xref: /openbmc/qemu/ui/vnc.c (revision 0221d73c)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/main-loop.h"
35 #include "qemu/module.h"
36 #include "qemu/option.h"
37 #include "qemu/sockets.h"
38 #include "qemu/timer.h"
39 #include "authz/list.h"
40 #include "qemu/config-file.h"
41 #include "qapi/qapi-emit-events.h"
42 #include "qapi/qapi-events-ui.h"
43 #include "qapi/error.h"
44 #include "qapi/qapi-commands-ui.h"
45 #include "ui/input.h"
46 #include "crypto/hash.h"
47 #include "crypto/tlscredsanon.h"
48 #include "crypto/tlscredsx509.h"
49 #include "crypto/random.h"
50 #include "qom/object_interfaces.h"
51 #include "qemu/cutils.h"
52 #include "io/dns-resolver.h"
53 
54 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
55 #define VNC_REFRESH_INTERVAL_INC  50
56 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
57 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
58 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
59 
60 #include "vnc_keysym.h"
61 #include "crypto/cipher.h"
62 
63 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
64     QTAILQ_HEAD_INITIALIZER(vnc_displays);
65 
66 static int vnc_cursor_define(VncState *vs);
67 static void vnc_update_throttle_offset(VncState *vs);
68 
69 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
70 {
71 #ifdef _VNC_DEBUG
72     static const char *mn[] = {
73         [0]                           = "undefined",
74         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
75         [VNC_SHARE_MODE_SHARED]       = "shared",
76         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
77         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
78     };
79     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
80             vs->ioc, mn[vs->share_mode], mn[mode]);
81 #endif
82 
83     switch (vs->share_mode) {
84     case VNC_SHARE_MODE_CONNECTING:
85         vs->vd->num_connecting--;
86         break;
87     case VNC_SHARE_MODE_SHARED:
88         vs->vd->num_shared--;
89         break;
90     case VNC_SHARE_MODE_EXCLUSIVE:
91         vs->vd->num_exclusive--;
92         break;
93     default:
94         break;
95     }
96 
97     vs->share_mode = mode;
98 
99     switch (vs->share_mode) {
100     case VNC_SHARE_MODE_CONNECTING:
101         vs->vd->num_connecting++;
102         break;
103     case VNC_SHARE_MODE_SHARED:
104         vs->vd->num_shared++;
105         break;
106     case VNC_SHARE_MODE_EXCLUSIVE:
107         vs->vd->num_exclusive++;
108         break;
109     default:
110         break;
111     }
112 }
113 
114 
115 static void vnc_init_basic_info(SocketAddress *addr,
116                                 VncBasicInfo *info,
117                                 Error **errp)
118 {
119     switch (addr->type) {
120     case SOCKET_ADDRESS_TYPE_INET:
121         info->host = g_strdup(addr->u.inet.host);
122         info->service = g_strdup(addr->u.inet.port);
123         if (addr->u.inet.ipv6) {
124             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
125         } else {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
127         }
128         break;
129 
130     case SOCKET_ADDRESS_TYPE_UNIX:
131         info->host = g_strdup("");
132         info->service = g_strdup(addr->u.q_unix.path);
133         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
134         break;
135 
136     case SOCKET_ADDRESS_TYPE_VSOCK:
137     case SOCKET_ADDRESS_TYPE_FD:
138         error_setg(errp, "Unsupported socket address type %s",
139                    SocketAddressType_str(addr->type));
140         break;
141     default:
142         abort();
143     }
144 
145     return;
146 }
147 
148 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
149                                                  VncBasicInfo *info,
150                                                  Error **errp)
151 {
152     SocketAddress *addr = NULL;
153 
154     if (!ioc) {
155         error_setg(errp, "No listener socket available");
156         return;
157     }
158 
159     addr = qio_channel_socket_get_local_address(ioc, errp);
160     if (!addr) {
161         return;
162     }
163 
164     vnc_init_basic_info(addr, info, errp);
165     qapi_free_SocketAddress(addr);
166 }
167 
168 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
169                                                  VncBasicInfo *info,
170                                                  Error **errp)
171 {
172     SocketAddress *addr = NULL;
173 
174     addr = qio_channel_socket_get_remote_address(ioc, errp);
175     if (!addr) {
176         return;
177     }
178 
179     vnc_init_basic_info(addr, info, errp);
180     qapi_free_SocketAddress(addr);
181 }
182 
183 static const char *vnc_auth_name(VncDisplay *vd) {
184     switch (vd->auth) {
185     case VNC_AUTH_INVALID:
186         return "invalid";
187     case VNC_AUTH_NONE:
188         return "none";
189     case VNC_AUTH_VNC:
190         return "vnc";
191     case VNC_AUTH_RA2:
192         return "ra2";
193     case VNC_AUTH_RA2NE:
194         return "ra2ne";
195     case VNC_AUTH_TIGHT:
196         return "tight";
197     case VNC_AUTH_ULTRA:
198         return "ultra";
199     case VNC_AUTH_TLS:
200         return "tls";
201     case VNC_AUTH_VENCRYPT:
202         switch (vd->subauth) {
203         case VNC_AUTH_VENCRYPT_PLAIN:
204             return "vencrypt+plain";
205         case VNC_AUTH_VENCRYPT_TLSNONE:
206             return "vencrypt+tls+none";
207         case VNC_AUTH_VENCRYPT_TLSVNC:
208             return "vencrypt+tls+vnc";
209         case VNC_AUTH_VENCRYPT_TLSPLAIN:
210             return "vencrypt+tls+plain";
211         case VNC_AUTH_VENCRYPT_X509NONE:
212             return "vencrypt+x509+none";
213         case VNC_AUTH_VENCRYPT_X509VNC:
214             return "vencrypt+x509+vnc";
215         case VNC_AUTH_VENCRYPT_X509PLAIN:
216             return "vencrypt+x509+plain";
217         case VNC_AUTH_VENCRYPT_TLSSASL:
218             return "vencrypt+tls+sasl";
219         case VNC_AUTH_VENCRYPT_X509SASL:
220             return "vencrypt+x509+sasl";
221         default:
222             return "vencrypt";
223         }
224     case VNC_AUTH_SASL:
225         return "sasl";
226     }
227     return "unknown";
228 }
229 
230 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
231 {
232     VncServerInfo *info;
233     Error *err = NULL;
234 
235     if (!vd->listener || !vd->listener->nsioc) {
236         return NULL;
237     }
238 
239     info = g_malloc0(sizeof(*info));
240     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
241                                          qapi_VncServerInfo_base(info), &err);
242     info->has_auth = true;
243     info->auth = g_strdup(vnc_auth_name(vd));
244     if (err) {
245         qapi_free_VncServerInfo(info);
246         info = NULL;
247         error_free(err);
248     }
249     return info;
250 }
251 
252 static void vnc_client_cache_auth(VncState *client)
253 {
254     if (!client->info) {
255         return;
256     }
257 
258     if (client->tls) {
259         client->info->x509_dname =
260             qcrypto_tls_session_get_peer_name(client->tls);
261         client->info->has_x509_dname =
262             client->info->x509_dname != NULL;
263     }
264 #ifdef CONFIG_VNC_SASL
265     if (client->sasl.conn &&
266         client->sasl.username) {
267         client->info->has_sasl_username = true;
268         client->info->sasl_username = g_strdup(client->sasl.username);
269     }
270 #endif
271 }
272 
273 static void vnc_client_cache_addr(VncState *client)
274 {
275     Error *err = NULL;
276 
277     client->info = g_malloc0(sizeof(*client->info));
278     vnc_init_basic_info_from_remote_addr(client->sioc,
279                                          qapi_VncClientInfo_base(client->info),
280                                          &err);
281     client->info->websocket = client->websocket;
282     if (err) {
283         qapi_free_VncClientInfo(client->info);
284         client->info = NULL;
285         error_free(err);
286     }
287 }
288 
289 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
290 {
291     VncServerInfo *si;
292 
293     if (!vs->info) {
294         return;
295     }
296 
297     si = vnc_server_info_get(vs->vd);
298     if (!si) {
299         return;
300     }
301 
302     switch (event) {
303     case QAPI_EVENT_VNC_CONNECTED:
304         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
305         break;
306     case QAPI_EVENT_VNC_INITIALIZED:
307         qapi_event_send_vnc_initialized(si, vs->info);
308         break;
309     case QAPI_EVENT_VNC_DISCONNECTED:
310         qapi_event_send_vnc_disconnected(si, vs->info);
311         break;
312     default:
313         break;
314     }
315 
316     qapi_free_VncServerInfo(si);
317 }
318 
319 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
320 {
321     VncClientInfo *info;
322     Error *err = NULL;
323 
324     info = g_malloc0(sizeof(*info));
325 
326     vnc_init_basic_info_from_remote_addr(client->sioc,
327                                          qapi_VncClientInfo_base(info),
328                                          &err);
329     if (err) {
330         error_free(err);
331         qapi_free_VncClientInfo(info);
332         return NULL;
333     }
334 
335     info->websocket = client->websocket;
336 
337     if (client->tls) {
338         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
339         info->has_x509_dname = info->x509_dname != NULL;
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->has_sasl_username = true;
344         info->sasl_username = g_strdup(client->sasl.username);
345     }
346 #endif
347 
348     return info;
349 }
350 
351 static VncDisplay *vnc_display_find(const char *id)
352 {
353     VncDisplay *vd;
354 
355     if (id == NULL) {
356         return QTAILQ_FIRST(&vnc_displays);
357     }
358     QTAILQ_FOREACH(vd, &vnc_displays, next) {
359         if (strcmp(id, vd->id) == 0) {
360             return vd;
361         }
362     }
363     return NULL;
364 }
365 
366 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
367 {
368     VncClientInfoList *cinfo, *prev = NULL;
369     VncState *client;
370 
371     QTAILQ_FOREACH(client, &vd->clients, next) {
372         cinfo = g_new0(VncClientInfoList, 1);
373         cinfo->value = qmp_query_vnc_client(client);
374         cinfo->next = prev;
375         prev = cinfo;
376     }
377     return prev;
378 }
379 
380 VncInfo *qmp_query_vnc(Error **errp)
381 {
382     VncInfo *info = g_malloc0(sizeof(*info));
383     VncDisplay *vd = vnc_display_find(NULL);
384     SocketAddress *addr = NULL;
385 
386     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
387         info->enabled = false;
388     } else {
389         info->enabled = true;
390 
391         /* for compatibility with the original command */
392         info->has_clients = true;
393         info->clients = qmp_query_client_list(vd);
394 
395         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
396                                                     errp);
397         if (!addr) {
398             goto out_error;
399         }
400 
401         switch (addr->type) {
402         case SOCKET_ADDRESS_TYPE_INET:
403             info->host = g_strdup(addr->u.inet.host);
404             info->service = g_strdup(addr->u.inet.port);
405             if (addr->u.inet.ipv6) {
406                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
407             } else {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
409             }
410             break;
411 
412         case SOCKET_ADDRESS_TYPE_UNIX:
413             info->host = g_strdup("");
414             info->service = g_strdup(addr->u.q_unix.path);
415             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
416             break;
417 
418         case SOCKET_ADDRESS_TYPE_VSOCK:
419         case SOCKET_ADDRESS_TYPE_FD:
420             error_setg(errp, "Unsupported socket address type %s",
421                        SocketAddressType_str(addr->type));
422             goto out_error;
423         default:
424             abort();
425         }
426 
427         info->has_host = true;
428         info->has_service = true;
429         info->has_family = true;
430 
431         info->has_auth = true;
432         info->auth = g_strdup(vnc_auth_name(vd));
433     }
434 
435     qapi_free_SocketAddress(addr);
436     return info;
437 
438 out_error:
439     qapi_free_SocketAddress(addr);
440     qapi_free_VncInfo(info);
441     return NULL;
442 }
443 
444 
445 static void qmp_query_auth(int auth, int subauth,
446                            VncPrimaryAuth *qmp_auth,
447                            VncVencryptSubAuth *qmp_vencrypt,
448                            bool *qmp_has_vencrypt);
449 
450 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
451                                                   bool websocket,
452                                                   int auth,
453                                                   int subauth,
454                                                   VncServerInfo2List *prev)
455 {
456     VncServerInfo2List *list;
457     VncServerInfo2 *info;
458     Error *err = NULL;
459     SocketAddress *addr;
460 
461     addr = qio_channel_socket_get_local_address(ioc, &err);
462     if (!addr) {
463         error_free(err);
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     list = g_new0(VncServerInfo2List, 1);
481     list->value = info;
482     list->next = prev;
483     return list;
484 }
485 
486 static void qmp_query_auth(int auth, int subauth,
487                            VncPrimaryAuth *qmp_auth,
488                            VncVencryptSubAuth *qmp_vencrypt,
489                            bool *qmp_has_vencrypt)
490 {
491     switch (auth) {
492     case VNC_AUTH_VNC:
493         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
494         break;
495     case VNC_AUTH_RA2:
496         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
497         break;
498     case VNC_AUTH_RA2NE:
499         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
500         break;
501     case VNC_AUTH_TIGHT:
502         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
503         break;
504     case VNC_AUTH_ULTRA:
505         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
506         break;
507     case VNC_AUTH_TLS:
508         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
509         break;
510     case VNC_AUTH_VENCRYPT:
511         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
512         *qmp_has_vencrypt = true;
513         switch (subauth) {
514         case VNC_AUTH_VENCRYPT_PLAIN:
515             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
516             break;
517         case VNC_AUTH_VENCRYPT_TLSNONE:
518             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
519             break;
520         case VNC_AUTH_VENCRYPT_TLSVNC:
521             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
522             break;
523         case VNC_AUTH_VENCRYPT_TLSPLAIN:
524             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
525             break;
526         case VNC_AUTH_VENCRYPT_X509NONE:
527             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
528             break;
529         case VNC_AUTH_VENCRYPT_X509VNC:
530             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
531             break;
532         case VNC_AUTH_VENCRYPT_X509PLAIN:
533             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
534             break;
535         case VNC_AUTH_VENCRYPT_TLSSASL:
536             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
537             break;
538         case VNC_AUTH_VENCRYPT_X509SASL:
539             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
540             break;
541         default:
542             *qmp_has_vencrypt = false;
543             break;
544         }
545         break;
546     case VNC_AUTH_SASL:
547         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
548         break;
549     case VNC_AUTH_NONE:
550     default:
551         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
552         break;
553     }
554 }
555 
556 VncInfo2List *qmp_query_vnc_servers(Error **errp)
557 {
558     VncInfo2List *item, *prev = NULL;
559     VncInfo2 *info;
560     VncDisplay *vd;
561     DeviceState *dev;
562     size_t i;
563 
564     QTAILQ_FOREACH(vd, &vnc_displays, next) {
565         info = g_new0(VncInfo2, 1);
566         info->id = g_strdup(vd->id);
567         info->clients = qmp_query_client_list(vd);
568         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
569                        &info->vencrypt, &info->has_vencrypt);
570         if (vd->dcl.con) {
571             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
572                                                   "device", NULL));
573             info->has_display = true;
574             info->display = g_strdup(dev->id);
575         }
576         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
577             info->server = qmp_query_server_entry(
578                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
579                 info->server);
580         }
581         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
582             info->server = qmp_query_server_entry(
583                 vd->wslistener->sioc[i], true, vd->ws_auth,
584                 vd->ws_subauth, info->server);
585         }
586 
587         item = g_new0(VncInfo2List, 1);
588         item->value = info;
589         item->next = prev;
590         prev = item;
591     }
592     return prev;
593 }
594 
595 /* TODO
596    1) Get the queue working for IO.
