x11vnc: Add symmetric key encryption -enc cipher:keyfile,

works with SSVNC.  Make -remap work on MacOSX console.
update to 0.9.5 strings.  Add a couple menu items to tkx11vnc.

prepare_x11vnc_dist.sh

 #!/bin/bash
 
-VERSION="0.9.4"
+VERSION="0.9.5"
 
 cd "$(dirname "$0")"
 

x11vnc/ChangeLog

+2008-09-21  Karl Runge <runge@karlrunge.com>
+	* x11vnc: Add symmetric key encryption -enc cipher:keyfile,
+	  works with SSVNC.  Make -remap work on MacOSX console.
+	  update to 0.9.5 strings.  Add a couple menu items to tkx11vnc.
+
 2008-09-17  Karl Runge <runge@karlrunge.com>
 	* x11vnc: make -allow work in -ssl mode.
 

x11vnc/Makefile.am

@@ -21,7 +21,7 @@ LD_CYGIPC=-lcygipc
 endif
 
 bin_PROGRAMS=x11vnc
-x11vnc_SOURCES = 8to24.c avahi.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c linuxfb.c macosx.c macosxCG.c macosxCGP.c macosxCGS.c options.c pm.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c uinput.c unixpw.c user.c userinput.c util.c v4l.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h avahi.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h linuxfb.h macosx.h macosxCG.h macosxCGP.h macosxCGS.h nox11.h nox11_funcs.h options.h params.h pm.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h ssltools.h tkx11vnc.h uinput.h unixpw.h user.h userinput.h util.h v4l.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
+x11vnc_SOURCES = 8to24.c avahi.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c linuxfb.c macosx.c macosxCG.c macosxCGP.c macosxCGS.c options.c pm.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c uinput.c unixpw.c user.c userinput.c util.c v4l.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h avahi.h blackout_t.h cleanup.h connections.h cursor.h enc.h enums.h gui.h help.h inet.h keyboard.h linuxfb.h macosx.h macosxCG.h macosxCGP.h macosxCGS.h nox11.h nox11_funcs.h options.h params.h pm.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h ssltools.h tkx11vnc.h uinput.h unixpw.h user.h userinput.h util.h v4l.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
 
