in the client structure. (NOTE: Not really in the client structure) */
|
|
|
dde763 |
+ primaryType = determinePrimarySecurityType(cl);
|
|
|
dde763 |
switch (primaryType) {
|
|
|
dde763 |
case rfbSecTypeNone:
|
|
|
dde763 |
rfbRegisterSecurityHandler(&VncSecurityHandlerNone);
|
|
|
dde763 |
@@ -221,6 +273,9 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
|
|
|
dde763 |
|
|
|
dde763 |
for (handler = securityHandlers;
|
|
|
dde763 |
handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
|
|
|
dde763 |
+ if (exclude && (handler->securityTags & exclude))
|
|
|
dde763 |
+ continue;
|
|
|
dde763 |
+
|
|
|
dde763 |
buffer[size] = handler->type;
|
|
|
dde763 |
size++;
|
|
|
dde763 |
}
|
|
|
dde763 |
@@ -249,7 +304,29 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
|
|
|
dde763 |
cl->state = RFB_SECURITY_TYPE;
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
+static void
|
|
|
dde763 |
+rfbSendChannelSecurityTypeList(rfbClientPtr cl)
|
|
|
dde763 |
+{
|
|
|
dde763 |
+ int size = 1;
|
|
|
dde763 |
+ rfbSecurityHandler* handler;
|
|
|
dde763 |
+ uint8_t buffer[MAX_SECURITY_TYPES+1];
|
|
|
dde763 |
+
|
|
|
dde763 |
+ for (handler = channelSecurityHandlers;
|
|
|
dde763 |
+ handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
|
|
|
dde763 |
+ buffer[size] = handler->type;
|
|
|
dde763 |
+ size++;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
+ buffer[0] = (unsigned char)size-1;
|
|
|
dde763 |
+
|
|
|
dde763 |
+ if (rfbWriteExact(cl, (char *)buffer, size) < 0) {
|
|
|
dde763 |
+ rfbLogPerror("rfbSendSecurityTypeList: write");
|
|
|
dde763 |
+ rfbCloseClient(cl);
|
|
|
dde763 |
+ return;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
|
|
|
dde763 |
+ /* Dispatch client input to rfbProcessClientChannelSecurityType. */
|
|
|
dde763 |
+ cl->state = RFB_CHANNEL_SECURITY_TYPE;
|
|
|
dde763 |
+}
|
|
|
dde763 |
|
|
|
dde763 |
|
|
|
dde763 |
/*
|
|
|
dde763 |
@@ -297,18 +374,19 @@ rfbSendSecurityType(rfbClientPtr cl, int32_t securityType)
|
|
|
dde763 |
void
|
|
|
dde763 |
rfbAuthNewClient(rfbClientPtr cl)
|
|
|
dde763 |
{
|
|
|
dde763 |
- int32_t securityType = rfbSecTypeInvalid;
|
|
|
dde763 |
+ int32_t securityType;
|
|
|
dde763 |
|
|
|
dde763 |
- if (!cl->screen->authPasswdData || cl->reverseConnection) {
|
|
|
dde763 |
- /* chk if this condition is valid or not. */
|
|
|
dde763 |
- securityType = rfbSecTypeNone;
|
|
|
dde763 |
- } else if (cl->screen->authPasswdData) {
|
|
|
dde763 |
- securityType = rfbSecTypeVncAuth;
|
|
|
dde763 |
- }
|
|
|
dde763 |
+ securityType = determinePrimarySecurityType(cl);
|
|
|
dde763 |
|
|
|
dde763 |
if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion < 7)
|
|
|
dde763 |
{
|
|
|
dde763 |
/* Make sure we use only RFB 3.3 compatible security types. */
|
|
|
dde763 |
+ if (channelSecurityHandlers) {
|
|
|
dde763 |
+ rfbLog("VNC channel security enabled - RFB 3.3 client rejected\n");
