From 58d6dff5e52010bfe49659fe4bc2bad329a9888e Mon Sep 17 00:00:00 2001
From: Andri Yngvason
Date: Fri, 29 Sep 2023 19:23:15 +0000
Subject: [PATCH] API: Consolidate setup of security constraints

---
 include/common.h | 6 ++++--
 include/neatvnc.h | 19 +++++++++----------
 src/server.c | 28 +++++++++++++++++-----------
 3 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/include/common.h b/include/common.h
index 608f01a..2b488e2 100644
--- a/include/common.h
+++ b/include/common.h
@@ -152,10 +152,12 @@ struct nvnc {
  } cursor;
  uint32_t cursor_seq;

-#ifdef ENABLE_TLS
- gnutls_certificate_credentials_t tls_creds;
+ enum nvnc_auth_flags auth_flags;
  nvnc_auth_fn auth_fn;
  void* auth_ud;
+
+#ifdef ENABLE_TLS
+ gnutls_certificate_credentials_t tls_creds;
 #endif

 #ifdef HAVE_CRYPTO
diff --git a/include/neatvnc.h b/include/neatvnc.h
index 246e2f2..1b4edb1 100644
--- a/include/neatvnc.h
+++ b/include/neatvnc.h
@@ -97,6 +97,11 @@ enum nvnc_log_level {
  NVNC_LOG_TRACE = 5,
 };

+enum nvnc_auth_flags {
+ NVNC_AUTH_REQUIRE_AUTH = 1 << 0,
+ NVNC_AUTH_REQUIRE_ENCRYPTION = 1 << 1,
+};
+
 struct nvnc_log_data {
  enum nvnc_log_level level;
  const char* file;
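Review bot: The two `nvnc_auth_flags` values enter the public header without a comment, so a caller of neatvnc.h cannot tell what each constraint rejects or how they combine, and this enum is now the only way to express the server's security policy. I would put `/* Reject clients that do not authenticate through the registered nvnc_auth_fn. */` above NVNC_AUTH_REQUIRE_AUTH and `/* Offer only security types that encrypt the session. */` above NVNC_AUTH_REQUIRE_ENCRYPTION. It is also worth stating on the enum that the flags are OR-ed together and that zero means no constraint, which is how the server.c hunks in this patch treat an unset NVNC_AUTH_REQUIRE_AUTH (security type None is offered).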
@@ -157,17 +162,11 @@ void nvnc_set_client_cleanup_fn(struct nvnc_client* self, nvnc_client_fn fn);
 void nvnc_set_cut_text_fn(struct nvnc*, nvnc_cut_text_fn fn);
 void nvnc_set_desktop_layout_fn(struct nvnc* self, nvnc_desktop_layout_fn);

-/* TODO: Changes this interface so that we have enable_auth(auth_fn),
- * set_tls_creds(key, cert), and has_tls() -> bool
- */
-
 bool nvnc_has_auth(void);
-
-int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
- const char* cert_path, nvnc_auth_fn, void* userdata);
-
-int nvnc_enable_auth2(struct nvnc* self, nvnc_auth_fn, void* userdata);
-
+int nvnc_enable_auth(struct nvnc* self, enum nvnc_auth_flags flags,
+ nvnc_auth_fn, void* userdata);
+int nvnc_set_tls_creds(struct nvnc* self, const char* privkey_path,
+ const char* cert_path);
 int nvnc_set_rsa_creds(struct nvnc* self, const char* private_key_path);

 struct nvnc_fb* nvnc_fb_new(uint16_t width, uint16_t height,
diff --git a/src/server.c b/src/server.c
index ed72e5e..d98c7a6 100644
--- a/src/server.c
+++ b/src/server.c
@@ -227,7 +227,9 @@ static int on_version_message(struct nvnc_client* client)
  (struct rfb_security_types_msg*)buf;
  security->n = 0;

- if (client->server->auth_fn) {
+ if (server->auth_flags & NVNC_AUTH_REQUIRE_AUTH) {
+ assert(server->auth_fn);
+
 #ifdef ENABLE_TLS
  if (server->tls_creds) {
  security->types[security->n++] = RFB_SECURITY_TYPE_VENCRYPT;
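Review bot: The new gate `if (server->auth_flags & NVNC_AUTH_REQUIRE_AUTH)` makes NVNC_AUTH_REQUIRE_ENCRYPTION ineffective on its own: a server configured with only the encryption flag takes the else branch added in the next hunk and offers RFB_SECURITY_TYPE_NONE, an unencrypted session, which is the opposite of what the flag name promises. The `assert(server->auth_fn)` on the following line is likewise the only check that a callback was registered, and it is compiled out under NDEBUG, so a NULL auth_fn with the flag set would reach the authenticating paths unchecked. Both are cheaper to reject once in nvnc_enable_auth (the last hunk of this patch) than per connection: `if ((flags & NVNC_AUTH_REQUIRE_AUTH) && !auth_fn) return -1;` and `if ((flags & NVNC_AUTH_REQUIRE_ENCRYPTION) && !(flags & NVNC_AUTH_REQUIRE_AUTH)) return -1;`, or alternatively document in neatvnc.h that NVNC_AUTH_REQUIRE_ENCRYPTION is only honoured together with NVNC_AUTH_REQUIRE_AUTH. on_version_message starts before and continues past this hunk.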
@@ -237,13 +239,18 @@ static int on_version_message(struct nvnc_client* client)
 #ifdef HAVE_CRYPTO
  security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES256;
  security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES;
- security->types[security->n++] = RFB_SECURITY_TYPE_APPLE_DH;
+
+ if (!(server->auth_flags & NVNC_AUTH_REQUIRE_ENCRYPTION)) {
+ security->types[security->n++] = RFB_SECURITY_TYPE_APPLE_DH;
+ }
 #endif
+ } else {
+ security->n = 1;
+ security->types[0] = RFB_SECURITY_TYPE_NONE;
  }

  if (security->n == 0) {
- security->n = 1;
- security->types[0] = RFB_SECURITY_TYPE_NONE;
+ nvnc_log(NVNC_LOG_PANIC, "Failed to satisfy requested security constraints");
  }

  stream_write(client->net_stream, security, sizeof(*security) +
@@ -2293,9 +2300,8 @@ bool nvnc_has_auth(void)
 }

 EXPORT
-int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
- const char* cert_path, nvnc_auth_fn auth_fn,
- void* userdata)
+int nvnc_set_tls_creds(struct nvnc* self, const char* privkey_path,
+ const char* cert_path)
 {
 #ifdef ENABLE_TLS
  if (self->tls_creds)
@@ -2326,9 +2332,6 @@ int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
  goto cert_set_failure;
  }

- self->auth_fn = auth_fn;
- self->auth_ud = userdata;
-
  return 0;

 cert_set_failure:
@@ -2341,10 +2344,13 @@ cert_alloc_failure:
 }

 EXPORT
-int nvnc_enable_auth2(struct nvnc* self, nvnc_auth_fn auth_fn, void* userdata)
+int nvnc_enable_auth(struct nvnc* self, enum nvnc_auth_flags flags,
+ nvnc_auth_fn auth_fn, void* userdata)
 {
 #ifdef HAVE_CRYPTO
+ self->auth_flags = flags;
  self->auth_fn = auth_fn;
+ self->auth_ud = userdata;
  return 0;
 #endif
  return -1;
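Review bot: The `security->n == 0` branch now only logs at NVNC_LOG_PANIC and then falls through to the `stream_write` below it, so unless nvnc_log aborts the process at that level (not visible here) the client is sent a security-types message with an empty list and the handshake continues; RFB 3.8 expects a reason string and a closed connection in that case. Reaching n == 0 with NVNC_AUTH_REQUIRE_AUTH set means the server was configured with a constraint this build or its credentials cannot satisfy, which is a setup-time error, so checking it once in nvnc_enable_auth (and the credential setters) would be preferable; if the per-connection check stays, it should stop the handshake after the log, e.g. `nvnc_log(NVNC_LOG_PANIC, "..."); return -1;` following whatever failure convention on_version_message uses outside this hunk. Note also that NVNC_AUTH_REQUIRE_ENCRYPTION is consulted only for APPLE_DH here; whether every VeNCrypt subtype offered elsewhere encrypts is outside this hunk and worth confirming. on_version_message begins before and continues past the hunk.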
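Review bot: nvnc_enable_auth stores `flags`, `auth_fn` and `userdata` only inside `#ifdef HAVE_CRYPTO` and returns -1 otherwise, so a build with ENABLE_TLS but without HAVE_CRYPTO can no longer enable authentication at all, whereas the old nvnc_enable_auth it replaces (now nvnc_set_tls_creds, the @@ -2293 hunk) did so under ENABLE_TLS; unless HAVE_CRYPTO implies ENABLE_TLS in the build system, this is a regression that silently leaves such a server offering only security type None. The three assignments do not depend on either backend, so I would store them unconditionally and make only the availability check conditional, e.g. `#if !defined(ENABLE_TLS) && !defined(HAVE_CRYPTO)` / `return -1;` / `#endif` ahead of the assignments. The function also deserves a header comment in neatvnc.h stating that it must be called before clients connect and that credentials come from nvnc_set_tls_creds / nvnc_set_rsa_creds, since that split is the point of the patch and nothing on the page documents it.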