SSL Java viewer work thru proxy. -sslGenCA, etc key/cert management utils...

 SSL Java viewer work thru proxy.  -sslGenCA, etc key/cert management utils for x11vnc.  FBPM "support".

ChangeLog

+2006-04-05  Karl Runge <runge@karlrunge.com>
+	* classes/ssl: SSL Java viewer workarounds for firewall
+	  proxies (signed applet as last resort, proxy.vnc).
+	  include ssl_vncviewer stunnel wrapper script.
+
 2006-03-28  Steven Carr <scarr@jsa-usa.com>
 	* SDLvncviewer.c, rfbproto.c, vncviewer.c, main.c, rfbserver.c,
 	  rfb.h, rfbclient.h, rfbproto.h: add new encoding: KeyboardLedState

classes/ssl/Makefile.am

-EXTRA_DIST=VncViewer.jar  index.vnc
+EXTRA_DIST=VncViewer.jar index.vnc SignedVncViewer.jar proxy.vnc README ssl_vncviewer
 

classes/ssl/README

+This directory contains a patched Java applet VNC viewer that is SSL
+enabled.
+
+The patches in the *.patch files are relative to the source tarball:
+
+	tightvnc-1.3dev7_javasrc.tar.gz  
+
+currently (4/06) available here:
+
+   http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download
+
+It also includes some simple patches to:
+
+	- fix richcursor colors
+
+	- make the Java Applet cursor (not the cursor drawn to the canvas
+	  framebuffer) invisible when it is inside the canvas.
+
+	- allow Tab (and some other) keystrokes to be sent to the vnc
+	  server instead of doing widget traversal.
+
+
+This SSL applet should work with any VNC viewer that has an SSL tunnel in
+front of it.  It has been tested on x11vnc and using the stunnel tunnel
+to other VNC servers.
+
+By default this Vnc Viewer will only do SSL.  To do unencrypted traffic
+see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).
+
+Proxies: they are a general problem with java socket applets (a socket
+connection does not go through the proxy).  See the info in the proxy.vnc
+file for a workaround.  It uses SignedVncViewer.jar which is simply
+a signed version of VncViewer.jar.  The basic idea is the user clicks
+"Yes" to trust the applet and then it can connect directly to the proxy
+and issue a CONNECT request.
+
+This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
+Java plugin.  It may not work on older releases or different vendor VM's.
+Send full Java Console output for failures.
+
+---------------------------------------------------------------
+Tips:
+
+When doing single-port proxy connections (e.g. both VNC and HTTPS
+thru port 5900) it helps to move through the 'do you trust this site'
+dialogs quickly.   x11vnc has to wait to see if the traffic is VNC or
+HTTP and this can cause timeouts if you don't move thru them quickly.
+
+You may have to restart your browser completely if it gets into a
+weird state.  For one case we saw the JVM requesting VncViewer.class
+even when no such file exists.
+
+
+---------------------------------------------------------------
+Extras:
+
+ssl_vncviewer (not Java):
+
+        Wrapper script for native VNC viewer to connect to x11vnc in
+        SSL mode.  Script launches stunnel(8) and then connects to it
+        via localhost which in turn is then redirected to x11vnc via an
+        SSL tunnel.  stunnel(8) must be installed and available in PATH.
+
+
+Running Java SSL VncViewer from the command line:
+
+	From this directory:
+
+	java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>
+
+	substitute <thehost> and <theport> with the actual values.
+

classes/ssl/proxy.vnc

+<!-- 
+     index.vnc - default HTML page for TightVNC Java viewer applet, to be
+     used with Xvnc. On any file ending in .vnc, the HTTP server embedded in
+     Xvnc will substitute the following variables when preceded by a dollar:
+     USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,
+     PARAMS. Use two dollar signs ($$) to get a dollar sign in the generated
+     HTML page.
+
+     NOTE: the $PARAMS variable is not supported by the standard VNC, so
+     make sure you have TightVNC on the server side, if you're using this
+     variable.
+-->
+
+<!--
+The idea behind using the signed applet in SignedVncViewer.jar for
+firewall proxies:
+
+Java socket applets and http proxies do not get along well.
+
+Java security allows the applet to connect back via a socket to the
+originating host, but the browser/plugin Proxy settings are not used for
+socket connections (only http and the like).  So the socket connection
+fails in the proxy environment.
+
+The applet is not allowed to open a socket connection to the proxy (since
+that would let it connect to just about any host, e.g. CONNECT method).
+
+This is indpendent of SSL but of course fails for that socket connection
+as well.  I.e. this is a problem for non-SSL VNC Viewers as well.
+
+Solution?  Sign the applet and have the user click on "Yes" that they
+fully trust the applet.  Then the applet can connect to any host via
+sockets, in particular the proxy.  It next issues the request
+
+	CONNECT host:port HTTP/1.1
+	Host: host:port
+
+and if the proxy supports the CONNECT method we are finally connected to
+the VNC server.
+
+For SSL connections, SSL is layered on top of this socket.  However note
+this scheme will work for non-SSL applet proxy tunnelling as well.
+
+It should be able to get non-SSL VNC connections to work via GET
+command but that has not been done yet.
+
+Note that some proxies only allow CONNECT to only these the ports 443
+(HTTPS) and 563 (SNEWS).  So you would have to run the VNC server on
+those ports.
+
+SignedVncViewer.jar is just a signed version of VncViewer.jar
+
+The URL to use for this file:  https://host:port/proxy.vnc
+
+-->
+
+
+<HTML>
+<TITLE>
+$USER's $DESKTOP desktop ($DISPLAY)
+</TITLE>
+<APPLET CODE=VncViewer.class ARCHIVE=SignedVncViewer.jar
+        WIDTH=$APPLETWIDTH HEIGHT=$APPLETHEIGHT>
+<param name=PORT value=$PORT>
+<param name="Open New Window" value=yes>
+$PARAMS
+</APPLET>
+<BR>
+<A href="http://www.tightvnc.com/">TightVNC site</A>
+</HTML>

