x11vnc: reverse SSL connections. -sleepin option.

17 years ago · 61c56222b3
parent f1bfe53f4f
commit 61c56222b3
13 changed files with 1596 additions and 1470 deletions
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
@ -1,3 +1,6 @@
+2007-03-24  Karl Runge <runge@karlrunge.com>
+	* x11vnc: reverse SSL connections.  -sleepin option.
+
 2007-03-20  Karl Runge <runge@karlrunge.com>
 	* x11vnc: Add -httpsredir option for router port redirs.
 	  set Xcursor bg/fg color values to zero.  Env var to
--- a/x11vnc/README
+++ b/x11vnc/README
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@ -1593,6 +1593,9 @@ static void check_connect_file(char *file) {
 /*
 * Do a reverse connect for a single "host" or "host:port"
 */
+
+extern int ssl_client_mode;
+
 static int do_reverse_connect(char *str) {
 	rfbClientPtr cl;
 	char *host, *p;
@ -1609,10 +1612,6 @@ static int do_reverse_connect(char *str) {
 		rfbLog("reverse_connect: screen not setup yet.\n");
 		return 0;
 	}
-	if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
-		rfbLog("reverse connections disabled in -ssl mode.\n");
-		return 0;
-	}
 	if (unixpw_in_progress) return 0;

 	/* copy in to host */
@ -1627,9 +1626,55 @@ static int do_reverse_connect(char *str) {
 	/* extract port, if any */
 	if ((p = strchr(host, ':')) != NULL) {
 		rport = atoi(p+1);
+		if (rport < 0) {
+			rport = -rport;
+		} else if (rport < 20) {
+			rport = 5500 + rport;
+		}
 		*p = '\0';
 	}

+#if 0
+	if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
+		rfbLog("reverse connections disabled in -ssl mode.\n");
+		return 0;
+	}
+#endif
+
+	if (use_openssl) {
+		int vncsock = rfbConnectToTcpAddr(host, rport);
+		if (vncsock < 0) {
+			rfbLog("reverse_connect: failed to connect to: %s\n", str);
+			return 0;
+		}
+#define OPENSSL_REVERSE 4
+		openssl_init(1);
+		accept_openssl(OPENSSL_REVERSE, vncsock);
+		openssl_init(0);
+		return 1;
+	}
+
+	if (unixpw) {
+		int is_localhost = 0, user_disabled = 0;
+
+		if(!strcmp(host, "localhost") || !strcmp(host, "127.0.0.1")) {
+			is_localhost = 1;
+		}
+		if (getenv("UNIXPW_DISABLE_LOCALHOST")) {
+			user_disabled = 1;
+		}
+
+		if (! is_localhost) {
+			if (user_disabled ) {
+				rfbLog("reverse_connect: warning disabling localhost constraint in -unixpw\n");
+			} else {
+				rfbLog("reverse_connect: error not localhost in -unixpw\n");
+				return 0;
+			}
+		}
+	}
+
+#if 0
 	if (inetd && unixpw) {
 		if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
 			if (! getenv("UNIXPW_DISABLE_LOCALHOST")) {
@ -1644,6 +1689,7 @@ static int do_reverse_connect(char *str) {
 			return 0;
 		}
 	}
+#endif

