1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2015 Tycho Nightingale <tycho.nightingale@pluribusnetworks.com> 5 * Copyright (c) 2015 Leon Dang 6 * Copyright 2020 Joyent, Inc. 7 * Copyright 2021 OmniOS Community Edition (OmniOSce) Association. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/param.h> 36 #ifndef WITHOUT_CAPSICUM 37 #include <sys/capsicum.h> 38 #endif 39 #include <sys/endian.h> 40 #include <sys/socket.h> 41 #include <sys/select.h> 42 #include <sys/time.h> 43 #include <arpa/inet.h> 44 #include <stdatomic.h> 45 #include <machine/cpufunc.h> 46 #include <machine/specialreg.h> 47 #include <netinet/in.h> 48 #include <netdb.h> 49 50 #include <assert.h> 51 #ifndef WITHOUT_CAPSICUM 52 #include <capsicum_helpers.h> 53 #endif 54 #include <err.h> 55 #include <errno.h> 56 #include <pthread.h> 57 #include <pthread_np.h> 58 #include <signal.h> 59 #include <stdbool.h> 60 #include <stdlib.h> 61 #include <stdio.h> 62 #include <string.h> 63 #include <sysexits.h> 64 #include <unistd.h> 65 66 #include <zlib.h> 67 68 #ifndef __FreeBSD__ 69 #include <sys/debug.h> 70 #endif 71 72 #include "bhyvegc.h" 73 #include "debug.h" 74 #include "console.h" 75 #include "rfb.h" 76 #include "sockstream.h" 77 78 #ifndef NO_OPENSSL 79 #include <openssl/des.h> 80 #endif 81 82 /* Delays in microseconds */ 83 #define CFD_SEL_DELAY 10000 84 #define SCREEN_REFRESH_DELAY 33300 /* 30Hz */ 85 #define SCREEN_POLL_DELAY (SCREEN_REFRESH_DELAY / 2) 86 87 static int rfb_debug = 0; 88 #define DPRINTF(params) if (rfb_debug) PRINTLN params 89 #define WPRINTF(params) PRINTLN params 90 91 #define VERSION_LENGTH 12 92 #define AUTH_LENGTH 16 93 #define PASSWD_LENGTH 8 94 95 /* Protocol versions */ 96 #define CVERS_3_3 '3' 97 #define CVERS_3_7 '7' 98 #define CVERS_3_8 '8' 99 100 /* Client-to-server msg types */ 101 #define CS_SET_PIXEL_FORMAT 0 102 #define CS_SET_ENCODINGS 2 103 #define CS_UPDATE_MSG 3 104 #define CS_KEY_EVENT 4 105 #define CS_POINTER_EVENT 5 106 #define CS_CUT_TEXT 6 107 #define CS_MSG_CLIENT_QEMU 255 108 109 #define SECURITY_TYPE_NONE 1 110 #define SECURITY_TYPE_VNC_AUTH 2 111 112 #define AUTH_FAILED_UNAUTH 1 113 #define AUTH_FAILED_ERROR 2 114 115 struct rfb_softc { 116 int sfd; 117 pthread_t tid; 118 119 int cfd; 120 121 int width, height; 122 123 char *password; 124 125 bool enc_raw_ok; 126 bool enc_zlib_ok; 127 bool enc_resize_ok; 128 bool enc_extkeyevent_ok; 129 130 bool enc_extkeyevent_send; 131 132 z_stream zstream; 133 uint8_t *zbuf; 134 int zbuflen; 135 136 int conn_wait; 137 int wrcount; 138 139 atomic_bool sending; 140 atomic_bool pending; 141 atomic_bool update_all; 142 atomic_bool input_detected; 143 144 pthread_mutex_t mtx; 145 pthread_cond_t cond; 146 147 int hw_crc; 148 uint32_t *crc; /* WxH crc cells */ 149 uint32_t *crc_tmp; /* buffer to store single crc row */ 150 int crc_width, crc_height; 151 #ifndef __FreeBSD__ 152 const char *name; 153 #endif 154 }; 155 156 struct rfb_pixfmt { 157 uint8_t bpp; 158 uint8_t depth; 159 uint8_t bigendian; 160 uint8_t truecolor; 161 uint16_t red_max; 162 uint16_t green_max; 163 uint16_t blue_max; 164 uint8_t red_shift; 165 uint8_t green_shift; 166 uint8_t blue_shift; 167 uint8_t pad[3]; 168 }; 169 170 struct rfb_srvr_info { 171 uint16_t width; 172 uint16_t height; 173 struct rfb_pixfmt pixfmt; 174 uint32_t namelen; 175 }; 176 177 struct rfb_pixfmt_msg { 178 uint8_t type; 179 uint8_t pad[3]; 180 struct rfb_pixfmt pixfmt; 181 }; 182 183 #define RFB_ENCODING_RAW 0 184 #define RFB_ENCODING_ZLIB 6 185 #define RFB_ENCODING_RESIZE -223 186 #define RFB_ENCODING_EXT_KEYEVENT -258 187 188 #define RFB_CLIENTMSG_EXT_KEYEVENT 0 189 190 #define RFB_MAX_WIDTH 2000 191 #define RFB_MAX_HEIGHT 1200 192 #define RFB_ZLIB_BUFSZ RFB_MAX_WIDTH*RFB_MAX_HEIGHT*4 193 194 /* percentage changes to screen before sending the entire screen */ 195 #define RFB_SEND_ALL_THRESH 25 196 197 struct rfb_enc_msg { 198 uint8_t type; 199 uint8_t pad; 200 uint16_t numencs; 201 }; 202 203 struct rfb_updt_msg { 204 uint8_t type; 205 uint8_t incremental; 206 uint16_t x; 207 uint16_t y; 208 uint16_t width; 209 uint16_t height; 210 }; 211 212 struct rfb_key_msg { 213 uint8_t type; 214 uint8_t down; 215 uint16_t pad; 216 uint32_t sym; 217 }; 218 219 struct