From a1e5d55e356f4913169f6dd746b14548cc51695d Mon Sep 17 00:00:00 2001
From: runge
Date: Wed, 17 Sep 2008 13:35:07 +0000
Subject: x11vnc: make -allow work in -ssl mode.

---
 x11vnc/sslhelper.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

(limited to 'x11vnc/sslhelper.c')

diff --git a/x11vnc/sslhelper.c b/x11vnc/sslhelper.c
index 2b07535..d7fb06b 100644
--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -1227,6 +1227,9 @@ static void csock_timeout (int sig) {
 	}
 }
 
+#define PROXY_HACK 0
+#if PROXY_HACK
+
 static int wait_conn(int sock) {
 	int conn;
 	struct sockaddr_in addr;
@@ -1247,6 +1250,8 @@ static int wait_conn(int sock) {
 	return conn;
 }
 
+/* no longer used */
+
 int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
     int mode) {
 	int sock1, db = 0;
@@ -1321,6 +1326,31 @@ if (db) fprintf(stderr, "buf: '%s'\n", buf);
 	return 1;
 }
 
+#endif /* PROXY_HACK */
+
+static int check_ssl_access(char *addr) {
+	static char *save_allow_once = NULL;
+	static time_t time_allow_once = 0;
+
+	/* due to "Fetch Cert" activities for SSL really need to "allow twice" */
+	if (allow_once != NULL) {
+		save_allow_once = strdup(allow_once);
+		time_allow_once = time(NULL);
+	} else if (save_allow_once != NULL) {
+		if (getenv("X11VNC_NO_SSL_ALLOW_TWICE")) {
+			;
+		} else if (time(NULL) < time_allow_once + 30) {
+			/* give them 30 secs to check and save the fetched cert. */
+			allow_once = save_allow_once;
+			rfbLog("SSL: Permitting 30 sec grace period for allowonce.\n");
+			rfbLog("SSL: Set X11VNC_NO_SSL_ALLOW_TWICE=1 to disable.\n");
+		}
+		save_allow_once = NULL;
+		time_allow_once = 0;
+	}
+
+	return check_access(addr);
+}
 
 void accept_openssl(int mode, int presock) {
 	int sock = -1, listen = -1, cport, csock, vsock;
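Review bot: The `#define PROXY_HACK 0` / `#if PROXY_HACK` pair compiles wait_conn and proxy_hack out rather than removing them, and the explanatory `/* no longer used */` added in the next hunk sits inside the disabled region, so a reader stopping at the `#if` line gets no context for it. Move the explanation to precede the `#if`, e.g. `/* wait_conn()/proxy_hack() are no longer used; kept under PROXY_HACK for reference only */`, or drop the dead code outright since history keeps it. The same applies to the `/* no longer used */` comment in the following hunk.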
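Review bot: The copy made by `strdup(allow_once)` in check_ssl_access is never freed on the paths where the grace period is not granted: when X11VNC_NO_SSL_ALLOW_TWICE is set or the 30 seconds have elapsed, `save_allow_once = NULL;` drops the only reference, and a further call with `allow_once` still non-NULL overwrites the previous copy without freeing it. Replacing that line with `if (allow_once != save_allow_once) { free(save_allow_once); } save_allow_once = NULL;` and freeing any stale copy before the new strdup closes the leak; whether check_access later frees the pointer handed back via `allow_once = save_allow_once` is not visible in this hunk and should be confirmed against that function so the hand-back path does not double-free. The strdup result is unchecked, which on failure merely leaves the grace period un-armed (fails closed) and deserves a one-line comment saying so. The function comment should also state the security-relevant effect plainly: in SSL mode a one-shot allowonce is honoured a second time within 30 s, still subject to check_access with the same pattern, unless X11VNC_NO_SSL_ALLOW_TWICE is set.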
@@ -1407,6 +1437,17 @@ void accept_openssl(int mode, int presock) {
 		openssl_last_ip = get_remote_host(sock);
 	}
 
+	if (!check_ssl_access(openssl_last_ip)) {
+		rfbLog("SSL: accept_openssl: denying client %s\n", openssl_last_ip);
+		rfbLog("SSL: accept_openssl: does not match -allow (or other reason).\n");
+		close(sock);
+		sock = -1;
+		if (ssl_no_fail) {
+			clean_up_exit(1);
+		}
+		return;
+	}
+
 	/* now make a listening socket for child to connect back to us by: */
 	cport = find_free_port(20000, 0);
 
--
cgit v1.2.1
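Review bot: `openssl_last_ip` is passed straight into check_ssl_access and into the `%s` of the deny message; get_remote_host's failure behaviour is not visible here, and if it can yield NULL the log call is undefined and check_access must tolerate it, so either confirm it is never NULL or fail closed with `if (openssl_last_ip == NULL || !check_ssl_access(openssl_last_ip)) {`. The deny path closes `sock` unconditionally; in the branches where `sock` is the caller-supplied `presock` or the inetd descriptor, confirm the caller does not close it again. `sock = -1;` immediately before `return;` is a dead store on a local and can go. Rejecting before any TLS work is the right ordering, since a peer that fails -allow never reaches the handshake. accept_openssl continues outside the hunk.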