 	cl = rfbReverseConnection(screen, host, rport);
 	free(host);
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@ -342,6 +342,9 @@ void print_help(int mode) {
 "\n"
 "-timeout n             Exit unless a client connects within the first n seconds\n"
 "                       after startup.\n"
+"-sleepin n             At startup sleep n seconds before proceeding (e.g. to\n"
+"                       allow redirs and listening clients to start up)\n"
+"\n"
 "-inetd                 Launched by inetd(8): stdio instead of listening socket.\n"
 "                       Note: if you are not redirecting stderr to a log file\n"
 "                       (via shell 2> or -o option) you MUST also specify the -q\n"
@ -643,7 +646,7 @@ void print_help(int mode) {
 "                       the same as requiring a Unix user login (since a Unix\n"
 "                       password or the user's public key authentication is\n"
 "                       used by sshd on the machine where x11vnc runs and only\n"
-"                       local connections from that machine are accepted)\n"
+"                       local connections from that machine are accepted).\n"
 "\n"
 "                       Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
 "                       requirement in Method 2).  One should never do this\n"
@ -656,8 +659,11 @@ void print_help(int mode) {
 "                       to connect to the same machine x11vnc is running on\n"
 "                       (default port 5500).  Please use a ssh or stunnel port\n"
 "                       redirection to the viewer machine to tunnel the reverse\n"
-"                       connection over an encrypted channel. Note that in -ssl\n"
-"                       mode reverse connection are disabled (see below).\n"
+"                       connection over an encrypted channel.\n"
+#if 0
+"                       Note that in -ssl\n"
+"                       mode reverse connection are disabled (see below). XXX\n"
+#endif
 "\n"
 "                       In -inetd mode the Method 1) will be enforced (not\n"
 "                       Method 2).  With -ssl in effect reverse connections\n"
@ -986,11 +992,13 @@ void print_help(int mode) {
 "\n"
 "                       Example: x11vnc -ssl SAVE -display :0 ...\n"
 "\n"
+#if 0
 "                       Reverse connections are disabled in -ssl mode because\n"
 "                       there is no way to ensure that data channel will\n"
 "                       be encrypted.  Set X11VNC_SSL_ALLOW_REVERSE=1 to\n"
 "                       override this.\n"
 "\n"
+#endif
 "                       Your VNC viewer will also need to be able to connect\n"
 "                       via SSL.  See the discussion below under -stunnel and\n"
 "                       the FAQ (ss_vncviewer script) for how this might be\n"
--- a/x11vnc/screen.c
+++ b/x11vnc/screen.c
@ -2430,7 +2430,7 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
 	/* n.b. samplesPerPixel (set = 1 here) seems to be unused. */
 	if (create_screen) {
 		if (use_openssl) {
-			openssl_init();
+			openssl_init(0);
 		} else if (use_stunnel) {
 			setup_stunnel(0, argc, argv);
 		}
--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@ -11,6 +11,7 @@
 #define OPENSSL_INETD 1
 #define OPENSSL_VNC   2
 #define OPENSSL_HTTPS 3
+#define OPENSSL_REVERSE 4

 #define DO_DH 0

@ -43,13 +44,13 @@ static void badnews(void) {
 	rfbLog("** not compiled with libssl OpenSSL support **\n");
 	clean_up_exit(1);
 }
-void openssl_init(void) {badnews();}
+void openssl_init(int isclient) {badnews();}
 void openssl_port(void) {badnews();}
 void https_port(void) {badnews();}
 void check_openssl(void) {if (use_openssl) badnews();}
 void check_https(void) {if (use_openssl) badnews();}
 void ssl_helper_pid(pid_t pid, int sock) {badnews(); sock = pid;}
-void accept_openssl(int mode) {mode = 0; badnews();}
+void accept_openssl(int mode, int presock) {mode = 0; presock = 0; badnews();}
 char *find_openssl_bin(void) {badnews(); return NULL;}
 char *get_saved_pem(char *string, int create) {badnews(); return NULL;}
 #else
@ -59,12 +60,12 @@ char *get_saved_pem(char *string, int create) {badnews(); return NULL;}
 #include <openssl/rand.h>

 int openssl_present(void);
-void openssl_init(void);
+void openssl_init(int isclient);
 void openssl_port(void);
 void check_openssl(void);
 void check_https(void);
 void ssl_helper_pid(pid_t pid, int sock);
-void accept_openssl(int mode);
+void accept_openssl(int mode, int presock);
 char *find_openssl_bin(void);
 char *get_saved_pem(char *string, int create);

@ -82,7 +83,7 @@ static int  ssl_init(int s_in, int s_out);
 static void ssl_xfer(int csock, int s_in, int s_out, int is_https);

 #ifndef FORK_OK
-void openssl_init(void) {
+void openssl_init(int isclient) {
 	rfbLog("openssl_init: fork is not supported. cannot create"
 	    " ssl helper process.\n");
 	clean_up_exit(1);
@ -678,31 +679,50 @@ static char *get_ssl_verify_file(char *str_in) {
 	return tfile;
 }

-void openssl_init(void) {
+static int ssl_client_mode = 0;
+
+void openssl_init(int isclient) {
 	int db = 0, tmp_pem = 0, do_dh;
 	FILE *in;
 	double ds;
 	long mode;
+	static int first = 1;

 	do_dh = DO_DH;

 	if (! quiet) {
 		rfbLog("\n");
-		rfbLog("Initializing SSL.\n");
+		rfbLog("Initializing SSL (%s connect mode).\n", isclient ? "client":"server");
 	}
-	if (db) fprintf(stderr, "\nSSL_load_error_strings()\n");
+	if (first) {
+		if (db) fprintf(stderr, "\nSSL_load_error_strings()\n");

-	SSL_load_error_strings();
+		SSL_load_error_strings();

-	if (db) fprintf(stderr, "SSL_library_init()\n");
+		if (db) fprintf(stderr, "SSL_library_init()\n");

-	SSL_library_init();
+		SSL_library_init();

