San Mehat | a430b2b | 2014-09-23 08:30:51 -0700 | [diff] [blame] | 1 | /* |
| 2 | Copyright (C) 2002-2010 Karl J. Runge <runge@karlrunge.com> |
| 3 | All rights reserved. |
| 4 | |
| 5 | This file is part of x11vnc. |
| 6 | |
| 7 | x11vnc is free software; you can redistribute it and/or modify |
| 8 | it under the terms of the GNU General Public License as published by |
| 9 | the Free Software Foundation; either version 2 of the License, or (at |
| 10 | your option) any later version. |
| 11 | |
| 12 | x11vnc is distributed in the hope that it will be useful, |
| 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | GNU General Public License for more details. |
| 16 | |
| 17 | You should have received a copy of the GNU General Public License |
| 18 | along with x11vnc; if not, write to the Free Software |
| 19 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA |
| 20 | or see <http://www.gnu.org/licenses/>. |
| 21 | |
| 22 | In addition, as a special exception, Karl J. Runge |
| 23 | gives permission to link the code of its release of x11vnc with the |
| 24 | OpenSSL project's "OpenSSL" library (or with modified versions of it |
| 25 | that use the same license as the "OpenSSL" library), and distribute |
| 26 | the linked executables. You must obey the GNU General Public License |
| 27 | in all respects for all of the code used other than "OpenSSL". If you |
| 28 | modify this file, you may extend this exception to your version of the |
| 29 | file, but you are not obligated to do so. If you do not wish to do |
| 30 | so, delete this exception statement from your version. |
| 31 | */ |
| 32 | |
| 33 | /* -- sslcmds.c -- */ |
| 34 | |
| 35 | #include "x11vnc.h" |
| 36 | #include "inet.h" |
| 37 | #include "cleanup.h" |
| 38 | #include "sslhelper.h" |
| 39 | #include "ssltools.h" |
| 40 | #include "connections.h" |
| 41 | |
| 42 | #if LIBVNCSERVER_HAVE_FORK |
| 43 | #if LIBVNCSERVER_HAVE_SYS_WAIT_H |
| 44 | #if LIBVNCSERVER_HAVE_WAITPID |
| 45 | #define SSLCMDS |
| 46 | #endif |
| 47 | #endif |
| 48 | #endif |
| 49 | |
| 50 | |
| 51 | void check_stunnel(void); |
| 52 | int start_stunnel(int stunnel_port, int x11vnc_port, int hport, int x11vnc_hport); |
| 53 | void stop_stunnel(void); |
| 54 | void setup_stunnel(int rport, int *argc, char **argv); |
| 55 | char *get_Cert_dir(char *cdir_in, char **tmp_in); |
| 56 | void sslScripts(void); |
| 57 | void sslGenCA(char *cdir); |
| 58 | void sslGenCert(char *ty, char *nm); |
| 59 | void sslEncKey(char *path, int info_only); |
| 60 | |
| 61 | static pid_t stunnel_pid = 0; |
| 62 | |
| 63 | void check_stunnel(void) { |
| 64 | static time_t last_check = 0; |
| 65 | time_t now = time(NULL); |
| 66 | |
| 67 | if (last_check + 3 >= now) { |
| 68 | return; |
| 69 | } |
| 70 | last_check = now; |
| 71 | |
| 72 | /* double check that stunnel is still running: */ |
| 73 | |
| 74 | if (stunnel_pid > 0) { |
| 75 | int status; |
| 76 | #ifdef SSLCMDS |
| 77 | waitpid(stunnel_pid, &status, WNOHANG); |
| 78 | #endif |
| 79 | if (kill(stunnel_pid, 0) != 0) { |
| 80 | #ifdef SSLCMDS |
| 81 | waitpid(stunnel_pid, &status, WNOHANG); |
| 82 | #endif |
| 83 | rfbLog("stunnel subprocess %d died.\n", stunnel_pid); |
| 84 | stunnel_pid = 0; |
| 85 | clean_up_exit(1); |
| 86 | } |
| 87 | } |
| 88 | } |
| 89 | |
| 90 | int start_stunnel(int stunnel_port, int x11vnc_port, int hport, int x11vnc_hport) { |