 if HAVE_SYSTEM_LIBVNCSERVER
 INCLUDES=@SYSTEM_LIBVNCSERVER_CFLAGS@ @X_CFLAGS@ @AVAHI_CFLAGS@

x11vnc/help.c

@@ -1715,6 +1715,79 @@ void print_help(int mode) {
 "-stunnel3  [pem]       Use version 3.x stunnel command line syntax instead of\n"
 "                       version 4.x\n"
 "\n"
+"-enc cipher:keyfile    Use symmetric encryption with cipher \"cipher\"\n"
+"                       and secret key data in \"keyfile\".  If keyfile is\n"
+"                       pw=<string> then \"string\" is used as the key data.\n"
+"\n"
+"                       NOTE: It is recommended that you use SSL via the -ssl\n"
+"                       option instead of this option because SSL is well\n"
+"                       understood and takes great care to establish unique\n"
+"                       session keys and is more compatible with other software.\n"
+"                       Use this option if you do not want to deal with SSL\n"
+"                       certificates for authentication and do not want to\n"
+"                       use SSH but want some encryption for your VNC session.\n"
+"                       Or if you must interface with some symmetric key tunnel.\n"
+"\n"
+"                       Note that this mode will NOT work with the UltraVNC DSM\n"
+"                       plugins because they alter the RFB protocol in addition\n"
+"                       to tunnelling with the symmetric cipher (an unfortunate\n"
+"                       choice of implementation).\n"
+"\n"
+"                       cipher can be one of:  arc4, aesv2, aes-cfb, blowfish,\n"
+"                       or 3des.  See the OpenSSL documentation for more info.\n"
+"                       The keysize is 128 bits.  Here is one way to make a\n"
+"                       keyfile with that many bits:\n"
+"\n"
+"                            dd if=/dev/random of=./my.key bs=16 count=1\n"
+"\n"
+"                       you will need to securely share this key with the other\n"
+"                       side of the VNC connection (See SSVNC for examples).\n"
+"\n"
+"                       Example:  -enc blowfish:./my.key\n"
+"                       Example:  -enc blowfish:pw=swordfish\n"
+"\n"
+"                       By default 16 bytes of random salt followed by 16 bytes\n"
+"                       of random initialization vector are sent at the very\n"
+"                       beginning of the stream.  The other side must read these\n"
+"                       and initialize their cipher with them.  These values\n"
+"                       make the session key unique (without them the security\n"
+"                       is minimal).  Similarly, the other side must send us\n"
+"                       its random salt and IV with those same lengths.\n"
+"\n"
+"                       The salt and key data are combined to create a session\n"
+"                       key using an md5 hash as described in EVP_BytesToKey(3).\n"
+"\n"
+"                       The exact call is: EVP_BytesToKey(Cipher, EVP_md5(),\n"
+"                       salt, keydata, len, 1, keystr, NULL);  where salt is\n"
+"                       the random data as described above, and keydata is the\n"
+"                       shared secret key data.  keystr is the resulting session\n"
+"                       key.  The cipher is then seeded with keystr and uses\n"
+"                       the random initialization vector as its first block.\n"
+"\n"
+"                       To modify the amount of random salt and initialization\n"
+"                       vector use cipher@n,m where n is the salt length and\n"
+"                       m the initialization vector length.  E.g.\n"
+"\n"
+"                                 -enc aes-cfb@8,16:./my.key\n"
+"\n"
+"                       It is not a good idea to set either one to zero,\n"
+"                       although you may be forced to if the other side of the\n"
+"                       tunnel is not under your control.\n"
+"\n"
+"                       The SSVNC vnc viewer project supplies a symmetric\n"
+"                       encryption tool named \"ultravnc_dsm_helper\" that can\n"
+"                       be used on the viewer side.  For example:\n"
+"\n"
+"                       ssvncviewer exec='ultravnc_dsm_helper arc4 my.key 0 h:p'\n"
+"\n"
+"                       where h:p is the hostname and port of the x11vnc server.\n"
+"                       ultravnc_dsm_helper may also be used standalone to\n"
+"                       provide a symmetric encryption tunnel for any viewer\n"
+"                       or server (VNC or otherwise.)\n"
+"\n"
+"                       Also see the 'Non-Ultra DSM' SSVNC option for the\n"
+"                       'UltraVNC DSM Encryption Plugin' advanced option.\n"
+"\n"
 "-https [port]          Choose a separate HTTPS port (-ssl mode only).\n"
 "\n"
 "                       In -ssl mode, it turns out you can use the\n"
@@ -2542,6 +2615,9 @@ void print_help(int mode) {
 "                       initial state of the modifier is ignored and not reset)\n"
 "                       To include button events use \"Button1\", ... etc.\n"
 "\n"
+"                       -buttonmap currently does not work on MacOSX console\n"
+"                       or in -rawfb mode.\n"
+"\n"
 "-nodragging            Do not update the display during mouse dragging events\n"
 "                       (mouse button held down).  Greatly improves response on\n"
 "                       slow setups, but you lose all visual feedback for drags,\n"

x11vnc/keyboard.c

@@ -2710,15 +2710,20 @@ static void modifier_tweak_keyboard(rfbBool down, rfbKeySym keysym,
 
 void initialize_keyboard_and_pointer(void) {
 
+#ifdef MACOSX
+	if (macosx_console) {
+		initialize_remap(remap_file);
+		initialize_pointer_map(pointer_remap);
+	}
+#endif
+
 	RAWFB_RET_VOID
 
 	if (use_modifier_tweak) {
 		initialize_modtweak();
 	}
-	if (remap_file != NULL) {
-		initialize_remap(remap_file);
-	}
 
+	initialize_remap(remap_file);
 	initialize_pointer_map(pointer_remap);
 
 	clear_modifiers(1);
@@ -2783,13 +2788,67 @@ if (0) fprintf(stderr, "GAI: %s - %s\n", str, cd->input);
 	}
 }
 
