| /* |
| * QEMU VNC display driver: Websockets support |
| * |
| * Copyright (C) 2010 Joel Martin |
| * Copyright (C) 2012 Tim Hardeck |
| * |
| * This is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published by |
| * the Free Software Foundation; either version 2 of the License, or |
| * (at your option) any later version. |
| * |
| * This software is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this software; if not, see <http://www.gnu.org/licenses/>. |
| */ |
| |
| #include "vnc.h" |
| |
| void vncws_handshake_read(void *opaque) |
| { |
| VncState *vs = opaque; |
| uint8_t *handshake_end; |
| long ret; |
| buffer_reserve(&vs->ws_input, 4096); |
| ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); |
| |
| if (!ret) { |
| if (vs->csock == -1) { |
| vnc_disconnect_finish(vs); |
| } |
| return; |
| } |
| vs->ws_input.offset += ret; |
| |
| handshake_end = (uint8_t *)g_strstr_len((char *)vs->ws_input.buffer, |
| vs->ws_input.offset, WS_HANDSHAKE_END); |
| if (handshake_end) { |
| qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); |
| vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset); |
| buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer + |
| strlen(WS_HANDSHAKE_END)); |
| } |
| } |
| |
| |
| long vnc_client_read_ws(VncState *vs) |
| { |
| int ret, err; |
| uint8_t *payload; |
| size_t payload_size, frame_size; |
| VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, |
| vs->ws_input.capacity, vs->ws_input.offset); |
| buffer_reserve(&vs->ws_input, 4096); |
| ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); |
| if (!ret) { |
| return 0; |
| } |
| vs->ws_input.offset += ret; |
| |
| /* make sure that nothing is left in the ws_input buffer */ |
| do { |
| err = vncws_decode_frame(&vs->ws_input, &payload, |
| &payload_size, &frame_size); |
| if (err <= 0) { |
| return err; |
| } |
| |
| buffer_reserve(&vs->input, payload_size); |
| buffer_append(&vs->input, payload, payload_size); |
| |
| buffer_advance(&vs->ws_input, frame_size); |
| } while (vs->ws_input.offset > 0); |
| |
| return ret; |
| } |
| |
| long vnc_client_write_ws(VncState *vs) |
| { |
| long ret; |
| VNC_DEBUG("Write WS: Pending output %p size %zd offset %zd\n", |
| vs->output.buffer, vs->output.capacity, vs->output.offset); |
| vncws_encode_frame(&vs->ws_output, vs->output.buffer, vs->output.offset); |
| buffer_reset(&vs->output); |
| ret = vnc_client_write_buf(vs, vs->ws_output.buffer, vs->ws_output.offset); |
| if (!ret) { |
| return 0; |
| } |
| |
| buffer_advance(&vs->ws_output, ret); |
| |
| if (vs->ws_output.offset == 0) { |
| qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); |
| } |
| |
| return ret; |
| } |
| |
| static char *vncws_extract_handshake_entry(const char *handshake, |
| size_t handshake_len, const char *name) |
| { |
| char *begin, *end, *ret = NULL; |
| char *line = g_strdup_printf("%s%s: ", WS_HANDSHAKE_DELIM, name); |
| begin = g_strstr_len(handshake, handshake_len, line); |
| if (begin != NULL) { |
| begin += strlen(line); |
| end = g_strstr_len(begin, handshake_len - (begin - handshake), |
| WS_HANDSHAKE_DELIM); |
| if (end != NULL) { |
| ret = g_strndup(begin, end - begin); |
| } |
| } |
| g_free(line); |
| return ret; |
| } |
| |
| static void vncws_send_handshake_response(VncState *vs, const char* key) |
| { |
| char combined_key[WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1]; |
| unsigned char hash[SHA1_DIGEST_LEN]; |
| size_t hash_size = sizeof(hash); |
| char *accept = NULL, *response = NULL; |
| gnutls_datum_t in; |
| int ret; |
| |
| g_strlcpy(combined_key, key, WS_CLIENT_KEY_LEN + 1); |
| g_strlcat(combined_key, WS_GUID, WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1); |
| |
| /* hash and encode it */ |
| in.data = (void *)combined_key; |
| in.size = WS_CLIENT_KEY_LEN + WS_GUID_LEN; |
| ret = gnutls_fingerprint(GNUTLS_DIG_SHA1, &in, hash, &hash_size); |
| if (ret == GNUTLS_E_SUCCESS && hash_size <= SHA1_DIGEST_LEN) { |
| accept = g_base64_encode(hash, hash_size); |
| } |
