Commit d14cf0a8 authored by runge's avatar runge

SSL Java viewer work thru proxy. -sslGenCA, etc key/cert management utils...

 SSL Java viewer work thru proxy.  -sslGenCA, etc key/cert management utils for x11vnc.  FBPM "support".
parent 1602b345
2006-04-05 Karl Runge <runge@karlrunge.com>
* classes/ssl: SSL Java viewer workarounds for firewall
proxies (signed applet as last resort, proxy.vnc).
include ssl_vncviewer stunnel wrapper script.
2006-03-28 Steven Carr <scarr@jsa-usa.com> 2006-03-28 Steven Carr <scarr@jsa-usa.com>
* SDLvncviewer.c, rfbproto.c, vncviewer.c, main.c, rfbserver.c, * SDLvncviewer.c, rfbproto.c, vncviewer.c, main.c, rfbserver.c,
rfb.h, rfbclient.h, rfbproto.h: add new encoding: KeyboardLedState rfb.h, rfbclient.h, rfbproto.h: add new encoding: KeyboardLedState
......
EXTRA_DIST=VncViewer.jar index.vnc EXTRA_DIST=VncViewer.jar index.vnc SignedVncViewer.jar proxy.vnc README ssl_vncviewer
This directory contains a patched Java applet VNC viewer that is SSL
enabled.
The patches in the *.patch files are relative to the source tarball:
tightvnc-1.3dev7_javasrc.tar.gz
currently (4/06) available here:
http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download
It also includes some simple patches to:
- fix richcursor colors
- make the Java Applet cursor (not the cursor drawn to the canvas
framebuffer) invisible when it is inside the canvas.
- allow Tab (and some other) keystrokes to be sent to the vnc
server instead of doing widget traversal.
This SSL applet should work with any VNC viewer that has an SSL tunnel in
front of it. It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.
By default this Vnc Viewer will only do SSL. To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).
Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy). See the info in the proxy.vnc
file for a workaround. It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar. The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.
This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin. It may not work on older releases or different vendor VM's.
Send full Java Console output for failures.
---------------------------------------------------------------
Tips:
When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly. x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.
You may have to restart your browser completely if it gets into a
weird state. For one case we saw the JVM requesting VncViewer.class
even when no such file exists.
---------------------------------------------------------------
Extras:
ssl_vncviewer (not Java):
Wrapper script for native VNC viewer to connect to x11vnc in
SSL mode. Script launches stunnel(8) and then connects to it
via localhost which in turn is then redirected to x11vnc via an
SSL tunnel. stunnel(8) must be installed and available in PATH.
Running Java SSL VncViewer from the command line:
From this directory:
java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>
substitute <thehost> and <theport> with the actual values.
<!--
index.vnc - default HTML page for TightVNC Java viewer applet, to be
used with Xvnc. On any file ending in .vnc, the HTTP server embedded in
Xvnc will substitute the following variables when preceded by a dollar:
USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,
PARAMS. Use two dollar signs ($$) to get a dollar sign in the generated
HTML page.
NOTE: the $PARAMS variable is not supported by the standard VNC, so
make sure you have TightVNC on the server side, if you're using this
variable.
-->
<!--
The idea behind using the signed applet in SignedVncViewer.jar for
firewall proxies:
Java socket applets and http proxies do not get along well.
Java security allows the applet to connect back via a socket to the
originating host, but the browser/plugin Proxy settings are not used for
socket connections (only http and the like). So the socket connection
fails in the proxy environment.
The applet is not allowed to open a socket connection to the proxy (since
that would let it connect to just about any host, e.g. CONNECT method).
This is indpendent of SSL but of course fails for that socket connection
as well. I.e. this is a problem for non-SSL VNC Viewers as well.
Solution? Sign the applet and have the user click on "Yes" that they
fully trust the applet. Then the applet can connect to any host via
sockets, in particular the proxy. It next issues the request
CONNECT host:port HTTP/1.1
Host: host:port
and if the proxy supports the CONNECT method we are finally connected to
the VNC server.
For SSL connections, SSL is layered on top of this socket. However note
this scheme will work for non-SSL applet proxy tunnelling as well.
It should be able to get non-SSL VNC connections to work via GET
command but that has not been done yet.
Note that some proxies only allow CONNECT to only these the ports 443
(HTTPS) and 563 (SNEWS). So you would have to run the VNC server on
those ports.
SignedVncViewer.jar is just a signed version of VncViewer.jar
The URL to use for this file: https://host:port/proxy.vnc
-->
<HTML>
<TITLE>
$USER's $DESKTOP desktop ($DISPLAY)
</TITLE>
<APPLET CODE=VncViewer.class ARCHIVE=SignedVncViewer.jar
WIDTH=$APPLETWIDTH HEIGHT=$APPLETHEIGHT>
<param name=PORT value=$PORT>
<param name="Open New Window" value=yes>
$PARAMS
</APPLET>
<BR>
<A href="http://www.tightvnc.com/">TightVNC site</A>
</HTML>
#!/bin/sh
#
# ssl_vncviewer: wrapper for vncviewer to use stunnel SSL tunnel.
#
# You must have stunnel(8) installed on the system and in your
# PATH (n.b. stunnel is usually in an sbin subdir).
#
# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..."
