1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
/*
* auth.c - deal with authentication.
*
* This file implements the VNC authentication protocol when setting up an RFB
* connection.
*/
/*
* Copyright (C) 2005 Rohit Kumar, Johannes E. Schindelin
* OSXvnc Copyright (C) 2001 Dan McGuirk <mcguirk@incompleteness.net>.
* Original Xvnc code Copyright (C) 1999 AT&T Laboratories Cambridge.
* All Rights Reserved.
*
* This is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this software; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
#include <rfb/rfb.h>
/* RFB 3.8 clients are well informed */
void rfbClientSendString(rfbClientPtr cl, char *reason);
/*
* Handle security types
*/
static rfbSecurityHandler* securityHandlers = NULL;
/*
* This method registers a list of new security types.
* It avoids same security type getting registered multiple times.
* The order is not preserved if multiple security types are
* registered at one-go.
*/
void
rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
{
rfbSecurityHandler *head = securityHandlers, *next = NULL;
if(handler == NULL)
return;
next = handler->next;
while(head != NULL) {
if(head == handler) {
rfbRegisterSecurityHandler(next);
return;
}
head = head->next;
}
handler->next = securityHandlers;
securityHandlers = handler;
rfbRegisterSecurityHandler(next);
}
/*
* This method unregisters a list of security types.
* These security types won't be available for any new
* client connection.
*/
void
rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
{
rfbSecurityHandler *cur = NULL, *pre = NULL;
if(handler == NULL)
return;
if(securityHandlers == handler) {
securityHandlers = securityHandlers->next;
rfbUnregisterSecurityHandler(handler->next);
return;
}
cur = pre = securityHandlers;
while(cur) {
if(cur == handler) {
pre->next = cur->next;
break;
}
pre = cur;
cur = cur->next;
}
rfbUnregisterSecurityHandler(handler->next);
}
/*
* Send the authentication challenge.
*/
static void
rfbVncAuthSendChallenge(rfbClientPtr cl)
{
/* 4 byte header is alreay sent. Which is rfbSecTypeVncAuth
(same as rfbVncAuth). Just send the challenge. */
rfbRandomBytes(cl->authChallenge);
if (rfbWriteExact(cl, (char *)cl->authChallenge, CHALLENGESIZE) < 0) {
rfbLogPerror("rfbAuthNewClient: write");
rfbCloseClient(cl);
return;
}
/* Dispatch client input to rfbVncAuthProcessResponse. */
cl->state = RFB_AUTHENTICATION;
}
/*
* Send the NO AUTHENTICATION. SCARR
*/
static void
rfbVncAuthNone(rfbClientPtr cl)
{
uint32_t authResult;
if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion > 7) {
rfbLog("rfbProcessClientSecurityType: returning securityResult for client rfb version >= 3.8\n");
authResult = Swap32IfLE(rfbVncAuthOK);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
rfbCloseClient(cl);
return;
}
}
cl->state = RFB_INITIALISATION;
return;
}
/*
* Advertise the supported security types (protocol 3.7). Here before sending
* the list of security types to the client one more security type is added
* to the list if primaryType is not set to rfbSecTypeInvalid. This security
* type is the standard vnc security type which does the vnc authentication
* or it will be security type for no authentication.
* Different security types will be added by applications using this library.
*/
static rfbSecurityHandler VncSecurityHandlerVncAuth = {
rfbSecTypeVncAuth,
rfbVncAuthSendChallenge,
NULL
};
static rfbSecurityHandler VncSecurityHandlerNone = {
rfbSecTypeNone,
rfbVncAuthNone,
NULL
};
static void
rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
{
/* The size of the message is the count of security types +1,
* since the first byte is the number of types. */
int size = 1;
rfbSecurityHandler* handler;
#define MAX_SECURITY_TYPES 255
uint8_t buffer[MAX_SECURITY_TYPES+1];
/* Fill in the list of security types in the client structure. (NOTE: Not really in the client structure) */
switch (primaryType) {
case rfbSecTypeNone:
rfbRegisterSecurityHandler(&VncSecurityHandlerNone);
break;
case rfbSecTypeVncAuth:
rfbRegisterSecurityHandler(&VncSecurityHandlerVncAuth);
break;
}
for (handler = securityHandlers;
handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
buffer[size] = handler->type;
size++;
}
buffer[0] = (unsigned char)size-1;
/* Send the list. */
if (rfbWriteExact(cl, (char *)buffer, size) < 0) {
rfbLogPerror("rfbSendSecurityTypeList: write");
rfbCloseClient(cl);
return;
}
/*
* if count is 0, we need to send the reason and close the connection.
*/
if(size <= 1) {
/* This means total count is Zero and so reason msg should be sent */
/* The execution should never reach here */
char* reason = "No authentication mode is registered!";
rfbClientSendString(cl, reason);
return;
}
/* Dispatch client input to rfbProcessClientSecurityType. */
cl->state = RFB_SECURITY_TYPE;
}
/*
* Tell the client what security type will be used (protocol 3.3).
*/
static void
rfbSendSecurityType(rfbClientPtr cl, int32_t securityType)
{
uint32_t value32;
/* Send the value. */
value32 = Swap32IfLE(securityType);
if (rfbWriteExact(cl, (char *)&value32, 4) < 0) {
rfbLogPerror("rfbSendSecurityType: write");
rfbCloseClient(cl);
return;
}
/* Decide what to do next. */
switch (securityType) {
case rfbSecTypeNone:
/* Dispatch client input to rfbProcessClientInitMessage. */
cl->state = RFB_INITIALISATION;
break;
case rfbSecTypeVncAuth:
/* Begin the standard VNC authentication procedure. */
rfbVncAuthSendChallenge(cl);
break;
default:
/* Impossible case (hopefully). */
rfbLogPerror("rfbSendSecurityType: assertion failed");
rfbCloseClient(cl);
}
}
/*
* rfbAuthNewClient is called right after negotiating the protocol
* version. Depending on the protocol version, we send either a code
* for authentication scheme to be used (protocol 3.3), or a list of
* possible "security types" (protocol 3.7).
*/
void
rfbAuthNewClient(rfbClientPtr cl)
{
int32_t securityType = rfbSecTypeInvalid;
if (!cl->screen->authPasswdData || cl->reverseConnection) {
/* chk if this condition is valid or not. */
securityType = rfbSecTypeNone;
} else if (cl->screen->authPasswdData) {
securityType = rfbSecTypeVncAuth;
}
if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion < 7)
{
/* Make sure we use only RFB 3.3 compatible security types. */
if (securityType == rfbSecTypeInvalid) {
rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n");
rfbClientConnFailed(cl, "Your viewer cannot handle required "
"authentication methods");
return;
}
rfbSendSecurityType(cl, securityType);
} else {
/* Here it's ok when securityType is set to rfbSecTypeInvalid. */
rfbSendSecurityTypeList(cl, securityType);
}
}
/*
* Read the security type chosen by the client (protocol 3.7).
*/
void
rfbProcessClientSecurityType(rfbClientPtr cl)
{
int n;
uint8_t chosenType;
rfbSecurityHandler* handler;
/* Read the security type. */
n = rfbReadExact(cl, (char *)&chosenType, 1);
if (n <= 0) {
if (n == 0)
rfbLog("rfbProcessClientSecurityType: client gone\n");
else
rfbLogPerror("rfbProcessClientSecurityType: read");
rfbCloseClient(cl);
return;
}
/* Make sure it was present in the list sent by the server. */
for (handler = securityHandlers; handler; handler = handler->next) {
if (chosenType == handler->type) {
rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType);
handler->handler(cl);
return;
}
}
rfbLog("rfbProcessClientSecurityType: wrong security type (%d) requested\n", chosenType);
rfbCloseClient(cl);
}
/*
* rfbAuthProcessClientMessage is called when the client sends its
* authentication response.
*/
void
rfbAuthProcessClientMessage(rfbClientPtr cl)
{
int n;
uint8_t response[CHALLENGESIZE];
uint32_t authResult;
if ((n = rfbReadExact(cl, (char *)response, CHALLENGESIZE)) <= 0) {
if (n != 0)
rfbLogPerror("rfbAuthProcessClientMessage: read");
rfbCloseClient(cl);
return;
}
if(!cl->screen->passwordCheck(cl,(const char*)response,CHALLENGESIZE)) {
rfbErr("rfbAuthProcessClientMessage: password check failed\n");
authResult = Swap32IfLE(rfbVncAuthFailed);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
}
/* support RFB 3.8 clients, they expect a reason *why* it was disconnected */
if (cl->protocolMinorVersion > 7) {
rfbClientSendString(cl, "password check failed!");
}
else
rfbCloseClient(cl);
return;
}
authResult = Swap32IfLE(rfbVncAuthOK);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
rfbCloseClient(cl);
return;
}
cl->state = RFB_INITIALISATION;
}
|