ssvnc: SOCKS support, PORT=, Verify all Certs and accepted certs logging. x11vnc SSL debugging output.

x11vnc/ChangeLog

@@ -1,3 +1,8 @@
+2007-05-16  Karl Runge <runge@karlrunge.com>
+	* x11vnc: print out peer host and port for debugging SSL. 
+	* ssvnc: rand check, SOCKS support, PORT=, Verify all Certs
+	  and accepted certs logging.
+
 2007-05-06  Karl Runge <runge@karlrunge.com>
 	* x11vnc: lower -wait and -defer to 20ms.  Change some SSL
 	  debug output.  Drop client doing ultravnc stuff in -unixpw

x11vnc/misc/enhanced_tightvnc_viewer/README

@@ -77,13 +77,19 @@ The enhanced TightVNC viewer features are:
 	- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
 	  with the front-end GUI or scripts if you like.
 
-	- Sets up any additional SSH port redirections that you desire.
+	- Sets up any additional SSH port redirections that you want.
 
 	- Support for native MacOS X usage with bundled Chicken of the
 	  VNC viewer.
 
+	- Reverse (viewer listening) VNC connections via SSL and SSH.
 
-	(these features only apply to the bundled Unix tightvnc viewer)
+	- Dynamic VNC Server Port determination and redirection (using
+	  ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
+	  print out PORT= at startup.
+
+
+	(the following features only apply to the bundled Unix tightvnc viewer)
 
 	- rfbNewFBSize VNC support (screen resizing)
 

x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer

@@ -325,6 +325,8 @@ if uname | grep Linux > /dev/null; then
 	inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
 elif uname | grep SunOS > /dev/null; then
 	inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'`
+elif uname | grep -i bsd > /dev/null; then
+	inuse=`netstat -ant -f inet | grep LISTEN | awk '{print $4}' | sed 's/^.*\.//'`
 # add others...
 fi
 
@@ -423,6 +425,31 @@ if echo "$0" | grep vncip > /dev/null; then
 	VNCVIEWERCMD="$VNCIPCMD"
 fi
 
