From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-ej1-f50.google.com ([209.85.218.50]) by ewsd; Sat Sep 26 16:42:38 EDT 2020
Received: by mail-ej1-f50.google.com with SMTP id e23so3227868eja.3
        for <9front@9front.org>; Sat, 26 Sep 2020 13:42:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=NHnRHk3fBskyRU4qsiySXTRmsb1UbVHi/Kl8pwMlM1s=;
        b=vRSXrnwnRBSBUdbko6gHqFYffAEJd5SM1JYhJZLb14NEiYhjGZVyEee8LK4741RQP9
         LuP1FuiFxKQdzXwzwAy6A3AYYS69ryYoJbhcsPCseoDKzpwl+R9HkCkLDThJm/USxpmw
         Ub+Ej9Q0z5Cugy6leomUkGDnuzor15W4VpKEaZxolpSLs48meRBYyS8t9BEZFIeAfpIW
         htXK0YI/OH+DaS0HnLdzlhlMpr6lhHNrXrrjlVBjWw5oWnWR5O5rqVaDn4Qf+oa+c85f
         4B0KF39ZusEmd6AkhG5wpfZzFFxC089JaW8at3ikaUPtMzZM42Iyb7czdMDgimNi5hVk
         gv/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=NHnRHk3fBskyRU4qsiySXTRmsb1UbVHi/Kl8pwMlM1s=;
        b=lK3bbc/oKVDGvDrsBtFvXhIDtFNN7k9JIhamtVw/osFWm8pak/fwHgAz7LHTocc5Y0
         kMmdxFKrLFx6+aZzSd1Evk+2yH/5i6+Qwn/jgcyM7KDh4JGdV6Vmjvzc5EP7whGeAfZV
         HXijiS50Nvjg7cZIJAe6W73DXdRNnylJBSSULeDBeM5Z8mnjDqA1Q2s5N6yDmtahP9vO
         OlaE2ksJX64Gl16505Sxm2/59mD4Xmpz0Oa9AYBdt5XF+fPHOEzmPn+W6vz6+JZKjy99
         cJOyse6c7sPVZhy/UCXk1Xw46ya5K1+vbl/U93thI7FdYZsGH8qL11HWNoJoOl2st0jK
         epeA==
X-Gm-Message-State: AOAM531rpiA0eVCKR0xzhnXSvEN/cpBD58bwya2AnHcwXX8XEoy2Jljy
	GjmA8B3dMcsZZ3nz94/H4LIipoy+DtelwnLFl0OXbd2K
X-Google-Smtp-Source: ABdhPJzthpeCA8kRXWHGLy8qHscrZyOF1tisC1dBHCKYSBQuUPH4V74063Xt24vSRRh96uyM33eGeN8GDC6OsKPX45c=
X-Received: by 2002:a17:907:72cc:: with SMTP id du12mr8474126ejc.150.1601152952967;
 Sat, 26 Sep 2020 13:42:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:906:29c2:0:0:0:0 with HTTP; Sat, 26 Sep 2020 13:42:32
 -0700 (PDT)
In-Reply-To: <EF093381C8E99796F1350E8030900B5B@eigenstate.org>
References: <8917ba98-ba07-096f-eaed-3fa98f4c001c@gmail.com> <EF093381C8E99796F1350E8030900B5B@eigenstate.org>
From: hiro <23hiro@gmail.com>
Date: Sat, 26 Sep 2020 22:42:32 +0200
Message-ID: <CAFSF3XPY2saCPCM9BGDtpQ6hG7AicUun1w5w_e8JNoX-1rGssA@mail.gmail.com>
Subject: Re: [9front] vncv(1): support for RFB 3.8
To: 9front@9front.org
Content-Type: text/plain; charset="UTF-8"
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: managed base-oriented SSL component polling grid database 

there have been vnc RFC updates for security? remind me why why are
all tunneling vnc through ssh then!

On 9/26/20, ori@eigenstate.org <ori@eigenstate.org> wrote:
>> On 23/09/2020 01:25, ori@eigenstate.org wrote:
>>> > Hi,
>>> >
>>> > The following patch adds support for RFB 3.8 in vncv(1).
>>> > It has been tested by connecting to a screen shared by gnome3 on
>>> > linux. Please let me know if it introduces any regressions.
>>>
>>> Can you re-generate the patch and either add it as an attachment
>>> or send it through something other than gmail's web interface?
>>>
>>> gmail mangles patches, wrappigng them and replacing tabs with
>>> spaces.
>>>
>> here it goes
>
> First off -- gross, newer versions let the client downgrade
> security. This is the opposite of what should be happening.
> But that's what the RFC says, so I guess we go with it.
>
> Ok with it in the client, but let's never implement it in the
> server.
>
> That said: Looking at the RFC, there are 3 versions of
> the protocol that should not be treated as 3.3:
>
>> Any version reported other than 3.7 or 3.8 should be treated as 3.3.
>
> Accordingly, we should probably recognize and error on 3.7 here, since
> we don't implement it.
>
> +	if(strncmp(msg, "RFB 003.", 8) != 0) {
>  		werrstr("bad rfb version \"%s\"", msg);
>  		return -1;
>  	}
>
> Something like:
>
> 	if(strncmp(msg, "RFB 003.", 8) != 0
> 	|| strncmp(msg, "RFB 003.007", VerLen) == 0)
>  		werrstr("bad rfb version \"%s\"", msg);
>  		return -1;
>  	}
>
> The zero types case also looks like it could be improved too:
> The RFC says:
>
>
>    If number-of-security-types is zero, then for some reason the
>    connection failed (e.g., the server cannot support the desired
>    protocol version).  This is followed by a string describing the
>    reason (where a string is specified as a length followed by that many
>    ASCII characters):
>
>              +---------------+--------------+---------------+
>              | No. of bytes  | Type [Value] | Description   |
>              +---------------+--------------+---------------+
>              | 4             | U32          | reason-length |
>              | reason-length | U8 array     | reason-string |
>              +---------------+--------------+---------------+
>
>    The server closes the connection after sending the reason-string.
>
> It'd be nice to show the server message to the user, it'd help
> with debugging (maybe). Something like:
>
>
> 	char *err;
> 	ntypes = vncrdchar(v);
> 	if (ntypes == 0) {
> 		err = vncrdstring(v);
> 		werrstr("auth error: %s", s);
> 		free(err);
> 		return AFailed;
> 	}
>
> I don't have a vnc 3.8 server set up right now for testing, so if
> you want to look over the proposed changes and test, that'd be
> great.
>
> Thanks for the patch!
>
>