From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f50.google.com ([209.85.218.50]) by ewsd; Sat Sep 26 16:42:38 EDT 2020 Received: by mail-ej1-f50.google.com with SMTP id e23so3227868eja.3 for <9front@9front.org>; Sat, 26 Sep 2020 13:42:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=NHnRHk3fBskyRU4qsiySXTRmsb1UbVHi/Kl8pwMlM1s=; b=vRSXrnwnRBSBUdbko6gHqFYffAEJd5SM1JYhJZLb14NEiYhjGZVyEee8LK4741RQP9 LuP1FuiFxKQdzXwzwAy6A3AYYS69ryYoJbhcsPCseoDKzpwl+R9HkCkLDThJm/USxpmw Ub+Ej9Q0z5Cugy6leomUkGDnuzor15W4VpKEaZxolpSLs48meRBYyS8t9BEZFIeAfpIW htXK0YI/OH+DaS0HnLdzlhlMpr6lhHNrXrrjlVBjWw5oWnWR5O5rqVaDn4Qf+oa+c85f 4B0KF39ZusEmd6AkhG5wpfZzFFxC089JaW8at3ikaUPtMzZM42Iyb7czdMDgimNi5hVk gv/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=NHnRHk3fBskyRU4qsiySXTRmsb1UbVHi/Kl8pwMlM1s=; b=lK3bbc/oKVDGvDrsBtFvXhIDtFNN7k9JIhamtVw/osFWm8pak/fwHgAz7LHTocc5Y0 kMmdxFKrLFx6+aZzSd1Evk+2yH/5i6+Qwn/jgcyM7KDh4JGdV6Vmjvzc5EP7whGeAfZV HXijiS50Nvjg7cZIJAe6W73DXdRNnylJBSSULeDBeM5Z8mnjDqA1Q2s5N6yDmtahP9vO OlaE2ksJX64Gl16505Sxm2/59mD4Xmpz0Oa9AYBdt5XF+fPHOEzmPn+W6vz6+JZKjy99 cJOyse6c7sPVZhy/UCXk1Xw46ya5K1+vbl/U93thI7FdYZsGH8qL11HWNoJoOl2st0jK epeA== X-Gm-Message-State: AOAM531rpiA0eVCKR0xzhnXSvEN/cpBD58bwya2AnHcwXX8XEoy2Jljy GjmA8B3dMcsZZ3nz94/H4LIipoy+DtelwnLFl0OXbd2K X-Google-Smtp-Source: ABdhPJzthpeCA8kRXWHGLy8qHscrZyOF1tisC1dBHCKYSBQuUPH4V74063Xt24vSRRh96uyM33eGeN8GDC6OsKPX45c= X-Received: by 2002:a17:907:72cc:: with SMTP id du12mr8474126ejc.150.1601152952967; Sat, 26 Sep 2020 13:42:32 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a17:906:29c2:0:0:0:0 with HTTP; Sat, 26 Sep 2020 13:42:32 -0700 (PDT) In-Reply-To: References: <8917ba98-ba07-096f-eaed-3fa98f4c001c@gmail.com> From: hiro <23hiro@gmail.com> Date: Sat, 26 Sep 2020 22:42:32 +0200 Message-ID: Subject: Re: [9front] vncv(1): support for RFB 3.8 To: 9front@9front.org Content-Type: text/plain; charset="UTF-8" List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: managed base-oriented SSL component polling grid database there have been vnc RFC updates for security? remind me why why are all tunneling vnc through ssh then! On 9/26/20, ori@eigenstate.org wrote: >> On 23/09/2020 01:25, ori@eigenstate.org wrote: >>> > Hi, >>> > >>> > The following patch adds support for RFB 3.8 in vncv(1). >>> > It has been tested by connecting to a screen shared by gnome3 on >>> > linux. Please let me know if it introduces any regressions. >>> >>> Can you re-generate the patch and either add it as an attachment >>> or send it through something other than gmail's web interface? >>> >>> gmail mangles patches, wrappigng them and replacing tabs with >>> spaces. >>> >> here it goes > > First off -- gross, newer versions let the client downgrade > security. This is the opposite of what should be happening. > But that's what the RFC says, so I guess we go with it. > > Ok with it in the client, but let's never implement it in the > server. > > That said: Looking at the RFC, there are 3 versions of > the protocol that should not be treated as 3.3: > >> Any version reported other than 3.7 or 3.8 should be treated as 3.3. > > Accordingly, we should probably recognize and error on 3.7 here, since > we don't implement it. > > + if(strncmp(msg, "RFB 003.", 8) != 0) { > werrstr("bad rfb version \"%s\"", msg); > return -1; > } > > Something like: > > if(strncmp(msg, "RFB 003.", 8) != 0 > || strncmp(msg, "RFB 003.007", VerLen) == 0) > werrstr("bad rfb version \"%s\"", msg); > return -1; > } > > The zero types case also looks like it could be improved too: > The RFC says: > > > If number-of-security-types is zero, then for some reason the > connection failed (e.g., the server cannot support the desired > protocol version). This is followed by a string describing the > reason (where a string is specified as a length followed by that many > ASCII characters): > > +---------------+--------------+---------------+ > | No. of bytes | Type [Value] | Description | > +---------------+--------------+---------------+ > | 4 | U32 | reason-length | > | reason-length | U8 array | reason-string | > +---------------+--------------+---------------+ > > The server closes the connection after sending the reason-string. > > It'd be nice to show the server message to the user, it'd help > with debugging (maybe). Something like: > > > char *err; > ntypes = vncrdchar(v); > if (ntypes == 0) { > err = vncrdstring(v); > werrstr("auth error: %s", s); > free(err); > return AFailed; > } > > I don't have a vnc 3.8 server set up right now for testing, so if > you want to look over the proposed changes and test, that'd be > great. > > Thanks for the patch! > >