x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc

to -anontls.  Disable ssl caching.  No cert creation prompting
in inetd or bg modes.  waitpid a bit more carefully on ssl
helpers.  Tune ssl initial timeouts.  Let -create user specify
starting X display.  fix -rfbport prompt gui for older tk.
-sslonly option. Error if no -ssl with related options. -rand
option.  -ssl implies -ssl SAVE
runge 16 years ago
parent e681929159
commit 8bef644d17

@ -1,3 +1,12 @@
2008-12-10 Karl Runge <runge@karlrunge.com>
* x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc
to -anontls. Disable ssl caching. No cert creation prompting
in inetd or bg modes. waitpid a bit more carefully on ssl
helpers. Tune ssl initial timeouts. Let -create user specify
starting X display. fix -rfbport prompt gui for older tk.
-sslonly option. Error if no -ssl with related options. -rand
option. -ssl implies -ssl SAVE
2008-11-22 Karl Runge <runge@karlrunge.com>
* x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL,
-setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS


@ -2338,6 +2338,7 @@ static int do_reverse_connect(char *str_in) {
write(vncsock, prestring, prestring_len);
free(prestring);
}
/* XXX use header */
#define OPENSSL_REVERSE 4
openssl_init(1);
accept_openssl(OPENSSL_REVERSE, vncsock);
@ -2345,6 +2346,7 @@ static int do_reverse_connect(char *str_in) {
free(host);
return 1;
}
if (use_stunnel) {
if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
if (!getenv("STUNNEL_DISABLE_LOCALHOST")) {
@ -2427,20 +2429,31 @@ void reverse_connect(char *str) {
int sleep_min = 1500, sleep_max = 4500, n_max = 5;
int n, tot, t, dt = 100, cnt = 0;
int nclients0 = client_count;
int lcnt, j;
char **list;
if (unixpw_in_progress) return;
tmp = strdup(str);
list = (char **) calloc( (strlen(tmp)+2) * sizeof (char *), 1);
lcnt = 0;
p = strtok(tmp, ", \t\r\n");
while (p) {
list[lcnt++] = strdup(p);
p = strtok(NULL, ", \t\r\n");
}
free(tmp);
for (j = 0; j < lcnt; j++) {
p = list[j];
if ((n = do_reverse_connect(p)) != 0) {
rfbPE(-1);
}
cnt += n;
p = strtok(NULL, ", \t\r\n");
if (p) {
if (list[j+1] != NULL) {
t = 0;
while (t < sleep_between_host) {
usleep(dt * 1000);
@ -2449,7 +2462,12 @@ void reverse_connect(char *str) {
}
}
}
free(tmp);
for (j = 0; j < lcnt; j++) {
p = list[j];
if (p) free(p);
}
free(list);
if (cnt == 0) {
if (connect_or_exit) {
@ -2739,6 +2757,9 @@ void check_gui_inputs(void) {
for (i=0; i<n; i++) {
int k, fd = icon_mode_socks[socks[i]];
char *p;
char **list;
int lind;
if (! FD_ISSET(fd, &fds)) {
continue;
}
@ -2752,8 +2773,18 @@ void check_gui_inputs(void) {
continue;
}
list = (char **) calloc((strlen(buf)+2) * sizeof(char *), 1);
lind = 0;
p = strtok(buf, "\r\n");
while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, "\r\n");
}
lind = 0;
while (list[lind] != NULL) {
p = list[lind++];
if (strstr(p, "cmd=") == p ||
strstr(p, "qry=") == p) {
char *str = process_remote_cmd(p, 1);
@ -2769,8 +2800,14 @@ void check_gui_inputs(void) {
break;
}
}
p = strtok(NULL, "\r\n");
}
lind = 0;
while (list[lind] != NULL) {
p = list[lind++];
if (p) free(p);
}
free(list);
}
}
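Review bot: The calloc() at `list = (char **) calloc( (strlen(tmp)+2) * sizeof (char *), 1);` in reverse_connect, and the matching one in check_gui_inputs, is used unchecked, so an allocation failure dereferences NULL at the first `list[lcnt++] = strdup(p);`, and a strdup() that fails mid-list stores a NULL that the `while (list[lind] != NULL)` walk in check_gui_inputs treats as end-of-list, silently dropping the remaining commands. Adding `if (!list) { free(tmp); return; }` after the calloc in reverse_connect and `if (!list) continue;` after the one in check_gui_inputs keeps the failure explicit; a NULL strdup() result could be handled the same way before it is stored. The `if (p) free(p);` in both cleanup loops is redundant since free(NULL) is a no-op. Both enclosing functions begin outside the hunks shown.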

@ -82,10 +82,12 @@ void print_help(int mode) {
" before startup. Same as -xauth file. See Xsecurity(7),\n"
" xauth(1) man pages for more info.\n"
"\n"
"-N If the X display is :N, try to set the VNC display\n"
" to also be :N This just sets the -rfbport option\n"
" to 5900+N. The program will exit immediately if that\n"
" port is not available.\n"
"-N If the X display is :N, try to set the VNC display to\n"
" also be :N This just sets the -rfbport option to 5900+N\n"
" The program will exit immediately if that port is not\n"
" available. The -N option only works with normal -display\n"
" usage, e.g. :0 or :8, -N is ignored in the -display\n"
" WAIT:..., -create, -find, -svc, -redirect, etc modes.\n"
"\n"
"-autoport n Automatically probe for a free VNC port starting at n.\n"
" The default is to start probing at 5900. Use this to\n"
@ -979,13 +981,13 @@ void print_help(int mode) {
" added to get the actual port), if port < 0 then -port\n"
" is used.\n"
"\n"
" Probably the only reason to use the -redirect option is\n"
" in conjunction with SSL support, e.g. -ssl, -ssl SAVE.\n"
" Probably the only reason to use the -redirect option\n"
" is in conjunction with SSL support, e.g. -ssl SAVE.\n"
" This provides an easy way to add SSL encryption to a VNC\n"
" server that does not support SSL (e.g. Xvnc or vnc.so)\n"
" In fact, the protocol does not even need to be VNC,\n"
" and so \"-ssl SAVE -redirect host:port\" can act as a\n"
" replacement for stunnel(1).\n"
" and so \"-rfbport port1 -ssl SAVE -redirect host:port2\"\n"
" can act as a replacement for stunnel(1).\n"
"\n"
" This mode only allows one redirected connection.\n"
" The -forever option does not apply. Use -inetd or\n"
@ -1119,6 +1121,9 @@ void print_help(int mode) {
" for the user. This is the only time x11vnc tries to\n"
" actually start up an X server.\n"
"\n"
" It will start looking for an open display number at :20\n"
" Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n\n"
"\n"
" By default FINDCREATEDISPLAY will try Xdummy and then\n"
" Xvfb:\n"
"\n"
@ -1233,14 +1238,14 @@ void print_help(int mode) {
"-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n"
" enabled, then VeNCrypt is enabled as well BY DEFAULT\n"
" (they both use the SSL/TLS tunnel, only the protocol\n"
" (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n"
"\n"
" To control when and how VeNCrypt is used, specify the\n"
" mode string. If mode is \"never\", then VeNCrypt is\n"
" not used. If mode is \"support\" (the default) then\n"
" VeNCrypt is supported. If mode is \"only\", then the\n"
" similar and older TLSVNC protocol is not simultaneously\n"
" similar and older ANONTLS protocol is not simultaneously\n"
" supported. x11vnc's normal SSL mode (vncs://) will be\n"
" supported under -ssl unless you set mode to \"force\".\n"
"\n"
@ -1250,14 +1255,16 @@ void print_help(int mode) {
"\n"
" To disable all Anonymous Diffie-Hellman access\n"
" (susceptible to Man-In-The-Middle attack) you will need\n"
" to supply \"-vencrypt nodh:support -tlsvnc never\"\n"
" to supply \"-vencrypt nodh:support -anontls never\"\n"
" or \"-vencrypt nodh:only\"\n"
"\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n"
" (this can be time consuming: 1-60 secs) rather than\n"
" using the fixed values in the program. Using fixed,\n"
" publicly known values is not known to be a security\n"
" problem. This setting applies to TLSVNC as well.\n"
" (this can be time consuming: 1-60 secs; see -dhparams\n"
" below for a faster way) rather than using the\n"
" fixed values in the program. Using fixed, publicly\n"
" known values is not known to be a security problem.\n"
" This setting applies to ANONTLS as well.\n"
"\n"
" Long example: -vencrypt newdh:nox509:support\n"
"\n"
@ -1270,15 +1277,23 @@ void print_help(int mode) {
" You *MUST* supply the -ssl option for VeNCrypt to be\n"
" active. This option only fine-tunes its operation.\n"
"\n"
"-tlsvnc mode The TLSVNC extension to the VNC protocol allows\n"
"-anontls mode The ANONTLS extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n"
" enabled, then TLSVNC is enabled as well BY DEFAULT\n"
" (they both use the SSL/TLS tunnel, only the protocol\n"
" enabled, then ANONTLS is enabled as well BY DEFAULT\n"
" (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n"
"\n"
" To control when and how TLSVNC is used, specify the\n"
" mode string. If mode is \"never\", then TLSVNC is not\n"
" used. If mode is \"support\" (the default) then TLSVNC\n"
" ANONTLS is an older SSL/TLS mode introduced by vino.\n"
"\n"
" It is referred to as 'TLS' for its registered VNC\n"
" security-type name, but we use the more descriptive\n"
" 'ANONTLS' here because it provides only Anonymous\n"
" Diffie-Hellman encrypted connections, and hence no\n"
" possibility for certificate authentication.\n"
"\n"
" To control when and how ANONTLS is used, specify the\n"
" mode string. If mode is \"never\", then ANONTLS is not\n"
" used. If mode is \"support\" (the default) then ANONTLS\n"
" is supported. If mode is \"only\", then the similar\n"
" VeNCrypt protocol is not simultaneously supported.\n"
" x11vnc's normal SSL mode (vncs://) will be supported\n"
@ -1286,24 +1301,30 @@ void print_help(int mode) {
"\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n"
" (this can be time consuming: 1-60 secs) rather than\n"
" using the fixed values in the program. Using fixed,\n"
" publicly known values is not known to be a security\n"
" problem. This setting applies to VeNCrypt as well.\n"
" See the description of \"plain:\" under -vencrypt.\n"
" (this can be time consuming: 1-60 secs; see -dhparams\n"
" below for a faster way) rather than using the\n"
" fixed values in the program. Using fixed, publicly\n"
" known values is not known to be a security problem.\n"
" This setting applies to VeNCrypt as well. See the\n"
" description of \"plain:\" under -vencrypt.\n"
"\n"
" Long example: -tlsvnc newdh:plain:support\n"
" Long example: -anontls newdh:plain:support\n"
"\n"
" You *MUST* supply the -ssl option for TLSVNC to be\n"
" You *MUST* supply the -ssl option for ANONTLS to be\n"
" active. This option only fine-tunes its operation.\n"
"\n"
"-sslonly Same as: \"-vencrypt never -anontls never\" i.e. it\n"
" disables the VeNCrypt and ANONTLS encryption methods\n"
" and only allows standard SSL tunneling. You must also\n"
" supply the -ssl ... option (see below.)\n"
"\n"
"\n"
"-dhparams file For some operations a set of Diffie Hellman parameters\n"
" (prime and generator) is needed. If so, use the\n"
" parameters in \"file\". In particular, the VeNCrypt and\n"
" TLSVNC anonymous DH mode need them. By default a\n"
" ANONTLS anonymous DH mode need them. By default a\n"
" fixed set is used. If you do not want to do that you\n"
" can specify \"newdh:\" to the -vencrypt and -tlsvnc\n"
" can specify \"newdh:\" to the -vencrypt and -anontls\n"
" options to generate a new set each session. If that\n"
" is too slow for you, use -dhparams file to a set you\n"
" created manually via \"openssl dhparam -out file 1024\"\n"
@ -1325,47 +1346,80 @@ void print_help(int mode) {
" http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
" x11vnc provides an SSL enabled Java viewer applet in\n"
" the classes/ssl directory (-http or -httpdir options.)\n"
" The SSVNC viewer package supports SSL too.\n"
" The SSVNC viewer package supports SSL tunnels too.\n"
"\n"
" If the VNC Viewer supports VeNCrypt or ANONTLS (vino's\n"
" encryption mode) they are also supported by the -ssl\n"
" mode (see the -vencrypt and -anontls options for more\n"
" info; use -sslonly to disable both of them.)\n"
"\n"
" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
" specify a PEM certificate file to use to identify and\n"
" Use \"-ssl /path/to/mycert.pem\" to specify an SSL\n"
" certificate file in PEM format to use to identify and\n"
" provide a key for this server. See openssl(1) for more\n"
" info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n"
" options below for how to create them.\n"
"\n"
" The connecting VNC viewer SSL tunnel can (optionally)\n"
" authenticate this server if they have the public key\n"
" part of the certificate (or a common certificate\n"
" authority, CA, is a more sophisticated way to\n"
" verify this server's cert, see -sslGenCA below).\n"
" This is used to prevent Man-In-The-Middle attacks.\n"
" Otherwise, if the VNC viewer accepts this server's\n"
" key WITHOUT verification, the traffic is protected\n"
" from passive sniffing on the network, but *NOT* from\n"
" The connecting VNC viewer SSL tunnel can (at its option)\n"
" authenticate this server if it has the public key part\n"
" of the certificate (or a common certificate authority,\n"
" CA, is a more sophisticated way to verify this server's\n"
" cert, see -sslGenCA below). This authentication is\n"
" done to prevent Man-In-The-Middle attacks. Otherwise,\n"
" if the VNC viewer simply accepts this server's key\n"
" WITHOUT verification, the traffic is protected from\n"
" passive sniffing on the network, but *NOT* from\n"
" Man-In-The-Middle attacks. There are hacker tools\n"
" like dsniff/webmitm and cain that implement SSL\n"
" Man-In-The-Middle attacks.\n"
"\n"
" If [pem] is not supplied and the openssl(1) utility\n"
" If [pem] is empty or the string \"SAVE\" then the\n"
" openssl(1) command must be available to generate the\n"
" certificate the first time. A self-signed certificate\n"
" is generated (see -sslGenCA and -sslGenCert for use\n"
" of a Certificate Authority.) It will be saved to the\n"
" file ~/.vnc/certs/server.pem. On subsequent calls if\n"
" that file already exists it will be used directly.\n"
"\n"
" Use \"SAVE_NOPROMPT\" to avoid being prompted to\n"
" protect the generated key with a passphrase. However in\n"
" -inetd and -bg modes there will be no prompting for a\n"
" passphrase in either case.\n"
"\n"
" If [pem] is \"SAVE_PROMPT\" the server.pem certificate\n"
" will be created based on your answers to its prompts for\n"
" all info such as OrganizationalName, CommonName, etc.\n"
"\n"
" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
" instead (it will be generated if it does not already\n"
" exist). E.g. \"SAVE-charlie\" will store to the file\n"
" ~/.vnc/certs/server-charlie.pem\n"
"\n"
" Examples: x11vnc -ssl SAVE -display :0 ...\n"
" x11vnc -ssl SAVE-someother -display :0 ...\n"
"\n"
" If [pem] is \"TMP\" and the openssl(1) utility\n"
" command exists in PATH, then a temporary, self-signed\n"
" certificate will be generated for this session\n"
" (this may take 5-30 seconds on very slow machines).\n"
" If openssl(1) cannot be used to generate a temporary\n"
" certificate x11vnc exits immediately.\n"
" certificate will be generated for this session. If\n"
" openssl(1) cannot be used to generate a temporary\n"
" certificate x11vnc exits immediately. The temporary\n"
" cert will be discarded when x11vnc exits.\n"
"\n"
" If successful in using openssl(1) to generate a\n"
" temporary certificate, the public part of it will be\n"
" displayed to stderr (e.g. one could copy it to the\n"
" client-side to provide authentication of the server to\n"
" VNC viewers.)\n"
"\n"
" NOTE: Unless you safely copy the public part of the\n"
" temporary Cert to the viewer for authenticate *every\n"
" time* (unlikely...), then only passive sniffing\n"
" attacks are prevented and you are still open to\n"
" Man-In-The-Middle attacks. See the following\n"
" paragraphs for how to save keys to reuse them when\n"
" x11vnc is restarted. With saved keys AND the VNC viewer\n"
" authenticating them by using the public certificate,\n"
" then Man-In-The-Middle attacks are prevented.\n"
" temporary certificate in \"SAVE\" or \"TMP\" creation\n"
" modes, the public part of it will be displayed to stderr\n"
" (e.g. one could copy it to the client-side to provide\n"
" authentication of the server to VNC viewers.)\n"
"\n"
" NOTE: In \"TMP\" mode, unless you safely copy the\n"
" public part of the temporary Cert to the viewer for\n"
" authenticate *every time* (unlikely...), then only\n"
" passive sniffing attacks are prevented and you are\n"
" still open to Man-In-The-Middle attacks. This is\n"
" why the default \"SAVE\" mode is preferred (and more\n"
" sophisticated CA mode too). Only with saved keys AND\n"
" the VNC viewer authenticating them (via the public\n"
" certificate), are Man-In-The-Middle attacks prevented.\n"
"\n"
" If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n"
" key exchange method is used. In this mode there\n"
@ -1374,34 +1428,16 @@ void print_help(int mode) {
" Thus only passive network sniffing attacks are avoided:\n"
" the \"ANON\" method is susceptible to Man-In-The-Middle\n"
" attacks. \"ANON\" is not recommended; instead use\n"
" a SSL PEM you created or the \"SAVE\" method in the\n"
" next paragraph.\n"
"\n"
" If [pem] is \"SAVE\" then the certificate will be saved\n"
" to the file ~/.vnc/certs/server.pem, or if that file\n"
" exists it will be used directly. Similarly, if [pem]\n"
" is \"SAVE_PROMPT\" the server.pem certificate will be\n"
" made based on your answers to its prompts for info such\n"
" as OrganizationalName, CommonName, etc.\n"
"\n"
" We expect most users to use \"-ssl SAVE\".\n"
"\n"
" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
" instead. E.g. \"SAVE-charlie\" will store to the file\n"
" ~/.vnc/certs/server-charlie.pem\n"
"\n"
" Examples: x11vnc -ssl SAVE -display :0 ...\n"
" x11vnc -ssl SAVE-other -display :0 ...\n"
" a SSL PEM you created or the defaut \"SAVE\" method.\n"
"\n"
" See -ssldir below to use a directory besides the\n"
" default ~/.vnc/certs\n"
"\n"
" Misc Info: In temporary cert creation mode, set the\n"
" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out\n"
" the entire certificate, including the PRIVATE KEY part,\n"
" to stderr. There are better ways to get/save this info.\n"
" See \"SAVE\" above and \"-sslGenCert\" below.\n"
" Misc Info: In temporary cert creation mode \"TMP\", set\n"
" the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print\n"
" out the entire certificate, including the PRIVATE KEY\n"
" part, to stderr. There are better ways to get/save this\n"
" info. See \"SAVE\" above and \"-sslGenCert\" below.\n"
"\n"
"-ssltimeout n Set SSL read timeout to n seconds. In some situations\n"
" (i.e. an iconified viewer in Windows) the viewer stops\n"
@ -1446,7 +1482,7 @@ void print_help(int mode) {
"\n"
" If [path] is a directory it contains the client (or CA)\n"
" certificates in separate files. If [path] is a file,\n"
" it contains multiple certificates. See special tokens\n"
" it contains one or more certificates. See special tokens\n"
" below. These correspond to the \"CApath = dir\" and\n"
" \"CAfile = file\" stunnel options. See the stunnel(8)\n"
" manpage for details.\n"
@ -1508,19 +1544,19 @@ void print_help(int mode) {
" VNC-ing with x11vnc. (note that they require openssl(1)\n"
" be installed on the system)\n"
"\n"
" However, the simplest usage mode (where x11vnc\n"
" automatically generates its own, self-signed, temporary\n"
" key and the VNC viewers always accept it, e.g. accepting\n"
" via a dialog box) is probably safe enough for most\n"
" scenarios. CA management is not needed.\n"
" However, the simplest usage mode, \"-ssl TMP\" (where\n"
" x11vnc automatically generates its own, self-signed,\n"
" temporary key and the VNC viewers always accept it,\n"
" e.g. accepting via a dialog box) is probably safe enough\n"
" for most scenarios. CA management is not needed.\n"
"\n"
" To protect against Man-In-The-Middle attacks the\n"
" simplest mode can be improved by using \"-ssl SAVE\"\n"
" to have x11vnc create a longer term self-signed\n"
" certificate, and then (safely) copy the corresponding\n"
" public key cert to the desired client machines (care\n"
" must be taken the private key part is not stolen;\n"
" you will be prompted for a passphrase).\n"
" To protect against Man-In-The-Middle attacks the \"TMP\"\n"
" mode can be improved by using \"-ssl SAVE\" (same as\n"
" \"-ssl\", i.e. the default) to have x11vnc create a\n"
" longer term self-signed certificate, and then (safely)\n"
" copy the corresponding public key cert to the desired\n"
" client machines (care must be taken the private key part\n"
" is not stolen; you will be prompted for a passphrase).\n"
"\n"
" So keep in mind no CA key creation or management\n"
" (-sslGenCA and -sslGenCert) is needed for either of\n"
@ -1547,7 +1583,7 @@ void print_help(int mode) {
" be \"imported\" somehow. Web browsers have \"Manage\n"
" Certificates\" actions as does the Java applet plugin\n"
" Control Panel. stunnel can also use these files (see\n"
" the ss_vncviewer example script in the FAQ.)\n"
" the ss_vncviewer example script in the FAQ and SSVNC.)\n"
"\n"
"-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n"
"\n"
@ -3359,6 +3395,8 @@ void print_help(int mode) {
"-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n"
" set the defer time to the same ms value. n=1 to enable,\n"
" 0 to disable, and -1 to set defer to 0 (no delay).\n"
" Similarly, 2 and -2 indicate 'urgent_update' mode should\n"
" be used to push the updates even sooner. Default: 1\n"
"-nowait_bog Do not detect if the screen polling is \"bogging down\"\n"
" and sleep more. Some activities with no user input can\n"
" slow things down a lot: consider a large terminal window\n"
@ -3367,10 +3405,11 @@ void print_help(int mode) {
" (3 screen polls in a row each longer than 0.25 sec with\n"
" no user input), and sleep up to 1.5 secs to let things\n"
" \"catch up\". Use this option to disable that detection.\n"
"-slow_fb time Floating point time in seconds delay all screen polling.\n"
" For special purpose usage where a low frame rate is\n"
" acceptable and desirable, but you want the user input\n"
" processed at the normal rate so you cannot use -wait.\n"
"-slow_fb time Floating point time in seconds to delay all screen\n"
" polling. For special purpose usage where a low frame\n"
" rate is acceptable and desirable, but you want the\n"
" user input processed at the normal rate so you cannot\n"
" use -wait.\n"
"-xrefresh time Floating point time in seconds to indicate how often to\n"
" do the equivalent of xrefresh(1) to force all windows\n"
" (in the viewable area if -id, -sid, or -clip is used)\n"
@ -4356,6 +4395,7 @@ void print_help(int mode) {
" defer:n set -defer to n ms,same as deferupdate:n\n"
" wait:n set -wait to n ms.\n"
" wait_ui:f set -wait_ui factor to f.\n"
" setdefer:n set -setdefer to -2,-1,0,1, or 2.\n"
" wait_bog disable -nowait_bog mode.\n"
" nowait_bog enable -nowait_bog mode.\n"
" slow_fb:f set -slow_fb to f seconds.\n"
@ -4515,15 +4555,15 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
" scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
" fixscreen noxrecord xrecord reset_record pointer_mode\n"
" pm input_skip allinput noallinput input grabkbd\n"
" nograbkbd grabptr nograbptr grabalways nograbalways\n"
" grablocal client_input ssltimeout speeds wmdt\n"
" debug_pointer dp nodebug_pointer nodp debug_keyboard\n"
" dk nodebug_keyboard nodk keycode deferupdate defer\n"
" wait_ui wait_bog nowait_bog slow_fb xrefresh wait\n"
" readtimeout nap nonap sb screen_blank fbpm nofbpm dpms\n"
" nodpms clientdpms noclientdpms forcedpms noforcedpms\n"
" fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
" input_skip allinput noallinput input grabkbd nograbkbd\n"
" grabptr nograbptr grabalways nograbalways grablocal\n"
" client_input ssltimeout speeds wmdt debug_pointer dp\n"
" nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
" nodk keycode deferupdate defer setdefer wait_ui\n"
" wait_bog nowait_bog slow_fb xrefresh wait readtimeout\n"
" nap nonap sb screen_blank fbpm nofbpm dpms nodpms\n"
" clientdpms noclientdpms forcedpms noforcedpms\n"
" noserverdpms serverdpms noultraext ultraext chatwindow\n"
" nochatwindow chaton chatoff fs gaps grow fuzz snapfb\n"
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"

@ -34,7 +34,7 @@ char *enc_str = NULL;
int vencrypt_mode = VENCRYPT_SUPPORT;
int vencrypt_kx = VENCRYPT_BOTH;
int vencrypt_enable_plain_login = 0;
int tlsvnc_mode = TLSVNC_SUPPORT;
int anontls_mode = ANONTLS_SUPPORT;
int create_fresh_dhparams = 0;
char *dhparams_file = NULL;
int https_port_num = -1;

@ -34,7 +34,7 @@ extern char *enc_str;
extern int vencrypt_mode;
extern int vencrypt_kx;
extern int vencrypt_enable_plain_login;
extern int tlsvnc_mode;
extern int anontls_mode;
extern int create_fresh_dhparams;
extern char *dhparams_file;
extern int https_port_num;

@ -63,9 +63,9 @@
#define VENCRYPT_NODH 1
#define VENCRYPT_NOX509 2
#define TLSVNC_NONE 0
#define TLSVNC_SUPPORT 1
#define TLSVNC_SOLE 2
#define TLSVNC_FORCE 3
#define ANONTLS_NONE 0
#define ANONTLS_SUPPORT 1
#define ANONTLS_SOLE 2
#define ANONTLS_FORCE 3
#endif /* _X11VNC_PARAMS_H */

@ -327,6 +327,7 @@ int check_httpdir(void) {
if ((q = strrchr(prog, '/')) == NULL) {
rfbLog("check_httpdir: bad program path: %s\n", prog);
free(prog);
rfbLog("check_httpdir: *HTTP disabled* Use -httpdir path\n");
return 0;
}
@ -383,6 +384,7 @@ int check_httpdir(void) {
rfbLog("check_httpdir: bad guess:\n");
rfbLog(" %s\n", httpdir);
rfbLog("check_httpdir: *HTTP disabled* Use -httpdir path\n");
return 0;
}
}

@ -91,7 +91,7 @@ static void init_prng(void);
static void sslerrexit(void);
static char *get_input(char *tag, char **in);
static char *create_tmp_pem(char *path, int prompt);
static int ssl_init(int s_in, int s_out);
static int ssl_init(int s_in, int s_out, int skip_vnc_tls);
static void ssl_xfer(int csock, int s_in, int s_out, int is_https);
#ifndef FORK_OK
@ -142,6 +142,7 @@ char *get_saved_pem(char *save, int create) {
clean_up_exit(1);
}
cdir = get_Cert_dir(NULL, &tmp);
if (! cdir || ! tmp) {
rfbLog("get_saved_pem: could not find Cert dir.\n");
@ -156,8 +157,11 @@ char *get_saved_pem(char *save, int create) {
if (stat(path, &sbuf) != 0) {
char *new = NULL;
if (create) {
if (inetd || opts_bg) {
set_env("GENCERT_NOPROMPT", "1");
}
new = create_tmp_pem(path, prompt);
if (! getenv("X11VNC_SSL_NO_PASSPHRASE") && ! inetd) {
if (!getenv("X11VNC_SSL_NO_PASSPHRASE") && !inetd && !opts_bg) {
sslEncKey(new, 0);
}
}
@ -842,7 +846,7 @@ static int verify_callback(int ok, X509_STORE_CTX *callback_ctx) {
return 1;
}
#define rfbSecTypeTlsVnc 18
#define rfbSecTypeAnonTls 18
#define rfbSecTypeVencrypt 19
#define rfbVencryptPlain 256
@ -854,7 +858,7 @@ static int verify_callback(int ok, X509_STORE_CTX *callback_ctx) {
#define rfbVencryptX509Plain 262
static int vencrypt_selected = 0;
static int tlsvnc_selected = 0;
static int anontls_selected = 0;
static int ssl_client_mode = 0;
@ -946,8 +950,14 @@ void openssl_init(int isclient) {
mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
SSL_CTX_set_mode(ctx, mode);
#define ssl_cache 0
#if ssl_cache
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout(ctx, 300);
#else
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(ctx, 1);
#endif
ds = dnow();
if (! openssl_pem) {
@ -1255,16 +1265,31 @@ void ssl_helper_pid(pid_t pid, int sock) {
continue;
}
if (kill(helpers[i], 0) == 0) {
int kret = -2;
pid_t wret;
if (sock != -2) {
if (sockets[i] >= 0) {
close(sockets[i]);
}
kill(helpers[i], SIGTERM);
kret = kill(helpers[i], SIGTERM);
if (kret == 0) {
usleep(20 * 1000);
}
}
#if LIBVNCSERVER_HAVE_SYS_WAIT_H && LIBVNCSERVER_HAVE_WAITPID
if (db) fprintf(stderr, "waitpid(%d)\n", helpers[i]);
waitpid(helpers[i], &status, WNOHANG);
wret = waitpid(helpers[i], &status, WNOHANG);
if (kret == 0 && wret != helpers[i]) {
int k;
for (k=0; k < 10; k++) {
usleep(100 * 1000);
wret = waitpid(helpers[i], &status, WNOHANG);
if (wret == helpers[i]) {
break;
}
}
}
#endif
if (sock == -2) {
continue;
@ -1350,7 +1375,7 @@ static int is_ssl_readable(int s_in, time_t last_https, char *last_get,
* for each socket (and some clients send requests
* rapid fire).
*/
tv.tv_sec = 6;
tv.tv_sec = 6;
}
/*
@ -1358,9 +1383,9 @@ static int is_ssl_readable(int s_in, time_t last_https, char *last_get,
* recently:
*/
if (time(NULL) < last_https + 30) {
tv.tv_sec = 8;
tv.tv_sec = 10;
if (last_get && strstr(last_get, "VncViewer")) {
tv.tv_sec = 4;
tv.tv_sec = 5;
}
}
if (getenv("X11VNC_HTTPS_VS_VNC_TIMEOUT")) {
@ -1543,7 +1568,7 @@ int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
if (db) fprintf(stderr, "got applet input sock1: %d\n", sock1);
if (! ssl_init(sock1, sock1)) {
if (! ssl_init(sock1, sock1, 0)) {
if (db) fprintf(stderr, "ssl_init FAILED\n");
exit(1);
}
@ -1715,7 +1740,7 @@ void accept_openssl(int mode, int presock) {
char uniq[] = "_evilrats_";
char cookie[256], rcookie[256], *name = NULL;
int vencrypt_sel = 0;
int tlsvnc_sel = 0;
int anontls_sel = 0;
static time_t last_https = 0;
static char last_get[256];
static int first = 1;
@ -1832,7 +1857,7 @@ void accept_openssl(int mode, int presock) {
* but hard to guess exactly (just worrying about local lusers
* here, since we use INADDR_LOOPBACK).
*/
rb = (unsigned char *) malloc(6);
rb = (unsigned char *) calloc(6, 1);
RAND_bytes((char *)rb, 6);
sprintf(cookie, "RB=%d%d%d%d%d%d/%f%f/0x%x",
rb[0], rb[1], rb[2], rb[3], rb[4], rb[5],
@ -1915,6 +1940,7 @@ void accept_openssl(int mode, int presock) {
int i, have_httpd = 0;
int f_in = fileno(stdin);
int f_out = fileno(stdout);
int skip_vnc_tls = mode == OPENSSL_HTTPS ? 1 : 0;
if (db) fprintf(stderr, "helper pid in: %d %d %d %d\n", f_in, f_out, sock, listen);
@ -1962,7 +1988,7 @@ void accept_openssl(int mode, int presock) {
s_in = s_out = sock;
}
if (! ssl_init(s_in, s_out)) {
if (! ssl_init(s_in, s_out, skip_vnc_tls)) {
close(vncsock);
exit(1);
}
@ -1973,10 +1999,10 @@ void accept_openssl(int mode, int presock) {
sprintf(tbuf, "%s,VENCRYPT=%d,%s", uniq, vencrypt_selected, cookie);
write(vncsock, tbuf, strlen(cookie));
goto wrote_cookie;
} else if (tlsvnc_selected != 0) {
} else if (anontls_selected != 0) {
char *tbuf;
tbuf = (char *) malloc(strlen(cookie) + 100);
sprintf(tbuf, "%s,TLSVNC=%d,%s", uniq, tlsvnc_selected, cookie);
sprintf(tbuf, "%s,ANONTLS=%d,%s", uniq, anontls_selected, cookie);
write(vncsock, tbuf, strlen(cookie));
goto wrote_cookie;
}
@ -2005,7 +2031,7 @@ void accept_openssl(int mode, int presock) {
}
if (have_httpd) {
int n = 0, is_http;
int n = 0, is_http = 0;
int hport = screen->httpPort;
char *iface = NULL;
char *buf, *tbuf;
@ -2348,7 +2374,7 @@ void accept_openssl(int mode, int presock) {
char *q = strstr(rcookie, "RB=");
if (q && strstr(cookie, q) == cookie) {
vencrypt_sel = 0;
tlsvnc_sel = 0;
anontls_sel = 0;
q = strstr(rcookie, "VENCRYPT=");
if (q && sscanf(q, "VENCRYPT=%d,", &vencrypt_sel) == 1) {
if (vencrypt_sel != 0) {
@ -2356,10 +2382,10 @@ void accept_openssl(int mode, int presock) {
goto accept_client;
}
}
q = strstr(rcookie, "TLSVNC=");
if (q && sscanf(q, "TLSVNC=%d,", &tlsvnc_sel) == 1) {
if (tlsvnc_sel != 0) {
rfbLog("SSL: TLSVNC mode=%d accepted.\n", tlsvnc_sel);
q = strstr(rcookie, "ANONTLS=");
if (q && sscanf(q, "ANONTLS=%d,", &anontls_sel) == 1) {
if (anontls_sel != 0) {
rfbLog("SSL: ANONTLS mode=%d accepted.\n", anontls_sel);
goto accept_client;
}
}
@ -2508,7 +2534,7 @@ void accept_openssl(int mode, int presock) {
if (!finish_vencrypt_auth(client, vencrypt_sel)) {
rfbCloseClient(client);
}
} else if (tlsvnc_sel != 0) {
} else if (anontls_sel != 0) {
client->protocolMajorVersion = 3;
client->protocolMinorVersion = 8;
rfbAuthNewClient(client);
@ -2744,12 +2770,12 @@ static int switch_to_anon_dh(void) {
return 1;
}
static int tlsvnc_dialog(int s_in, int s_out) {
static int anontls_dialog(int s_in, int s_out) {
tlsvnc_selected = 1;
anontls_selected = 1;
if (!switch_to_anon_dh()) {
rfbLog("tlsvnc: Anonymous Diffie-Hellman failed.\n");
rfbLog("anontls: Anonymous Diffie-Hellman failed.\n");
return 0;
}
@ -2924,27 +2950,27 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
char buf[256];
vencrypt_selected = 0;
tlsvnc_selected = 0;
anontls_selected = 0;
if (vencrypt_mode == VENCRYPT_NONE && tlsvnc_mode == TLSVNC_NONE) {
if (vencrypt_mode == VENCRYPT_NONE && anontls_mode == ANONTLS_NONE) {
/* only normal SSL */
return 1;
}
if (ssl_client_mode) {
/* XXX check if this can be done in SSL client mode. */
if (vencrypt_mode == VENCRYPT_FORCE || tlsvnc_mode == TLSVNC_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/TLSVNC_FORCE prevents normal SSL\n");
if (vencrypt_mode == VENCRYPT_FORCE || anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/ANONTLS_FORCE prevents normal SSL\n");
return 0;
}
return 1;
}
if (ssl_verify && vencrypt_mode != VENCRYPT_FORCE && tlsvnc_mode == TLSVNC_FORCE) {
rfbLog("check_vnc_tls_mode: Cannot use TLSVNC_FORCE with -sslverify (Anon DH only)\n");
if (ssl_verify && vencrypt_mode != VENCRYPT_FORCE && anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: Cannot use ANONTLS_FORCE with -sslverify (Anon DH only)\n");
/* fallback to normal SSL */
return 1;
}
while (waited < 0.7) {
while (waited < 1.1) {
fd_set rfds;
FD_ZERO(&rfds);
FD_SET(s_in, &rfds);
@ -2962,8 +2988,8 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
if (input) {
/* got SSL client hello, can only assume normal SSL */
if (vencrypt_mode == VENCRYPT_FORCE || tlsvnc_mode == TLSVNC_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/TLSVNC_FORCE prevents normal SSL\n");
if (vencrypt_mode == VENCRYPT_FORCE || anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/ANONTLS_FORCE prevents normal SSL\n");
return 0;
}
return 1;
@ -2982,7 +3008,12 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
}
if (sscanf(buf, "RFB %03d.%03d\n", &major, &minor) != 2) {
rfbLog("check_vnc_tls_mode: abnormal handshake: '%s'\n", buf);
int i;
rfbLog("check_vnc_tls_mode: abnormal handshake: '%s'\nbytes: ", buf);
for (i=0; i < 12; i++) {
fprintf(stderr, "%x.", (int) buf[i]);
}
fprintf(stderr, "\n");
close(s_in); close(s_out);
return 0;
}
@ -2996,18 +3027,18 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
n = 1;
if (vencrypt_mode == VENCRYPT_FORCE) {
buf[n++] = rfbSecTypeVencrypt;
} else if (tlsvnc_mode == TLSVNC_FORCE && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc;
} else if (anontls_mode == ANONTLS_FORCE && !ssl_verify) {
buf[n++] = rfbSecTypeAnonTls;
} else if (vencrypt_mode == VENCRYPT_SOLE) {
buf[n++] = rfbSecTypeVencrypt;
} else if (tlsvnc_mode == TLSVNC_SOLE && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc;
} else if (anontls_mode == ANONTLS_SOLE && !ssl_verify) {
buf[n++] = rfbSecTypeAnonTls;
} else {
if (vencrypt_mode == VENCRYPT_SUPPORT) {
buf[n++] = rfbSecTypeVencrypt;
}
if (tlsvnc_mode == TLSVNC_SUPPORT && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc;
if (anontls_mode == ANONTLS_SUPPORT && !ssl_verify) {
buf[n++] = rfbSecTypeAnonTls;
}
}
@ -3026,7 +3057,7 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
}
if (buf[0] == rfbSecTypeVencrypt) stype = "VeNCrypt";
if (buf[0] == rfbSecTypeTlsVnc) stype = "TLSVNC";
if (buf[0] == rfbSecTypeAnonTls) stype = "ANONTLS";
rfbLog("check_vnc_tls_mode: reply: %d (%s)\n", (int) buf[0], stype);
@ -3051,8 +3082,8 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
if (sectype == rfbSecTypeVencrypt) {
return vencrypt_dialog(s_in, s_out);
} else if (sectype == rfbSecTypeTlsVnc) {
return tlsvnc_dialog(s_in, s_out);
} else if (sectype == rfbSecTypeAnonTls) {
return anontls_dialog(s_in, s_out);
} else {
return 0;
}
@ -3088,11 +3119,15 @@ static void pr_ssl_info(int verb) {
}
static void ssl_timeout (int sig) {
rfbLog("sig: %d, ssl_init timed out.\n", sig);
int i;
rfbLog("sig: %d, ssl_init[%d] timed out.\n", sig, getpid());
for (i=0; i < 256; i) {
close(i);
}
exit(1);
}
static int ssl_init(int s_in, int s_out) {
static int ssl_init(int s_in, int s_out, int skip_vnc_tls) {
unsigned char *sid = (unsigned char *) "x11vnc SID";
char *name;
int peerport = 0;
@ -3112,7 +3147,10 @@ static int ssl_init(int s_in, int s_out) {
}
if (db) fprintf(stderr, "ssl_init: %d/%d\n", s_in, s_out);
if (!check_vnc_tls_mode(s_in, s_out)) {
if (skip_vnc_tls) {
rfbLog("SSL: ssl_helper[%d]: HTTPS mode, skipping check_vnc_tls_mode()\n",
getpid(), name, peerport);
} else if (!check_vnc_tls_mode(s_in, s_out)) {
return 0;
}
@ -3305,7 +3343,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
time_t start;
int tv_https_early = 60;
int tv_https_later = 20;
int tv_vnc_early = 25;
int tv_vnc_early = 40;
int tv_vnc_later = 43200; /* was 300, stunnel: 43200 */
int tv_cutover = 70;
int tv_closing = 60;
@ -3374,7 +3412,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
cptr = 0; /* offsets into ABSIZE buffers */
sptr = 0;
if (vencrypt_selected > 0 || tlsvnc_selected > 0) {
if (vencrypt_selected > 0 || anontls_selected > 0) {
char tmp[16];
/* read and discard the extra RFB version */
memset(tmp, 0, sizeof(tmp));
@ -3501,8 +3539,8 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
}
continue;
}
rfbLog("SSL: ssl_xfer[%d]: connection timedout. %d\n",
getpid(), ndata);
rfbLog("SSL: ssl_xfer[%d]: connection timedout. %d tv_use: %d\n",
getpid(), ndata, tv_use);
/* connection finished */
return;
}

@ -394,7 +394,7 @@ char genCert[] =
" else\n"
" echo \"the key and pretend to be your VNC client. The downside is it is\"\n"
" fi\n"
" echo \"inconvenient because you will have to supply the passphrase every\"\n"
" echo \"inconvenient because you will need to supply the passphrase EVERY\"\n"
" if [ \"x$type\" = \"xserver\" ]; then\n"
" echo \"time you start x11vnc using this key.\"\n"
" else\n"
@ -402,9 +402,24 @@ char genCert[] =
" fi\n"
" echo \"\"\n"
" if [ \"X$GENCERT_NOPROMPT\" = \"X\" ]; then\n"
" printf \"Protect key with a passphrase? [y]/n \"\n"
" read x\n"
" x=\"\"\n"
" for tp in 1 2 3\n"
" do\n"
" printf \"Protect key with a passphrase? y/n \"\n"
" read x\n"
" x=`echo \"$x\" | tr 'A-Z' 'a-z' | sed -e 's/[ ]//g'`\n"
" if [ \"X$x\" = \"Xy\" -o \"X$x\" = \"Xn\" ]; then\n"
" break;\n"
" else \n"
" echo \"Please reply with \\\"y\\\" or \\\"n\\\".\"\n"
" fi\n"
" done\n"
" if [ \"X$x\" != \"Xy\" -a \"X$x\" != \"Xn\" ]; then\n"
" echo \"Assuming reply \\\"n\\\".\"\n"
" x=n\n"
" fi\n"
" else\n"
" echo \"NOT protecting private key with passphrase.\"\n"
" x=n\n"
" fi\n"
" estr=\" *unencrypted*\"\n"
@ -1273,12 +1288,17 @@ char create_display[] =
"\n"
"findfree() {\n"
" try=20\n"
" sry=99\n"
" if [ \"X$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\" != \"X\" ]; then\n"
" try=$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\n"
" sry=`expr $try + 99`\n"
" fi\n"
" n=\"\"\n"
" nsout=\"\"\n"
" if [ \"X$have_netstat\" != \"X\" ]; then\n"
" nsout=`$have_netstat -an`\n"
" fi\n"
" while [ $try -lt 99 ]\n"
" while [ $try -lt $sry ]\n"
" do\n"
" if [ ! -f \"/tmp/.X${try}-lock\" ]; then\n"
" if echo \"$nsout\" | grep \"/tmp/.X11-unix/X${try}[ ]*\\$\" > /dev/null; then\n"
@ -1517,6 +1537,7 @@ char create_display[] =
" sess=\"env $sess\"\n"
" fi\n"
" redir_daemon=`echo \"$redir_daemon\" | sed -e 's/^,*//'`\n"
" echo \"redir_daemon=$redir_daemon\" 1>&2\n"
"}\n"
"\n"
"rchk() {\n"
@ -1730,12 +1751,13 @@ char create_display[] =
"# fi\n"
"\n"
" if [ \"X$redir_daemon\" != \"X\" -a \"X$result\" = \"X1\" ]; then\n"
" redir_daemon=`echo \"$redir_daemon\" | sed -e 's|[^A-z0-9:,/]||g'`\n"
" redir_daemon=`echo \"$redir_daemon\" | sed -e 's/[~!$&*()|;?<>\"]//g' -e \"s/'//g\"`\n"
" xprog=$X11VNC_PROG\n"
" if [ \"X$xprog\" = \"X\" ]; then\n"
" xprog=x11vnc\n"
" fi\n"
" $have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd $redir_daemon\" 2>.tsd.log.$USER 1>&2 &\n"
" echo \"running: $xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon'\" 1>&2\n"
" $have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon' &\" 2>.tsd.log.$USER 1>&2 &\n"
" fi\n"
"}\n"
"\n"
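Review bot: The redir_daemon filter in the last hunk moved from an allowlist to a denylist (`sed -e 's/[~!$&*()|;?<>"]//g' -e "s/'//g"`) that still lets through backtick, backslash and newline, so what now keeps the value inert in the `sh -c "... -tsd '$redir_daemon' &"` line is only the single quoting plus the stripping of `'`; that dependency should be stated next to the sed, e.g. `# keep in sync with the single quotes around -tsd below: removing ' is what makes that quoting safe`. An allowlist of the characters the -tsd value actually needs (the old `[^A-z0-9:,/]` had the right idea, but the `A-z` range also admits backslash, backtick, `[`, `]`, `^` and `_`) would not rely on the quoting at all. In the findfree hunk, `try=$X11VNC_CREATE_STARTING_DISPLAY_NUMBER` feeds `expr`, a lock-file path and a grep pattern without any check that it is a non-negative integer; a `case "$X11VNC_CREATE_STARTING_DISPLAY_NUMBER" in ''|*[!0-9]*) ;; *) try=$X11VNC_CREATE_STARTING_DISPLAY_NUMBER ;; esac` guard would reject malformed values. Both shell functions continue outside the hunks shown.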

@ -414,6 +414,7 @@ Tuning
grow:
fuzz:
wait_ui:
setdefer:
nowait_bog
slow_fb:
xrefresh:
@ -6460,8 +6461,11 @@ proc do_port_prompt {} {
vncviewer $hn:0
vncviewer $hn:1
etc.
Your firewall may block incoming connections to TCP ports;
if it does you may need to reconfigure it.
You may also set some additional parameters:
You can also set some additional parameters:
- Enable SSL encryption.
(requires an SSL enabled vncviewer, such as SSVNC)
@ -6477,9 +6481,24 @@ proc do_port_prompt {} {
wm protocol . WM_DELETE_WINDOW "destroy .; exit"
wm protocol .pp WM_DELETE_WINDOW "destroy .pp; exit"
label .pp.m -text "$text" -justify left -font $ffont
label .pp.m -text "$text" -relief ridge -justify left -font $ffont
global tk_version
set tkold 0
if [info exists tk_version] {
if [regexp {^8\.[0-3]$} $tk_version] {
set tkold 1
}
if [regexp {^[3-7]\.} $tk_version] {
set tkold 1
}
}
frame .pp.f -bd 1 -relief ridge -pady 2
if {$tkold} {
frame .pp.f -bd 1 -relief ridge
} else {
frame .pp.f -bd 1 -relief ridge -pady 2
}
label .pp.f.l -text "Port: "
entry .pp.f.e -width 8 -textvariable port_set
global enable_ssl; set enable_ssl 0
@ -6495,7 +6514,11 @@ proc do_port_prompt {} {
pack .pp.f.l .pp.f.e -side left
pack .pp.f.loc .pp.f.ssl -side right
frame .pp.t -bd 1 -relief ridge -pady 2
if {$tkold} {
frame .pp.t -bd 1 -relief ridge
} else {
frame .pp.t -bd 1 -relief ridge -pady 2
}
global file_transfer; set file_transfer "none"
if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {
set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)
@ -7077,7 +7100,7 @@ proc check_setpasswd {} {
set m "${m} 'Apply' to allow incoming connections.\n"
set m "${m}\n"
set m "${m} The passwords are only for this x11vnc\n"
set m "${m} session and are not saved. Run x11vnc\n"
set m "${m} session and are not saved. Run x11vnc\n"
set m "${m} manually for more control.\n"
set m "${m}\n"
set m "${m} See 'Help' for details on each option.\n"

@ -425,6 +425,7 @@ char gui_code[] = "";
" grow:\n"
" fuzz:\n"
" wait_ui:\n"
" setdefer:\n"
" nowait_bog\n"
" slow_fb:\n"
" xrefresh:\n"
@ -6471,8 +6472,11 @@ char gui_code[] = "";
" vncviewer $hn:0\n"
" vncviewer $hn:1\n"
" etc.\n"
"\n"
" Your firewall may block incoming connections to TCP ports;\n"
" if it does you may need to reconfigure it. \n"
" \n"
" You may also set some additional parameters:\n"
" You can also set some additional parameters:\n"
"\n"
" - Enable SSL encryption.\n"
" (requires an SSL enabled vncviewer, such as SSVNC) \n"
@ -6488,9 +6492,24 @@ char gui_code[] = "";
" wm protocol . WM_DELETE_WINDOW \"destroy .; exit\"\n"
" wm protocol .pp WM_DELETE_WINDOW \"destroy .pp; exit\"\n"
"\n"
" label .pp.m -text \"$text\" -justify left -font $ffont\n"
" label .pp.m -text \"$text\" -relief ridge -justify left -font $ffont\n"
"\n"
" global tk_version\n"
" set tkold 0\n"
" if [info exists tk_version] {\n"
" if [regexp {^8\\.[0-3]$} $tk_version] {\n"
" set tkold 1\n"
" }\n"
" if [regexp {^[3-7]\\.} $tk_version] {\n"
" set tkold 1\n"
" }\n"
" }\n"
"\n"
" frame .pp.f -bd 1 -relief ridge -pady 2\n"
" if {$tkold} {\n"
" frame .pp.f -bd 1 -relief ridge\n"
" } else {\n"
" frame .pp.f -bd 1 -relief ridge -pady 2\n"
" }\n"
" label .pp.f.l -text \"Port: \"\n"
" entry .pp.f.e -width 8 -textvariable port_set\n"
" global enable_ssl; set enable_ssl 0\n"
@ -6506,7 +6525,11 @@ char gui_code[] = "";
" pack .pp.f.l .pp.f.e -side left\n"
" pack .pp.f.loc .pp.f.ssl -side right\n"
"\n"
" frame .pp.t -bd 1 -relief ridge -pady 2\n"
" if {$tkold} {\n"
" frame .pp.t -bd 1 -relief ridge\n"
" } else {\n"
" frame .pp.t -bd 1 -relief ridge -pady 2\n"
" }\n"
" global file_transfer; set file_transfer \"none\"\n"
" if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {\n"
" set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)\n"
@ -7088,7 +7111,7 @@ char gui_code[] = "";
" set m \"${m} 'Apply' to allow incoming connections.\\n\" \n"
" set m \"${m}\\n\" \n"
" set m \"${m} The passwords are only for this x11vnc\\n\" \n"
" set m \"${m} session and are not saved. Run x11vnc\\n\" \n"
" set m \"${m} session and are not saved. Run x11vnc\\n\" \n"
" set m \"${m} manually for more control.\\n\" \n"
" set m \"${m}\\n\" \n"
" set m \"${m} See 'Help' for details on each option.\\n\" \n"

@ -224,12 +224,12 @@ static char **user_list(char *user_str) {
n++;
}
}
list = (char **) malloc((n+1)*sizeof(char *));
list = (char **) calloc((n+1)*sizeof(char *), 1);
p = strtok(user_str, ",");
i = 0;
while (p) {
list[i++] = p;
list[i++] = strdup(p);
p = strtok(NULL, ",");
}
list[i] = NULL;
@ -327,6 +327,8 @@ static int lurk(char **users) {
gid_t gid;
int success = 0, dmin = -1, dmax = -1;
char *p, *logins, **u;
char **list;
int lind;
if ((u = users) != NULL && *u != NULL && *(*u) == ':') {
int len;
@ -402,12 +404,23 @@ static int lurk(char **users) {
} else {
logins = get_login_list(1);
}
list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
lind = 0;
p = strtok(logins, ",");
while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, ",");
}
free(logins);
lind = 0;
while (list[lind] != NULL) {
char *user, *name, *home, dpystr[10];
char *q, *t;
int ok = 1, dn;
p = list[lind++];
t = strdup(p); /* bob:0 */
q = strchr(t, ':');
@ -442,7 +455,6 @@ static int lurk(char **users) {
}
if (! ok) {
p = strtok(NULL, ",");
continue;
}
@ -464,10 +476,14 @@ static int lurk(char **users) {
if (success) {
break;
}
}
p = strtok(NULL, ",");
lind = 0;
while (list[lind] != NULL) {
free(list[lind]);
lind++;
}
free(logins);
return success;
}
@ -502,6 +518,8 @@ static int guess_user_and_switch(char *str, int fb_mode) {
char *dstr, *d;
char *p, *tstr = NULL, *allowed = NULL, *logins, **users = NULL;
int dpy1, ret = 0;
char **list;
int lind;
RAWFB_RET(0)
@ -528,11 +546,22 @@ static int guess_user_and_switch(char *str, int fb_mode) {
/* loop over the utmpx entries looking for this display */
logins = get_login_list(1);
list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
lind = 0;
p = strtok(logins, ",");
while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, ",");
}
lind = 0;
while (list[lind] != NULL) {
char *user, *q, *t;
int dpy2, ok = 1;
p = list[lind++];
t = strdup(p);
q = strchr(t, ':');
if (! q) {
@ -559,7 +588,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
if (! ok) {
free(t);
p = strtok(NULL, ",");
continue;
}
if (switch_user(user, fb_mode)) {
@ -568,8 +596,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
ret = 1;
break;
}
p = strtok(NULL, ",");
}
if (tstr) {
free(tstr);
@ -1479,6 +1505,7 @@ static void loop_for_connect(int did_client_connect) {
}
if (use_openssl && !inetd) {
check_openssl();
check_https();
/*
* This is to handle an initial verify cert from viewer,
* they disconnect right after fetching the cert.
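Review bot: `logins` is freed twice in lurk() on the new side: the `free(logins);` added just after the token-copy loop and the pre-existing `free(logins);` before `return success;`, which from its position after the added cleanup loop reads as a context line that survived the change. The second free should become `free(list);`, which also releases the pointer array that the new loop only empties. guess_user_and_switch() makes the same `list` copy after `logins = get_login_list(1);` but none of its visible hunks frees the entries or the array, so a matching `free(list[lind])` loop plus `free(list)` is needed before it returns; the function's end is outside the hunks shown, as are the starts of both functions.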

@ -177,9 +177,9 @@ static double scr_key_bdpush_time, scr_mouse_bdpush_time;
static void parse_scroll_copyrect_str(char *scr) {
char *p, *str;
int i;
char *part[10];
char *part[16];
for (i=0; i<10; i++) {
for (i=0; i<16; i++) {
part[i] = NULL;
}
@ -194,6 +194,7 @@ static void parse_scroll_copyrect_str(char *scr) {
while (p) {
part[i++] = strdup(p);
p = strtok(NULL, ",");
if (i >= 16) break;
}
free(str);
@ -301,9 +302,9 @@ static char *wireframe_mods = NULL;
static void parse_wireframe_str(char *wf) {
char *p, *str;
int i;
char *part[10];
char *part[16];
for (i=0; i<10; i++) {
for (i=0; i<16; i++) {
part[i] = NULL;
}
@ -327,6 +328,7 @@ static void parse_wireframe_str(char *wf) {
while (p) {
part[i++] = strdup(p);
p = strtok(NULL, ",");
if (i >= 16) break;
}
free(str);
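Review bot: The bound 16 is now written three times in each function (`char *part[16];`, `for (i=0; i<16; i++)`, `if (i >= 16) break;`), in parse_scroll_copyrect_str and again in parse_wireframe_str; one named constant such as `enum { MAX_PARTS = 16 };` (constructed name) used for the array size, the initializer loop and the guard keeps them from drifting apart, which is exactly the overflow the guard was added to stop. The guard itself is placed correctly (the write at index 15 happens before `i` reaches 16), but the truncation is silent, so a comment like `/* fields beyond MAX_PARTS are ignored */` or an rfbLog when the break fires would tell a user why a long option string loses its tail. Both function bodies continue past the hunks shown.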

@ -333,10 +333,7 @@ char **create_str_list(char *cslist) {
}
/* the extra last one holds NULL */
list = (char **) malloc( (n+1)*sizeof(char *) );
for(i=0; i < n+1; i++) {
list[i] = NULL;
}
list = (char **) calloc((n+1)*sizeof(char *), 1);
p = strtok(str, ",");
i = 0;
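Review bot: `calloc((n+1)*sizeof(char *), 1)` passes the byte total as the element count and 1 as the element size, which gives up the count × size overflow check that calloc exists to provide; the conventional form is `list = (char **) calloc(n+1, sizeof(char *));`. The same inverted call is introduced in the user_list, lurk and guess_user_and_switch hunks earlier on this page, where the count is also one pointer per input character (`strlen(logins)+2`) rather than per token, which is safe but worth a one-line comment so the oversizing is not mistaken for a bug. create_str_list starts and ends outside the hunk.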

@ -1,8 +1,8 @@
.\" This file was automatically generated from x11vnc -help output.
.TH X11VNC "1" "November 2008" "x11vnc " "User Commands"
.TH X11VNC "1" "December 2008" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
version: 0.9.6, lastmod: 2008-11-22
version: 0.9.6, lastmod: 2008-12-08
.SH SYNOPSIS
.B x11vnc
[OPTION]...
@ -79,10 +79,12 @@ man pages for more info.
.PP
\fB-N\fR
.IP
If the X display is :N, try to set the VNC display
to also be :N This just sets the \fB-rfbport\fR option
to 5900+N. The program will exit immediately if that
port is not available.
If the X display is :N, try to set the VNC display to
also be :N This just sets the \fB-rfbport\fR option to 5900+N
The program will exit immediately if that port is not
available. The \fB-N\fR option only works with normal \fB-display\fR
usage, e.g. :0 or :8, \fB-N\fR is ignored in the \fB-display\fR
WAIT:..., \fB-create,\fR \fB-find,\fR \fB-svc,\fR \fB-redirect,\fR etc modes.
.PP
\fB-autoport\fR \fIn\fR
.IP
@ -1156,13 +1158,13 @@ If 0 <= port < 200 it is taken as a VNC display (5900 is
added to get the actual port), if port < 0 then \fB-port\fR
is used.
.IP
Probably the only reason to use the \fB-redirect\fR option is
in conjunction with SSL support, e.g. \fB-ssl,\fR \fB-ssl\fR SAVE.
Probably the only reason to use the \fB-redirect\fR option
is in conjunction with SSL support, e.g. \fB-ssl\fR SAVE.
This provides an easy way to add SSL encryption to a VNC
server that does not support SSL (e.g. Xvnc or vnc.so)
In fact, the protocol does not even need to be VNC,
and so "\fB-ssl\fR \fISAVE \fB-redirect\fR host:port\fR" can act as a
replacement for
and so "\fB-rfbport\fR \fIport1 \fB-ssl\fR SAVE \fB-redirect\fR host:port2\fR"
can act as a replacement for
.IR stunnel (1).
.IP
This mode only allows one redirected connection.
@ -1304,6 +1306,9 @@ find one it will try to *start* up an X server session
for the user. This is the only time x11vnc tries to
actually start up an X server.
.IP
It will start looking for an open display number at :20
Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n
.IP
By default FINDCREATEDISPLAY will try Xdummy and then
Xvfb:
.IP
@ -1429,14 +1434,14 @@ logged into the X console.
The VeNCrypt extension to the VNC protocol allows
encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
enabled, then VeNCrypt is enabled as well BY DEFAULT
(they both use the SSL/TLS tunnel, only the protocol
(they both use a SSL/TLS tunnel, only the protocol
handshake is a little different.)
.IP
To control when and how VeNCrypt is used, specify the
mode string. If mode is "never", then VeNCrypt is
not used. If mode is "support" (the default) then
VeNCrypt is supported. If mode is "only", then the
similar and older TLSVNC protocol is not simultaneously
similar and older ANONTLS protocol is not simultaneously
supported. x11vnc's normal SSL mode (vncs://) will be
supported under \fB-ssl\fR unless you set mode to "force".
.IP
@ -1446,14 +1451,16 @@ with "nox509:", then X509 key exchange is disabled.
.IP
To disable all Anonymous Diffie-Hellman access
(susceptible to Man-In-The-Middle attack) you will need
to supply "\fB-vencrypt\fR \fInodh:support \fB-tlsvnc\fR never\fR"
to supply "\fB-vencrypt\fR \fInodh:support \fB-anontls\fR never\fR"
or "\fB-vencrypt\fR \fInodh:only\fR"
.IP
If mode is prefixed with "newdh:", then new Diffie
Hellman parameters are generated for each connection
(this can be time consuming: 1-60 secs) rather than
using the fixed values in the program. Using fixed,
publicly known values is not known to be a security
problem. This setting applies to TLSVNC as well.
(this can be time consuming: 1-60 secs; see \fB-dhparams\fR
below for a faster way) rather than using the
fixed values in the program. Using fixed, publicly
known values is not known to be a security problem.
This setting applies to ANONTLS as well.
.IP
Long example: \fB-vencrypt\fR newdh:nox509:support
.IP
@ -1466,17 +1473,25 @@ provided.
You *MUST* supply the \fB-ssl\fR option for VeNCrypt to be
active. This option only fine-tunes its operation.
.PP
\fB-tlsvnc\fR \fImode\fR
\fB-anontls\fR \fImode\fR
.IP
The TLSVNC extension to the VNC protocol allows
The ANONTLS extension to the VNC protocol allows
encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
enabled, then TLSVNC is enabled as well BY DEFAULT
(they both use the SSL/TLS tunnel, only the protocol
enabled, then ANONTLS is enabled as well BY DEFAULT
(they both use a SSL/TLS tunnel, only the protocol
handshake is a little different.)
.IP
To control when and how TLSVNC is used, specify the
mode string. If mode is "never", then TLSVNC is not
used. If mode is "support" (the default) then TLSVNC
ANONTLS is an older SSL/TLS mode introduced by vino.
.IP
It is referred to as 'TLS' for its registered VNC
security-type name, but we use the more descriptive
\'ANONTLS' here because it provides only Anonymous
Diffie-Hellman encrypted connections, and hence no
possibility for certificate authentication.
.IP
To control when and how ANONTLS is used, specify the
mode string. If mode is "never", then ANONTLS is not
used. If mode is "support" (the default) then ANONTLS
is supported. If mode is "only", then the similar
VeNCrypt protocol is not simultaneously supported.
x11vnc's normal SSL mode (vncs://) will be supported
@ -1484,25 +1499,33 @@ under \fB-ssl\fR unless you set mode to "force".
.IP
If mode is prefixed with "newdh:", then new Diffie
Hellman parameters are generated for each connection
(this can be time consuming: 1-60 secs) rather than
using the fixed values in the program. Using fixed,
publicly known values is not known to be a security
problem. This setting applies to VeNCrypt as well.
See the description of "plain:" under \fB-vencrypt.\fR
(this can be time consuming: 1-60 secs; see \fB-dhparams\fR
below for a faster way) rather than using the
fixed values in the program. Using fixed, publicly
known values is not known to be a security problem.
This setting applies to VeNCrypt as well. See the
description of "plain:" under \fB-vencrypt.\fR
.IP
Long example: \fB-tlsvnc\fR newdh:plain:support
Long example: \fB-anontls\fR newdh:plain:support
.IP
You *MUST* supply the \fB-ssl\fR option for TLSVNC to be
You *MUST* supply the \fB-ssl\fR option for ANONTLS to be
active. This option only fine-tunes its operation.
.PP
\fB-sslonly\fR
.IP
Same as: "\fB-vencrypt\fR \fInever \fB-anontls\fR never\fR" i.e. it
disables the VeNCrypt and ANONTLS encryption methods
and only allows standard SSL tunneling. You must also
supply the \fB-ssl\fR ... option (see below.)
.PP
\fB-dhparams\fR \fIfile\fR
.IP
For some operations a set of Diffie Hellman parameters
(prime and generator) is needed. If so, use the
parameters in \fIfile\fR. In particular, the VeNCrypt and
TLSVNC anonymous DH mode need them. By default a
ANONTLS anonymous DH mode need them. By default a
fixed set is used. If you do not want to do that you
can specify "newdh:" to the \fB-vencrypt\fR and \fB-tlsvnc\fR
can specify "newdh:" to the \fB-vencrypt\fR and \fB-anontls\fR
options to generate a new set each session. If that
is too slow for you, use \fB-dhparams\fR file to a set you
created manually via "openssl dhparam \fB-out\fR file 1024"
@ -1528,55 +1551,88 @@ ideas on how to enable SSL support for the viewer:
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
x11vnc provides an SSL enabled Java viewer applet in
the classes/ssl directory (-http or \fB-httpdir\fR options.)
The SSVNC viewer package supports SSL too.
The SSVNC viewer package supports SSL tunnels too.
.IP
If the VNC Viewer supports VeNCrypt or ANONTLS (vino's
encryption mode) they are also supported by the \fB-ssl\fR
mode (see the \fB-vencrypt\fR and \fB-anontls\fR options for more
info; use \fB-sslonly\fR to disable both of them.)
.IP
[pem] is optional, use "\fB-ssl\fR \fI/path/to/mycert.pem\fR" to
specify a PEM certificate file to use to identify and
Use "\fB-ssl\fR \fI/path/to/mycert.pem\fR" to specify an SSL
certificate file in PEM format to use to identify and
provide a key for this server. See
.IR openssl (1)
for more
info about PEMs and the \fB-sslGenCert\fR and "\fB-ssl\fR \fISAVE\fR"
options below for how to create them.
.IP
The connecting VNC viewer SSL tunnel can (optionally)
authenticate this server if they have the public key
part of the certificate (or a common certificate
authority, CA, is a more sophisticated way to
verify this server's cert, see \fB-sslGenCA\fR below).
This is used to prevent Man-In-The-Middle attacks.
Otherwise, if the VNC viewer accepts this server's
key WITHOUT verification, the traffic is protected
from passive sniffing on the network, but *NOT* from
The connecting VNC viewer SSL tunnel can (at its option)
authenticate this server if it has the public key part
of the certificate (or a common certificate authority,
CA, is a more sophisticated way to verify this server's
cert, see \fB-sslGenCA\fR below). This authentication is
done to prevent Man-In-The-Middle attacks. Otherwise,
if the VNC viewer simply accepts this server's key
WITHOUT verification, the traffic is protected from
passive sniffing on the network, but *NOT* from
Man-In-The-Middle attacks. There are hacker tools
like dsniff/webmitm and cain that implement SSL
Man-In-The-Middle attacks.
.IP
If [pem] is not supplied and the
If [pem] is empty or the string "SAVE" then the
.IR openssl (1)
command must be available to generate the
certificate the first time. A self-signed certificate
is generated (see \fB-sslGenCA\fR and \fB-sslGenCert\fR for use
of a Certificate Authority.) It will be saved to the
file ~/.vnc/certs/server.pem. On subsequent calls if
that file already exists it will be used directly.
.IP
Use "SAVE_NOPROMPT" to avoid being prompted to
protect the generated key with a passphrase. However in
\fB-inetd\fR and \fB-bg\fR modes there will be no prompting for a
passphrase in either case.
.IP
If [pem] is "SAVE_PROMPT" the server.pem certificate
will be created based on your answers to its prompts for
all info such as OrganizationalName, CommonName, etc.
.IP
Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
to refer to the file ~/.vnc/certs/server-<string>.pem
instead (it will be generated if it does not already
exist). E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
.IP
Examples: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
x11vnc \fB-ssl\fR SAVE-someother \fB-display\fR :0 ...
.IP
If [pem] is "TMP" and the
.IR openssl (1)
utility
command exists in PATH, then a temporary, self-signed
certificate will be generated for this session
(this may take 5-30 seconds on very slow machines).
If
certificate will be generated for this session. If
.IR openssl (1)
cannot be used to generate a temporary
certificate x11vnc exits immediately.
certificate x11vnc exits immediately. The temporary
cert will be discarded when x11vnc exits.
.IP
If successful in using
.IR openssl (1)
to generate a
temporary certificate, the public part of it will be
displayed to stderr (e.g. one could copy it to the
client-side to provide authentication of the server to
VNC viewers.)
.IP
NOTE: Unless you safely copy the public part of the
temporary Cert to the viewer for authenticate *every
time* (unlikely...), then only passive sniffing
attacks are prevented and you are still open to
Man-In-The-Middle attacks. See the following
paragraphs for how to save keys to reuse them when
x11vnc is restarted. With saved keys AND the VNC viewer
authenticating them by using the public certificate,
then Man-In-The-Middle attacks are prevented.
temporary certificate in "SAVE" or "TMP" creation
modes, the public part of it will be displayed to stderr
(e.g. one could copy it to the client-side to provide
authentication of the server to VNC viewers.)
.IP
NOTE: In "TMP" mode, unless you safely copy the
public part of the temporary Cert to the viewer for
authenticate *every time* (unlikely...), then only
passive sniffing attacks are prevented and you are
still open to Man-In-The-Middle attacks. This is
why the default "SAVE" mode is preferred (and more
sophisticated CA mode too). Only with saved keys AND
the VNC viewer authenticating them (via the public
certificate), are Man-In-The-Middle attacks prevented.
.IP
If [pem] is "ANON" then the Diffie-Hellman anonymous
key exchange method is used. In this mode there
@ -1585,34 +1641,16 @@ to authenticate either the VNC server or VNC client.
Thus only passive network sniffing attacks are avoided:
the "ANON" method is susceptible to Man-In-The-Middle
attacks. "ANON" is not recommended; instead use
a SSL PEM you created or the "SAVE" method in the
next paragraph.
.IP
If [pem] is "SAVE" then the certificate will be saved
to the file ~/.vnc/certs/server.pem, or if that file
exists it will be used directly. Similarly, if [pem]
is "SAVE_PROMPT" the server.pem certificate will be
made based on your answers to its prompts for info such
as OrganizationalName, CommonName, etc.
.IP
We expect most users to use "\fB-ssl\fR \fISAVE\fR".
.IP
Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
to refer to the file ~/.vnc/certs/server-<string>.pem
instead. E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
.IP
Examples: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
x11vnc \fB-ssl\fR SAVE-other \fB-display\fR :0 ...
a SSL PEM you created or the defaut "SAVE" method.
.IP
See \fB-ssldir\fR below to use a directory besides the
default ~/.vnc/certs
.IP
Misc Info: In temporary cert creation mode, set the
env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out
the entire certificate, including the PRIVATE KEY part,
to stderr. There are better ways to get/save this info.
See "SAVE" above and "\fB-sslGenCert\fR" below.
Misc Info: In temporary cert creation mode "TMP", set
the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print
out the entire certificate, including the PRIVATE KEY
part, to stderr. There are better ways to get/save this
info. See "SAVE" above and "\fB-sslGenCert\fR" below.
.PP
\fB-ssltimeout\fR \fIn\fR
.IP
@ -1665,7 +1703,7 @@ to replace standard password authentication of clients.
.IP
If [path] is a directory it contains the client (or CA)
certificates in separate files. If [path] is a file,
it contains multiple certificates. See special tokens
it contains one or more certificates. See special tokens
below. These correspond to the "CApath = dir" and
"CAfile = file" stunnel options. See the
.IR stunnel (8)
@ -1727,19 +1765,19 @@ VNC-ing with x11vnc. (note that they require
.IR openssl (1)
be installed on the system)
.IP
However, the simplest usage mode (where x11vnc
automatically generates its own, self-signed, temporary
key and the VNC viewers always accept it, e.g. accepting
via a dialog box) is probably safe enough for most
scenarios. CA management is not needed.
However, the simplest usage mode, "\fB-ssl\fR \fITMP\fR" (where
x11vnc automatically generates its own, self-signed,
temporary key and the VNC viewers always accept it,
e.g. accepting via a dialog box) is probably safe enough
for most scenarios. CA management is not needed.
.IP
To protect against Man-In-The-Middle attacks the
simplest mode can be improved by using "\fB-ssl\fR \fISAVE\fR"
to have x11vnc create a longer term self-signed
certificate, and then (safely) copy the corresponding
public key cert to the desired client machines (care
must be taken the private key part is not stolen;
you will be prompted for a passphrase).
To protect against Man-In-The-Middle attacks the "TMP"
mode can be improved by using "\fB-ssl\fR \fISAVE\fR" (same as
"\fB-ssl\fR", i.e. the default) to have x11vnc create a
longer term self-signed certificate, and then (safely)
copy the corresponding public key cert to the desired
client machines (care must be taken the private key part
is not stolen; you will be prompted for a passphrase).
.IP
So keep in mind no CA key creation or management
(-sslGenCA and \fB-sslGenCert)\fR is needed for either of
@ -1766,7 +1804,7 @@ key files. On the VNC client side, they will need to
be "imported" somehow. Web browsers have "Manage
Certificates" actions as does the Java applet plugin
Control Panel. stunnel can also use these files (see
the ss_vncviewer example script in the FAQ.)
the ss_vncviewer example script in the FAQ and SSVNC.)
.PP
\fB-sslCRL\fR \fIpath\fR
.IP
@ -3898,6 +3936,8 @@ are moving the mouse or typing. Default: 2.00
When the \fB-wait_ui\fR mechanism cuts down the wait time ms,
set the defer time to the same ms value. n=1 to enable,
0 to disable, and -1 to set defer to 0 (no delay).
Similarly, 2 and -2 indicate 'urgent_update' mode should
be used to push the updates even sooner. Default: 1
.PP
\fB-nowait_bog\fR
.IP
@ -3912,10 +3952,11 @@ no user input), and sleep up to 1.5 secs to let things
.PP
\fB-slow_fb\fR \fItime\fR
.IP
Floating point time in seconds delay all screen polling.
For special purpose usage where a low frame rate is
acceptable and desirable, but you want the user input
processed at the normal rate so you cannot use \fB-wait.\fR
Floating point time in seconds to delay all screen
polling. For special purpose usage where a low frame
rate is acceptable and desirable, but you want the
user input processed at the normal rate so you cannot
use \fB-wait.\fR
.PP
\fB-xrefresh\fR \fItime\fR
.IP
@ -5219,6 +5260,8 @@ wait:n set \fB-wait\fR to n ms.
.IP
wait_ui:f set \fB-wait_ui\fR factor to f.
.IP
setdefer:n set \fB-setdefer\fR to \fB-2,-1,0,1,\fR or 2.
.IP
wait_bog disable \fB-nowait_bog\fR mode.
.IP
nowait_bog enable \fB-nowait_bog\fR mode.
@ -5476,15 +5519,15 @@ nowireframe nowf wireframelocal wfl nowireframelocal
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr
fixscreen noxrecord xrecord reset_record pointer_mode
pm input_skip allinput noallinput input grabkbd
nograbkbd grabptr nograbptr grabalways nograbalways
grablocal client_input ssltimeout speeds wmdt
debug_pointer dp nodebug_pointer nodp debug_keyboard
dk nodebug_keyboard nodk keycode deferupdate defer
wait_ui wait_bog nowait_bog slow_fb xrefresh wait
readtimeout nap nonap sb screen_blank fbpm nofbpm dpms
nodpms clientdpms noclientdpms forcedpms noforcedpms
fixscreen noxrecord xrecord reset_record pointer_mode pm
input_skip allinput noallinput input grabkbd nograbkbd
grabptr nograbptr grabalways nograbalways grablocal
client_input ssltimeout speeds wmdt debug_pointer dp
nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
nodk keycode deferupdate defer setdefer wait_ui
wait_bog nowait_bog slow_fb xrefresh wait readtimeout
nap nonap sb screen_blank fbpm nofbpm dpms nodpms
clientdpms noclientdpms forcedpms noforcedpms
noserverdpms serverdpms noultraext ultraext chatwindow
nochatwindow chaton chatoff fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset

@ -243,6 +243,7 @@ void set_redir_properties(void);
#define TSMAX 32
#define TSSTK 16
void terminal_services(char *list) {
int i, j, n = 0, db = 1;
char *p, *q, *r, *str = strdup(list);
@ -257,6 +258,10 @@ void terminal_services(char *list) {
char num[32];
time_t last_clean = time(NULL);
if (getenv("TS_REDIR_DEBUG")) {
db = 2;
}
if (! dpy) {
return;
}
@ -268,6 +273,8 @@ void terminal_services(char *list) {
PropModeReplace, (unsigned char *)list, strlen(list));
XSync(dpy, False);
}
if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d.\n");
for (i=0; i<TASKMAX; i++) {
ts_tasks[i] = 0;
}
@ -544,12 +551,19 @@ void do_tsd(void) {
char *cmd;
int n, sz = 0;
char *disp = DisplayString(dpy);
int db = 0;
if (getenv("TS_REDIR_DEBUG")) {
db = 1;
}
if (db) fprintf(stderr, "do_tsd() in.\n");
prop[0] = '\0';
a = XInternAtom(dpy, "TS_REDIR_LIST", False);
if (a != None) {
get_prop(prop, 512, a);
}
if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d = '%s'\n", a, prop);
if (prop[0] == '\0') {
return;
@ -662,6 +676,13 @@ static void check_redir_services(void) {
time_t tsd_last;
int restart = 0;
pid_t pid = 0;
int db = 0;
db = 0;
if (getenv("TS_REDIR_DEBUG")) {
db = 1;
}
if (db) fprintf(stderr, "check_redir_services in.\n");
if (! dpy) {
return;
@ -675,6 +696,7 @@ static void check_redir_services(void) {
pid = (pid_t) atoi(prop);
}
}
if (db) fprintf(stderr, "TS_REDIR_PID Atom: %d = '%s'\n", a, prop);
if (getenv("FD_TAG")) {
a = XInternAtom(dpy, "FD_TAG", False);
@ -685,6 +707,7 @@ static void check_redir_services(void) {
PropModeReplace, (unsigned char *)tag, strlen(tag));
XSync(dpy, False);
}
if (db) fprintf(stderr, "FD_TAG Atom: %d = '%s'\n", a, prop);
}
prop[0] = '\0';
@ -692,6 +715,7 @@ static void check_redir_services(void) {
if (a != None) {
get_prop(prop, 512, a);
}
if (db) fprintf(stderr, "TS_REDIR Atom: %d = '%s'\n", a, prop);
if (prop[0] == '\0') {
rfbLog("TS_REDIR is empty, restarting...\n");
restart = 1;
@ -718,9 +742,11 @@ static void check_redir_services(void) {
kill(pid, SIGKILL);
}
do_tsd();
if (db) fprintf(stderr, "check_redir_services restarted.\n");
return;
}
if (db) fprintf(stderr, "check_redir_services, no restart, calling set_redir_properties.\n");
set_redir_properties();
#endif
}
@ -1805,6 +1831,7 @@ int main(int argc, char* argv[]) {
int ncache_msg = 0;
char *got_rfbport_str = NULL;
int got_rfbport_pos = -1;
int got_tls = 0;
/* used to pass args we do not know about to rfbGetScreen(): */
int argc_vnc_max = 1024;
@ -2188,6 +2215,7 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-http_ssl")) {
try_http = 1;
http_ssl = 1;
got_tls++;
continue;
}
if (!strcmp(arg, "-avahi") || !strcmp(arg, "-mdns") || !strcmp(arg, "-zeroconf")) {
@ -2357,6 +2385,7 @@ int main(int argc, char* argv[]) {
char *s;
CHECK_ARGC
s = strdup(argv[++i]);
got_tls++;
if (strstr(s, "never")) {
vencrypt_mode = VENCRYPT_NONE;
} else if (strstr(s, "support")) {
@ -2385,18 +2414,19 @@ int main(int argc, char* argv[]) {
free(s);
continue;
}
if (!strcmp(arg, "-tlsvnc")) {
if (!strcmp(arg, "-anontls")) {
char *s;
CHECK_ARGC
s = strdup(argv[++i]);
got_tls++;
if (strstr(s, "never")) {
tlsvnc_mode = TLSVNC_NONE;
anontls_mode = ANONTLS_NONE;
} else if (strstr(s, "support")) {
tlsvnc_mode = TLSVNC_SUPPORT;
anontls_mode = ANONTLS_SUPPORT;
} else if (strstr(s, "only")) {
tlsvnc_mode = TLSVNC_SOLE;
anontls_mode = ANONTLS_SOLE;
} else if (strstr(s, "force")) {
tlsvnc_mode = TLSVNC_FORCE;
anontls_mode = ANONTLS_FORCE;
} else {
fprintf(stderr, "invalid %s arg: %s\n", arg, s);
exit(1);
@ -2407,14 +2437,22 @@ int main(int argc, char* argv[]) {
free(s);
continue;
}
if (!strcmp(arg, "-sslonly")) {
vencrypt_mode = VENCRYPT_NONE;
anontls_mode = ANONTLS_NONE;
got_tls++;
continue;
}
if (!strcmp(arg, "-dhparams")) {
CHECK_ARGC
dhparams_file = strdup(argv[++i]);
got_tls++;
continue;
}
if (!strcmp(arg, "-nossl")) {
use_openssl = 0;
openssl_pem = NULL;
got_tls = -1000;
continue;
}
if (!strcmp(arg, "-ssl")) {
@ -2422,9 +2460,21 @@ int main(int argc, char* argv[]) {
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
openssl_pem = strdup(s);
if (!strcmp(s, "ADH")) {
openssl_pem = strdup("ANON");
} else if (!strcmp(s, "ANONDH")) {
openssl_pem = strdup("ANON");
} else if (!strcmp(s, "TMP")) {
openssl_pem = NULL;
} else {
openssl_pem = strdup(s);
}
i++;
} else {
openssl_pem = strdup("SAVE");
}
} else {
openssl_pem = strdup("SAVE");
}
continue;
}
@ -2458,11 +2508,13 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-sslverify")) {
CHECK_ARGC
ssl_verify = strdup(argv[++i]);
got_tls++;
continue;
}
if (!strcmp(arg, "-sslCRL")) {
CHECK_ARGC
ssl_crl = strdup(argv[++i]);
got_tls++;
continue;
}
if (!strcmp(arg, "-sslGenCA")) {
@ -2522,15 +2574,19 @@ int main(int argc, char* argv[]) {
sslEncKey(s, 2);
}
exit(0);
continue;
}
if (!strcmp(arg, "-stunnel")) {
use_stunnel = 1;
got_tls = -1000;
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
stunnel_pem = strdup(s);
if (!strcmp(s, "TMP")) {
stunnel_pem = NULL;
} else {
stunnel_pem = strdup(s);
}
i++;
}
}
@ -2538,10 +2594,15 @@ int main(int argc, char* argv[]) {
}
if (!strcmp(arg, "-stunnel3")) {
use_stunnel = 3;
got_tls = -1000;
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
stunnel_pem = strdup(s);
if (!strcmp(s, "TMP")) {
stunnel_pem = NULL;
} else {
stunnel_pem = strdup(s);
}
i++;
}
}
@ -2550,6 +2611,7 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-https")) {
https_port_num = 0;
try_http = 1;
got_tls++;
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
@ -2561,6 +2623,7 @@ int main(int argc, char* argv[]) {
}
if (!strcmp(arg, "-httpsredir")) {
https_port_redir = -1;
got_tls++;
if (i < argc-1) {
char *s = argv[i+1];
if (s[0] != '-') {
@ -3410,6 +3473,12 @@ int main(int argc, char* argv[]) {
use_snapfb = 1;
continue;
}
if (!strcmp(arg, "-rand")) {
/* equiv. to -nopw -rawfb rand for quick tests */
raw_fb_str = strdup("rand");
nopw = 1;
continue;
}
if (!strcmp(arg, "-rawfb")) {
CHECK_ARGC
raw_fb_str = strdup(argv[++i]);
@ -4091,6 +4160,18 @@ int main(int argc, char* argv[]) {
if (db) fprintf(stderr, "users_list: %s\n", users_list);
}
if (got_tls > 0 && !use_openssl) {
rfbLog("SSL: Error: you did not supply the '-ssl ...' option even\n");
rfbLog("SSL: though you supplied one of these related options:\n");
rfbLog("SSL: -sslonly, -sslverify, -sslCRL, -vencrypt, -anontls,\n");
rfbLog("SSL: -dhparams, -https, -http_ssl, or -httpsredir.\n");
rfbLog("SSL: Restart with, for example, '-ssl SAVE' on the cmd line.\n");
rfbLog("SSL: See the '-ssl' x11vnc -help description for more info.\n");
if (!getenv("X11VNC_FORCE_NO_OPENSSL")) {
exit(1);
}
}
if (unixpw) {
if (inetd) {
use_stunnel = 0;
@ -5049,12 +5130,12 @@ if (0) fprintf(stderr, "XA: %s\n", getenv("XAUTHORITY"));
initialize_speeds();
if (speeds_read_rate_measured > 100) {
/* framebuffer read is fast at > 100 MB/sec */
if (speeds_read_rate_measured > 80) {
/* framebuffer read is fast at > 80 MB/sec */
if (! got_waitms) {
waitms /= 2;
if (waitms < 10) {
waitms = 10;
if (waitms < 5) {
waitms = 5;
}
if (!quiet) {
rfbLog("fast read: reset wait ms to: %d\n", waitms);
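Review bot: The debug print added in terminal_services, `if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d.\n");`, carries a `%d` conversion with no matching argument, so it reads an indeterminate value at runtime (undefined behavior, and `-Wformat` flags it); it should either pass the atom it refers to, formatted as `%lu` with an `(unsigned long)` cast because XInternAtom returns an Atom, or drop the conversion. The sibling debug prints in do_tsd and check_redir_services (`"TS_REDIR_LIST Atom: %d = '%s'\n", a, prop` and the TS_REDIR_PID, FD_TAG and TS_REDIR variants) pass `a`, which is assigned from XInternAtom, to `%d`, an int/unsigned-long mismatch on LP64 that the same `%lu` / `(unsigned long) a` change fixes. Separately, `int db = 0;` immediately followed by `db = 0;` in check_redir_services is redundant, and `got_tls = -1000` used as an "explicitly disabled" sentinel in the -nossl/-stunnel/-stunnel3 branches would read better as a named constant next to the `got_tls > 0` check. terminal_services, do_tsd, check_redir_services and main all start and end outside these hunks.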

@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.6 lastmod: 2008-11-22";
char lastmod[] = "0.9.6 lastmod: 2008-12-08";
/* X display info */
