From 30b947df1b25cf741f6863b4c3f77e0016aa4898 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
Date: Mon, 11 Jun 2018 23:50:05 +0200
Subject: [PATCH 2/2] libvncserver: Add channel security handlers

Add another type of security handler that is meant to be used initially
to set up a secure channel. Regular security handlers would be
advertised and processed after any channel security have succeeded.

For example, this, together with the custom I/O functions allows a
LibVNCServer user to implement TLS in combination with VNCAuth. This is
done by adding a single channel security handler with the rfbTLS (18)
with a handler that initiates a TLS session, and when a TLS session is
initiated, the regular security handler list is sent.
---
 libvncserver/auth.c      | 164 ++++++++++++++++++++++++++++++---------
 libvncserver/rfbserver.c |   1 +
 rfb/rfb.h                |  15 +++-
 3 files changed, 142 insertions(+), 38 deletions(-)

diff --git a/libvncserver/auth.c b/libvncserver/auth.c
index 814a8142..55e0b3c9 100644
--- a/libvncserver/auth.c
+++ b/libvncserver/auth.c
@@ -37,18 +37,17 @@ void rfbClientSendString(rfbClientPtr cl, const char *reason);
  * Handle security types
  */
 
+/* Channel security handlers to set up a secure channel, e.g. TLS. */
+static rfbSecurityHandler* channelSecurityHandlers = NULL;
+
+/* Security handlers when channel security is established. */
 static rfbSecurityHandler* securityHandlers = NULL;
 
-/*
- * This method registers a list of new security types.  
- * It avoids same security type getting registered multiple times. 
- * The order is not preserved if multiple security types are
- * registered at one-go.
- */
 void
-rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
+rfbRegisterSecurityHandlerTo(rfbSecurityHandler* handler,
+                             rfbSecurityHandler** handlerList)
 {
-	rfbSecurityHandler *head = securityHandlers, *next = NULL;
+	rfbSecurityHandler *head = *handlerList, *next = NULL;
 
 	if(handler == NULL)
 		return;
@@ -57,39 +56,35 @@ rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
 
 	while(head != NULL) {
 		if(head == handler) {
-			rfbRegisterSecurityHandler(next);
+			rfbRegisterSecurityHandlerTo(next, handlerList);
 			return;
 		}
 
 		head = head->next;
 	}
 
-	handler->next = securityHandlers;
-	securityHandlers = handler;
+	handler->next = *handlerList;
+	*handlerList = handler;
 
-	rfbRegisterSecurityHandler(next);
+	rfbRegisterSecurityHandlerTo(next, handlerList);
 }
 
-/*
- * This method unregisters a list of security types. 
- * These security types won't be available for any new
- * client connection. 
- */
-void
-rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
+static void
+rfbUnregisterSecurityHandlerFrom(rfbSecurityHandler* handler,
+                                 rfbSecurityHandler** handlerList)
 {
 	rfbSecurityHandler *cur = NULL, *pre = NULL;
 
 	if(handler == NULL)
 		return;
 
-	if(securityHandlers == handler) {
-		securityHandlers = securityHandlers->next;
-		rfbUnregisterSecurityHandler(handler->next);
+	if(*handlerList == handler) {
+		*handlerList = (*handlerList)->next;
+		rfbUnregisterSecurityHandlerFrom(handler->next, handlerList);
 		return;
 	}
 
-	cur = pre = securityHandlers;
+	cur = pre = *handlerList;
 
 	while(cur) {
 		if(cur == handler) {
@@ -99,7 +94,50 @@ rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
 		pre = cur;
 		cur = cur->next;
 	}
-	rfbUnregisterSecurityHandler(handler->next);
+	rfbUnregisterSecurityHandlerFrom(handler->next, handlerList);
+}
+
+void
+rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler)
+{
+    rfbRegisterSecurityHandlerTo(handler, &channelSecurityHandlers);
+}
+
+/*
+ * This method unregisters a list of security types.
+ * These security types won't be available for any new
+ * client connection.
+ */
+
+void
+rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler)
+{
+    rfbUnregisterSecurityHandlerFrom(handler, &channelSecurityHandlers);
+}
+
+/*
+ * This method registers a list of new security types.
+ * It avoids same security type getting registered multiple times.
+ * The order is not preserved if multiple security types are
+ * registered at one-go.
+ */
+
+void
+rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
+{
+    rfbRegisterSecurityHandlerTo(handler, &securityHandlers);
+}
+
+/*
+ * This method unregisters a list of security types.
+ * These security types won't be available for any new
+ * client connection.
+ */
+
+void
+rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
+{
+    rfbUnregisterSecurityHandlerFrom(handler, &securityHandlers);
 }
 
