x11vnc: improve SSL Java viewer, cleanup -unixpw code.

6f47809a · runge · b9688bb3 · 6f47809a · 6f47809a · 6f47809a
Commit 6f47809a authored Sep 24, 2006 by runge
14 changed files
--- a/classes/ssl/SignedVncViewer.jar
+++ b/classes/ssl/SignedVncViewer.jar
--- a/classes/ssl/VncViewer.jar
+++ b/classes/ssl/VncViewer.jar
--- a/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch
+++ b/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch
@@ -73,8 +73,8 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/RfbProto.java vnc_javasrc/RfbProto
     serverMajor = (b[4] - '0') * 100 + (b[5] - '0') * 10 + (b[6] - '0');
 diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSLSocketToMe.java
 --- vnc_javasrc.orig/SSLSocketToMe.java	1969-12-31 19:00:00.000000000 -0500
-+++ vnc_javasrc/SSLSocketToMe.java	2006-06-12 00:00:28.000000000 -0400
-@@ -0,0 +1,1276 @@
+++ vnc_javasrc/SSLSocketToMe.java	2006-09-23 18:35:25.000000000 -0400
+@@ -0,0 +1,1301 @@
 +/*
 + * SSLSocketToMe.java: add SSL encryption to Java VNC Viewer.
 + *
@@ -408,8 +408,14 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +	public void check_for_proxy() {
 +		
 +		boolean result = false;
-+		String ustr = "https://" + host + ":" + port;
+		String ustr = "https://" + host + ":";
+		if (viewer.httpsPort != null) {
+			ustr += viewer.httpsPort;
+		} else {
+			ustr += port;	// hmmm
+		}
 +		ustr += viewer.urlPrefix + "/check.https.proxy.connection";
+		dbg("ustr is: " + ustr);
 +
 +		trusturlCerts = null;
 +		proxy_in_use = false;
@@ -429,6 +435,11 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +			https.connect();
 +
 +			trusturlCerts = https.getServerCertificates();
+			if (trusturlCerts == null) {
+				dbg("set trusturlCerts to null...");
+			} else {
+				dbg("set trusturlCerts to non-null");
+			}
 +
 +			if (https.usingProxy()) {
 +				proxy_in_use = true;
@@ -485,9 +496,14 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +		 */
 +		check_for_proxy();
 +		
-+		if (use_url_cert_for_auth && trusturlCerts != null) {
+		if (viewer.trustAllVncCerts) {
+			dbg("viewer.trustAllVncCerts-0 using trustall_ctx");
+			factory = trustall_ctx.getSocketFactory();
+		} else if (use_url_cert_for_auth && trusturlCerts != null) {
+			dbg("using trusturl_ctx");
 +			factory = trusturl_ctx.getSocketFactory();
 +		} else {
+			dbg("using trustloc_ctx");
 +			factory = trustloc_ctx.getSocketFactory();
 +		}
 +
@@ -528,7 +544,9 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +			SSLSession sess = socket.getSession();
 +			currentTrustedCerts = sess.getPeerCertificates();
 +
-+			if (currentTrustedCerts == null || currentTrustedCerts.length < 1) {
+			if (viewer.trustAllVncCerts) {
+				dbg("viewer.trustAllVncCerts-1");
+			} else if (currentTrustedCerts == null || currentTrustedCerts.length < 1) {
 +				socket.close();
 +				socket = null;
 +				throw new SSLHandshakeException("no current certs");
@@ -542,16 +560,21 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +				;
 +			}
 +
-+			bcd = new BrowserCertsDialog(serv, host + ":" + port);
-+			bcd.queryUser();
-+			if (bcd.showCertDialog) {
-+				String msg = "user wants to see cert";
-+				dbg(msg);
-+				user_wants_to_see_cert = true;
-+				throw new SSLHandshakeException(msg);
-+			} else {
+			if (viewer.trustAllVncCerts) {
+				dbg("viewer.trustAllVncCerts-2");
 +				user_wants_to_see_cert = false;
-+				dbg("bcd: user said yes, accept it");
+			} else {
+				bcd = new BrowserCertsDialog(serv, host + ":" + port);
+				bcd.queryUser();
+				if (bcd.showCertDialog) {
+					String msg = "user wants to see cert";
+					dbg(msg);
+					user_wants_to_see_cert = true;
+					throw new SSLHandshakeException(msg);
+				} else {
+					user_wants_to_see_cert = false;
+					dbg("bcd: user said yes, accept it");
+				}
 +			}
 +
 +		} catch (SSLHandshakeException eh)  {
@@ -586,7 +609,9 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +					    "Peer Certificate");	
 +				}
 +
-+				if (! browser_cert_match()) {
+				if (viewer.trustAllVncCerts) {
+					dbg("viewer.trustAllVncCerts-3");
+				} else if (! browser_cert_match()) {
 +					/*
 +					 * close socket now, we will reopen after
 +					 * dialog if user agrees to use the cert.
@@ -636,7 +661,7 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +			}
 +		}
 +
-+		if (socket != null && viewer.GET != null) {
+		if (socket != null && viewer.GET) {
 +			String str = "GET ";
 +			str += viewer.urlPrefix;
 +			str += "/request.https.vnc.connection";
@@ -1353,21 +1378,23 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +}
 diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncViewer.java
 --- vnc_javasrc.orig/VncViewer.java	2004-03-04 08:34:25.000000000 -0500
-+++ vnc_javasrc/VncViewer.java	2006-04-16 11:21:13.000000000 -0400
-@@ -88,6 +88,12 @@
+++ vnc_javasrc/VncViewer.java	2006-09-23 18:36:42.000000000 -0400
+@@ -88,6 +88,14 @@
   int deferCursorUpdates;
   int deferUpdateRequests;
 