-	if (db) fprintf(stderr, "init_prng()\n");
+		if (db) fprintf(stderr, "init_prng()\n");

-	init_prng();
+		init_prng();
+
+		first = 0;
+	}

-	ctx = SSL_CTX_new( SSLv23_server_method() );
+	if (isclient) {
+		ssl_client_mode = 1;
+	} else {
+		ssl_client_mode = 0;
+	}
+
+	if (ssl_client_mode) {
+		if (db) fprintf(stderr, "SSLv23_client_method()\n");
+		ctx = SSL_CTX_new( SSLv23_client_method() );
+	} else {
+		if (db) fprintf(stderr, "SSLv23_server_method()\n");
+		ctx = SSL_CTX_new( SSLv23_server_method() );
+	}

 	if (ctx == NULL) {
 		rfbLog("openssl_init: SSL_CTX_new failed.\n");	
@ -1288,7 +1308,7 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
 	return 1;
 }

-void accept_openssl(int mode) {
+void accept_openssl(int mode, int presock) {
 	int sock = -1, listen = -1, cport, csock, vsock;	
 	int status, n, i, db = 0;
 	struct sockaddr_in addr;
@ -1337,6 +1357,17 @@ void accept_openssl(int mode) {
 		}
 		listen = openssl_sock;

+	} else if (mode == OPENSSL_REVERSE) {
+		sock = presock;
+		if (sock < 0)  {
+			rfbLog("SSL: accept_openssl: connection failed\n");
+			if (ssl_no_fail) {
+				clean_up_exit(1);
+			}
+			return;
+		}
+		listen = -1;
+
 	} else if (mode == OPENSSL_HTTPS) {
 		sock = accept(https_sock, (struct sockaddr *)&addr, &addrlen);
 		if (sock < 0)  {
@ -1940,7 +1971,11 @@ if (db > 1) fprintf(stderr, "ssl_init: 1\n");
 	}
 if (db > 1) fprintf(stderr, "ssl_init: 2\n");

-	SSL_set_accept_state(ssl);
+	if (ssl_client_mode) {
+		SSL_set_connect_state(ssl);
+	} else {
+		SSL_set_accept_state(ssl);
+	}

 if (db > 1) fprintf(stderr, "ssl_init: 3\n");

@ -1954,7 +1989,11 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 		signal(SIGALRM, ssl_timeout);
 		alarm(timeout);

-		rc = SSL_accept(ssl);
+		if (ssl_client_mode) {
+			rc = SSL_connect(ssl);
+		} else {
+			rc = SSL_accept(ssl);
+		}
 		err = SSL_get_error(ssl, rc);

 		alarm(0);
@ -2425,7 +2464,7 @@ void check_openssl(void) {
 	}
 	
 	rfbLog("SSL: accept_openssl(OPENSSL_VNC)\n");
-	accept_openssl(OPENSSL_VNC);
+	accept_openssl(OPENSSL_VNC, -1);
 }

 void check_https(void) {
@ -2457,7 +2496,7 @@ void check_https(void) {
 		return;
 	}
 	rfbLog("SSL: accept_openssl(OPENSSL_HTTPS)\n");
-	accept_openssl(OPENSSL_HTTPS);
+	accept_openssl(OPENSSL_HTTPS, -1);
 }

 #define MSZ 4096
--- a/x11vnc/sslhelper.h
+++ b/x11vnc/sslhelper.h
@ -4,9 +4,10 @@
 /* -- sslhelper.h -- */


-#define OPENSSL_INETD 1
-#define OPENSSL_VNC   2
-#define OPENSSL_HTTPS 3
+#define OPENSSL_INETD   1
+#define OPENSSL_VNC     2
+#define OPENSSL_HTTPS   3
+#define OPENSSL_REVERSE 4

 extern int openssl_sock;
 extern int openssl_port_num;
@ -17,13 +18,13 @@ extern char *openssl_last_ip;
 extern void raw_xfer(int csock, int s_in, int s_out);

 extern int openssl_present(void);
-extern void openssl_init(void);
+extern void openssl_init(int);
 extern void openssl_port(void);
 extern void https_port(void);
 extern void check_openssl(void);
 extern void check_https(void);
 extern void ssl_helper_pid(pid_t pid, int sock);
-extern void accept_openssl(int mode);
+extern void accept_openssl(int mode, int presock);
 extern char *find_openssl_bin(void);
 extern char *get_saved_pem(char *string, int create);

--- a/x11vnc/tkx11vnc
+++ b/x11vnc/tkx11vnc
@ -131,6 +131,8 @@ Clients
 	=D http
 	httpdir:
 	httpport:
+	https:
+	httpsredir:
 	enablehttpproxy
 	=GAL LOFF