| if (accept == NULL) { |
| VNC_DEBUG("Hashing Websocket combined key failed\n"); |
| vnc_client_error(vs); |
| return; |
| } |
| |
| response = g_strdup_printf(WS_HANDSHAKE, accept); |
| vnc_write(vs, response, strlen(response)); |
| vnc_flush(vs); |
| |
| g_free(accept); |
| g_free(response); |
| |
| vs->encode_ws = 1; |
| vnc_init_state(vs); |
| } |
| |
| void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size) |
| { |
| char *protocols = vncws_extract_handshake_entry((const char *)line, size, |
| "Sec-WebSocket-Protocol"); |
| char *version = vncws_extract_handshake_entry((const char *)line, size, |
| "Sec-WebSocket-Version"); |
| char *key = vncws_extract_handshake_entry((const char *)line, size, |
| "Sec-WebSocket-Key"); |
| |
| if (protocols && version && key |
| && g_strrstr(protocols, "binary") |
| && !strcmp(version, WS_SUPPORTED_VERSION) |
| && strlen(key) == WS_CLIENT_KEY_LEN) { |
| vncws_send_handshake_response(vs, key); |
| } else { |
| VNC_DEBUG("Defective Websockets header or unsupported protocol\n"); |
| vnc_client_error(vs); |
| } |
| |
| g_free(protocols); |
| g_free(version); |
| g_free(key); |
| } |
| |
| void vncws_encode_frame(Buffer *output, const void *payload, |
| const size_t payload_size) |
| { |
| size_t header_size = 0; |
| unsigned char opcode = WS_OPCODE_BINARY_FRAME; |
| union { |
| char buf[WS_HEAD_MAX_LEN]; |
| WsHeader ws; |
| } header; |
| |
| if (!payload_size) { |
| return; |
| } |
| |
| header.ws.b0 = 0x80 | (opcode & 0x0f); |
| if (payload_size <= 125) { |
| header.ws.b1 = (uint8_t)payload_size; |
| header_size = 2; |
| } else if (payload_size < 65536) { |
| header.ws.b1 = 0x7e; |
| header.ws.u.s16.l16 = cpu_to_be16((uint16_t)payload_size); |
| header_size = 4; |
| } else { |
| header.ws.b1 = 0x7f; |
| header.ws.u.s64.l64 = cpu_to_be64(payload_size); |
| header_size = 10; |
| } |
| |
| buffer_reserve(output, header_size + payload_size); |
| buffer_append(output, header.buf, header_size); |
| buffer_append(output, payload, payload_size); |
| } |
| |
| int vncws_decode_frame(Buffer *input, uint8_t **payload, |
| size_t *payload_size, size_t *frame_size) |
| { |
| unsigned char opcode = 0, fin = 0, has_mask = 0; |
| size_t header_size = 0; |
| uint32_t *payload32; |
| WsHeader *header = (WsHeader *)input->buffer; |
| WsMask mask; |
| int i; |
| |
| if (input->offset < WS_HEAD_MIN_LEN + 4) { |
| /* header not complete */ |
| return 0; |
| } |
| |
| fin = (header->b0 & 0x80) >> 7; |
| opcode = header->b0 & 0x0f; |
| has_mask = (header->b1 & 0x80) >> 7; |
| *payload_size = header->b1 & 0x7f; |
| |
| if (opcode == WS_OPCODE_CLOSE) { |
| /* disconnect */ |
| return -1; |
| } |
| |
| /* Websocket frame sanity check: |
| * * Websocket fragmentation is not supported. |
| * * All websockets frames sent by a client have to be masked. |
| * * Only binary encoding is supported. |
| */ |
| if (!fin || !has_mask || opcode != WS_OPCODE_BINARY_FRAME) { |
| VNC_DEBUG("Received faulty/unsupported Websocket frame\n"); |
| return -2; |
| } |
| |
| if (*payload_size < 126) { |
| header_size = 6; |
| mask = header->u.m; |
| } else if (*payload_size == 126 && input->offset >= 8) { |
| *payload_size = be16_to_cpu(header->u.s16.l16); |
| header_size = 8; |
| mask = header->u.s16.m16; |
| } else if (*payload_size == 127 && input->offset >= 14) { |
| *payload_size = be64_to_cpu(header->u.s64.l64); |
| header_size = 14; |
| mask = header->u.s64.m64; |
| } else { |
| /* header not complete */ |
| return 0; |
| } |
| |
| *frame_size = header_size + *payload_size; |
| |
| if (input->offset < *frame_size) { |
| /* frame not complete */ |
| return 0; |
| } |
| |
| *payload = input->buffer + header_size; |
| |
| /* unmask frame */ |
| /* process 1 frame (32 bit op) */ |
| payload32 = (uint32_t *)(*payload); |
| for (i = 0; i < *payload_size / 4; i++) { |
| payload32[i] ^= mask.u; |
| } |
| /* process the remaining bytes (if any) */ |
| for (i *= 4; i < *payload_size; i++) { |
| (*payload)[i] ^= mask.c[i % 4]; |
| } |
| |
| return 1; |
| } |