# running as the VNC server.
#
# usage: ssl_vncviewer [cert-args] host:display <vncviewer-args>
#
# e.g.: ssl_vncviewer snoopy:0
# ssl_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
#
# [cert-args] can be:
# -verify /path/to/cacert.pem
# -mycert /path/to/mycert.pem
#
# -verify specifies a CA cert PEM file (or a self-signed one) for
# authenticating the VNC server.
#
# -mycert specifies this client's cert+key PEM file for the VNC server to
# authenticate this client.
#
VNCVIEWERCMD="vncviewer"
PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH
help() {
head -26 $0 | tail +2
}
# grab our cmdline options:
while [ "X$1" != "X" ]
do
case $1 in
"-verify") shift; verify="$1"
;;
"-mycert") shift; mycert="$1"
;;
"-h"*) help; exit 0
;;
*) break
;;
esac
shift
done
orig="$1"
shift
# play around with host:display port:
if ! echo "$orig" | grep ':' > /dev/null; then
orig="$orig:0"
fi
host=`echo "$orig" | awk -F: '{print $1}'`
disp=`echo "$orig" | awk -F: '{print $2}'`
if [ $disp -lt 200 ]; then
port=`expr $disp + 5900`
fi
# try to find an open listening port via netstat(1):
use=""
if uname | grep Linux > /dev/null; then
inuse=`netstat -ant | grep LISTEN | awk '{print $4}' | sed 's/^.*://'`
try=5920
while [ $try -lt 6000 ]
do
if ! echo "$inuse" | grep -w $try > /dev/null; then
use=$try
break
fi
try=`expr $try + 1`
done
fi
if [ "X$use" = "X" ]; then
# otherwise choose a "random" one:
use=`date +%S`
use=`expr $use + 5920`
fi
# create the stunnel config file:
if [ "X$verify" != "X" ]; then
if [ -d $verify ]; then
verify="CApath = $verify"
else
verify="CAfile = $verify"
fi
verify="$verify
verify = 2"
fi
if [ "X$mycert" != "X" ]; then
cert="cert = $mycert"
fi
##debug = 7
tmp=/tmp/ssl_vncviewer.$$
cat > $tmp <<END
foreground = yes
pid =
client = yes
$verify
$cert
[vnc_stunnel]
accept = $use
connect= $host:$port
END
echo ""
echo "Using this stunnel configuration:"
cat $tmp
echo ""
sleep 1
echo "running: stunnel $tmp"
stunnel $tmp < /dev/tty > /dev/tty &
pid=$!
echo ""
# pause here to let the user supply a possible passphrase for the
# mycert key:
if [ "X$mycert" != "X" ]; then
sleep 4
fi
sleep 2
rm -f $tmp
if [ $use -ge 5900 ]; then
n=`expr $use - 5900`
fi
if echo "$0" | grep vncip > /dev/null; then
# hack for runge's special wrapper script vncip.
vncip "$@" localhost:$n
else
$VNCVIEWERCMD "$@" localhost:$n
fi
kill $pid
...@@ -59,6 +59,7 @@ AH_TEMPLATE(HAVE_LIBXTRAP, [DEC-XTRAP extension build environment present]) ...@@ -59,6 +59,7 @@ AH_TEMPLATE(HAVE_LIBXTRAP, [DEC-XTRAP extension build environment present])
AH_TEMPLATE(HAVE_RECORD, [RECORD extension build environment present]) AH_TEMPLATE(HAVE_RECORD, [RECORD extension build environment present])
AH_TEMPLATE(HAVE_SOLARIS_XREADSCREEN, [Solaris XReadScreen available]) AH_TEMPLATE(HAVE_SOLARIS_XREADSCREEN, [Solaris XReadScreen available])
AH_TEMPLATE(HAVE_IRIX_XREADDISPLAY, [IRIX XReadDisplay available]) AH_TEMPLATE(HAVE_IRIX_XREADDISPLAY, [IRIX XReadDisplay available])
AH_TEMPLATE(HAVE_FBPM, [FBPM extension build environment present])
AC_ARG_WITH(xkeyboard, AC_ARG_WITH(xkeyboard,
[ --without-xkeyboard disable xkeyboard extension support],,) [ --without-xkeyboard disable xkeyboard extension support],,)
...@@ -74,6 +75,8 @@ AC_ARG_WITH(xtrap, ...@@ -74,6 +75,8 @@ AC_ARG_WITH(xtrap,
[ --without-xtrap disable xtrap extension support],,) [ --without-xtrap disable xtrap extension support],,)
AC_ARG_WITH(xrecord, AC_ARG_WITH(xrecord,
[ --without-xrecord disable xrecord extension support],,) [ --without-xrecord disable xrecord extension support],,)
AC_ARG_WITH(fbpm,
[ --without-fbpm disable fbpm extension support],,)
if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
AC_CHECK_LIB(X11, XGetImage, HAVE_X="true", AC_CHECK_LIB(X11, XGetImage, HAVE_X="true",
...@@ -95,6 +98,11 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then ...@@ -95,6 +98,11 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
[AC_DEFINE(HAVE_IRIX_XREADDISPLAY)], , [AC_DEFINE(HAVE_IRIX_XREADDISPLAY)], ,
[#include <X11/Xlib.h>]) [#include <X11/Xlib.h>])
AC_CHECK_HEADER(X11/extensions/fbpm.h,
[AC_DEFINE(HAVE_FBPM)], ,
[#include <X11/Xlib.h>
#include <X11/Xmd.h>])
AC_CHECK_LIB(Xtst, XTestGrabControl, AC_CHECK_LIB(Xtst, XTestGrabControl,
X_PRELIBS="-lXtst $X_PRELIBS" X_PRELIBS="-lXtst $X_PRELIBS"
[AC_DEFINE(HAVE_XTESTGRABCONTROL) HAVE_XTESTGRABCONTROL="true"], , [AC_DEFINE(HAVE_XTESTGRABCONTROL) HAVE_XTESTGRABCONTROL="true"], ,
......
