x11vnc: add -ssl mode using libssl. Include Xdummy in misc.

e2e93479 · runge · 5e726096 · e2e93479 · e2e93479 · e2e93479
Commit e2e93479 authored Mar 12, 2006 by runge
27 changed files
--- a/configure.ac
+++ b/configure.ac
@@ -175,7 +175,7 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
 			esac
 		fi
-		# only x11vnc uses crypt()
+		# currently only x11vnc uses crypt() or libssl:
 		AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present])
 		AC_ARG_WITH(crypt,
 		[  --without-crypt         disable support for libcrypt],,)
@@ -188,6 +188,25 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
 					$X_LIBS $X_PRELIBS -lcrypt $X_EXTRA_LIBS)
 			fi
 		fi
+		AH_TEMPLATE(HAVE_LIBSSL, [openssl libssl library present])
+		AC_ARG_WITH(ssl,
+		[  --without-ssl           disable support for openssl libssl],,)
+		if test "x$with_ssl" != "xno"; then
+			AC_CHECK_LIB(ssl, SSL_library_init,
+				X_PRELIBS="$X_PRELIBS -lssl"
+				[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
+				$X_LIBS $X_PRELIBS -lssl $X_EXTRA_LIBS)
+		fi
+		AH_TEMPLATE(HAVE_LIBCRYPTO, [openssl libcrypto library present])
+		AC_ARG_WITH(crypto,
+		[  --without-crypto        disable support for openssl libcrypto],,)
+		# some OS's need both -lssl and -lcrypto
+		if test "x$HAVE_LIBSSL" = "xtrue"; then
+			AC_CHECK_LIB(crypto, RAND_load_file,
+				X_PRELIBS="$X_PRELIBS -lcrypto"
+				[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
+				$X_LIBS $X_PRELIBS -lcrypto $X_EXTRA_LIBS)
+		fi
 		X_LIBS="$X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS"

--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
+2006-03-11  Karl Runge <runge@karlrunge.com>
+	* x11vnc: add -ssl mode using libssl.  Include Xdummy in misc.
+	  a few more macros for smallerfoot, etc.
 2006-03-08  Karl Runge <runge@karlrunge.com>
 	* x11vnc: manage CLIPBOARD in addition to PRIMARY.  -debug_sel
 	  Make reverse connections require passwords.  -usepw option.

--- a/x11vnc/Makefile.am
+++ b/x11vnc/Makefile.am
@@ -13,7 +13,7 @@ endif
 if HAVE_X
 bin_PROGRAMS=x11vnc
-x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
+x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
 INCLUDES=@X_CFLAGS@
 x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC)
 endif

--- a/x11vnc/README
+++ b/x11vnc/README
--- a/x11vnc/cleanup.c
+++ b/x11vnc/cleanup.c
@@ -10,6 +10,7 @@
 #include "solid.h"
 #include "unixpw.h"
 #include "sslcmds.h"
+#include "sslhelper.h"
 /*
 * Exiting and error handling routines
@@ -133,6 +134,9 @@ void clean_up_exit (int ret) {
 		solid_bg(1);
 	}
 	stop_stunnel();
+	if (use_openssl) {
+		ssh_helper_pid(0, 0);	/* killall */
+	}
 	X_LOCK;
 	XTestDiscard_wr(dpy);

