freebsd-skq/usr.sbin/bhyve/rfb.c
araujo 67d8903aad Check if pthread_create(3) successfully created the thread prior to call
pthread_join(3). The variable tid is not yet initialized in case
the authentication fails at early stage, that would lead pthread_join be
called with an uninitialized variable.

CID:		1375950
Reported by:	Coverity, cem
Reviewed by:	cem
MFC after:	3 weeks.
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D11150
2017-06-16 01:26:01 +00:00

1048 lines
23 KiB
C

/*-
* Copyright (c) 2015 Tycho Nightingale <tycho.nightingale@pluribusnetworks.com>
* Copyright (c) 2015 Leon Dang
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#ifndef WITHOUT_CAPSICUM
#include <sys/capsicum.h>
#endif
#include <sys/endian.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <machine/cpufunc.h>
#include <machine/specialreg.h>
#include <netinet/in.h>
#include <assert.h>
#include <err.h>
#include <errno.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <zlib.h>
#include "bhyvegc.h"
#include "console.h"
#include "rfb.h"
#include "sockstream.h"
#ifndef NO_OPENSSL
#include <openssl/des.h>
#endif
static int rfb_debug = 0;
#define DPRINTF(params) if (rfb_debug) printf params
#define WPRINTF(params) printf params
#define AUTH_LENGTH 16
#define PASSWD_LENGTH 8
#define SECURITY_TYPE_NONE 1
#define SECURITY_TYPE_VNC_AUTH 2
#define AUTH_FAILED_UNAUTH 1
#define AUTH_FAILED_ERROR 2
struct rfb_softc {
int sfd;
pthread_t tid;
int cfd;
int width, height;
char *password;
bool enc_raw_ok;
bool enc_zlib_ok;
bool enc_resize_ok;
z_stream zstream;
uint8_t *zbuf;
int zbuflen;
int conn_wait;
int sending;
pthread_mutex_t mtx;
pthread_cond_t cond;
int hw_crc;
uint32_t *crc; /* WxH crc cells */
uint32_t *crc_tmp; /* buffer to store single crc row */
int crc_width, crc_height;
};
struct rfb_pixfmt {
uint8_t bpp;
uint8_t depth;
uint8_t bigendian;
uint8_t truecolor;
uint16_t red_max;
uint16_t green_max;
uint16_t blue_max;
uint8_t red_shift;
uint8_t green_shift;
uint8_t blue_shift;
uint8_t pad[3];
};
struct rfb_srvr_info {
uint16_t width;
uint16_t height;
struct rfb_pixfmt pixfmt;
uint32_t namelen;
};
struct rfb_pixfmt_msg {
uint8_t type;
uint8_t pad[3];
struct rfb_pixfmt pixfmt;
};
#define RFB_ENCODING_RAW 0
#define RFB_ENCODING_ZLIB 6
#define RFB_ENCODING_RESIZE -223
#define RFB_MAX_WIDTH 2000
#define RFB_MAX_HEIGHT 1200
#define RFB_ZLIB_BUFSZ RFB_MAX_WIDTH*RFB_MAX_HEIGHT*4
/* percentage changes to screen before sending the entire screen */
#define RFB_SEND_ALL_THRESH 25
struct rfb_enc_msg {
uint8_t type;
uint8_t pad;
uint16_t numencs;
};
struct rfb_updt_msg {
uint8_t type;
uint8_t incremental;
uint16_t x;
uint16_t y;
uint16_t width;
uint16_t height;
};
struct rfb_key_msg {
uint8_t type;
uint8_t down;
uint16_t pad;
uint32_t code;
};
struct rfb_ptr_msg {
uint8_t type;
uint8_t button;
uint16_t x;
uint16_t y;
};
struct rfb_srvr_updt_msg {