...@@ -62,7 +62,7 @@ cp classes/ssl/Makefile.am classes/ssl/Makefile.am.LibVNCServer ...@@ -62,7 +62,7 @@ cp classes/ssl/Makefile.am classes/ssl/Makefile.am.LibVNCServer
sed -e 's/EXTRA_DIST=/EXTRA_DIST=tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch /' \ sed -e 's/EXTRA_DIST=/EXTRA_DIST=tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch /' \
classes/ssl/Makefile.am.LibVNCServer > classes/ssl/Makefile.am classes/ssl/Makefile.am.LibVNCServer > classes/ssl/Makefile.am
echo 'pkgdatadir = $(datadir)/@PACKAGE@/classes/ssl' >> classes/ssl/Makefile.am echo 'pkgdatadir = $(datadir)/@PACKAGE@/classes/ssl' >> classes/ssl/Makefile.am
echo 'pkgdata_DATA=VncViewer.jar index.vnc' >> classes/ssl/Makefile.am echo 'pkgdata_DATA=VncViewer.jar index.vnc SignedVncViewer.jar proxy.vnc ssl_vncviewer README' >> classes/ssl/Makefile.am
mv acinclude.m4 acinclude.m4.LibVNCServer mv acinclude.m4 acinclude.m4.LibVNCServer
......
2006-04-05 Karl Runge <runge@karlrunge.com>
* x11vnc: add FBPM support (-fbpm) for Suns. -rawfb ZERO for
testing. Basic key+cert management utilities: -sslGenCA,
-sslGenCert, -sslEncKey, -sslDelCert, -sslCertInfo, and
addln features. SSL proxy connection. -storepasswd with
no args or pw echo.
2006-03-26 Karl Runge <runge@karlrunge.com> 2006-03-26 Karl Runge <runge@karlrunge.com>
* x11vnc: -xinerama now on by default. In -ssl mode accept https * x11vnc: -xinerama now on by default. In -ssl mode accept https
applet downloads thru VNC port. -https option for 2nd https applet downloads thru VNC port. -https option for 2nd https
......
...@@ -13,7 +13,7 @@ endif ...@@ -13,7 +13,7 @@ endif
if HAVE_X if HAVE_X
bin_PROGRAMS=x11vnc bin_PROGRAMS=x11vnc
x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pm.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pm.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h ssltools.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
INCLUDES=@X_CFLAGS@ INCLUDES=@X_CFLAGS@
x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC) x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC)
endif endif
......
This diff is collapsed.
...@@ -33,6 +33,7 @@ int trap_getimage_xerror(Display *d, XErrorEvent *error); ...@@ -33,6 +33,7 @@ int trap_getimage_xerror(Display *d, XErrorEvent *error);
char *xerror_string(XErrorEvent *error); char *xerror_string(XErrorEvent *error);
void initialize_crash_handler(void); void initialize_crash_handler(void);
void initialize_signals(void); void initialize_signals(void);
void unset_signals(void);
int known_sigpipe_mode(char *s); int known_sigpipe_mode(char *s);
...@@ -107,8 +108,13 @@ static void clean_icon_mode(void) { ...@@ -107,8 +108,13 @@ static void clean_icon_mode(void) {
* Normal exiting * Normal exiting
*/ */
void clean_up_exit (int ret) { void clean_up_exit (int ret) {
static int depth = 0;
exit_flag = 1; exit_flag = 1;
if (depth++ > 2) {
exit(ret);
}
if (icon_mode) { if (icon_mode) {
clean_icon_mode(); clean_icon_mode();
} }
...@@ -427,6 +433,19 @@ void initialize_signals(void) { ...@@ -427,6 +433,19 @@ void initialize_signals(void) {
X_UNLOCK; X_UNLOCK;
} }
void unset_signals(void) {
signal(SIGHUP, SIG_DFL);
signal(SIGINT, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGABRT, SIG_DFL);
signal(SIGTERM, SIG_DFL);
signal(SIGBUS, SIG_DFL);
signal(SIGSEGV, SIG_DFL);
signal(SIGFPE, SIG_DFL);
signal(SIGPIPE, SIG_DFL);
}
int known_sigpipe_mode(char *s) { int known_sigpipe_mode(char *s) {
/* /*
* skip, ignore, exit * skip, ignore, exit
......
