Patchwork [v3] vnc: added initial websocket protocol support

login
register
mail settings
Submitter Tim Hardeck
Date Nov. 23, 2012, 7 p.m.
Message ID <1353697247-20805-1-git-send-email-thardeck@suse.de>
Download mbox | patch
Permalink /patch/201391/
State New
Headers show

Comments

Tim Hardeck - Nov. 23, 2012, 7 p.m.
This patch adds basic Websocket Protocol version 13 - RFC 6455 - support
to QEMU VNC. Binary encoding support on the client side is mandatory.

Because of the GnuTLS requirement the Websockets implementation is
optional (--enable-vnc-ws).

To activate Websocket support the VNC option "websocket"is used, for
example "-vnc :0,websocket".
The listen port for Websocket connections is (5700 + display) so if
QEMU VNC is started with :0 the Websocket port would be 5700.
As an alternative the Websocket port could be manually specified by
using ",websocket=<port>" instead.

Parts of the implementation base on Anthony Liguori's QEMU Websocket
patch from 2010 and on Joel Martin's LibVNC Websocket implementation.

Signed-off-by: Tim Hardeck <thardeck@suse.de>

---

Changes v2
* removed automatic websocket recognition
* added new lwebsock socket on port 5700 + display when the vnc option
  "websocket" is passed on
* adapted vnc_connect vnc_listen_read to differ between websocket
* added separate event handler to read the Websocket handshake

Changes v3
* added manual port specification by using ",websocket=<port>"
* switched from memmem() to g_strstr_len()
* removed masked_size from vncws_decode_frame()
* resetted vnc_tls variable to default in the configure script

QEMU does segfault if a regular VNC client connects to the Websocket
port and then disconnects because of several unitialized lists since
vnc_init_state wasn't run before.
The segfault could be fixed by applying my previously sent patches
"[PATCH 0/2] fix segfaults triggered by failed vnc handshakes".

I have used parts of the LibVNC websockets implementation that's why
I have added the GPL header to the new files.
---
 configure        |   32 ++++++++
 qemu-options.hx  |    8 ++
 ui/Makefile.objs |    1 +
 ui/vnc-ws.c      |  206 +++++++++++++++++++++++++++++++++++++++++++++++++
 ui/vnc-ws.h      |  101 ++++++++++++++++++++++++
 ui/vnc.c         |  226 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 ui/vnc.h         |   21 +++++
 7 files changed, 575 insertions(+), 20 deletions(-)
 create mode 100644 ui/vnc-ws.c
 create mode 100644 ui/vnc-ws.h
Stefan Hajnoczi - Dec. 3, 2012, 4:22 p.m.
On Fri, Nov 23, 2012 at 08:00:47PM +0100, Tim Hardeck wrote:

Thanks for the patch, Tim.  Some general code review comments below.  I
hope someone has time to review the VNC and WebSocket specific stuff.  I
didn't check the details of buffers, whether the WebSocket spec is
correctly implemented, etc.

> QEMU does segfault if a regular VNC client connects to the Websocket
> port and then disconnects because of several unitialized lists since
> vnc_init_state wasn't run before.
> The segfault could be fixed by applying my previously sent patches
> "[PATCH 0/2] fix segfaults triggered by failed vnc handshakes".

The segfault issue should be addressed before merging it.  I think the
response on that email thread was to fix the qemu-queue.h users rather
than making it okay to remove an element that isn't on a list
(especially because this relies on uninitialized elements having a NULL
value).  So is the next step to fix those list users in VNC code?

>  ##########################################
> +# VNC WS detection
> +if test "$vnc" = "yes" -a "$vnc_ws" != "no" ; then
> +  cat > $TMPC <<EOF
> +#include <gnutls/gnutls.h>
> +int main(void) { gnutls_session_t s; gnutls_init(&s, GNUTLS_SERVER); return 0; }
> +EOF
> +  vnc_ws_cflags=`$pkg_config --cflags gnutls 2> /dev/null`
> +  vnc_ws_libs=`$pkg_config --libs gnutls 2> /dev/null`
> +  if compile_prog "$vnc_ws_cflags" "$vnc_ws_libs" ; then
> +    vnc_ws=yes
> +    libs_softmmu="$vnc_ws_libs $libs_softmmu"
> +  else
> +    if test "$vnc_ws" = "yes" ; then
> +      feature_not_found "vnc-ws"
> +    fi
> +    vnc_ws=no
> +  fi
> +fi

This is really testing for GnuTLS rather than WebSockets.  This probing
is duplicated from the VNC TLS option.

I suggest probing GnuTLS once and then using the result for both vnc_tls
and vnc_ws.  That way we don't duplicate the GnuTLS code.

> diff --git a/qemu-options.hx b/qemu-options.hx
> index 9bb29d3..647071e 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -1096,6 +1096,14 @@ client is specified by the @var{display}. For reverse network
>  connections (@var{host}:@var{d},@code{reverse}), the @var{d} argument
>  is a TCP port number, not a display number.
>  
> +@item websocket
> +
> +Opens an additional TCP listening port dedicated to VNC Websocket connections.
> +By defintion the Websocket port is 5700+@var{display}. If @var{host} is

s/defintion/definition/

> +char *vncws_extract_handshake_entry(const char *handshake,
> +    size_t handshake_len, const char *name)

This function should be static.

> +void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size)
> +{
> +    char *protocols = vncws_extract_handshake_entry((const char *)line, size,
> +            "Sec-WebSocket-Protocol: ");
> +    char *version = vncws_extract_handshake_entry((const char *)line, size,
> +            "Sec-WebSocket-Version: ");
> +    char *key = vncws_extract_handshake_entry((const char *)line, size,
> +            "Sec-WebSocket-Key: ");
> +
> +    if (protocols && version && key
> +         && g_strrstr(protocols, "binary") != NULL
> +         && strcmp(version, WS_SUPPORTED_VERSION) == 0
> +         && strlen(key) == WS_CLIENT_KEY_LEN) {
> +            vncws_send_handshake_response(vs, key);

Indentation should be 4 spaces.

> +    } else {
> +        VNC_DEBUG("Defective Websockets header or unsupported protocol\n");
> +        vnc_client_error(vs);
> +    }
> +
> +    g_free(protocols);
> +    g_free(version);
> +    g_free(key);
> +}
> +
> +void vncws_send_handshake_response(VncState *vs, const char* key)

This function should be static.

> +{
> +    char combined_key[WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1];
> +    char response[WS_HANDSHAKE_MAX_LEN];
> +    char hash[SHA1_DIGEST_LEN + 1];

Why +1 if this is a 20-byte SHA1 binary hash?

> +    char *accept = NULL;
> +    size_t hash_size = SHA1_DIGEST_LEN, response_size = 0;
> +    gnutls_datum_t in;
> +
> +    /* create combined key */
> +    pstrcpy(combined_key, WS_CLIENT_KEY_LEN + 1, key);
> +    pstrcat(combined_key, WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1, WS_GUID);
> +
> +    /* hash and encode it */
> +    in.data = (void *)combined_key;
> +    in.size = WS_CLIENT_KEY_LEN + WS_GUID_LEN;
> +    if (gnutls_fingerprint(GNUTLS_DIG_SHA1, &in, hash, &hash_size)
> +            == GNUTLS_E_SUCCESS) {
> +        accept = g_base64_encode((guchar *)hash, SHA1_DIGEST_LEN);
> +    }
> +    if (accept == NULL) {
> +        VNC_DEBUG("Hashing Websocket combined key failed\n");
> +        vnc_client_error(vs);
> +        return;
> +    }
> +
> +    /* create handshake response */
> +    response_size = snprintf(response, WS_HANDSHAKE_MAX_LEN,
> +            WS_HANDSHAKE, accept);

Please use sizeof(response) instead of WS_HANDSHAKE_MAX_LEN.  It's safer
to use sizeof() rather than repeating the constant so that the sizes
still match up if the variable definition is changed.