classes/ssl/ssl_vncviewer

+#!/bin/sh
+#
+# ssl_vncviewer:  wrapper for vncviewer to use stunnel SSL tunnel.
+#
+# You must have stunnel(8) installed on the system and in your
+# PATH (n.b. stunnel is usually in an sbin subdir).
+#
+# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..." 
+# running as the VNC server. 
+#
+# usage: ssl_vncviewer [cert-args] host:display <vncviewer-args>
+#
+# e.g.:  ssl_vncviewer snoopy:0
+#        ssl_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
+#
+# [cert-args] can be:
+#	-verify /path/to/cacert.pem		
+#	-mycert /path/to/mycert.pem		
+#
+# -verify specifies a CA cert PEM file (or a self-signed one) for
+#         authenticating the VNC server.
+#
+# -mycert specifies this client's cert+key PEM file for the VNC server to
+#	  authenticate this client. 
+#
+
+VNCVIEWERCMD="vncviewer"
+PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH
+
+help() {
+	head -26 $0 | tail +2
+}
+
+# grab our cmdline options:
+while [ "X$1" != "X" ]
+do
+    case $1 in 
+	"-verify")	shift; verify="$1"
+                ;;
+	"-mycert")	shift; mycert="$1"
+                ;;
+	"-h"*)	help; exit 0
+                ;;
+	*)	break
+                ;;
+    esac
+    shift
+done
+
+orig="$1"
+shift
+
+# play around with host:display port:
+if ! echo "$orig" | grep ':' > /dev/null; then
+	orig="$orig:0"
+fi
+
+host=`echo "$orig" | awk -F: '{print $1}'`
+disp=`echo "$orig" | awk -F: '{print $2}'`
+if [ $disp -lt 200 ]; then
+	port=`expr $disp + 5900`
+fi
+
+# try to find an open listening port via netstat(1):
+use=""
+if uname | grep Linux > /dev/null; then
+	inuse=`netstat -ant | grep LISTEN | awk '{print $4}' | sed 's/^.*://'`
+	try=5920
+	while [ $try -lt 6000 ]
+	do
+		if ! echo "$inuse" | grep -w $try > /dev/null; then
+			use=$try
+			break
+		fi
+		try=`expr $try + 1`
+	done
+fi
+if [ "X$use" = "X" ]; then
+	# otherwise choose a "random" one:
+	use=`date +%S`
+	use=`expr $use + 5920`
+fi
+
+# create the stunnel config file:
+if [ "X$verify" != "X" ]; then
+	if [ -d $verify ]; then
+		verify="CApath = $verify"
+	else
+		verify="CAfile = $verify"
+	fi
+	verify="$verify
+verify = 2"
+fi
+if [ "X$mycert" != "X" ]; then
+	cert="cert = $mycert"
+fi
+
+##debug = 7
+tmp=/tmp/ssl_vncviewer.$$
+cat > $tmp <<END
+foreground = yes
+pid =
+client = yes
+$verify
+$cert
+
+[vnc_stunnel]
+accept = $use
+connect= $host:$port
+END
+
+echo ""
+echo "Using this stunnel configuration:"
+cat $tmp
+echo ""
+sleep 1
+
+echo "running: stunnel $tmp"
+stunnel $tmp < /dev/tty > /dev/tty &
+pid=$!
+echo ""
+
+# pause here to let the user supply a possible passphrase for the
+# mycert key:
+if [ "X$mycert" != "X" ]; then
+	sleep 4
+fi
+sleep 2
+rm -f $tmp
+
+if [ $use -ge 5900 ]; then
+	n=`expr $use - 5900`
+fi
+
+if echo "$0" | grep vncip > /dev/null; then
+	# hack for runge's special wrapper script vncip.
+	vncip "$@" localhost:$n
+else
+	$VNCVIEWERCMD "$@" localhost:$n
+fi
+
+kill $pid

