API: Consolidate setup of security constraints

2023-09-29 19:23:15 +00:00 · 2023-09-29 19:23:15 +00:00 · 58d6dff5e5
parent 373e5a0f9e
commit 58d6dff5e5
3 changed files with 30 additions and 23 deletions
--- a/include/common.h
+++ b/include/common.h
@ -152,10 +152,12 @@ struct nvnc {
 	} cursor;
 	uint32_t cursor_seq;
-#ifdef ENABLE_TLS
+	enum nvnc_auth_flags auth_flags;
 	gnutls_certificate_credentials_t tls_creds;
 	nvnc_auth_fn auth_fn;
 	void* auth_ud;
 #ifdef ENABLE_TLS
 	gnutls_certificate_credentials_t tls_creds;
 #endif
 #ifdef HAVE_CRYPTO
--- a/include/neatvnc.h
+++ b/include/neatvnc.h
@ -97,6 +97,11 @@ enum nvnc_log_level {
 	NVNC_LOG_TRACE = 5,
 };
 enum nvnc_auth_flags {
 	NVNC_AUTH_REQUIRE_AUTH = 1 << 0,
 	NVNC_AUTH_REQUIRE_ENCRYPTION = 1 << 1,
 };
 struct nvnc_log_data {
 	enum nvnc_log_level level;
 	const char* file;
@ -157,17 +162,11 @@ void nvnc_set_client_cleanup_fn(struct nvnc_client* self, nvnc_client_fn fn);
 void nvnc_set_cut_text_fn(struct nvnc*, nvnc_cut_text_fn fn);
 void nvnc_set_desktop_layout_fn(struct nvnc* self, nvnc_desktop_layout_fn);
 /* TODO: Changes this interface so that we have enable_auth(auth_fn),
 * set_tls_creds(key, cert), and has_tls() -> bool
 */
 bool nvnc_has_auth(void);
-
+int nvnc_enable_auth(struct nvnc* self, enum nvnc_auth_flags flags,
-int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
+		nvnc_auth_fn, void* userdata);
-                     const char* cert_path, nvnc_auth_fn, void* userdata);
+int nvnc_set_tls_creds(struct nvnc* self, const char* privkey_path,
-
+                     const char* cert_path);
 int nvnc_enable_auth2(struct nvnc* self, nvnc_auth_fn, void* userdata);
 int nvnc_set_rsa_creds(struct nvnc* self, const char* private_key_path);
 struct nvnc_fb* nvnc_fb_new(uint16_t width, uint16_t height,
--- a/src/server.c
+++ b/src/server.c
@ -227,7 +227,9 @@ static int on_version_message(struct nvnc_client* client)
 		(struct rfb_security_types_msg*)buf;
 	security->n = 0;
-	if (client->server->auth_fn) {
+	if (server->auth_flags & NVNC_AUTH_REQUIRE_AUTH) {
 		assert(server->auth_fn);
 #ifdef ENABLE_TLS
 		if (server->tls_creds) {
 			security->types[security->n++] = RFB_SECURITY_TYPE_VENCRYPT;
@ -237,13 +239,18 @@ static int on_version_message(struct nvnc_client* client)
 #ifdef HAVE_CRYPTO
 		security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES256;
 		security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES;
-		security->types[security->n++] = RFB_SECURITY_TYPE_APPLE_DH;
+
 		if (!(server->auth_flags & NVNC_AUTH_REQUIRE_ENCRYPTION)) {
 			security->types[security->n++] = RFB_SECURITY_TYPE_APPLE_DH;
 		}
 #endif
 	} else {
 		security->n = 1;
 		security->types[0] = RFB_SECURITY_TYPE_NONE;
 	}
 	if (security->n == 0) {
-		security->n = 1;
+		nvnc_log(NVNC_LOG_PANIC, "Failed to satisfy requested security constraints");
 		security->types[0] = RFB_SECURITY_TYPE_NONE;
 	}
 	stream_write(client->net_stream, security, sizeof(*security) +
@ -2293,9 +2300,8 @@ bool nvnc_has_auth(void)
 }
 EXPORT
-int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
+int nvnc_set_tls_creds(struct nvnc* self, const char* privkey_path,
-                     const char* cert_path, nvnc_auth_fn auth_fn,
+                     const char* cert_path)
                     void* userdata)
 {
 #ifdef ENABLE_TLS
 	if (self->tls_creds)
@ -2326,9 +2332,6 @@ int nvnc_enable_auth(struct nvnc* self, const char* privkey_path,
 		goto cert_set_failure;
 	}
 	self->auth_fn = auth_fn;
 	self->auth_ud = userdata;
 	return 0;
 cert_set_failure:
@ -2341,10 +2344,13 @@ cert_alloc_failure:
 }
 EXPORT
-int nvnc_enable_auth2(struct nvnc* self, nvnc_auth_fn auth_fn, void* userdata)
+int nvnc_enable_auth(struct nvnc* self, enum nvnc_auth_flags flags,
 		nvnc_auth_fn auth_fn, void* userdata)
 {
 #ifdef HAVE_CRYPTO
 	self->auth_flags = flags;
 	self->auth_fn = auth_fn;
 	self->auth_ud = userdata;
 	return 0;
 #endif
 	return -1;