x11vnc: reverse SSL connections. -sleepin option.

pull/1/head
runge 17 years ago
parent f1bfe53f4f
commit 61c56222b3

@ -1,3 +1,6 @@
2007-03-24 Karl Runge <runge@karlrunge.com>
* x11vnc: reverse SSL connections. -sleepin option.
2007-03-20 Karl Runge <runge@karlrunge.com> 2007-03-20 Karl Runge <runge@karlrunge.com>
* x11vnc: Add -httpsredir option for router port redirs. * x11vnc: Add -httpsredir option for router port redirs.
set Xcursor bg/fg color values to zero. Env var to set Xcursor bg/fg color values to zero. Env var to


@ -1593,6 +1593,9 @@ static void check_connect_file(char *file) {
/* /*
* Do a reverse connect for a single "host" or "host:port" * Do a reverse connect for a single "host" or "host:port"
*/ */
extern int ssl_client_mode;
static int do_reverse_connect(char *str) { static int do_reverse_connect(char *str) {
rfbClientPtr cl; rfbClientPtr cl;
char *host, *p; char *host, *p;
@ -1609,10 +1612,6 @@ static int do_reverse_connect(char *str) {
rfbLog("reverse_connect: screen not setup yet.\n"); rfbLog("reverse_connect: screen not setup yet.\n");
return 0; return 0;
} }
if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
rfbLog("reverse connections disabled in -ssl mode.\n");
return 0;
}
if (unixpw_in_progress) return 0; if (unixpw_in_progress) return 0;
/* copy in to host */ /* copy in to host */
@ -1627,9 +1626,55 @@ static int do_reverse_connect(char *str) {
/* extract port, if any */ /* extract port, if any */
if ((p = strchr(host, ':')) != NULL) { if ((p = strchr(host, ':')) != NULL) {
rport = atoi(p+1); rport = atoi(p+1);
if (rport < 0) {
rport = -rport;
} else if (rport < 20) {
rport = 5500 + rport;
}
*p = '\0'; *p = '\0';
} }
#if 0
if (use_openssl && !getenv("X11VNC_SSL_ALLOW_REVERSE")) {
rfbLog("reverse connections disabled in -ssl mode.\n");
return 0;
}
#endif
if (use_openssl) {
int vncsock = rfbConnectToTcpAddr(host, rport);
if (vncsock < 0) {
rfbLog("reverse_connect: failed to connect to: %s\n", str);
return 0;
}
#define OPENSSL_REVERSE 4
openssl_init(1);
accept_openssl(OPENSSL_REVERSE, vncsock);
openssl_init(0);
return 1;
}
if (unixpw) {
int is_localhost = 0, user_disabled = 0;
if(!strcmp(host, "localhost") || !strcmp(host, "127.0.0.1")) {
is_localhost = 1;
}
if (getenv("UNIXPW_DISABLE_LOCALHOST")) {
user_disabled = 1;
}
if (! is_localhost) {
if (user_disabled ) {
rfbLog("reverse_connect: warning disabling localhost constraint in -unixpw\n");
} else {
rfbLog("reverse_connect: error not localhost in -unixpw\n");
return 0;
}
}
}
#if 0
if (inetd && unixpw) { if (inetd && unixpw) {
if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) { if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
if (! getenv("UNIXPW_DISABLE_LOCALHOST")) { if (! getenv("UNIXPW_DISABLE_LOCALHOST")) {
@ -1644,6 +1689,7 @@ static int do_reverse_connect(char *str) {
return 0; return 0;
} }
} }
#endif
cl = rfbReverseConnection(screen, host, rport); cl = rfbReverseConnection(screen, host, rport);
free(host); free(host);
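Review bot: The new -ssl branch in do_reverse_connect returns at both its `return 0;` (connect failure) and `return 1;` without releasing `host`, which the non-SSL path only frees after rfbReverseConnection on the last line of the hunk; if `host` is heap-allocated as the "copy in to host" step suggests, every SSL reverse connection leaks it, so add `free(host);` before each of those two returns (the `return 0;` in the new -unixpw localhost check has the same gap). The `#define OPENSSL_REVERSE 4` placed inside the function body duplicates the definition this commit adds to sslhelper.h and should be dropped in favour of the header; likewise the `extern int ssl_client_mode;` added above the function names a symbol that sslhelper.c defines `static` and is not used here, so it should go. The SSL branch also returns before the new -unixpw localhost check, so with -ssl the localhost restriction is bypassed entirely; that looks intentional because the channel is now encrypted, but it deserves a comment such as `/* -ssl reverse connections are encrypted, so the -unixpw localhost-only rule is not applied */`. The old inetd block wrapped in `#if 0` at the end is dead code and should be deleted rather than kept.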

@ -342,6 +342,9 @@ void print_help(int mode) {
"\n" "\n"
"-timeout n Exit unless a client connects within the first n seconds\n" "-timeout n Exit unless a client connects within the first n seconds\n"
" after startup.\n" " after startup.\n"
"-sleepin n At startup sleep n seconds before proceeding (e.g. to\n"
" allow redirs and listening clients to start up)\n"
"\n"
"-inetd Launched by inetd(8): stdio instead of listening socket.\n" "-inetd Launched by inetd(8): stdio instead of listening socket.\n"
" Note: if you are not redirecting stderr to a log file\n" " Note: if you are not redirecting stderr to a log file\n"
" (via shell 2> or -o option) you MUST also specify the -q\n" " (via shell 2> or -o option) you MUST also specify the -q\n"
@ -643,7 +646,7 @@ void print_help(int mode) {
" the same as requiring a Unix user login (since a Unix\n" " the same as requiring a Unix user login (since a Unix\n"
" password or the user's public key authentication is\n" " password or the user's public key authentication is\n"
" used by sshd on the machine where x11vnc runs and only\n" " used by sshd on the machine where x11vnc runs and only\n"
" local connections from that machine are accepted)\n" " local connections from that machine are accepted).\n"
"\n" "\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement in Method 2). One should never do this\n" " requirement in Method 2). One should never do this\n"
@ -656,8 +659,11 @@ void print_help(int mode) {
" to connect to the same machine x11vnc is running on\n" " to connect to the same machine x11vnc is running on\n"
" (default port 5500). Please use a ssh or stunnel port\n" " (default port 5500). Please use a ssh or stunnel port\n"
" redirection to the viewer machine to tunnel the reverse\n" " redirection to the viewer machine to tunnel the reverse\n"
" connection over an encrypted channel. Note that in -ssl\n" " connection over an encrypted channel.\n"
" mode reverse connection are disabled (see below).\n" #if 0
" Note that in -ssl\n"
" mode reverse connection are disabled (see below). XXX\n"
#endif
"\n" "\n"
" In -inetd mode the Method 1) will be enforced (not\n" " In -inetd mode the Method 1) will be enforced (not\n"
" Method 2). With -ssl in effect reverse connections\n" " Method 2). With -ssl in effect reverse connections\n"
@ -986,11 +992,13 @@ void print_help(int mode) {
"\n" "\n"
" Example: x11vnc -ssl SAVE -display :0 ...\n" " Example: x11vnc -ssl SAVE -display :0 ...\n"
"\n" "\n"
#if 0
" Reverse connections are disabled in -ssl mode because\n" " Reverse connections are disabled in -ssl mode because\n"
" there is no way to ensure that data channel will\n" " there is no way to ensure that data channel will\n"
" be encrypted. Set X11VNC_SSL_ALLOW_REVERSE=1 to\n" " be encrypted. Set X11VNC_SSL_ALLOW_REVERSE=1 to\n"
" override this.\n" " override this.\n"
"\n" "\n"
#endif
" Your VNC viewer will also need to be able to connect\n" " Your VNC viewer will also need to be able to connect\n"
" via SSL. See the discussion below under -stunnel and\n" " via SSL. See the discussion below under -stunnel and\n"
" the FAQ (ss_vncviewer script) for how this might be\n" " the FAQ (ss_vncviewer script) for how this might be\n"
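Review bot: The help text drops the statement that reverse connections are disabled in -ssl mode, but the sentence beginning `With -ssl in effect reverse connections` at the end of the -unixpw hunk is kept and continues outside the hunk, so it presumably still describes the old disabled behaviour and should be rewritten to say that with -ssl the reverse connection is made as an SSL client. The -ssl section should also state what the reverse connection does and does not guarantee — in particular whether the listening viewer's certificate is checked, since nothing in this commit visibly applies -sslverify on the client side — because a reader of `-ssl` will otherwise assume the reverse link is authenticated as well as encrypted. The `#if 0`'d help strings with the `XXX` marker should be deleted rather than left in the source.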

@ -2430,7 +2430,7 @@ void initialize_screen(int *argc, char **argv, XImage *fb) {
/* n.b. samplesPerPixel (set = 1 here) seems to be unused. */ /* n.b. samplesPerPixel (set = 1 here) seems to be unused. */
if (create_screen) { if (create_screen) {
if (use_openssl) { if (use_openssl) {
openssl_init(); openssl_init(0);
} else if (use_stunnel) { } else if (use_stunnel) {
setup_stunnel(0, argc, argv); setup_stunnel(0, argc, argv);
} }

@ -11,6 +11,7 @@
#define OPENSSL_INETD 1 #define OPENSSL_INETD 1
#define OPENSSL_VNC 2 #define OPENSSL_VNC 2
#define OPENSSL_HTTPS 3 #define OPENSSL_HTTPS 3
#define OPENSSL_REVERSE 4
#define DO_DH 0 #define DO_DH 0
@ -43,13 +44,13 @@ static void badnews(void) {
rfbLog("** not compiled with libssl OpenSSL support **\n"); rfbLog("** not compiled with libssl OpenSSL support **\n");
clean_up_exit(1); clean_up_exit(1);
} }
void openssl_init(void) {badnews();} void openssl_init(int isclient) {badnews();}
void openssl_port(void) {badnews();} void openssl_port(void) {badnews();}
void https_port(void) {badnews();} void https_port(void) {badnews();}
void check_openssl(void) {if (use_openssl) badnews();} void check_openssl(void) {if (use_openssl) badnews();}
void check_https(void) {if (use_openssl) badnews();} void check_https(void) {if (use_openssl) badnews();}
void ssl_helper_pid(pid_t pid, int sock) {badnews(); sock = pid;} void ssl_helper_pid(pid_t pid, int sock) {badnews(); sock = pid;}
void accept_openssl(int mode) {mode = 0; badnews();} void accept_openssl(int mode, int presock) {mode = 0; presock = 0; badnews();}
char *find_openssl_bin(void) {badnews(); return NULL;} char *find_openssl_bin(void) {badnews(); return NULL;}
char *get_saved_pem(char *string, int create) {badnews(); return NULL;} char *get_saved_pem(char *string, int create) {badnews(); return NULL;}
#else #else
@ -59,12 +60,12 @@ char *get_saved_pem(char *string, int create) {badnews(); return NULL;}
#include <openssl/rand.h> #include <openssl/rand.h>
int openssl_present(void); int openssl_present(void);
void openssl_init(void); void openssl_init(int isclient);
void openssl_port(void); void openssl_port(void);
void check_openssl(void); void check_openssl(void);
void check_https(void); void check_https(void);
void ssl_helper_pid(pid_t pid, int sock); void ssl_helper_pid(pid_t pid, int sock);
void accept_openssl(int mode); void accept_openssl(int mode, int presock);
char *find_openssl_bin(void); char *find_openssl_bin(void);
char *get_saved_pem(char *string, int create); char *get_saved_pem(char *string, int create);
@ -82,7 +83,7 @@ static int ssl_init(int s_in, int s_out);
static void ssl_xfer(int csock, int s_in, int s_out, int is_https); static void ssl_xfer(int csock, int s_in, int s_out, int is_https);
#ifndef FORK_OK #ifndef FORK_OK
void openssl_init(void) { void openssl_init(int isclient) {
rfbLog("openssl_init: fork is not supported. cannot create" rfbLog("openssl_init: fork is not supported. cannot create"
" ssl helper process.\n"); " ssl helper process.\n");
clean_up_exit(1); clean_up_exit(1);
@ -678,18 +679,22 @@ static char *get_ssl_verify_file(char *str_in) {
return tfile; return tfile;
} }
void openssl_init(void) { static int ssl_client_mode = 0;
void openssl_init(int isclient) {
int db = 0, tmp_pem = 0, do_dh; int db = 0, tmp_pem = 0, do_dh;
FILE *in; FILE *in;
double ds; double ds;
long mode; long mode;
static int first = 1;
do_dh = DO_DH; do_dh = DO_DH;
if (! quiet) { if (! quiet) {
rfbLog("\n"); rfbLog("\n");
rfbLog("Initializing SSL.\n"); rfbLog("Initializing SSL (%s connect mode).\n", isclient ? "client":"server");
} }
if (first) {
if (db) fprintf(stderr, "\nSSL_load_error_strings()\n"); if (db) fprintf(stderr, "\nSSL_load_error_strings()\n");
SSL_load_error_strings(); SSL_load_error_strings();
@ -702,7 +707,22 @@ void openssl_init(void) {
init_prng(); init_prng();
first = 0;
}
if (isclient) {
ssl_client_mode = 1;
} else {
ssl_client_mode = 0;
}
if (ssl_client_mode) {
if (db) fprintf(stderr, "SSLv23_client_method()\n");
ctx = SSL_CTX_new( SSLv23_client_method() );
} else {
if (db) fprintf(stderr, "SSLv23_server_method()\n");
ctx = SSL_CTX_new( SSLv23_server_method() ); ctx = SSL_CTX_new( SSLv23_server_method() );
}
if (ctx == NULL) { if (ctx == NULL) {
rfbLog("openssl_init: SSL_CTX_new failed.\n"); rfbLog("openssl_init: SSL_CTX_new failed.\n");
@ -1288,7 +1308,7 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
return 1; return 1;
} }
void accept_openssl(int mode) { void accept_openssl(int mode, int presock) {
int sock = -1, listen = -1, cport, csock, vsock; int sock = -1, listen = -1, cport, csock, vsock;
int status, n, i, db = 0; int status, n, i, db = 0;
struct sockaddr_in addr; struct sockaddr_in addr;
@ -1337,6 +1357,17 @@ void accept_openssl(int mode) {
} }
listen = openssl_sock; listen = openssl_sock;
} else if (mode == OPENSSL_REVERSE) {
sock = presock;
if (sock < 0) {
rfbLog("SSL: accept_openssl: connection failed\n");
if (ssl_no_fail) {
clean_up_exit(1);
}
return;
}
listen = -1;
} else if (mode == OPENSSL_HTTPS) { } else if (mode == OPENSSL_HTTPS) {
sock = accept(https_sock, (struct sockaddr *)&addr, &addrlen); sock = accept(https_sock, (struct sockaddr *)&addr, &addrlen);
if (sock < 0) { if (sock < 0) {
@ -1940,7 +1971,11 @@ if (db > 1) fprintf(stderr, "ssl_init: 1\n");
} }
if (db > 1) fprintf(stderr, "ssl_init: 2\n"); if (db > 1) fprintf(stderr, "ssl_init: 2\n");
if (ssl_client_mode) {
SSL_set_connect_state(ssl);
} else {
SSL_set_accept_state(ssl); SSL_set_accept_state(ssl);
}
if (db > 1) fprintf(stderr, "ssl_init: 3\n"); if (db > 1) fprintf(stderr, "ssl_init: 3\n");
@ -1954,7 +1989,11 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
signal(SIGALRM, ssl_timeout); signal(SIGALRM, ssl_timeout);
alarm(timeout); alarm(timeout);
if (ssl_client_mode) {
rc = SSL_connect(ssl);
} else {
rc = SSL_accept(ssl); rc = SSL_accept(ssl);
}
err = SSL_get_error(ssl, rc); err = SSL_get_error(ssl, rc);
alarm(0); alarm(0);
@ -2425,7 +2464,7 @@ void check_openssl(void) {
} }
rfbLog("SSL: accept_openssl(OPENSSL_VNC)\n"); rfbLog("SSL: accept_openssl(OPENSSL_VNC)\n");
accept_openssl(OPENSSL_VNC); accept_openssl(OPENSSL_VNC, -1);
} }
void check_https(void) { void check_https(void) {
@ -2457,7 +2496,7 @@ void check_https(void) {
return; return;
} }
rfbLog("SSL: accept_openssl(OPENSSL_HTTPS)\n"); rfbLog("SSL: accept_openssl(OPENSSL_HTTPS)\n");
accept_openssl(OPENSSL_HTTPS); accept_openssl(OPENSSL_HTTPS, -1);
} }
#define MSZ 4096 #define MSZ 4096
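Review bot: In client mode openssl_init builds the context with SSLv23_client_method() and ssl_init then calls SSL_connect, but nothing in the hunk sets a verification mode or trust store for the peer; unless the existing -sslverify handling (get_ssl_verify_file, above the hunk) is also applied on this path, the reverse SSL connection accepts any certificate and an active attacker between x11vnc and the viewer can terminate the TLS session, so the client branch should at least call `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);` and load the -sslverify file via SSL_CTX_load_verify_locations when one was given, or the help text should say plainly that the peer is not authenticated. openssl_init is now called repeatedly — do_reverse_connect calls openssl_init(1) and then openssl_init(0) — and each call assigns a fresh `ctx` from SSL_CTX_new without any SSL_CTX_free that I can see, so add `if (ctx) SSL_CTX_free(ctx);` ahead of the SSL_CTX_new calls (hedged: a free may exist outside the hunk). `ssl_client_mode` is defined `static` here while connections.c declares it `extern`; one of the two linkages should go. The OPENSSL_REVERSE branch of accept_openssl sets `listen = -1`, and since the rest of that function is outside the hunk I cannot confirm every later use of `listen` tolerates -1.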

@ -7,6 +7,7 @@
#define OPENSSL_INETD 1 #define OPENSSL_INETD 1
#define OPENSSL_VNC 2 #define OPENSSL_VNC 2
#define OPENSSL_HTTPS 3 #define OPENSSL_HTTPS 3
#define OPENSSL_REVERSE 4
extern int openssl_sock; extern int openssl_sock;
extern int openssl_port_num; extern int openssl_port_num;
@ -17,13 +18,13 @@ extern char *openssl_last_ip;
extern void raw_xfer(int csock, int s_in, int s_out); extern void raw_xfer(int csock, int s_in, int s_out);
extern int openssl_present(void); extern int openssl_present(void);
extern void openssl_init(void); extern void openssl_init(int);
extern void openssl_port(void); extern void openssl_port(void);
extern void https_port(void); extern void https_port(void);
extern void check_openssl(void); extern void check_openssl(void);
extern void check_https(void); extern void check_https(void);
extern void ssl_helper_pid(pid_t pid, int sock); extern void ssl_helper_pid(pid_t pid, int sock);
extern void accept_openssl(int mode); extern void accept_openssl(int mode, int presock);
extern char *find_openssl_bin(void); extern char *find_openssl_bin(void);
extern char *get_saved_pem(char *string, int create); extern char *get_saved_pem(char *string, int create);

@ -131,6 +131,8 @@ Clients
=D http =D http
httpdir: httpdir:
httpport: httpport:
https:
httpsredir:
enablehttpproxy enablehttpproxy
=GAL LOFF =GAL LOFF
@ -322,7 +324,6 @@ Permissions
=F ssldir: =F ssldir:
=F sslverify: =F sslverify:
ssltimeout: ssltimeout:
https:
=GAL LOFF =GAL LOFF
=GAL Misc-Perms:: =GAL Misc-Perms::
safer safer

@ -142,6 +142,8 @@ char gui_code[] = "";
" =D http\n" " =D http\n"
" httpdir:\n" " httpdir:\n"
" httpport:\n" " httpport:\n"
" https:\n"
" httpsredir:\n"
" enablehttpproxy\n" " enablehttpproxy\n"
" =GAL LOFF\n" " =GAL LOFF\n"
"\n" "\n"
@ -333,7 +335,6 @@ char gui_code[] = "";
" =F ssldir:\n" " =F ssldir:\n"
" =F sslverify:\n" " =F sslverify:\n"
" ssltimeout:\n" " ssltimeout:\n"
" https:\n"
" =GAL LOFF\n" " =GAL LOFF\n"
" =GAL Misc-Perms::\n" " =GAL Misc-Perms::\n"
" safer\n" " safer\n"

@ -1420,7 +1420,7 @@ int wait_for_client(int *argc, char** argv, int http) {
} }
if (inetd && use_openssl) { if (inetd && use_openssl) {
accept_openssl(OPENSSL_INETD); accept_openssl(OPENSSL_INETD, -1);
} }
while (1) { while (1) {

@ -2,7 +2,7 @@
.TH X11VNC "1" "March 2007" "x11vnc " "User Commands" .TH X11VNC "1" "March 2007" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.8.5, lastmod: 2007-03-19 version: 0.8.5, lastmod: 2007-03-24
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
@ -397,6 +397,11 @@ mode. This usage could use useful: \fB-svc\fR \fB-loopbg\fR
Exit unless a client connects within the first n seconds Exit unless a client connects within the first n seconds
after startup. after startup.
.PP .PP
\fB-sleepin\fR \fIn\fR
.IP
At startup sleep n seconds before proceeding (e.g. to
allow redirs and listening clients to start up)
.PP
\fB-inetd\fR \fB-inetd\fR
.IP .IP
Launched by Launched by
@ -766,7 +771,7 @@ is roughly
the same as requiring a Unix user login (since a Unix the same as requiring a Unix user login (since a Unix
password or the user's public key authentication is password or the user's public key authentication is
used by sshd on the machine where x11vnc runs and only used by sshd on the machine where x11vnc runs and only
local connections from that machine are accepted) local connections from that machine are accepted).
.IP .IP
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
requirement in Method 2). One should never do this requirement in Method 2). One should never do this
@ -779,8 +784,7 @@ in effect then reverse connections can only be used
to connect to the same machine x11vnc is running on to connect to the same machine x11vnc is running on
(default port 5500). Please use a ssh or stunnel port (default port 5500). Please use a ssh or stunnel port
redirection to the viewer machine to tunnel the reverse redirection to the viewer machine to tunnel the reverse
connection over an encrypted channel. Note that in \fB-ssl\fR connection over an encrypted channel.
mode reverse connection are disabled (see below).
.IP .IP
In \fB-inetd\fR mode the Method 1) will be enforced (not In \fB-inetd\fR mode the Method 1) will be enforced (not
Method 2). With \fB-ssl\fR in effect reverse connections Method 2). With \fB-ssl\fR in effect reverse connections
@ -1153,11 +1157,6 @@ default ~/.vnc/certs
.IP .IP
Example: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ... Example: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
.IP .IP
Reverse connections are disabled in \fB-ssl\fR mode because
there is no way to ensure that data channel will
be encrypted. Set X11VNC_SSL_ALLOW_REVERSE=1 to
override this.
.IP
Your VNC viewer will also need to be able to connect Your VNC viewer will also need to be able to connect
via SSL. See the discussion below under \fB-stunnel\fR and via SSL. See the discussion below under \fB-stunnel\fR and
the FAQ (ss_vncviewer script) for how this might be the FAQ (ss_vncviewer script) for how this might be

@ -1776,6 +1776,13 @@ int main(int argc, char* argv[]) {
} else if (!strcmp(arg, "-timeout")) { } else if (!strcmp(arg, "-timeout")) {
CHECK_ARGC CHECK_ARGC
first_conn_timeout = atoi(argv[++i]); first_conn_timeout = atoi(argv[++i]);
} else if (!strcmp(arg, "-sleepin")) {
int n;
CHECK_ARGC
n = atoi(argv[++i]);
if (n > 0) {
usleep(1000*1000*n);
}
} else if (!strcmp(arg, "-users")) { } else if (!strcmp(arg, "-users")) {
CHECK_ARGC CHECK_ARGC
users_list = strdup(argv[++i]); users_list = strdup(argv[++i]);
@ -3825,7 +3832,7 @@ int main(int argc, char* argv[]) {
if (inetd && use_openssl) { if (inetd && use_openssl) {
if (! waited_for_client) { if (! waited_for_client) {
accept_openssl(OPENSSL_INETD); accept_openssl(OPENSSL_INETD, -1);
} }
} }
if (! inetd && ! use_openssl) { if (! inetd && ! use_openssl) {
@ -3851,7 +3858,7 @@ int main(int argc, char* argv[]) {
} }
set_vnc_desktop_name(); set_vnc_desktop_name();
if (ncache_beta_tester) { if (ncache_beta_tester && ncache != 0) {
ncache_beta_tester_message(); ncache_beta_tester_message();
} }
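Review bot: The -sleepin handler computes `1000*1000*n` in int, which overflows (undefined behaviour) for n >= 2148, and POSIX only requires usleep() to accept arguments below 1,000,000, so on a strict implementation the call may fail with EINVAL for every n >= 1 and the pause silently does nothing; use `sleep((unsigned) n);` instead, which is the natural unit here anyway. The sleep also runs inside the argv loop, before later options are parsed, so anything given after -sleepin (logging, -q, -inetd) is not yet in effect during the pause; the help text's "At startup" is technically true but a comment like `/* sleeps during option parsing: later args are not yet processed */` would save confusion. main() starts before and ends after this hunk.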

@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.5 lastmod: 2007-03-19"; char lastmod[] = "0.8.5 lastmod: 2007-03-24";
/* X display info */ /* X display info */