configure.ac

@@ -59,6 +59,7 @@ AH_TEMPLATE(HAVE_LIBXTRAP, [DEC-XTRAP extension build environment present])
 AH_TEMPLATE(HAVE_RECORD, [RECORD extension build environment present])
 AH_TEMPLATE(HAVE_SOLARIS_XREADSCREEN, [Solaris XReadScreen available])
 AH_TEMPLATE(HAVE_IRIX_XREADDISPLAY, [IRIX XReadDisplay available])
+AH_TEMPLATE(HAVE_FBPM, [FBPM extension build environment present])
 
 AC_ARG_WITH(xkeyboard,
 [  --without-xkeyboard     disable xkeyboard extension support],,)
@@ -74,6 +75,8 @@ AC_ARG_WITH(xtrap,
 [  --without-xtrap         disable xtrap extension support],,)
 AC_ARG_WITH(xrecord,
 [  --without-xrecord       disable xrecord extension support],,)
+AC_ARG_WITH(fbpm,
+[  --without-fbpm          disable fbpm extension support],,)
 
 if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
 	AC_CHECK_LIB(X11, XGetImage, HAVE_X="true",
@@ -95,6 +98,11 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
 			[AC_DEFINE(HAVE_IRIX_XREADDISPLAY)], ,
 			[#include <X11/Xlib.h>])
 
+		AC_CHECK_HEADER(X11/extensions/fbpm.h,
+			[AC_DEFINE(HAVE_FBPM)], ,
+			[#include <X11/Xlib.h>
+#include <X11/Xmd.h>])
+
 		AC_CHECK_LIB(Xtst, XTestGrabControl, 
 			X_PRELIBS="-lXtst $X_PRELIBS"
 			[AC_DEFINE(HAVE_XTESTGRABCONTROL) HAVE_XTESTGRABCONTROL="true"], ,

prepare_x11vnc_dist.sh

@@ -62,7 +62,7 @@ cp classes/ssl/Makefile.am classes/ssl/Makefile.am.LibVNCServer
 sed -e 's/EXTRA_DIST=/EXTRA_DIST=tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch /' \
 	classes/ssl/Makefile.am.LibVNCServer > classes/ssl/Makefile.am
 echo 'pkgdatadir = $(datadir)/@PACKAGE@/classes/ssl' >> classes/ssl/Makefile.am
-echo 'pkgdata_DATA=VncViewer.jar index.vnc' >> classes/ssl/Makefile.am
+echo 'pkgdata_DATA=VncViewer.jar index.vnc SignedVncViewer.jar proxy.vnc ssl_vncviewer README' >> classes/ssl/Makefile.am
 
 mv acinclude.m4 acinclude.m4.LibVNCServer
 

x11vnc/ChangeLog

+2006-04-05  Karl Runge <runge@karlrunge.com>
+	* x11vnc: add FBPM support (-fbpm) for Suns. -rawfb ZERO for
+	  testing.  Basic key+cert management utilities: -sslGenCA,
+	  -sslGenCert, -sslEncKey, -sslDelCert, -sslCertInfo, and
+	  addln features.  SSL proxy connection.  -storepasswd with
+	  no args or pw echo.
+
 2006-03-26  Karl Runge <runge@karlrunge.com>
 	* x11vnc: -xinerama now on by default.  In -ssl mode accept https
 	  applet downloads thru VNC port.  -https option for 2nd https

x11vnc/Makefile.am

@@ -13,7 +13,7 @@ endif
 
 if HAVE_X
 bin_PROGRAMS=x11vnc
-x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
+x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pm.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pm.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h ssltools.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
 INCLUDES=@X_CFLAGS@
 x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC)
 endif

x11vnc/cleanup.c

@@ -33,6 +33,7 @@ int trap_getimage_xerror(Display *d, XErrorEvent *error);
 char *xerror_string(XErrorEvent *error);
 void initialize_crash_handler(void);
 void initialize_signals(void);
+void unset_signals(void);
 int known_sigpipe_mode(char *s);
 
 
@@ -107,8 +108,13 @@ static void clean_icon_mode(void) {
  * Normal exiting
  */
 void clean_up_exit (int ret) {
+	static int depth = 0;
 	exit_flag = 1;
 
+	if (depth++ > 2) {
+		exit(ret);
+	}
+
 	if (icon_mode) {
 		clean_icon_mode();
 	}
@@ -427,6 +433,19 @@ void initialize_signals(void) {
 	X_UNLOCK;
 }
 
