From b4363357f5dbba6ced0faa32e47c19047698e8bd Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Wed, 7 Aug 2024 09:49:22 +0200
Subject: [PATCH] Correctly handle cancelled authentication
We should not be throwing up error messages, or asking to reconnect, if the user has actively cancelled the authentication attempt.
---
common/rfb/CSecurityTLS.cxx | 20 ++++++++++----------
vncviewer/CConn.cxx | 4 ++++
vncviewer/UserDialog.cxx | 2 +-
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 8d8b58fd..f9775215 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -444,7 +444,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unknown certificate issuer", text.c_str()))
- throw AuthFailureException("Unknown certificate issuer");
+ throw AuthCancelledException();
status &= ~(GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND |
@@ -465,7 +465,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Certificate is not yet valid", text.c_str()))
- throw AuthFailureException("Certificate is not yet valid");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_NOT_ACTIVATED; }
@@ -484,7 +484,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Expired certificate", text.c_str()))
- throw AuthFailureException("Expired certificate");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_EXPIRED; }
@@ -503,7 +503,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Insecure certificate algorithm", text.c_str()))
- throw AuthFailureException("Insecure certificate algorithm");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_INSECURE_ALGORITHM; }
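Review bot: Every declined certificate prompt in checkSession() now throws the same argument-less `AuthCancelledException()`, so the reason that used to travel in the exception text ("Unknown certificate issuer", "Certificate hostname mismatch", "Unexpected server certificate", and so on) is no longer recorded anywhere visible in this patch; this holds for the hunks at -444, -465, -484 and -503 and equally for those at -528, -554, -577, -598, -619 and -646. A user refusing a changed or mismatched server certificate is a security-relevant event, and the new handler in CConn.cxx logs only the generic exception text at info level. Consider logging the specific check before throwing, for example `vlog.info("Certificate prompt declined: hostname mismatch");` inside a braced `if` body ahead of `throw AuthCancelledException();`, assuming the file's log writer is in scope there. checkSession() starts and ends outside all of these hunks, so an existing log line elsewhere in the function may already cover this.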
@@ -528,7 +528,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Certificate hostname mismatch", text.c_str()))
- throw AuthFailureException("Certificate hostname mismatch");
+ throw AuthCancelledException();
} } else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { std::string text;
@@ -554,7 +554,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unexpected server certificate", text.c_str()))
- throw AuthFailureException("Unexpected server certificate");
+ throw AuthCancelledException();
status &= ~(GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND |
@@ -577,7 +577,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unexpected server certificate", text.c_str()))
- throw AuthFailureException("Unexpected server certificate");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_NOT_ACTIVATED; }
@@ -598,7 +598,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unexpected server certificate", text.c_str()))
- throw AuthFailureException("Unexpected server certificate");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_EXPIRED; }
@@ -619,7 +619,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unexpected server certificate", text.c_str()))
- throw AuthFailureException("Unexpected server certificate");
+ throw AuthCancelledException();
status &= ~GNUTLS_CERT_INSECURE_ALGORITHM; }
@@ -646,7 +646,7 @@ void CSecurityTLS::checkSession()
if (!msg->showMsgBox(UserMsgBox::M_YESNO, "Unexpected server certificate", text.c_str()))
- throw AuthFailureException("Unexpected server certificate");
+ throw AuthCancelledException();
} }
diff --git a/vncviewer/CConn.cxx b/vncviewer/CConn.cxx
index 31f5b74d..1f1a590e 100644
--- a/vncviewer/CConn.cxx
+++ b/vncviewer/CConn.cxx
@@ -29,6 +29,7 @@
#include #include
+#include
#include #include #include
@@ -270,6 +271,9 @@ void CConn::socketEvent(FL_SOCKET fd, void *data)
} else { disconnect(); }
+ } catch (rfb::AuthCancelledException& e) {
+ vlog.info("%s", e.str());
+ disconnect();
} catch (rdr::Exception& e) { vlog.error("%s", e.str()); abort_connection_with_unexpected_error(e);
diff --git a/vncviewer/UserDialog.cxx b/vncviewer/UserDialog.cxx
index 958b9d66..2ddc5ecc 100644
--- a/vncviewer/UserDialog.cxx
+++ b/vncviewer/UserDialog.cxx
@@ -204,7 +204,7 @@ void UserDialog::getUserPasswd(bool secure_, std::string* user,
delete win; if (ret_val != 0)
- throw rfb::Exception(_("Authentication cancelled"));
+ throw rfb::AuthCancelledException();
} bool UserDialog::showMsgBox(int flags, const char* title, const char* text)
--
2.39.5
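Review bot: The new `catch (rfb::AuthCancelledException& e)` in socketEvent() only has an effect because it sits ahead of the `catch (rdr::Exception& e)` handler, and nothing in the hunk records that ordering requirement. Assuming AuthCancelledException derives from rdr::Exception (its declaration is not part of this patch), swapping the two handlers in a later edit would silently route user cancels back into `abort_connection_with_unexpected_error(e)`. A comment above the handler such as `// Must precede rdr::Exception: a user cancel is not an error and must not raise the error/reconnect dialog` would pin that down. The try block and the rest of socketEvent() lie outside the hunk.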