1 /* 2 * QEMU VNC display driver: Websockets support 3 * 4 * Copyright (C) 2010 Joel Martin 5 * Copyright (C) 2012 Tim Hardeck 6 * 7 * This is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This software is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this software; if not, see <http://www.gnu.org/licenses/>. 19 */ 20 21 #include "vnc.h" 22 #include "qemu/main-loop.h" 23 24 #ifdef CONFIG_VNC_TLS 25 #include "qemu/sockets.h" 26 27 static int vncws_start_tls_handshake(struct VncState *vs) 28 { 29 int ret = gnutls_handshake(vs->tls.session); 30 31 if (ret < 0) { 32 if (!gnutls_error_is_fatal(ret)) { 33 VNC_DEBUG("Handshake interrupted (blocking)\n"); 34 if (!gnutls_record_get_direction(vs->tls.session)) { 35 qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, 36 NULL, vs); 37 } else { 38 qemu_set_fd_handler(vs->csock, NULL, vncws_tls_handshake_io, 39 vs); 40 } 41 return 0; 42 } 43 VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret)); 44 vnc_client_error(vs); 45 return -1; 46 } 47 48 if (vs->vd->tls.x509verify) { 49 if (vnc_tls_validate_certificate(vs) < 0) { 50 VNC_DEBUG("Client verification failed\n"); 51 vnc_client_error(vs); 52 return -1; 53 } else { 54 VNC_DEBUG("Client verification passed\n"); 55 } 56 } 57 58 VNC_DEBUG("Handshake done, switching to TLS data mode\n"); 59 qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs); 60 61 return 0; 62 } 63 64 void vncws_tls_handshake_io(void *opaque) 65 { 66 struct VncState *vs = (struct VncState *)opaque; 67 68 if (!vs->tls.session) { 69 VNC_DEBUG("TLS Websocket setup\n"); 70 if (vnc_tls_client_setup(vs, vs->vd->tls.x509cert != NULL) < 0) { 71 return; 72 } 73 } 74 VNC_DEBUG("Handshake IO continue\n"); 75 vncws_start_tls_handshake(vs); 76 } 77 #endif /* CONFIG_VNC_TLS */ 78 79 void vncws_handshake_read(void *opaque) 80 { 81 VncState *vs = opaque; 82 uint8_t *handshake_end; 83 long ret; 84 buffer_reserve(&vs->ws_input, 4096); 85 ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); 86 87 if (!ret) { 88 if (vs->csock == -1) { 89 vnc_disconnect_finish(vs); 90 } 91 return; 92 } 93 vs->ws_input.offset += ret; 94 95 handshake_end = (uint8_t *)g_strstr_len((char *)vs->ws_input.buffer, 96 vs->ws_input.offset, WS_HANDSHAKE_END); 97 if (handshake_end) { 98 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); 99 vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset); 100 buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer + 101 strlen(WS_HANDSHAKE_END)); 102 } 103 } 104 105 106 long vnc_client_read_ws(VncState *vs) 107 { 108 int ret, err; 109 uint8_t *payload; 110 size_t payload_size, frame_size; 111 VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, 112 vs->ws_input.capacity, vs->ws_input.offset); 113 buffer_reserve(&vs->ws_input, 4096); 114 ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); 115 if (!ret) { 116 return 0; 117 } 118 vs->ws_input.offset += ret; 119 120 /* make sure that nothing is left in the ws_input buffer */ 121 do { 122 err = vncws_decode_frame(&vs->ws_input, &payload, 123 &payload_size, &frame_size); 124 if (err <= 0) { 125 return err; 126 } 127 128 buffer_reserve(&vs->input, payload_size); 129 buffer_append(&vs->input, payload, payload_size); 130 131 buffer_advance(&vs->ws_input, frame_size); 132 } while (vs->ws_input.offset > 0); 133 134 return ret; 135 } 136 137 long vnc_client_write_ws(VncState *vs) 138 { 139 long ret; 140 VNC_DEBUG("Write WS: Pending output %p size %zd offset %zd\n", 141 vs->output.buffer, vs->output.capacity, vs->output.offset); 142 vncws_encode_frame(&vs->ws_output, vs->output.buffer, vs->output.offset); 143 buffer_reset(&vs->output); 144 ret = vnc_client_write_buf(vs, vs->ws_output.buffer, vs->ws_output.offset); 145 if (!ret) { 146 return 0; 147 } 148 149 buffer_advance(&vs->ws_output, ret); 150 151 if (vs->ws_output.offset == 0) { 152 qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); 153 } 154 155 return ret; 156 } 157 158 static char *vncws_extract_handshake_entry(const char *handshake, 159 size_t handshake_len, const char *name) 160 { 161 char *begin, *end, *ret = NULL; 162 char *line = g_strdup_printf("%s%s: ", WS_HANDSHAKE_DELIM, name); 163 begin = g_strstr_len(handshake, handshake_len, line); 164 if (begin != NULL) { 165 begin += strlen(line); 166 end = g_strstr_len(begin, handshake_len - (begin - handshake), 167 WS_HANDSHAKE_DELIM); 168 if (end != NULL) { 169 ret = g_strndup(begin, end - begin); 170 } 171 } 172 g_free(line); 173 return ret; 174 } 175 176 static void vncws_send_handshake_response(VncState *vs, const char* key) 177 { 178 char combined_key[WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1]; 179 unsigned