+rchk() {
+	if [ "X$BASH_VERSION" = "X" ]; then
+		RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'`
+	fi
+}
+rchk
+
+mytmp() {
+	tf=$1
+	rm -rf "$tf" || exit 1
+	if [ -d "$tf" ]; then
+		echo "tmp file $tf still exists as a directory."
+		exit 1
+	elif [ -L "$tf" ]; then
+		echo "tmp file $tf still exists as a symlink."
+		exit 1
+	elif [ -f "$tf" ]; then
+		echo "tmp file $tf still exists."
+		exit 1
+	fi
+	touch "$tf" || exit 1
+	chmod 600 "$tf" || exit 1
+	rchk
+}
+
 if [ "X$use_ssh" = "X1" ]; then
 	ssh_port="22"
 	ssh_host="$host"
@@ -483,28 +510,88 @@ if [ "X$use_ssh" = "X1" ]; then
 	if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then
 		C="-C"
 	fi
-	if [ "X$reverse" = "X" ]; then
+
+	getport=""
+	if echo "$ssh_cmd" | egrep "^(PORT=|P=)" > /dev/null; then
+		getport=1
+		PORT=""
+		ssh_cmd=`echo "$ssh_cmd" | sed -e 's/^PORT=[ 	]*//' -e 's/^P=//'`
+		SSVNC_NO_ENC_WARN=1
+		if [ "X$use_sshssl" = "X" ]; then
+			direct_connect=1
+		fi
+	fi
+	if [ "X$getport" != "X" ]; then
+		ssh_redir="-D ${use}"
+	elif [ "X$reverse" = "X" ]; then
 		ssh_redir="-L ${use}:${vnc_host}:${port}"
 	else
 		ssh_redir="-R ${port}:${vnc_host}:${use}"
 	fi
 	pmark=`sh -c 'echo $$'`
+
 	# the -t option actually speeds up typing response via VNC!!
+
 	if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then
 		echo "$ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host \"$info\""
 		echo ""
 		$ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host "$ssh_cmd"
 		exit $?
+
 	elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then
 		echo "$ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
 		echo ""
 		$ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
+		rc=$?
+
+	elif [ "X$getport" != "X" ]; then
+		echo "$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
+		echo ""
+
+		tport=/tmp/tport${RANDOM}.$$
+		mytmp $tport
+		$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" > $tport 
+		rc=$?
+
+		stty sane
+		i=0
+		while [ $i -lt 10 ]; do
+			sleep 1
+			PORT=`grep "^PORT=" $tport | head -1 | sed -e 's/PORT=//' -e 's/\r//g'`
+			if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
+				break
+			fi
+			vnss=`sed -e 's/\r//g' $tport | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9[0-9]*$' | head -1 | awk '{print $NF}'`
+			if [ "X$vnss" != "X" ]; then
+				PORT=`echo "$vnss" | awk -F: '{print $2}'`
+				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
+					if [ $PORT -lt 100 ]; then
+						PORT=`expr $PORT + 5900`
+					fi
+				fi
+				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
+					break
+				fi
+			fi
+			i=`expr $i + 1`
+		done
+
+		echo "PORT=$PORT" 1>&2
+		PPROXY_SOCKS=1
+		export PPROXY_SOCKS
+		host="localhost"
+		port="$PORT"
+		proxy="localhost:$use"
+		rm -f $tport
+
 	else
 		echo "$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
 		echo ""
 		$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
+		rc=$?
 	fi
-	if [ "$?" != "0" ]; then
+
+	if [ "$rc" != "0" ]; then
 		echo ""
 		echo "ssh to $ssh_host failed."
 		exit 1
@@ -522,7 +609,9 @@ if [ "X$use_ssh" = "X1" ]; then
 		fi
 		c=`expr $c + 1`
 	done
-	if [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
+	if [ "X$getport" != "X" ]; then
+		:
+	elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
 		sleep 1
 	else
 		# let any command get started a bit.
@@ -532,7 +621,7 @@ if [ "X$use_ssh" = "X1" ]; then
 	#reset
 	stty sane
 	#echo "pssh=\"$pssh\""
-	if [ "X$use_sshssl" = "X" ]; then
+	if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then
 		echo "Running viewer:"
 
 		trap "final" 0 2 15
@@ -558,7 +647,12 @@ if [ "X$use_ssh" = "X1" ]; then
 		port=$use
 		use=$use2
 		N=`expr $use - 5900`
-		proxy=""
+		if [ "X$getport" != "X" ]; then
+			host="$host0"
+			port="$port0"
+		else
+			proxy=""
+		fi
 	fi
 fi
 
@@ -576,53 +670,33 @@ if [ "X$mycert" != "X" ]; then
 	cert="cert = $mycert"
 fi
 
-mytmp() {
-	tf=$1
-	rm -rf "$tf" || exit 1
-	if [ -d "$tf" ]; then
-		echo "tmp file $tf still exists as a directory."
-		exit 1
-	elif [ -L "$tf" ]; then
-		echo "tmp file $tf still exists as a symlink."
-		exit 1
-	elif [ -f "$tf" ]; then
-		echo "tmp file $tf still exists."
-		exit 1
-	fi
-	touch "$tf" || exit 1
-	chmod 600 "$tf" || exit 1
-}
-
-if echo "$RANDOM" | grep '[^0-9]' > /dev/null; then
-	RANDOM=`date +%S`
-fi
-
 pcode() {
 	tf=$1
-	SSVNC_PROXY=$proxy; export SSVNC_PROXY
-	SSVNC_DEST="$host:$port"; export SSVNC_DEST
+	PPROXY_PROXY=$proxy; export PPROXY_PROXY
+	PPROXY_DEST="$host:$port"; export PPROXY_DEST
 	cod='#!/usr/bin/perl
 