+void unset_signals(void) {
+	signal(SIGHUP,  SIG_DFL);
+	signal(SIGINT,  SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+	signal(SIGABRT, SIG_DFL);
+	signal(SIGTERM, SIG_DFL);
+	signal(SIGBUS,  SIG_DFL);
+	signal(SIGSEGV, SIG_DFL);
+	signal(SIGFPE,  SIG_DFL);
+	signal(SIGPIPE, SIG_DFL);
+}
+
+
 int known_sigpipe_mode(char *s) {
 /*
  * skip, ignore, exit

x11vnc/cleanup.h

@@ -20,6 +20,7 @@ extern int trap_getimage_xerror(Display *d, XErrorEvent *error);
 extern char *xerror_string(XErrorEvent *error);
 extern void initialize_crash_handler(void);
 extern void initialize_signals(void);
+extern void unset_signals(void);
 extern int known_sigpipe_mode(char *s);
 
 #endif /* _X11VNC_CLEANUP_H */

x11vnc/connections.c

@@ -2190,4 +2190,3 @@ void check_new_clients(void) {
 	}
 }
 
-

x11vnc/options.c

@@ -23,6 +23,7 @@ int stunnel_port = 0;
 char *stunnel_pem = NULL;
 int use_openssl = 0;
 char *openssl_pem = NULL;
+char *ssl_certs_dir = NULL;
 int https_port_num = -1;
 char *ssl_verify = NULL;
 int ssl_initialized = 0;
@@ -279,6 +280,13 @@ int napfac = 4;		/* time = napfac*waitms, cut load with extra waits */
 int napmax = 1500;	/* longest nap in ms. */
 int ui_skip = 10;	/* see watchloop.  negative means ignore input */
 
+
+#if LIBVNCSERVER_HAVE_FBPM
+int watch_fbpm = 1;	/* -nofbpm */
+#else
+int watch_fbpm = 0;
+#endif
+
 int watch_selection = 1;	/* normal selection/cutbuffer maintenance */
 int watch_primary = 1;		/* more dicey, poll for changes in PRIMARY */
 int watch_clipboard = 1;

x11vnc/options.h

@@ -23,6 +23,7 @@ extern int stunnel_port;
 extern char *stunnel_pem;
 extern int use_openssl;
 extern char *openssl_pem;
+extern char *ssl_certs_dir;
 extern int https_port_num;
 extern char *ssl_verify;
 extern int ssl_initialized;
@@ -208,6 +209,8 @@ extern int napfac;
 extern int napmax;
 extern int ui_skip;
 
+extern int watch_fbpm;
+
 extern int watch_selection;
 extern int watch_primary;
 extern int watch_clipboard;

x11vnc/pm.c

+/* -- pm.c -- */
+#include "x11vnc.h"
+#include "cleanup.h"
+
+void check_pm(void);
+static void check_fbpm(void);
+
+#if LIBVNCSERVER_HAVE_FBPM
+#include <X11/Xmd.h>
+#include <X11/extensions/fbpm.h>
+#endif
+
+void check_pm(void) {
+	check_fbpm();
+	/* someday dpms activities? */
+}
+
+static void check_fbpm(void) {
+	static int init_fbpm = 0;
+#if LIBVNCSERVER_HAVE_FBPM
+	static int fbpm_capable = 0;
+	static time_t last_fbpm = 0;
+	int db = 1;
+
+	CARD16 level;
+	BOOL enabled;
+
+	if (raw_fb && ! dpy) return;	/* raw_fb hack */
+
+	if (! init_fbpm) {
+		if (FBPMCapable(dpy)) {
+			fbpm_capable = 1;
+			rfbLog("X display is capable of FBPM.\n");
+			if (watch_fbpm) {
+				rfbLog("Preventing low-power FBPM modes when"
+				    " VNC clients are connected.\n");
+			}
+		} else {
+			rfbLog("X display is not capable of FBPM.\n");
+			fbpm_capable = 0;
+		}
+		init_fbpm = 1;
+	}
+
+	if (! watch_fbpm) {
+		return;
+	}
+	if (! fbpm_capable) {
+		return;
+	}
+	if (! client_count) {
+		return;
+	}
+	if (time(0) < last_fbpm + 5) {
+		return;
+	}
+	last_fbpm = time(0);
+
+	if (FBPMInfo(dpy, &level, &enabled)) {
+		if (db) fprintf(stderr, "FBPMInfo level: %d enabled: %d\n", level, enabled);
+
+		if (enabled && level != FBPMModeOn) {
+			char *from = "unknown-fbpm-state";
+			XErrorHandler old_handler = XSetErrorHandler(trap_xerror);
+			trapped_xerror = 0;
+
+			if (level == FBPMModeStandby) {
+				from = "FBPMModeStandby";
+			} else if (level == FBPMModeSuspend) {
+				from = "FBPMModeSuspend";
+			} else if (level == FBPMModeOff) {
+				from = "FBPMModeOff";
+			}
+
+			rfbLog("switching FBPM state from %s to FBPMModeOn\n", from);
+			
+			FBPMForceLevel(dpy, FBPMModeOn);
+		
+			XSetErrorHandler(old_handler);
+			trapped_xerror = 0;
+		}
+	} else {
+		if (db) fprintf(stderr, "FBPMInfo failed.\n");
+	}
+#else
+	if (raw_fb && ! dpy) return;	/* raw_fb hack */
+	if (! init_fbpm) {
+		rfbLog("X FBPM extension not supported.\n");
+		init_fbpm = 1;
+	}
+#endif
+}
+

