[arch-commits] Commit in x11vnc/repos/extra-x86_64 (11 files)

Gaëtan Bisson bisson at archlinux.org
Thu Dec 7 06:14:20 UTC 2017


    Date: Thursday, December 7, 2017 @ 06:14:18
  Author: bisson
Revision: 311705

archrelease: copy trunk to extra-x86_64

Added:
  x11vnc/repos/extra-x86_64/PKGBUILD
    (from rev 311704, x11vnc/trunk/PKGBUILD)
  x11vnc/repos/extra-x86_64/cursor.patch
    (from rev 311704, x11vnc/trunk/cursor.patch)
  x11vnc/repos/extra-x86_64/fix-buffer-overflows.patch
    (from rev 311704, x11vnc/trunk/fix-buffer-overflows.patch)
  x11vnc/repos/extra-x86_64/openssl-detect.patch
    (from rev 311704, x11vnc/trunk/openssl-detect.patch)
  x11vnc/repos/extra-x86_64/openssl-support.patch
    (from rev 311704, x11vnc/trunk/openssl-support.patch)
  x11vnc/repos/extra-x86_64/service
    (from rev 311704, x11vnc/trunk/service)
Deleted:
  x11vnc/repos/extra-x86_64/0001-Fix-openssl-1.1.x-detection.patch
  x11vnc/repos/extra-x86_64/0002-Support-openssl-1.1.0.patch
  x11vnc/repos/extra-x86_64/PKGBUILD
  x11vnc/repos/extra-x86_64/fix-buffer-overflows.patch
  x11vnc/repos/extra-x86_64/service

----------------------------------------+
 0001-Fix-openssl-1.1.x-detection.patch |   34 --
 0002-Support-openssl-1.1.0.patch       |  481 -------------------------------
 PKGBUILD                               |   99 +++---
 cursor.patch                           |  281 ++++++++++++++++++
 fix-buffer-overflows.patch             |   52 +--
 openssl-detect.patch                   |   34 ++
 openssl-support.patch                  |  481 +++++++++++++++++++++++++++++++
 service                                |   14 
 8 files changed, 880 insertions(+), 596 deletions(-)

Deleted: 0001-Fix-openssl-1.1.x-detection.patch
===================================================================
--- 0001-Fix-openssl-1.1.x-detection.patch	2017-12-07 06:12:43 UTC (rev 311704)
+++ 0001-Fix-openssl-1.1.x-detection.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -1,34 +0,0 @@
-From 5889645bd3e63cf02c3fcad942d7edef1b4df472 Mon Sep 17 00:00:00 2001
-From: Bert van Hall <bert.vanhall at avionic-design.de>
-Date: Wed, 7 Dec 2016 10:56:24 +0100
-Subject: [PATCH 1/2] Fix openssl 1.1.x detection
-
-The SSL_library_init function has been renamed to OPENSSL_init_ssl from
-openssl 1.1.0 on. While the old name still exists as a define for
-backwards compatibility, this breaks detection in the library itself.
-Update configure.ac to just detect the library instead of specific
-functions.
-
-Signed-off-by: Bert van Hall <bert.vanhall at avionic-design.de>
----
- configure.ac |    7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -351,12 +351,11 @@ fi
- AH_TEMPLATE(HAVE_X509_PRINT_EX_FP, [open ssl X509_print_ex_fp available])
- if test "x$with_ssl" != "xno"; then
- 	if test "x$HAVE_LIBCRYPTO" = "xtrue"; then
--		AC_CHECK_LIB(ssl, SSL_library_init,
-+		PKG_CHECK_MODULES(OPENSSL, [openssl >= 1.0.0],
- 			SSL_LIBS="-lssl -lcrypto"
--			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
--			-lcrypto)
-+			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
- 	else
--		AC_CHECK_LIB(ssl, SSL_library_init,
-+		PKG_CHECK_MODULES(OPENSSL, [openssl >= 1.0.0],
- 			SSL_LIBS="-lssl"
- 			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
- 	fi