...@@ -20,6 +20,7 @@ extern int trap_getimage_xerror(Display *d, XErrorEvent *error); ...@@ -20,6 +20,7 @@ extern int trap_getimage_xerror(Display *d, XErrorEvent *error);
extern char *xerror_string(XErrorEvent *error); extern char *xerror_string(XErrorEvent *error);
extern void initialize_crash_handler(void); extern void initialize_crash_handler(void);
extern void initialize_signals(void); extern void initialize_signals(void);
extern void unset_signals(void);
extern int known_sigpipe_mode(char *s); extern int known_sigpipe_mode(char *s);
#endif /* _X11VNC_CLEANUP_H */ #endif /* _X11VNC_CLEANUP_H */
...@@ -2190,4 +2190,3 @@ void check_new_clients(void) { ...@@ -2190,4 +2190,3 @@ void check_new_clients(void) {
} }
} }
This diff is collapsed.
...@@ -23,6 +23,7 @@ int stunnel_port = 0; ...@@ -23,6 +23,7 @@ int stunnel_port = 0;
char *stunnel_pem = NULL; char *stunnel_pem = NULL;
int use_openssl = 0; int use_openssl = 0;
char *openssl_pem = NULL; char *openssl_pem = NULL;
char *ssl_certs_dir = NULL;
int https_port_num = -1; int https_port_num = -1;
char *ssl_verify = NULL; char *ssl_verify = NULL;
int ssl_initialized = 0; int ssl_initialized = 0;
...@@ -279,6 +280,13 @@ int napfac = 4; /* time = napfac*waitms, cut load with extra waits */ ...@@ -279,6 +280,13 @@ int napfac = 4; /* time = napfac*waitms, cut load with extra waits */
int napmax = 1500; /* longest nap in ms. */ int napmax = 1500; /* longest nap in ms. */
int ui_skip = 10; /* see watchloop. negative means ignore input */ int ui_skip = 10; /* see watchloop. negative means ignore input */
#if LIBVNCSERVER_HAVE_FBPM
int watch_fbpm = 1; /* -nofbpm */
#else
int watch_fbpm = 0;
#endif
int watch_selection = 1; /* normal selection/cutbuffer maintenance */ int watch_selection = 1; /* normal selection/cutbuffer maintenance */
int watch_primary = 1; /* more dicey, poll for changes in PRIMARY */ int watch_primary = 1; /* more dicey, poll for changes in PRIMARY */
int watch_clipboard = 1; int watch_clipboard = 1;
......
...@@ -23,6 +23,7 @@ extern int stunnel_port; ...@@ -23,6 +23,7 @@ extern int stunnel_port;
extern char *stunnel_pem; extern char *stunnel_pem;
extern int use_openssl; extern int use_openssl;
extern char *openssl_pem; extern char *openssl_pem;
extern char *ssl_certs_dir;
extern int https_port_num; extern int https_port_num;
extern char *ssl_verify; extern char *ssl_verify;
extern int ssl_initialized; extern int ssl_initialized;
...@@ -208,6 +209,8 @@ extern int napfac; ...@@ -208,6 +209,8 @@ extern int napfac;
extern int napmax; extern int napmax;
extern int ui_skip; extern int ui_skip;
extern int watch_fbpm;
extern int watch_selection; extern int watch_selection;
extern int watch_primary; extern int watch_primary;
extern int watch_clipboard; extern int watch_clipboard;
......
