Commit a1e5d55e authored by runge's avatar runge

x11vnc: make -allow work in -ssl mode.

parent 95d7788e
2008-09-17 Karl Runge <runge@karlrunge.com>
* x11vnc: make -allow work in -ssl mode.
2008-09-14 Karl Runge <runge@karlrunge.com>
* x11vnc: -sleepin m-n for random sleep. More mktemp and mkstemp
protections. SSL_INIT_TIMEOUT=n env. var. Fix macosx console
......
x11vnc README file Date: Sun Sep 14 15:20:38 EDT 2008
x11vnc README file Date: Tue Sep 16 10:02:40 EDT 2008
The following information is taken from these URLs:
......@@ -11808,7 +11808,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions)
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
x11vnc options:
-display disp -auth file -N
......@@ -11928,7 +11928,7 @@ libvncserver-tight-extension options:
% x11vnc -help
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
(type "x11vnc -opts" to just list the options.)
......@@ -12475,10 +12475,13 @@ e
Can also be a numerical IP prefix, e.g. "192.168.100."
to match a simple subnet, for more control build
libvncserver with libwrap support (See the FAQ). If the
list contains a "/" it instead is a interpreted as a
file containing addresses or prefixes that is re-read
each time a new client connects. Lines can be commented
out with the "#" character in the usual way.
list contains a "/" it instead is a interpreted
as a file containing addresses or prefixes that is
re-read each time a new client connects. Lines can be
commented out with the "#" character in the usual way.
-allow applies in -ssl mode, but not in -stunnel mode.
-localhost Basically the same as "-allow 127.0.0.1".
Note: if you want to restrict which network interface
......@@ -13601,7 +13604,7 @@ e
For Windows, stunnel has been ported to it and there
are probably other such tools available. See the FAQ
for more examples.
and SSVNC for more examples.
-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of
version 4.x
......@@ -15769,7 +15772,9 @@ n
proxy:host:port set reverse connection proxy (empty to
disable).
allowonce:host For the next connection only, allow
connection from "host".
connection from "host". In -ssl mode
two connections are allowed (i.e. Fetch
Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
allow:hostlist set -allow list to (comma separated)
"hostlist". See -allow and -localhost.
Do not use with -allow /path/to/file
......@@ -16100,14 +16105,14 @@ n
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr
fixscreen noxrecord xrecord reset_record pointer_mode
pm input_skip allinput noallinput input grabkbd
nograbkbd grabptr nograbptr grabalways nograbalways
fixscreen noxrecord xrecord reset_record pointer_mode pm
input_skip allinput noallinput input grabkbd nograbkbd
grabptr nograbptr grabalways nograbalways grablocal
client_input ssltimeout speeds wmdt debug_pointer dp
nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
nodk deferupdate defer wait_ui wait_bog nowait_bog
slow_fb xrefresh wait readtimeout nap nonap sb
screen_blank fbpm nofbpm dpms nodpms clientdpms
nodk keycode deferupdate defer wait_ui wait_bog
nowait_bog slow_fb xrefresh wait readtimeout nap nonap
sb screen_blank fbpm nofbpm dpms nodpms clientdpms
noclientdpms forcedpms noforcedpms noserverdpms
serverdpms noultraext ultraext fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
......@@ -16123,7 +16128,7 @@ n
nodbg macnosaver macsaver nomacnosaver macnowait macwait
nomacnowait macwheel macnoswap macswap nomacnoswap
macnoresize macresize nomacnoresize maciconanim macmenu
macnomenu nomacmenu noremote
macnomenu nomacmenu macuskbd nomacuskbd noremote
aro= noop display vncdisplay desktopname guess_desktop
http_url auth xauth users rootshift clipshift
......@@ -16141,7 +16146,6 @@ n
dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y
coff_x coff_y rfbauth passwd viewpasswd
-QD variable Just like -query variable, but returns the default
value for that parameter (no running x11vnc server
is consulted)
......
......@@ -55,10 +55,10 @@ void check_new_clients(void);
int accept_client(rfbClientPtr client);
int run_user_command(char *cmd, rfbClientPtr client, char *mode, char *input,
int len, FILE *output);
int check_access(char *addr);
static rfbClientPtr *client_match(char *str);
static void free_client_data(rfbClientPtr client);
static int check_access(char *addr);
static void ugly_geom(char *p, int *x, int *y);
static int ugly_window(char *addr, char *userhost, int X, int Y,
int timeout, char *mode, int accept);
......@@ -800,10 +800,14 @@ void client_gone(rfbClientPtr client) {
* Simple routine to limit access via string compare. A power user will
* want to compile libvncserver with libwrap support and use /etc/hosts.allow.
