author | Pierre Ossman <ossman@cendio.se> | 2022-08-18 15:01:52 +0200 |
---|---|---|
committer | Pierre Ossman <ossman@cendio.se> | 2022-08-18 16:26:27 +0200 |
commit | 795494ade1bab6a14fd45e02dbaba52301df65f1 (patch) | |
tree | 18c83e04857cb64e88046ca573cee96c6a9e69c1 | |
parent | e1174e813b617062c77491c01130c38b45f15311 (diff) | |
download | novnc-795494ade1bab6a14fd45e02dbaba52301df65f1.tar.gz |
Prefer security types in the server's order
This is how TigerVNC has been behaving for years and has worked well
there, so let's follow them.
-rw-r--r-- | core/rfb.js | 42 | ||||
-rw-r--r-- | tests/test.rfb.js | 14 |
2 files changed, 29 insertions, 27 deletions
diff --git a/core/rfb.js b/core/rfb.js
index 2d7e77f..b10b502 100644
--- a/core/rfb.js
+++ b/core/rfb.js
@@ -1354,6 +1354,21 @@ export default class RFB extends EventTargetMixin {
 this._rfbInitState = 'Security';
 }

+ _isSupportedSecurityType(type) {
+ const clientTypes = [
+ securityTypeNone,
+ securityTypeVNCAuth,
+ securityTypeRA2ne,
+ securityTypeTight,
+ securityTypeVeNCrypt,
+ securityTypeXVP,
+ securityTypeARD,
+ securityTypePlain,
+ ];
+
+ return clientTypes.includes(type);
+ }
+
 _negotiateSecurity() {
 if (this._rfbVersion >= 3.7) {
 // Server sends supported list, client decides
@@ -1370,22 +1385,17 @@ export default class RFB extends EventTargetMixin {
 const types = this._sock.rQshiftBytes(numTypes);
 Log.Debug("Server security types: " + types);

- // Look for each auth in preferred order
- if (types.includes(securityTypeNone)) {
- this._rfbAuthScheme = securityTypeNone;
- } else if (types.includes(securityTypeXVP)) {
- this._rfbAuthScheme = securityTypeXVP;
- } else if (types.includes(securityTypeTight)) {
- this._rfbAuthScheme = securityTypeTight;
- } else if (types.includes(securityTypeRA2ne)) {
- this._rfbAuthScheme = securityTypeRA2ne;
- } else if (types.includes(securityTypeVNCAuth)) {
- this._rfbAuthScheme = securityTypeVNCAuth;
- } else if (types.includes(securityTypeARD)) {
- this._rfbAuthScheme = securityTypeARD;
- } else if (types.includes(securityTypeVeNCrypt)) {
- this._rfbAuthScheme = securityTypeVeNCrypt;
- } else {
+ // Look for a matching security type in the order that the
+ // server prefers
+ this._rfbAuthScheme = -1;
+ for (let type of types) {
+ if (this._isSupportedSecurityType(type)) {
+ this._rfbAuthScheme = type;
+ break;
+ }
+ }
+
+ if (this._rfbAuthScheme === -1) {
 return this._fail("Unsupported security types (types: " + types + ")");
 }

diff --git a/tests/test.rfb.js b/tests/test.rfb.js
index e7d6040..0e46ff4 100644
--- a/tests/test.rfb.js
+++ b/tests/test.rfb.js
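Review bot: The `clientTypes` array in `_isSupportedSecurityType` reads like a preference list (None first), but only membership is tested, so its order has no effect and a reader may assume otherwise. A short comment such as `// Membership only; the server's order decides which type is used` would make that explicit, and the list could be a module-level constant instead of being rebuilt on every call. If `securityTypePlain` is only meaningful as a VeNCrypt subtype (not visible in this hunk), it probably does not belong in the list checked against the top-level types.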
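Review bot: The new loop in `_negotiateSecurity` takes the first supported entry of the server-supplied `types` list, so the client applies no policy of its own: `securityTypeNone` or `securityTypeVNCAuth` is selected whenever it appears ahead of the stronger types. That list is read before any authentication has happened, so its order is only as trustworthy as the transport. The comment could say so, e.g. `// Order is server-controlled and unauthenticated; integrity depends on the transport (wss)`, or the embedding application could be allowed to restrict the accepted types. Separately, `type` is never reassigned, so `for (const type of types) {` is the better declaration. The body of `_negotiateSecurity` starts and ends outside this hunk.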
@@ -1135,18 +1135,10 @@ describe('Remote Frame Buffer Protocol Client', function () {
 client._sock._websocket._getSentData();
 });

- it('should prefer no authentication is possible', function () {
- const authSchemes = [2, 1, 3];
+ it('should respect server preference order', function () {
+ const authSchemes = [ 6, 79, 30, 188, 16, 6, 1 ];
 client._sock._websocket._receiveData(new Uint8Array(authSchemes));
- expect(client._rfbAuthScheme).to.equal(1);
- expect(client._sock).to.have.sent(new Uint8Array([1]));
- });
-
- it('should choose for the most prefered scheme possible', function () {
- const authSchemes = [2, 22, 16];
- client._sock._websocket._receiveData(new Uint8Array(authSchemes));
- expect(client._rfbAuthScheme).to.equal(22);
- expect(client._sock).to.have.sent(new Uint8Array([22]));
+ expect(client._sock).to.have.sent(new Uint8Array([30]));
 });

 it('should fail if there are no supported schemes', function () { |
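Review bot: The replacement test no longer asserts `client._rfbAuthScheme`, and no remaining case pins that type 1 (no authentication) is passed over when a supported type precedes it, which is the opposite of what the removed 'should prefer no authentication' case encoded. Adding `expect(client._rfbAuthScheme).to.equal(30);` to the new case would restore the state check. A second case with a list such as `[2, 1]` expecting `2` to be sent (assuming 2 is a supported type, as the removed tests suggest) would guard against a regression to preferring no authentication. The enclosing `describe` block starts outside this hunk.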