597    2) there is some weirdness when using the -S option (the screen is grey
598       and not totally invalidated
599    3) resolutions > 1024
600 */
601 
602 static int vnc_update_client(VncState *vs, int has_dirty);
603 static void vnc_disconnect_start(VncState *vs);
604 
605 static void vnc_colordepth(VncState *vs);
606 static void framebuffer_update_request(VncState *vs, int incremental,
607                                        int x_position, int y_position,
608                                        int w, int h);
609 static void vnc_refresh(DisplayChangeListener *dcl);
610 static int vnc_refresh_server_surface(VncDisplay *vd);
611 
612 static int vnc_width(VncDisplay *vd)
613 {
614     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
615                                        VNC_DIRTY_PIXELS_PER_BIT));
616 }
617 
618 static int vnc_height(VncDisplay *vd)
619 {
620     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
621 }
622 
623 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
624                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
625                                VncDisplay *vd,
626                                int x, int y, int w, int h)
627 {
628     int width = vnc_width(vd);
629     int height = vnc_height(vd);
630 
631     /* this is needed this to ensure we updated all affected
632      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
633     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
634     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
635 
636     x = MIN(x, width);
637     y = MIN(y, height);
638     w = MIN(x + w, width) - x;
639     h = MIN(y + h, height);
640 
641     for (; y < h; y++) {
642         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
643                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
644     }
645 }
646 
647 static void vnc_dpy_update(DisplayChangeListener *dcl,
648                            int x, int y, int w, int h)
649 {
650     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
651     struct VncSurface *s = &vd->guest;
652 
653     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
654 }
655 
656 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
657                             int32_t encoding)
658 {
659     vnc_write_u16(vs, x);
660     vnc_write_u16(vs, y);
661     vnc_write_u16(vs, w);
662     vnc_write_u16(vs, h);
663 
664     vnc_write_s32(vs, encoding);
665 }
666 
667 
668 static void vnc_desktop_resize(VncState *vs)
669 {
670     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
671         return;
672     }
673     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
674         vs->client_height == pixman_image_get_height(vs->vd->server)) {
675         return;
676     }
677 
678     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
679            pixman_image_get_width(vs->vd->server) >= 0);
680     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
681            pixman_image_get_height(vs->vd->server) >= 0);
682     vs->client_width = pixman_image_get_width(vs->vd->server);
683     vs->client_height = pixman_image_get_height(vs->vd->server);
684     vnc_lock_output(vs);
685     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
686     vnc_write_u8(vs, 0);
687     vnc_write_u16(vs, 1); /* number of rects */
688     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
689                            VNC_ENCODING_DESKTOPRESIZE);
690     vnc_unlock_output(vs);
691     vnc_flush(vs);
692 }
693 
694 static void vnc_abort_display_jobs(VncDisplay *vd)
695 {
696     VncState *vs;
697 
698     QTAILQ_FOREACH(vs, &vd->clients, next) {
699         vnc_lock_output(vs);
700         vs->abort = true;
701         vnc_unlock_output(vs);
702     }
703     QTAILQ_FOREACH(vs, &vd->clients, next) {
704         vnc_jobs_join(vs);
705     }
706     QTAILQ_FOREACH(vs, &vd->clients, next) {
707         vnc_lock_output(vs);
708         if (vs->update == VNC_STATE_UPDATE_NONE &&
709             vs->job_update != VNC_STATE_UPDATE_NONE) {
710             /* job aborted before completion */
711             vs->update = vs->job_update;
712             vs->job_update = VNC_STATE_UPDATE_NONE;
713         }
714         vs->abort = false;
715         vnc_unlock_output(vs);
716     }
717 }
718 
719 int vnc_server_fb_stride(VncDisplay *vd)
720 {
721     return pixman_image_get_stride(vd->server);
722 }
723 
724 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
725 {
726     uint8_t *ptr;
727 
728     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
729     ptr += y * vnc_server_fb_stride(vd);
730     ptr += x * VNC_SERVER_FB_BYTES;
731     return ptr;
732 }
733 
734 static void vnc_update_server_surface(VncDisplay *vd)
735 {
736     int width, height;
737 
738     qemu_pixman_image_unref(vd->server);
739     vd->server = NULL;
740 
741     if (QTAILQ_EMPTY(&vd->clients)) {
742         return;
743     }
744 
745     width = vnc_width(vd);
746     height = vnc_height(vd);
747     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
748                                           width, height,
749                                           NULL, 0);
750 
751     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
752     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
753                        width, height);
754 }
755 
756 static bool vnc_check_pageflip(DisplaySurface *s1,
757                                DisplaySurface *s2)
758 {
759     return (s1 != NULL &&
760             s2 != NULL &&
761             surface_width(s1) == surface_width(s2) &&
762             surface_height(s1) == surface_height(s2) &&
763             surface_format(s1) == surface_format(s2));
764 
765 }
766 
767 static void vnc_dpy_switch(DisplayChangeListener *dcl,
768                            DisplaySurface *surface)
769 {
770     static const char placeholder_msg[] =
771         "Display output is not active.";
772     static DisplaySurface *placeholder;
773     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
774     bool pageflip = vnc_check_pageflip(vd->ds, surface);
775     VncState *vs;
776 
777     if (surface == NULL) {
778         if (placeholder == NULL) {
779             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
780         }
781         surface = placeholder;
782     }
783 
784     vnc_abort_display_jobs(vd);
785     vd->ds = surface;
786 
787     /* guest surface */
788     qemu_pixman_image_unref(vd->guest.fb);
789     vd->guest.fb = pixman_image_ref(surface->image);
790     vd->guest.format = surface->format;
791 
792     if (pageflip) {
793         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
794                            surface_width(surface),
795                            surface_height(surface));
796         return;
797     }
798 
799     /* server surface */
800     vnc_update_server_surface(vd);
801 
802     QTAILQ_FOREACH(vs, &vd->clients, next) {
803         vnc_colordepth(vs);
804         vnc_desktop_resize(vs);
805         if (vs->vd->cursor) {
806             vnc_cursor_define(vs);
807         }
808         memset(vs->dirty, 0x00, sizeof(vs->dirty));
809         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
810                            vnc_width(vd),
811                            vnc_height(vd));
812         vnc_update_throttle_offset(vs);
813     }
814 }
815 
816 /* fastest code */
817 static void vnc_write_pixels_copy(VncState *vs,
818                                   void *pixels, int size)
819 {
820     vnc_write(vs, pixels, size);
821 }
822 
823 /* slowest but generic code. */
824 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
825 {
826     uint8_t r, g, b;
827 
828 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
829     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
830     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
831     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
832 #else
833 # error need some bits here if you change VNC_SERVER_FB_FORMAT
834 #endif
835     v = (r << vs->client_pf.rshift) |
836         (g << vs->client_pf.gshift) |
837         (b << vs->client_pf.bshift);
838     switch (vs->client_pf.bytes_per_pixel) {
839     case 1:
840         buf[0] = v;
841         break;
842     case 2:
843         if (vs->client_be) {
844             buf[0] = v >> 8;
845             buf[1] = v;
846         } else {
847             buf[1] = v >> 8;
848             buf[0] = v;
849         }
850         break;
851     default:
852     case 4:
853         if (vs->client_be) {
854             buf[0] = v >> 24;
855             buf[1] = v >> 16;
856             buf[2] = v >> 8;
857             buf[3] = v;
858         } else {
859             buf[3] = v >> 24;
860             buf[2] = v >> 16;
861             buf[1] = v >> 8;
862             buf[0] = v;
863         }
864         break;
865     }
866 }
867 
868 static void vnc_write_pixels_generic(VncState *vs,
869                                      void *pixels1, int size)
870 {
871     uint8_t buf[4];
872 
873     if (VNC_SERVER_FB_BYTES == 4) {
874         uint32_t *pixels = pixels1;
875         int n, i;
876         n = size >> 2;
877         for (i = 0; i < n; i++) {
878             vnc_convert_pixel(vs, buf, pixels[i]);
879             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
880         }
881     }
882 }
883 
884 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
885 {
886     int i;
887     uint8_t *row;
888     VncDisplay *vd = vs->vd;
889 
890     row = vnc_server_fb_ptr(vd, x, y);
891     for (i = 0; i < h; i++) {
892         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
893         row += vnc_server_fb_stride(vd);
894     }
895     return 1;
896 }
897 
898 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
899 {
900     int n = 0;
901     bool encode_raw = false;
902     size_t saved_offs = vs->output.offset;
903 
904     switch(vs->vnc_encoding) {
905         case VNC_ENCODING_ZLIB:
906             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
907             break;
908         case VNC_ENCODING_HEXTILE:
909             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
910             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
911             break;
912         case VNC_ENCODING_TIGHT:
913             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
914             break;
915         case VNC_ENCODING_TIGHT_PNG:
916             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
917             break;
918         case VNC_ENCODING_ZRLE:
919             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
920             break;
921         case VNC_ENCODING_ZYWRLE:
922             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
923             break;
924         default:
925             encode_raw = true;
926             break;
927     }
928 
929     /* If the client has the same pixel format as our internal buffer and
930      * a RAW encoding would need less space fall back to RAW encoding to
931      * save bandwidth and processing power in the client. */
932     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
933         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
934         vs->output.offset = saved_offs;
935         encode_raw = true;
936     }
937 
938     if (encode_raw) {
939         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
940         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
941     }
942 
943     return n;
944 }
945 
946 static void vnc_mouse_set(DisplayChangeListener *dcl,
947                           int x, int y, int visible)
948 {
949     /* can we ask the client(s) to move the pointer ??? */
950 }
951 
952 static int vnc_cursor_define(VncState *vs)
953 {
954     QEMUCursor *c = vs->vd->cursor;
955     int isize;
956 
957     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
958         vnc_lock_output(vs);
959         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
960         vnc_write_u8(vs,  0);  /*  padding     */
961         vnc_write_u16(vs, 1);  /*  # of rects  */
962         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
963                                VNC_ENCODING_RICH_CURSOR);
964         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
965         vnc_write_pixels_generic(vs, c->data, isize);
966         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
967         vnc_unlock_output(vs);
968         return 0;
969     }
970     return -1;
971 }
972 
973 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
974                                   QEMUCursor *c)
975 {
976     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
977     VncState *vs;
978 
979     cursor_put(vd->cursor);
980     g_free(vd->cursor_mask);
981 
982     vd->cursor = c;
983     cursor_get(vd->cursor);
984     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
985     vd->cursor_mask = g_malloc0(vd->cursor_msize);
986     cursor_get_mono_mask(c, 0, vd->cursor_mask);
987 
988     QTAILQ_FOREACH(vs, &vd->clients, next) {
989         vnc_cursor_define(vs);
990     }
991 }
992 
993 static int find_and_clear_dirty_height(VncState *vs,
994                                        int y, int last_x, int x, int height)
995 {
996     int h;
997 
998     for (h = 1; h < (height - y); h++) {
999         if (!test_bit(last_x, vs->dirty[y + h])) {
1000             break;
1001         }
1002         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1003     }
1004 
1005     return h;
1006 }
1007 
1008 /*
1009  * Figure out how much pending data we should allow in the output
1010  * buffer before we throttle incremental display updates, and/or
1011  * drop audio samples.
1012  *
1013  * We allow for equiv of 1 full display's worth of FB updates,
1014  * and 1 second of audio samples. If audio backlog was larger
1015  * than that the client would already suffering awful audio
1016  * glitches, so dropping samples is no worse really).
1017  */
1018 static void vnc_update_throttle_offset(VncState *vs)
1019 {
1020     size_t offset =
1021         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1022 
1023     if (vs->audio_cap) {
1024         int bps;
1025         switch (vs->as.fmt) {
1026         default:
1027         case  AUDIO_FORMAT_U8:
1028         case  AUDIO_FORMAT_S8:
1029             bps = 1;
1030             break;
1031         case  AUDIO_FORMAT_U16:
1032         case  AUDIO_FORMAT_S16:
1033             bps = 2;
1034             break;
1035         case  AUDIO_FORMAT_U32:
1036         case  AUDIO_FORMAT_S32:
1037             bps = 4;
1038             break;
1039         }
1040         offset += vs->as.freq * bps * vs->as.nchannels;
1041     }
1042 
1043     /* Put a floor of 1MB on offset, so that if we have a large pending
1044      * buffer and the display is resized to a small size & back again
1045      * we don't suddenly apply a tiny send limit
1046      */
1047     offset = MAX(offset, 1024 * 1024);
1048 
1049     if (vs->throttle_output_offset != offset) {
1050         trace_vnc_client_throttle_threshold(
1051             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1052             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1053     }
1054 
1055     vs->throttle_output_offset = offset;
1056 }
1057 
1058 static bool vnc_should_update(VncState *vs)
1059 {
1060     switch (vs->update) {
1061     case VNC_STATE_UPDATE_NONE:
1062         break;
1063     case VNC_STATE_UPDATE_INCREMENTAL:
1064         /* Only allow incremental updates if the pending send queue
1065          * is less than the permitted threshold, and the job worker
1066          * is completely idle.
1067          */
1068         if (vs->output.offset < vs->throttle_output_offset &&
1069             vs->job_update == VNC_STATE_UPDATE_NONE) {
1070             return true;
1071         }
1072         trace_vnc_client_throttle_incremental(
1073             vs, vs->ioc, vs->job_update, vs->output.offset);
1074         break;
1075     case VNC_STATE_UPDATE_FORCE:
1076         /* Only allow forced updates if the pending send queue
1077          * does not contain a previous forced update, and the
1078          * job worker is completely idle.
1079          *
1080          * Note this means we'll queue a forced update, even if
1081          * the output buffer size is otherwise over the throttle
1082          * output limit.
1083          */
1084         if (vs->force_update_offset == 0 &&
1085             vs->job_update == VNC_STATE_UPDATE_NONE) {
1086             return true;
1087         }
1088         trace_vnc_client_throttle_forced(
1089             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1090         break;
1091     }
1092     return false;
1093 }
1094 
1095 static int vnc_update_client(VncState *vs, int has_dirty)
1096 {
1097     VncDisplay *vd = vs->vd;
1098     VncJob *job;
1099     int y;
1100     int height, width;
1101     int n = 0;
1102 
1103     if (vs->disconnecting) {
1104         vnc_disconnect_finish(vs);
1105         return 0;
1106     }
1107 
1108     vs->has_dirty += has_dirty;
1109     if (!vnc_should_update(vs)) {
1110         return 0;
1111     }
1112 
1113     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1114         return 0;
1115     }
1116 
1117     /*
1118      * Send screen updates to the vnc client using the server
1119      * surface and server dirty map.  guest surface updates
1120      * happening in parallel don't disturb us, the next pass will
1121      * send them to the client.
1122      */
1123     job = vnc_job_new(vs);
1124 
1125     height = pixman_image_get_height(vd->server);
1126     width = pixman_image_get_width(vd->server);
1127 
1128     y = 0;
1129     for (;;) {
1130         int x, h;
1131         unsigned long x2;
1132         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1133                                              height * VNC_DIRTY_BPL(vs),
1134                                              y * VNC_DIRTY_BPL(vs));
1135         if (offset == height * VNC_DIRTY_BPL(vs)) {
1136             /* no more dirty bits */
1137             break;
1138         }
1139         y = offset / VNC_DIRTY_BPL(vs);
1140         x = offset % VNC_DIRTY_BPL(vs);
1141         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1142                                 VNC_DIRTY_BPL(vs), x);
1143         bitmap_clear(vs->dirty[y], x, x2 - x);
1144         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1145         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1146         if (x2 > x) {
1147             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1148                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1149         }
1150         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1151             y += h;
1152             if (y == height) {
1153                 break;
1154             }
1155         }
1156     }
1157 
1158     vs->job_update = vs->update;
1159     vs->update = VNC_STATE_UPDATE_NONE;
1160     vnc_job_push(job);
1161     vs->has_dirty = 0;
1162     return n;
1163 }
1164 
1165 /* audio */
1166 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1167 {
1168     VncState *vs = opaque;
1169 
1170     assert(vs->magic == VNC_MAGIC);
1171     switch (cmd) {
1172     case AUD_CNOTIFY_DISABLE:
1173         vnc_lock_output(vs);
1174         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1175         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1176         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1177         vnc_unlock_output(vs);
1178         vnc_flush(vs);
1179         break;
1180 
1181     case AUD_CNOTIFY_ENABLE:
1182         vnc_lock_output(vs);
1183         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1184         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1185         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1186         vnc_unlock_output(vs);
1187         vnc_flush(vs);
1188         break;
1189     }
1190 }
1191 
1192 static void audio_capture_destroy(void *opaque)
1193 {
1194 }
1195 
1196 static void audio_capture(void *opaque, void *buf, int size)
1197 {
1198     VncState *vs = opaque;
1199 
1200     assert(vs->magic == VNC_MAGIC);
1201     vnc_lock_output(vs);
1202     if (vs->output.offset < vs->throttle_output_offset) {
1203         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1204         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1205         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1206         vnc_write_u32(vs, size);
1207         vnc_write(vs, buf, size);
1208     } else {
1209         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1210     }
1211     vnc_unlock_output(vs);
1212     vnc_flush(vs);
1213 }
1214 
1215 static void audio_add(VncState *vs)
1216 {
1217     struct audio_capture_ops ops;
1218 
1219     if (vs->audio_cap) {
1220         error_report("audio already running");
1221         return;
1222     }
1223 
1224     ops.notify = audio_capture_notify;
1225     ops.destroy = audio_capture_destroy;
1226     ops.capture = audio_capture;
1227 
1228     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1229     if (!vs->audio_cap) {
1230         error_report("Failed to add audio capture");
1231     }
1232 }
1233 
1234 static void audio_del(VncState *vs)
1235 {
1236     if (vs->audio_cap) {
1237         AUD_del_capture(vs->audio_cap, vs);
1238         vs->audio_cap = NULL;
1239     }
1240 }
1241 
1242 static void vnc_disconnect_start(VncState *vs)
1243 {
1244     if (vs->disconnecting) {
1245         return;
1246     }
1247     trace_vnc_client_disconnect_start(vs, vs->ioc);
1248     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1249     if (vs->ioc_tag) {
1250         g_source_remove(vs->ioc_tag);
1251         vs->ioc_tag = 0;
1252     }
1253     qio_channel_close(vs->ioc, NULL);
1254     vs->disconnecting = TRUE;
1255 }
1256 
1257 void vnc_disconnect_finish(VncState *vs)
1258 {
1259     int i;
1260 
1261     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1262 
1263     vnc_jobs_join(vs); /* Wait encoding jobs */
1264 
1265     vnc_lock_output(vs);
1266     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1267 
1268     buffer_free(&vs->input);
1269     buffer_free(&vs->output);
1270 
1271     qapi_free_VncClientInfo(vs->info);
1272 
1273     vnc_zlib_clear(vs);
1274     vnc_tight_clear(vs);
1275     vnc_zrle_clear(vs);
1276 
1277 #ifdef CONFIG_VNC_SASL
1278     vnc_sasl_client_cleanup(vs);
1279 #endif /* CONFIG_VNC_SASL */
1280     audio_del(vs);
1281     qkbd_state_lift_all_keys(vs->vd->kbd);
1282 
1283     if (vs->mouse_mode_notifier.notify != NULL) {
1284         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1285     }
1286     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1287     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1288         /* last client gone */
1289         vnc_update_server_surface(vs->vd);
1290     }
1291 
1292     vnc_unlock_output(vs);
1293 
1294     qemu_mutex_destroy(&vs->output_mutex);
1295     if (vs->bh != NULL) {
1296         qemu_bh_delete(vs->bh);
1297     }
1298     buffer_free(&vs->jobs_buffer);
1299 
1300     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1301         g_free(vs->lossy_rect[i]);
1302     }
1303     g_free(vs->lossy_rect);
1304 
1305     object_unref(OBJECT(vs->ioc));
1306     vs->ioc = NULL;
1307     object_unref(OBJECT(vs->sioc));
1308     vs->sioc = NULL;
1309     vs->magic = 0;
1310     g_free(vs->zrle);
1311     g_free(vs->tight);
1312     g_free(vs);
1313 }
1314 
1315 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1316 {
1317     if (ret <= 0) {
1318         if (ret == 0) {
1319             trace_vnc_client_eof(vs, vs->ioc);
1320             vnc_disconnect_start(vs);
1321         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1322             trace_vnc_client_io_error(vs, vs->ioc,
1323                                       errp ? error_get_pretty(*errp) :
1324                                       "Unknown");
1325             vnc_disconnect_start(vs);
1326         }
1327 
1328         if (errp) {
1329             error_free(*errp);
1330             *errp = NULL;
1331         }
1332         return 0;
1333     }
1334     return ret;
1335 }
1336 
1337 
1338 void vnc_client_error(VncState *vs)
1339 {
1340     VNC_DEBUG("Closing down client sock: protocol error\n");
1341     vnc_disconnect_start(vs);
1342 }
1343 
1344 
1345 /*
1346  * Called to write a chunk of data to the client socket. The data may
1347  * be the raw data, or may have already been encoded by SASL.
1348  * The data will be written either straight onto the socket, or
1349  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1350  *
1351  * NB, it is theoretically possible to have 2 layers of encryption,
1352  * both SASL, and this TLS layer. It is highly unlikely in practice
1353  * though, since SASL encryption will typically be a no-op if TLS
1354  * is active
1355  *
1356  * Returns the number of bytes written, which may be less than
1357  * the requested 'datalen' if the socket would block. Returns
1358  * 0 on I/O error, and disconnects the client socket.
1359  */
1360 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1361 {
1362     Error *err = NULL;
1363     ssize_t ret;
1364     ret = qio_channel_write(
1365         vs->ioc, (const char *)data, datalen, &err);
1366     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1367     return vnc_client_io_error(vs, ret, &err);
1368 }
1369 
1370 
1371 /*
1372  * Called to write buffered data to the client socket, when not
1373  * using any SASL SSF encryption layers. Will write as much data
1374  * as possible without blocking. If all buffered data is written,
1375  * will switch the FD poll() handler back to read monitoring.
1376  *
1377  * Returns the number of bytes written, which may be less than
1378  * the buffered output data if the socket would block.  Returns
1379  * 0 on I/O error, and disconnects the client socket.
1380  */
1381 static size_t vnc_client_write_plain(VncState *vs)
1382 {
1383     size_t offset;
1384     size_t ret;
1385 
1386 #ifdef CONFIG_VNC_SASL
1387     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1388               vs->output.buffer, vs->output.capacity, vs->output.offset,
1389               vs->sasl.waitWriteSSF);
1390 
1391     if (vs->sasl.conn &&
1392         vs->sasl.runSSF &&
1393         vs->sasl.waitWriteSSF) {
1394         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1395         if (ret)
1396             vs->sasl.waitWriteSSF -= ret;
1397     } else
1398 #endif /* CONFIG_VNC_SASL */
1399         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1400     if (!ret)
1401         return 0;
1402 
1403     if (ret >= vs->force_update_offset) {
1404         if (vs->force_update_offset != 0) {
1405             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1406         }
1407         vs->force_update_offset = 0;
1408     } else {
1409         vs->force_update_offset -= ret;
1410     }
1411     offset = vs->output.offset;
1412     buffer_advance(&vs->output, ret);
1413     if (offset >= vs->throttle_output_offset &&
1414         vs->output.offset < vs->throttle_output_offset) {
1415         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1416     }
1417 
1418     if (vs->output.offset == 0) {
1419         if (vs->ioc_tag) {
1420             g_source_remove(vs->ioc_tag);
1421         }
1422         vs->ioc_tag = qio_channel_add_watch(
1423             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1424     }
1425 
1426     return ret;
1427 }
1428 
1429 
1430 /*
1431  * First function called whenever there is data to be written to
1432  * the client socket. Will delegate actual work according to whether
1433  * SASL SSF layers are enabled (thus requiring encryption calls)
1434  */
1435 static void vnc_client_write_locked(VncState *vs)
1436 {
1437 #ifdef CONFIG_VNC_SASL
1438     if (vs->sasl.conn &&
1439         vs->sasl.runSSF &&
1440         !vs->sasl.waitWriteSSF) {
1441         vnc_client_write_sasl(vs);
1442     } else
1443 #endif /* CONFIG_VNC_SASL */
1444     {
1445         vnc_client_write_plain(vs);
1446     }
1447 }
1448 
1449 static void vnc_client_write(VncState *vs)
1450 {
1451     assert(vs->magic == VNC_MAGIC);
1452     vnc_lock_output(vs);
1453     if (vs->output.offset) {
1454         vnc_client_write_locked(vs);
1455     } else if (vs->ioc != NULL) {
1456         if (vs->ioc_tag) {
1457             g_source_remove(vs->ioc_tag);
1458         }
1459         vs->ioc_tag = qio_channel_add_watch(
1460             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1461     }
1462     vnc_unlock_output(vs);
1463 }
1464 
1465 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1466 {
1467     vs->read_handler = func;
1468     vs->read_handler_expect = expecting;
1469 }
1470 
1471 
1472 /*
1473  * Called to read a chunk of data from the client socket. The data may
1474  * be the raw data, or may need to be further decoded by SASL.
1475  * The data will be read either straight from to the socket, or
1476  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1477  *
1478  * NB, it is theoretically possible to have 2 layers of encryption,
1479  * both SASL, and this TLS layer. It is highly unlikely in practice
1480  * though, since SASL encryption will typically be a no-op if TLS
1481  * is active
1482  *
1483  * Returns the number of bytes read, which may be less than
1484  * the requested 'datalen' if the socket would block. Returns
1485  * 0 on I/O error or EOF, and disconnects the client socket.
1486  */
1487 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1488 {
1489     ssize_t ret;
1490     Error *err = NULL;
1491     ret = qio_channel_read(
1492         vs->ioc, (char *)data, datalen, &err);
1493     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1494     return vnc_client_io_error(vs, ret, &err);
1495 }
1496 
1497 
1498 /*
1499  * Called to read data from the client socket to the input buffer,
1500  * when not using any SASL SSF encryption layers. Will read as much
1501  * data as possible without blocking.
1502  *
1503  * Returns the number of bytes read, which may be less than
1504  * the requested 'datalen' if the socket would block. Returns
1505  * 0 on I/O error or EOF, and disconnects the client socket.
1506  */
1507 static size_t vnc_client_read_plain(VncState *vs)
1508 {
1509     size_t ret;
1510     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1511               vs->input.buffer, vs->input.capacity, vs->input.offset);
1512     buffer_reserve(&vs->input, 4096);
1513     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1514     if (!ret)
1515         return 0;
1516     vs->input.offset += ret;
1517     return ret;
1518 }
1519 
1520 static void vnc_jobs_bh(void *opaque)
1521 {
1522     VncState *vs = opaque;
1523 
1524     assert(vs->magic == VNC_MAGIC);
1525     vnc_jobs_consume_buffer(vs);
1526 }
1527 
1528 /*
1529  * First function called whenever there is more data to be read from
1530  * the client socket. Will delegate actual work according to whether
1531  * SASL SSF layers are enabled (thus requiring decryption calls)
1532  * Returns 0 on success, -1 if client disconnected
1533  */
1534 static int vnc_client_read(VncState *vs)
1535 {
1536     size_t ret;
1537 
1538 #ifdef CONFIG_VNC_SASL
1539     if (vs->sasl.conn && vs->sasl.runSSF)
1540         ret = vnc_client_read_sasl(vs);
1541     else
1542 #endif /* CONFIG_VNC_SASL */
1543         ret = vnc_client_read_plain(vs);
1544     if (!ret) {
1545         if (vs->disconnecting) {
1546             vnc_disconnect_finish(vs);
1547             return -1;
1548         }
1549         return 0;
1550     }
1551 
1552     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1553         size_t len = vs->read_handler_expect;
1554         int ret;
1555 
1556         ret = vs->read_handler(vs, vs->input.buffer, len);
1557         if (vs->disconnecting) {
1558             vnc_disconnect_finish(vs);
1559             return -1;
1560         }
1561 
1562         if (!ret) {
1563             buffer_advance(&vs->input, len);
1564         } else {
1565             vs->read_handler_expect = ret;
1566         }
1567     }
1568     return 0;
1569 }
1570 
1571 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1572                        GIOCondition condition, void *opaque)
1573 {
1574     VncState *vs = opaque;
1575 
1576     assert(vs->magic == VNC_MAGIC);
1577     if (condition & G_IO_IN) {
1578         if (vnc_client_read(vs) < 0) {
1579             /* vs is free()ed here */
1580             return TRUE;
1581         }
1582     }
1583     if (condition & G_IO_OUT) {
1584         vnc_client_write(vs);
1585     }
1586 
1587     if (vs->disconnecting) {
1588         if (vs->ioc_tag != 0) {
1589             g_source_remove(vs->ioc_tag);
1590         }
1591         vs->ioc_tag = 0;
1592     }
1593     return TRUE;
1594 }
1595 
1596 
1597 /*
1598  * Scale factor to apply to vs->throttle_output_offset when checking for
1599  * hard limit. Worst case normal usage could be x2, if we have a complete
1600  * incremental update and complete forced update in the output buffer.
1601  * So x3 should be good enough, but we pick x5 to be conservative and thus
1602  * (hopefully) never trigger incorrectly.