-# A hack to glue stunnel to a Web proxy for client connections.
+# A hack to glue stunnel to a Web proxy or SOCKS for client connections.
 
 use IO::Socket::INET;
 
-my ($first, $second) = split(/,/, $ENV{SSVNC_PROXY});
+my ($first, $second) = split(/,/, $ENV{PPROXY_PROXY});
 my ($proxy_host, $proxy_port) = split(/:/, $first);
-my $connect = $ENV{SSVNC_DEST};
+my $connect = $ENV{PPROXY_DEST};
 
-print STDERR "\nperl script for web proxing:\n";
+print STDERR "\nPPROXY v0.0: a tool for Web proxies and SOCKS connections.\n";
 print STDERR "proxy_host:       $proxy_host\n";
 print STDERR "proxy_port:       $proxy_port\n";
 print STDERR "proxy_connect:    $connect\n";
 
 my $listen_handle = "";
-if ($ENV{SSVNC_LISTEN} != "") {
+if ($ENV{PPROXY_LISTEN} != "") {
 	my $listen_sock = IO::Socket::INET->new(
 		Listen    => 2,
 		LocalAddr => "localhost",
-		LocalPort => $ENV{SSVNC_LISTEN},
-		Proto     => "tcp");
+		LocalPort => $ENV{PPROXY_LISTEN},
+		Proto     => "tcp"
+	);
 	if (! $listen_sock) {
 		die "perl proxy: $!\n";
 	}
@@ -636,7 +710,8 @@ if ($ENV{SSVNC_LISTEN} != "") {
 my $sock = IO::Socket::INET->new(
 	PeerAddr => $proxy_host,
 	PeerPort => $proxy_port,
-	Proto => "tcp");
+	Proto => "tcp"
+);
 
 if (! $sock) {
 	unlink($0);
@@ -644,24 +719,77 @@ if (! $sock) {
 }
 
 my $con = "";
-if ($second ne "") {
+my $con0 = "";
+if ($ENV{PPROXY_SOCKS} ne "") {
+	$second = "";
+	my ($h, $p) = split(/:/, $connect);
+	$con .= pack("C", 0x04);
+	$con .= pack("C", 0x01);
+	$con .= pack("n", $p);
+
+	my $SOCKS_4a = 0;
+	if ($h eq "localhost" || $h eq "127.0.0.1") {
+		$con .= pack("C", 127);
+		$con .= pack("C", 0);
+		$con .= pack("C", 0);
+		$con .= pack("C", 1);
+	} elsif ($h =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
+		$con .= pack("C", $1);
+		$con .= pack("C", $2);
+		$con .= pack("C", $3);
+		$con .= pack("C", $4);
+	} else {
+		$con .= pack("C", 0);
+		$con .= pack("C", 0);
+		$con .= pack("C", 0);
+		$con .= pack("C", 3);
+		$SOCKS_4a = 1;
+	}
+
+	$con .= "nobody";
+	$con .= pack("C", 0);
+
+	if ($SOCKS_4a) {
+		$con .= $h;
+		$con .= pack("C", 0);
+	}
+	$con0 = "SOCKS4 via $proxy_host:$proxy_port to $h:$p\n\n";
+
+} elsif ($second ne "") {
 	$con = "CONNECT $second HTTP/1.1\r\n";
 	$con   .= "Host: $second\r\n\r\n";
+	$con0 = $con;
 } else {
 	$con = "CONNECT $connect HTTP/1.1\r\n";
 	$con   .= "Host: $connect\r\n\r\n";
+	$con0 = $con;
 }
 
