x11vnc: make -allow work in -ssl mode.

a1e5d55e · runge · 95d7788e · a1e5d55e · a1e5d55e · a1e5d55e
Commit a1e5d55e authored Sep 17, 2008 by runge
7 changed files
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
+2008-09-17  Karl Runge <runge@karlrunge.com>
+	* x11vnc: make -allow work in -ssl mode.
 2008-09-14  Karl Runge <runge@karlrunge.com>
 	* x11vnc: -sleepin m-n for random sleep. More mktemp and mkstemp
 	  protections. SSL_INIT_TIMEOUT=n env. var.  Fix macosx console

--- a/x11vnc/README
+++ b/x11vnc/README
-x11vnc README file                         Date: Sun Sep 14 15:20:38 EDT 2008
+x11vnc README file                         Date: Tue Sep 16 10:02:40 EDT 2008
 The following information is taken from these URLs:
@@ -11808,7 +11808,7 @@ x11vnc: a VNC server for real X displays
   Here are all of x11vnc command line options:
 % x11vnc -opts      (see below for -help long descriptions)
-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
 x11vnc options:
  -display disp            -auth file               -N                     
@@ -11928,7 +11928,7 @@ libvncserver-tight-extension options:
 % x11vnc -help
-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
 (type "x11vnc -opts" to just list the options.)
@@ -12475,10 +12475,13 @@ e
                       Can also be a numerical IP prefix, e.g. "192.168.100."
                       to match a simple subnet, for more control build
                       libvncserver with libwrap support (See the FAQ).  If the
-                       list contains a "/" it instead is a interpreted as a
+                       list contains a "/" it instead is a interpreted
-                       file containing addresses or prefixes that is re-read
+                       as a file containing addresses or prefixes that is
-                       each time a new client connects.  Lines can be commented
+                       re-read each time a new client connects.  Lines can be
-                       out with the "#" character in the usual way.
+                       commented out with the "#" character in the usual way.
+                       -allow applies in -ssl mode, but not in -stunnel mode.
 -localhost             Basically the same as "-allow 127.0.0.1".
                       Note: if you want to restrict which network interface
@@ -13601,7 +13604,7 @@ e
                       For Windows, stunnel has been ported to it and there
                       are probably other such tools available.  See the FAQ
-                       for more examples.
+                       and SSVNC for more examples.
 -stunnel3  [pem]       Use version 3.x stunnel command line syntax instead of
                       version 4.x
@@ -15769,7 +15772,9 @@ n
                       proxy:host:port set reverse connection proxy (empty to
                                       disable).
                       allowonce:host  For the next connection only, allow
-                                       connection from "host".
+                                       connection from "host". In -ssl mode
+                                       two connections are allowed (i.e. Fetch
+                                       Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
                       allow:hostlist  set -allow list to (comma separated)
                                       "hostlist". See -allow and -localhost.
                                       Do not use with -allow /path/to/file
@@ -16100,14 +16105,14 @@ n
                       nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
                       scr_skip scr_inc scr_keys scr_term scr_keyrepeat
                       scr_parms scrollcopyrect scr noscrollcopyrect noscr
-                       fixscreen noxrecord xrecord reset_record pointer_mode
+                       fixscreen noxrecord xrecord reset_record pointer_mode pm
-                       pm input_skip allinput noallinput input grabkbd
+                       input_skip allinput noallinput input grabkbd nograbkbd
-                       nograbkbd grabptr nograbptr grabalways nograbalways
+                       grabptr nograbptr grabalways nograbalways grablocal
                       client_input ssltimeout speeds wmdt debug_pointer dp
                       nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
-                       nodk deferupdate defer wait_ui wait_bog nowait_bog
+                       nodk keycode deferupdate defer wait_ui wait_bog
-                       slow_fb xrefresh wait readtimeout nap nonap sb
+                       nowait_bog slow_fb xrefresh wait readtimeout nap nonap
-                       screen_blank fbpm nofbpm dpms nodpms clientdpms
+                       sb screen_blank fbpm nofbpm dpms nodpms clientdpms
                       noclientdpms forcedpms noforcedpms noserverdpms
                       serverdpms noultraext ultraext fs gaps grow fuzz snapfb
                       nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
@@ -16123,7 +16128,7 @@ n
                       nodbg macnosaver macsaver nomacnosaver macnowait macwait
                       nomacnowait macwheel macnoswap macswap nomacnoswap
                       macnoresize macresize nomacnoresize maciconanim macmenu
-                       macnomenu nomacmenu noremote
+                       macnomenu nomacmenu macuskbd nomacuskbd noremote
                       aro=  noop display vncdisplay desktopname guess_desktop
                       http_url auth xauth users rootshift clipshift
@@ -16141,7 +16146,6 @@ n
                       dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y
                       coff_x coff_y rfbauth passwd viewpasswd
 -QD variable           Just like -query variable, but returns the default
                       value for that parameter (no running x11vnc server
                       is consulted)