| 91 | #ifdef SSLCMDS |
| 92 | char extra[] = ":/usr/sbin:/usr/local/sbin:/dist/sbin"; |
| 93 | char *path, *p, *exe; |
| 94 | char *stunnel_path = NULL; |
| 95 | struct stat verify_buf; |
| 96 | struct stat crl_buf; |
| 97 | int status, tmp_pem = 0; |
| 98 | |
| 99 | if (stunnel_pid) { |
| 100 | stop_stunnel(); |
| 101 | } |
| 102 | stunnel_pid = 0; |
| 103 | |
| 104 | path = getenv("PATH"); |
| 105 | if (! path) { |
| 106 | path = strdup(extra+1); |
| 107 | } else { |
| 108 | char *pt = path; |
| 109 | path = (char *) malloc(strlen(path)+strlen(extra)+1); |
| 110 | if (! path) { |
| 111 | return 0; |
| 112 | } |
| 113 | strcpy(path, pt); |
| 114 | strcat(path, extra); |
| 115 | } |
| 116 | |
| 117 | exe = (char *) malloc(strlen(path) + 1 + strlen("stunnel4") + 1); |
| 118 | |
| 119 | p = strtok(path, ":"); |
| 120 | |
| 121 | exe[0] = '\0'; |
| 122 | |
| 123 | while (p) { |
| 124 | struct stat sbuf; |
| 125 | |
| 126 | sprintf(exe, "%s/%s", p, "stunnel4"); |
| 127 | if (! stunnel_path && stat(exe, &sbuf) == 0) { |
| 128 | if (! S_ISDIR(sbuf.st_mode)) { |
| 129 | stunnel_path = exe; |
| 130 | break; |
| 131 | } |
| 132 | } |
| 133 | |
| 134 | sprintf(exe, "%s/%s", p, "stunnel"); |
| 135 | if (! stunnel_path && stat(exe, &sbuf) == 0) { |
| 136 | if (! S_ISDIR(sbuf.st_mode)) { |
| 137 | stunnel_path = exe; |
| 138 | break; |
| 139 | } |
| 140 | } |
| 141 | |
| 142 | p = strtok(NULL, ":"); |
| 143 | } |
| 144 | if (path) { |
| 145 | free(path); |
| 146 | } |
| 147 | |
| 148 | if (getenv("STUNNEL_PROG")) { |
| 149 | free(exe); |
| 150 | exe = strdup(getenv("STUNNEL_PROG")); |
| 151 | stunnel_path = exe; |
| 152 | } |
| 153 | |
| 154 | if (! stunnel_path) { |
| 155 | free(exe); |
| 156 | return 0; |
| 157 | } |
| 158 | if (stunnel_path[0] == '\0') { |
| 159 | free(exe); |
| 160 | return 0; |
| 161 | } |
| 162 | |
| 163 | /* stunnel */ |
| 164 | if (no_external_cmds || !cmd_ok("stunnel")) { |
| 165 | rfbLogEnable(1); |
| 166 | rfbLog("start_stunnel: cannot run external commands in -nocmds mode:\n"); |
| 167 | rfbLog(" \"%s\"\n", stunnel_path); |
| 168 | rfbLog(" exiting.\n"); |
| 169 | clean_up_exit(1); |
| 170 | } |
| 171 | |
| 172 | if (! quiet) { |
| 173 | rfbLog("\n"); |
| 174 | rfbLog("starting ssl tunnel: %s %d -> %d\n", stunnel_path, |
| 175 | stunnel_port, x11vnc_port); |
| 176 | } |
| 177 | |
| 178 | if (stunnel_pem && strstr(stunnel_pem, "SAVE") == stunnel_pem) { |
| 179 | stunnel_pem = get_saved_pem(stunnel_pem, 1); |
| 180 | if (! stunnel_pem) { |
| 181 | rfbLog("start_stunnel: could not create or open" |
| 182 | " saved PEM.\n"); |
| 183 | clean_up_exit(1); |
| 184 | } |
| 185 | } else if (!stunnel_pem) { |
| 186 | stunnel_pem = create_tmp_pem(NULL, 0); |
| 187 | if (! stunnel_pem) { |
| 188 | rfbLog("start_stunnel: could not create temporary," |
| 189 | " self-signed PEM.\n"); |
| 190 | clean_up_exit(1); |
| 191 | } |
| 192 | tmp_pem = 1; |
| 193 | if (getenv("X11VNC_SHOW_TMP_PEM")) { |
| 194 | FILE *in = fopen(stunnel_pem, "r"); |
| 195 | if (in != NULL) { |
| 196 | char line[128]; |
| 197 | fprintf(stderr, "\n"); |
| 198 | while (fgets(line, 128, in) != NULL) { |
| 199 | fprintf(stderr, "%s", line); |
| 200 | } |
| 201 | fprintf(stderr, "\n"); |
| 202 | fclose(in); |
| 203 | } |
| 204 | } |
| 205 | } |
| 206 | |
| 207 | if (ssl_verify) { |
| 208 | char *file = get_ssl_verify_file(ssl_verify); |
| 209 | if (file) { |
| 210 | ssl_verify = file; |