 /*
@@ -197,9 +235,22 @@ static rfbSecurityHandler VncSecurityHandlerNone = {
     NULL
 };
                         
+static int32_t
+determinePrimarySecurityType(rfbClientPtr cl)
+{
+    if (!cl->screen->authPasswdData || cl->reverseConnection) {
+        /* chk if this condition is valid or not. */
+        return rfbSecTypeNone;
+    } else if (cl->screen->authPasswdData) {
+        return rfbSecTypeVncAuth;
+    } else {
+        return rfbSecTypeInvalid;
+    }
+}
 
-static void
-rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
+void
+rfbSendSecurityTypeList(rfbClientPtr cl,
+                        enum rfbSecurityTag exclude)
 {
     /* The size of the message is the count of security types +1,
      * since the first byte is the number of types. */
@@ -207,9 +258,10 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
     rfbSecurityHandler* handler;
 #define MAX_SECURITY_TYPES 255
     uint8_t buffer[MAX_SECURITY_TYPES+1];
-
+    int32_t primaryType;
 
     /* Fill in the list of security types in the client structure. (NOTE: Not really in the client structure) */
+    primaryType = determinePrimarySecurityType(cl);
     switch (primaryType) {
     case rfbSecTypeNone:
         rfbRegisterSecurityHandler(&VncSecurityHandlerNone);
@@ -221,6 +273,9 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
 
     for (handler = securityHandlers;
 	    handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
+	if (exclude && (handler->securityTags & exclude))
+	    continue;
+
 	buffer[size] = handler->type;
 	size++;
     }
@@ -249,7 +304,29 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
     cl->state = RFB_SECURITY_TYPE;
 }
 
+static void
+rfbSendChannelSecurityTypeList(rfbClientPtr cl)
+{
+    int size = 1;
+    rfbSecurityHandler* handler;
+    uint8_t buffer[MAX_SECURITY_TYPES+1];
+
+    for (handler = channelSecurityHandlers;
+	    handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
+	buffer[size] = handler->type;
+	size++;
+    }
+    buffer[0] = (unsigned char)size-1;
+
+    if (rfbWriteExact(cl, (char *)buffer, size) < 0) {
+	rfbLogPerror("rfbSendSecurityTypeList: write");
+	rfbCloseClient(cl);
+	return;
+    }
 
+    /* Dispatch client input to rfbProcessClientChannelSecurityType. */
+    cl->state = RFB_CHANNEL_SECURITY_TYPE;
+}
 
 
 /*
@@ -297,18 +374,19 @@ rfbSendSecurityType(rfbClientPtr cl, int32_t securityType)
 void
 rfbAuthNewClient(rfbClientPtr cl)
 {
-    int32_t securityType = rfbSecTypeInvalid;
+    int32_t securityType;
 
-    if (!cl->screen->authPasswdData || cl->reverseConnection) {
-	/* chk if this condition is valid or not. */
-	securityType = rfbSecTypeNone;
-    } else if (cl->screen->authPasswdData) {
- 	    securityType = rfbSecTypeVncAuth;
-    }
+    securityType = determinePrimarySecurityType(cl);
 
     if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion < 7)
     {
 	/* Make sure we use only RFB 3.3 compatible security types. */
+	if (channelSecurityHandlers) {
+	    rfbLog("VNC channel security enabled - RFB 3.3 client rejected\n");
+	    rfbClientConnFailed(cl, "Your viewer cannot hnadler required "
+				"security methods");
+	    return;
+	}
 	if (securityType == rfbSecTypeInvalid) {
 	    rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n");
 	    rfbClientConnFailed(cl, "Your viewer cannot handle required "
@@ -316,9 +394,13 @@ rfbAuthNewClient(rfbClientPtr cl)
 	    return;
 	}
 	rfbSendSecurityType(cl, securityType);
+    } else if (channelSecurityHandlers) {
+	rfbLog("Send channel security type list\n");
+	rfbSendChannelSecurityTypeList(cl);
     } else {
 	/* Here it's ok when securityType is set to rfbSecTypeInvalid. */
-	rfbSendSecurityTypeList(cl, securityType);
+	rfbLog("Send channel security type 'none'\n");
+	rfbSendSecurityTypeList(cl, RFB_SECURITY_TAG_NONE);
     }
 }
 