--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -55,10 +55,10 @@ void check_new_clients(void);
 int accept_client(rfbClientPtr client);
 int run_user_command(char *cmd, rfbClientPtr client, char *mode, char *input,
    int len, FILE *output);
+int check_access(char *addr);
 static rfbClientPtr *client_match(char *str);
 static void free_client_data(rfbClientPtr client);
-static int check_access(char *addr);
 static void ugly_geom(char *p, int *x, int *y);
 static int ugly_window(char *addr, char *userhost, int X, int Y,
    int timeout, char *mode, int accept);
@@ -800,10 +800,14 @@ void client_gone(rfbClientPtr client) {
 * Simple routine to limit access via string compare.  A power user will
 * want to compile libvncserver with libwrap support and use /etc/hosts.allow.
 */
-static int check_access(char *addr) {
+int check_access(char *addr) {
 	int allowed = 0;
+	int ssl = 0;
 	char *p, *list;
+	if (use_openssl || use_stunnel) {
+		ssl = 1;
+	}
 	if (deny_all) {
 		rfbLog("check_access: new connections are currently "
 		    "blocked.\n");
@@ -842,6 +846,10 @@ static int check_access(char *addr) {
 			len2 = strlen(allow_once) + 2;
 			len += len2;
 		}
+		if (ssl) {
+			len2 = strlen("127.0.0.1") + 2;
+			len += len2;
+		}
 		list = (char *) malloc(len);
 		list[0] = '\0';
@@ -869,11 +877,19 @@ static int check_access(char *addr) {
 			strcat(list, allow_once);
 			strcat(list, "\n");
 		}
+		if (ssl) {
+			strcat(list, "\n");
+			strcat(list, "127.0.0.1");
+			strcat(list, "\n");
+		}
 	} else {
 		int len = strlen(allow_list) + 1;
 		if (allow_once) {
 			len += strlen(allow_once) + 1;
 		}
+		if (ssl) {
+			len += strlen("127.0.0.1") + 1;
+		}
 		list = (char *) malloc(len);
 		list[0] = '\0';
 		strcat(list, allow_list);
@@ -881,6 +897,10 @@ static int check_access(char *addr) {
 			strcat(list, ",");
 			strcat(list, allow_once);
 		}
+		if (ssl) {
+			strcat(list, ",");
+			strcat(list, "127.0.0.1");
+		}
 	}
 	if (allow_once) {