 +  boolean disableSSL;
-+  String GET;
+  boolean GET;
 +  String CONNECT;
 +  String urlPrefix;
+  String httpsPort;
 +  boolean forceProxy;
+  boolean trustAllVncCerts;
 +
   // Reference to this applet for inter-applet communication.
   public static java.applet.Applet refApplet;
 
-@@ -626,6 +632,39 @@
+@@ -626,6 +634,51 @@
 
     // SocketFactory.
     socketFactory = readParameter("SocketFactory", false);
@@ -1378,31 +1405,43 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncView
 +    if (str != null && str.equalsIgnoreCase("Yes"))
 +      disableSSL = true;
 +
+    httpsPort = readParameter("httpsPort", false);
+
 +    // Extra GET, CONNECT string:
 +    CONNECT = readParameter("CONNECT", false);
 +    if (CONNECT != null) {
 +	CONNECT = CONNECT.replaceAll(" ", ":");
 +    }
-+    GET = readParameter("GET", false);
-+    urlPrefix = "";
-+    if (GET != null) {
-+	GET = GET.replaceAll("%2F", "/");
-+	GET = GET.replaceAll("%2f", "/");
-+	GET = GET.replaceAll("_2F_", "/");
-+	if (! GET.equals("1")) {
-+		if (GET.indexOf("/") != 0) {
-+			urlPrefix += "/";
-+		}
-+		urlPrefix += GET;
+
+    GET = false;
+    str = readParameter("GET", false);
+    if (str != null && str.equalsIgnoreCase("Yes")) {
+      GET = true;
+    }
+    if (str != null && str.equalsIgnoreCase("1")) {
+      GET = true;
+    }
+
+    urlPrefix = readParameter("urlPrefix", false);
+    if (urlPrefix != null) {
+	urlPrefix = urlPrefix.replaceAll("%2F", "/");
+	urlPrefix = urlPrefix.replaceAll("%2f", "/");
+	urlPrefix = urlPrefix.replaceAll("_2F_", "/");
+	if (urlPrefix.indexOf("/") != 0) {
+		urlPrefix = "/" + urlPrefix;
 +	}
 +    }
-+    urlPrefix = urlPrefix.replaceAll("%2f", "/");
 +    System.out.println("urlPrefix: " + urlPrefix);
 +
 +    forceProxy = false;
 +    str = readParameter("forceProxy", false);
 +    if (str != null && str.equalsIgnoreCase("Yes")) {
 +      forceProxy = true;
+    }
+    trustAllVncCerts = false;
+    str = readParameter("trustAllVncCerts", false);
+    if (str != null && str.equalsIgnoreCase("Yes")) {
+      trustAllVncCerts = true;
 +    }
   }
 

--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
+2006-09-23  Karl Runge <runge@karlrunge.com>
+	* Java viewer: improvements to connection response, faster
+	  connections.
+	* x11vnc: some cleanup for -unixpw login process.
+
 2006-09-20  Karl Runge <runge@karlrunge.com>
 	* x11vnc: -unixpw_cmd, -passwfile cmd:/custom:, -sslnofail,
 	  -ultrafilexfer