1603  */
1604 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1605 
1606 void vnc_write(VncState *vs, const void *data, size_t len)
1607 {
1608     assert(vs->magic == VNC_MAGIC);
1609     if (vs->disconnecting) {
1610         return;
1611     }
1612     /* Protection against malicious client/guest to prevent our output
1613      * buffer growing without bound if client stops reading data. This
1614      * should rarely trigger, because we have earlier throttling code
1615      * which stops issuing framebuffer updates and drops audio data
1616      * if the throttle_output_offset value is exceeded. So we only reach
1617      * this higher level if a huge number of pseudo-encodings get
1618      * triggered while data can't be sent on the socket.
1619      *
1620      * NB throttle_output_offset can be zero during early protocol
1621      * handshake, or from the job thread's VncState clone
1622      */
1623     if (vs->throttle_output_offset != 0 &&
1624         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1625         vs->throttle_output_offset) {
1626         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1627                                       vs->throttle_output_offset);
1628         vnc_disconnect_start(vs);
1629         return;
1630     }
1631     buffer_reserve(&vs->output, len);
1632 
1633     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1634         if (vs->ioc_tag) {
1635             g_source_remove(vs->ioc_tag);
1636         }
1637         vs->ioc_tag = qio_channel_add_watch(
1638             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1639     }
1640 
1641     buffer_append(&vs->output, data, len);
1642 }
1643 
1644 void vnc_write_s32(VncState *vs, int32_t value)
1645 {
1646     vnc_write_u32(vs, *(uint32_t *)&value);
1647 }
1648 
1649 void vnc_write_u32(VncState *vs, uint32_t value)
1650 {
1651     uint8_t buf[4];
1652 
1653     buf[0] = (value >> 24) & 0xFF;
1654     buf[1] = (value >> 16) & 0xFF;
1655     buf[2] = (value >>  8) & 0xFF;
1656     buf[3] = value & 0xFF;
1657 
1658     vnc_write(vs, buf, 4);
1659 }
1660 
1661 void vnc_write_u16(VncState *vs, uint16_t value)
1662 {
1663     uint8_t buf[2];
1664 
1665     buf[0] = (value >> 8) & 0xFF;
1666     buf[1] = value & 0xFF;
1667 
1668     vnc_write(vs, buf, 2);
1669 }
1670 
1671 void vnc_write_u8(VncState *vs, uint8_t value)
1672 {
1673     vnc_write(vs, (char *)&value, 1);
1674 }
1675 
1676 void vnc_flush(VncState *vs)
1677 {
1678     vnc_lock_output(vs);
1679     if (vs->ioc != NULL && vs->output.offset) {
1680         vnc_client_write_locked(vs);
1681     }
1682     if (vs->disconnecting) {
1683         if (vs->ioc_tag != 0) {
1684             g_source_remove(vs->ioc_tag);
1685         }
1686         vs->ioc_tag = 0;
1687     }
1688     vnc_unlock_output(vs);
1689 }
1690 
1691 static uint8_t read_u8(uint8_t *data, size_t offset)
1692 {
1693     return data[offset];
1694 }
1695 
1696 static uint16_t read_u16(uint8_t *data, size_t offset)
1697 {
1698     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1699 }
1700 
1701 static int32_t read_s32(uint8_t *data, size_t offset)
1702 {
1703     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1704                      (data[offset + 2] << 8) | data[offset + 3]);
1705 }
1706 
1707 uint32_t read_u32(uint8_t *data, size_t offset)
1708 {
1709     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1710             (data[offset + 2] << 8) | data[offset + 3]);
1711 }
1712 
1713 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1714 {
1715 }
1716 
1717 static void check_pointer_type_change(Notifier *notifier, void *data)
1718 {
1719     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1720     int absolute = qemu_input_is_absolute();
1721 
1722     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1723         vnc_lock_output(vs);
1724         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1725         vnc_write_u8(vs, 0);
1726         vnc_write_u16(vs, 1);
1727         vnc_framebuffer_update(vs, absolute, 0,
1728                                pixman_image_get_width(vs->vd->server),
1729                                pixman_image_get_height(vs->vd->server),
1730                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1731         vnc_unlock_output(vs);
1732         vnc_flush(vs);
1733     }
1734     vs->absolute = absolute;
1735 }
1736 
1737 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1738 {
1739     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1740         [INPUT_BUTTON_LEFT]       = 0x01,
1741         [INPUT_BUTTON_MIDDLE]     = 0x02,
1742         [INPUT_BUTTON_RIGHT]      = 0x04,
1743         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1744         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1745     };
1746     QemuConsole *con = vs->vd->dcl.con;
1747     int width = pixman_image_get_width(vs->vd->server);
1748     int height = pixman_image_get_height(vs->vd->server);
1749 
1750     if (vs->last_bmask != button_mask) {
1751         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1752         vs->last_bmask = button_mask;
1753     }
1754 
1755     if (vs->absolute) {
1756         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1757         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1758     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1759         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1760         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1761     } else {
1762         if (vs->last_x != -1) {
1763             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1764             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1765         }
1766         vs->last_x = x;
1767         vs->last_y = y;
1768     }
1769     qemu_input_event_sync();
1770 }
1771 
1772 static void press_key(VncState *vs, QKeyCode qcode)
1773 {
1774     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1775     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1776 }
1777 
1778 static void vnc_led_state_change(VncState *vs)
1779 {
1780     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1781         return;
1782     }
1783 
1784     vnc_lock_output(vs);
1785     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1786     vnc_write_u8(vs, 0);
1787     vnc_write_u16(vs, 1);
1788     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1789     vnc_write_u8(vs, vs->vd->ledstate);
1790     vnc_unlock_output(vs);
1791     vnc_flush(vs);
1792 }
1793 
1794 static void kbd_leds(void *opaque, int ledstate)
1795 {
1796     VncDisplay *vd = opaque;
1797     VncState *client;
1798 
1799     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1800                              (ledstate & QEMU_NUM_LOCK_LED),
1801                              (ledstate & QEMU_SCROLL_LOCK_LED));
1802 
1803     if (ledstate == vd->ledstate) {
1804         return;
1805     }
1806 
1807     vd->ledstate = ledstate;
1808 
1809     QTAILQ_FOREACH(client, &vd->clients, next) {
1810         vnc_led_state_change(client);
1811     }
1812 }
1813 
1814 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1815 {
1816     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1817 
1818     /* QEMU console switch */
1819     switch (qcode) {
1820     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1821         if (vs->vd->dcl.con == NULL && down &&
1822             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1823             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1824             /* Reset the modifiers sent to the current console */
1825             qkbd_state_lift_all_keys(vs->vd->kbd);
1826             console_select(qcode - Q_KEY_CODE_1);
1827             return;
1828         }
1829     default:
1830         break;
1831     }
1832 
1833     /* Turn off the lock state sync logic if the client support the led
1834        state extension.
1835     */
1836     if (down && vs->vd->lock_key_sync &&
1837         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1838         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1839         /* If the numlock state needs to change then simulate an additional
1840            keypress before sending this one.  This will happen if the user
1841            toggles numlock away from the VNC window.
1842         */
1843         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1844             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1845                 trace_vnc_key_sync_numlock(true);
1846                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1847             }
1848         } else {
1849             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1850                 trace_vnc_key_sync_numlock(false);
1851                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1852             }
1853         }
1854     }
1855 
1856     if (down && vs->vd->lock_key_sync &&
1857         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1858         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1859         /* If the capslock state needs to change then simulate an additional
1860            keypress before sending this one.  This will happen if the user
1861            toggles capslock away from the VNC window.
1862         */
1863         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1864         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1865         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1866         if (capslock) {
1867             if (uppercase == shift) {
1868                 trace_vnc_key_sync_capslock(false);
1869                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1870             }
1871         } else {
1872             if (uppercase != shift) {
1873                 trace_vnc_key_sync_capslock(true);
1874                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1875             }
1876         }
1877     }
1878 
1879     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1880     if (!qemu_console_is_graphic(NULL)) {
1881         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1882         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1883         /* QEMU console emulation */
1884         if (down) {
1885             switch (keycode) {
1886             case 0x2a:                          /* Left Shift */
1887             case 0x36:                          /* Right Shift */
1888             case 0x1d:                          /* Left CTRL */
1889             case 0x9d:                          /* Right CTRL */
1890             case 0x38:                          /* Left ALT */
1891             case 0xb8:                          /* Right ALT */
1892                 break;
1893             case 0xc8:
1894                 kbd_put_keysym(QEMU_KEY_UP);
1895                 break;
1896             case 0xd0:
1897                 kbd_put_keysym(QEMU_KEY_DOWN);
1898                 break;
1899             case 0xcb:
1900                 kbd_put_keysym(QEMU_KEY_LEFT);
1901                 break;
1902             case 0xcd:
1903                 kbd_put_keysym(QEMU_KEY_RIGHT);
1904                 break;
1905             case 0xd3:
1906                 kbd_put_keysym(QEMU_KEY_DELETE);
1907                 break;
1908             case 0xc7:
1909                 kbd_put_keysym(QEMU_KEY_HOME);
1910                 break;
1911             case 0xcf:
1912                 kbd_put_keysym(QEMU_KEY_END);
1913                 break;
1914             case 0xc9:
1915                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1916                 break;
1917             case 0xd1:
1918                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1919                 break;
1920 
1921             case 0x47:
1922                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1923                 break;
1924             case 0x48:
1925                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1926                 break;
1927             case 0x49:
1928                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1929                 break;
1930             case 0x4b:
1931                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1932                 break;
1933             case 0x4c:
1934                 kbd_put_keysym('5');
1935                 break;
1936             case 0x4d:
1937                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1938                 break;
1939             case 0x4f:
1940                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1941                 break;
1942             case 0x50:
1943                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1944                 break;
1945             case 0x51:
1946                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1947                 break;
1948             case 0x52:
1949                 kbd_put_keysym('0');
1950                 break;
1951             case 0x53:
1952                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1953                 break;
1954 
1955             case 0xb5:
1956                 kbd_put_keysym('/');
1957                 break;
1958             case 0x37:
1959                 kbd_put_keysym('*');
1960                 break;
1961             case 0x4a:
1962                 kbd_put_keysym('-');
1963                 break;
1964             case 0x4e:
1965                 kbd_put_keysym('+');
1966                 break;
1967             case 0x9c:
1968                 kbd_put_keysym('\n');
1969                 break;
1970 
1971             default:
1972                 if (control) {
1973                     kbd_put_keysym(sym & 0x1f);
1974                 } else {
1975                     kbd_put_keysym(sym);
1976                 }
1977                 break;
1978             }
1979         }
1980     }
1981 }
1982 
1983 static const char *code2name(int keycode)
1984 {
1985     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1986 }
1987 
1988 static void key_event(VncState *vs, int down, uint32_t sym)
1989 {
1990     int keycode;
1991     int lsym = sym;
1992 
1993     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1994         lsym = lsym - 'A' + 'a';
1995     }
1996 
1997     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1998                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
1999     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2000     do_key_event(vs, down, keycode, sym);
2001 }
2002 
2003 static void ext_key_event(VncState *vs, int down,
2004                           uint32_t sym, uint16_t keycode)
2005 {
2006     /* if the user specifies a keyboard layout, always use it */
2007     if (keyboard_layout) {
2008         key_event(vs, down, sym);
2009     } else {
2010         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2011         do_key_event(vs, down, keycode, sym);
2012     }
2013 }
2014 
2015 static void framebuffer_update_request(VncState *vs, int incremental,
2016                                        int x, int y, int w, int h)
2017 {
2018     if (incremental) {
2019         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2020             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2021         }
2022     } else {
2023         vs->update = VNC_STATE_UPDATE_FORCE;
2024         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2025     }
2026 }
2027 
2028 static void send_ext_key_event_ack(VncState *vs)
2029 {
2030     vnc_lock_output(vs);
2031     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2032     vnc_write_u8(vs, 0);
2033     vnc_write_u16(vs, 1);
2034     vnc_framebuffer_update(vs, 0, 0,
2035                            pixman_image_get_width(vs->vd->server),
2036                            pixman_image_get_height(vs->vd->server),
2037                            VNC_ENCODING_EXT_KEY_EVENT);
2038     vnc_unlock_output(vs);
2039     vnc_flush(vs);
2040 }
2041 
2042 static void send_ext_audio_ack(VncState *vs)
2043 {
2044     vnc_lock_output(vs);
2045     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2046     vnc_write_u8(vs, 0);
2047     vnc_write_u16(vs, 1);
2048     vnc_framebuffer_update(vs, 0, 0,
2049                            pixman_image_get_width(vs->vd->server),
2050                            pixman_image_get_height(vs->vd->server),
2051                            VNC_ENCODING_AUDIO);
2052     vnc_unlock_output(vs);
2053     vnc_flush(vs);
2054 }
2055 
2056 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2057 {
2058     int i;
2059     unsigned int enc = 0;
2060 
2061     vs->features = 0;
2062     vs->vnc_encoding = 0;
2063     vs->tight->compression = 9;
2064     vs->tight->quality = -1; /* Lossless by default */
2065     vs->absolute = -1;
2066 
2067     /*
2068      * Start from the end because the encodings are sent in order of preference.
2069      * This way the preferred encoding (first encoding defined in the array)
2070      * will be set at the end of the loop.
2071      */
2072     for (i = n_encodings - 1; i >= 0; i--) {
2073         enc = encodings[i];
2074         switch (enc) {
2075         case VNC_ENCODING_RAW:
2076             vs->vnc_encoding = enc;
2077             break;
2078         case VNC_ENCODING_COPYRECT:
2079             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2080             break;
2081         case VNC_ENCODING_HEXTILE:
2082             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2083             vs->vnc_encoding = enc;
2084             break;
2085         case VNC_ENCODING_TIGHT:
2086             vs->features |= VNC_FEATURE_TIGHT_MASK;
2087             vs->vnc_encoding = enc;
2088             break;
2089 #ifdef CONFIG_VNC_PNG
2090         case VNC_ENCODING_TIGHT_PNG:
2091             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2092             vs->vnc_encoding = enc;
2093             break;
2094 #endif
2095         case VNC_ENCODING_ZLIB:
2096             vs->features |= VNC_FEATURE_ZLIB_MASK;
2097             vs->vnc_encoding = enc;
2098             break;
2099         case VNC_ENCODING_ZRLE:
2100             vs->features |= VNC_FEATURE_ZRLE_MASK;
2101             vs->vnc_encoding = enc;
2102             break;
2103         case VNC_ENCODING_ZYWRLE:
2104             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2105             vs->vnc_encoding = enc;
2106             break;
2107         case VNC_ENCODING_DESKTOPRESIZE:
2108             vs->features |= VNC_FEATURE_RESIZE_MASK;
2109             break;
2110         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2111             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2112             break;
2113         case VNC_ENCODING_RICH_CURSOR:
2114             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2115             if (vs->vd->cursor) {
2116                 vnc_cursor_define(vs);
2117             }
2118             break;
2119         case VNC_ENCODING_EXT_KEY_EVENT:
2120             send_ext_key_event_ack(vs);
2121             break;
2122         case VNC_ENCODING_AUDIO:
2123             send_ext_audio_ack(vs);
2124             break;
2125         case VNC_ENCODING_WMVi:
2126             vs->features |= VNC_FEATURE_WMVI_MASK;
2127             break;
2128         case VNC_ENCODING_LED_STATE:
2129             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2130             break;
2131         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2132             vs->tight->compression = (enc & 0x0F);
2133             break;
2134         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2135             if (vs->vd->lossy) {
2136                 vs->tight->quality = (enc & 0x0F);
2137             }
2138             break;
2139         default:
2140             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2141             break;
2142         }
2143     }
2144     vnc_desktop_resize(vs);
2145     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2146     vnc_led_state_change(vs);
2147 }
2148 
2149 static void set_pixel_conversion(VncState *vs)
2150 {
2151     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2152 
2153     if (fmt == VNC_SERVER_FB_FORMAT) {
2154         vs->write_pixels = vnc_write_pixels_copy;
2155         vnc_hextile_set_pixel_conversion(vs, 0);
2156     } else {
2157         vs->write_pixels = vnc_write_pixels_generic;
2158         vnc_hextile_set_pixel_conversion(vs, 1);
2159     }
2160 }
2161 
2162 static void send_color_map(VncState *vs)
2163 {
2164     int i;
2165 
2166     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2167     vnc_write_u8(vs,  0);    /* padding     */
2168     vnc_write_u16(vs, 0);    /* first color */
2169     vnc_write_u16(vs, 256);  /* # of colors */
2170 
2171     for (i = 0; i < 256; i++) {
2172         PixelFormat *pf = &vs->client_pf;
2173 
2174         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2175         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2176         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2177     }
2178 }
2179 
2180 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2181                              int big_endian_flag, int true_color_flag,
2182                              int red_max, int green_max, int blue_max,
2183                              int red_shift, int green_shift, int blue_shift)
2184 {
2185     if (!true_color_flag) {
2186         /* Expose a reasonable default 256 color map */
2187         bits_per_pixel = 8;
2188         red_max = 7;
2189         green_max = 7;
2190         blue_max = 3;
2191         red_shift = 0;
2192         green_shift = 3;
2193         blue_shift = 6;
2194     }
2195 
2196     switch (bits_per_pixel) {
2197     case 8:
2198     case 16:
2199     case 32:
2200         break;
2201     default:
2202         vnc_client_error(vs);
2203         return;
2204     }
2205 
2206     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2207     vs->client_pf.rbits = ctpopl(red_max);
2208     vs->client_pf.rshift = red_shift;
2209     vs->client_pf.rmask = red_max << red_shift;
2210     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2211     vs->client_pf.gbits = ctpopl(green_max);
2212     vs->client_pf.gshift = green_shift;
2213     vs->client_pf.gmask = green_max << green_shift;
2214     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2215     vs->client_pf.bbits = ctpopl(blue_max);
2216     vs->client_pf.bshift = blue_shift;
2217     vs->client_pf.bmask = blue_max << blue_shift;
2218     vs->client_pf.bits_per_pixel = bits_per_pixel;
2219     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2220     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2221     vs->client_be = big_endian_flag;
2222 
2223     if (!true_color_flag) {
2224         send_color_map(vs);
2225     }
2226 
2227     set_pixel_conversion(vs);
2228 
2229     graphic_hw_invalidate(vs->vd->dcl.con);
2230     graphic_hw_update(vs->vd->dcl.con);
2231 }
2232 
2233 static void pixel_format_message (VncState *vs) {
2234     char pad[3] = { 0, 0, 0 };
2235 
2236     vs->client_pf = qemu_default_pixelformat(32);
2237 
2238     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2239     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2240 
2241 #ifdef HOST_WORDS_BIGENDIAN
2242     vnc_write_u8(vs, 1);             /* big-endian-flag */
2243 #else
2244     vnc_write_u8(vs, 0);             /* big-endian-flag */
2245 #endif
2246     vnc_write_u8(vs, 1);             /* true-color-flag */
2247     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2248     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2249     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2250     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2251     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2252     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2253     vnc_write(vs, pad, 3);           /* padding */
2254 
2255     vnc_hextile_set_pixel_conversion(vs, 0);
2256     vs->write_pixels = vnc_write_pixels_copy;
2257 }
2258 
2259 static void vnc_colordepth(VncState *vs)
2260 {
2261     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2262         /* Sending a WMVi message to notify the client*/
2263         vnc_lock_output(vs);
2264         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2265         vnc_write_u8(vs, 0);
2266         vnc_write_u16(vs, 1); /* number of rects */
2267         vnc_framebuffer_update(vs, 0, 0,
2268                                pixman_image_get_width(vs->vd->server),
2269                                pixman_image_get_height(vs->vd->server),
2270                                VNC_ENCODING_WMVi);
2271         pixel_format_message(vs);
2272         vnc_unlock_output(vs);
2273         vnc_flush(vs);
2274     } else {
2275         set_pixel_conversion(vs);
2276     }
2277 }
2278 
2279 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2280 {
2281     int i;
2282     uint16_t limit;
2283     uint32_t freq;
2284     VncDisplay *vd = vs->vd;
2285 
2286     if (data[0] > 3) {
2287         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2288     }
2289 
2290     switch (data[0]) {
2291     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2292         if (len == 1)
2293             return 20;
2294 
2295         set_pixel_format(vs, read_u8(data, 4),
2296                          read_u8(data, 6), read_u8(data, 7),
2297                          read_u16(data, 8), read_u16(data, 10),
2298                          read_u16(data, 12), read_u8(data, 14),
2299                          read_u8(data, 15), read_u8(data, 16));
2300         break;
2301     case VNC_MSG_CLIENT_SET_ENCODINGS:
2302         if (len == 1)
2303             return 4;
2304 
2305         if (len == 4) {
2306             limit = read_u16(data, 2);
2307             if (limit > 0)
2308                 return 4 + (limit * 4);
2309         } else
2310             limit = read_u16(data, 2);
2311 
2312         for (i = 0; i < limit; i++) {
2313             int32_t val = read_s32(data, 4 + (i * 4));
2314             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2315         }
2316 
2317         set_encodings(vs, (int32_t *)(data + 4), limit);
2318         break;
2319     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2320         if (len == 1)
2321             return 10;
2322 
2323         framebuffer_update_request(vs,
2324                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2325                                    read_u16(data, 6), read_u16(data, 8));
2326         break;
2327     case VNC_MSG_CLIENT_KEY_EVENT:
2328         if (len == 1)
2329             return 8;
2330 
2331         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2332         break;
2333     case VNC_MSG_CLIENT_POINTER_EVENT:
2334         if (len == 1)
2335             return 6;
2336 
2337         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2338         break;
2339     case VNC_MSG_CLIENT_CUT_TEXT:
2340         if (len == 1) {
2341             return 8;
2342         }
2343         if (len == 8) {
2344             uint32_t dlen = read_u32(data, 4);
2345             if (dlen > (1 << 20)) {
2346                 error_report("vnc: client_cut_text msg payload has %u bytes"
2347                              " which exceeds our limit of 1MB.", dlen);
2348                 vnc_client_error(vs);
2349                 break;
2350             }
2351             if (dlen > 0) {
2352                 return 8 + dlen;
2353             }
2354         }
2355 
2356         client_cut_text(vs, read_u32(data, 4), data + 8);
2357         break;
2358     case VNC_MSG_CLIENT_QEMU:
2359         if (len == 1)
2360             return 2;
2361 
2362         switch (read_u8(data, 1)) {
2363         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2364             if (len == 2)
2365                 return 12;
2366 
2367             ext_key_event(vs, read_u16(data, 2),
2368                           read_u32(data, 4), read_u32(data, 8));
2369             break;
2370         case VNC_MSG_CLIENT_QEMU_AUDIO:
2371             if (len == 2)
2372                 return 4;
2373 
2374             switch (read_u16 (data, 2)) {
2375             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2376                 audio_add(vs);
2377                 break;
2378             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2379                 audio_del(vs);
2380                 break;
2381             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2382                 if (len == 4)
2383                     return 10;
2384                 switch (read_u8(data, 4)) {
2385                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2386                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2387                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2388                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2389                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2390                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2391                 default:
2392                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2393                     vnc_client_error(vs);
2394                     break;
2395                 }
2396                 vs->as.nchannels = read_u8(data, 5);
2397                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2398                     VNC_DEBUG("Invalid audio channel count %d\n",
2399                               read_u8(data, 5));
2400                     vnc_client_error(vs);
2401                     break;
2402                 }
2403                 freq = read_u32(data, 6);
2404                 /* No official limit for protocol, but 48khz is a sensible
2405                  * upper bound for trustworthy clients, and this limit
2406                  * protects calculations involving 'vs->as.freq' later.
2407                  */
2408                 if (freq > 48000) {
2409                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2410                     vnc_client_error(vs);
2411                     break;
2412                 }
2413                 vs->as.freq = freq;
2414                 break;
2415             default:
2416                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2417                 vnc_client_error(vs);
2418                 break;
2419             }
2420             break;
2421 
2422         default:
2423             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2424             vnc_client_error(vs);
2425             break;
2426         }
2427         break;
2428     default:
2429         VNC_DEBUG("Msg: %d\n", data[0]);
2430         vnc_client_error(vs);
2431         break;
2432     }
2433 
2434     vnc_update_throttle_offset(vs);
2435     vnc_read_when(vs, protocol_client_msg, 1);
2436     return 0;
2437 }
2438 
2439 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2440 {
2441     char buf[1024];
2442     VncShareMode mode;
2443     int size;
2444 
2445     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2446     switch (vs->vd->share_policy) {
2447     case VNC_SHARE_POLICY_IGNORE:
2448         /*
2449          * Ignore the shared flag.  Nothing to do here.
2450          *
2451          * Doesn't conform to the rfb spec but is traditional qemu
2452          * behavior, thus left here as option for compatibility
2453          * reasons.
2454          */
2455         break;
2456     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2457         /*
2458          * Policy: Allow clients ask for exclusive access.
2459          *
2460          * Implementation: When a client asks for exclusive access,
2461          * disconnect all others. Shared connects are allowed as long
2462          * as no exclusive connection exists.
2463          *
2464          * This is how the rfb spec suggests to handle the shared flag.
2465          */
2466         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2467             VncState *client;
2468             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2469                 if (vs == client) {
2470                     continue;
2471                 }
2472                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2473                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2474                     continue;
2475                 }
2476                 vnc_disconnect_start(client);
2477             }
2478         }
2479         if (mode == VNC_SHARE_MODE_SHARED) {
2480             if (vs->vd->num_exclusive > 0) {
2481                 vnc_disconnect_start(vs);
2482                 return 0;
2483             }
2484         }
2485         break;
2486     case VNC_SHARE_POLICY_FORCE_SHARED:
2487         /*
2488          * Policy: Shared connects only.
2489          * Implementation: Disallow clients asking for exclusive access.
2490          *
2491          * Useful for shared desktop sessions where you don't want
2492          * someone forgetting to say -shared when running the vnc
2493          * client disconnect everybody else.
