xref: /freebsd/usr.sbin/bhyve/rfb.c (revision 9f44a47fd07924afc035991af15d84e6585dea4f)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2015 Tycho Nightingale <tycho.nightingale@pluribusnetworks.com>
5  * Copyright (c) 2015 Leon Dang
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/param.h>
34 #ifndef WITHOUT_CAPSICUM
35 #include <sys/capsicum.h>
36 #endif
37 #include <sys/endian.h>
38 #include <sys/socket.h>
39 #include <sys/select.h>
40 #include <sys/time.h>
41 #include <arpa/inet.h>
42 #include <stdatomic.h>
43 #include <machine/cpufunc.h>
44 #include <machine/specialreg.h>
45 #include <netinet/in.h>
46 #include <netdb.h>
47 
48 #include <assert.h>
49 #ifndef WITHOUT_CAPSICUM
50 #include <capsicum_helpers.h>
51 #endif
52 #include <err.h>
53 #include <errno.h>
54 #include <pthread.h>
55 #include <pthread_np.h>
56 #include <signal.h>
57 #include <stdbool.h>
58 #include <stdlib.h>
59 #include <stdio.h>
60 #include <string.h>
61 #include <sysexits.h>
62 #include <unistd.h>
63 
64 #include <zlib.h>
65 
66 #include "bhyvegc.h"
67 #include "debug.h"
68 #include "console.h"
69 #include "rfb.h"
70 #include "sockstream.h"
71 
72 #ifndef NO_OPENSSL
73 #include <openssl/des.h>
74 #endif
75 
76 /* Delays in microseconds */
77 #define	CFD_SEL_DELAY	10000
78 #define	SCREEN_REFRESH_DELAY	33300	/* 30Hz */
79 #define	SCREEN_POLL_DELAY	(SCREEN_REFRESH_DELAY / 2)
80 
81 static int rfb_debug = 0;
82 #define	DPRINTF(params) if (rfb_debug) PRINTLN params
83 #define	WPRINTF(params) PRINTLN params
84 
85 #define VERSION_LENGTH	12
86 #define AUTH_LENGTH	16
87 #define PASSWD_LENGTH	8
88 
89 /* Protocol versions */
90 #define CVERS_3_3	'3'
91 #define CVERS_3_7	'7'
92 #define CVERS_3_8	'8'
93 
94 /* Client-to-server msg types */
95 #define CS_SET_PIXEL_FORMAT	0
96 #define CS_SET_ENCODINGS	2
97 #define CS_UPDATE_MSG		3
98 #define CS_KEY_EVENT		4
99 #define CS_POINTER_EVENT	5
100 #define CS_CUT_TEXT		6
101 #define CS_MSG_CLIENT_QEMU	255
102 
103 #define SECURITY_TYPE_NONE	1
104 #define SECURITY_TYPE_VNC_AUTH	2
105 
106 #define AUTH_FAILED_UNAUTH	1
107 #define AUTH_FAILED_ERROR	2
108 
109 struct rfb_softc {
110 	int		sfd;
111 	pthread_t	tid;
112 
113 	int		cfd;
114 
115 	int		width, height;
116 
117 	const char	*password;
118 
119 	bool		enc_raw_ok;
120 	bool		enc_zlib_ok;
121 	bool		enc_resize_ok;
122 	bool		enc_extkeyevent_ok;
123 
124 	bool		enc_extkeyevent_send;
125 
126 	z_stream	zstream;
127 	uint8_t		*zbuf;
128 	int		zbuflen;
129 
130 	int		conn_wait;
131 	int		wrcount;
132 
133 	atomic_bool	sending;
134 	atomic_bool	pending;
135 	atomic_bool	update_all;
136 	atomic_bool	input_detected;
137 
138 	pthread_mutex_t mtx;
139 	pthread_cond_t  cond;
140 
141 	int		hw_crc;
142 	uint32_t	*crc;		/* WxH crc cells */
143 	uint32_t	*crc_tmp;	/* buffer to store single crc row */
144 	int		crc_width, crc_height;
145 };
146 
147 struct rfb_pixfmt {
148 	uint8_t		bpp;
149 	uint8_t		depth;
150 	uint8_t		bigendian;
151 	uint8_t		truecolor;
152 	uint16_t	red_max;
153 	uint16_t	green_max;
154 	uint16_t	blue_max;
155 	uint8_t		red_shift;
156 	uint8_t		green_shift;
157 	uint8_t		blue_shift;
158 	uint8_t		pad[3];
159 };
160 
161 struct rfb_srvr_info {
162 	uint16_t		width;
163 	uint16_t		height;
164 	struct rfb_pixfmt	pixfmt;
165 	uint32_t		namelen;
166 };
167 
168 struct rfb_pixfmt_msg {
169 	uint8_t			type;
170 	uint8_t			pad[3];
171 	struct rfb_pixfmt	pixfmt;
172 };
173 
174 #define	RFB_ENCODING_RAW		0
175 #define	RFB_ENCODING_ZLIB		6
176 #define	RFB_ENCODING_RESIZE		-223
177 #define	RFB_ENCODING_EXT_KEYEVENT	-258
178 
179 #define	RFB_CLIENTMSG_EXT_KEYEVENT	0
180 
181 #define	RFB_MAX_WIDTH			2000
182 #define	RFB_MAX_HEIGHT			1200
183 #define	RFB_ZLIB_BUFSZ			RFB_MAX_WIDTH*RFB_MAX_HEIGHT*4
184 
185 /* percentage changes to screen before sending the entire screen */
186 #define	RFB_SEND_ALL_THRESH		25
187 
188 struct rfb_enc_msg {
189 	uint8_t		type;
190 	uint8_t		pad;
191 	uint16_t	numencs;
192 };
193 
194 struct rfb_updt_msg {
195 	uint8_t		type;
196 	uint8_t		incremental;
