2013-01-21 11:04:44 +01:00
|
|
|
/*
|
|
|
|
* QEMU VNC display driver: Websockets support
|
|
|
|
*
|
|
|
|
* Copyright (C) 2010 Joel Martin
|
|
|
|
* Copyright (C) 2012 Tim Hardeck
|
|
|
|
*
|
|
|
|
* This is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This software is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this software; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "vnc.h"
|
2013-08-21 17:02:47 +02:00
|
|
|
#include "qemu/main-loop.h"
|
2015-07-01 19:10:36 +02:00
|
|
|
#include "crypto/hash.h"
|
2013-01-21 11:04:44 +01:00
|
|
|
|
2015-04-08 20:04:12 +02:00
|
|
|
static int vncws_start_tls_handshake(VncState *vs)
|
2013-04-23 16:33:01 +02:00
|
|
|
{
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
Error *err = NULL;
|
2013-04-23 16:33:01 +02:00
|
|
|
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
if (qcrypto_tls_session_handshake(vs->tls, &err) < 0) {
|
|
|
|
goto error;
|
2013-04-23 16:33:01 +02:00
|
|
|
}
|
|
|
|
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
switch (qcrypto_tls_session_get_handshake_status(vs->tls)) {
|
|
|
|
case QCRYPTO_TLS_HANDSHAKE_COMPLETE:
|
|
|
|
VNC_DEBUG("Handshake done, checking credentials\n");
|
|
|
|
if (qcrypto_tls_session_check_credentials(vs->tls, &err) < 0) {
|
|
|
|
goto error;
|
2015-03-17 14:43:00 +01:00
|
|
|
}
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
VNC_DEBUG("Client verification passed, starting TLS I/O\n");
|
|
|
|
qemu_set_fd_handler(vs->csock, vncws_handshake_read, NULL, vs);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case QCRYPTO_TLS_HANDSHAKE_RECVING:
|
|
|
|
VNC_DEBUG("Handshake interrupted (blocking read)\n");
|
|
|
|
qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, NULL, vs);
|
|
|
|
break;
|
2015-03-17 14:43:00 +01:00
|
|
|
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
case QCRYPTO_TLS_HANDSHAKE_SENDING:
|
|
|
|
VNC_DEBUG("Handshake interrupted (blocking write)\n");
|
|
|
|
qemu_set_fd_handler(vs->csock, NULL, vncws_tls_handshake_io, vs);
|
|
|
|
break;
|
|
|
|
}
|
2013-04-23 16:33:01 +02:00
|
|
|
|
|
|
|
return 0;
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
|
|
|
|
error:
|
|
|
|
VNC_DEBUG("Handshake failed %s\n", error_get_pretty(err));
|
|
|
|
error_free(err);
|
|
|
|
vnc_client_error(vs);
|
|
|
|
return -1;
|
2013-04-23 16:33:01 +02:00
|
|
|
}
|
|
|
|
|
2015-03-17 14:42:58 +01:00
|
|
|
void vncws_tls_handshake_io(void *opaque)
|
2013-04-23 16:33:01 +02:00
|
|
|
{
|
2015-04-08 20:04:12 +02:00
|
|
|
VncState *vs = (VncState *)opaque;
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
Error *err = NULL;
|
2013-04-23 16:33:01 +02:00
|
|
|
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
vs->tls = qcrypto_tls_session_new(vs->vd->tlscreds,
|
|
|
|
NULL,
|
|
|
|
vs->vd->tlsaclname,
|
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
|
|
|
|
&err);
|
|
|
|
if (!vs->tls) {
|
|
|
|
VNC_DEBUG("Failed to setup TLS %s\n",
|
|
|
|
error_get_pretty(err));
|
|
|
|
error_free(err);
|
|
|
|
vnc_client_error(vs);
|
|
|
|
return;
|
2013-04-23 16:33:01 +02:00
|
|
|
}
|
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-08-06 15:39:32 +02:00
|
|
|
|
|
|
|
qcrypto_tls_session_set_callbacks(vs->tls,
|
|
|
|
vnc_tls_push,