Deleted: 0002-Support-openssl-1.1.0.patch
===================================================================
--- 0002-Support-openssl-1.1.0.patch	2017-12-07 06:12:43 UTC (rev 311704)
+++ 0002-Support-openssl-1.1.0.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -1,481 +0,0 @@
-From d37dac6963c2fb65cf577a6413657621cbcb406a Mon Sep 17 00:00:00 2001
-From: Bert van Hall <bert.vanhall at avionic-design.de>
-Date: Wed, 7 Dec 2016 14:43:57 +0100
-Subject: [PATCH 2/2] Support openssl 1.1.0
-
-Compatibility patch for openssl 1.1.0 and later. The 1.0.2 API should
-still work. Note that openssl 1.1.0 builds now have SSLv3 disabled per
-default, so clients will have to support TLS to connect securely.
-
-Signed-off-by: Bert van Hall <bert.vanhall at avionic-design.de>
----
- README          |   16 +++++++
- src/enc.h       |   88 +++++++++++++++++++++++++++++++--------
- src/sslhelper.c |  119 +++++++++++++++++++++++++++++++++++++++++------------
- 3 files changed, 179 insertions(+), 44 deletions(-)
-
---- a/README
-+++ b/README
-@@ -871,6 +871,14 @@ make
-    place. As of x11vnc 0.9.4 there is also the --with-ssl=DIR configure
-    option.
- 
-+   Note that from OpenSSL 1.1.0 on SSLv2 support has been dropped and
-+   SSLv3 deactivated at build time per default. This means that unless
-+   explicitly enabled, OpenSSL builds only support TLS (any version).
-+   Since there is a reason for dropping SSLv3 (heard of POODLE?), most
-+   distributions do not enable it for their OpenSSL binary. In summary
-+   this means compiling x11vnc against OpenSSL 1.1.0 or newer is no
-+   problem, but using encryption will require a viewer with TLS support.
-+
-    On Solaris using static archives libssl.a and libcrypto.a instead of
-    .so shared libraries (e.g. from www.sunfreeware.com), we found we
-    needed to also set LDFLAGS as follows to get the configure to work:
-@@ -4228,6 +4236,14 @@ connect = 5900
-    protocol handshake. x11vnc 0.9.6 supports both simultaneously when
-    -ssl is active.
- 
-+   Note: With the advent of OpenSSL 1.1.0, SSLv2 is dropped and SSLv3
-+   deactivated per default. A couple broken ciphers have also gone, most
-+   importantly though is that clients trying to connect to x11vnc will
-+   now have to support TLS if encryption is to be used. You can of
-+   course always cook up your own build and run time OpenSSL 1.1.x if
-+   SSLv3 is absolutely required, but it isn't wise from a security point
-+   of view.
-+
- 
-    SSL VNC Viewers:. Viewer-side will need to use SSL as well. See the
-    next FAQ and here for SSL enabled VNC Viewers, including SSVNC, to
---- a/src/enc.h
-+++ b/src/enc.h
-@@ -454,8 +454,10 @@ extern void enc_do(char *ciph, char *key
- 		p++;
- 		if (strstr(p, "md5+") == p) {
- 			Digest = EVP_md5();        p += strlen("md5+");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined OPENSSL_NO_SHA0
- 		} else if (strstr(p, "sha+") == p) {
- 			Digest = EVP_sha();        p += strlen("sha+");
-+#endif
- 		} else if (strstr(p, "sha1+") == p) {
- 			Digest = EVP_sha1();       p += strlen("sha1+");
- 		} else if (strstr(p, "ripe+") == p) {
-@@ -696,7 +698,11 @@ static void enc_xfer(int sock_fr, int so
- 	 */
- 	unsigned char E_keystr[EVP_MAX_KEY_LENGTH];
- 	unsigned char D_keystr[EVP_MAX_KEY_LENGTH];
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	EVP_CIPHER_CTX *E_ctx, *D_ctx;
-+#else
- 	EVP_CIPHER_CTX E_ctx, D_ctx;
-+#endif
- 	EVP_CIPHER_CTX *ctx = NULL;
- 
- 	unsigned char buf[BSIZE], out[BSIZE];
-@@ -739,11 +745,16 @@ static void enc_xfer(int sock_fr, int so
- 	encsym = encrypt ? "+" : "-";
- 
- 	/* use the encryption/decryption context variables below */
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	E_ctx = EVP_CIPHER_CTX_new();
-+	D_ctx = EVP_CIPHER_CTX_new();
-+	ctx = encrypt ? E_ctx : D_ctx;
-+#else
-+	ctx = encrypt ? &E_ctx : &D_ctx;
-+#endif
- 	if (encrypt) {
--		ctx = &E_ctx;
- 		keystr = E_keystr;
- 	} else {
--		ctx = &D_ctx;
- 		keystr = D_keystr;
- 	}
- 
-@@ -877,9 +888,9 @@ static void enc_xfer(int sock_fr, int so
- 			in_salt = salt;
- 		}
- 
--		if (ivec_size < Cipher->iv_len && !securevnc) {
-+		if (ivec_size < EVP_CIPHER_iv_length(Cipher) && !securevnc) {
- 			fprintf(stderr, "%s: %s - WARNING: short IV %d < %d\n",
--			    prog, encstr, ivec_size, Cipher->iv_len);
-+			    prog, encstr, ivec_size, EVP_CIPHER_iv_length(Cipher));
- 		}
- 
- 		/* make the hashed value and place in keystr */
-@@ -1033,6 +1044,11 @@ static void enc_xfer(int sock_fr, int so
- 	fprintf(stderr,   "%s: %s - close sock_fr\n", prog, encstr);
- 	close(sock_fr);
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	EVP_CIPHER_CTX_free(E_ctx);
-+	EVP_CIPHER_CTX_free(D_ctx);
-+#endif
-+
- 	/* kill our partner after 2 secs. */
- 	sleep(2);
- 	if (child)  {
-@@ -1101,14 +1117,24 @@ static int securevnc_server_rsa_save_dia
- }
- 
- static char *rsa_md5_sum(unsigned char* rsabuf) {
--	EVP_MD_CTX md;
-+	EVP_MD_CTX *md;
- 	char digest[EVP_MAX_MD_SIZE], tmp[16];
- 	char md5str[EVP_MAX_MD_SIZE * 8];
- 	unsigned int i, size = 0;
- 
--	EVP_DigestInit(&md, EVP_md5());
--	EVP_DigestUpdate(&md, rsabuf, SECUREVNC_RSA_PUBKEY_SIZE);
--	EVP_DigestFinal(&md, (unsigned char *)digest, &size);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	md = EVP_MD_CTX_new();
-+#else
-+	md = EVP_MD_CTX_create();
-+#endif
-+	EVP_DigestInit(md, EVP_md5());
-+	EVP_DigestUpdate(md, rsabuf, SECUREVNC_RSA_PUBKEY_SIZE);
-+	EVP_DigestFinal(md, (unsigned char *)digest, &size);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	EVP_MD_CTX_free(md);
-+#else
-+	EVP_MD_CTX_destroy(md);
-+#endif
- 
- 	memset(md5str, 0, sizeof(md5str));
- 	for (i=0; i < size; i++) {
-@@ -1225,7 +1251,7 @@ static void sslexit(char *msg) {
- 
- static void securevnc_setup(int conn1, int conn2) {
- 	RSA *rsa = NULL;
--	EVP_CIPHER_CTX init_ctx;
-+	EVP_CIPHER_CTX *init_ctx;
- 	unsigned char keystr[EVP_MAX_KEY_LENGTH];
- 	unsigned char *rsabuf, *rsasav;
- 	unsigned char *encrypted_keybuf;
-@@ -1364,8 +1390,15 @@ static void securevnc_setup(int conn1, i
- 	/*
- 	 * Back to the work involving the tmp obscuring key:
- 	 */
--	EVP_CIPHER_CTX_init(&init_ctx);
--	rc = EVP_CipherInit_ex(&init_ctx, EVP_rc4(), NULL, initkey, NULL, 1);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	init_ctx = EVP_CIPHER_CTX_new();
-+#else
-+
-+	EVP_CIPHER_CTX init_ctx_obj;
-+	init_ctx = &init_ctx_obj;
-+#endif
-+	EVP_CIPHER_CTX_init(init_ctx);
-+	rc = EVP_CipherInit_ex(init_ctx, EVP_rc4(), NULL, initkey, NULL, 1);
- 	if (rc == 0) {
- 		sslexit("securevnc_setup: EVP_CipherInit_ex(init_ctx) failed");
- 	}
-@@ -1374,6 +1407,9 @@ static void securevnc_setup(int conn1, i
- 	n = read(server, (char *) buf, BSIZE);
- 	fprintf(stderr, "securevnc_setup: data read: %d\n", n);
- 	if (n < 0) {
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	EVP_CIPHER_CTX_free(init_ctx);
-+#endif
- 		exit(1);
- 	}
- 	fprintf(stderr, "securevnc_setup: initial data[%d]: ", n);
-@@ -1381,13 +1417,19 @@ static void securevnc_setup(int conn1, i
- 	/* decode with the tmp key */
- 	if (n > 0) {
- 		memset(to_viewer, 0, sizeof(to_viewer));
--		if (EVP_CipherUpdate(&init_ctx, to_viewer, &len, buf, n) == 0) {
-+		if (EVP_CipherUpdate(init_ctx, to_viewer, &len, buf, n) == 0) {
- 			sslexit("securevnc_setup: EVP_CipherUpdate(init_ctx) failed");
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			EVP_CIPHER_CTX_free(init_ctx);
-+#endif
- 			exit(1);
- 		}
- 		to_viewer_len = len;
- 	}
--	EVP_CIPHER_CTX_cleanup(&init_ctx);
-+	EVP_CIPHER_CTX_cleanup(init_ctx);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	EVP_CIPHER_CTX_free(init_ctx);
-+#endif
- 	free(initkey);
- 
- 	/* print what we would send to the viewer (sent below): */
-@@ -1448,7 +1490,7 @@ static void securevnc_setup(int conn1, i
- 
- 	if (client_auth_req && client_auth) {
- 		RSA *client_rsa = load_client_auth(client_auth);
--		EVP_MD_CTX dctx;
-+		EVP_MD_CTX *dctx;
- 		unsigned char digest[EVP_MAX_MD_SIZE], *signature;
- 		unsigned int ndig = 0, nsig = 0;
- 
-@@ -1462,8 +1504,13 @@ static void securevnc_setup(int conn1, i
- 			exit(1);
- 		}
- 
--		EVP_DigestInit(&dctx, EVP_sha1());
--		EVP_DigestUpdate(&dctx, keystr, SECUREVNC_KEY_SIZE);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+		dctx = EVP_MD_CTX_new();
-+#else
-+		dctx = EVP_MD_CTX_create();
-+#endif
-+		EVP_DigestInit(dctx, EVP_sha1());
-+		EVP_DigestUpdate(dctx, keystr, SECUREVNC_KEY_SIZE);
- 		/*
- 		 * Without something like the following MITM is still possible.
- 		 * This is because the MITM knows keystr and can use it with
-@@ -1474,7 +1521,7 @@ static void securevnc_setup(int conn1, i
- 		 * he doesn't have Viewer_ClientAuth.pkey.
- 		 */
- 		if (0) {
--			EVP_DigestUpdate(&dctx, rsasav, SECUREVNC_RSA_PUBKEY_SIZE);
-+			EVP_DigestUpdate(dctx, rsasav, SECUREVNC_RSA_PUBKEY_SIZE);
- 			if (!keystore_verified) {
- 				fprintf(stderr, "securevnc_setup:\n");
- 				fprintf(stderr, "securevnc_setup: Warning: even *WITH* Client Authentication in SecureVNC,\n");
-@@ -1497,7 +1544,12 @@ static void securevnc_setup(int conn1, i
- 				fprintf(stderr, "securevnc_setup:\n");
- 			}
- 		}
--		EVP_DigestFinal(&dctx, (unsigned char *)digest, &ndig);
-+		EVP_DigestFinal(dctx, (unsigned char *)digest, &ndig);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+		EVP_MD_CTX_free(dctx);
-+#else
-+		EVP_MD_CTX_destroy(dctx);
-+#endif
- 
- 		signature = (unsigned char *) calloc(RSA_size(client_rsa), 1);
- 		RSA_sign(NID_sha1, digest, ndig, signature, &nsig, client_rsa);
---- a/src/sslhelper.c
-+++ b/src/sslhelper.c
-@@ -799,8 +799,13 @@ static int pem_passwd_callback(char *buf
- 
- /* based on mod_ssl */
- static int crl_callback(X509_STORE_CTX *callback_ctx) {
--	X509_STORE_CTX store_ctx;
-+	const ASN1_INTEGER *revoked_serial;
-+	X509_STORE_CTX *store_ctx;
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L
-+	X509_OBJECT *obj;
-+#else
- 	X509_OBJECT obj;
-+#endif
- 	X509_NAME *subject;
- 	X509_NAME *issuer;
- 	X509 *xs;
-@@ -820,11 +825,19 @@ static int crl_callback(X509_STORE_CTX *
- 	
- 	/* Try to retrieve a CRL corresponding to the _subject_ of
- 	* the current certificate in order to verify it's integrity. */
-+	store_ctx = X509_STORE_CTX_new();
-+	X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L
-+	obj = X509_OBJECT_new();
-+	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
-+	crl = X509_OBJECT_get0_X509_CRL(obj);
-+#else
- 	memset((char *)&obj, 0, sizeof(obj));
--	X509_STORE_CTX_init(&store_ctx, revocation_store, NULL, NULL);
--	rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
--	X509_STORE_CTX_cleanup(&store_ctx);
-+	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj);
- 	crl=obj.data.crl;
-+#endif
-+	X509_STORE_CTX_cleanup(store_ctx);
-+	X509_STORE_CTX_free(store_ctx);
- 
- 	if(rc>0 && crl) {
- 		/* Log information about CRL
-@@ -850,7 +863,11 @@ static int crl_callback(X509_STORE_CTX *
- 			rfbLog("Invalid signature on CRL\n");
- 			X509_STORE_CTX_set_error(callback_ctx,
- 				X509_V_ERR_CRL_SIGNATURE_FAILURE);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			X509_OBJECT_free(obj);
-+#else
- 			X509_OBJECT_free_contents(&obj);
-+#endif
- 			if(pubkey)
- 				EVP_PKEY_free(pubkey);
- 			return 0; /* Reject connection */
-@@ -864,45 +881,78 @@ static int crl_callback(X509_STORE_CTX *
- 			rfbLog("Found CRL has invalid nextUpdate field\n");
- 			X509_STORE_CTX_set_error(callback_ctx,
- 				X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			X509_OBJECT_free(obj);
-+#else
- 			X509_OBJECT_free_contents(&obj);
-+#endif
- 			return 0; /* Reject connection */
- 		}
- 		if(X509_cmp_current_time(t)<0) {
- 			rfbLog("Found CRL is expired - "
- 				"revoking all certificates until you get updated CRL\n");
- 			X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			X509_OBJECT_free(obj);
-+#else
- 			X509_OBJECT_free_contents(&obj);
-+#endif
- 			return 0; /* Reject connection */
- 		}
--		X509_OBJECT_free_contents(&obj);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			X509_OBJECT_free(obj);
-+#else
-+			X509_OBJECT_free_contents(&obj);
-+#endif
- 	}
- 
- 	/* Try to retrieve a CRL corresponding to the _issuer_ of
- 	 * the current certificate in order to check for revocation. */
-+	store_ctx = X509_STORE_CTX_new();
-+	X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L
-+	obj = X509_OBJECT_new();
-+	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
-+	crl = X509_OBJECT_get0_X509_CRL(obj);
-+#else
- 	memset((char *)&obj, 0, sizeof(obj));
--	X509_STORE_CTX_init(&store_ctx, revocation_store, NULL, NULL);
--	rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
--	X509_STORE_CTX_cleanup(&store_ctx);
-+	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj);
- 	crl=obj.data.crl;
-+#endif
-+	X509_STORE_CTX_cleanup(store_ctx);
-+	X509_STORE_CTX_free(store_ctx);
- 
- 	if(rc>0 && crl) {
- 		/* Check if the current certificate is revoked by this CRL */
- 		n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
- 		for(i=0; i<n; i++) {
- 			revoked=sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
--			if(ASN1_INTEGER_cmp(revoked->serialNumber,
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			revoked_serial = X509_REVOKED_get0_serialNumber(revoked);
-+#else
-+			revoked_serial = revoked->serialNumber;
-+#endif
-+			if(ASN1_INTEGER_cmp(revoked_serial,
- 					X509_get_serialNumber(xs)) == 0) {
--				serial=ASN1_INTEGER_get(revoked->serialNumber);
-+				serial=ASN1_INTEGER_get(revoked_serial);
- 				cp=X509_NAME_oneline(issuer, NULL, 0);
- 				rfbLog("Certificate with serial %ld (0x%lX) "
- 					"revoked per CRL from issuer %s\n", serial, serial, cp);
- 				OPENSSL_free(cp);
- 				X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+				X509_OBJECT_free(obj);
-+#else
- 				X509_OBJECT_free_contents(&obj);
-+#endif
- 				return 0; /* Reject connection */
- 			}
- 		}
--		X509_OBJECT_free_contents(&obj);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+			X509_OBJECT_free(obj);
-+#else
-+			X509_OBJECT_free_contents(&obj);
-+#endif
- 	}
- 
- 	return 1; /* Accept connection */
-@@ -951,6 +1001,8 @@ static int switch_to_anon_dh(void);
- 
- void openssl_init(int isclient) {
- 	int db = 0, tmp_pem = 0, do_dh;
-+	const SSL_METHOD *method;
-+	char *method_name;
- 	FILE *in;
- 	double ds;
- 	long mode;
-@@ -992,13 +1044,17 @@ void openssl_init(int isclient) {
- 		ssl_client_mode = 0;
- 	}
- 
--	if (ssl_client_mode) {
--		if (db) fprintf(stderr, "SSLv23_client_method()\n");
--		ctx = SSL_CTX_new( SSLv23_client_method() );
--	} else {
--		if (db) fprintf(stderr, "SSLv23_server_method()\n");
--		ctx = SSL_CTX_new( SSLv23_server_method() );
--	}
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	method = ssl_client_mode ? TLS_client_method() : TLS_server_method();
-+	if (db)
-+		method_name = ssl_client_mode ? "TLS_client_method()" : "TLS_server_method()";
-+#else
-+	method = ssl_client_mode ? SSLv23_client_method() : SSLv23_server_method();
-+	if (db)
-+		method_name = ssl_client_mode ? "SSLv23_client_method()" : "SSLv23_server_method()";
-+#endif
-+	if (db) fprintf(stderr, "%s\n", method_name);
-+	ctx = SSL_CTX_new(method);
- 
- 	if (ctx == NULL) {
- 		rfbLog("openssl_init: SSL_CTX_new failed.\n");	
-@@ -1520,16 +1576,18 @@ static int add_anon_dh(void) {
- }
- 
- static int switch_to_anon_dh(void) {
-+	const SSL_METHOD *method;
- 	long mode;
- 	
- 	rfbLog("Using Anonymous Diffie-Hellman mode.\n");
- 	rfbLog("WARNING: Anonymous Diffie-Hellman uses encryption but is\n");
- 	rfbLog("WARNING: susceptible to a Man-In-The-Middle attack.\n");
--	if (ssl_client_mode) {
--		ctx = SSL_CTX_new( SSLv23_client_method() );
--	} else {
--		ctx = SSL_CTX_new( SSLv23_server_method() );
--	}
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	method = ssl_client_mode ? TLS_client_method() : TLS_server_method();
-+#else
-+	method = ssl_client_mode ? SSLv23_client_method() : SSLv23_server_method();
-+#endif
-+	ctx = SSL_CTX_new(method);
- 	if (ctx == NULL) {
- 		return 0;
- 	}
-@@ -1896,6 +1954,7 @@ static void pr_ssl_info(int verb) {
- 	SSL_CIPHER *c;
- 	SSL_SESSION *s;
- 	char *proto = "unknown";
-+	int ssl_version;
- 
- 	if (verb) {}
- 
-@@ -1905,13 +1964,21 @@ static void pr_ssl_info(int verb) {
- 	c = SSL_get_current_cipher(ssl);
- 	s = SSL_get_session(ssl);
- 
-+	if (s) {
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+		ssl_version = SSL_SESSION_get_protocol_version(s);
-+#else
-+		ssl_version = s->ssl_version;
-+#endif
-+	}
-+
- 	if (s == NULL) {
- 		proto = "nosession";
--	} else if (s->ssl_version == SSL2_VERSION) {
-+	} else if (ssl_version == SSL2_VERSION) {
- 		proto = "SSLv2";
--	} else if (s->ssl_version == SSL3_VERSION) {
-+	} else if (ssl_version == SSL3_VERSION) {
- 		proto = "SSLv3";
--	} else if (s->ssl_version == TLS1_VERSION) {
-+	} else if (ssl_version == TLS1_VERSION) {
- 		proto = "TLSv1";
- 	}
- 	if (c != NULL) {