--- a/x11vnc/README
+++ b/x11vnc/README
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -1048,7 +1048,7 @@ static unsigned char t2x2_bits[] = {
 		char *ip = addr;
 		char *type = "accept";
 		if (unixpw && strstr(userhost, "UNIX:") != userhost) {
-			type = "unixpw";
+			type = "UNIXPW";
 			if (openssl_last_ip) {
 				ip = openssl_last_ip;
 			}
@@ -2007,7 +2007,6 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
 	}

 	clients_served++;
-if (getenv("NEW_CLIENT")) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);

 	if (use_openssl || use_stunnel) {
 		if (! ssl_initialized) {
@@ -2016,7 +2015,7 @@ if (getenv("NEW_CLIENT")) fprintf(stderr, "new_client: %s %d\n", client->host, c
 			return(RFB_CLIENT_REFUSE);
 		}
 	}
-	if (unixpw && unixpw_in_progress) {
+	if (unixpw_in_progress) {
 		rfbLog("denying additional client: %s during -unixpw login.\n",
 		     client->host);
 		return(RFB_CLIENT_REFUSE);
@@ -2052,7 +2051,6 @@ if (getenv("NEW_CLIENT")) fprintf(stderr, "new_client: %s %d\n", client->host, c
 	cd->ssl_helper_pid = 0;

 	if (use_openssl && openssl_last_helper_pid) {
-if (0) fprintf(stderr, "SET ssl_helper_pid: %d\n", openssl_last_helper_pid);
 		cd->ssl_helper_pid = openssl_last_helper_pid;
 		openssl_last_helper_pid = 0;
 	}
@@ -2086,7 +2084,6 @@ if (0) fprintf(stderr, "SET ssl_helper_pid: %d\n", openssl_last_helper_pid);

 	cd->uid = clients_served;

-
 	client->clientGoneHook = client_gone;

 	if (client_count) {
@@ -2131,8 +2128,10 @@ if (0) fprintf(stderr, "SET ssl_helper_pid: %d\n", openssl_last_helper_pid);
 			client->viewOnly = FALSE;
 		}
 		unixpw_last_try_time = time(NULL);
+
 		unixpw_screen(1);
 		unixpw_keystroke(0, 0, 1);
+
 		if (!unixpw_in_rfbPE) {
 			rfbLog("new client: %s in non-unixpw_in_rfbPE.\n",
 			     client->host);

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -513,8 +513,10 @@ void print_help(int mode) {
 "-unixpw [list]         Use Unix username and password authentication.  x11vnc\n"
 "                       uses the su(1) program to verify the user's password.\n"
 "                       [list] is an optional comma separated list of allowed\n"
-"                       Unix usernames.  See below for per-user options that\n"
-"                       can be applied.\n"
+"                       Unix usernames.  If the [list] string begins with the\n"
+"                       character \"!\" then the entire list is taken as an\n"
+"                       exclude list.  See below for per-user options that can\n"
+"                       be applied.\n"
 "\n"
 "                       A familiar \"login:\" and \"Password:\" dialog is\n"
 "                       presented to the user on a black screen inside the\n"
@@ -613,11 +615,14 @@ void print_help(int mode) {
 "                       \"deny\", e.g. \"karl,wally:viewonly,boss:input=M\".\n"
 "                       For \"input=\" it is the K,M,B,C described under -input.\n"
 "\n"
-"                       If a user in the list is \"*\" that means those\n"
+"                       If an item in the list is \"*\" that means those\n"
 "                       options apply to all users.  It also means all users\n"
 "                       are allowed to log in after supplying a valid password.\n"
 "                       Use \"deny\" to explicitly deny some users if you use\n"
-"                       \"*\" to set a global option.\n"
+"                       \"*\" to set a global option.  If [list] begins with\n"
+"                       the \"!\" character then \"*\" is ignored for checking\n"
+"                       if the user is allowed, but the any value of options\n"
+"                       associated with it does apply as normal.\n"
 "\n"
 "                       There are also some utilities for testing password\n"
 "                       if [list] starts with the \"%\" character.  See the\n"
@@ -656,11 +661,15 @@ void print_help(int mode) {
 "                       line of its stdin will the username and the second line\n"
 "                       the received password.  If the command exits with status\n"
 "                       0 (success) the VNC client will be accepted.  It will be\n"
-"                       rejected for any other return status.  Dynamic passwords\n"
-"                       and non-unix passwords can be implemented this way by\n"
-"                       providing your own custom helper program.  Note that\n"
-"                       under unixpw mode the remote viewer is given 3 tries\n"
-"                       to enter the correct password.\n"
+"                       rejected for any other return status.\n"
+"\n"
+"                       Dynamic passwords and non-unix passwords can be\n"
+"                       implemented this way by providing your own custom helper\n"
+"                       program.  Note that under unixpw mode the remote viewer\n"
+"                       is given 3 tries to enter the correct password.\n"
+"\n"
+"                       If a list of allowed users is needed use -unixpw [list]\n"
+"                       in addition to this option.\n"
 "\n"
 #endif
 "-display WAIT:...      A special usage mode for the normal -display option.\n"
@@ -2707,7 +2716,7 @@ void print_help(int mode) {
 "                       @WxHxB at the end of the string.\n"
 "\n"
 "                       Examples:\n"
-"                           -rawfb console            (same as -rawfb console)\n"
+"                           -rawfb console\n"
 "                           -rawfb /dev/fb0           (same)\n"
 "                           -rawfb console3           (force /dev/tty3)\n"
 "                           -rawfb consolex           (no keystrokes or mouse)\n"