| 211 | } |
| 212 | if (stat(ssl_verify, &verify_buf) != 0) { |
| 213 | rfbLog("stunnel: %s does not exist.\n", ssl_verify); |
| 214 | clean_up_exit(1); |
| 215 | } |
| 216 | } |
| 217 | if (ssl_crl) { |
| 218 | if (stat(ssl_crl, &crl_buf) != 0) { |
| 219 | rfbLog("stunnel: %s does not exist.\n", ssl_crl); |
| 220 | clean_up_exit(1); |
| 221 | } |
| 222 | } |
| 223 | |
| 224 | stunnel_pid = fork(); |
| 225 | |
| 226 | if (stunnel_pid < 0) { |
| 227 | stunnel_pid = 0; |
| 228 | free(exe); |
| 229 | return 0; |
| 230 | } |
| 231 | |
| 232 | if (stunnel_pid == 0) { |
| 233 | FILE *in; |
| 234 | char fd[20]; |
| 235 | int i; |
| 236 | char *st_if = getenv("STUNNEL_LISTEN"); |
| 237 | |
| 238 | if (st_if == NULL) { |
| 239 | st_if = ""; |
| 240 | } else { |
| 241 | st_if = (char *) malloc(strlen(st_if) + 2); |
| 242 | sprintf(st_if, "%s:", getenv("STUNNEL_LISTEN")); |
| 243 | } |
| 244 | |
| 245 | |
| 246 | for (i=3; i<256; i++) { |
| 247 | close(i); |
| 248 | } |
| 249 | |
| 250 | if (use_stunnel == 3) { |
| 251 | char sp[30], xp[30], *a = NULL; |
| 252 | char *st = stunnel_path; |
| 253 | char *pm = stunnel_pem; |
| 254 | char *sv = ssl_verify; |
| 255 | |
| 256 | sprintf(sp, "%d", stunnel_port); |
| 257 | sprintf(xp, "%d", x11vnc_port); |
| 258 | |
| 259 | if (ssl_verify) { |
| 260 | if(S_ISDIR(verify_buf.st_mode)) { |
| 261 | a = "-a"; |
| 262 | } else { |
| 263 | a = "-A"; |
| 264 | } |
| 265 | } |
| 266 | |
| 267 | if (ssl_crl) { |
| 268 | rfbLog("stunnel: stunnel3 does not support CRL. %s\n", ssl_crl); |
| 269 | clean_up_exit(1); |
| 270 | } |
| 271 | |
| 272 | if (stunnel_pem && ssl_verify) { |
| 273 | /* XXX double check -v 2 */ |
| 274 | execlp(st, st, "-f", "-d", sp, "-r", xp, "-P", |
| 275 | "none", "-p", pm, a, sv, "-v", "2", |
| 276 | (char *) NULL); |
| 277 | } else if (stunnel_pem && !ssl_verify) { |
| 278 | execlp(st, st, "-f", "-d", sp, "-r", xp, "-P", |
| 279 | "none", "-p", pm, |
| 280 | (char *) NULL); |
| 281 | } else if (!stunnel_pem && ssl_verify) { |
| 282 | execlp(st, st, "-f", "-d", sp, "-r", xp, "-P", |
| 283 | "none", a, sv, "-v", "2", |
| 284 | (char *) NULL); |
| 285 | } else { |
| 286 | execlp(st, st, "-f", "-d", sp, "-r", xp, "-P", |
| 287 | "none", (char *) NULL); |
| 288 | } |
| 289 | exit(1); |
| 290 | } |
| 291 | |
| 292 | in = tmpfile(); |
| 293 | if (! in) { |
| 294 | exit(1); |
| 295 | } |
| 296 | |
| 297 | fprintf(in, "foreground = yes\n"); |
| 298 | fprintf(in, "pid =\n"); |
| 299 | if (stunnel_pem) { |
| 300 | fprintf(in, "cert = %s\n", stunnel_pem); |
| 301 | } |
| 302 | if (ssl_crl) { |
| 303 | if(S_ISDIR(crl_buf.st_mode)) { |
| 304 | fprintf(in, "CRLpath = %s\n", ssl_crl); |
| 305 | } else { |
| 306 | fprintf(in, "CRLfile = %s\n", ssl_crl); |
| 307 | } |
| 308 | } |
| 309 | if (ssl_verify) { |
| 310 | if(S_ISDIR(verify_buf.st_mode)) { |
| 311 | fprintf(in, "CApath = %s\n", ssl_verify); |
| 312 | } else { |
| 313 | fprintf(in, "CAfile = %s\n", ssl_verify); |
| 314 | } |
| 315 | fprintf(in, "verify = 2\n"); |
| 316 | } |
| 317 | fprintf(in, ";debug = 7\n\n"); |
| 318 | fprintf(in, "[x11vnc_stunnel]\n"); |
| 319 | fprintf(in, "accept = %s%d\n", st_if, stunnel_port); |
| 320 | fprintf(in, "connect = %d\n", x11vnc_port); |
| 321 | |
| 322 | if (hport > 0 && x11vnc_hport > 0) { |
| 323 | fprintf(in, "\n[x11vnc_http]\n"); |
| 324 | fprintf(in, "accept = %s%d\n", st_if, hport); |