rfb_client_msg { 220 uint8_t type; 221 uint8_t subtype; 222 }; 223 224 struct rfb_extended_key_msg { 225 uint8_t type; 226 uint8_t subtype; 227 uint16_t down; 228 uint32_t sym; 229 uint32_t code; 230 }; 231 232 struct rfb_ptr_msg { 233 uint8_t type; 234 uint8_t button; 235 uint16_t x; 236 uint16_t y; 237 }; 238 239 struct rfb_srvr_updt_msg { 240 uint8_t type; 241 uint8_t pad; 242 uint16_t numrects; 243 }; 244 245 struct rfb_srvr_rect_hdr { 246 uint16_t x; 247 uint16_t y; 248 uint16_t width; 249 uint16_t height; 250 uint32_t encoding; 251 }; 252 253 struct rfb_cuttext_msg { 254 uint8_t type; 255 uint8_t padding[3]; 256 uint32_t length; 257 }; 258 259 static void 260 #ifndef __FreeBSD__ 261 rfb_send_server_init_msg(int cfd, struct rfb_softc *rc) 262 #else 263 rfb_send_server_init_msg(int cfd) 264 #endif 265 { 266 struct bhyvegc_image *gc_image; 267 struct rfb_srvr_info sinfo; 268 269 gc_image = console_get_image(); 270 271 sinfo.width = htons(gc_image->width); 272 sinfo.height = htons(gc_image->height); 273 sinfo.pixfmt.bpp = 32; 274 sinfo.pixfmt.depth = 32; 275 sinfo.pixfmt.bigendian = 0; 276 sinfo.pixfmt.truecolor = 1; 277 sinfo.pixfmt.red_max = htons(255); 278 sinfo.pixfmt.green_max = htons(255); 279 sinfo.pixfmt.blue_max = htons(255); 280 sinfo.pixfmt.red_shift = 16; 281 sinfo.pixfmt.green_shift = 8; 282 sinfo.pixfmt.blue_shift = 0; 283 sinfo.pixfmt.pad[0] = 0; 284 sinfo.pixfmt.pad[1] = 0; 285 sinfo.pixfmt.pad[2] = 0; 286 287 #ifndef __FreeBSD__ 288 const char *name = rc->name != NULL ? rc->name : "bhyve"; 289 290 sinfo.namelen = htonl(strlen(name)); 291 (void)stream_write(cfd, &sinfo, sizeof(sinfo)); 292 (void)stream_write(cfd, name, strlen(name)); 293 #else 294 sinfo.namelen = htonl(strlen("bhyve")); 295 (void)stream_write(cfd, &sinfo, sizeof(sinfo)); 296 (void)stream_write(cfd, "bhyve", strlen("bhyve")); 297 #endif 298 } 299 300 static void 301 rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd) 302 { 303 struct rfb_srvr_updt_msg supdt_msg; 304 struct rfb_srvr_rect_hdr srect_hdr; 305 306 /* Number of rectangles: 1 */ 307 supdt_msg.type = 0; 308 supdt_msg.pad = 0; 309 supdt_msg.numrects = htons(1); 310 stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)); 311 312 /* Rectangle header */ 313 srect_hdr.x = htons(0); 314 srect_hdr.y = htons(0); 315 srect_hdr.width = htons(rc->width); 316 srect_hdr.height = htons(rc->height); 317 srect_hdr.encoding = htonl(RFB_ENCODING_RESIZE); 318 stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)); 319 } 320 321 static void 322 rfb_send_extended_keyevent_update_msg(struct rfb_softc *rc, int cfd) 323 { 324 struct rfb_srvr_updt_msg supdt_msg; 325 struct rfb_srvr_rect_hdr srect_hdr; 326 327 /* Number of rectangles: 1 */ 328 supdt_msg.type = 0; 329 supdt_msg.pad = 0; 330 supdt_msg.numrects = htons(1); 331 stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)); 332 333 /* Rectangle header */ 334 srect_hdr.x = htons(0); 335 srect_hdr.y = htons(0); 336 srect_hdr.width = htons(rc->width); 337 srect_hdr.height = htons(rc->height); 338 srect_hdr.encoding = htonl(RFB_ENCODING_EXT_KEYEVENT); 339 stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)); 340 } 341 342 static void 343 rfb_recv_set_pixfmt_msg(struct rfb_softc *rc, int cfd) 344 { 345 struct rfb_pixfmt_msg pixfmt_msg; 346 347 (void)stream_read(cfd, ((void *)&pixfmt_msg)+1, sizeof(pixfmt_msg)-1); 348 } 349 350 351 static void 352 rfb_recv_set_encodings_msg(struct rfb_softc *rc, int cfd) 353 { 354 struct rfb_enc_msg enc_msg; 355 int i; 356 uint32_t encoding; 357 358 (void)stream_read(cfd, ((void *)&enc_msg)+1, sizeof(enc_msg)-1); 359 360 for (i = 0; i < htons(enc_msg.numencs); i++) { 361 (void)stream_read(cfd, &encoding, sizeof(encoding)); 362 switch (htonl(encoding)) { 363 case RFB_ENCODING_RAW: 364 rc->enc_raw_ok = true; 365 break; 366 case RFB_ENCODING_ZLIB: 367 if (!rc->enc_zlib_ok) { 368 deflateInit(&rc->zstream, Z_BEST_SPEED); 369 rc->enc_zlib_ok = true; 370 } 371 break; 372 case RFB_ENCODING_RESIZE: 373 rc->enc_resize_ok = true; 374 break; 375 case RFB_ENCODING_EXT_KEYEVENT: 376 rc->enc_extkeyevent_ok = true; 377 break; 378 } 379 } 380 } 381 382 /* 383 * Calculate CRC32 using SSE4.2; Intel or AMD Bulldozer+ CPUs only 384 */ 385 static __inline uint32_t 386 fast_crc32(void *buf, int len, uint32_t crcval) 387 { 388 uint32_t q = len / sizeof(uint32_t); 389 uint32_t *p = (uint32_t *)buf; 390 391 while (q--) { 392 asm volatile ( 393 ".byte 0xf2, 0xf, 0x38, 0xf1, 0xf1;" 394 :"=S" (crcval) 395 :"0" (crcval), "c" (*p) 396 ); 397 p++; 398 } 399 400 return (crcval); 401 } 402 403 static int 404 rfb_send_update_header(struct rfb_softc *rc, int cfd, int numrects) 405 { 406 struct rfb_srvr_updt_msg supdt_msg; 407 408 supdt_msg.type = 0; 409 supdt_msg.pad = 0; 410 supdt_msg.numrects = htons(numrects); 411 412 return stream_write(cfd, &supdt_msg, 413 sizeof(struct rfb_srvr_updt_msg)); 414 } 415 416 static int 417 rfb_send_rect(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc, 418 int x, int y, int w, int h) 419 { 420 struct rfb_srvr_rect_hdr srect_hdr; 421 unsigned long zlen; 422 ssize_t nwrite, total; 423 int err; 424 uint32_t *p; 425 uint8_t *zbufp; 426 427 /* 428 * Send a single rectangle of the given x, y, w h dimensions. 429 */ 430 431 /* Rectangle header */ 432 srect_hdr.x = htons(x); 433 srect_hdr.y = htons(y); 434 srect_hdr.width = htons(w); 435 srect_hdr.height = htons(h); 436 437 h = y + h; 438 w *= sizeof(uint32_t); 439 if (rc->enc_zlib_ok) { 440 zbufp = rc->zbuf; 441 rc->zstream.total_in = 0; 442 rc->zstream.total_out = 0; 443 for (p = &gc->data[y * gc->width + x]; y < h; y++) { 444 rc->zstream.next_in = (Bytef *)p; 445 rc->zstream.avail_in = w; 446 rc->zstream.next_out = (Bytef *)zbufp; 447 rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16 - 448 rc->zstream.total_out; 449 rc->zstream.data_type = Z_BINARY; 450 451 /* Compress with zlib */ 452 err = deflate(&rc->zstream, Z_SYNC_FLUSH); 453 if (err != Z_OK) { 454 WPRINTF(("zlib[rect] deflate err: %d", err)); 455 rc->enc_zlib_ok = false; 456 deflateEnd(&rc->zstream); 457 goto doraw; 458 } 459 zbufp = rc->zbuf + rc->zstream.total_out; 460 p += gc->width; 461 } 462 srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB); 463 nwrite = stream_write(cfd, &srect_hdr, 464 sizeof(struct rfb_srvr_rect_hdr)); 465 if (nwrite <= 0) 466 return (nwrite); 467 468 zlen = htonl(rc->zstream.total_out); 469 nwrite = stream_write(cfd, &zlen, sizeof(uint32_t)); 470 if (nwrite <= 0) 471 return (nwrite); 472 return (stream_write(cfd, rc->zbuf, rc->zstream.total_out)); 473 } 474 475 doraw: 476 477 total = 0; 478 zbufp = rc->zbuf; 479 for (p = &gc->data[y * gc->width + x]; y < h; y++) { 480 memcpy(zbufp, p, w); 481 zbufp += w; 482 total += w; 483 p += gc->width; 484 } 485 486 srect_hdr.encoding = htonl(RFB_ENCODING_RAW); 487 nwrite = stream_write(cfd, &srect_hdr, 488 sizeof(struct rfb_srvr_rect_hdr)); 489 if (nwrite <= 0) 490 return (nwrite); 491 492 total = stream_write(cfd, rc->zbuf, total); 493 494 return (total); 495 } 496 497 static int 498 rfb_send_all(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc) 499 { 500 struct rfb_srvr_updt_msg supdt_msg; 501 struct rfb_srvr_rect_hdr srect_hdr; 502 ssize_t nwrite; 503 unsigned long zlen; 504 int err; 505 506 /* 507 * Send the whole thing 508 */ 509 510 /* Number of rectangles: 1 */ 511 supdt_msg.type = 0; 512 supdt_msg.pad = 0; 513 supdt_msg.numrects = htons(1); 514 nwrite = stream_write(cfd, &supdt_msg, 515 sizeof(struct rfb_srvr_updt_msg)); 516 if (nwrite <= 0) 517 return (nwrite); 518 519 /* Rectangle header */ 520 srect_hdr.x = 0; 521 srect_hdr.y = 0; 522 srect_hdr.width = htons(gc->width); 523 srect_hdr.height = htons(gc->height); 524 if (rc->enc_zlib_ok) { 525 rc->zstream.next_in = (Bytef *)gc->data; 526 rc->zstream.avail_in = gc->width * gc->height * 527 sizeof(uint32_t); 528 rc->zstream.next_out = (Bytef *)rc->zbuf; 529 rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16; 530 rc->zstream.data_type = Z_BINARY; 531 532 rc->zstream.total_in = 0; 533 rc->zstream.total_out = 0; 534 535 /* Compress with zlib */ 536 err = deflate(&rc->zstream, Z_SYNC_FLUSH); 537 if (err != Z_OK) { 538 WPRINTF(("zlib deflate err: %d", err)); 539 rc->enc_zlib_ok = false; 540 deflateEnd(&rc->zstream); 541 goto doraw; 542 } 543 544 srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB); 545 nwrite = stream_write(cfd, &srect_hdr, 546 sizeof(struct rfb_srvr_rect_hdr)); 547 if (nwrite <= 0) 548 return (nwrite); 549 550 zlen = htonl(rc->zstream.total_out); 551 nwrite = stream_write(cfd, &zlen, sizeof(uint32_t)); 552 if (nwrite <= 0) 553 return (nwrite); 554 return (stream_write(cfd, rc->zbuf, rc->zstream.total_out)); 555 } 556 557 doraw: 558 srect_hdr.encoding = htonl(RFB_ENCODING_RAW); 559 nwrite = stream_write(cfd, &srect_hdr, 560 sizeof(struct rfb_srvr_rect_hdr)); 561 if (nwrite <= 0) 562 return (nwrite); 563 564 nwrite = stream_write(cfd, gc->data, 565 gc->width * gc->height * sizeof(uint32_t)); 566 567 return (nwrite); 568 } 569 570 #define PIX_PER_CELL 32 571 #define PIXCELL_SHIFT 5 572 #define PIXCELL_MASK 0x1F 573 574 static int 575 rfb_send_screen(struct rfb_softc *rc, int cfd) 576 { 577 struct bhyvegc_image *gc_image; 578 ssize_t nwrite; 579 int x, y; 580 int celly, cellwidth; 581 int xcells, ycells; 582 int w, h; 583 uint32_t *p; 584 int rem_x, rem_y; /* remainder for resolutions not x32 pixels ratio */ 585 int retval; 586 uint32_t *crc_p, *orig_crc; 587 int changes; 588 bool expected; 589 590 /* Return if another thread sending */ 591 expected = false; 592 if (atomic_compare_exchange_strong(&rc->sending, &expected, true) == false) 593 return (1); 594 595 retval = 1; 596 597 /* Updates require a preceding update request */ 598 if (atomic_exchange(&rc->pending, false) == false) 599 goto done; 600 601 console_refresh(); 602 gc_image = console_get_image(); 603 604 /* Clear old CRC values when the size changes */ 605 if (rc->crc_width != gc_image->width || 606 rc->crc_height != gc_image->height) { 607 memset(rc->crc, 0, sizeof(uint32_t) * 608 howmany(RFB_MAX_WIDTH, PIX_PER_CELL) * 609 howmany(RFB_MAX_HEIGHT, PIX_PER_CELL)); 610 rc->crc_width = gc_image->width; 611 rc->crc_height = gc_image->height; 612 } 613 614 /* A size update counts as an update in itself */ 615 if (rc->width != gc_image->width || 616 rc->height != gc_image->height) { 617 rc->width = gc_image->width; 618 rc->height = gc_image->height; 619 if (rc->enc_resize_ok) { 620 rfb_send_resize_update_msg(rc, cfd); 621 rc->update_all = true; 622 goto done; 623 } 624 } 625 626 if (atomic_exchange(&rc->update_all, false) == true) { 627 retval = rfb_send_all(rc, cfd, gc_image); 628 goto done; 629 } 630 631 /* 632 * Calculate the checksum for each 32x32 cell. Send each that 633 * has changed since the last scan. 634 */ 635 636 w = rc->crc_width; 637 h = rc->crc_height; 638 xcells = howmany(rc->crc_width, PIX_PER_CELL); 639 ycells = howmany(rc->crc_height, PIX_PER_CELL); 640 641 rem_x = w & PIXCELL_MASK; 642 643 rem_y = h & PIXCELL_MASK; 644 if (!rem_y) 645 rem_y = PIX_PER_CELL; 646 647 p = gc_image->data; 648 649 /* 650 * Go through all cells and calculate crc. If significant number 651 * of changes, then send entire screen. 652 * crc_tmp is dual purpose: to store the new crc and to flag as 653 * a cell that has changed. 654 */ 655 crc_p = rc->crc_tmp - xcells; 656 orig_crc = rc->crc - xcells; 657 changes = 0; 658 memset(rc->crc_tmp, 0, sizeof(uint32_t) * xcells * ycells); 659 for (y = 0; y < h; y++) { 660 if ((y & PIXCELL_MASK) == 0) { 661 crc_p += xcells; 662 orig_crc += xcells; 663 } 664 665 for (x = 0; x < xcells; x++) { 666 if (x == (xcells - 1) && rem_x > 0) 667 cellwidth = rem_x; 668 else 669 cellwidth = PIX_PER_CELL; 670 671 if (rc->hw_crc) 672 crc_p[x] = fast_crc32(p, 673 cellwidth * sizeof(uint32_t), 674 crc_p[x]); 675 else 676 crc_p[x] = (uint32_t)crc32(crc_p[x], 677 (Bytef *)p, 678 cellwidth * sizeof(uint32_t)); 679 680 p += cellwidth; 681 682 /* check for crc delta if last row in cell */ 683 if ((y & PIXCELL_MASK) == PIXCELL_MASK || y == (h-1)) { 684 if (orig_crc[x] != crc_p[x]) { 685 orig_crc[x] = crc_p[x]; 686 crc_p[x] = 1; 687 changes++; 688 } else { 689 crc_p[x] = 0; 690 } 691 } 692 } 693 } 694 695 /* 696 * We only send the update if there are changes. 697 * Restore the pending flag since it was unconditionally cleared 698 * above. 