char hash[SHA1_DIGEST_LEN]; 180 size_t hash_size = sizeof(hash); 181 char *accept = NULL, *response = NULL; 182 gnutls_datum_t in; 183 int ret; 184 185 g_strlcpy(combined_key, key, WS_CLIENT_KEY_LEN + 1); 186 g_strlcat(combined_key, WS_GUID, WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1); 187 188 /* hash and encode it */ 189 in.data = (void *)combined_key; 190 in.size = WS_CLIENT_KEY_LEN + WS_GUID_LEN; 191 ret = gnutls_fingerprint(GNUTLS_DIG_SHA1, &in, hash, &hash_size); 192 if (ret == GNUTLS_E_SUCCESS && hash_size <= SHA1_DIGEST_LEN) { 193 accept = g_base64_encode(hash, hash_size); 194 } 195 if (accept == NULL) { 196 VNC_DEBUG("Hashing Websocket combined key failed\n"); 197 vnc_client_error(vs); 198 return; 199 } 200 201 response = g_strdup_printf(WS_HANDSHAKE, accept); 202 vnc_client_write_buf(vs, (const uint8_t *)response, strlen(response)); 203 204 g_free(accept); 205 g_free(response); 206 207 vs->encode_ws = 1; 208 vnc_init_state(vs); 209 } 210 211 void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size) 212 { 213 char *protocols = vncws_extract_handshake_entry((const char *)line, size, 214 "Sec-WebSocket-Protocol"); 215 char *version = vncws_extract_handshake_entry((const char *)line, size, 216 "Sec-WebSocket-Version"); 217 char *key = vncws_extract_handshake_entry((const char *)line, size, 218 "Sec-WebSocket-Key"); 219 220 if (protocols && version && key 221 && g_strrstr(protocols, "binary") 222 && !strcmp(version, WS_SUPPORTED_VERSION) 223 && strlen(key) == WS_CLIENT_KEY_LEN) { 224 vncws_send_handshake_response(vs, key); 225 } else { 226 VNC_DEBUG("Defective Websockets header or unsupported protocol\n"); 227 vnc_client_error(vs); 228 } 229 230 g_free(protocols); 231 g_free(version); 232 g_free(key); 233 } 234 235 void vncws_encode_frame(Buffer *output, const void *payload, 236 const size_t payload_size) 237 { 238 size_t header_size = 0; 239 unsigned char opcode = WS_OPCODE_BINARY_FRAME; 240 union { 241 char buf[WS_HEAD_MAX_LEN]; 242 WsHeader ws; 243 } header; 244 245 if (!payload_size) { 246 return; 247 } 248 249 header.ws.b0 = 0x80 | (opcode & 0x0f); 250 if (payload_size <= 125) { 251 header.ws.b1 = (uint8_t)payload_size; 252 header_size = 2; 253 } else if (payload_size < 65536) { 254 header.ws.b1 = 0x7e; 255 header.ws.u.s16.l16 = cpu_to_be16((uint16_t)payload_size); 256 header_size = 4; 257 } else { 258 header.ws.b1 = 0x7f; 259 header.ws.u.s64.l64 = cpu_to_be64(payload_size); 260 header_size = 10; 261 } 262 263 buffer_reserve(output, header_size + payload_size); 264 buffer_append(output, header.buf, header_size); 265 buffer_append(output, payload, payload_size); 266 } 267 268 int vncws_decode_frame(Buffer *input, uint8_t **payload, 269 size_t *payload_size, size_t *frame_size) 270 { 271 unsigned char opcode = 0, fin = 0, has_mask = 0; 272 size_t header_size = 0; 273 uint32_t *payload32; 274 WsHeader *header = (WsHeader *)input->buffer; 275 WsMask mask; 276 int i; 277 278 if (input->offset < WS_HEAD_MIN_LEN + 4) { 279 /* header not complete */ 280 return 0; 281 } 282 283 fin = (header->b0 & 0x80) >> 7; 284 opcode = header->b0 & 0x0f; 285 has_mask = (header->b1 & 0x80) >> 7; 286 *payload_size = header->b1 & 0x7f; 287 288 if (opcode == WS_OPCODE_CLOSE) { 289 /* disconnect */ 290 return -1; 291 } 292 293 /* Websocket frame sanity check: 294 * * Websocket fragmentation is not supported. 295 * * All websockets frames sent by a client have to be masked. 296 * * Only binary encoding is supported. 297 */ 298 if (!fin || !has_mask || opcode != WS_OPCODE_BINARY_FRAME) { 299 VNC_DEBUG("Received faulty/unsupported Websocket frame\n"); 300 return -2; 301 } 302 303 if (*payload_size < 126) { 304 header_size = 6; 305 mask = header->u.m; 306 } else if (*payload_size == 126 && input->offset >= 8) { 307 *payload_size = be16_to_cpu(header->u.s16.l16); 308 header_size = 8; 309 mask = header->u.s16.m16; 310 } else if (*payload_size == 127 && input->offset >= 14) { 311 *payload_size = be64_to_cpu(header->u.s64.l64); 312 header_size = 14; 313 mask = header->u.s64.m64; 314 } else { 315 /* header not complete */ 316 return 0; 317 } 318 319 *frame_size = header_size + *payload_size; 320 321 if (input->offset < *frame_size) { 322 /* frame not complete */ 323 return 0; 324 } 325 326 *payload = input->buffer + header_size; 327 328 /* unmask frame */ 329 /* process 1 frame (32 bit op) */ 330 payload32 = (uint32_t *)(*payload); 331 for (i = 0; i < *payload_size / 4; i++) { 332 payload32[i] ^= mask.u; 333 } 334 /* process the remaining bytes (if any) */ 335 for (i *= 4; i < *payload_size; i++) { 336 (*payload)[i] ^= mask.c[i % 4]; 337 } 338 339 return 1; 340 } 341