--- a/x11vnc/keyboard.c
+++ b/x11vnc/keyboard.c
@@ -2680,20 +2680,19 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
 	if (debug_keyboard) {
 		char *str;
 		X_LOCK;
-		str = XKeysymToString(keysym);
+		str = XKeysymToString((KeySym) keysym);
 		X_UNLOCK;
 		rfbLog("# keyboard(%s, 0x%x \"%s\") uip=%d  %.4f\n",
 		    down ? "down":"up", (int) keysym, str ? str : "null",
 		    unixpw_in_progress, tnow - x11vnc_start);
 	}

-
 	if (keysym <= 0) {
 		rfbLog("keyboard: skipping 0x0 keysym\n");
 		return;
 	}
 	
-	if (unixpw && unixpw_in_progress) {
+	if (unixpw_in_progress) {
 		if (unixpw_denied) {
 			rfbLog("keyboard: ignoring keystroke 0x%x in "
 			    "unixpw_denied=1 state\n", (int) keysym);
@@ -2703,7 +2702,9 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
 			rfbLog("keyboard: skipping other client in unixpw\n");
 			return;
 		}
+
 		unixpw_keystroke(down, keysym, 0);
+
 		return;
 	}


--- a/x11vnc/pointer.c
+++ b/x11vnc/pointer.c
@@ -617,7 +617,6 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
 	if (mask >= 0) {
 		got_pointer_calls++;
 	}
-	get_allowed_input(client, &input);

 	if (debug_pointer && mask >= 0) {
 		static int show_motion = -1;
@@ -643,10 +642,13 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
 		last_x = x;
 		last_y = y;
 	}
-	if (unixpw && unixpw_in_progress) {
+
+	if (unixpw_in_progress) {
 		return;
 	}

+	get_allowed_input(client, &input);
+
 	if (rotating) {
 		rotate_coords_inverse(x, y, &x, &y, -1, -1);
 	}

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -1574,6 +1574,7 @@ void accept_openssl(int mode) {
 				 * instead of a direct SSL connection.
 				 */
 				rfbLog("Handling VNC request via https GET. [%d]\n", getpid());
+				rfbLog("-- %s\n", buf);

 				if (strstr(buf, "/reverse.proxy")) {
 					char *buf2;
@@ -1604,6 +1605,9 @@ void accept_openssl(int mode) {
 				    "Content-Type: octet-stream\r\n"
 				    "Pragma: no-cache\r\n\r\n";

+				rfbLog("Handling Check HTTPS request via https GET. [%d]\n", getpid());
+				rfbLog("-- %s\n", buf);
+
 				SSL_write(ssl, reply, strlen(reply));
 				SSL_shutdown(ssl);