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2017-12-07 06:12:43 UTC (rev 311704)
+++ PKGBUILD	2017-12-07 06:14:18 UTC (rev 311705)
@@ -1,48 +0,0 @@
-# $Id$
-# Maintainer: Gaetan Bisson <bisson at archlinux.org>
-# Contributor: damir <damir at archlinux.org>
-
-pkgname=x11vnc
-epoch=1
-pkgver=0.9.14
-pkgrel=3
-pkgdesc='VNC server for real X displays'
-url='https://github.com/LibVNC/x11vnc'
-arch=('i686' 'x86_64')
-license=('GPL2')
-optdepends=('tk: GUI support'
-            'net-tools: -auth guess'
-            'xf86-video-dummy: Xdummy script')
-depends=('libvncserver' 'openssl' 'libjpeg' 'libxtst' 'libxinerama'
-         'libxdamage' 'libxrandr' 'avahi' 'xorg-xdpyinfo')
-source=("https://github.com/LibVNC/x11vnc/archive/${pkgver}.tar.gz"
-        'fix-buffer-overflows.patch'
-        '0001-Fix-openssl-1.1.x-detection.patch'
-        '0002-Support-openssl-1.1.0.patch'
-        'service')
-sha256sums=('45f87c5e4382988c73e8c7891ac2bfb45d8f9ce1196ae06651c84636684ea143'
-            '1d19edf54c6216b830150e5b05175a81ee8be3288d8584d3de0276df9a38384e'
-            'f356009176a11a793fef4514b26468c04908c961e6be226a83b631b6df5a2fdc'
-            'f9cafe56cb878b067bc95c6bd84aa8d480af6400bea836d87a08e24e0c4eca0b'
-            'cfb19d44e09e960e2fdb958c9258bccf23c2677715314985f7e819f1dcedb6e4')
-
-prepare() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	patch -p1 -i ../fix-buffer-overflows.patch
-        patch -p1 -i ../0001-Fix-openssl-1.1.x-detection.patch
-        patch -p1 -i ../0002-Support-openssl-1.1.0.patch
-        autoreconf -fi
-}
-
-build() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	./configure --prefix=/usr --mandir=/usr/share/man
-	make
-}
-
-package() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	make DESTDIR="${pkgdir}" install
-	install misc/{rx11vnc,Xdummy} "${pkgdir}"/usr/bin
-	install -Dm644 ../service "${pkgdir}/usr/lib/systemd/system/x11vnc.service"
-}