x11vnc/pm.h

+#ifndef _X11VNC_PM_H
+#define _X11VNC_PM_H
+
+/* -- pm.h -- */
+extern void check_pm(void);
+
+#endif /* _X11VNC_PM_H */

x11vnc/remote.c

@@ -3173,6 +3173,21 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 		    screen_blank, w);
 		screen_blank = w;
 
+	} else if (!strcmp(p, "fbpm")) {
+		if (query) {
+			snprintf(buf, bufn, "ans=%s:%d", p, !watch_fbpm);
+			    goto qry;
+		}
+		rfbLog("remote_cmd: turning off -nofbpm mode.\n");
+		watch_fbpm = 0;
+	} else if (!strcmp(p, "nofbpm")) {
+		if (query) {
+			snprintf(buf, bufn, "ans=%s:%d", p, watch_fbpm);
+			    goto qry;
+		}
+		rfbLog("remote_cmd: turning on -nofbpm mode.\n");
+		watch_fbpm = 1;
+
 	} else if (strstr(p, "fs") == p) {
 		COLON_CHECK("fs:")
 		if (query) {

x11vnc/scan.c

@@ -2148,7 +2148,6 @@ static void ping_clients(int tile_cnt) {
 		last_send = now;
 	} else if (now - last_send > 2) {
 		/* Send small heartbeat to client */
-if (0) fprintf(stderr, "ping_clients 2\n");
 		mark_rect_as_modified(0, 0, 1, 1, 1);
 		last_send = now;
 	}

x11vnc/screen.c

@@ -704,7 +704,9 @@ static XImage *initialize_raw_fb(void) {
 	if (! raw_fb_str) {
 		return NULL;
 	}
-
+	if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")) {
+		raw_fb_str = strdup("map:/dev/zero@640x480x32");
+	}
 
 	if ( (q = strstr(raw_fb_str, "setup:")) == raw_fb_str) {
 		FILE *pipe;

x11vnc/sslcmds.c

@@ -3,6 +3,8 @@
 #include "x11vnc.h"
 #include "inet.h"
 #include "cleanup.h"
+#include "sslhelper.h"
+#include "ssltools.h"
 
 #if LIBVNCSERVER_HAVE_FORK
 #if LIBVNCSERVER_HAVE_SYS_WAIT_H
@@ -17,6 +19,10 @@ void check_stunnel(void);
 int start_stunnel(int stunnel_port, int x11vnc_port);
 void stop_stunnel(void);
 void setup_stunnel(int rport, int *argc, char **argv);
+char *get_Cert_dir(char *cdir_in, char **tmp_in);
+void sslGenCA(char *cdir);
+void sslGenCert(char *ty, char *nm);
+void sslEncKey(char *path, int info_only);
 
 static pid_t stunnel_pid = 0;
 
@@ -293,3 +299,381 @@ void setup_stunnel(int rport, int *argc, char **argv) {
 	clean_up_exit(1);
 }
 