|
|
|
|
vnc_tls_pull,
|
|
|
|
vs);
|
|
|
|
|
|
|
|
VNC_DEBUG("Start TLS WS handshake process\n");
|
2015-03-17 14:42:58 +01:00
|
|
|
vncws_start_tls_handshake(vs);
|
2013-04-23 16:33:01 +02:00
|
|
|
}
|
|
|
|
|
2013-01-21 11:04:44 +01:00
|
|
|
void vncws_handshake_read(void *opaque)
|
|
|
|
{
|
|
|
|
VncState *vs = opaque;
|
|
|
|
uint8_t *handshake_end;
|
|
|
|
long ret;
|
2015-03-23 23:58:22 +01:00
|
|
|
/* Typical HTTP headers from novnc are 512 bytes, so limiting
|
|
|
|
* total header size to 4096 is easily enough. */
|
|
|
|
size_t want = 4096 - vs->ws_input.offset;
|
|
|
|
buffer_reserve(&vs->ws_input, want);
|
|
|
|
ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
|
2013-01-21 11:04:44 +01:00
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
if (vs->csock == -1) {
|
|
|
|
vnc_disconnect_finish(vs);
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
vs->ws_input.offset += ret;
|
|
|
|
|
|
|
|
handshake_end = (uint8_t *)g_strstr_len((char *)vs->ws_input.buffer,
|
|
|
|
vs->ws_input.offset, WS_HANDSHAKE_END);
|
|
|
|
if (handshake_end) {
|
Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler
Done with following Coccinelle semantic patch, plus manual cosmetic changes in
net/*.c.
@@
expression E1, E2, E3, E4;
@@
- qemu_set_fd_handler2(E1, NULL, E2, E3, E4);
+ qemu_set_fd_handler(E1, E2, E3, E4);
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-8-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-06-04 08:45:18 +02:00
|
|
|
qemu_set_fd_handler(vs->csock, vnc_client_read, NULL, vs);
|
2013-01-21 11:04:44 +01:00
|
|
|
vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
|
|
|
|
buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
|
|
|
|
strlen(WS_HANDSHAKE_END));
|
2015-03-23 23:58:22 +01:00
|
|
|
} else if (vs->ws_input.offset >= 4096) {
|
|
|
|
VNC_DEBUG("End of headers not found in first 4096 bytes\n");
|
|
|
|
vnc_client_error(vs);
|
2013-01-21 11:04:44 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
long vnc_client_read_ws(VncState *vs)
|
|
|
|
{
|
|
|
|
int ret, err;
|
|
|
|
uint8_t *payload;
|
2015-03-23 23:58:21 +01:00
|
|
|
size_t payload_size, header_size;
|
2013-01-21 11:04:44 +01:00
|
|
|
VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer,
|
|
|
|
vs->ws_input.capacity, vs->ws_input.offset);
|
|
|
|
buffer_reserve(&vs->ws_input, 4096);
|
|
|
|
ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
|
|
|
|
if (!ret) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
vs->ws_input.offset += ret;
|
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
ret = 0;
|
|
|
|
/* consume as much of ws_input buffer as possible */
|
2013-01-21 11:04:44 +01:00
|
|
|
do {
|
2015-03-23 23:58:21 +01:00
|
|
|
if (vs->ws_payload_remain == 0) {
|
|
|
|
err = vncws_decode_frame_header(&vs->ws_input,
|
|
|
|
&header_size,
|
|
|
|
&vs->ws_payload_remain,
|
|
|
|
&vs->ws_payload_mask);
|
|
|
|
if (err <= 0) {
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
buffer_advance(&vs->ws_input, header_size);
|
2013-01-21 11:04:44 +01:00
|
|
|
}
|
2015-03-23 23:58:21 +01:00
|
|
|
if (vs->ws_payload_remain != 0) {
|
|
|
|
err = vncws_decode_frame_payload(&vs->ws_input,
|
|
|
|
&vs->ws_payload_remain,
|
|
|
|
&vs->ws_payload_mask,
|
|
|
|
&payload,
|
|
|
|
&payload_size);
|
|
|
|
if (err < 0) {
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
ret += err;
|
2013-01-21 11:04:44 +01:00
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
buffer_reserve(&vs->input, payload_size);
|
|
|
|
buffer_append(&vs->input, payload, payload_size);
|
2013-01-21 11:04:44 +01:00
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
buffer_advance(&vs->ws_input, payload_size);
|
|
|
|
}
|
2013-01-21 11:04:44 +01:00
|
|
|
} while (vs->ws_input.offset > 0);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
long vnc_client_write_ws(VncState *vs)
|
|
|
|
{
|
|
|
|
long ret;
|
|
|
|
VNC_DEBUG("Write WS: Pending output %p size %zd offset %zd\n",
|
|
|
|
vs->output.buffer, vs->output.capacity, vs->output.offset);
|
|
|
|
vncws_encode_frame(&vs->ws_output, vs->output.buffer, vs->output.offset);
|
|
|
|
buffer_reset(&vs->output);
|
|
|
|
ret = vnc_client_write_buf(vs, vs->ws_output.buffer, vs->ws_output.offset);
|
|
|
|
if (!ret) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
buffer_advance(&vs->ws_output, ret);
|
|
|
|
|
|
|
|
if (vs->ws_output.offset == 0) {
|
Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler
Done with following Coccinelle semantic patch, plus manual cosmetic changes in
net/*.c.
@@
expression E1, E2, E3, E4;
@@
- qemu_set_fd_handler2(E1, NULL, E2, E3, E4);
+ qemu_set_fd_handler(E1, E2, E3, E4);
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-8-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-06-04 08:45:18 +02:00
|
|
|
qemu_set_fd_handler(vs->csock, vnc_client_read, NULL, vs);
|
2013-01-21 11:04:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static char *vncws_extract_handshake_entry(const char *handshake,
|
|
|
|
size_t handshake_len, const char *name)
|
|
|
|
{
|
|
|
|
char *begin, *end, *ret = NULL;
|
|
|
|
char *line = g_strdup_printf("%s%s: ", WS_HANDSHAKE_DELIM, name);
|
|
|
|
begin = g_strstr_len(handshake, handshake_len, line);
|
|
|
|
if (begin != NULL) {
|
|
|
|
begin += strlen(line);
|
|
|
|
end = g_strstr_len(begin, handshake_len - (begin - handshake),
|
|
|
|
WS_HANDSHAKE_DELIM);
|
|
|
|
if (end != NULL) {
|
|
|
|
ret = g_strndup(begin, end - begin);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
g_free(line);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void vncws_send_handshake_response(VncState *vs, const char* key)
|
|
|
|
{
|
|
|
|
char combined_key[WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1];
|
|
|
|
char *accept = NULL, *response = NULL;
|
2015-07-01 19:10:36 +02:00
|
|
|
Error *err = NULL;
|
2013-01-21 11:04:44 +01:00
|
|
|
|
|
|
|
g_strlcpy(combined_key, key, WS_CLIENT_KEY_LEN + 1);
|
|
|
|
g_strlcat(combined_key, WS_GUID, WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1);
|
|
|
|
|
|
|
|
/* hash and encode it */
|
2015-07-01 19:10:36 +02:00
|
|
|
if (qcrypto_hash_base64(QCRYPTO_HASH_ALG_SHA1,
|
|
|
|
combined_key,
|
|
|
|
WS_CLIENT_KEY_LEN + WS_GUID_LEN,
|
|
|
|
&accept,
|
|
|
|
&err) < 0) {
|
|
|
|
VNC_DEBUG("Hashing Websocket combined key failed %s\n",
|
|
|
|
error_get_pretty(err));
|
|
|
|
error_free(err);
|
2013-01-21 11:04:44 +01:00
|
|
|
vnc_client_error(vs);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
response = g_strdup_printf(WS_HANDSHAKE, accept);
|
2015-02-26 00:21:39 +01:00
|
|
|
vnc_client_write_buf(vs, (const uint8_t *)response, strlen(response));
|
2013-01-21 11:04:44 +01:00
|
|
|
|
|
|
|
g_free(accept);
|
|
|
|
g_free(response);
|
|
|
|
|
|
|
|
vs->encode_ws = 1;
|
|
|
|
vnc_init_state(vs);
|
|
|
|
}
|
|
|
|
|
|
|
|
void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size)
|
|
|
|
{
|
|
|
|
char *protocols = vncws_extract_handshake_entry((const char *)line, size,
|
|
|
|
"Sec-WebSocket-Protocol");
|
|
|
|
char *version = vncws_extract_handshake_entry((const char *)line, size,
|
|
|
|
"Sec-WebSocket-Version");
|
|
|
|
char *key = vncws_extract_handshake_entry((const char *)line, size,
|
|
|
|
"Sec-WebSocket-Key");
|
|
|
|
|
|
|
|
if (protocols && version && key
|
|
|
|
&& g_strrstr(protocols, "binary")
|
|
|
|
&& !strcmp(version, WS_SUPPORTED_VERSION)
|
|
|
|
&& strlen(key) == WS_CLIENT_KEY_LEN) {
|
|
|
|
vncws_send_handshake_response(vs, key);
|
|
|
|
} else {
|
|
|
|
VNC_DEBUG("Defective Websockets header or unsupported protocol\n");
|
|
|
|
vnc_client_error(vs);
|
|
|
|
}
|
|
|
|
|
|
|
|
g_free(protocols);
|
|
|
|
g_free(version);
|
|
|
|
g_free(key);
|
|
|
|
}
|
|
|
|
|
|
|
|
void vncws_encode_frame(Buffer *output, const void *payload,
|
|
|
|
const size_t payload_size)
|
|
|
|
{
|
|
|
|
size_t header_size = 0;
|
|
|
|
unsigned char opcode = WS_OPCODE_BINARY_FRAME;
|
|
|
|
union {
|
|
|
|
char buf[WS_HEAD_MAX_LEN];
|
|
|
|
WsHeader ws;
|
|
|
|
} header;
|
|
|
|
|
|
|
|
if (!payload_size) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
header.ws.b0 = 0x80 | (opcode & 0x0f);
|
|
|
|
if (payload_size <= 125) {
|
|
|
|
header.ws.b1 = (uint8_t)payload_size;
|
|
|
|
header_size = 2;
|
|
|
|
} else if (payload_size < 65536) {
|
|
|
|
header.ws.b1 = 0x7e;
|
|
|
|
header.ws.u.s16.l16 = cpu_to_be16((uint16_t)payload_size);
|
|
|
|
header_size = 4;
|
|
|
|
} else {
|
|
|
|
header.ws.b1 = 0x7f;
|
|
|
|
header.ws.u.s64.l64 = cpu_to_be64(payload_size);
|
|
|
|
header_size = 10;
|
|
|
|
}
|
|
|
|
|
|
|
|
buffer_reserve(output, header_size + payload_size);
|
|
|
|
buffer_append(output, header.buf, header_size);
|
|
|
|
buffer_append(output, payload, payload_size);
|
|
|
|
}
|
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
int vncws_decode_frame_header(Buffer *input,
|
|
|
|
size_t *header_size,
|
|
|
|
size_t *payload_remain,
|
|
|
|
WsMask *payload_mask)
|
2013-01-21 11:04:44 +01:00
|
|
|
{
|
|
|
|
unsigned char opcode = 0, fin = 0, has_mask = 0;
|
2015-03-23 23:58:21 +01:00
|
|
|
size_t payload_len;
|
2013-01-21 11:04:44 +01:00
|
|
|
WsHeader *header = (WsHeader *)input->buffer;
|
|
|
|
|
|
|
|
if (input->offset < WS_HEAD_MIN_LEN + 4) {
|
|
|
|
/* header not complete */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
fin = (header->b0 & 0x80) >> 7;
|
|
|
|
opcode = header->b0 & 0x0f;
|
|
|
|
has_mask = (header->b1 & 0x80) >> 7;
|
2015-03-23 23:58:21 +01:00
|
|
|
payload_len = header->b1 & 0x7f;
|
2013-01-21 11:04:44 +01:00
|
|
|
|
|
|
|
if (opcode == WS_OPCODE_CLOSE) {
|
|
|
|
/* disconnect */
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Websocket frame sanity check:
|
|
|
|
* * Websocket fragmentation is not supported.