+static void apply_remap(rfbKeySym *keysym, int *isbutton) {
+	if (keyremaps) {
+		keyremap_t *remap = keyremaps;
+		while (remap != NULL) {
+			if (remap->before == *keysym) {
+				*keysym = remap->after;
+				*isbutton = remap->isbutton;
+				if (debug_keyboard) {
+					char *str1, *str2;
+					X_LOCK;
+					str1 = XKeysymToString(remap->before);
+					str2 = XKeysymToString(remap->after);
+					rfbLog("keyboard(): remapping keysym: "
+					    "0x%x \"%s\" -> 0x%x \"%s\"\n",
+					    (int) remap->before,
+					    str1 ? str1 : "null",
+					    (int) remap->after,
+					    remap->isbutton ? "button" :
+					    str2 ? str2 : "null");
+					X_UNLOCK;
+				}
+				break;
+			}
+			remap = remap->next;
+		}
+	}
+}
+
 /* for -pipeinput mode */
 static void pipe_keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
-	int can_input = 0, uid = 0;
+	int can_input = 0, uid = 0, isbutton = 0;
 	allowed_input_t input;
 	char *name;
 	ClientData *cd = (ClientData *) client->clientData;
 
+	apply_remap(&keysym, &isbutton);
+
+	if (isbutton) {
+		int mask, button = (int) keysym;
+		int x = cursor_x, y = cursor_y;
+		if (!down) {
+			return;
+		}
+		if (debug_keyboard) {
+			rfbLog("keyboard(): remapping keystroke to button %d"
+			    " click\n", button);
+		}
+		dtime0(&last_key_to_button_remap_time);
+
+		/*
+		 * This in principle can be a little dicey... i.e. even
+		 * remap the button click to keystroke sequences!
+		 * Usually just will simulate the button click.
+		 */
+		mask = 1<<(button-1);
+		pointer(mask, x, y, client);
+		mask = 0;
+		pointer(mask, x, y, client);
+		return;
+	}
+
 	if (pipeinput_int == PIPEINPUT_VID) {
 		v4l_key_command(down, keysym, client);
 	} else if (pipeinput_int == PIPEINPUT_CONSOLE) {
@@ -3184,31 +3243,8 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
 	
 	RAWFB_RET_VOID
 
-	if (keyremaps) {
-		keyremap_t *remap = keyremaps;
-		while (remap != NULL) {
-			if (remap->before == keysym) {
-				keysym = remap->after;
-				isbutton = remap->isbutton;
-				if (debug_keyboard) {
-					char *str1, *str2;
-					X_LOCK;
-					str1 = XKeysymToString(remap->before);
-					str2 = XKeysymToString(remap->after);
-					rfbLog("keyboard(): remapping keysym: "
-					    "0x%x \"%s\" -> 0x%x \"%s\"\n",
-					    (int) remap->before,
-					    str1 ? str1 : "null",
-					    (int) remap->after,
-					    remap->isbutton ? "button" :
-					    str2 ? str2 : "null");
-					X_UNLOCK;
-				}
-				break;
-			}
-			remap = remap->next;
-		}
-	}
+
+	apply_remap(&keysym, &isbutton);
 
 	if (use_xrecord && ! xrecording && down) {
 

x11vnc/options.c

@@ -30,6 +30,7 @@ int http_ssl = 0;
 int ssl_no_fail = 0;
 char *openssl_pem = NULL;
 char *ssl_certs_dir = NULL;
+char *enc_str = NULL;
 int https_port_num = -1;
 int https_port_redir = 0;
 char *ssl_verify = NULL;

x11vnc/options.h

@@ -30,6 +30,7 @@ extern int http_ssl;
 extern int ssl_no_fail;
 extern char *openssl_pem;
 extern char *ssl_certs_dir;
+extern char *enc_str;
 extern int https_port_num;
 extern int https_port_redir;
 extern char *ssl_verify;

