-rw-r--r--x11vnc/ChangeLog3
-rw-r--r--x11vnc/README38
-rw-r--r--x11vnc/connections.c24
-rw-r--r--x11vnc/help.c32
-rw-r--r--x11vnc/sslhelper.c41
-rw-r--r--x11vnc/x11vnc.132
-rw-r--r--x11vnc/x11vnc_defs.c2
7 files changed, 124 insertions, 48 deletions
diff --git a/x11vnc/ChangeLog b/x11vnc/ChangeLog
index ca77aea..9dfcbc3 100644
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
@@ -1,3 +1,6 @@
+2008-09-17 Karl Runge <runge@karlrunge.com>
+ * x11vnc: make -allow work in -ssl mode.
+
2008-09-14 Karl Runge <runge@karlrunge.com>
* x11vnc: -sleepin m-n for random sleep. More mktemp and mkstemp
protections. SSL_INIT_TIMEOUT=n env. var. Fix macosx console
diff --git a/x11vnc/README b/x11vnc/README
index dbbf5d0..83ef17b 100644
--- a/x11vnc/README
+++ b/x11vnc/README
@@ -1,5 +1,5 @@
-x11vnc README file Date: Sun Sep 14 15:20:38 EDT 2008
+x11vnc README file Date: Tue Sep 16 10:02:40 EDT 2008
The following information is taken from these URLs:
@@ -11808,7 +11808,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions)
-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
x11vnc options:
-display disp -auth file -N
@@ -11928,7 +11928,7 @@ libvncserver-tight-extension options:
% x11vnc -help
-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16
(type "x11vnc -opts" to just list the options.)
@@ -12475,10 +12475,13 @@ e
Can also be a numerical IP prefix, e.g. "192.168.100."
to match a simple subnet, for more control build
libvncserver with libwrap support (See the FAQ). If the
- list contains a "/" it instead is a interpreted as a
- file containing addresses or prefixes that is re-read
- each time a new client connects. Lines can be commented
- out with the "#" character in the usual way.
+ list contains a "/" it instead is a interpreted
+ as a file containing addresses or prefixes that is
+ re-read each time a new client connects. Lines can be
+ commented out with the "#" character in the usual way.
+
+ -allow applies in -ssl mode, but not in -stunnel mode.
+
-localhost Basically the same as "-allow 127.0.0.1".
Note: if you want to restrict which network interface
@@ -13601,7 +13604,7 @@ e
For Windows, stunnel has been ported to it and there
are probably other such tools available. See the FAQ
- for more examples.
+ and SSVNC for more examples.
-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of
version 4.x
@@ -15769,7 +15772,9 @@ n
proxy:host:port set reverse connection proxy (empty to
disable).
allowonce:host For the next connection only, allow
- connection from "host".
+ connection from "host". In -ssl mode
+ two connections are allowed (i.e. Fetch
+ Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
allow:hostlist set -allow list to (comma separated)
"hostlist". See -allow and -localhost.
Do not use with -allow /path/to/file
@@ -16100,14 +16105,14 @@ n
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr
- fixscreen noxrecord xrecord reset_record pointer_mode
- pm input_skip allinput noallinput input grabkbd
- nograbkbd grabptr nograbptr grabalways nograbalways
+ fixscreen noxrecord xrecord reset_record pointer_mode pm
+ input_skip allinput noallinput input grabkbd nograbkbd
+ grabptr nograbptr grabalways nograbalways grablocal
client_input ssltimeout speeds wmdt debug_pointer dp
nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
- nodk deferupdate defer wait_ui wait_bog nowait_bog
- slow_fb xrefresh wait readtimeout nap nonap sb
- screen_blank fbpm nofbpm dpms nodpms clientdpms
+ nodk keycode deferupdate defer wait_ui wait_bog
+ nowait_bog slow_fb xrefresh wait readtimeout nap nonap
+ sb screen_blank fbpm nofbpm dpms nodpms clientdpms
noclientdpms forcedpms noforcedpms noserverdpms
serverdpms noultraext ultraext fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
@@ -16123,7 +16128,7 @@ n
nodbg macnosaver macsaver nomacnosaver macnowait macwait
nomacnowait macwheel macnoswap macswap nomacnoswap
macnoresize macresize nomacnoresize maciconanim macmenu
- macnomenu nomacmenu noremote
+ macnomenu nomacmenu macuskbd nomacuskbd noremote
aro= noop display vncdisplay desktopname guess_desktop
http_url auth xauth users rootshift clipshift
@@ -16141,7 +16146,6 @@ n
dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y
coff_x coff_y rfbauth passwd viewpasswd
-
-QD variable Just like -query variable, but returns the default
value for that parameter (no running x11vnc server
is consulted)
diff --git a/x11vnc/connections.c b/x11vnc/connections.c
index aa656df..1f06f3a 100644
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -55,10 +55,10 @@ void check_new_clients(void);
int accept_client(rfbClientPtr client);
int run_user_command(char *cmd, rfbClientPtr client, char *mode, char *input,
int len, FILE *output);
+int check_access(char *addr);
static rfbClientPtr *client_match(char *str);
static void free_client_data(rfbClientPtr client);
-static int check_access(char *addr);
static void ugly_geom(char *p, int *x, int *y);
static int ugly_window(char *addr, char *userhost, int X, int Y,
int timeout, char *mode, int accept);
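Review bot: check_access loses its `static` here and is called from sslhelper.c in a later hunk of this commit, but no header is touched (the diffstat lists no .h file), so unless connections.h already carries a prototype the call in sslhelper.c compiles as an implicit declaration. The declaration belongs in the shared header, e.g. `extern int check_access(char *addr);` in connections.h, rather than only at the top of connections.c. I cannot see connections.h from the diff, so please confirm.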
@@ -800,10 +800,14 @@ void client_gone(rfbClientPtr client) {
* Simple routine to limit access via string compare. A power user will
* want to compile libvncserver with libwrap support and use /etc/hosts.allow.
*/
-static int check_access(char *addr) {
+int check_access(char *addr) {
int allowed = 0;
+ int ssl = 0;
char *p, *list;
+ if (use_openssl || use_stunnel) {
+ ssl = 1;
+ }
if (deny_all) {
rfbLog("check_access: new connections are currently "
"blocked.\n");
@@ -842,6 +846,10 @@ static int check_access(char *addr) {
len2 = strlen(allow_once) + 2;
len += len2;
}
+ if (ssl) {
+ len2 = strlen("127.0.0.1") + 2;
+ len += len2;
+ }
list = (char *) malloc(len);
list[0] = '\0';
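Review bot: The literal `"127.0.0.1"` is spelled out four times across this hunk and the two that follow, once for each length computation and once for each strcat, so the size arithmetic and the appended text can silently drift apart. A single file-scope `static const char ssl_loopback[] = "127.0.0.1";` used in all four places keeps `strlen(ssl_loopback)` and the appended bytes tied to one definition. As written the sums do match (`+ 2` for the newline-delimited form, `+ 1` for the comma form), so this is a maintainability point, not a current bug. check_access continues outside the hunk.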
@@ -869,11 +877,19 @@ static int check_access(char *addr) {
strcat(list, allow_once);
strcat(list, "\n");
}
+ if (ssl) {
+ strcat(list, "\n");
+ strcat(list, "127.0.0.1");
+ strcat(list, "\n");
+ }
} else {
int len = strlen(allow_list) + 1;
if (allow_once) {
len += strlen(allow_once) + 1;
}
+ if (ssl) {
+ len += strlen("127.0.0.1") + 1;
+ }
list = (char *) malloc(len);
list[0] = '\0';
strcat(list, allow_list);
@@ -881,6 +897,10 @@ static int check_access(char *addr) {
strcat(list, ",");
strcat(list, allow_once);
}
+ if (ssl) {
+ strcat(list, ",");
+ strcat(list, "127.0.0.1");
+ }
}
if (allow_once) {
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 0e185c4..06ce6a3 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -566,10 +566,13 @@ void print_help(int mode) {
" Can also be a numerical IP prefix, e.g. \"192.168.100.\"\n"
" to match a simple subnet, for more control build\n"
" libvncserver with libwrap support (See the FAQ). If the\n"
-" list contains a \"/\" it instead is a interpreted as a\n"
-" file containing addresses or prefixes that is re-read\n"
-" each time a new client connects. Lines can be commented\n"
-" out with the \"#\" character in the usual way.\n"
+" list contains a \"/\" it instead is a interpreted\n"
+" as a file containing addresses or prefixes that is\n"
+" re-read each time a new client connects. Lines can be\n"
+" commented out with the \"#\" character in the usual way.\n"
+"\n"
+" -allow applies in -ssl mode, but not in -stunnel mode.\n"
+"\n"
"-localhost Basically the same as \"-allow 127.0.0.1\".\n"
"\n"
" Note: if you want to restrict which network interface\n"
@@ -1707,7 +1710,7 @@ void print_help(int mode) {
"\n"
" For Windows, stunnel has been ported to it and there\n"
" are probably other such tools available. See the FAQ\n"
-" for more examples.\n"
+" and SSVNC for more examples.\n"
"\n"
"-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n"
" version 4.x\n"
@@ -3879,7 +3882,9 @@ void print_help(int mode) {
" disable).\n"
/* access */
" allowonce:host For the next connection only, allow\n"
-" connection from \"host\".\n"
+" connection from \"host\". In -ssl mode\n"
+" two connections are allowed (i.e. Fetch\n"
+" Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1\n"
/* access */
" allow:hostlist set -allow list to (comma separated)\n"
" \"hostlist\". See -allow and -localhost.\n"
@@ -4212,14 +4217,14 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
" scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
-" fixscreen noxrecord xrecord reset_record pointer_mode\n"
-" pm input_skip allinput noallinput input grabkbd\n"
-" nograbkbd grabptr nograbptr grabalways nograbalways\n"
+" fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
+" input_skip allinput noallinput input grabkbd nograbkbd\n"
+" grabptr nograbptr grabalways nograbalways grablocal\n"
" client_input ssltimeout speeds wmdt debug_pointer dp\n"
" nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
-" nodk deferupdate defer wait_ui wait_bog nowait_bog\n"
-" slow_fb xrefresh wait readtimeout nap nonap sb\n"
-" screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
+" nodk keycode deferupdate defer wait_ui wait_bog\n"
+" nowait_bog slow_fb xrefresh wait readtimeout nap nonap\n"
+" sb screen_blank fbpm nofbpm dpms nodpms clientdpms\n"
" noclientdpms forcedpms noforcedpms noserverdpms\n"
" serverdpms noultraext ultraext fs gaps grow fuzz snapfb\n"
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"
@@ -4235,7 +4240,7 @@ void print_help(int mode) {
" nodbg macnosaver macsaver nomacnosaver macnowait macwait\n"
" nomacnowait macwheel macnoswap macswap nomacnoswap\n"
" macnoresize macresize nomacnoresize maciconanim macmenu\n"
-" macnomenu nomacmenu noremote\n"
+" macnomenu nomacmenu macuskbd nomacuskbd noremote\n"
"\n"
" aro= noop display vncdisplay desktopname guess_desktop\n"
" http_url auth xauth users rootshift clipshift\n"
@@ -4253,7 +4258,6 @@ void print_help(int mode) {
" dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n"
" coff_x coff_y rfbauth passwd viewpasswd\n"
"\n"
-"\n"
"-QD variable Just like -query variable, but returns the default\n"
" value for that parameter (no running x11vnc server\n"
" is consulted)\n"
diff --git a/x11vnc/sslhelper.c b/x11vnc/sslhelper.c
index 2b07535..d7fb06b 100644
--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -1227,6 +1227,9 @@ static void csock_timeout (int sig) {
}
}
+#define PROXY_HACK 0
+#if PROXY_HACK
+
static int wait_conn(int sock) {
int conn;
struct sockaddr_in addr;
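Review bot: `#define PROXY_HACK 0` followed by `#if PROXY_HACK` turns wait_conn and proxy_hack (the `/* no longer used */` comment in the next hunk, `#endif` in the one after) into dead code that still has to be maintained and will rot against the rest of the file. If the proxy hack is really retired, deleting the two functions is cleaner than fencing them off; if it is kept for reference, the define deserves a one-line comment saying what it was for and why it is off, e.g. `/* PROXY_HACK: superseded; kept only for reference */`. wait_conn continues outside the hunk.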
@@ -1247,6 +1250,8 @@ static int wait_conn(int sock) {
return conn;
}
+/* no longer used */
+
int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
int mode) {
int sock1, db = 0;
@@ -1321,6 +1326,31 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
return 1;
}
+#endif /* PROXY_HACK */
+
+static int check_ssl_access(char *addr) {
+ static char *save_allow_once = NULL;
+ static time_t time_allow_once = 0;
+
+ /* due to "Fetch Cert" activities for SSL really need to "allow twice" */
+ if (allow_once != NULL) {
+ save_allow_once = strdup(allow_once);
+ time_allow_once = time(NULL);
+ } else if (save_allow_once != NULL) {
+ if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
+ ;
+ } else if (time(NULL) < time_allow_once + 30) {
+ /* give them 30 secs to check and save the fetched cert. */
+ allow_once = save_allow_once;
+ rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n");
+ rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n");
+ }
+ save_allow_once = NULL;
+ time_allow_once = 0;
+ }
+
+ return check_access(addr);
+}
void accept_openssl(int mode, int presock) {
int sock = -1, listen = -1, cport, csock, vsock;
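Review bot: check_ssl_access leaks the strdup'd `save_allow_once` on every path that does not hand it back to `allow_once`: when a fresh allowonce arrives while a saved copy is still pending, the old copy is overwritten without a free, and when the grace period has expired or X11VNC_NO_SSL_ALLOW_TWICE is set the pointer is simply set to NULL. Only the grace-period branch transfers the string to `allow_once`, where, judging from the `if (allow_once) {` context at the end of the connections.c hunks, check_access presumably releases it — please confirm. The rewrite below frees the copy on the other paths; strdup's result stays unchecked, which on failure just means no second connection is permitted.
```c
static int check_ssl_access(char *addr) {
	static char *save_allow_once = NULL;
	static time_t time_allow_once = 0;

	/* due to "Fetch Cert" activities for SSL really need to "allow twice" */
	if (allow_once != NULL) {
		free(save_allow_once);	/* a stale copy from an earlier call would otherwise leak */
		save_allow_once = strdup(allow_once);
		time_allow_once = time(NULL);
	} else if (save_allow_once != NULL) {
		if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
			free(save_allow_once);
		} else if (time(NULL) < time_allow_once + 30) {
			/* give them 30 secs to check and save the fetched cert. */
			allow_once = save_allow_once;	/* ownership moves to allow_once */
			rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n");
			rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n");
		} else {
			free(save_allow_once);	/* grace period expired */
		}
		save_allow_once = NULL;
		time_allow_once = 0;
	}

	return check_access(addr);
}
```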
@@ -1407,6 +1437,17 @@ void accept_openssl(int mode, int presock) {
openssl_last_ip = get_remote_host(sock);
}
+ if (!check_ssl_access(openssl_last_ip)) {
+ rfbLog("SSL: accept_openssl: denying client %s\n", openssl_last_ip);
+ rfbLog("SSL: accept_openssl: does not match -allow (or other reason).\n");
+ close(sock);
+ sock = -1;
+ if (ssl_no_fail) {
+ clean_up_exit(1);
+ }
+ return;
+ }
+
/* now make a listening socket for child to connect back to us by: */
cport = find_free_port(20000, 0);
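Review bot: check_ssl_access is given `openssl_last_ip` straight from `get_remote_host(sock)` on the line above the added block; if that helper can return NULL when the peer address cannot be read, the string compares inside check_access would dereference it. I cannot see get_remote_host here, so this needs confirming; a guard of the form `if (openssl_last_ip == NULL || !check_ssl_access(openssl_last_ip)) {` fails closed either way. The denial is placed before the listening socket is created and before the helper child is forked, which is the right spot; a comment such as `/* reject non-allowed peers before spending a fork or a handshake on them */` would make that ordering deliberate. accept_openssl continues outside the hunk.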
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1
index c3ba2bb..5317c1a 100644
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
.TH X11VNC "1" "September 2008" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
- version: 0.9.4, lastmod: 2008-09-14
+ version: 0.9.4, lastmod: 2008-09-16
.SH SYNOPSIS
.B x11vnc
[OPTION]...
@@ -657,10 +657,12 @@ the comma separated list of hostnames or IP addresses.
Can also be a numerical IP prefix, e.g. "192.168.100."
to match a simple subnet, for more control build
libvncserver with libwrap support (See the FAQ). If the
-list contains a "/" it instead is a interpreted as a
-file containing addresses or prefixes that is re-read
-each time a new client connects. Lines can be commented
-out with the "#" character in the usual way.
+list contains a "/" it instead is a interpreted
+as a file containing addresses or prefixes that is
+re-read each time a new client connects. Lines can be
+commented out with the "#" character in the usual way.
+.IP
+\fB-allow\fR applies in \fB-ssl\fR mode, but not in \fB-stunnel\fR mode.
.PP
\fB-localhost\fR
.IP
@@ -1923,7 +1925,7 @@ on Unix using stunnel 3.x is:
.IP
For Windows, stunnel has been ported to it and there
are probably other such tools available. See the FAQ
-for more examples.
+and SSVNC for more examples.
.PP
\fB-stunnel3\fR \fI[pem]\fR
.IP
@@ -4553,7 +4555,9 @@ proxy:host:port set reverse connection proxy (empty to
disable).
.IP
allowonce:host For the next connection only, allow
-connection from "host".
+connection from "host". In \fB-ssl\fR mode
+two connections are allowed (i.e. Fetch
+Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1
.IP
allow:hostlist set \fB-allow\fR list to (comma separated)
"hostlist". See \fB-allow\fR and \fB-localhost.\fR
@@ -5129,14 +5133,14 @@ nowireframe nowf wireframelocal wfl nowireframelocal
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr
-fixscreen noxrecord xrecord reset_record pointer_mode
-pm input_skip allinput noallinput input grabkbd
-nograbkbd grabptr nograbptr grabalways nograbalways
+fixscreen noxrecord xrecord reset_record pointer_mode pm
+input_skip allinput noallinput input grabkbd nograbkbd
+grabptr nograbptr grabalways nograbalways grablocal
client_input ssltimeout speeds wmdt debug_pointer dp
nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
-nodk deferupdate defer wait_ui wait_bog nowait_bog
-slow_fb xrefresh wait readtimeout nap nonap sb
-screen_blank fbpm nofbpm dpms nodpms clientdpms
+nodk keycode deferupdate defer wait_ui wait_bog
+nowait_bog slow_fb xrefresh wait readtimeout nap nonap
+sb screen_blank fbpm nofbpm dpms nodpms clientdpms
noclientdpms forcedpms noforcedpms noserverdpms
serverdpms noultraext ultraext fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset
@@ -5152,7 +5156,7 @@ debug_grabs nodebug_grabs debug_sel nodebug_sel dbg
nodbg macnosaver macsaver nomacnosaver macnowait macwait
nomacnowait macwheel macnoswap macswap nomacnoswap
macnoresize macresize nomacnoresize maciconanim macmenu
-macnomenu nomacmenu noremote
+macnomenu nomacmenu macuskbd nomacuskbd noremote
.IP
aro= noop display vncdisplay desktopname guess_desktop
http_url auth xauth users rootshift clipshift
diff --git a/x11vnc/x11vnc_defs.c b/x11vnc/x11vnc_defs.c
index 4674c2e..d7448d4 100644
--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.4 lastmod: 2008-09-14";
+char lastmod[] = "0.9.4 lastmod: 2008-09-16";
/* X display info */