> +    g_free(accept);
> +
> +    vnc_write(vs, response, response_size);
> +    vnc_flush(vs);
> +
> +    vs->encode_ws = 1;
> +    vnc_init_state(vs);
> +}
> +
> +void vncws_encode_frame(Buffer *output, const void *payload,
> +        const size_t payload_size)
> +{
> +    size_t header_size = 0;
> +    unsigned char opcode = WS_OPCODE_BINARY_FRAME;
> +    char header_buf[WS_HEAD_MAX_LEN];
> +    ws_header_t *header = (ws_header_t *)header_buf;

It's slightly cleaner to use:
union {
    char buf[WS_HEAD_MAX_LEN];
    ws_header_t ws;
} header;

That way the compiler know they are aliased and can even align buf[] so
that ws_header_t field accesses are aligned, if necessary.

> diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h
> new file mode 100644
> index 0000000..0c5e2b5
> --- /dev/null
> +++ b/ui/vnc-ws.h
> @@ -0,0 +1,101 @@
> +/*
> + * QEMU VNC display driver: Websockets support
> + *
> + * Copyright (C) 2010 Joel Martin
> + * Copyright (C) 2012 Tim Hardeck
> + *
> + * This is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This software is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this software; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
> + * USA.
> + */
> +
> +#ifndef __QEMU_VNC_WS_H
> +#define __QEMU_VNC_WS_H
> +
> +#ifndef CONFIG_VNC_TLS
> +#include <gnutls/gnutls.h>
> +#endif

Your ./configure change does not depend on CONFIG_VNC_TLS.  It would be
possible to say ./configure --disable-vnc-tls --enable-vnc-ws.  I think
the #ifdef here can be dropped.

> +
> +#define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
> +#define SHA1_DIGEST_LEN 20
> +
> +#define WS_ACCEPT_LEN (B64LEN(SHA1_DIGEST_LEN) + 1)
> +#define WS_CLIENT_KEY_LEN 24
> +#define WS_GUID "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
> +#define WS_GUID_LEN strlen(WS_GUID)
> +
> +#define WS_HANDSHAKE_MAX_LEN 192
> +#define WS_HANDSHAKE "HTTP/1.1 101 Switching Protocols\r\n\
> +Upgrade: websocket\r\n\
> +Connection: Upgrade\r\n\
> +Sec-WebSocket-Accept: %s\r\n\
> +Sec-WebSocket-Protocol: binary\r\n\
> +\r\n"
> +#define WS_HANDSHAKE_DELIM "\r\n"
> +#define WS_HANDSHAKE_END "\r\n\r\n"
> +#define WS_SUPPORTED_VERSION "13"
> +
> +#define WS_HEAD_MIN_LEN 2
> +#define WS_HEAD_MAX_LEN 14  /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */

Perhaps best to convert the comment into code:

#define WS_HEAD_MAX_LEN (WS_HEAD_MIN_LEN + sizeof(uint64_t) + sizeof(uint32_t))

> +
> +#define WS_HTON64(n) htobe64(n)
> +#define WS_HTON16(n) htobe16(n)
> +#define WS_NTOH16(n) htobe16(n)
> +#define WS_NTOH64(n) htobe64(n)

Why wrapper macros?

> +typedef union ws_mask_s {
> +    char c[4];
> +    uint32_t u;
> +} ws_mask_t;
> +
> +/* XXX: The union and the structs do not need to be named.
> + *      We are working around a bug present in GCC < 4.6 which prevented
> + *      it from recognizing anonymous structs and unions.
> + *      See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
> + */
> +typedef struct __attribute__ ((__packed__)) ws_header_s {
> +    unsigned char b0;
> +    unsigned char b1;
> +    union {
> +        struct __attribute__ ((__packed__)) {
> +            uint16_t l16;
> +            ws_mask_t m16;
> +        } s16;
> +        struct __attribute__ ((__packed__)) {
> +            uint64_t l64;
> +            ws_mask_t m64;
> +        } s64;
> +        ws_mask_t m;
> +    } u;
> +} ws_header_t;

QEMU naming does not allow _t.  This should be WsHeader or WSHeader.

> +
> +enum {
> +    WS_OPCODE_CONTINUATION = 0x0,
> +    WS_OPCODE_TEXT_FRAME = 0x1,
> +    WS_OPCODE_BINARY_FRAME = 0x2,
> +    WS_OPCODE_CLOSE = 0x8,
> +    WS_OPCODE_PING = 0x9,
> +    WS_OPCODE_PONG = 0xA
> +};
> +
> +char *vncws_extract_handshake_entry(const char *header, size_t header_len,
> +            const char *name);
> +void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
> +void vncws_send_handshake_response(VncState *vs, const char* key);
> +void vncws_encode_frame(Buffer *output, const void *payload,
> +            const size_t payload_size);
> +int vncws_decode_frame(Buffer *input, uint8_t **payload,
> +                               size_t *payload_size, size_t *frame_size);
> +
> +#endif /* __QEMU_VNC_WS_H */
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 61f120e..676ac0d 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -510,6 +510,13 @@ void buffer_append(Buffer *buffer, const void *data, size_t len)
>      buffer->offset += len;
>  }
>  
> +void buffer_advance(Buffer *buf, size_t len)
> +{
> +    memmove(buf->buffer, buf->buffer + len,
> +            (buf->offset - len));
> +    buf->offset -= len;
> +}

Please introduce this function and convert its callers in a separate
commit.  That makes it easier to review, bisect, revert, etc the
commits.  This change isn't WS-specific.

> +
>  static void vnc_desktop_resize(VncState *vs)
>  {
>      DisplayState *ds = vs->ds;
> @@ -1027,6 +1034,9 @@ static void vnc_disconnect_finish(VncState *vs)
>  
>      buffer_free(&vs->input);
>      buffer_free(&vs->output);
> +#ifdef CONFIG_VNC_WS
> +    buffer_free(&vs->ws_input);
> +#endif
>  
>      qobject_decref(vs->info);
>  
> @@ -1166,8 +1176,7 @@ static long vnc_client_write_plain(VncState *vs)
>      if (!ret)
>          return 0;
>  
> -    memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
> -    vs->output.offset -= ret;
> +    buffer_advance(&vs->output, ret);
>  
>      if (vs->output.offset == 0) {
>          qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
> @@ -1280,6 +1289,26 @@ static void vnc_jobs_bh(void *opaque)
>      vnc_jobs_consume_buffer(vs);
>  }
>  
> +#ifdef CONFIG_VNC_WS
> +void vncws_handshake_read(void *opaque)
> +{
> +    VncState *vs = opaque;
> +    long ret = vnc_client_read_plain(vs);
> +    if (!ret) {
> +        if (vs->csock == -1) {
> +            vnc_disconnect_finish(vs);
> +        }
> +        return;
> +    }
> +
> +    if (vs->input.offset > 0) {
> +        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
> +        vncws_process_handshake(vs, vs->input.buffer, vs->input.offset);
> +        buffer_reset(&vs->input);
> +    }
> +}
> +#endif
> +
>  /*
>   * First function called whenever there is more data to be read from
>   * the client socket. Will delegate actual work according to whether
> @@ -1289,6 +1318,7 @@ void vnc_client_read(void *opaque)
>  {
>      VncState *vs = opaque;
>      long ret;
> +    Buffer *buf;
>  
>  #ifdef CONFIG_VNC_SASL
>      if (vs->sasl.conn && vs->sasl.runSSF)
> @@ -1302,19 +1332,49 @@ void vnc_client_read(void *opaque)
>          return;
>      }
>  
> -    while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
> +#ifdef CONFIG_VNC_WS
> +    if (vs->encode_ws) {
> +        uint8_t *payload;
> +        size_t payload_size, frame_size;
> +
> +        /* make sure that nothing is left in the input buffer */
> +        do {
> +            ret = vncws_decode_frame(&vs->input, &payload,
> +                                  &payload_size, &frame_size);
> +
> +            if (ret == 0) {
> +                /* not enough data to process, wait for more */
> +                return;
> +            } else if (ret == -1) {
> +                vnc_disconnect_start(vs);
> +                return;
> +            } else if (ret == -2) {
> +                vnc_client_error(vs);
> +                return;
> +            }
> +
> +            buffer_reserve(&vs->ws_input, payload_size);
> +            buffer_append(&vs->ws_input, payload, payload_size);
> +
> +            buffer_advance(&vs->input, frame_size);
> +        } while (vs->input.offset > 0);
> +        buf = &vs->ws_input;
> +    } else
> +#endif /* CONFIG_VNC_WS */
> +        buf = &vs->input;

QEMU coding style always requires {}, even if the if/else statement body
is only 1 line.