|
|
|
|
* * All websockets frames sent by a client have to be masked.
|
|
|
|
* * Only binary encoding is supported.
|
|
|
|
*/
|
|
|
|
if (!fin || !has_mask || opcode != WS_OPCODE_BINARY_FRAME) {
|
|
|
|
VNC_DEBUG("Received faulty/unsupported Websocket frame\n");
|
|
|
|
return -2;
|
|
|
|
}
|
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
if (payload_len < 126) {
|
|
|
|
*payload_remain = payload_len;
|
|
|
|
*header_size = 6;
|
|
|
|
*payload_mask = header->u.m;
|
|
|
|
} else if (payload_len == 126 && input->offset >= 8) {
|
|
|
|
*payload_remain = be16_to_cpu(header->u.s16.l16);
|
|
|
|
*header_size = 8;
|
|
|
|
*payload_mask = header->u.s16.m16;
|
|
|
|
} else if (payload_len == 127 && input->offset >= 14) {
|
|
|
|
*payload_remain = be64_to_cpu(header->u.s64.l64);
|
|
|
|
*header_size = 14;
|
|
|
|
*payload_mask = header->u.s64.m64;
|
2013-01-21 11:04:44 +01:00
|
|
|
} else {
|
|
|
|
/* header not complete */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int vncws_decode_frame_payload(Buffer *input,
|
|
|
|
size_t *payload_remain, WsMask *payload_mask,
|
|
|
|
uint8_t **payload, size_t *payload_size)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
uint32_t *payload32;
|
2013-01-21 11:04:44 +01:00
|
|
|
|
2015-03-23 23:58:21 +01:00
|
|
|
*payload = input->buffer;
|
|
|
|
/* If we aren't at the end of the payload, then drop
|
|
|
|
* off the last bytes, so we're always multiple of 4
|
|
|
|
* for purpose of unmasking, except at end of payload
|
|
|
|
*/
|
|
|
|
if (input->offset < *payload_remain) {
|
|
|
|
*payload_size = input->offset - (input->offset % 4);
|
|
|
|
} else {
|
|
|
|
*payload_size = *payload_remain;
|
|
|
|
}
|
|
|
|
if (*payload_size == 0) {
|
2013-01-21 11:04:44 +01:00
|
|
|
return 0;
|
|
|
|
}
|
2015-03-23 23:58:21 +01:00
|
|
|
*payload_remain -= *payload_size;
|
2013-01-21 11:04:44 +01:00
|
|
|
|
|
|
|
/* unmask frame */
|
|
|
|
/* process 1 frame (32 bit op) */
|
|
|
|
payload32 = (uint32_t *)(*payload);
|
|
|
|
for (i = 0; i < *payload_size / 4; i++) {
|
2015-03-23 23:58:21 +01:00
|
|
|
payload32[i] ^= payload_mask->u;
|
2013-01-21 11:04:44 +01:00
|
|
|
}
|
|
|
|
/* process the remaining bytes (if any) */
|
|
|
|
for (i *= 4; i < *payload_size; i++) {
|
2015-03-23 23:58:21 +01:00
|
|
|
(*payload)[i] ^= payload_mask->c[i % 4];
|
2013-01-21 11:04:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|