Copied: x11vnc/repos/extra-x86_64/PKGBUILD (from rev 311704, x11vnc/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,51 @@
+# $Id$
+# Maintainer: Gaetan Bisson <bisson at archlinux.org>
+# Contributor: damir <damir at archlinux.org>
+
+pkgname=x11vnc
+epoch=1
+pkgver=0.9.14
+pkgrel=4
+pkgdesc='VNC server for real X displays'
+url='https://github.com/LibVNC/x11vnc'
+arch=('x86_64')
+license=('GPL2')
+optdepends=('tk: GUI support'
+            'net-tools: -auth guess'
+            'xf86-video-dummy: Xdummy script')
+depends=('libvncserver' 'openssl' 'libjpeg' 'libxtst' 'libxinerama'
+         'libxdamage' 'libxrandr' 'avahi' 'xorg-xdpyinfo')
+source=("https://github.com/LibVNC/x11vnc/archive/${pkgver}.tar.gz"
+        'fix-buffer-overflows.patch'
+        'openssl-detect.patch'
+        'openssl-support.patch'
+        'cursor.patch'
+        'service')
+sha256sums=('45f87c5e4382988c73e8c7891ac2bfb45d8f9ce1196ae06651c84636684ea143'
+            '1d19edf54c6216b830150e5b05175a81ee8be3288d8584d3de0276df9a38384e'
+            'f356009176a11a793fef4514b26468c04908c961e6be226a83b631b6df5a2fdc'
+            'f9cafe56cb878b067bc95c6bd84aa8d480af6400bea836d87a08e24e0c4eca0b'
+            '0559a163f62c308a993a911f5ced5d00cd20afd3e267e9057fe37a2436768f62'
+            'cfb19d44e09e960e2fdb958c9258bccf23c2677715314985f7e819f1dcedb6e4')
+
+prepare() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	patch -p1 -i ../fix-buffer-overflows.patch
+	patch -p1 -i ../openssl-detect.patch
+	patch -p1 -i ../openssl-support.patch
+	patch -p1 -i ../cursor.patch
+	autoreconf -fi
+}
+
+build() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	./configure --prefix=/usr --mandir=/usr/share/man
+	make
+}
+
+package() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	make DESTDIR="${pkgdir}" install
+	install misc/{rx11vnc,Xdummy} "${pkgdir}"/usr/bin
+	install -Dm644 ../service "${pkgdir}/usr/lib/systemd/system/x11vnc.service"
+}

