x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc

to -anontls.  Disable ssl caching.  No cert creation prompting
in inetd or bg modes.  waitpid a bit more carefully on ssl
helpers.  Tune ssl initial timeouts.  Let -create user specify
starting X display.  fix -rfbport prompt gui for older tk.
-sslonly option. Error if no -ssl with related options. -rand
option.  -ssl implies -ssl SAVE
runge 16 years ago
parent e681929159
commit 8bef644d17

@ -1,3 +1,12 @@
2008-12-10 Karl Runge <runge@karlrunge.com>
* x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc
to -anontls. Disable ssl caching. No cert creation prompting
in inetd or bg modes. waitpid a bit more carefully on ssl
helpers. Tune ssl initial timeouts. Let -create user specify
starting X display. fix -rfbport prompt gui for older tk.
-sslonly option. Error if no -ssl with related options. -rand
option. -ssl implies -ssl SAVE
2008-11-22 Karl Runge <runge@karlrunge.com> 2008-11-22 Karl Runge <runge@karlrunge.com>
* x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL, * x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL,
-setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS -setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS


@ -2338,6 +2338,7 @@ static int do_reverse_connect(char *str_in) {
write(vncsock, prestring, prestring_len); write(vncsock, prestring, prestring_len);
free(prestring); free(prestring);
} }
/* XXX use header */
#define OPENSSL_REVERSE 4 #define OPENSSL_REVERSE 4
openssl_init(1); openssl_init(1);
accept_openssl(OPENSSL_REVERSE, vncsock); accept_openssl(OPENSSL_REVERSE, vncsock);
@ -2345,6 +2346,7 @@ static int do_reverse_connect(char *str_in) {
free(host); free(host);
return 1; return 1;
} }
if (use_stunnel) { if (use_stunnel) {
if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) { if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
if (!getenv("STUNNEL_DISABLE_LOCALHOST")) { if (!getenv("STUNNEL_DISABLE_LOCALHOST")) {
@ -2427,20 +2429,31 @@ void reverse_connect(char *str) {
int sleep_min = 1500, sleep_max = 4500, n_max = 5; int sleep_min = 1500, sleep_max = 4500, n_max = 5;
int n, tot, t, dt = 100, cnt = 0; int n, tot, t, dt = 100, cnt = 0;
int nclients0 = client_count; int nclients0 = client_count;
int lcnt, j;
char **list;
if (unixpw_in_progress) return; if (unixpw_in_progress) return;
tmp = strdup(str); tmp = strdup(str);
list = (char **) calloc( (strlen(tmp)+2) * sizeof (char *), 1);
lcnt = 0;
p = strtok(tmp, ", \t\r\n"); p = strtok(tmp, ", \t\r\n");
while (p) { while (p) {
list[lcnt++] = strdup(p);
p = strtok(NULL, ", \t\r\n");
}
free(tmp);
for (j = 0; j < lcnt; j++) {
p = list[j];
if ((n = do_reverse_connect(p)) != 0) { if ((n = do_reverse_connect(p)) != 0) {
rfbPE(-1); rfbPE(-1);
} }
cnt += n; cnt += n;
if (list[j+1] != NULL) {
p = strtok(NULL, ", \t\r\n");
if (p) {
t = 0; t = 0;
while (t < sleep_between_host) { while (t < sleep_between_host) {
usleep(dt * 1000); usleep(dt * 1000);
@ -2449,7 +2462,12 @@ void reverse_connect(char *str) {
} }
} }
} }
free(tmp);
for (j = 0; j < lcnt; j++) {
p = list[j];
if (p) free(p);
}
free(list);
if (cnt == 0) { if (cnt == 0) {
if (connect_or_exit) { if (connect_or_exit) {
@ -2739,6 +2757,9 @@ void check_gui_inputs(void) {
for (i=0; i<n; i++) { for (i=0; i<n; i++) {
int k, fd = icon_mode_socks[socks[i]]; int k, fd = icon_mode_socks[socks[i]];
char *p; char *p;
char **list;
int lind;
if (! FD_ISSET(fd, &fds)) { if (! FD_ISSET(fd, &fds)) {
continue; continue;
} }
@ -2752,8 +2773,18 @@ void check_gui_inputs(void) {
continue; continue;
} }
list = (char **) calloc((strlen(buf)+2) * sizeof(char *), 1);
lind = 0;
p = strtok(buf, "\r\n"); p = strtok(buf, "\r\n");
while (p) { while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, "\r\n");
}
lind = 0;
while (list[lind] != NULL) {
p = list[lind++];
if (strstr(p, "cmd=") == p || if (strstr(p, "cmd=") == p ||
strstr(p, "qry=") == p) { strstr(p, "qry=") == p) {
char *str = process_remote_cmd(p, 1); char *str = process_remote_cmd(p, 1);
@ -2769,8 +2800,14 @@ void check_gui_inputs(void) {
break; break;
} }
} }
p = strtok(NULL, "\r\n");
} }
lind = 0;
while (list[lind] != NULL) {
p = list[lind++];
if (p) free(p);
}
free(list);
} }
} }
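Review bot: In the reverse_connect hunk the results of `strdup(str)`, the `calloc` for `list` and the per-token `strdup(p)` are never checked, so an allocation failure becomes a NULL dereference at `strlen(tmp)` or `list[lcnt++] = ...`, and a failed token strdup silently ends the walk early because `list[j+1] != NULL` uses the empty slot as its terminator; a minimal guard before the strtok loop is `if (!tmp || !list) { free(tmp); free(list); return; }`. The check_gui_inputs hunk below repeats the same unchecked calloc/strdup pattern with the same consequences. In both cleanup loops `if (p) free(p);` can be plain `free(p);`, since free(NULL) is a no-op. The sentinel read deserves a comment, e.g. `/* list is zero-filled with strlen+2 slots, so list[lcnt] is always a NULL terminator */`, because it is only safe through calloc zero-filling and lcnt never exceeding strlen+1. Both enclosing functions start and end outside their hunks, and `buf` in check_gui_inputs is declared outside the hunk, so its sizing is not visible here.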

@ -82,10 +82,12 @@ void print_help(int mode) {
" before startup. Same as -xauth file. See Xsecurity(7),\n" " before startup. Same as -xauth file. See Xsecurity(7),\n"
" xauth(1) man pages for more info.\n" " xauth(1) man pages for more info.\n"
"\n" "\n"
"-N If the X display is :N, try to set the VNC display\n" "-N If the X display is :N, try to set the VNC display to\n"
" to also be :N This just sets the -rfbport option\n" " also be :N This just sets the -rfbport option to 5900+N\n"
" to 5900+N. The program will exit immediately if that\n" " The program will exit immediately if that port is not\n"
" port is not available.\n" " available. The -N option only works with normal -display\n"
" usage, e.g. :0 or :8, -N is ignored in the -display\n"
" WAIT:..., -create, -find, -svc, -redirect, etc modes.\n"
"\n" "\n"
"-autoport n Automatically probe for a free VNC port starting at n.\n" "-autoport n Automatically probe for a free VNC port starting at n.\n"
" The default is to start probing at 5900. Use this to\n" " The default is to start probing at 5900. Use this to\n"
@ -979,13 +981,13 @@ void print_help(int mode) {
" added to get the actual port), if port < 0 then -port\n" " added to get the actual port), if port < 0 then -port\n"
" is used.\n" " is used.\n"
"\n" "\n"
" Probably the only reason to use the -redirect option is\n" " Probably the only reason to use the -redirect option\n"
" in conjunction with SSL support, e.g. -ssl, -ssl SAVE.\n" " is in conjunction with SSL support, e.g. -ssl SAVE.\n"
" This provides an easy way to add SSL encryption to a VNC\n" " This provides an easy way to add SSL encryption to a VNC\n"
" server that does not support SSL (e.g. Xvnc or vnc.so)\n" " server that does not support SSL (e.g. Xvnc or vnc.so)\n"
" In fact, the protocol does not even need to be VNC,\n" " In fact, the protocol does not even need to be VNC,\n"
" and so \"-ssl SAVE -redirect host:port\" can act as a\n" " and so \"-rfbport port1 -ssl SAVE -redirect host:port2\"\n"
" replacement for stunnel(1).\n" " can act as a replacement for stunnel(1).\n"
"\n" "\n"
" This mode only allows one redirected connection.\n" " This mode only allows one redirected connection.\n"
" The -forever option does not apply. Use -inetd or\n" " The -forever option does not apply. Use -inetd or\n"
@ -1119,6 +1121,9 @@ void print_help(int mode) {
" for the user. This is the only time x11vnc tries to\n" " for the user. This is the only time x11vnc tries to\n"
" actually start up an X server.\n" " actually start up an X server.\n"
"\n" "\n"
" It will start looking for an open display number at :20\n"
" Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n\n"
"\n"
" By default FINDCREATEDISPLAY will try Xdummy and then\n" " By default FINDCREATEDISPLAY will try Xdummy and then\n"
" Xvfb:\n" " Xvfb:\n"
"\n" "\n"
@ -1233,14 +1238,14 @@ void print_help(int mode) {
"-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n" "-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n" " encrypted SSL/TLS connections. If the -ssl mode is\n"
" enabled, then VeNCrypt is enabled as well BY DEFAULT\n" " enabled, then VeNCrypt is enabled as well BY DEFAULT\n"
" (they both use the SSL/TLS tunnel, only the protocol\n" " (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n" " handshake is a little different.)\n"
"\n" "\n"
" To control when and how VeNCrypt is used, specify the\n" " To control when and how VeNCrypt is used, specify the\n"
" mode string. If mode is \"never\", then VeNCrypt is\n" " mode string. If mode is \"never\", then VeNCrypt is\n"
" not used. If mode is \"support\" (the default) then\n" " not used. If mode is \"support\" (the default) then\n"
" VeNCrypt is supported. If mode is \"only\", then the\n" " VeNCrypt is supported. If mode is \"only\", then the\n"
" similar and older TLSVNC protocol is not simultaneously\n" " similar and older ANONTLS protocol is not simultaneously\n"
" supported. x11vnc's normal SSL mode (vncs://) will be\n" " supported. x11vnc's normal SSL mode (vncs://) will be\n"
" supported under -ssl unless you set mode to \"force\".\n" " supported under -ssl unless you set mode to \"force\".\n"
"\n" "\n"
@ -1250,14 +1255,16 @@ void print_help(int mode) {
"\n" "\n"
" To disable all Anonymous Diffie-Hellman access\n" " To disable all Anonymous Diffie-Hellman access\n"
" (susceptible to Man-In-The-Middle attack) you will need\n" " (susceptible to Man-In-The-Middle attack) you will need\n"
" to supply \"-vencrypt nodh:support -tlsvnc never\"\n" " to supply \"-vencrypt nodh:support -anontls never\"\n"
" or \"-vencrypt nodh:only\"\n"
"\n" "\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n" " If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n" " Hellman parameters are generated for each connection\n"
" (this can be time consuming: 1-60 secs) rather than\n" " (this can be time consuming: 1-60 secs; see -dhparams\n"
" using the fixed values in the program. Using fixed,\n" " below for a faster way) rather than using the\n"
" publicly known values is not known to be a security\n" " fixed values in the program. Using fixed, publicly\n"
" problem. This setting applies to TLSVNC as well.\n" " known values is not known to be a security problem.\n"
" This setting applies to ANONTLS as well.\n"
"\n" "\n"
" Long example: -vencrypt newdh:nox509:support\n" " Long example: -vencrypt newdh:nox509:support\n"
"\n" "\n"
@ -1270,15 +1277,23 @@ void print_help(int mode) {
" You *MUST* supply the -ssl option for VeNCrypt to be\n" " You *MUST* supply the -ssl option for VeNCrypt to be\n"
" active. This option only fine-tunes its operation.\n" " active. This option only fine-tunes its operation.\n"
"\n" "\n"
"-tlsvnc mode The TLSVNC extension to the VNC protocol allows\n" "-anontls mode The ANONTLS extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n" " encrypted SSL/TLS connections. If the -ssl mode is\n"
" enabled, then TLSVNC is enabled as well BY DEFAULT\n" " enabled, then ANONTLS is enabled as well BY DEFAULT\n"
" (they both use the SSL/TLS tunnel, only the protocol\n" " (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n" " handshake is a little different.)\n"
"\n" "\n"
" To control when and how TLSVNC is used, specify the\n" " ANONTLS is an older SSL/TLS mode introduced by vino.\n"
" mode string. If mode is \"never\", then TLSVNC is not\n" "\n"
" used. If mode is \"support\" (the default) then TLSVNC\n" " It is referred to as 'TLS' for its registered VNC\n"
" security-type name, but we use the more descriptive\n"
" 'ANONTLS' here because it provides only Anonymous\n"
" Diffie-Hellman encrypted connections, and hence no\n"
" possibility for certificate authentication.\n"
"\n"
" To control when and how ANONTLS is used, specify the\n"
" mode string. If mode is \"never\", then ANONTLS is not\n"
" used. If mode is \"support\" (the default) then ANONTLS\n"
" is supported. If mode is \"only\", then the similar\n" " is supported. If mode is \"only\", then the similar\n"
" VeNCrypt protocol is not simultaneously supported.\n" " VeNCrypt protocol is not simultaneously supported.\n"
" x11vnc's normal SSL mode (vncs://) will be supported\n" " x11vnc's normal SSL mode (vncs://) will be supported\n"
@ -1286,24 +1301,30 @@ void print_help(int mode) {
"\n" "\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n" " If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n" " Hellman parameters are generated for each connection\n"
" (this can be time consuming: 1-60 secs) rather than\n" " (this can be time consuming: 1-60 secs; see -dhparams\n"
" using the fixed values in the program. Using fixed,\n" " below for a faster way) rather than using the\n"
" publicly known values is not known to be a security\n" " fixed values in the program. Using fixed, publicly\n"
" problem. This setting applies to VeNCrypt as well.\n" " known values is not known to be a security problem.\n"
" See the description of \"plain:\" under -vencrypt.\n" " This setting applies to VeNCrypt as well. See the\n"
" description of \"plain:\" under -vencrypt.\n"
"\n" "\n"
" Long example: -tlsvnc newdh:plain:support\n" " Long example: -anontls newdh:plain:support\n"
"\n" "\n"
" You *MUST* supply the -ssl option for TLSVNC to be\n" " You *MUST* supply the -ssl option for ANONTLS to be\n"
" active. This option only fine-tunes its operation.\n" " active. This option only fine-tunes its operation.\n"
"\n" "\n"
"-sslonly Same as: \"-vencrypt never -anontls never\" i.e. it\n"
" disables the VeNCrypt and ANONTLS encryption methods\n"
" and only allows standard SSL tunneling. You must also\n"
" supply the -ssl ... option (see below.)\n"
"\n"
"\n" "\n"
"-dhparams file For some operations a set of Diffie Hellman parameters\n" "-dhparams file For some operations a set of Diffie Hellman parameters\n"
" (prime and generator) is needed. If so, use the\n" " (prime and generator) is needed. If so, use the\n"
" parameters in \"file\". In particular, the VeNCrypt and\n" " parameters in \"file\". In particular, the VeNCrypt and\n"
" TLSVNC anonymous DH mode need them. By default a\n" " ANONTLS anonymous DH mode need them. By default a\n"
" fixed set is used. If you do not want to do that you\n" " fixed set is used. If you do not want to do that you\n"
" can specify \"newdh:\" to the -vencrypt and -tlsvnc\n" " can specify \"newdh:\" to the -vencrypt and -anontls\n"
" options to generate a new set each session. If that\n" " options to generate a new set each session. If that\n"
" is too slow for you, use -dhparams file to a set you\n" " is too slow for you, use -dhparams file to a set you\n"
" created manually via \"openssl dhparam -out file 1024\"\n" " created manually via \"openssl dhparam -out file 1024\"\n"
@ -1325,47 +1346,80 @@ void print_help(int mode) {
" http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n" " http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
" x11vnc provides an SSL enabled Java viewer applet in\n" " x11vnc provides an SSL enabled Java viewer applet in\n"
" the classes/ssl directory (-http or -httpdir options.)\n" " the classes/ssl directory (-http or -httpdir options.)\n"
" The SSVNC viewer package supports SSL too.\n" " The SSVNC viewer package supports SSL tunnels too.\n"
"\n"
" If the VNC Viewer supports VeNCrypt or ANONTLS (vino's\n"
" encryption mode) they are also supported by the -ssl\n"
" mode (see the -vencrypt and -anontls options for more\n"
" info; use -sslonly to disable both of them.)\n"
"\n" "\n"
" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n" " Use \"-ssl /path/to/mycert.pem\" to specify an SSL\n"
" specify a PEM certificate file to use to identify and\n" " certificate file in PEM format to use to identify and\n"
" provide a key for this server. See openssl(1) for more\n" " provide a key for this server. See openssl(1) for more\n"
" info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n" " info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n"
" options below for how to create them.\n" " options below for how to create them.\n"
"\n" "\n"
" The connecting VNC viewer SSL tunnel can (optionally)\n" " The connecting VNC viewer SSL tunnel can (at its option)\n"
" authenticate this server if they have the public key\n" " authenticate this server if it has the public key part\n"
" part of the certificate (or a common certificate\n" " of the certificate (or a common certificate authority,\n"
" authority, CA, is a more sophisticated way to\n" " CA, is a more sophisticated way to verify this server's\n"
" verify this server's cert, see -sslGenCA below).\n" " cert, see -sslGenCA below). This authentication is\n"
" This is used to prevent Man-In-The-Middle attacks.\n" " done to prevent Man-In-The-Middle attacks. Otherwise,\n"
" Otherwise, if the VNC viewer accepts this server's\n" " if the VNC viewer simply accepts this server's key\n"
" key WITHOUT verification, the traffic is protected\n" " WITHOUT verification, the traffic is protected from\n"
" from passive sniffing on the network, but *NOT* from\n" " passive sniffing on the network, but *NOT* from\n"
" Man-In-The-Middle attacks. There are hacker tools\n"
" like dsniff/webmitm and cain that implement SSL\n"
" Man-In-The-Middle attacks.\n" " Man-In-The-Middle attacks.\n"
"\n" "\n"
" If [pem] is not supplied and the openssl(1) utility\n" " If [pem] is empty or the string \"SAVE\" then the\n"
" openssl(1) command must be available to generate the\n"
" certificate the first time. A self-signed certificate\n"
" is generated (see -sslGenCA and -sslGenCert for use\n"
" of a Certificate Authority.) It will be saved to the\n"
" file ~/.vnc/certs/server.pem. On subsequent calls if\n"
" that file already exists it will be used directly.\n"
"\n"
" Use \"SAVE_NOPROMPT\" to avoid being prompted to\n"
" protect the generated key with a passphrase. However in\n"
" -inetd and -bg modes there will be no prompting for a\n"
" passphrase in either case.\n"
"\n"
" If [pem] is \"SAVE_PROMPT\" the server.pem certificate\n"
" will be created based on your answers to its prompts for\n"
" all info such as OrganizationalName, CommonName, etc.\n"
"\n"
" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
" instead (it will be generated if it does not already\n"
" exist). E.g. \"SAVE-charlie\" will store to the file\n"
" ~/.vnc/certs/server-charlie.pem\n"
"\n"
" Examples: x11vnc -ssl SAVE -display :0 ...\n"
" x11vnc -ssl SAVE-someother -display :0 ...\n"
"\n"
" If [pem] is \"TMP\" and the openssl(1) utility\n"
" command exists in PATH, then a temporary, self-signed\n" " command exists in PATH, then a temporary, self-signed\n"
" certificate will be generated for this session\n" " certificate will be generated for this session. If\n"
" (this may take 5-30 seconds on very slow machines).\n" " openssl(1) cannot be used to generate a temporary\n"
" If openssl(1) cannot be used to generate a temporary\n" " certificate x11vnc exits immediately. The temporary\n"
" certificate x11vnc exits immediately.\n" " cert will be discarded when x11vnc exits.\n"
"\n" "\n"
" If successful in using openssl(1) to generate a\n" " If successful in using openssl(1) to generate a\n"
" temporary certificate, the public part of it will be\n" " temporary certificate in \"SAVE\" or \"TMP\" creation\n"
" displayed to stderr (e.g. one could copy it to the\n" " modes, the public part of it will be displayed to stderr\n"
" client-side to provide authentication of the server to\n" " (e.g. one could copy it to the client-side to provide\n"
" VNC viewers.)\n" " authentication of the server to VNC viewers.)\n"
"\n" "\n"
" NOTE: Unless you safely copy the public part of the\n" " NOTE: In \"TMP\" mode, unless you safely copy the\n"
" temporary Cert to the viewer for authenticate *every\n" " public part of the temporary Cert to the viewer for\n"
" time* (unlikely...), then only passive sniffing\n" " authenticate *every time* (unlikely...), then only\n"
" attacks are prevented and you are still open to\n" " passive sniffing attacks are prevented and you are\n"
" Man-In-The-Middle attacks. See the following\n" " still open to Man-In-The-Middle attacks. This is\n"
" paragraphs for how to save keys to reuse them when\n" " why the default \"SAVE\" mode is preferred (and more\n"
" x11vnc is restarted. With saved keys AND the VNC viewer\n" " sophisticated CA mode too). Only with saved keys AND\n"
" authenticating them by using the public certificate,\n" " the VNC viewer authenticating them (via the public\n"
" then Man-In-The-Middle attacks are prevented.\n" " certificate), are Man-In-The-Middle attacks prevented.\n"
"\n" "\n"
" If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n" " If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n"
" key exchange method is used. In this mode there\n" " key exchange method is used. In this mode there\n"
@ -1374,34 +1428,16 @@ void print_help(int mode) {
" Thus only passive network sniffing attacks are avoided:\n" " Thus only passive network sniffing attacks are avoided:\n"
" the \"ANON\" method is susceptible to Man-In-The-Middle\n" " the \"ANON\" method is susceptible to Man-In-The-Middle\n"
" attacks. \"ANON\" is not recommended; instead use\n" " attacks. \"ANON\" is not recommended; instead use\n"
" a SSL PEM you created or the \"SAVE\" method in the\n" " a SSL PEM you created or the defaut \"SAVE\" method.\n"
" next paragraph.\n"
"\n"
" If [pem] is \"SAVE\" then the certificate will be saved\n"
" to the file ~/.vnc/certs/server.pem, or if that file\n"
" exists it will be used directly. Similarly, if [pem]\n"
" is \"SAVE_PROMPT\" the server.pem certificate will be\n"
" made based on your answers to its prompts for info such\n"
" as OrganizationalName, CommonName, etc.\n"
"\n"
" We expect most users to use \"-ssl SAVE\".\n"
"\n"
" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
" instead. E.g. \"SAVE-charlie\" will store to the file\n"
" ~/.vnc/certs/server-charlie.pem\n"
"\n"
" Examples: x11vnc -ssl SAVE -display :0 ...\n"
" x11vnc -ssl SAVE-other -display :0 ...\n"
"\n" "\n"
" See -ssldir below to use a directory besides the\n" " See -ssldir below to use a directory besides the\n"
" default ~/.vnc/certs\n" " default ~/.vnc/certs\n"
"\n" "\n"
" Misc Info: In temporary cert creation mode, set the\n" " Misc Info: In temporary cert creation mode \"TMP\", set\n"
" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out\n" " the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print\n"
" the entire certificate, including the PRIVATE KEY part,\n" " out the entire certificate, including the PRIVATE KEY\n"
" to stderr. There are better ways to get/save this info.\n" " part, to stderr. There are better ways to get/save this\n"
" See \"SAVE\" above and \"-sslGenCert\" below.\n" " info. See \"SAVE\" above and \"-sslGenCert\" below.\n"
"\n" "\n"
"-ssltimeout n Set SSL read timeout to n seconds. In some situations\n" "-ssltimeout n Set SSL read timeout to n seconds. In some situations\n"
" (i.e. an iconified viewer in Windows) the viewer stops\n" " (i.e. an iconified viewer in Windows) the viewer stops\n"
@ -1446,7 +1482,7 @@ void print_help(int mode) {
"\n" "\n"
" If [path] is a directory it contains the client (or CA)\n" " If [path] is a directory it contains the client (or CA)\n"
" certificates in separate files. If [path] is a file,\n" " certificates in separate files. If [path] is a file,\n"
" it contains multiple certificates. See special tokens\n" " it contains one or more certificates. See special tokens\n"
" below. These correspond to the \"CApath = dir\" and\n" " below. These correspond to the \"CApath = dir\" and\n"
" \"CAfile = file\" stunnel options. See the stunnel(8)\n" " \"CAfile = file\" stunnel options. See the stunnel(8)\n"
" manpage for details.\n" " manpage for details.\n"
@ -1508,19 +1544,19 @@ void print_help(int mode) {
" VNC-ing with x11vnc. (note that they require openssl(1)\n" " VNC-ing with x11vnc. (note that they require openssl(1)\n"
" be installed on the system)\n" " be installed on the system)\n"
"\n" "\n"
" However, the simplest usage mode (where x11vnc\n" " However, the simplest usage mode, \"-ssl TMP\" (where\n"
" automatically generates its own, self-signed, temporary\n" " x11vnc automatically generates its own, self-signed,\n"
" key and the VNC viewers always accept it, e.g. accepting\n" " temporary key and the VNC viewers always accept it,\n"
" via a dialog box) is probably safe enough for most\n" " e.g. accepting via a dialog box) is probably safe enough\n"
" scenarios. CA management is not needed.\n" " for most scenarios. CA management is not needed.\n"
"\n" "\n"
" To protect against Man-In-The-Middle attacks the\n" " To protect against Man-In-The-Middle attacks the \"TMP\"\n"
" simplest mode can be improved by using \"-ssl SAVE\"\n" " mode can be improved by using \"-ssl SAVE\" (same as\n"
" to have x11vnc create a longer term self-signed\n" " \"-ssl\", i.e. the default) to have x11vnc create a\n"
" certificate, and then (safely) copy the corresponding\n" " longer term self-signed certificate, and then (safely)\n"
" public key cert to the desired client machines (care\n" " copy the corresponding public key cert to the desired\n"
" must be taken the private key part is not stolen;\n" " client machines (care must be taken the private key part\n"
" you will be prompted for a passphrase).\n" " is not stolen; you will be prompted for a passphrase).\n"
"\n" "\n"
" So keep in mind no CA key creation or management\n" " So keep in mind no CA key creation or management\n"
" (-sslGenCA and -sslGenCert) is needed for either of\n" " (-sslGenCA and -sslGenCert) is needed for either of\n"
@ -1547,7 +1583,7 @@ void print_help(int mode) {
" be \"imported\" somehow. Web browsers have \"Manage\n" " be \"imported\" somehow. Web browsers have \"Manage\n"
" Certificates\" actions as does the Java applet plugin\n" " Certificates\" actions as does the Java applet plugin\n"
" Control Panel. stunnel can also use these files (see\n" " Control Panel. stunnel can also use these files (see\n"
" the ss_vncviewer example script in the FAQ.)\n" " the ss_vncviewer example script in the FAQ and SSVNC.)\n"
"\n" "\n"
"-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n" "-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n"
"\n" "\n"
@ -3359,6 +3395,8 @@ void print_help(int mode) {
"-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n" "-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n"
" set the defer time to the same ms value. n=1 to enable,\n" " set the defer time to the same ms value. n=1 to enable,\n"
" 0 to disable, and -1 to set defer to 0 (no delay).\n" " 0 to disable, and -1 to set defer to 0 (no delay).\n"
" Similarly, 2 and -2 indicate 'urgent_update' mode should\n"
" be used to push the updates even sooner. Default: 1\n"
"-nowait_bog Do not detect if the screen polling is \"bogging down\"\n" "-nowait_bog Do not detect if the screen polling is \"bogging down\"\n"
" and sleep more. Some activities with no user input can\n" " and sleep more. Some activities with no user input can\n"
" slow things down a lot: consider a large terminal window\n" " slow things down a lot: consider a large terminal window\n"
@ -3367,10 +3405,11 @@ void print_help(int mode) {
" (3 screen polls in a row each longer than 0.25 sec with\n" " (3 screen polls in a row each longer than 0.25 sec with\n"
" no user input), and sleep up to 1.5 secs to let things\n" " no user input), and sleep up to 1.5 secs to let things\n"
" \"catch up\". Use this option to disable that detection.\n" " \"catch up\". Use this option to disable that detection.\n"
"-slow_fb time Floating point time in seconds delay all screen polling.\n" "-slow_fb time Floating point time in seconds to delay all screen\n"
" For special purpose usage where a low frame rate is\n" " polling. For special purpose usage where a low frame\n"
" acceptable and desirable, but you want the user input\n" " rate is acceptable and desirable, but you want the\n"
" processed at the normal rate so you cannot use -wait.\n" " user input processed at the normal rate so you cannot\n"
" use -wait.\n"
"-xrefresh time Floating point time in seconds to indicate how often to\n" "-xrefresh time Floating point time in seconds to indicate how often to\n"
" do the equivalent of xrefresh(1) to force all windows\n" " do the equivalent of xrefresh(1) to force all windows\n"
" (in the viewable area if -id, -sid, or -clip is used)\n" " (in the viewable area if -id, -sid, or -clip is used)\n"
@ -4356,6 +4395,7 @@ void print_help(int mode) {
" defer:n set -defer to n ms,same as deferupdate:n\n" " defer:n set -defer to n ms,same as deferupdate:n\n"
" wait:n set -wait to n ms.\n" " wait:n set -wait to n ms.\n"
" wait_ui:f set -wait_ui factor to f.\n" " wait_ui:f set -wait_ui factor to f.\n"
" setdefer:n set -setdefer to -2,-1,0,1, or 2.\n"
" wait_bog disable -nowait_bog mode.\n" " wait_bog disable -nowait_bog mode.\n"
" nowait_bog enable -nowait_bog mode.\n" " nowait_bog enable -nowait_bog mode.\n"
" slow_fb:f set -slow_fb to f seconds.\n" " slow_fb:f set -slow_fb to f seconds.\n"
@ -4515,15 +4555,15 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n" " nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n" " scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
" scr_parms scrollcopyrect scr noscrollcopyrect noscr\n" " scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
" fixscreen noxrecord xrecord reset_record pointer_mode\n" " fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
" pm input_skip allinput noallinput input grabkbd\n" " input_skip allinput noallinput input grabkbd nograbkbd\n"
" nograbkbd grabptr nograbptr grabalways nograbalways\n" " grabptr nograbptr grabalways nograbalways grablocal\n"
" grablocal client_input ssltimeout speeds wmdt\n" " client_input ssltimeout speeds wmdt debug_pointer dp\n"
" debug_pointer dp nodebug_pointer nodp debug_keyboard\n" " nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
" dk nodebug_keyboard nodk keycode deferupdate defer\n" " nodk keycode deferupdate defer setdefer wait_ui\n"
" wait_ui wait_bog nowait_bog slow_fb xrefresh wait\n" " wait_bog nowait_bog slow_fb xrefresh wait readtimeout\n"
" readtimeout nap nonap sb screen_blank fbpm nofbpm dpms\n" " nap nonap sb screen_blank fbpm nofbpm dpms nodpms\n"
" nodpms clientdpms noclientdpms forcedpms noforcedpms\n" " clientdpms noclientdpms forcedpms noforcedpms\n"
" noserverdpms serverdpms noultraext ultraext chatwindow\n" " noserverdpms serverdpms noultraext ultraext chatwindow\n"
" nochatwindow chaton chatoff fs gaps grow fuzz snapfb\n" " nochatwindow chaton chatoff fs gaps grow fuzz snapfb\n"
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n" " nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"

@ -34,7 +34,7 @@ char *enc_str = NULL;
int vencrypt_mode = VENCRYPT_SUPPORT; int vencrypt_mode = VENCRYPT_SUPPORT;
int vencrypt_kx = VENCRYPT_BOTH; int vencrypt_kx = VENCRYPT_BOTH;
int vencrypt_enable_plain_login = 0; int vencrypt_enable_plain_login = 0;
int tlsvnc_mode = TLSVNC_SUPPORT; int anontls_mode = ANONTLS_SUPPORT;
int create_fresh_dhparams = 0; int create_fresh_dhparams = 0;
char *dhparams_file = NULL; char *dhparams_file = NULL;
int https_port_num = -1; int https_port_num = -1;

@ -34,7 +34,7 @@ extern char *enc_str;
extern int vencrypt_mode; extern int vencrypt_mode;
extern int vencrypt_kx; extern int vencrypt_kx;
extern int vencrypt_enable_plain_login; extern int vencrypt_enable_plain_login;
extern int tlsvnc_mode; extern int anontls_mode;
extern int create_fresh_dhparams; extern int create_fresh_dhparams;
extern char *dhparams_file; extern char *dhparams_file;
extern int https_port_num; extern int https_port_num;

@ -63,9 +63,9 @@
#define VENCRYPT_NODH 1 #define VENCRYPT_NODH 1
#define VENCRYPT_NOX509 2 #define VENCRYPT_NOX509 2
#define TLSVNC_NONE 0 #define ANONTLS_NONE 0
#define TLSVNC_SUPPORT 1 #define ANONTLS_SUPPORT 1
#define TLSVNC_SOLE 2 #define ANONTLS_SOLE 2
#define TLSVNC_FORCE 3 #define ANONTLS_FORCE 3
#endif /* _X11VNC_PARAMS_H */ #endif /* _X11VNC_PARAMS_H */

@ -327,6 +327,7 @@ int check_httpdir(void) {
if ((q = strrchr(prog, '/')) == NULL) { if ((q = strrchr(prog, '/')) == NULL) {
rfbLog("check_httpdir: bad program path: %s\n", prog); rfbLog("check_httpdir: bad program path: %s\n", prog);
free(prog); free(prog);
rfbLog("check_httpdir: *HTTP disabled* Use -httpdir path\n");
return 0; return 0;
} }
@ -383,6 +384,7 @@ int check_httpdir(void) {
rfbLog("check_httpdir: bad guess:\n"); rfbLog("check_httpdir: bad guess:\n");
rfbLog(" %s\n", httpdir); rfbLog(" %s\n", httpdir);
rfbLog("check_httpdir: *HTTP disabled* Use -httpdir path\n");
return 0; return 0;
} }
} }

@ -91,7 +91,7 @@ static void init_prng(void);
static void sslerrexit(void); static void sslerrexit(void);
static char *get_input(char *tag, char **in); static char *get_input(char *tag, char **in);
static char *create_tmp_pem(char *path, int prompt); static char *create_tmp_pem(char *path, int prompt);
static int ssl_init(int s_in, int s_out); static int ssl_init(int s_in, int s_out, int skip_vnc_tls);
static void ssl_xfer(int csock, int s_in, int s_out, int is_https); static void ssl_xfer(int csock, int s_in, int s_out, int is_https);
#ifndef FORK_OK #ifndef FORK_OK
@ -142,6 +142,7 @@ char *get_saved_pem(char *save, int create) {
clean_up_exit(1); clean_up_exit(1);
} }
cdir = get_Cert_dir(NULL, &tmp); cdir = get_Cert_dir(NULL, &tmp);
if (! cdir || ! tmp) { if (! cdir || ! tmp) {
rfbLog("get_saved_pem: could not find Cert dir.\n"); rfbLog("get_saved_pem: could not find Cert dir.\n");
@ -156,8 +157,11 @@ char *get_saved_pem(char *save, int create) {
if (stat(path, &sbuf) != 0) { if (stat(path, &sbuf) != 0) {
char *new = NULL; char *new = NULL;
if (create) { if (create) {
if (inetd || opts_bg) {
set_env("GENCERT_NOPROMPT", "1");
}
new = create_tmp_pem(path, prompt); new = create_tmp_pem(path, prompt);
if (! getenv("X11VNC_SSL_NO_PASSPHRASE") && ! inetd) { if (!getenv("X11VNC_SSL_NO_PASSPHRASE") && !inetd && !opts_bg) {
sslEncKey(new, 0); sslEncKey(new, 0);
} }
} }
@ -842,7 +846,7 @@ static int verify_callback(int ok, X509_STORE_CTX *callback_ctx) {
return 1; return 1;
} }
#define rfbSecTypeTlsVnc 18 #define rfbSecTypeAnonTls 18
#define rfbSecTypeVencrypt 19 #define rfbSecTypeVencrypt 19
#define rfbVencryptPlain 256 #define rfbVencryptPlain 256
@ -854,7 +858,7 @@ static int verify_callback(int ok, X509_STORE_CTX *callback_ctx) {
#define rfbVencryptX509Plain 262 #define rfbVencryptX509Plain 262
static int vencrypt_selected = 0; static int vencrypt_selected = 0;
static int tlsvnc_selected = 0; static int anontls_selected = 0;
static int ssl_client_mode = 0; static int ssl_client_mode = 0;
@ -946,8 +950,14 @@ void openssl_init(int isclient) {
mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
SSL_CTX_set_mode(ctx, mode); SSL_CTX_set_mode(ctx, mode);
#define ssl_cache 0
#if ssl_cache
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout(ctx, 300); SSL_CTX_set_timeout(ctx, 300);
#else
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(ctx, 1);
#endif
ds = dnow(); ds = dnow();
if (! openssl_pem) { if (! openssl_pem) {
@ -1255,16 +1265,31 @@ void ssl_helper_pid(pid_t pid, int sock) {
continue; continue;
} }
if (kill(helpers[i], 0) == 0) { if (kill(helpers[i], 0) == 0) {
int kret = -2;
pid_t wret;
if (sock != -2) { if (sock != -2) {
if (sockets[i] >= 0) { if (sockets[i] >= 0) {
close(sockets[i]); close(sockets[i]);
} }
kill(helpers[i], SIGTERM); kret = kill(helpers[i], SIGTERM);
if (kret == 0) {
usleep(20 * 1000);
}
} }
#if LIBVNCSERVER_HAVE_SYS_WAIT_H && LIBVNCSERVER_HAVE_WAITPID #if LIBVNCSERVER_HAVE_SYS_WAIT_H && LIBVNCSERVER_HAVE_WAITPID
if (db) fprintf(stderr, "waitpid(%d)\n", helpers[i]); if (db) fprintf(stderr, "waitpid(%d)\n", helpers[i]);
waitpid(helpers[i], &status, WNOHANG); wret = waitpid(helpers[i], &status, WNOHANG);
if (kret == 0 && wret != helpers[i]) {
int k;
for (k=0; k < 10; k++) {
usleep(100 * 1000);
wret = waitpid(helpers[i], &status, WNOHANG);
if (wret == helpers[i]) {
break;
}
}
}
#endif #endif
if (sock == -2) { if (sock == -2) {
continue; continue;
@ -1358,9 +1383,9 @@ static int is_ssl_readable(int s_in, time_t last_https, char *last_get,
* recently: * recently:
*/ */
if (time(NULL) < last_https + 30) { if (time(NULL) < last_https + 30) {
tv.tv_sec = 8; tv.tv_sec = 10;
if (last_get && strstr(last_get, "VncViewer")) { if (last_get && strstr(last_get, "VncViewer")) {
tv.tv_sec = 4; tv.tv_sec = 5;
} }
} }
if (getenv("X11VNC_HTTPS_VS_VNC_TIMEOUT")) { if (getenv("X11VNC_HTTPS_VS_VNC_TIMEOUT")) {
@ -1543,7 +1568,7 @@ int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
if (db) fprintf(stderr, "got applet input sock1: %d\n", sock1); if (db) fprintf(stderr, "got applet input sock1: %d\n", sock1);
if (! ssl_init(sock1, sock1)) { if (! ssl_init(sock1, sock1, 0)) {
if (db) fprintf(stderr, "ssl_init FAILED\n"); if (db) fprintf(stderr, "ssl_init FAILED\n");
exit(1); exit(1);
} }
@ -1715,7 +1740,7 @@ void accept_openssl(int mode, int presock) {
char uniq[] = "_evilrats_"; char uniq[] = "_evilrats_";
char cookie[256], rcookie[256], *name = NULL; char cookie[256], rcookie[256], *name = NULL;
int vencrypt_sel = 0; int vencrypt_sel = 0;
int tlsvnc_sel = 0; int anontls_sel = 0;
static time_t last_https = 0; static time_t last_https = 0;
static char last_get[256]; static char last_get[256];
static int first = 1; static int first = 1;
@ -1832,7 +1857,7 @@ void accept_openssl(int mode, int presock) {
* but hard to guess exactly (just worrying about local lusers * but hard to guess exactly (just worrying about local lusers
* here, since we use INADDR_LOOPBACK). * here, since we use INADDR_LOOPBACK).
*/ */
rb = (unsigned char *) malloc(6); rb = (unsigned char *) calloc(6, 1);
RAND_bytes((char *)rb, 6); RAND_bytes((char *)rb, 6);
sprintf(cookie, "RB=%d%d%d%d%d%d/%f%f/0x%x", sprintf(cookie, "RB=%d%d%d%d%d%d/%f%f/0x%x",
rb[0], rb[1], rb[2], rb[3], rb[4], rb[5], rb[0], rb[1], rb[2], rb[3], rb[4], rb[5],
@ -1915,6 +1940,7 @@ void accept_openssl(int mode, int presock) {
int i, have_httpd = 0; int i, have_httpd = 0;
int f_in = fileno(stdin); int f_in = fileno(stdin);
int f_out = fileno(stdout); int f_out = fileno(stdout);
int skip_vnc_tls = mode == OPENSSL_HTTPS ? 1 : 0;
if (db) fprintf(stderr, "helper pid in: %d %d %d %d\n", f_in, f_out, sock, listen); if (db) fprintf(stderr, "helper pid in: %d %d %d %d\n", f_in, f_out, sock, listen);
@ -1962,7 +1988,7 @@ void accept_openssl(int mode, int presock) {
s_in = s_out = sock; s_in = s_out = sock;
} }
if (! ssl_init(s_in, s_out)) { if (! ssl_init(s_in, s_out, skip_vnc_tls)) {
close(vncsock); close(vncsock);
exit(1); exit(1);
} }
@ -1973,10 +1999,10 @@ void accept_openssl(int mode, int presock) {
sprintf(tbuf, "%s,VENCRYPT=%d,%s", uniq, vencrypt_selected, cookie); sprintf(tbuf, "%s,VENCRYPT=%d,%s", uniq, vencrypt_selected, cookie);
write(vncsock, tbuf, strlen(cookie)); write(vncsock, tbuf, strlen(cookie));
goto wrote_cookie; goto wrote_cookie;
} else if (tlsvnc_selected != 0) { } else if (anontls_selected != 0) {
char *tbuf; char *tbuf;
tbuf = (char *) malloc(strlen(cookie) + 100); tbuf = (char *) malloc(strlen(cookie) + 100);
sprintf(tbuf, "%s,TLSVNC=%d,%s", uniq, tlsvnc_selected, cookie); sprintf(tbuf, "%s,ANONTLS=%d,%s", uniq, anontls_selected, cookie);
write(vncsock, tbuf, strlen(cookie)); write(vncsock, tbuf, strlen(cookie));
goto wrote_cookie; goto wrote_cookie;
} }
@ -2005,7 +2031,7 @@ void accept_openssl(int mode, int presock) {
} }
if (have_httpd) { if (have_httpd) {
int n = 0, is_http; int n = 0, is_http = 0;
int hport = screen->httpPort; int hport = screen->httpPort;
char *iface = NULL; char *iface = NULL;
char *buf, *tbuf; char *buf, *tbuf;
@ -2348,7 +2374,7 @@ void accept_openssl(int mode, int presock) {
char *q = strstr(rcookie, "RB="); char *q = strstr(rcookie, "RB=");
if (q && strstr(cookie, q) == cookie) { if (q && strstr(cookie, q) == cookie) {
vencrypt_sel = 0; vencrypt_sel = 0;
tlsvnc_sel = 0; anontls_sel = 0;
q = strstr(rcookie, "VENCRYPT="); q = strstr(rcookie, "VENCRYPT=");
if (q && sscanf(q, "VENCRYPT=%d,", &vencrypt_sel) == 1) { if (q && sscanf(q, "VENCRYPT=%d,", &vencrypt_sel) == 1) {
if (vencrypt_sel != 0) { if (vencrypt_sel != 0) {
@ -2356,10 +2382,10 @@ void accept_openssl(int mode, int presock) {
goto accept_client; goto accept_client;
} }
} }
q = strstr(rcookie, "TLSVNC="); q = strstr(rcookie, "ANONTLS=");
if (q && sscanf(q, "TLSVNC=%d,", &tlsvnc_sel) == 1) { if (q && sscanf(q, "ANONTLS=%d,", &anontls_sel) == 1) {
if (tlsvnc_sel != 0) { if (anontls_sel != 0) {
rfbLog("SSL: TLSVNC mode=%d accepted.\n", tlsvnc_sel); rfbLog("SSL: ANONTLS mode=%d accepted.\n", anontls_sel);
goto accept_client; goto accept_client;
} }
} }
@ -2508,7 +2534,7 @@ void accept_openssl(int mode, int presock) {
if (!finish_vencrypt_auth(client, vencrypt_sel)) { if (!finish_vencrypt_auth(client, vencrypt_sel)) {
rfbCloseClient(client); rfbCloseClient(client);
} }
} else if (tlsvnc_sel != 0) { } else if (anontls_sel != 0) {
client->protocolMajorVersion = 3; client->protocolMajorVersion = 3;
client->protocolMinorVersion = 8; client->protocolMinorVersion = 8;
rfbAuthNewClient(client); rfbAuthNewClient(client);
@ -2744,12 +2770,12 @@ static int switch_to_anon_dh(void) {
return 1; return 1;
} }
static int tlsvnc_dialog(int s_in, int s_out) { static int anontls_dialog(int s_in, int s_out) {
tlsvnc_selected = 1; anontls_selected = 1;
if (!switch_to_anon_dh()) { if (!switch_to_anon_dh()) {
rfbLog("tlsvnc: Anonymous Diffie-Hellman failed.\n"); rfbLog("anontls: Anonymous Diffie-Hellman failed.\n");
return 0; return 0;
} }
@ -2924,27 +2950,27 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
char buf[256]; char buf[256];
vencrypt_selected = 0; vencrypt_selected = 0;
tlsvnc_selected = 0; anontls_selected = 0;
if (vencrypt_mode == VENCRYPT_NONE && tlsvnc_mode == TLSVNC_NONE) { if (vencrypt_mode == VENCRYPT_NONE && anontls_mode == ANONTLS_NONE) {
/* only normal SSL */ /* only normal SSL */
return 1; return 1;
} }
if (ssl_client_mode) { if (ssl_client_mode) {
/* XXX check if this can be done in SSL client mode. */ /* XXX check if this can be done in SSL client mode. */
if (vencrypt_mode == VENCRYPT_FORCE || tlsvnc_mode == TLSVNC_FORCE) { if (vencrypt_mode == VENCRYPT_FORCE || anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/TLSVNC_FORCE prevents normal SSL\n"); rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/ANONTLS_FORCE prevents normal SSL\n");
return 0; return 0;
} }
return 1; return 1;
} }
if (ssl_verify && vencrypt_mode != VENCRYPT_FORCE && tlsvnc_mode == TLSVNC_FORCE) { if (ssl_verify && vencrypt_mode != VENCRYPT_FORCE && anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: Cannot use TLSVNC_FORCE with -sslverify (Anon DH only)\n"); rfbLog("check_vnc_tls_mode: Cannot use ANONTLS_FORCE with -sslverify (Anon DH only)\n");
/* fallback to normal SSL */ /* fallback to normal SSL */
return 1; return 1;
} }
while (waited < 0.7) { while (waited < 1.1) {
fd_set rfds; fd_set rfds;
FD_ZERO(&rfds); FD_ZERO(&rfds);
FD_SET(s_in, &rfds); FD_SET(s_in, &rfds);
@ -2962,8 +2988,8 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
if (input) { if (input) {
/* got SSL client hello, can only assume normal SSL */ /* got SSL client hello, can only assume normal SSL */
if (vencrypt_mode == VENCRYPT_FORCE || tlsvnc_mode == TLSVNC_FORCE) { if (vencrypt_mode == VENCRYPT_FORCE || anontls_mode == ANONTLS_FORCE) {
rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/TLSVNC_FORCE prevents normal SSL\n"); rfbLog("check_vnc_tls_mode: VENCRYPT_FORCE/ANONTLS_FORCE prevents normal SSL\n");
return 0; return 0;
} }
return 1; return 1;
@ -2982,7 +3008,12 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
} }
if (sscanf(buf, "RFB %03d.%03d\n", &major, &minor) != 2) { if (sscanf(buf, "RFB %03d.%03d\n", &major, &minor) != 2) {
rfbLog("check_vnc_tls_mode: abnormal handshake: '%s'\n", buf); int i;
rfbLog("check_vnc_tls_mode: abnormal handshake: '%s'\nbytes: ", buf);
for (i=0; i < 12; i++) {
fprintf(stderr, "%x.", (int) buf[i]);
}
fprintf(stderr, "\n");
close(s_in); close(s_out); close(s_in); close(s_out);
return 0; return 0;
} }
@ -2996,18 +3027,18 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
n = 1; n = 1;
if (vencrypt_mode == VENCRYPT_FORCE) { if (vencrypt_mode == VENCRYPT_FORCE) {
buf[n++] = rfbSecTypeVencrypt; buf[n++] = rfbSecTypeVencrypt;
} else if (tlsvnc_mode == TLSVNC_FORCE && !ssl_verify) { } else if (anontls_mode == ANONTLS_FORCE && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc; buf[n++] = rfbSecTypeAnonTls;
} else if (vencrypt_mode == VENCRYPT_SOLE) { } else if (vencrypt_mode == VENCRYPT_SOLE) {
buf[n++] = rfbSecTypeVencrypt; buf[n++] = rfbSecTypeVencrypt;
} else if (tlsvnc_mode == TLSVNC_SOLE && !ssl_verify) { } else if (anontls_mode == ANONTLS_SOLE && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc; buf[n++] = rfbSecTypeAnonTls;
} else { } else {
if (vencrypt_mode == VENCRYPT_SUPPORT) { if (vencrypt_mode == VENCRYPT_SUPPORT) {
buf[n++] = rfbSecTypeVencrypt; buf[n++] = rfbSecTypeVencrypt;
} }
if (tlsvnc_mode == TLSVNC_SUPPORT && !ssl_verify) { if (anontls_mode == ANONTLS_SUPPORT && !ssl_verify) {
buf[n++] = rfbSecTypeTlsVnc; buf[n++] = rfbSecTypeAnonTls;
} }
} }
@ -3026,7 +3057,7 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
} }
if (buf[0] == rfbSecTypeVencrypt) stype = "VeNCrypt"; if (buf[0] == rfbSecTypeVencrypt) stype = "VeNCrypt";
if (buf[0] == rfbSecTypeTlsVnc) stype = "TLSVNC"; if (buf[0] == rfbSecTypeAnonTls) stype = "ANONTLS";
rfbLog("check_vnc_tls_mode: reply: %d (%s)\n", (int) buf[0], stype); rfbLog("check_vnc_tls_mode: reply: %d (%s)\n", (int) buf[0], stype);
@ -3051,8 +3082,8 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
if (sectype == rfbSecTypeVencrypt) { if (sectype == rfbSecTypeVencrypt) {
return vencrypt_dialog(s_in, s_out); return vencrypt_dialog(s_in, s_out);
} else if (sectype == rfbSecTypeTlsVnc) { } else if (sectype == rfbSecTypeAnonTls) {
return tlsvnc_dialog(s_in, s_out); return anontls_dialog(s_in, s_out);
} else { } else {
return 0; return 0;
} }
@ -3088,11 +3119,15 @@ static void pr_ssl_info(int verb) {
} }
static void ssl_timeout (int sig) { static void ssl_timeout (int sig) {
rfbLog("sig: %d, ssl_init timed out.\n", sig); int i;
rfbLog("sig: %d, ssl_init[%d] timed out.\n", sig, getpid());
for (i=0; i < 256; i) {
close(i);
}
exit(1); exit(1);
} }
static int ssl_init(int s_in, int s_out) { static int ssl_init(int s_in, int s_out, int skip_vnc_tls) {
unsigned char *sid = (unsigned char *) "x11vnc SID"; unsigned char *sid = (unsigned char *) "x11vnc SID";
char *name; char *name;
int peerport = 0; int peerport = 0;
@ -3112,7 +3147,10 @@ static int ssl_init(int s_in, int s_out) {
} }
if (db) fprintf(stderr, "ssl_init: %d/%d\n", s_in, s_out); if (db) fprintf(stderr, "ssl_init: %d/%d\n", s_in, s_out);
if (!check_vnc_tls_mode(s_in, s_out)) { if (skip_vnc_tls) {
rfbLog("SSL: ssl_helper[%d]: HTTPS mode, skipping check_vnc_tls_mode()\n",
getpid(), name, peerport);
} else if (!check_vnc_tls_mode(s_in, s_out)) {
return 0; return 0;
} }
@ -3305,7 +3343,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
time_t start; time_t start;
int tv_https_early = 60; int tv_https_early = 60;
int tv_https_later = 20; int tv_https_later = 20;
int tv_vnc_early = 25; int tv_vnc_early = 40;
int tv_vnc_later = 43200; /* was 300, stunnel: 43200 */ int tv_vnc_later = 43200; /* was 300, stunnel: 43200 */
int tv_cutover = 70; int tv_cutover = 70;
int tv_closing = 60; int tv_closing = 60;
@ -3374,7 +3412,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
cptr = 0; /* offsets into ABSIZE buffers */ cptr = 0; /* offsets into ABSIZE buffers */
sptr = 0; sptr = 0;
if (vencrypt_selected > 0 || tlsvnc_selected > 0) { if (vencrypt_selected > 0 || anontls_selected > 0) {
char tmp[16]; char tmp[16];
/* read and discard the extra RFB version */ /* read and discard the extra RFB version */
memset(tmp, 0, sizeof(tmp)); memset(tmp, 0, sizeof(tmp));
@ -3501,8 +3539,8 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
} }
continue; continue;
} }
rfbLog("SSL: ssl_xfer[%d]: connection timedout. %d\n", rfbLog("SSL: ssl_xfer[%d]: connection timedout. %d tv_use: %d\n",
getpid(), ndata); getpid(), ndata, tv_use);
/* connection finished */ /* connection finished */
return; return;
} }
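Review bot: The SIGALRM handler ssl_timeout introduced at L745–L752 has, as rendered on this page, no increment in its descriptor-closing loop (`for (i=0; i < 256; i) {`), so when the ssl_init timer fires the helper spins at 100% CPU instead of exiting, and a peer that connects and never finishes the handshake leaves a hung helper behind; if the `++` was merely lost in rendering, disregard that part. Independently of the loop, the handler calls rfbLog() (stdio) and exit() (runs atexit handlers and flushes stdio), neither of which is async-signal-safe, so a timer that fires while ssl_init is itself inside rfbLog can deadlock on the stream lock rather than time out. I would write the loop as `for (i = 0; i < 256; i++) close(i);` and finish with `_exit(1);`, keeping the rfbLog line only with a comment acknowledging that it is best-effort and may block. ssl_timeout is fully visible in the hunk; ssl_init, which arms the timer, continues outside it.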

@ -394,7 +394,7 @@ char genCert[] =
" else\n" " else\n"
" echo \"the key and pretend to be your VNC client. The downside is it is\"\n" " echo \"the key and pretend to be your VNC client. The downside is it is\"\n"
" fi\n" " fi\n"
" echo \"inconvenient because you will have to supply the passphrase every\"\n" " echo \"inconvenient because you will need to supply the passphrase EVERY\"\n"
" if [ \"x$type\" = \"xserver\" ]; then\n" " if [ \"x$type\" = \"xserver\" ]; then\n"
" echo \"time you start x11vnc using this key.\"\n" " echo \"time you start x11vnc using this key.\"\n"
" else\n" " else\n"
@ -402,9 +402,24 @@ char genCert[] =
" fi\n" " fi\n"
" echo \"\"\n" " echo \"\"\n"
" if [ \"X$GENCERT_NOPROMPT\" = \"X\" ]; then\n" " if [ \"X$GENCERT_NOPROMPT\" = \"X\" ]; then\n"
" printf \"Protect key with a passphrase? [y]/n \"\n" " x=\"\"\n"
" for tp in 1 2 3\n"
" do\n"
" printf \"Protect key with a passphrase? y/n \"\n"
" read x\n" " read x\n"
" x=`echo \"$x\" | tr 'A-Z' 'a-z' | sed -e 's/[ ]//g'`\n"
" if [ \"X$x\" = \"Xy\" -o \"X$x\" = \"Xn\" ]; then\n"
" break;\n"
" else \n" " else \n"
" echo \"Please reply with \\\"y\\\" or \\\"n\\\".\"\n"
" fi\n"
" done\n"
" if [ \"X$x\" != \"Xy\" -a \"X$x\" != \"Xn\" ]; then\n"
" echo \"Assuming reply \\\"n\\\".\"\n"
" x=n\n"
" fi\n"
" else\n"
" echo \"NOT protecting private key with passphrase.\"\n"
" x=n\n" " x=n\n"
" fi\n" " fi\n"
" estr=\" *unencrypted*\"\n" " estr=\" *unencrypted*\"\n"
@ -1273,12 +1288,17 @@ char create_display[] =
"\n" "\n"
"findfree() {\n" "findfree() {\n"
" try=20\n" " try=20\n"
" sry=99\n"
" if [ \"X$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\" != \"X\" ]; then\n"
" try=$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\n"
" sry=`expr $try + 99`\n"
" fi\n"
" n=\"\"\n" " n=\"\"\n"
" nsout=\"\"\n" " nsout=\"\"\n"
" if [ \"X$have_netstat\" != \"X\" ]; then\n" " if [ \"X$have_netstat\" != \"X\" ]; then\n"
" nsout=`$have_netstat -an`\n" " nsout=`$have_netstat -an`\n"
" fi\n" " fi\n"
" while [ $try -lt 99 ]\n" " while [ $try -lt $sry ]\n"
" do\n" " do\n"
" if [ ! -f \"/tmp/.X${try}-lock\" ]; then\n" " if [ ! -f \"/tmp/.X${try}-lock\" ]; then\n"
" if echo \"$nsout\" | grep \"/tmp/.X11-unix/X${try}[ ]*\\$\" > /dev/null; then\n" " if echo \"$nsout\" | grep \"/tmp/.X11-unix/X${try}[ ]*\\$\" > /dev/null; then\n"
@ -1517,6 +1537,7 @@ char create_display[] =
" sess=\"env $sess\"\n" " sess=\"env $sess\"\n"
" fi\n" " fi\n"
" redir_daemon=`echo \"$redir_daemon\" | sed -e 's/^,*//'`\n" " redir_daemon=`echo \"$redir_daemon\" | sed -e 's/^,*//'`\n"
" echo \"redir_daemon=$redir_daemon\" 1>&2\n"
"}\n" "}\n"
"\n" "\n"
"rchk() {\n" "rchk() {\n"
@ -1730,12 +1751,13 @@ char create_display[] =
"# fi\n" "# fi\n"
"\n" "\n"
" if [ \"X$redir_daemon\" != \"X\" -a \"X$result\" = \"X1\" ]; then\n" " if [ \"X$redir_daemon\" != \"X\" -a \"X$result\" = \"X1\" ]; then\n"
" redir_daemon=`echo \"$redir_daemon\" | sed -e 's|[^A-z0-9:,/]||g'`\n" " redir_daemon=`echo \"$redir_daemon\" | sed -e 's/[~!$&*()|;?<>\"]//g' -e \"s/'//g\"`\n"
" xprog=$X11VNC_PROG\n" " xprog=$X11VNC_PROG\n"
" if [ \"X$xprog\" = \"X\" ]; then\n" " if [ \"X$xprog\" = \"X\" ]; then\n"
" xprog=x11vnc\n" " xprog=x11vnc\n"
" fi\n" " fi\n"
" $have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd $redir_daemon\" 2>.tsd.log.$USER 1>&2 &\n" " echo \"running: $xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon'\" 1>&2\n"
" $have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon' &\" 2>.tsd.log.$USER 1>&2 &\n"
" fi\n" " fi\n"
"}\n" "}\n"
"\n" "\n"
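Review bot: The redir_daemon sanitiser at L854 moves from an allowlist (`s|[^A-z0-9:,/]||g`) to a denylist (`s/[~!$&*()|;?<>"]//g` plus `s/'//g`), and the only thing that then keeps the `sh -c` at L860 injection-free is the single quoting combined with the stripping of `'`; backtick, backslash, braces, `#`, whitespace and newlines all pass through and reach x11vnc's `-tsd` argument, whose later handling is not visible here, so any shell or file-name use downstream now depends on this denylist being complete. Since the value is a daemon/port spec and the old pattern only needed widening (the `A-z` range was itself a bug, admitting `[ \ ] ^ _` and backtick), I would keep the allowlist and extend it to whatever -tsd legitimately accepts, e.g. `redir_daemon=\`echo "$redir_daemon" | sed -e 's|[^A-Za-z0-9:,/._=-]||g'\``, adjusting the character class after checking the -tsd parser. The `echo "running: ..." 1>&2` at L859 is fine as a debug aid since it logs the auth file path, not its contents. The enclosing shell function starts outside the hunk.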

@ -414,6 +414,7 @@ Tuning
grow: grow:
fuzz: fuzz:
wait_ui: wait_ui:
setdefer:
nowait_bog nowait_bog
slow_fb: slow_fb:
xrefresh: xrefresh:
@ -6461,7 +6462,10 @@ proc do_port_prompt {} {
vncviewer $hn:1 vncviewer $hn:1
etc. etc.
You may also set some additional parameters: Your firewall may block incoming connections to TCP ports;
if it does you may need to reconfigure it.
You can also set some additional parameters:
- Enable SSL encryption. - Enable SSL encryption.
(requires an SSL enabled vncviewer, such as SSVNC) (requires an SSL enabled vncviewer, such as SSVNC)
@ -6477,9 +6481,24 @@ proc do_port_prompt {} {
wm protocol . WM_DELETE_WINDOW "destroy .; exit" wm protocol . WM_DELETE_WINDOW "destroy .; exit"
wm protocol .pp WM_DELETE_WINDOW "destroy .pp; exit" wm protocol .pp WM_DELETE_WINDOW "destroy .pp; exit"
label .pp.m -text "$text" -justify left -font $ffont label .pp.m -text "$text" -relief ridge -justify left -font $ffont
global tk_version
set tkold 0
if [info exists tk_version] {
if [regexp {^8\.[0-3]$} $tk_version] {
set tkold 1
}
if [regexp {^[3-7]\.} $tk_version] {
set tkold 1
}
}
if {$tkold} {
frame .pp.f -bd 1 -relief ridge
} else {
frame .pp.f -bd 1 -relief ridge -pady 2 frame .pp.f -bd 1 -relief ridge -pady 2
}
label .pp.f.l -text "Port: " label .pp.f.l -text "Port: "
entry .pp.f.e -width 8 -textvariable port_set entry .pp.f.e -width 8 -textvariable port_set
global enable_ssl; set enable_ssl 0 global enable_ssl; set enable_ssl 0
@ -6495,7 +6514,11 @@ proc do_port_prompt {} {
pack .pp.f.l .pp.f.e -side left pack .pp.f.l .pp.f.e -side left
pack .pp.f.loc .pp.f.ssl -side right pack .pp.f.loc .pp.f.ssl -side right
if {$tkold} {
frame .pp.t -bd 1 -relief ridge
} else {
frame .pp.t -bd 1 -relief ridge -pady 2 frame .pp.t -bd 1 -relief ridge -pady 2
}
global file_transfer; set file_transfer "none" global file_transfer; set file_transfer "none"
if [info exists env(X11VNC_FILETRANSFER_ENABLED)] { if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {
set file_transfer $env(X11VNC_FILETRANSFER_ENABLED) set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)

@ -425,6 +425,7 @@ char gui_code[] = "";
" grow:\n" " grow:\n"
" fuzz:\n" " fuzz:\n"
" wait_ui:\n" " wait_ui:\n"
" setdefer:\n"
" nowait_bog\n" " nowait_bog\n"
" slow_fb:\n" " slow_fb:\n"
" xrefresh:\n" " xrefresh:\n"
@ -6472,7 +6473,10 @@ char gui_code[] = "";
" vncviewer $hn:1\n" " vncviewer $hn:1\n"
" etc.\n" " etc.\n"
"\n" "\n"
" You may also set some additional parameters:\n" " Your firewall may block incoming connections to TCP ports;\n"
" if it does you may need to reconfigure it. \n"
" \n"
" You can also set some additional parameters:\n"
"\n" "\n"
" - Enable SSL encryption.\n" " - Enable SSL encryption.\n"
" (requires an SSL enabled vncviewer, such as SSVNC) \n" " (requires an SSL enabled vncviewer, such as SSVNC) \n"
@ -6488,9 +6492,24 @@ char gui_code[] = "";
" wm protocol . WM_DELETE_WINDOW \"destroy .; exit\"\n" " wm protocol . WM_DELETE_WINDOW \"destroy .; exit\"\n"
" wm protocol .pp WM_DELETE_WINDOW \"destroy .pp; exit\"\n" " wm protocol .pp WM_DELETE_WINDOW \"destroy .pp; exit\"\n"
"\n" "\n"
" label .pp.m -text \"$text\" -justify left -font $ffont\n" " label .pp.m -text \"$text\" -relief ridge -justify left -font $ffont\n"
"\n"
" global tk_version\n"
" set tkold 0\n"
" if [info exists tk_version] {\n"
" if [regexp {^8\\.[0-3]$} $tk_version] {\n"
" set tkold 1\n"
" }\n"
" if [regexp {^[3-7]\\.} $tk_version] {\n"
" set tkold 1\n"
" }\n"
" }\n"
"\n" "\n"
" if {$tkold} {\n"
" frame .pp.f -bd 1 -relief ridge\n"
" } else {\n"
" frame .pp.f -bd 1 -relief ridge -pady 2\n" " frame .pp.f -bd 1 -relief ridge -pady 2\n"
" }\n"
" label .pp.f.l -text \"Port: \"\n" " label .pp.f.l -text \"Port: \"\n"
" entry .pp.f.e -width 8 -textvariable port_set\n" " entry .pp.f.e -width 8 -textvariable port_set\n"
" global enable_ssl; set enable_ssl 0\n" " global enable_ssl; set enable_ssl 0\n"
@ -6506,7 +6525,11 @@ char gui_code[] = "";
" pack .pp.f.l .pp.f.e -side left\n" " pack .pp.f.l .pp.f.e -side left\n"
" pack .pp.f.loc .pp.f.ssl -side right\n" " pack .pp.f.loc .pp.f.ssl -side right\n"
"\n" "\n"
" if {$tkold} {\n"
" frame .pp.t -bd 1 -relief ridge\n"
" } else {\n"
" frame .pp.t -bd 1 -relief ridge -pady 2\n" " frame .pp.t -bd 1 -relief ridge -pady 2\n"
" }\n"
" global file_transfer; set file_transfer \"none\"\n" " global file_transfer; set file_transfer \"none\"\n"
" if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {\n" " if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {\n"
" set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)\n" " set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)\n"

@ -224,12 +224,12 @@ static char **user_list(char *user_str) {
n++; n++;
} }
} }
list = (char **) malloc((n+1)*sizeof(char *)); list = (char **) calloc((n+1)*sizeof(char *), 1);
p = strtok(user_str, ","); p = strtok(user_str, ",");
i = 0; i = 0;
while (p) { while (p) {
list[i++] = p; list[i++] = strdup(p);
p = strtok(NULL, ","); p = strtok(NULL, ",");
} }
list[i] = NULL; list[i] = NULL;
@ -327,6 +327,8 @@ static int lurk(char **users) {
gid_t gid; gid_t gid;
int success = 0, dmin = -1, dmax = -1; int success = 0, dmin = -1, dmax = -1;
char *p, *logins, **u; char *p, *logins, **u;
char **list;
int lind;
if ((u = users) != NULL && *u != NULL && *(*u) == ':') { if ((u = users) != NULL && *u != NULL && *(*u) == ':') {
int len; int len;
@ -403,12 +405,23 @@ static int lurk(char **users) {
logins = get_login_list(1); logins = get_login_list(1);
} }
list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
lind = 0;
p = strtok(logins, ","); p = strtok(logins, ",");
while (p) { while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, ",");
}
free(logins);
lind = 0;
while (list[lind] != NULL) {
char *user, *name, *home, dpystr[10]; char *user, *name, *home, dpystr[10];
char *q, *t; char *q, *t;
int ok = 1, dn; int ok = 1, dn;
p = list[lind++];
t = strdup(p); /* bob:0 */ t = strdup(p); /* bob:0 */
q = strchr(t, ':'); q = strchr(t, ':');
if (! q) { if (! q) {
@ -442,7 +455,6 @@ static int lurk(char **users) {
} }
if (! ok) { if (! ok) {
p = strtok(NULL, ",");
continue; continue;
} }
@ -464,10 +476,14 @@ static int lurk(char **users) {
if (success) { if (success) {
break; break;
} }
}
p = strtok(NULL, ","); lind = 0;
while (list[lind] != NULL) {
free(list[lind]);
lind++;
} }
free(logins);
return success; return success;
} }
@ -502,6 +518,8 @@ static int guess_user_and_switch(char *str, int fb_mode) {
char *dstr, *d; char *dstr, *d;
char *p, *tstr = NULL, *allowed = NULL, *logins, **users = NULL; char *p, *tstr = NULL, *allowed = NULL, *logins, **users = NULL;
int dpy1, ret = 0; int dpy1, ret = 0;
char **list;
int lind;
RAWFB_RET(0) RAWFB_RET(0)
@ -528,11 +546,22 @@ static int guess_user_and_switch(char *str, int fb_mode) {
/* loop over the utmpx entries looking for this display */ /* loop over the utmpx entries looking for this display */
logins = get_login_list(1); logins = get_login_list(1);
list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
lind = 0;
p = strtok(logins, ","); p = strtok(logins, ",");
while (p) { while (p) {
list[lind++] = strdup(p);
p = strtok(NULL, ",");
}
lind = 0;
while (list[lind] != NULL) {
char *user, *q, *t; char *user, *q, *t;
int dpy2, ok = 1; int dpy2, ok = 1;
p = list[lind++];
t = strdup(p); t = strdup(p);
q = strchr(t, ':'); q = strchr(t, ':');
if (! q) { if (! q) {
@ -559,7 +588,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
if (! ok) { if (! ok) {
free(t); free(t);
p = strtok(NULL, ",");
continue; continue;
} }
if (switch_user(user, fb_mode)) { if (switch_user(user, fb_mode)) {
@ -568,8 +596,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
ret = 1; ret = 1;
break; break;
} }
p = strtok(NULL, ",");
} }
if (tstr) { if (tstr) {
free(tstr); free(tstr);
@ -1479,6 +1505,7 @@ static void loop_for_connect(int did_client_connect) {
} }
if (use_openssl && !inetd) { if (use_openssl && !inetd) {
check_openssl(); check_openssl();
check_https();
/* /*
* This is to handle an initial verify cert from viewer, * This is to handle an initial verify cert from viewer,
* they disconnect right after fetching the cert. * they disconnect right after fetching the cert.
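Review bot: The new token-list cleanup in lurk() at L1023–L1027 frees each `list[lind]` but never the array itself, so `list` (allocated at L995) leaks on every call, and in guess_user_and_switch() the list built at L1041–L1047 is not freed at all within the visible lines — neither its strdup'd entries nor the array — so each connection that reaches it leaks the whole login list. I would add `free(list);` right after the element-freeing loop in lurk() and mirror the same three-line loop plus `free(list);` in guess_user_and_switch() before the `if (tstr)` block at L1069. A short comment would also help the next reader, since the reason for copying the tokens is not visible in the code: `/* tokenize up front: switch_user() and its callees appear to use strtok() themselves, which would clobber our iteration — see 0.9.6 "strtok bugfixes" */` (hedged, inferred from the commit message). The strdup() results at L999 and L1045 are unchecked; with calloc the NULL simply ends iteration early, which is tolerable but worth a comment. guess_user_and_switch() continues beyond the hunk.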

@ -177,9 +177,9 @@ static double scr_key_bdpush_time, scr_mouse_bdpush_time;
static void parse_scroll_copyrect_str(char *scr) { static void parse_scroll_copyrect_str(char *scr) {
char *p, *str; char *p, *str;
int i; int i;
char *part[10]; char *part[16];
for (i=0; i<10; i++) { for (i=0; i<16; i++) {
part[i] = NULL; part[i] = NULL;
} }
@ -194,6 +194,7 @@ static void parse_scroll_copyrect_str(char *scr) {
while (p) { while (p) {
part[i++] = strdup(p); part[i++] = strdup(p);
p = strtok(NULL, ","); p = strtok(NULL, ",");
if (i >= 16) break;
} }
free(str); free(str);
@ -301,9 +302,9 @@ static char *wireframe_mods = NULL;
static void parse_wireframe_str(char *wf) { static void parse_wireframe_str(char *wf) {
char *p, *str; char *p, *str;
int i; int i;
char *part[10]; char *part[16];
for (i=0; i<10; i++) { for (i=0; i<16; i++) {
part[i] = NULL; part[i] = NULL;
} }
@ -327,6 +328,7 @@ static void parse_wireframe_str(char *wf) {
while (p) { while (p) {
part[i++] = strdup(p); part[i++] = strdup(p);
p = strtok(NULL, ","); p = strtok(NULL, ",");
if (i >= 16) break;
} }
free(str); free(str);
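Review bot: The new bound `if (i >= 16) break;` at L1092 and L1107 is the right fix for the overflow, but the literal 16 is now repeated three times in each of parse_scroll_copyrect_str() and parse_wireframe_str() (array size, init loop, break), and the hidden consumer loops presumably repeat it again; tying the check to the array, `if (i >= (int)(sizeof part / sizeof part[0])) break;`, or a single `#define MAX_PARTS 16` shared by both functions, keeps the bound from drifting the next time the array grows. Tokens past the limit are dropped silently, so a one-line `rfbLog("%s: ignoring extra fields after %d\n", ...)` in the break path would make misconfiguration visible. Both functions continue past the hunk.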

@ -333,10 +333,7 @@ char **create_str_list(char *cslist) {
} }
/* the extra last one holds NULL */ /* the extra last one holds NULL */
list = (char **) malloc( (n+1)*sizeof(char *) ); list = (char **) calloc((n+1)*sizeof(char *), 1);
for(i=0; i < n+1; i++) {
list[i] = NULL;
}
p = strtok(str, ","); p = strtok(str, ",");
i = 0; i = 0;

@ -1,8 +1,8 @@
.\" This file was automatically generated from x11vnc -help output. .\" This file was automatically generated from x11vnc -help output.
.TH X11VNC "1" "November 2008" "x11vnc " "User Commands" .TH X11VNC "1" "December 2008" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.9.6, lastmod: 2008-11-22 version: 0.9.6, lastmod: 2008-12-08
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
@ -79,10 +79,12 @@ man pages for more info.
.PP .PP
\fB-N\fR \fB-N\fR
.IP .IP
If the X display is :N, try to set the VNC display If the X display is :N, try to set the VNC display to
to also be :N This just sets the \fB-rfbport\fR option also be :N This just sets the \fB-rfbport\fR option to 5900+N
to 5900+N. The program will exit immediately if that The program will exit immediately if that port is not
port is not available. available. The \fB-N\fR option only works with normal \fB-display\fR
usage, e.g. :0 or :8, \fB-N\fR is ignored in the \fB-display\fR
WAIT:..., \fB-create,\fR \fB-find,\fR \fB-svc,\fR \fB-redirect,\fR etc modes.
.PP .PP
\fB-autoport\fR \fIn\fR \fB-autoport\fR \fIn\fR
.IP .IP
@ -1156,13 +1158,13 @@ If 0 <= port < 200 it is taken as a VNC display (5900 is
added to get the actual port), if port < 0 then \fB-port\fR added to get the actual port), if port < 0 then \fB-port\fR
is used. is used.
.IP .IP
Probably the only reason to use the \fB-redirect\fR option is Probably the only reason to use the \fB-redirect\fR option
in conjunction with SSL support, e.g. \fB-ssl,\fR \fB-ssl\fR SAVE. is in conjunction with SSL support, e.g. \fB-ssl\fR SAVE.
This provides an easy way to add SSL encryption to a VNC This provides an easy way to add SSL encryption to a VNC
server that does not support SSL (e.g. Xvnc or vnc.so) server that does not support SSL (e.g. Xvnc or vnc.so)
In fact, the protocol does not even need to be VNC, In fact, the protocol does not even need to be VNC,
and so "\fB-ssl\fR \fISAVE \fB-redirect\fR host:port\fR" can act as a and so "\fB-rfbport\fR \fIport1 \fB-ssl\fR SAVE \fB-redirect\fR host:port2\fR"
replacement for can act as a replacement for
.IR stunnel (1). .IR stunnel (1).
.IP .IP
This mode only allows one redirected connection. This mode only allows one redirected connection.
@ -1304,6 +1306,9 @@ find one it will try to *start* up an X server session
for the user. This is the only time x11vnc tries to for the user. This is the only time x11vnc tries to
actually start up an X server. actually start up an X server.
.IP .IP
It will start looking for an open display number at :20
Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n
.IP
By default FINDCREATEDISPLAY will try Xdummy and then By default FINDCREATEDISPLAY will try Xdummy and then
Xvfb: Xvfb:
.IP .IP
@ -1429,14 +1434,14 @@ logged into the X console.
The VeNCrypt extension to the VNC protocol allows The VeNCrypt extension to the VNC protocol allows
encrypted SSL/TLS connections. If the \fB-ssl\fR mode is encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
enabled, then VeNCrypt is enabled as well BY DEFAULT enabled, then VeNCrypt is enabled as well BY DEFAULT
(they both use the SSL/TLS tunnel, only the protocol (they both use a SSL/TLS tunnel, only the protocol
handshake is a little different.) handshake is a little different.)
.IP .IP
To control when and how VeNCrypt is used, specify the To control when and how VeNCrypt is used, specify the
mode string. If mode is "never", then VeNCrypt is mode string. If mode is "never", then VeNCrypt is
not used. If mode is "support" (the default) then not used. If mode is "support" (the default) then
VeNCrypt is supported. If mode is "only", then the VeNCrypt is supported. If mode is "only", then the
similar and older TLSVNC protocol is not simultaneously similar and older ANONTLS protocol is not simultaneously
supported. x11vnc's normal SSL mode (vncs://) will be supported. x11vnc's normal SSL mode (vncs://) will be
supported under \fB-ssl\fR unless you set mode to "force". supported under \fB-ssl\fR unless you set mode to "force".
.IP .IP
@ -1446,14 +1451,16 @@ with "nox509:", then X509 key exchange is disabled.
.IP .IP
To disable all Anonymous Diffie-Hellman access To disable all Anonymous Diffie-Hellman access
(susceptible to Man-In-The-Middle attack) you will need (susceptible to Man-In-The-Middle attack) you will need
to supply "\fB-vencrypt\fR \fInodh:support \fB-tlsvnc\fR never\fR" to supply "\fB-vencrypt\fR \fInodh:support \fB-anontls\fR never\fR"
or "\fB-vencrypt\fR \fInodh:only\fR"
.IP .IP
If mode is prefixed with "newdh:", then new Diffie If mode is prefixed with "newdh:", then new Diffie
Hellman parameters are generated for each connection Hellman parameters are generated for each connection
(this can be time consuming: 1-60 secs) rather than (this can be time consuming: 1-60 secs; see \fB-dhparams\fR
using the fixed values in the program. Using fixed, below for a faster way) rather than using the
publicly known values is not known to be a security fixed values in the program. Using fixed, publicly
problem. This setting applies to TLSVNC as well. known values is not known to be a security problem.
This setting applies to ANONTLS as well.
.IP .IP
Long example: \fB-vencrypt\fR newdh:nox509:support Long example: \fB-vencrypt\fR newdh:nox509:support
.IP .IP
@ -1466,17 +1473,25 @@ provided.
You *MUST* supply the \fB-ssl\fR option for VeNCrypt to be You *MUST* supply the \fB-ssl\fR option for VeNCrypt to be
active. This option only fine-tunes its operation. active. This option only fine-tunes its operation.
.PP .PP
\fB-tlsvnc\fR \fImode\fR \fB-anontls\fR \fImode\fR
.IP .IP
The TLSVNC extension to the VNC protocol allows The ANONTLS extension to the VNC protocol allows
encrypted SSL/TLS connections. If the \fB-ssl\fR mode is encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
enabled, then TLSVNC is enabled as well BY DEFAULT enabled, then ANONTLS is enabled as well BY DEFAULT
(they both use the SSL/TLS tunnel, only the protocol (they both use a SSL/TLS tunnel, only the protocol
handshake is a little different.) handshake is a little different.)
.IP .IP
To control when and how TLSVNC is used, specify the ANONTLS is an older SSL/TLS mode introduced by vino.
mode string. If mode is "never", then TLSVNC is not .IP
used. If mode is "support" (the default) then TLSVNC It is referred to as 'TLS' for its registered VNC
security-type name, but we use the more descriptive
\'ANONTLS' here because it provides only Anonymous
Diffie-Hellman encrypted connections, and hence no
possibility for certificate authentication.
.IP
To control when and how ANONTLS is used, specify the
mode string. If mode is "never", then ANONTLS is not
used. If mode is "support" (the default) then ANONTLS
is supported. If mode is "only", then the similar is supported. If mode is "only", then the similar
VeNCrypt protocol is not simultaneously supported. VeNCrypt protocol is not simultaneously supported.
x11vnc's normal SSL mode (vncs://) will be supported x11vnc's normal SSL mode (vncs://) will be supported
@ -1484,25 +1499,33 @@ under \fB-ssl\fR unless you set mode to "force".
.IP .IP
If mode is prefixed with "newdh:", then new Diffie If mode is prefixed with "newdh:", then new Diffie
Hellman parameters are generated for each connection Hellman parameters are generated for each connection
(this can be time consuming: 1-60 secs) rather than (this can be time consuming: 1-60 secs; see \fB-dhparams\fR
using the fixed values in the program. Using fixed, below for a faster way) rather than using the
publicly known values is not known to be a security fixed values in the program. Using fixed, publicly
problem. This setting applies to VeNCrypt as well. known values is not known to be a security problem.
See the description of "plain:" under \fB-vencrypt.\fR This setting applies to VeNCrypt as well. See the
description of "plain:" under \fB-vencrypt.\fR
.IP .IP
Long example: \fB-tlsvnc\fR newdh:plain:support Long example: \fB-anontls\fR newdh:plain:support
.IP .IP
You *MUST* supply the \fB-ssl\fR option for TLSVNC to be You *MUST* supply the \fB-ssl\fR option for ANONTLS to be
active. This option only fine-tunes its operation. active. This option only fine-tunes its operation.
.PP .PP
\fB-sslonly\fR
.IP
Same as: "\fB-vencrypt\fR \fInever \fB-anontls\fR never\fR" i.e. it
disables the VeNCrypt and ANONTLS encryption methods
and only allows standard SSL tunneling. You must also
supply the \fB-ssl\fR ... option (see below.)
.PP
\fB-dhparams\fR \fIfile\fR \fB-dhparams\fR \fIfile\fR
.IP .IP
For some operations a set of Diffie Hellman parameters For some operations a set of Diffie Hellman parameters
(prime and generator) is needed. If so, use the (prime and generator) is needed. If so, use the
parameters in \fIfile\fR. In particular, the VeNCrypt and parameters in \fIfile\fR. In particular, the VeNCrypt and
TLSVNC anonymous DH mode need them. By default a ANONTLS anonymous DH mode need them. By default a
fixed set is used. If you do not want to do that you fixed set is used. If you do not want to do that you
can specify "newdh:" to the \fB-vencrypt\fR and \fB-tlsvnc\fR can specify "newdh:" to the \fB-vencrypt\fR and \fB-anontls\fR
options to generate a new set each session. If that options to generate a new set each session. If that
is too slow for you, use \fB-dhparams\fR file to a set you is too slow for you, use \fB-dhparams\fR file to a set you
created manually via "openssl dhparam \fB-out\fR file 1024" created manually via "openssl dhparam \fB-out\fR file 1024"
@ -1528,55 +1551,88 @@ ideas on how to enable SSL support for the viewer:
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
x11vnc provides an SSL enabled Java viewer applet in x11vnc provides an SSL enabled Java viewer applet in
the classes/ssl directory (-http or \fB-httpdir\fR options.) the classes/ssl directory (-http or \fB-httpdir\fR options.)
The SSVNC viewer package supports SSL too. The SSVNC viewer package supports SSL tunnels too.
.IP
If the VNC Viewer supports VeNCrypt or ANONTLS (vino's
encryption mode) they are also supported by the \fB-ssl\fR
mode (see the \fB-vencrypt\fR and \fB-anontls\fR options for more
info; use \fB-sslonly\fR to disable both of them.)
.IP .IP
[pem] is optional, use "\fB-ssl\fR \fI/path/to/mycert.pem\fR" to Use "\fB-ssl\fR \fI/path/to/mycert.pem\fR" to specify an SSL
specify a PEM certificate file to use to identify and certificate file in PEM format to use to identify and
provide a key for this server. See provide a key for this server. See
.IR openssl (1) .IR openssl (1)
for more for more
info about PEMs and the \fB-sslGenCert\fR and "\fB-ssl\fR \fISAVE\fR" info about PEMs and the \fB-sslGenCert\fR and "\fB-ssl\fR \fISAVE\fR"
options below for how to create them. options below for how to create them.
.IP .IP
The connecting VNC viewer SSL tunnel can (optionally) The connecting VNC viewer SSL tunnel can (at its option)
authenticate this server if they have the public key authenticate this server if it has the public key part
part of the certificate (or a common certificate of the certificate (or a common certificate authority,
authority, CA, is a more sophisticated way to CA, is a more sophisticated way to verify this server's
verify this server's cert, see \fB-sslGenCA\fR below). cert, see \fB-sslGenCA\fR below). This authentication is
This is used to prevent Man-In-The-Middle attacks. done to prevent Man-In-The-Middle attacks. Otherwise,
Otherwise, if the VNC viewer accepts this server's if the VNC viewer simply accepts this server's key
key WITHOUT verification, the traffic is protected WITHOUT verification, the traffic is protected from
from passive sniffing on the network, but *NOT* from passive sniffing on the network, but *NOT* from
Man-In-The-Middle attacks. There are hacker tools
like dsniff/webmitm and cain that implement SSL
Man-In-The-Middle attacks. Man-In-The-Middle attacks.
.IP .IP
If [pem] is not supplied and the If [pem] is empty or the string "SAVE" then the
.IR openssl (1)
command must be available to generate the
certificate the first time. A self-signed certificate
is generated (see \fB-sslGenCA\fR and \fB-sslGenCert\fR for use
of a Certificate Authority.) It will be saved to the
file ~/.vnc/certs/server.pem. On subsequent calls if
that file already exists it will be used directly.
.IP
Use "SAVE_NOPROMPT" to avoid being prompted to
protect the generated key with a passphrase. However in
\fB-inetd\fR and \fB-bg\fR modes there will be no prompting for a
passphrase in either case.
.IP
If [pem] is "SAVE_PROMPT" the server.pem certificate
will be created based on your answers to its prompts for
all info such as OrganizationalName, CommonName, etc.
.IP
Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
to refer to the file ~/.vnc/certs/server-<string>.pem
instead (it will be generated if it does not already
exist). E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
.IP
Examples: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
x11vnc \fB-ssl\fR SAVE-someother \fB-display\fR :0 ...
.IP
If [pem] is "TMP" and the
.IR openssl (1) .IR openssl (1)
utility utility
command exists in PATH, then a temporary, self-signed command exists in PATH, then a temporary, self-signed
certificate will be generated for this session certificate will be generated for this session. If
(this may take 5-30 seconds on very slow machines).
If
.IR openssl (1) .IR openssl (1)
cannot be used to generate a temporary cannot be used to generate a temporary
certificate x11vnc exits immediately. certificate x11vnc exits immediately. The temporary
cert will be discarded when x11vnc exits.
.IP .IP
If successful in using If successful in using
.IR openssl (1) .IR openssl (1)
to generate a to generate a
temporary certificate, the public part of it will be temporary certificate in "SAVE" or "TMP" creation
displayed to stderr (e.g. one could copy it to the modes, the public part of it will be displayed to stderr
client-side to provide authentication of the server to (e.g. one could copy it to the client-side to provide
VNC viewers.) authentication of the server to VNC viewers.)
.IP .IP
NOTE: Unless you safely copy the public part of the NOTE: In "TMP" mode, unless you safely copy the
temporary Cert to the viewer for authenticate *every public part of the temporary Cert to the viewer for
time* (unlikely...), then only passive sniffing authenticate *every time* (unlikely...), then only
attacks are prevented and you are still open to passive sniffing attacks are prevented and you are
Man-In-The-Middle attacks. See the following still open to Man-In-The-Middle attacks. This is
paragraphs for how to save keys to reuse them when why the default "SAVE" mode is preferred (and more
x11vnc is restarted. With saved keys AND the VNC viewer sophisticated CA mode too). Only with saved keys AND
authenticating them by using the public certificate, the VNC viewer authenticating them (via the public
then Man-In-The-Middle attacks are prevented. certificate), are Man-In-The-Middle attacks prevented.
.IP .IP
If [pem] is "ANON" then the Diffie-Hellman anonymous If [pem] is "ANON" then the Diffie-Hellman anonymous
key exchange method is used. In this mode there key exchange method is used. In this mode there
@ -1585,34 +1641,16 @@ to authenticate either the VNC server or VNC client.
Thus only passive network sniffing attacks are avoided: Thus only passive network sniffing attacks are avoided:
the "ANON" method is susceptible to Man-In-The-Middle the "ANON" method is susceptible to Man-In-The-Middle
attacks. "ANON" is not recommended; instead use attacks. "ANON" is not recommended; instead use
a SSL PEM you created or the "SAVE" method in the a SSL PEM you created or the defaut "SAVE" method.
next paragraph.
.IP
If [pem] is "SAVE" then the certificate will be saved
to the file ~/.vnc/certs/server.pem, or if that file
exists it will be used directly. Similarly, if [pem]
is "SAVE_PROMPT" the server.pem certificate will be
made based on your answers to its prompts for info such
as OrganizationalName, CommonName, etc.
.IP
We expect most users to use "\fB-ssl\fR \fISAVE\fR".
.IP
Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
to refer to the file ~/.vnc/certs/server-<string>.pem
instead. E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
.IP
Examples: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
x11vnc \fB-ssl\fR SAVE-other \fB-display\fR :0 ...
.IP .IP
See \fB-ssldir\fR below to use a directory besides the See \fB-ssldir\fR below to use a directory besides the
default ~/.vnc/certs default ~/.vnc/certs
.IP .IP
Misc Info: In temporary cert creation mode, set the Misc Info: In temporary cert creation mode "TMP", set
env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print
the entire certificate, including the PRIVATE KEY part, out the entire certificate, including the PRIVATE KEY
to stderr. There are better ways to get/save this info. part, to stderr. There are better ways to get/save this
See "SAVE" above and "\fB-sslGenCert\fR" below. info. See "SAVE" above and "\fB-sslGenCert\fR" below.
.PP .PP
\fB-ssltimeout\fR \fIn\fR \fB-ssltimeout\fR \fIn\fR
.IP .IP
@ -1665,7 +1703,7 @@ to replace standard password authentication of clients.
.IP .IP
If [path] is a directory it contains the client (or CA) If [path] is a directory it contains the client (or CA)
certificates in separate files. If [path] is a file, certificates in separate files. If [path] is a file,
it contains multiple certificates. See special tokens it contains one or more certificates. See special tokens
below. These correspond to the "CApath = dir" and below. These correspond to the "CApath = dir" and
"CAfile = file" stunnel options. See the "CAfile = file" stunnel options. See the
.IR stunnel (8) .IR stunnel (8)
@ -1727,19 +1765,19 @@ VNC-ing with x11vnc. (note that they require
.IR openssl (1) .IR openssl (1)
be installed on the system) be installed on the system)
.IP .IP
However, the simplest usage mode (where x11vnc However, the simplest usage mode, "\fB-ssl\fR \fITMP\fR" (where
automatically generates its own, self-signed, temporary x11vnc automatically generates its own, self-signed,
key and the VNC viewers always accept it, e.g. accepting temporary key and the VNC viewers always accept it,
via a dialog box) is probably safe enough for most e.g. accepting via a dialog box) is probably safe enough
scenarios. CA management is not needed. for most scenarios. CA management is not needed.
.IP .IP
To protect against Man-In-The-Middle attacks the To protect against Man-In-The-Middle attacks the "TMP"
simplest mode can be improved by using "\fB-ssl\fR \fISAVE\fR" mode can be improved by using "\fB-ssl\fR \fISAVE\fR" (same as
to have x11vnc create a longer term self-signed "\fB-ssl\fR", i.e. the default) to have x11vnc create a
certificate, and then (safely) copy the corresponding longer term self-signed certificate, and then (safely)
public key cert to the desired client machines (care copy the corresponding public key cert to the desired
must be taken the private key part is not stolen; client machines (care must be taken the private key part
you will be prompted for a passphrase). is not stolen; you will be prompted for a passphrase).
.IP .IP
So keep in mind no CA key creation or management So keep in mind no CA key creation or management
(-sslGenCA and \fB-sslGenCert)\fR is needed for either of (-sslGenCA and \fB-sslGenCert)\fR is needed for either of
@ -1766,7 +1804,7 @@ key files. On the VNC client side, they will need to
be "imported" somehow. Web browsers have "Manage be "imported" somehow. Web browsers have "Manage
Certificates" actions as does the Java applet plugin Certificates" actions as does the Java applet plugin
Control Panel. stunnel can also use these files (see Control Panel. stunnel can also use these files (see
the ss_vncviewer example script in the FAQ.) the ss_vncviewer example script in the FAQ and SSVNC.)
.PP .PP
\fB-sslCRL\fR \fIpath\fR \fB-sslCRL\fR \fIpath\fR
.IP .IP
@ -3898,6 +3936,8 @@ are moving the mouse or typing. Default: 2.00
When the \fB-wait_ui\fR mechanism cuts down the wait time ms, When the \fB-wait_ui\fR mechanism cuts down the wait time ms,
set the defer time to the same ms value. n=1 to enable, set the defer time to the same ms value. n=1 to enable,
0 to disable, and -1 to set defer to 0 (no delay). 0 to disable, and -1 to set defer to 0 (no delay).
Similarly, 2 and -2 indicate 'urgent_update' mode should
be used to push the updates even sooner. Default: 1
.PP .PP
\fB-nowait_bog\fR \fB-nowait_bog\fR
.IP .IP
@ -3912,10 +3952,11 @@ no user input), and sleep up to 1.5 secs to let things
.PP .PP
\fB-slow_fb\fR \fItime\fR \fB-slow_fb\fR \fItime\fR
.IP .IP
Floating point time in seconds delay all screen polling. Floating point time in seconds to delay all screen
For special purpose usage where a low frame rate is polling. For special purpose usage where a low frame
acceptable and desirable, but you want the user input rate is acceptable and desirable, but you want the
processed at the normal rate so you cannot use \fB-wait.\fR user input processed at the normal rate so you cannot
use \fB-wait.\fR
.PP .PP
\fB-xrefresh\fR \fItime\fR \fB-xrefresh\fR \fItime\fR
.IP .IP
@ -5219,6 +5260,8 @@ wait:n set \fB-wait\fR to n ms.
.IP .IP
wait_ui:f set \fB-wait_ui\fR factor to f. wait_ui:f set \fB-wait_ui\fR factor to f.
.IP .IP
setdefer:n set \fB-setdefer\fR to \fB-2,-1,0,1,\fR or 2.
.IP
wait_bog disable \fB-nowait_bog\fR mode. wait_bog disable \fB-nowait_bog\fR mode.
.IP .IP
nowait_bog enable \fB-nowait_bog\fR mode. nowait_bog enable \fB-nowait_bog\fR mode.
@ -5476,15 +5519,15 @@ nowireframe nowf wireframelocal wfl nowireframelocal
nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area
scr_skip scr_inc scr_keys scr_term scr_keyrepeat scr_skip scr_inc scr_keys scr_term scr_keyrepeat
scr_parms scrollcopyrect scr noscrollcopyrect noscr scr_parms scrollcopyrect scr noscrollcopyrect noscr
fixscreen noxrecord xrecord reset_record pointer_mode fixscreen noxrecord xrecord reset_record pointer_mode pm
pm input_skip allinput noallinput input grabkbd input_skip allinput noallinput input grabkbd nograbkbd
nograbkbd grabptr nograbptr grabalways nograbalways grabptr nograbptr grabalways nograbalways grablocal
grablocal client_input ssltimeout speeds wmdt client_input ssltimeout speeds wmdt debug_pointer dp
debug_pointer dp nodebug_pointer nodp debug_keyboard nodebug_pointer nodp debug_keyboard dk nodebug_keyboard
dk nodebug_keyboard nodk keycode deferupdate defer nodk keycode deferupdate defer setdefer wait_ui
wait_ui wait_bog nowait_bog slow_fb xrefresh wait wait_bog nowait_bog slow_fb xrefresh wait readtimeout
readtimeout nap nonap sb screen_blank fbpm nofbpm dpms nap nonap sb screen_blank fbpm nofbpm dpms nodpms
nodpms clientdpms noclientdpms forcedpms noforcedpms clientdpms noclientdpms forcedpms noforcedpms
noserverdpms serverdpms noultraext ultraext chatwindow noserverdpms serverdpms noultraext ultraext chatwindow
nochatwindow chaton chatoff fs gaps grow fuzz snapfb nochatwindow chaton chatoff fs gaps grow fuzz snapfb
nosnapfb rawfb uinput_accel uinput_thresh uinput_reset nosnapfb rawfb uinput_accel uinput_thresh uinput_reset

@ -243,6 +243,7 @@ void set_redir_properties(void);
#define TSMAX 32 #define TSMAX 32
#define TSSTK 16 #define TSSTK 16
void terminal_services(char *list) { void terminal_services(char *list) {
int i, j, n = 0, db = 1; int i, j, n = 0, db = 1;
char *p, *q, *r, *str = strdup(list); char *p, *q, *r, *str = strdup(list);
@ -257,6 +258,10 @@ void terminal_services(char *list) {
char num[32]; char num[32];
time_t last_clean = time(NULL); time_t last_clean = time(NULL);
if (getenv("TS_REDIR_DEBUG")) {
db = 2;
}
if (! dpy) { if (! dpy) {
return; return;
} }
@ -268,6 +273,8 @@ void terminal_services(char *list) {
PropModeReplace, (unsigned char *)list, strlen(list)); PropModeReplace, (unsigned char *)list, strlen(list));
XSync(dpy, False); XSync(dpy, False);
} }
if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d.\n");
for (i=0; i<TASKMAX; i++) { for (i=0; i<TASKMAX; i++) {
ts_tasks[i] = 0; ts_tasks[i] = 0;
} }
@ -544,12 +551,19 @@ void do_tsd(void) {
char *cmd; char *cmd;
int n, sz = 0; int n, sz = 0;
char *disp = DisplayString(dpy); char *disp = DisplayString(dpy);
int db = 0;
if (getenv("TS_REDIR_DEBUG")) {
db = 1;
}
if (db) fprintf(stderr, "do_tsd() in.\n");
prop[0] = '\0'; prop[0] = '\0';
a = XInternAtom(dpy, "TS_REDIR_LIST", False); a = XInternAtom(dpy, "TS_REDIR_LIST", False);
if (a != None) { if (a != None) {
get_prop(prop, 512, a); get_prop(prop, 512, a);
} }
if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d = '%s'\n", a, prop);
if (prop[0] == '\0') { if (prop[0] == '\0') {
return; return;
@ -662,6 +676,13 @@ static void check_redir_services(void) {
time_t tsd_last; time_t tsd_last;
int restart = 0; int restart = 0;
pid_t pid = 0; pid_t pid = 0;
int db = 0;
db = 0;
if (getenv("TS_REDIR_DEBUG")) {
db = 1;
}
if (db) fprintf(stderr, "check_redir_services in.\n");
if (! dpy) { if (! dpy) {
return; return;
@ -675,6 +696,7 @@ static void check_redir_services(void) {
pid = (pid_t) atoi(prop); pid = (pid_t) atoi(prop);
} }
} }
if (db) fprintf(stderr, "TS_REDIR_PID Atom: %d = '%s'\n", a, prop);
if (getenv("FD_TAG")) { if (getenv("FD_TAG")) {
a = XInternAtom(dpy, "FD_TAG", False); a = XInternAtom(dpy, "FD_TAG", False);
@ -685,6 +707,7 @@ static void check_redir_services(void) {
PropModeReplace, (unsigned char *)tag, strlen(tag)); PropModeReplace, (unsigned char *)tag, strlen(tag));
XSync(dpy, False); XSync(dpy, False);
} }
if (db) fprintf(stderr, "FD_TAG Atom: %d = '%s'\n", a, prop);
} }
prop[0] = '\0'; prop[0] = '\0';
@ -692,6 +715,7 @@ static void check_redir_services(void) {
if (a != None) { if (a != None) {
get_prop(prop, 512, a); get_prop(prop, 512, a);
} }
if (db) fprintf(stderr, "TS_REDIR Atom: %d = '%s'\n", a, prop);
if (prop[0] == '\0') { if (prop[0] == '\0') {
rfbLog("TS_REDIR is empty, restarting...\n"); rfbLog("TS_REDIR is empty, restarting...\n");
restart = 1; restart = 1;
@ -718,9 +742,11 @@ static void check_redir_services(void) {
kill(pid, SIGKILL); kill(pid, SIGKILL);
} }
do_tsd(); do_tsd();
if (db) fprintf(stderr, "check_redir_services restarted.\n");
return; return;
} }
if (db) fprintf(stderr, "check_redir_services, no restart, calling set_redir_properties.\n");
set_redir_properties(); set_redir_properties();
#endif #endif
} }
@ -1805,6 +1831,7 @@ int main(int argc, char* argv[]) {
int ncache_msg = 0; int ncache_msg = 0;
char *got_rfbport_str = NULL; char *got_rfbport_str = NULL;
int got_rfbport_pos = -1; int got_rfbport_pos = -1;
int got_tls = 0;
/* used to pass args we do not know about to rfbGetScreen(): */ /* used to pass args we do not know about to rfbGetScreen(): */
int argc_vnc_max = 1024; int argc_vnc_max = 1024;
@ -2188,6 +2215,7 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-http_ssl")) { if (!strcmp(arg, "-http_ssl")) {
try_http = 1; try_http = 1;
http_ssl = 1; http_ssl = 1;
got_tls++;
continue; continue;
} }
if (!strcmp(arg, "-avahi") || !strcmp(arg, "-mdns") || !strcmp(arg, "-zeroconf")) { if (!strcmp(arg, "-avahi") || !strcmp(arg, "-mdns") || !strcmp(arg, "-zeroconf")) {
@ -2357,6 +2385,7 @@ int main(int argc, char* argv[]) {
char *s; char *s;
CHECK_ARGC CHECK_ARGC
s = strdup(argv[++i]); s = strdup(argv[++i]);
got_tls++;
if (strstr(s, "never")) { if (strstr(s, "never")) {
vencrypt_mode = VENCRYPT_NONE; vencrypt_mode = VENCRYPT_NONE;
} else if (strstr(s, "support")) { } else if (strstr(s, "support")) {
@ -2385,18 +2414,19 @@ int main(int argc, char* argv[]) {
free(s); free(s);
continue; continue;
} }
if (!strcmp(arg, "-tlsvnc")) { if (!strcmp(arg, "-anontls")) {
char *s; char *s;
CHECK_ARGC CHECK_ARGC
s = strdup(argv[++i]); s = strdup(argv[++i]);
got_tls++;
if (strstr(s, "never")) { if (strstr(s, "never")) {
tlsvnc_mode = TLSVNC_NONE; anontls_mode = ANONTLS_NONE;
} else if (strstr(s, "support")) { } else if (strstr(s, "support")) {
tlsvnc_mode = TLSVNC_SUPPORT; anontls_mode = ANONTLS_SUPPORT;
} else if (strstr(s, "only")) { } else if (strstr(s, "only")) {
tlsvnc_mode = TLSVNC_SOLE; anontls_mode = ANONTLS_SOLE;
} else if (strstr(s, "force")) { } else if (strstr(s, "force")) {
tlsvnc_mode = TLSVNC_FORCE; anontls_mode = ANONTLS_FORCE;
} else { } else {
fprintf(stderr, "invalid %s arg: %s\n", arg, s); fprintf(stderr, "invalid %s arg: %s\n", arg, s);
exit(1); exit(1);
@ -2407,14 +2437,22 @@ int main(int argc, char* argv[]) {
free(s); free(s);
continue; continue;
} }
if (!strcmp(arg, "-sslonly")) {
vencrypt_mode = VENCRYPT_NONE;
anontls_mode = ANONTLS_NONE;
got_tls++;
continue;
}
if (!strcmp(arg, "-dhparams")) { if (!strcmp(arg, "-dhparams")) {
CHECK_ARGC CHECK_ARGC
dhparams_file = strdup(argv[++i]); dhparams_file = strdup(argv[++i]);
got_tls++;
continue; continue;
} }
if (!strcmp(arg, "-nossl")) { if (!strcmp(arg, "-nossl")) {
use_openssl = 0; use_openssl = 0;
openssl_pem = NULL; openssl_pem = NULL;
got_tls = -1000;
continue; continue;
} }
if (!strcmp(arg, "-ssl")) { if (!strcmp(arg, "-ssl")) {
@ -2422,9 +2460,21 @@ int main(int argc, char* argv[]) {
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
if (!strcmp(s, "ADH")) {
openssl_pem = strdup("ANON");
} else if (!strcmp(s, "ANONDH")) {
openssl_pem = strdup("ANON");
} else if (!strcmp(s, "TMP")) {
openssl_pem = NULL;
} else {
openssl_pem = strdup(s); openssl_pem = strdup(s);
}
i++; i++;
} else {
openssl_pem = strdup("SAVE");
} }
} else {
openssl_pem = strdup("SAVE");
} }
continue; continue;
} }
@ -2458,11 +2508,13 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-sslverify")) { if (!strcmp(arg, "-sslverify")) {
CHECK_ARGC CHECK_ARGC
ssl_verify = strdup(argv[++i]); ssl_verify = strdup(argv[++i]);
got_tls++;
continue; continue;
} }
if (!strcmp(arg, "-sslCRL")) { if (!strcmp(arg, "-sslCRL")) {
CHECK_ARGC CHECK_ARGC
ssl_crl = strdup(argv[++i]); ssl_crl = strdup(argv[++i]);
got_tls++;
continue; continue;
} }
if (!strcmp(arg, "-sslGenCA")) { if (!strcmp(arg, "-sslGenCA")) {
@ -2522,15 +2574,19 @@ int main(int argc, char* argv[]) {
sslEncKey(s, 2); sslEncKey(s, 2);
} }
exit(0); exit(0);
continue; continue;
} }
if (!strcmp(arg, "-stunnel")) { if (!strcmp(arg, "-stunnel")) {
use_stunnel = 1; use_stunnel = 1;
got_tls = -1000;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
if (!strcmp(s, "TMP")) {
stunnel_pem = NULL;
} else {
stunnel_pem = strdup(s); stunnel_pem = strdup(s);
}
i++; i++;
} }
} }
@ -2538,10 +2594,15 @@ int main(int argc, char* argv[]) {
} }
if (!strcmp(arg, "-stunnel3")) { if (!strcmp(arg, "-stunnel3")) {
use_stunnel = 3; use_stunnel = 3;
got_tls = -1000;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
if (!strcmp(s, "TMP")) {
stunnel_pem = NULL;
} else {
stunnel_pem = strdup(s); stunnel_pem = strdup(s);
}
i++; i++;
} }
} }
@ -2550,6 +2611,7 @@ int main(int argc, char* argv[]) {
if (!strcmp(arg, "-https")) { if (!strcmp(arg, "-https")) {
https_port_num = 0; https_port_num = 0;
try_http = 1; try_http = 1;
got_tls++;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
@ -2561,6 +2623,7 @@ int main(int argc, char* argv[]) {
} }
if (!strcmp(arg, "-httpsredir")) { if (!strcmp(arg, "-httpsredir")) {
https_port_redir = -1; https_port_redir = -1;
got_tls++;
if (i < argc-1) { if (i < argc-1) {
char *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
@ -3410,6 +3473,12 @@ int main(int argc, char* argv[]) {
use_snapfb = 1; use_snapfb = 1;
continue; continue;
} }
if (!strcmp(arg, "-rand")) {
/* equiv. to -nopw -rawfb rand for quick tests */
raw_fb_str = strdup("rand");
nopw = 1;
continue;
}
if (!strcmp(arg, "-rawfb")) { if (!strcmp(arg, "-rawfb")) {
CHECK_ARGC CHECK_ARGC
raw_fb_str = strdup(argv[++i]); raw_fb_str = strdup(argv[++i]);
@ -4091,6 +4160,18 @@ int main(int argc, char* argv[]) {
if (db) fprintf(stderr, "users_list: %s\n", users_list); if (db) fprintf(stderr, "users_list: %s\n", users_list);
} }
if (got_tls > 0 && !use_openssl) {
rfbLog("SSL: Error: you did not supply the '-ssl ...' option even\n");
rfbLog("SSL: though you supplied one of these related options:\n");
rfbLog("SSL: -sslonly, -sslverify, -sslCRL, -vencrypt, -anontls,\n");
rfbLog("SSL: -dhparams, -https, -http_ssl, or -httpsredir.\n");
rfbLog("SSL: Restart with, for example, '-ssl SAVE' on the cmd line.\n");
rfbLog("SSL: See the '-ssl' x11vnc -help description for more info.\n");
if (!getenv("X11VNC_FORCE_NO_OPENSSL")) {
exit(1);
}
}
if (unixpw) { if (unixpw) {
if (inetd) { if (inetd) {
use_stunnel = 0; use_stunnel = 0;
@ -5049,12 +5130,12 @@ if (0) fprintf(stderr, "XA: %s\n", getenv("XAUTHORITY"));
initialize_speeds(); initialize_speeds();
if (speeds_read_rate_measured > 100) { if (speeds_read_rate_measured > 80) {
/* framebuffer read is fast at > 100 MB/sec */ /* framebuffer read is fast at > 80 MB/sec */
if (! got_waitms) { if (! got_waitms) {
waitms /= 2; waitms /= 2;
if (waitms < 10) { if (waitms < 5) {
waitms = 10; waitms = 5;
} }
if (!quiet) { if (!quiet) {
rfbLog("fast read: reset wait ms to: %d\n", waitms); rfbLog("fast read: reset wait ms to: %d\n", waitms);
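Review bot: The debug line added in the terminal_services() hunk (`@ -268,6 +273,8 @@`), `if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d.\n");`, has a `%d` conversion but no matching argument, which is undefined behavior and will print whatever happens to be in the variadic slot; pass the Atom the preceding XChangeProperty() call used, e.g. `if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %lu.\n", (unsigned long)a);` if that local is named `a` as it is in do_tsd(). The same hunks in do_tsd() and check_redir_services() print an Xlib `Atom` with `%d` (`"TS_REDIR_LIST Atom: %d = '%s'\n", a, prop` and the TS_REDIR_PID, FD_TAG and TS_REDIR lines); Atom is an unsigned long, so `%lu` with a cast is the matching specifier. Since these lines are only reached when TS_REDIR_DEBUG is set they will not affect normal users, but a debug build with -Wformat should flag all of them. The enclosing functions start and end outside the hunks shown.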

@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.6 lastmod: 2008-11-22"; char lastmod[] = "0.9.6 lastmod: 2008-12-08";
/* X display info */ /* X display info */