x11vnc/pointer.c

@@ -54,7 +54,7 @@ static prtremap_t pointer_map[MAX_BUTTONS+1][MAX_BUTTON_EVENTS];
  * For parsing the -buttonmap sections, e.g. "4" or ":Up+Up+Up:"
  */
 static void buttonparse(int from, char **s) {
-#if NO_X11
+#if (0 && NO_X11)
 	if (!from || !s) {}
 	return;
 #else
@@ -130,7 +130,11 @@ static void buttonparse(int from, char **s) {
 				 */
 				char *str;
 				X_LOCK;
+#if NO_X11
+				kcode = NoSymbol;
+#else
 				kcode = XKeysymToKeycode(dpy, ksym);
+#endif
 
 				pointer_map[from][n].keysym  = ksym;
 				pointer_map[from][n].keycode = kcode;
@@ -216,10 +220,6 @@ static void buttonparse(int from, char **s) {
  * process the -buttonmap string
  */
 void initialize_pointer_map(char *pointer_remap) {
-#if NO_X11
-	if (!pointer_remap) {}
-	return;
-#else
 	unsigned char map[MAX_BUTTONS];
 	int i, k;
 	/*
@@ -230,9 +230,13 @@ void initialize_pointer_map(char *pointer_remap) {
 	 */
 	
 	if (!raw_fb_str) {
+#if NO_X11
+		num_buttons = 5;
+#else
 		X_LOCK;
 		num_buttons = XGetPointerMapping(dpy, map, MAX_BUTTONS);
 		X_UNLOCK;
+#endif
 	} else {
 		num_buttons = 5;
 	}
@@ -295,7 +299,6 @@ void initialize_pointer_map(char *pointer_remap) {
 		}
 		free(remap);
 	}
-#endif	/* NO_X11 */
 }
 
 /*

x11vnc/screen.c

@@ -3080,7 +3080,11 @@ void announce(int lport, int ssl, char *iface) {
 	if (! ssl) {
 		tvdt = "The VNC desktop is:     ";
 	} else {
-		tvdt = "The SSL VNC desktop is: ";
+		if (enc_str) {
+			tvdt = "The ENC VNC desktop is: ";
+		} else {
+			tvdt = "The SSL VNC desktop is: ";
+		}
 	}
 
 	if (iface != NULL && *iface != '\0' && strcmp(iface, "any")) {
@@ -3209,7 +3213,11 @@ void set_vnc_desktop_name(void) {
 			if (stunnel_port) {
 				fprintf(stdout, "SSLPORT=%d\n", stunnel_port);
 			} else if (use_openssl) {
-				fprintf(stdout, "SSLPORT=%d\n", screen->port);
+				if (enc_str) {
+					fprintf(stdout, "ENCPORT=%d\n", screen->port);
+				} else {
+					fprintf(stdout, "SSLPORT=%d\n", screen->port);
+				}
 			}
 			fflush(stdout);	
 			if (flagfile) {

x11vnc/sslhelper.c

@@ -702,6 +702,14 @@ void openssl_init(int isclient) {
 
 	do_dh = DO_DH;
 
+	if (enc_str != NULL) {
+		if (first) {
+			init_prng();
+		}
+		first = 0;
+		return;
+	}
+
 	if (! quiet) {
 		rfbLog("\n");
 		rfbLog("Initializing SSL (%s connect mode).\n", isclient ? "client":"server");
@@ -2079,6 +2087,9 @@ static int ssl_init(int s_in, int s_out) {
 	double start = dnow();
 	int timeout = 20;
 
+	if (enc_str != NULL) {
+		return 1;
+	}
 	if (getenv("SSL_DEBUG")) {
 		db = atoi(getenv("SSL_DEBUG"));
 	}
@@ -2247,6 +2258,8 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 	return 1;
 }
 
+static symmetric_encryption_xfer(int csock, int s_in, int s_out);
+
 static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 	int dbxfer = 0, db = 0, check_pending, fdmax, nfd, n, i, err;
 	char cbuf[ABSIZE], sbuf[ABSIZE];
@@ -2274,6 +2287,10 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 		raw_xfer(csock, s_in, s_out);
 		return;
 	}
+	if (enc_str != NULL) {
+		symmetric_encryption_xfer(csock, s_in, s_out);
+		return;
+	}
 	if (getenv("SSL_DEBUG")) {
 		db = atoi(getenv("SSL_DEBUG"));
 	}
@@ -2685,8 +2702,8 @@ void check_https(void) {
 