@@ -332,6 +414,7 @@ rfbProcessClientSecurityType(rfbClientPtr cl)
     int n;
     uint8_t chosenType;
     rfbSecurityHandler* handler;
+    rfbSecurityHandler* handlerListHead;
     
     /* Read the security type. */
     n = rfbReadExact(cl, (char *)&chosenType, 1);
@@ -344,8 +427,17 @@ rfbProcessClientSecurityType(rfbClientPtr cl)
 	return;
     }
 
+    switch (cl->state) {
+    case RFB_CHANNEL_SECURITY_TYPE:
+        handlerListHead = channelSecurityHandlers;
+        break;
+    case RFB_SECURITY_TYPE:
+        handlerListHead = securityHandlers;
+        break;
+    }
+
     /* Make sure it was present in the list sent by the server. */
-    for (handler = securityHandlers; handler; handler = handler->next) {
+    for (handler = handlerListHead; handler; handler = handler->next) {
 	if (chosenType == handler->type) {
 	      rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType);
 	      handler->handler(cl);
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index cee87dbb..6efede61 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -654,6 +654,7 @@ rfbProcessClientMessage(rfbClientPtr cl)
     case RFB_PROTOCOL_VERSION:
         rfbProcessClientProtocolVersion(cl);
         return;
+    case RFB_CHANNEL_SECURITY_TYPE:
     case RFB_SECURITY_TYPE:
         rfbProcessClientSecurityType(cl);
         return;
diff --git a/rfb/rfb.h b/rfb/rfb.h
index 3c0b25a3..d136f884 100644
--- a/rfb/rfb.h
+++ b/rfb/rfb.h
@@ -144,6 +144,11 @@ typedef struct {
   } data; /**< there have to be count*3 entries */
 } rfbColourMap;
 
+enum rfbSecurityTag {
+    RFB_SECURITY_TAG_NONE = 0,
+    RFB_SECURITY_TAG_CHANNEL = 1 << 0
+};
+
 /**
  * Security handling (RFB protocol version 3.7)
  */
@@ -152,6 +157,7 @@ typedef struct _rfbSecurity {
 	uint8_t type;
 	void (*handler)(struct _rfbClientRec* cl);
 	struct _rfbSecurity* next;
+	enum rfbSecurityTag securityTags;
 } rfbSecurityHandler;
 
 /**
@@ -480,7 +486,7 @@ typedef struct _rfbClientRec {
                                 /** Possible client states: */
     enum {
         RFB_PROTOCOL_VERSION,   /**< establishing protocol version */
-	RFB_SECURITY_TYPE,      /**< negotiating security (RFB v.3.7) */
+        RFB_SECURITY_TYPE,      /**< negotiating security (RFB v.3.7) */
         RFB_AUTHENTICATION,     /**< authenticating */
         RFB_INITIALISATION,     /**< sending initialisation messages */
         RFB_NORMAL,             /**< normal protocol messages */
@@ -488,7 +494,9 @@ typedef struct _rfbClientRec {
         /* Ephemeral internal-use states that will never be seen by software
          * using LibVNCServer to provide services: */
 
-        RFB_INITIALISATION_SHARED /**< sending initialisation messages with implicit shared-flag already true */
+        RFB_INITIALISATION_SHARED, /**< sending initialisation messages with implicit shared-flag already true */
+
+        RFB_CHANNEL_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */
     } state;
 
     rfbBool reverseConnection;
@@ -840,6 +848,9 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl);
 extern void rfbAuthProcessClientMessage(rfbClientPtr cl);
 extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler);
 extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler);
+extern void rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler);
+extern void rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler);
+extern void rfbSendSecurityTypeList(rfbClientPtr cl, enum rfbSecurityTag exclude);
 
 /* rre.c */
 
-- 
2.25.4