197 	uint16_t	x;
198 	uint16_t	y;
199 	uint16_t	width;
200 	uint16_t	height;
201 };
202 
203 struct rfb_key_msg {
204 	uint8_t		type;
205 	uint8_t		down;
206 	uint16_t	pad;
207 	uint32_t	sym;
208 };
209 
210 struct rfb_client_msg {
211 	uint8_t		type;
212 	uint8_t		subtype;
213 };
214 
215 struct rfb_extended_key_msg {
216 	uint8_t		type;
217 	uint8_t		subtype;
218 	uint16_t	down;
219 	uint32_t	sym;
220 	uint32_t	code;
221 };
222 
223 struct rfb_ptr_msg {
224 	uint8_t		type;
225 	uint8_t		button;
226 	uint16_t	x;
227 	uint16_t	y;
228 };
229 
230 struct rfb_srvr_updt_msg {
231 	uint8_t		type;
232 	uint8_t		pad;
233 	uint16_t	numrects;
234 };
235 
236 struct rfb_srvr_rect_hdr {
237 	uint16_t	x;
238 	uint16_t	y;
239 	uint16_t	width;
240 	uint16_t	height;
241 	uint32_t	encoding;
242 };
243 
244 struct rfb_cuttext_msg {
245 	uint8_t		type;
246 	uint8_t		padding[3];
247 	uint32_t	length;
248 };
249 
250 static void
251 rfb_send_server_init_msg(int cfd)
252 {
253 	struct bhyvegc_image *gc_image;
254 	struct rfb_srvr_info sinfo;
255 
256 	gc_image = console_get_image();
257 
258 	sinfo.width = htons(gc_image->width);
259 	sinfo.height = htons(gc_image->height);
260 	sinfo.pixfmt.bpp = 32;
261 	sinfo.pixfmt.depth = 32;
262 	sinfo.pixfmt.bigendian = 0;
263 	sinfo.pixfmt.truecolor = 1;
264 	sinfo.pixfmt.red_max = htons(255);
265 	sinfo.pixfmt.green_max = htons(255);
266 	sinfo.pixfmt.blue_max = htons(255);
267 	sinfo.pixfmt.red_shift = 16;
268 	sinfo.pixfmt.green_shift = 8;
269 	sinfo.pixfmt.blue_shift = 0;
270 	sinfo.pixfmt.pad[0] = 0;
271 	sinfo.pixfmt.pad[1] = 0;
272 	sinfo.pixfmt.pad[2] = 0;
273 	sinfo.namelen = htonl(strlen("bhyve"));
274 	(void)stream_write(cfd, &sinfo, sizeof(sinfo));
275 	(void)stream_write(cfd, "bhyve", strlen("bhyve"));
276 }
277 
278 static void
279 rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd)
280 {
281 	struct rfb_srvr_updt_msg supdt_msg;
282 	struct rfb_srvr_rect_hdr srect_hdr;
283 
284 	/* Number of rectangles: 1 */
285 	supdt_msg.type = 0;
286 	supdt_msg.pad = 0;
287 	supdt_msg.numrects = htons(1);
288 	stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg));
289 
290 	/* Rectangle header */
291 	srect_hdr.x = htons(0);
292 	srect_hdr.y = htons(0);
293 	srect_hdr.width = htons(rc->width);
294 	srect_hdr.height = htons(rc->height);
295 	srect_hdr.encoding = htonl(RFB_ENCODING_RESIZE);
296 	stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr));
297 }
298 
299 static void
300 rfb_send_extended_keyevent_update_msg(struct rfb_softc *rc, int cfd)
301 {
302 	struct rfb_srvr_updt_msg supdt_msg;
303 	struct rfb_srvr_rect_hdr srect_hdr;
304 
305 	/* Number of rectangles: 1 */
306 	supdt_msg.type = 0;
307 	supdt_msg.pad = 0;
308 	supdt_msg.numrects = htons(1);
309 	stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg));
310 
311 	/* Rectangle header */
312 	srect_hdr.x = htons(0);
313 	srect_hdr.y = htons(0);
314 	srect_hdr.width = htons(rc->width);
315 	srect_hdr.height = htons(rc->height);
316 	srect_hdr.encoding = htonl(RFB_ENCODING_EXT_KEYEVENT);
317 	stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr));
318 }
319 
320 static void
321 rfb_recv_set_pixfmt_msg(struct rfb_softc *rc __unused, int cfd)
322 {
323 	struct rfb_pixfmt_msg pixfmt_msg;
324 
325 	(void)stream_read(cfd, (uint8_t *)&pixfmt_msg + 1,
326 	    sizeof(pixfmt_msg) - 1);
327 }
328 
329 static void
330 rfb_recv_set_encodings_msg(struct rfb_softc *rc, int cfd)
331 {
332 	struct rfb_enc_msg enc_msg;
333 	int i;
334 	uint32_t encoding;
335 
336 	(void)stream_read(cfd, (uint8_t *)&enc_msg + 1, sizeof(enc_msg) - 1);
337 
338 	for (i = 0; i < htons(enc_msg.numencs); i++) {
339 		(void)stream_read(cfd, &encoding, sizeof(encoding));
340 		switch (htonl(encoding)) {
341 		case RFB_ENCODING_RAW:
342 			rc->enc_raw_ok = true;
343 			break;
344 		case RFB_ENCODING_ZLIB:
345 			if (!rc->enc_zlib_ok) {
346 				deflateInit(&rc->zstream, Z_BEST_SPEED);
347 				rc->enc_zlib_ok = true;
348 			}
349 			break;
350 		case RFB_ENCODING_RESIZE:
351 			rc->enc_resize_ok = true;
352 			break;
353 		case RFB_ENCODING_EXT_KEYEVENT:
354 			rc->enc_extkeyevent_ok = true;
355 			break;
356 		}
357 	}
358 }
359 
360 /*
361  * Calculate CRC32 using SSE4.2; Intel or AMD Bulldozer+ CPUs only
362  */
363 static __inline uint32_t
364 fast_crc32(void *buf, int len, uint32_t crcval)
365 {
366 	uint32_t q = len / sizeof(uint32_t);
367 	uint32_t *p = (uint32_t *)buf;
368 
369 	while (q--) {
370 		asm volatile (
371 			".byte 0xf2, 0xf, 0x38, 0xf1, 0xf1;"
372 			:"=S" (crcval)
373 			:"0" (crcval), "c" (*p)
374 		);
375 		p++;
376 	}
377 
378 	return (crcval);
379 }
380 
381 static int
382 rfb_send_update_header(struct rfb_softc *rc __unused, int cfd, int numrects)
383 {
384 	struct rfb_srvr_updt_msg supdt_msg;
385 
386 	supdt_msg.type = 0;
387 	supdt_msg.pad = 0;
388 	supdt_msg.numrects = htons(numrects);
389 
390 	return stream_write(cfd, &supdt_msg,
391 	    sizeof(struct rfb_srvr_updt_msg));
392 }
393 
394 static int
395 rfb_send_rect(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc,
396               int x, int y, int w, int h)
397 {
398 	struct rfb_srvr_rect_hdr srect_hdr;
399 	unsigned long zlen;
400 	ssize_t nwrite, total;
401 	int err;
402 	uint32_t *p;
403 	uint8_t *zbufp;
404 
405 	/*
406 	 * Send a single rectangle of the given x, y, w h dimensions.
407 	 */
408 
409 	/* Rectangle header */
410 	srect_hdr.x = htons(x);
411 	srect_hdr.y = htons(y);
412 	srect_hdr.width = htons(w);
413 	srect_hdr.height = htons(h);
414 
415 	h = y + h;
416 	w *= sizeof(uint32_t);
417 	if (rc->enc_zlib_ok) {
418 		zbufp = rc->zbuf;
419 		rc->zstream.total_in = 0;
420 		rc->zstream.total_out = 0;
421 		for (p = &gc->data[y * gc->width + x]; y < h; y++) {
422 			rc->zstream.next_in = (Bytef *)p;
423 			rc->zstream.avail_in = w;
424 			rc->zstream.next_out = (Bytef *)zbufp;
425 			rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16 -
426 			                        rc->zstream.total_out;
427 			rc->zstream.data_type = Z_BINARY;
428 
429 			/* Compress with zlib */
430 			err = deflate(&rc->zstream, Z_SYNC_FLUSH);
431 			if (err != Z_OK) {
432 				WPRINTF(("zlib[rect] deflate err: %d", err));
433 				rc->enc_zlib_ok = false;
434 				deflateEnd(&rc->zstream);
435 				goto doraw;
436 			}
437 			zbufp = rc->zbuf + rc->zstream.total_out;
438 			p += gc->width;
439 		}
440 		srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB);
441 		nwrite = stream_write(cfd, &srect_hdr,
442 		                      sizeof(struct rfb_srvr_rect_hdr));
443 		if (nwrite <= 0)
444 			return (nwrite);
445 
446 		zlen = htonl(rc->zstream.total_out);
447 		nwrite = stream_write(cfd, &zlen, sizeof(uint32_t));
448 		if (nwrite <= 0)
449 			return (nwrite);
450 		return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
451 	}
452 
453 doraw:
454 
455 	total = 0;
456 	zbufp = rc->zbuf;
457 	for (p = &gc->data[y * gc->width + x]; y < h; y++) {
458 		memcpy(zbufp, p, w);
459 		zbufp += w;
460 		total += w;
461 		p += gc->width;
462 	}
463 
464 	srect_hdr.encoding = htonl(RFB_ENCODING_RAW);
465 	nwrite = stream_write(cfd, &srect_hdr,
466 	                      sizeof(struct rfb_srvr_rect_hdr));
467 	if (nwrite <= 0)
468 		return (nwrite);
469 
470 	total = stream_write(cfd, rc->zbuf, total);
471 
472 	return (total);
473 }
474 
475 static int
476 rfb_send_all(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc)
477 {
478 	struct rfb_srvr_updt_msg supdt_msg;
479         struct rfb_srvr_rect_hdr srect_hdr;
480 	ssize_t nwrite;
481 	unsigned long zlen;
482 	int err;
483 
484 	/*
485 	 * Send the whole thing
486 	 */
487 
488 	/* Number of rectangles: 1 */
489 	supdt_msg.type = 0;
490 	supdt_msg.pad = 0;
491 	supdt_msg.numrects = htons(1);
492 	nwrite = stream_write(cfd, &supdt_msg,
493 	                      sizeof(struct rfb_srvr_updt_msg));
494 	if (nwrite <= 0)
495 		return (nwrite);
496 
497 	/* Rectangle header */
498 	srect_hdr.x = 0;
499 	srect_hdr.y = 0;
500 	srect_hdr.width = htons(gc->width);
501 	srect_hdr.height = htons(gc->height);
502 	if (rc->enc_zlib_ok) {
503 		rc->zstream.next_in = (Bytef *)gc->data;
504 		rc->zstream.avail_in = gc->width * gc->height *
505 		                   sizeof(uint32_t);
506 		rc->zstream.next_out = (Bytef *)rc->zbuf;
507 		rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16;
508 		rc->zstream.data_type = Z_BINARY;
509 
510 		rc->zstream.total_in = 0;
511 		rc->zstream.total_out = 0;
512 
513 		/* Compress with zlib */
514 		err = deflate(&rc->zstream, Z_SYNC_FLUSH);
515 		if (err != Z_OK) {
516 			WPRINTF(("zlib deflate err: %d", err));
517 			rc->enc_zlib_ok = false;
518 			deflateEnd(&rc->zstream);
519 			goto doraw;
520 		}
521 
522 		srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB);
523 		nwrite = stream_write(cfd, &srect_hdr,
524 		                      sizeof(struct rfb_srvr_rect_hdr));
525 		if (nwrite <= 0)
526 			return (nwrite);
527 
528 		zlen = htonl(rc->zstream.total_out);
529 		nwrite = stream_write(cfd, &zlen, sizeof(uint32_t));
530 		if (nwrite <= 0)
531 			return (nwrite);
532 		return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
533 	}
534 
535 doraw:
536 	srect_hdr.encoding = htonl(RFB_ENCODING_RAW);
537 	nwrite = stream_write(cfd, &srect_hdr,
538 	                      sizeof(struct rfb_srvr_rect_hdr));
539 	if (nwrite <= 0)
540 		return (nwrite);
541 
542 	nwrite = stream_write(cfd, gc->data,
543 	               gc->width * gc->height * sizeof(uint32_t));
544 
545 	return (nwrite);
546 }
547 
548 #define	PIX_PER_CELL	32
549 #define	PIXCELL_SHIFT	5
550 #define	PIXCELL_MASK	0x1F
551 
552 static int
553 rfb_send_screen(struct rfb_softc *rc, int cfd)
554 {
555 	struct bhyvegc_image *gc_image;
556 	ssize_t nwrite;
557 	int x, y;
558 	int celly, cellwidth;
559 	int xcells, ycells;
560 	int w, h;
561 	uint32_t *p;
562 	int rem_x, rem_y;   /* remainder for resolutions not x32 pixels ratio */
563 	int retval;
564 	uint32_t *crc_p, *orig_crc;
565 	int changes;
566 	bool expected;
567 
568 	/* Return if another thread sending */
569 	expected = false;
570 	if (atomic_compare_exchange_strong(&rc->sending, &expected, true) == false)
571 		return (1);
572 
573 	retval = 1;
574 
575 	/* Updates require a preceding update request */
576 	if (atomic_exchange(&rc->pending, false) == false)
577 		goto done;
578 
579 	console_refresh();
580 	gc_image = console_get_image();
581 
582 	/* Clear old CRC values when the size changes */
583 	if (rc->crc_width != gc_image->width ||
584 	    rc->crc_height != gc_image->height) {
585 		memset(rc->crc, 0, sizeof(uint32_t) *
586 		    howmany(RFB_MAX_WIDTH, PIX_PER_CELL) *
587 		    howmany(RFB_MAX_HEIGHT, PIX_PER_CELL));
588 		rc->crc_width = gc_image->width;
589 		rc->crc_height = gc_image->height;
590 	}
591 
592        /* A size update counts as an update in itself */
593        if (rc->width != gc_image->width ||
594            rc->height != gc_image->height) {
595                rc->width = gc_image->width;
596                rc->height = gc_image->height;
597                if (rc->enc_resize_ok) {
598                        rfb_send_resize_update_msg(rc, cfd);
599 		       rc->update_all = true;
600                        goto done;
601                }
602        }
603 
604        if (atomic_exchange(&rc->update_all, false) == true) {
605 	       retval = rfb_send_all(rc, cfd, gc_image);
606 	       goto done;
607        }
608 
609 	/*
610 	 * Calculate the checksum for each 32x32 cell. Send each that
611 	 * has changed since the last scan.
612 	 */
613 
614 	w = rc->crc_width;
615 	h = rc->crc_height;
616 	xcells = howmany(rc->crc_width, PIX_PER_CELL);
617 	ycells = howmany(rc->crc_height, PIX_PER_CELL);
618 
619 	rem_x = w & PIXCELL_MASK;
620 
621 	rem_y = h & PIXCELL_MASK;
622 	if (!rem_y)
623 		rem_y = PIX_PER_CELL;
624 
625 	p = gc_image->data;
626 
627 	/*
628 	 * Go through all cells and calculate crc. If significant number
629 	 * of changes, then send entire screen.
630 	 * crc_tmp is dual purpose: to store the new crc and to flag as
631 	 * a cell that has changed.
632 	 */
633 	crc_p = rc->crc_tmp - xcells;
634 	orig_crc = rc->crc - xcells;
635 	changes = 0;
636 	memset(rc->crc_tmp, 0, sizeof(uint32_t) * xcells * ycells);
637 	for (y = 0; y < h; y++) {
638 		if ((y & PIXCELL_MASK) == 0) {
639 			crc_p += xcells;
640 			orig_crc += xcells;
641 		}
642 
643 		for (x = 0; x < xcells; x++) {
644 			if (x == (xcells - 1) && rem_x > 0)
645 				cellwidth = rem_x;
646 			else
647 				cellwidth = PIX_PER_CELL;
648 
649 			if (rc->hw_crc)
650 				crc_p[x] = fast_crc32(p,
651 				             cellwidth * sizeof(uint32_t),
652 				             crc_p[x]);
653 			else
654 				crc_p[x] = (uint32_t)crc32(crc_p[x],
655 				             (Bytef *)p,
656 				             cellwidth * sizeof(uint32_t));
657 
658 			p += cellwidth;
659 
660 			/* check for crc delta if last row in cell */
661 			if ((y & PIXCELL_MASK) == PIXCELL_MASK || y == (h-1)) {
662 				if (orig_crc[x] != crc_p[x]) {
663 					orig_crc[x] = crc_p[x];
664 					crc_p[x] = 1;
665 					changes++;
666 				} else {
667 					crc_p[x] = 0;
668 				}
669 			}
670 		}
671 	}
672 
673        /*
674 	* We only send the update if there are changes.
675 	* Restore the pending flag since it was unconditionally cleared
676 	* above.
677 	*/
678 	if (!changes) {
679 		rc->pending = true;
680 		goto done;
681 	}
682 
683 	/* If number of changes is > THRESH percent, send the whole screen */
684 	if (((changes * 100) / (xcells * ycells)) >= RFB_SEND_ALL_THRESH) {
685 		retval = rfb_send_all(rc, cfd, gc_image);
686 		goto done;
687 	}
688 
689 	rfb_send_update_header(rc, cfd, changes);
690 
691 	/* Go through all cells, and send only changed ones */
692 	crc_p = rc->crc_tmp;
693 	for (y = 0; y < h; y += PIX_PER_CELL) {
694 		/* previous cell's row */
695 		celly = (y >> PIXCELL_SHIFT);
696 
697 		/* Delta check crc to previous set */
698 		for (x = 0; x < xcells; x++) {
699 			if (*crc_p++ == 0)
700 				continue;
701 
702 			if (x == (xcells - 1) && rem_x > 0)
703 				cellwidth = rem_x;
704 			else
705 				cellwidth = PIX_PER_CELL;
706 			nwrite = rfb_send_rect(rc, cfd,
707 				gc_image,
708 				x * PIX_PER_CELL,
709 				celly * PIX_PER_CELL,
710 			        cellwidth,
711 				y + PIX_PER_CELL >= h ? rem_y : PIX_PER_CELL);
712 			if (nwrite <= 0) {
713 				retval = nwrite;
714 				goto done;
715 			}
716 		}
717 	}
718 
719 done:
720 	rc->sending = false;
721 
722 	return (retval);
723 }
724 
725 
726 static void
727 rfb_recv_update_msg(struct rfb_softc *rc, int cfd)
728 {
729 	struct rfb_updt_msg updt_msg;
730 
731 	(void)stream_read(cfd, (uint8_t *)&updt_msg + 1 , sizeof(updt_msg) - 1);
732 
733 	if (rc->enc_extkeyevent_ok && (!rc->enc_extkeyevent_send)) {
734 		rfb_send_extended_keyevent_update_msg(rc, cfd);
735 		rc->enc_extkeyevent_send = true;
736 	}
737 
738 	rc->pending = true;
739 	if (!updt_msg.incremental)
740 		rc->update_all = true;
741 }
742 
743 static void
744 rfb_recv_key_msg(struct rfb_softc *rc, int cfd)
745 {
746 	struct rfb_key_msg key_msg;
747 
748 	(void)stream_read(cfd, (uint8_t *)&key_msg + 1, sizeof(key_msg) - 1);
749 
750 	console_key_event(key_msg.down, htonl(key_msg.sym), htonl(0));
751 	rc->input_detected = true;
752 }
753 
754 static void
755 rfb_recv_client_msg(struct rfb_softc *rc, int cfd)
756 {
757 	struct rfb_client_msg client_msg;
758 	struct rfb_extended_key_msg extkey_msg;
759 
760 	(void)stream_read(cfd, (uint8_t *)&client_msg + 1,
761 	    sizeof(client_msg) - 1);
762 
763 	if (client_msg.subtype == RFB_CLIENTMSG_EXT_KEYEVENT) {
764 		(void)stream_read(cfd, (uint8_t *)&extkey_msg + 2,
765 		    sizeof(extkey_msg) - 2);
766 		console_key_event((int)extkey_msg.down, htonl(extkey_msg.sym), htonl(extkey_msg.code));
767 		rc->input_detected = true;
768 	}
769 }
770 
771 static void
772 rfb_recv_ptr_msg(struct rfb_softc *rc, int cfd)
773 {
774 	struct rfb_ptr_msg ptr_msg;
775 
776 	(void)stream_read(cfd, (uint8_t *)&ptr_msg + 1, sizeof(ptr_msg) - 1);
777 
778 	console_ptr_event(ptr_msg.button, htons(ptr_msg.x), htons(ptr_msg.y));
779 	rc->input_detected = true;
780 }
781 
782 static void
783 rfb_recv_cuttext_msg(struct rfb_softc *rc __unused, int cfd)
784 {
785 	struct rfb_cuttext_msg ct_msg;
786 	unsigned char buf[32];
787 	int len;
788 
789 	len = stream_read(cfd, (uint8_t *)&ct_msg + 1, sizeof(ct_msg) - 1);
790 	ct_msg.length = htonl(ct_msg.length);
791 	while (ct_msg.length > 0) {
792 		len = stream_read(cfd, buf, ct_msg.length > sizeof(buf) ?
793 			sizeof(buf) : ct_msg.length);
794 		ct_msg.length -= len;
795 	}
796 }
797 
798 static int64_t
799 timeval_delta(struct timeval *prev, struct timeval *now)
800 {
801 	int64_t n1, n2;
802 	n1 = now->tv_sec * 1000000 + now->tv_usec;
803 	n2 = prev->tv_sec * 1000000 + prev->tv_usec;
804 	return (n1 - n2);
805 }
806 
807 static void *
808 rfb_wr_thr(void *arg)
809 {
810 	struct rfb_softc *rc;
811 	fd_set rfds;
812 	struct timeval tv;
813 	struct timeval prev_tv;
814 	int64_t tdiff;
815 	int cfd;
816 	int err;
817 
818 	rc = arg;
819 	cfd = rc->cfd;
820 
821 	prev_tv.tv_sec = 0;
822 	prev_tv.tv_usec = 0;
823 	while (rc->cfd >= 0) {
824 		FD_ZERO(&rfds);
825 		FD_SET(cfd, &rfds);
826 		tv.tv_sec = 0;
827 		tv.tv_usec = CFD_SEL_DELAY;
828 
829 		err = select(cfd+1, &rfds, NULL, NULL, &tv);
830 		if (err < 0)
831 			return (NULL);
832 
833 		/* Determine if its time to push screen; ~24hz */
834 		gettimeofday(&tv, NULL);
835 		tdiff = timeval_delta(&prev_tv, &tv);
836 		if (tdiff >= SCREEN_POLL_DELAY) {
837 			bool input;
838 			prev_tv.tv_sec = tv.tv_sec;
839 			prev_tv.tv_usec = tv.tv_usec;
840 			input = atomic_exchange(&rc->input_detected, false);
841 			/*
842 			 * Refresh the screen on every second trip through the loop,
843 			 * or if keyboard/mouse input has been detected.
844 			 */
845 			if ((++rc->wrcount & 1) || input) {
846 				if (rfb_send_screen(rc, cfd) <= 0) {
847 					return (NULL);
848 				}
849 			}
850 		} else {
851 			/* sleep */
852 			usleep(SCREEN_POLL_DELAY - tdiff);
853 		}
854 	}
855 
856 	return (NULL);
857 }
858 
859 static void
860 rfb_handle(struct rfb_softc *rc, int cfd)
861 {
862 	const char *vbuf = "RFB 003.008\n";
863 	unsigned char buf[80];
864 	unsigned const char *message;
865 
866 #ifndef NO_OPENSSL
867 	unsigned char challenge[AUTH_LENGTH];
868 	unsigned char keystr[PASSWD_LENGTH];
869 	unsigned char crypt_expected[AUTH_LENGTH];
870 
871 	DES_key_schedule ks;
872 	int i;
873 #endif
874 	uint8_t client_ver;
875 	uint8_t auth_type;
876 	pthread_t tid;
877 	uint32_t sres = 0;
878 	int len;
879 	int perror = 1;
880 
881 	rc->cfd = cfd;
882 
883 	/* 1a. Send server version */
884 	stream_write(cfd, vbuf, strlen(vbuf));
885 
886 	/* 1b. Read client version */
887 	len = stream_read(cfd, buf, VERSION_LENGTH);
888 	if (len != VERSION_LENGTH ||
889 	    strncmp(vbuf, buf, VERSION_LENGTH - 2) != 0) {
890 		goto done;
891 	}
892 
893 	client_ver = buf[VERSION_LENGTH - 2];
894 	if (client_ver != CVERS_3_8 && client_ver != CVERS_3_7) {
895 		/* only recognize 3.3, 3.7 & 3.8. Others dflt to 3.3 */
896 		client_ver = CVERS_3_3;
897 	}
898 
899 	/* 2a. Send security type */
900 	buf[0] = 1;
901 
902 	/* In versions 3.7 & 3.8, it's 2-way handshake */
903 	/* For version 3.3, server says what the authentication type must be */
904 #ifndef NO_OPENSSL
905 	if (rc->password) {
906 		auth_type = SECURITY_TYPE_VNC_AUTH;
907 	} else {
908 		auth_type = SECURITY_TYPE_NONE;
909 	}
910 #else
911 	auth_type = SECURITY_TYPE_NONE;
912 #endif
913 
914 	switch (client_ver) {
915 	case CVERS_3_7:
916 	case CVERS_3_8:
917 		buf[0] = 1;
918 		buf[1] = auth_type;
919 		stream_write(cfd, buf, 2);
920 
921 		/* 2b. Read agreed security type */
922 		len = stream_read(cfd, buf, 1);
923 		if (buf[0] != auth_type) {
924 			/* deny */
925 			sres = htonl(1);
926 			message = "Auth failed: authentication type mismatch";
927 			goto report_and_done;
928 		}
929 		break;
930 	case CVERS_3_3:
931 	default:
932 		be32enc(buf, auth_type);
933 		stream_write(cfd, buf, 4);
934 		break;
935 	}
936 
937 	/* 2c. Do VNC authentication */
938 	switch (auth_type) {
939 	case SECURITY_TYPE_NONE:
940 		break;
941 	case SECURITY_TYPE_VNC_AUTH:
942 		/*
943 		 * The client encrypts the challenge with DES, using a password
944 		 * supplied by the user as the key.
945 		 * To form the key, the password is truncated to
946 		 * eight characters, or padded with null bytes on the right.
947 		 * The client then sends the resulting 16-bytes response.
948 		 */
949 #ifndef NO_OPENSSL
950 		strncpy(keystr, rc->password, PASSWD_LENGTH);
951 
952 		/* VNC clients encrypts the challenge with all the bit fields
953 		 * in each byte of the password mirrored.
954 		 * Here we flip each byte of the keystr.
955 		 */
956 		for (i = 0; i < PASSWD_LENGTH; i++) {
957 			keystr[i] = (keystr[i] & 0xF0) >> 4
958 				  | (keystr[i] & 0x0F) << 4;
959 			keystr[i] = (keystr[i] & 0xCC) >> 2
960 				  | (keystr[i] & 0x33) << 2;
961 			keystr[i] = (keystr[i] & 0xAA) >> 1
962 				  | (keystr[i] & 0x55) << 1;
963 		}
964 
965 		/* Initialize a 16-byte random challenge */
966 		arc4random_buf(challenge, sizeof(challenge));
967 		stream_write(cfd, challenge, AUTH_LENGTH);
968 
969 		/* Receive the 16-byte challenge response */
970 		stream_read(cfd, buf, AUTH_LENGTH);
971 
972 		memcpy(crypt_expected, challenge, AUTH_LENGTH);
973 
974 		/* Encrypt the Challenge with DES */
975 		DES_set_key((const_DES_cblock *)keystr, &ks);
976 		DES_ecb_encrypt((const_DES_cblock *)challenge,
977 				(const_DES_cblock *)crypt_expected,
978 				&ks, DES_ENCRYPT);
979 		DES_ecb_encrypt((const_DES_cblock *)(challenge + PASSWD_LENGTH),
980 				(const_DES_cblock *)(crypt_expected +
981 				PASSWD_LENGTH),
982 				&ks, DES_ENCRYPT);
983 
984 		if (memcmp(crypt_expected, buf, AUTH_LENGTH) != 0) {
985 			message = "Auth Failed: Invalid Password.";
986 			sres = htonl(1);
987 		} else {
988 			sres = 0;
989 		}
990 #else
991 		sres = htonl(1);
992 		WPRINTF(("Auth not supported, no OpenSSL in your system"));
993 #endif
994 
995 		break;
996 	}
997 
998 	switch (client_ver) {
999 	case CVERS_3_7:
1000 	case CVERS_3_8:
1001 report_and_done:
1002 		/* 2d. Write back a status */
1003 		stream_write(cfd, &sres, 4);
1004 
1005 		if (sres) {
1006 			/* 3.7 does not want string explaining cause */
1007 			if (client_ver == CVERS_3_8) {
1008 				be32enc(buf, strlen(message));
1009 				stream_write(cfd, buf, 4);
1010 				stream_write(cfd, message, strlen(message));
1011 			}
1012 			goto done;
1013 		}
1014 		break;
1015 	case CVERS_3_3:
1016 	default:
1017 		/* for VNC auth case send status */
1018 		if (auth_type == SECURITY_TYPE_VNC_AUTH) {
1019 			/* 2d. Write back a status */
1020 			stream_write(cfd, &sres, 4);
1021 		}
1022 		if (sres) {
1023 			goto done;
1024 		}
1025 		break;
1026 	}
1027 	/* 3a. Read client shared-flag byte */
1028 	len = stream_read(cfd, buf, 1);
1029 
1030 	/* 4a. Write server-init info */
1031 	rfb_send_server_init_msg(cfd);
1032 
1033 	if (!rc->zbuf) {
1034 		rc->zbuf = malloc(RFB_ZLIB_BUFSZ + 16);
1035 		assert(rc->zbuf != NULL);
1036 	}
1037 
1038 	perror = pthread_create(&tid, NULL, rfb_wr_thr, rc);
1039 	if (perror == 0)
1040 		pthread_set_name_np(tid, "rfbout");
1041 
1042         /* Now read in client requests. 1st byte identifies type */
1043 	for (;;) {
1044 		len = read(cfd, buf, 1);
1045 		if (len <= 0) {
1046 			DPRINTF(("rfb client exiting"));
1047 			break;
1048 		}
1049 
1050 		switch (buf[0]) {
1051 		case CS_SET_PIXEL_FORMAT:
1052 			rfb_recv_set_pixfmt_msg(rc, cfd);
1053 			break;
1054 		case CS_SET_ENCODINGS:
1055 			rfb_recv_set_encodings_msg(rc, cfd);
1056 			break;
1057 		case CS_UPDATE_MSG:
1058 			rfb_recv_update_msg(rc, cfd);
1059 			break;
1060 		case CS_KEY_EVENT:
1061 			rfb_recv_key_msg(rc, cfd);
1062 			break;
1063 		case CS_POINTER_EVENT:
1064 			rfb_recv_ptr_msg(rc, cfd);
1065 			break;
1066 		case CS_CUT_TEXT:
1067 			rfb_recv_cuttext_msg(rc, cfd);
1068 			break;
1069 		case CS_MSG_CLIENT_QEMU:
1070 			rfb_recv_client_msg(rc, cfd);
1071 			break;
1072 		default:
1073 			WPRINTF(("rfb unknown cli-code %d!", buf[0] & 0xff));
1074 			goto done;
1075 		}
1076 	}
1077 done:
1078 	rc->cfd = -1;
1079 	if (perror == 0)
1080 		pthread_join(tid, NULL);
1081 	if (rc->enc_zlib_ok)
1082 		deflateEnd(&rc->zstream);
1083 }
1084 
1085 static void *
1086 rfb_thr(void *arg)
1087 {
1088 	struct rfb_softc *rc;
1089 	sigset_t set;
1090 
1091 	int cfd;
1092 
1093 	rc = arg;
1094 
1095 	sigemptyset(&set);
1096 	sigaddset(&set, SIGPIPE);
1097 	if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
1098 		perror("pthread_sigmask");
1099 		return (NULL);
1100 	}
1101 
1102 	for (;;) {
1103 		rc->enc_raw_ok = false;
1104 		rc->enc_zlib_ok = false;
1105 		rc->enc_resize_ok = false;
1106 		rc->enc_extkeyevent_ok = false;
1107 
1108 		rc->enc_extkeyevent_send = false;
1109 
1110 		cfd = accept(rc->sfd, NULL, NULL);
1111 		if (rc->conn_wait) {
1112 			pthread_mutex_lock(&rc->mtx);
1113 			pthread_cond_signal(&rc->cond);
1114 			pthread_mutex_unlock(&rc->mtx);
1115 			rc->conn_wait = 0;
1116 		}
1117 		rfb_handle(rc, cfd);
1118 		close(cfd);
1119 	}
1120 
1121 	/* NOTREACHED */
1122 	return (NULL);
1123 }
1124 
1125 static int
1126 sse42_supported(void)
1127 {
1128 	u_int cpu_registers[4], ecx;
1129 
1130 	do_cpuid(1, cpu_registers);
1131 
1132 	ecx = cpu_registers[2];
1133 
1134 	return ((ecx & CPUID2_SSE42) != 0);
1135 }
1136 
1137 int
1138 rfb_init(const char *hostname, int port, int wait, const char *password)
1139 {
1140 	int e;
1141 	char servname[6];
1142 	struct rfb_softc *rc;
1143 	struct addrinfo *ai = NULL;
1144 	struct addrinfo hints;
1145 	int on = 1;
1146 	int cnt;
1147 #ifndef WITHOUT_CAPSICUM
1148 	cap_rights_t rights;
1149 #endif
1150 
1151 	rc = calloc(1, sizeof(struct rfb_softc));
1152 
1153 	cnt = howmany(RFB_MAX_WIDTH, PIX_PER_CELL) *
1154 	    howmany(RFB_MAX_HEIGHT, PIX_PER_CELL);
1155 	rc->crc = calloc(cnt, sizeof(uint32_t));
1156 	rc->crc_tmp = calloc(cnt, sizeof(uint32_t));
1157 	rc->crc_width = RFB_MAX_WIDTH;
1158 	rc->crc_height = RFB_MAX_HEIGHT;
1159 	rc->sfd = -1;
1160 
1161 	rc->password = password;
1162 
1163 	snprintf(servname, sizeof(servname), "%d", port ? port : 5900);
1164 
1165 	if (!hostname || strlen(hostname) == 0)
1166 #if defined(INET)
1167 		hostname = "127.0.0.1";
1168 #elif defined(INET6)
1169 		hostname = "[::1]";
1170 #endif
1171 
1172 	memset(&hints, 0, sizeof(hints));
1173 	hints.ai_family = AF_UNSPEC;
1174 	hints.ai_socktype = SOCK_STREAM;
1175 	hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV | AI_PASSIVE;
1176 
1177 	if ((e = getaddrinfo(hostname, servname, &hints, &ai)) != 0) {
1178 		EPRINTLN("getaddrinfo: %s", gai_strerror(e));
1179 		goto error;
1180 	}
1181 
1182 	rc->sfd = socket(ai->ai_family, ai->ai_socktype, 0);
1183 	if (rc->sfd < 0) {
1184 		perror("socket");
1185 		goto error;
1186 	}
1187 
1188 	setsockopt(rc->sfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
1189 
1190 	if (bind(rc->sfd, ai->ai_addr, ai->ai_addrlen) < 0) {
1191 		perror("bind");
1192 		goto error;
1193 	}
1194 
1195 	if (listen(rc->sfd, 1) < 0) {
1196 		perror("listen");
1197 		goto error;
1198 	}
1199 
1200 #ifndef WITHOUT_CAPSICUM
1201 	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
1202 	if (caph_rights_limit(rc->sfd, &rights) == -1)
1203 		errx(EX_OSERR, "Unable to apply rights for sandbox");
1204 #endif
1205 
1206 	rc->hw_crc = sse42_supported();
1207 
1208 	rc->conn_wait = wait;
1209 	if (wait) {
1210 		pthread_mutex_init(&rc->mtx, NULL);
1211 		pthread_cond_init(&rc->cond, NULL);
1212 	}
1213 
1214 	pthread_create(&rc->tid, NULL, rfb_thr, rc);
1215 	pthread_set_name_np(rc->tid, "rfb");
1216 
1217 	if (wait) {
1218 		DPRINTF(("Waiting for rfb client..."));
1219 		pthread_mutex_lock(&rc->mtx);
1220 		pthread_cond_wait(&rc->cond, &rc->mtx);
1221 		pthread_mutex_unlock(&rc->mtx);
1222 		DPRINTF(("rfb client connected"));
1223 	}
1224 
1225 	freeaddrinfo(ai);
1226 	return (0);
1227 
1228  error:
1229 	if (ai != NULL)
1230 		freeaddrinfo(ai);
1231 	if (rc->sfd != -1)
1232 		close(rc->sfd);
1233 	free(rc->crc);
1234 	free(rc->crc_tmp);
1235 	free(rc);
1236 	return (-1);
1237 }
1238