uint8_t type;
uint8_t pad;
uint16_t numrects;
};
struct rfb_srvr_rect_hdr {
uint16_t x;
uint16_t y;
uint16_t width;
uint16_t height;
uint32_t encoding;
};
struct rfb_cuttext_msg {
uint8_t type;
uint8_t padding[3];
uint32_t length;
};
static void
rfb_send_server_init_msg(int cfd)
{
struct bhyvegc_image *gc_image;
struct rfb_srvr_info sinfo;
gc_image = console_get_image();
sinfo.width = htons(gc_image->width);
sinfo.height = htons(gc_image->height);
sinfo.pixfmt.bpp = 32;
sinfo.pixfmt.depth = 32;
sinfo.pixfmt.bigendian = 0;
sinfo.pixfmt.truecolor = 1;
sinfo.pixfmt.red_max = htons(255);
sinfo.pixfmt.green_max = htons(255);
sinfo.pixfmt.blue_max = htons(255);
sinfo.pixfmt.red_shift = 16;
sinfo.pixfmt.green_shift = 8;
sinfo.pixfmt.blue_shift = 0;
sinfo.namelen = htonl(strlen("bhyve"));
(void)stream_write(cfd, &sinfo, sizeof(sinfo));
(void)stream_write(cfd, "bhyve", strlen("bhyve"));
}
static void
rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_srvr_updt_msg supdt_msg;
struct rfb_srvr_rect_hdr srect_hdr;
/* Number of rectangles: 1 */
supdt_msg.type = 0;
supdt_msg.pad = 0;
supdt_msg.numrects = htons(1);
stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg));
/* Rectangle header */
srect_hdr.x = htons(0);
srect_hdr.y = htons(0);
srect_hdr.width = htons(rc->width);
srect_hdr.height = htons(rc->height);
srect_hdr.encoding = htonl(RFB_ENCODING_RESIZE);
stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr));
}
static void
rfb_recv_set_pixfmt_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_pixfmt_msg pixfmt_msg;
(void)stream_read(cfd, ((void *)&pixfmt_msg)+1, sizeof(pixfmt_msg)-1);
}
static void
rfb_recv_set_encodings_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_enc_msg enc_msg;
int i;
uint32_t encoding;
assert((sizeof(enc_msg) - 1) == 3);
(void)stream_read(cfd, ((void *)&enc_msg)+1, sizeof(enc_msg)-1);
for (i = 0; i < htons(enc_msg.numencs); i++) {
(void)stream_read(cfd, &encoding, sizeof(encoding));
switch (htonl(encoding)) {
case RFB_ENCODING_RAW:
rc->enc_raw_ok = true;
break;
case RFB_ENCODING_ZLIB:
rc->enc_zlib_ok = true;
deflateInit(&rc->zstream, Z_BEST_SPEED);
break;
case RFB_ENCODING_RESIZE:
rc->enc_resize_ok = true;
break;
}
}
}
/*
* Calculate CRC32 using SSE4.2; Intel or AMD Bulldozer+ CPUs only
*/
static __inline uint32_t
fast_crc32(void *buf, int len, uint32_t crcval)
{
uint32_t q = len / sizeof(uint32_t);
uint32_t *p = (uint32_t *)buf;
while (q--) {
asm volatile (
".byte 0xf2, 0xf, 0x38, 0xf1, 0xf1;"
:"=S" (crcval)
:"0" (crcval), "c" (*p)
);
p++;
}
return (crcval);
}
static int
rfb_send_rect(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc,
int x, int y, int w, int h)
{
struct rfb_srvr_updt_msg supdt_msg;
struct rfb_srvr_rect_hdr srect_hdr;
unsigned long zlen;
ssize_t nwrite, total;
int err;
uint32_t *p;
uint8_t *zbufp;
/*
* Send a single rectangle of the given x, y, w h dimensions.