--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -11,6 +11,8 @@
 #include "screen.h"
 #include "unixpw.h"
 #include "scan.h"
+#include "sslcmds.h"
+#include "sslhelper.h"
 /*
 * routines for handling incoming, outgoing, etc connections
@@ -542,6 +544,7 @@ static int accepted_client = 0;
 * callback for when a client disconnects
 */
 static void client_gone(rfbClientPtr client) {
+	ClientData *cd = NULL;
 	client_count--;
 	if (client_count < 0) client_count = 0;
@@ -559,17 +562,27 @@ static void client_gone(rfbClientPtr client) {
 		}
 	}
 	if (no_autorepeat && client_count == 0) {
 		autorepeat(1, 0);
 	}
 	if (use_solid_bg && client_count == 0) {
 		solid_bg(1);
 	}
-	if (gone_cmd && *gone_cmd != '\0') {
+	if (client->clientData) {
-		ClientData *cd = NULL;
+		cd = (ClientData *) client->clientData;
-		if (client->clientData) {
+		if (cd->ssh_helper_pid > 0) {
-			cd = (ClientData *) client->clientData;
+			int status;
+			rfbLog("sending SIGTERM to ssh_helper_pid: %d\n",
+			    cd->ssh_helper_pid);
+			kill(cd->ssh_helper_pid, SIGTERM);
+#if LIBVNCSERVER_HAVE_SYS_WAIT_H && LIBVNCSERVER_HAVE_WAITPID 
+			waitpid(cd->ssh_helper_pid, &status, WNOHANG); 
+#endif
+			ssh_helper_pid(cd->ssh_helper_pid, -1);	/* delete */
 		}
+	}
+	if (gone_cmd && *gone_cmd != '\0') {
 		if (strstr(gone_cmd, "popup") == gone_cmd) {
 			int x = -64000, y = -64000, timeout = 120;
 			char *userhost = ident_username(client);
@@ -1452,6 +1465,10 @@ static int do_reverse_connect(char *str) {
 		rfbLog("reverse_connect: screen not setup yet.\n");
 		return 0;
 	}
+	if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
+		rfbLog("reverse connections disabled in -ssl mode.\n");
+		return 0;
+	}
 	/* copy in to host */
 	host = (char *) malloc(len+1);
@@ -1476,7 +1493,7 @@ static int do_reverse_connect(char *str) {
 			return 0;
 		}
 	    }
-		if (! getenv("UNIXPW_DISABLE_STUNNEL") && ! have_ssh_env()) {
+		if (! getenv("UNIXPW_DISABLE_SSL") && ! have_ssh_env()) {
 			rfbLog("reverse_connect: in -inetd stunnel/ssh\n");
 			rfbLog("required under -unixpw\n");
 			return 0;
@@ -1824,6 +1841,13 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
 	clients_served++;
 if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);
+	if (use_openssl || use_stunnel) {
+		if (! ssl_initialized) {
+			rfbLog("denying additional client: %s ssl not setup"
+			    " yet.\n", client->host);
+			return(RFB_CLIENT_REFUSE);
+		}
+	}
 	if (unixpw && unixpw_in_progress) {
 		rfbLog("denying additional client: %s during -unixpw login.\n",
 		     client->host);
@@ -1857,6 +1881,13 @@ if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);
 	cd->input[0] = '-';
 	cd->login_viewonly = -1;
 	cd->login_time = time(0);
+	cd->ssh_helper_pid = 0;
+	if (use_openssl && openssl_last_helper_pid) {
+if (0) fprintf(stderr, "SET ssh_helper_pid: %d\n", openssl_last_helper_pid);
+		cd->ssh_helper_pid = openssl_last_helper_pid;
+		openssl_last_helper_pid = 0;
+	}
 	if (! accept_client(client)) {
 		rfbLog("denying client: %s local user rejected connection.\n",

--- a/x11vnc/gui.c
+++ b/x11vnc/gui.c
@@ -188,6 +188,7 @@ static int got_sigusr1 = 0;
 static void sigusr1 (int sig) {
 	got_sigusr1 = 1;
+	if (0) sig = 0;
 }
 static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
--- a/x11vnc/misc/Xdummy
+++ b/x11vnc/misc/Xdummy
--- a/x11vnc/options.c
+++ b/x11vnc/options.c
@@ -21,6 +21,11 @@ char *unixpw_list = NULL;
 int use_stunnel = 0;		/* -stunnel */
 int stunnel_port = 0;
 char *stunnel_pem = NULL;
+int use_openssl = 0;
+char *openssl_pem = NULL;
+char *ssl_verify = NULL;
+int ssl_initialized = 0;
+int usepw = USEPW;
 char *blackout_str = NULL;	/* -blackout */
 int blackout_ptr = 0;
 char *clip_str = NULL;		/* -clip */

--- a/x11vnc/options.h
+++ b/x11vnc/options.h
@@ -21,6 +21,11 @@ extern char *unixpw_list;
 extern int use_stunnel;
 extern int stunnel_port;
 extern char *stunnel_pem;
+extern int use_openssl;
+extern char *openssl_pem;
+extern char *ssl_verify;
+extern int ssl_initialized;
+extern int usepw;
 extern char *blackout_str;
 extern int blackout_ptr;
 extern char *clip_str;