*/
static int check_access(char *addr) {
int check_access(char *addr) {
int allowed = 0;
int ssl = 0;
char *p, *list;
if (use_openssl || use_stunnel) {
ssl = 1;
}
if (deny_all) {
rfbLog("check_access: new connections are currently "
"blocked.\n");
......@@ -842,6 +846,10 @@ static int check_access(char *addr) {
len2 = strlen(allow_once) + 2;
len += len2;
}
if (ssl) {
len2 = strlen("127.0.0.1") + 2;
len += len2;
}
list = (char *) malloc(len);
list[0] = '\0';
......@@ -869,11 +877,19 @@ static int check_access(char *addr) {
strcat(list, allow_once);
strcat(list, "\n");
}
if (ssl) {
strcat(list, "\n");
strcat(list, "127.0.0.1");
strcat(list, "\n");
}
} else {
int len = strlen(allow_list) + 1;
if (allow_once) {
len += strlen(allow_once) + 1;
}
if (ssl) {
len += strlen("127.0.0.1") + 1;
}
list = (char *) malloc(len);
list[0] = '\0';
strcat(list, allow_list);
......@@ -881,6 +897,10 @@ static int check_access(char *addr) {
strcat(list, ",");
strcat(list, allow_once);
}
if (ssl) {
strcat(list, ",");
strcat(list, "127.0.0.1");
}
}
if (allow_once) {
......
......@@ -566,10 +566,13 @@ void print_help(int mode) {
" Can also be a numerical IP prefix, e.g. \"192.168.100.\"\n"
" to match a simple subnet, for more control build\n"
" libvncserver with libwrap support (See the FAQ). If the\n"
" list contains a \"/\" it instead is a interpreted as a\n"
" file containing addresses or prefixes that is re-read\n"
" each time a new client connects. Lines can be commented\n"
" out with the \"#\" character in the usual way.\n"
" list contains a \"/\" it instead is a interpreted\n"
" as a file containing addresses or prefixes that is\n"
" re-read each time a new client connects. Lines can be\n"
" commented out with the \"#\" character in the usual way.\n"
"\n"
" -allow applies in -ssl mode, but not in -stunnel mode.\n"
"\n"
"-localhost Basically the same as \"-allow 127.0.0.1\".\n"
"\n"
" Note: if you want to restrict which network interface\n"
......@@ -1707,7 +1710,7 @@ void print_help(int mode) {
"\n"
" For Windows, stunnel has been ported to it and there\n"
" are probably other such tools available. See the FAQ\n"
" for more examples.\n"
" and SSVNC for more examples.\n"
"\n"
"-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n"
" version 4.x\n"
......@@ -3879,7 +3882,9 @@ void print_help(int mode) {
" disable).\n"
/* access */
" allowonce:host For the next connection only, allow\n"
" connection from \"host\".\n"
" connection from \"host\". In -ssl mode\n"
" two connections are allowed (i.e. Fetch\n"
" Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1\n"
/* access */
" allow:hostlist set -allow list to (comma separated)\n"
" \"hostlist\". See -allow and -localhost.\n"
......@@ -4212,14 +4217,14 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
" scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
" fixscreen noxrecord xrecord reset_record pointer_mode\n"
" pm input_skip allinput noallinput input grabkbd\n"
" nograbkbd grabptr nograbptr grabalways nograbalways\n"
" fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
" input_skip allinput noallinput input grabkbd nograbkbd\n"
" grabptr nograbptr grabalways nograbalways grablocal\n"
" client_input ssltimeout speeds wmdt debug_pointer dp\n"
" nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
" nodk deferupdate defer wait_ui wait_bog nowait_bog\n"
" slow_fb xrefresh wait readtimeout nap nonap sb\n"
" screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
" nodk keycode deferupdate defer wait_ui wait_bog\n"
" nowait_bog slow_fb xrefresh wait readtimeout nap nonap\n"
" sb screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
" noclientdpms forcedpms noforcedpms noserverdpms\n"
" serverdpms noultraext ultraext fs gaps grow fuzz snapfb\n"
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"
......@@ -4235,7 +4240,7 @@ void print_help(int mode) {
" nodbg macnosaver macsaver nomacnosaver macnowait macwait\n"
" nomacnowait macwheel macnoswap macswap nomacnoswap\n"
" macnoresize macresize nomacnoresize maciconanim macmenu\n"
" macnomenu nomacmenu noremote\n"
" macnomenu nomacmenu macuskbd nomacuskbd noremote\n"
"\n"
" aro= noop display vncdisplay desktopname guess_desktop\n"
" http_url auth xauth users rootshift clipshift\n"
......@@ -4253,7 +4258,6 @@ void print_help(int mode) {
" dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n"
" coff_x coff_y rfbauth passwd viewpasswd\n"
"\n"
"\n"
"-QD variable Just like -query variable, but returns the default\n"
" value for that parameter (no running x11vnc server\n"
" is consulted)\n"
......