*/
/* Number of rectangles: 1 */
supdt_msg.type = 0;
supdt_msg.pad = 0;
supdt_msg.numrects = htons(1);
nwrite = stream_write(cfd, &supdt_msg,
sizeof(struct rfb_srvr_updt_msg));
if (nwrite <= 0)
return (nwrite);
/* Rectangle header */
srect_hdr.x = htons(x);
srect_hdr.y = htons(y);
srect_hdr.width = htons(w);
srect_hdr.height = htons(h);
h = y + h;
w *= sizeof(uint32_t);
if (rc->enc_zlib_ok) {
zbufp = rc->zbuf;
rc->zstream.total_in = 0;
rc->zstream.total_out = 0;
for (p = &gc->data[y * gc->width + x]; y < h; y++) {
rc->zstream.next_in = (Bytef *)p;
rc->zstream.avail_in = w;
rc->zstream.next_out = (Bytef *)zbufp;
rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16 -
rc->zstream.total_out;
rc->zstream.data_type = Z_BINARY;
/* Compress with zlib */
err = deflate(&rc->zstream, Z_SYNC_FLUSH);
if (err != Z_OK) {
WPRINTF(("zlib[rect] deflate err: %d\n", err));
rc->enc_zlib_ok = false;
deflateEnd(&rc->zstream);
goto doraw;
}
zbufp = rc->zbuf + rc->zstream.total_out;
p += gc->width;
}
srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB);
nwrite = stream_write(cfd, &srect_hdr,
sizeof(struct rfb_srvr_rect_hdr));
if (nwrite <= 0)
return (nwrite);
zlen = htonl(rc->zstream.total_out);
nwrite = stream_write(cfd, &zlen, sizeof(uint32_t));
if (nwrite <= 0)
return (nwrite);
return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
}
doraw:
total = 0;
zbufp = rc->zbuf;
for (p = &gc->data[y * gc->width + x]; y < h; y++) {
memcpy(zbufp, p, w);
zbufp += w;
total += w;
p += gc->width;
}
srect_hdr.encoding = htonl(RFB_ENCODING_RAW);
nwrite = stream_write(cfd, &srect_hdr,
sizeof(struct rfb_srvr_rect_hdr));
if (nwrite <= 0)
return (nwrite);
total = stream_write(cfd, rc->zbuf, total);
return (total);
}
static int
rfb_send_all(struct rfb_softc *rc, int cfd, struct bhyvegc_image *gc)
{
struct rfb_srvr_updt_msg supdt_msg;
struct rfb_srvr_rect_hdr srect_hdr;
ssize_t nwrite;
unsigned long zlen;
int err;
/*
* Send the whole thing
*/
/* Number of rectangles: 1 */
supdt_msg.type = 0;
supdt_msg.pad = 0;
supdt_msg.numrects = htons(1);
nwrite = stream_write(cfd, &supdt_msg,
sizeof(struct rfb_srvr_updt_msg));
if (nwrite <= 0)
return (nwrite);
/* Rectangle header */
srect_hdr.x = 0;
srect_hdr.y = 0;
srect_hdr.width = htons(gc->width);
srect_hdr.height = htons(gc->height);
if (rc->enc_zlib_ok) {
rc->zstream.next_in = (Bytef *)gc->data;
rc->zstream.avail_in = gc->width * gc->height *
sizeof(uint32_t);
rc->zstream.next_out = (Bytef *)rc->zbuf;
rc->zstream.avail_out = RFB_ZLIB_BUFSZ + 16;
rc->zstream.data_type = Z_BINARY;
rc->zstream.total_in = 0;
rc->zstream.total_out = 0;
/* Compress with zlib */
err = deflate(&rc->zstream, Z_SYNC_FLUSH);
if (err != Z_OK) {
WPRINTF(("zlib deflate err: %d\n", err));
rc->enc_zlib_ok = false;
deflateEnd(&rc->zstream);
goto doraw;
}
srect_hdr.encoding = htonl(RFB_ENCODING_ZLIB);
nwrite = stream_write(cfd, &srect_hdr,
sizeof(struct rfb_srvr_rect_hdr));
if (nwrite <= 0)
return (nwrite);
zlen = htonl(rc->zstream.total_out);
nwrite = stream_write(cfd, &zlen, sizeof(uint32_t));
if (nwrite <= 0)
return (nwrite);
return (stream_write(cfd, rc->zbuf, rc->zstream.total_out));
}
doraw:
srect_hdr.encoding = htonl(RFB_ENCODING_RAW);
nwrite = stream_write(cfd, &srect_hdr,
sizeof(struct rfb_srvr_rect_hdr));
if (nwrite <= 0)
return (nwrite);
nwrite = stream_write(cfd, gc->data,
gc->width * gc->height * sizeof(uint32_t));
return (nwrite);
}
#define PIX_PER_CELL 32
#define PIXCELL_SHIFT 5
#define PIXCELL_MASK 0x1F
static int
rfb_send_screen(struct rfb_softc *rc, int cfd, int all)
{
struct bhyvegc_image *gc_image;
ssize_t nwrite;
int x, y;
int celly, cellwidth;
int xcells, ycells;
int w, h;
uint32_t *p;
int rem_x, rem_y; /* remainder for resolutions not x32 pixels ratio */
int retval;
uint32_t *crc_p, *orig_crc;
int changes;
console_refresh();
gc_image = console_get_image();
pthread_mutex_lock(&rc->mtx);
if (rc->sending) {
pthread_mutex_unlock(&rc->mtx);
return (1);
}
rc->sending = 1;
pthread_mutex_unlock(&rc->mtx);
retval = 0;
if (all) {
retval = rfb_send_all(rc, cfd, gc_image);
goto done;
}
/*
* Calculate the checksum for each 32x32 cell. Send each that
* has changed since the last scan.