--- a/x11vnc/remote.c
+++ b/x11vnc/remote.c
@@ -3775,10 +3775,18 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 			snprintf(buf, bufn, "aro=%s:%d", p, unixpw_nis);
 		} else if (!strcmp(p, "unixpw_list")) {
 			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(unixpw_list));
+		} else if (!strcmp(p, "ssl")) {
+			snprintf(buf, bufn, "aro=%s:%d", p, use_openssl);
+		} else if (!strcmp(p, "ssl_pem")) {
+			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(openssl_pem));
+		} else if (!strcmp(p, "sslverify")) {
+			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(ssl_verify));
 		} else if (!strcmp(p, "stunnel")) {
 			snprintf(buf, bufn, "aro=%s:%d", p, use_stunnel);
 		} else if (!strcmp(p, "stunnel_pem")) {
 			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(stunnel_pem));
+		} else if (!strcmp(p, "usepw")) {
+			snprintf(buf, bufn, "aro=%s:%d", p, usepw);
 		} else if (!strcmp(p, "using_shm")) {
 			snprintf(buf, bufn, "aro=%s:%d", p, !using_shm);
 		} else if (!strcmp(p, "logfile") || !strcmp(p, "o")) {

--- a/x11vnc/scan.c
+++ b/x11vnc/scan.c
@@ -2146,8 +2146,9 @@ static void ping_clients(int tile_cnt) {
 	}
 	if (tile_cnt) {
 		last_send = now;
-	} else if (now - last_send > 1) {
+	} else if (now - last_send > 2) {
 		/* Send small heartbeat to client */
+if (0) fprintf(stderr, "ping_clients 2\n");
 		mark_rect_as_modified(0, 0, 1, 1, 1);
 		last_send = now;
 	}
@@ -2638,6 +2639,8 @@ int scan_for_updates(int count_only) {
 	/* Work around threaded rfbProcessClientMessage() calls timeouts */
 	if (use_threads) {
 		ping_clients(tile_diffs);
+	} else if (use_openssl && !tile_diffs) {
+		ping_clients(0);
 	}

--- a/x11vnc/screen.c
+++ b/x11vnc/screen.c
@@ -18,11 +18,13 @@
 #include "remote.h"
 #include "unixpw.h"
 #include "sslcmds.h"
+#include "sslhelper.h"
 void set_colormap(int reset);
 void set_nofb_params(int restore);
 void set_raw_fb_params(int restore);
 void do_new_fb(int reset_mem);
+void free_old_fb(char *old_main, char *old_rfb, char *old_8to24);
 void check_padded_fb(void);
 void install_padded_fb(char *geom);
 XImage *initialize_xdisplay_fb(void);
@@ -552,6 +554,18 @@ static void nofb_hook(rfbClientPtr cl) {
 	screen->displayHook = NULL;
 }
+void free_old_fb(char *old_main, char *old_rfb, char *old_8to24) {
+	if (old_main) {
+		free(old_main);
+	}
+	if (old_rfb && old_rfb != old_main) {
+		free(old_rfb);
+	}
+	if (old_8to24 && old_8to24 != old_main && old_8to24 != old_rfb) {
+		free(old_8to24);
+	}
+}
 void do_new_fb(int reset_mem) {
 	XImage *fb;
 	char *old_main  = main_fb;
@@ -580,15 +594,8 @@ void do_new_fb(int reset_mem) {
 		initialize_polling_images();
 	}
-	if (old_main) {
+	free_old_fb(old_main, old_rfb, old_8to24);
-		free(old_main);
-	}
-	if (old_rfb && old_rfb != old_main) {
-		free(old_rfb);
-	}
-	if (old_8to24 && old_8to24 != old_main && old_8to24 != old_rfb) {
-		free(old_8to24);
-	}
 	fb0 = fb;
 }
@@ -1572,7 +1579,9 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
 	/* n.b. samplesPerPixel (set = 1 here) seems to be unused. */
 	if (create_screen) {
-		if (use_stunnel) {
+		if (use_openssl) {
+			openssl_init();
+		} else if (use_stunnel) {
 			setup_stunnel(0, argc, argv);
 		}
 		screen = rfbGetScreen(argc, argv, width, height,
@@ -1954,6 +1963,10 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
 	rfbInitServer(screen);
+	if (use_openssl) {
+		openssl_port();
+	}
 	install_passwds();
 }