| 325 | fprintf(in, "connect = %d\n", x11vnc_hport); |
| 326 | } |
| 327 | |
| 328 | fflush(in); |
| 329 | rewind(in); |
| 330 | |
| 331 | if (getenv("STUNNEL_DEBUG")) { |
| 332 | char line[1000]; |
| 333 | fprintf(stderr, "\nstunnel config contents:\n\n"); |
| 334 | while (fgets(line, sizeof(line), in) != NULL) { |
| 335 | fprintf(stderr, "%s", line); |
| 336 | } |
| 337 | fprintf(stderr, "\n"); |
| 338 | rewind(in); |
| 339 | } |
| 340 | |
| 341 | sprintf(fd, "%d", fileno(in)); |
| 342 | execlp(stunnel_path, stunnel_path, "-fd", fd, (char *) NULL); |
| 343 | exit(1); |
| 344 | } |
| 345 | |
| 346 | free(exe); |
| 347 | usleep(750 * 1000); |
| 348 | |
| 349 | waitpid(stunnel_pid, &status, WNOHANG); |
| 350 | |
| 351 | if (ssl_verify && strstr(ssl_verify, "/sslverify-tmp-load-")) { |
| 352 | /* temporary file */ |
| 353 | usleep(1000 * 1000); |
| 354 | unlink(ssl_verify); |
| 355 | } |
| 356 | if (tmp_pem) { |
| 357 | /* temporary cert */ |
| 358 | usleep(1500 * 1000); |
| 359 | unlink(stunnel_pem); |
| 360 | } |
| 361 | |
| 362 | if (kill(stunnel_pid, 0) != 0) { |
| 363 | waitpid(stunnel_pid, &status, WNOHANG); |
| 364 | stunnel_pid = 0; |
| 365 | return 0; |
| 366 | } |
| 367 | |
| 368 | if (! quiet) { |
| 369 | rfbLog("stunnel pid is: %d\n", (int) stunnel_pid); |
| 370 | } |
| 371 | |
| 372 | return 1; |
| 373 | #else |
| 374 | return 0; |
| 375 | #endif |
| 376 | } |
| 377 | |
| 378 | void stop_stunnel(void) { |
| 379 | int status; |
| 380 | if (! stunnel_pid) { |
| 381 | return; |
| 382 | } |
| 383 | #ifdef SSLCMDS |
| 384 | kill(stunnel_pid, SIGTERM); |
| 385 | usleep (150 * 1000); |
| 386 | kill(stunnel_pid, SIGKILL); |
| 387 | usleep (50 * 1000); |
| 388 | waitpid(stunnel_pid, &status, WNOHANG); |
| 389 | #endif |
| 390 | stunnel_pid = 0; |
| 391 | } |
| 392 | |
| 393 | void setup_stunnel(int rport, int *argc, char **argv) { |
| 394 | int i, xport = 0, hport = 0, xhport = 0; |
| 395 | |
| 396 | if (! rport && argc && argv) { |
| 397 | for (i=0; i< *argc; i++) { |
| 398 | if (argv[i] && !strcmp(argv[i], "-rfbport")) { |
| 399 | if (i < *argc - 1) { |
| 400 | rport = atoi(argv[i+1]); |
| 401 | } |
| 402 | } |
| 403 | } |
| 404 | } |
| 405 | |
| 406 | if (! rport) { |
| 407 | /* we do our own autoprobing then... */ |
| 408 | rport = find_free_port(5900, 5999); |
| 409 | if (! rport) { |
| 410 | goto stunnel_fail; |
| 411 | } |
| 412 | } |
| 413 | |
| 414 | xport = find_free_port(5950, 5999); |
| 415 | if (! xport) { |
| 416 | goto stunnel_fail; |
| 417 | } |
| 418 | |
| 419 | if (https_port_num > 0) { |
| 420 | hport = https_port_num; |
| 421 | } |
| 422 | |
| 423 | if (! hport && argc && argv) { |
| 424 | for (i=0; i< *argc; i++) { |
| 425 | if (argv[i] && !strcmp(argv[i], "-httpport")) { |
| 426 | if (i < *argc - 1) { |
| 427 | hport = atoi(argv[i+1]); |
| 428 | } |
| 429 | } |
| 430 | } |
| 431 | } |
| 432 | |
| 433 | if (! hport && http_try_it) { |
| 434 | hport = find_free_port(rport-100, rport-1); |
| 435 | if (! hport) { |
| 436 | goto stunnel_fail; |
| 437 | } |
| 438 | } |
| 439 | if (hport) { |
| 440 | xhport = find_free_port(5850, 5899); |
| 441 | if (! xhport) { |
| 442 | goto stunnel_fail; |
| 443 | } |
| 444 | stunnel_http_port = hport; |
| 445 | } |
| 446 | |
| 447 | |
| 448 | if (start_stunnel(rport, xport, hport, xhport)) { |
| 449 | int tweaked = 0; |
| 450 | char tmp[30]; |
| 451 | sprintf(tmp, "%d", xport); |
| 452 | if (argc && argv) { |