+char *get_Cert_dir(char *cdir_in, char **tmp_in) {
+	char *cdir, *home, *tmp;
+	struct stat sbuf;
+	int i;
+	char *cases1[] = {"/.vnc", "/.vnc/certs", "/.vnc/certs/CA"};
+	char *cases2[] = {"", "/CA", "/tmp"};
+
+	if (cdir_in != NULL) {
+		cdir = cdir_in;
+	} else {
+		cdir = ssl_certs_dir;
+	}
+
+	if (cdir == NULL) {
+		home = get_home_dir();
+		if (! home) {
+			return NULL;
+		}
+		cdir = (char *) malloc(strlen(home) + strlen("/.vnc/certs/CA") + 1);
+		for (i=0; i<3; i++) {
+			sprintf(cdir, "%s%s", home, cases1[i]);
+			if (stat(cdir, &sbuf) != 0) {
+				rfbLog("creating dir: %s\n", cdir);
+				if (mkdir(cdir, 0755) != 0) {
+					rfbLog("could not create directory %s\n", cdir);
+					rfbLogPerror("mkdir");
+					return NULL;
+				}
+			} else if (! S_ISDIR(sbuf.st_mode)) {
+				rfbLog("not a directory: %s\n", cdir);
+				return NULL;
+			}
+		}
+		sprintf(cdir, "%s%s", home, cases1[1]);
+	}
+
+	tmp = (char *) malloc(strlen(cdir) + 10);
+	for (i=0; i<3; i++) {
+		int ret;
+		sprintf(tmp, "%s%s", cdir, cases2[i]);
+		if (stat(tmp, &sbuf) != 0) {
+			rfbLog("creating dir: %s\n", tmp);
+			if (! strcmp(cases2[i], "/tmp")) {
+				ret = mkdir(tmp, 0700);
+			} else {
+				ret = mkdir(tmp, 0755);
+			}
+				
+			if (ret != 0) {
+				rfbLog("could not create directory %s\n", tmp);
+				rfbLogPerror("mkdir");
+				return NULL;
+			}
+		} else if (! S_ISDIR(sbuf.st_mode)) {
+			rfbLog("not a directory: %s\n", tmp);
+			return NULL;
+		}
+	}
+	sprintf(tmp, "%s/tmp", cdir);
+	*tmp_in = tmp;
+	return cdir;
+}
+
+void sslGenCA(char *cdir) {
+	char *openssl = find_openssl_bin();
+	char *tmp, *cmd, *scr, *cdir_use;
+	FILE *out;
+
+	if (! openssl) {
+		exit(1);
+	}
+
+	cdir_use = get_Cert_dir(cdir, &tmp);
+	if (! cdir_use) {
+		exit(1);
+	}
+
+	cmd = (char *) malloc(strlen(tmp) + 100);
+	scr = (char *) malloc(strlen(tmp) + 100);
+
+	sprintf(cmd, "%s/genca.%d.sh", tmp, getpid());
+	out = fopen(cmd, "w");
+	if (! out) {
+		rfbLog("could not open: %s\n", cmd);
+		rfbLogPerror("fopen");
+		exit(1);
+	}
+	fprintf(out, "%s", genCA);
+	fclose(out);
+
+	sprintf(scr, "/bin/sh %s", cmd);
+
+	rfbLog("Using openssl:   %s\n", openssl);
+	rfbLog("Using certs dir: %s\n", cdir_use);
+	fprintf(stderr, "\n");
+
+	set_env("BASE_DIR", cdir_use);
+	set_env("OPENSSL", openssl);
+
+	system(scr);
+	unlink(cmd);
+}
+
+void sslGenCert(char *ty, char *nm) {
+	char *openssl = find_openssl_bin();
+	char *tmp, *cmd, *scr, *cdir_use;
+	FILE *out;
+
+	if (! openssl) {
+		exit(1);
+	}
+
+	cdir_use = get_Cert_dir(NULL, &tmp);
+	if (! cdir_use) {
+		exit(1);
+	}
+
+	cmd = (char *) malloc(strlen(tmp) + 100);
+	scr = (char *) malloc(strlen(tmp) + 100);
+
+	sprintf(cmd, "%s/gencert.%d.sh", tmp, getpid());
+	out = fopen(cmd, "w");
+	if (! out) {
+		rfbLog("could not open: %s\n", cmd);
+		rfbLogPerror("fopen");
+		exit(1);
+	}
+	fprintf(out, "%s", genCert);
+	fclose(out);
+
+	sprintf(scr, "/bin/sh %s", cmd);
+
+	rfbLog("Using openssl:   %s\n", openssl);
+	rfbLog("Using certs dir: %s\n", cdir_use);
+	fprintf(stderr, "\n");
+
+	set_env("BASE_DIR", cdir_use);
+	set_env("OPENSSL", openssl);
+	if (! ty) {
+		set_env("TYPE", "");
+	} else {
+		set_env("TYPE", ty);
+	}
+	if (! nm) {
+		set_env("NAME", "");
+	} else {
+		char *q = strstr(nm, "SAVE-");
+		if (!strcmp(nm, "SAVE")) {
+			set_env("NAME", "");
+		} else if (q == nm) {
+			q += strlen("SAVE-");
+			set_env("NAME", q);
+		} else {
+			set_env("NAME", nm);
+		}
+	}
+
+	system(scr);
+	unlink(cmd);
+}
+
+void sslEncKey(char *path, int mode) {
+	char *openssl = find_openssl_bin();
+	char *scr, *cert = NULL, *tca;
+	char line[1024], tmp[] = "/tmp/x11vnc-tmp.XXXXXX";
+	char *cdir = NULL;
+	int tmp_fd, incert, info_only = 0, delete_only = 0;
+	int listlong = 0;
+	struct stat sbuf;
+	FILE *file;
+	static int depth = 0;
+
+	if (depth > 0) {
+		/* get_saved_pem may call us back. */
+		return;
+	}
+	depth++;
+
+	if (mode == 1) {
+		info_only = 1;
+	} else if (mode == 2) {
+		delete_only = 1;
+	}
+
+	if (! openssl) {
+		exit(1);
+	}
+	cdir = get_Cert_dir(NULL, &tca);
+	if (! cdir) {
+		fprintf(stderr, "could not find Cert dir\n");
+		exit(1);
+	}
+
+	if (!strcasecmp(path, "LL") || !strcasecmp(path, "LISTL")) {
+		listlong = 1;
+		path = "LIST";
+	}
+
+	if (strstr(path, "SAVE") == path) {
+		char *p = get_saved_pem(path, 0);
+		if (p == NULL) {
+			fprintf(stderr, "could not find saved pem matching: %s\n", path);
+			exit(1);
+		}
+		path = p;
+
+	} else if (!strcmp(path, "CA") && cdir) {