*/
/* Resolution changed */
rc->crc_width = gc_image->width;
rc->crc_height = gc_image->height;
w = rc->crc_width;
h = rc->crc_height;
xcells = howmany(rc->crc_width, PIX_PER_CELL);
ycells = howmany(rc->crc_height, PIX_PER_CELL);
rem_x = w & PIXCELL_MASK;
rem_y = h & PIXCELL_MASK;
if (!rem_y)
rem_y = PIX_PER_CELL;
p = gc_image->data;
/*
* Go through all cells and calculate crc. If significant number
* of changes, then send entire screen.
* crc_tmp is dual purpose: to store the new crc and to flag as
* a cell that has changed.
*/
crc_p = rc->crc_tmp - xcells;
orig_crc = rc->crc - xcells;
changes = 0;
memset(rc->crc_tmp, 0, sizeof(uint32_t) * xcells * ycells);
for (y = 0; y < h; y++) {
if ((y & PIXCELL_MASK) == 0) {
crc_p += xcells;
orig_crc += xcells;
}
for (x = 0; x < xcells; x++) {
if (rc->hw_crc)
crc_p[x] = fast_crc32(p,
PIX_PER_CELL * sizeof(uint32_t),
crc_p[x]);
else
crc_p[x] = (uint32_t)crc32(crc_p[x],
(Bytef *)p,
PIX_PER_CELL * sizeof(uint32_t));
p += PIX_PER_CELL;
/* check for crc delta if last row in cell */
if ((y & PIXCELL_MASK) == PIXCELL_MASK || y == (h-1)) {
if (orig_crc[x] != crc_p[x]) {
orig_crc[x] = crc_p[x];
crc_p[x] = 1;
changes++;
} else {
crc_p[x] = 0;
}
}
}
if (rem_x) {
if (rc->hw_crc)
crc_p[x] = fast_crc32(p,
rem_x * sizeof(uint32_t),
crc_p[x]);
else
crc_p[x] = (uint32_t)crc32(crc_p[x],
(Bytef *)p,
rem_x * sizeof(uint32_t));
p += rem_x;
if ((y & PIXCELL_MASK) == PIXCELL_MASK || y == (h-1)) {
if (orig_crc[x] != crc_p[x]) {
orig_crc[x] = crc_p[x];
crc_p[x] = 1;
changes++;
} else {
crc_p[x] = 0;
}
}
}
}
/* If number of changes is > THRESH percent, send the whole screen */
if (((changes * 100) / (xcells * ycells)) >= RFB_SEND_ALL_THRESH) {
retval = rfb_send_all(rc, cfd, gc_image);
goto done;
}
/* Go through all cells, and send only changed ones */
crc_p = rc->crc_tmp;
for (y = 0; y < h; y += PIX_PER_CELL) {
/* previous cell's row */
celly = (y >> PIXCELL_SHIFT);
/* Delta check crc to previous set */
for (x = 0; x < xcells; x++) {
if (*crc_p++ == 0)
continue;
if (x == (xcells - 1) && rem_x > 0)
cellwidth = rem_x;
else
cellwidth = PIX_PER_CELL;
nwrite = rfb_send_rect(rc, cfd,
gc_image,
x * PIX_PER_CELL,
celly * PIX_PER_CELL,
cellwidth,
y + PIX_PER_CELL >= h ? rem_y : PIX_PER_CELL);
if (nwrite <= 0) {
retval = nwrite;
goto done;
}
}
}
retval = 1;
done:
pthread_mutex_lock(&rc->mtx);
rc->sending = 0;
pthread_mutex_unlock(&rc->mtx);
return (retval);
}
static void
rfb_recv_update_msg(struct rfb_softc *rc, int cfd, int discardonly)
{
struct rfb_updt_msg updt_msg;
struct bhyvegc_image *gc_image;
(void)stream_read(cfd, ((void *)&updt_msg) + 1 , sizeof(updt_msg) - 1);
console_refresh();
gc_image = console_get_image();
updt_msg.x = htons(updt_msg.x);