--- a/x11vnc/unixpw.c
+++ b/x11vnc/unixpw.c
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
 .TH X11VNC "1" "September 2006" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.8.3, lastmod: 2006-09-20
+         version: 0.8.3, lastmod: 2006-09-23
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -617,8 +617,10 @@ uses the
 .IR su (1)
 program to verify the user's password.
 [list] is an optional comma separated list of allowed
-Unix usernames.  See below for per-user options that
-can be applied.
+Unix usernames.  If the [list] string begins with the
+character "!" then the entire list is taken as an
+exclude list.  See below for per-user options that can
+be applied.
 .IP
 A familiar "login:" and "Password:" dialog is
 presented to the user on a black screen inside the
@@ -727,11 +729,14 @@ where "opts" is a "+" separated list of
 "deny", e.g. "karl,wally:viewonly,boss:input=M".
 For "input=" it is the K,M,B,C described under \fB-input.\fR
 .IP
-If a user in the list is "*" that means those
+If an item in the list is "*" that means those
 options apply to all users.  It also means all users
 are allowed to log in after supplying a valid password.
 Use "deny" to explicitly deny some users if you use
-"*" to set a global option.
+"*" to set a global option.  If [list] begins with
+the "!" character then "*" is ignored for checking
+if the user is allowed, but the any value of options
+associated with it does apply as normal.
 .IP
 There are also some utilities for testing password
 if [list] starts with the "%" character.  See the
@@ -784,11 +789,15 @@ run the externally supplied command \fIstr\fR.  The first
 line of its stdin will the username and the second line
 the received password.  If the command exits with status
 0 (success) the VNC client will be accepted.  It will be
-rejected for any other return status.  Dynamic passwords
-and non-unix passwords can be implemented this way by
-providing your own custom helper program.  Note that
-under unixpw mode the remote viewer is given 3 tries
-to enter the correct password.
+rejected for any other return status.
+.IP
+Dynamic passwords and non-unix passwords can be
+implemented this way by providing your own custom helper
+program.  Note that under unixpw mode the remote viewer
+is given 3 tries to enter the correct password.
+.IP
+If a list of allowed users is needed use \fB-unixpw\fR [list]
+in addition to this option.
 .PP
 \fB-display\fR \fIWAIT:...\fR
 .IP
@@ -3182,7 +3191,7 @@ gives inaccurate information), specify them with a
 @WxHxB at the end of the string.
 .IP
 Examples:
-\fB-rawfb\fR console            (same as \fB-rawfb\fR console)
+\fB-rawfb\fR console
 \fB-rawfb\fR /dev/fb0           (same)
 \fB-rawfb\fR console3           (force /dev/tty3)
 \fB-rawfb\fR consolex           (no keystrokes or mouse)

--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@@ -460,7 +460,7 @@ static void watch_loop(void) {
 		if (! use_threads) {
 			dtime0(&tm);
 			if (! skip_pe) {
-				if (unixpw && unixpw_in_progress) {
+				if (unixpw_in_progress) {
 					rfbClientPtr cl = unixpw_client;
 					if (cl && cl->onHold) {
 						rfbLog(msg, cl->host);
@@ -490,17 +490,19 @@ static void watch_loop(void) {

 				unixpw_in_rfbPE = 0;

-				if (unixpw && unixpw_in_progress) {
+				if (unixpw_in_progress) {
 					/* rfbPE loop until logged in. */
 					skip_pe = 0;
+					check_new_clients();
 					continue;
 				} else {
 					measure_send_rates(0);
 					fb_update_sent(NULL);
 				}
 			} else {
-				if (unixpw && unixpw_in_progress) {
+				if (unixpw_in_progress) {
 					skip_pe = 0;
+					check_new_clients();
 					continue;
 				}
 			}
@@ -528,12 +530,6 @@ static void watch_loop(void) {
 				eat_viewonly_input(10, 3);
 			}
 		} else {
-#if 0
-			if (0 && use_xrecord) {
-				/* XXX not working */
-				check_xrecord();
-			}
-#endif
 			if (wireframe && button_mask) {
 				check_wireframe();
 			}
@@ -544,7 +540,10 @@ static void watch_loop(void) {
 			clean_up_exit(0);
 		}

-		if (unixpw_in_progress) continue;
+		if (unixpw_in_progress) {
+			check_new_clients();
+			continue;
+		}

 		if (! urgent_update) {
 			if (do_copy_screen) {

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;

 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.3 lastmod: 2006-09-20";
+char lastmod[] = "0.8.3 lastmod: 2006-09-23";

 /* X display info */