> +
> +    while (vs->read_handler && buf->offset >= vs->read_handler_expect) {
>          size_t len = vs->read_handler_expect;
>          int ret;
>  
> -        ret = vs->read_handler(vs, vs->input.buffer, len);
> +        ret = vs->read_handler(vs, buf->buffer, len);
>          if (vs->csock == -1) {
>              vnc_disconnect_finish(vs);
>              return;
>          }
>  
>          if (!ret) {
> -            memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
> -            vs->input.offset -= len;
> +            buffer_advance(buf, len);
>          } else {
>              vs->read_handler_expect = ret;
>          }
> @@ -1323,13 +1383,26 @@ void vnc_client_read(void *opaque)
>  
>  void vnc_write(VncState *vs, const void *data, size_t len)
>  {
> -    buffer_reserve(&vs->output, len);
> +#ifdef CONFIG_VNC_WS
> +    if (vs->encode_ws) {
> +        if (vs->csock != -1 && buffer_empty(&vs->output)) {
> +            qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read,
> +                    vnc_client_write, vs);
> +        }

Can this be done unconditionally outside the if statement and #ifdef?
Seems to be duplicated below into the else body.

> +        vncws_encode_frame(&vs->output, data, len);
> +    } else {
> +#endif /* CONFIG_VNC_WS */
> +        buffer_reserve(&vs->output, len);
>  
> -    if (vs->csock != -1 && buffer_empty(&vs->output)) {
> -        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
> -    }
> +        if (vs->csock != -1 && buffer_empty(&vs->output)) {
> +            qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read,
> +                    vnc_client_write, vs);
> +        }
>  
> -    buffer_append(&vs->output, data, len);
> +        buffer_append(&vs->output, data, len);
> +#ifdef CONFIG_VNC_WS
> +    }
> +#endif

This #ifdef can be avoided by:
#ifdef CONFIG_VNC_WS
if (...) {
    ...
} else
#endif
{
    ...
}

>  }
>  
>  void vnc_write_s32(VncState *vs, int32_t value)
> @@ -2657,7 +2730,7 @@ static void vnc_remove_timer(VncDisplay *vd)
>      }
>  }
>  
> -static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
> +static void vnc_connect(VncDisplay *vd, int csock, int skipauth, int websocket)

bool websocket

>  {
>      VncState *vs = g_malloc0(sizeof(VncState));
>      int i;
> @@ -2684,13 +2757,33 @@ static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
>      VNC_DEBUG("New client on socket %d\n", csock);
>      dcl->idle = 0;
>      socket_set_nonblock(vs->csock);
> -    qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
> +#ifdef CONFIG_VNC_WS
> +    if (websocket) {
> +        vs->websocket = 1;
> +        qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
> +    } else
> +#endif
> +    {
> +        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
> +    }
>  
>      vnc_client_cache_addr(vs);
>      vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
>      vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
>  
>      vs->vd = vd;
> +
> +#ifdef CONFIG_VNC_WS
> +    if (!vs->websocket) {
> +        vnc_init_state(vs);
> +    }
> +}
> +
> +void vnc_init_state(VncState *vs)
> +{
> +    VncDisplay *vd = vs->vd;
> +#endif /* CONFIG_VNC_WS */

Using an #ifdef to split a function at compile time is too ugly IMO.

I suggest splitting the function, always have vnc_init_state().

> +
>      vs->ds = vd->ds;
>      vs->last_x = -1;
>      vs->last_y = -1;
> @@ -2722,21 +2815,41 @@ static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
>      /* vs might be free()ed here */
>  }
>  
> -static void vnc_listen_read(void *opaque)
> +static void vnc_listen_read(void *opaque, int websocket)

s/int/bool/

>  {
>      VncDisplay *vs = opaque;
>      struct sockaddr_in addr;
>      socklen_t addrlen = sizeof(addr);
> +    int csock;
>  
>      /* Catch-up */
>      vga_hw_update();
> +#ifdef CONFIG_VNC_WS
> +    if (websocket) {
> +        csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
> +    } else
> +#endif
> +    {
> +        csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
> +    }
>  
> -    int csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
>      if (csock != -1) {
> -        vnc_connect(vs, csock, 0);
> +        vnc_connect(vs, csock, 0, websocket);
>      }
>  }
>  
> +static void vnc_listen_regular_read(void *opaque)
> +{
> +    vnc_listen_read(opaque, 0);
> +}
> +
> +#ifdef CONFIG_VNC_WS
> +static void vnc_listen_websocket_read(void *opaque)
> +{
> +    vnc_listen_read(opaque, 1);
> +}
> +#endif
> +
>  void vnc_display_init(DisplayState *ds)
>  {
>      VncDisplay *vs = g_malloc0(sizeof(*vs));
> @@ -2748,6 +2861,9 @@ void vnc_display_init(DisplayState *ds)
>      vnc_display = vs;
>  
>      vs->lsock = -1;
> +#ifdef CONFIG_VNC_WS
> +    vs->lwebsock = -1;
> +#endif
>  
>      vs->ds = ds;
>      QTAILQ_INIT(&vs->clients);
> @@ -2789,6 +2905,17 @@ static void vnc_display_close(DisplayState *ds)
>          close(vs->lsock);
>          vs->lsock = -1;
>      }
> +#ifdef CONFIG_VNC_WS
> +    if (vs->ws_display) {
> +        g_free(vs->ws_display);
> +        vs->ws_display = NULL;
> +    }

NULL test not necessary since g_free(NULL) is a nop.

> +    if (vs->lwebsock != -1) {
> +        qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
> +        close(vs->lwebsock);
> +        vs->lwebsock = -1;
> +    }
> +#endif
>      vs->auth = VNC_AUTH_INVALID;
>  #ifdef CONFIG_VNC_TLS
>      vs->subauth = VNC_AUTH_INVALID;
> @@ -2910,6 +3037,36 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
>          } else if (strncmp(options, "sasl", 4) == 0) {
>              sasl = 1; /* Require SASL auth */
>  #endif
> +#ifdef CONFIG_VNC_WS
> +        } else if (strncmp(options, "websocket", 9) == 0) {
> +            char *start, *end;
> +            vs->websocket = 1;
> +
> +            /* Check for 'websocket=<port> */

s/'websocket=<port>/'websocket=<port>'/

> +            start = strchr(options, '=');
> +            end = strchr(options, ',');
> +            if (start && (!end || (start < end))) {
> +                int len = end ? end-(start+1) : strlen(start+1);
> +                if (len < 6) {
> +                    /* extract the host specification from display */
> +                    char  *host = NULL, *port = NULL, *host_end = NULL;
> +                    port = g_strndup(start + 1, len);
> +
> +                    /* ipv6 host have colons */
> +                    end = strchr(display, ',');
> +                    host_end = g_strrstr_len(display, end - display, ":");
> +
> +                    if (host_end) {
> +                        host = g_strndup(display, host_end - display + 1);
> +                    } else {
> +                        host = g_strndup(":", 1);
> +                    }
> +                    vs->ws_display = g_strconcat(host, port, NULL);
> +                    g_free(host);
> +                    g_free(port);
> +                }
> +            }
> +#endif
>  #ifdef CONFIG_VNC_TLS
>          } else if (strncmp(options, "tls", 3) == 0) {
>              tls = 1; /* Require TLS */
> @@ -3068,6 +3225,9 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
>          /* connect to viewer */
>          int csock;
>          vs->lsock = -1;
> +#ifdef CONFIG_VNC_WS
> +        vs->lwebsock = -1;
> +#endif
>          if (strncmp(display, "unix:", 5) == 0) {
>              csock = unix_connect(display+5, errp);
>          } else {
> @@ -3076,7 +3236,7 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
>          if (csock < 0) {
>              goto fail;
>          }
> -        vnc_connect(vs, csock, 0);
> +        vnc_connect(vs, csock, 0, 0);
>      } else {
>          /* listen for connects */
>          char *dpy;
> @@ -3087,25 +3247,51 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
>          } else {
>              vs->lsock = inet_listen(display, dpy, 256,
>                                      SOCK_STREAM, 5900, errp);
> +#ifdef CONFIG_VNC_WS
> +            if (vs->websocket) {
> +                if (vs->ws_display) {
> +                    vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
> +                        SOCK_STREAM, 0, errp);
> +                } else {
> +                    vs->lwebsock = inet_listen(vs->display, NULL, 256,
> +                        SOCK_STREAM, 5700, errp);
> +                }
> +            }
> +#endif
>          }
> -        if (vs->lsock < 0) {
> +        if (vs->lsock < 0
> +#ifdef CONFIG_VNC_WS
> +                || (vs->websocket && vs->lwebsock < 0)
> +#endif
> +                ) {
>              g_free(dpy);
>              goto fail;

Will this leak the lsock file descriptor when both a regular VNC port
and a websocket port are given but inet_listen() fails on just the
websocket?