updt_msg.y = htons(updt_msg.y);
updt_msg.width = htons(updt_msg.width);
updt_msg.height = htons(updt_msg.height);
if (updt_msg.width != gc_image->width ||
updt_msg.height != gc_image->height) {
rc->width = gc_image->width;
rc->height = gc_image->height;
if (rc->enc_resize_ok)
rfb_send_resize_update_msg(rc, cfd);
}
if (discardonly)
return;
rfb_send_screen(rc, cfd, 1);
}
static void
rfb_recv_key_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_key_msg key_msg;
(void)stream_read(cfd, ((void *)&key_msg) + 1, sizeof(key_msg) - 1);
console_key_event(key_msg.down, htonl(key_msg.code));
}
static void
rfb_recv_ptr_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_ptr_msg ptr_msg;
(void)stream_read(cfd, ((void *)&ptr_msg) + 1, sizeof(ptr_msg) - 1);
console_ptr_event(ptr_msg.button, htons(ptr_msg.x), htons(ptr_msg.y));
}
static void
rfb_recv_cuttext_msg(struct rfb_softc *rc, int cfd)
{
struct rfb_cuttext_msg ct_msg;
unsigned char buf[32];
int len;
len = stream_read(cfd, ((void *)&ct_msg) + 1, sizeof(ct_msg) - 1);
ct_msg.length = htonl(ct_msg.length);
while (ct_msg.length > 0) {
len = stream_read(cfd, buf, ct_msg.length > sizeof(buf) ?
sizeof(buf) : ct_msg.length);
ct_msg.length -= len;
}
}
static int64_t
timeval_delta(struct timeval *prev, struct timeval *now)
{
int64_t n1, n2;
n1 = now->tv_sec * 1000000 + now->tv_usec;
n2 = prev->tv_sec * 1000000 + prev->tv_usec;
return (n1 - n2);
}
static void *
rfb_wr_thr(void *arg)
{
struct rfb_softc *rc;
fd_set rfds;
struct timeval tv;
struct timeval prev_tv;
int64_t tdiff;
int cfd;
int err;
rc = arg;
cfd = rc->cfd;
prev_tv.tv_sec = 0;
prev_tv.tv_usec = 0;
while (rc->cfd >= 0) {
FD_ZERO(&rfds);
FD_SET(cfd, &rfds);
tv.tv_sec = 0;
tv.tv_usec = 10000;
err = select(cfd+1, &rfds, NULL, NULL, &tv);
if (err < 0)
return (NULL);
/* Determine if its time to push screen; ~24hz */
gettimeofday(&tv, NULL);
tdiff = timeval_delta(&prev_tv, &tv);
if (tdiff > 40000) {
prev_tv.tv_sec = tv.tv_sec;
prev_tv.tv_usec = tv.tv_usec;
if (rfb_send_screen(rc, cfd, 0) <= 0) {
return (NULL);
}
} else {
/* sleep */
usleep(40000 - tdiff);
}
}
return (NULL);
}
void
rfb_handle(struct rfb_softc *rc, int cfd)
{
const char *vbuf = "RFB 003.008\n";
unsigned char buf[80];
unsigned char *message = NULL;
#ifndef NO_OPENSSL
unsigned char challenge[AUTH_LENGTH];
unsigned char keystr[PASSWD_LENGTH];
unsigned char crypt_expected[AUTH_LENGTH];
DES_key_schedule ks;
int i;
#endif
pthread_t tid;
uint32_t sres = 0;
int len;
int perror = 1;
rc->cfd = cfd;
/* 1a. Send server version */
stream_write(cfd, vbuf, strlen(vbuf));
/* 1b. Read client version */
len = read(cfd, buf, sizeof(buf));
/* 2a. Send security type */
buf[0] = 1;
#ifndef NO_OPENSSL
if (rc->password)