2494          */
2495         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2496             vnc_disconnect_start(vs);
2497             return 0;
2498         }
2499         break;
2500     }
2501     vnc_set_share_mode(vs, mode);
2502 
2503     if (vs->vd->num_shared > vs->vd->connections_limit) {
2504         vnc_disconnect_start(vs);
2505         return 0;
2506     }
2507 
2508     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2509            pixman_image_get_width(vs->vd->server) >= 0);
2510     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2511            pixman_image_get_height(vs->vd->server) >= 0);
2512     vs->client_width = pixman_image_get_width(vs->vd->server);
2513     vs->client_height = pixman_image_get_height(vs->vd->server);
2514     vnc_write_u16(vs, vs->client_width);
2515     vnc_write_u16(vs, vs->client_height);
2516 
2517     pixel_format_message(vs);
2518 
2519     if (qemu_name) {
2520         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2521         if (size > sizeof(buf)) {
2522             size = sizeof(buf);
2523         }
2524     } else {
2525         size = snprintf(buf, sizeof(buf), "QEMU");
2526     }
2527 
2528     vnc_write_u32(vs, size);
2529     vnc_write(vs, buf, size);
2530     vnc_flush(vs);
2531 
2532     vnc_client_cache_auth(vs);
2533     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2534 
2535     vnc_read_when(vs, protocol_client_msg, 1);
2536 
2537     return 0;
2538 }
2539 
2540 void start_client_init(VncState *vs)
2541 {
2542     vnc_read_when(vs, protocol_client_init, 1);
2543 }
2544 
2545 static void authentication_failed(VncState *vs)
2546 {
2547     vnc_write_u32(vs, 1); /* Reject auth */
2548     if (vs->minor >= 8) {
2549         static const char err[] = "Authentication failed";
2550         vnc_write_u32(vs, sizeof(err));
2551         vnc_write(vs, err, sizeof(err));
2552     }
2553     vnc_flush(vs);
2554     vnc_client_error(vs);
2555 }
2556 
2557 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2558 {
2559     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2560     size_t i, pwlen;
2561     unsigned char key[8];
2562     time_t now = time(NULL);
2563     QCryptoCipher *cipher = NULL;
2564     Error *err = NULL;
2565 
2566     if (!vs->vd->password) {
2567         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2568         goto reject;
2569     }
2570     if (vs->vd->expires < now) {
2571         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2572         goto reject;
2573     }
2574 
2575     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2576 
2577     /* Calculate the expected challenge response */
2578     pwlen = strlen(vs->vd->password);
2579     for (i=0; i<sizeof(key); i++)
2580         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2581 
2582     cipher = qcrypto_cipher_new(
2583         QCRYPTO_CIPHER_ALG_DES_RFB,
2584         QCRYPTO_CIPHER_MODE_ECB,
2585         key, G_N_ELEMENTS(key),
2586         &err);
2587     if (!cipher) {
2588         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2589                             error_get_pretty(err));
2590         error_free(err);
2591         goto reject;
2592     }
2593 
2594     if (qcrypto_cipher_encrypt(cipher,
2595                                vs->challenge,
2596                                response,
2597                                VNC_AUTH_CHALLENGE_SIZE,
2598                                &err) < 0) {
2599         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2600                             error_get_pretty(err));
2601         error_free(err);
2602         goto reject;
2603     }
2604 
2605     /* Compare expected vs actual challenge response */
2606     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2607         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2608         goto reject;
2609     } else {
2610         trace_vnc_auth_pass(vs, vs->auth);
2611         vnc_write_u32(vs, 0); /* Accept auth */
2612         vnc_flush(vs);
2613 
2614         start_client_init(vs);
2615     }
2616 
2617     qcrypto_cipher_free(cipher);
2618     return 0;
2619 
2620 reject:
2621     authentication_failed(vs);
2622     qcrypto_cipher_free(cipher);
2623     return 0;
2624 }
2625 
2626 void start_auth_vnc(VncState *vs)
2627 {
2628     Error *err = NULL;
2629 
2630     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2631         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2632                             error_get_pretty(err));
2633         error_free(err);
2634         authentication_failed(vs);
2635         return;
2636     }
2637 
2638     /* Send client a 'random' challenge */
2639     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2640     vnc_flush(vs);
2641 
2642     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2643 }
2644 
2645 
2646 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2647 {
2648     /* We only advertise 1 auth scheme at a time, so client
2649      * must pick the one we sent. Verify this */
2650     if (data[0] != vs->auth) { /* Reject auth */
2651        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2652        authentication_failed(vs);
2653     } else { /* Accept requested auth */
2654        trace_vnc_auth_start(vs, vs->auth);
2655        switch (vs->auth) {
2656        case VNC_AUTH_NONE:
2657            if (vs->minor >= 8) {
2658                vnc_write_u32(vs, 0); /* Accept auth completion */
2659                vnc_flush(vs);
2660            }
2661            trace_vnc_auth_pass(vs, vs->auth);
2662            start_client_init(vs);
2663            break;
2664 
2665        case VNC_AUTH_VNC:
2666            start_auth_vnc(vs);
2667            break;
2668 
2669        case VNC_AUTH_VENCRYPT:
2670            start_auth_vencrypt(vs);
2671            break;
2672 
2673 #ifdef CONFIG_VNC_SASL
2674        case VNC_AUTH_SASL:
2675            start_auth_sasl(vs);
2676            break;
2677 #endif /* CONFIG_VNC_SASL */
2678 
2679        default: /* Should not be possible, but just in case */
2680            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2681            authentication_failed(vs);
2682        }
2683     }
2684     return 0;
2685 }
2686 
2687 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2688 {
2689     char local[13];
2690 
2691     memcpy(local, version, 12);
2692     local[12] = 0;
2693 
2694     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2695         VNC_DEBUG("Malformed protocol version %s\n", local);
2696         vnc_client_error(vs);
2697         return 0;
2698     }
2699     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2700     if (vs->major != 3 ||
2701         (vs->minor != 3 &&
2702          vs->minor != 4 &&
2703          vs->minor != 5 &&
2704          vs->minor != 7 &&
2705          vs->minor != 8)) {
2706         VNC_DEBUG("Unsupported client version\n");
2707         vnc_write_u32(vs, VNC_AUTH_INVALID);
2708         vnc_flush(vs);
2709         vnc_client_error(vs);
2710         return 0;
2711     }
2712     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2713      * as equivalent to v3.3 by servers
2714      */
2715     if (vs->minor == 4 || vs->minor == 5)
2716         vs->minor = 3;
2717 
2718     if (vs->minor == 3) {
2719         trace_vnc_auth_start(vs, vs->auth);
2720         if (vs->auth == VNC_AUTH_NONE) {
2721             vnc_write_u32(vs, vs->auth);
2722             vnc_flush(vs);
2723             trace_vnc_auth_pass(vs, vs->auth);
2724             start_client_init(vs);
2725        } else if (vs->auth == VNC_AUTH_VNC) {
2726             VNC_DEBUG("Tell client VNC auth\n");
2727             vnc_write_u32(vs, vs->auth);
2728             vnc_flush(vs);
2729             start_auth_vnc(vs);
2730        } else {
2731             trace_vnc_auth_fail(vs, vs->auth,
2732                                 "Unsupported auth method for v3.3", "");
2733             vnc_write_u32(vs, VNC_AUTH_INVALID);
2734             vnc_flush(vs);
2735             vnc_client_error(vs);
2736        }
2737     } else {
2738         vnc_write_u8(vs, 1); /* num auth */
2739         vnc_write_u8(vs, vs->auth);
2740         vnc_read_when(vs, protocol_client_auth, 1);
2741         vnc_flush(vs);
2742     }
2743 
2744     return 0;
2745 }
2746 
2747 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2748 {
2749     struct VncSurface *vs = &vd->guest;
2750 
2751     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2752 }
2753 
2754 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2755 {
2756     int i, j;
2757 
2758     w = (x + w) / VNC_STAT_RECT;
2759     h = (y + h) / VNC_STAT_RECT;
2760     x /= VNC_STAT_RECT;
2761     y /= VNC_STAT_RECT;
2762 
2763     for (j = y; j <= h; j++) {
2764         for (i = x; i <= w; i++) {
2765             vs->lossy_rect[j][i] = 1;
2766         }
2767     }
2768 }
2769 
2770 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2771 {
2772     VncState *vs;
2773     int sty = y / VNC_STAT_RECT;
2774     int stx = x / VNC_STAT_RECT;
2775     int has_dirty = 0;
2776 
2777     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2778     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2779 
2780     QTAILQ_FOREACH(vs, &vd->clients, next) {
2781         int j;
2782 
2783         /* kernel send buffers are full -> refresh later */
2784         if (vs->output.offset) {
2785             continue;
2786         }
2787 
2788         if (!vs->lossy_rect[sty][stx]) {
2789             continue;
2790         }
2791 
2792         vs->lossy_rect[sty][stx] = 0;
2793         for (j = 0; j < VNC_STAT_RECT; ++j) {
2794             bitmap_set(vs->dirty[y + j],
2795                        x / VNC_DIRTY_PIXELS_PER_BIT,
2796                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2797         }
2798         has_dirty++;
2799     }
2800 
2801     return has_dirty;
2802 }
2803 
2804 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2805 {
2806     int width = MIN(pixman_image_get_width(vd->guest.fb),
2807                     pixman_image_get_width(vd->server));
2808     int height = MIN(pixman_image_get_height(vd->guest.fb),
2809                      pixman_image_get_height(vd->server));
2810     int x, y;
2811     struct timeval res;
2812     int has_dirty = 0;
2813 
2814     for (y = 0; y < height; y += VNC_STAT_RECT) {
2815         for (x = 0; x < width; x += VNC_STAT_RECT) {
2816             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2817 
2818             rect->updated = false;
2819         }
2820     }
2821 
2822     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2823 
2824     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2825         return has_dirty;
2826     }
2827     vd->guest.last_freq_check = *tv;
2828 
2829     for (y = 0; y < height; y += VNC_STAT_RECT) {
2830         for (x = 0; x < width; x += VNC_STAT_RECT) {
2831             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2832             int count = ARRAY_SIZE(rect->times);
2833             struct timeval min, max;
2834 
2835             if (!timerisset(&rect->times[count - 1])) {
2836                 continue ;
2837             }
2838 
2839             max = rect->times[(rect->idx + count - 1) % count];
2840             qemu_timersub(tv, &max, &res);
2841 
2842             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2843                 rect->freq = 0;
2844                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2845                 memset(rect->times, 0, sizeof (rect->times));
2846                 continue ;
2847             }
2848 
2849             min = rect->times[rect->idx];
2850             max = rect->times[(rect->idx + count - 1) % count];
2851             qemu_timersub(&max, &min, &res);
2852 
2853             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2854             rect->freq /= count;
2855             rect->freq = 1. / rect->freq;
2856         }
2857     }
2858     return has_dirty;
2859 }
2860 
2861 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2862 {
2863     int i, j;
2864     double total = 0;
2865     int num = 0;
2866 
2867     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2868     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2869 
2870     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2871         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2872             total += vnc_stat_rect(vs->vd, i, j)->freq;
2873             num++;
2874         }
2875     }
2876 
2877     if (num) {
2878         return total / num;
2879     } else {
2880         return 0;
2881     }
2882 }
2883 
2884 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2885 {
2886     VncRectStat *rect;
2887 
2888     rect = vnc_stat_rect(vd, x, y);
2889     if (rect->updated) {
2890         return ;
2891     }
2892     rect->times[rect->idx] = *tv;
2893     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2894     rect->updated = true;
2895 }
2896 
2897 static int vnc_refresh_server_surface(VncDisplay *vd)
2898 {
2899     int width = MIN(pixman_image_get_width(vd->guest.fb),
2900                     pixman_image_get_width(vd->server));
2901     int height = MIN(pixman_image_get_height(vd->guest.fb),
2902                      pixman_image_get_height(vd->server));
2903     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2904     uint8_t *guest_row0 = NULL, *server_row0;
2905     VncState *vs;
2906     int has_dirty = 0;
2907     pixman_image_t *tmpbuf = NULL;
2908 
2909     struct timeval tv = { 0, 0 };
2910 
2911     if (!vd->non_adaptive) {
2912         gettimeofday(&tv, NULL);
2913         has_dirty = vnc_update_stats(vd, &tv);
2914     }
2915 
2916     /*
2917      * Walk through the guest dirty map.
2918      * Check and copy modified bits from guest to server surface.
2919      * Update server dirty map.
2920      */
2921     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2922     server_stride = guest_stride = guest_ll =
2923         pixman_image_get_stride(vd->server);
2924     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2925                     server_stride);
2926     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2927         int width = pixman_image_get_width(vd->server);
2928         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2929     } else {
2930         int guest_bpp =
2931             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2932         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2933         guest_stride = pixman_image_get_stride(vd->guest.fb);
2934         guest_ll = pixman_image_get_width(vd->guest.fb)
2935                    * DIV_ROUND_UP(guest_bpp, 8);
2936     }
2937     line_bytes = MIN(server_stride, guest_ll);
2938 
2939     for (;;) {
2940         int x;
2941         uint8_t *guest_ptr, *server_ptr;
2942         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2943                                              height * VNC_DIRTY_BPL(&vd->guest),
2944                                              y * VNC_DIRTY_BPL(&vd->guest));
2945         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2946             /* no more dirty bits */
2947             break;
2948         }
2949         y = offset / VNC_DIRTY_BPL(&vd->guest);
2950         x = offset % VNC_DIRTY_BPL(&vd->guest);
2951 
2952         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2953 
2954         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2955             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2956             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2957         } else {
2958             guest_ptr = guest_row0 + y * guest_stride;
2959         }
2960         guest_ptr += x * cmp_bytes;
2961 
2962         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2963              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2964             int _cmp_bytes = cmp_bytes;
2965             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2966                 continue;
2967             }
2968             if ((x + 1) * cmp_bytes > line_bytes) {
2969                 _cmp_bytes = line_bytes - x * cmp_bytes;
2970             }
2971             assert(_cmp_bytes >= 0);
2972             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2973                 continue;
2974             }
2975             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2976             if (!vd->non_adaptive) {
2977                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2978                                  y, &tv);
2979             }
2980             QTAILQ_FOREACH(vs, &vd->clients, next) {
2981                 set_bit(x, vs->dirty[y]);
2982             }
2983             has_dirty++;
2984         }
2985 
2986         y++;
2987     }
2988     qemu_pixman_image_unref(tmpbuf);
2989     return has_dirty;
2990 }
2991 
2992 static void vnc_refresh(DisplayChangeListener *dcl)
2993 {
2994     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2995     VncState *vs, *vn;
2996     int has_dirty, rects = 0;
2997 
2998     if (QTAILQ_EMPTY(&vd->clients)) {
2999         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3000         return;
3001     }
3002 
3003     graphic_hw_update(vd->dcl.con);
3004 
3005     if (vnc_trylock_display(vd)) {
3006         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3007         return;
3008     }
3009 
3010     has_dirty = vnc_refresh_server_surface(vd);
3011     vnc_unlock_display(vd);
3012 
3013     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3014         rects += vnc_update_client(vs, has_dirty);
3015         /* vs might be free()ed here */
3016     }
3017 
3018     if (has_dirty && rects) {
3019         vd->dcl.update_interval /= 2;
3020         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3021             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3022         }
3023     } else {
3024         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3025         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3026             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3027         }
3028     }
3029 }
3030 
3031 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3032                         bool skipauth, bool websocket)
3033 {
3034     VncState *vs = g_new0(VncState, 1);
3035     bool first_client = QTAILQ_EMPTY(&vd->clients);
3036     int i;
3037 
3038     trace_vnc_client_connect(vs, sioc);
3039     vs->zrle = g_new0(VncZrle, 1);
3040     vs->tight = g_new0(VncTight, 1);
3041     vs->magic = VNC_MAGIC;
3042     vs->sioc = sioc;
3043     object_ref(OBJECT(vs->sioc));
3044     vs->ioc = QIO_CHANNEL(sioc);
3045     object_ref(OBJECT(vs->ioc));
3046     vs->vd = vd;
3047 
3048     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3049     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3050     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3051 
3052     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3053     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3054     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3055 #ifdef CONFIG_VNC_JPEG
3056     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3057 #endif
3058 #ifdef CONFIG_VNC_PNG
3059     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3060 #endif
3061     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3062     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3063     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3064     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3065 
3066     if (skipauth) {
3067         vs->auth = VNC_AUTH_NONE;
3068         vs->subauth = VNC_AUTH_INVALID;
3069     } else {
3070         if (websocket) {
3071             vs->auth = vd->ws_auth;
3072             vs->subauth = VNC_AUTH_INVALID;
3073         } else {
3074             vs->auth = vd->auth;
3075             vs->subauth = vd->subauth;
3076         }
3077     }
3078     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3079               sioc, websocket, vs->auth, vs->subauth);
3080 
3081     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3082     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3083         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3084     }
3085 
3086     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3087     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3088     qio_channel_set_blocking(vs->ioc, false, NULL);
3089     if (vs->ioc_tag) {
3090         g_source_remove(vs->ioc_tag);
3091     }
3092     if (websocket) {
3093         vs->websocket = 1;
3094         if (vd->tlscreds) {
3095             vs->ioc_tag = qio_channel_add_watch(
3096                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3097         } else {
3098             vs->ioc_tag = qio_channel_add_watch(
3099                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3100         }
3101     } else {
3102         vs->ioc_tag = qio_channel_add_watch(
3103             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3104     }
3105 
3106     vnc_client_cache_addr(vs);
3107     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3108     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3109 
3110     vs->last_x = -1;
3111     vs->last_y = -1;
3112 
3113     vs->as.freq = 44100;
3114     vs->as.nchannels = 2;
3115     vs->as.fmt = AUDIO_FORMAT_S16;
3116     vs->as.endianness = 0;
3117 
3118     qemu_mutex_init(&vs->output_mutex);
3119     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3120 
3121     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3122     if (first_client) {
3123         vnc_update_server_surface(vd);
3124     }
3125 
3126     graphic_hw_update(vd->dcl.con);
3127 
3128     if (!vs->websocket) {
3129         vnc_start_protocol(vs);
3130     }
3131 
3132     if (vd->num_connecting > vd->connections_limit) {
3133         QTAILQ_FOREACH(vs, &vd->clients, next) {
3134             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3135                 vnc_disconnect_start(vs);
3136                 return;
3137             }
3138         }
3139     }
3140 }
3141 
3142 void vnc_start_protocol(VncState *vs)
3143 {
3144     vnc_write(vs, "RFB 003.008\n", 12);
3145     vnc_flush(vs);
3146     vnc_read_when(vs, protocol_version, 12);
3147 
3148     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3149     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3150 }
3151 
3152 static void vnc_listen_io(QIONetListener *listener,
3153                           QIOChannelSocket *cioc,
3154                           void *opaque)
3155 {
3156     VncDisplay *vd = opaque;
3157     bool isWebsock = listener == vd->wslistener;
3158 
3159     qio_channel_set_name(QIO_CHANNEL(cioc),
3160                          isWebsock ? "vnc-ws-server" : "vnc-server");
3161     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3162     vnc_connect(vd, cioc, false, isWebsock);
3163 }
3164 
3165 static const DisplayChangeListenerOps dcl_ops = {
3166     .dpy_name             = "vnc",
3167     .dpy_refresh          = vnc_refresh,
3168     .dpy_gfx_update       = vnc_dpy_update,
3169     .dpy_gfx_switch       = vnc_dpy_switch,
3170     .dpy_gfx_check_format = qemu_pixman_check_format,
3171     .dpy_mouse_set        = vnc_mouse_set,
3172     .dpy_cursor_define    = vnc_dpy_cursor_define,
3173 };
3174 
3175 void vnc_display_init(const char *id, Error **errp)
3176 {
3177     VncDisplay *vd;
3178 
3179     if (vnc_display_find(id) != NULL) {
3180         return;
3181     }
3182     vd = g_malloc0(sizeof(*vd));
3183 
3184     vd->id = strdup(id);
3185     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3186 
3187     QTAILQ_INIT(&vd->clients);
3188     vd->expires = TIME_MAX;
3189 
3190     if (keyboard_layout) {
3191         trace_vnc_key_map_init(keyboard_layout);
3192         vd->kbd_layout = init_keyboard_layout(name2keysym,
3193                                               keyboard_layout, errp);
3194     } else {
3195         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3196     }
3197 
3198     if (!vd->kbd_layout) {
3199         return;
3200     }
3201 
3202     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3203     vd->connections_limit = 32;
3204 
3205     qemu_mutex_init(&vd->mutex);
3206     vnc_start_worker_thread();
3207 
3208     vd->dcl.ops = &dcl_ops;
3209     register_displaychangelistener(&vd->dcl);
3210     vd->kbd = qkbd_state_init(vd->dcl.con);
3211 }
3212 
3213 
3214 static void vnc_display_close(VncDisplay *vd)
3215 {
3216     if (!vd) {
3217         return;
3218     }
3219     vd->is_unix = false;
3220 
3221     if (vd->listener) {
3222         qio_net_listener_disconnect(vd->listener);
3223         object_unref(OBJECT(vd->listener));
3224     }
3225     vd->listener = NULL;
3226 
3227     if (vd->wslistener) {
3228         qio_net_listener_disconnect(vd->wslistener);
3229         object_unref(OBJECT(vd->wslistener));
3230     }
3231     vd->wslistener = NULL;
3232 
3233     vd->auth = VNC_AUTH_INVALID;
3234     vd->subauth = VNC_AUTH_INVALID;
3235     if (vd->tlscreds) {
3236         object_unparent(OBJECT(vd->tlscreds));
3237         vd->tlscreds = NULL;
3238     }
3239     if (vd->tlsauthz) {
3240         object_unparent(OBJECT(vd->tlsauthz));
3241         vd->tlsauthz = NULL;
3242     }
3243     g_free(vd->tlsauthzid);
3244     vd->tlsauthzid = NULL;
3245     if (vd->lock_key_sync) {
3246         qemu_remove_led_event_handler(vd->led);
3247         vd->led = NULL;
3248     }
3249 #ifdef CONFIG_VNC_SASL
3250     if (vd->sasl.authz) {
3251         object_unparent(OBJECT(vd->sasl.authz));
3252         vd->sasl.authz = NULL;
3253     }
3254     g_free(vd->sasl.authzid);
3255     vd->sasl.authzid = NULL;
3256 #endif
3257 }
3258 
3259 int vnc_display_password(const char *id, const char *password)
3260 {
3261     VncDisplay *vd = vnc_display_find(id);
3262 
3263     if (!vd) {
3264         return -EINVAL;
3265     }
3266     if (vd->auth == VNC_AUTH_NONE) {
3267         error_printf_unless_qmp("If you want use passwords please enable "
3268                                 "password auth using '-vnc ${dpy},password'.\n");
3269         return -EINVAL;
3270     }
3271 
3272     g_free(vd->password);
3273     vd->password = g_strdup(password);
3274 
3275     return 0;
3276 }
3277 
3278 int vnc_display_pw_expire(const char *id, time_t expires)
3279 {
3280     VncDisplay *vd = vnc_display_find(id);
3281 
3282     if (!vd) {
3283         return -EINVAL;
3284     }
3285 
3286     vd->expires = expires;
3287     return 0;
3288 }
3289 
3290 static void vnc_display_print_local_addr(VncDisplay *vd)
3291 {
3292     SocketAddress *addr;
3293     Error *err = NULL;
3294 
3295     if (!vd->listener || !vd->listener->nsioc) {
3296         return;
3297     }
3298 
3299     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3300     if (!addr) {
3301         return;
3302     }
3303 
3304     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3305         qapi_free_SocketAddress(addr);
3306         return;
3307     }
3308     error_printf_unless_qmp("VNC server running on %s:%s\n",
3309                             addr->u.inet.host,
3310                             addr->u.inet.port);
3311     qapi_free_SocketAddress(addr);
3312 }
3313 
3314 static QemuOptsList qemu_vnc_opts = {
3315     .name = "vnc",
3316     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3317     .implied_opt_name = "vnc",
3318     .desc = {
3319         {
3320             .name = "vnc",
3321             .type = QEMU_OPT_STRING,
3322         },{
3323             .name = "websocket",
3324             .type = QEMU_OPT_STRING,
3325         },{
3326             .name = "tls-creds",
3327             .type = QEMU_OPT_STRING,
3328         },{
3329             .name = "share",
3330             .type = QEMU_OPT_STRING,
3331         },{
3332             .name = "display",
3333             .type = QEMU_OPT_STRING,
3334         },{
3335             .name = "head",
3336             .type = QEMU_OPT_NUMBER,
3337         },{
3338             .name = "connections",
3339             .type = QEMU_OPT_NUMBER,
3340         },{
3341             .name = "to",
3342             .type = QEMU_OPT_NUMBER,
3343         },{
3344             .name = "ipv4",
3345             .type = QEMU_OPT_BOOL,
3346         },{
3347             .name = "ipv6",
3348             .type = QEMU_OPT_BOOL,
3349         },{
3350             .name = "password",
3351             .type = QEMU_OPT_BOOL,
3352         },{
3353             .name = "reverse",
3354             .type = QEMU_OPT_BOOL,
3355         },{
3356             .name = "lock-key-sync",
3357             .type = QEMU_OPT_BOOL,
3358         },{
3359             .name = "key-delay-ms",
3360             .type = QEMU_OPT_NUMBER,
3361         },{
3362             .name = "sasl",
3363             .type = QEMU_OPT_BOOL,
3364         },{
3365             .name = "acl",
3366             .type = QEMU_OPT_BOOL,
3367         },{
3368             .name = "tls-authz",
3369             .type = QEMU_OPT_STRING,
3370         },{
3371             .name = "sasl-authz",
3372             .type = QEMU_OPT_STRING,
3373         },{
3374             .name = "lossy",
3375             .type = QEMU_OPT_BOOL,
3376         },{
3377             .name = "non-adaptive",
3378             .type = QEMU_OPT_BOOL,
3379         },{
3380             .name = "audiodev",
3381             .type = QEMU_OPT_STRING,
3382         },
3383         { /* end of list */ }
3384     },
3385 };
3386 
3387 
3388 static int
3389 vnc_display_setup_auth(int *auth,
3390                        int *subauth,
3391                        QCryptoTLSCreds *tlscreds,
3392                        bool password,
3393                        bool sasl,
3394                        bool websocket,
3395                        Error **errp)
3396 {
3397     /*
3398      * We have a choice of 3 authentication options
3399      *
3400      *   1. none
3401      *   2. vnc
3402      *   3. sasl
3403      *
3404      * The channel can be run in 2 modes
3405      *
3406      *   1. clear
3407      *   2. tls
3408      *
3409      * And TLS can use 2 types of credentials
3410      *
3411      *   1. anon
3412      *   2. x509
3413      *
3414      * We thus have 9 possible logical combinations
3415      *
3416      *   1. clear + none
3417      *   2. clear + vnc
3418      *   3. clear + sasl
3419      *   4. tls + anon + none
3420      *   5. tls + anon + vnc
3421      *   6. tls + anon + sasl
3422      *   7. tls + x509 + none
3423      *   8. tls + x509 + vnc
3424      *   9. tls + x509 + sasl
3425      *
3426      * These need to be mapped into the VNC auth schemes
3427      * in an appropriate manner. In regular VNC, all the
3428      * TLS options get mapped into VNC_AUTH_VENCRYPT
3429      * sub-auth types.
3430      *
3431      * In websockets, the https:// protocol already provides
3432      * TLS support, so there is no need to make use of the
3433      * VeNCrypt extension. Furthermore, websockets browser
3434      * clients could not use VeNCrypt even if they wanted to,
3435      * as they cannot control when the TLS handshake takes
3436      * place. Thus there is no option but to rely on https://,
3437      * meaning combinations 4->6 and 7->9 will be mapped to
3438      * VNC auth schemes in the same way as combos 1->3.
3439      *
3440      * Regardless of fact that we have a different mapping to
3441      * VNC auth mechs for plain VNC vs websockets VNC, the end
3442      * result has the same security characteristics.
3443      */
3444     if (websocket || !tlscreds) {
3445         if (password) {
3446             VNC_DEBUG("Initializing VNC server with password auth\n");
3447             *auth = VNC_AUTH_VNC;
3448         } else if (sasl) {
3449             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3450             *auth = VNC_AUTH_SASL;
3451         } else {
3452             VNC_DEBUG("Initializing VNC server with no auth\n");
3453             *auth = VNC_AUTH_NONE;
3454         }
3455         *subauth = VNC_AUTH_INVALID;
3456     } else {
3457         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3458                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3459         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3460                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3461 
3462         if (!is_x509 && !is_anon) {
3463             error_setg(errp,
3464                        "Unsupported TLS cred type %s",
3465                        object_get_typename(OBJECT(tlscreds)));
3466             return -1;
3467         }
3468         *auth = VNC_AUTH_VENCRYPT;
3469         if (password) {
3470             if (is_x509) {
3471                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3472                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3473             } else {
3474                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3475                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3476             }
3477 
3478         } else if (sasl) {
3479             if (is_x509) {
3480                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3481                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3482             } else {
3483                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3484                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3485             }
3486         } else {
3487             if (is_x509) {
3488                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3489                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3490             } else {
3491                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3492                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3493             }
3494         }
3495     }
3496     return 0;
3497 }
3498 
3499 
3500 static int vnc_display_get_address(const char *addrstr,
3501                                    bool websocket,
3502                                    bool reverse,
3503                                    int displaynum,
3504                                    int to,
3505                                    bool has_ipv4,
3506                                    bool has_ipv6,
3507                                    bool ipv4,
3508                                    bool ipv6,
3509                                    SocketAddress **retaddr,
3510                                    Error **errp)
3511 {
3512     int ret = -1;
3513     SocketAddress *addr = NULL;
3514 
3515     addr = g_new0(SocketAddress, 1);
3516 
3517     if (strncmp(addrstr, "unix:", 5) == 0) {
3518         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3519         addr->u.q_unix.path = g_strdup(addrstr + 5);
3520 
3521         if (websocket) {
3522             error_setg(errp, "UNIX sockets not supported with websock");
3523             goto cleanup;
3524         }
3525 
3526         if (to) {
3527             error_setg(errp, "Port range not support with UNIX socket");
3528             goto cleanup;
3529         }
3530         ret = 0;
3531     } else {
3532         const char *port;
3533         size_t hostlen;
3534         unsigned long long baseport = 0;
3535         InetSocketAddress *inet;
3536 
3537         port = strrchr(addrstr, ':');
3538         if (!port) {
3539             if (websocket) {
3540                 hostlen = 0;
3541                 port = addrstr;
3542             } else {
3543                 error_setg(errp, "no vnc port specified");
3544                 goto cleanup;
3545             }
3546         } else {
3547             hostlen = port - addrstr;
3548             port++;
3549             if (*port == '\0') {
3550                 error_setg(errp, "vnc port cannot be empty");
3551                 goto cleanup;
3552             }
3553         }
3554 
3555         addr->type = SOCKET_ADDRESS_TYPE_INET;
3556         inet = &addr->u.inet;
3557         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3558             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3559         } else {
3560             inet->host = g_strndup(addrstr, hostlen);
3561         }
3562         /* plain VNC port is just an offset, for websocket
3563          * port is absolute */
3564         if (websocket) {
3565             if (g_str_equal(addrstr, "") ||
3566                 g_str_equal(addrstr, "on")) {
3567                 if (displaynum == -1) {
3568                     error_setg(errp, "explicit websocket port is required");
3569                     goto cleanup;
3570                 }
3571                 inet->port = g_strdup_printf(
3572                     "%d", displaynum + 5700);
3573                 if (to) {
3574                     inet->has_to = true;
3575                     inet->to = to + 5700;
3576                 }
3577             } else {
3578                 inet->port = g_strdup(port);
3579             }
3580         } else {
3581             int offset = reverse ? 0 : 5900;
3582             if (parse_uint_full(port, &baseport, 10) < 0) {
3583                 error_setg(errp, "can't convert to a number: %s", port);
3584                 goto cleanup;
3585             }
3586             if (baseport > 65535 ||
3587                 baseport + offset > 65535) {
3588                 error_setg(errp, "port %s out of range", port);
3589                 goto cleanup;
3590             }
3591             inet->port = g_strdup_printf(
3592                 "%d", (int)baseport + offset);
3593 
3594             if (to) {