--- a/x11vnc/screen.h
+++ b/x11vnc/screen.h
@@ -7,6 +7,7 @@ extern void set_colormap(int reset);
 extern void set_nofb_params(int restore);
 extern void set_raw_fb_params(int restore);
 extern void do_new_fb(int reset_mem);
+extern void free_old_fb(char *old_main, char *old_rfb, char *old_8to24);
 extern void check_padded_fb(void);
 extern void install_padded_fb(char *geom);
 extern XImage *initialize_xdisplay_fb(void);

--- a/x11vnc/selection.c
+++ b/x11vnc/selection.c
@@ -302,7 +302,7 @@ void selection_send(XEvent *ev) {
 				    PROP_MAX);
 				break;
 			}
-if (debug_sel) fprintf(stderr, "selection_send: data: '%s' dlen: %d nitems: %d ba: %d\n", data, dlen, nitems, bytes_after);
+if (debug_sel) fprintf(stderr, "selection_send: data: '%s' dlen: %d nitems: %lu ba: %lu\n", data, dlen, nitems, bytes_after);
 			memcpy(selection_str+slen, data, dlen);
 			slen += dlen;
 			selection_str[slen] = '\0';

--- a/x11vnc/sslcmds.c
+++ b/x11vnc/sslcmds.c
@@ -46,6 +46,7 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
 	char extra[] = ":/usr/sbin:/usr/local/sbin";
 	char *path, *p, *exe;
 	char *stunnel_path = NULL;
+	struct stat verify_buf;
 	int status;
 	if (stunnel_pid) {
@@ -110,13 +111,11 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
 		    stunnel_port, x11vnc_port);
 	}
-	if (0) {
+	if (ssl_verify) {
-		fprintf(stderr, "foreground = yes\n");
+		if (stat(ssl_verify, &verify_buf) != 0) {
-		fprintf(stderr, "pid =\n");
+			rfbLog("stunnel: %s does not exist.\n", ssl_verify);
-		fprintf(stderr, ";debug = 7\n");
+			return 0;
-		fprintf(stderr, "[x11vnc_stunnel]\n");
+		}
-		fprintf(stderr, "accept = %d\n", stunnel_port);
-		fprintf(stderr, "connect = %d\n", x11vnc_port);
 	}
 	stunnel_pid = fork();
@@ -137,18 +136,37 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
 		}
 		if (use_stunnel == 3) {
-			char sp[20], xp[20];
+			char sp[20], xp[20], *a = NULL;
+			char *st = stunnel_path;
+			char *pm = stunnel_pem;
+			char *sv = ssl_verify;
 			sprintf(sp, "%d", stunnel_port);
 			sprintf(xp, "%d", x11vnc_port);
+			if (ssl_verify) {
+				if(S_ISDIR(verify_buf.st_mode)) {
+					a = "-a";
+				} else {
+					a = "-A";
+				}
+			}
-			if (stunnel_pem) {
+			if (stunnel_pem && ssl_verify) {
-				execlp(stunnel_path, stunnel_path, "-f", "-d",
+				execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
-				    sp, "-r", xp, "-P", "none", "-p",
+				    "none", "-p", pm, a, sv, "-v", "2",
-				    stunnel_pem, (char *) NULL);
+				    (char *) NULL);
+			} else if (stunnel_pem && !ssl_verify) {
+				execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
+				    "none", "-p", pm,
+				    (char *) NULL);
+			} else if (!stunnel_pem && ssl_verify) {
+				execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
+				    "none", a, sv, "-v", "2",
+				    (char *) NULL);
 			} else {
-				execlp(stunnel_path, stunnel_path, "-f", "-d",
+				execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
-				    sp, "-r", xp, "-P", "none", (char *) NULL);
+				    "none", (char *) NULL);
 			}
 			exit(1);
 		}
@@ -162,7 +180,15 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
 		if (stunnel_pem) {
 			fprintf(in, "cert = %s\n", stunnel_pem);
 		}
-		fprintf(in, ";debug = 7\n");
+		if (ssl_verify) {
+			if(S_ISDIR(verify_buf.st_mode)) {
+				fprintf(in, "CApath = %s\n", ssl_verify);
+			} else {
+				fprintf(in, "CAfile = %s\n", ssl_verify);
+			}
+			fprintf(in, "verify = 2\n");
+		}
+		fprintf(in, ";debug = 7\n\n");
 		fprintf(in, "[x11vnc_stunnel]\n");
 		fprintf(in, "accept = %d\n", stunnel_port);
 		fprintf(in, "connect = %d\n", x11vnc_port);
@@ -256,6 +282,7 @@ void setup_stunnel(int rport, int *argc, char **argv) {
 			}
 		}
 		stunnel_port = rport;
+		ssl_initialized = 1;
 		return;
 	}

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
--- a/x11vnc/sslhelper.h
+++ b/x11vnc/sslhelper.h
+#ifndef _X11VNC_SSLHELPER_H
+#define _X11VNC_SSLHELPER_H
+/* -- sslhelper.h -- */
+extern int openssl_sock;
+extern pid_t openssl_last_helper_pid;
+extern int openssl_present(void);
+extern void openssl_init(void);
+extern void openssl_port(void);
+extern void check_openssl(void);
+extern void ssh_helper_pid(pid_t pid, int sock);
+#endif /* _X11VNC_SSLHELPER_H */
--- a/x11vnc/tkx11vnc
+++ b/x11vnc/tkx11vnc
@@ -249,6 +249,8 @@ Debugging
 	=GA tail-logfile
 	quiet
 	--
+	=GA show-start-cmd
+	=DG debug_gui
 	=GAL Misc-Debug::
 	debug_xevents
 	debug_xdamage
@@ -259,8 +261,6 @@ Debugging
 	debug_sel
 	dbg
 	=GAL LOFF
-	=GA show-start-cmd
-	=DG debug_gui
 Permissions
 	=DRQA lock
@@ -289,19 +289,22 @@ Permissions
 	unixpw_nis_list:
 	=0 storepasswd
 	=GAL LOFF
-	=GAL Safe::
+	=GAL SSL::
+	ssl
+	=F ssl_pem:
+	stunnel
+	=F stunnel_pem:
+	=F sslverify:
+	=GAL LOFF
+	=GAL Misc-Perms::
 	safer
 	unsafe
 	=RA noremote
-	=GAL LOFF
-	=GAL Misc-Perms::
 	=0S alwaysshared
 	=0S nevershared
 	=0S dontdisconnect
 	=SQA deny_all
 	timeout:
-	stunnel
-	=F stunnel_pem:
 	=GAL LOFF
 Tuning
@@ -568,6 +571,10 @@ Set the -unixpw_nis usernames list value.
 	set helptext(stunnel_pem) "
 Set the -stunnel pem filename value.
+"
+	set helptext(ssl_pem) "
+Set the -ssl pem filename value.
 "
 	set helptext(wireframe_mode) "
@@ -786,6 +793,17 @@ work everywhere.
 Regarding ViewOnly passwords (where a VNC client using that password
 can only watch the screen, not interact with it), this is not available
 with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd.
+"
+	set helptext(SSL:) "
+In this sub-menu we provide the options related to SSL encrpytion
+and authentication.
+There is a built-in mode (-ssl) using the OpenSSL library, and a 2nd
+using the external stunnel program (-stunnel, that needs to be installed
+on the system).  Either may require or benefit from having PEM certificate
+files specified.
 "
 	set helptext(Misc-Perms:) "
@@ -5584,6 +5602,8 @@ proc get_nitem {item} {
 		set nitem "unixpw_nis"
 	} elseif {$nitem == "stunnel_pem"} {
 		set nitem "stunnel"
+	} elseif {$nitem == "ssl_pem"} {
+		set nitem "ssl"
 	} elseif {$nitem == "wireframe_mode"} {
 		set nitem "wireframe"
 	} elseif {$nitem == "solid_color"} {

--- a/x11vnc/tkx11vnc.h
+++ b/x11vnc/tkx11vnc.h
@@ -260,6 +260,8 @@ char gui_code[] = "";
 "	=GA tail-logfile\n"
 "	quiet\n"
 "	--\n"
+"	=GA show-start-cmd\n"
+"	=DG debug_gui\n"
 "	=GAL Misc-Debug::\n"
 "	debug_xevents\n"
 "	debug_xdamage\n"
@@ -270,8 +272,6 @@ char gui_code[] = "";
 "	debug_sel\n"
 "	dbg\n"
 "	=GAL LOFF\n"
-"	=GA show-start-cmd\n"
-"	=DG debug_gui\n"
 "\n"
 "Permissions\n"
 "	=DRQA lock\n"
@@ -300,19 +300,22 @@ char gui_code[] = "";
 "	unixpw_nis_list:\n"
 "	=0 storepasswd\n"
 "	=GAL LOFF\n"
-"	=GAL Safe::\n"
+"	=GAL SSL::\n"
+"	ssl\n"
+"	=F ssl_pem:\n"
+"	stunnel\n"
+"	=F stunnel_pem:\n"
+"	=F sslverify:\n"
+"	=GAL LOFF\n"
+"	=GAL Misc-Perms::\n"
 "	safer\n"
 "	unsafe\n"
 "	=RA noremote\n"
-"	=GAL LOFF\n"
-"	=GAL Misc-Perms::\n"
 "	=0S alwaysshared\n"
 "	=0S nevershared\n"
 "	=0S dontdisconnect\n"
 "	=SQA deny_all\n"
 "	timeout:\n"
-"	stunnel\n"
-"	=F stunnel_pem:\n"
 "	=GAL LOFF\n"
 "\n"
 "Tuning\n"
@@ -581,6 +584,10 @@ char gui_code[] = "";
 "Set the -stunnel pem filename value.\n"
 "\"\n"
 "\n"
+"	set helptext(ssl_pem) \"\n"
+"Set the -ssl pem filename value.\n"
+"\"\n"
+"\n"
 "	set helptext(wireframe_mode) \"\n"
 "Set the -wireframe mode string value.\n"
 "\"\n"
@@ -799,6 +806,17 @@ char gui_code[] = "";
 "with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd.\n"
 "\"\n"
 "\n"
+"	set helptext(SSL:) \"\n"
+"In this sub-menu we provide the options related to SSL encrpytion\n"
+"and authentication.\n"
+"\n"
+"There is a built-in mode (-ssl) using the OpenSSL library, and a 2nd\n"
+"using the external stunnel program (-stunnel, that needs to be installed\n"
+"on the system).  Either may require or benefit from having PEM certificate\n"
+"files specified.\n"
+"\n"
+"\"\n"
+"\n"
 "	set helptext(Misc-Perms:) \"\n"
 "In this sub-menu we provide some lesser used permission options.\n"
 "\n"
@@ -5595,6 +5613,8 @@ char gui_code[] = "";
 "		set nitem \"unixpw_nis\"\n"
 "	} elseif {$nitem == \"stunnel_pem\"} {\n"
 "		set nitem \"stunnel\"\n"
+"	} elseif {$nitem == \"ssl_pem\"} {\n"
+"		set nitem \"ssl\"\n"
 "	} elseif {$nitem == \"wireframe_mode\"} {\n"
 "		set nitem \"wireframe\"\n"
 "	} elseif {$nitem == \"solid_color\"} {\n"

--- a/x11vnc/unixpw.c
+++ b/x11vnc/unixpw.c
@@ -279,7 +279,7 @@ void try_to_be_nobody(void) {
 }
-static int slave_fd = -1, alarm_fired = 0;;
+static int slave_fd = -1, alarm_fired = 0;
 static void close_alarm (int sig) {
 	if (slave_fd >= 0) {

--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@@ -140,6 +140,7 @@
 #include "unixpw.h"
 #include "inet.h"
 #include "sslcmds.h"
+#include "sslhelper.h"
 #include "selection.h"
 /*
@@ -471,6 +472,7 @@ if (debug_scroll) fprintf(stderr, "watch_loop: LOOP-BACK: %d\n", ret);
 			check_connect_inputs();		
 			check_gui_inputs();		
 			check_stunnel();		
+			check_openssl();		
 			record_last_fb_update();
 			check_padded_fb();		
 			check_fixscreen();		
@@ -1353,7 +1355,8 @@ static void store_homedir_passwd(void) {
 #define	SHOW_NO_PASSWORD_WARNING \
 	(!got_passwd && !got_rfbauth && (!got_passwdfile || !passwd_list) \
-	    && !query_cmd && !remote_cmd && !unixpw && !got_gui_pw)
+	    && !query_cmd && !remote_cmd && !unixpw && !got_gui_pw \
+	    && ! ssl_verify)
 int main(int argc, char* argv[]) {
@@ -1367,12 +1370,10 @@ int main(int argc, char* argv[]) {
 	int got_gui_pw = 0;
 	int pw_loc = -1, got_passwd = 0, got_rfbauth = 0, nopw = NOPW;
 	int got_viewpasswd = 0, got_localhost = 0, got_passwdfile = 0;
-	int got_stunnel = 0;
 	int vpw_loc = -1;
 	int dt = 0, bg = 0;
 	int got_rfbwait = 0;
 	int got_httpdir = 0, try_http = 0;
-	int usepw = 0;
 	/* used to pass args we do not know about to rfbGetScreen(): */
 	int argc_vnc = 1; char *argv_vnc[128];
@@ -1583,12 +1584,23 @@ int main(int argc, char* argv[]) {
 			}
 			if (strstr(arg, "_unsafe")) {
 				/* hidden option for testing. */
-				set_env("UNIXPW_DISABLE_STUNNEL", "1");
+				set_env("UNIXPW_DISABLE_SSL", "1");
 				set_env("UNIXPW_DISABLE_LOCALHOST", "1");
 			}
+		} else if (!strcmp(arg, "-ssl")) {
+			use_openssl = 1;
+			if (i < argc-1) {
+				char *s = argv[i+1];
+				if (s[0] != '-') {
+					openssl_pem = strdup(s);
+					i++;
+				}
+			}
+		} else if (!strcmp(arg, "-sslverify")) {
+			CHECK_ARGC
+			ssl_verify = strdup(argv[++i]);
 		} else if (!strcmp(arg, "-stunnel")) {
 			use_stunnel = 1;
-			got_stunnel = 1;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
@@ -1598,7 +1610,6 @@ int main(int argc, char* argv[]) {
 			}
 		} else if (!strcmp(arg, "-stunnel3")) {
 			use_stunnel = 3;
-			got_stunnel = 1;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
@@ -2301,6 +2312,16 @@ int main(int argc, char* argv[]) {
 		exit(1);
 	}
+	if (ssl_verify) {
+		struct stat sbuf;
+		if (stat(ssl_verify, &sbuf) != 0) {
+			rfbLog("x11vnc: -sslverify %s does not exist\n",
+			    ssl_verify);
+			rfbLogPerror("stat");
+			exit(1);
+		}
+	}
 	/*
 	 * If -passwd was used, clear it out of argv.  This does not
 	 * work on all UNIX, have to use execvp() in general...
@@ -2382,46 +2403,49 @@ int main(int argc, char* argv[]) {
 		launch_gui = 0;
 	}
-	if (! inetd) {
+	if (! inetd && unixpw) {
-	    if (unixpw) {
+		if (! use_stunnel && ! use_openssl) {
-		if (! got_localhost && ! getenv("UNIXPW_DISABLE_LOCALHOST")) {
+			if (have_ssh_env()) {
-			if (! quiet) {
-				rfbLog("Setting -localhost in -unixpw mode.\n");
-			}
-			allow_list = strdup("127.0.0.1");
-			got_localhost = 1;
-		}
-		if (! got_stunnel) {
-			if (! getenv("UNIXPW_DISABLE_STUNNEL") &&
-			    ! have_ssh_env()) {
-				if (! quiet) {
-					rfbLog("Setting -stunnel in -unixpw "
-					    "mode.\n");
-				}
-				use_stunnel = 1;
-			} else if (! getenv("UNIXPW_DISABLE_STUNNEL")) {
 				char *s = getenv("SSH_CONNECTION");
 				if (! s) s = getenv("SSH_CLIENT");
 				if (! s) s = "SSH_CONNECTION";
 				fprintf(stderr, "\n");
-				rfbLog("Skipping -stunnel contraint in -unixpw mode,\n");
+				rfbLog("Skipping -ssl/-stunnel contraint in"
-				rfbLog("assuming your SSH encryption is: %s\n", s);
+				    " -unixpw\n");
+				rfbLog("mode, assuming your SSH encryption"
+				    " is: %s\n", s);
 				fprintf(stderr, "\n");
 				if (! nopw) {
 					usleep(2000*1000);
 				}
+			} else if (getenv("UNIXPW_DISABLE_SSL")) {
+				rfbLog("Skipping -ssl/-stunnel requirement"
+				    " due to\n");
+				rfbLog("UNIXPW_DISABLE_SSL setting.\n");
+			} else {
+				if (openssl_present()) {
+					rfbLog("set -ssl in -unixpw mode.\n");
+					use_openssl = 1;
+				} else {
+					rfbLog("set -stunnel in -unixpw mode.\n");
+					use_stunnel = 1;
+				}
 			}
 		}
-	    } else if (use_stunnel) {
+	}
+	if (use_stunnel && ! got_localhost) {
-		if (! got_localhost && ! getenv("STUNNEL_DISABLE_LOCALHOST")) {
+		if (! getenv("STUNNEL_DISABLE_LOCALHOST") &&
+		    ! getenv("UNIXPW_DISABLE_LOCALHOST")) {
 			if (! quiet) {
 				rfbLog("Setting -localhost in -stunnel mode.\n");
 			}
 			allow_list = strdup("127.0.0.1");
 			got_localhost = 1;
 		}
-	    }
+	}
+	if (ssl_verify && ! use_stunnel && ! use_openssl) {
+		rfbLog("-sslverify must be used with -ssl or -stunnel\n");
+		exit(1);
 	}
 	/* fixup settings that do not make sense */
@@ -3041,7 +3065,7 @@ int main(int argc, char* argv[]) {
 	initialize_allowed_input();
-	if (! inetd) {
+	if (! inetd && ! use_openssl) {
 		if (! screen->port || screen->listenSock < 0) {
 			rfbLogEnable(1);
 			rfbLog("Error: could not obtain listening port.\n");

--- a/x11vnc/x11vnc.h
+++ b/x11vnc/x11vnc.h
@@ -56,6 +56,7 @@
 * -DHARDWIRE_PASSWD=...      hardwired passwords, quoting necessary.
 * -DHARDWIRE_VIEWPASSWD=...
 * -DNOPW=1                   make -nopw the default (skip warning)
+ * -DUSEPW=1                  make -usepw the default
 * -DPASSWD_REQUIRED=1        exit unless a password is supplied.
 * -DPASSWD_UNLESS_NOPW=1     exit unless a password is supplied and no -nopw.
 *
@@ -73,6 +74,9 @@
 * -DSMALL_FOOTPRINT=1  for smaller binary size (no help, no gui, etc) 
 *                      use 2 or 3 for even smaller footprint.
 * -DNOGUI  do not include the gui tkx11vnc.
+ * -DSKIP_HELP=1   smaller.
+ * -DSKIP_XKB=1    a little smaller.
+ * -DSKIP_8to24=1  a little smaller.
 * -DPOLL_8TO24_DELAY=N  
 * -DDEBUG_XEVENTS=1  enable printout for X events.
 *
@@ -93,6 +97,10 @@
 #define NOPW 0
 #endif
+#ifndef USEPW
+#define USEPW 0
+#endif
 #ifndef PASSWD_REQUIRED
 #define PASSWD_REQUIRED 0
 #endif
@@ -116,13 +124,23 @@
 #define SMALL_FOOTPRINT 0
 #endif
+#ifndef SKIP_XKB
+#define SKIP_XKB 0
+#endif
+#ifndef SKIP_8TO24
+#define SKIP_8TO24 0
+#endif
+#ifndef SKIP_HELP
+#define SKIP_HELP 0
+#endif
 #if SMALL_FOOTPRINT
+#undef  NOGUI
 #define NOGUI
+#undef  SKIP_HELP
+#define SKIP_HELP 0
 #endif
-#define SKIP_XKB 0
-#define SKIP_8TO24 0
 #if (SMALL_FOOTPRINT > 1)
 #undef SKIP_XKB
 #undef SKIP_8TO24
@@ -447,6 +465,8 @@ typedef struct _ClientData {
 	int login_viewonly;
 	time_t login_time;
+	pid_t ssh_helper_pid;
 	int had_cursor_shape_updates;
 	int had_cursor_pos_updates;

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.1 lastmod: 2006-03-08";
+char lastmod[] = "0.8.1 lastmod: 2006-03-11";
 /* X display info */

--- a/x11vnc/xevents.c
+++ b/x11vnc/xevents.c
@@ -818,7 +818,7 @@ void check_xevents(void) {
 	/* check for our PRIMARY request notification: */
 	if (watch_primary || watch_clipboard) {
-		int doprimary = 1, doclipboard = 2, which, own;
+		int doprimary = 1, doclipboard = 2, which, own = 0;
 		double delay = 1.0;
 		Atom atom;
 		char *req;