 #define MSZ 4096
 static void init_prng(void) {
-	int db = 0, bytes;
-	char file[MSZ];
+	int db = 0, bytes, ubytes, fd;
+	char file[MSZ], dtmp[100];
 
 	RAND_file_name(file, MSZ);
 
@@ -2695,19 +2712,42 @@ static void init_prng(void) {
 	bytes = RAND_load_file(file, -1);
 	if (db) fprintf(stderr, "bytes read: %d\n", bytes);
 	
-	bytes += RAND_load_file("/dev/urandom", 64);
-	if (db) fprintf(stderr, "bytes read: %d\n", bytes);
+	ubytes = RAND_load_file("/dev/urandom", 64);
+	bytes += ubytes;
+	if (db) fprintf(stderr, "bytes read: %d / %d\n", bytes, ubytes);
+
+	/* mix in more predictable stuff as well for fallback */
+	sprintf(dtmp, "/tmp/p%.8f.XXXXXX", dnow());
+	fd = mkstemp(dtmp);
+	RAND_add(dtmp, strlen(dtmp), 0);
+	if (fd >= 0) {
+		close(fd);
+		unlink(dtmp);
+	}
+	sprintf(dtmp, "%d-%.8f", (int) getpid(), dnow());
+	RAND_add(dtmp, strlen(dtmp), 0);
+
+	if (!RAND_status()) {
+		ubytes = -1;
+		rfbLog("calling RAND_poll()\n");
+		RAND_poll();
+	}
 	
 	if (bytes > 0) {
 		if (! quiet) {
 			rfbLog("initialized PRNG with %d random bytes.\n",
 			    bytes);
 		}
+		if (ubytes > 32 && rnow() < 0.25) {
+			RAND_write_file(file);
+		}
 		return;
 	}
 
 	bytes += RAND_load_file("/dev/random", 8);
 	if (db) fprintf(stderr, "bytes read: %d\n", bytes);
+	RAND_poll();
+
 	if (! quiet) {
 		rfbLog("initialized PRNG with %d random bytes.\n", bytes);
 	}
@@ -2800,3 +2840,36 @@ if (db) fprintf(stderr, "raw_xfer bad write:  %d -> %d | %d/%d  errno=%d\n", cso
 #endif	/* FORK_OK */
 }
 
+#define ENC_MODULE
+#if LIBVNCSERVER_HAVE_LIBSSL
+#define ENC_HAVE_OPENSSL 1
+#else
+#define ENC_HAVE_OPENSSL 0
+#endif
+#include "enc.h"
+
+static symmetric_encryption_xfer(int csock, int s_in, int s_out) {
+	char tmp[100];
+	char *cipher, *keyfile, *q;
+	if (! enc_str) {
+		return;
+	}
+	cipher = (char *) malloc(strlen(enc_str) + 100);
+	q = strchr(enc_str, ':');
+	if (!q) return;
+	*q = '\0';
+	if (getenv("X11VNC_USE_ULTRADSM_IV")) {
+		sprintf(cipher, "rev:%s", enc_str);
+	} else {
+		sprintf(cipher, "noultra:rev:%s", enc_str);
+	}
+	keyfile = strdup(q+1);
+	*q = ':';
+
+
+	/* TBD: s_in != s_out */
+	sprintf(tmp, "fd=%d,%d", s_in, csock);
+
+	enc_do(cipher, keyfile, "-1", tmp);
+}
+

x11vnc/tkx11vnc

@@ -127,6 +127,7 @@ Clients
 	-- D
 	tightfilexfer
 	ultrafilexfer
+	proxy:
 	=GAL Java-applet::
 	=D http
 	httpdir:
@@ -142,6 +143,7 @@ Displays
 	=S reflect:
 	=D desktop:
 	=D rfbport:
+	=S autoport
 	=0 gui:
 
 Screen
@@ -267,6 +269,7 @@ Misc
 	bg
 	=S loop
 	=S loopbg
+	=S sleepin:
 	=-C:ignore,exit sigpipe:
 	=0 inetd
 
@@ -327,6 +330,8 @@ Permissions
 	=F ssldir:
 	=F sslverify:
 	ssltimeout:
+	--
+	enc:
 	=GAL LOFF
 	=GAL Misc-Perms::
 	safer

x11vnc/tkx11vnc.h

@@ -138,6 +138,7 @@ char gui_code[] = "";
 "	-- D\n"
 "	tightfilexfer\n"
 "	ultrafilexfer\n"
+"	proxy:\n"
 "	=GAL Java-applet::\n"
 "	=D http\n"
 "	httpdir:\n"
@@ -153,6 +154,7 @@ char gui_code[] = "";
 "	=S reflect:\n"
 "	=D desktop:\n"
 "	=D rfbport:\n"
+"	=S autoport\n"
 "	=0 gui:\n"
 "\n"
 "Screen\n"
@@ -278,6 +280,7 @@ char gui_code[] = "";
 "	bg\n"
 "	=S loop\n"
 "	=S loopbg\n"
+"	=S sleepin:\n"
 "	=-C:ignore,exit sigpipe:\n"
 "	=0 inetd\n"
 "\n"
@@ -338,6 +341,8 @@ char gui_code[] = "";
 "	=F ssldir:\n"
 "	=F sslverify:\n"
 "	ssltimeout:\n"
+"	--\n"
+"	enc:\n"
 "	=GAL LOFF\n"
 "	=GAL Misc-Perms::\n"
 "	safer\n"

x11vnc/util.c

@@ -388,7 +388,7 @@ double dnowx(void) {
 }
 
 double rnow(void) {
-	double t = dnowx();
+	double t = dnow();
 	t = t - ((int) t); 
 	if (t > 1.0) {
 		t = 1.0;

x11vnc/x11vnc.1

@@ -2,7 +2,7 @@
 .TH X11VNC "1" "September 2008" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.4, lastmod: 2008-09-16
+         version: 0.9.5, lastmod: 2008-09-21
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -1932,6 +1932,82 @@ and SSVNC for more examples.
 Use version 3.x stunnel command line syntax instead of
 version 4.x
 .PP
+\fB-enc\fR \fIcipher:keyfile\fR
+.IP
+Use symmetric encryption with cipher "cipher"
+and secret key data in "keyfile".  If keyfile is
+pw=<string> then "string" is used as the key data.
+.IP
+NOTE: It is recommended that you use SSL via the \fB-ssl\fR
+option instead of this option because SSL is well
+understood and takes great care to establish unique
+session keys and is more compatible with other software.
+Use this option if you do not want to deal with SSL
+certificates for authentication and do not want to
+use SSH but want some encryption for your VNC session.
+Or if you must interface with some symmetric key tunnel.
+.IP
+Note that this mode will NOT work with the UltraVNC DSM
+plugins because they alter the RFB protocol in addition
+to tunnelling with the symmetric cipher (an unfortunate
+choice of implementation).
+.IP
+cipher can be one of:  arc4, aesv2, aes-cfb, blowfish,
+or 3des.  See the OpenSSL documentation for more info.
+The keysize is 128 bits.  Here is one way to make a
+keyfile with that many bits:
+.IP
+dd if=/dev/random of=./my.key bs=16 count=1
+.IP
+you will need to securely share this key with the other
+side of the VNC connection (See SSVNC for examples).
+.IP
+Example:  \fB-enc\fR blowfish:./my.key
+Example:  \fB-enc\fR blowfish:pw=swordfish
+.IP
+By default 16 bytes of random salt followed by 16 bytes
+of random initialization vector are sent at the very
+beginning of the stream.  The other side must read these
+and initialize their cipher with them.  These values
+make the session key unique (without them the security
+is minimal).  Similarly, the other side must send us
+its random salt and IV with those same lengths.
+.IP
+The salt and key data are combined to create a session
+key using an md5 hash as described in 
+.IR EVP_BytesToKey (3).
+.IP
+The exact call is: EVP_BytesToKey(Cipher, EVP_md5(),
+salt, keydata, len, 1, keystr, NULL);  where salt is
+the random data as described above, and keydata is the
+shared secret key data.  keystr is the resulting session
+key.  The cipher is then seeded with keystr and uses
+the random initialization vector as its first block.
+.IP
+To modify the amount of random salt and initialization
+vector use cipher@n,m where n is the salt length and
+m the initialization vector length.  E.g.
+.IP
+\fB-enc\fR aes-cfb@8,16:./my.key
+.IP
+It is not a good idea to set either one to zero,
+although you may be forced to if the other side of the
+tunnel is not under your control.
+.IP
+The SSVNC vnc viewer project supplies a symmetric
+encryption tool named "ultravnc_dsm_helper" that can
+be used on the viewer side.  For example:
+.IP
+ssvncviewer exec='ultravnc_dsm_helper arc4 my.key 0 h:p'
+.IP
+where h:p is the hostname and port of the x11vnc server.
+ultravnc_dsm_helper may also be used standalone to
+provide a symmetric encryption tunnel for any viewer
+or server (VNC or otherwise.)
+.IP
+Also see the 'Non-Ultra DSM' SSVNC option for the
+\'UltraVNC DSM Encryption Plugin' advanced option.
+.PP
 \fB-https\fR \fI[port]\fR
 .IP
 Choose a separate HTTPS port (-ssl mode only).
@@ -2961,6 +3037,10 @@ modifier's up/down state is toggled, e.g. to send
 shift down and the 2nd one is shift up). (note: the
 initial state of the modifier is ignored and not reset)
 To include button events use "Button1", ... etc.
+.IP
+.IP
+\fB-buttonmap\fR currently does not work on MacOSX console
+or in \fB-rawfb\fR mode.
 .PP
 \fB-nodragging\fR
 .IP

x11vnc/x11vnc.c

@@ -1443,7 +1443,7 @@ static int argc2 = 0;
 static char **argv2;
 
 static void check_rcfile(int argc, char **argv) {
-	int i, j, pwlast, norc = 0, argmax = 1024;
+	int i, j, pwlast, enclast, norc = 0, argmax = 1024;
 	char *infile = NULL;
 	char rcfile[1024];
 	FILE *rc = NULL; 
@@ -1661,6 +1661,7 @@ static void check_rcfile(int argc, char **argv) {
 		free(buf);
 	}
 	pwlast = 0;
+	enclast = 0;
 	for (i=1; i < argc; i++) {
 		argv2[argc2++] = strdup(argv[i]);
 
@@ -1674,6 +1675,18 @@ static void check_rcfile(int argc, char **argv) {
 			}
 			strzero(p);
 		}
+		if (enclast || !strcmp("-enc", argv[i])) {
+			char *q, *p = argv[i];		
+			if (enclast) {
+				enclast = 0;
+			} else {
+				enclast = 1;
+			}
+			q = strstr(p, "pw=");
+			if (q) {
+				strzero(q);
+			}
+		}
 		if (argc2 >= argmax) {
 			fprintf(stderr, "too many rcfile options\n");
 			exit(1);
@@ -2760,6 +2773,11 @@ int main(int argc, char* argv[]) {
 					i++;
 				}
 			}
+		} else if (!strcmp(arg, "-enc")) {
+			char *q;
+			use_openssl = 1;
+			CHECK_ARGC
+			enc_str = strdup(argv[++i]);
 		} else if (!strcmp(arg, "-ssltimeout")) {
 			CHECK_ARGC
 			ssl_timeout_secs = atoi(argv[++i]);
@@ -4949,3 +4967,5 @@ if (0) fprintf(stderr, "XA: %s\n", getenv("XAUTHORITY"));
 #undef argv
 
 }
+
+

x11vnc/x11vnc_defs.c

@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.4 lastmod: 2008-09-16";
+char lastmod[] = "0.9.5 lastmod: 2008-09-21";
 
 /* X display info */