From 521b9d98a4b772689061b24bcfd57dcce976aacc Mon Sep 17 00:00:00 2001 From: runge Date: Mon, 22 Feb 2010 22:33:50 -0500 Subject: classes/ssl: Java SSL applet viewer now works with certificate chains. x11vnc: Printout option -sslScripts. Suggest -auth guess in error message. Set fake_screen width and height. Test for +kb in Xvfb. --- classes/ssl/README | 9 +- classes/ssl/SignedUltraViewerSSL.jar | Bin 107710 -> 108090 bytes classes/ssl/SignedVncViewer.jar | Bin 83719 -> 84103 bytes classes/ssl/UltraViewerSSL.jar | Bin 104686 -> 105068 bytes classes/ssl/VncViewer.jar | Bin 80791 -> 81177 bytes .../tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch | 123 +++++++++--------- classes/ssl/ultravnc-102-JavaViewer-ssl-etc.patch | 139 ++++++++++----------- 7 files changed, 129 insertions(+), 142 deletions(-) (limited to 'classes') diff --git a/classes/ssl/README b/classes/ssl/README index a9dcc7a..0767ce9 100644 --- a/classes/ssl/README +++ b/classes/ssl/README @@ -218,8 +218,13 @@ Both TightVNC and UltraVNC Java viewers: yes/no, default: no Automatically trust any cert that the web browsers has accepted. E.g. the user said "Yes" or "Continue" to a web browser dialog - regarding a certificate. If we get the same cert from the VNC - server we trust it without prompting the user. + regarding a certificate. If we get the same cert (chain) from + the VNC server we trust it without prompting the user. + + debugCerts + yes/no, default: no + Print out every cert in the Server, TrustUrl, TrustAll chains. + TightVNC Java viewer only: diff --git a/classes/ssl/SignedUltraViewerSSL.jar b/classes/ssl/SignedUltraViewerSSL.jar index 312b9d6..5a562ff 100644 Binary files a/classes/ssl/SignedUltraViewerSSL.jar and b/classes/ssl/SignedUltraViewerSSL.jar differ diff --git a/classes/ssl/SignedVncViewer.jar b/classes/ssl/SignedVncViewer.jar index 0377714..a795e57 100644 Binary files a/classes/ssl/SignedVncViewer.jar and b/classes/ssl/SignedVncViewer.jar differ 
diff --git a/classes/ssl/UltraViewerSSL.jar b/classes/ssl/UltraViewerSSL.jar
index 13e7b79..15f6867 100644
Binary files a/classes/ssl/UltraViewerSSL.jar and b/classes/ssl/UltraViewerSSL.jar differ
diff --git a/classes/ssl/VncViewer.jar b/classes/ssl/VncViewer.jar
index d71b9d8..a93d323 100644
Binary files a/classes/ssl/VncViewer.jar and b/classes/ssl/VncViewer.jar differ
diff --git a/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch b/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch
index bb70214..f35a4e9 100644
--- a/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch
+++ b/classes/ssl/tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch
@@ -73,8 +73,8 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/RfbProto.java vnc_javasrc/RfbProto
 serverMajor = (b[4] - '0') * 100 + (b[5] - '0') * 10 + (b[6] - '0');
 diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSLSocketToMe.java
 --- vnc_javasrc.orig/SSLSocketToMe.java 1969-12-31 19:00:00.000000000 -0500
-+++ vnc_javasrc/SSLSocketToMe.java 2009-08-13 09:16:42.000000000 -0400
-@@ -0,0 +1,1727 @@
++++ vnc_javasrc/SSLSocketToMe.java 2010-02-22 20:03:11.000000000 -0500
+@@ -0,0 +1,1712 @@
 +/*
 + * SSLSocketToMe.java: add SSL encryption to Java VNC Viewer.
 + *
@@ -151,6 +151,7 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +
 + boolean use_url_cert_for_auth = true;
 + boolean user_wants_to_see_cert = true;
++ boolean debug_certs = false;
 +
 + /* cert(s) we retrieve from VNC server */
 + java.security.cert.Certificate[] trustallCerts = null;
@@ -180,6 +181,8 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 + port = p;
 + viewer = v;
 +
++ debug_certs = v.debugCerts;
++
 + /* we will first try default factory for certification: */
 +
 + factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
@@ -237,21 +240,6 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 + throw new CertificateException(
 + "No Trust url Certs.");
 + }
-+ if (trusturlCerts.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < trusturlCerts.length - 1; i++) {
-+ if (! trusturlCerts[i].equals(trusturlCerts[i+1])) {
-+ ok = false;
-+ }
-+ }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many Trust url Certs: "
-+ + trusturlCerts.length
-+ );
-+ }
-+ }
 + if (certs == null) {
 + throw new CertificateException(
 + "No this-certs array.");
@@ -260,26 +248,32 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 + throw new CertificateException(
 + "No this-certs Certs.");
 + }
-+ if (certs.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < certs.length - 1; i++) {
-+ if (! certs[i].equals(certs[i+1])) {
-+ ok = false;
-+ }
++ if (certs.length != trusturlCerts.length) {
++ throw new CertificateException(
++ "certs.length != trusturlCerts.length " + certs.length + " " + trusturlCerts.length);
++ }
++ boolean ok = true;
++ for (int i = 0; i < certs.length; i++) {
++ if (! trusturlCerts[i].equals(certs[i])) {
++ ok = false;
++ dbg("URL: cert mismatch at i=" + i);
++ dbg("URL: cert mismatch cert" + certs[i]);
++ dbg("URL: cert mismatch url" + trusturlCerts[i]);
 + }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many this-certs: "
-+ + certs.length
-+ );
++ if (debug_certs) {
++ dbg("\n***********************************************");
++ dbg("URL: cert info at i=" + i);
++ dbg("URL: cert info cert" + certs[i]);
++ dbg("===============================================");
++ dbg("URL: cert info url" + trusturlCerts[i]);
++ dbg("***********************************************");
 + }
 + }
-+ if (! trusturlCerts[0].equals(certs[0])) {
++ if (!ok) {
 + throw new CertificateException(
-+ "Server Cert Changed != URL.");
++ "Server Cert Chain != URL Cert Chain.");
 + }
-+ dbg("URL: trusturlCerts[0] matches certs[0]");
++ dbg("URL: trusturlCerts[i] matches certs[i] i=0:" + (certs.length-1));
 + }
 + }
 + };
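Review bot: The pinned-chain comparison added in this hunk is pasted again, line for line, into the TRUSTALL trust manager (hunk at -332,26) and into both managers in ultravnc-102-JavaViewer-ssl-etc.patch, so a later fix to this trust decision can land in one copy and miss the other three; I would move it into one helper on SSLSocketToMe, as sketched below, and keep only the throw at each call site. The check itself fails closed on a length difference or any unequal element, but it is equality pinning only: nothing in the hunk looks at validity dates, so whether an expired pinned chain is still accepted depends on code outside the hunk (the enclosing method starts before it) and deserves a comment such as `/* exact match with the pinned chain; expiry is not checked here */`. The mismatch printouts also run label and value together; `dbg("URL: cert mismatch cert: " + certs[i]);` is easier to read in the Java console.

```java
/* one copy of the pinned-chain check for the URL and TRUSTALL managers */
boolean sameChain(String tag, java.security.cert.Certificate[] pinned,
    java.security.cert.Certificate[] certs) {
	if (certs.length != pinned.length) {
		dbg(tag + ": chain length " + certs.length + " != pinned " + pinned.length);
		return false;
	}
	boolean ok = true;
	for (int i = 0; i < certs.length; i++) {
		if (! pinned[i].equals(certs[i])) {
			ok = false;
			dbg(tag + ": cert mismatch at i=" + i);
		}
		/* … unchanged: per-index mismatch and debug_certs printouts … */
	}
	return ok;
}

/* call site in the URL manager */
if (! sameChain("URL", trusturlCerts, certs)) {
	throw new CertificateException(
	    "Server Cert Chain != URL Cert Chain.");
}
```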
@@ -309,21 +303,6 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 + throw new CertificateException(
 + "No Trust All Server Certs.");
 + }
-+ if (trustallCerts.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < trustallCerts.length - 1; i++) {
-+ if (! trustallCerts[i].equals(trustallCerts[i+1])) {
-+ ok = false;
-+ }
-+ }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many Trust All Server Certs: "
-+ + trustallCerts.length
-+ );
-+ }
-+ }
 + if (certs == null) {
 + throw new CertificateException(
 + "No this-certs array.");
@@ -332,26 +311,32 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 + throw new CertificateException(
 + "No this-certs Certs.");
 + }
-+ if (certs.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < certs.length - 1; i++) {
-+ if (! certs[i].equals(certs[i+1])) {
-+ ok = false;
-+ }
++ if (certs.length != trustallCerts.length) {
++ throw new CertificateException(
++ "certs.length != trustallCerts.length " + certs.length + " " + trustallCerts.length);
++ }
++ boolean ok = true;
++ for (int i = 0; i < certs.length; i++) {
++ if (! trustallCerts[i].equals(certs[i])) {
++ ok = false;
++ dbg("ONE: cert mismatch at i=" + i);
++ dbg("ONE: cert mismatch cert" + certs[i]);
++ dbg("ONE: cert mismatch all" + trustallCerts[i]);
 + }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many this-certs: "
-+ + certs.length
-+ );
++ if (debug_certs) {
++ dbg("\n***********************************************");
++ dbg("ONE: cert info at i=" + i);
++ dbg("ONE: cert info cert" + certs[i]);
++ dbg("===============================================");
++ dbg("ONE: cert info all" + trustallCerts[i]);
++ dbg("***********************************************");
 + }
 + }
-+ if (! trustallCerts[0].equals(certs[0])) {
++ if (!ok) {
 + throw new CertificateException(
-+ "Server Cert Changed != TRUSTALL.");
++ "Server Cert Chain != TRUSTALL Cert Chain.");
 + }
-+ dbg("ONE: trustallCerts[0] matches certs[0]");
++ dbg("ONE: trustallCerts[i] matches certs[i] i=0:" + (certs.length-1));
 + }
 + }
 + };
@@ -1804,7 +1789,7 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/SSLSocketToMe.java vnc_javasrc/SSL
 +}
 diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncViewer.java
 --- vnc_javasrc.orig/VncViewer.java 2004-03-04 08:34:25.000000000 -0500
-+++ vnc_javasrc/VncViewer.java 2009-06-19 10:32:03.000000000 -0400
++++ vnc_javasrc/VncViewer.java 2010-02-22 19:25:19.000000000 -0500
@@ -80,7 +80,7 @@ // Variables read from parameter values. String socketFactory; @@ -1814,7 +1799,7 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncView boolean showControls; boolean offerRelogin; boolean showOfflineDesktop; -@@ -88,6 +88,19 @@ +@@ -88,6 +88,20 @@ int deferCursorUpdates; int deferUpdateRequests; @@ -1830,11 +1815,12 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncView + boolean ignoreProxy; + boolean trustAllVncCerts; + boolean trustUrlVncCert; ++ boolean debugCerts; + // Reference to this applet for inter-applet communication. public static java.applet.Applet refApplet; -@@ -591,8 +604,25 @@ +@@ -591,8 +605,25 @@ } } @@ -1862,7 +1848,7 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncView if (inAnApplet) { str = readParameter("Open New Window", false); -@@ -626,6 +656,96 @@ +@@ -626,6 +657,101 @@ // SocketFactory. socketFactory = readParameter("SocketFactory", false); @@ -1955,6 +1941,11 @@ diff -x VncCanvas.java -Naur vnc_javasrc.orig/VncViewer.java vnc_javasrc/VncView + str = readParameter("trustUrlVncCert", false); + if (str != null && str.equalsIgnoreCase("Yes")) { + trustUrlVncCert = true; ++ } ++ debugCerts = false; ++ str = readParameter("debugCerts", false); ++ if (str != null && str.equalsIgnoreCase("Yes")) { ++ debugCerts = true; + } } diff --git a/classes/ssl/ultravnc-102-JavaViewer-ssl-etc.patch b/classes/ssl/ultravnc-102-JavaViewer-ssl-etc.patch index 6e61cf3..369a221 100644 --- a/classes/ssl/ultravnc-102-JavaViewer-ssl-etc.patch +++ b/classes/ssl/ultravnc-102-JavaViewer-ssl-etc.patch 
@@ -2644,8 +2644,8 @@ diff -Naur JavaViewer.orig/RfbProto.java JavaViewer/RfbProto.java
 // }
 diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 --- JavaViewer.orig/SSLSocketToMe.java 1969-12-31 19:00:00.000000000 -0500
-+++ JavaViewer/SSLSocketToMe.java 2009-08-13 09:16:42.000000000 -0400
-@@ -0,0 +1,1727 @@
++++ JavaViewer/SSLSocketToMe.java 2010-02-22 20:03:11.000000000 -0500
+@@ -0,0 +1,1712 @@
 +/*
 + * SSLSocketToMe.java: add SSL encryption to Java VNC Viewer.
 + *
@@ -2722,6 +2722,7 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 +
 + boolean use_url_cert_for_auth = true;
 + boolean user_wants_to_see_cert = true;
++ boolean debug_certs = false;
 +
 + /* cert(s) we retrieve from VNC server */
 + java.security.cert.Certificate[] trustallCerts = null;
@@ -2751,6 +2752,8 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 + port = p;
 + viewer = v;
 +
++ debug_certs = v.debugCerts;
++
 + /* we will first try default factory for certification: */
 +
 + factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
@@ -2808,21 +2811,6 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 + throw new CertificateException(
 + "No Trust url Certs.");
 + }
-+ if (trusturlCerts.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < trusturlCerts.length - 1; i++) {
-+ if (! trusturlCerts[i].equals(trusturlCerts[i+1])) {
-+ ok = false;
-+ }
-+ }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many Trust url Certs: "
-+ + trusturlCerts.length
-+ );
-+ }
-+ }
 + if (certs == null) {
 + throw new CertificateException(
 + "No this-certs array.");
@@ -2831,26 +2819,32 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 + throw new CertificateException(
 + "No this-certs Certs.");
 + }
-+ if (certs.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < certs.length - 1; i++) {
-+ if (! certs[i].equals(certs[i+1])) {
-+ ok = false;
-+ }
++ if (certs.length != trusturlCerts.length) {
++ throw new CertificateException(
++ "certs.length != trusturlCerts.length " + certs.length + " " + trusturlCerts.length);
++ }
++ boolean ok = true;
++ for (int i = 0; i < certs.length; i++) {
++ if (! trusturlCerts[i].equals(certs[i])) {
++ ok = false;
++ dbg("URL: cert mismatch at i=" + i);
++ dbg("URL: cert mismatch cert" + certs[i]);
++ dbg("URL: cert mismatch url" + trusturlCerts[i]);
 + }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many this-certs: "
-+ + certs.length
-+ );
++ if (debug_certs) {
++ dbg("\n***********************************************");
++ dbg("URL: cert info at i=" + i);
++ dbg("URL: cert info cert" + certs[i]);
++ dbg("===============================================");
++ dbg("URL: cert info url" + trusturlCerts[i]);
++ dbg("***********************************************");
 + }
 + }
-+ if (! trusturlCerts[0].equals(certs[0])) {
++ if (!ok) {
 + throw new CertificateException(
-+ "Server Cert Changed != URL.");
++ "Server Cert Chain != URL Cert Chain.");
 + }
-+ dbg("URL: trusturlCerts[0] matches certs[0]");
++ dbg("URL: trusturlCerts[i] matches certs[i] i=0:" + (certs.length-1));
 + }
 + }
 + };
@@ -2880,21 +2874,6 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 + throw new CertificateException(
 + "No Trust All Server Certs.");
 + }
-+ if (trustallCerts.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < trustallCerts.length - 1; i++) {
-+ if (! trustallCerts[i].equals(trustallCerts[i+1])) {
-+ ok = false;
-+ }
-+ }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many Trust All Server Certs: "
-+ + trustallCerts.length
-+ );
-+ }
-+ }
 + if (certs == null) {
 + throw new CertificateException(
 + "No this-certs array.");
@@ -2903,26 +2882,32 @@ diff -Naur JavaViewer.orig/SSLSocketToMe.java JavaViewer/SSLSocketToMe.java
 + throw new CertificateException(
 + "No this-certs Certs.");
 + }
-+ if (certs.length > 1) {
-+ int i;
-+ boolean ok = true;
-+ for (i = 0; i < certs.length - 1; i++) {
-+ if (! certs[i].equals(certs[i+1])) {
-+ ok = false;
-+ }
++ if (certs.length != trustallCerts.length) {
++ throw new CertificateException(
++ "certs.length != trustallCerts.length " + certs.length + " " + trustallCerts.length);
++ }
++ boolean ok = true;
++ for (int i = 0; i < certs.length; i++) {
++ if (! trustallCerts[i].equals(certs[i])) {
++ ok = false;
++ dbg("ONE: cert mismatch at i=" + i);
++ dbg("ONE: cert mismatch cert" + certs[i]);
++ dbg("ONE: cert mismatch all" + trustallCerts[i]);
 + }
-+ if (! ok) {
-+ throw new CertificateException(
-+ "Too many this-certs: "
-+ + certs.length
-+ );
++ if (debug_certs) {
++ dbg("\n***********************************************");
++ dbg("ONE: cert info at i=" + i);
++ dbg("ONE: cert info cert" + certs[i]);
++ dbg("===============================================");
++ dbg("ONE: cert info all" + trustallCerts[i]);
++ dbg("***********************************************");
 + }
 + }
-+ if (! trustallCerts[0].equals(certs[0])) {
++ if (!ok) {
 + throw new CertificateException(
-+ "Server Cert Changed != TRUSTALL.");
++ "Server Cert Chain != TRUSTALL Cert Chain.");
 + }
-+ dbg("ONE: trustallCerts[0] matches certs[0]");
++ dbg("ONE: trustallCerts[i] matches certs[i] i=0:" + (certs.length-1));
 + }
 + }
 + };
@@ -4498,7 +4483,7 @@ diff -Naur JavaViewer.orig/VncCanvas.java JavaViewer/VncCanvas.java
 result = 0; // Transparent pixel
 diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java
 --- JavaViewer.orig/VncViewer.java 2006-05-24 15:14:40.000000000 -0400
-+++ JavaViewer/VncViewer.java 2009-06-19 10:31:23.000000000 -0400
++++ JavaViewer/VncViewer.java 2010-02-22 21:58:51.000000000 -0500
 @@ -80,11 +80,11 @@
 GridBagLayout gridbag;
 ButtonPanel buttonPanel;
@@ -4522,7 +4507,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java String passwordParam; String encPasswordParam; boolean showControls; -@@ -115,28 +115,70 @@ +@@ -115,28 +115,71 @@ int i; // mslogon support 2 end @@ -4540,6 +4525,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java +boolean ignoreProxy; +boolean trustAllVncCerts; +boolean trustUrlVncCert; ++boolean debugCerts; + +boolean ignoreMSLogonCheck; +boolean delayAuthPanel; @@ -4599,7 +4585,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java // authenticator = new AuthPanel(false); // mslogon support : go to connectAndAuthenticate() if (RecordingFrame.checkSecurity()) rec = new RecordingFrame(this); -@@ -147,10 +189,11 @@ +@@ -147,10 +190,11 @@ cursorUpdatesDef = null; eightBitColorsDef = null; @@ -4613,7 +4599,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java rfbThread = new Thread(this); rfbThread.start(); } -@@ -186,6 +229,30 @@ +@@ -186,6 +230,30 @@ gbc.weightx = 1.0; gbc.weighty = 1.0; @@ -4644,7 +4630,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java // Add ScrollPanel to applet mode // Create a panel which itself is resizeable and can hold -@@ -286,6 +353,24 @@ +@@ -286,6 +354,24 @@ void connectAndAuthenticate() throws Exception { @@ -4669,7 +4655,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java // If "ENCPASSWORD" parameter is set, decrypt the password into // the passwordParam string. -@@ -336,7 +421,22 @@ +@@ -336,7 +422,22 @@ // @@ -4693,7 +4679,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java authenticator = new AuthPanel(mslogon); -@@ -390,6 +490,10 @@ +@@ -390,6 +491,10 @@ break; //mslogon support end 
@@ -4704,7 +4690,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java // Retry on authentication failure. authenticator.retry(); } -@@ -405,9 +509,11 @@ +@@ -405,9 +510,11 @@ void prologueDetectAuthProtocol() throws Exception { @@ -4718,7 +4704,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java System.out.println("RFB server supports protocol version " + rfb.serverMajor + "." + rfb.serverMinor); -@@ -431,16 +537,36 @@ +@@ -431,16 +538,36 @@ boolean tryAuthenticate(String us, String pw) throws Exception { @@ -4761,7 +4747,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java switch (authScheme) { -@@ -629,6 +755,10 @@ +@@ -629,6 +756,10 @@ void doProtocolInitialisation() throws IOException { @@ -4772,7 +4758,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java rfb.writeClientInit(); rfb.readServerInit(); -@@ -775,8 +905,25 @@ +@@ -775,8 +906,25 @@ } } @@ -4800,7 +4786,7 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java if (inAnApplet) { str = readParameter("Open New Window", false); -@@ -804,6 +951,133 @@ +@@ -804,6 +952,138 @@ deferScreenUpdates = readIntParameter("Defer screen updates", 20); deferCursorUpdates = readIntParameter("Defer cursor updates", 10); deferUpdateRequests = readIntParameter("Defer update requests", 50); @@ -4905,6 +4891,11 @@ diff -Naur JavaViewer.orig/VncViewer.java JavaViewer/VncViewer.java + if (str != null && str.equalsIgnoreCase("Yes")) { + trustUrlVncCert = true; + } ++ debugCerts = false; ++ str = readParameter("debugCerts", false); ++ if (str != null && str.equalsIgnoreCase("Yes")) { ++ debugCerts = true; ++ } + ignoreMSLogonCheck = false; + str = readParameter("ignoreMSLogonCheck", false); + if (str != null && str.equalsIgnoreCase("Yes")) { -- cgit v1.2.1