xref: /openbmc/qemu/ui/vnc.c (revision 01afdadc)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "sysemu.h"
30 #include "qemu_socket.h"
31 #include "qemu-timer.h"
32 #include "acl.h"
33 #include "qemu-objects.h"
34 #include "qmp-commands.h"
35 #include "osdep.h"
36 
37 #define VNC_REFRESH_INTERVAL_BASE 30
38 #define VNC_REFRESH_INTERVAL_INC  50
39 #define VNC_REFRESH_INTERVAL_MAX  2000
40 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
41 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
42 
43 #include "vnc_keysym.h"
44 #include "d3des.h"
45 
46 static VncDisplay *vnc_display; /* needed for info vnc */
47 static DisplayChangeListener *dcl;
48 
49 static int vnc_cursor_define(VncState *vs);
50 static void vnc_release_modifiers(VncState *vs);
51 
52 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
53 {
54 #ifdef _VNC_DEBUG
55     static const char *mn[] = {
56         [0]                           = "undefined",
57         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
58         [VNC_SHARE_MODE_SHARED]       = "shared",
59         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
60         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
61     };
62     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
63             vs->csock, mn[vs->share_mode], mn[mode]);
64 #endif
65 
66     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
67         vs->vd->num_exclusive--;
68     }
69     vs->share_mode = mode;
70     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
71         vs->vd->num_exclusive++;
72     }
73 }
74 
75 static char *addr_to_string(const char *format,
76                             struct sockaddr_storage *sa,
77                             socklen_t salen) {
78     char *addr;
79     char host[NI_MAXHOST];
80     char serv[NI_MAXSERV];
81     int err;
82     size_t addrlen;
83 
84     if ((err = getnameinfo((struct sockaddr *)sa, salen,
85                            host, sizeof(host),
86                            serv, sizeof(serv),
87                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
88         VNC_DEBUG("Cannot resolve address %d: %s\n",
89                   err, gai_strerror(err));
90         return NULL;
91     }
92 
93     /* Enough for the existing format + the 2 vars we're
94      * substituting in. */
95     addrlen = strlen(format) + strlen(host) + strlen(serv);
96     addr = g_malloc(addrlen + 1);
97     snprintf(addr, addrlen, format, host, serv);
98     addr[addrlen] = '\0';
99 
100     return addr;
101 }
102 
103 
104 char *vnc_socket_local_addr(const char *format, int fd) {
105     struct sockaddr_storage sa;
106     socklen_t salen;
107 
108     salen = sizeof(sa);
109     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
110         return NULL;
111 
112     return addr_to_string(format, &sa, salen);
113 }
114 
115 char *vnc_socket_remote_addr(const char *format, int fd) {
116     struct sockaddr_storage sa;
117     socklen_t salen;
118 
119     salen = sizeof(sa);
120     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
121         return NULL;
122 
123     return addr_to_string(format, &sa, salen);
124 }
125 
126 static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,
127                           socklen_t salen)
128 {
129     char host[NI_MAXHOST];
130     char serv[NI_MAXSERV];
131     int err;
132 
133     if ((err = getnameinfo((struct sockaddr *)sa, salen,
134                            host, sizeof(host),
135                            serv, sizeof(serv),
136                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
137         VNC_DEBUG("Cannot resolve address %d: %s\n",
138                   err, gai_strerror(err));
139         return -1;
140     }
141 
142     qdict_put(qdict, "host", qstring_from_str(host));
143     qdict_put(qdict, "service", qstring_from_str(serv));
144     qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));
145 
146     return 0;
147 }
148 
149 static int vnc_server_addr_put(QDict *qdict, int fd)
150 {
151     struct sockaddr_storage sa;
152     socklen_t salen;
153 
154     salen = sizeof(sa);
155     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
156         return -1;
157     }
158 
159     return put_addr_qdict(qdict, &sa, salen);
160 }
161 
162 static int vnc_qdict_remote_addr(QDict *qdict, int fd)
163 {
164     struct sockaddr_storage sa;
165     socklen_t salen;
166 
167     salen = sizeof(sa);
168     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
169         return -1;
170     }
171 
172     return put_addr_qdict(qdict, &sa, salen);
173 }
174 
175 static const char *vnc_auth_name(VncDisplay *vd) {
176     switch (vd->auth) {
177     case VNC_AUTH_INVALID:
178         return "invalid";
179     case VNC_AUTH_NONE:
180         return "none";
181     case VNC_AUTH_VNC:
182         return "vnc";
183     case VNC_AUTH_RA2:
184         return "ra2";
185     case VNC_AUTH_RA2NE:
186         return "ra2ne";
187     case VNC_AUTH_TIGHT:
188         return "tight";
189     case VNC_AUTH_ULTRA:
190         return "ultra";
191     case VNC_AUTH_TLS:
192         return "tls";
193     case VNC_AUTH_VENCRYPT:
194 #ifdef CONFIG_VNC_TLS
195         switch (vd->subauth) {
196         case VNC_AUTH_VENCRYPT_PLAIN:
197             return "vencrypt+plain";
198         case VNC_AUTH_VENCRYPT_TLSNONE:
199             return "vencrypt+tls+none";
200         case VNC_AUTH_VENCRYPT_TLSVNC:
201             return "vencrypt+tls+vnc";
202         case VNC_AUTH_VENCRYPT_TLSPLAIN:
203             return "vencrypt+tls+plain";
204         case VNC_AUTH_VENCRYPT_X509NONE:
205             return "vencrypt+x509+none";
206         case VNC_AUTH_VENCRYPT_X509VNC:
207             return "vencrypt+x509+vnc";
208         case VNC_AUTH_VENCRYPT_X509PLAIN:
209             return "vencrypt+x509+plain";
210         case VNC_AUTH_VENCRYPT_TLSSASL:
211             return "vencrypt+tls+sasl";
212         case VNC_AUTH_VENCRYPT_X509SASL:
213             return "vencrypt+x509+sasl";
214         default:
215             return "vencrypt";
216         }
217 #else
218         return "vencrypt";
219 #endif
220     case VNC_AUTH_SASL:
221         return "sasl";
222     }
223     return "unknown";
224 }
225 
226 static int vnc_server_info_put(QDict *qdict)
227 {
228     if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {
229         return -1;
230     }
231 
232     qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));
233     return 0;
234 }
235 
236 static void vnc_client_cache_auth(VncState *client)
237 {
238 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
239     QDict *qdict;
240 #endif
241 
242     if (!client->info) {
243         return;
244     }
245 
246 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
247     qdict = qobject_to_qdict(client->info);
248 #endif
249 
250 #ifdef CONFIG_VNC_TLS
251     if (client->tls.session &&
252         client->tls.dname) {
253         qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));
254     }
255 #endif
256 #ifdef CONFIG_VNC_SASL
257     if (client->sasl.conn &&
258         client->sasl.username) {
259         qdict_put(qdict, "sasl_username",
260                   qstring_from_str(client->sasl.username));
261     }
262 #endif
263 }
264 
265 static void vnc_client_cache_addr(VncState *client)
266 {
267     QDict *qdict;
268 
269     qdict = qdict_new();
270     if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {
271         QDECREF(qdict);
272         /* XXX: how to report the error? */
273         return;
274     }
275 
276     client->info = QOBJECT(qdict);
277 }
278 
279 static void vnc_qmp_event(VncState *vs, MonitorEvent event)
280 {
281     QDict *server;
282     QObject *data;
283 
284     if (!vs->info) {
285         return;
286     }
287 
288     server = qdict_new();
289     if (vnc_server_info_put(server) < 0) {
290         QDECREF(server);
291         return;
292     }
293 
294     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
295                               vs->info, QOBJECT(server));
296 
297     monitor_protocol_event(event, data);
298 
299     qobject_incref(vs->info);
300     qobject_decref(data);
301 }
302 
303 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
304 {
305     struct sockaddr_storage sa;
306     socklen_t salen = sizeof(sa);
307     char host[NI_MAXHOST];
308     char serv[NI_MAXSERV];
309     VncClientInfo *info;
310 
311     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
312         return NULL;
313     }
314 
315     if (getnameinfo((struct sockaddr *)&sa, salen,
316                     host, sizeof(host),
317                     serv, sizeof(serv),
318                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
319         return NULL;
320     }
321 
322     info = g_malloc0(sizeof(*info));
323     info->host = g_strdup(host);
324     info->service = g_strdup(serv);
325     info->family = g_strdup(inet_strfamily(sa.ss_family));
326 
327 #ifdef CONFIG_VNC_TLS
328     if (client->tls.session && client->tls.dname) {
329         info->has_x509_dname = true;
330         info->x509_dname = g_strdup(client->tls.dname);
331     }
332 #endif
333 #ifdef CONFIG_VNC_SASL
334     if (client->sasl.conn && client->sasl.username) {
335         info->has_sasl_username = true;
336         info->sasl_username = g_strdup(client->sasl.username);
337     }
338 #endif
339 
340     return info;
341 }
342 
343 VncInfo *qmp_query_vnc(Error **errp)
344 {
345     VncInfo *info = g_malloc0(sizeof(*info));
346 
347     if (vnc_display == NULL || vnc_display->display == NULL) {
348         info->enabled = false;
349     } else {
350         VncClientInfoList *cur_item = NULL;
351         struct sockaddr_storage sa;
352         socklen_t salen = sizeof(sa);
353         char host[NI_MAXHOST];
354         char serv[NI_MAXSERV];
355         VncState *client;
356 
357         info->enabled = true;
358 
359         /* for compatibility with the original command */
360         info->has_clients = true;
361 
362         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
363             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
364             cinfo->value = qmp_query_vnc_client(client);
365 
366             /* XXX: waiting for the qapi to support GSList */
367             if (!cur_item) {
368                 info->clients = cur_item = cinfo;
369             } else {
370                 cur_item->next = cinfo;
371                 cur_item = cinfo;
372             }
373         }
374 
375         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
376                         &salen) == -1) {
377             error_set(errp, QERR_UNDEFINED_ERROR);
378             goto out_error;
379         }
380 
381         if (getnameinfo((struct sockaddr *)&sa, salen,
382                         host, sizeof(host),
383                         serv, sizeof(serv),
384                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
385             error_set(errp, QERR_UNDEFINED_ERROR);
386             goto out_error;
387         }
388 
389         info->has_host = true;
390         info->host = g_strdup(host);
391 
392         info->has_service = true;
393         info->service = g_strdup(serv);
394 
395         info->has_family = true;
396         info->family = g_strdup(inet_strfamily(sa.ss_family));
397 
398         info->has_auth = true;
399         info->auth = g_strdup(vnc_auth_name(vnc_display));
400     }
401 
402     return info;
403 
404 out_error:
405     qapi_free_VncInfo(info);
406     return NULL;
407 }
408 
409 /* TODO
410    1) Get the queue working for IO.
