1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2015 Tycho Nightingale <tycho.nightingale@pluribusnetworks.com>
5  * Copyright (c) 2015 Leon Dang
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/param.h>
34 #ifndef WITHOUT_CAPSICUM
35 #include <sys/capsicum.h>
36 #endif
37 #include <sys/endian.h>
38 #include <sys/socket.h>
39 #include <sys/select.h>
40 #include <sys/time.h>
41 #include <arpa/inet.h>
42 #include <machine/cpufunc.h>
43 #include <machine/specialreg.h>
44 #include <netinet/in.h>
45 #include <netdb.h>
46 
47 #include <assert.h>
48 #ifndef WITHOUT_CAPSICUM
49 #include <capsicum_helpers.h>
50 #endif
51 #include <err.h>
52 #include <errno.h>
53 #include <pthread.h>
54 #include <pthread_np.h>
55 #include <signal.h>
56 #include <stdbool.h>
57 #include <stdlib.h>
58 #include <stdio.h>
59 #include <string.h>
60 #include <sysexits.h>
61 #include <unistd.h>
62 
63 #include <zlib.h>
64 
65 #include "bhyvegc.h"
66 #include "console.h"
67 #include "rfb.h"
68 #include "sockstream.h"
69 
70 #ifndef NO_OPENSSL
71 #include <openssl/des.h>
72 #endif
73 
/* Non-zero enables DPRINTF() tracing of the client session; WPRINTF() always prints. */
static int rfb_debug = 0;
#define	DPRINTF(params) if (rfb_debug) printf params
#define	WPRINTF(params) printf params

/* VNC authentication: a 16-byte challenge, DES-keyed by the password cut/padded to 8 bytes. */
#define AUTH_LENGTH	16
#define PASSWD_LENGTH	8

/* RFB security types; exactly one of these is offered in rfb_handle() step 2a. */
#define SECURITY_TYPE_NONE	1
#define SECURITY_TYPE_VNC_AUTH	2

/* SecurityResult codes sent in step 2d; any non-zero value means the handshake failed. */
#define AUTH_FAILED_UNAUTH	1
#define AUTH_FAILED_ERROR	2
86 
/*
 * Per-server state.  One instance is allocated by rfb_init() and shared by
 * the accept thread (rfb_thr), the per-client handler (rfb_handle) and the
 * frame writer thread (rfb_wr_thr).
 */
struct rfb_softc {
	int		sfd;		/* listening socket */
	pthread_t	tid;		/* accept-loop thread */

	int		cfd;		/* current client socket; -1 once the client is gone */

	int		width, height;	/* framebuffer size last announced to the client */

	char		*password;	/* VNC auth password (kept by reference); NULL = no auth */

	bool	enc_raw_ok;	/* client accepts RAW encoding */
	bool	enc_zlib_ok;	/* client accepts ZLIB encoding; zstream is initialised */
	bool	enc_resize_ok;	/* client accepts the desktop-resize pseudo-encoding */

	z_stream	zstream;
	uint8_t		*zbuf;		/* RFB_ZLIB_BUFSZ + 16 bytes; staging for both zlib and raw output */
	int		zbuflen;	/* not used in this file */

	int		conn_wait;	/* rfb_init() blocks until the first client connects */
	int		sending;	/* a frame is in flight; guarded by mtx */
	pthread_mutex_t mtx;
	pthread_cond_t  cond;

	int		hw_crc;		/* SSE4.2 crc32 instruction available (sse42_supported) */
	uint32_t	*crc;		/* WxH crc cells */
	uint32_t	*crc_tmp;	/* buffer to store single crc row */
	int		crc_width, crc_height;
};

/*
 * The structs below are written to / read from the socket as-is, so their
 * layout is the RFB wire layout.  Multi-byte fields are big-endian on the
 * wire (see the htons()/htonl() conversions in the senders).  This assumes
 * the compiler inserts no padding; every struct here is naturally aligned.
 */

/* RFB PIXEL_FORMAT (16 bytes); pad[] goes on the wire, so it must be zeroed. */
struct rfb_pixfmt {
	uint8_t		bpp;
	uint8_t		depth;
	uint8_t		bigendian;
	uint8_t		truecolor;
	uint16_t	red_max;
	uint16_t	green_max;
	uint16_t	blue_max;
	uint8_t		red_shift;
	uint8_t		green_shift;
	uint8_t		blue_shift;
	uint8_t		pad[3];
};

/* ServerInit message; the name string follows namelen on the wire. */
struct rfb_srvr_info {
	uint16_t		width;
	uint16_t		height;
	struct rfb_pixfmt	pixfmt;
	uint32_t		namelen;
};

/* Client SetPixelFormat (type 0).  The requested format is read and discarded. */
struct rfb_pixfmt_msg {
	uint8_t			type;
	uint8_t			pad[3];
	struct rfb_pixfmt	pixfmt;
};

#define	RFB_ENCODING_RAW		0
#define	RFB_ENCODING_ZLIB		6
#define	RFB_ENCODING_RESIZE		-223	/* desktop-size pseudo-encoding */

/*
 * Upper bound on the framebuffer this server handles; zbuf and the crc
 * cell arrays are sized from these at init time.
 */
#define	RFB_MAX_WIDTH			2000
#define	RFB_MAX_HEIGHT			1200
#define	RFB_ZLIB_BUFSZ			RFB_MAX_WIDTH*RFB_MAX_HEIGHT*4

/* percentage changes to screen before sending the entire screen */
#define	RFB_SEND_ALL_THRESH		25

/* Client SetEncodings (type 2); numencs big-endian int32 encodings follow. */
struct rfb_enc_msg {
	uint8_t		type;
	uint8_t		pad;
	uint16_t	numencs;
};

/* Client FramebufferUpdateRequest (type 3). */
struct rfb_updt_msg {
	uint8_t		type;
	uint8_t		incremental;
	uint16_t	x;
	uint16_t	y;
	uint16_t	width;
	uint16_t	height;
};

/* Client KeyEvent (type 4); code is an X keysym. */
struct rfb_key_msg {
	uint8_t		type;
	uint8_t		down;
	uint16_t	pad;
	uint32_t	code;
};

/* Client PointerEvent (type 5); button is a bitmask. */
struct rfb_ptr_msg {
	uint8_t		type;
	uint8_t		button;
	uint16_t	x;
	uint16_t	y;
};

/* Server FramebufferUpdate header (type 0); numrects rectangles follow. */
struct rfb_srvr_updt_msg {
	uint8_t		type;
	uint8_t		pad;
	uint16_t	numrects;
};

/* One rectangle header inside a FramebufferUpdate. */
struct rfb_srvr_rect_hdr {
	uint16_t	x;
	uint16_t	y;
	uint16_t	width;
	uint16_t	height;
	uint32_t	encoding;
};

/* Client ClientCutText (type 6); length bytes of text follow. */
struct rfb_cuttext_msg {
	uint8_t		type;
	uint8_t		padding[3];
	uint32_t	length;
};
202 
203 
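/*
 * Send the RFB ServerInit message: framebuffer size, the fixed 32bpp
 * true-colour pixel format this server always uses, and the name "bhyve".
 */
static void
rfb_send_server_init_msg(int cfd)
{
	static const char name[] = "bhyve";
	struct bhyvegc_image *gc_image;
	struct rfb_srvr_info sinfo;

	gc_image = console_get_image();

	/*
	 * Zero the whole struct first: rfb_pixfmt.pad[3] is never assigned
	 * below but is written to the socket verbatim, so without this the
	 * client would receive three bytes of uninitialised stack.
	 */
	memset(&sinfo, 0, sizeof(sinfo));

	sinfo.width = htons(gc_image->width);
	sinfo.height = htons(gc_image->height);
	sinfo.pixfmt.bpp = 32;
	sinfo.pixfmt.depth = 32;
	sinfo.pixfmt.bigendian = 0;
	sinfo.pixfmt.truecolor = 1;
	sinfo.pixfmt.red_max = htons(255);
	sinfo.pixfmt.green_max = htons(255);
	sinfo.pixfmt.blue_max = htons(255);
	sinfo.pixfmt.red_shift = 16;
	sinfo.pixfmt.green_shift = 8;
	sinfo.pixfmt.blue_shift = 0;
	sinfo.namelen = htonl(sizeof(name) - 1);

	/* Write errors surface on the next read of the client socket. */
	(void)stream_write(cfd, &sinfo, sizeof(sinfo));
	(void)stream_write(cfd, name, sizeof(name) - 1);
}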
228 
/*
 * Tell a client that negotiated the desktop-resize pseudo-encoding that the
 * framebuffer is now rc->width x rc->height.  Encoded as a FramebufferUpdate
 * carrying a single rectangle whose encoding is RFB_ENCODING_RESIZE.
 */
static void
rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_srvr_updt_msg hdr = {
		.type = 0,
		.pad = 0,
		.numrects = htons(1),
	};
	struct rfb_srvr_rect_hdr rect = {
		.x = htons(0),
		.y = htons(0),
		.width = htons(rc->width),
		.height = htons(rc->height),
		.encoding = htonl(RFB_ENCODING_RESIZE),
	};

	stream_write(cfd, &hdr, sizeof(hdr));
	stream_write(cfd, &rect, sizeof(rect));
}
249 
/*
 * Consume the body of a client SetPixelFormat message.  The type byte has
 * already been read by the dispatcher.  The requested format is ignored:
 * this server only ever sends the 32bpp layout announced in ServerInit.
 */
static void
rfb_recv_set_pixfmt_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_pixfmt_msg msg;
	unsigned char *body = (unsigned char *)&msg + 1;

	(void)stream_read(cfd, body, sizeof(msg) - 1);
}
257 
258 
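/*
 * Handle a client SetEncodings message (type byte already consumed).
 * Records which of RAW / ZLIB / RESIZE the client understands; all other
 * encodings are ignored.  Returns early if the socket fails, leaving the
 * flags as they were.
 */
static void
rfb_recv_set_encodings_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_enc_msg enc_msg;
	uint32_t encoding;
	unsigned int i, numencs;

	assert((sizeof(enc_msg) - 1) == 3);
	if (stream_read(cfd, (unsigned char *)&enc_msg + 1,
	    sizeof(enc_msg) - 1) <= 0)
		return;

	numencs = ntohs(enc_msg.numencs);
	for (i = 0; i < numencs; i++) {
		if (stream_read(cfd, &encoding, sizeof(encoding)) <= 0)
			return;
		switch (ntohl(encoding)) {
		case RFB_ENCODING_RAW:
			rc->enc_raw_ok = true;
			break;
		case RFB_ENCODING_ZLIB:
			/*
			 * A client may send SetEncodings any number of times.
			 * Initialise the deflate stream only once: calling
			 * deflateInit() on an already-initialised stream leaks
			 * its internal state, and rfb_handle() only pairs it
			 * with a single deflateEnd().  A remote client could
			 * otherwise grow the process without bound.
			 */
			if (!rc->enc_zlib_ok) {
				if (deflateInit(&rc->zstream, Z_BEST_SPEED) == Z_OK)
					rc->enc_zlib_ok = true;
				else
					WPRINTF(("zlib deflateInit failed\n"));
			}
			break;
		case RFB_ENCODING_RESIZE:
			rc->enc_resize_ok = true;
			break;
		default:
			/* Unsupported encoding: the client still gets RAW. */
			break;
		}
	}
}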
285 
286 /*
287  * Calculate CRC32 using SSE4.2; Intel or AMD Bulldozer+ CPUs only
288  */
289 static __inline uint32_t
290 fast_crc32(void *buf, int len, uint32_t crcval)
291 {
292 	uint32_t q = len / sizeof(uint32_t);
293 	uint32_t *p = (uint32_t *)buf;
294 
295 	while (q--) {
296 		asm volatile (
297 			".byte 0xf2, 0xf, 0x38, 0xf1, 0xf1;"
298 			:"=S" (crcval)
299 			:"0" (crcval), "c" (*p)
300 		);
301 		p++;
302 	}
303 
304 	return (crcval);
305 }
306 
307 
/*
 * Send one framebuffer rectangle (x, y, w, h in pixels) as a single-rect
 * FramebufferUpdate.  Uses ZLIB encoding when the client negotiated it,
 * falling back to RAW for the rest of the session if deflate() fails.
 *
 * Returns the result of the last stream_write(): <= 0 on socket failure.
 * rc->zbuf is used as the staging buffer for both paths; it is sized for
 * the whole RFB_MAX_WIDTH x RFB_MAX_HEIGHT framebuffer, so a rectangle
 * that lies inside a framebuffer within those limits always fits.
 */
static int
rfb_send_rect(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc,
              int x, int y, int w, int h)
{
	struct rfb_srvr_updt_msg supdt_msg;
	struct rfb_srvr_rect_hdr srect_hdr;
	unsigned long zlen;
	ssize_t nwrite, total;
	int err;
	uint32_t *p;
	uint8_t *zbufp;

	/*
	 * Send a single rectangle of the given x, y, w h dimensions.
	 */

	/* Number of rectangles: 1 */
	supdt_msg.type = 0;
	supdt_msg.pad = 0;
	supdt_msg.numrects = htons(1);
	nwrite = stream_write(cfd, &supdt_msg,
	                      sizeof(struct rfb_srvr_updt_msg));
	if (nwrite <= 0)
		return (nwrite);


	/* Rectangle header (encoding filled in once we know which path ran) */
	srect_hdr.x = htons(x);
	srect_hdr.y = htons(y);
	srect_hdr.width = htons(w);
	srect_hdr.height = htons(h);

	/* From here on: h is the exclusive end row, w is the row length in bytes. */
	h = y + h;
	w *= sizeof(uint32_t);
	if (rc->enc_zlib_ok) {
		zbufp = rc->zbuf;
		rc->zstream.total_in = 0;
		rc->zstream.total_out = 0;
		/* Feed the rectangle one framebuffer row at a time (rows are gc->width pixels apart). */
		for (p = &gc->data[y * gc->width + x]; y < h; y++) {
			rc->zstream.next_in = (Bytef *)p;
			rc->zstream.avail_in = w;
			rc->zstream.next_out = (Bytef *)zbufp;
			rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16 -
			                        rc->zstream.total_out;
			rc->zstream.data_type = Z_BINARY;

			/* Compress with zlib */
			err = deflate(&rc->zstream, Z_SYNC_FLUSH);
			if (err != Z_OK) {
				WPRINTF(("zlib[rect] deflate err: %d\n", err));
				rc->enc_zlib_ok = false;
				deflateEnd(&rc->zstream);
				goto doraw;
			}
			zbufp = rc->zbuf + rc->zstream.total_out;
			p += gc->width;
		}
		srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB);
		nwrite = stream_write(cfd, &srect_hdr,
		                      sizeof(struct rfb_srvr_rect_hdr));
		if (nwrite <= 0)
			return (nwrite);

		/* ZLIB encoding: 4-byte big-endian length, then the deflate output. */
		zlen = htonl(rc->zstream.total_out);
		nwrite = stream_write(cfd, &zlen, sizeof(uint32_t));
		if (nwrite <= 0)
			return (nwrite);
		return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
	}

doraw:
	/*
	 * RAW encoding.  Gather the rectangle's rows contiguously in zbuf so
	 * it can go out in one write.  If we got here from a failed deflate,
	 * y has already advanced; the rows that remain are still sent raw.
	 */

	total = 0;
	zbufp = rc->zbuf;
	for (p = &gc->data[y * gc->width + x]; y < h; y++) {
		memcpy(zbufp, p, w);
		zbufp += w;
		total += w;
		p += gc->width;
	}

	srect_hdr.encoding = htonl(RFB_ENCODING_RAW);
	nwrite = stream_write(cfd, &srect_hdr,
	                      sizeof(struct rfb_srvr_rect_hdr));
	if (nwrite <= 0)
		return (nwrite);

	total = stream_write(cfd, rc->zbuf, total);

	return (total);
}
399 
/*
 * Send the entire framebuffer as one rectangle, ZLIB-encoded if the client
 * negotiated it and deflate() succeeds, RAW otherwise.  A deflate failure
 * disables zlib for the remainder of the session.
 *
 * Returns the value of the last stream_write(); <= 0 means the socket is
 * gone and the caller should stop.
 */
static int
rfb_send_all(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc)
{
	struct rfb_srvr_updt_msg updt;
	struct rfb_srvr_rect_hdr rect;
	ssize_t n;
	unsigned long zlen;
	int zerr;

	/* FramebufferUpdate header: exactly one rectangle follows. */
	updt.type = 0;
	updt.pad = 0;
	updt.numrects = htons(1);
	n = stream_write(cfd, &updt, sizeof(updt));
	if (n <= 0)
		return (n);

	/* Rectangle covers the whole screen; encoding is decided below. */
	rect.x = 0;
	rect.y = 0;
	rect.width = htons(gc->width);
	rect.height = htons(gc->height);

	if (rc->enc_zlib_ok) {
		rc->zstream.next_in = (Bytef *)gc->data;
		rc->zstream.avail_in = gc->width * gc->height *
		                   sizeof(uint32_t);
		rc->zstream.next_out = (Bytef *)rc->zbuf;
		rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16;
		rc->zstream.data_type = Z_BINARY;
		rc->zstream.total_in = 0;
		rc->zstream.total_out = 0;

		zerr = deflate(&rc->zstream, Z_SYNC_FLUSH);
		if (zerr == Z_OK) {
			rect.encoding = htonl(RFB_ENCODING_ZLIB);
			n = stream_write(cfd, &rect, sizeof(rect));
			if (n <= 0)
				return (n);

			/* ZLIB payload: big-endian length, then the deflate output. */
			zlen = htonl(rc->zstream.total_out);
			n = stream_write(cfd, &zlen, sizeof(uint32_t));
			if (n <= 0)
				return (n);
			return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
		}

		/* Compression broke; drop zlib for this client and send raw. */
		WPRINTF(("zlib deflate err: %d\n", zerr));
		rc->enc_zlib_ok = false;
		deflateEnd(&rc->zstream);
	}

	rect.encoding = htonl(RFB_ENCODING_RAW);
	n = stream_write(cfd, &rect, sizeof(rect));
	if (n <= 0)
		return (n);

	/* RAW: the framebuffer is already in wire layout, write it directly. */
	return (stream_write(cfd, gc->data,
	    gc->width * gc->height * sizeof(uint32_t)));
}
472 
/* Change detection works on 32x32-pixel cells; SHIFT/MASK split a coordinate into cell / offset. */
#define	PIX_PER_CELL	32
#define	PIXCELL_SHIFT	5
#define	PIXCELL_MASK	0x1F
476 
/*
 * Push one frame to the client.  With all != 0 the whole framebuffer is
 * sent.  Otherwise every 32x32 cell is checksummed and compared with the
 * checksum from the previous frame; changed cells are sent individually,
 * unless at least RFB_SEND_ALL_THRESH percent of cells changed, in which
 * case the whole screen is sent instead.
 *
 * Only one sender runs at a time (rc->sending, under rc->mtx); a second
 * concurrent caller returns 1 without sending anything.
 *
 * Returns 1 on success, or the <= 0 result of the failed stream_write().
 *
 * NOTE(review): rc->crc / rc->crc_tmp are sized in rfb_init() for an
 * RFB_MAX_WIDTH x RFB_MAX_HEIGHT screen and rc->zbuf likewise; nothing here
 * checks gc_image against those limits, so this relies on the console
 * never producing a larger image -- confirm against bhyvegc/console.
 * A 0x0 image would also divide by zero at the threshold check.
 */
static int
rfb_send_screen(struct rfb_softc *rc, int cfd, int all)
{
	struct bhyvegc_image *gc_image;
	ssize_t nwrite;
	int x, y;
	int celly, cellwidth;
	int xcells, ycells;
	int w, h;
	uint32_t *p;
	int rem_x, rem_y;   /* remainder for resolutions not x32 pixels ratio */
	int retval;
	uint32_t *crc_p, *orig_crc;
	int changes;

	console_refresh();
	gc_image = console_get_image();

	/* Single-sender guard: the writer thread and the request handler can both get here. */
	pthread_mutex_lock(&rc->mtx);
	if (rc->sending) {
		pthread_mutex_unlock(&rc->mtx);
		return (1);
	}
	rc->sending = 1;
	pthread_mutex_unlock(&rc->mtx);

	retval = 0;

	if (all) {
		retval = rfb_send_all(rc, cfd, gc_image);
		goto done;
	}

	/*
	 * Calculate the checksum for each 32x32 cell. Send each that
	 * has changed since the last scan.
	 */

	/* Resolution changed */

	rc->crc_width = gc_image->width;
	rc->crc_height = gc_image->height;

	w = rc->crc_width;
	h = rc->crc_height;
	xcells = howmany(rc->crc_width, PIX_PER_CELL);
	ycells = howmany(rc->crc_height, PIX_PER_CELL);

	/* Width of the last cell column (0 means a full cell). */
	rem_x = w & PIXCELL_MASK;

	/* Height of the last cell row; unlike rem_x, 0 is normalised to a full cell. */
	rem_y = h & PIXCELL_MASK;
	if (!rem_y)
		rem_y = PIX_PER_CELL;

	p = gc_image->data;

	/*
	 * Go through all cells and calculate crc. If significant number
	 * of changes, then send entire screen.
	 * crc_tmp is dual purpose: to store the new crc and to flag as
	 * a cell that has changed.
	 */
	/* Start one cell row "before" the arrays; the first y==0 iteration advances into row 0. */
	crc_p = rc->crc_tmp - xcells;
	orig_crc = rc->crc - xcells;
	changes = 0;
	memset(rc->crc_tmp, 0, sizeof(uint32_t) * xcells * ycells);
	for (y = 0; y < h; y++) {
		if ((y & PIXCELL_MASK) == 0) {
			crc_p += xcells;
			orig_crc += xcells;
		}

		/* Accumulate this pixel row into the running crc of each cell it crosses. */
		for (x = 0; x < xcells; x++) {
			if (x == (xcells - 1) && rem_x > 0)
				cellwidth = rem_x;
			else
				cellwidth = PIX_PER_CELL;

			if (rc->hw_crc)
				crc_p[x] = fast_crc32(p,
				             cellwidth * sizeof(uint32_t),
				             crc_p[x]);
			else
				crc_p[x] = (uint32_t)crc32(crc_p[x],
				             (Bytef *)p,
				             cellwidth * sizeof(uint32_t));

			p += cellwidth;

			/* check for crc delta if last row in cell */
			if ((y & PIXCELL_MASK) == PIXCELL_MASK || y == (h-1)) {
				/* Final crc: remember it in rc->crc, and turn crc_tmp into a changed flag. */
				if (orig_crc[x] != crc_p[x]) {
					orig_crc[x] = crc_p[x];
					crc_p[x] = 1;
					changes++;
				} else {
					crc_p[x] = 0;
				}
			}
		}
	}

	/* If number of changes is > THRESH percent, send the whole screen */
	if (((changes * 100) / (xcells * ycells)) >= RFB_SEND_ALL_THRESH) {
		retval = rfb_send_all(rc, cfd, gc_image);
		goto done;
	}

	/* Go through all cells, and send only changed ones */
	crc_p = rc->crc_tmp;
	for (y = 0; y < h; y += PIX_PER_CELL) {
		/* previous cell's row */
		celly = (y >> PIXCELL_SHIFT);

		/* Delta check crc to previous set */
		for (x = 0; x < xcells; x++) {
			if (*crc_p++ == 0)
				continue;

			if (x == (xcells - 1) && rem_x > 0)
				cellwidth = rem_x;
			else
				cellwidth = PIX_PER_CELL;
			/* Last cell row may be shorter than PIX_PER_CELL. */
			nwrite = rfb_send_rect(rc, cfd,
				gc_image,
				x * PIX_PER_CELL,
				celly * PIX_PER_CELL,
			        cellwidth,
				y + PIX_PER_CELL >= h ? rem_y : PIX_PER_CELL);
			if (nwrite <= 0) {
				retval = nwrite;
				goto done;
			}
		}
	}
	retval = 1;

done:
	pthread_mutex_lock(&rc->mtx);
	rc->sending = 0;
	pthread_mutex_unlock(&rc->mtx);

	return (retval);
}
621 
622 
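/*
 * Handle a client FramebufferUpdateRequest (type byte already consumed).
 *
 * If the size the client asked for differs from the current framebuffer,
 * the new size is recorded and, when the client supports it, a resize
 * pseudo-update is sent.  x/y/incremental are accepted but not used: this
 * server always sends whole-screen updates.  With discardonly set nothing
 * else happens; otherwise a full frame is sent immediately.
 */
static void
rfb_recv_update_msg(struct rfb_softc *rc, int cfd, int discardonly)
{
	struct rfb_updt_msg updt_msg;
	struct bhyvegc_image *gc_image;
	uint16_t req_w, req_h;

	/*
	 * Bail on a failed read rather than acting on an uninitialised
	 * message (which could announce a bogus resize to a dying client).
	 */
	if (stream_read(cfd, (unsigned char *)&updt_msg + 1,
	    sizeof(updt_msg) - 1) <= 0)
		return;

	console_refresh();
	gc_image = console_get_image();

	req_w = ntohs(updt_msg.width);
	req_h = ntohs(updt_msg.height);

	if (req_w != gc_image->width || req_h != gc_image->height) {
		rc->width = gc_image->width;
		rc->height = gc_image->height;
		if (rc->enc_resize_ok)
			rfb_send_resize_update_msg(rc, cfd);
	}

	if (discardonly)
		return;

	rfb_send_screen(rc, cfd, 1);
}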
652 
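/*
 * Handle a client KeyEvent (type byte already consumed) and forward it to
 * the guest console.  A failed read is dropped instead of injecting an
 * uninitialised keysym into the guest.
 */
static void
rfb_recv_key_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_key_msg key_msg;

	if (stream_read(cfd, (unsigned char *)&key_msg + 1,
	    sizeof(key_msg) - 1) <= 0)
		return;

	console_key_event(key_msg.down, ntohl(key_msg.code));
}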
662 
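/*
 * Handle a client PointerEvent (type byte already consumed) and forward
 * button mask and position to the guest console.  A failed read is dropped
 * instead of injecting uninitialised coordinates.
 */
static void
rfb_recv_ptr_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_ptr_msg ptr_msg;

	if (stream_read(cfd, (unsigned char *)&ptr_msg + 1,
	    sizeof(ptr_msg) - 1) <= 0)
		return;

	console_ptr_event(ptr_msg.button, ntohs(ptr_msg.x), ntohs(ptr_msg.y));
}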
672 
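/*
 * Handle a client ClientCutText message (type byte already consumed).
 * Clipboard contents are not forwarded to the guest; the payload is read
 * in 32-byte chunks and discarded so the stream stays in sync.
 *
 * The length is client-controlled (up to 4 GiB).  Draining stops as soon
 * as stream_read() reports EOF or an error; the original loop would spin
 * forever on a zero return and grow `length` on a negative one, which a
 * remote client could use to pin the handler thread.
 */
static void
rfb_recv_cuttext_msg(struct rfb_softc *rc, int cfd)
{
	struct rfb_cuttext_msg ct_msg;
	unsigned char buf[32];
	uint32_t remaining;
	size_t chunk;
	int len;

	len = stream_read(cfd, (unsigned char *)&ct_msg + 1,
	    sizeof(ct_msg) - 1);
	if (len <= 0)
		return;

	remaining = ntohl(ct_msg.length);
	while (remaining > 0) {
		chunk = remaining > sizeof(buf) ? sizeof(buf) : remaining;
		len = stream_read(cfd, buf, chunk);
		if (len <= 0)
			return;
		remaining -= (uint32_t)len;
	}
}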
688 
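/*
 * Microseconds elapsed from *prev to *now (negative if now is earlier).
 *
 * Each tv_sec is widened to int64_t before the multiply so the arithmetic
 * cannot overflow on targets where time_t is 32 bits.
 */
static int64_t
timeval_delta(struct timeval *prev, struct timeval *now)
{
	int64_t now_us, prev_us;

	now_us = (int64_t)now->tv_sec * 1000000 + now->tv_usec;
	prev_us = (int64_t)prev->tv_sec * 1000000 + prev->tv_usec;
	return (now_us - prev_us);
}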
697 
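/*
 * Frame writer thread, one per client.  Wakes every 10 ms (or when the
 * client socket becomes readable) and pushes an incremental screen update
 * roughly every 40 ms until the client socket is closed (rc->cfd < 0) or a
 * send fails.
 *
 * Note: rc->cfd is read here without synchronisation; rfb_handle() sets it
 * to -1 and then joins this thread.
 */
static void *
rfb_wr_thr(void *arg)
{
	struct rfb_softc *rc;
	fd_set rfds;
	struct timeval tv;
	struct timeval prev_tv;
	int64_t tdiff;
	int cfd;
	int err;

	rc = arg;
	cfd = rc->cfd;

	prev_tv.tv_sec = 0;
	prev_tv.tv_usec = 0;
	while (rc->cfd >= 0) {
		FD_ZERO(&rfds);
		FD_SET(cfd, &rfds);
		tv.tv_sec = 0;
		tv.tv_usec = 10000;

		err = select(cfd+1, &rfds, NULL, NULL, &tv);
		if (err < 0) {
			/* An interrupted wait is not a reason to drop the client. */
			if (errno == EINTR)
				continue;
			return (NULL);
		}

		/* Determine if its time to push screen; ~24hz */
		gettimeofday(&tv, NULL);
		tdiff = timeval_delta(&prev_tv, &tv);
		if (tdiff > 40000) {
			prev_tv = tv;
			if (rfb_send_screen(rc, cfd, 0) <= 0) {
				return (NULL);
			}
		} else {
			/*
			 * gettimeofday() is not monotonic; clamp so a
			 * backwards clock step cannot turn into a very
			 * long sleep.
			 */
			if (tdiff < 0)
				tdiff = 0;
			usleep(40000 - tdiff);
		}
	}

	return (NULL);
}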
741 
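/*
 * Scrub key material from the stack.  A plain memset() on storage that is
 * about to go out of scope may be optimised away; stores through a
 * volatile pointer are not.
 */
static void
rfb_secure_zero(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/*
 * Serve one client connection on cfd: RFB 3.8 version and security
 * handshake, ServerInit, then the client-message loop until the socket
 * closes or an unknown message type is seen.  A writer thread pushes
 * screen updates for the lifetime of the connection.
 *
 * Security: the only authentication is VNC auth (DES challenge-response
 * keyed by the first 8 bytes of rc->password) and only when a password was
 * configured.  Nothing here encrypts the session, so the listener should
 * stay on loopback unless tunnelled.
 */
void
rfb_handle(struct rfb_softc *rc, int cfd)
{
	const char *vbuf = "RFB 003.008\n";
	unsigned char buf[80];
	const char *message = NULL;
	unsigned char sectype;

#ifndef NO_OPENSSL
	unsigned char challenge[AUTH_LENGTH];
	unsigned char keystr[PASSWD_LENGTH];
	unsigned char crypt_expected[AUTH_LENGTH];

	DES_key_schedule ks;
	int i;
#endif

	pthread_t tid;
	uint32_t sres = 0;
	int len;
	int perror = 1;

	rc->cfd = cfd;

	/* 1a. Send server version */
	stream_write(cfd, vbuf, strlen(vbuf));

	/*
	 * 1b. Read client version.  The 12-byte string is not validated
	 * (every 3.x client is treated as 3.8), but a connection that is
	 * already gone must not continue into the security handshake.
	 */
	len = read(cfd, buf, sizeof(buf));
	if (len <= 0)
		goto done;

	/* 2a. Send security type: exactly one type is offered. */
#ifndef NO_OPENSSL
	sectype = (rc->password != NULL) ? SECURITY_TYPE_VNC_AUTH :
	    SECURITY_TYPE_NONE;
#else
	sectype = SECURITY_TYPE_NONE;
#endif
	buf[0] = 1;
	buf[1] = sectype;
	stream_write(cfd, buf, 2);

	/* 2b. Read agreed security type */
	len = stream_read(cfd, buf, 1);
	if (len <= 0)
		goto done;

	/*
	 * The client may only select the type we offered.  Trusting the
	 * client's byte here would let it reply SECURITY_TYPE_NONE -- or any
	 * unrecognised value, which the switch below would leave at
	 * sres == 0, i.e. success -- and bypass the password entirely.  It
	 * would also let it pick VNC_AUTH with no password configured and
	 * dereference a NULL rc->password.
	 */
	if (buf[0] != sectype) {
		message = "Auth Failed: authentication type mismatch.";
		sres = htonl(AUTH_FAILED_UNAUTH);
		goto report;
	}

	/* 2c. Do VNC authentication */
	switch (sectype) {
	case SECURITY_TYPE_NONE:
		sres = 0;
		break;
#ifndef NO_OPENSSL
	case SECURITY_TYPE_VNC_AUTH:
		/*
		 * The client encrypts the challenge with DES, using a password
		 * supplied by the user as the key.
		 * To form the key, the password is truncated to
		 * eight characters, or padded with null bytes on the right.
		 * The client then sends the resulting 16-bytes response.
		 *
		 * strncpy() is the intended key derivation here: it truncates
		 * to PASSWD_LENGTH and NUL-pads the remainder, and keystr is
		 * never used as a C string.  rc->password is non-NULL because
		 * VNC_AUTH was only offered when it was set.
		 */
		strncpy((char *)keystr, rc->password, PASSWD_LENGTH);

		/* VNC clients encrypts the challenge with all the bit fields
		 * in each byte of the password mirrored.
		 * Here we flip each byte of the keystr.
		 */
		for (i = 0; i < PASSWD_LENGTH; i++) {
			keystr[i] = (keystr[i] & 0xF0) >> 4
				  | (keystr[i] & 0x0F) << 4;
			keystr[i] = (keystr[i] & 0xCC) >> 2
				  | (keystr[i] & 0x33) << 2;
			keystr[i] = (keystr[i] & 0xAA) >> 1
				  | (keystr[i] & 0x55) << 1;
		}

		/* Initialize a 16-byte random challenge */
		arc4random_buf(challenge, sizeof(challenge));
		stream_write(cfd, challenge, AUTH_LENGTH);

		/* Receive the 16-byte challenge response */
		if (stream_read(cfd, buf, AUTH_LENGTH) <= 0) {
			rfb_secure_zero(keystr, sizeof(keystr));
			goto done;
		}

		memcpy(crypt_expected, challenge, AUTH_LENGTH);

		/* Encrypt the Challenge with DES (two independent ECB blocks). */
		DES_set_key((const_DES_cblock *)keystr, &ks);
		DES_ecb_encrypt((const_DES_cblock *)challenge,
				(const_DES_cblock *)crypt_expected,
				&ks, DES_ENCRYPT);
		DES_ecb_encrypt((const_DES_cblock *)(challenge + PASSWD_LENGTH),
				(const_DES_cblock *)(crypt_expected +
				PASSWD_LENGTH),
				&ks, DES_ENCRYPT);

		/* Key material is no longer needed; do not leave it on the stack. */
		rfb_secure_zero(keystr, sizeof(keystr));
		rfb_secure_zero(&ks, sizeof(ks));

		if (memcmp(crypt_expected, buf, AUTH_LENGTH) != 0) {
			message = "Auth Failed: Invalid Password.";
			sres = htonl(AUTH_FAILED_UNAUTH);
		} else
			sres = 0;
		break;
#endif
	}

report:
	/* 2d. Write back a status */
	stream_write(cfd, &sres, 4);

	if (sres) {
		/* RFB 3.8: a failure is followed by a length-prefixed reason string. */
		be32enc(buf, strlen(message));
		stream_write(cfd, buf, 4);
		stream_write(cfd, message, strlen(message));
		goto done;
	}

	/* 3a. Read client shared-flag byte (value ignored: one client at a time) */
	len = stream_read(cfd, buf, 1);
	if (len <= 0)
		goto done;

	/* 4a. Write server-init info */
	rfb_send_server_init_msg(cfd);

	/* Staging buffer for frame data; allocated once and kept across clients. */
	if (!rc->zbuf) {
		rc->zbuf = malloc(RFB_ZLIB_BUFSZ + 16);
		assert(rc->zbuf != NULL);
	}

	rfb_send_screen(rc, cfd, 1);

	perror = pthread_create(&tid, NULL, rfb_wr_thr, rc);
	if (perror == 0)
		pthread_set_name_np(tid, "rfbout");

	/* Now read in client requests. 1st byte identifies type */
	for (;;) {
		len = read(cfd, buf, 1);
		if (len <= 0) {
			DPRINTF(("rfb client exiting\r\n"));
			break;
		}

		switch (buf[0]) {
		case 0:
			rfb_recv_set_pixfmt_msg(rc, cfd);
			break;
		case 2:
			rfb_recv_set_encodings_msg(rc, cfd);
			break;
		case 3:
			rfb_recv_update_msg(rc, cfd, 1);
			break;
		case 4:
			rfb_recv_key_msg(rc, cfd);
			break;
		case 5:
			rfb_recv_ptr_msg(rc, cfd);
			break;
		case 6:
			rfb_recv_cuttext_msg(rc, cfd);
			break;
		default:
			/* Unknown type: we cannot know its length, so the stream is lost. */
			WPRINTF(("rfb unknown cli-code %d!\n", buf[0] & 0xff));
			goto done;
		}
	}
done:
	/* Signal the writer thread to stop, then wait for it before returning. */
	rc->cfd = -1;
	if (perror == 0)
		pthread_join(tid, NULL);
	if (rc->enc_zlib_ok)
		deflateEnd(&rc->zstream);
}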
914 
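/*
 * Listener thread: accept one client at a time and run rfb_handle() for it.
 * Per-connection negotiated state (encoding flags) is reset before each
 * accept.  If rfb_init() was asked to wait for a client, the first accept
 * wakes it up.
 */
static void *
rfb_thr(void *arg)
{
	struct rfb_softc *rc;
	sigset_t set;

	int cfd;

	rc = arg;

	/* A client that vanishes mid-write must yield EPIPE, not kill the VM. */
	sigemptyset(&set);
	sigaddset(&set, SIGPIPE);
	if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
		perror("pthread_sigmask");
		return (NULL);
	}

	for (;;) {
		rc->enc_raw_ok = false;
		rc->enc_zlib_ok = false;
		rc->enc_resize_ok = false;

		cfd = accept(rc->sfd, NULL, NULL);
		if (cfd < 0) {
			/*
			 * Transient conditions: try again.  Anything else
			 * would spin on a dead listening socket; stop taking
			 * new connections instead of handing -1 to
			 * rfb_handle().
			 */
			if (errno == EINTR || errno == ECONNABORTED ||
			    errno == EAGAIN)
				continue;
			perror("accept");
			if (rc->conn_wait) {
				/* Do not leave rfb_init() blocked forever. */
				pthread_mutex_lock(&rc->mtx);
				pthread_cond_signal(&rc->cond);
				pthread_mutex_unlock(&rc->mtx);
				rc->conn_wait = 0;
			}
			return (NULL);
		}
		if (rc->conn_wait) {
			pthread_mutex_lock(&rc->mtx);
			pthread_cond_signal(&rc->cond);
			pthread_mutex_unlock(&rc->mtx);
			rc->conn_wait = 0;
		}
		rfb_handle(rc, cfd);
		close(cfd);
	}

	/* NOTREACHED */
	return (NULL);
}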
951 
/*
 * Return 1 if the CPU advertises SSE4.2 (CPUID leaf 1, ECX bit CPUID2_SSE42),
 * which is what fast_crc32() relies on; 0 otherwise.
 */
static int
sse42_supported(void)
{
	u_int regs[4];

	do_cpuid(1, regs);

	/* regs[2] is ECX */
	return ((regs[2] & CPUID2_SSE42) ? 1 : 0);
}
963 
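/*
 * Create the RFB server: allocate state, bind and listen on hostname:port
 * (default 127.0.0.1:5900 when INET is available), and start the accept
 * thread.  With wait != 0 the call blocks until the first client connects.
 *
 * password is kept by reference (not copied); the caller's buffer must stay
 * valid for the life of the process.  NULL disables authentication.
 *
 * Returns 0 on success, -1 on failure (with everything allocated here
 * released).  A Capsicum rights failure is fatal via errx().
 */
int
rfb_init(char *hostname, int port, int wait, char *password)
{
	int e;
	char servname[6];
	struct rfb_softc *rc;
	struct addrinfo *ai = NULL;
	struct addrinfo hints;
	int on = 1;
#ifndef WITHOUT_CAPSICUM
	cap_rights_t rights;
#endif

	/* servname holds at most "65535"; reject anything that would truncate. */
	if (port < 0 || port > 65535) {
		fprintf(stderr, "rfb: invalid port %d\n", port);
		return (-1);
	}

	rc = calloc(1, sizeof(struct rfb_softc));
	if (rc == NULL) {
		perror("calloc");
		return (-1);
	}
	rc->sfd = -1;

	/* crc arrays are sized for the largest supported framebuffer. */
	rc->crc = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32),
	                 sizeof(uint32_t));
	rc->crc_tmp = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32),
	                     sizeof(uint32_t));
	if (rc->crc == NULL || rc->crc_tmp == NULL) {
		perror("calloc");
		goto fail;
	}
	rc->crc_width = RFB_MAX_WIDTH;
	rc->crc_height = RFB_MAX_HEIGHT;

	rc->password = password;

	snprintf(servname, sizeof(servname), "%d", port ? port : 5900);

	if (hostname == NULL || strlen(hostname) == 0) {
#if defined(INET)
		hostname = "127.0.0.1";
#elif defined(INET6)
		hostname = "[::1]";
#else
		/*
		 * No loopback family to default to.  A NULL host with
		 * AI_PASSIVE would bind the wildcard address and expose the
		 * console to the network; refuse instead.
		 */
		fprintf(stderr, "rfb: no listen address given and no loopback support\n");
		goto fail;
#endif
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	/* Numeric host/port only: no DNS from inside bhyve. */
	hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV | AI_PASSIVE;

	if ((e = getaddrinfo(hostname, servname, &hints, &ai)) != 0) {
		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
		goto fail;
	}

	rc->sfd = socket(ai->ai_family, ai->ai_socktype, 0);
	if (rc->sfd < 0) {
		perror("socket");
		goto fail;
	}

	setsockopt(rc->sfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

	if (bind(rc->sfd, ai->ai_addr, ai->ai_addrlen) < 0) {
		perror("bind");
		goto fail;
	}

	if (listen(rc->sfd, 1) < 0) {
		perror("listen");
		goto fail;
	}

#ifndef WITHOUT_CAPSICUM
	/* The listening socket only ever needs accept/select/read/write. */
	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
	if (caph_rights_limit(rc->sfd, &rights) == -1)
		errx(EX_OSERR, "Unable to apply rights for sandbox");
#endif

	rc->hw_crc = sse42_supported();

	/*
	 * rfb_send_screen() locks mtx for every client, not just when
	 * waiting, so initialise the mutex and condvar unconditionally
	 * rather than relying on a zero-filled mutex being usable.
	 */
	pthread_mutex_init(&rc->mtx, NULL);
	pthread_cond_init(&rc->cond, NULL);
	rc->conn_wait = wait;

	if ((e = pthread_create(&rc->tid, NULL, rfb_thr, rc)) != 0) {
		fprintf(stderr, "pthread_create: %s\n", strerror(e));
		goto fail;
	}
	pthread_set_name_np(rc->tid, "rfb");

	if (wait) {
		DPRINTF(("Waiting for rfb client...\n"));
		pthread_mutex_lock(&rc->mtx);
		pthread_cond_wait(&rc->cond, &rc->mtx);
		pthread_mutex_unlock(&rc->mtx);
	}

	freeaddrinfo(ai);
	return (0);

fail:
	if (ai != NULL)
		freeaddrinfo(ai);
	if (rc->sfd >= 0)
		close(rc->sfd);
	free(rc->crc);
	free(rc->crc_tmp);
	free(rc);
	return (-1);
}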
1055