|
|
|
dde763 |
+ rfbClientConnFailed(cl, "Your viewer cannot hnadler required "
|
|
|
dde763 |
+ "security methods");
|
|
|
dde763 |
+ return;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
if (securityType == rfbSecTypeInvalid) {
|
|
|
dde763 |
rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n");
|
|
|
dde763 |
rfbClientConnFailed(cl, "Your viewer cannot handle required "
|
|
|
d8e4b3 |
@@ -316,9 +394,13 @@ rfbAuthNewClient(rfbClientPtr cl)
|
|
|
dde763 |
return;
|
|
|
dde763 |
}
|
|
|
dde763 |
rfbSendSecurityType(cl, securityType);
|
|
|
dde763 |
+ } else if (channelSecurityHandlers) {
|
|
|
d8e4b3 |
+ rfbLog("Send channel security type list\n");
|
|
|
dde763 |
+ rfbSendChannelSecurityTypeList(cl);
|
|
|
dde763 |
} else {
|
|
|
dde763 |
/* Here it's ok when securityType is set to rfbSecTypeInvalid. */
|
|
|
dde763 |
- rfbSendSecurityTypeList(cl, securityType);
|
|
|
d8e4b3 |
+ rfbLog("Send channel security type 'none'\n");
|
|
|
dde763 |
+ rfbSendSecurityTypeList(cl, RFB_SECURITY_TAG_NONE);
|
|
|
dde763 |
}
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
d8e4b3 |
@@ -332,6 +414,7 @@ rfbProcessClientSecurityType(rfbClientPtr cl)
|
|
|
dde763 |
int n;
|
|
|
dde763 |
uint8_t chosenType;
|
|
|
dde763 |
rfbSecurityHandler* handler;
|
|
|
dde763 |
+ rfbSecurityHandler* handlerListHead;
|
|
|
dde763 |
|
|
|
dde763 |
/* Read the security type. */
|
|
|
dde763 |
n = rfbReadExact(cl, (char *)&chosenType, 1);
|
|
|
d8e4b3 |
@@ -344,8 +427,17 @@ rfbProcessClientSecurityType(rfbClientPtr cl)
|
|
|
dde763 |
return;
|
|
|
dde763 |
}
|
|
|
dde763 |
|
|
|
dde763 |
+ switch (cl->state) {
|
|
|
dde763 |
+ case RFB_CHANNEL_SECURITY_TYPE:
|
|
|
dde763 |
+ handlerListHead = channelSecurityHandlers;
|
|
|
dde763 |
+ break;
|
|
|
dde763 |
+ case RFB_SECURITY_TYPE:
|
|
|
dde763 |
+ handlerListHead = securityHandlers;
|
|
|
dde763 |
+ break;
|
|
|
dde763 |
+ }
|
|
|
dde763 |
+
|
|
|
dde763 |
/* Make sure it was present in the list sent by the server. */
|
|
|
dde763 |
- for (handler = securityHandlers; handler; handler = handler->next) {
|
|
|
dde763 |
+ for (handler = handlerListHead; handler; handler = handler->next) {
|
|
|
dde763 |
if (chosenType == handler->type) {
|
|
|
dde763 |
rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType);
|
|
|
dde763 |
handler->handler(cl);
|
|
|
dde763 |
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
|
|
d8e4b3 |
index 0c8ee735..421d8c7f 100644
|
|
|
dde763 |
--- a/libvncserver/rfbserver.c
|
|
|
dde763 |
+++ b/libvncserver/rfbserver.c
|
|
|
d8e4b3 |
@@ -640,6 +640,7 @@ rfbProcessClientMessage(rfbClientPtr cl)
|
|
|
dde763 |
case RFB_PROTOCOL_VERSION:
|
|
|
dde763 |
rfbProcessClientProtocolVersion(cl);
|
|
|
dde763 |
return;
|
|
|
dde763 |
+ case RFB_CHANNEL_SECURITY_TYPE:
|
|
|
dde763 |
case RFB_SECURITY_TYPE:
|
|
|
dde763 |