+		tca = (char *) malloc(strlen(cdir) + strlen("/CA/cacert.pem") + 1);
+		sprintf(tca, "%s/CA/cacert.pem", cdir);
+		path = tca;
+
+	} else if (info_only && (!strcasecmp(path, "LIST") ||
+	    !strcasecmp(path, "ALL"))) {
+		if (! cdir || strchr(cdir, '\'')) {
+			fprintf(stderr, "bad certdir char: %s\n", cdir ? cdir : "null");
+			exit(1);
+		}
+		tca = (char *) malloc(2*strlen(cdir) + strlen(program_name) + 1000);
+		sprintf(tca, "find '%s' -type f | egrep '\\.(crt|pem|key|req)$' "
+		    "| grep -v CA/newcerts", cdir);
+		if (!strcasecmp(path, "ALL")) {
+			/* ugh.. */
+			strcat(tca, " | grep -v private/cakey.pem | xargs -n1 ");
+			strcat(tca, program_name);
+			strcat(tca, " -ssldir '");
+			strcat(tca, cdir);
+			strcat(tca, "' -sslCertInfo 2>&1 ");
+		} else if (listlong) {
+			strcat(tca, " | xargs ls -l ");
+		}
+		system(tca);
+		return;
+
+	} else if (info_only && (!strcasecmp(path, "HASHON") ||
+	    !strcasecmp(path, "HASHOFF"))) {
+
+		tmp_fd = mkstemp(tmp);
+		if (tmp_fd < 0) {
+			exit(1);
+		}
+
+		write(tmp_fd, genCert, strlen(genCert));
+		close(tmp_fd);
+
+		scr = (char *) malloc(strlen(tmp) + 100);
+		sprintf(scr, "/bin/sh %s", tmp);
+
+		set_env("BASE_DIR", cdir);
+		set_env("OPENSSL", openssl);
+		set_env("TYPE", "server");
+		if (!strcasecmp(path, "HASHON")) {
+			set_env("HASHON", "1");
+		} else {
+			set_env("HASHOFF", "1");
+		}
+		system(scr);
+		unlink(tmp);
+		return;
+	}
+
+	if (stat(path, &sbuf) != 0) {
+		if (strstr(path, "client") || strchr(path, '/') == NULL) {
+			int i;
+			tca = (char *) malloc(strlen(cdir) + strlen("/clients")
+			    + strlen(path) + 100);
+			for (i = 1; i <= 15; i++)  {
+				tca[0] = '\0';
+				if (       i == 1) {
+				    sprintf(tca, "%s/%s", cdir, path); 
+				} else if (i == 2 && mode > 0) {
+				    sprintf(tca, "%s/%s.crt", cdir, path); 
+				} else if (i == 3) {
+				    sprintf(tca, "%s/%s.pem", cdir, path); 
+				} else if (i == 4 && mode > 1) {
+				    sprintf(tca, "%s/%s.req", cdir, path); 
+				} else if (i == 5 && mode > 1) {
+				    sprintf(tca, "%s/%s.key", cdir, path); 
+				} else if (i == 6) {
+				    sprintf(tca, "%s/clients/%s", cdir, path); 
+				} else if (i == 7 && mode > 0) {
+				    sprintf(tca, "%s/clients/%s.crt", cdir, path); 
+				} else if (i == 8) {
+				    sprintf(tca, "%s/clients/%s.pem", cdir, path); 
+				} else if (i == 9 && mode > 1) {
+				    sprintf(tca, "%s/clients/%s.req", cdir, path); 
+				} else if (i == 10 && mode > 1) {
+				    sprintf(tca, "%s/clients/%s.key", cdir, path); 
+				} else if (i == 11) {
+				    sprintf(tca, "%s/server-%s", cdir, path); 
+				} else if (i == 12 && mode > 0) {
+				    sprintf(tca, "%s/server-%s.crt", cdir, path); 
+				} else if (i == 13) {
+				    sprintf(tca, "%s/server-%s.pem", cdir, path); 
+				} else if (i == 14 && mode > 1) {
+				    sprintf(tca, "%s/server-%s.req", cdir, path); 
+				} else if (i == 15 && mode > 1) {
+				    sprintf(tca, "%s/server-%s.key", cdir, path); 
+				}
+				if (tca[0] == '\0') {
+					continue;
+				}
+				if (stat(tca, &sbuf) == 0) {
+					path = tca;
+					break;
+				}
+			}
+		}
+	}
+
+	if (stat(path, &sbuf) != 0) {
+		rfbLog("sslEncKey: %s\n", path);
+		rfbLogPerror("stat");
+		exit(1);
+	}
+
+	if (! info_only) {
+		cert = (char *) malloc(2*sbuf.st_size);
+		file = fopen(path, "r");
+		if (file == NULL) {
+			rfbLog("sslEncKey: %s\n", path);
+			rfbLogPerror("fopen");
+			exit(1);
+		}
+		incert = 0;
+		cert[0] = '\0';
+		while (fgets(line, 1024, file) != NULL) {
+			if (strstr(line, "-----BEGIN CERTIFICATE-----") == line) {
+				incert = 1;
+			}
+			if (incert) {
+				strcat(cert, line);
+			}
+			if (strstr(line, "-----END CERTIFICATE-----") == line) {
+				incert = 0;
+			}
+		}
+		fclose(file);
+	}
+
+	tmp_fd = mkstemp(tmp);
+	if (tmp_fd < 0) {
+		exit(1);
+	}
+
+	write(tmp_fd, genCert, strlen(genCert));
+	close(tmp_fd);
+
+        scr = (char *) malloc(strlen(tmp) + 100);
+	sprintf(scr, "/bin/sh %s", tmp);
+
+	set_env("BASE_DIR", "/no/such/dir");
+	set_env("OPENSSL", openssl);
+	set_env("TYPE", "server");
+	if (info_only) {
+		set_env("INFO_ONLY", path);
+	} else if (delete_only) {
+		set_env("DELETE_ONLY", path);
+	} else {
+		set_env("ENCRYPT_ONLY", path);
+	}
+	system(scr);
+	unlink(tmp);
+
+	if (! mode && cert && cert[0] != '\0') {
+		file = fopen(path, "a");
+		if (file == NULL) {
+			rfbLog("sslEncKey: %s\n", path);
+			rfbLogPerror("fopen");
+			exit(1);
+		}
+		fprintf(file, cert);
+		fclose(file);
+		free(cert);
+	}
+
+	depth--;
+}
+