| 453 | for (i=0; i < *argc; i++) { |
| 454 | if (argv[i] && !strcmp(argv[i], "-rfbport")) { |
| 455 | if (i < *argc - 1) { |
| 456 | /* replace orig value */ |
| 457 | argv[i+i] = strdup(tmp); |
| 458 | tweaked = 1; |
| 459 | break; |
| 460 | } |
| 461 | } |
| 462 | } |
| 463 | if (! tweaked) { |
| 464 | i = *argc; |
| 465 | argv[i] = strdup("-rfbport"); |
| 466 | argv[i+1] = strdup(tmp); |
| 467 | *argc += 2; |
| 468 | got_rfbport = 1; |
| 469 | got_rfbport_val = atoi(tmp); |
| 470 | } |
| 471 | } |
| 472 | stunnel_port = rport; |
| 473 | ssl_initialized = 1; |
| 474 | return; |
| 475 | } |
| 476 | |
| 477 | stunnel_fail: |
| 478 | rfbLog("failed to start stunnel.\n"); |
| 479 | clean_up_exit(1); |
| 480 | } |
| 481 | |
| 482 | char *get_Cert_dir(char *cdir_in, char **tmp_in) { |
| 483 | char *cdir, *home, *tmp; |
| 484 | struct stat sbuf; |
| 485 | int i; |
| 486 | char *cases1[] = {"/.vnc", "/.vnc/certs", "/.vnc/certs/CA"}; |
| 487 | char *cases2[] = {"", "/CA", "/tmp"}; |
| 488 | |
| 489 | if (cdir_in != NULL) { |
| 490 | cdir = cdir_in; |
| 491 | } else { |
| 492 | cdir = ssl_certs_dir; |
| 493 | } |
| 494 | |
| 495 | if (cdir == NULL) { |
| 496 | home = get_home_dir(); |
| 497 | if (! home) { |
| 498 | return NULL; |
| 499 | } |
| 500 | cdir = (char *) malloc(strlen(home) + strlen("/.vnc/certs/CA") + 1); |
| 501 | for (i=0; i<3; i++) { |
| 502 | sprintf(cdir, "%s%s", home, cases1[i]); |
| 503 | if (stat(cdir, &sbuf) != 0) { |
| 504 | rfbLog("creating dir: %s\n", cdir); |
| 505 | if (mkdir(cdir, 0755) != 0) { |
| 506 | rfbLog("could not create directory %s\n", cdir); |
| 507 | rfbLogPerror("mkdir"); |
| 508 | return NULL; |
| 509 | } |
| 510 | } else if (! S_ISDIR(sbuf.st_mode)) { |
| 511 | rfbLog("not a directory: %s\n", cdir); |
| 512 | return NULL; |
| 513 | } |
| 514 | } |
| 515 | sprintf(cdir, "%s%s", home, cases1[1]); |
| 516 | } |
| 517 | |
| 518 | tmp = (char *) malloc(strlen(cdir) + strlen("/tmp") + 1); |
| 519 | for (i=0; i<3; i++) { |
| 520 | int ret; |
| 521 | sprintf(tmp, "%s%s", cdir, cases2[i]); |
| 522 | if (stat(tmp, &sbuf) != 0) { |
| 523 | rfbLog("creating dir: %s\n", tmp); |
| 524 | if (! strcmp(cases2[i], "/tmp")) { |
| 525 | ret = mkdir(tmp, 0700); |
| 526 | } else { |
| 527 | ret = mkdir(tmp, 0755); |
| 528 | } |
| 529 | |
| 530 | if (ret != 0) { |
| 531 | rfbLog("could not create directory %s\n", tmp); |
| 532 | rfbLogPerror("mkdir"); |
| 533 | return NULL; |
| 534 | } |
| 535 | } else if (! S_ISDIR(sbuf.st_mode)) { |
| 536 | rfbLog("not a directory: %s\n", tmp); |
| 537 | return NULL; |
| 538 | } |
| 539 | } |
| 540 | sprintf(tmp, "%s/tmp", cdir); |
| 541 | *tmp_in = tmp; |
| 542 | return cdir; |
| 543 | } |
| 544 | |
| 545 | static char *getsslscript(char *cdir, char *name, char *script) { |
| 546 | char *openssl = find_openssl_bin(); |
| 547 | char *tmp, *scr, *cdir_use; |
| 548 | FILE *out; |
| 549 | |
| 550 | if (! openssl || openssl[0] == '\0') { |
| 551 | exit(1); |
| 552 | } |
| 553 | |
| 554 | if (!name || !script) { |
| 555 | exit(1); |
| 556 | } |
| 557 | |
| 558 | cdir_use = get_Cert_dir(cdir, &tmp); |
| 559 | if (!cdir_use || !tmp) { |
| 560 | exit(1); |
| 561 | } |
| 562 | |
| 563 | scr = (char *) malloc(strlen(tmp) + 1 + strlen(name) + 30); |
| 564 | |
| 565 | sprintf(scr, "%s/%s.%d.sh", tmp, name, getpid()); |
| 566 | out = fopen(scr, "w"); |
| 567 | if (! out) { |
| 568 | rfbLog("could not open: %s\n", scr); |
| 569 | rfbLogPerror("fopen"); |
| 570 | exit(1); |
| 571 | } |
| 572 | fprintf(out, "%s", script); |
| 573 | fclose(out); |
| 574 | |
| 575 | rfbLog("Using openssl: %s\n", openssl); |
| 576 | rfbLog("Using certs dir: %s\n", cdir_use); |
| 577 | fprintf(stderr, "\n"); |
| 578 | |
| 579 | set_env("BASE_DIR", cdir_use); |
| 580 | set_env("OPENSSL", openssl); |
| 581 | |
| 582 | return scr; |
| 583 | } |
| 584 | |
| 585 | void sslScripts(void) { |
| 586 | fprintf(stdout, "======================================================\n"); |
| 587 | fprintf(stdout, "genCA script for '-sslGenCA':\n\n"); |
| 588 | fprintf(stdout, "%s\n", genCA); |
| 589 | fprintf(stdout, "======================================================\n"); |
| 590 | fprintf(stdout, "genCert script for '-sslGenCert', etc.:\n\n"); |
| 591 | fprintf(stdout, "%s\n", genCert); |
| 592 | } |
| 593 | |
| 594 | void sslGenCA(char *cdir) { |
| 595 | char *cmd, *scr = getsslscript(cdir, "genca", genCA); |
| 596 | |
| 597 | if (! scr) { |
| 598 | exit(1); |
| 599 | } |
| 600 | |
| 601 | cmd = (char *)malloc(strlen("/bin/sh ") + strlen(scr) + 1); |
| 602 | sprintf(cmd, "/bin/sh %s", scr); |
| 603 | |
| 604 | system(cmd); |
| 605 | unlink(scr); |
| 606 | |
| 607 | free(cmd); |
| 608 | free(scr); |
| 609 | } |
| 610 | |
| 611 | void sslGenCert(char *ty, char *nm) { |
| 612 | char *cmd, *scr = getsslscript(NULL, "gencert", genCert); |
| 613 | |
| 614 | if (! scr) { |
| 615 | exit(1); |
| 616 | } |
| 617 | |
| 618 | cmd = (char *)malloc(strlen("/bin/sh ") + strlen(scr) + 1); |
| 619 | sprintf(cmd, "/bin/sh %s", scr); |
| 620 | |
| 621 | if (! ty) { |
| 622 | set_env("TYPE", ""); |
| 623 | } else { |
| 624 | set_env("TYPE", ty); |
| 625 | } |
| 626 | if (! nm) { |
| 627 | set_env("NAME", ""); |
| 628 | } else { |
| 629 | char *q = strstr(nm, "SAVE-"); |
| 630 | if (!strcmp(nm, "SAVE")) { |
| 631 | set_env("NAME", ""); |
| 632 | } else if (q == nm) { |
| 633 | q += strlen("SAVE-"); |
| 634 | set_env("NAME", q); |
| 635 | } else { |
| 636 | set_env("NAME", nm); |
| 637 | } |
| 638 | } |
| 639 | |
| 640 | system(cmd); |
| 641 | unlink(scr); |
| 642 | |
| 643 | free(cmd); |
| 644 | free(scr); |
| 645 | } |
| 646 | |
| 647 | void sslEncKey(char *path, int mode) { |
| 648 | char *openssl = find_openssl_bin(); |
| 649 | char *scr, *cert = NULL, *tca, *cdir = NULL; |
| 650 | char line[1024], tmp[] = "/tmp/x11vnc-tmp.XXXXXX"; |
| 651 | int tmp_fd, incert, info_only = 0, delete_only = 0, listlong = 0; |
| 652 | struct stat sbuf; |
| 653 | FILE *file; |
| 654 | static int depth = 0; |
| 655 | |
| 656 | if (depth > 0) { |
| 657 | /* get_saved_pem may call us back. */ |
| 658 | return; |
| 659 | } |
| 660 | |
| 661 | if (! path) { |
| 662 | return; |
| 663 | } |
| 664 | |
| 665 | depth++; |
| 666 | |
| 667 | if (mode == 1) { |
| 668 | info_only = 1; |
| 669 | } else if (mode == 2) { |
| 670 | delete_only = 1; |
| 671 | } |
| 672 | |
| 673 | if (! openssl) { |
| 674 | exit(1); |
| 675 | } |
| 676 | |
| 677 | cdir = get_Cert_dir(NULL, &tca); |
| 678 | if (! cdir || ! tca) { |
| 679 | fprintf(stderr, "could not find Cert dir\n"); |
| 680 | exit(1); |
| 681 | } |
| 682 | |
| 683 | if (!strcasecmp(path, "LL") || !strcasecmp(path, "LISTL")) { |
| 684 | listlong = 1; |
| 685 | path = "LIST"; |
| 686 | } |
| 687 | |
| 688 | if (strstr(path, "SAVE") == path) { |
| 689 | char *p = get_saved_pem(path, 0); |