411    2) there is some weirdness when using the -S option (the screen is grey
412       and not totally invalidated
413    3) resolutions > 1024
414 */
415 
416 static int vnc_update_client(VncState *vs, int has_dirty);
417 static int vnc_update_client_sync(VncState *vs, int has_dirty);
418 static void vnc_disconnect_start(VncState *vs);
419 static void vnc_disconnect_finish(VncState *vs);
420 static void vnc_init_timer(VncDisplay *vd);
421 static void vnc_remove_timer(VncDisplay *vd);
422 
423 static void vnc_colordepth(VncState *vs);
424 static void framebuffer_update_request(VncState *vs, int incremental,
425                                        int x_position, int y_position,
426                                        int w, int h);
427 static void vnc_refresh(void *opaque);
428 static int vnc_refresh_server_surface(VncDisplay *vd);
429 
430 static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
431 {
432     int i;
433     VncDisplay *vd = ds->opaque;
434     struct VncSurface *s = &vd->guest;
435 
436     h += y;
437 
438     /* round x down to ensure the loop only spans one 16-pixel block per,
439        iteration.  otherwise, if (x % 16) != 0, the last iteration may span
440        two 16-pixel blocks but we only mark the first as dirty
441     */
442     w += (x % 16);
443     x -= (x % 16);
444 
445     x = MIN(x, s->ds->width);
446     y = MIN(y, s->ds->height);
447     w = MIN(x + w, s->ds->width) - x;
448     h = MIN(h, s->ds->height);
449 
450     for (; y < h; y++)
451         for (i = 0; i < w; i += 16)
452             set_bit((x + i) / 16, s->dirty[y]);
453 }
454 
455 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
456                             int32_t encoding)
457 {
458     vnc_write_u16(vs, x);
459     vnc_write_u16(vs, y);
460     vnc_write_u16(vs, w);
461     vnc_write_u16(vs, h);
462 
463     vnc_write_s32(vs, encoding);
464 }
465 
466 void buffer_reserve(Buffer *buffer, size_t len)
467 {
468     if ((buffer->capacity - buffer->offset) < len) {
469         buffer->capacity += (len + 1024);
470         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
471         if (buffer->buffer == NULL) {
472             fprintf(stderr, "vnc: out of memory\n");
473             exit(1);
474         }
475     }
476 }
477 
478 int buffer_empty(Buffer *buffer)
479 {
480     return buffer->offset == 0;
481 }
482 
483 uint8_t *buffer_end(Buffer *buffer)
484 {
485     return buffer->buffer + buffer->offset;
486 }
487 
488 void buffer_reset(Buffer *buffer)
489 {
490         buffer->offset = 0;
491 }
492 
493 void buffer_free(Buffer *buffer)
494 {
495     g_free(buffer->buffer);
496     buffer->offset = 0;
497     buffer->capacity = 0;
498     buffer->buffer = NULL;
499 }
500 
501 void buffer_append(Buffer *buffer, const void *data, size_t len)
502 {
503     memcpy(buffer->buffer + buffer->offset, data, len);
504     buffer->offset += len;
505 }
506 
507 static void vnc_desktop_resize(VncState *vs)
508 {
509     DisplayState *ds = vs->ds;
510 
511     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
512         return;
513     }
514     if (vs->client_width == ds_get_width(ds) &&
515         vs->client_height == ds_get_height(ds)) {
516         return;
517     }
518     vs->client_width = ds_get_width(ds);
519     vs->client_height = ds_get_height(ds);
520     vnc_lock_output(vs);
521     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
522     vnc_write_u8(vs, 0);
523     vnc_write_u16(vs, 1); /* number of rects */
524     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
525                            VNC_ENCODING_DESKTOPRESIZE);
526     vnc_unlock_output(vs);
527     vnc_flush(vs);
528 }
529 
530 static void vnc_abort_display_jobs(VncDisplay *vd)
531 {
532     VncState *vs;
533 
534     QTAILQ_FOREACH(vs, &vd->clients, next) {
535         vnc_lock_output(vs);
536         vs->abort = true;
537         vnc_unlock_output(vs);
538     }
539     QTAILQ_FOREACH(vs, &vd->clients, next) {
540         vnc_jobs_join(vs);
541     }
542     QTAILQ_FOREACH(vs, &vd->clients, next) {
543         vnc_lock_output(vs);
544         vs->abort = false;
545         vnc_unlock_output(vs);
546     }
547 }
548 
549 static void vnc_dpy_resize(DisplayState *ds)
550 {
551     VncDisplay *vd = ds->opaque;
552     VncState *vs;
553 
554     vnc_abort_display_jobs(vd);
555 
556     /* server surface */
557     if (!vd->server)
558         vd->server = g_malloc0(sizeof(*vd->server));
559     if (vd->server->data)
560         g_free(vd->server->data);
561     *(vd->server) = *(ds->surface);
562     vd->server->data = g_malloc0(vd->server->linesize *
563                                     vd->server->height);
564 
565     /* guest surface */
566     if (!vd->guest.ds)
567         vd->guest.ds = g_malloc0(sizeof(*vd->guest.ds));
568     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
569         console_color_init(ds);
570     *(vd->guest.ds) = *(ds->surface);
571     memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));
572 
573     QTAILQ_FOREACH(vs, &vd->clients, next) {
574         vnc_colordepth(vs);
575         vnc_desktop_resize(vs);
576         if (vs->vd->cursor) {
577             vnc_cursor_define(vs);
578         }
579         memset(vs->dirty, 0xFF, sizeof(vs->dirty));
580     }
581 }
582 
583 /* fastest code */
584 static void vnc_write_pixels_copy(VncState *vs, struct PixelFormat *pf,
585                                   void *pixels, int size)
586 {
587     vnc_write(vs, pixels, size);
588 }
589 
590 /* slowest but generic code. */
591 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
592 {
593     uint8_t r, g, b;
594     VncDisplay *vd = vs->vd;
595 
596     r = ((((v & vd->server->pf.rmask) >> vd->server->pf.rshift) << vs->clientds.pf.rbits) >>
597         vd->server->pf.rbits);
598     g = ((((v & vd->server->pf.gmask) >> vd->server->pf.gshift) << vs->clientds.pf.gbits) >>
599         vd->server->pf.gbits);
600     b = ((((v & vd->server->pf.bmask) >> vd->server->pf.bshift) << vs->clientds.pf.bbits) >>
601         vd->server->pf.bbits);
602     v = (r << vs->clientds.pf.rshift) |
603         (g << vs->clientds.pf.gshift) |
604         (b << vs->clientds.pf.bshift);
605     switch(vs->clientds.pf.bytes_per_pixel) {
606     case 1:
607         buf[0] = v;
608         break;
609     case 2:
610         if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
611             buf[0] = v >> 8;
612             buf[1] = v;
613         } else {
614             buf[1] = v >> 8;
615             buf[0] = v;
616         }
617         break;
618     default:
619     case 4:
620         if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
621             buf[0] = v >> 24;
622             buf[1] = v >> 16;
623             buf[2] = v >> 8;
624             buf[3] = v;
625         } else {
626             buf[3] = v >> 24;
627             buf[2] = v >> 16;
628             buf[1] = v >> 8;
629             buf[0] = v;
630         }
631         break;
632     }
633 }
634 
635 static void vnc_write_pixels_generic(VncState *vs, struct PixelFormat *pf,
636                                      void *pixels1, int size)
637 {
638     uint8_t buf[4];
639 
640     if (pf->bytes_per_pixel == 4) {
641         uint32_t *pixels = pixels1;
642         int n, i;
643         n = size >> 2;
644         for(i = 0; i < n; i++) {
645             vnc_convert_pixel(vs, buf, pixels[i]);
646             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
647         }
648     } else if (pf->bytes_per_pixel == 2) {
649         uint16_t *pixels = pixels1;
650         int n, i;
651         n = size >> 1;
652         for(i = 0; i < n; i++) {
653             vnc_convert_pixel(vs, buf, pixels[i]);
654             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
655         }
656     } else if (pf->bytes_per_pixel == 1) {
657         uint8_t *pixels = pixels1;
658         int n, i;
659         n = size;
660         for(i = 0; i < n; i++) {
661             vnc_convert_pixel(vs, buf, pixels[i]);
662             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
663         }
664     } else {
665         fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");
666     }
667 }
668 
669 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
670 {
671     int i;
672     uint8_t *row;
673     VncDisplay *vd = vs->vd;
674 
675     row = vd->server->data + y * ds_get_linesize(vs->ds) + x * ds_get_bytes_per_pixel(vs->ds);
676     for (i = 0; i < h; i++) {
677         vs->write_pixels(vs, &vd->server->pf, row, w * ds_get_bytes_per_pixel(vs->ds));
678         row += ds_get_linesize(vs->ds);
679     }
680     return 1;
681 }
682 
683 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
684 {
685     int n = 0;
686 
687     switch(vs->vnc_encoding) {
688         case VNC_ENCODING_ZLIB:
689             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
690             break;
691         case VNC_ENCODING_HEXTILE:
692             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
693             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
694             break;
695         case VNC_ENCODING_TIGHT:
696             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
697             break;
698         case VNC_ENCODING_TIGHT_PNG:
699             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
700             break;
701         case VNC_ENCODING_ZRLE:
702             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
703             break;
704         case VNC_ENCODING_ZYWRLE:
705             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
706             break;
707         default:
708             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
709             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
710             break;
711     }
712     return n;
713 }
714 
715 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
716 {
717     /* send bitblit op to the vnc client */
718     vnc_lock_output(vs);
719     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
720     vnc_write_u8(vs, 0);
721     vnc_write_u16(vs, 1); /* number of rects */
722     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
723     vnc_write_u16(vs, src_x);
724     vnc_write_u16(vs, src_y);
725     vnc_unlock_output(vs);
726     vnc_flush(vs);
727 }
728 
729 static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
730 {
731     VncDisplay *vd = ds->opaque;
732     VncState *vs, *vn;
733     uint8_t *src_row;
734     uint8_t *dst_row;
735     int i,x,y,pitch,depth,inc,w_lim,s;
736     int cmp_bytes;
737 
738     vnc_refresh_server_surface(vd);
739     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
740         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
741             vs->force_update = 1;
742             vnc_update_client_sync(vs, 1);
743             /* vs might be free()ed here */
744         }
745     }
746 
747     /* do bitblit op on the local surface too */
748     pitch = ds_get_linesize(vd->ds);
749     depth = ds_get_bytes_per_pixel(vd->ds);
750     src_row = vd->server->data + pitch * src_y + depth * src_x;
751     dst_row = vd->server->data + pitch * dst_y + depth * dst_x;
752     y = dst_y;
753     inc = 1;
754     if (dst_y > src_y) {
755         /* copy backwards */
756         src_row += pitch * (h-1);
757         dst_row += pitch * (h-1);
758         pitch = -pitch;
759         y = dst_y + h - 1;
760         inc = -1;
761     }
762     w_lim = w - (16 - (dst_x % 16));
763     if (w_lim < 0)
764         w_lim = w;
765     else
766         w_lim = w - (w_lim % 16);
767     for (i = 0; i < h; i++) {
768         for (x = 0; x <= w_lim;
769                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
770             if (x == w_lim) {
771                 if ((s = w - w_lim) == 0)
772                     break;
773             } else if (!x) {
774                 s = (16 - (dst_x % 16));
775                 s = MIN(s, w_lim);
776             } else {
777                 s = 16;
778             }
779             cmp_bytes = s * depth;
780             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
781                 continue;
782             memmove(dst_row, src_row, cmp_bytes);
783             QTAILQ_FOREACH(vs, &vd->clients, next) {
784                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
785                     set_bit(((x + dst_x) / 16), vs->dirty[y]);
786                 }
787             }
788         }
789         src_row += pitch - w * depth;
790         dst_row += pitch - w * depth;
791         y += inc;
792     }
793 
794     QTAILQ_FOREACH(vs, &vd->clients, next) {
795         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
796             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
797         }
798     }
799 }
800 
801 static void vnc_mouse_set(int x, int y, int visible)
802 {
803     /* can we ask the client(s) to move the pointer ??? */
804 }
805 
806 static int vnc_cursor_define(VncState *vs)
807 {
808     QEMUCursor *c = vs->vd->cursor;
809     PixelFormat pf = qemu_default_pixelformat(32);
810     int isize;
811 
812     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
813         vnc_lock_output(vs);
814         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
815         vnc_write_u8(vs,  0);  /*  padding     */
816         vnc_write_u16(vs, 1);  /*  # of rects  */
817         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
818                                VNC_ENCODING_RICH_CURSOR);
819         isize = c->width * c->height * vs->clientds.pf.bytes_per_pixel;
820         vnc_write_pixels_generic(vs, &pf, c->data, isize);
821         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
822         vnc_unlock_output(vs);
823         return 0;
824     }
825     return -1;
826 }
827 
828 static void vnc_dpy_cursor_define(QEMUCursor *c)
829 {
830     VncDisplay *vd = vnc_display;
831     VncState *vs;
832 
833     cursor_put(vd->cursor);
834     g_free(vd->cursor_mask);
835 
836     vd->cursor = c;
837     cursor_get(vd->cursor);
838     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
839     vd->cursor_mask = g_malloc0(vd->cursor_msize);
840     cursor_get_mono_mask(c, 0, vd->cursor_mask);
841 
842     QTAILQ_FOREACH(vs, &vd->clients, next) {
843         vnc_cursor_define(vs);
844     }
845 }
846 
847 static int find_and_clear_dirty_height(struct VncState *vs,
848                                        int y, int last_x, int x, int height)
849 {
850     int h;
851 
852     for (h = 1; h < (height - y); h++) {
853         int tmp_x;
854         if (!test_bit(last_x, vs->dirty[y + h])) {
855             break;
856         }
857         for (tmp_x = last_x; tmp_x < x; tmp_x++) {
858             clear_bit(tmp_x, vs->dirty[y + h]);
859         }
860     }
861 
862     return h;
863 }
864 
865 static int vnc_update_client_sync(VncState *vs, int has_dirty)
866 {
867     int ret = vnc_update_client(vs, has_dirty);
868     vnc_jobs_join(vs);
869     return ret;
870 }
871 
872 static int vnc_update_client(VncState *vs, int has_dirty)
873 {
874     if (vs->need_update && vs->csock != -1) {
875         VncDisplay *vd = vs->vd;
876         VncJob *job;
877         int y;
878         int width, height;
879         int n = 0;
880 
881 
882         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
883             /* kernel send buffers are full -> drop frames to throttle */
884             return 0;
885 
886         if (!has_dirty && !vs->audio_cap && !vs->force_update)
887             return 0;
888 
889         /*
890          * Send screen updates to the vnc client using the server
891          * surface and server dirty map.  guest surface updates
892          * happening in parallel don't disturb us, the next pass will
893          * send them to the client.
894          */
895         job = vnc_job_new(vs);
896 
897         width = MIN(vd->server->width, vs->client_width);
898         height = MIN(vd->server->height, vs->client_height);
899 
900         for (y = 0; y < height; y++) {
901             int x;
902             int last_x = -1;
903             for (x = 0; x < width / 16; x++) {
904                 if (test_and_clear_bit(x, vs->dirty[y])) {
905                     if (last_x == -1) {
906                         last_x = x;
907                     }
908                 } else {
909                     if (last_x != -1) {
910                         int h = find_and_clear_dirty_height(vs, y, last_x, x,
911                                                             height);
912 
913                         n += vnc_job_add_rect(job, last_x * 16, y,
914                                               (x - last_x) * 16, h);
915                     }
916                     last_x = -1;
917                 }
918             }
919             if (last_x != -1) {
920                 int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
921                 n += vnc_job_add_rect(job, last_x * 16, y,
922                                       (x - last_x) * 16, h);
923             }
924         }
925 
926         vnc_job_push(job);
927         vs->force_update = 0;
928         return n;
929     }
930 
931     if (vs->csock == -1)
932         vnc_disconnect_finish(vs);
933 
934     return 0;
935 }
936 
937 /* audio */
938 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
939 {
940     VncState *vs = opaque;
941 
942     switch (cmd) {
943     case AUD_CNOTIFY_DISABLE:
944         vnc_lock_output(vs);
945         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
946         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
947         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
948         vnc_unlock_output(vs);
949         vnc_flush(vs);
950         break;
951 
952     case AUD_CNOTIFY_ENABLE:
953         vnc_lock_output(vs);
954         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
955         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
956         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
957         vnc_unlock_output(vs);
958         vnc_flush(vs);
959         break;
960     }
961 }
962 
963 static void audio_capture_destroy(void *opaque)
964 {
965 }
966 
967 static void audio_capture(void *opaque, void *buf, int size)
968 {
969     VncState *vs = opaque;
970 
971     vnc_lock_output(vs);
972     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
973     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
974     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
975     vnc_write_u32(vs, size);
976     vnc_write(vs, buf, size);
977     vnc_unlock_output(vs);
978     vnc_flush(vs);
979 }
980 
981 static void audio_add(VncState *vs)
982 {
983     struct audio_capture_ops ops;
984 
985     if (vs->audio_cap) {
986         monitor_printf(default_mon, "audio already running\n");
987         return;
988     }
989 
990     ops.notify = audio_capture_notify;
991     ops.destroy = audio_capture_destroy;
992     ops.capture = audio_capture;
993 
994     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
995     if (!vs->audio_cap) {
996         monitor_printf(default_mon, "Failed to add audio capture\n");
997     }
998 }
999 
1000 static void audio_del(VncState *vs)
1001 {
1002     if (vs->audio_cap) {
1003         AUD_del_capture(vs->audio_cap, vs);
1004         vs->audio_cap = NULL;
1005     }
1006 }
1007 
1008 static void vnc_disconnect_start(VncState *vs)
1009 {
1010     if (vs->csock == -1)
1011         return;
1012     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1013     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1014     closesocket(vs->csock);
1015     vs->csock = -1;
1016 }
1017 
1018 static void vnc_disconnect_finish(VncState *vs)
1019 {
1020     int i;
1021 
1022     vnc_jobs_join(vs); /* Wait encoding jobs */
1023 
1024     vnc_lock_output(vs);
1025     vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);
1026 
1027     buffer_free(&vs->input);
1028     buffer_free(&vs->output);
1029 
1030     qobject_decref(vs->info);
1031 
1032     vnc_zlib_clear(vs);
1033     vnc_tight_clear(vs);
1034     vnc_zrle_clear(vs);
1035 
1036 #ifdef CONFIG_VNC_TLS
1037     vnc_tls_client_cleanup(vs);
1038 #endif /* CONFIG_VNC_TLS */
1039 #ifdef CONFIG_VNC_SASL
1040     vnc_sasl_client_cleanup(vs);
1041 #endif /* CONFIG_VNC_SASL */
1042     audio_del(vs);
1043     vnc_release_modifiers(vs);
1044 
1045     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1046 
1047     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1048         dcl->idle = 1;
1049     }
1050 
1051     qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1052     vnc_remove_timer(vs->vd);
1053     if (vs->vd->lock_key_sync)
1054         qemu_remove_led_event_handler(vs->led);
1055     vnc_unlock_output(vs);
1056 
1057     qemu_mutex_destroy(&vs->output_mutex);
1058     qemu_bh_delete(vs->bh);
1059     buffer_free(&vs->jobs_buffer);
1060 
1061     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1062         g_free(vs->lossy_rect[i]);
1063     }
1064     g_free(vs->lossy_rect);
1065     g_free(vs);
1066 }
1067 
1068 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1069 {
1070     if (ret == 0 || ret == -1) {
1071         if (ret == -1) {
1072             switch (last_errno) {
1073                 case EINTR:
1074                 case EAGAIN:
1075 #ifdef _WIN32
1076                 case WSAEWOULDBLOCK:
1077 #endif
1078                     return 0;
1079                 default:
1080                     break;
1081             }
1082         }
1083 
1084         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1085                   ret, ret < 0 ? last_errno : 0);
1086         vnc_disconnect_start(vs);
1087 
1088         return 0;
1089     }
1090     return ret;
1091 }
1092 
1093 
1094 void vnc_client_error(VncState *vs)
1095 {
1096     VNC_DEBUG("Closing down client sock: protocol error\n");
1097     vnc_disconnect_start(vs);
1098 }
1099 
1100 
1101 /*
1102  * Called to write a chunk of data to the client socket. The data may
1103  * be the raw data, or may have already been encoded by SASL.
1104  * The data will be written either straight onto the socket, or
1105  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1106  *
1107  * NB, it is theoretically possible to have 2 layers of encryption,
1108  * both SASL, and this TLS layer. It is highly unlikely in practice
1109  * though, since SASL encryption will typically be a no-op if TLS
1110  * is active
1111  *
1112  * Returns the number of bytes written, which may be less than
1113  * the requested 'datalen' if the socket would block. Returns
1114  * -1 on error, and disconnects the client socket.
1115  */
1116 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1117 {
1118     long ret;
1119 #ifdef CONFIG_VNC_TLS
1120     if (vs->tls.session) {
1121         ret = gnutls_write(vs->tls.session, data, datalen);
1122         if (ret < 0) {
1123             if (ret == GNUTLS_E_AGAIN)
1124                 errno = EAGAIN;
1125             else
1126                 errno = EIO;
1127             ret = -1;
1128         }
1129     } else
1130 #endif /* CONFIG_VNC_TLS */
1131         ret = send(vs->csock, (const void *)data, datalen, 0);
1132     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1133     return vnc_client_io_error(vs, ret, socket_error());
1134 }
1135 
1136 
1137 /*
1138  * Called to write buffered data to the client socket, when not
1139  * using any SASL SSF encryption layers. Will write as much data
1140  * as possible without blocking. If all buffered data is written,
1141  * will switch the FD poll() handler back to read monitoring.
1142  *
1143  * Returns the number of bytes written, which may be less than
1144  * the buffered output data if the socket would block. Returns
1145  * -1 on error, and disconnects the client socket.
1146  */
1147 static long vnc_client_write_plain(VncState *vs)
1148 {
1149     long ret;
1150 
1151 #ifdef CONFIG_VNC_SASL
1152     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1153               vs->output.buffer, vs->output.capacity, vs->output.offset,
1154               vs->sasl.waitWriteSSF);
1155 
1156     if (vs->sasl.conn &&
1157         vs->sasl.runSSF &&
1158         vs->sasl.waitWriteSSF) {
1159         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1160         if (ret)
1161             vs->sasl.waitWriteSSF -= ret;
1162     } else
1163 #endif /* CONFIG_VNC_SASL */
1164         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1165     if (!ret)
1166         return 0;
1167 
1168     memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
1169     vs->output.offset -= ret;
1170 
1171     if (vs->output.offset == 0) {
1172         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1173     }
1174 
1175     return ret;
1176 }
1177 
1178 
1179 /*
1180  * First function called whenever there is data to be written to
1181  * the client socket. Will delegate actual work according to whether
1182  * SASL SSF layers are enabled (thus requiring encryption calls)
1183  */
1184 static void vnc_client_write_locked(void *opaque)
1185 {
1186     VncState *vs = opaque;
1187 
1188 #ifdef CONFIG_VNC_SASL
1189     if (vs->sasl.conn &&
1190         vs->sasl.runSSF &&
1191         !vs->sasl.waitWriteSSF) {
1192         vnc_client_write_sasl(vs);
1193     } else
1194 #endif /* CONFIG_VNC_SASL */
1195         vnc_client_write_plain(vs);
1196 }
1197 
1198 void vnc_client_write(void *opaque)
1199 {
1200     VncState *vs = opaque;
1201 
1202     vnc_lock_output(vs);
1203     if (vs->output.offset) {
1204         vnc_client_write_locked(opaque);
1205     } else if (vs->csock != -1) {
1206         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1207     }
1208     vnc_unlock_output(vs);
1209 }
1210 
1211 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1212 {
1213     vs->read_handler = func;
1214     vs->read_handler_expect = expecting;
1215 }
1216 
1217 
1218 /*
1219  * Called to read a chunk of data from the client socket. The data may
1220  * be the raw data, or may need to be further decoded by SASL.
1221  * The data will be read either straight from to the socket, or
1222  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1223  *
1224  * NB, it is theoretically possible to have 2 layers of encryption,
1225  * both SASL, and this TLS layer. It is highly unlikely in practice
1226  * though, since SASL encryption will typically be a no-op if TLS
1227  * is active
1228  *
1229  * Returns the number of bytes read, which may be less than
1230  * the requested 'datalen' if the socket would block. Returns
1231  * -1 on error, and disconnects the client socket.
1232  */
1233 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1234 {
1235     long ret;
1236 #ifdef CONFIG_VNC_TLS
1237     if (vs->tls.session) {
1238         ret = gnutls_read(vs->tls.session, data, datalen);
1239         if (ret < 0) {
1240             if (ret == GNUTLS_E_AGAIN)
1241                 errno = EAGAIN;
1242             else
1243                 errno = EIO;
1244             ret = -1;
1245         }
1246     } else
1247 #endif /* CONFIG_VNC_TLS */
1248         ret = qemu_recv(vs->csock, data, datalen, 0);
1249     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1250     return vnc_client_io_error(vs, ret, socket_error());
1251 }
1252 
1253 
1254 /*
1255  * Called to read data from the client socket to the input buffer,
1256  * when not using any SASL SSF encryption layers. Will read as much
1257  * data as possible without blocking.
1258  *
1259  * Returns the number of bytes read. Returns -1 on error, and
1260  * disconnects the client socket.
1261  */
1262 static long vnc_client_read_plain(VncState *vs)
1263 {
1264     int ret;
1265     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1266               vs->input.buffer, vs->input.capacity, vs->input.offset);
1267     buffer_reserve(&vs->input, 4096);
1268     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1269     if (!ret)
1270         return 0;
1271     vs->input.offset += ret;
1272     return ret;
1273 }
1274 
1275 static void vnc_jobs_bh(void *opaque)
1276 {
1277     VncState *vs = opaque;
1278 
1279     vnc_jobs_consume_buffer(vs);
1280 }
1281 
1282 /*
1283  * First function called whenever there is more data to be read from
1284  * the client socket. Will delegate actual work according to whether
1285  * SASL SSF layers are enabled (thus requiring decryption calls)
1286  */
1287 void vnc_client_read(void *opaque)
1288 {
1289     VncState *vs = opaque;
1290     long ret;
1291 
1292 #ifdef CONFIG_VNC_SASL
1293     if (vs->sasl.conn && vs->sasl.runSSF)
1294         ret = vnc_client_read_sasl(vs);
1295     else
1296 #endif /* CONFIG_VNC_SASL */
1297         ret = vnc_client_read_plain(vs);
1298     if (!ret) {
1299         if (vs->csock == -1)
1300             vnc_disconnect_finish(vs);
1301         return;
1302     }
1303 
1304     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1305         size_t len = vs->read_handler_expect;
1306         int ret;
1307 
1308         ret = vs->read_handler(vs, vs->input.buffer, len);
1309         if (vs->csock == -1) {
1310             vnc_disconnect_finish(vs);
1311             return;
1312         }
1313 
1314         if (!ret) {
1315             memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
1316             vs->input.offset -= len;
1317         } else {
1318             vs->read_handler_expect = ret;
1319         }
1320     }
1321 }
1322 
1323 void vnc_write(VncState *vs, const void *data, size_t len)
1324 {
1325     buffer_reserve(&vs->output, len);
1326 
1327     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1328         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1329     }
1330 
1331     buffer_append(&vs->output, data, len);
1332 }
1333 
1334 void vnc_write_s32(VncState *vs, int32_t value)
1335 {
1336     vnc_write_u32(vs, *(uint32_t *)&value);
1337 }
1338 
1339 void vnc_write_u32(VncState *vs, uint32_t value)
1340 {
1341     uint8_t buf[4];
1342 
1343     buf[0] = (value >> 24) & 0xFF;
1344     buf[1] = (value >> 16) & 0xFF;
1345     buf[2] = (value >>  8) & 0xFF;
1346     buf[3] = value & 0xFF;
1347 
1348     vnc_write(vs, buf, 4);
1349 }
1350 
1351 void vnc_write_u16(VncState *vs, uint16_t value)
1352 {
1353     uint8_t buf[2];
1354 
1355     buf[0] = (value >> 8) & 0xFF;
1356     buf[1] = value & 0xFF;
1357 
1358     vnc_write(vs, buf, 2);
1359 }
1360 
1361 void vnc_write_u8(VncState *vs, uint8_t value)
1362 {
1363     vnc_write(vs, (char *)&value, 1);
1364 }
1365 
1366 void vnc_flush(VncState *vs)
1367 {
1368     vnc_lock_output(vs);
1369     if (vs->csock != -1 && vs->output.offset) {
1370         vnc_client_write_locked(vs);
1371     }
1372     vnc_unlock_output(vs);
1373 }
1374 
1375 uint8_t read_u8(uint8_t *data, size_t offset)
1376 {
1377     return data[offset];
1378 }
1379 
1380 uint16_t read_u16(uint8_t *data, size_t offset)
1381 {
1382     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1383 }
1384 
1385 int32_t read_s32(uint8_t *data, size_t offset)
1386 {
1387     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1388                      (data[offset + 2] << 8) | data[offset + 3]);
1389 }
1390 
1391 uint32_t read_u32(uint8_t *data, size_t offset)
1392 {
1393     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1394             (data[offset + 2] << 8) | data[offset + 3]);
1395 }
1396 
1397 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1398 {
1399 }
1400 
1401 static void check_pointer_type_change(Notifier *notifier, void *data)
1402 {
1403     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1404     int absolute = kbd_mouse_is_absolute();
1405 
1406     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1407         vnc_lock_output(vs);
1408         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1409         vnc_write_u8(vs, 0);
1410         vnc_write_u16(vs, 1);
1411         vnc_framebuffer_update(vs, absolute, 0,
1412                                ds_get_width(vs->ds), ds_get_height(vs->ds),
1413                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1414         vnc_unlock_output(vs);
1415         vnc_flush(vs);
1416     }
1417     vs->absolute = absolute;
1418 }
1419 
1420 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1421 {
1422     int buttons = 0;
1423     int dz = 0;
1424 
1425     if (button_mask & 0x01)
1426         buttons |= MOUSE_EVENT_LBUTTON;
1427     if (button_mask & 0x02)
1428         buttons |= MOUSE_EVENT_MBUTTON;
1429     if (button_mask & 0x04)
1430         buttons |= MOUSE_EVENT_RBUTTON;
1431     if (button_mask & 0x08)
1432         dz = -1;
1433     if (button_mask & 0x10)
1434         dz = 1;
1435 
1436     if (vs->absolute) {
1437         kbd_mouse_event(ds_get_width(vs->ds) > 1 ?
1438                           x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000,
1439                         ds_get_height(vs->ds) > 1 ?
1440                           y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000,
1441                         dz, buttons);
1442     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1443         x -= 0x7FFF;
1444         y -= 0x7FFF;
1445 
1446         kbd_mouse_event(x, y, dz, buttons);
1447     } else {
1448         if (vs->last_x != -1)
1449             kbd_mouse_event(x - vs->last_x,
1450                             y - vs->last_y,
1451                             dz, buttons);
1452         vs->last_x = x;
1453         vs->last_y = y;
1454     }
1455 }
1456 
1457 static void reset_keys(VncState *vs)
1458 {
1459     int i;
1460     for(i = 0; i < 256; i++) {
1461         if (vs->modifiers_state[i]) {
1462             if (i & SCANCODE_GREY)
1463                 kbd_put_keycode(SCANCODE_EMUL0);
1464             kbd_put_keycode(i | SCANCODE_UP);
1465             vs->modifiers_state[i] = 0;
1466         }
1467     }
1468 }
1469 
1470 static void press_key(VncState *vs, int keysym)
1471 {
1472     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1473     if (keycode & SCANCODE_GREY)
1474         kbd_put_keycode(SCANCODE_EMUL0);
1475     kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1476     if (keycode & SCANCODE_GREY)
1477         kbd_put_keycode(SCANCODE_EMUL0);
1478     kbd_put_keycode(keycode | SCANCODE_UP);
1479 }
1480 
1481 static void kbd_leds(void *opaque, int ledstate)
1482 {
1483     VncState *vs = opaque;
1484     int caps, num;
1485 
1486     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1487     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1488 
1489     if (vs->modifiers_state[0x3a] != caps) {
1490         vs->modifiers_state[0x3a] = caps;
1491     }
1492     if (vs->modifiers_state[0x45] != num) {
1493         vs->modifiers_state[0x45] = num;
1494     }
1495 }
1496 
1497 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1498 {
1499     /* QEMU console switch */
1500     switch(keycode) {
1501     case 0x2a:                          /* Left Shift */
1502     case 0x36:                          /* Right Shift */
1503     case 0x1d:                          /* Left CTRL */
1504     case 0x9d:                          /* Right CTRL */
1505     case 0x38:                          /* Left ALT */
1506     case 0xb8:                          /* Right ALT */
1507         if (down)
1508             vs->modifiers_state[keycode] = 1;
1509         else
1510             vs->modifiers_state[keycode] = 0;
1511         break;
1512     case 0x02 ... 0x0a: /* '1' to '9' keys */
1513         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1514             /* Reset the modifiers sent to the current console */
1515             reset_keys(vs);
1516             console_select(keycode - 0x02);
1517             return;
1518         }
1519         break;
1520     case 0x3a:                        /* CapsLock */
1521     case 0x45:                        /* NumLock */
1522         if (down)
1523             vs->modifiers_state[keycode] ^= 1;
1524         break;
1525     }
1526 
1527     if (down && vs->vd->lock_key_sync &&
1528         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1529         /* If the numlock state needs to change then simulate an additional
1530            keypress before sending this one.  This will happen if the user
1531            toggles numlock away from the VNC window.
1532         */
1533         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1534             if (!vs->modifiers_state[0x45]) {
1535                 vs->modifiers_state[0x45] = 1;
1536                 press_key(vs, 0xff7f);
1537             }
1538         } else {
1539             if (vs->modifiers_state[0x45]) {
1540                 vs->modifiers_state[0x45] = 0;
1541                 press_key(vs, 0xff7f);
1542             }
1543         }
1544     }
1545 
1546     if (down && vs->vd->lock_key_sync &&
1547         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1548         /* If the capslock state needs to change then simulate an additional
1549            keypress before sending this one.  This will happen if the user
1550            toggles capslock away from the VNC window.
1551         */
1552         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1553         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1554         int capslock = !!(vs->modifiers_state[0x3a]);
1555         if (capslock) {
1556             if (uppercase == shift) {
1557                 vs->modifiers_state[0x3a] = 0;
1558                 press_key(vs, 0xffe5);
1559             }
1560         } else {
1561             if (uppercase != shift) {
1562                 vs->modifiers_state[0x3a] = 1;
1563                 press_key(vs, 0xffe5);
1564             }
1565         }
1566     }
1567 
1568     if (is_graphic_console()) {
1569         if (keycode & SCANCODE_GREY)
1570             kbd_put_keycode(SCANCODE_EMUL0);
1571         if (down)
1572             kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1573         else
1574             kbd_put_keycode(keycode | SCANCODE_UP);
1575     } else {
1576         bool numlock = vs->modifiers_state[0x45];
1577         bool control = (vs->modifiers_state[0x1d] ||
1578                         vs->modifiers_state[0x9d]);
1579         /* QEMU console emulation */
1580         if (down) {
1581             switch (keycode) {
1582             case 0x2a:                          /* Left Shift */
1583             case 0x36:                          /* Right Shift */
1584             case 0x1d:                          /* Left CTRL */
1585             case 0x9d:                          /* Right CTRL */
1586             case 0x38:                          /* Left ALT */
1587             case 0xb8:                          /* Right ALT */
1588                 break;
1589             case 0xc8:
1590                 kbd_put_keysym(QEMU_KEY_UP);
1591                 break;
1592             case 0xd0:
1593                 kbd_put_keysym(QEMU_KEY_DOWN);
1594                 break;
1595             case 0xcb:
1596                 kbd_put_keysym(QEMU_KEY_LEFT);
1597                 break;
1598             case 0xcd:
1599                 kbd_put_keysym(QEMU_KEY_RIGHT);
1600                 break;
1601             case 0xd3:
1602                 kbd_put_keysym(QEMU_KEY_DELETE);
1603                 break;
1604             case 0xc7:
1605                 kbd_put_keysym(QEMU_KEY_HOME);
1606                 break;
1607             case 0xcf:
1608                 kbd_put_keysym(QEMU_KEY_END);
1609                 break;
1610             case 0xc9:
1611                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1612                 break;
1613             case 0xd1:
1614                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1615                 break;
1616 
1617             case 0x47:
1618                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1619                 break;
1620             case 0x48:
1621                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1622                 break;
1623             case 0x49:
1624                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1625                 break;
1626             case 0x4b:
1627                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1628                 break;
1629             case 0x4c:
1630                 kbd_put_keysym('5');
1631                 break;
1632             case 0x4d:
1633                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1634                 break;
1635             case 0x4f:
1636                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1637                 break;
1638             case 0x50:
1639                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1640                 break;
1641             case 0x51:
1642                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1643                 break;
1644             case 0x52:
1645                 kbd_put_keysym('0');
1646                 break;
1647             case 0x53:
1648                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1649                 break;
1650 
1651             case 0xb5:
1652                 kbd_put_keysym('/');
1653                 break;
1654             case 0x37:
1655                 kbd_put_keysym('*');
1656                 break;
1657             case 0x4a:
1658                 kbd_put_keysym('-');
1659                 break;
1660             case 0x4e:
1661                 kbd_put_keysym('+');
1662                 break;
1663             case 0x9c:
1664                 kbd_put_keysym('\n');
1665                 break;
1666 
1667             default:
1668                 if (control) {
1669                     kbd_put_keysym(sym & 0x1f);
1670                 } else {
1671                     kbd_put_keysym(sym);
1672                 }
1673                 break;
1674             }
1675         }
1676     }
1677 }
1678 
1679 static void vnc_release_modifiers(VncState *vs)
1680 {
1681     static const int keycodes[] = {
1682         /* shift, control, alt keys, both left & right */
1683         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1684     };
1685     int i, keycode;
1686 
1687     if (!is_graphic_console()) {
1688         return;
1689     }
1690     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1691         keycode = keycodes[i];
1692         if (!vs->modifiers_state[keycode]) {
1693             continue;
1694         }
1695         if (keycode & SCANCODE_GREY) {
1696             kbd_put_keycode(SCANCODE_EMUL0);
1697         }
1698         kbd_put_keycode(keycode | SCANCODE_UP);
1699     }
1700 }
1701 
1702 static void key_event(VncState *vs, int down, uint32_t sym)
1703 {
1704     int keycode;
1705     int lsym = sym;
1706 
1707     if (lsym >= 'A' && lsym <= 'Z' && is_graphic_console()) {
1708         lsym = lsym - 'A' + 'a';
1709     }
1710 
1711     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1712     do_key_event(vs, down, keycode, sym);
1713 }
1714 
1715 static void ext_key_event(VncState *vs, int down,
1716                           uint32_t sym, uint16_t keycode)
1717 {
1718     /* if the user specifies a keyboard layout, always use it */
1719     if (keyboard_layout)
1720         key_event(vs, down, sym);
1721     else
1722         do_key_event(vs, down, keycode, sym);
1723 }
1724 
1725 static void framebuffer_update_request(VncState *vs, int incremental,
1726                                        int x_position, int y_position,
1727                                        int w, int h)
1728 {
1729     int i;
1730     const size_t width = ds_get_width(vs->ds) / 16;
1731 
1732     if (y_position > ds_get_height(vs->ds))
1733         y_position = ds_get_height(vs->ds);
1734     if (y_position + h >= ds_get_height(vs->ds))
1735         h = ds_get_height(vs->ds) - y_position;
1736 
1737     vs->need_update = 1;
1738     if (!incremental) {
1739         vs->force_update = 1;
1740         for (i = 0; i < h; i++) {
1741             bitmap_set(vs->dirty[y_position + i], 0, width);
1742             bitmap_clear(vs->dirty[y_position + i], width,
1743                          VNC_DIRTY_BITS - width);
1744         }
1745     }
1746 }
1747 
1748 static void send_ext_key_event_ack(VncState *vs)
1749 {
1750     vnc_lock_output(vs);
1751     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1752     vnc_write_u8(vs, 0);
1753     vnc_write_u16(vs, 1);
1754     vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1755                            VNC_ENCODING_EXT_KEY_EVENT);
1756     vnc_unlock_output(vs);
1757     vnc_flush(vs);
1758 }
1759 
1760 static void send_ext_audio_ack(VncState *vs)
1761 {
1762     vnc_lock_output(vs);
1763     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1764     vnc_write_u8(vs, 0);
1765     vnc_write_u16(vs, 1);
1766     vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1767                            VNC_ENCODING_AUDIO);
1768     vnc_unlock_output(vs);
1769     vnc_flush(vs);
1770 }
1771 
1772 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1773 {
1774     int i;
1775     unsigned int enc = 0;
1776 
1777     vs->features = 0;
1778     vs->vnc_encoding = 0;
1779     vs->tight.compression = 9;
1780     vs->tight.quality = -1; /* Lossless by default */
1781     vs->absolute = -1;
1782 
1783     /*
1784      * Start from the end because the encodings are sent in order of preference.
1785      * This way the preferred encoding (first encoding defined in the array)
1786      * will be set at the end of the loop.
1787      */
1788     for (i = n_encodings - 1; i >= 0; i--) {
1789         enc = encodings[i];
1790         switch (enc) {
1791         case VNC_ENCODING_RAW:
1792             vs->vnc_encoding = enc;
1793             break;
1794         case VNC_ENCODING_COPYRECT:
1795             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1796             break;
1797         case VNC_ENCODING_HEXTILE:
1798             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1799             vs->vnc_encoding = enc;
1800             break;
1801         case VNC_ENCODING_TIGHT:
1802             vs->features |= VNC_FEATURE_TIGHT_MASK;
1803             vs->vnc_encoding = enc;
1804             break;
1805         case VNC_ENCODING_TIGHT_PNG:
1806             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1807             vs->vnc_encoding = enc;
1808             break;
1809         case VNC_ENCODING_ZLIB:
1810             vs->features |= VNC_FEATURE_ZLIB_MASK;
1811             vs->vnc_encoding = enc;
1812             break;
1813         case VNC_ENCODING_ZRLE:
1814             vs->features |= VNC_FEATURE_ZRLE_MASK;
1815             vs->vnc_encoding = enc;
1816             break;
1817         case VNC_ENCODING_ZYWRLE:
1818             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1819             vs->vnc_encoding = enc;
1820             break;
1821         case VNC_ENCODING_DESKTOPRESIZE:
1822             vs->features |= VNC_FEATURE_RESIZE_MASK;
1823             break;
1824         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1825             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1826             break;
1827         case VNC_ENCODING_RICH_CURSOR:
1828             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1829             break;
1830         case VNC_ENCODING_EXT_KEY_EVENT:
1831             send_ext_key_event_ack(vs);
1832             break;
1833         case VNC_ENCODING_AUDIO:
1834             send_ext_audio_ack(vs);
1835             break;
1836         case VNC_ENCODING_WMVi:
1837             vs->features |= VNC_FEATURE_WMVI_MASK;
1838             break;
1839         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1840             vs->tight.compression = (enc & 0x0F);
1841             break;
1842         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1843             if (vs->vd->lossy) {
1844                 vs->tight.quality = (enc & 0x0F);
1845             }
1846             break;
1847         default:
1848             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1849             break;
1850         }
1851     }
1852     vnc_desktop_resize(vs);
1853     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
1854 }
1855 
1856 static void set_pixel_conversion(VncState *vs)
1857 {
1858     if ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) ==
1859         (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) &&
1860         !memcmp(&(vs->clientds.pf), &(vs->ds->surface->pf), sizeof(PixelFormat))) {
1861         vs->write_pixels = vnc_write_pixels_copy;
1862         vnc_hextile_set_pixel_conversion(vs, 0);
1863     } else {
1864         vs->write_pixels = vnc_write_pixels_generic;
1865         vnc_hextile_set_pixel_conversion(vs, 1);
1866     }
1867 }
1868 
1869 static void set_pixel_format(VncState *vs,
1870                              int bits_per_pixel, int depth,
1871                              int big_endian_flag, int true_color_flag,
1872                              int red_max, int green_max, int blue_max,
1873                              int red_shift, int green_shift, int blue_shift)
1874 {
1875     if (!true_color_flag) {
1876         vnc_client_error(vs);
1877         return;
1878     }
1879 
1880     vs->clientds = *(vs->vd->guest.ds);
1881     vs->clientds.pf.rmax = red_max;
1882     vs->clientds.pf.rbits = hweight_long(red_max);
1883     vs->clientds.pf.rshift = red_shift;
1884     vs->clientds.pf.rmask = red_max << red_shift;
1885     vs->clientds.pf.gmax = green_max;
1886     vs->clientds.pf.gbits = hweight_long(green_max);
1887     vs->clientds.pf.gshift = green_shift;
1888     vs->clientds.pf.gmask = green_max << green_shift;
1889     vs->clientds.pf.bmax = blue_max;
1890     vs->clientds.pf.bbits = hweight_long(blue_max);
1891     vs->clientds.pf.bshift = blue_shift;
1892     vs->clientds.pf.bmask = blue_max << blue_shift;
1893     vs->clientds.pf.bits_per_pixel = bits_per_pixel;
1894     vs->clientds.pf.bytes_per_pixel = bits_per_pixel / 8;
1895     vs->clientds.pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
1896     vs->clientds.flags = big_endian_flag ? QEMU_BIG_ENDIAN_FLAG : 0x00;
1897 
1898     set_pixel_conversion(vs);
1899 
1900     vga_hw_invalidate();
1901     vga_hw_update();
1902 }
1903 
1904 static void pixel_format_message (VncState *vs) {
1905     char pad[3] = { 0, 0, 0 };
1906 
1907     vnc_write_u8(vs, vs->ds->surface->pf.bits_per_pixel); /* bits-per-pixel */
1908     vnc_write_u8(vs, vs->ds->surface->pf.depth); /* depth */
1909 
1910 #ifdef HOST_WORDS_BIGENDIAN
1911     vnc_write_u8(vs, 1);             /* big-endian-flag */
1912 #else
1913     vnc_write_u8(vs, 0);             /* big-endian-flag */
1914 #endif
1915     vnc_write_u8(vs, 1);             /* true-color-flag */
1916     vnc_write_u16(vs, vs->ds->surface->pf.rmax);     /* red-max */
1917     vnc_write_u16(vs, vs->ds->surface->pf.gmax);     /* green-max */
1918     vnc_write_u16(vs, vs->ds->surface->pf.bmax);     /* blue-max */
1919     vnc_write_u8(vs, vs->ds->surface->pf.rshift);    /* red-shift */
1920     vnc_write_u8(vs, vs->ds->surface->pf.gshift);    /* green-shift */
1921     vnc_write_u8(vs, vs->ds->surface->pf.bshift);    /* blue-shift */
1922 
1923     vnc_hextile_set_pixel_conversion(vs, 0);
1924 
1925     vs->clientds = *(vs->ds->surface);
1926     vs->clientds.flags &= ~QEMU_ALLOCATED_FLAG;
1927     vs->write_pixels = vnc_write_pixels_copy;
1928 
1929     vnc_write(vs, pad, 3);           /* padding */
1930 }
1931 
1932 static void vnc_dpy_setdata(DisplayState *ds)
1933 {
1934     VncDisplay *vd = ds->opaque;
1935 
1936     *(vd->guest.ds) = *(ds->surface);
1937     vnc_dpy_update(ds, 0, 0, ds_get_width(ds), ds_get_height(ds));
1938 }
1939 
1940 static void vnc_colordepth(VncState *vs)
1941 {
1942     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
1943         /* Sending a WMVi message to notify the client*/
1944         vnc_lock_output(vs);
1945         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1946         vnc_write_u8(vs, 0);
1947         vnc_write_u16(vs, 1); /* number of rects */
1948         vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
1949                                ds_get_height(vs->ds), VNC_ENCODING_WMVi);
1950         pixel_format_message(vs);
1951         vnc_unlock_output(vs);
1952         vnc_flush(vs);
1953     } else {
1954         set_pixel_conversion(vs);
1955     }
1956 }
1957 
1958 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
1959 {
1960     int i;
1961     uint16_t limit;
1962     VncDisplay *vd = vs->vd;
1963 
1964     if (data[0] > 3) {
1965         vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
1966         if (!qemu_timer_expired(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval))
1967             qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval);
1968     }
1969 
1970     switch (data[0]) {
1971     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
1972         if (len == 1)
1973             return 20;
1974 
1975         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
1976                          read_u8(data, 6), read_u8(data, 7),
1977                          read_u16(data, 8), read_u16(data, 10),
1978                          read_u16(data, 12), read_u8(data, 14),
1979                          read_u8(data, 15), read_u8(data, 16));
1980         break;
1981     case VNC_MSG_CLIENT_SET_ENCODINGS:
1982         if (len == 1)
1983             return 4;
1984 
1985         if (len == 4) {
1986             limit = read_u16(data, 2);
1987             if (limit > 0)
1988                 return 4 + (limit * 4);
1989         } else
1990             limit = read_u16(data, 2);
1991 
1992         for (i = 0; i < limit; i++) {
1993             int32_t val = read_s32(data, 4 + (i * 4));
1994             memcpy(data + 4 + (i * 4), &val, sizeof(val));
1995         }
1996 
1997         set_encodings(vs, (int32_t *)(data + 4), limit);
1998         break;
1999     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2000         if (len == 1)
2001             return 10;
2002 
2003         framebuffer_update_request(vs,
2004                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2005                                    read_u16(data, 6), read_u16(data, 8));
2006         break;
2007     case VNC_MSG_CLIENT_KEY_EVENT:
2008         if (len == 1)
2009             return 8;
2010 
2011         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2012         break;
2013     case VNC_MSG_CLIENT_POINTER_EVENT:
2014         if (len == 1)
2015             return 6;
2016 
2017         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2018         break;
2019     case VNC_MSG_CLIENT_CUT_TEXT:
2020         if (len == 1)
2021             return 8;
2022 
2023         if (len == 8) {
2024             uint32_t dlen = read_u32(data, 4);
2025             if (dlen > 0)
2026                 return 8 + dlen;
2027         }
2028 
2029         client_cut_text(vs, read_u32(data, 4), data + 8);
2030         break;
2031     case VNC_MSG_CLIENT_QEMU:
2032         if (len == 1)
2033             return 2;
2034 
2035         switch (read_u8(data, 1)) {
2036         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2037             if (len == 2)
2038                 return 12;
2039 
2040             ext_key_event(vs, read_u16(data, 2),
2041                           read_u32(data, 4), read_u32(data, 8));
2042             break;
2043         case VNC_MSG_CLIENT_QEMU_AUDIO:
2044             if (len == 2)
2045                 return 4;
2046 
2047             switch (read_u16 (data, 2)) {
2048             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2049                 audio_add(vs);
2050                 break;
2051             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2052                 audio_del(vs);
2053                 break;
2054             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2055                 if (len == 4)
2056                     return 10;
2057                 switch (read_u8(data, 4)) {
2058                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2059                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2060                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2061                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2062                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2063                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2064                 default:
2065                     printf("Invalid audio format %d\n", read_u8(data, 4));
2066                     vnc_client_error(vs);
2067                     break;
2068                 }
2069                 vs->as.nchannels = read_u8(data, 5);
2070                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2071                     printf("Invalid audio channel coount %d\n",
2072                            read_u8(data, 5));
2073                     vnc_client_error(vs);
2074                     break;
2075                 }
2076                 vs->as.freq = read_u32(data, 6);
2077                 break;
2078             default:
2079                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2080                 vnc_client_error(vs);
2081                 break;
2082             }
2083             break;
2084 
2085         default:
2086             printf("Msg: %d\n", read_u16(data, 0));
2087             vnc_client_error(vs);
2088             break;
2089         }
2090         break;
2091     default:
2092         printf("Msg: %d\n", data[0]);
2093         vnc_client_error(vs);
2094         break;
2095     }
2096 
2097     vnc_read_when(vs, protocol_client_msg, 1);
2098     return 0;
2099 }
2100 
2101 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2102 {
2103     char buf[1024];
2104     VncShareMode mode;
2105     int size;
2106 
2107     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2108     switch (vs->vd->share_policy) {
2109     case VNC_SHARE_POLICY_IGNORE:
2110         /*
2111          * Ignore the shared flag.  Nothing to do here.
2112          *
2113          * Doesn't conform to the rfb spec but is traditional qemu
2114          * behavior, thus left here as option for compatibility
2115          * reasons.
2116          */
2117         break;
2118     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2119         /*
2120          * Policy: Allow clients ask for exclusive access.
2121          *
2122          * Implementation: When a client asks for exclusive access,
2123          * disconnect all others. Shared connects are allowed as long
2124          * as no exclusive connection exists.
2125          *
2126          * This is how the rfb spec suggests to handle the shared flag.
2127          */
2128         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2129             VncState *client;
2130             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2131                 if (vs == client) {
2132                     continue;
2133                 }
2134                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2135                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2136                     continue;
2137                 }
2138                 vnc_disconnect_start(client);
2139             }
2140         }
2141         if (mode == VNC_SHARE_MODE_SHARED) {
2142             if (vs->vd->num_exclusive > 0) {
2143                 vnc_disconnect_start(vs);
2144                 return 0;
2145             }
2146         }
2147         break;
2148     case VNC_SHARE_POLICY_FORCE_SHARED:
2149         /*
2150          * Policy: Shared connects only.
2151          * Implementation: Disallow clients asking for exclusive access.
2152          *
2153          * Useful for shared desktop sessions where you don't want
2154          * someone forgetting to say -shared when running the vnc
2155          * client disconnect everybody else.
2156          */
2157         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2158             vnc_disconnect_start(vs);
2159             return 0;
2160         }
2161         break;
2162     }
2163     vnc_set_share_mode(vs, mode);
2164 
2165     vs->client_width = ds_get_width(vs->ds);
2166     vs->client_height = ds_get_height(vs->ds);
2167     vnc_write_u16(vs, vs->client_width);
2168     vnc_write_u16(vs, vs->client_height);
2169 
2170     pixel_format_message(vs);
2171 
2172     if (qemu_name)
2173         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2174     else
2175         size = snprintf(buf, sizeof(buf), "QEMU");
2176 
2177     vnc_write_u32(vs, size);
2178     vnc_write(vs, buf, size);
2179     vnc_flush(vs);
2180 
2181     vnc_client_cache_auth(vs);
2182     vnc_qmp_event(vs, QEVENT_VNC_INITIALIZED);
2183 
2184     vnc_read_when(vs, protocol_client_msg, 1);
2185 
2186     return 0;
2187 }
2188 
2189 void start_client_init(VncState *vs)
2190 {
2191     vnc_read_when(vs, protocol_client_init, 1);
2192 }
2193 
2194 static void make_challenge(VncState *vs)
2195 {
2196     int i;
2197 
2198     srand(time(NULL)+getpid()+getpid()*987654+rand());
2199 
2200     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2201         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2202 }
2203 
2204 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2205 {
2206     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2207     int i, j, pwlen;
2208     unsigned char key[8];
2209     time_t now = time(NULL);
2210 
2211     if (!vs->vd->password) {
2212         VNC_DEBUG("No password configured on server");
2213         goto reject;
2214     }
2215     if (vs->vd->expires < now) {
2216         VNC_DEBUG("Password is expired");
2217         goto reject;
2218     }
2219 
2220     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2221 
2222     /* Calculate the expected challenge response */
2223     pwlen = strlen(vs->vd->password);
2224     for (i=0; i<sizeof(key); i++)
2225         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2226     deskey(key, EN0);
2227     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2228         des(response+j, response+j);
2229 
2230     /* Compare expected vs actual challenge response */
2231     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2232         VNC_DEBUG("Client challenge response did not match\n");
2233         goto reject;
2234     } else {
2235         VNC_DEBUG("Accepting VNC challenge response\n");
2236         vnc_write_u32(vs, 0); /* Accept auth */
2237         vnc_flush(vs);
2238 
2239         start_client_init(vs);
2240     }
2241     return 0;
2242 
2243 reject:
2244     vnc_write_u32(vs, 1); /* Reject auth */
2245     if (vs->minor >= 8) {
2246         static const char err[] = "Authentication failed";
2247         vnc_write_u32(vs, sizeof(err));
2248         vnc_write(vs, err, sizeof(err));
2249     }
2250     vnc_flush(vs);
2251     vnc_client_error(vs);
2252     return 0;
2253 }
2254 
2255 void start_auth_vnc(VncState *vs)
2256 {
2257     make_challenge(vs);
2258     /* Send client a 'random' challenge */
2259     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2260     vnc_flush(vs);
2261 
2262     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2263 }
2264 
2265 
2266 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2267 {
2268     /* We only advertise 1 auth scheme at a time, so client
2269      * must pick the one we sent. Verify this */
2270     if (data[0] != vs->auth) { /* Reject auth */
2271        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2272        vnc_write_u32(vs, 1);
2273        if (vs->minor >= 8) {
2274            static const char err[] = "Authentication failed";
2275            vnc_write_u32(vs, sizeof(err));
2276            vnc_write(vs, err, sizeof(err));
2277        }
2278        vnc_client_error(vs);
2279     } else { /* Accept requested auth */
2280        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2281        switch (vs->auth) {
2282        case VNC_AUTH_NONE:
2283            VNC_DEBUG("Accept auth none\n");
2284            if (vs->minor >= 8) {
2285                vnc_write_u32(vs, 0); /* Accept auth completion */
2286                vnc_flush(vs);
2287            }