>          }
>          g_free(vs->display);
>          vs->display = dpy;
> -        qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
> +        qemu_set_fd_handler2(vs->lsock, NULL,
> +                vnc_listen_regular_read, NULL, vs);
> +#ifdef CONFIG_VNC_WS
> +        if (vs->websocket) {
> +            qemu_set_fd_handler2(vs->lwebsock, NULL,
> +                    vnc_listen_websocket_read, NULL, vs);
> +        }
> +#endif
>      }
>      return;
>  
>  fail:
>      g_free(vs->display);
>      vs->display = NULL;
> +#ifdef CONFIG_VNC_WS
> +    g_free(vs->ws_display);
> +    vs->ws_display = NULL;
> +#endif
>  }
>  
>  void vnc_display_add_client(DisplayState *ds, int csock, int skipauth)
>  {
>      VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
>  
> -    vnc_connect(vs, csock, skipauth);
> +    vnc_connect(vs, csock, skipauth, 0);
>  }
> diff --git a/ui/vnc.h b/ui/vnc.h
> index 6141e88..2c6bfe7 100644
> --- a/ui/vnc.h
> +++ b/ui/vnc.h
> @@ -99,6 +99,9 @@ typedef struct VncDisplay VncDisplay;
>  #ifdef CONFIG_VNC_SASL
>  #include "vnc-auth-sasl.h"
>  #endif
> +#ifdef CONFIG_VNC_WS
> +#include "vnc-ws.h"
> +#endif
>  
>  struct VncRectStat
>  {
> @@ -142,6 +145,11 @@ struct VncDisplay
>      QEMUTimer *timer;
>      int timer_interval;
>      int lsock;
> +#ifdef CONFIG_VNC_WS
> +    int lwebsock;
> +    int websocket;

Please use bool.

> +    char *ws_display;
> +#endif
>      DisplayState *ds;
>      kbd_layout_t *kbd_layout;
>      int lock_key_sync;
> @@ -269,11 +277,18 @@ struct VncState
>  #ifdef CONFIG_VNC_SASL
>      VncStateSASL sasl;
>  #endif
> +#ifdef CONFIG_VNC_WS
> +    int encode_ws;

Please use bool.

> +    int websocket;

Please use bool.
Tim Hardeck - Dec. 5, 2012, 8:39 a.m.
Hi Stefan,

On 12/03/2012 05:22 PM, Stefan Hajnoczi wrote:
> Thanks for the patch, Tim.  Some general code review comments below.
Thanks for the code review. I am going to incorporate them in my new patch.

> I hope someone has time to review the VNC and WebSocket specific stuff. 
> I didn't check the details of buffers, whether the WebSocket spec is
> correctly implemented, etc.
I have mainly tested my websockets implementation with the guest OS
openSUSE 12.2 which worked fine during all my tests on several browsers.
I recently found out though that when I run Firefox in openSUSE 12.1,
noVNC complains about an unsupported VNC encoding and QEMU crashes. I
have attached the back trace at the end of this mail.

This issue could be fixed by not encoding Websocket frames directly in
vnc_write but in vnc_client_write_locked. This should also decrease the
overhead through websocket frame headers.
Nevertheless it looks like QEMU did crash because of the sudden
disconnect which shouldn't happen.

I have created a vnc_client_write_ws function which is used instead of
vnc_client_write_plain. I have also moved the decoding part to
vnc_client_read_ws to keep consistency?
Is this Ok or should I add the websocket en/decoding to the existing vnc
plain functions?

Regards
Tim



#0  0x00007ffff3f92d25 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = 24308
        selftid = 24312
#1  0x00007ffff3f941a8 in __GI_abort () at abort.c:91
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x5555559153c0
<__func__.4908>, sa_sigaction =
    0x5555559153c0 <__func__.4908>}, sa_mask = {__val =
{140737287809753, 0, 18374686479671623680,
    0, 140737286898450, 131072, 93825010082032, 2064448, 93825010157472,
1989008, 22,
    140737218422160, 1, 140737488346032, 0, 140737218426624}}, sa_flags
= -201457138, sa_restorer =
    0x6d940}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000055555577b5c2 in error_exit (err=22, msg=0x5555559153c0
<__func__.4908> "qemu_mutex_lock")
    at qemu-thread-posix.c:28
No locals.
#3  0x000055555577b6e1 in qemu_mutex_lock (mutex=0x555556666328) at
qemu-thread-posix.c:59
        err = 22
        __func__ = "qemu_mutex_lock"
#4  0x00005555557bb075 in vnc_lock_output (vs=0x55555665a100) at
ui/vnc-jobs.h:63
No locals.
#5  0x00005555557bb5eb in vnc_jobs_consume_buffer (vs=0x55555665a100) at
ui/vnc-jobs.c:166
        flush = false
#6  0x00005555557bb5ae in vnc_jobs_join (vs=0x55555665a100) at
ui/vnc-jobs.c:159
No locals.
#7  0x00005555557bf9d9 in vnc_update_client_sync (vs=0x55555665a100,
has_dirty=1) at ui/vnc.c:876
        ret = 0
---Type <return> to continue, or q <return> to quit---
#8  0x00005555557bf308 in vnc_dpy_copy (ds=0x555556583240, src_x=99,
src_y=143, dst_x=99, dst_y=
    146, w=8, h=1) at ui/vnc.c:752
        vd = 0x7fffeea48010
        vs = 0x55555665a100
        vn = 0x0
        src_row = 0x1800000000 <Address 0x1800000000 out of bounds>
        dst_row = 0xc0000000c00 <Address 0xc0000000c00 out of bounds>
        i = 768
        x = -1
        y = 24
        pitch = 1024
        inc = 0
        w_lim = 0
        s = 8
        cmp_bytes = 2359296
#9  0x0000555555623e78 in dpy_gfx_copy (s=0x555556583240, src_x=99,
src_y=143, dst_x=99, dst_y=146,
    w=8, h=1) at console.h:275
        dcl = 0x5555565f38e0
#10 0x00005555556281f4 in qemu_console_copy (ds=0x555556583240,
src_x=99, src_y=143, dst_x=99,
    dst_y=146, w=8, h=1) at console.c:1598
No locals.
#11 0x000055555566a79a in cirrus_do_copy (s=0x5555565afc08, dst=448832,
src=439616, w=8, h=1)
    at hw/cirrus_vga.c:732
        sx = 99
        sy = 143
        dx = 99
---Type <return> to continue, or q <return> to quit---
        dy = 146
        depth = 3
        notify = 1
#12 0x000055555566a8f7 in cirrus_bitblt_videotovideo_copy
(s=0x5555565afc08) at hw/cirrus_vga.c:750
No locals.
#13 0x000055555566ae8b in cirrus_bitblt_videotovideo (s=0x5555565afc08)
at hw/cirrus_vga.c:872
        ret = 1
#14 0x000055555566b61c in cirrus_bitblt_start (s=0x5555565afc08) at
hw/cirrus_vga.c:1013
        blt_rop = 13 '\r'
#15 0x000055555566b6c8 in cirrus_write_bitblt (s=0x5555565afc08,
reg_value=2)
    at hw/cirrus_vga.c:1034
        old_value = 0
#16 0x000055555566c589 in cirrus_vga_write_gr (s=0x5555565afc08,
reg_index=49, reg_value=2)
    at hw/cirrus_vga.c:1529
No locals.
#17 0x000055555566cebb in cirrus_mmio_blt_write (s=0x5555565afc08,
address=64, value=2 '\002')
    at hw/cirrus_vga.c:1883
No locals.
#18 0x000055555566ed4c in cirrus_mmio_write (opaque=0x5555565afc08,
addr=320, val=2, size=1)
    at hw/cirrus_vga.c:2659
        s = 0x5555565afc08
#19 0x000055555584b7ca in memory_region_write_accessor
(opaque=0x5555565c0538, addr=320, value=
    0x7fffefe92a98, size=1, shift=0, mask=255) at
/suse/thardeck/Development/qemu/memory.c:334
        mr = 0x5555565c0538
        tmp = 2
#20 0x000055555584b8ac in access_with_adjusted_size (addr=320,
value=0x7fffefe92a98, size=4,
---Type <return> to continue, or q <return> to quit---
    access_size_min=1, access_size_max=1, access=0x55555584b745
<memory_region_write_accessor>,
    opaque=0x5555565c0538) at /suse/thardeck/Development/qemu/memory.c:364
        access_mask = 255
        access_size = 1
        i = 0
#21 0x000055555584e51a in memory_region_dispatch_write
(mr=0x5555565c0538, addr=320, data=
    4294967042, size=4) at /suse/thardeck/Development/qemu/memory.c:916
No locals.
#22 0x000055555585154a in io_mem_write (mr=0x5555565c0538, addr=320,
val=4294967042, size=4)
    at /suse/thardeck/Development/qemu/memory.c:1581
No locals.
#23 0x00005555557ea58f in address_space_rw (as=0x5555564ec440
<address_space_memory>, addr=
    4273930560, buf=0x7ffff7ff2028 "\002\377\377\377", len=4, is_write=true)
    at /suse/thardeck/Development/qemu/exec.c:3397
        addr1 = 320
        d = 0x555556561860
        l = 4
        ptr = 0x555555808a39 <cpu_set_apic_base+128> "H\213E\370dH3\004%("
        val = 4294967042
        page = 4273930240
        section = 0x55555664f1a0
#24 0x00005555557ea953 in cpu_physical_memory_rw (addr=4273930560, buf=
    0x7ffff7ff2028 "\002\377\377\377", len=4, is_write=1)
    at /suse/thardeck/Development/qemu/exec.c:3479
No locals.
#25 0x000055555584886e in kvm_cpu_exec (env=0x555556569300)
---Type <return> to continue, or q <return> to quit---
    at /suse/thardeck/Development/qemu/kvm-all.c:1580
        run = 0x7ffff7ff2000
        ret = 0
        run_ret = 0
#26 0x00005555557dc6a0 in qemu_kvm_cpu_thread_fn (arg=0x555556569300)
    at /suse/thardeck/Development/qemu/cpus.c:757
        env = 0x555556569300
        cpu = 0x5555565692a0
        r = 65536
#27 0x00007ffff4fdce0e in start_thread (arg=0x7fffefe93700) at
pthread_create.c:305
        __res = <optimized out>
        pd = 0x7fffefe93700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737218426624,
-6613775898926182534, 1,
    140737488346032, 0, 140737218426624, 6613810991376830330,
6613760524492017530},
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0,
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#28 0x00007ffff40422bd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:115
No locals.

Patch

diff --git a/configure b/configure
index 780b19a..c384138 100755
--- a/configure
+++ b/configure
@@ -158,6 +158,7 @@  vnc_tls=""
 vnc_sasl=""
 vnc_jpeg=""
 vnc_png=""
+vnc_ws=""
 xen=""
 xen_ctrl_version=""
 xen_pci_passthrough=""
@@ -703,6 +704,10 @@  for opt do
   ;;
   --enable-vnc-png) vnc_png="yes"
   ;;
+  --disable-vnc-ws) vnc_ws="no"
+  ;;
+  --enable-vnc-ws) vnc_ws="yes"
+  ;;
   --disable-slirp) slirp="no"
   ;;
   --disable-uuid) uuid="no"
@@ -1048,6 +1053,8 @@  echo "  --disable-vnc-jpeg       disable JPEG lossy compression for VNC server"
 echo "  --enable-vnc-jpeg        enable JPEG lossy compression for VNC server"
 echo "  --disable-vnc-png        disable PNG compression for VNC server (default)"
 echo "  --enable-vnc-png         enable PNG compression for VNC server"
+echo "  --disable-vnc-ws         disable Websockets support for VNC server"
+echo "  --enable-vnc-ws          enable Websockets support for VNC server"
 echo "  --disable-curses         disable curses output"
 echo "  --enable-curses          enable curses output"
 echo "  --disable-curl           disable curl connectivity"
@@ -1772,6 +1779,26 @@  EOF
 fi
 
 ##########################################
+# VNC WS detection
+if test "$vnc" = "yes" -a "$vnc_ws" != "no" ; then
+  cat > $TMPC <<EOF
+#include <gnutls/gnutls.h>
+int main(void) { gnutls_session_t s; gnutls_init(&s, GNUTLS_SERVER); return 0; }
+EOF
+  vnc_ws_cflags=`$pkg_config --cflags gnutls 2> /dev/null`
+  vnc_ws_libs=`$pkg_config --libs gnutls 2> /dev/null`
+  if compile_prog "$vnc_ws_cflags" "$vnc_ws_libs" ; then
+    vnc_ws=yes
+    libs_softmmu="$vnc_ws_libs $libs_softmmu"
+  else
+    if test "$vnc_ws" = "yes" ; then
+      feature_not_found "vnc-ws"
+    fi
+    vnc_ws=no
+  fi
+fi
+
+##########################################
 # fnmatch() probe, used for ACL routines
 fnmatch="no"
 cat > $TMPC << EOF
@@ -3194,6 +3221,7 @@  if test "$vnc" = "yes" ; then
     echo "VNC SASL support  $vnc_sasl"
     echo "VNC JPEG support  $vnc_jpeg"
     echo "VNC PNG support   $vnc_png"
+    echo "VNC WS support    $vnc_ws"
 fi
 if test -n "$sparc_cpu"; then
     echo "Target Sparc Arch $sparc_cpu"
@@ -3370,6 +3398,10 @@  if test "$vnc_png" = "yes" ; then
   echo "CONFIG_VNC_PNG=y" >> $config_host_mak
   echo "VNC_PNG_CFLAGS=$vnc_png_cflags" >> $config_host_mak
 fi
+if test "$vnc_ws" = "yes" ; then
+  echo "CONFIG_VNC_WS=y" >> $config_host_mak
+  echo "VNC_WS_CFLAGS=$vnc_ws_cflags" >> $config_host_mak
+fi
 if test "$fnmatch" = "yes" ; then
   echo "CONFIG_FNMATCH=y" >> $config_host_mak
 fi
diff --git a/qemu-options.hx b/qemu-options.hx
index 9bb29d3..647071e 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1096,6 +1096,14 @@  client is specified by the @var{display}. For reverse network
 connections (@var{host}:@var{d},@code{reverse}), the @var{d} argument
 is a TCP port number, not a display number.
 
+@item websocket
+
+Opens an additional TCP listening port dedicated to VNC Websocket connections.
+By defintion the Websocket port is 5700+@var{display}. If @var{host} is
+specified connections will only be allowed from this host.
+As an alternative the Websocket port could be specified by using
+@code{websocket}=@var{port}.
+
 @item password
 
 Require that password based authentication is used for client connections.
diff --git a/ui/Makefile.objs b/ui/Makefile.objs
index adc07be..58e191b 100644
--- a/ui/Makefile.objs
+++ b/ui/Makefile.objs
@@ -4,6 +4,7 @@  vnc-obj-y += vnc-enc-tight.o vnc-palette.o
 vnc-obj-y += vnc-enc-zrle.o
 vnc-obj-$(CONFIG_VNC_TLS) += vnc-tls.o vnc-auth-vencrypt.o
 vnc-obj-$(CONFIG_VNC_SASL) += vnc-auth-sasl.o
+vnc-obj-$(CONFIG_VNC_WS) += vnc-ws.o
 vnc-obj-y += vnc-jobs.o
 
 common-obj-y += keymaps.o
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
new file mode 100644
index 0000000..94435d2
--- /dev/null
+++ b/ui/vnc-ws.c
@@ -0,0 +1,206 @@ 
+/*
+ * QEMU VNC display driver: Websockets support
+ *
+ * Copyright (C) 2010 Joel Martin
+ * Copyright (C) 2012 Tim Hardeck
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+ * USA.
+ */
+
+#include "vnc.h"
+
+char *vncws_extract_handshake_entry(const char *handshake,
+    size_t handshake_len, const char *name)
+{
+    char *begin, *end;
+    begin = g_strstr_len(handshake, handshake_len, name);
+    if (begin != NULL) {
+        begin += strlen(name);
+        end = g_strstr_len(begin, handshake_len - (begin - handshake),
+            WS_HANDSHAKE_DELIM);
+        if (end != NULL) {
+            return g_strndup(begin, end - begin);
+        }
+    }
+    return NULL;
+}
+
+void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size)
+{
+    char *protocols = vncws_extract_handshake_entry((const char *)line, size,
+            "Sec-WebSocket-Protocol: ");
+    char *version = vncws_extract_handshake_entry((const char *)line, size,
+            "Sec-WebSocket-Version: ");
+    char *key = vncws_extract_handshake_entry((const char *)line, size,
+            "Sec-WebSocket-Key: ");
+
+    if (protocols && version && key
+         && g_strrstr(protocols, "binary") != NULL
+         && strcmp(version, WS_SUPPORTED_VERSION) == 0
+         && strlen(key) == WS_CLIENT_KEY_LEN) {
+            vncws_send_handshake_response(vs, key);
+    } else {
+        VNC_DEBUG("Defective Websockets header or unsupported protocol\n");
+        vnc_client_error(vs);
+    }
+
+    g_free(protocols);
+    g_free(version);
+    g_free(key);
+}
+
+void vncws_send_handshake_response(VncState *vs, const char* key)
+{
+    char combined_key[WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1];
+    char response[WS_HANDSHAKE_MAX_LEN];
+    char hash[SHA1_DIGEST_LEN + 1];
+    char *accept = NULL;
+    size_t hash_size = SHA1_DIGEST_LEN, response_size = 0;
+    gnutls_datum_t in;
+
+    /* create combined key */
+    pstrcpy(combined_key, WS_CLIENT_KEY_LEN + 1, key);
+    pstrcat(combined_key, WS_CLIENT_KEY_LEN + WS_GUID_LEN + 1, WS_GUID);
+
+    /* hash and encode it */
+    in.data = (void *)combined_key;
+    in.size = WS_CLIENT_KEY_LEN + WS_GUID_LEN;
+    if (gnutls_fingerprint(GNUTLS_DIG_SHA1, &in, hash, &hash_size)
+            == GNUTLS_E_SUCCESS) {
+        accept = g_base64_encode((guchar *)hash, SHA1_DIGEST_LEN);
+    }
+    if (accept == NULL) {
+        VNC_DEBUG("Hashing Websocket combined key failed\n");
+        vnc_client_error(vs);
+        return;
+    }
+
+    /* create handshake response */
+    response_size = snprintf(response, WS_HANDSHAKE_MAX_LEN,
+            WS_HANDSHAKE, accept);
+    g_free(accept);
+
+    vnc_write(vs, response, response_size);
+    vnc_flush(vs);
+
+    vs->encode_ws = 1;
+    vnc_init_state(vs);
+}
+
+void vncws_encode_frame(Buffer *output, const void *payload,
+        const size_t payload_size)
+{
+    size_t header_size = 0;
+    unsigned char opcode = WS_OPCODE_BINARY_FRAME;
+    char header_buf[WS_HEAD_MAX_LEN];
+    ws_header_t *header = (ws_header_t *)header_buf;
+
+    if (!payload_size) {
+        return;
+    }
+
+    header->b0 = 0x80 | (opcode & 0x0f);
+    if (payload_size <= 125) {
+        header->b1 = (uint8_t)payload_size;
+        header_size = 2;
+    } else if (payload_size < 65536) {
+        header->b1 = 0x7e;
+        header->u.s16.l16 = WS_HTON16((uint16_t)payload_size);
+        header_size = 4;
+    } else {
+        header->b1 = 0x7f;
+        header->u.s64.l64 = WS_HTON64(payload_size);
+        header_size = 10;
+    }
+
+    buffer_reserve(output, header_size + payload_size);
+    buffer_append(output, header_buf, header_size);
+    buffer_append(output, payload, payload_size);
+}
+
+int vncws_decode_frame(Buffer *input, uint8_t **payload,
+                           size_t *payload_size, size_t *frame_size)
+{
+    unsigned char opcode = 0, fin = 0, has_mask = 0;
+    size_t header_size = 0;
+    uint32_t *payload32;
+    ws_header_t *header = (ws_header_t *)input->buffer;
+    ws_mask_t mask;
+    int i;
+
+    if (input->offset < WS_HEAD_MIN_LEN + 4) {
+        /* header not complete */
+        return 0;
+    }
+
+    fin = (header->b0 & 0x80) >> 7;
+    opcode = header->b0 & 0x0f;
+    has_mask = (header->b1 & 0x80) >> 7;
+    *payload_size = header->b1 & 0x7f;
+
+    if (opcode == WS_OPCODE_CLOSE) {
+        /* disconnect */
+        return -1;
+    }
+
+    /* Websocket frame sanity check:
+     * * Websocket fragmentation is not supported.
+     * * All  websockets frames sent by a client have to be masked.
+     * * Only binary encoding is supported.
+     */
+    if (!fin || !has_mask || opcode != WS_OPCODE_BINARY_FRAME) {
+        VNC_DEBUG("Received faulty/unsupported Websocket frame\n");
+        return -2;
+    }
+
+    if (*payload_size < 126) {
+        header_size = 6;
+        mask = header->u.m;
+    } else if (*payload_size == 126 && input->offset >= 8) {
+        *payload_size = WS_NTOH16(header->u.s16.l16);
+        header_size = 8;
+        mask = header->u.s16.m16;
+    } else if (*payload_size == 127 && input->offset >= 14) {
+        *payload_size = WS_NTOH64(header->u.s64.l64);
+        header_size = 14;
+        mask = header->u.s64.m64;
+    } else {
+        /* header not complete */
+        return 0;
+    }
+
+    *frame_size = header_size + *payload_size;
+
+    if (input->offset < *frame_size) {
+        /* frame not complete */
+        return 0;
+    }
+
+    *payload = input->buffer + header_size;
+
+    /* unmask frame */
+    /* process 1 frame (32 bit op) */
+    payload32 = (uint32_t *)(*payload);
+    for (i = 0; i < *payload_size / 4; i++) {
+        payload32[i] ^= mask.u;
+    }
+    /* process the remaining bytes (if any) */
+    for (i *= 4; i < *payload_size; i++) {
+        (*payload)[i] ^= mask.c[i % 4];
+    }
+
+    return 1;
+}
diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h
new file mode 100644
index 0000000..0c5e2b5
--- /dev/null
+++ b/ui/vnc-ws.h
@@ -0,0 +1,101 @@ 
+/*
+ * QEMU VNC display driver: Websockets support
+ *
+ * Copyright (C) 2010 Joel Martin
+ * Copyright (C) 2012 Tim Hardeck
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+ * USA.
+ */
+
+#ifndef __QEMU_VNC_WS_H
+#define __QEMU_VNC_WS_H
+
+#ifndef CONFIG_VNC_TLS
+#include <gnutls/gnutls.h>
+#endif
+
+#define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
+#define SHA1_DIGEST_LEN 20
+
+#define WS_ACCEPT_LEN (B64LEN(SHA1_DIGEST_LEN) + 1)
+#define WS_CLIENT_KEY_LEN 24
+#define WS_GUID "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
+#define WS_GUID_LEN strlen(WS_GUID)
+
+#define WS_HANDSHAKE_MAX_LEN 192
+#define WS_HANDSHAKE "HTTP/1.1 101 Switching Protocols\r\n\
+Upgrade: websocket\r\n\
+Connection: Upgrade\r\n\
+Sec-WebSocket-Accept: %s\r\n\
+Sec-WebSocket-Protocol: binary\r\n\
+\r\n"
+#define WS_HANDSHAKE_DELIM "\r\n"
+#define WS_HANDSHAKE_END "\r\n\r\n"
+#define WS_SUPPORTED_VERSION "13"
+
+#define WS_HEAD_MIN_LEN 2
+#define WS_HEAD_MAX_LEN 14  /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */
+
+#define WS_HTON64(n) htobe64(n)
+#define WS_HTON16(n) htobe16(n)
+#define WS_NTOH16(n) htobe16(n)
+#define WS_NTOH64(n) htobe64(n)
+
+typedef union ws_mask_s {
+    char c[4];
+    uint32_t u;
+} ws_mask_t;
+
+/* XXX: The union and the structs do not need to be named.
+ *      We are working around a bug present in GCC < 4.6 which prevented
+ *      it from recognizing anonymous structs and unions.
+ *      See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
+ */
+typedef struct __attribute__ ((__packed__)) ws_header_s {
+    unsigned char b0;
+    unsigned char b1;
+    union {
+        struct __attribute__ ((__packed__)) {
+            uint16_t l16;
+            ws_mask_t m16;
+        } s16;
+        struct __attribute__ ((__packed__)) {
+            uint64_t l64;
+            ws_mask_t m64;
+        } s64;
+        ws_mask_t m;
+    } u;
+} ws_header_t;
+
+enum {
+    WS_OPCODE_CONTINUATION = 0x0,
+    WS_OPCODE_TEXT_FRAME = 0x1,
+    WS_OPCODE_BINARY_FRAME = 0x2,
+    WS_OPCODE_CLOSE = 0x8,
+    WS_OPCODE_PING = 0x9,
+    WS_OPCODE_PONG = 0xA
+};
+
+char *vncws_extract_handshake_entry(const char *header, size_t header_len,
+            const char *name);
+void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
+void vncws_send_handshake_response(VncState *vs, const char* key);
+void vncws_encode_frame(Buffer *output, const void *payload,
+            const size_t payload_size);
+int vncws_decode_frame(Buffer *input, uint8_t **payload,
+                               size_t *payload_size, size_t *frame_size);
+
+#endif /* __QEMU_VNC_WS_H */
diff --git a/ui/vnc.c b/ui/vnc.c
index 61f120e..676ac0d 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -510,6 +510,13 @@  void buffer_append(Buffer *buffer, const void *data, size_t len)
     buffer->offset += len;
 }
 
+void buffer_advance(Buffer *buf, size_t len)
+{
+    memmove(buf->buffer, buf->buffer + len,
+            (buf->offset - len));
+    buf->offset -= len;
+}
+
 static void vnc_desktop_resize(VncState *vs)
 {
     DisplayState *ds = vs->ds;
@@ -1027,6 +1034,9 @@  static void vnc_disconnect_finish(VncState *vs)
 
     buffer_free(&vs->input);
     buffer_free(&vs->output);
+#ifdef CONFIG_VNC_WS
+    buffer_free(&vs->ws_input);
+#endif
 
     qobject_decref(vs->info);
 
@@ -1166,8 +1176,7 @@  static long vnc_client_write_plain(VncState *vs)
     if (!ret)
         return 0;
 
-    memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
-    vs->output.offset -= ret;
+    buffer_advance(&vs->output, ret);
 
     if (vs->output.offset == 0) {
         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
@@ -1280,6 +1289,26 @@  static void vnc_jobs_bh(void *opaque)
     vnc_jobs_consume_buffer(vs);
 }
 
+#ifdef CONFIG_VNC_WS
+void vncws_handshake_read(void *opaque)
+{
+    VncState *vs = opaque;
+    long ret = vnc_client_read_plain(vs);
+    if (!ret) {
+        if (vs->csock == -1) {
+            vnc_disconnect_finish(vs);
+        }
+        return;
+    }
+
+    if (vs->input.offset > 0) {
+        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+        vncws_process_handshake(vs, vs->input.buffer, vs->input.offset);
+        buffer_reset(&vs->input);
+    }
+}
+#endif
+
 /*
  * First function called whenever there is more data to be read from
  * the client socket. Will delegate actual work according to whether
@@ -1289,6 +1318,7 @@  void vnc_client_read(void *opaque)
 {
     VncState *vs = opaque;
     long ret;
+    Buffer *buf;
 
 #ifdef CONFIG_VNC_SASL
     if (vs->sasl.conn && vs->sasl.runSSF)
@@ -1302,19 +1332,49 @@  void vnc_client_read(void *opaque)
         return;
     }
 
-    while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
+#ifdef CONFIG_VNC_WS
+    if (vs->encode_ws) {
+        uint8_t *payload;
+        size_t payload_size, frame_size;
+
+        /* make sure that nothing is left in the input buffer */
+        do {
+            ret = vncws_decode_frame(&vs->input, &payload,
+                                  &payload_size, &frame_size);
+
+            if (ret == 0) {
+                /* not enough data to process, wait for more */
+                return;
+            } else if (ret == -1) {
+                vnc_disconnect_start(vs);
+                return;
+            } else if (ret == -2) {
+                vnc_client_error(vs);
+                return;
+            }
+
+            buffer_reserve(&vs->ws_input, payload_size);
+            buffer_append(&vs->ws_input, payload, payload_size);
+
+            buffer_advance(&vs->input, frame_size);
+        } while (vs->input.offset > 0);
+        buf = &vs->ws_input;
+    } else
+#endif /* CONFIG_VNC_WS */
+        buf = &vs->input;
+
+    while (vs->read_handler && buf->offset >= vs->read_handler_expect) {
         size_t len = vs->read_handler_expect;
         int ret;
 
-        ret = vs->read_handler(vs, vs->input.buffer, len);
+        ret = vs->read_handler(vs, buf->buffer, len);
         if (vs->csock == -1) {
             vnc_disconnect_finish(vs);
             return;
         }
 
         if (!ret) {
-            memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
-            vs->input.offset -= len;
+            buffer_advance(buf, len);
         } else {
             vs->read_handler_expect = ret;
         }
@@ -1323,13 +1383,26 @@  void vnc_client_read(void *opaque)
 
 void vnc_write(VncState *vs, const void *data, size_t len)
 {
-    buffer_reserve(&vs->output, len);
+#ifdef CONFIG_VNC_WS
+    if (vs->encode_ws) {
+        if (vs->csock != -1 && buffer_empty(&vs->output)) {
+            qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read,
+                    vnc_client_write, vs);
+        }
+        vncws_encode_frame(&vs->output, data, len);
+    } else {
+#endif /* CONFIG_VNC_WS */
+        buffer_reserve(&vs->output, len);
 
-    if (vs->csock != -1 && buffer_empty(&vs->output)) {
-        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
-    }
+        if (vs->csock != -1 && buffer_empty(&vs->output)) {
+            qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read,
+                    vnc_client_write, vs);
+        }
 
-    buffer_append(&vs->output, data, len);
+        buffer_append(&vs->output, data, len);
+#ifdef CONFIG_VNC_WS
+    }
+#endif
 }
 
 void vnc_write_s32(VncState *vs, int32_t value)
@@ -2657,7 +2730,7 @@  static void vnc_remove_timer(VncDisplay *vd)
     }
 }
 