buf[1] = SECURITY_TYPE_VNC_AUTH;
else
buf[1] = SECURITY_TYPE_NONE;
#else
buf[1] = SECURITY_TYPE_NONE;
#endif
stream_write(cfd, buf, 2);
/* 2b. Read agreed security type */
len = stream_read(cfd, buf, 1);
/* 2c. Do VNC authentication */
switch (buf[0]) {
case SECURITY_TYPE_NONE:
sres = 0;
break;
case SECURITY_TYPE_VNC_AUTH:
/*
* The client encrypts the challenge with DES, using a password
* supplied by the user as the key.
* To form the key, the password is truncated to
* eight characters, or padded with null bytes on the right.
* The client then sends the resulting 16-bytes response.
*/
#ifndef NO_OPENSSL
strncpy(keystr, rc->password, PASSWD_LENGTH);
/* VNC clients encrypts the challenge with all the bit fields
* in each byte of the password mirrored.
* Here we flip each byte of the keystr.
*/
for (i = 0; i < PASSWD_LENGTH; i++) {
keystr[i] = (keystr[i] & 0xF0) >> 4
| (keystr[i] & 0x0F) << 4;
keystr[i] = (keystr[i] & 0xCC) >> 2
| (keystr[i] & 0x33) << 2;
keystr[i] = (keystr[i] & 0xAA) >> 1
| (keystr[i] & 0x55) << 1;
}
/* Initialize a 16-byte random challenge */
arc4random_buf(challenge, sizeof(challenge));
stream_write(cfd, challenge, AUTH_LENGTH);
/* Receive the 16-byte challenge response */
stream_read(cfd, buf, AUTH_LENGTH);
memcpy(crypt_expected, challenge, AUTH_LENGTH);
/* Encrypt the Challenge with DES */
DES_set_key((const_DES_cblock *)keystr, &ks);
DES_ecb_encrypt((const_DES_cblock *)challenge,
(const_DES_cblock *)crypt_expected,
&ks, DES_ENCRYPT);
DES_ecb_encrypt((const_DES_cblock *)(challenge + PASSWD_LENGTH),
(const_DES_cblock *)(crypt_expected +
PASSWD_LENGTH),
&ks, DES_ENCRYPT);
if (memcmp(crypt_expected, buf, AUTH_LENGTH) != 0) {
message = "Auth Failed: Invalid Password.";
sres = htonl(1);
} else
sres = 0;
#else
sres = 0;
WPRINTF(("Auth not supported, no OpenSSL in your system"));
#endif
break;
}
/* 2d. Write back a status */
stream_write(cfd, &sres, 4);
if (sres) {
be32enc(buf, strlen(message));
stream_write(cfd, buf, 4);
stream_write(cfd, message, strlen(message));
goto done;
}
/* 3a. Read client shared-flag byte */
len = stream_read(cfd, buf, 1);
/* 4a. Write server-init info */
rfb_send_server_init_msg(cfd);
if (!rc->zbuf) {
rc->zbuf = malloc(RFB_ZLIB_BUFSZ + 16);
assert(rc->zbuf != NULL);
}
rfb_send_screen(rc, cfd, 1);
perror = pthread_create(&tid, NULL, rfb_wr_thr, rc);
if (perror == 0)
pthread_set_name_np(tid, "rfbout");
/* Now read in client requests. 1st byte identifies type */
for (;;) {
len = read(cfd, buf, 1);
if (len <= 0) {
DPRINTF(("rfb client exiting\r\n"));
break;
}
switch (buf[0]) {
case 0:
rfb_recv_set_pixfmt_msg(rc, cfd);
break;
case 2:
rfb_recv_set_encodings_msg(rc, cfd);
break;
case 3:
rfb_recv_update_msg(rc, cfd, 1);