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -566,10 +566,13 @@ void print_help(int mode) {
 "                       Can also be a numerical IP prefix, e.g. \"192.168.100.\"\n"
 "                       to match a simple subnet, for more control build\n"
 "                       libvncserver with libwrap support (See the FAQ).  If the\n"
-"                       list contains a \"/\" it instead is a interpreted as a\n"
+"                       list contains a \"/\" it instead is a interpreted\n"
-"                       file containing addresses or prefixes that is re-read\n"
+"                       as a file containing addresses or prefixes that is\n"
-"                       each time a new client connects.  Lines can be commented\n"
+"                       re-read each time a new client connects.  Lines can be\n"
-"                       out with the \"#\" character in the usual way.\n"
+"                       commented out with the \"#\" character in the usual way.\n"
+"\n"
+"                       -allow applies in -ssl mode, but not in -stunnel mode.\n"
+"\n"
 "-localhost             Basically the same as \"-allow 127.0.0.1\".\n"
 "\n"
 "                       Note: if you want to restrict which network interface\n"
@@ -1707,7 +1710,7 @@ void print_help(int mode) {
 "\n"
 "                       For Windows, stunnel has been ported to it and there\n"
 "                       are probably other such tools available.  See the FAQ\n"
-"                       for more examples.\n"
+"                       and SSVNC for more examples.\n"
 "\n"
 "-stunnel3  [pem]       Use version 3.x stunnel command line syntax instead of\n"
 "                       version 4.x\n"
@@ -3879,7 +3882,9 @@ void print_help(int mode) {
 "                                       disable).\n"
 /* access */
 "                       allowonce:host  For the next connection only, allow\n"
-"                                       connection from \"host\".\n"
+"                                       connection from \"host\". In -ssl mode\n"
+"                                       two connections are allowed (i.e. Fetch\n"
+"                                       Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1\n"
 /* access */
 "                       allow:hostlist  set -allow list to (comma separated)\n"
 "                                       \"hostlist\". See -allow and -localhost.\n"
@@ -4212,14 +4217,14 @@ void print_help(int mode) {
 "                       nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
 "                       scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
 "                       scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
-"                       fixscreen noxrecord xrecord reset_record pointer_mode\n"
+"                       fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
-"                       pm input_skip allinput noallinput input grabkbd\n"
+"                       input_skip allinput noallinput input grabkbd nograbkbd\n"
-"                       nograbkbd grabptr nograbptr grabalways nograbalways\n"
+"                       grabptr nograbptr grabalways nograbalways grablocal\n"
 "                       client_input ssltimeout speeds wmdt debug_pointer dp\n"
 "                       nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
-"                       nodk deferupdate defer wait_ui wait_bog nowait_bog\n"
+"                       nodk keycode deferupdate defer wait_ui wait_bog\n"
-"                       slow_fb xrefresh wait readtimeout nap nonap sb\n"
+"                       nowait_bog slow_fb xrefresh wait readtimeout nap nonap\n"
-"                       screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
+"                       sb screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
 "                       noclientdpms forcedpms noforcedpms noserverdpms\n"
 "                       serverdpms noultraext ultraext fs gaps grow fuzz snapfb\n"
 "                       nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"
@@ -4235,7 +4240,7 @@ void print_help(int mode) {
 "                       nodbg macnosaver macsaver nomacnosaver macnowait macwait\n"
 "                       nomacnowait macwheel macnoswap macswap nomacnoswap\n"
 "                       macnoresize macresize nomacnoresize maciconanim macmenu\n"
-"                       macnomenu nomacmenu noremote\n"
+"                       macnomenu nomacmenu macuskbd nomacuskbd noremote\n"
 "\n"
 "                       aro=  noop display vncdisplay desktopname guess_desktop\n"
 "                       http_url auth xauth users rootshift clipshift\n"
@@ -4253,7 +4258,6 @@ void print_help(int mode) {
 "                       dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n"
 "                       coff_x coff_y rfbauth passwd viewpasswd\n"
 "\n"
-"\n"
 "-QD variable           Just like -query variable, but returns the default\n"
 "                       value for that parameter (no running x11vnc server\n"
 "                       is consulted)\n"

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -1227,6 +1227,9 @@ static void csock_timeout (int sig) {
 	}
 }
+#define PROXY_HACK 0
+#if PROXY_HACK
 static int wait_conn(int sock) {
 	int conn;
 	struct sockaddr_in addr;
@@ -1247,6 +1250,8 @@ static int wait_conn(int sock) {
 	return conn;
 }
+/* no longer used */
 int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
    int mode) {
 	int sock1, db = 0;
@@ -1321,6 +1326,31 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
 	return 1;
 }
+#endif	/* PROXY_HACK */
+static int check_ssl_access(char *addr) {
+	static char *save_allow_once = NULL;
+	static time_t time_allow_once = 0;
+	/* due to "Fetch Cert" activities for SSL really need to "allow twice" */
+	if (allow_once != NULL) {
+		save_allow_once = strdup(allow_once);
+		time_allow_once = time(NULL);
+	} else if (save_allow_once != NULL) {
+		if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
+			;
+		} else if (time(NULL) < time_allow_once + 30) {
+			/* give them 30 secs to check and save the fetched cert. */
+			allow_once = save_allow_once; 
+			rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n");
+			rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n");
+		}
+		save_allow_once = NULL;
+		time_allow_once = 0;
+	}
+	return check_access(addr);
+}
 void accept_openssl(int mode, int presock) {
 	int sock = -1, listen = -1, cport, csock, vsock;	
@@ -1407,6 +1437,17 @@ void accept_openssl(int mode, int presock) {
 		openssl_last_ip = get_remote_host(sock);
 	}
+	if (!check_ssl_access(openssl_last_ip)) {
+		rfbLog("SSL: accept_openssl: denying client %s\n", openssl_last_ip);
+		rfbLog("SSL: accept_openssl: does not match -allow (or other reason).\n");
+		close(sock);
+		sock = -1;
+		if (ssl_no_fail) {
+			clean_up_exit(1);
+		}
+		return;
+	}
 	/* now make a listening socket for child to connect back to us by: */
 	cport = find_free_port(20000, 0);

--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
 .TH X11VNC "1" "September 2008" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.4, lastmod: 2008-09-14
+         version: 0.9.4, lastmod: 2008-09-16
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -657,10 +657,12 @@ the comma separated list of hostnames or IP addresses.
 Can also be a numerical IP prefix, e.g. "192.168.100."
 to match a simple subnet, for more control build
 libvncserver with libwrap support (See the FAQ).  If the
-list contains a "/" it instead is a interpreted as a
+list contains a "/" it instead is a interpreted
-file containing addresses or prefixes that is re-read
+as a file containing addresses or prefixes that is
-each time a new client connects.  Lines can be commented
+re-read each time a new client connects.  Lines can be
-out with the "#" character in the usual way.
+commented out with the "#" character in the usual way.
+.IP
+\fB-allow\fR applies in \fB-ssl\fR mode, but not in \fB-stunnel\fR mode.
 .PP
 \fB-localhost\fR
 .IP
@@ -1923,7 +1925,7 @@ on Unix using stunnel 3.x is:
 .IP
 For Windows, stunnel has been ported to it and there
 are probably other such tools available.  See the FAQ
-for more examples.
+and SSVNC for more examples.
 .PP
 \fB-stunnel3\fR \fI[pem]\fR
 .IP
@@ -4553,7 +4555,9 @@ proxy:host:port set reverse connection proxy (empty to
 disable).
 .IP
 allowonce:host  For the next connection only, allow
-connection from "host".
+connection from "host". In \fB-ssl\fR mode
+two connections are allowed (i.e. Fetch
+Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
 .IP
 allow:hostlist  set \fB-allow\fR list to (comma separated)
 "hostlist". See \fB-allow\fR and \fB-localhost.\fR
@@ -5129,14 +5133,14 @@ nowireframe nowf wireframelocal wfl nowireframelocal
 nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
 scr_skip scr_inc scr_keys scr_term scr_keyrepeat
 scr_parms scrollcopyrect scr noscrollcopyrect noscr
-fixscreen noxrecord xrecord reset_record pointer_mode
+fixscreen noxrecord xrecord reset_record pointer_mode pm
-pm input_skip allinput noallinput input grabkbd
+input_skip allinput noallinput input grabkbd nograbkbd
-nograbkbd grabptr nograbptr grabalways nograbalways
+grabptr nograbptr grabalways nograbalways grablocal
 client_input ssltimeout speeds wmdt debug_pointer dp
 nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
-nodk deferupdate defer wait_ui wait_bog nowait_bog
+nodk keycode deferupdate defer wait_ui wait_bog
-slow_fb xrefresh wait readtimeout nap nonap sb
+nowait_bog slow_fb xrefresh wait readtimeout nap nonap
-screen_blank fbpm nofbpm dpms nodpms clientdpms
+sb screen_blank fbpm nofbpm dpms nodpms clientdpms
 noclientdpms forcedpms noforcedpms noserverdpms
 serverdpms noultraext ultraext fs gaps grow fuzz snapfb
 nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
@@ -5152,7 +5156,7 @@ debug_grabs nodebug_grabs debug_sel nodebug_sel dbg
 nodbg macnosaver macsaver nomacnosaver macnowait macwait
 nomacnowait macwheel macnoswap macswap nomacnoswap
 macnoresize macresize nomacnoresize maciconanim macmenu
-macnomenu nomacmenu noremote
+macnomenu nomacmenu macuskbd nomacuskbd noremote
 .IP
 aro=  noop display vncdisplay desktopname guess_desktop
 http_url auth xauth users rootshift clipshift

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.4 lastmod: 2008-09-14";
+char lastmod[] = "0.9.4 lastmod: 2008-09-16";
 /* X display info */