| 690 | if (p == NULL) { |
| 691 | fprintf(stderr, "could not find saved pem " |
| 692 | "matching: %s\n", path); |
| 693 | exit(1); |
| 694 | } |
| 695 | path = p; |
| 696 | |
| 697 | } else if (!strcmp(path, "CA")) { |
| 698 | tca = (char *) malloc(strlen(cdir)+strlen("/CA/cacert.pem")+1); |
| 699 | sprintf(tca, "%s/CA/cacert.pem", cdir); |
| 700 | path = tca; |
| 701 | |
| 702 | } else if (info_only && (!strcasecmp(path, "LIST") || |
| 703 | !strcasecmp(path, "LS") || !strcasecmp(path, "ALL"))) { |
| 704 | |
| 705 | if (! program_name || strchr(program_name, ' ')) { |
| 706 | fprintf(stderr, "bad program name.\n"); |
| 707 | exit(1); |
| 708 | } |
| 709 | if (strchr(cdir, '\'')) { |
| 710 | fprintf(stderr, "bad certdir char: %s\n", cdir); |
| 711 | exit(1); |
| 712 | } |
| 713 | |
| 714 | tca = (char *) malloc(2*strlen(cdir)+strlen(program_name)+1000); |
| 715 | |
| 716 | sprintf(tca, "find '%s' | egrep '/(CA|tmp|clients)$|" |
| 717 | "\\.(crt|pem|key|req)$' | grep -v CA/newcerts", cdir); |
| 718 | |
| 719 | if (!strcasecmp(path, "ALL")) { |
| 720 | /* ugh.. */ |
| 721 | strcat(tca, " | egrep -v 'private/cakey.pem|" |
| 722 | "(CA|tmp|clients)$' | xargs -n1 "); |
| 723 | strcat(tca, program_name); |
| 724 | strcat(tca, " -ssldir '"); |
| 725 | strcat(tca, cdir); |
| 726 | strcat(tca, "' -sslCertInfo 2>&1 "); |
| 727 | } else if (listlong) { |
| 728 | strcat(tca, " | xargs ls -ld "); |
| 729 | } |
| 730 | system(tca); |
| 731 | free(tca); |
| 732 | |
| 733 | depth--; |
| 734 | return; |
| 735 | |
| 736 | } else if (info_only && (!strcasecmp(path, "HASHON") |
| 737 | || !strcasecmp(path, "HASHOFF"))) { |
| 738 | |
| 739 | tmp_fd = mkstemp(tmp); |
| 740 | if (tmp_fd < 0) { |
| 741 | exit(1); |
| 742 | } |
| 743 | |
| 744 | write(tmp_fd, genCert, strlen(genCert)); |
| 745 | close(tmp_fd); |
| 746 | |
| 747 | scr = (char *) malloc(strlen("/bin/sh ") + strlen(tmp) + 1); |
| 748 | sprintf(scr, "/bin/sh %s", tmp); |
| 749 | |
| 750 | set_env("BASE_DIR", cdir); |
| 751 | set_env("OPENSSL", openssl); |
| 752 | set_env("TYPE", "server"); |
| 753 | if (!strcasecmp(path, "HASHON")) { |
| 754 | set_env("HASHON", "1"); |
| 755 | } else { |
| 756 | set_env("HASHOFF", "1"); |
| 757 | } |
| 758 | system(scr); |
| 759 | unlink(tmp); |
| 760 | free(scr); |
| 761 | |
| 762 | depth--; |
| 763 | return; |
| 764 | } |
| 765 | |
| 766 | |
| 767 | if (stat(path, &sbuf) != 0) { |
| 768 | if (strstr(path, "client") || strchr(path, '/') == NULL) { |
| 769 | int i; |
| 770 | tca = (char *) malloc(strlen(cdir) + strlen(path) + 100); |
| 771 | for (i = 1; i <= 15; i++) { |
| 772 | tca[0] = '\0'; |
| 773 | if ( i == 1) { |
| 774 | sprintf(tca, "%s/%s", cdir, path); |
| 775 | } else if (i == 2 && mode > 0) { |
| 776 | sprintf(tca, "%s/%s.crt", cdir, path); |
| 777 | } else if (i == 3) { |
| 778 | sprintf(tca, "%s/%s.pem", cdir, path); |
| 779 | } else if (i == 4 && mode > 1) { |
| 780 | sprintf(tca, "%s/%s.req", cdir, path); |
| 781 | } else if (i == 5 && mode > 1) { |
| 782 | sprintf(tca, "%s/%s.key", cdir, path); |
| 783 | } else if (i == 6) { |
| 784 | sprintf(tca, "%s/clients/%s", cdir, path); |
| 785 | } else if (i == 7 && mode > 0) { |
| 786 | sprintf(tca, "%s/clients/%s.crt", cdir, path); |
| 787 | } else if (i == 8) { |
| 788 | sprintf(tca, "%s/clients/%s.pem", cdir, path); |
| 789 | } else if (i == 9 && mode > 1) { |