Copied: x11vnc/repos/extra-x86_64/cursor.patch (from rev 311704, x11vnc/trunk/cursor.patch)
===================================================================
--- cursor.patch	                        (rev 0)
+++ cursor.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,281 @@
+From 37c946191a0f36490531624a2d03ec1ce7c714ac Mon Sep 17 00:00:00 2001
+From: Stephan Fuhrmann <stfu_os at freenet.de>
+Date: Tue, 18 Jul 2017 11:28:25 +0200
+Subject: [PATCH] Broken cursor bugfix for 64 bit systems (#49)
+
+* Proper 32 bit types assigned
+
+* The size dependent conversions are not necessary if input type is 32 bit in every case
+
+* Unused variable
+
+* Another type problem 32/64 fixed
+
+* Prototype fixed
+
+* Pointer cast missing
+
+* * Multiple conversions from (unsigned long*) to proper (uint32_t*).
+* Bugfix for XFixesCursorImage type problem. Structure contains (unsigned long*), but protocol says the pixels are just 32 bit.
+  This is a problem for 64 bit systems where (unsigned long) is 64 bits wide.
+---
+ src/cursor.c | 79 ++++++++++++++++++++++++------------------------------------
+ src/cursor.h |  3 +--
+ src/screen.c | 28 ++++++++++-----------
+ 3 files changed, 45 insertions(+), 65 deletions(-)
+
+diff --git a/src/cursor.c b/src/cursor.c
+index 8c14b6c..6e135be 100644
+--- a/src/cursor.c
++++ b/src/cursor.c
+@@ -68,7 +68,7 @@ void set_no_cursor(void);
+ void set_warrow_cursor(void);
+ int set_cursor(int x, int y, int which);
+ int check_x11_pointer(void);
+-int store_cursor(int serial, unsigned long *data, int w, int h, int cbpp, int xhot, int yhot);
++int store_cursor(int serial, uint32_t *data, int w, int h, int cbpp, int xhot, int yhot);
+ unsigned long get_cursor_serial(int mode);
+ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h, int xhot, int yhot, int Bpp);
+ void save_under_cursor_buffer(rfbClientPtr cl);
+@@ -1008,14 +1008,13 @@ void initialize_xfixes(void) {
+ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h,
+     int xhot, int yhot, int Bpp) {
+ 	rfbCursorPtr c;
+-	static unsigned long black = 0, white = 1;
++	static uint32_t black = 0, white = 1;
+ 	static int first = 1;
+ 	char *bitmap, *rich, *alpha;
+ 	char *pixels_new = NULL;
+ 	int n_opaque, n_trans, n_alpha, len, histo[256];
+ 	int send_alpha = 0, alpha_shift = 0, thresh;
+ 	int i, x, y;
+-
+ 	if (first && dpy) {	/* raw_fb hack */
+ 		X_LOCK;
+ 		black = BlackPixel(dpy, scr);
+@@ -1033,7 +1032,6 @@ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h,
+ 	if (scaling_cursor && (scale_cursor_fac_x != 1.0 || scale_cursor_fac_y != 1.0)) {
+ 		int W, H;
+ 		char *pixels_use = (char *) pixels;
+-		unsigned int *pixels32 = NULL;
+ 
+ 		W = w;
+ 		H = h;
+@@ -1043,48 +1041,10 @@ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h,
+ 
+ 		pixels_new = (char *) malloc(4*w*h);
+ 
+-		if (sizeof(unsigned long) == 8) {
+-			int i, j, k = 0;
+-			/*
+-			 * to avoid 64bpp code in scale_rect() we knock
+-			 * down to unsigned int on 64bit machines:
+-			 */
+-			pixels32 = (unsigned int*) malloc(4*W*H);
+-			for (j=0; j<H; j++) {
+-			    for (i=0; i<W; i++) {
+-				*(pixels32+k) = 0xffffffff & (*(pixels+k));
+-				k++;
+-			    }
+-			}
+-			pixels_use = (char *) pixels32;
+-		}
+-
+ 		scale_rect(scale_cursor_fac_x, scale_cursor_fac_y, scaling_cursor_blend,
+ 		    scaling_cursor_interpolate,
+ 		    4, pixels_use, 4*W, pixels_new, 4*w,
+ 		    W, H, w, h, 0, 0, W, H, 0);
+-
+-		if (sizeof(unsigned long) == 8) {
+-			int i, j, k = 0;
+-			unsigned long *pixels64;
+-			unsigned int* source = (unsigned int*) pixels_new;
+-			/*
+-			 * now knock it back up to unsigned long:
+-			 */
+-			pixels64 = (unsigned long*) malloc(8*w*h);
+-			for (j=0; j<h; j++) {
+-			    for (i=0; i<w; i++) {
+-				*(pixels64+k) = (unsigned long) (*(source+k));
+-				k++;
+-			    }
+-			}
+-			free(pixels_new);
+-			pixels_new = (char *) pixels64;
+-			if (pixels32) {
+-				free(pixels32);
+-				pixels32 = NULL;
+-			}
+-		}
+ 			
+ 		pixels = (uint32_t *) pixels_new;
+ 
+@@ -1111,7 +1071,7 @@ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h,
+ 	i = 0;
+ 	for (y = 0; y < h; y++) {
+ 		for (x = 0; x < w; x++) {
+-			unsigned long a;
++			uint32_t a;
+ 
+ 			a = 0xff000000 & (*(pixels+i));
+ 			a = a >> 24;	/* alpha channel */
+@@ -1154,8 +1114,8 @@ rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h,
+ 	i = 0;
+ 	for (y = 0; y < h; y++) {
+ 		for (x = 0; x < w; x++) {
+-			unsigned long r, g, b, a;
+-			unsigned int ui;
++			uint32_t r, g, b, a;
++			uint32_t ui;
+ 			char *p;
+ 
+ 			a = 0xff000000 & (*(pixels+i));
+@@ -1322,6 +1282,7 @@ static int get_exact_cursor(int init) {
+ 	}
+ 	if (xfixes_present && dpy) {
+ #if HAVE_LIBXFIXES
++		uint32_t *pixel32 = NULL;
+ 		int last_idx = (int) get_cursor_serial(1);
+ 		XFixesCursorImage *xfc;
+ 
+@@ -1350,15 +1311,37 @@ static int get_exact_cursor(int init) {
+ 
+ 		/* retrieve the cursor info + pixels from server: */
+ 		xfc = XFixesGetCursorImage(dpy);
++		{
++			/* 2017-07-09, Stephan Fuhrmann: This fixes an implementation flaw for 64 bit systems.
++			 * The XFixesCursorImage structure says xfc->pixels is (unsigned long*) in the structure, but
++			 * the protocol spec says it's 32 bit per pixel
++			 * (https://www.x.org/releases/X11R7.6/doc/fixesproto/fixesproto.txt).
++			 * I'm converting the data anyway to 32 bit to be sure. Only necessary for 64 bit systems,
++			 * but doing it anyway for 32 bit.
++			 * */
++			int x,y;
++			pixel32 = malloc(xfc->width * xfc->height * sizeof(uint32_t));
++			for (y = 0; y < xfc->height; y++) {
++				for (x = 0; x < xfc->width; x++) {
++					uint32_t ofs = x + y*xfc->width;
++					*(pixel32 + ofs) = *(xfc->pixels + ofs);
++				}
++			}
++		}
++
+ 		X_UNLOCK;
+ 		if (! xfc) {
+ 			/* failure. */
+ 			return which;
+ 		}
+ 
+-		which = store_cursor(xfc->cursor_serial, xfc->pixels,
++		which = store_cursor(xfc->cursor_serial, pixel32,
+ 		    xfc->width, xfc->height, 32, xfc->xhot, xfc->yhot);
+ 
++		if (pixel32 != NULL) {
++			free(pixel32);
++		}
++
+ 		X_LOCK;
+ 		XFree_wr(xfc);
+ 		X_UNLOCK;
+@@ -1367,7 +1350,7 @@ static int get_exact_cursor(int init) {
+ 	return(which);
+ }
+ 
+-int store_cursor(int serial, unsigned long *data, int w, int h, int cbpp,
++int store_cursor(int serial, uint32_t *data, int w, int h, int cbpp,
+     int xhot, int yhot) {
+ 	int which = CURS_ARROW;
+ 	int use, oldest, i;
+@@ -1453,7 +1436,7 @@ fprintf(stderr, "sc: %d  %d/%d %d - %d %d\n", serial, w, h, cbpp, xhot, yhot);
+ 	}
+ 
+ 	/* place cursor into our collection */
+-	cursors[use]->rfb = pixels2curs((uint32_t*)data, w, h, xhot, yhot, bpp/8);
++	cursors[use]->rfb = pixels2curs(data, w, h, xhot, yhot, bpp/8);
+ 
+ 	/* update time and serial index: */
+ 	curs_times[use] = now;
+diff --git a/src/cursor.h b/src/cursor.h
+index 0cd42d1..e8ed248 100644
+--- a/src/cursor.h
++++ b/src/cursor.h
+@@ -47,7 +47,6 @@ extern int alpha_blend;
+ extern int alt_arrow;
+ extern int alt_arrow_max;
+ 
+-
+ extern void first_cursor(void);
+ extern void setup_cursors_and_push(void);
+ extern void initialize_xfixes(void);
+@@ -64,7 +63,7 @@ extern void set_no_cursor(void);
+ extern void set_warrow_cursor(void);
+ extern int set_cursor(int x, int y, int which);
+ extern int check_x11_pointer(void);
+-extern int store_cursor(int serial, unsigned long *data, int w, int h, int cbpp, int xhot, int yhot);
++extern int store_cursor(int serial, uint32_t *data, int w, int h, int cbpp, int xhot, int yhot);
+ extern unsigned long get_cursor_serial(int mode);
+ extern rfbCursorPtr pixels2curs(uint32_t *pixels, int w, int h, int xhot, int yhot, int Bpp);
+ void save_under_cursor_buffer(rfbClientPtr cl);
+diff --git a/src/screen.c b/src/screen.c
+index bda4690..395b503 100644
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -1206,10 +1206,10 @@ void vnc_reflect_got_update(rfbClient *cl, int x, int y, int w, int h) {
+ void vnc_reflect_got_cursorshape(rfbClient *cl, int xhot, int yhot, int width, int height, int bytesPerPixel) {
+ 	static int serial = 1;
+ 	int i, j;
+-	char *pixels = NULL;
+-	unsigned long r, g, b;
+-	unsigned int ui = 0;
+-	unsigned long red_mask, green_mask, blue_mask;
++	uint32_t *pixels = NULL;
++	uint32_t r, g, b;
++	uint32_t ui = 0;
++	uint32_t red_mask, green_mask, blue_mask;
+ 
+ 	if (cl) {}
+ 	if (unixpw_in_progress) {
+@@ -1230,21 +1230,20 @@ void vnc_reflect_got_cursorshape(rfbClient *cl, int xhot, int yhot, int width, i
+ 	green_mask = (client->format.greenMax << client->format.greenShift);
+ 	blue_mask  = (client->format.blueMax  << client->format.blueShift);
+ 
+-	pixels = (char *)malloc(4*width*height);
++	pixels = (uint32_t *)malloc(4*width*height);
+ 	for (j=0; j<height; j++) {
+ 		for (i=0; i<width; i++) {
+-			unsigned int* uip;
+ 			unsigned char* uic;
+ 			int m;
+ 			if (bytesPerPixel == 1) {
+-				unsigned char* p = (unsigned char *) client->rcSource;
+-				ui = (unsigned long) *(p + j * width + i);
++				uint8_t* p = (uint8_t *) client->rcSource;
++				ui = (uint32_t) *(p + j * width + i);
+ 			} else if (bytesPerPixel == 2) {
+-				unsigned short* p = (unsigned short *) client->rcSource;
+-				ui = (unsigned long) *(p + j * width + i);
++				uint16_t* p = (uint16_t *) client->rcSource;
++				ui = (uint32_t) *(p + j * width + i);
+ 			} else if (bytesPerPixel == 4) {
+-				unsigned int* p = (unsigned int *) client->rcSource;
+-				ui = (unsigned long) *(p + j * width + i);
++				uint32_t* p = (uint32_t *) client->rcSource;
++				ui = (uint32_t) *(p + j * width + i);
+ 			}
+ 			r = (red_mask   & ui) >> client->format.redShift;
+ 			g = (green_mask & ui) >> client->format.greenShift;
+@@ -1261,12 +1260,11 @@ void vnc_reflect_got_cursorshape(rfbClient *cl, int xhot, int yhot, int width, i
+ 			if (m) {
+ 				ui |= 0xff000000;
+ 			}
+-			uip = (unsigned int *)pixels;
+-			*(uip + j * width + i) = ui;
++			*(pixels + j * width + i) = ui;
+ 		}
+ 	}
+ 
+-	store_cursor(serial++, (unsigned long*) pixels, width, height, 32, xhot, yhot);
++	store_cursor(serial++, pixels, width, height, 32, xhot, yhot);
+ 	free(pixels);
+ 	set_cursor(cursor_x, cursor_y, get_which_cursor());
+ }

Deleted: fix-buffer-overflows.patch
===================================================================
--- fix-buffer-overflows.patch	2017-12-07 06:12:43 UTC (rev 311704)
+++ fix-buffer-overflows.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -1,26 +0,0 @@
-diff -Naur x11vnc-0.9.13-ori/src/win_utils.c x11vnc-0.9.13/src/win_utils.c
---- x11vnc-0.9.13-ori/src/win_utils.c	2016-10-07 23:26:03.248600761 +0200
-+++ x11vnc-0.9.13/src/win_utils.c	2016-10-07 23:26:51.919256706 +0200
-@@ -262,8 +262,8 @@
- 	}
- 
- 	last_snap = now;
--	if (num > stack_list_len + blackouts) {
--		int n = 2*num;
-+	if (num + blackouts > stack_list_len) {
-+		int n = 2 * (num + blackouts);
- 		free(stack_list);
- 		stack_list = (winattr_t *) malloc(n*sizeof(winattr_t));
- 		stack_list_len = n;
-diff -Naur x11vnc-0.9.13-ori/src/xrecord.c x11vnc-0.9.13/src/xrecord.c
---- x11vnc-0.9.13-ori/src/xrecord.c	2016-10-07 23:26:03.248600761 +0200
-+++ x11vnc-0.9.13/src/xrecord.c	2016-10-07 23:27:49.566700470 +0200
-@@ -964,7 +964,7 @@
- 	data = (char *)req;
- 	data += sz_xConfigureWindowReq;
- 
--	for (i=0; i<req->length; i++) {
-+	for (i = 0; i < req->length -  sz_xConfigureWindowReq / 4 && i < 4; i++) {
- 		unsigned int v;
- 		/*
- 		 * We use unsigned int for the values.  There were