699 */ 700 if (!changes) { 701 rc->pending = true; 702 goto done; 703 } 704 705 /* If number of changes is > THRESH percent, send the whole screen */ 706 if (((changes * 100) / (xcells * ycells)) >= RFB_SEND_ALL_THRESH) { 707 retval = rfb_send_all(rc, cfd, gc_image); 708 goto done; 709 } 710 711 rfb_send_update_header(rc, cfd, changes); 712 713 /* Go through all cells, and send only changed ones */ 714 crc_p = rc->crc_tmp; 715 for (y = 0; y < h; y += PIX_PER_CELL) { 716 /* previous cell's row */ 717 celly = (y >> PIXCELL_SHIFT); 718 719 /* Delta check crc to previous set */ 720 for (x = 0; x < xcells; x++) { 721 if (*crc_p++ == 0) 722 continue; 723 724 if (x == (xcells - 1) && rem_x > 0) 725 cellwidth = rem_x; 726 else 727 cellwidth = PIX_PER_CELL; 728 nwrite = rfb_send_rect(rc, cfd, 729 gc_image, 730 x * PIX_PER_CELL, 731 celly * PIX_PER_CELL, 732 cellwidth, 733 y + PIX_PER_CELL >= h ? rem_y : PIX_PER_CELL); 734 if (nwrite <= 0) { 735 retval = nwrite; 736 goto done; 737 } 738 } 739 } 740 741 done: 742 rc->sending = false; 743 744 return (retval); 745 } 746 747 748 static void 749 rfb_recv_update_msg(struct rfb_softc *rc, int cfd) 750 { 751 struct rfb_updt_msg updt_msg; 752 753 (void)stream_read(cfd, ((void *)&updt_msg) + 1 , sizeof(updt_msg) - 1); 754 755 if (rc->enc_extkeyevent_ok && (!rc->enc_extkeyevent_send)) { 756 rfb_send_extended_keyevent_update_msg(rc, cfd); 757 rc->enc_extkeyevent_send = true; 758 } 759 760 rc->pending = true; 761 if (!updt_msg.incremental) 762 rc->update_all = true; 763 } 764 765 static void 766 rfb_recv_key_msg(struct rfb_softc *rc, int cfd) 767 { 768 struct rfb_key_msg key_msg; 769 770 (void)stream_read(cfd, ((void *)&key_msg) + 1, sizeof(key_msg) - 1); 771 772 console_key_event(key_msg.down, htonl(key_msg.sym), htonl(0)); 773 rc->input_detected = true; 774 } 775 776 static void 777 rfb_recv_client_msg(struct rfb_softc *rc, int cfd) 778 { 779 struct rfb_client_msg client_msg; 780 struct rfb_extended_key_msg extkey_msg; 781 782 (void)stream_read(cfd, ((void *)&client_msg) + 1, sizeof(client_msg) - 1); 783 784 if (client_msg.subtype == RFB_CLIENTMSG_EXT_KEYEVENT ) { 785 (void)stream_read(cfd, ((void *)&extkey_msg) + 2, sizeof(extkey_msg) - 2); 786 console_key_event((int)extkey_msg.down, htonl(extkey_msg.sym), htonl(extkey_msg.code)); 787 rc->input_detected = true; 788 } 789 } 790 791 static void 792 rfb_recv_ptr_msg(struct rfb_softc *rc, int cfd) 793 { 794 struct rfb_ptr_msg ptr_msg; 795 796 (void)stream_read(cfd, ((void *)&ptr_msg) + 1, sizeof(ptr_msg) - 1); 797 798 console_ptr_event(ptr_msg.button, htons(ptr_msg.x), htons(ptr_msg.y)); 799 rc->input_detected = true; 800 } 801 802 static void 803 rfb_recv_cuttext_msg(struct rfb_softc *rc, int cfd) 804 { 805 struct rfb_cuttext_msg ct_msg; 806 unsigned char buf[32]; 807 int len; 808 809 len = stream_read(cfd, ((void *)&ct_msg) + 1, sizeof(ct_msg) - 1); 810 ct_msg.length = htonl(ct_msg.length); 811 while (ct_msg.length > 0) { 812 len = stream_read(cfd, buf, ct_msg.length > sizeof(buf) ? 813 sizeof(buf) : ct_msg.length); 814 ct_msg.length -= len; 815 } 816 } 817 818 static int64_t 819 timeval_delta(struct timeval *prev, struct timeval *now) 820 { 821 int64_t n1, n2; 822 n1 = now->tv_sec * 1000000 + now->tv_usec; 823 n2 = prev->tv_sec * 1000000 + prev->tv_usec; 824 return (n1 - n2); 825 } 826 827 static void * 828 rfb_wr_thr(void *arg) 829 { 830 struct rfb_softc *rc; 831 fd_set rfds; 832 struct timeval tv; 833 struct timeval prev_tv; 834 int64_t tdiff; 835 int cfd; 836 int err; 837 838 rc = arg; 839 cfd = rc->cfd; 840 841 prev_tv.tv_sec = 0; 842 prev_tv.tv_usec = 0; 843 while (rc->cfd >= 0) { 844 FD_ZERO(&rfds); 845 FD_SET(cfd, &rfds); 846 tv.tv_sec = 0; 847 tv.tv_usec = CFD_SEL_DELAY; 848 849 err = select(cfd+1, &rfds, NULL, NULL, &tv); 850 if (err < 0) 851 return (NULL); 852 853 /* Determine if its time to push screen; ~24hz */ 854 gettimeofday(&tv, NULL); 855 tdiff = timeval_delta(&prev_tv, &tv); 856 if (tdiff >= SCREEN_POLL_DELAY) { 857 bool input; 858 prev_tv.tv_sec = tv.tv_sec; 859 prev_tv.tv_usec = tv.tv_usec; 860 input = atomic_exchange(&rc->input_detected, false); 861 /* 862 * Refresh the screen on every second trip through the loop, 863 * or if keyboard/mouse input has been detected. 864 */ 865 if ((++rc->wrcount & 1) || input) { 866 if (rfb_send_screen(rc, cfd) <= 0) { 867 return (NULL); 868 } 869 } 870 } else { 871 /* sleep */ 872 usleep(SCREEN_POLL_DELAY - tdiff); 873 } 874 } 875 876 return (NULL); 877 } 878 879 void 880 rfb_handle(struct rfb_softc *rc, int cfd) 881 { 882 const char *vbuf = "RFB 003.008\n"; 883 unsigned char buf[80]; 884 unsigned char *message = NULL; 885 886 #ifndef NO_OPENSSL 887 unsigned char challenge[AUTH_LENGTH]; 888 unsigned char keystr[PASSWD_LENGTH]; 889 unsigned char crypt_expected[AUTH_LENGTH]; 890 891 DES_key_schedule ks; 892 int i; 893 #endif 894 uint8_t client_ver; 895 uint8_t auth_type; 896 pthread_t tid; 897 uint32_t sres = 0; 898 int len; 899 int perror = 1; 900 901 rc->cfd = cfd; 902 903 /* 1a. Send server version */ 904 stream_write(cfd, vbuf, strlen(vbuf)); 905 906 /* 1b. Read client version */ 907 len = stream_read(cfd, buf, VERSION_LENGTH); 908 #ifdef __FreeBSD__ 909 if (len == VERSION_LENGTH && !strncmp(vbuf, buf, VERSION_LENGTH - 2)) { 910 client_ver = buf[VERSION_LENGTH - 2]; 911 } 912 #else 913 /* Work around gcc7 maybe-uninitialized warning */ 914 client_ver = CVERS_3_3; 915 if (len == VERSION_LENGTH && !strncmp(vbuf, (char *)buf, 916 VERSION_LENGTH - 2)) { 917 client_ver = buf[VERSION_LENGTH - 2]; 918 } 919 #endif 920 if (client_ver != CVERS_3_8 && client_ver != CVERS_3_7) { 921 /* only recognize 3.3, 3.7 & 3.8. Others dflt to 3.3 */ 922 client_ver = CVERS_3_3; 923 } 924 925 /* 2a. Send security type */ 926 buf[0] = 1; 927 928 /* In versions 3.7 & 3.8, it's 2-way handshake */ 929 /* For version 3.3, server says what the authentication type must be */ 930 #ifndef NO_OPENSSL 931 if (rc->password) { 932 auth_type = SECURITY_TYPE_VNC_AUTH; 933 } else { 934 auth_type = SECURITY_TYPE_NONE; 935 } 936 #else 937 auth_type = SECURITY_TYPE_NONE; 938 #endif 939 940 switch (client_ver) { 941 case CVERS_3_7: 942 case CVERS_3_8: 943 buf[0] = 1; 944 buf[1] = auth_type; 945 stream_write(cfd, buf, 2); 946 947 /* 2b. Read agreed security type */ 948 len = stream_read(cfd, buf, 1); 949 if (buf[0] != auth_type) { 950 /* deny */ 951 sres = htonl(1); 952 #ifdef __FreeBSD__ 953 message = "Auth failed: authentication type mismatch"; 954 #else 955 message = (unsigned char *) 956 "Auth failed: authentication type mismatch"; 957 #endif 958 goto report_and_done; 959 } 960 break; 961 case CVERS_3_3: 962 default: 963 be32enc(buf, auth_type); 964 stream_write(cfd, buf, 4); 965 break; 966 } 967 968 /* 2c. Do VNC authentication */ 969 switch (auth_type) { 970 case SECURITY_TYPE_NONE: 971 break; 972 case SECURITY_TYPE_VNC_AUTH: 973 /* 974 * The client encrypts the challenge with DES, using a password 975 * supplied by the user as the key. 976 * To form the key, the password is truncated to 977 * eight characters, or padded with null bytes on the right. 978 * The client then sends the resulting 16-bytes response. 979 */ 980 #ifndef NO_OPENSSL 981 #ifdef __FreeBSD__ 982 strncpy(keystr, rc->password, PASSWD_LENGTH); 983 #else 984 strncpy((char *)keystr, rc->password, PASSWD_LENGTH); 985 #endif 986 987 /* VNC clients encrypts the challenge with all the bit fields 988 * in each byte of the password mirrored. 989 * Here we flip each byte of the keystr. 990 */ 991 for (i = 0; i < PASSWD_LENGTH; i++) { 992 keystr[i] = (keystr[i] & 0xF0) >> 4 993 | (keystr[i] & 0x0F) << 4; 994 keystr[i] = (keystr[i] & 0xCC) >> 2 995 | (keystr[i] & 0x33) << 2; 996 keystr[i] = (keystr[i] & 0xAA) >> 1 997 | (keystr[i] & 0x55) << 1; 998 } 999 1000 /* Initialize a 16-byte random challenge */ 1001 arc4random_buf(challenge, sizeof(challenge)); 1002 stream_write(cfd, challenge, AUTH_LENGTH); 1003 1004 /* Receive the 16-byte challenge response */ 1005 stream_read(cfd, buf, AUTH_LENGTH); 1006 1007 memcpy(crypt_expected, challenge, AUTH_LENGTH); 1008 1009 /* Encrypt the Challenge with DES */ 1010 DES_set_key((const_DES_cblock *)keystr, &ks); 1011 DES_ecb_encrypt((const_DES_cblock *)challenge, 1012 (const_DES_cblock *)crypt_expected, 1013 &ks, DES_ENCRYPT); 1014 DES_ecb_encrypt((const_DES_cblock *)(challenge + PASSWD_LENGTH), 1015 (const_DES_cblock *)(crypt_expected + 1016 PASSWD_LENGTH), 1017 &ks, DES_ENCRYPT); 1018 1019 if (memcmp(crypt_expected, buf, AUTH_LENGTH) != 0) { 1020 #ifdef __FreeBSD__ 1021 message = "Auth Failed: Invalid Password."; 1022 #else 1023 message = 1024 (unsigned char *)"Auth Failed: Invalid Password."; 1025 #endif 1026 sres = htonl(1); 1027 } else { 1028 sres = 0; 1029 } 1030 #else 1031 sres = htonl(1); 1032 WPRINTF(("Auth not supported, no OpenSSL in your system")); 1033 #endif 1034 1035 break; 1036 } 1037 1038 switch (client_ver) { 1039 case CVERS_3_7: 1040 case CVERS_3_8: 1041 report_and_done: 1042 /* 2d. Write back a status */ 1043 stream_write(cfd, &sres, 4); 1044 1045 if (sres) { 1046 /* 3.7 does not want string explaining cause */ 1047 if (client_ver == CVERS_3_8) { 1048 #ifdef __FreeBSD__ 1049 be32enc(buf, strlen(message)); 1050 stream_write(cfd, buf, 4); 1051 stream_write(cfd, message, strlen(message)); 1052 #else 1053 be32enc(buf, strlen((char *)message)); 1054 stream_write(cfd, buf, 4); 1055 stream_write(cfd, message, 1056 strlen((char *)message)); 1057 #endif 1058 } 1059 goto done; 1060 } 1061 break; 1062 case CVERS_3_3: 1063 default: 1064 /* for VNC auth case send status */ 1065 if (auth_type == SECURITY_TYPE_VNC_AUTH) { 1066 /* 2d. Write back a status */ 1067 stream_write(cfd, &sres, 4); 1068 } 1069 if (sres) { 1070 goto done; 1071 } 1072 break; 1073 } 1074 /* 3a. Read client shared-flag byte */ 1075 len = stream_read(cfd, buf, 1); 1076 1077 /* 4a. Write server-init info */ 1078 #ifndef __FreeBSD__ 1079 rfb_send_server_init_msg(cfd, rc); 1080 #else 1081 rfb_send_server_init_msg(cfd); 1082 #endif 1083 1084 if (!rc->zbuf) { 1085 rc->zbuf = malloc(RFB_ZLIB_BUFSZ + 16); 1086 assert(rc->zbuf != NULL); 1087 } 1088 1089 perror = pthread_create(&tid, NULL, rfb_wr_thr, rc); 1090 if (perror == 0) 1091 pthread_set_name_np(tid, "rfbout"); 1092 1093 /* Now read in client requests. 1st byte identifies type */ 1094 for (;;) { 1095 len = read(cfd, buf, 1); 1096 if (len <= 0) { 1097 DPRINTF(("rfb client exiting")); 1098 break; 1099 } 1100 1101 switch (buf[0]) { 1102 case CS_SET_PIXEL_FORMAT: 1103 rfb_recv_set_pixfmt_msg(rc, cfd); 1104 break; 1105 case CS_SET_ENCODINGS: 1106 rfb_recv_set_encodings_msg(rc, cfd); 1107 break; 1108 case CS_UPDATE_MSG: 1109 rfb_recv_update_msg(rc, cfd); 1110 break; 1111 case CS_KEY_EVENT: 1112 rfb_recv_key_msg(rc, cfd); 1113 break; 1114 case CS_POINTER_EVENT: 1115 rfb_recv_ptr_msg(rc, cfd); 1116 break; 1117 case CS_CUT_TEXT: 1118 rfb_recv_cuttext_msg(rc, cfd); 1119 break; 1120 case CS_MSG_CLIENT_QEMU: 1121 rfb_recv_client_msg(rc, cfd); 1122 break; 1123 default: 1124 WPRINTF(("rfb unknown cli-code %d!", buf[0] & 0xff)); 1125 goto done; 1126 } 1127 } 1128 done: 1129 rc->cfd = -1; 1130 if (perror == 0) 1131 pthread_join(tid, NULL); 1132 if (rc->enc_zlib_ok) 1133 deflateEnd(&rc->zstream); 1134 } 1135 1136 static void * 1137 rfb_thr(void *arg) 1138 { 1139 struct rfb_softc *rc; 1140 sigset_t set; 1141 1142 int cfd; 1143 1144 rc = arg; 1145 1146 sigemptyset(&set); 1147 sigaddset(&set, SIGPIPE); 1148 if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) { 1149 perror("pthread_sigmask"); 1150 return (NULL); 1151 } 1152 1153 for (;;) { 1154 rc->enc_raw_ok = false; 1155 rc->enc_zlib_ok = false; 1156 rc->enc_resize_ok = false; 1157 rc->enc_extkeyevent_ok = false; 1158 1159 rc->enc_extkeyevent_send = false; 1160 1161 cfd = accept(rc->sfd, NULL, NULL); 1162 if (rc->conn_wait) { 1163 pthread_mutex_lock(&rc->mtx); 1164 pthread_cond_signal(&rc->cond); 1165 pthread_mutex_unlock(&rc->mtx); 1166 rc->conn_wait = 0; 1167 } 1168 rfb_handle(rc, cfd); 1169 close(cfd); 1170 } 1171 1172 /* NOTREACHED */ 1173 return (NULL); 1174 } 1175 1176 static int 1177 sse42_supported(void) 1178 { 1179 u_int cpu_registers[4], ecx; 1180 1181 do_cpuid(1, cpu_registers); 1182 1183 ecx = cpu_registers[2]; 1184 1185 return ((ecx & CPUID2_SSE42) != 0); 1186 } 1187 1188 int 1189 #ifndef __FreeBSD__ 1190 rfb_init(char *hostname, int port, int wait, char *password, const char *name) 1191 #else 1192 rfb_init(char *hostname, int port, int wait, char *password) 1193 #endif 1194 { 1195 int e; 1196 char servname[6]; 1197 struct rfb_softc *rc; 1198 struct addrinfo *ai = NULL; 1199 struct addrinfo hints; 1200 int on = 1; 1201 int cnt; 1202 #ifndef WITHOUT_CAPSICUM 1203 cap_rights_t rights; 1204 #endif 1205 1206 rc = calloc(1, sizeof(struct rfb_softc)); 1207 1208 cnt = howmany(RFB_MAX_WIDTH, PIX_PER_CELL) * 1209 howmany(RFB_MAX_HEIGHT, PIX_PER_CELL); 1210 rc->crc = calloc(cnt, sizeof(uint32_t)); 1211 rc->crc_tmp = calloc(cnt, sizeof(uint32_t)); 1212 rc->crc_width = RFB_MAX_WIDTH; 1213 rc->crc_height = RFB_MAX_HEIGHT; 1214 rc->sfd = -1; 1215 1216 rc->password = password; 1217 1218 #ifndef __FreeBSD__ 1219 rc->name = name; 1220 #endif 1221 1222 snprintf(servname, sizeof(servname), "%d", port ? port : 5900); 1223 1224 if (!hostname || strlen(hostname) == 0) 1225 #if defined(INET) 1226 hostname = "127.0.0.1"; 1227 #elif defined(INET6) 1228 hostname = "[::1]"; 1229 #endif 1230 1231 memset(&hints, 0, sizeof(hints)); 1232 hints.ai_family = AF_UNSPEC; 1233 hints.ai_socktype = SOCK_STREAM; 1234 hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV | AI_PASSIVE; 1235 1236 if ((e = getaddrinfo(hostname, servname, &hints, &ai)) != 0) { 1237 EPRINTLN("getaddrinfo: %s", gai_strerror(e)); 1238 goto error; 1239 } 1240 1241 rc->sfd = socket(ai->ai_family, ai->ai_socktype, 0); 1242 if (rc->sfd < 0) { 1243 perror("socket"); 1244 goto error; 1245 } 1246 1247 setsockopt(rc->sfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); 1248 1249 if (bind(rc->sfd, ai->ai_addr, ai->ai_addrlen) < 0) { 1250 perror("bind"); 1251 goto error; 1252 } 1253 1254 if (listen(rc->sfd, 1) < 0) { 1255 perror("listen"); 1256 goto error; 1257 } 1258 1259 #ifndef WITHOUT_CAPSICUM 1260 cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); 1261 if (caph_rights_limit(rc->sfd, &rights) == -1) 1262 errx(EX_OSERR, "Unable to apply rights for sandbox"); 1263 #endif 1264 1265 rc->hw_crc = sse42_supported(); 1266 1267 rc->conn_wait = wait; 1268 if (wait) { 1269 pthread_mutex_init(&rc->mtx, NULL); 1270 pthread_cond_init(&rc->cond, NULL); 1271 } 1272 1273 pthread_create(&rc->tid, NULL, rfb_thr, rc); 1274 pthread_set_name_np(rc->tid, "rfb"); 1275 1276 if (wait) { 1277 DPRINTF(("Waiting for rfb client...")); 1278 pthread_mutex_lock(&rc->mtx); 1279 pthread_cond_wait(&rc->cond, &rc->mtx); 1280 pthread_mutex_unlock(&rc->mtx); 1281 DPRINTF(("rfb client connected")); 1282 } 1283 1284 freeaddrinfo(ai); 1285 return (0); 1286 1287 error: 1288 if (ai != NULL) 1289 freeaddrinfo(ai); 1290 if (rc->sfd != -1) 1291 close(rc->sfd); 1292 free(rc->crc); 1293 free(rc->crc_tmp); 1294 free(rc); 1295 return (-1); 1296 } 1297 1298 #ifndef __FreeBSD__ 1299 int 1300 rfb_init_unix(const char *path, int wait, char *password, const char *name) 1301 { 1302 struct rfb_softc *rc; 1303 struct sockaddr_un sock; 1304 1305 if ((rc = calloc(1, sizeof (struct rfb_softc))) == NULL) { 1306 perror("calloc"); 1307 return (-1); 1308 } 1309 rc->sfd = -1; 1310 1311 if ((rc->crc = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32), 1312 sizeof (uint32_t))) == NULL) { 1313 perror("calloc"); 1314 goto fail; 1315 } 1316 if ((rc->crc_tmp = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32), 1317 sizeof (uint32_t))) == NULL) { 1318 perror("calloc"); 1319 goto fail; 1320 } 1321 rc->crc_width = RFB_MAX_WIDTH; 1322 rc->crc_height = RFB_MAX_HEIGHT; 1323 1324 rc->password = password; 1325 rc->name = name; 1326 1327 rc->sfd = socket(PF_UNIX, SOCK_STREAM, 0); 1328 if (rc->sfd < 0) { 1329 perror("socket"); 1330 goto fail; 1331 } 1332 1333 sock.sun_family = AF_UNIX; 1334 if (strlcpy(sock.sun_path, path, sizeof (sock.sun_path)) >= 1335 sizeof (sock.sun_path)) { 1336 (void) fprintf(stderr, "socket path '%s' too long\n", path); 1337 goto fail; 1338 } 1339 1340 (void) unlink(path); 1341 if (bind(rc->sfd, (struct sockaddr *)&sock, sizeof (sock)) < 0) { 1342 perror("bind"); 1343 goto fail; 1344 } 1345 1346 if (listen(rc->sfd, 1) < 0) { 1347 perror("listen"); 1348 goto fail; 1349 } 1350 1351 rc->hw_crc = sse42_supported(); 1352 1353 rc->conn_wait = wait; 1354 if (wait) { 1355 VERIFY3S(pthread_mutex_init(&rc->mtx, NULL), ==, 0); 1356 VERIFY3S(pthread_cond_init(&rc->cond, NULL), ==, 0); 1357 } 1358 1359 VERIFY3S(pthread_create(&rc->tid, NULL, rfb_thr, rc), ==, 0); 1360 pthread_set_name_np(rc->tid, "rfb"); 1361 1362 if (wait) { 1363 DPRINTF(("Waiting for rfb client...\n")); 1364 VERIFY3S(pthread_mutex_lock(&rc->mtx), ==, 0); 1365 VERIFY3S(pthread_cond_wait(&rc->cond, &rc->mtx), ==, 0); 1366 VERIFY3S(pthread_mutex_unlock(&rc->mtx), ==, 0); 1367 } 1368 1369 return (0); 1370 1371 fail: 1372 if (rc->sfd != -1) { 1373 VERIFY3S(close(rc->sfd), ==, 0); 1374 } 1375 free(rc->crc); 1376 free(rc->crc_tmp); 1377 free(rc); 1378 return (-1); 1379 } 1380 #endif 1381