rfbProcessClientSecurityType(cl);
|
|
|
dde763 |
return;
|
|
|
dde763 |
diff --git a/rfb/rfb.h b/rfb/rfb.h
|
|
|
d8e4b3 |
index 2e5597a9..d2a7c9fb 100644
|
|
|
dde763 |
--- a/rfb/rfb.h
|
|
|
dde763 |
+++ b/rfb/rfb.h
|
|
|
d8e4b3 |
@@ -181,6 +181,11 @@ typedef struct {
|
|
|
dde763 |
} data; /**< there have to be count*3 entries */
|
|
|
dde763 |
} rfbColourMap;
|
|
|
dde763 |
|
|
|
dde763 |
+enum rfbSecurityTag {
|
|
|
dde763 |
+ RFB_SECURITY_TAG_NONE = 0,
|
|
|
dde763 |
+ RFB_SECURITY_TAG_CHANNEL = 1 << 0
|
|
|
dde763 |
+};
|
|
|
dde763 |
+
|
|
|
dde763 |
/**
|
|
|
dde763 |
* Security handling (RFB protocol version 3.7)
|
|
|
dde763 |
*/
|
|
|
d8e4b3 |
@@ -189,6 +194,7 @@ typedef struct _rfbSecurity {
|
|
|
dde763 |
uint8_t type;
|
|
|
dde763 |
void (*handler)(struct _rfbClientRec* cl);
|
|
|
dde763 |
struct _rfbSecurity* next;
|
|
|
dde763 |
+ enum rfbSecurityTag securityTags;
|
|
|
dde763 |
} rfbSecurityHandler;
|
|
|
dde763 |
|
|
|
dde763 |
/**
|
|
|
d8e4b3 |
@@ -505,7 +511,7 @@ typedef struct _rfbClientRec {
|
|
|
dde763 |
/** Possible client states: */
|
|
|
dde763 |
enum {
|
|
|
dde763 |
RFB_PROTOCOL_VERSION, /**< establishing protocol version */
|
|
|
dde763 |
- RFB_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */
|
|
|
dde763 |
+ RFB_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */
|
|
|
dde763 |
RFB_AUTHENTICATION, /**< authenticating */
|
|
|
dde763 |
RFB_INITIALISATION, /**< sending initialisation messages */
|
|
|
dde763 |
RFB_NORMAL, /**< normal protocol messages */
|
|
|
d8e4b3 |
@@ -513,7 +519,9 @@ typedef struct _rfbClientRec {
|
|
|
dde763 |
/* Ephemeral internal-use states that will never be seen by software
|
|
|
dde763 |
* using LibVNCServer to provide services: */
|
|
|
dde763 |
|
|
|
dde763 |
- RFB_INITIALISATION_SHARED /**< sending initialisation messages with implicit shared-flag already true */
|
|
|
dde763 |
+ RFB_INITIALISATION_SHARED, /**< sending initialisation messages with implicit shared-flag already true */
|
|
|
dde763 |
+
|
|
|
dde763 |
+ RFB_CHANNEL_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */
|
|
|
dde763 |
} state;
|
|
|
dde763 |
|
|
|
dde763 |
rfbBool reverseConnection;
|
|
|
d8e4b3 |
@@ -854,6 +862,9 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl);
|
|
|
dde763 |
extern void rfbAuthProcessClientMessage(rfbClientPtr cl);
|
|
|
dde763 |
extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler);
|
|
|
dde763 |
extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler);
|
|
|
dde763 |
+extern void rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler);
|
|
|
dde763 |
+extern void rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler);
|
|
|
dde763 |
+extern void rfbSendSecurityTypeList(rfbClientPtr cl, enum rfbSecurityTag exclude);
|
|
|
dde763 |
|
|
|
dde763 |
/* rre.c */
|
|
|
dde763 |
|
|
|
dde763 |
--
|
|
|
d8e4b3 |
2.23.0
|
|
|
dde763 |
|