From a1e5d55e356f4913169f6dd746b14548cc51695d Mon Sep 17 00:00:00 2001 From: runge Date: Wed, 17 Sep 2008 13:35:07 +0000 Subject: x11vnc: make -allow work in -ssl mode. --- x11vnc/ChangeLog | 3 +++ x11vnc/README | 38 +++++++++++++++++++++----------------- x11vnc/connections.c | 24 ++++++++++++++++++++++-- x11vnc/help.c | 32 ++++++++++++++++++-------------- x11vnc/sslhelper.c | 41 +++++++++++++++++++++++++++++++++++++++++ x11vnc/x11vnc.1 | 32 ++++++++++++++++++-------------- x11vnc/x11vnc_defs.c | 2 +- 7 files changed, 124 insertions(+), 48 deletions(-) diff --git a/x11vnc/ChangeLog b/x11vnc/ChangeLog index ca77aea..9dfcbc3 100644 --- a/x11vnc/ChangeLog +++ b/x11vnc/ChangeLog @@ -1,3 +1,6 @@ +2008-09-17 Karl Runge + * x11vnc: make -allow work in -ssl mode. + 2008-09-14 Karl Runge * x11vnc: -sleepin m-n for random sleep. More mktemp and mkstemp protections. SSL_INIT_TIMEOUT=n env. var. Fix macosx console diff --git a/x11vnc/README b/x11vnc/README index dbbf5d0..83ef17b 100644 --- a/x11vnc/README +++ b/x11vnc/README @@ -1,5 +1,5 @@ -x11vnc README file Date: Sun Sep 14 15:20:38 EDT 2008 +x11vnc README file Date: Tue Sep 16 10:02:40 EDT 2008 The following information is taken from these URLs: @@ -11808,7 +11808,7 @@ x11vnc: a VNC server for real X displays Here are all of x11vnc command line options: % x11vnc -opts (see below for -help long descriptions) -x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14 +x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16 x11vnc options: -display disp -auth file -N @@ -11928,7 +11928,7 @@ libvncserver-tight-extension options: % x11vnc -help -x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-14 +x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-09-16 (type "x11vnc -opts" to just list the options.) 
@@ -12475,10 +12475,13 @@ e Can also be a numerical IP prefix, e.g. "192.168.100." to match a simple subnet, for more control build libvncserver with libwrap support (See the FAQ). If the - list contains a "/" it instead is a interpreted as a - file containing addresses or prefixes that is re-read - each time a new client connects. Lines can be commented - out with the "#" character in the usual way. + list contains a "/" it instead is a interpreted + as a file containing addresses or prefixes that is + re-read each time a new client connects. Lines can be + commented out with the "#" character in the usual way. + + -allow applies in -ssl mode, but not in -stunnel mode. + -localhost Basically the same as "-allow 127.0.0.1". Note: if you want to restrict which network interface @@ -13601,7 +13604,7 @@ e For Windows, stunnel has been ported to it and there are probably other such tools available. See the FAQ - for more examples. + and SSVNC for more examples. -stunnel3 [pem] Use version 3.x stunnel command line syntax instead of version 4.x @@ -15769,7 +15772,9 @@ n proxy:host:port set reverse connection proxy (empty to disable). allowonce:host For the next connection only, allow - connection from "host". + connection from "host". In -ssl mode + two connections are allowed (i.e. Fetch + Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1 allow:hostlist set -allow list to (comma separated) "hostlist". See -allow and -localhost. Do not use with -allow /path/to/file 
@@ -16100,14 +16105,14 @@ n nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area scr_skip scr_inc scr_keys scr_term scr_keyrepeat scr_parms scrollcopyrect scr noscrollcopyrect noscr - fixscreen noxrecord xrecord reset_record pointer_mode - pm input_skip allinput noallinput input grabkbd - nograbkbd grabptr nograbptr grabalways nograbalways + fixscreen noxrecord xrecord reset_record pointer_mode pm + input_skip allinput noallinput input grabkbd nograbkbd + grabptr nograbptr grabalways nograbalways grablocal client_input ssltimeout speeds wmdt debug_pointer dp nodebug_pointer nodp debug_keyboard dk nodebug_keyboard - nodk deferupdate defer wait_ui wait_bog nowait_bog - slow_fb xrefresh wait readtimeout nap nonap sb - screen_blank fbpm nofbpm dpms nodpms clientdpms + nodk keycode deferupdate defer wait_ui wait_bog + nowait_bog slow_fb xrefresh wait readtimeout nap nonap + sb screen_blank fbpm nofbpm dpms nodpms clientdpms noclientdpms forcedpms noforcedpms noserverdpms serverdpms noultraext ultraext fs gaps grow fuzz snapfb nosnapfb rawfb uinput_accel uinput_thresh uinput_reset @@ -16123,7 +16128,7 @@ n nodbg macnosaver macsaver nomacnosaver macnowait macwait nomacnowait macwheel macnoswap macswap nomacnoswap macnoresize macresize nomacnoresize maciconanim macmenu - macnomenu nomacmenu noremote + macnomenu nomacmenu macuskbd nomacuskbd noremote aro= noop display vncdisplay desktopname guess_desktop http_url auth xauth users rootshift clipshift @@ -16141,7 +16146,6 @@ n dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd - -QD variable Just like -query variable, but returns the default value for that parameter (no running x11vnc server is consulted) diff --git a/x11vnc/connections.c b/x11vnc/connections.c index aa656df..1f06f3a 100644 --- a/x11vnc/connections.c +++ b/x11vnc/connections.c 
@@ -55,10 +55,10 @@ void check_new_clients(void); int accept_client(rfbClientPtr client); int run_user_command(char *cmd, rfbClientPtr client, char *mode, char *input, int len, FILE *output); +int check_access(char *addr); static rfbClientPtr *client_match(char *str); static void free_client_data(rfbClientPtr client); -static int check_access(char *addr); static void ugly_geom(char *p, int *x, int *y); static int ugly_window(char *addr, char *userhost, int X, int Y, int timeout, char *mode, int accept); @@ -800,10 +800,14 @@ void client_gone(rfbClientPtr client) { * Simple routine to limit access via string compare. A power user will * want to compile libvncserver with libwrap support and use /etc/hosts.allow. */ -static int check_access(char *addr) { +int check_access(char *addr) { int allowed = 0; + int ssl = 0; char *p, *list; + if (use_openssl || use_stunnel) { + ssl = 1; + } if (deny_all) { rfbLog("check_access: new connections are currently " "blocked.\n"); @@ -842,6 +846,10 @@ static int check_access(char *addr) { len2 = strlen(allow_once) + 2; len += len2; } + if (ssl) { + len2 = strlen("127.0.0.1") + 2; + len += len2; + } list = (char *) malloc(len); list[0] = '\0'; @@ -869,11 +877,19 @@ static int check_access(char *addr) { strcat(list, allow_once); strcat(list, "\n"); } + if (ssl) { + strcat(list, "\n"); + strcat(list, "127.0.0.1"); + strcat(list, "\n"); + } } else { int len = strlen(allow_list) + 1; if (allow_once) { len += strlen(allow_once) + 1; } + if (ssl) { + len += strlen("127.0.0.1") + 1; + } list = (char *) malloc(len); list[0] = '\0'; strcat(list, allow_list); @@ -881,6 +897,10 @@ static int check_access(char *addr) { strcat(list, ","); strcat(list, allow_once); } + if (ssl) { + strcat(list, ","); + strcat(list, "127.0.0.1"); + } } if (allow_once) { diff --git a/x11vnc/help.c b/x11vnc/help.c index 0e185c4..06ce6a3 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c 
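Review bot: In the `+int check_access(char *addr)` hunk, deriving `ssl` from `use_openssl || use_stunnel` makes the two later hunks append `127.0.0.1` to whatever allow list is in effect, so any connection libvncserver sees arriving over loopback passes this check no matter what -allow says; for -ssl the peer filtering therefore lives entirely in the caller in sslhelper.c, and for -stunnel there is none, which matches the new help text but is invisible to someone reading check_access on its own. A comment at the `if (use_openssl || use_stunnel)` line would make that explicit, e.g. `/* SSL/stunnel traffic reaches libvncserver over loopback; the real peer address is checked by check_ssl_access() in sslhelper.c (and not at all for -stunnel). */`. Dropping `static` also makes check_access external, but the patch only adds the prototype to connections.c's own list; unless a shared header already declares it, the new caller in sslhelper.c compiles against an implicit declaration. The same loopback entry is appended in the two following hunks (file-list and comma-list branches), so one comment at the flag covers both.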
@@ -566,10 +566,13 @@ void print_help(int mode) { " Can also be a numerical IP prefix, e.g. \"192.168.100.\"\n" " to match a simple subnet, for more control build\n" " libvncserver with libwrap support (See the FAQ). If the\n" -" list contains a \"/\" it instead is a interpreted as a\n" -" file containing addresses or prefixes that is re-read\n" -" each time a new client connects. Lines can be commented\n" -" out with the \"#\" character in the usual way.\n" +" list contains a \"/\" it instead is a interpreted\n" +" as a file containing addresses or prefixes that is\n" +" re-read each time a new client connects. Lines can be\n" +" commented out with the \"#\" character in the usual way.\n" +"\n" +" -allow applies in -ssl mode, but not in -stunnel mode.\n" +"\n" "-localhost Basically the same as \"-allow 127.0.0.1\".\n" "\n" " Note: if you want to restrict which network interface\n" @@ -1707,7 +1710,7 @@ void print_help(int mode) { "\n" " For Windows, stunnel has been ported to it and there\n" " are probably other such tools available. See the FAQ\n" -" for more examples.\n" +" and SSVNC for more examples.\n" "\n" "-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n" " version 4.x\n" @@ -3879,7 +3882,9 @@ void print_help(int mode) { " disable).\n" /* access */ " allowonce:host For the next connection only, allow\n" -" connection from \"host\".\n" +" connection from \"host\". In -ssl mode\n" +" two connections are allowed (i.e. Fetch\n" +" Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1\n" /* access */ " allow:hostlist set -allow list to (comma separated)\n" " \"hostlist\". See -allow and -localhost.\n" 
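Review bot: The reflowed -allow paragraph keeps the pre-existing wording `it instead is a interpreted as a file`; since these lines are being rewritten anyway, `it is instead interpreted as a file` reads correctly. The same sentence is repeated in the README and x11vnc.1 hunks of this commit, which appear to be generated from this string, so fixing it here should propagate.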
@@ -4212,14 +4217,14 @@ void print_help(int mode) { " nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n" " scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n" " scr_parms scrollcopyrect scr noscrollcopyrect noscr\n" -" fixscreen noxrecord xrecord reset_record pointer_mode\n" -" pm input_skip allinput noallinput input grabkbd\n" -" nograbkbd grabptr nograbptr grabalways nograbalways\n" +" fixscreen noxrecord xrecord reset_record pointer_mode pm\n" +" input_skip allinput noallinput input grabkbd nograbkbd\n" +" grabptr nograbptr grabalways nograbalways grablocal\n" " client_input ssltimeout speeds wmdt debug_pointer dp\n" " nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n" -" nodk deferupdate defer wait_ui wait_bog nowait_bog\n" -" slow_fb xrefresh wait readtimeout nap nonap sb\n" -" screen_blank fbpm nofbpm dpms nodpms clientdpms\n" +" nodk keycode deferupdate defer wait_ui wait_bog\n" +" nowait_bog slow_fb xrefresh wait readtimeout nap nonap\n" +" sb screen_blank fbpm nofbpm dpms nodpms clientdpms\n" " noclientdpms forcedpms noforcedpms noserverdpms\n" " serverdpms noultraext ultraext fs gaps grow fuzz snapfb\n" " nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n" @@ -4235,7 +4240,7 @@ void print_help(int mode) { " nodbg macnosaver macsaver nomacnosaver macnowait macwait\n" " nomacnowait macwheel macnoswap macswap nomacnoswap\n" " macnoresize macresize nomacnoresize maciconanim macmenu\n" -" macnomenu nomacmenu noremote\n" +" macnomenu nomacmenu macuskbd nomacuskbd noremote\n" "\n" " aro= noop display vncdisplay desktopname guess_desktop\n" " http_url auth xauth users rootshift clipshift\n" @@ -4253,7 +4258,6 @@ void print_help(int mode) { " dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n" " coff_x coff_y rfbauth passwd viewpasswd\n" "\n" -"\n" "-QD variable Just like -query variable, but returns the default\n" " value for that parameter (no running x11vnc server\n" " is consulted)\n" 
diff --git a/x11vnc/sslhelper.c b/x11vnc/sslhelper.c index 2b07535..d7fb06b 100644 --- a/x11vnc/sslhelper.c +++ b/x11vnc/sslhelper.c @@ -1227,6 +1227,9 @@ static void csock_timeout (int sig) { } } +#define PROXY_HACK 0 +#if PROXY_HACK + static int wait_conn(int sock) { int conn; struct sockaddr_in addr; @@ -1247,6 +1250,8 @@ static int wait_conn(int sock) { return conn; } +/* no longer used */ + int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie, int mode) { int sock1, db = 0; @@ -1321,6 +1326,31 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf); return 1; } +#endif /* PROXY_HACK */ + +static int check_ssl_access(char *addr) { + static char *save_allow_once = NULL; + static time_t time_allow_once = 0; + + /* due to "Fetch Cert" activities for SSL really need to "allow twice" */ + if (allow_once != NULL) { + save_allow_once = strdup(allow_once); + time_allow_once = time(NULL); + } else if (save_allow_once != NULL) { + if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) { + ; + } else if (time(NULL) < time_allow_once + 30) { + /* give them 30 secs to check and save the fetched cert. */ + allow_once = save_allow_once; + rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n"); + rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n"); + } + save_allow_once = NULL; + time_allow_once = 0; + } + + return check_access(addr); +} void accept_openssl(int mode, int presock) { int sock = -1, listen = -1, cport, csock, vsock; @@ -1407,6 +1437,17 @@ void accept_openssl(int mode, int presock) { openssl_last_ip = get_remote_host(sock); } + if (!check_ssl_access(openssl_last_ip)) { + rfbLog("SSL: accept_openssl: denying client %s\n", openssl_last_ip); + rfbLog("SSL: accept_openssl: does not match -allow (or other reason).\n"); + close(sock); + sock = -1; + if (ssl_no_fail) { + clean_up_exit(1); + } + return; + } + /* now make a listening socket for child to connect back to us by: */ cport = find_free_port(20000, 0); 
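Review bot: check_ssl_access leaks its saved copy on two paths: a later call with `allow_once` set overwrites `save_allow_once` via `strdup` without freeing the previous copy, and when `X11VNC_NO_SSL_ALLOW_TWICE` is set or the 30 s window has passed the pointer is cleared to NULL without `free`. Only the grace-period branch hands the buffer to `allow_once`, where check_access presumably releases it after use (that block begins where the connections.c hunk ends and is not visible here — confirm). The rewrite below frees the copy on the non-transfer paths; the unchecked `strdup` result is left as is, since a NULL there just means no grace period. The default behaviour now admits a second connection from the allowonce host within 30 s whether or not the first one was a certificate fetch, which deserves a header comment such as `/* allowonce admits a second connection from the same host within 30 s (SSVNC "Fetch Cert"); X11VNC_NO_SSL_ALLOW_TWICE=1 restores strict once-only. */`. The `#if PROXY_HACK` wrapping in the preceding hunks keeps dead code in the tree; deleting wait_conn/proxy_hack outright would be cleaner since history retains them.
```c
	if (allow_once != NULL) {
		free(save_allow_once);	/* drop a stale copy from an earlier connection */
		save_allow_once = strdup(allow_once);
		time_allow_once = time(NULL);
	} else if (save_allow_once != NULL) {
		if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
			free(save_allow_once);
		} else if (time(NULL) < time_allow_once + 30) {
			allow_once = save_allow_once;	/* ownership passes to allow_once */
			/* … unchanged: grace-period rfbLog calls … */
		} else {
			free(save_allow_once);
		}
		save_allow_once = NULL;
		time_allow_once = 0;
	}
```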
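Review bot: The new deny block in accept_openssl passes `openssl_last_ip` straight to check_ssl_access and to a `%s` rfbLog; if get_remote_host can return NULL (its definition is outside this diff) both calls are undefined, so guard with `if (openssl_last_ip == NULL || !check_ssl_access(openssl_last_ip)) {` and treat an unknown peer as denied. The `ssl_no_fail` branch also turns an access-list rejection into `clean_up_exit(1)`: a rejected peer is a policy outcome rather than an SSL setup failure, so with that option set a connection attempt from a host outside the -allow list would terminate the server, which is worth either dropping from this block or stating in the -allow help text. The rest of accept_openssl continues past the hunk.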
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1 index c3ba2bb..5317c1a 100644 --- a/x11vnc/x11vnc.1 +++ b/x11vnc/x11vnc.1 @@ -2,7 +2,7 @@ .TH X11VNC "1" "September 2008" "x11vnc " "User Commands" .SH NAME x11vnc - allow VNC connections to real X11 displays - version: 0.9.4, lastmod: 2008-09-14 + version: 0.9.4, lastmod: 2008-09-16 .SH SYNOPSIS .B x11vnc [OPTION]... @@ -657,10 +657,12 @@ the comma separated list of hostnames or IP addresses. Can also be a numerical IP prefix, e.g. "192.168.100." to match a simple subnet, for more control build libvncserver with libwrap support (See the FAQ). If the -list contains a "/" it instead is a interpreted as a -file containing addresses or prefixes that is re-read -each time a new client connects. Lines can be commented -out with the "#" character in the usual way. +list contains a "/" it instead is a interpreted +as a file containing addresses or prefixes that is +re-read each time a new client connects. Lines can be +commented out with the "#" character in the usual way. +.IP +\fB-allow\fR applies in \fB-ssl\fR mode, but not in \fB-stunnel\fR mode. .PP \fB-localhost\fR .IP @@ -1923,7 +1925,7 @@ on Unix using stunnel 3.x is: .IP For Windows, stunnel has been ported to it and there are probably other such tools available. See the FAQ -for more examples. +and SSVNC for more examples. .PP \fB-stunnel3\fR \fI[pem]\fR .IP @@ -4553,7 +4555,9 @@ proxy:host:port set reverse connection proxy (empty to disable). .IP allowonce:host For the next connection only, allow -connection from "host". +connection from "host". In \fB-ssl\fR mode +two connections are allowed (i.e. Fetch +Cert) unless X11VNC_NO_SSL_ALLOW_TWICE=1 .IP allow:hostlist set \fB-allow\fR list to (comma separated) "hostlist". See \fB-allow\fR and \fB-localhost.\fR 
@@ -5129,14 +5133,14 @@ nowireframe nowf wireframelocal wfl nowireframelocal nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area scr_skip scr_inc scr_keys scr_term scr_keyrepeat scr_parms scrollcopyrect scr noscrollcopyrect noscr -fixscreen noxrecord xrecord reset_record pointer_mode -pm input_skip allinput noallinput input grabkbd -nograbkbd grabptr nograbptr grabalways nograbalways +fixscreen noxrecord xrecord reset_record pointer_mode pm +input_skip allinput noallinput input grabkbd nograbkbd +grabptr nograbptr grabalways nograbalways grablocal client_input ssltimeout speeds wmdt debug_pointer dp nodebug_pointer nodp debug_keyboard dk nodebug_keyboard -nodk deferupdate defer wait_ui wait_bog nowait_bog -slow_fb xrefresh wait readtimeout nap nonap sb -screen_blank fbpm nofbpm dpms nodpms clientdpms +nodk keycode deferupdate defer wait_ui wait_bog +nowait_bog slow_fb xrefresh wait readtimeout nap nonap +sb screen_blank fbpm nofbpm dpms nodpms clientdpms noclientdpms forcedpms noforcedpms noserverdpms serverdpms noultraext ultraext fs gaps grow fuzz snapfb nosnapfb rawfb uinput_accel uinput_thresh uinput_reset @@ -5152,7 +5156,7 @@ debug_grabs nodebug_grabs debug_sel nodebug_sel dbg nodbg macnosaver macsaver nomacnosaver macnowait macwait nomacnowait macwheel macnoswap macswap nomacnoswap macnoresize macresize nomacnoresize maciconanim macmenu -macnomenu nomacmenu noremote +macnomenu nomacmenu macuskbd nomacuskbd noremote .IP aro= noop display vncdisplay desktopname guess_desktop http_url auth xauth users rootshift clipshift diff --git a/x11vnc/x11vnc_defs.c b/x11vnc/x11vnc_defs.c index 4674c2e..d7448d4 100644 --- a/x11vnc/x11vnc_defs.c +++ b/x11vnc/x11vnc_defs.c @@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; int xdamage_base_event_type = 0; /* date +'lastmod: %Y-%m-%d' */ -char lastmod[] = "0.9.4 lastmod: 2008-09-14"; +char lastmod[] = "0.9.4 lastmod: 2008-09-16"; /* X display info */ -- cgit v1.2.3