2288            start_client_init(vs);
2289            break;
2290 
2291        case VNC_AUTH_VNC:
2292            VNC_DEBUG("Start VNC auth\n");
2293            start_auth_vnc(vs);
2294            break;
2295 
2296 #ifdef CONFIG_VNC_TLS
2297        case VNC_AUTH_VENCRYPT:
2298            VNC_DEBUG("Accept VeNCrypt auth\n");
2299            start_auth_vencrypt(vs);
2300            break;
2301 #endif /* CONFIG_VNC_TLS */
2302 
2303 #ifdef CONFIG_VNC_SASL
2304        case VNC_AUTH_SASL:
2305            VNC_DEBUG("Accept SASL auth\n");
2306            start_auth_sasl(vs);
2307            break;
2308 #endif /* CONFIG_VNC_SASL */
2309 
2310        default: /* Should not be possible, but just in case */
2311            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2312            vnc_write_u8(vs, 1);
2313            if (vs->minor >= 8) {
2314                static const char err[] = "Authentication failed";
2315                vnc_write_u32(vs, sizeof(err));
2316                vnc_write(vs, err, sizeof(err));
2317            }
2318            vnc_client_error(vs);
2319        }
2320     }
2321     return 0;
2322 }
2323 
2324 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2325 {
2326     char local[13];
2327 
2328     memcpy(local, version, 12);
2329     local[12] = 0;
2330 
2331     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2332         VNC_DEBUG("Malformed protocol version %s\n", local);
2333         vnc_client_error(vs);
2334         return 0;
2335     }
2336     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2337     if (vs->major != 3 ||
2338         (vs->minor != 3 &&
2339          vs->minor != 4 &&
2340          vs->minor != 5 &&
2341          vs->minor != 7 &&
2342          vs->minor != 8)) {
2343         VNC_DEBUG("Unsupported client version\n");
2344         vnc_write_u32(vs, VNC_AUTH_INVALID);
2345         vnc_flush(vs);
2346         vnc_client_error(vs);
2347         return 0;
2348     }
2349     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2350      * as equivalent to v3.3 by servers
2351      */
2352     if (vs->minor == 4 || vs->minor == 5)
2353         vs->minor = 3;
2354 
2355     if (vs->minor == 3) {
2356         if (vs->auth == VNC_AUTH_NONE) {
2357             VNC_DEBUG("Tell client auth none\n");
2358             vnc_write_u32(vs, vs->auth);
2359             vnc_flush(vs);
2360             start_client_init(vs);
2361        } else if (vs->auth == VNC_AUTH_VNC) {
2362             VNC_DEBUG("Tell client VNC auth\n");
2363             vnc_write_u32(vs, vs->auth);
2364             vnc_flush(vs);
2365             start_auth_vnc(vs);
2366        } else {
2367             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2368             vnc_write_u32(vs, VNC_AUTH_INVALID);
2369             vnc_flush(vs);
2370             vnc_client_error(vs);
2371        }
2372     } else {
2373         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2374         vnc_write_u8(vs, 1); /* num auth */
2375         vnc_write_u8(vs, vs->auth);
2376         vnc_read_when(vs, protocol_client_auth, 1);
2377         vnc_flush(vs);
2378     }
2379 
2380     return 0;
2381 }
2382 
2383 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2384 {
2385     struct VncSurface *vs = &vd->guest;
2386 
2387     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2388 }
2389 
2390 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2391 {
2392     int i, j;
2393 
2394     w = (x + w) / VNC_STAT_RECT;
2395     h = (y + h) / VNC_STAT_RECT;
2396     x /= VNC_STAT_RECT;
2397     y /= VNC_STAT_RECT;
2398 
2399     for (j = y; j <= h; j++) {
2400         for (i = x; i <= w; i++) {
2401             vs->lossy_rect[j][i] = 1;
2402         }
2403     }
2404 }
2405 
2406 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2407 {
2408     VncState *vs;
2409     int sty = y / VNC_STAT_RECT;
2410     int stx = x / VNC_STAT_RECT;
2411     int has_dirty = 0;
2412 
2413     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2414     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2415 
2416     QTAILQ_FOREACH(vs, &vd->clients, next) {
2417         int j;
2418 
2419         /* kernel send buffers are full -> refresh later */
2420         if (vs->output.offset) {
2421             continue;
2422         }
2423 
2424         if (!vs->lossy_rect[sty][stx]) {
2425             continue;
2426         }
2427 
2428         vs->lossy_rect[sty][stx] = 0;
2429         for (j = 0; j < VNC_STAT_RECT; ++j) {
2430             bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16);
2431         }
2432         has_dirty++;
2433     }
2434 
2435     return has_dirty;
2436 }
2437 
2438 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2439 {
2440     int x, y;
2441     struct timeval res;
2442     int has_dirty = 0;
2443 
2444     for (y = 0; y < vd->guest.ds->height; y += VNC_STAT_RECT) {
2445         for (x = 0; x < vd->guest.ds->width; x += VNC_STAT_RECT) {
2446             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2447 
2448             rect->updated = false;
2449         }
2450     }
2451 
2452     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2453 
2454     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2455         return has_dirty;
2456     }
2457     vd->guest.last_freq_check = *tv;
2458 
2459     for (y = 0; y < vd->guest.ds->height; y += VNC_STAT_RECT) {
2460         for (x = 0; x < vd->guest.ds->width; x += VNC_STAT_RECT) {
2461             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2462             int count = ARRAY_SIZE(rect->times);
2463             struct timeval min, max;
2464 
2465             if (!timerisset(&rect->times[count - 1])) {
2466                 continue ;
2467             }
2468 
2469             max = rect->times[(rect->idx + count - 1) % count];
2470             qemu_timersub(tv, &max, &res);
2471 
2472             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2473                 rect->freq = 0;
2474                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2475                 memset(rect->times, 0, sizeof (rect->times));
2476                 continue ;
2477             }
2478 
2479             min = rect->times[rect->idx];
2480             max = rect->times[(rect->idx + count - 1) % count];
2481             qemu_timersub(&max, &min, &res);
2482 
2483             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2484             rect->freq /= count;
2485             rect->freq = 1. / rect->freq;
2486         }
2487     }
2488     return has_dirty;
2489 }
2490 
2491 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2492 {
2493     int i, j;
2494     double total = 0;
2495     int num = 0;
2496 
2497     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2498     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2499 
2500     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2501         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2502             total += vnc_stat_rect(vs->vd, i, j)->freq;
2503             num++;
2504         }
2505     }
2506 
2507     if (num) {
2508         return total / num;
2509     } else {
2510         return 0;
2511     }
2512 }
2513 
2514 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2515 {
2516     VncRectStat *rect;
2517 
2518     rect = vnc_stat_rect(vd, x, y);
2519     if (rect->updated) {
2520         return ;
2521     }
2522     rect->times[rect->idx] = *tv;
2523     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2524     rect->updated = true;
2525 }
2526 
2527 static int vnc_refresh_server_surface(VncDisplay *vd)
2528 {
2529     int y;
2530     uint8_t *guest_row;
2531     uint8_t *server_row;
2532     int cmp_bytes;
2533     VncState *vs;
2534     int has_dirty = 0;
2535 
2536     struct timeval tv = { 0, 0 };
2537 
2538     if (!vd->non_adaptive) {
2539         gettimeofday(&tv, NULL);
2540         has_dirty = vnc_update_stats(vd, &tv);
2541     }
2542 
2543     /*
2544      * Walk through the guest dirty map.
2545      * Check and copy modified bits from guest to server surface.
2546      * Update server dirty map.
2547      */
2548     cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
2549     if (cmp_bytes > vd->ds->surface->linesize) {
2550         cmp_bytes = vd->ds->surface->linesize;
2551     }
2552     guest_row  = vd->guest.ds->data;
2553     server_row = vd->server->data;
2554     for (y = 0; y < vd->guest.ds->height; y++) {
2555         if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) {
2556             int x;
2557             uint8_t *guest_ptr;
2558             uint8_t *server_ptr;
2559 
2560             guest_ptr  = guest_row;
2561             server_ptr = server_row;
2562 
2563             for (x = 0; x + 15 < vd->guest.ds->width;
2564                     x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2565                 if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
2566                     continue;
2567                 if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
2568                     continue;
2569                 memcpy(server_ptr, guest_ptr, cmp_bytes);
2570                 if (!vd->non_adaptive)
2571                     vnc_rect_updated(vd, x, y, &tv);
2572                 QTAILQ_FOREACH(vs, &vd->clients, next) {
2573                     set_bit((x / 16), vs->dirty[y]);
2574                 }
2575                 has_dirty++;
2576             }
2577         }
2578         guest_row  += ds_get_linesize(vd->ds);
2579         server_row += ds_get_linesize(vd->ds);
2580     }
2581     return has_dirty;
2582 }
2583 
2584 static void vnc_refresh(void *opaque)
2585 {
2586     VncDisplay *vd = opaque;
2587     VncState *vs, *vn;
2588     int has_dirty, rects = 0;
2589 
2590     vga_hw_update();
2591 
2592     if (vnc_trylock_display(vd)) {
2593         vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2594         qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) +
2595                        vd->timer_interval);
2596         return;
2597     }
2598 
2599     has_dirty = vnc_refresh_server_surface(vd);
2600     vnc_unlock_display(vd);
2601 
2602     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2603         rects += vnc_update_client(vs, has_dirty);
2604         /* vs might be free()ed here */
2605     }
2606 
2607     /* vd->timer could be NULL now if the last client disconnected,
2608      * in this case don't update the timer */
2609     if (vd->timer == NULL)
2610         return;
2611 
2612     if (has_dirty && rects) {
2613         vd->timer_interval /= 2;
2614         if (vd->timer_interval < VNC_REFRESH_INTERVAL_BASE)
2615             vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2616     } else {
2617         vd->timer_interval += VNC_REFRESH_INTERVAL_INC;
2618         if (vd->timer_interval > VNC_REFRESH_INTERVAL_MAX)
2619             vd->timer_interval = VNC_REFRESH_INTERVAL_MAX;
2620     }
2621     qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval);
2622 }
2623 
2624 static void vnc_init_timer(VncDisplay *vd)
2625 {
2626     vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2627     if (vd->timer == NULL && !QTAILQ_EMPTY(&vd->clients)) {
2628         vd->timer = qemu_new_timer_ms(rt_clock, vnc_refresh, vd);
2629         vnc_dpy_resize(vd->ds);
2630         vnc_refresh(vd);
2631     }
2632 }
2633 
2634 static void vnc_remove_timer(VncDisplay *vd)
2635 {
2636     if (vd->timer != NULL && QTAILQ_EMPTY(&vd->clients)) {
2637         qemu_del_timer(vd->timer);
2638         qemu_free_timer(vd->timer);
2639         vd->timer = NULL;
2640     }
2641 }
2642 
2643 static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
2644 {
2645     VncState *vs = g_malloc0(sizeof(VncState));
2646     int i;
2647 
2648     vs->csock = csock;
2649 
2650     if (skipauth) {
2651 	vs->auth = VNC_AUTH_NONE;
2652 #ifdef CONFIG_VNC_TLS
2653 	vs->subauth = VNC_AUTH_INVALID;
2654 #endif
2655     } else {
2656 	vs->auth = vd->auth;
2657 #ifdef CONFIG_VNC_TLS
2658 	vs->subauth = vd->subauth;
2659 #endif
2660     }
2661 
2662     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2663     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2664         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2665     }
2666 
2667     VNC_DEBUG("New client on socket %d\n", csock);
2668     dcl->idle = 0;
2669     socket_set_nonblock(vs->csock);
2670     qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2671 
2672     vnc_client_cache_addr(vs);
2673     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
2674     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2675 
2676     vs->vd = vd;
2677     vs->ds = vd->ds;
2678     vs->last_x = -1;
2679     vs->last_y = -1;
2680 
2681     vs->as.freq = 44100;
2682     vs->as.nchannels = 2;
2683     vs->as.fmt = AUD_FMT_S16;
2684     vs->as.endianness = 0;
2685 
2686     qemu_mutex_init(&vs->output_mutex);
2687     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
2688 
2689     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2690 
2691     vga_hw_update();
2692 
2693     vnc_write(vs, "RFB 003.008\n", 12);
2694     vnc_flush(vs);
2695     vnc_read_when(vs, protocol_version, 12);
2696     reset_keys(vs);
2697     if (vs->vd->lock_key_sync)
2698         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2699 
2700     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2701     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2702 
2703     vnc_init_timer(vd);
2704 
2705     /* vs might be free()ed here */
2706 }
2707 
2708 static void vnc_listen_read(void *opaque)
2709 {
2710     VncDisplay *vs = opaque;