@ -322,7 +324,6 @@ Permissions
 	=F ssldir:
 	=F sslverify:
 	ssltimeout:
-	https:
 	=GAL LOFF
 	=GAL Misc-Perms::
 	safer
--- a/x11vnc/tkx11vnc.h
+++ b/x11vnc/tkx11vnc.h
@ -142,6 +142,8 @@ char gui_code[] = "";
 "	=D http\n"
 "	httpdir:\n"
 "	httpport:\n"
+"	https:\n"
+"	httpsredir:\n"
 "	enablehttpproxy\n"
 "	=GAL LOFF\n"
 "\n"
@ -333,7 +335,6 @@ char gui_code[] = "";
 "	=F ssldir:\n"
 "	=F sslverify:\n"
 "	ssltimeout:\n"
-"	https:\n"
 "	=GAL LOFF\n"
 "	=GAL Misc-Perms::\n"
 "	safer\n"
--- a/x11vnc/user.c
+++ b/x11vnc/user.c
@ -1420,7 +1420,7 @@ int wait_for_client(int *argc, char** argv, int http) {
 	}

 	if (inetd && use_openssl) {
-		accept_openssl(OPENSSL_INETD);
+		accept_openssl(OPENSSL_INETD, -1);
 	}

 	while (1) {
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@ -2,7 +2,7 @@
 .TH X11VNC "1" "March 2007" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.8.5, lastmod: 2007-03-19
+         version: 0.8.5, lastmod: 2007-03-24
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@ -397,6 +397,11 @@ mode.  This usage could use useful:  \fB-svc\fR \fB-loopbg\fR
 Exit unless a client connects within the first n seconds
 after startup.
 .PP
+\fB-sleepin\fR \fIn\fR
+.IP
+At startup sleep n seconds before proceeding (e.g. to
+allow redirs and listening clients to start up)
+.PP
 \fB-inetd\fR
 .IP
 Launched by 
@ -766,7 +771,7 @@ is roughly
 the same as requiring a Unix user login (since a Unix
 password or the user's public key authentication is
 used by sshd on the machine where x11vnc runs and only
-local connections from that machine are accepted)
+local connections from that machine are accepted).
 .IP
 Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
 requirement in Method 2).  One should never do this
@ -779,8 +784,7 @@ in effect then reverse connections can only be used
 to connect to the same machine x11vnc is running on
 (default port 5500).  Please use a ssh or stunnel port
 redirection to the viewer machine to tunnel the reverse
-connection over an encrypted channel. Note that in \fB-ssl\fR
-mode reverse connection are disabled (see below).
+connection over an encrypted channel.
 .IP
 In \fB-inetd\fR mode the Method 1) will be enforced (not
 Method 2).  With \fB-ssl\fR in effect reverse connections
@ -1153,11 +1157,6 @@ default ~/.vnc/certs
 .IP
 Example: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
 .IP
-Reverse connections are disabled in \fB-ssl\fR mode because
-there is no way to ensure that data channel will
-be encrypted.  Set X11VNC_SSL_ALLOW_REVERSE=1 to
-override this.
-.IP
 Your VNC viewer will also need to be able to connect
 via SSL.  See the discussion below under \fB-stunnel\fR and
 the FAQ (ss_vncviewer script) for how this might be
--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@ -1776,6 +1776,13 @@ int main(int argc, char* argv[]) {
 		} else if (!strcmp(arg, "-timeout")) {
 			CHECK_ARGC
 			first_conn_timeout = atoi(argv[++i]);
+		} else if (!strcmp(arg, "-sleepin")) {
+			int n;
+			CHECK_ARGC
+			n = atoi(argv[++i]);
+			if (n > 0) {
+				usleep(1000*1000*n);
+			}
 		} else if (!strcmp(arg, "-users")) {
 			CHECK_ARGC
 			users_list = strdup(argv[++i]);
@ -3825,7 +3832,7 @@ int main(int argc, char* argv[]) {

 	if (inetd && use_openssl) {
 		if (! waited_for_client) {
-			accept_openssl(OPENSSL_INETD);
+			accept_openssl(OPENSSL_INETD, -1);
 		}
 	}
 	if (! inetd && ! use_openssl) {
@ -3851,7 +3858,7 @@ int main(int argc, char* argv[]) {
 	}
 	set_vnc_desktop_name();

-	if (ncache_beta_tester) {
+	if (ncache_beta_tester && ncache != 0) {
 		ncache_beta_tester_message();
 	}

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;

 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.5 lastmod: 2007-03-19";
+char lastmod[] = "0.8.5 lastmod: 2007-03-24";

 /* X display info */