break;
case 4:
rfb_recv_key_msg(rc, cfd);
break;
case 5:
rfb_recv_ptr_msg(rc, cfd);
break;
case 6:
rfb_recv_cuttext_msg(rc, cfd);
break;
default:
WPRINTF(("rfb unknown cli-code %d!\n", buf[0] & 0xff));
goto done;
}
}
done:
rc->cfd = -1;
if (perror == 0)
pthread_join(tid, NULL);
if (rc->enc_zlib_ok)
deflateEnd(&rc->zstream);
}
static void *
rfb_thr(void *arg)
{
struct rfb_softc *rc;
sigset_t set;
int cfd;
rc = arg;
sigemptyset(&set);
sigaddset(&set, SIGPIPE);
if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
perror("pthread_sigmask");
return (NULL);
}
for (;;) {
rc->enc_raw_ok = false;
rc->enc_zlib_ok = false;
rc->enc_resize_ok = false;
cfd = accept(rc->sfd, NULL, NULL);
if (rc->conn_wait) {
pthread_mutex_lock(&rc->mtx);
pthread_cond_signal(&rc->cond);
pthread_mutex_unlock(&rc->mtx);
rc->conn_wait = 0;
}
rfb_handle(rc, cfd);
close(cfd);
}
/* NOTREACHED */
return (NULL);
}
static int
sse42_supported(void)
{
u_int cpu_registers[4], ecx;
do_cpuid(1, cpu_registers);
ecx = cpu_registers[2];
return ((ecx & CPUID2_SSE42) != 0);
}
int
rfb_init(char *hostname, int port, int wait, char *password)
{
struct rfb_softc *rc;
struct sockaddr_in sin;
int on = 1;
#ifndef WITHOUT_CAPSICUM
cap_rights_t rights;
#endif
rc = calloc(1, sizeof(struct rfb_softc));
rc->crc = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32),
sizeof(uint32_t));
rc->crc_tmp = calloc(howmany(RFB_MAX_WIDTH * RFB_MAX_HEIGHT, 32),
sizeof(uint32_t));
rc->crc_width = RFB_MAX_WIDTH;
rc->crc_height = RFB_MAX_HEIGHT;
rc->password = password;
rc->sfd = socket(AF_INET, SOCK_STREAM, 0);
if (rc->sfd < 0) {
perror("socket");
return (-1);
}
setsockopt(rc->sfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
sin.sin_len = sizeof(sin);
sin.sin_family = AF_INET;
sin.sin_port = port ? htons(port) : htons(5900);
if (hostname && strlen(hostname) > 0)
inet_pton(AF_INET, hostname, &(sin.sin_addr));
else
sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
if (bind(rc->sfd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("bind");
return (-1);
}
if (listen(rc->sfd, 1) < 0) {
perror("listen");
return (-1);
}
#ifndef WITHOUT_CAPSICUM
cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
if (cap_rights_limit(rc->sfd, &rights) == -1 && errno != ENOSYS)
errx(EX_OSERR, "Unable to apply rights for sandbox");
#endif
rc->hw_crc = sse42_supported();
rc->conn_wait = wait;
if (wait) {
pthread_mutex_init(&rc->mtx, NULL);
pthread_cond_init(&rc->cond, NULL);
}
pthread_create(&rc->tid, NULL, rfb_thr, rc);
pthread_set_name_np(rc->tid, "rfb");
if (wait) {
DPRINTF(("Waiting for rfb client...\n"));
pthread_mutex_lock(&rc->mtx);
pthread_cond_wait(&rc->cond, &rc->mtx);
pthread_mutex_unlock(&rc->mtx);
}
return (0);
}