3595                 inet->has_to = true;
3596                 inet->to = to + offset;
3597             }
3598         }
3599 
3600         inet->ipv4 = ipv4;
3601         inet->has_ipv4 = has_ipv4;
3602         inet->ipv6 = ipv6;
3603         inet->has_ipv6 = has_ipv6;
3604 
3605         ret = baseport;
3606     }
3607 
3608     *retaddr = addr;
3609 
3610  cleanup:
3611     if (ret < 0) {
3612         qapi_free_SocketAddress(addr);
3613     }
3614     return ret;
3615 }
3616 
3617 static void vnc_free_addresses(SocketAddress ***retsaddr,
3618                                size_t *retnsaddr)
3619 {
3620     size_t i;
3621 
3622     for (i = 0; i < *retnsaddr; i++) {
3623         qapi_free_SocketAddress((*retsaddr)[i]);
3624     }
3625     g_free(*retsaddr);
3626 
3627     *retsaddr = NULL;
3628     *retnsaddr = 0;
3629 }
3630 
3631 static int vnc_display_get_addresses(QemuOpts *opts,
3632                                      bool reverse,
3633                                      SocketAddress ***retsaddr,
3634                                      size_t *retnsaddr,
3635                                      SocketAddress ***retwsaddr,
3636                                      size_t *retnwsaddr,
3637                                      Error **errp)
3638 {
3639     SocketAddress *saddr = NULL;
3640     SocketAddress *wsaddr = NULL;
3641     QemuOptsIter addriter;
3642     const char *addr;
3643     int to = qemu_opt_get_number(opts, "to", 0);
3644     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3645     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3646     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3647     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3648     int displaynum = -1;
3649     int ret = -1;
3650 
3651     *retsaddr = NULL;
3652     *retnsaddr = 0;
3653     *retwsaddr = NULL;
3654     *retnwsaddr = 0;
3655 
3656     addr = qemu_opt_get(opts, "vnc");
3657     if (addr == NULL || g_str_equal(addr, "none")) {
3658         ret = 0;
3659         goto cleanup;
3660     }
3661     if (qemu_opt_get(opts, "websocket") &&
3662         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3663         error_setg(errp,
3664                    "SHA1 hash support is required for websockets");
3665         goto cleanup;
3666     }
3667 
3668     qemu_opt_iter_init(&addriter, opts, "vnc");
3669     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3670         int rv;
3671         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3672                                      has_ipv4, has_ipv6,
3673                                      ipv4, ipv6,
3674                                      &saddr, errp);
3675         if (rv < 0) {
3676             goto cleanup;
3677         }
3678         /* Historical compat - first listen address can be used
3679          * to set the default websocket port
3680          */
3681         if (displaynum == -1) {
3682             displaynum = rv;
3683         }
3684         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3685         (*retsaddr)[(*retnsaddr)++] = saddr;
3686     }
3687 
3688     /* If we had multiple primary displays, we don't do defaults
3689      * for websocket, and require explicit config instead. */
3690     if (*retnsaddr > 1) {
3691         displaynum = -1;
3692     }
3693 
3694     qemu_opt_iter_init(&addriter, opts, "websocket");
3695     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3696         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3697                                     has_ipv4, has_ipv6,
3698                                     ipv4, ipv6,
3699                                     &wsaddr, errp) < 0) {
3700             goto cleanup;
3701         }
3702 
3703         /* Historical compat - if only a single listen address was
3704          * provided, then this is used to set the default listen
3705          * address for websocket too
3706          */
3707         if (*retnsaddr == 1 &&
3708             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3709             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3710             g_str_equal(wsaddr->u.inet.host, "") &&
3711             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3712             g_free(wsaddr->u.inet.host);
3713             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3714         }
3715 
3716         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3717         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3718     }
3719 
3720     ret = 0;
3721  cleanup:
3722     if (ret < 0) {
3723         vnc_free_addresses(retsaddr, retnsaddr);
3724         vnc_free_addresses(retwsaddr, retnwsaddr);
3725     }
3726     return ret;
3727 }
3728 
3729 static int vnc_display_connect(VncDisplay *vd,
3730                                SocketAddress **saddr,
3731                                size_t nsaddr,
3732                                SocketAddress **wsaddr,
3733                                size_t nwsaddr,
3734                                Error **errp)
3735 {
3736     /* connect to viewer */
3737     QIOChannelSocket *sioc = NULL;
3738     if (nwsaddr != 0) {
3739         error_setg(errp, "Cannot use websockets in reverse mode");
3740         return -1;
3741     }
3742     if (nsaddr != 1) {
3743         error_setg(errp, "Expected a single address in reverse mode");
3744         return -1;
3745     }
3746     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3747     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3748     sioc = qio_channel_socket_new();
3749     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3750     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3751         return -1;
3752     }
3753     vnc_connect(vd, sioc, false, false);
3754     object_unref(OBJECT(sioc));
3755     return 0;
3756 }
3757 
3758 
3759 static int vnc_display_listen(VncDisplay *vd,
3760                               SocketAddress **saddr,
3761                               size_t nsaddr,
3762                               SocketAddress **wsaddr,
3763                               size_t nwsaddr,
3764                               Error **errp)
3765 {
3766     size_t i;
3767 
3768     if (nsaddr) {
3769         vd->listener = qio_net_listener_new();
3770         qio_net_listener_set_name(vd->listener, "vnc-listen");
3771         for (i = 0; i < nsaddr; i++) {
3772             if (qio_net_listener_open_sync(vd->listener,
3773                                            saddr[i], 1,
3774                                            errp) < 0)  {
3775                 return -1;
3776             }
3777         }
3778 
3779         qio_net_listener_set_client_func(vd->listener,
3780                                          vnc_listen_io, vd, NULL);
3781     }
3782 
3783     if (nwsaddr) {
3784         vd->wslistener = qio_net_listener_new();
3785         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3786         for (i = 0; i < nwsaddr; i++) {
3787             if (qio_net_listener_open_sync(vd->wslistener,
3788                                            wsaddr[i], 1,
3789                                            errp) < 0)  {
3790                 return -1;
3791             }
3792         }
3793 
3794         qio_net_listener_set_client_func(vd->wslistener,
3795                                          vnc_listen_io, vd, NULL);
3796     }
3797 
3798     return 0;
3799 }
3800 
3801 
3802 void vnc_display_open(const char *id, Error **errp)
3803 {
3804     VncDisplay *vd = vnc_display_find(id);
3805     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3806     SocketAddress **saddr = NULL, **wsaddr = NULL;
3807     size_t nsaddr, nwsaddr;
3808     const char *share, *device_id;
3809     QemuConsole *con;
3810     bool password = false;
3811     bool reverse = false;
3812     const char *credid;
3813     bool sasl = false;
3814     int acl = 0;
3815     const char *tlsauthz;
3816     const char *saslauthz;
3817     int lock_key_sync = 1;
3818     int key_delay_ms;
3819     const char *audiodev;
3820 
3821     if (!vd) {
3822         error_setg(errp, "VNC display not active");
3823         return;
3824     }
3825     vnc_display_close(vd);
3826 
3827     if (!opts) {
3828         return;
3829     }
3830 
3831     reverse = qemu_opt_get_bool(opts, "reverse", false);
3832     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3833                                   &wsaddr, &nwsaddr, errp) < 0) {
3834         goto fail;
3835     }
3836 
3837     password = qemu_opt_get_bool(opts, "password", false);
3838     if (password) {
3839         if (fips_get_state()) {
3840             error_setg(errp,
3841                        "VNC password auth disabled due to FIPS mode, "
3842                        "consider using the VeNCrypt or SASL authentication "
3843                        "methods as an alternative");
3844             goto fail;
3845         }
3846         if (!qcrypto_cipher_supports(
3847                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3848             error_setg(errp,
3849                        "Cipher backend does not support DES RFB algorithm");
3850             goto fail;
3851         }
3852     }
3853 
3854     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3855     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3856     sasl = qemu_opt_get_bool(opts, "sasl", false);
3857 #ifndef CONFIG_VNC_SASL
3858     if (sasl) {
3859         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3860         goto fail;
3861     }
3862 #endif /* CONFIG_VNC_SASL */
3863     credid = qemu_opt_get(opts, "tls-creds");
3864     if (credid) {
3865         Object *creds;
3866         creds = object_resolve_path_component(
3867             object_get_objects_root(), credid);
3868         if (!creds) {
3869             error_setg(errp, "No TLS credentials with id '%s'",
3870                        credid);
3871             goto fail;
3872         }
3873         vd->tlscreds = (QCryptoTLSCreds *)
3874             object_dynamic_cast(creds,
3875                                 TYPE_QCRYPTO_TLS_CREDS);
3876         if (!vd->tlscreds) {
3877             error_setg(errp, "Object with id '%s' is not TLS credentials",
3878                        credid);
3879             goto fail;
3880         }
3881         object_ref(OBJECT(vd->tlscreds));
3882 
3883         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3884             error_setg(errp,
3885                        "Expecting TLS credentials with a server endpoint");
3886             goto fail;
3887         }
3888     }
3889     if (qemu_opt_get(opts, "acl")) {
3890         error_report("The 'acl' option to -vnc is deprecated. "
3891                      "Please use the 'tls-authz' and 'sasl-authz' "
3892                      "options instead");
3893     }
3894     acl = qemu_opt_get_bool(opts, "acl", false);
3895     tlsauthz = qemu_opt_get(opts, "tls-authz");
3896     if (acl && tlsauthz) {
3897         error_setg(errp, "'acl' option is mutually exclusive with the "
3898                    "'tls-authz' option");
3899         goto fail;
3900     }
3901     if (tlsauthz && !vd->tlscreds) {
3902         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3903         goto fail;
3904     }
3905 
3906     saslauthz = qemu_opt_get(opts, "sasl-authz");
3907     if (acl && saslauthz) {
3908         error_setg(errp, "'acl' option is mutually exclusive with the "
3909                    "'sasl-authz' option");
3910         goto fail;
3911     }
3912     if (saslauthz && !sasl) {
3913         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3914         goto fail;
3915     }
3916 
3917     share = qemu_opt_get(opts, "share");
3918     if (share) {
3919         if (strcmp(share, "ignore") == 0) {
3920             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3921         } else if (strcmp(share, "allow-exclusive") == 0) {
3922             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3923         } else if (strcmp(share, "force-shared") == 0) {
3924             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3925         } else {
3926             error_setg(errp, "unknown vnc share= option");
3927             goto fail;
3928         }
3929     } else {
3930         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3931     }
3932     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3933 
3934 #ifdef CONFIG_VNC_JPEG
3935     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3936 #endif
3937     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3938     /* adaptive updates are only used with tight encoding and
3939      * if lossy updates are enabled so we can disable all the
3940      * calculations otherwise */
3941     if (!vd->lossy) {
3942         vd->non_adaptive = true;
3943     }
3944 
3945     if (tlsauthz) {
3946         vd->tlsauthzid = g_strdup(tlsauthz);
3947     } else if (acl) {
3948         if (strcmp(vd->id, "default") == 0) {
3949             vd->tlsauthzid = g_strdup("vnc.x509dname");
3950         } else {
3951             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3952         }
3953         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3954                                               QAUTHZ_LIST_POLICY_DENY,
3955                                               &error_abort));
3956     }
3957 #ifdef CONFIG_VNC_SASL
3958     if (sasl) {
3959         if (saslauthz) {
3960             vd->sasl.authzid = g_strdup(saslauthz);
3961         } else if (acl) {
3962             if (strcmp(vd->id, "default") == 0) {
3963                 vd->sasl.authzid = g_strdup("vnc.username");
3964             } else {
3965                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3966             }
3967             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3968                                                     QAUTHZ_LIST_POLICY_DENY,
3969                                                     &error_abort));
3970         }
3971     }
3972 #endif
3973 
3974     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3975                                vd->tlscreds, password,
3976                                sasl, false, errp) < 0) {
3977         goto fail;
3978     }
3979     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3980 
3981     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3982                                vd->tlscreds, password,
3983                                sasl, true, errp) < 0) {
3984         goto fail;
3985     }
3986     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3987 
3988 #ifdef CONFIG_VNC_SASL
3989     if (sasl) {
3990         int saslErr = sasl_server_init(NULL, "qemu");
3991 
3992         if (saslErr != SASL_OK) {
3993             error_setg(errp, "Failed to initialize SASL auth: %s",
3994                        sasl_errstring(saslErr, NULL, NULL));
3995             goto fail;
3996         }
3997     }
3998 #endif
3999     vd->lock_key_sync = lock_key_sync;
4000     if (lock_key_sync) {
4001         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4002     }
4003     vd->ledstate = 0;
4004 
4005     audiodev = qemu_opt_get(opts, "audiodev");
4006     if (audiodev) {
4007         vd->audio_state = audio_state_by_name(audiodev);
4008         if (!vd->audio_state) {
4009             error_setg(errp, "Audiodev '%s' not found", audiodev);
4010             goto fail;
4011         }
4012     }
4013 
4014     device_id = qemu_opt_get(opts, "display");
4015     if (device_id) {
4016         int head = qemu_opt_get_number(opts, "head", 0);
4017         Error *err = NULL;
4018 
4019         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4020         if (err) {
4021             error_propagate(errp, err);
4022             goto fail;
4023         }
4024     } else {
4025         con = NULL;
4026     }
4027 
4028     if (con != vd->dcl.con) {
4029         qkbd_state_free(vd->kbd);
4030         unregister_displaychangelistener(&vd->dcl);
4031         vd->dcl.con = con;
4032         register_displaychangelistener(&vd->dcl);
4033         vd->kbd = qkbd_state_init(vd->dcl.con);
4034     }
4035     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4036 
4037     if (saddr == NULL) {
4038         goto cleanup;
4039     }
4040 
4041     if (reverse) {
4042         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4043             goto fail;
4044         }
4045     } else {
4046         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4047             goto fail;
4048         }
4049     }
4050 
4051     if (qemu_opt_get(opts, "to")) {
4052         vnc_display_print_local_addr(vd);
4053     }
4054 
4055  cleanup:
4056     vnc_free_addresses(&saddr, &nsaddr);
4057     vnc_free_addresses(&wsaddr, &nwsaddr);
4058     return;
4059 
4060 fail:
4061     vnc_display_close(vd);
4062     goto cleanup;
4063 }
4064 
4065 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4066 {
4067     VncDisplay *vd = vnc_display_find(id);
4068     QIOChannelSocket *sioc;
4069 
4070     if (!vd) {
4071         return;
4072     }
4073 
4074     sioc = qio_channel_socket_new_fd(csock, NULL);
4075     if (sioc) {
4076         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4077         vnc_connect(vd, sioc, skipauth, false);
4078         object_unref(OBJECT(sioc));
4079     }
4080 }
4081 
4082 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4083 {
4084     int i = 2;
4085     char *id;
4086 
4087     id = g_strdup("default");
4088     while (qemu_opts_find(olist, id)) {
4089         g_free(id);
4090         id = g_strdup_printf("vnc%d", i++);
4091     }
4092     qemu_opts_set_id(opts, id);
4093 }
4094 
4095 QemuOpts *vnc_parse(const char *str, Error **errp)
4096 {
4097     QemuOptsList *olist = qemu_find_opts("vnc");
4098     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4099     const char *id;
4100 
4101     if (!opts) {
4102         return NULL;
4103     }
4104 
4105     id = qemu_opts_id(opts);
4106     if (!id) {
4107         /* auto-assign id if not present */
4108         vnc_auto_assign_id(olist, opts);
4109     }
4110     return opts;
4111 }
4112 
4113 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4114 {
4115     Error *local_err = NULL;
4116     char *id = (char *)qemu_opts_id(opts);
4117 
4118     assert(id);
4119     vnc_display_init(id, &local_err);
4120     if (local_err) {
4121         error_propagate(errp, local_err);
4122         return -1;
4123     }
4124     vnc_display_open(id, &local_err);
4125     if (local_err != NULL) {
4126         error_propagate(errp, local_err);
4127         return -1;
4128     }
4129     return 0;
4130 }
4131 
4132 static void vnc_register_config(void)
4133 {
4134     qemu_add_opts(&qemu_vnc_opts);
4135 }
4136 opts_init(vnc_register_config);
4137