-print STDERR "proxy_request1:\n$con";
+print STDERR "proxy_request1:\n$con0";
 print $sock $con;
 
 unlink($0);
 
 my $rep = "";
-while ($rep !~ /\r\n\r\n/) {
-	my $c = getc($sock);
-	print STDERR $c;
-	$rep .= $c;
+if ($ENV{PPROXY_SOCKS} ne "") {
+	$rep = "HTTP/1.0 200";
+	for (my $i = 0; $i < 8; $i++) {
+		my $c;
+		sysread($sock, $c, 1);
+		my $s = unpack("C", $c);
+		if ($i == 0) {
+			$rep = "" if $s != 0x0;
+		} elsif ($i == 1) {
+			$rep = "" if $s != 0x5a;
+		}
+	}
+} else {
+	while ($rep !~ /\r\n\r\n/) {
+		my $c;
+		sysread($sock, $c, 1);
+		print STDERR $c;
+		$rep .= $c;
+	}
 }
 if ($rep !~ m,HTTP/.* 200,) {
 	die "proxy error: $rep\n";
@@ -676,7 +804,8 @@ if ($second ne "") {
 
 	$rep = "";
 	while ($rep !~ /\r\n\r\n/) {
-		my $c = getc($sock);
+		my $c;
+		sysread($sock, $c, 1);
 		print STDERR $c;
 		$rep .= $c;
 	}
@@ -754,8 +883,8 @@ if [ "X$proxy" != "X" ]; then
 	if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then
 		if uname | grep Darwin >/dev/null; then
 			nd=`expr $use + 333`
-			SSVNC_LISTEN=$nd
-			export SSVNC_LISTEN
+			PPROXY_LISTEN=$nd
+			export PPROXY_LISTEN
 			$ptmp 2>/dev/null &
 			sleep 3
 			host="localhost"
@@ -773,8 +902,8 @@ fi
 
 if [ "X$showcert" = "X1" ]; then
 	if [ "X$proxy" != "X" ]; then
-		SSVNC_LISTEN=$use
-		export SSVNC_LISTEN
+		PPROXY_LISTEN=$use
+		export PPROXY_LISTEN
 		$ptmp 2>/dev/null &
 		sleep 3
 		host="localhost"
@@ -785,11 +914,13 @@ if [ "X$showcert" = "X1" ]; then
 fi
 
 if [ "X$direct_connect" != "X" ]; then
-	echo ""
-	echo "Running viewer for direct connection:"
-	echo ""
-	echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
-	echo ""
+	if [ "X$getport" = "X" ]; then
+		echo ""
+		echo "Running viewer for direct connection:"
+		echo ""
+		echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
+		echo ""
+	fi
 	if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then
 		sleep 1
 	elif type printf > /dev/null 2>&1; then
@@ -804,8 +935,8 @@ if [ "X$direct_connect" != "X" ]; then
 	fi
 	echo ""
 	if [ "X$ptmp" != "X" ]; then
-		SSVNC_LISTEN=$use
-		export SSVNC_LISTEN
+		PPROXY_LISTEN=$use
+		export PPROXY_LISTEN
 		$ptmp &
 		if [ "X$reverse" = "X" ]; then
 			sleep 2
@@ -830,8 +961,6 @@ if [ "X$direct_connect" != "X" ]; then
 	exit $?
 fi
 
-##debug = 7
-## debug = 6
 tmp=/tmp/ss_vncviewer${RANDOM}.$$
 mytmp "$tmp"
 

x11vnc/sslhelper.c

@@ -1322,6 +1322,7 @@ char *certret_str = NULL;
 
 void accept_openssl(int mode, int presock) {
 	int sock = -1, listen = -1, cport, csock, vsock;	
+	int peerport = 0;
 	int status, n, i, db = 0;
 	struct sockaddr_in addr;
 #ifdef __hpux
@@ -1441,8 +1442,10 @@ void accept_openssl(int mode, int presock) {
 