| 790 | sprintf(tca, "%s/clients/%s.req", cdir, path); |
| 791 | } else if (i == 10 && mode > 1) { |
| 792 | sprintf(tca, "%s/clients/%s.key", cdir, path); |
| 793 | } else if (i == 11) { |
| 794 | sprintf(tca, "%s/server-%s", cdir, path); |
| 795 | } else if (i == 12 && mode > 0) { |
| 796 | sprintf(tca, "%s/server-%s.crt", cdir, path); |
| 797 | } else if (i == 13) { |
| 798 | sprintf(tca, "%s/server-%s.pem", cdir, path); |
| 799 | } else if (i == 14 && mode > 1) { |
| 800 | sprintf(tca, "%s/server-%s.req", cdir, path); |
| 801 | } else if (i == 15 && mode > 1) { |
| 802 | sprintf(tca, "%s/server-%s.key", cdir, path); |
| 803 | } |
| 804 | if (tca[0] == '\0') { |
| 805 | continue; |
| 806 | } |
| 807 | if (stat(tca, &sbuf) == 0) { |
| 808 | path = tca; |
| 809 | break; |
| 810 | } |
| 811 | } |
| 812 | } |
| 813 | } |
| 814 | |
| 815 | if (stat(path, &sbuf) != 0) { |
| 816 | rfbLog("sslEncKey: %s\n", path); |
| 817 | rfbLogPerror("stat"); |
| 818 | exit(1); |
| 819 | } |
| 820 | |
| 821 | if (! info_only) { |
| 822 | cert = (char *) malloc(2*(sbuf.st_size + 1024)); |
| 823 | file = fopen(path, "r"); |
| 824 | if (file == NULL) { |
| 825 | rfbLog("sslEncKey: %s\n", path); |
| 826 | rfbLogPerror("fopen"); |
| 827 | exit(1); |
| 828 | } |
| 829 | incert = 0; |
| 830 | cert[0] = '\0'; |
| 831 | while (fgets(line, 1024, file) != NULL) { |
| 832 | if (strstr(line, "-----BEGIN CERTIFICATE-----") |
| 833 | == line) { |
| 834 | incert = 1; |
| 835 | } |
| 836 | if (incert) { |
| 837 | if (strlen(cert)+strlen(line) < |
| 838 | 2 * (size_t) sbuf.st_size) { |
| 839 | strcat(cert, line); |
| 840 | } |
| 841 | } |
| 842 | if (strstr(line, "-----END CERTIFICATE-----") |
| 843 | == line) { |
| 844 | incert = 0; |
| 845 | } |
| 846 | } |
| 847 | fclose(file); |
| 848 | } |
| 849 | |
| 850 | tmp_fd = mkstemp(tmp); |
| 851 | if (tmp_fd < 0) { |
| 852 | exit(1); |
| 853 | } |
| 854 | |
| 855 | write(tmp_fd, genCert, strlen(genCert)); |
| 856 | close(tmp_fd); |
| 857 | |
| 858 | scr = (char *) malloc(strlen("/bin/sh ") + strlen(tmp) + 1); |
| 859 | sprintf(scr, "/bin/sh %s", tmp); |
| 860 | |
| 861 | set_env("BASE_DIR", "/no/such/dir"); |
| 862 | set_env("OPENSSL", openssl); |
| 863 | set_env("TYPE", "server"); |
| 864 | if (info_only) { |
| 865 | set_env("INFO_ONLY", path); |
| 866 | } else if (delete_only) { |
| 867 | set_env("DELETE_ONLY", path); |
| 868 | } else { |
| 869 | set_env("ENCRYPT_ONLY", path); |
| 870 | } |
| 871 | system(scr); |
| 872 | unlink(tmp); |
| 873 | |
| 874 | if (! mode && cert && cert[0] != '\0') { |
| 875 | int got_cert = 0; |
| 876 | file = fopen(path, "r"); |
| 877 | if (file == NULL) { |
| 878 | rfbLog("sslEncKey: %s\n", path); |
| 879 | rfbLogPerror("fopen"); |
| 880 | exit(1); |
| 881 | } |
| 882 | while (fgets(line, 1024, file) != NULL) { |
| 883 | if (strstr(line, "-----BEGIN CERTIFICATE-----") |
| 884 | == line) { |
| 885 | got_cert++; |
| 886 | } |
| 887 | if (strstr(line, "-----END CERTIFICATE-----") |
| 888 | == line) { |
| 889 | got_cert++; |
| 890 | } |
| 891 | } |
| 892 | fclose(file); |
| 893 | if (got_cert < 2) { |
| 894 | file = fopen(path, "a"); |
| 895 | if (file == NULL) { |
| 896 | rfbLog("sslEncKey: %s\n", path); |
| 897 | rfbLogPerror("fopen"); |
| 898 | exit(1); |
| 899 | } |
| 900 | fprintf(file, "%s", cert); |
| 901 | fclose(file); |
| 902 | } |
| 903 | free(cert); |
| 904 | } |
| 905 | |
| 906 | depth--; |
| 907 | } |
| 908 | |