Copied: x11vnc/repos/extra-x86_64/fix-buffer-overflows.patch (from rev 311704, x11vnc/trunk/fix-buffer-overflows.patch)
===================================================================
--- fix-buffer-overflows.patch	                        (rev 0)
+++ fix-buffer-overflows.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,26 @@
+diff -Naur x11vnc-0.9.13-ori/src/win_utils.c x11vnc-0.9.13/src/win_utils.c
+--- x11vnc-0.9.13-ori/src/win_utils.c	2016-10-07 23:26:03.248600761 +0200
++++ x11vnc-0.9.13/src/win_utils.c	2016-10-07 23:26:51.919256706 +0200
+@@ -262,8 +262,8 @@
+ 	}
+ 
+ 	last_snap = now;
+-	if (num > stack_list_len + blackouts) {
+-		int n = 2*num;
++	if (num + blackouts > stack_list_len) {
++		int n = 2 * (num + blackouts);
+ 		free(stack_list);
+ 		stack_list = (winattr_t *) malloc(n*sizeof(winattr_t));
+ 		stack_list_len = n;
+diff -Naur x11vnc-0.9.13-ori/src/xrecord.c x11vnc-0.9.13/src/xrecord.c
+--- x11vnc-0.9.13-ori/src/xrecord.c	2016-10-07 23:26:03.248600761 +0200
++++ x11vnc-0.9.13/src/xrecord.c	2016-10-07 23:27:49.566700470 +0200
+@@ -964,7 +964,7 @@
+ 	data = (char *)req;
+ 	data += sz_xConfigureWindowReq;
+ 
+-	for (i=0; i<req->length; i++) {
++	for (i = 0; i < req->length -  sz_xConfigureWindowReq / 4 && i < 4; i++) {
+ 		unsigned int v;
+ 		/*
+ 		 * We use unsigned int for the values.  There were

Copied: x11vnc/repos/extra-x86_64/openssl-detect.patch (from rev 311704, x11vnc/trunk/openssl-detect.patch)
===================================================================
--- openssl-detect.patch	                        (rev 0)
+++ openssl-detect.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,34 @@
+From 5889645bd3e63cf02c3fcad942d7edef1b4df472 Mon Sep 17 00:00:00 2001
+From: Bert van Hall <bert.vanhall at avionic-design.de>
+Date: Wed, 7 Dec 2016 10:56:24 +0100
+Subject: [PATCH 1/2] Fix openssl 1.1.x detection
+
+The SSL_library_init function has been renamed to OPENSSL_init_ssl from
+openssl 1.1.0 on. While the old name still exists as a define for
+backwards compatibility, this breaks detection in the library itself.
+Update configure.ac to just detect the library instead of specific
+functions.
+
+Signed-off-by: Bert van Hall <bert.vanhall at avionic-design.de>
+---
+ configure.ac |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -351,12 +351,11 @@ fi
+ AH_TEMPLATE(HAVE_X509_PRINT_EX_FP, [open ssl X509_print_ex_fp available])
+ if test "x$with_ssl" != "xno"; then
+ 	if test "x$HAVE_LIBCRYPTO" = "xtrue"; then
+-		AC_CHECK_LIB(ssl, SSL_library_init,
++		PKG_CHECK_MODULES(OPENSSL, [openssl >= 1.0.0],
+ 			SSL_LIBS="-lssl -lcrypto"
+-			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
+-			-lcrypto)
++			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
+ 	else
+-		AC_CHECK_LIB(ssl, SSL_library_init,
++		PKG_CHECK_MODULES(OPENSSL, [openssl >= 1.0.0],
+ 			SSL_LIBS="-lssl"
+ 			[AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
+ 	fi