2711     struct sockaddr_in addr;
2712     socklen_t addrlen = sizeof(addr);
2713 
2714     /* Catch-up */
2715     vga_hw_update();
2716 
2717     int csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2718     if (csock != -1) {
2719         vnc_connect(vs, csock, 0);
2720     }
2721 }
2722 
2723 void vnc_display_init(DisplayState *ds)
2724 {
2725     VncDisplay *vs = g_malloc0(sizeof(*vs));
2726 
2727     dcl = g_malloc0(sizeof(DisplayChangeListener));
2728 
2729     ds->opaque = vs;
2730     dcl->idle = 1;
2731     vnc_display = vs;
2732 
2733     vs->lsock = -1;
2734 
2735     vs->ds = ds;
2736     QTAILQ_INIT(&vs->clients);
2737     vs->expires = TIME_MAX;
2738 
2739     if (keyboard_layout)
2740         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2741     else
2742         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2743 
2744     if (!vs->kbd_layout)
2745         exit(1);
2746 
2747     qemu_mutex_init(&vs->mutex);
2748     vnc_start_worker_thread();
2749 
2750     dcl->dpy_copy = vnc_dpy_copy;
2751     dcl->dpy_update = vnc_dpy_update;
2752     dcl->dpy_resize = vnc_dpy_resize;
2753     dcl->dpy_setdata = vnc_dpy_setdata;
2754     register_displaychangelistener(ds, dcl);
2755     ds->mouse_set = vnc_mouse_set;
2756     ds->cursor_define = vnc_dpy_cursor_define;
2757 }
2758 
2759 
2760 void vnc_display_close(DisplayState *ds)
2761 {
2762     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2763 
2764     if (!vs)
2765         return;
2766     if (vs->display) {
2767         g_free(vs->display);
2768         vs->display = NULL;
2769     }
2770     if (vs->lsock != -1) {
2771         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2772         close(vs->lsock);
2773         vs->lsock = -1;
2774     }
2775     vs->auth = VNC_AUTH_INVALID;
2776 #ifdef CONFIG_VNC_TLS
2777     vs->subauth = VNC_AUTH_INVALID;
2778     vs->tls.x509verify = 0;
2779 #endif
2780 }
2781 
2782 int vnc_display_disable_login(DisplayState *ds)
2783 {
2784     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2785 
2786     if (!vs) {
2787         return -1;
2788     }
2789 
2790     if (vs->password) {
2791         g_free(vs->password);
2792     }
2793 
2794     vs->password = NULL;
2795     if (vs->auth == VNC_AUTH_NONE) {
2796         vs->auth = VNC_AUTH_VNC;
2797     }
2798 
2799     return 0;
2800 }
2801 
2802 int vnc_display_password(DisplayState *ds, const char *password)
2803 {
2804     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2805 
2806     if (!vs) {
2807         return -EINVAL;
2808     }
2809 
2810     if (!password) {
2811         /* This is not the intention of this interface but err on the side
2812            of being safe */
2813         return vnc_display_disable_login(ds);
2814     }
2815 
2816     if (vs->password) {
2817         g_free(vs->password);
2818         vs->password = NULL;
2819     }
2820     vs->password = g_strdup(password);
2821     if (vs->auth == VNC_AUTH_NONE) {
2822         vs->auth = VNC_AUTH_VNC;
2823     }
2824 
2825     return 0;
2826 }
2827 
2828 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
2829 {
2830     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2831 
2832     if (!vs) {
2833         return -EINVAL;
2834     }
2835 
2836     vs->expires = expires;
2837     return 0;
2838 }
2839 
2840 char *vnc_display_local_addr(DisplayState *ds)
2841 {
2842     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2843 
2844     return vnc_socket_local_addr("%s:%s", vs->lsock);
2845 }
2846 
2847 int vnc_display_open(DisplayState *ds, const char *display)
2848 {
2849     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2850     const char *options;
2851     int password = 0;
2852     int reverse = 0;
2853 #ifdef CONFIG_VNC_TLS
2854     int tls = 0, x509 = 0;
2855 #endif
2856 #ifdef CONFIG_VNC_SASL
2857     int sasl = 0;
2858     int saslErr;
2859 #endif
2860 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
2861     int acl = 0;
2862 #endif
2863     int lock_key_sync = 1;
2864 
2865     if (!vnc_display)
2866         return -1;
2867     vnc_display_close(ds);
2868     if (strcmp(display, "none") == 0)
2869         return 0;
2870 
2871     if (!(vs->display = strdup(display)))
2872         return -1;
2873     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
2874 
2875     options = display;
2876     while ((options = strchr(options, ','))) {
2877         options++;
2878         if (strncmp(options, "password", 8) == 0) {
2879             if (fips_get_state()) {
2880                 fprintf(stderr,
2881                         "VNC password auth disabled due to FIPS mode, "
2882                         "consider using the VeNCrypt or SASL authentication "
2883                         "methods as an alternative\n");
2884                 g_free(vs->display);
2885                 vs->display = NULL;
2886                 return -1;
2887             }
2888             password = 1; /* Require password auth */
2889         } else if (strncmp(options, "reverse", 7) == 0) {
2890             reverse = 1;
2891         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
2892             lock_key_sync = 0;
2893 #ifdef CONFIG_VNC_SASL
2894         } else if (strncmp(options, "sasl", 4) == 0) {
2895             sasl = 1; /* Require SASL auth */
2896 #endif
2897 #ifdef CONFIG_VNC_TLS
2898         } else if (strncmp(options, "tls", 3) == 0) {
2899             tls = 1; /* Require TLS */
2900         } else if (strncmp(options, "x509", 4) == 0) {
2901             char *start, *end;
2902             x509 = 1; /* Require x509 certificates */
2903             if (strncmp(options, "x509verify", 10) == 0)
2904                 vs->tls.x509verify = 1; /* ...and verify client certs */
2905 
2906             /* Now check for 'x509=/some/path' postfix
2907              * and use that to setup x509 certificate/key paths */
2908             start = strchr(options, '=');
2909             end = strchr(options, ',');
2910             if (start && (!end || (start < end))) {
2911                 int len = end ? end-(start+1) : strlen(start+1);
2912                 char *path = g_strndup(start + 1, len);
2913 
2914                 VNC_DEBUG("Trying certificate path '%s'\n", path);
2915                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
2916                     fprintf(stderr, "Failed to find x509 certificates/keys in %s\n", path);
2917                     g_free(path);
2918                     g_free(vs->display);
2919                     vs->display = NULL;
2920                     return -1;
2921                 }
2922                 g_free(path);
2923             } else {
2924                 fprintf(stderr, "No certificate path provided\n");
2925                 g_free(vs->display);
2926                 vs->display = NULL;
2927                 return -1;
2928             }
2929 #endif
2930 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
2931         } else if (strncmp(options, "acl", 3) == 0) {
2932             acl = 1;
2933 #endif
2934         } else if (strncmp(options, "lossy", 5) == 0) {
2935             vs->lossy = true;
2936         } else if (strncmp(options, "non-adapative", 13) == 0) {
2937             vs->non_adaptive = true;
2938         } else if (strncmp(options, "share=", 6) == 0) {
2939             if (strncmp(options+6, "ignore", 6) == 0) {
2940                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
2941             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
2942                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
2943             } else if (strncmp(options+6, "force-shared", 12) == 0) {
2944                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
2945             } else {
2946                 fprintf(stderr, "unknown vnc share= option\n");
2947                 g_free(vs->display);
2948                 vs->display = NULL;
2949                 return -1;
2950             }
2951         }
2952     }
2953 
2954 #ifdef CONFIG_VNC_TLS
2955     if (acl && x509 && vs->tls.x509verify) {
2956         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
2957             fprintf(stderr, "Failed to create x509 dname ACL\n");
2958             exit(1);
2959         }
2960     }
2961 #endif
2962 #ifdef CONFIG_VNC_SASL
2963     if (acl && sasl) {
2964         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
2965             fprintf(stderr, "Failed to create username ACL\n");
2966             exit(1);
2967         }
2968     }
2969 #endif
2970 
2971     /*
2972      * Combinations we support here:
2973      *
2974      *  - no-auth                (clear text, no auth)
2975      *  - password               (clear text, weak auth)
2976      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
2977      *  - tls                    (encrypt, weak anonymous creds, no auth)
2978      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
2979      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
2980      *  - tls + x509             (encrypt, good x509 creds, no auth)
2981      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
2982      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
2983      *
2984      * NB1. TLS is a stackable auth scheme.
2985      * NB2. the x509 schemes have option to validate a client cert dname
2986      */
2987     if (password) {
2988 #ifdef CONFIG_VNC_TLS
2989         if (tls) {
2990             vs->auth = VNC_AUTH_VENCRYPT;
2991             if (x509) {
2992                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
2993                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
2994             } else {
2995                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
2996                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
2997             }
2998         } else {
2999 #endif /* CONFIG_VNC_TLS */
3000             VNC_DEBUG("Initializing VNC server with password auth\n");
3001             vs->auth = VNC_AUTH_VNC;
3002 #ifdef CONFIG_VNC_TLS
3003             vs->subauth = VNC_AUTH_INVALID;
3004         }
3005 #endif /* CONFIG_VNC_TLS */
3006 #ifdef CONFIG_VNC_SASL
3007     } else if (sasl) {
3008 #ifdef CONFIG_VNC_TLS
3009         if (tls) {
3010             vs->auth = VNC_AUTH_VENCRYPT;
3011             if (x509) {
3012                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3013                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3014             } else {
3015                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3016                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3017             }
3018         } else {
3019 #endif /* CONFIG_VNC_TLS */
3020             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3021             vs->auth = VNC_AUTH_SASL;
3022 #ifdef CONFIG_VNC_TLS
3023             vs->subauth = VNC_AUTH_INVALID;
3024         }
3025 #endif /* CONFIG_VNC_TLS */
3026 #endif /* CONFIG_VNC_SASL */
3027     } else {
3028 #ifdef CONFIG_VNC_TLS
3029         if (tls) {
3030             vs->auth = VNC_AUTH_VENCRYPT;
3031             if (x509) {
3032                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3033                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3034             } else {
3035                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3036                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3037             }
3038         } else {
3039 #endif
3040             VNC_DEBUG("Initializing VNC server with no auth\n");
3041             vs->auth = VNC_AUTH_NONE;
3042 #ifdef CONFIG_VNC_TLS
3043             vs->subauth = VNC_AUTH_INVALID;
3044         }
3045 #endif
3046     }
3047 
3048 #ifdef CONFIG_VNC_SASL
3049     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3050         fprintf(stderr, "Failed to initialize SASL auth %s",
3051                 sasl_errstring(saslErr, NULL, NULL));
3052         g_free(vs->display);
3053         vs->display = NULL;
3054         return -1;
3055     }
3056 #endif
3057     vs->lock_key_sync = lock_key_sync;
3058 
3059     if (reverse) {
3060         /* connect to viewer */
3061         if (strncmp(display, "unix:", 5) == 0)
3062             vs->lsock = unix_connect(display+5);
3063         else
3064             vs->lsock = inet_connect(display, true, NULL);
3065         if (-1 == vs->lsock) {
3066             g_free(vs->display);
3067             vs->display = NULL;
3068             return -1;
3069         } else {
3070             int csock = vs->lsock;
3071             vs->lsock = -1;
3072             vnc_connect(vs, csock, 0);
3073         }
3074         return 0;
3075 
3076     } else {
3077         /* listen for connects */
3078         char *dpy;
3079         dpy = g_malloc(256);
3080         if (strncmp(display, "unix:", 5) == 0) {
3081             pstrcpy(dpy, 256, "unix:");
3082             vs->lsock = unix_listen(display+5, dpy+5, 256-5);
3083         } else {
3084             vs->lsock = inet_listen(display, dpy, 256,
3085                                     SOCK_STREAM, 5900, NULL);
3086         }
3087         if (-1 == vs->lsock) {
3088             g_free(dpy);
3089             return -1;
3090         } else {
3091             g_free(vs->display);
3092             vs->display = dpy;
3093         }
3094     }
3095     return qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
3096 }
3097 
3098 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth)
3099 {
3100     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
3101 
3102     vnc_connect(vs, csock, skipauth);
3103 }
3104