/* -- pm.c -- */
#include "x11vnc.h"
#include "cleanup.h"
void check_pm(void);
static void check_fbpm(void);
#if LIBVNCSERVER_HAVE_FBPM
#include <X11/Xmd.h>
#include <X11/extensions/fbpm.h>
#endif
void check_pm(void) {
check_fbpm();
/* someday dpms activities? */
}
static void check_fbpm(void) {
static int init_fbpm = 0;
#if LIBVNCSERVER_HAVE_FBPM
static int fbpm_capable = 0;
static time_t last_fbpm = 0;
int db = 1;
CARD16 level;
BOOL enabled;
if (raw_fb && ! dpy) return; /* raw_fb hack */
if (! init_fbpm) {
if (FBPMCapable(dpy)) {
fbpm_capable = 1;
rfbLog("X display is capable of FBPM.\n");
if (watch_fbpm) {
rfbLog("Preventing low-power FBPM modes when"
" VNC clients are connected.\n");
}
} else {
rfbLog("X display is not capable of FBPM.\n");
fbpm_capable = 0;
}
init_fbpm = 1;
}
if (! watch_fbpm) {
return;
}
if (! fbpm_capable) {
return;
}
if (! client_count) {
return;
}
if (time(0) < last_fbpm + 5) {
return;
}
last_fbpm = time(0);
if (FBPMInfo(dpy, &level, &enabled)) {
if (db) fprintf(stderr, "FBPMInfo level: %d enabled: %d\n", level, enabled);
if (enabled && level != FBPMModeOn) {
char *from = "unknown-fbpm-state";
XErrorHandler old_handler = XSetErrorHandler(trap_xerror);
trapped_xerror = 0;
if (level == FBPMModeStandby) {
from = "FBPMModeStandby";
} else if (level == FBPMModeSuspend) {
from = "FBPMModeSuspend";
} else if (level == FBPMModeOff) {
from = "FBPMModeOff";
}
rfbLog("switching FBPM state from %s to FBPMModeOn\n", from);
FBPMForceLevel(dpy, FBPMModeOn);
XSetErrorHandler(old_handler);
trapped_xerror = 0;
}
} else {
if (db) fprintf(stderr, "FBPMInfo failed.\n");
}
#else
if (raw_fb && ! dpy) return; /* raw_fb hack */
if (! init_fbpm) {
rfbLog("X FBPM extension not supported.\n");
init_fbpm = 1;
}
#endif
}
#ifndef _X11VNC_PM_H
#define _X11VNC_PM_H
/* -- pm.h -- */
extern void check_pm(void);
#endif /* _X11VNC_PM_H */
...@@ -3173,6 +3173,21 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -3173,6 +3173,21 @@ char *process_remote_cmd(char *cmd, int stringonly) {
screen_blank, w); screen_blank, w);
screen_blank = w; screen_blank = w;
} else if (!strcmp(p, "fbpm")) {
if (query) {
snprintf(buf, bufn, "ans=%s:%d", p, !watch_fbpm);
goto qry;
}
rfbLog("remote_cmd: turning off -nofbpm mode.\n");
watch_fbpm = 0;
} else if (!strcmp(p, "nofbpm")) {
if (query) {
snprintf(buf, bufn, "ans=%s:%d", p, watch_fbpm);
goto qry;
}
rfbLog("remote_cmd: turning on -nofbpm mode.\n");
watch_fbpm = 1;
} else if (strstr(p, "fs") == p) { } else if (strstr(p, "fs") == p) {
COLON_CHECK("fs:") COLON_CHECK("fs:")
if (query) { if (query) {
......
...@@ -2148,7 +2148,6 @@ static void ping_clients(int tile_cnt) { ...@@ -2148,7 +2148,6 @@ static void ping_clients(int tile_cnt) {
last_send = now; last_send = now;
} else if (now - last_send > 2) { } else if (now - last_send > 2) {
/* Send small heartbeat to client */ /* Send small heartbeat to client */
if (0) fprintf(stderr, "ping_clients 2\n");
mark_rect_as_modified(0, 0, 1, 1, 1); mark_rect_as_modified(0, 0, 1, 1, 1);
last_send = now; last_send = now;
} }
......
...@@ -704,7 +704,9 @@ static XImage *initialize_raw_fb(void) { ...@@ -704,7 +704,9 @@ static XImage *initialize_raw_fb(void) {
if (! raw_fb_str) { if (! raw_fb_str) {
return NULL; return NULL;
} }
if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")) {
raw_fb_str = strdup("map:/dev/zero@640x480x32");
}
if ( (q = strstr(raw_fb_str, "setup:")) == raw_fb_str) { if ( (q = strstr(raw_fb_str, "setup:")) == raw_fb_str) {
FILE *pipe; FILE *pipe;
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
#include "x11vnc.h" #include "x11vnc.h"
#include "inet.h" #include "inet.h"
#include "cleanup.h" #include "cleanup.h"
#include "sslhelper.h"
#include "ssltools.h"
#if LIBVNCSERVER_HAVE_FORK #if LIBVNCSERVER_HAVE_FORK
#if LIBVNCSERVER_HAVE_SYS_WAIT_H #if LIBVNCSERVER_HAVE_SYS_WAIT_H