Copied: x11vnc/repos/extra-x86_64/openssl-support.patch (from rev 311704, x11vnc/trunk/openssl-support.patch)
===================================================================
--- openssl-support.patch	                        (rev 0)
+++ openssl-support.patch	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,481 @@
+From d37dac6963c2fb65cf577a6413657621cbcb406a Mon Sep 17 00:00:00 2001
+From: Bert van Hall <bert.vanhall at avionic-design.de>
+Date: Wed, 7 Dec 2016 14:43:57 +0100
+Subject: [PATCH 2/2] Support openssl 1.1.0
+
+Compatibility patch for openssl 1.1.0 and later. The 1.0.2 API should
+still work. Note that openssl 1.1.0 builds now have SSLv3 disabled per
+default, so clients will have to support TLS to connect securely.
+
+Signed-off-by: Bert van Hall <bert.vanhall at avionic-design.de>
+---
+ README          |   16 +++++++
+ src/enc.h       |   88 +++++++++++++++++++++++++++++++--------
+ src/sslhelper.c |  119 +++++++++++++++++++++++++++++++++++++++++------------
+ 3 files changed, 179 insertions(+), 44 deletions(-)
+
+--- a/README
++++ b/README
+@@ -871,6 +871,14 @@ make
+    place. As of x11vnc 0.9.4 there is also the --with-ssl=DIR configure
+    option.
+ 
++   Note that from OpenSSL 1.1.0 on SSLv2 support has been dropped and
++   SSLv3 deactivated at build time per default. This means that unless
++   explicitly enabled, OpenSSL builds only support TLS (any version).
++   Since there is a reason for dropping SSLv3 (heard of POODLE?), most
++   distributions do not enable it for their OpenSSL binary. In summary
++   this means compiling x11vnc against OpenSSL 1.1.0 or newer is no
++   problem, but using encryption will require a viewer with TLS support.
++
+    On Solaris using static archives libssl.a and libcrypto.a instead of
+    .so shared libraries (e.g. from www.sunfreeware.com), we found we
+    needed to also set LDFLAGS as follows to get the configure to work:
+@@ -4228,6 +4236,14 @@ connect = 5900
+    protocol handshake. x11vnc 0.9.6 supports both simultaneously when
+    -ssl is active.
+ 
++   Note: With the advent of OpenSSL 1.1.0, SSLv2 is dropped and SSLv3
++   deactivated per default. A couple broken ciphers have also gone, most
++   importantly though is that clients trying to connect to x11vnc will
++   now have to support TLS if encryption is to be used. You can of
++   course always cook up your own build and run time OpenSSL 1.1.x if
++   SSLv3 is absolutely required, but it isn't wise from a security point
++   of view.
++
+ 
+    SSL VNC Viewers:. Viewer-side will need to use SSL as well. See the
+    next FAQ and here for SSL enabled VNC Viewers, including SSVNC, to
+--- a/src/enc.h
++++ b/src/enc.h
+@@ -454,8 +454,10 @@ extern void enc_do(char *ciph, char *key
+ 		p++;
+ 		if (strstr(p, "md5+") == p) {
+ 			Digest = EVP_md5();        p += strlen("md5+");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined OPENSSL_NO_SHA0
+ 		} else if (strstr(p, "sha+") == p) {
+ 			Digest = EVP_sha();        p += strlen("sha+");
++#endif
+ 		} else if (strstr(p, "sha1+") == p) {
+ 			Digest = EVP_sha1();       p += strlen("sha1+");
+ 		} else if (strstr(p, "ripe+") == p) {
+@@ -696,7 +698,11 @@ static void enc_xfer(int sock_fr, int so
+ 	 */
+ 	unsigned char E_keystr[EVP_MAX_KEY_LENGTH];
+ 	unsigned char D_keystr[EVP_MAX_KEY_LENGTH];
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	EVP_CIPHER_CTX *E_ctx, *D_ctx;
++#else
+ 	EVP_CIPHER_CTX E_ctx, D_ctx;
++#endif
+ 	EVP_CIPHER_CTX *ctx = NULL;
+ 
+ 	unsigned char buf[BSIZE], out[BSIZE];
+@@ -739,11 +745,16 @@ static void enc_xfer(int sock_fr, int so
+ 	encsym = encrypt ? "+" : "-";
+ 
+ 	/* use the encryption/decryption context variables below */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	E_ctx = EVP_CIPHER_CTX_new();
++	D_ctx = EVP_CIPHER_CTX_new();
++	ctx = encrypt ? E_ctx : D_ctx;
++#else
++	ctx = encrypt ? &E_ctx : &D_ctx;
++#endif
+ 	if (encrypt) {
+-		ctx = &E_ctx;
+ 		keystr = E_keystr;
+ 	} else {
+-		ctx = &D_ctx;
+ 		keystr = D_keystr;
+ 	}
+ 
+@@ -877,9 +888,9 @@ static void enc_xfer(int sock_fr, int so
+ 			in_salt = salt;
+ 		}
+ 
+-		if (ivec_size < Cipher->iv_len && !securevnc) {
++		if (ivec_size < EVP_CIPHER_iv_length(Cipher) && !securevnc) {
+ 			fprintf(stderr, "%s: %s - WARNING: short IV %d < %d\n",
+-			    prog, encstr, ivec_size, Cipher->iv_len);
++			    prog, encstr, ivec_size, EVP_CIPHER_iv_length(Cipher));
+ 		}
+ 
+ 		/* make the hashed value and place in keystr */
+@@ -1033,6 +1044,11 @@ static void enc_xfer(int sock_fr, int so
+ 	fprintf(stderr,   "%s: %s - close sock_fr\n", prog, encstr);
+ 	close(sock_fr);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	EVP_CIPHER_CTX_free(E_ctx);
++	EVP_CIPHER_CTX_free(D_ctx);
++#endif
++
+ 	/* kill our partner after 2 secs. */
+ 	sleep(2);
+ 	if (child)  {
+@@ -1101,14 +1117,24 @@ static int securevnc_server_rsa_save_dia
+ }
+ 
+ static char *rsa_md5_sum(unsigned char* rsabuf) {
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	char digest[EVP_MAX_MD_SIZE], tmp[16];
+ 	char md5str[EVP_MAX_MD_SIZE * 8];
+ 	unsigned int i, size = 0;
+ 
+-	EVP_DigestInit(&md, EVP_md5());
+-	EVP_DigestUpdate(&md, rsabuf, SECUREVNC_RSA_PUBKEY_SIZE);
+-	EVP_DigestFinal(&md, (unsigned char *)digest, &size);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	md = EVP_MD_CTX_new();
++#else
++	md = EVP_MD_CTX_create();
++#endif
++	EVP_DigestInit(md, EVP_md5());
++	EVP_DigestUpdate(md, rsabuf, SECUREVNC_RSA_PUBKEY_SIZE);
++	EVP_DigestFinal(md, (unsigned char *)digest, &size);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	EVP_MD_CTX_free(md);
++#else
++	EVP_MD_CTX_destroy(md);
++#endif
+ 
+ 	memset(md5str, 0, sizeof(md5str));
+ 	for (i=0; i < size; i++) {
+@@ -1225,7 +1251,7 @@ static void sslexit(char *msg) {
+ 
+ static void securevnc_setup(int conn1, int conn2) {
+ 	RSA *rsa = NULL;
+-	EVP_CIPHER_CTX init_ctx;
++	EVP_CIPHER_CTX *init_ctx;
+ 	unsigned char keystr[EVP_MAX_KEY_LENGTH];
+ 	unsigned char *rsabuf, *rsasav;
+ 	unsigned char *encrypted_keybuf;
+@@ -1364,8 +1390,15 @@ static void securevnc_setup(int conn1, i
+ 	/*
+ 	 * Back to the work involving the tmp obscuring key:
+ 	 */
+-	EVP_CIPHER_CTX_init(&init_ctx);
+-	rc = EVP_CipherInit_ex(&init_ctx, EVP_rc4(), NULL, initkey, NULL, 1);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	init_ctx = EVP_CIPHER_CTX_new();
++#else
++
++	EVP_CIPHER_CTX init_ctx_obj;
++	init_ctx = &init_ctx_obj;
++#endif
++	EVP_CIPHER_CTX_init(init_ctx);
++	rc = EVP_CipherInit_ex(init_ctx, EVP_rc4(), NULL, initkey, NULL, 1);
+ 	if (rc == 0) {
+ 		sslexit("securevnc_setup: EVP_CipherInit_ex(init_ctx) failed");
+ 	}
+@@ -1374,6 +1407,9 @@ static void securevnc_setup(int conn1, i
+ 	n = read(server, (char *) buf, BSIZE);
+ 	fprintf(stderr, "securevnc_setup: data read: %d\n", n);
+ 	if (n < 0) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	EVP_CIPHER_CTX_free(init_ctx);
++#endif
+ 		exit(1);
+ 	}
+ 	fprintf(stderr, "securevnc_setup: initial data[%d]: ", n);
+@@ -1381,13 +1417,19 @@ static void securevnc_setup(int conn1, i
+ 	/* decode with the tmp key */
+ 	if (n > 0) {
+ 		memset(to_viewer, 0, sizeof(to_viewer));
+-		if (EVP_CipherUpdate(&init_ctx, to_viewer, &len, buf, n) == 0) {
++		if (EVP_CipherUpdate(init_ctx, to_viewer, &len, buf, n) == 0) {
+ 			sslexit("securevnc_setup: EVP_CipherUpdate(init_ctx) failed");
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			EVP_CIPHER_CTX_free(init_ctx);
++#endif
+ 			exit(1);
+ 		}
+ 		to_viewer_len = len;
+ 	}
+-	EVP_CIPHER_CTX_cleanup(&init_ctx);
++	EVP_CIPHER_CTX_cleanup(init_ctx);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	EVP_CIPHER_CTX_free(init_ctx);
++#endif
+ 	free(initkey);
+ 
+ 	/* print what we would send to the viewer (sent below): */
+@@ -1448,7 +1490,7 @@ static void securevnc_setup(int conn1, i
+ 
+ 	if (client_auth_req && client_auth) {
+ 		RSA *client_rsa = load_client_auth(client_auth);
+-		EVP_MD_CTX dctx;
++		EVP_MD_CTX *dctx;
+ 		unsigned char digest[EVP_MAX_MD_SIZE], *signature;
+ 		unsigned int ndig = 0, nsig = 0;
+ 
+@@ -1462,8 +1504,13 @@ static void securevnc_setup(int conn1, i
+ 			exit(1);
+ 		}
+ 
+-		EVP_DigestInit(&dctx, EVP_sha1());
+-		EVP_DigestUpdate(&dctx, keystr, SECUREVNC_KEY_SIZE);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		dctx = EVP_MD_CTX_new();
++#else
++		dctx = EVP_MD_CTX_create();
++#endif
++		EVP_DigestInit(dctx, EVP_sha1());
++		EVP_DigestUpdate(dctx, keystr, SECUREVNC_KEY_SIZE);
+ 		/*
+ 		 * Without something like the following MITM is still possible.
+ 		 * This is because the MITM knows keystr and can use it with
+@@ -1474,7 +1521,7 @@ static void securevnc_setup(int conn1, i
+ 		 * he doesn't have Viewer_ClientAuth.pkey.
+ 		 */
+ 		if (0) {
+-			EVP_DigestUpdate(&dctx, rsasav, SECUREVNC_RSA_PUBKEY_SIZE);
++			EVP_DigestUpdate(dctx, rsasav, SECUREVNC_RSA_PUBKEY_SIZE);
