Commit e2e93479 authored by runge's avatar runge

x11vnc: add -ssl mode using libssl. Include Xdummy in misc.

parent 5e726096
...@@ -175,7 +175,7 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then ...@@ -175,7 +175,7 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
esac esac
fi fi
# only x11vnc uses crypt() # currently only x11vnc uses crypt() or libssl:
AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present]) AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present])
AC_ARG_WITH(crypt, AC_ARG_WITH(crypt,
[ --without-crypt disable support for libcrypt],,) [ --without-crypt disable support for libcrypt],,)
...@@ -188,6 +188,25 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then ...@@ -188,6 +188,25 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
$X_LIBS $X_PRELIBS -lcrypt $X_EXTRA_LIBS) $X_LIBS $X_PRELIBS -lcrypt $X_EXTRA_LIBS)
fi fi
fi fi
AH_TEMPLATE(HAVE_LIBSSL, [openssl libssl library present])
AC_ARG_WITH(ssl,
[ --without-ssl disable support for openssl libssl],,)
if test "x$with_ssl" != "xno"; then
AC_CHECK_LIB(ssl, SSL_library_init,
X_PRELIBS="$X_PRELIBS -lssl"
[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
$X_LIBS $X_PRELIBS -lssl $X_EXTRA_LIBS)
fi
AH_TEMPLATE(HAVE_LIBCRYPTO, [openssl libcrypto library present])
AC_ARG_WITH(crypto,
[ --without-crypto disable support for openssl libcrypto],,)
# some OS's need both -lssl and -lcrypto
if test "x$HAVE_LIBSSL" = "xtrue"; then
AC_CHECK_LIB(crypto, RAND_load_file,
X_PRELIBS="$X_PRELIBS -lcrypto"
[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
$X_LIBS $X_PRELIBS -lcrypto $X_EXTRA_LIBS)
fi
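Review bot: `--without-crypto` is registered by the AC_ARG_WITH just above but never consulted: the libcrypto probe is gated only on `test "x$HAVE_LIBSSL" = "xtrue"`, so the option is a no-op; use `if test "x$HAVE_LIBSSL" = "xtrue" -a "x$with_crypto" != "xno"; then`. The action-if-found of that probe also re-defines HAVE_LIBSSL instead of the HAVE_LIBCRYPTO template declared right above it, so HAVE_LIBCRYPTO is never defined even though its AH_TEMPLATE exists. One caveat for anyone building this later: OpenSSL 1.1 turned SSL_library_init into a macro and no longer exports it as a symbol, so this probe would then fail and, as far as this hunk shows, -ssl support would be dropped from the build without any error.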
X_LIBS="$X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS" X_LIBS="$X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS"
......
2006-03-11 Karl Runge <runge@karlrunge.com>
* x11vnc: add -ssl mode using libssl. Include Xdummy in misc.
a few more macros for smallerfoot, etc.
2006-03-08 Karl Runge <runge@karlrunge.com> 2006-03-08 Karl Runge <runge@karlrunge.com>
* x11vnc: manage CLIPBOARD in addition to PRIMARY. -debug_sel * x11vnc: manage CLIPBOARD in addition to PRIMARY. -debug_sel
Make reverse connections require passwords. -usepw option. Make reverse connections require passwords. -usepw option.
......
...@@ -13,7 +13,7 @@ endif ...@@ -13,7 +13,7 @@ endif
if HAVE_X if HAVE_X
bin_PROGRAMS=x11vnc bin_PROGRAMS=x11vnc
x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h x11vnc_SOURCES = 8to24.c cleanup.c connections.c cursor.c gui.c help.c inet.c keyboard.c options.c pointer.c rates.c remote.c scan.c screen.c selection.c solid.c sslcmds.c sslhelper.c unixpw.c user.c userinput.c util.c win_utils.c x11vnc.c x11vnc_defs.c xdamage.c xevents.c xinerama.c xkb_bell.c xrandr.c xrecord.c xwrappers.c 8to24.h allowed_input_t.h blackout_t.h cleanup.h connections.h cursor.h enums.h gui.h help.h inet.h keyboard.h options.h params.h pointer.h rates.h remote.h scan.h screen.h scrollevent_t.h selection.h solid.h sslcmds.h sslhelper.h tkx11vnc.h unixpw.h user.h userinput.h util.h win_utils.h winattr_t.h x11vnc.h xdamage.h xevents.h xinerama.h xkb_bell.h xrandr.h xrecord.h xwrappers.h
INCLUDES=@X_CFLAGS@ INCLUDES=@X_CFLAGS@
x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC) x11vnc_LDADD=$(LDADD) @X_LIBS@ $(LD_CYGIPC)
endif endif
......
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
#include "solid.h" #include "solid.h"
#include "unixpw.h" #include "unixpw.h"
#include "sslcmds.h" #include "sslcmds.h"
#include "sslhelper.h"
/* /*
* Exiting and error handling routines * Exiting and error handling routines
...@@ -133,6 +134,9 @@ void clean_up_exit (int ret) { ...@@ -133,6 +134,9 @@ void clean_up_exit (int ret) {
solid_bg(1); solid_bg(1);
} }
stop_stunnel(); stop_stunnel();
if (use_openssl) {
ssh_helper_pid(0, 0); /* killall */
}
X_LOCK; X_LOCK;
XTestDiscard_wr(dpy); XTestDiscard_wr(dpy);
......
...@@ -11,6 +11,8 @@ ...@@ -11,6 +11,8 @@
#include "screen.h" #include "screen.h"
#include "unixpw.h" #include "unixpw.h"
#include "scan.h" #include "scan.h"
#include "sslcmds.h"
#include "sslhelper.h"
/* /*
* routines for handling incoming, outgoing, etc connections * routines for handling incoming, outgoing, etc connections
...@@ -542,6 +544,7 @@ static int accepted_client = 0; ...@@ -542,6 +544,7 @@ static int accepted_client = 0;
* callback for when a client disconnects * callback for when a client disconnects
*/ */
static void client_gone(rfbClientPtr client) { static void client_gone(rfbClientPtr client) {
ClientData *cd = NULL;
client_count--; client_count--;
if (client_count < 0) client_count = 0; if (client_count < 0) client_count = 0;
...@@ -559,17 +562,27 @@ static void client_gone(rfbClientPtr client) { ...@@ -559,17 +562,27 @@ static void client_gone(rfbClientPtr client) {
} }
} }
if (no_autorepeat && client_count == 0) { if (no_autorepeat && client_count == 0) {
autorepeat(1, 0); autorepeat(1, 0);
} }
if (use_solid_bg && client_count == 0) { if (use_solid_bg && client_count == 0) {
solid_bg(1); solid_bg(1);
} }
if (gone_cmd && *gone_cmd != '\0') {
ClientData *cd = NULL;
if (client->clientData) { if (client->clientData) {
cd = (ClientData *) client->clientData; cd = (ClientData *) client->clientData;
if (cd->ssh_helper_pid > 0) {
int status;
rfbLog("sending SIGTERM to ssh_helper_pid: %d\n",
cd->ssh_helper_pid);
kill(cd->ssh_helper_pid, SIGTERM);
#if LIBVNCSERVER_HAVE_SYS_WAIT_H && LIBVNCSERVER_HAVE_WAITPID
waitpid(cd->ssh_helper_pid, &status, WNOHANG);
#endif
ssh_helper_pid(cd->ssh_helper_pid, -1); /* delete */
}
} }
if (gone_cmd && *gone_cmd != '\0') {
if (strstr(gone_cmd, "popup") == gone_cmd) { if (strstr(gone_cmd, "popup") == gone_cmd) {
int x = -64000, y = -64000, timeout = 120; int x = -64000, y = -64000, timeout = 120;
char *userhost = ident_username(client); char *userhost = ident_username(client);
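Review bot: `waitpid(cd->ssh_helper_pid, &status, WNOHANG)` runs immediately after `kill(cd->ssh_helper_pid, SIGTERM)`, so in nearly every case the helper has not exited yet, waitpid returns 0, and the child is left as a zombie unless something else reaps it; the following `ssh_helper_pid(cd->ssh_helper_pid, -1)` then drops the caller's only record of that pid. If the helper table in sslhelper.c (collapsed on this page) is what reaps it later, state that here, e.g. `/* helper is reaped later by check_openssl(); WNOHANG is only opportunistic */`; otherwise keep the entry until a later waitpid() succeeds. kill()'s return value is also ignored, so logging an ESRCH failure would at least show when the helper had already gone away. client_gone() continues outside the hunk.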
...@@ -1452,6 +1465,10 @@ static int do_reverse_connect(char *str) { ...@@ -1452,6 +1465,10 @@ static int do_reverse_connect(char *str) {
rfbLog("reverse_connect: screen not setup yet.\n"); rfbLog("reverse_connect: screen not setup yet.\n");
return 0; return 0;
} }
if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
rfbLog("reverse connections disabled in -ssl mode.\n");
return 0;
}
/* copy in to host */ /* copy in to host */
host = (char *) malloc(len+1); host = (char *) malloc(len+1);
...@@ -1476,7 +1493,7 @@ static int do_reverse_connect(char *str) { ...@@ -1476,7 +1493,7 @@ static int do_reverse_connect(char *str) {
return 0; return 0;
} }
} }
if (! getenv("UNIXPW_DISABLE_STUNNEL") && ! have_ssh_env()) { if (! getenv("UNIXPW_DISABLE_SSL") && ! have_ssh_env()) {
rfbLog("reverse_connect: in -inetd stunnel/ssh\n"); rfbLog("reverse_connect: in -inetd stunnel/ssh\n");
rfbLog("required under -unixpw\n"); rfbLog("required under -unixpw\n");
return 0; return 0;
...@@ -1824,6 +1841,13 @@ enum rfbNewClientAction new_client(rfbClientPtr client) { ...@@ -1824,6 +1841,13 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
clients_served++; clients_served++;
if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served); if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);
if (use_openssl || use_stunnel) {
if (! ssl_initialized) {
rfbLog("denying additional client: %s ssl not setup"
" yet.\n", client->host);
return(RFB_CLIENT_REFUSE);
}
}
if (unixpw && unixpw_in_progress) { if (unixpw && unixpw_in_progress) {
rfbLog("denying additional client: %s during -unixpw login.\n", rfbLog("denying additional client: %s during -unixpw login.\n",
client->host); client->host);
...@@ -1857,6 +1881,13 @@ if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served); ...@@ -1857,6 +1881,13 @@ if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);
cd->input[0] = '-'; cd->input[0] = '-';
cd->login_viewonly = -1; cd->login_viewonly = -1;
cd->login_time = time(0); cd->login_time = time(0);
cd->ssh_helper_pid = 0;
if (use_openssl && openssl_last_helper_pid) {
if (0) fprintf(stderr, "SET ssh_helper_pid: %d\n", openssl_last_helper_pid);
cd->ssh_helper_pid = openssl_last_helper_pid;
openssl_last_helper_pid = 0;
}
if (! accept_client(client)) { if (! accept_client(client)) {
rfbLog("denying client: %s local user rejected connection.\n", rfbLog("denying client: %s local user rejected connection.\n",
......
...@@ -188,6 +188,7 @@ static int got_sigusr1 = 0; ...@@ -188,6 +188,7 @@ static int got_sigusr1 = 0;
static void sigusr1 (int sig) { static void sigusr1 (int sig) {
got_sigusr1 = 1; got_sigusr1 = 1;
if (0) sig = 0;
} }
static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc, static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,
......
...@@ -21,6 +21,11 @@ char *unixpw_list = NULL; ...@@ -21,6 +21,11 @@ char *unixpw_list = NULL;
int use_stunnel = 0; /* -stunnel */ int use_stunnel = 0; /* -stunnel */
int stunnel_port = 0; int stunnel_port = 0;
char *stunnel_pem = NULL; char *stunnel_pem = NULL;
int use_openssl = 0;
char *openssl_pem = NULL;
char *ssl_verify = NULL;
int ssl_initialized = 0;
int usepw = USEPW;
char *blackout_str = NULL; /* -blackout */ char *blackout_str = NULL; /* -blackout */
int blackout_ptr = 0; int blackout_ptr = 0;
char *clip_str = NULL; /* -clip */ char *clip_str = NULL; /* -clip */
......
...@@ -21,6 +21,11 @@ extern char *unixpw_list; ...@@ -21,6 +21,11 @@ extern char *unixpw_list;
extern int use_stunnel; extern int use_stunnel;
extern int stunnel_port; extern int stunnel_port;
extern char *stunnel_pem; extern char *stunnel_pem;
extern int use_openssl;
extern char *openssl_pem;
extern char *ssl_verify;
extern int ssl_initialized;
extern int usepw;
extern char *blackout_str; extern char *blackout_str;
extern int blackout_ptr; extern int blackout_ptr;
extern char *clip_str; extern char *clip_str;
......
...@@ -3775,10 +3775,18 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -3775,10 +3775,18 @@ char *process_remote_cmd(char *cmd, int stringonly) {
snprintf(buf, bufn, "aro=%s:%d", p, unixpw_nis); snprintf(buf, bufn, "aro=%s:%d", p, unixpw_nis);
} else if (!strcmp(p, "unixpw_list")) { } else if (!strcmp(p, "unixpw_list")) {
snprintf(buf, bufn, "aro=%s:%s", p, NONUL(unixpw_list)); snprintf(buf, bufn, "aro=%s:%s", p, NONUL(unixpw_list));
} else if (!strcmp(p, "ssl")) {
snprintf(buf, bufn, "aro=%s:%d", p, use_openssl);
} else if (!strcmp(p, "ssl_pem")) {
snprintf(buf, bufn, "aro=%s:%s", p, NONUL(openssl_pem));
} else if (!strcmp(p, "sslverify")) {
snprintf(buf, bufn, "aro=%s:%s", p, NONUL(ssl_verify));
} else if (!strcmp(p, "stunnel")) { } else if (!strcmp(p, "stunnel")) {
snprintf(buf, bufn, "aro=%s:%d", p, use_stunnel); snprintf(buf, bufn, "aro=%s:%d", p, use_stunnel);
} else if (!strcmp(p, "stunnel_pem")) { } else if (!strcmp(p, "stunnel_pem")) {
snprintf(buf, bufn, "aro=%s:%s", p, NONUL(stunnel_pem)); snprintf(buf, bufn, "aro=%s:%s", p, NONUL(stunnel_pem));
} else if (!strcmp(p, "usepw")) {
snprintf(buf, bufn, "aro=%s:%d", p, usepw);
} else if (!strcmp(p, "using_shm")) { } else if (!strcmp(p, "using_shm")) {
snprintf(buf, bufn, "aro=%s:%d", p, !using_shm); snprintf(buf, bufn, "aro=%s:%d", p, !using_shm);
} else if (!strcmp(p, "logfile") || !strcmp(p, "o")) { } else if (!strcmp(p, "logfile") || !strcmp(p, "o")) {
......
...@@ -2146,8 +2146,9 @@ static void ping_clients(int tile_cnt) { ...@@ -2146,8 +2146,9 @@ static void ping_clients(int tile_cnt) {
} }
if (tile_cnt) { if (tile_cnt) {
last_send = now; last_send = now;
} else if (now - last_send > 1) { } else if (now - last_send > 2) {
/* Send small heartbeat to client */ /* Send small heartbeat to client */
if (0) fprintf(stderr, "ping_clients 2\n");
mark_rect_as_modified(0, 0, 1, 1, 1); mark_rect_as_modified(0, 0, 1, 1, 1);
last_send = now; last_send = now;
} }
...@@ -2638,6 +2639,8 @@ int scan_for_updates(int count_only) { ...@@ -2638,6 +2639,8 @@ int scan_for_updates(int count_only) {
/* Work around threaded rfbProcessClientMessage() calls timeouts */ /* Work around threaded rfbProcessClientMessage() calls timeouts */
if (use_threads) { if (use_threads) {
ping_clients(tile_diffs); ping_clients(tile_diffs);
} else if (use_openssl && !tile_diffs) {
ping_clients(0);
} }
......
...@@ -18,11 +18,13 @@ ...@@ -18,11 +18,13 @@
#include "remote.h" #include "remote.h"
#include "unixpw.h" #include "unixpw.h"
#include "sslcmds.h" #include "sslcmds.h"
#include "sslhelper.h"
void set_colormap(int reset); void set_colormap(int reset);
void set_nofb_params(int restore); void set_nofb_params(int restore);
void set_raw_fb_params(int restore); void set_raw_fb_params(int restore);
void do_new_fb(int reset_mem); void do_new_fb(int reset_mem);
void free_old_fb(char *old_main, char *old_rfb, char *old_8to24);
void check_padded_fb(void); void check_padded_fb(void);
void install_padded_fb(char *geom); void install_padded_fb(char *geom);
XImage *initialize_xdisplay_fb(void); XImage *initialize_xdisplay_fb(void);
...@@ -552,6 +554,18 @@ static void nofb_hook(rfbClientPtr cl) { ...@@ -552,6 +554,18 @@ static void nofb_hook(rfbClientPtr cl) {
screen->displayHook = NULL; screen->displayHook = NULL;
} }
void free_old_fb(char *old_main, char *old_rfb, char *old_8to24) {
if (old_main) {
free(old_main);
}
if (old_rfb && old_rfb != old_main) {
free(old_rfb);
}
if (old_8to24 && old_8to24 != old_main && old_8to24 != old_rfb) {
free(old_8to24);
}
}
void do_new_fb(int reset_mem) { void do_new_fb(int reset_mem) {
XImage *fb; XImage *fb;
char *old_main = main_fb; char *old_main = main_fb;
...@@ -580,15 +594,8 @@ void do_new_fb(int reset_mem) { ...@@ -580,15 +594,8 @@ void do_new_fb(int reset_mem) {
initialize_polling_images(); initialize_polling_images();
} }
if (old_main) { free_old_fb(old_main, old_rfb, old_8to24);
free(old_main);
}
if (old_rfb && old_rfb != old_main) {
free(old_rfb);
}
if (old_8to24 && old_8to24 != old_main && old_8to24 != old_rfb) {
free(old_8to24);
}
fb0 = fb; fb0 = fb;
} }
...@@ -1572,7 +1579,9 @@ void initialize_screen(int *argc, char **argv, XImage *fb) { ...@@ -1572,7 +1579,9 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
/* n.b. samplesPerPixel (set = 1 here) seems to be unused. */ /* n.b. samplesPerPixel (set = 1 here) seems to be unused. */
if (create_screen) { if (create_screen) {
if (use_stunnel) { if (use_openssl) {
openssl_init();
} else if (use_stunnel) {
setup_stunnel(0, argc, argv); setup_stunnel(0, argc, argv);
} }
screen = rfbGetScreen(argc, argv, width, height, screen = rfbGetScreen(argc, argv, width, height,
...@@ -1954,6 +1963,10 @@ void initialize_screen(int *argc, char **argv, XImage *fb) { ...@@ -1954,6 +1963,10 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
rfbInitServer(screen); rfbInitServer(screen);
if (use_openssl) {
openssl_port();
}
install_passwds(); install_passwds();
} }
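Review bot: neither openssl_init() nor openssl_port() returns a status (both are `void` in sslhelper.h), so initialize_screen() goes on to rfbGetScreen() and install_passwds() with no way to tell whether the TLS context and listener were actually set up. new_client() refuses every client until `ssl_initialized` is set; setup_stunnel() sets it at its end, but the -ssl equivalent is not visible in this commit and is presumably inside openssl_port() — confirm, because otherwise -ssl mode would never admit a client. A comment at the call, such as `/* must set ssl_initialized; new_client() refuses clients until then */`, would make that contract explicit. initialize_screen() starts outside the hunk.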
......
...@@ -7,6 +7,7 @@ extern void set_colormap(int reset); ...@@ -7,6 +7,7 @@ extern void set_colormap(int reset);
extern void set_nofb_params(int restore); extern void set_nofb_params(int restore);
extern void set_raw_fb_params(int restore); extern void set_raw_fb_params(int restore);
extern void do_new_fb(int reset_mem); extern void do_new_fb(int reset_mem);
extern void free_old_fb(char *old_main, char *old_rfb, char *old_8to24);
extern void check_padded_fb(void); extern void check_padded_fb(void);
extern void install_padded_fb(char *geom); extern void install_padded_fb(char *geom);
extern XImage *initialize_xdisplay_fb(void); extern XImage *initialize_xdisplay_fb(void);
......
...@@ -302,7 +302,7 @@ void selection_send(XEvent *ev) { ...@@ -302,7 +302,7 @@ void selection_send(XEvent *ev) {
PROP_MAX); PROP_MAX);
break; break;
} }
if (debug_sel) fprintf(stderr, "selection_send: data: '%s' dlen: %d nitems: %d ba: %d\n", data, dlen, nitems, bytes_after); if (debug_sel) fprintf(stderr, "selection_send: data: '%s' dlen: %d nitems: %lu ba: %lu\n", data, dlen, nitems, bytes_after);
memcpy(selection_str+slen, data, dlen); memcpy(selection_str+slen, data, dlen);
slen += dlen; slen += dlen;
selection_str[slen] = '\0'; selection_str[slen] = '\0';
......
...@@ -46,6 +46,7 @@ int start_stunnel(int stunnel_port, int x11vnc_port) { ...@@ -46,6 +46,7 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
char extra[] = ":/usr/sbin:/usr/local/sbin"; char extra[] = ":/usr/sbin:/usr/local/sbin";
char *path, *p, *exe; char *path, *p, *exe;
char *stunnel_path = NULL; char *stunnel_path = NULL;
struct stat verify_buf;
int status; int status;
if (stunnel_pid) { if (stunnel_pid) {
...@@ -110,13 +111,11 @@ int start_stunnel(int stunnel_port, int x11vnc_port) { ...@@ -110,13 +111,11 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
stunnel_port, x11vnc_port); stunnel_port, x11vnc_port);
} }
if (0) { if (ssl_verify) {
fprintf(stderr, "foreground = yes\n"); if (stat(ssl_verify, &verify_buf) != 0) {
fprintf(stderr, "pid =\n"); rfbLog("stunnel: %s does not exist.\n", ssl_verify);
fprintf(stderr, ";debug = 7\n"); return 0;
fprintf(stderr, "[x11vnc_stunnel]\n"); }
fprintf(stderr, "accept = %d\n", stunnel_port);
fprintf(stderr, "connect = %d\n", x11vnc_port);
} }
stunnel_pid = fork(); stunnel_pid = fork();
...@@ -137,18 +136,37 @@ int start_stunnel(int stunnel_port, int x11vnc_port) { ...@@ -137,18 +136,37 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
} }
if (use_stunnel == 3) { if (use_stunnel == 3) {
char sp[20], xp[20]; char sp[20], xp[20], *a = NULL;
char *st = stunnel_path;
char *pm = stunnel_pem;
char *sv = ssl_verify;
sprintf(sp, "%d", stunnel_port); sprintf(sp, "%d", stunnel_port);
sprintf(xp, "%d", x11vnc_port); sprintf(xp, "%d", x11vnc_port);
if (stunnel_pem) { if (ssl_verify) {
execlp(stunnel_path, stunnel_path, "-f", "-d", if(S_ISDIR(verify_buf.st_mode)) {
sp, "-r", xp, "-P", "none", "-p", a = "-a";
stunnel_pem, (char *) NULL); } else {
a = "-A";
}
}
if (stunnel_pem && ssl_verify) {
execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
"none", "-p", pm, a, sv, "-v", "2",
(char *) NULL);
} else if (stunnel_pem && !ssl_verify) {
execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
"none", "-p", pm,
(char *) NULL);
} else if (!stunnel_pem && ssl_verify) {
execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
"none", a, sv, "-v", "2",
(char *) NULL);
} else { } else {
execlp(stunnel_path, stunnel_path, "-f", "-d", execlp(st, st, "-f", "-d", sp, "-r", xp, "-P",
sp, "-r", xp, "-P", "none", (char *) NULL); "none", (char *) NULL);
} }
exit(1); exit(1);
} }
...@@ -162,7 +180,15 @@ int start_stunnel(int stunnel_port, int x11vnc_port) { ...@@ -162,7 +180,15 @@ int start_stunnel(int stunnel_port, int x11vnc_port) {
if (stunnel_pem) { if (stunnel_pem) {
fprintf(in, "cert = %s\n", stunnel_pem); fprintf(in, "cert = %s\n", stunnel_pem);
} }
fprintf(in, ";debug = 7\n"); if (ssl_verify) {
if(S_ISDIR(verify_buf.st_mode)) {
fprintf(in, "CApath = %s\n", ssl_verify);
} else {
fprintf(in, "CAfile = %s\n", ssl_verify);
}
fprintf(in, "verify = 2\n");
}
fprintf(in, ";debug = 7\n\n");
fprintf(in, "[x11vnc_stunnel]\n"); fprintf(in, "[x11vnc_stunnel]\n");
fprintf(in, "accept = %d\n", stunnel_port); fprintf(in, "accept = %d\n", stunnel_port);
fprintf(in, "connect = %d\n", x11vnc_port); fprintf(in, "connect = %d\n", x11vnc_port);
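Review bot: when -sslverify names a directory it is passed to stunnel as `CApath` (and as `-a` in the stunnel-3 branch), and OpenSSL searches such a directory only via hash-named files or symlinks (`c_rehash`), so a plain directory of .pem files makes every client fail `verify = 2` with no hint from x11vnc; the `S_ISDIR` branch should at least log that expectation, e.g. `rfbLog("stunnel: CApath %s must contain c_rehash'd certs.\n", ssl_verify);`. The earlier `stat()` checks only existence, not that the stunnel process can read the file, so an unreadable CA file would likewise surface only as failed handshakes. The argv path and the config-file path encode the verify level twice (`"-v", "2"` and `verify = 2`); a single `#define` for it would keep them from drifting apart. start_stunnel() continues outside the hunk.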
...@@ -256,6 +282,7 @@ void setup_stunnel(int rport, int *argc, char **argv) { ...@@ -256,6 +282,7 @@ void setup_stunnel(int rport, int *argc, char **argv) {
} }
} }
stunnel_port = rport; stunnel_port = rport;
ssl_initialized = 1;
return; return;
} }
......
#ifndef _X11VNC_SSLHELPER_H
#define _X11VNC_SSLHELPER_H
/* -- sslhelper.h -- */
extern int openssl_sock;
extern pid_t openssl_last_helper_pid;
extern int openssl_present(void);
extern void openssl_init(void);
extern void openssl_port(void);
extern void check_openssl(void);
extern void ssh_helper_pid(pid_t pid, int sock);
#endif /* _X11VNC_SSLHELPER_H */
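Review bot: `ssh_helper_pid(pid_t pid, int sock)` is named after ssh but is the SSL helper bookkeeping call, and its callers drive it with undocumented sentinel arguments (`ssh_helper_pid(0, 0)` as "killall" in cleanup.c, `ssh_helper_pid(pid, -1)` as "delete" in connections.c). The declaration should spell that protocol out, e.g. `/* (0,0): SIGTERM and forget every helper; (pid,-1): forget pid; otherwise presumably record pid/sock -- confirm against sslhelper.c */`, and a name such as `ssl_helper_pid` would match the rest of this header. `openssl_last_helper_pid` is a global that new_client() copies into the client's data and resets to 0; a one-line comment saying it holds the pid of the helper forked for the not-yet-accepted connection would save readers a trip through the collapsed sslhelper.c.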
...@@ -249,6 +249,8 @@ Debugging ...@@ -249,6 +249,8 @@ Debugging
=GA tail-logfile =GA tail-logfile
quiet quiet
-- --
=GA show-start-cmd
=DG debug_gui
=GAL Misc-Debug:: =GAL Misc-Debug::
debug_xevents debug_xevents
debug_xdamage debug_xdamage
...@@ -259,8 +261,6 @@ Debugging ...@@ -259,8 +261,6 @@ Debugging
debug_sel debug_sel
dbg dbg
=GAL LOFF =GAL LOFF
=GA show-start-cmd
=DG debug_gui
Permissions Permissions
=DRQA lock =DRQA lock
...@@ -289,19 +289,22 @@ Permissions ...@@ -289,19 +289,22 @@ Permissions
unixpw_nis_list: unixpw_nis_list:
=0 storepasswd =0 storepasswd
=GAL LOFF =GAL LOFF
=GAL Safe:: =GAL SSL::
ssl
=F ssl_pem:
stunnel
=F stunnel_pem:
=F sslverify:
=GAL LOFF
=GAL Misc-Perms::
safer safer
unsafe unsafe
=RA noremote =RA noremote
=GAL LOFF
=GAL Misc-Perms::
=0S alwaysshared =0S alwaysshared
=0S nevershared =0S nevershared
=0S dontdisconnect =0S dontdisconnect
=SQA deny_all =SQA deny_all
timeout: timeout:
stunnel
=F stunnel_pem:
=GAL LOFF =GAL LOFF
Tuning Tuning
...@@ -568,6 +571,10 @@ Set the -unixpw_nis usernames list value. ...@@ -568,6 +571,10 @@ Set the -unixpw_nis usernames list value.
set helptext(stunnel_pem) " set helptext(stunnel_pem) "
Set the -stunnel pem filename value. Set the -stunnel pem filename value.
"
set helptext(ssl_pem) "
Set the -ssl pem filename value.
" "
set helptext(wireframe_mode) " set helptext(wireframe_mode) "
...@@ -786,6 +793,17 @@ work everywhere. ...@@ -786,6 +793,17 @@ work everywhere.
Regarding ViewOnly passwords (where a VNC client using that password Regarding ViewOnly passwords (where a VNC client using that password
can only watch the screen, not interact with it), this is not available can only watch the screen, not interact with it), this is not available
with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd. with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd.
"
set helptext(SSL:) "
In this sub-menu we provide the options related to SSL encrpytion
and authentication.
There is a built-in mode (-ssl) using the OpenSSL library, and a 2nd
using the external stunnel program (-stunnel, that needs to be installed
on the system). Either may require or benefit from having PEM certificate
files specified.
" "
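Review bot: the new helptext(SSL:) text misspells `encrpytion` (should be `encryption`), and the same text is duplicated into the generated tkx11vnc.h, so regenerate that file rather than patching both by hand. The menu gains an `=F sslverify:` entry, but only `ssl_pem` receives a helptext and a get_nitem mapping in this commit; unless it sits in a collapsed part, add `set helptext(sslverify) "Set the -sslverify CA certificate file or directory value."`. Since -sslverify switches on client-certificate verification and suppresses the no-password warning (SHOW_NO_PASSWORD_WARNING in x11vnc.c now tests `ssl_verify`), the SSL: help text is the right place to say that a verify file is treated as an authentication method.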
set helptext(Misc-Perms:) " set helptext(Misc-Perms:) "
...@@ -5584,6 +5602,8 @@ proc get_nitem {item} { ...@@ -5584,6 +5602,8 @@ proc get_nitem {item} {
set nitem "unixpw_nis" set nitem "unixpw_nis"
} elseif {$nitem == "stunnel_pem"} { } elseif {$nitem == "stunnel_pem"} {
set nitem "stunnel" set nitem "stunnel"
} elseif {$nitem == "ssl_pem"} {
set nitem "ssl"
} elseif {$nitem == "wireframe_mode"} { } elseif {$nitem == "wireframe_mode"} {
set nitem "wireframe" set nitem "wireframe"
} elseif {$nitem == "solid_color"} { } elseif {$nitem == "solid_color"} {
......
...@@ -260,6 +260,8 @@ char gui_code[] = ""; ...@@ -260,6 +260,8 @@ char gui_code[] = "";
" =GA tail-logfile\n" " =GA tail-logfile\n"
" quiet\n" " quiet\n"
" --\n" " --\n"
" =GA show-start-cmd\n"
" =DG debug_gui\n"
" =GAL Misc-Debug::\n" " =GAL Misc-Debug::\n"
" debug_xevents\n" " debug_xevents\n"
" debug_xdamage\n" " debug_xdamage\n"
...@@ -270,8 +272,6 @@ char gui_code[] = ""; ...@@ -270,8 +272,6 @@ char gui_code[] = "";
" debug_sel\n" " debug_sel\n"
" dbg\n" " dbg\n"
" =GAL LOFF\n" " =GAL LOFF\n"
" =GA show-start-cmd\n"
" =DG debug_gui\n"
"\n" "\n"
"Permissions\n" "Permissions\n"
" =DRQA lock\n" " =DRQA lock\n"
...@@ -300,19 +300,22 @@ char gui_code[] = ""; ...@@ -300,19 +300,22 @@ char gui_code[] = "";
" unixpw_nis_list:\n" " unixpw_nis_list:\n"
" =0 storepasswd\n" " =0 storepasswd\n"
" =GAL LOFF\n" " =GAL LOFF\n"
" =GAL Safe::\n" " =GAL SSL::\n"
" ssl\n"
" =F ssl_pem:\n"
" stunnel\n"
" =F stunnel_pem:\n"
" =F sslverify:\n"
" =GAL LOFF\n"
" =GAL Misc-Perms::\n"
" safer\n" " safer\n"
" unsafe\n" " unsafe\n"
" =RA noremote\n" " =RA noremote\n"
" =GAL LOFF\n"
" =GAL Misc-Perms::\n"
" =0S alwaysshared\n" " =0S alwaysshared\n"
" =0S nevershared\n" " =0S nevershared\n"
" =0S dontdisconnect\n" " =0S dontdisconnect\n"
" =SQA deny_all\n" " =SQA deny_all\n"
" timeout:\n" " timeout:\n"
" stunnel\n"
" =F stunnel_pem:\n"
" =GAL LOFF\n" " =GAL LOFF\n"
"\n" "\n"
"Tuning\n" "Tuning\n"
...@@ -581,6 +584,10 @@ char gui_code[] = ""; ...@@ -581,6 +584,10 @@ char gui_code[] = "";
"Set the -stunnel pem filename value.\n" "Set the -stunnel pem filename value.\n"
"\"\n" "\"\n"
"\n" "\n"
" set helptext(ssl_pem) \"\n"
"Set the -ssl pem filename value.\n"
"\"\n"
"\n"
" set helptext(wireframe_mode) \"\n" " set helptext(wireframe_mode) \"\n"
"Set the -wireframe mode string value.\n" "Set the -wireframe mode string value.\n"
"\"\n" "\"\n"
...@@ -799,6 +806,17 @@ char gui_code[] = ""; ...@@ -799,6 +806,17 @@ char gui_code[] = "";
"with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd.\n" "with -rfbauth, but only with -passwdfile, -passwd, and -viewpasswd.\n"
"\"\n" "\"\n"
"\n" "\n"
" set helptext(SSL:) \"\n"
"In this sub-menu we provide the options related to SSL encrpytion\n"
"and authentication.\n"
"\n"
"There is a built-in mode (-ssl) using the OpenSSL library, and a 2nd\n"
"using the external stunnel program (-stunnel, that needs to be installed\n"
"on the system). Either may require or benefit from having PEM certificate\n"
"files specified.\n"
"\n"
"\"\n"
"\n"
" set helptext(Misc-Perms:) \"\n" " set helptext(Misc-Perms:) \"\n"
"In this sub-menu we provide some lesser used permission options.\n" "In this sub-menu we provide some lesser used permission options.\n"
"\n" "\n"
...@@ -5595,6 +5613,8 @@ char gui_code[] = ""; ...@@ -5595,6 +5613,8 @@ char gui_code[] = "";
" set nitem \"unixpw_nis\"\n" " set nitem \"unixpw_nis\"\n"
" } elseif {$nitem == \"stunnel_pem\"} {\n" " } elseif {$nitem == \"stunnel_pem\"} {\n"
" set nitem \"stunnel\"\n" " set nitem \"stunnel\"\n"
" } elseif {$nitem == \"ssl_pem\"} {\n"
" set nitem \"ssl\"\n"
" } elseif {$nitem == \"wireframe_mode\"} {\n" " } elseif {$nitem == \"wireframe_mode\"} {\n"
" set nitem \"wireframe\"\n" " set nitem \"wireframe\"\n"
" } elseif {$nitem == \"solid_color\"} {\n" " } elseif {$nitem == \"solid_color\"} {\n"
......
...@@ -279,7 +279,7 @@ void try_to_be_nobody(void) { ...@@ -279,7 +279,7 @@ void try_to_be_nobody(void) {
} }
static int slave_fd = -1, alarm_fired = 0;; static int slave_fd = -1, alarm_fired = 0;
static void close_alarm (int sig) { static void close_alarm (int sig) {
if (slave_fd >= 0) { if (slave_fd >= 0) {
......
...@@ -140,6 +140,7 @@ ...@@ -140,6 +140,7 @@
#include "unixpw.h" #include "unixpw.h"
#include "inet.h" #include "inet.h"
#include "sslcmds.h" #include "sslcmds.h"
#include "sslhelper.h"
#include "selection.h" #include "selection.h"
/* /*
...@@ -471,6 +472,7 @@ if (debug_scroll) fprintf(stderr, "watch_loop: LOOP-BACK: %d\n", ret); ...@@ -471,6 +472,7 @@ if (debug_scroll) fprintf(stderr, "watch_loop: LOOP-BACK: %d\n", ret);
check_connect_inputs(); check_connect_inputs();
check_gui_inputs(); check_gui_inputs();
check_stunnel(); check_stunnel();
check_openssl();
record_last_fb_update(); record_last_fb_update();
check_padded_fb(); check_padded_fb();
check_fixscreen(); check_fixscreen();
...@@ -1353,7 +1355,8 @@ static void store_homedir_passwd(void) { ...@@ -1353,7 +1355,8 @@ static void store_homedir_passwd(void) {
#define SHOW_NO_PASSWORD_WARNING \ #define SHOW_NO_PASSWORD_WARNING \
(!got_passwd && !got_rfbauth && (!got_passwdfile || !passwd_list) \ (!got_passwd && !got_rfbauth && (!got_passwdfile || !passwd_list) \
&& !query_cmd && !remote_cmd && !unixpw && !got_gui_pw) && !query_cmd && !remote_cmd && !unixpw && !got_gui_pw \
&& ! ssl_verify)
int main(int argc, char* argv[]) { int main(int argc, char* argv[]) {
...@@ -1367,12 +1370,10 @@ int main(int argc, char* argv[]) { ...@@ -1367,12 +1370,10 @@ int main(int argc, char* argv[]) {
int got_gui_pw = 0; int got_gui_pw = 0;
int pw_loc = -1, got_passwd = 0, got_rfbauth = 0, nopw = NOPW; int pw_loc = -1, got_passwd = 0, got_rfbauth = 0, nopw = NOPW;
int got_viewpasswd = 0, got_localhost = 0, got_passwdfile = 0; int got_viewpasswd = 0, got_localhost = 0, got_passwdfile = 0;
int got_stunnel = 0;
int vpw_loc = -1; int vpw_loc = -1;
int dt = 0, bg = 0; int dt = 0, bg = 0;
int got_rfbwait = 0; int got_rfbwait = 0;
int got_httpdir = 0, try_http = 0; int got_httpdir = 0, try_http = 0;
int usepw = 0;
/* used to pass args we do not know about to rfbGetScreen(): */ /* used to pass args we do not know about to rfbGetScreen(): */
int argc_vnc = 1; char *argv_vnc[128]; int argc_vnc = 1; char *argv_vnc[128];
...@@ -1583,12 +1584,23 @@ int main(int argc, char* argv[]) { ...@@ -1583,12 +1584,23 @@ int main(int argc, char* argv[]) {
} }
if (strstr(arg, "_unsafe")) { if (strstr(arg, "_unsafe")) {
/* hidden option for testing. */ /* hidden option for testing. */
set_env("UNIXPW_DISABLE_STUNNEL", "1"); set_env("UNIXPW_DISABLE_SSL", "1");
set_env("UNIXPW_DISABLE_LOCALHOST", "1"); set_env("UNIXPW_DISABLE_LOCALHOST", "1");
} }
} else if (!strcmp(arg, "-ssl")) {
use_openssl = 1;
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
openssl_pem = strdup(s);
i++;
}
}
} else if (!strcmp(arg, "-sslverify")) {
CHECK_ARGC
ssl_verify = strdup(argv[++i]);
} else if (!strcmp(arg, "-stunnel")) { } else if (!strcmp(arg, "-stunnel")) {
use_stunnel = 1; use_stunnel = 1;
got_stunnel = 1;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
...@@ -1598,7 +1610,6 @@ int main(int argc, char* argv[]) { ...@@ -1598,7 +1610,6 @@ int main(int argc, char* argv[]) {
} }
} else if (!strcmp(arg, "-stunnel3")) { } else if (!strcmp(arg, "-stunnel3")) {
use_stunnel = 3; use_stunnel = 3;
got_stunnel = 1;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
...@@ -2301,6 +2312,16 @@ int main(int argc, char* argv[]) { ...@@ -2301,6 +2312,16 @@ int main(int argc, char* argv[]) {
exit(1); exit(1);
} }
if (ssl_verify) {
struct stat sbuf;
if (stat(ssl_verify, &sbuf) != 0) {
rfbLog("x11vnc: -sslverify %s does not exist\n",
ssl_verify);
rfbLogPerror("stat");
exit(1);
}
}
/* /*
* If -passwd was used, clear it out of argv. This does not * If -passwd was used, clear it out of argv. This does not
* work on all UNIX, have to use execvp() in general... * work on all UNIX, have to use execvp() in general...
...@@ -2382,39 +2403,39 @@ int main(int argc, char* argv[]) { ...@@ -2382,39 +2403,39 @@ int main(int argc, char* argv[]) {
launch_gui = 0; launch_gui = 0;
} }
if (! inetd) { if (! inetd && unixpw) {
if (unixpw) { if (! use_stunnel && ! use_openssl) {
if (! got_localhost && ! getenv("UNIXPW_DISABLE_LOCALHOST")) { if (have_ssh_env()) {
if (! quiet) {
rfbLog("Setting -localhost in -unixpw mode.\n");
}
allow_list = strdup("127.0.0.1");
got_localhost = 1;
}
if (! got_stunnel) {
if (! getenv("UNIXPW_DISABLE_STUNNEL") &&
! have_ssh_env()) {
if (! quiet) {
rfbLog("Setting -stunnel in -unixpw "
"mode.\n");
}
use_stunnel = 1;
} else if (! getenv("UNIXPW_DISABLE_STUNNEL")) {
char *s = getenv("SSH_CONNECTION"); char *s = getenv("SSH_CONNECTION");
if (! s) s = getenv("SSH_CLIENT"); if (! s) s = getenv("SSH_CLIENT");
if (! s) s = "SSH_CONNECTION"; if (! s) s = "SSH_CONNECTION";
fprintf(stderr, "\n"); fprintf(stderr, "\n");
rfbLog("Skipping -stunnel contraint in -unixpw mode,\n"); rfbLog("Skipping -ssl/-stunnel contraint in"
rfbLog("assuming your SSH encryption is: %s\n", s); " -unixpw\n");
rfbLog("mode, assuming your SSH encryption"
" is: %s\n", s);
fprintf(stderr, "\n"); fprintf(stderr, "\n");
if (! nopw) { if (! nopw) {
usleep(2000*1000); usleep(2000*1000);
} }
} else if (getenv("UNIXPW_DISABLE_SSL")) {
rfbLog("Skipping -ssl/-stunnel requirement"
" due to\n");
rfbLog("UNIXPW_DISABLE_SSL setting.\n");
} else {
if (openssl_present()) {
rfbLog("set -ssl in -unixpw mode.\n");
use_openssl = 1;
} else {
rfbLog("set -stunnel in -unixpw mode.\n");
use_stunnel = 1;
} }
} }
} else if (use_stunnel) { }
}
if (! got_localhost && ! getenv("STUNNEL_DISABLE_LOCALHOST")) { if (use_stunnel && ! got_localhost) {
if (! getenv("STUNNEL_DISABLE_LOCALHOST") &&
! getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (! quiet) { if (! quiet) {
rfbLog("Setting -localhost in -stunnel mode.\n"); rfbLog("Setting -localhost in -stunnel mode.\n");
} }
...@@ -2422,6 +2443,9 @@ int main(int argc, char* argv[]) { ...@@ -2422,6 +2443,9 @@ int main(int argc, char* argv[]) {
got_localhost = 1; got_localhost = 1;
} }
} }
if (ssl_verify && ! use_stunnel && ! use_openssl) {
rfbLog("-sslverify must be used with -ssl or -stunnel\n");
exit(1);
} }
/* fixup settings that do not make sense */ /* fixup settings that do not make sense */
...@@ -3041,7 +3065,7 @@ int main(int argc, char* argv[]) { ...@@ -3041,7 +3065,7 @@ int main(int argc, char* argv[]) {
initialize_allowed_input(); initialize_allowed_input();
if (! inetd) { if (! inetd && ! use_openssl) {
if (! screen->port || screen->listenSock < 0) { if (! screen->port || screen->listenSock < 0) {
rfbLogEnable(1); rfbLogEnable(1);
rfbLog("Error: could not obtain listening port.\n"); rfbLog("Error: could not obtain listening port.\n");
......
...@@ -56,6 +56,7 @@ ...@@ -56,6 +56,7 @@
* -DHARDWIRE_PASSWD=... hardwired passwords, quoting necessary. * -DHARDWIRE_PASSWD=... hardwired passwords, quoting necessary.
* -DHARDWIRE_VIEWPASSWD=... * -DHARDWIRE_VIEWPASSWD=...
* -DNOPW=1 make -nopw the default (skip warning) * -DNOPW=1 make -nopw the default (skip warning)
* -DUSEPW=1 make -usepw the default
* -DPASSWD_REQUIRED=1 exit unless a password is supplied. * -DPASSWD_REQUIRED=1 exit unless a password is supplied.
* -DPASSWD_UNLESS_NOPW=1 exit unless a password is supplied and no -nopw. * -DPASSWD_UNLESS_NOPW=1 exit unless a password is supplied and no -nopw.
* *
...@@ -73,6 +74,9 @@ ...@@ -73,6 +74,9 @@
* -DSMALL_FOOTPRINT=1 for smaller binary size (no help, no gui, etc) * -DSMALL_FOOTPRINT=1 for smaller binary size (no help, no gui, etc)
* use 2 or 3 for even smaller footprint. * use 2 or 3 for even smaller footprint.
* -DNOGUI do not include the gui tkx11vnc. * -DNOGUI do not include the gui tkx11vnc.
* -DSKIP_HELP=1 smaller.
* -DSKIP_XKB=1 a little smaller.
* -DSKIP_8to24=1 a little smaller.
* -DPOLL_8TO24_DELAY=N * -DPOLL_8TO24_DELAY=N
* -DDEBUG_XEVENTS=1 enable printout for X events. * -DDEBUG_XEVENTS=1 enable printout for X events.
* *
...@@ -93,6 +97,10 @@ ...@@ -93,6 +97,10 @@
#define NOPW 0 #define NOPW 0
#endif #endif
#ifndef USEPW
#define USEPW 0
#endif
#ifndef PASSWD_REQUIRED #ifndef PASSWD_REQUIRED
#define PASSWD_REQUIRED 0 #define PASSWD_REQUIRED 0
#endif #endif
...@@ -116,13 +124,23 @@ ...@@ -116,13 +124,23 @@
#define SMALL_FOOTPRINT 0 #define SMALL_FOOTPRINT 0
#endif #endif
#ifndef SKIP_XKB
#define SKIP_XKB 0
#endif
#ifndef SKIP_8TO24
#define SKIP_8TO24 0
#endif
#ifndef SKIP_HELP
#define SKIP_HELP 0
#endif
#if SMALL_FOOTPRINT #if SMALL_FOOTPRINT
#undef NOGUI
#define NOGUI #define NOGUI
#undef SKIP_HELP
#define SKIP_HELP 0
#endif #endif
#define SKIP_XKB 0
#define SKIP_8TO24 0
#if (SMALL_FOOTPRINT > 1) #if (SMALL_FOOTPRINT > 1)
#undef SKIP_XKB #undef SKIP_XKB
#undef SKIP_8TO24 #undef SKIP_8TO24
...@@ -447,6 +465,8 @@ typedef struct _ClientData { ...@@ -447,6 +465,8 @@ typedef struct _ClientData {
int login_viewonly; int login_viewonly;
time_t login_time; time_t login_time;
pid_t ssh_helper_pid;
int had_cursor_shape_updates; int had_cursor_shape_updates;
int had_cursor_pos_updates; int had_cursor_pos_updates;
......
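Review bot: In the `#if SMALL_FOOTPRINT` block the new `#undef SKIP_HELP` is followed by `#define SKIP_HELP 0`, which contradicts the header comment a few lines above that describes SMALL_FOOTPRINT as "smaller binary size (no help, no gui, etc)" and also silently discards a user-supplied `-DSKIP_HELP=1`. If the intent is to drop the help text in the small build, the line should read `#define SKIP_HELP 1`; if help is meant to stay in, the `#undef`/`#define` pair is redundant with the `#ifndef SKIP_HELP` default added just above and can simply be removed. The `#if (SMALL_FOOTPRINT > 1)` block that follows continues outside the hunk, so I cannot see whether SKIP_HELP is redefined there.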
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.1 lastmod: 2006-03-08"; char lastmod[] = "0.8.1 lastmod: 2006-03-11";
/* X display info */ /* X display info */
......
...@@ -818,7 +818,7 @@ void check_xevents(void) { ...@@ -818,7 +818,7 @@ void check_xevents(void) {
/* check for our PRIMARY request notification: */ /* check for our PRIMARY request notification: */
if (watch_primary || watch_clipboard) { if (watch_primary || watch_clipboard) {
int doprimary = 1, doclipboard = 2, which, own; int doprimary = 1, doclipboard = 2, which, own = 0;
double delay = 1.0; double delay = 1.0;
Atom atom; Atom atom;
char *req; char *req;
......