 	if (mode != OPENSSL_INETD) {
 		name = get_remote_host(sock);
+		peerport = get_remote_port(sock);
 	} else {
 		openssl_last_ip = get_remote_host(fileno(stdin));
+		peerport = get_remote_port(fileno(stdin));
 		if (openssl_last_ip) {
 			name = strdup(openssl_last_ip);
 		} else {
@@ -1452,10 +1455,10 @@ void accept_openssl(int mode, int presock) {
 	if (name) {
 		if (mode == OPENSSL_INETD) {
 			rfbLog("SSL: (inetd) spawning helper process "
-			    "to handle: %s\n", name);
+			    "to handle: %s:%d\n", name, peerport);
 		} else {
 			rfbLog("SSL: spawning helper process to handle: "
-			    "%s\n", name);
+			    "%s:%d\n", name, peerport);
 		}
 		free(name);
 		name = NULL;
@@ -1996,6 +1999,7 @@ static void ssl_timeout (int sig) {
 static int ssl_init(int s_in, int s_out) {
 	unsigned char *sid = (unsigned char *) "x11vnc SID";
 	char *name;
+	int peerport = 0;
 	int db = 0, rc, err;
 	int ssock = s_in;
 	double start = dnow();
@@ -2041,6 +2045,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 2\n");
 if (db > 1) fprintf(stderr, "ssl_init: 3\n");
 
 	name = get_remote_host(ssock);
+	peerport = get_remote_port(ssock);
 
 if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 
@@ -2066,29 +2071,29 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 		} else if (err == SSL_ERROR_WANT_READ) {
 
 			if (db) fprintf(stderr, "got SSL_ERROR_WANT_READ\n");
-			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n",
-			    getpid(), name);
+			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
+			    getpid(), name, peerport);
 			return 0;
 			
 		} else if (err == SSL_ERROR_WANT_WRITE) {
 
 			if (db) fprintf(stderr, "got SSL_ERROR_WANT_WRITE\n");
-			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n",
-			    getpid(), name);
+			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
+			    getpid(), name, peerport);
 			return 0;
 
 		} else if (err == SSL_ERROR_SYSCALL) {
 
 			if (db) fprintf(stderr, "got SSL_ERROR_SYSCALL\n");
-			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n",
-			    getpid(), name);
+			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
+			    getpid(), name, peerport);
 			return 0;
 
 		} else if (err == SSL_ERROR_ZERO_RETURN) {
 
 			if (db) fprintf(stderr, "got SSL_ERROR_ZERO_RETURN\n");
-			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n",
-			    getpid(), name);
+			rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
+			    getpid(), name, peerport);
 			return 0;
 
 		} else if (rc < 0) {
@@ -2118,7 +2123,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 		usleep(10 * 1000);
 	}
 
-	rfbLog("SSL: ssl_helper[%d]: SSL_accept() succeeded for: %s\n", getpid(), name);
+	rfbLog("SSL: ssl_helper[%d]: SSL_accept() succeeded for: %s:%d\n", getpid(), name, peerport);
 
 	if (SSL_get_verify_result(ssl) == X509_V_OK) {
 		X509 *x;

x11vnc/x11vnc.1

@@ -2,7 +2,7 @@
 .TH X11VNC "1" "May 2007" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.1, lastmod: 2007-05-06
+         version: 0.9.1, lastmod: 2007-05-16
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...

x11vnc/x11vnc.c

@@ -3230,7 +3230,7 @@ int main(int argc, char* argv[]) {
 		rfbLog("rfbRegisterTightVNCFileTransferExtension: 6\n");
 		rfbRegisterTightVNCFileTransferExtension();
 	} else {
-		rfbLog("rfbUnregisterTightVNCFileTransferExtension: 3\n");
+		if (0) rfbLog("rfbUnregisterTightVNCFileTransferExtension: 3\n");
 		rfbUnregisterTightVNCFileTransferExtension();
 	}
 #endif

x11vnc/x11vnc_defs.c

@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.1 lastmod: 2007-05-06";
+char lastmod[] = "0.9.1 lastmod: 2007-05-16";
 
 /* X display info */