x11vnc/sslcmds.h

@@ -7,6 +7,10 @@ extern void check_stunnel(void);
 extern int start_stunnel(int stunnel_port, int x11vnc_port);
 extern void stop_stunnel(void);
 extern void setup_stunnel(int rport, int *argc, char **argv);
+extern char *get_Cert_dir(char *cdir_in, char **tmp_in);
+extern void sslGenCA(char *cdir);
+extern void sslGenCert(char *ty, char *nm);
+extern void sslEncKey(char *path, int info_only);
 
 
 #endif /* _X11VNC_SSLCMDS_H */

x11vnc/sslhelper.h

@@ -8,6 +8,8 @@
 #define OPENSSL_VNC   2
 #define OPENSSL_HTTPS 3
 
+#define DO_DH 0
+
 extern int openssl_sock;
 extern int openssl_port_num;
 extern int https_sock;
@@ -21,6 +23,8 @@ extern void check_openssl(void);
 extern void check_https(void);
 extern void ssl_helper_pid(pid_t pid, int sock);
 extern void accept_openssl(int mode);
+extern char *find_openssl_bin(void);
+extern char *get_saved_pem(char *string, int create);
 
 
 #endif /* _X11VNC_SSLHELPER_H */

x11vnc/tkx11vnc

@@ -294,6 +294,7 @@ Permissions
 	=F ssl_pem:
 	stunnel
 	=F stunnel_pem:
+	=F ssldir:
 	=F sslverify:
 	https:
 	=GAL LOFF
@@ -358,6 +359,7 @@ Tuning
 	threads
 	wmdt:
 	rfbwait:
+	nofbpm
 	=GAL LOFF
 "
 }

x11vnc/tkx11vnc.h

@@ -305,6 +305,7 @@ char gui_code[] = "";
 "	=F ssl_pem:\n"
 "	stunnel\n"
 "	=F stunnel_pem:\n"
+"	=F ssldir:\n"
 "	=F sslverify:\n"
 "	https:\n"
 "	=GAL LOFF\n"
@@ -369,6 +370,7 @@ char gui_code[] = "";
 "	threads\n"
 "	wmdt:\n"
 "	rfbwait:\n"
+"	nofbpm\n"
 "	=GAL LOFF\n"
 "\"\n"
 "}\n"

x11vnc/x11vnc.h

@@ -190,6 +190,8 @@
 #include <X11/extensions/XShm.h>
 #endif
 
+#include <dirent.h>
+
 #if LIBVNCSERVER_HAVE_XTEST
 #include <X11/extensions/XTest.h>
 #endif

x11vnc/x11vnc_defs.c

@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.1 lastmod: 2006-03-27";
+char lastmod[] = "0.8.1 lastmod: 2006-04-05";
 
 /* X display info */