...@@ -17,6 +19,10 @@ void check_stunnel(void); ...@@ -17,6 +19,10 @@ void check_stunnel(void);
int start_stunnel(int stunnel_port, int x11vnc_port); int start_stunnel(int stunnel_port, int x11vnc_port);
void stop_stunnel(void); void stop_stunnel(void);
void setup_stunnel(int rport, int *argc, char **argv); void setup_stunnel(int rport, int *argc, char **argv);
char *get_Cert_dir(char *cdir_in, char **tmp_in);
void sslGenCA(char *cdir);
void sslGenCert(char *ty, char *nm);
void sslEncKey(char *path, int info_only);
static pid_t stunnel_pid = 0; static pid_t stunnel_pid = 0;
...@@ -293,3 +299,381 @@ void setup_stunnel(int rport, int *argc, char **argv) { ...@@ -293,3 +299,381 @@ void setup_stunnel(int rport, int *argc, char **argv) {
clean_up_exit(1); clean_up_exit(1);
} }
char *get_Cert_dir(char *cdir_in, char **tmp_in) {
char *cdir, *home, *tmp;
struct stat sbuf;
int i;
char *cases1[] = {"/.vnc", "/.vnc/certs", "/.vnc/certs/CA"};
char *cases2[] = {"", "/CA", "/tmp"};
if (cdir_in != NULL) {
cdir = cdir_in;
} else {
cdir = ssl_certs_dir;
}
if (cdir == NULL) {
home = get_home_dir();
if (! home) {
return NULL;
}
cdir = (char *) malloc(strlen(home) + strlen("/.vnc/certs/CA") + 1);
for (i=0; i<3; i++) {
sprintf(cdir, "%s%s", home, cases1[i]);
if (stat(cdir, &sbuf) != 0) {
rfbLog("creating dir: %s\n", cdir);
if (mkdir(cdir, 0755) != 0) {
rfbLog("could not create directory %s\n", cdir);
rfbLogPerror("mkdir");
return NULL;
}
} else if (! S_ISDIR(sbuf.st_mode)) {
rfbLog("not a directory: %s\n", cdir);
return NULL;
}
}
sprintf(cdir, "%s%s", home, cases1[1]);
}
tmp = (char *) malloc(strlen(cdir) + 10);
for (i=0; i<3; i++) {
int ret;
sprintf(tmp, "%s%s", cdir, cases2[i]);
if (stat(tmp, &sbuf) != 0) {
rfbLog("creating dir: %s\n", tmp);
if (! strcmp(cases2[i], "/tmp")) {
ret = mkdir(tmp, 0700);
} else {
ret = mkdir(tmp, 0755);
}
if (ret != 0) {
rfbLog("could not create directory %s\n", tmp);
rfbLogPerror("mkdir");
return NULL;
}
} else if (! S_ISDIR(sbuf.st_mode)) {
rfbLog("not a directory: %s\n", tmp);
return NULL;
}
}
sprintf(tmp, "%s/tmp", cdir);
*tmp_in = tmp;
return cdir;
}
void sslGenCA(char *cdir) {
char *openssl = find_openssl_bin();
char *tmp, *cmd, *scr, *cdir_use;
FILE *out;
if (! openssl) {
exit(1);
}
cdir_use = get_Cert_dir(cdir, &tmp);
if (! cdir_use) {
exit(1);
}
cmd = (char *) malloc(strlen(tmp) + 100);
scr = (char *) malloc(strlen(tmp) + 100);
sprintf(cmd, "%s/genca.%d.sh", tmp, getpid());
out = fopen(cmd, "w");
if (! out) {
rfbLog("could not open: %s\n", cmd);
rfbLogPerror("fopen");
exit(1);
}
fprintf(out, "%s", genCA);
fclose(out);
sprintf(scr, "/bin/sh %s", cmd);
rfbLog("Using openssl: %s\n", openssl);
rfbLog("Using certs dir: %s\n", cdir_use);
fprintf(stderr, "\n");
set_env("BASE_DIR", cdir_use);
set_env("OPENSSL", openssl);
system(scr);
unlink(cmd);
}
void sslGenCert(char *ty, char *nm) {
char *openssl = find_openssl_bin();
char *tmp, *cmd, *scr, *cdir_use;
FILE *out;
if (! openssl) {
exit(1);
}
cdir_use = get_Cert_dir(NULL, &tmp);
if (! cdir_use) {
exit(1);
}
cmd = (char *) malloc(strlen(tmp) + 100);
scr = (char *) malloc(strlen(tmp) + 100);
sprintf(cmd, "%s/gencert.%d.sh", tmp, getpid());
out = fopen(cmd, "w");
if (! out) {
rfbLog("could not open: %s\n", cmd);
rfbLogPerror("fopen");
exit(1);
}
fprintf(out, "%s", genCert);
fclose(out);
sprintf(scr, "/bin/sh %s", cmd);
rfbLog("Using openssl: %s\n", openssl);
rfbLog("Using certs dir: %s\n", cdir_use);
fprintf(stderr, "\n");
set_env("BASE_DIR", cdir_use);
set_env("OPENSSL", openssl);
if (! ty) {
set_env("TYPE", "");
} else {
set_env("TYPE", ty);
}
if (! nm) {
set_env("NAME", "");
} else {
char *q = strstr(nm, "SAVE-");
if (!strcmp(nm, "SAVE")) {
set_env("NAME", "");
} else if (q == nm) {
q += strlen("SAVE-");
set_env("NAME", q);
} else {
set_env("NAME", nm);
}
}
system(scr);
unlink(cmd);
}
void sslEncKey(char *path, int mode) {
char *openssl = find_openssl_bin();
char *scr, *cert = NULL, *tca;
char line[1024], tmp[] = "/tmp/x11vnc-tmp.XXXXXX";
char *cdir = NULL;
int tmp_fd, incert, info_only = 0, delete_only = 0;
int listlong = 0;
struct stat sbuf;
FILE *file;
static int depth = 0;
if (depth > 0) {
/* get_saved_pem may call us back. */
return;
}
depth++;
if (mode == 1) {
info_only = 1;
} else if (mode == 2) {
delete_only = 1;
}
if (! openssl) {
exit(1);
}
cdir = get_Cert_dir(NULL, &tca);
if (! cdir) {
fprintf(stderr, "could not find Cert dir\n");
exit(1);
}
if (!strcasecmp(path, "LL") || !strcasecmp(path, "LISTL")) {
listlong = 1;
path = "LIST";
}
if (strstr(path, "SAVE") == path) {
char *p = get_saved_pem(path, 0);
if (p == NULL) {
fprintf(stderr, "could not find saved pem matching: %s\n", path);
exit(1);
}
path = p;
} else if (!strcmp(path, "CA") && cdir) {
tca = (char *) malloc(strlen(cdir) + strlen("/CA/cacert.pem") + 1);
sprintf(tca, "%s/CA/cacert.pem", cdir);
path = tca;
} else if (info_only && (!strcasecmp(path, "LIST") ||
!strcasecmp(path, "ALL"))) {
if (! cdir || strchr(cdir, '\'')) {
fprintf(stderr, "bad certdir char: %s\n", cdir ? cdir : "null");
exit(1);
}
tca = (char *) malloc(2*strlen(cdir) + strlen(program_name) + 1000);
sprintf(tca, "find '%s' -type f | egrep '\\.(crt|pem|key|req)$' "
"| grep -v CA/newcerts", cdir);
if (!strcasecmp(path, "ALL")) {
/* ugh.. */
strcat(tca, " | grep -v private/cakey.pem | xargs -n1 ");
strcat(tca, program_name);
strcat(tca, " -ssldir '");
strcat(tca, cdir);
strcat(tca, "' -sslCertInfo 2>&1 ");
} else if (listlong) {
strcat(tca, " | xargs ls -l ");
}
system(tca);
return;
} else if (info_only && (!strcasecmp(path, "HASHON") ||
!strcasecmp(path, "HASHOFF"))) {
tmp_fd = mkstemp(tmp);
if (tmp_fd < 0) {
exit(1);
}
write(tmp_fd, genCert, strlen(genCert));
close(tmp_fd);
scr = (char *) malloc(strlen(tmp) + 100);
sprintf(scr, "/bin/sh %s", tmp);
set_env("BASE_DIR", cdir);
set_env("OPENSSL", openssl);
set_env("TYPE", "server");
if (!strcasecmp(path, "HASHON")) {
set_env("HASHON", "1");
} else {
set_env("HASHOFF", "1");
}
system(scr);
unlink(tmp);
return;
}
if (stat(path, &sbuf) != 0) {
if (strstr(path, "client") || strchr(path, '/') == NULL) {
int i;
tca = (char *) malloc(strlen(cdir) + strlen("/clients")
+ strlen(path) + 100);
for (i = 1; i <= 15; i++) {
tca[0] = '\0';
if ( i == 1) {
sprintf(tca, "%s/%s", cdir, path);
} else if (i == 2 && mode > 0) {
sprintf(tca, "%s/%s.crt", cdir, path);
} else if (i == 3) {
sprintf(tca, "%s/%s.pem", cdir, path);
} else if (i == 4 && mode > 1) {
sprintf(tca, "%s/%s.req", cdir, path);
} else if (i == 5 && mode > 1) {
sprintf(tca, "%s/%s.key", cdir, path);
} else if (i == 6) {
sprintf(tca, "%s/clients/%s", cdir, path);
} else if (i == 7 && mode > 0) {
sprintf(tca, "%s/clients/%s.crt", cdir, path);
} else if (i == 8) {
sprintf(tca, "%s/clients/%s.pem", cdir, path);
} else if (i == 9 && mode > 1) {
sprintf(tca, "%s/clients/%s.req", cdir, path);
} else if (i == 10 && mode > 1) {
sprintf(tca, "%s/clients/%s.key", cdir, path);
} else if (i == 11) {
sprintf(tca, "%s/server-%s", cdir, path);
} else if (i == 12 && mode > 0) {
sprintf(tca, "%s/server-%s.crt", cdir, path);
} else if (i == 13) {
sprintf(tca, "%s/server-%s.pem", cdir, path);
} else if (i == 14 && mode > 1) {
sprintf(tca, "%s/server-%s.req", cdir, path);
} else if (i == 15 && mode > 1) {
sprintf(tca, "%s/server-%s.key", cdir, path);
}
if (tca[0] == '\0') {
continue;
}
if (stat(tca, &sbuf) == 0) {
path = tca;
break;
}
}
}
}
if (stat(path, &sbuf) != 0) {
rfbLog("sslEncKey: %s\n", path);
rfbLogPerror("stat");
exit(1);
}
if (! info_only) {
cert = (char *) malloc(2*sbuf.st_size);
file = fopen(path, "r");
if (file == NULL) {
rfbLog("sslEncKey: %s\n", path);
rfbLogPerror("fopen");
exit(1);
}
incert = 0;
cert[0] = '\0';
while (fgets(line, 1024, file) != NULL) {
if (strstr(line, "-----BEGIN CERTIFICATE-----") == line) {
incert = 1;
}
if (incert) {
strcat(cert, line);
}
if (strstr(line, "-----END CERTIFICATE-----") == line) {
incert = 0;
}
}
fclose(file);
}
tmp_fd = mkstemp(tmp);
if (tmp_fd < 0) {
exit(1);
}
write(tmp_fd, genCert, strlen(genCert));
close(tmp_fd);
scr = (char *) malloc(strlen(tmp) + 100);
sprintf(scr, "/bin/sh %s", tmp);
set_env("BASE_DIR", "/no/such/dir");
set_env("OPENSSL", openssl);
set_env("TYPE", "server");
if (info_only) {
set_env("INFO_ONLY", path);
} else if (delete_only) {
set_env("DELETE_ONLY", path);
} else {
set_env("ENCRYPT_ONLY", path);
}
system(scr);
unlink(tmp);
if (! mode && cert && cert[0] != '\0') {
file = fopen(path, "a");
if (file == NULL) {
rfbLog("sslEncKey: %s\n", path);
rfbLogPerror("fopen");
exit(1);
}
fprintf(file, cert);
fclose(file);
free(cert);
}
depth--;
}
...@@ -7,6 +7,10 @@ extern void check_stunnel(void); ...@@ -7,6 +7,10 @@ extern void check_stunnel(void);
extern int start_stunnel(int stunnel_port, int x11vnc_port); extern int start_stunnel(int stunnel_port, int x11vnc_port);
extern void stop_stunnel(void); extern void stop_stunnel(void);
extern void setup_stunnel(int rport, int *argc, char **argv); extern void setup_stunnel(int rport, int *argc, char **argv);
extern char *get_Cert_dir(char *cdir_in, char **tmp_in);
extern void sslGenCA(char *cdir);
extern void sslGenCert(char *ty, char *nm);
extern void sslEncKey(char *path, int info_only);
#endif /* _X11VNC_SSLCMDS_H */ #endif /* _X11VNC_SSLCMDS_H */
This diff is collapsed.
...@@ -8,6 +8,8 @@ ...@@ -8,6 +8,8 @@
#define OPENSSL_VNC 2 #define OPENSSL_VNC 2
#define OPENSSL_HTTPS 3 #define OPENSSL_HTTPS 3
#define DO_DH 0
extern int openssl_sock; extern int openssl_sock;
extern int openssl_port_num; extern int openssl_port_num;
extern int https_sock; extern int https_sock;
...@@ -21,6 +23,8 @@ extern void check_openssl(void); ...@@ -21,6 +23,8 @@ extern void check_openssl(void);
extern void check_https(void); extern void check_https(void);
extern void ssl_helper_pid(pid_t pid, int sock); extern void ssl_helper_pid(pid_t pid, int sock);
extern void accept_openssl(int mode); extern void accept_openssl(int mode);
extern char *find_openssl_bin(void);
extern char *get_saved_pem(char *string, int create);
#endif /* _X11VNC_SSLHELPER_H */ #endif /* _X11VNC_SSLHELPER_H */
This diff is collapsed.
...@@ -294,6 +294,7 @@ Permissions ...@@ -294,6 +294,7 @@ Permissions
=F ssl_pem: =F ssl_pem:
stunnel stunnel
=F stunnel_pem: =F stunnel_pem:
=F ssldir:
=F sslverify: =F sslverify:
https: https:
=GAL LOFF =GAL LOFF
...@@ -358,6 +359,7 @@ Tuning ...@@ -358,6 +359,7 @@ Tuning
threads threads
wmdt: wmdt:
rfbwait: rfbwait:
nofbpm
=GAL LOFF =GAL LOFF
" "
} }
......
...@@ -305,6 +305,7 @@ char gui_code[] = ""; ...@@ -305,6 +305,7 @@ char gui_code[] = "";
" =F ssl_pem:\n" " =F ssl_pem:\n"
" stunnel\n" " stunnel\n"
" =F stunnel_pem:\n" " =F stunnel_pem:\n"
" =F ssldir:\n"
" =F sslverify:\n" " =F sslverify:\n"
" https:\n" " https:\n"
" =GAL LOFF\n" " =GAL LOFF\n"
...@@ -369,6 +370,7 @@ char gui_code[] = ""; ...@@ -369,6 +370,7 @@ char gui_code[] = "";
" threads\n" " threads\n"
" wmdt:\n" " wmdt:\n"
" rfbwait:\n" " rfbwait:\n"
" nofbpm\n"
" =GAL LOFF\n" " =GAL LOFF\n"
"\"\n" "\"\n"
"}\n" "}\n"
......
This diff is collapsed.
This diff is collapsed.
...@@ -190,6 +190,8 @@ ...@@ -190,6 +190,8 @@
#include <X11/extensions/XShm.h> #include <X11/extensions/XShm.h>
#endif #endif
#include <dirent.h>
#if LIBVNCSERVER_HAVE_XTEST #if LIBVNCSERVER_HAVE_XTEST
#include <X11/extensions/XTest.h> #include <X11/extensions/XTest.h>
#endif #endif
......
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.1 lastmod: 2006-03-27"; char lastmod[] = "0.8.1 lastmod: 2006-04-05";
/* X display info */ /* X display info */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment