search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug in TLS authentication ("Daniel P. Berrange")
[sniper_test.git] / vnc.c
blob816923410bd0293586d9dc7f404ae91a024ddc1d
1 /*
2 * QEMU VNC display driver
3 *
4 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5 * Copyright (C) 2006 Fabrice Bellard
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26 #include "qemu-common.h"
27 #include "monitor.h"
28 #include "console.h"
29 #include "sysemu.h"
30 #include "qemu_socket.h"
31 #include "qemu-timer.h"
32 #include "audio/audio.h"
33 #include <zlib.h>
34
35 #define VNC_REFRESH_INTERVAL (1000 / 30)
36
37 #include "vnc.h"
38 #include "vnc_keysym.h"
39 #include "keymaps.c"
40 #include "d3des.h"
41
42 #ifdef CONFIG_VNC_TLS
43 #include <gnutls/gnutls.h>
44 #include <gnutls/x509.h>
45 #endif /* CONFIG_VNC_TLS */
46
47 // #define _VNC_DEBUG 1
48
49 #ifdef _VNC_DEBUG
50 #define VNC_DEBUG(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
51
52 #if defined(CONFIG_VNC_TLS) && _VNC_DEBUG >= 2
53 /* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
54 static void vnc_debug_gnutls_log(int level, const char* str) {
55 VNC_DEBUG("%d %s", level, str);
56 }
57 #endif /* CONFIG_VNC_TLS && _VNC_DEBUG */
58 #else
59 #define VNC_DEBUG(fmt, ...) do { } while (0)
60 #endif
61
62 #define count_bits(c, v) { \
63 for (c = 0; v; v >>= 1) \
64 { \
65 c += v & 1; \
66 } \
67 }
68
69 typedef struct Buffer
70 {
71 size_t capacity;
72 size_t offset;
73 uint8_t *buffer;
74 } Buffer;
75
76 typedef struct VncState VncState;
77
78 typedef int VncReadEvent(VncState *vs, uint8_t *data, size_t len);
79
80 typedef void VncWritePixels(VncState *vs, void *data, int size);
81
82 typedef void VncSendHextileTile(VncState *vs,
83 int x, int y, int w, int h,
84 void *last_bg,
85 void *last_fg,
86 int *has_bg, int *has_fg);
87
88 #define VNC_MAX_WIDTH 2048
89 #define VNC_MAX_HEIGHT 2048
90 #define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * 32))
91
92 #define VNC_AUTH_CHALLENGE_SIZE 16
93
94 typedef struct VncDisplay VncDisplay;
95
96 struct VncDisplay
97 {
98 int lsock;
99 DisplayState *ds;
100 VncState *clients;
101 kbd_layout_t *kbd_layout;
102
103 char *display;
104 char *password;
105 int auth;
106 #ifdef CONFIG_VNC_TLS
107 int subauth;
108 int x509verify;
109
110 char *x509cacert;
111 char *x509cacrl;
112 char *x509cert;
113 char *x509key;
114 #endif
115 };
116
117 struct VncState
118 {
119 QEMUTimer *timer;
120 int csock;
121 DisplayState *ds;
122 VncDisplay *vd;
123 int need_update;
124 uint32_t dirty_row[VNC_MAX_HEIGHT][VNC_DIRTY_WORDS];
125 char *old_data;
126 uint32_t features;
127 int absolute;
128 int last_x;
129 int last_y;
130
131 uint32_t vnc_encoding;
132 uint8_t tight_quality;
133 uint8_t tight_compression;
134
135 int major;
136 int minor;
137
138 char challenge[VNC_AUTH_CHALLENGE_SIZE];
139
140 #ifdef CONFIG_VNC_TLS
141 int wiremode;
142 gnutls_session_t tls_session;
143 #endif
144
145 Buffer output;
146 Buffer input;
147 /* current output mode information */
148 VncWritePixels *write_pixels;
149 VncSendHextileTile *send_hextile_tile;
150 DisplaySurface clientds, serverds;
151
152 CaptureVoiceOut *audio_cap;
153 struct audsettings as;
154
155 VncReadEvent *read_handler;
156 size_t read_handler_expect;
157 /* input */
158 uint8_t modifiers_state[256];
159
160 Buffer zlib;
161 Buffer zlib_tmp;
162 z_stream zlib_stream[4];
163
164 VncState *next;
165 };
166
167 static VncDisplay *vnc_display; /* needed for info vnc */
168 static DisplayChangeListener *dcl;
169
170 void do_info_vnc(Monitor *mon)
171 {
172 if (vnc_display == NULL || vnc_display->display == NULL)
173 monitor_printf(mon, "VNC server disabled\n");
174 else {
175 monitor_printf(mon, "VNC server active on: ");
176 monitor_print_filename(mon, vnc_display->display);
177 monitor_printf(mon, "\n");
178
179 if (vnc_display->clients == NULL)
180 monitor_printf(mon, "No client connected\n");
181 else
182 monitor_printf(mon, "Client connected\n");
183 }
184 }
185
186 static inline uint32_t vnc_has_feature(VncState *vs, int feature) {
187 return (vs->features & (1 << feature));
188 }
189
190 /* TODO
191 1) Get the queue working for IO.
192 2) there is some weirdness when using the -S option (the screen is grey
193 and not totally invalidated
194 3) resolutions > 1024
195 */
196
197 static void vnc_write(VncState *vs, const void *data, size_t len);
198 static void vnc_write_u32(VncState *vs, uint32_t value);
199 static void vnc_write_s32(VncState *vs, int32_t value);
200 static void vnc_write_u16(VncState *vs, uint16_t value);
201 static void vnc_write_u8(VncState *vs, uint8_t value);
202 static void vnc_flush(VncState *vs);
203 static void vnc_update_client(void *opaque);
204 static void vnc_client_read(void *opaque);
205
206 static void vnc_colordepth(VncState *vs);
207
208 static inline void vnc_set_bit(uint32_t *d, int k)
209 {
210 d[k >> 5] |= 1 << (k & 0x1f);
211 }
212
213 static inline void vnc_clear_bit(uint32_t *d, int k)
214 {
215 d[k >> 5] &= ~(1 << (k & 0x1f));
216 }
217
218 static inline void vnc_set_bits(uint32_t *d, int n, int nb_words)
219 {
220 int j;
221
222 j = 0;
223 while (n >= 32) {
224 d[j++] = -1;
225 n -= 32;
226 }
227 if (n > 0)
228 d[j++] = (1 << n) - 1;
229 while (j < nb_words)
230 d[j++] = 0;
231 }
232
233 static inline int vnc_get_bit(const uint32_t *d, int k)
234 {
235 return (d[k >> 5] >> (k & 0x1f)) & 1;
236 }
237
238 static inline int vnc_and_bits(const uint32_t *d1, const uint32_t *d2,
239 int nb_words)
240 {
241 int i;
242 for(i = 0; i < nb_words; i++) {
243 if ((d1[i] & d2[i]) != 0)
244 return 1;
245 }
246 return 0;
247 }
248
249 static void vnc_update(VncState *vs, int x, int y, int w, int h)
250 {
251 int i;
252
253 h += y;
254
255 /* round x down to ensure the loop only spans one 16-pixel block per,
256 iteration. otherwise, if (x % 16) != 0, the last iteration may span
257 two 16-pixel blocks but we only mark the first as dirty
258 */
259 w += (x % 16);
260 x -= (x % 16);
261
262 x = MIN(x, vs->serverds.width);
263 y = MIN(y, vs->serverds.height);
264 w = MIN(x + w, vs->serverds.width) - x;
265 h = MIN(h, vs->serverds.height);
266
267 for (; y < h; y++)
268 for (i = 0; i < w; i += 16)
269 vnc_set_bit(vs->dirty_row[y], (x + i) / 16);
270 }
271
272 static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
273 {
274 VncDisplay *vd = ds->opaque;
275 VncState *vs = vd->clients;
276 while (vs != NULL) {
277 vnc_update(vs, x, y, w, h);
278 vs = vs->next;
279 }
280 }
281
282 static void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
283 int32_t encoding)
284 {
285 vnc_write_u16(vs, x);
286 vnc_write_u16(vs, y);
287 vnc_write_u16(vs, w);
288 vnc_write_u16(vs, h);
289
290 vnc_write_s32(vs, encoding);
291 }
292
293 static void buffer_reserve(Buffer *buffer, size_t len)
294 {
295 if ((buffer->capacity - buffer->offset) < len) {
296 buffer->capacity += (len + 1024);
297 buffer->buffer = qemu_realloc(buffer->buffer, buffer->capacity);
298 if (buffer->buffer == NULL) {
299 fprintf(stderr, "vnc: out of memory\n");
300 exit(1);
301 }
302 }
303 }
304
305 static int buffer_empty(Buffer *buffer)
306 {
307 return buffer->offset == 0;
308 }
309
310 static uint8_t *buffer_end(Buffer *buffer)
311 {
312 return buffer->buffer + buffer->offset;
313 }
314
315 static void buffer_reset(Buffer *buffer)
316 {
317 buffer->offset = 0;
318 }
319
320 static void buffer_append(Buffer *buffer, const void *data, size_t len)
321 {
322 memcpy(buffer->buffer + buffer->offset, data, len);
323 buffer->offset += len;
324 }
325
326 static void vnc_resize(VncState *vs)
327 {
328 DisplayState *ds = vs->ds;
329
330 int size_changed;
331
332 vs->old_data = qemu_realloc(vs->old_data, ds_get_linesize(ds) * ds_get_height(ds));
333
334 if (vs->old_data == NULL) {
335 fprintf(stderr, "vnc: memory allocation failed\n");
336 exit(1);
337 }
338
339 if (ds_get_bytes_per_pixel(ds) != vs->serverds.pf.bytes_per_pixel)
340 console_color_init(ds);
341 vnc_colordepth(vs);
342 size_changed = ds_get_width(ds) != vs->serverds.width ||
343 ds_get_height(ds) != vs->serverds.height;
344 vs->serverds = *(ds->surface);
345 if (size_changed) {
346 if (vs->csock != -1 && vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
347 vnc_write_u8(vs, 0); /* msg id */
348 vnc_write_u8(vs, 0);
349 vnc_write_u16(vs, 1); /* number of rects */
350 vnc_framebuffer_update(vs, 0, 0, ds_get_width(ds), ds_get_height(ds),
351 VNC_ENCODING_DESKTOPRESIZE);
352 vnc_flush(vs);
353 }
354 }
355
356 memset(vs->dirty_row, 0xFF, sizeof(vs->dirty_row));
357 memset(vs->old_data, 42, ds_get_linesize(vs->ds) * ds_get_height(vs->ds));
358 }
359
360 static void vnc_dpy_resize(DisplayState *ds)
361 {
362 VncDisplay *vd = ds->opaque;
363 VncState *vs = vd->clients;
364 while (vs != NULL) {
365 vnc_resize(vs);
366 vs = vs->next;
367 }
368 }
369
370 /* fastest code */
371 static void vnc_write_pixels_copy(VncState *vs, void *pixels, int size)
372 {
373 vnc_write(vs, pixels, size);
374 }
375
376 /* slowest but generic code. */
377 static void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
378 {
379 uint8_t r, g, b;
380
381 r = ((((v & vs->serverds.pf.rmask) >> vs->serverds.pf.rshift) << vs->clientds.pf.rbits) >>
382 vs->serverds.pf.rbits);
383 g = ((((v & vs->serverds.pf.gmask) >> vs->serverds.pf.gshift) << vs->clientds.pf.gbits) >>
384 vs->serverds.pf.gbits);
385 b = ((((v & vs->serverds.pf.bmask) >> vs->serverds.pf.bshift) << vs->clientds.pf.bbits) >>
386 vs->serverds.pf.bbits);
387 v = (r << vs->clientds.pf.rshift) |
388 (g << vs->clientds.pf.gshift) |
389 (b << vs->clientds.pf.bshift);
390 switch(vs->clientds.pf.bytes_per_pixel) {
391 case 1:
392 buf[0] = v;
393 break;
394 case 2:
395 if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
396 buf[0] = v >> 8;
397 buf[1] = v;
398 } else {
399 buf[1] = v >> 8;
400 buf[0] = v;
401 }
402 break;
403 default:
404 case 4:
405 if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
406 buf[0] = v >> 24;
407 buf[1] = v >> 16;
408 buf[2] = v >> 8;
409 buf[3] = v;
410 } else {
411 buf[3] = v >> 24;
412 buf[2] = v >> 16;
413 buf[1] = v >> 8;
414 buf[0] = v;
415 }
416 break;
417 }
418 }
419
420 static void vnc_write_pixels_generic(VncState *vs, void *pixels1, int size)
421 {
422 uint8_t buf[4];
423
424 if (vs->serverds.pf.bytes_per_pixel == 4) {
425 uint32_t *pixels = pixels1;
426 int n, i;
427 n = size >> 2;
428 for(i = 0; i < n; i++) {
429 vnc_convert_pixel(vs, buf, pixels[i]);
430 vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
431 }
432 } else if (vs->serverds.pf.bytes_per_pixel == 2) {
433 uint16_t *pixels = pixels1;
434 int n, i;
435 n = size >> 1;
436 for(i = 0; i < n; i++) {
437 vnc_convert_pixel(vs, buf, pixels[i]);
438 vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
439 }
440 } else if (vs->serverds.pf.bytes_per_pixel == 1) {
441 uint8_t *pixels = pixels1;
442 int n, i;
443 n = size;
444 for(i = 0; i < n; i++) {
445 vnc_convert_pixel(vs, buf, pixels[i]);
446 vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
447 }
448 } else {
449 fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");
450 }
451 }
452
453 static void send_framebuffer_update_raw(VncState *vs, int x, int y, int w, int h)
454 {
455 int i;
456 uint8_t *row;
457
458 row = ds_get_data(vs->ds) + y * ds_get_linesize(vs->ds) + x * ds_get_bytes_per_pixel(vs->ds);
459 for (i = 0; i < h; i++) {
460 vs->write_pixels(vs, row, w * ds_get_bytes_per_pixel(vs->ds));
461 row += ds_get_linesize(vs->ds);
462 }
463 }
464
465 static void hextile_enc_cord(uint8_t *ptr, int x, int y, int w, int h)
466 {
467 ptr[0] = ((x & 0x0F) << 4) | (y & 0x0F);
468 ptr[1] = (((w - 1) & 0x0F) << 4) | ((h - 1) & 0x0F);
469 }
470
471 #define BPP 8
472 #include "vnchextile.h"
473 #undef BPP
474
475 #define BPP 16
476 #include "vnchextile.h"
477 #undef BPP
478
479 #define BPP 32
480 #include "vnchextile.h"
481 #undef BPP
482
483 #define GENERIC
484 #define BPP 8
485 #include "vnchextile.h"
486 #undef BPP
487 #undef GENERIC
488
489 #define GENERIC
490 #define BPP 16
491 #include "vnchextile.h"
492 #undef BPP
493 #undef GENERIC
494
495 #define GENERIC
496 #define BPP 32
497 #include "vnchextile.h"
498 #undef BPP
499 #undef GENERIC
500
501 static void send_framebuffer_update_hextile(VncState *vs, int x, int y, int w, int h)
502 {
503 int i, j;
504 int has_fg, has_bg;
505 uint8_t *last_fg, *last_bg;
506
507 last_fg = (uint8_t *) qemu_malloc(vs->serverds.pf.bytes_per_pixel);
508 last_bg = (uint8_t *) qemu_malloc(vs->serverds.pf.bytes_per_pixel);
509 has_fg = has_bg = 0;
510 for (j = y; j < (y + h); j += 16) {
511 for (i = x; i < (x + w); i += 16) {
512 vs->send_hextile_tile(vs, i, j,
513 MIN(16, x + w - i), MIN(16, y + h - j),
514 last_bg, last_fg, &has_bg, &has_fg);
515 }
516 }
517 free(last_fg);
518 free(last_bg);
519
520 }
521
522 static void vnc_zlib_init(VncState *vs)
523 {
524 int i;
525 for (i=0; i<(sizeof(vs->zlib_stream) / sizeof(z_stream)); i++)
526 vs->zlib_stream[i].opaque = NULL;
527 }
528
529 static void vnc_zlib_start(VncState *vs)
530 {
531 buffer_reset(&vs->zlib);
532
533 // make the output buffer be the zlib buffer, so we can compress it later
534 vs->zlib_tmp = vs->output;
535 vs->output = vs->zlib;
536 }
537
538 static int vnc_zlib_stop(VncState *vs, int stream_id)
539 {
540 z_streamp zstream = &vs->zlib_stream[stream_id];
541 int previous_out;
542
543 // switch back to normal output/zlib buffers
544 vs->zlib = vs->output;
545 vs->output = vs->zlib_tmp;
546
547 // compress the zlib buffer
548
549 // initialize the stream
550 // XXX need one stream per session
551 if (zstream->opaque != vs) {
552 int err;
553
554 VNC_DEBUG("VNC: initializing zlib stream %d\n", stream_id);
555 VNC_DEBUG("VNC: opaque = %p | vs = %p\n", zstream->opaque, vs);
556 zstream->zalloc = Z_NULL;
557 zstream->zfree = Z_NULL;
558
559 err = deflateInit2(zstream, vs->tight_compression, Z_DEFLATED, MAX_WBITS,
560 MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
561
562 if (err != Z_OK) {
563 fprintf(stderr, "VNC: error initializing zlib\n");
564 return -1;
565 }
566
567 zstream->opaque = vs;
568 }
569
570 // XXX what to do if tight_compression changed in between?
571
572 // reserve memory in output buffer
573 buffer_reserve(&vs->output, vs->zlib.offset + 64);
574
575 // set pointers
576 zstream->next_in = vs->zlib.buffer;
577 zstream->avail_in = vs->zlib.offset;
578 zstream->next_out = vs->output.buffer + vs->output.offset;
579 zstream->avail_out = vs->output.capacity - vs->output.offset;
580 zstream->data_type = Z_BINARY;
581 previous_out = zstream->total_out;
582
583 // start encoding
584 if (deflate(zstream, Z_SYNC_FLUSH) != Z_OK) {
585 fprintf(stderr, "VNC: error during zlib compression\n");
586 return -1;
587 }
588
589 vs->output.offset = vs->output.capacity - zstream->avail_out;
590 return zstream->total_out - previous_out;
591 }
592
593 static void send_framebuffer_update_zlib(VncState *vs, int x, int y, int w, int h)
594 {
595 int old_offset, new_offset, bytes_written;
596
597 vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_ZLIB);
598
599 // remember where we put in the follow-up size
600 old_offset = vs->output.offset;
601 vnc_write_s32(vs, 0);
602
603 // compress the stream
604 vnc_zlib_start(vs);
605 send_framebuffer_update_raw(vs, x, y, w, h);
606 bytes_written = vnc_zlib_stop(vs, 0);
607
608 if (bytes_written == -1)
609 return;
610
611 // hack in the size
612 new_offset = vs->output.offset;
613 vs->output.offset = old_offset;
614 vnc_write_u32(vs, bytes_written);
615 vs->output.offset = new_offset;
616 }
617
618 static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
619 {
620 switch(vs->vnc_encoding) {
621 case VNC_ENCODING_ZLIB:
622 send_framebuffer_update_zlib(vs, x, y, w, h);
623 break;
624 case VNC_ENCODING_HEXTILE:
625 vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
626 send_framebuffer_update_hextile(vs, x, y, w, h);
627 break;
628 default:
629 vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
630 send_framebuffer_update_raw(vs, x, y, w, h);
631 break;
632 }
633 }
634
635 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
636 {
637 vnc_update_client(vs);
638
639 vnc_write_u8(vs, 0); /* msg id */
640 vnc_write_u8(vs, 0);
641 vnc_write_u16(vs, 1); /* number of rects */
642 vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
643 vnc_write_u16(vs, src_x);
644 vnc_write_u16(vs, src_y);
645 vnc_flush(vs);
646 }
647
648 static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
649 {
650 VncDisplay *vd = ds->opaque;
651 VncState *vs = vd->clients;
652 while (vs != NULL) {
653 if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT))
654 vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
655 else /* TODO */
656 vnc_update(vs, dst_x, dst_y, w, h);
657 vs = vs->next;
658 }
659 }
660
661 static int find_dirty_height(VncState *vs, int y, int last_x, int x)
662 {
663 int h;
664
665 for (h = 1; h < (vs->serverds.height - y); h++) {
666 int tmp_x;
667 if (!vnc_get_bit(vs->dirty_row[y + h], last_x))
668 break;
669 for (tmp_x = last_x; tmp_x < x; tmp_x++)
670 vnc_clear_bit(vs->dirty_row[y + h], tmp_x);
671 }
672
673 return h;
674 }
675
676 static void vnc_update_client(void *opaque)
677 {
678 VncState *vs = opaque;
679 if (vs->need_update && vs->csock != -1) {
680 int y;
681 uint8_t *row;
682 char *old_row;
683 uint32_t width_mask[VNC_DIRTY_WORDS];
684 int n_rectangles;
685 int saved_offset;
686 int has_dirty = 0;
687
688 vga_hw_update();
689
690 vnc_set_bits(width_mask, (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
691
692 /* Walk through the dirty map and eliminate tiles that
693 really aren't dirty */
694 row = ds_get_data(vs->ds);
695 old_row = vs->old_data;
696
697 for (y = 0; y < ds_get_height(vs->ds); y++) {
698 if (vnc_and_bits(vs->dirty_row[y], width_mask, VNC_DIRTY_WORDS)) {
699 int x;
700 uint8_t *ptr;
701 char *old_ptr;
702
703 ptr = row;
704 old_ptr = (char*)old_row;
705
706 for (x = 0; x < ds_get_width(vs->ds); x += 16) {
707 if (memcmp(old_ptr, ptr, 16 * ds_get_bytes_per_pixel(vs->ds)) == 0) {
708 vnc_clear_bit(vs->dirty_row[y], (x / 16));
709 } else {
710 has_dirty = 1;
711 memcpy(old_ptr, ptr, 16 * ds_get_bytes_per_pixel(vs->ds));
712 }
713
714 ptr += 16 * ds_get_bytes_per_pixel(vs->ds);
715 old_ptr += 16 * ds_get_bytes_per_pixel(vs->ds);
716 }
717 }
718
719 row += ds_get_linesize(vs->ds);
720 old_row += ds_get_linesize(vs->ds);
721 }
722
723 if (!has_dirty && !vs->audio_cap) {
724 qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
725 return;
726 }
727
728 /* Count rectangles */
729 n_rectangles = 0;
730 vnc_write_u8(vs, 0); /* msg id */
731 vnc_write_u8(vs, 0);
732 saved_offset = vs->output.offset;
733 vnc_write_u16(vs, 0);
734
735 for (y = 0; y < vs->serverds.height; y++) {
736 int x;
737 int last_x = -1;
738 for (x = 0; x < vs->serverds.width / 16; x++) {
739 if (vnc_get_bit(vs->dirty_row[y], x)) {
740 if (last_x == -1) {
741 last_x = x;
742 }
743 vnc_clear_bit(vs->dirty_row[y], x);
744 } else {
745 if (last_x != -1) {
746 int h = find_dirty_height(vs, y, last_x, x);
747 send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
748 n_rectangles++;
749 }
750 last_x = -1;
751 }
752 }
753 if (last_x != -1) {
754 int h = find_dirty_height(vs, y, last_x, x);
755 send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
756 n_rectangles++;
757 }
758 }
759 vs->output.buffer[saved_offset] = (n_rectangles >> 8) & 0xFF;
760 vs->output.buffer[saved_offset + 1] = n_rectangles & 0xFF;
761 vnc_flush(vs);
762
763 }
764
765 if (vs->csock != -1) {
766 qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
767 }
768
769 }
770
771 /* audio */
772 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
773 {
774 VncState *vs = opaque;
775
776 switch (cmd) {
777 case AUD_CNOTIFY_DISABLE:
778 vnc_write_u8(vs, 255);
779 vnc_write_u8(vs, 1);
780 vnc_write_u16(vs, 0);
781 vnc_flush(vs);
782 break;
783
784 case AUD_CNOTIFY_ENABLE:
785 vnc_write_u8(vs, 255);
786 vnc_write_u8(vs, 1);
787 vnc_write_u16(vs, 1);
788 vnc_flush(vs);
789 break;
790 }
791 }
792
793 static void audio_capture_destroy(void *opaque)
794 {
795 }
796
797 static void audio_capture(void *opaque, void *buf, int size)
798 {
799 VncState *vs = opaque;
800
801 vnc_write_u8(vs, 255);
802 vnc_write_u8(vs, 1);
803 vnc_write_u16(vs, 2);
804 vnc_write_u32(vs, size);
805 vnc_write(vs, buf, size);
806 vnc_flush(vs);
807 }
808
809 static void audio_add(VncState *vs)
810 {
811 Monitor *mon = cur_mon;
812 struct audio_capture_ops ops;
813
814 if (vs->audio_cap) {
815 monitor_printf(mon, "audio already running\n");
816 return;
817 }
818
819 ops.notify = audio_capture_notify;
820 ops.destroy = audio_capture_destroy;
821 ops.capture = audio_capture;
822
823 vs->audio_cap = AUD_add_capture(NULL, &vs->as, &ops, vs);
824 if (!vs->audio_cap) {
825 monitor_printf(mon, "Failed to add audio capture\n");
826 }
827 }
828
829 static void audio_del(VncState *vs)
830 {
831 if (vs->audio_cap) {
832 AUD_del_capture(vs->audio_cap, vs);
833 vs->audio_cap = NULL;
834 }
835 }
836
837 static int vnc_client_io_error(VncState *vs, int ret, int last_errno)
838 {
839 if (ret == 0 || ret == -1) {
840 if (ret == -1) {
841 switch (last_errno) {
842 case EINTR:
843 case EAGAIN:
844 #ifdef _WIN32
845 case WSAEWOULDBLOCK:
846 #endif
847 return 0;
848 default:
849 break;
850 }
851 }
852
853 VNC_DEBUG("Closing down client sock %d %d\n", ret, ret < 0 ? last_errno : 0);
854 qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
855 closesocket(vs->csock);
856 qemu_del_timer(vs->timer);
857 qemu_free_timer(vs->timer);
858 if (vs->input.buffer) qemu_free(vs->input.buffer);
859 if (vs->output.buffer) qemu_free(vs->output.buffer);
860 #ifdef CONFIG_VNC_TLS
861 if (vs->tls_session) {
862 gnutls_deinit(vs->tls_session);
863 vs->tls_session = NULL;
864 }
865 #endif /* CONFIG_VNC_TLS */
866 audio_del(vs);
867
868 VncState *p, *parent = NULL;
869 for (p = vs->vd->clients; p != NULL; p = p->next) {
870 if (p == vs) {
871 if (parent)
872 parent->next = p->next;
873 else
874 vs->vd->clients = p->next;
875 break;
876 }
877 parent = p;
878 }
879 if (!vs->vd->clients)
880 dcl->idle = 1;
881
882 qemu_free(vs->old_data);
883 qemu_free(vs);
884
885 return 0;
886 }
887 return ret;
888 }
889
890 static void vnc_client_error(VncState *vs)
891 {
892 vnc_client_io_error(vs, -1, EINVAL);
893 }
894
895 static void vnc_client_write(void *opaque)
896 {
897 long ret;
898 VncState *vs = opaque;
899
900 #ifdef CONFIG_VNC_TLS
901 if (vs->tls_session) {
902 ret = gnutls_write(vs->tls_session, vs->output.buffer, vs->output.offset);
903 if (ret < 0) {
904 if (ret == GNUTLS_E_AGAIN)
905 errno = EAGAIN;
906 else
907 errno = EIO;
908 ret = -1;
909 }
910 } else
911 #endif /* CONFIG_VNC_TLS */
912 ret = send(vs->csock, vs->output.buffer, vs->output.offset, 0);
913 ret = vnc_client_io_error(vs, ret, socket_error());
914 if (!ret)
915 return;
916
917 memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
918 vs->output.offset -= ret;
919
920 if (vs->output.offset == 0) {
921 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
922 }
923 }
924
925 static void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
926 {
927 vs->read_handler = func;
928 vs->read_handler_expect = expecting;
929 }
930
931 static void vnc_client_read(void *opaque)
932 {
933 VncState *vs = opaque;
934 long ret;
935
936 buffer_reserve(&vs->input, 4096);
937
938 #ifdef CONFIG_VNC_TLS
939 if (vs->tls_session) {
940 ret = gnutls_read(vs->tls_session, buffer_end(&vs->input), 4096);
941 if (ret < 0) {
942 if (ret == GNUTLS_E_AGAIN)
943 errno = EAGAIN;
944 else
945 errno = EIO;
946 ret = -1;
947 }
948 } else
949 #endif /* CONFIG_VNC_TLS */
950 ret = recv(vs->csock, buffer_end(&vs->input), 4096, 0);
951 ret = vnc_client_io_error(vs, ret, socket_error());
952 if (!ret)
953 return;
954
955 vs->input.offset += ret;
956
957 while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
958 size_t len = vs->read_handler_expect;
959 int ret;
960
961 ret = vs->read_handler(vs, vs->input.buffer, len);
962 if (vs->csock == -1)
963 return;
964
965 if (!ret) {
966 memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
967 vs->input.offset -= len;
968 } else {
969 vs->read_handler_expect = ret;
970 }
971 }
972 }
973
974 static void vnc_write(VncState *vs, const void *data, size_t len)
975 {
976 buffer_reserve(&vs->output, len);
977
978 if (buffer_empty(&vs->output)) {
979 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
980 }
981
982 buffer_append(&vs->output, data, len);
983 }
984
985 static void vnc_write_s32(VncState *vs, int32_t value)
986 {
987 vnc_write_u32(vs, *(uint32_t *)&value);
988 }
989
990 static void vnc_write_u32(VncState *vs, uint32_t value)
991 {
992 uint8_t buf[4];
993
994 buf[0] = (value >> 24) & 0xFF;
995 buf[1] = (value >> 16) & 0xFF;
996 buf[2] = (value >> 8) & 0xFF;
997 buf[3] = value & 0xFF;
998
999 vnc_write(vs, buf, 4);
1000 }
1001
1002 static void vnc_write_u16(VncState *vs, uint16_t value)
1003 {
1004 uint8_t buf[2];
1005
1006 buf[0] = (value >> 8) & 0xFF;
1007 buf[1] = value & 0xFF;
1008
1009 vnc_write(vs, buf, 2);
1010 }
1011
1012 static void vnc_write_u8(VncState *vs, uint8_t value)
1013 {
1014 vnc_write(vs, (char *)&value, 1);
1015 }
1016
1017 static void vnc_flush(VncState *vs)
1018 {
1019 if (vs->output.offset)
1020 vnc_client_write(vs);
1021 }
1022
1023 static uint8_t read_u8(uint8_t *data, size_t offset)
1024 {
1025 return data[offset];
1026 }
1027
1028 static uint16_t read_u16(uint8_t *data, size_t offset)
1029 {
1030 return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1031 }
1032
1033 static int32_t read_s32(uint8_t *data, size_t offset)
1034 {
1035 return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1036 (data[offset + 2] << 8) | data[offset + 3]);
1037 }
1038
1039 static uint32_t read_u32(uint8_t *data, size_t offset)
1040 {
1041 return ((data[offset] << 24) | (data[offset + 1] << 16) |
1042 (data[offset + 2] << 8) | data[offset + 3]);
1043 }
1044
1045 #ifdef CONFIG_VNC_TLS
1046 static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,
1047 const void *data,
1048 size_t len) {
1049 struct VncState *vs = (struct VncState *)transport;
1050 int ret;
1051
1052 retry:
1053 ret = send(vs->csock, data, len, 0);
1054 if (ret < 0) {
1055 if (errno == EINTR)
1056 goto retry;
1057 return -1;
1058 }
1059 return ret;
1060 }
1061
1062
1063 static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,
1064 void *data,
1065 size_t len) {
1066 struct VncState *vs = (struct VncState *)transport;
1067 int ret;
1068
1069 retry:
1070 ret = recv(vs->csock, data, len, 0);
1071 if (ret < 0) {
1072 if (errno == EINTR)
1073 goto retry;
1074 return -1;
1075 }
1076 return ret;
1077 }
1078 #endif /* CONFIG_VNC_TLS */
1079
1080 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1081 {
1082 }
1083
1084 static void check_pointer_type_change(VncState *vs, int absolute)
1085 {
1086 if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1087 vnc_write_u8(vs, 0);
1088 vnc_write_u8(vs, 0);
1089 vnc_write_u16(vs, 1);
1090 vnc_framebuffer_update(vs, absolute, 0,
1091 ds_get_width(vs->ds), ds_get_height(vs->ds),
1092 VNC_ENCODING_POINTER_TYPE_CHANGE);
1093 vnc_flush(vs);
1094 }
1095 vs->absolute = absolute;
1096 }
1097
1098 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1099 {
1100 int buttons = 0;
1101 int dz = 0;
1102
1103 if (button_mask & 0x01)
1104 buttons |= MOUSE_EVENT_LBUTTON;
1105 if (button_mask & 0x02)
1106 buttons |= MOUSE_EVENT_MBUTTON;
1107 if (button_mask & 0x04)
1108 buttons |= MOUSE_EVENT_RBUTTON;
1109 if (button_mask & 0x08)
1110 dz = -1;
1111 if (button_mask & 0x10)
1112 dz = 1;
1113
1114 if (vs->absolute) {
1115 kbd_mouse_event(x * 0x7FFF / (ds_get_width(vs->ds) - 1),
1116 y * 0x7FFF / (ds_get_height(vs->ds) - 1),
1117 dz, buttons);
1118 } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1119 x -= 0x7FFF;
1120 y -= 0x7FFF;
1121
1122 kbd_mouse_event(x, y, dz, buttons);
1123 } else {
1124 if (vs->last_x != -1)
1125 kbd_mouse_event(x - vs->last_x,
1126 y - vs->last_y,
1127 dz, buttons);
1128 vs->last_x = x;
1129 vs->last_y = y;
1130 }
1131
1132 check_pointer_type_change(vs, kbd_mouse_is_absolute());
1133 }
1134
1135 static void reset_keys(VncState *vs)
1136 {
1137 int i;
1138 for(i = 0; i < 256; i++) {
1139 if (vs->modifiers_state[i]) {
1140 if (i & 0x80)
1141 kbd_put_keycode(0xe0);
1142 kbd_put_keycode(i | 0x80);
1143 vs->modifiers_state[i] = 0;
1144 }
1145 }
1146 }
1147
1148 static void press_key(VncState *vs, int keysym)
1149 {
1150 kbd_put_keycode(keysym2scancode(vs->vd->kbd_layout, keysym) & 0x7f);
1151 kbd_put_keycode(keysym2scancode(vs->vd->kbd_layout, keysym) | 0x80);
1152 }
1153
1154 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1155 {
1156 /* QEMU console switch */
1157 switch(keycode) {
1158 case 0x2a: /* Left Shift */
1159 case 0x36: /* Right Shift */
1160 case 0x1d: /* Left CTRL */
1161 case 0x9d: /* Right CTRL */
1162 case 0x38: /* Left ALT */
1163 case 0xb8: /* Right ALT */
1164 if (down)
1165 vs->modifiers_state[keycode] = 1;
1166 else
1167 vs->modifiers_state[keycode] = 0;
1168 break;
1169 case 0x02 ... 0x0a: /* '1' to '9' keys */
1170 if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1171 /* Reset the modifiers sent to the current console */
1172 reset_keys(vs);
1173 console_select(keycode - 0x02);
1174 return;
1175 }
1176 break;
1177 case 0x3a: /* CapsLock */
1178 case 0x45: /* NumLock */
1179 if (!down)
1180 vs->modifiers_state[keycode] ^= 1;
1181 break;
1182 }
1183
1184 if (keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1185 /* If the numlock state needs to change then simulate an additional
1186 keypress before sending this one. This will happen if the user
1187 toggles numlock away from the VNC window.
1188 */
1189 if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1190 if (!vs->modifiers_state[0x45]) {
1191 vs->modifiers_state[0x45] = 1;
1192 press_key(vs, 0xff7f);
1193 }
1194 } else {
1195 if (vs->modifiers_state[0x45]) {
1196 vs->modifiers_state[0x45] = 0;
1197 press_key(vs, 0xff7f);
1198 }
1199 }
1200 }
1201
1202 if (is_graphic_console()) {
1203 if (keycode & 0x80)
1204 kbd_put_keycode(0xe0);
1205 if (down)
1206 kbd_put_keycode(keycode & 0x7f);
1207 else
1208 kbd_put_keycode(keycode | 0x80);
1209 } else {
1210 /* QEMU console emulation */
1211 if (down) {
1212 switch (keycode) {
1213 case 0x2a: /* Left Shift */
1214 case 0x36: /* Right Shift */
1215 case 0x1d: /* Left CTRL */
1216 case 0x9d: /* Right CTRL */
1217 case 0x38: /* Left ALT */
1218 case 0xb8: /* Right ALT */
1219 break;
1220 case 0xc8:
1221 kbd_put_keysym(QEMU_KEY_UP);
1222 break;
1223 case 0xd0:
1224 kbd_put_keysym(QEMU_KEY_DOWN);
1225 break;
1226 case 0xcb:
1227 kbd_put_keysym(QEMU_KEY_LEFT);
1228 break;
1229 case 0xcd:
1230 kbd_put_keysym(QEMU_KEY_RIGHT);
1231 break;
1232 case 0xd3:
1233 kbd_put_keysym(QEMU_KEY_DELETE);
1234 break;
1235 case 0xc7:
1236 kbd_put_keysym(QEMU_KEY_HOME);
1237 break;
1238 case 0xcf:
1239 kbd_put_keysym(QEMU_KEY_END);
1240 break;
1241 case 0xc9:
1242 kbd_put_keysym(QEMU_KEY_PAGEUP);
1243 break;
1244 case 0xd1:
1245 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1246 break;
1247 default:
1248 kbd_put_keysym(sym);
1249 break;
1250 }
1251 }
1252 }
1253 }
1254
1255 static void key_event(VncState *vs, int down, uint32_t sym)
1256 {
1257 int keycode;
1258
1259 if (sym >= 'A' && sym <= 'Z' && is_graphic_console())
1260 sym = sym - 'A' + 'a';
1261
1262 keycode = keysym2scancode(vs->vd->kbd_layout, sym & 0xFFFF);
1263 do_key_event(vs, down, keycode, sym);
1264 }
1265
1266 static void ext_key_event(VncState *vs, int down,
1267 uint32_t sym, uint16_t keycode)
1268 {
1269 /* if the user specifies a keyboard layout, always use it */
1270 if (keyboard_layout)
1271 key_event(vs, down, sym);
1272 else
1273 do_key_event(vs, down, keycode, sym);
1274 }
1275
1276 static void framebuffer_update_request(VncState *vs, int incremental,
1277 int x_position, int y_position,
1278 int w, int h)
1279 {
1280 if (x_position > ds_get_width(vs->ds))
1281 x_position = ds_get_width(vs->ds);
1282 if (y_position > ds_get_height(vs->ds))
1283 y_position = ds_get_height(vs->ds);
1284 if (x_position + w >= ds_get_width(vs->ds))
1285 w = ds_get_width(vs->ds) - x_position;
1286 if (y_position + h >= ds_get_height(vs->ds))
1287 h = ds_get_height(vs->ds) - y_position;
1288
1289 int i;
1290 vs->need_update = 1;
1291 if (!incremental) {
1292 char *old_row = vs->old_data + y_position * ds_get_linesize(vs->ds);
1293
1294 for (i = 0; i < h; i++) {
1295 vnc_set_bits(vs->dirty_row[y_position + i],
1296 (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
1297 memset(old_row, 42, ds_get_width(vs->ds) * ds_get_bytes_per_pixel(vs->ds));
1298 old_row += ds_get_linesize(vs->ds);
1299 }
1300 }
1301 }
1302
1303 static void send_ext_key_event_ack(VncState *vs)
1304 {
1305 vnc_write_u8(vs, 0);
1306 vnc_write_u8(vs, 0);
1307 vnc_write_u16(vs, 1);
1308 vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1309 VNC_ENCODING_EXT_KEY_EVENT);
1310 vnc_flush(vs);
1311 }
1312
1313 static void send_ext_audio_ack(VncState *vs)
1314 {
1315 vnc_write_u8(vs, 0);
1316 vnc_write_u8(vs, 0);
1317 vnc_write_u16(vs, 1);
1318 vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1319 VNC_ENCODING_AUDIO);
1320 vnc_flush(vs);
1321 }
1322
1323 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1324 {
1325 int i;
1326 unsigned int enc = 0;
1327
1328 vnc_zlib_init(vs);
1329 vs->features = 0;
1330 vs->vnc_encoding = 0;
1331 vs->tight_compression = 9;
1332 vs->tight_quality = 9;
1333 vs->absolute = -1;
1334
1335 for (i = n_encodings - 1; i >= 0; i--) {
1336 enc = encodings[i];
1337 switch (enc) {
1338 case VNC_ENCODING_RAW:
1339 vs->vnc_encoding = enc;
1340 break;
1341 case VNC_ENCODING_COPYRECT:
1342 vs->features |= VNC_FEATURE_COPYRECT_MASK;
1343 break;
1344 case VNC_ENCODING_HEXTILE:
1345 vs->features |= VNC_FEATURE_HEXTILE_MASK;
1346 vs->vnc_encoding = enc;
1347 break;
1348 case VNC_ENCODING_ZLIB:
1349 vs->features |= VNC_FEATURE_ZLIB_MASK;
1350 vs->vnc_encoding = enc;
1351 break;
1352 case VNC_ENCODING_DESKTOPRESIZE:
1353 vs->features |= VNC_FEATURE_RESIZE_MASK;
1354 break;
1355 case VNC_ENCODING_POINTER_TYPE_CHANGE:
1356 vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1357 break;
1358 case VNC_ENCODING_EXT_KEY_EVENT:
1359 send_ext_key_event_ack(vs);
1360 break;
1361 case VNC_ENCODING_AUDIO:
1362 send_ext_audio_ack(vs);
1363 break;
1364 case VNC_ENCODING_WMVi:
1365 vs->features |= VNC_FEATURE_WMVI_MASK;
1366 break;
1367 case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1368 vs->tight_compression = (enc & 0x0F);
1369 break;
1370 case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1371 vs->tight_quality = (enc & 0x0F);
1372 break;
1373 default:
1374 VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1375 break;
1376 }
1377 }
1378
1379 check_pointer_type_change(vs, kbd_mouse_is_absolute());
1380 }
1381
1382 static void set_pixel_conversion(VncState *vs)
1383 {
1384 if ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) ==
1385 (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) &&
1386 !memcmp(&(vs->clientds.pf), &(vs->ds->surface->pf), sizeof(PixelFormat))) {
1387 vs->write_pixels = vnc_write_pixels_copy;
1388 switch (vs->ds->surface->pf.bits_per_pixel) {
1389 case 8:
1390 vs->send_hextile_tile = send_hextile_tile_8;
1391 break;
1392 case 16:
1393 vs->send_hextile_tile = send_hextile_tile_16;
1394 break;
1395 case 32:
1396 vs->send_hextile_tile = send_hextile_tile_32;
1397 break;
1398 }
1399 } else {
1400 vs->write_pixels = vnc_write_pixels_generic;
1401 switch (vs->ds->surface->pf.bits_per_pixel) {
1402 case 8:
1403 vs->send_hextile_tile = send_hextile_tile_generic_8;
1404 break;
1405 case 16:
1406 vs->send_hextile_tile = send_hextile_tile_generic_16;
1407 break;
1408 case 32:
1409 vs->send_hextile_tile = send_hextile_tile_generic_32;
1410 break;
1411 }
1412 }
1413 }
1414
1415 static void set_pixel_format(VncState *vs,
1416 int bits_per_pixel, int depth,
1417 int big_endian_flag, int true_color_flag,
1418 int red_max, int green_max, int blue_max,
1419 int red_shift, int green_shift, int blue_shift)
1420 {
1421 if (!true_color_flag) {
1422 vnc_client_error(vs);
1423 return;
1424 }
1425
1426 vs->clientds = vs->serverds;
1427 vs->clientds.pf.rmax = red_max;
1428 count_bits(vs->clientds.pf.rbits, red_max);
1429 vs->clientds.pf.rshift = red_shift;
1430 vs->clientds.pf.rmask = red_max << red_shift;
1431 vs->clientds.pf.gmax = green_max;
1432 count_bits(vs->clientds.pf.gbits, green_max);
1433 vs->clientds.pf.gshift = green_shift;
1434 vs->clientds.pf.gmask = green_max << green_shift;
1435 vs->clientds.pf.bmax = blue_max;
1436 count_bits(vs->clientds.pf.bbits, blue_max);
1437 vs->clientds.pf.bshift = blue_shift;
1438 vs->clientds.pf.bmask = blue_max << blue_shift;
1439 vs->clientds.pf.bits_per_pixel = bits_per_pixel;
1440 vs->clientds.pf.bytes_per_pixel = bits_per_pixel / 8;
1441 vs->clientds.pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
1442 vs->clientds.flags = big_endian_flag ? QEMU_BIG_ENDIAN_FLAG : 0x00;
1443
1444 set_pixel_conversion(vs);
1445
1446 vga_hw_invalidate();
1447 vga_hw_update();
1448 }
1449
1450 static void pixel_format_message (VncState *vs) {
1451 char pad[3] = { 0, 0, 0 };
1452
1453 vnc_write_u8(vs, vs->ds->surface->pf.bits_per_pixel); /* bits-per-pixel */
1454 vnc_write_u8(vs, vs->ds->surface->pf.depth); /* depth */
1455
1456 #ifdef WORDS_BIGENDIAN
1457 vnc_write_u8(vs, 1); /* big-endian-flag */
1458 #else
1459 vnc_write_u8(vs, 0); /* big-endian-flag */
1460 #endif
1461 vnc_write_u8(vs, 1); /* true-color-flag */
1462 vnc_write_u16(vs, vs->ds->surface->pf.rmax); /* red-max */
1463 vnc_write_u16(vs, vs->ds->surface->pf.gmax); /* green-max */
1464 vnc_write_u16(vs, vs->ds->surface->pf.bmax); /* blue-max */
1465 vnc_write_u8(vs, vs->ds->surface->pf.rshift); /* red-shift */
1466 vnc_write_u8(vs, vs->ds->surface->pf.gshift); /* green-shift */
1467 vnc_write_u8(vs, vs->ds->surface->pf.bshift); /* blue-shift */
1468 if (vs->ds->surface->pf.bits_per_pixel == 32)
1469 vs->send_hextile_tile = send_hextile_tile_32;
1470 else if (vs->ds->surface->pf.bits_per_pixel == 16)
1471 vs->send_hextile_tile = send_hextile_tile_16;
1472 else if (vs->ds->surface->pf.bits_per_pixel == 8)
1473 vs->send_hextile_tile = send_hextile_tile_8;
1474 vs->clientds = *(vs->ds->surface);
1475 vs->clientds.flags |= ~QEMU_ALLOCATED_FLAG;
1476 vs->write_pixels = vnc_write_pixels_copy;
1477
1478 vnc_write(vs, pad, 3); /* padding */
1479 }
1480
1481 static void vnc_dpy_setdata(DisplayState *ds)
1482 {
1483 /* We don't have to do anything */
1484 }
1485
1486 static void vnc_colordepth(VncState *vs)
1487 {
1488 if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
1489 /* Sending a WMVi message to notify the client*/
1490 vnc_write_u8(vs, 0); /* msg id */
1491 vnc_write_u8(vs, 0);
1492 vnc_write_u16(vs, 1); /* number of rects */
1493 vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
1494 ds_get_height(vs->ds), VNC_ENCODING_WMVi);
1495 pixel_format_message(vs);
1496 vnc_flush(vs);
1497 } else {
1498 set_pixel_conversion(vs);
1499 }
1500 }
1501
1502 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
1503 {
1504 int i;
1505 uint16_t limit;
1506
1507 switch (data[0]) {
1508 case 0:
1509 if (len == 1)
1510 return 20;
1511
1512 set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
1513 read_u8(data, 6), read_u8(data, 7),
1514 read_u16(data, 8), read_u16(data, 10),
1515 read_u16(data, 12), read_u8(data, 14),
1516 read_u8(data, 15), read_u8(data, 16));
1517 break;
1518 case 2:
1519 if (len == 1)
1520 return 4;
1521
1522 if (len == 4) {
1523 limit = read_u16(data, 2);
1524 if (limit > 0)
1525 return 4 + (limit * 4);
1526 } else
1527 limit = read_u16(data, 2);
1528
1529 for (i = 0; i < limit; i++) {
1530 int32_t val = read_s32(data, 4 + (i * 4));
1531 memcpy(data + 4 + (i * 4), &val, sizeof(val));
1532 }
1533
1534 set_encodings(vs, (int32_t *)(data + 4), limit);
1535 break;
1536 case 3:
1537 if (len == 1)
1538 return 10;
1539
1540 framebuffer_update_request(vs,
1541 read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
1542 read_u16(data, 6), read_u16(data, 8));
1543 break;
1544 case 4:
1545 if (len == 1)
1546 return 8;
1547
1548 key_event(vs, read_u8(data, 1), read_u32(data, 4));
1549 break;
1550 case 5:
1551 if (len == 1)
1552 return 6;
1553
1554 pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
1555 break;
1556 case 6:
1557 if (len == 1)
1558 return 8;
1559
1560 if (len == 8) {
1561 uint32_t dlen = read_u32(data, 4);
1562 if (dlen > 0)
1563 return 8 + dlen;
1564 }
1565
1566 client_cut_text(vs, read_u32(data, 4), data + 8);
1567 break;
1568 case 255:
1569 if (len == 1)
1570 return 2;
1571
1572 switch (read_u8(data, 1)) {
1573 case 0:
1574 if (len == 2)
1575 return 12;
1576
1577 ext_key_event(vs, read_u16(data, 2),
1578 read_u32(data, 4), read_u32(data, 8));
1579 break;
1580 case 1:
1581 if (len == 2)
1582 return 4;
1583
1584 switch (read_u16 (data, 2)) {
1585 case 0:
1586 audio_add(vs);
1587 break;
1588 case 1:
1589 audio_del(vs);
1590 break;
1591 case 2:
1592 if (len == 4)
1593 return 10;
1594 switch (read_u8(data, 4)) {
1595 case 0: vs->as.fmt = AUD_FMT_U8; break;
1596 case 1: vs->as.fmt = AUD_FMT_S8; break;
1597 case 2: vs->as.fmt = AUD_FMT_U16; break;
1598 case 3: vs->as.fmt = AUD_FMT_S16; break;
1599 case 4: vs->as.fmt = AUD_FMT_U32; break;
1600 case 5: vs->as.fmt = AUD_FMT_S32; break;
1601 default:
1602 printf("Invalid audio format %d\n", read_u8(data, 4));
1603 vnc_client_error(vs);
1604 break;
1605 }
1606 vs->as.nchannels = read_u8(data, 5);
1607 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
1608 printf("Invalid audio channel coount %d\n",
1609 read_u8(data, 5));
1610 vnc_client_error(vs);
1611 break;
1612 }
1613 vs->as.freq = read_u32(data, 6);
1614 break;
1615 default:
1616 printf ("Invalid audio message %d\n", read_u8(data, 4));
1617 vnc_client_error(vs);
1618 break;
1619 }
1620 break;
1621
1622 default:
1623 printf("Msg: %d\n", read_u16(data, 0));
1624 vnc_client_error(vs);
1625 break;
1626 }
1627 break;
1628 default:
1629 printf("Msg: %d\n", data[0]);
1630 vnc_client_error(vs);
1631 break;
1632 }
1633
1634 vnc_read_when(vs, protocol_client_msg, 1);
1635 return 0;
1636 }
1637
1638 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
1639 {
1640 char buf[1024];
1641 int size;
1642
1643 vnc_write_u16(vs, ds_get_width(vs->ds));
1644 vnc_write_u16(vs, ds_get_height(vs->ds));
1645
1646 pixel_format_message(vs);
1647
1648 if (qemu_name)
1649 size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
1650 else
1651 size = snprintf(buf, sizeof(buf), "QEMU");
1652
1653 vnc_write_u32(vs, size);
1654 vnc_write(vs, buf, size);
1655 vnc_flush(vs);
1656
1657 vnc_read_when(vs, protocol_client_msg, 1);
1658
1659 return 0;
1660 }
1661
1662 static void make_challenge(VncState *vs)
1663 {
1664 int i;
1665
1666 srand(time(NULL)+getpid()+getpid()*987654+rand());
1667
1668 for (i = 0 ; i < sizeof(vs->challenge) ; i++)
1669 vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
1670 }
1671
1672 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
1673 {
1674 unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
1675 int i, j, pwlen;
1676 unsigned char key[8];
1677
1678 if (!vs->vd->password || !vs->vd->password[0]) {
1679 VNC_DEBUG("No password configured on server");
1680 vnc_write_u32(vs, 1); /* Reject auth */
1681 if (vs->minor >= 8) {
1682 static const char err[] = "Authentication failed";
1683 vnc_write_u32(vs, sizeof(err));
1684 vnc_write(vs, err, sizeof(err));
1685 }
1686 vnc_flush(vs);
1687 vnc_client_error(vs);
1688 return 0;
1689 }
1690
1691 memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
1692
1693 /* Calculate the expected challenge response */
1694 pwlen = strlen(vs->vd->password);
1695 for (i=0; i<sizeof(key); i++)
1696 key[i] = i<pwlen ? vs->vd->password[i] : 0;
1697 deskey(key, EN0);
1698 for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
1699 des(response+j, response+j);
1700
1701 /* Compare expected vs actual challenge response */
1702 if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
1703 VNC_DEBUG("Client challenge reponse did not match\n");
1704 vnc_write_u32(vs, 1); /* Reject auth */
1705 if (vs->minor >= 8) {
1706 static const char err[] = "Authentication failed";
1707 vnc_write_u32(vs, sizeof(err));
1708 vnc_write(vs, err, sizeof(err));
1709 }
1710 vnc_flush(vs);
1711 vnc_client_error(vs);
1712 } else {
1713 VNC_DEBUG("Accepting VNC challenge response\n");
1714 vnc_write_u32(vs, 0); /* Accept auth */
1715 vnc_flush(vs);
1716
1717 vnc_read_when(vs, protocol_client_init, 1);
1718 }
1719 return 0;
1720 }
1721
1722 static int start_auth_vnc(VncState *vs)
1723 {
1724 make_challenge(vs);
1725 /* Send client a 'random' challenge */
1726 vnc_write(vs, vs->challenge, sizeof(vs->challenge));
1727 vnc_flush(vs);
1728
1729 vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
1730 return 0;
1731 }
1732
1733
1734 #ifdef CONFIG_VNC_TLS
1735 #define DH_BITS 1024
1736 static gnutls_dh_params_t dh_params;
1737
1738 static int vnc_tls_initialize(void)
1739 {
1740 static int tlsinitialized = 0;
1741
1742 if (tlsinitialized)
1743 return 1;
1744
1745 if (gnutls_global_init () < 0)
1746 return 0;
1747
1748 /* XXX ought to re-generate diffie-hellmen params periodically */
1749 if (gnutls_dh_params_init (&dh_params) < 0)
1750 return 0;
1751 if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)
1752 return 0;
1753
1754 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
1755 gnutls_global_set_log_level(10);
1756 gnutls_global_set_log_function(vnc_debug_gnutls_log);
1757 #endif
1758
1759 tlsinitialized = 1;
1760
1761 return 1;
1762 }
1763
1764 static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void)
1765 {
1766 gnutls_anon_server_credentials anon_cred;
1767 int ret;
1768
1769 if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
1770 VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
1771 return NULL;
1772 }
1773
1774 gnutls_anon_set_server_dh_params(anon_cred, dh_params);
1775
1776 return anon_cred;
1777 }
1778
1779
1780 static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncState *vs)
1781 {
1782 gnutls_certificate_credentials_t x509_cred;
1783 int ret;
1784
1785 if (!vs->vd->x509cacert) {
1786 VNC_DEBUG("No CA x509 certificate specified\n");
1787 return NULL;
1788 }
1789 if (!vs->vd->x509cert) {
1790 VNC_DEBUG("No server x509 certificate specified\n");
1791 return NULL;
1792 }
1793 if (!vs->vd->x509key) {
1794 VNC_DEBUG("No server private key specified\n");
1795 return NULL;
1796 }
1797
1798 if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
1799 VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
1800 return NULL;
1801 }
1802 if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
1803 vs->vd->x509cacert,
1804 GNUTLS_X509_FMT_PEM)) < 0) {
1805 VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
1806 gnutls_certificate_free_credentials(x509_cred);
1807 return NULL;
1808 }
1809
1810 if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
1811 vs->vd->x509cert,
1812 vs->vd->x509key,
1813 GNUTLS_X509_FMT_PEM)) < 0) {
1814 VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
1815 gnutls_certificate_free_credentials(x509_cred);
1816 return NULL;
1817 }
1818
1819 if (vs->vd->x509cacrl) {
1820 if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
1821 vs->vd->x509cacrl,
1822 GNUTLS_X509_FMT_PEM)) < 0) {
1823 VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
1824 gnutls_certificate_free_credentials(x509_cred);
1825 return NULL;
1826 }
1827 }
1828
1829 gnutls_certificate_set_dh_params (x509_cred, dh_params);
1830
1831 return x509_cred;
1832 }
1833
1834 static int vnc_validate_certificate(struct VncState *vs)
1835 {
1836 int ret;
1837 unsigned int status;
1838 const gnutls_datum_t *certs;
1839 unsigned int nCerts, i;
1840 time_t now;
1841
1842 VNC_DEBUG("Validating client certificate\n");
1843 if ((ret = gnutls_certificate_verify_peers2 (vs->tls_session, &status)) < 0) {
1844 VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));
1845 return -1;
1846 }
1847
1848 if ((now = time(NULL)) == ((time_t)-1)) {
1849 return -1;
1850 }
1851
1852 if (status != 0) {
1853 if (status & GNUTLS_CERT_INVALID)
1854 VNC_DEBUG("The certificate is not trusted.\n");
1855
1856 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
1857 VNC_DEBUG("The certificate hasn't got a known issuer.\n");
1858
1859 if (status & GNUTLS_CERT_REVOKED)
1860 VNC_DEBUG("The certificate has been revoked.\n");
1861
1862 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
1863 VNC_DEBUG("The certificate uses an insecure algorithm\n");
1864
1865 return -1;
1866 } else {
1867 VNC_DEBUG("Certificate is valid!\n");
1868 }
1869
1870 /* Only support x509 for now */
1871 if (gnutls_certificate_type_get(vs->tls_session) != GNUTLS_CRT_X509)
1872 return -1;
1873
1874 if (!(certs = gnutls_certificate_get_peers(vs->tls_session, &nCerts)))
1875 return -1;
1876
1877 for (i = 0 ; i < nCerts ; i++) {
1878 gnutls_x509_crt_t cert;
1879 VNC_DEBUG ("Checking certificate chain %d\n", i);
1880 if (gnutls_x509_crt_init (&cert) < 0)
1881 return -1;
1882
1883 if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1884 gnutls_x509_crt_deinit (cert);
1885 return -1;
1886 }
1887
1888 if (gnutls_x509_crt_get_expiration_time (cert) < now) {
1889 VNC_DEBUG("The certificate has expired\n");
1890 gnutls_x509_crt_deinit (cert);
1891 return -1;
1892 }
1893
1894 if (gnutls_x509_crt_get_activation_time (cert) > now) {
1895 VNC_DEBUG("The certificate is not yet activated\n");
1896 gnutls_x509_crt_deinit (cert);
1897 return -1;
1898 }
1899
1900 if (gnutls_x509_crt_get_activation_time (cert) > now) {
1901 VNC_DEBUG("The certificate is not yet activated\n");
1902 gnutls_x509_crt_deinit (cert);
1903 return -1;
1904 }
1905
1906 gnutls_x509_crt_deinit (cert);
1907 }
1908
1909 return 0;
1910 }
1911
1912
1913 static int start_auth_vencrypt_subauth(VncState *vs)
1914 {
1915 switch (vs->vd->subauth) {
1916 case VNC_AUTH_VENCRYPT_TLSNONE:
1917 case VNC_AUTH_VENCRYPT_X509NONE:
1918 VNC_DEBUG("Accept TLS auth none\n");
1919 vnc_write_u32(vs, 0); /* Accept auth completion */
1920 vnc_read_when(vs, protocol_client_init, 1);
1921 break;
1922
1923 case VNC_AUTH_VENCRYPT_TLSVNC:
1924 case VNC_AUTH_VENCRYPT_X509VNC:
1925 VNC_DEBUG("Start TLS auth VNC\n");
1926 return start_auth_vnc(vs);
1927
1928 default: /* Should not be possible, but just in case */
1929 VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
1930 vnc_write_u8(vs, 1);
1931 if (vs->minor >= 8) {
1932 static const char err[] = "Unsupported authentication type";
1933 vnc_write_u32(vs, sizeof(err));
1934 vnc_write(vs, err, sizeof(err));
1935 }
1936 vnc_client_error(vs);
1937 }
1938
1939 return 0;
1940 }
1941
1942 static void vnc_handshake_io(void *opaque);
1943
1944 static int vnc_continue_handshake(struct VncState *vs) {
1945 int ret;
1946
1947 if ((ret = gnutls_handshake(vs->tls_session)) < 0) {
1948 if (!gnutls_error_is_fatal(ret)) {
1949 VNC_DEBUG("Handshake interrupted (blocking)\n");
1950 if (!gnutls_record_get_direction(vs->tls_session))
1951 qemu_set_fd_handler(vs->csock, vnc_handshake_io, NULL, vs);
1952 else
1953 qemu_set_fd_handler(vs->csock, NULL, vnc_handshake_io, vs);
1954 return 0;
1955 }
1956 VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret));
1957 vnc_client_error(vs);
1958 return -1;
1959 }
1960
1961 if (vs->vd->x509verify) {
1962 if (vnc_validate_certificate(vs) < 0) {
1963 VNC_DEBUG("Client verification failed\n");
1964 vnc_client_error(vs);
1965 return -1;
1966 } else {
1967 VNC_DEBUG("Client verification passed\n");
1968 }
1969 }
1970
1971 VNC_DEBUG("Handshake done, switching to TLS data mode\n");
1972 vs->wiremode = VNC_WIREMODE_TLS;
1973 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1974
1975 return start_auth_vencrypt_subauth(vs);
1976 }
1977
1978 static void vnc_handshake_io(void *opaque) {
1979 struct VncState *vs = (struct VncState *)opaque;
1980
1981 VNC_DEBUG("Handshake IO continue\n");
1982 vnc_continue_handshake(vs);
1983 }
1984
1985 #define NEED_X509_AUTH(vs) \
1986 ((vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509NONE || \
1987 (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509VNC || \
1988 (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
1989
1990
1991 static int vnc_start_tls(struct VncState *vs) {
1992 static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
1993 static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
1994 static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
1995 static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
1996
1997 VNC_DEBUG("Do TLS setup\n");
1998 if (vnc_tls_initialize() < 0) {
1999 VNC_DEBUG("Failed to init TLS\n");
2000 vnc_client_error(vs);
2001 return -1;
2002 }
2003 if (vs->tls_session == NULL) {
2004 if (gnutls_init(&vs->tls_session, GNUTLS_SERVER) < 0) {
2005 vnc_client_error(vs);
2006 return -1;
2007 }
2008
2009 if (gnutls_set_default_priority(vs->tls_session) < 0) {
2010 gnutls_deinit(vs->tls_session);
2011 vs->tls_session = NULL;
2012 vnc_client_error(vs);
2013 return -1;
2014 }
2015
2016 if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
2017 gnutls_deinit(vs->tls_session);
2018 vs->tls_session = NULL;
2019 vnc_client_error(vs);
2020 return -1;
2021 }
2022
2023 if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
2024 gnutls_deinit(vs->tls_session);
2025 vs->tls_session = NULL;
2026 vnc_client_error(vs);
2027 return -1;
2028 }
2029
2030 if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
2031 gnutls_deinit(vs->tls_session);
2032 vs->tls_session = NULL;
2033 vnc_client_error(vs);
2034 return -1;
2035 }
2036
2037 if (NEED_X509_AUTH(vs)) {
2038 gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs);
2039 if (!x509_cred) {
2040 gnutls_deinit(vs->tls_session);
2041 vs->tls_session = NULL;
2042 vnc_client_error(vs);
2043 return -1;
2044 }
2045 if (gnutls_credentials_set(vs->tls_session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
2046 gnutls_deinit(vs->tls_session);
2047 vs->tls_session = NULL;
2048 gnutls_certificate_free_credentials(x509_cred);
2049 vnc_client_error(vs);
2050 return -1;
2051 }
2052 if (vs->vd->x509verify) {
2053 VNC_DEBUG("Requesting a client certificate\n");
2054 gnutls_certificate_server_set_request (vs->tls_session, GNUTLS_CERT_REQUEST);
2055 }
2056
2057 } else {
2058 gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred();
2059 if (!anon_cred) {
2060 gnutls_deinit(vs->tls_session);
2061 vs->tls_session = NULL;
2062 vnc_client_error(vs);
2063 return -1;
2064 }
2065 if (gnutls_credentials_set(vs->tls_session, GNUTLS_CRD_ANON, anon_cred) < 0) {
2066 gnutls_deinit(vs->tls_session);
2067 vs->tls_session = NULL;
2068 gnutls_anon_free_server_credentials(anon_cred);
2069 vnc_client_error(vs);
2070 return -1;
2071 }
2072 }
2073
2074 gnutls_transport_set_ptr(vs->tls_session, (gnutls_transport_ptr_t)vs);
2075 gnutls_transport_set_push_function(vs->tls_session, vnc_tls_push);
2076 gnutls_transport_set_pull_function(vs->tls_session, vnc_tls_pull);
2077 }
2078
2079 VNC_DEBUG("Start TLS handshake process\n");
2080 return vnc_continue_handshake(vs);
2081 }
2082
2083 static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len)
2084 {
2085 int auth = read_u32(data, 0);
2086
2087 if (auth != vs->vd->subauth) {
2088 VNC_DEBUG("Rejecting auth %d\n", auth);
2089 vnc_write_u8(vs, 0); /* Reject auth */
2090 vnc_flush(vs);
2091 vnc_client_error(vs);
2092 } else {
2093 VNC_DEBUG("Accepting auth %d, starting handshake\n", auth);
2094 vnc_write_u8(vs, 1); /* Accept auth */
2095 vnc_flush(vs);
2096
2097 if (vnc_start_tls(vs) < 0) {
2098 VNC_DEBUG("Failed to complete TLS\n");
2099 return 0;
2100 }
2101 }
2102 return 0;
2103 }
2104
2105 static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len)
2106 {
2107 if (data[0] != 0 ||
2108 data[1] != 2) {
2109 VNC_DEBUG("Unsupported VeNCrypt protocol %d.%d\n", (int)data[0], (int)data[1]);
2110 vnc_write_u8(vs, 1); /* Reject version */
2111 vnc_flush(vs);
2112 vnc_client_error(vs);
2113 } else {
2114 VNC_DEBUG("Sending allowed auth %d\n", vs->vd->subauth);
2115 vnc_write_u8(vs, 0); /* Accept version */
2116 vnc_write_u8(vs, 1); /* Number of sub-auths */
2117 vnc_write_u32(vs, vs->vd->subauth); /* The supported auth */
2118 vnc_flush(vs);
2119 vnc_read_when(vs, protocol_client_vencrypt_auth, 4);
2120 }
2121 return 0;
2122 }
2123
2124 static int start_auth_vencrypt(VncState *vs)
2125 {
2126 /* Send VeNCrypt version 0.2 */
2127 vnc_write_u8(vs, 0);
2128 vnc_write_u8(vs, 2);
2129
2130 vnc_read_when(vs, protocol_client_vencrypt_init, 2);
2131 return 0;
2132 }
2133 #endif /* CONFIG_VNC_TLS */
2134
2135 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2136 {
2137 /* We only advertise 1 auth scheme at a time, so client
2138 * must pick the one we sent. Verify this */
2139 if (data[0] != vs->vd->auth) { /* Reject auth */
2140 VNC_DEBUG("Reject auth %d\n", (int)data[0]);
2141 vnc_write_u32(vs, 1);
2142 if (vs->minor >= 8) {
2143 static const char err[] = "Authentication failed";
2144 vnc_write_u32(vs, sizeof(err));
2145 vnc_write(vs, err, sizeof(err));
2146 }
2147 vnc_client_error(vs);
2148 } else { /* Accept requested auth */
2149 VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2150 switch (vs->vd->auth) {
2151 case VNC_AUTH_NONE:
2152 VNC_DEBUG("Accept auth none\n");
2153 if (vs->minor >= 8) {
2154 vnc_write_u32(vs, 0); /* Accept auth completion */
2155 vnc_flush(vs);
2156 }
2157 vnc_read_when(vs, protocol_client_init, 1);
2158 break;
2159
2160 case VNC_AUTH_VNC:
2161 VNC_DEBUG("Start VNC auth\n");
2162 return start_auth_vnc(vs);
2163
2164 #ifdef CONFIG_VNC_TLS
2165 case VNC_AUTH_VENCRYPT:
2166 VNC_DEBUG("Accept VeNCrypt auth\n");;
2167 return start_auth_vencrypt(vs);
2168 #endif /* CONFIG_VNC_TLS */
2169
2170 default: /* Should not be possible, but just in case */
2171 VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
2172 vnc_write_u8(vs, 1);
2173 if (vs->minor >= 8) {
2174 static const char err[] = "Authentication failed";
2175 vnc_write_u32(vs, sizeof(err));
2176 vnc_write(vs, err, sizeof(err));
2177 }
2178 vnc_client_error(vs);
2179 }
2180 }
2181 return 0;
2182 }
2183
2184 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2185 {
2186 char local[13];
2187
2188 memcpy(local, version, 12);
2189 local[12] = 0;
2190
2191 if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2192 VNC_DEBUG("Malformed protocol version %s\n", local);
2193 vnc_client_error(vs);
2194 return 0;
2195 }
2196 VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2197 if (vs->major != 3 ||
2198 (vs->minor != 3 &&
2199 vs->minor != 4 &&
2200 vs->minor != 5 &&
2201 vs->minor != 7 &&
2202 vs->minor != 8)) {
2203 VNC_DEBUG("Unsupported client version\n");
2204 vnc_write_u32(vs, VNC_AUTH_INVALID);
2205 vnc_flush(vs);
2206 vnc_client_error(vs);
2207 return 0;
2208 }
2209 /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2210 * as equivalent to v3.3 by servers
2211 */
2212 if (vs->minor == 4 || vs->minor == 5)
2213 vs->minor = 3;
2214
2215 if (vs->minor == 3) {
2216 if (vs->vd->auth == VNC_AUTH_NONE) {
2217 VNC_DEBUG("Tell client auth none\n");
2218 vnc_write_u32(vs, vs->vd->auth);
2219 vnc_flush(vs);
2220 vnc_read_when(vs, protocol_client_init, 1);
2221 } else if (vs->vd->auth == VNC_AUTH_VNC) {
2222 VNC_DEBUG("Tell client VNC auth\n");
2223 vnc_write_u32(vs, vs->vd->auth);
2224 vnc_flush(vs);
2225 start_auth_vnc(vs);
2226 } else {
2227 VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->vd->auth);
2228 vnc_write_u32(vs, VNC_AUTH_INVALID);
2229 vnc_flush(vs);
2230 vnc_client_error(vs);
2231 }
2232 } else {
2233 VNC_DEBUG("Telling client we support auth %d\n", vs->vd->auth);
2234 vnc_write_u8(vs, 1); /* num auth */
2235 vnc_write_u8(vs, vs->vd->auth);
2236 vnc_read_when(vs, protocol_client_auth, 1);
2237 vnc_flush(vs);
2238 }
2239
2240 return 0;
2241 }
2242
2243 static void vnc_connect(VncDisplay *vd, int csock)
2244 {
2245 VncState *vs = qemu_mallocz(sizeof(VncState));
2246 vs->csock = csock;
2247
2248 VNC_DEBUG("New client on socket %d\n", csock);
2249 dcl->idle = 0;
2250 socket_set_nonblock(vs->csock);
2251 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2252
2253 vs->vd = vd;
2254 vs->ds = vd->ds;
2255 vs->timer = qemu_new_timer(rt_clock, vnc_update_client, vs);
2256 vs->last_x = -1;
2257 vs->last_y = -1;
2258
2259 vs->as.freq = 44100;
2260 vs->as.nchannels = 2;
2261 vs->as.fmt = AUD_FMT_S16;
2262 vs->as.endianness = 0;
2263
2264 vnc_resize(vs);
2265 vnc_write(vs, "RFB 003.008\n", 12);
2266 vnc_flush(vs);
2267 vnc_read_when(vs, protocol_version, 12);
2268 memset(vs->old_data, 0, ds_get_linesize(vs->ds) * ds_get_height(vs->ds));
2269 memset(vs->dirty_row, 0xFF, sizeof(vs->dirty_row));
2270 vnc_update_client(vs);
2271 reset_keys(vs);
2272
2273 vs->next = vd->clients;
2274 vd->clients = vs;
2275 }
2276
2277 static void vnc_listen_read(void *opaque)
2278 {
2279 VncDisplay *vs = opaque;
2280 struct sockaddr_in addr;
2281 socklen_t addrlen = sizeof(addr);
2282
2283 /* Catch-up */
2284 vga_hw_update();
2285
2286 int csock = accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2287 if (csock != -1) {
2288 vnc_connect(vs, csock);
2289 }
2290 }
2291
2292 void vnc_display_init(DisplayState *ds)
2293 {
2294 VncDisplay *vs;
2295
2296 vs = qemu_mallocz(sizeof(VncState));
2297 dcl = qemu_mallocz(sizeof(DisplayChangeListener));
2298
2299 ds->opaque = vs;
2300 dcl->idle = 1;
2301 vnc_display = vs;
2302
2303 vs->lsock = -1;
2304
2305 vs->ds = ds;
2306
2307 if (keyboard_layout)
2308 vs->kbd_layout = init_keyboard_layout(keyboard_layout);
2309 else
2310 vs->kbd_layout = init_keyboard_layout("en-us");
2311
2312 if (!vs->kbd_layout)
2313 exit(1);
2314
2315 dcl->dpy_copy = vnc_dpy_copy;
2316 dcl->dpy_update = vnc_dpy_update;
2317 dcl->dpy_resize = vnc_dpy_resize;
2318 dcl->dpy_setdata = vnc_dpy_setdata;
2319 register_displaychangelistener(ds, dcl);
2320 }
2321
2322 #ifdef CONFIG_VNC_TLS
2323 static int vnc_set_x509_credential(VncDisplay *vs,
2324 const char *certdir,
2325 const char *filename,
2326 char **cred,
2327 int ignoreMissing)
2328 {
2329 struct stat sb;
2330
2331 if (*cred) {
2332 qemu_free(*cred);
2333 *cred = NULL;
2334 }
2335
2336 *cred = qemu_malloc(strlen(certdir) + strlen(filename) + 2);
2337
2338 strcpy(*cred, certdir);
2339 strcat(*cred, "/");
2340 strcat(*cred, filename);
2341
2342 VNC_DEBUG("Check %s\n", *cred);
2343 if (stat(*cred, &sb) < 0) {
2344 qemu_free(*cred);
2345 *cred = NULL;
2346 if (ignoreMissing && errno == ENOENT)
2347 return 0;
2348 return -1;
2349 }
2350
2351 return 0;
2352 }
2353
2354 static int vnc_set_x509_credential_dir(VncDisplay *vs,
2355 const char *certdir)
2356 {
2357 if (vnc_set_x509_credential(vs, certdir, X509_CA_CERT_FILE, &vs->x509cacert, 0) < 0)
2358 goto cleanup;
2359 if (vnc_set_x509_credential(vs, certdir, X509_CA_CRL_FILE, &vs->x509cacrl, 1) < 0)
2360 goto cleanup;
2361 if (vnc_set_x509_credential(vs, certdir, X509_SERVER_CERT_FILE, &vs->x509cert, 0) < 0)
2362 goto cleanup;
2363 if (vnc_set_x509_credential(vs, certdir, X509_SERVER_KEY_FILE, &vs->x509key, 0) < 0)
2364 goto cleanup;
2365
2366 return 0;
2367
2368 cleanup:
2369 qemu_free(vs->x509cacert);
2370 qemu_free(vs->x509cacrl);
2371 qemu_free(vs->x509cert);
2372 qemu_free(vs->x509key);
2373 vs->x509cacert = vs->x509cacrl = vs->x509cert = vs->x509key = NULL;
2374 return -1;
2375 }
2376 #endif /* CONFIG_VNC_TLS */
2377
2378 void vnc_display_close(DisplayState *ds)
2379 {
2380 VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2381
2382 if (!vs)
2383 return;
2384 if (vs->display) {
2385 qemu_free(vs->display);
2386 vs->display = NULL;
2387 }
2388 if (vs->lsock != -1) {
2389 qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2390 close(vs->lsock);
2391 vs->lsock = -1;
2392 }
2393 vs->auth = VNC_AUTH_INVALID;
2394 #ifdef CONFIG_VNC_TLS
2395 vs->subauth = VNC_AUTH_INVALID;
2396 vs->x509verify = 0;
2397 #endif
2398 }
2399
2400 int vnc_display_password(DisplayState *ds, const char *password)
2401 {
2402 VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2403
2404 if (vs->password) {
2405 qemu_free(vs->password);
2406 vs->password = NULL;
2407 }
2408 if (password && password[0]) {
2409 if (!(vs->password = qemu_strdup(password)))
2410 return -1;
2411 }
2412
2413 return 0;
2414 }
2415
2416 int vnc_display_open(DisplayState *ds, const char *display)
2417 {
2418 VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2419 const char *options;
2420 int password = 0;
2421 int reverse = 0;
2422 int to_port = 0;
2423 #ifdef CONFIG_VNC_TLS
2424 int tls = 0, x509 = 0;
2425 #endif
2426
2427 if (!vnc_display)
2428 return -1;
2429 vnc_display_close(ds);
2430 if (strcmp(display, "none") == 0)
2431 return 0;
2432
2433 if (!(vs->display = strdup(display)))
2434 return -1;
2435
2436 options = display;
2437 while ((options = strchr(options, ','))) {
2438 options++;
2439 if (strncmp(options, "password", 8) == 0) {
2440 password = 1; /* Require password auth */
2441 } else if (strncmp(options, "reverse", 7) == 0) {
2442 reverse = 1;
2443 } else if (strncmp(options, "to=", 3) == 0) {
2444 to_port = atoi(options+3) + 5900;
2445 #ifdef CONFIG_VNC_TLS
2446 } else if (strncmp(options, "tls", 3) == 0) {
2447 tls = 1; /* Require TLS */
2448 } else if (strncmp(options, "x509", 4) == 0) {
2449 char *start, *end;
2450 x509 = 1; /* Require x509 certificates */
2451 if (strncmp(options, "x509verify", 10) == 0)
2452 vs->x509verify = 1; /* ...and verify client certs */
2453
2454 /* Now check for 'x509=/some/path' postfix
2455 * and use that to setup x509 certificate/key paths */
2456 start = strchr(options, '=');
2457 end = strchr(options, ',');
2458 if (start && (!end || (start < end))) {
2459 int len = end ? end-(start+1) : strlen(start+1);
2460 char *path = qemu_strndup(start + 1, len);
2461
2462 VNC_DEBUG("Trying certificate path '%s'\n", path);
2463 if (vnc_set_x509_credential_dir(vs, path) < 0) {
2464 fprintf(stderr, "Failed to find x509 certificates/keys in %s\n", path);
2465 qemu_free(path);
2466 qemu_free(vs->display);
2467 vs->display = NULL;
2468 return -1;
2469 }
2470 qemu_free(path);
2471 } else {
2472 fprintf(stderr, "No certificate path provided\n");
2473 qemu_free(vs->display);
2474 vs->display = NULL;
2475 return -1;
2476 }
2477 #endif
2478 }
2479 }
2480
2481 if (password) {
2482 #ifdef CONFIG_VNC_TLS
2483 if (tls) {
2484 vs->auth = VNC_AUTH_VENCRYPT;
2485 if (x509) {
2486 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
2487 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
2488 } else {
2489 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
2490 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
2491 }
2492 } else {
2493 #endif
2494 VNC_DEBUG("Initializing VNC server with password auth\n");
2495 vs->auth = VNC_AUTH_VNC;
2496 #ifdef CONFIG_VNC_TLS
2497 vs->subauth = VNC_AUTH_INVALID;
2498 }
2499 #endif
2500 } else {
2501 #ifdef CONFIG_VNC_TLS
2502 if (tls) {
2503 vs->auth = VNC_AUTH_VENCRYPT;
2504 if (x509) {
2505 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
2506 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
2507 } else {
2508 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
2509 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
2510 }
2511 } else {
2512 #endif
2513 VNC_DEBUG("Initializing VNC server with no auth\n");
2514 vs->auth = VNC_AUTH_NONE;
2515 #ifdef CONFIG_VNC_TLS
2516 vs->subauth = VNC_AUTH_INVALID;
2517 }
2518 #endif
2519 }
2520
2521 if (reverse) {
2522 /* connect to viewer */
2523 if (strncmp(display, "unix:", 5) == 0)
2524 vs->lsock = unix_connect(display+5);
2525 else
2526 vs->lsock = inet_connect(display, SOCK_STREAM);
2527 if (-1 == vs->lsock) {
2528 free(vs->display);
2529 vs->display = NULL;
2530 return -1;
2531 } else {
2532 int csock = vs->lsock;
2533 vs->lsock = -1;
2534 vnc_connect(vs, csock);
2535 }
2536 return 0;
2537
2538 } else {
2539 /* listen for connects */
2540 char *dpy;
2541 dpy = qemu_malloc(256);
2542 if (strncmp(display, "unix:", 5) == 0) {
2543 pstrcpy(dpy, 256, "unix:");
2544 vs->lsock = unix_listen(display+5, dpy+5, 256-5);
2545 } else {
2546 vs->lsock = inet_listen(display, dpy, 256, SOCK_STREAM, 5900);
2547 }
2548 if (-1 == vs->lsock) {
2549 free(dpy);
2550 return -1;
2551 } else {
2552 free(vs->display);
2553 vs->display = dpy;
2554 }
2555 }
2556 return qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
2557 }