+ 			if (!keystore_verified) {
+ 				fprintf(stderr, "securevnc_setup:\n");
+ 				fprintf(stderr, "securevnc_setup: Warning: even *WITH* Client Authentication in SecureVNC,\n");
+@@ -1497,7 +1544,12 @@ static void securevnc_setup(int conn1, i
+ 				fprintf(stderr, "securevnc_setup:\n");
+ 			}
+ 		}
+-		EVP_DigestFinal(&dctx, (unsigned char *)digest, &ndig);
++		EVP_DigestFinal(dctx, (unsigned char *)digest, &ndig);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		EVP_MD_CTX_free(dctx);
++#else
++		EVP_MD_CTX_destroy(dctx);
++#endif
+ 
+ 		signature = (unsigned char *) calloc(RSA_size(client_rsa), 1);
+ 		RSA_sign(NID_sha1, digest, ndig, signature, &nsig, client_rsa);
+--- a/src/sslhelper.c
++++ b/src/sslhelper.c
+@@ -799,8 +799,13 @@ static int pem_passwd_callback(char *buf
+ 
+ /* based on mod_ssl */
+ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+-	X509_STORE_CTX store_ctx;
++	const ASN1_INTEGER *revoked_serial;
++	X509_STORE_CTX *store_ctx;
++#if OPENSSL_VERSION_NUMBER > 0x10100000L
++	X509_OBJECT *obj;
++#else
+ 	X509_OBJECT obj;
++#endif
+ 	X509_NAME *subject;
+ 	X509_NAME *issuer;
+ 	X509 *xs;
+@@ -820,11 +825,19 @@ static int crl_callback(X509_STORE_CTX *
+ 	
+ 	/* Try to retrieve a CRL corresponding to the _subject_ of
+ 	* the current certificate in order to verify it's integrity. */
++	store_ctx = X509_STORE_CTX_new();
++	X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
++#if OPENSSL_VERSION_NUMBER > 0x10100000L
++	obj = X509_OBJECT_new();
++	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
++	crl = X509_OBJECT_get0_X509_CRL(obj);
++#else
+ 	memset((char *)&obj, 0, sizeof(obj));
+-	X509_STORE_CTX_init(&store_ctx, revocation_store, NULL, NULL);
+-	rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
+-	X509_STORE_CTX_cleanup(&store_ctx);
++	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj);
+ 	crl=obj.data.crl;
++#endif
++	X509_STORE_CTX_cleanup(store_ctx);
++	X509_STORE_CTX_free(store_ctx);
+ 
+ 	if(rc>0 && crl) {
+ 		/* Log information about CRL
+@@ -850,7 +863,11 @@ static int crl_callback(X509_STORE_CTX *
+ 			rfbLog("Invalid signature on CRL\n");
+ 			X509_STORE_CTX_set_error(callback_ctx,
+ 				X509_V_ERR_CRL_SIGNATURE_FAILURE);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			X509_OBJECT_free(obj);
++#else
+ 			X509_OBJECT_free_contents(&obj);
++#endif
+ 			if(pubkey)
+ 				EVP_PKEY_free(pubkey);
+ 			return 0; /* Reject connection */
+@@ -864,45 +881,78 @@ static int crl_callback(X509_STORE_CTX *
+ 			rfbLog("Found CRL has invalid nextUpdate field\n");
+ 			X509_STORE_CTX_set_error(callback_ctx,
+ 				X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			X509_OBJECT_free(obj);
++#else
+ 			X509_OBJECT_free_contents(&obj);
++#endif
+ 			return 0; /* Reject connection */
+ 		}
+ 		if(X509_cmp_current_time(t)<0) {
+ 			rfbLog("Found CRL is expired - "
+ 				"revoking all certificates until you get updated CRL\n");
+ 			X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			X509_OBJECT_free(obj);
++#else
+ 			X509_OBJECT_free_contents(&obj);
++#endif
+ 			return 0; /* Reject connection */
+ 		}
+-		X509_OBJECT_free_contents(&obj);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			X509_OBJECT_free(obj);
++#else
++			X509_OBJECT_free_contents(&obj);
++#endif
+ 	}
+ 
+ 	/* Try to retrieve a CRL corresponding to the _issuer_ of
+ 	 * the current certificate in order to check for revocation. */
++	store_ctx = X509_STORE_CTX_new();
++	X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
++#if OPENSSL_VERSION_NUMBER > 0x10100000L
++	obj = X509_OBJECT_new();
++	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
++	crl = X509_OBJECT_get0_X509_CRL(obj);
++#else
+ 	memset((char *)&obj, 0, sizeof(obj));
+-	X509_STORE_CTX_init(&store_ctx, revocation_store, NULL, NULL);
+-	rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
+-	X509_STORE_CTX_cleanup(&store_ctx);
++	rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj);
+ 	crl=obj.data.crl;
++#endif
++	X509_STORE_CTX_cleanup(store_ctx);
++	X509_STORE_CTX_free(store_ctx);
+ 
+ 	if(rc>0 && crl) {
+ 		/* Check if the current certificate is revoked by this CRL */
+ 		n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
+ 		for(i=0; i<n; i++) {
+ 			revoked=sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+-			if(ASN1_INTEGER_cmp(revoked->serialNumber,
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			revoked_serial = X509_REVOKED_get0_serialNumber(revoked);
++#else
++			revoked_serial = revoked->serialNumber;
++#endif
++			if(ASN1_INTEGER_cmp(revoked_serial,
+ 					X509_get_serialNumber(xs)) == 0) {
+-				serial=ASN1_INTEGER_get(revoked->serialNumber);
++				serial=ASN1_INTEGER_get(revoked_serial);
+ 				cp=X509_NAME_oneline(issuer, NULL, 0);
+ 				rfbLog("Certificate with serial %ld (0x%lX) "
+ 					"revoked per CRL from issuer %s\n", serial, serial, cp);
+ 				OPENSSL_free(cp);
+ 				X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++				X509_OBJECT_free(obj);
++#else
+ 				X509_OBJECT_free_contents(&obj);
++#endif
+ 				return 0; /* Reject connection */
+ 			}
+ 		}
+-		X509_OBJECT_free_contents(&obj);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++			X509_OBJECT_free(obj);
++#else
++			X509_OBJECT_free_contents(&obj);
++#endif
+ 	}
+ 
+ 	return 1; /* Accept connection */
+@@ -951,6 +1001,8 @@ static int switch_to_anon_dh(void);
+ 
+ void openssl_init(int isclient) {
+ 	int db = 0, tmp_pem = 0, do_dh;
++	const SSL_METHOD *method;
++	char *method_name;
+ 	FILE *in;
+ 	double ds;
+ 	long mode;
+@@ -992,13 +1044,17 @@ void openssl_init(int isclient) {
+ 		ssl_client_mode = 0;
+ 	}
+ 
+-	if (ssl_client_mode) {
+-		if (db) fprintf(stderr, "SSLv23_client_method()\n");
+-		ctx = SSL_CTX_new( SSLv23_client_method() );
+-	} else {
+-		if (db) fprintf(stderr, "SSLv23_server_method()\n");
+-		ctx = SSL_CTX_new( SSLv23_server_method() );
+-	}
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	method = ssl_client_mode ? TLS_client_method() : TLS_server_method();
++	if (db)
++		method_name = ssl_client_mode ? "TLS_client_method()" : "TLS_server_method()";
++#else
++	method = ssl_client_mode ? SSLv23_client_method() : SSLv23_server_method();
++	if (db)
++		method_name = ssl_client_mode ? "SSLv23_client_method()" : "SSLv23_server_method()";
++#endif
++	if (db) fprintf(stderr, "%s\n", method_name);
++	ctx = SSL_CTX_new(method);
+ 
+ 	if (ctx == NULL) {
+ 		rfbLog("openssl_init: SSL_CTX_new failed.\n");	
+@@ -1520,16 +1576,18 @@ static int add_anon_dh(void) {
+ }
+ 
+ static int switch_to_anon_dh(void) {
++	const SSL_METHOD *method;
+ 	long mode;
+ 	
+ 	rfbLog("Using Anonymous Diffie-Hellman mode.\n");
+ 	rfbLog("WARNING: Anonymous Diffie-Hellman uses encryption but is\n");
+ 	rfbLog("WARNING: susceptible to a Man-In-The-Middle attack.\n");
+-	if (ssl_client_mode) {
+-		ctx = SSL_CTX_new( SSLv23_client_method() );
+-	} else {
+-		ctx = SSL_CTX_new( SSLv23_server_method() );
+-	}
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	method = ssl_client_mode ? TLS_client_method() : TLS_server_method();
++#else
++	method = ssl_client_mode ? SSLv23_client_method() : SSLv23_server_method();
++#endif
++	ctx = SSL_CTX_new(method);
+ 	if (ctx == NULL) {
+ 		return 0;
+ 	}
+@@ -1896,6 +1954,7 @@ static void pr_ssl_info(int verb) {
+ 	SSL_CIPHER *c;
+ 	SSL_SESSION *s;
+ 	char *proto = "unknown";
++	int ssl_version;
+ 
+ 	if (verb) {}
+ 
+@@ -1905,13 +1964,21 @@ static void pr_ssl_info(int verb) {
+ 	c = SSL_get_current_cipher(ssl);
+ 	s = SSL_get_session(ssl);
+ 
++	if (s) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++		ssl_version = SSL_SESSION_get_protocol_version(s);
++#else
++		ssl_version = s->ssl_version;
++#endif
++	}
++
+ 	if (s == NULL) {
+ 		proto = "nosession";
+-	} else if (s->ssl_version == SSL2_VERSION) {
++	} else if (ssl_version == SSL2_VERSION) {
+ 		proto = "SSLv2";
+-	} else if (s->ssl_version == SSL3_VERSION) {
++	} else if (ssl_version == SSL3_VERSION) {
+ 		proto = "SSLv3";
+-	} else if (s->ssl_version == TLS1_VERSION) {
++	} else if (ssl_version == TLS1_VERSION) {
+ 		proto = "TLSv1";
+ 	}
+ 	if (c != NULL) {

Deleted: service
===================================================================
--- service	2017-12-07 06:12:43 UTC (rev 311704)
+++ service	2017-12-07 06:14:18 UTC (rev 311705)
@@ -1,7 +0,0 @@
-[Unit]
-Description=VNC Server for X11
-Requires=graphical.target
-After=graphical.target
-
-[Service]
-ExecStart=/usr/bin/x11vnc

Copied: x11vnc/repos/extra-x86_64/service (from rev 311704, x11vnc/trunk/service)
===================================================================
--- service	                        (rev 0)
+++ service	2017-12-07 06:14:18 UTC (rev 311705)
@@ -0,0 +1,7 @@
+[Unit]
+Description=VNC Server for X11
+Requires=graphical.target
+After=graphical.target
+
+[Service]
+ExecStart=/usr/bin/x11vnc



More information about the arch-commits mailing list