-static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
+static void vnc_connect(VncDisplay *vd, int csock, int skipauth, int websocket)
 {
     VncState *vs = g_malloc0(sizeof(VncState));
     int i;
@@ -2684,13 +2757,33 @@  static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
     VNC_DEBUG("New client on socket %d\n", csock);
     dcl->idle = 0;
     socket_set_nonblock(vs->csock);
-    qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+#ifdef CONFIG_VNC_WS
+    if (websocket) {
+        vs->websocket = 1;
+        qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
+    } else
+#endif
+    {
+        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+    }
 
     vnc_client_cache_addr(vs);
     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
 
     vs->vd = vd;
+
+#ifdef CONFIG_VNC_WS
+    if (!vs->websocket) {
+        vnc_init_state(vs);
+    }
+}
+
+void vnc_init_state(VncState *vs)
+{
+    VncDisplay *vd = vs->vd;
+#endif /* CONFIG_VNC_WS */
+
     vs->ds = vd->ds;
     vs->last_x = -1;
     vs->last_y = -1;
@@ -2722,21 +2815,41 @@  static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
     /* vs might be free()ed here */
 }
 
-static void vnc_listen_read(void *opaque)
+static void vnc_listen_read(void *opaque, int websocket)
 {
     VncDisplay *vs = opaque;
     struct sockaddr_in addr;
     socklen_t addrlen = sizeof(addr);
+    int csock;
 
     /* Catch-up */
     vga_hw_update();
+#ifdef CONFIG_VNC_WS
+    if (websocket) {
+        csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
+    } else
+#endif
+    {
+        csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
+    }
 
-    int csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
     if (csock != -1) {
-        vnc_connect(vs, csock, 0);
+        vnc_connect(vs, csock, 0, websocket);
     }
 }
 
+static void vnc_listen_regular_read(void *opaque)
+{
+    vnc_listen_read(opaque, 0);
+}
+
+#ifdef CONFIG_VNC_WS
+static void vnc_listen_websocket_read(void *opaque)
+{
+    vnc_listen_read(opaque, 1);
+}
+#endif
+
 void vnc_display_init(DisplayState *ds)
 {
     VncDisplay *vs = g_malloc0(sizeof(*vs));
@@ -2748,6 +2861,9 @@  void vnc_display_init(DisplayState *ds)
     vnc_display = vs;
 
     vs->lsock = -1;
+#ifdef CONFIG_VNC_WS
+    vs->lwebsock = -1;
+#endif
 
     vs->ds = ds;
     QTAILQ_INIT(&vs->clients);
@@ -2789,6 +2905,17 @@  static void vnc_display_close(DisplayState *ds)
         close(vs->lsock);
         vs->lsock = -1;
     }
+#ifdef CONFIG_VNC_WS
+    if (vs->ws_display) {
+        g_free(vs->ws_display);
+        vs->ws_display = NULL;
+    }
+    if (vs->lwebsock != -1) {
+        qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
+        close(vs->lwebsock);
+        vs->lwebsock = -1;
+    }
+#endif
     vs->auth = VNC_AUTH_INVALID;
 #ifdef CONFIG_VNC_TLS
     vs->subauth = VNC_AUTH_INVALID;
@@ -2910,6 +3037,36 @@  void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
         } else if (strncmp(options, "sasl", 4) == 0) {
             sasl = 1; /* Require SASL auth */
 #endif
+#ifdef CONFIG_VNC_WS
+        } else if (strncmp(options, "websocket", 9) == 0) {
+            char *start, *end;
+            vs->websocket = 1;
+
+            /* Check for 'websocket=<port> */
+            start = strchr(options, '=');
+            end = strchr(options, ',');
+            if (start && (!end || (start < end))) {
+                int len = end ? end-(start+1) : strlen(start+1);
+                if (len < 6) {
+                    /* extract the host specification from display */
+                    char  *host = NULL, *port = NULL, *host_end = NULL;
+                    port = g_strndup(start + 1, len);
+
+                    /* ipv6 host have colons */
+                    end = strchr(display, ',');
+                    host_end = g_strrstr_len(display, end - display, ":");
+
+                    if (host_end) {
+                        host = g_strndup(display, host_end - display + 1);
+                    } else {
+                        host = g_strndup(":", 1);
+                    }
+                    vs->ws_display = g_strconcat(host, port, NULL);
+                    g_free(host);
+                    g_free(port);
+                }
+            }
+#endif
 #ifdef CONFIG_VNC_TLS
         } else if (strncmp(options, "tls", 3) == 0) {
             tls = 1; /* Require TLS */
@@ -3068,6 +3225,9 @@  void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
         /* connect to viewer */
         int csock;
         vs->lsock = -1;
+#ifdef CONFIG_VNC_WS
+        vs->lwebsock = -1;
+#endif
         if (strncmp(display, "unix:", 5) == 0) {
             csock = unix_connect(display+5, errp);
         } else {
@@ -3076,7 +3236,7 @@  void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
         if (csock < 0) {
             goto fail;
         }
-        vnc_connect(vs, csock, 0);
+        vnc_connect(vs, csock, 0, 0);
     } else {
         /* listen for connects */
         char *dpy;
@@ -3087,25 +3247,51 @@  void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
         } else {
             vs->lsock = inet_listen(display, dpy, 256,
                                     SOCK_STREAM, 5900, errp);
+#ifdef CONFIG_VNC_WS
+            if (vs->websocket) {
+                if (vs->ws_display) {
+                    vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
+                        SOCK_STREAM, 0, errp);
+                } else {
+                    vs->lwebsock = inet_listen(vs->display, NULL, 256,
+                        SOCK_STREAM, 5700, errp);
+                }
+            }
+#endif
         }
-        if (vs->lsock < 0) {
+        if (vs->lsock < 0
+#ifdef CONFIG_VNC_WS
+                || (vs->websocket && vs->lwebsock < 0)
+#endif
+                ) {
             g_free(dpy);
             goto fail;
         }
         g_free(vs->display);
         vs->display = dpy;
-        qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
+        qemu_set_fd_handler2(vs->lsock, NULL,
+                vnc_listen_regular_read, NULL, vs);
+#ifdef CONFIG_VNC_WS
+        if (vs->websocket) {
+            qemu_set_fd_handler2(vs->lwebsock, NULL,
+                    vnc_listen_websocket_read, NULL, vs);
+        }
+#endif
     }
     return;
 
 fail:
     g_free(vs->display);
     vs->display = NULL;
+#ifdef CONFIG_VNC_WS
+    g_free(vs->ws_display);
+    vs->ws_display = NULL;
+#endif
 }
 
 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
 
-    vnc_connect(vs, csock, skipauth);
+    vnc_connect(vs, csock, skipauth, 0);
 }
diff --git a/ui/vnc.h b/ui/vnc.h
index 6141e88..2c6bfe7 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -99,6 +99,9 @@  typedef struct VncDisplay VncDisplay;
 #ifdef CONFIG_VNC_SASL
 #include "vnc-auth-sasl.h"
 #endif
+#ifdef CONFIG_VNC_WS
+#include "vnc-ws.h"
+#endif
 
 struct VncRectStat
 {
@@ -142,6 +145,11 @@  struct VncDisplay
     QEMUTimer *timer;
     int timer_interval;
     int lsock;
+#ifdef CONFIG_VNC_WS
+    int lwebsock;
+    int websocket;
+    char *ws_display;
+#endif
     DisplayState *ds;
     kbd_layout_t *kbd_layout;
     int lock_key_sync;
@@ -269,11 +277,18 @@  struct VncState
 #ifdef CONFIG_VNC_SASL
     VncStateSASL sasl;
 #endif
+#ifdef CONFIG_VNC_WS
+    int encode_ws;
+    int websocket;
+#endif
 
     QObject *info;
 
     Buffer output;
     Buffer input;
+#ifdef CONFIG_VNC_WS
+    Buffer ws_input;
+#endif
     /* current output mode information */
     VncWritePixels *write_pixels;
     PixelFormat client_pf;
@@ -505,11 +520,17 @@  int vnc_client_io_error(VncState *vs, int ret, int last_errno);
 void start_client_init(VncState *vs);
 void start_auth_vnc(VncState *vs);
 
+#ifdef CONFIG_VNC_WS
+void vncws_handshake_read(void *opaque);
+void vnc_init_state(VncState *vs);
+#endif
+
 /* Buffer management */
 void buffer_reserve(Buffer *buffer, size_t len);
 void buffer_reset(Buffer *buffer);
 void buffer_free(Buffer *buffer);
 void buffer_append(Buffer *buffer, const void *data, size_t len);
+void buffer_advance(Buffer *buf, size_t len);
 
 
 /* Misc helpers */