......@@ -1227,6 +1227,9 @@ static void csock_timeout (int sig) {
}
}
#define PROXY_HACK 0
#if PROXY_HACK
static int wait_conn(int sock) {
int conn;
struct sockaddr_in addr;
......@@ -1247,6 +1250,8 @@ static int wait_conn(int sock) {
return conn;
}
/* no longer used */
int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
int mode) {
int sock1, db = 0;
......@@ -1321,6 +1326,31 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
return 1;
}
#endif /* PROXY_HACK */
static int check_ssl_access(char *addr) {
static char *save_allow_once = NULL;
static time_t time_allow_once = 0;
/* due to "Fetch Cert" activities for SSL really need to "allow twice" */
if (allow_once != NULL) {
save_allow_once = strdup(allow_once);
time_allow_once = time(NULL);
} else if (save_allow_once != NULL) {
if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
;
} else if (time(NULL) < time_allow_once + 30) {
/* give them 30 secs to check and save the fetched cert. */
allow_once = save_allow_once;
rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n");
rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n");
}
save_allow_once = NULL;
time_allow_once = 0;
}
return check_access(addr);
}
void accept_openssl(int mode, int presock) {
int sock = -1, listen = -1, cport, csock, vsock;
......@@ -1407,6 +1437,17 @@ void accept_openssl(int mode, int presock) {
openssl_last_ip = get_remote_host(sock);
}
if (!check_ssl_access(openssl_last_ip)) {
rfbLog("SSL: accept_openssl: denying client %s\n", openssl_last_ip);
rfbLog("SSL: accept_openssl: does not match -allow (or other reason).\n");
close(sock);
sock = -1;
if (ssl_no_fail) {
clean_up_exit(1);
}
return;
}
/* now make a listening socket for child to connect back to us by: */
cport = find_free_port(20000, 0);
......
......@@ -2,7 +2,7 @@
.TH X11VNC "1" "September 2008" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
version: 0.9.4, lastmod: 2008-09-14
version: 0.9.4, lastmod: 2008-09-16
.SH SYNOPSIS
.B x11vnc
[OPTION]...
......@@ -657,10 +657,12 @@ the comma separated list of hostnames or IP addresses.
Can also be a numerical IP prefix, e.g. "192.168.100."
to match a simple subnet, for more control build
libvncserver with libwrap support (See the FAQ). If the
list contains a "/" it instead is a interpreted as a
file containing addresses or prefixes that is re-read
each time a new client connects. Lines can be commented
out with the "#" character in the usual way.
list contains a "/" it instead is a interpreted
as a file containing addresses or prefixes that is
re-read each time a new client connects. Lines can be
commented out with the "#" character in the usual way.
.IP
\fB-allow\fR applies in \fB-ssl\fR mode, but not in \fB-stunnel\fR mode.
.PP
\fB-localhost\fR
.IP
......@@ -1923,7 +1925,7 @@ on Unix using stunnel 3.x is:
.IP
For Windows, stunnel has been ported to it and there
are probably other such tools available. See the FAQ
for more examples.
and SSVNC for more examples.
.PP
\fB-stunnel3\fR \fI[pem]\fR
.IP
......@@ -4553,7 +4555,9 @@ proxy:host:port set reverse connection proxy (empty to
disable).
.IP
allowonce:host For the next connection only, allow
connection from "host".
connection from "host". In \fB-ssl\fR mode
two connections are allowed (i.e. Fetch
Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
.IP
allow:hostlist set \fB-allow\fR list to (comma separated)
"hostlist". See \fB-allow\fR and \fB-localhost.\fR
......@@ -5129,14 +5133,14 @@ nowireframe nowf wireframelocal wfl nowireframelocal
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr
fixscreen noxrecord xrecord reset_record pointer_mode
pm input_skip allinput noallinput input grabkbd
nograbkbd grabptr nograbptr grabalways nograbalways
fixscreen noxrecord xrecord reset_record pointer_mode pm
input_skip allinput noallinput input grabkbd nograbkbd
grabptr nograbptr grabalways nograbalways grablocal
client_input ssltimeout speeds wmdt debug_pointer dp
nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
nodk deferupdate defer wait_ui wait_bog nowait_bog
slow_fb xrefresh wait readtimeout nap nonap sb
screen_blank fbpm nofbpm dpms nodpms clientdpms
nodk keycode deferupdate defer wait_ui wait_bog
nowait_bog slow_fb xrefresh wait readtimeout nap nonap
sb screen_blank fbpm nofbpm dpms nodpms clientdpms
noclientdpms forcedpms noforcedpms noserverdpms
serverdpms noultraext ultraext fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
......@@ -5152,7 +5156,7 @@ debug_grabs nodebug_grabs debug_sel nodebug_sel dbg
nodbg macnosaver macsaver nomacnosaver macnowait macwait
nomacnowait macwheel macnoswap macswap nomacnoswap
macnoresize macresize nomacnoresize maciconanim macmenu
macnomenu nomacmenu noremote
macnomenu nomacmenu macuskbd nomacuskbd noremote
.IP
aro= noop display vncdisplay desktopname guess_desktop
http_url auth xauth users rootshift clipshift
......
......@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.4 lastmod: 2008-09-14";
char lastmod[] = "0.9.4 lastmod: 2008-09-16";
/* X display info */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment