xref: /openbmc/qemu/ui/vnc.c (revision 18736a21)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscreds.h"
49 #include "crypto/tlscredsanon.h"
50 #include "crypto/tlscredsx509.h"
51 #include "crypto/random.h"
52 #include "crypto/secret_common.h"
53 #include "qom/object_interfaces.h"
54 #include "qemu/cutils.h"
55 #include "qemu/help_option.h"
56 #include "io/dns-resolver.h"
57 #include "monitor/monitor.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->auth = g_strdup(vnc_auth_name(vd));
248     if (err) {
249         qapi_free_VncServerInfo(info);
250         info = NULL;
251         error_free(err);
252     }
253     return info;
254 }
255 
256 static void vnc_client_cache_auth(VncState *client)
257 {
258     if (!client->info) {
259         return;
260     }
261 
262     if (client->tls) {
263         client->info->x509_dname =
264             qcrypto_tls_session_get_peer_name(client->tls);
265     }
266 #ifdef CONFIG_VNC_SASL
267     if (client->sasl.conn &&
268         client->sasl.username) {
269         client->info->sasl_username = g_strdup(client->sasl.username);
270     }
271 #endif
272 }
273 
274 static void vnc_client_cache_addr(VncState *client)
275 {
276     Error *err = NULL;
277 
278     client->info = g_malloc0(sizeof(*client->info));
279     vnc_init_basic_info_from_remote_addr(client->sioc,
280                                          qapi_VncClientInfo_base(client->info),
281                                          &err);
282     client->info->websocket = client->websocket;
283     if (err) {
284         qapi_free_VncClientInfo(client->info);
285         client->info = NULL;
286         error_free(err);
287     }
288 }
289 
290 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
291 {
292     VncServerInfo *si;
293 
294     if (!vs->info) {
295         return;
296     }
297 
298     si = vnc_server_info_get(vs->vd);
299     if (!si) {
300         return;
301     }
302 
303     switch (event) {
304     case QAPI_EVENT_VNC_CONNECTED:
305         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
306         break;
307     case QAPI_EVENT_VNC_INITIALIZED:
308         qapi_event_send_vnc_initialized(si, vs->info);
309         break;
310     case QAPI_EVENT_VNC_DISCONNECTED:
311         qapi_event_send_vnc_disconnected(si, vs->info);
312         break;
313     default:
314         break;
315     }
316 
317     qapi_free_VncServerInfo(si);
318 }
319 
320 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
321 {
322     VncClientInfo *info;
323     Error *err = NULL;
324 
325     info = g_malloc0(sizeof(*info));
326 
327     vnc_init_basic_info_from_remote_addr(client->sioc,
328                                          qapi_VncClientInfo_base(info),
329                                          &err);
330     if (err) {
331         error_free(err);
332         qapi_free_VncClientInfo(info);
333         return NULL;
334     }
335 
336     info->websocket = client->websocket;
337 
338     if (client->tls) {
339         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->sasl_username = g_strdup(client->sasl.username);
344     }
345 #endif
346 
347     return info;
348 }
349 
350 static VncDisplay *vnc_display_find(const char *id)
351 {
352     VncDisplay *vd;
353 
354     if (id == NULL) {
355         return QTAILQ_FIRST(&vnc_displays);
356     }
357     QTAILQ_FOREACH(vd, &vnc_displays, next) {
358         if (strcmp(id, vd->id) == 0) {
359             return vd;
360         }
361     }
362     return NULL;
363 }
364 
365 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
366 {
367     VncClientInfoList *prev = NULL;
368     VncState *client;
369 
370     QTAILQ_FOREACH(client, &vd->clients, next) {
371         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
372     }
373     return prev;
374 }
375 
376 VncInfo *qmp_query_vnc(Error **errp)
377 {
378     VncInfo *info = g_malloc0(sizeof(*info));
379     VncDisplay *vd = vnc_display_find(NULL);
380     SocketAddress *addr = NULL;
381 
382     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
383         info->enabled = false;
384     } else {
385         info->enabled = true;
386 
387         /* for compatibility with the original command */
388         info->has_clients = true;
389         info->clients = qmp_query_client_list(vd);
390 
391         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
392                                                     errp);
393         if (!addr) {
394             goto out_error;
395         }
396 
397         switch (addr->type) {
398         case SOCKET_ADDRESS_TYPE_INET:
399             info->host = g_strdup(addr->u.inet.host);
400             info->service = g_strdup(addr->u.inet.port);
401             if (addr->u.inet.ipv6) {
402                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
403             } else {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
405             }
406             break;
407 
408         case SOCKET_ADDRESS_TYPE_UNIX:
409             info->host = g_strdup("");
410             info->service = g_strdup(addr->u.q_unix.path);
411             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_VSOCK:
415         case SOCKET_ADDRESS_TYPE_FD:
416             error_setg(errp, "Unsupported socket address type %s",
417                        SocketAddressType_str(addr->type));
418             goto out_error;
419         default:
420             abort();
421         }
422 
423         info->has_family = true;
424 
425         info->auth = g_strdup(vnc_auth_name(vd));
426     }
427 
428     qapi_free_SocketAddress(addr);
429     return info;
430 
431 out_error:
432     qapi_free_SocketAddress(addr);
433     qapi_free_VncInfo(info);
434     return NULL;
435 }
436 
437 
438 static void qmp_query_auth(int auth, int subauth,
439                            VncPrimaryAuth *qmp_auth,
440                            VncVencryptSubAuth *qmp_vencrypt,
441                            bool *qmp_has_vencrypt);
442 
443 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
444                                                   bool websocket,
445                                                   int auth,
446                                                   int subauth,
447                                                   VncServerInfo2List *prev)
448 {
449     VncServerInfo2 *info;
450     Error *err = NULL;
451     SocketAddress *addr;
452 
453     addr = qio_channel_socket_get_local_address(ioc, NULL);
454     if (!addr) {
455         return prev;
456     }
457 
458     info = g_new0(VncServerInfo2, 1);
459     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
460     qapi_free_SocketAddress(addr);
461     if (err) {
462         qapi_free_VncServerInfo2(info);
463         error_free(err);
464         return prev;
465     }
466     info->websocket = websocket;
467 
468     qmp_query_auth(auth, subauth, &info->auth,
469                    &info->vencrypt, &info->has_vencrypt);
470 
471     QAPI_LIST_PREPEND(prev, info);
472     return prev;
473 }
474 
475 static void qmp_query_auth(int auth, int subauth,
476                            VncPrimaryAuth *qmp_auth,
477                            VncVencryptSubAuth *qmp_vencrypt,
478                            bool *qmp_has_vencrypt)
479 {
480     switch (auth) {
481     case VNC_AUTH_VNC:
482         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
483         break;
484     case VNC_AUTH_RA2:
485         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
486         break;
487     case VNC_AUTH_RA2NE:
488         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
489         break;
490     case VNC_AUTH_TIGHT:
491         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
492         break;
493     case VNC_AUTH_ULTRA:
494         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
495         break;
496     case VNC_AUTH_TLS:
497         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
498         break;
499     case VNC_AUTH_VENCRYPT:
500         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
501         *qmp_has_vencrypt = true;
502         switch (subauth) {
503         case VNC_AUTH_VENCRYPT_PLAIN:
504             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
505             break;
506         case VNC_AUTH_VENCRYPT_TLSNONE:
507             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
508             break;
509         case VNC_AUTH_VENCRYPT_TLSVNC:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSPLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_X509NONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_X509VNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_X509PLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_TLSSASL:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
526             break;
527         case VNC_AUTH_VENCRYPT_X509SASL:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
529             break;
530         default:
531             *qmp_has_vencrypt = false;
532             break;
533         }
534         break;
535     case VNC_AUTH_SASL:
536         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
537         break;
538     case VNC_AUTH_NONE:
539     default:
540         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
541         break;
542     }
543 }
544 
545 VncInfo2List *qmp_query_vnc_servers(Error **errp)
546 {
547     VncInfo2List *prev = NULL;
548     VncInfo2 *info;
549     VncDisplay *vd;
550     DeviceState *dev;
551     size_t i;
552 
553     QTAILQ_FOREACH(vd, &vnc_displays, next) {
554         info = g_new0(VncInfo2, 1);
555         info->id = g_strdup(vd->id);
556         info->clients = qmp_query_client_list(vd);
557         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
558                        &info->vencrypt, &info->has_vencrypt);
559         if (vd->dcl.con) {
560             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
561                                                   "device", &error_abort));
562             info->display = g_strdup(dev->id);
563         }
564         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
565             info->server = qmp_query_server_entry(
566                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
567                 info->server);
568         }
569         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
570             info->server = qmp_query_server_entry(
571                 vd->wslistener->sioc[i], true, vd->ws_auth,
572                 vd->ws_subauth, info->server);
573         }
574 
575         QAPI_LIST_PREPEND(prev, info);
576     }
577     return prev;
578 }
579 
580 bool vnc_display_reload_certs(const char *id, Error **errp)
581 {
582     VncDisplay *vd = vnc_display_find(id);
583     QCryptoTLSCredsClass *creds = NULL;
584 
585     if (!vd) {
586         error_setg(errp, "Can not find vnc display");
587         return false;
588     }
589 
590     if (!vd->tlscreds) {
591         error_setg(errp, "vnc tls is not enabled");
592         return false;
593     }
594 
595     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
596     if (creds->reload == NULL) {
597         error_setg(errp, "%s doesn't support to reload TLS credential",
598                    object_get_typename(OBJECT(vd->tlscreds)));
599         return false;
600     }
601     if (!creds->reload(vd->tlscreds, errp)) {
602         return false;
603     }
604 
605     return true;
606 }
607 
608 /* TODO
609    1) Get the queue working for IO.
610    2) there is some weirdness when using the -S option (the screen is grey
611       and not totally invalidated
612    3) resolutions > 1024
613 */
614 
615 static int vnc_update_client(VncState *vs, int has_dirty);
616 static void vnc_disconnect_start(VncState *vs);
617 
618 static void vnc_colordepth(VncState *vs);
619 static void framebuffer_update_request(VncState *vs, int incremental,
620                                        int x_position, int y_position,
621                                        int w, int h);
622 static void vnc_refresh(DisplayChangeListener *dcl);
623 static int vnc_refresh_server_surface(VncDisplay *vd);
624 
625 static int vnc_width(VncDisplay *vd)
626 {
627     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
628                                        VNC_DIRTY_PIXELS_PER_BIT));
629 }
630 
631 static int vnc_true_width(VncDisplay *vd)
632 {
633     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
634 }
635 
636 static int vnc_height(VncDisplay *vd)
637 {
638     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
639 }
640 
641 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
642                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
643                                VncDisplay *vd,
644                                int x, int y, int w, int h)
645 {
646     int width = vnc_width(vd);
647     int height = vnc_height(vd);
648 
649     /* this is needed this to ensure we updated all affected
650      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
651     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
652     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
653 
654     x = MIN(x, width);
655     y = MIN(y, height);
656     w = MIN(x + w, width) - x;
657     h = MIN(y + h, height);
658 
659     for (; y < h; y++) {
660         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
661                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
662     }
663 }
664 
665 static void vnc_dpy_update(DisplayChangeListener *dcl,
666                            int x, int y, int w, int h)
667 {
668     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
669     struct VncSurface *s = &vd->guest;
670 
671     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
672 }
673 
674 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
675                             int32_t encoding)
676 {
677     vnc_write_u16(vs, x);
678     vnc_write_u16(vs, y);
679     vnc_write_u16(vs, w);
680     vnc_write_u16(vs, h);
681 
682     vnc_write_s32(vs, encoding);
683 }
684 
685 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
686 {
687     trace_vnc_msg_server_ext_desktop_resize(
688         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
689 
690     vnc_lock_output(vs);
691     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
692     vnc_write_u8(vs, 0);
693     vnc_write_u16(vs, 1); /* number of rects */
694     vnc_framebuffer_update(vs,
695                            reject_reason ? 1 : 0,
696                            reject_reason,
697                            vs->client_width, vs->client_height,
698                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
699     vnc_write_u8(vs, 1);  /* number of screens */
700     vnc_write_u8(vs, 0);  /* padding */
701     vnc_write_u8(vs, 0);  /* padding */
702     vnc_write_u8(vs, 0);  /* padding */
703     vnc_write_u32(vs, 0); /* screen id */
704     vnc_write_u16(vs, 0); /* screen x-pos */
705     vnc_write_u16(vs, 0); /* screen y-pos */
706     vnc_write_u16(vs, vs->client_width);
707     vnc_write_u16(vs, vs->client_height);
708     vnc_write_u32(vs, 0); /* screen flags */
709     vnc_unlock_output(vs);
710     vnc_flush(vs);
711 }
712 
713 static void vnc_desktop_resize(VncState *vs)
714 {
715     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
716                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
717         return;
718     }
719     if (vs->client_width == vs->vd->true_width &&
720         vs->client_height == pixman_image_get_height(vs->vd->server)) {
721         return;
722     }
723 
724     assert(vs->vd->true_width < 65536 &&
725            vs->vd->true_width >= 0);
726     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
727            pixman_image_get_height(vs->vd->server) >= 0);
728     vs->client_width = vs->vd->true_width;
729     vs->client_height = pixman_image_get_height(vs->vd->server);
730 
731     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
732         vnc_desktop_resize_ext(vs, 0);
733         return;
734     }
735 
736     trace_vnc_msg_server_desktop_resize(
737         vs, vs->ioc, vs->client_width, vs->client_height);
738 
739     vnc_lock_output(vs);
740     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
741     vnc_write_u8(vs, 0);
742     vnc_write_u16(vs, 1); /* number of rects */
743     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
744                            VNC_ENCODING_DESKTOPRESIZE);
745     vnc_unlock_output(vs);
746     vnc_flush(vs);
747 }
748 
749 static void vnc_abort_display_jobs(VncDisplay *vd)
750 {
751     VncState *vs;
752 
753     QTAILQ_FOREACH(vs, &vd->clients, next) {
754         vnc_lock_output(vs);
755         vs->abort = true;
756         vnc_unlock_output(vs);
757     }
758     QTAILQ_FOREACH(vs, &vd->clients, next) {
759         vnc_jobs_join(vs);
760     }
761     QTAILQ_FOREACH(vs, &vd->clients, next) {
762         vnc_lock_output(vs);
763         if (vs->update == VNC_STATE_UPDATE_NONE &&
764             vs->job_update != VNC_STATE_UPDATE_NONE) {
765             /* job aborted before completion */
766             vs->update = vs->job_update;
767             vs->job_update = VNC_STATE_UPDATE_NONE;
768         }
769         vs->abort = false;
770         vnc_unlock_output(vs);
771     }
772 }
773 
774 int vnc_server_fb_stride(VncDisplay *vd)
775 {
776     return pixman_image_get_stride(vd->server);
777 }
778 
779 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
780 {
781     uint8_t *ptr;
782 
783     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
784     ptr += y * vnc_server_fb_stride(vd);
785     ptr += x * VNC_SERVER_FB_BYTES;
786     return ptr;
787 }
788 
789 static void vnc_update_server_surface(VncDisplay *vd)
790 {
791     int width, height;
792 
793     qemu_pixman_image_unref(vd->server);
794     vd->server = NULL;
795 
796     if (QTAILQ_EMPTY(&vd->clients)) {
797         return;
798     }
799 
800     width = vnc_width(vd);
801     height = vnc_height(vd);
802     vd->true_width = vnc_true_width(vd);
803     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
804                                           width, height,
805                                           NULL, 0);
806 
807     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
808     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
809                        width, height);
810 }
811 
812 static bool vnc_check_pageflip(DisplaySurface *s1,
813                                DisplaySurface *s2)
814 {
815     return (s1 != NULL &&
816             s2 != NULL &&
817             surface_width(s1) == surface_width(s2) &&
818             surface_height(s1) == surface_height(s2) &&
819             surface_format(s1) == surface_format(s2));
820 
821 }
822 
823 static void vnc_dpy_switch(DisplayChangeListener *dcl,
824                            DisplaySurface *surface)
825 {
826     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
827     bool pageflip = vnc_check_pageflip(vd->ds, surface);
828     VncState *vs;
829 
830     vnc_abort_display_jobs(vd);
831     vd->ds = surface;
832 
833     /* guest surface */
834     qemu_pixman_image_unref(vd->guest.fb);
835     vd->guest.fb = pixman_image_ref(surface->image);
836     vd->guest.format = surface_format(surface);
837 
838 
839     if (pageflip) {
840         trace_vnc_server_dpy_pageflip(vd,
841                                       surface_width(surface),
842                                       surface_height(surface),
843                                       surface_format(surface));
844         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
845                            surface_width(surface),
846                            surface_height(surface));
847         return;
848     }
849 
850     trace_vnc_server_dpy_recreate(vd,
851                                   surface_width(surface),
852                                   surface_height(surface),
853                                   surface_format(surface));
854     /* server surface */
855     vnc_update_server_surface(vd);
856 
857     QTAILQ_FOREACH(vs, &vd->clients, next) {
858         vnc_colordepth(vs);
859         vnc_desktop_resize(vs);
860         vnc_cursor_define(vs);
861         memset(vs->dirty, 0x00, sizeof(vs->dirty));
862         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
863                            vnc_width(vd),
864                            vnc_height(vd));
865         vnc_update_throttle_offset(vs);
866     }
867 }
868 
869 /* fastest code */
870 static void vnc_write_pixels_copy(VncState *vs,
871                                   void *pixels, int size)
872 {
873     vnc_write(vs, pixels, size);
874 }
875 
876 /* slowest but generic code. */
877 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
878 {
879     uint8_t r, g, b;
880 
881 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
882     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
883     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
884     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
885 #else
886 # error need some bits here if you change VNC_SERVER_FB_FORMAT
887 #endif
888     v = (r << vs->client_pf.rshift) |
889         (g << vs->client_pf.gshift) |
890         (b << vs->client_pf.bshift);
891     switch (vs->client_pf.bytes_per_pixel) {
892     case 1:
893         buf[0] = v;
894         break;
895     case 2:
896         if (vs->client_be) {
897             buf[0] = v >> 8;
898             buf[1] = v;
899         } else {
900             buf[1] = v >> 8;
901             buf[0] = v;
902         }
903         break;
904     default:
905     case 4:
906         if (vs->client_be) {
907             buf[0] = v >> 24;
908             buf[1] = v >> 16;
909             buf[2] = v >> 8;
910             buf[3] = v;
911         } else {
912             buf[3] = v >> 24;
913             buf[2] = v >> 16;
914             buf[1] = v >> 8;
915             buf[0] = v;
916         }
917         break;
918     }
919 }
920 
921 static void vnc_write_pixels_generic(VncState *vs,
922                                      void *pixels1, int size)
923 {
924     uint8_t buf[4];
925 
926     if (VNC_SERVER_FB_BYTES == 4) {
927         uint32_t *pixels = pixels1;
928         int n, i;
929         n = size >> 2;
930         for (i = 0; i < n; i++) {
931             vnc_convert_pixel(vs, buf, pixels[i]);
932             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
933         }
934     }
935 }
936 
937 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
938 {
939     int i;
940     uint8_t *row;
941     VncDisplay *vd = vs->vd;
942 
943     row = vnc_server_fb_ptr(vd, x, y);
944     for (i = 0; i < h; i++) {
945         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
946         row += vnc_server_fb_stride(vd);
947     }
948     return 1;
949 }
950 
951 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
952 {
953     int n = 0;
954 
955     switch(vs->vnc_encoding) {
956         case VNC_ENCODING_ZLIB:
957             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
958             break;
959         case VNC_ENCODING_HEXTILE:
960             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
961             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
962             break;
963         case VNC_ENCODING_TIGHT:
964             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
965             break;
966         case VNC_ENCODING_TIGHT_PNG:
967             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_ZRLE:
970             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
971             break;
972         case VNC_ENCODING_ZYWRLE:
973             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
974             break;
975         default:
976             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
977             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
978             break;
979     }
980     return n;
981 }
982 
983 static void vnc_mouse_set(DisplayChangeListener *dcl,
984                           int x, int y, int visible)
985 {
986     /* can we ask the client(s) to move the pointer ??? */
987 }
988 
989 static int vnc_cursor_define(VncState *vs)
990 {
991     QEMUCursor *c = qemu_console_get_cursor(vs->vd->dcl.con);
992     int isize;
993 
994     if (!c) {
995         return -1;
996     }
997 
998     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
999         vnc_lock_output(vs);
1000         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1001         vnc_write_u8(vs,  0);  /*  padding     */
1002         vnc_write_u16(vs, 1);  /*  # of rects  */
1003         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1004                                VNC_ENCODING_ALPHA_CURSOR);
1005         vnc_write_s32(vs, VNC_ENCODING_RAW);
1006         vnc_write(vs, c->data, c->width * c->height * 4);
1007         vnc_unlock_output(vs);
1008         return 0;
1009     }
1010     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1011         vnc_lock_output(vs);
1012         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1013         vnc_write_u8(vs,  0);  /*  padding     */
1014         vnc_write_u16(vs, 1);  /*  # of rects  */
1015         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1016                                VNC_ENCODING_RICH_CURSOR);
1017         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1018         vnc_write_pixels_generic(vs, c->data, isize);
1019         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1020         vnc_unlock_output(vs);
1021         return 0;
1022     }
1023     return -1;
1024 }
1025 
1026 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1027                                   QEMUCursor *c)
1028 {
1029     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1030     VncState *vs;
1031 
1032     g_free(vd->cursor_mask);
1033     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1034     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1035     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1036 
1037     QTAILQ_FOREACH(vs, &vd->clients, next) {
1038         vnc_cursor_define(vs);
1039     }
1040 }
1041 
1042 static int find_and_clear_dirty_height(VncState *vs,
1043                                        int y, int last_x, int x, int height)
1044 {
1045     int h;
1046 
1047     for (h = 1; h < (height - y); h++) {
1048         if (!test_bit(last_x, vs->dirty[y + h])) {
1049             break;
1050         }
1051         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1052     }
1053 
1054     return h;
1055 }
1056 
1057 /*
1058  * Figure out how much pending data we should allow in the output
1059  * buffer before we throttle incremental display updates, and/or
1060  * drop audio samples.
1061  *
1062  * We allow for equiv of 1 full display's worth of FB updates,
1063  * and 1 second of audio samples. If audio backlog was larger
1064  * than that the client would already suffering awful audio
1065  * glitches, so dropping samples is no worse really).
1066  */
1067 static void vnc_update_throttle_offset(VncState *vs)
1068 {
1069     size_t offset =
1070         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1071 
1072     if (vs->audio_cap) {
1073         int bps;
1074         switch (vs->as.fmt) {
1075         default:
1076         case  AUDIO_FORMAT_U8:
1077         case  AUDIO_FORMAT_S8:
1078             bps = 1;
1079             break;
1080         case  AUDIO_FORMAT_U16:
1081         case  AUDIO_FORMAT_S16:
1082             bps = 2;
1083             break;
1084         case  AUDIO_FORMAT_U32:
1085         case  AUDIO_FORMAT_S32:
1086             bps = 4;
1087             break;
1088         }
1089         offset += vs->as.freq * bps * vs->as.nchannels;
1090     }
1091 
1092     /* Put a floor of 1MB on offset, so that if we have a large pending
1093      * buffer and the display is resized to a small size & back again
1094      * we don't suddenly apply a tiny send limit
1095      */
1096     offset = MAX(offset, 1024 * 1024);
1097 
1098     if (vs->throttle_output_offset != offset) {
1099         trace_vnc_client_throttle_threshold(
1100             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1101             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1102     }
1103 
1104     vs->throttle_output_offset = offset;
1105 }
1106 
1107 static bool vnc_should_update(VncState *vs)
1108 {
1109     switch (vs->update) {
1110     case VNC_STATE_UPDATE_NONE:
1111         break;
1112     case VNC_STATE_UPDATE_INCREMENTAL:
1113         /* Only allow incremental updates if the pending send queue
1114          * is less than the permitted threshold, and the job worker
1115          * is completely idle.
1116          */
1117         if (vs->output.offset < vs->throttle_output_offset &&
1118             vs->job_update == VNC_STATE_UPDATE_NONE) {
1119             return true;
1120         }
1121         trace_vnc_client_throttle_incremental(
1122             vs, vs->ioc, vs->job_update, vs->output.offset);
1123         break;
1124     case VNC_STATE_UPDATE_FORCE:
1125         /* Only allow forced updates if the pending send queue
1126          * does not contain a previous forced update, and the
1127          * job worker is completely idle.
1128          *
1129          * Note this means we'll queue a forced update, even if
1130          * the output buffer size is otherwise over the throttle
1131          * output limit.
1132          */
1133         if (vs->force_update_offset == 0 &&
1134             vs->job_update == VNC_STATE_UPDATE_NONE) {
1135             return true;
1136         }
1137         trace_vnc_client_throttle_forced(
1138             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1139         break;
1140     }
1141     return false;
1142 }
1143 
1144 static int vnc_update_client(VncState *vs, int has_dirty)
1145 {
1146     VncDisplay *vd = vs->vd;
1147     VncJob *job;
1148     int y;
1149     int height, width;
1150     int n = 0;
1151 
1152     if (vs->disconnecting) {
1153         vnc_disconnect_finish(vs);
1154         return 0;
1155     }
1156 
1157     vs->has_dirty += has_dirty;
1158     if (!vnc_should_update(vs)) {
1159         return 0;
1160     }
1161 
1162     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1163         return 0;
1164     }
1165 
1166     /*
1167      * Send screen updates to the vnc client using the server
1168      * surface and server dirty map.  guest surface updates
1169      * happening in parallel don't disturb us, the next pass will
1170      * send them to the client.
1171      */
1172     job = vnc_job_new(vs);
1173 
1174     height = pixman_image_get_height(vd->server);
1175     width = pixman_image_get_width(vd->server);
1176 
1177     y = 0;
1178     for (;;) {
1179         int x, h;
1180         unsigned long x2;
1181         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1182                                              height * VNC_DIRTY_BPL(vs),
1183                                              y * VNC_DIRTY_BPL(vs));
1184         if (offset == height * VNC_DIRTY_BPL(vs)) {
1185             /* no more dirty bits */
1186             break;
1187         }
1188         y = offset / VNC_DIRTY_BPL(vs);
1189         x = offset % VNC_DIRTY_BPL(vs);
1190         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1191                                 VNC_DIRTY_BPL(vs), x);
1192         bitmap_clear(vs->dirty[y], x, x2 - x);
1193         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1194         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1195         if (x2 > x) {
1196             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1197                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1198         }
1199         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1200             y += h;
1201             if (y == height) {
1202                 break;
1203             }
1204         }
1205     }
1206 
1207     vs->job_update = vs->update;
1208     vs->update = VNC_STATE_UPDATE_NONE;
1209     vnc_job_push(job);
1210     vs->has_dirty = 0;
1211     return n;
1212 }
1213 
1214 /* audio */
1215 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1216 {
1217     VncState *vs = opaque;
1218 
1219     assert(vs->magic == VNC_MAGIC);
1220     switch (cmd) {
1221     case AUD_CNOTIFY_DISABLE:
1222         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1223         vnc_lock_output(vs);
1224         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1225         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1226         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1227         vnc_unlock_output(vs);
1228         vnc_flush(vs);
1229         break;
1230 
1231     case AUD_CNOTIFY_ENABLE:
1232         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1233         vnc_lock_output(vs);
1234         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1235         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1236         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1237         vnc_unlock_output(vs);
1238         vnc_flush(vs);
1239         break;
1240     }
1241 }
1242 
1243 static void audio_capture_destroy(void *opaque)
1244 {
1245 }
1246 
1247 static void audio_capture(void *opaque, const void *buf, int size)
1248 {
1249     VncState *vs = opaque;
1250 
1251     assert(vs->magic == VNC_MAGIC);
1252     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1253     vnc_lock_output(vs);
1254     if (vs->output.offset < vs->throttle_output_offset) {
1255         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1256         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1257         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1258         vnc_write_u32(vs, size);
1259         vnc_write(vs, buf, size);
1260     } else {
1261         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1262     }
1263     vnc_unlock_output(vs);
1264     vnc_flush(vs);
1265 }
1266 
1267 static void audio_add(VncState *vs)
1268 {
1269     struct audio_capture_ops ops;
1270 
1271     if (vs->audio_cap) {
1272         error_report("audio already running");
1273         return;
1274     }
1275 
1276     ops.notify = audio_capture_notify;
1277     ops.destroy = audio_capture_destroy;
1278     ops.capture = audio_capture;
1279 
1280     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1281     if (!vs->audio_cap) {
1282         error_report("Failed to add audio capture");
1283     }
1284 }
1285 
1286 static void audio_del(VncState *vs)
1287 {
1288     if (vs->audio_cap) {
1289         AUD_del_capture(vs->audio_cap, vs);
1290         vs->audio_cap = NULL;
1291     }
1292 }
1293 
1294 static void vnc_disconnect_start(VncState *vs)
1295 {
1296     if (vs->disconnecting) {
1297         return;
1298     }
1299     trace_vnc_client_disconnect_start(vs, vs->ioc);
1300     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1301     if (vs->ioc_tag) {
1302         g_source_remove(vs->ioc_tag);
1303         vs->ioc_tag = 0;
1304     }
1305     qio_channel_close(vs->ioc, NULL);
1306     vs->disconnecting = TRUE;
1307 }
1308 
1309 void vnc_disconnect_finish(VncState *vs)
1310 {
1311     int i;
1312 
1313     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1314 
1315     vnc_jobs_join(vs); /* Wait encoding jobs */
1316 
1317     vnc_lock_output(vs);
1318     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1319 
1320     buffer_free(&vs->input);
1321     buffer_free(&vs->output);
1322 
1323     qapi_free_VncClientInfo(vs->info);
1324 
1325     vnc_zlib_clear(vs);
1326     vnc_tight_clear(vs);
1327     vnc_zrle_clear(vs);
1328 
1329 #ifdef CONFIG_VNC_SASL
1330     vnc_sasl_client_cleanup(vs);
1331 #endif /* CONFIG_VNC_SASL */
1332     audio_del(vs);
1333     qkbd_state_lift_all_keys(vs->vd->kbd);
1334 
1335     if (vs->mouse_mode_notifier.notify != NULL) {
1336         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1337     }
1338     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1339     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1340         /* last client gone */
1341         vnc_update_server_surface(vs->vd);
1342     }
1343     vnc_unlock_output(vs);
1344 
1345     if (vs->cbpeer.notifier.notify) {
1346         qemu_clipboard_peer_unregister(&vs->cbpeer);
1347     }
1348 
1349     qemu_mutex_destroy(&vs->output_mutex);
1350     if (vs->bh != NULL) {
1351         qemu_bh_delete(vs->bh);
1352     }
1353     buffer_free(&vs->jobs_buffer);
1354 
1355     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1356         g_free(vs->lossy_rect[i]);
1357     }
1358     g_free(vs->lossy_rect);
1359 
1360     object_unref(OBJECT(vs->ioc));
1361     vs->ioc = NULL;
1362     object_unref(OBJECT(vs->sioc));
1363     vs->sioc = NULL;
1364     vs->magic = 0;
1365     g_free(vs->zrle);
1366     g_free(vs->tight);
1367     g_free(vs);
1368 }
1369 
1370 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1371 {
1372     if (ret <= 0) {
1373         if (ret == 0) {
1374             trace_vnc_client_eof(vs, vs->ioc);
1375             vnc_disconnect_start(vs);
1376         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1377             trace_vnc_client_io_error(vs, vs->ioc,
1378                                       err ? error_get_pretty(err) : "Unknown");
1379             vnc_disconnect_start(vs);
1380         }
1381 
1382         error_free(err);
1383         return 0;
1384     }
1385     return ret;
1386 }
1387 
1388 
1389 void vnc_client_error(VncState *vs)
1390 {
1391     VNC_DEBUG("Closing down client sock: protocol error\n");
1392     vnc_disconnect_start(vs);
1393 }
1394 
1395 
1396 /*
1397  * Called to write a chunk of data to the client socket. The data may
1398  * be the raw data, or may have already been encoded by SASL.
1399  * The data will be written either straight onto the socket, or
1400  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1401  *
1402  * NB, it is theoretically possible to have 2 layers of encryption,
1403  * both SASL, and this TLS layer. It is highly unlikely in practice
1404  * though, since SASL encryption will typically be a no-op if TLS
1405  * is active
1406  *
1407  * Returns the number of bytes written, which may be less than
1408  * the requested 'datalen' if the socket would block. Returns
1409  * 0 on I/O error, and disconnects the client socket.
1410  */
1411 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1412 {
1413     Error *err = NULL;
1414     ssize_t ret;
1415     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1416     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1417     return vnc_client_io_error(vs, ret, err);
1418 }
1419 
1420 
1421 /*
1422  * Called to write buffered data to the client socket, when not
1423  * using any SASL SSF encryption layers. Will write as much data
1424  * as possible without blocking. If all buffered data is written,
1425  * will switch the FD poll() handler back to read monitoring.
1426  *
1427  * Returns the number of bytes written, which may be less than
1428  * the buffered output data if the socket would block.  Returns
1429  * 0 on I/O error, and disconnects the client socket.
1430  */
1431 static size_t vnc_client_write_plain(VncState *vs)
1432 {
1433     size_t offset;
1434     size_t ret;
1435 
1436 #ifdef CONFIG_VNC_SASL
1437     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1438               vs->output.buffer, vs->output.capacity, vs->output.offset,
1439               vs->sasl.waitWriteSSF);
1440 
1441     if (vs->sasl.conn &&
1442         vs->sasl.runSSF &&
1443         vs->sasl.waitWriteSSF) {
1444         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1445         if (ret)
1446             vs->sasl.waitWriteSSF -= ret;
1447     } else
1448 #endif /* CONFIG_VNC_SASL */
1449         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1450     if (!ret)
1451         return 0;
1452 
1453     if (ret >= vs->force_update_offset) {
1454         if (vs->force_update_offset != 0) {
1455             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1456         }
1457         vs->force_update_offset = 0;
1458     } else {
1459         vs->force_update_offset -= ret;
1460     }
1461     offset = vs->output.offset;
1462     buffer_advance(&vs->output, ret);
1463     if (offset >= vs->throttle_output_offset &&
1464         vs->output.offset < vs->throttle_output_offset) {
1465         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1466     }
1467 
1468     if (vs->output.offset == 0) {
1469         if (vs->ioc_tag) {
1470             g_source_remove(vs->ioc_tag);
1471         }
1472         vs->ioc_tag = qio_channel_add_watch(
1473             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1474             vnc_client_io, vs, NULL);
1475     }
1476 
1477     return ret;
1478 }
1479 
1480 
1481 /*
1482  * First function called whenever there is data to be written to
1483  * the client socket. Will delegate actual work according to whether
1484  * SASL SSF layers are enabled (thus requiring encryption calls)
1485  */
1486 static void vnc_client_write_locked(VncState *vs)
1487 {
1488 #ifdef CONFIG_VNC_SASL
1489     if (vs->sasl.conn &&
1490         vs->sasl.runSSF &&
1491         !vs->sasl.waitWriteSSF) {
1492         vnc_client_write_sasl(vs);
1493     } else
1494 #endif /* CONFIG_VNC_SASL */
1495     {
1496         vnc_client_write_plain(vs);
1497     }
1498 }
1499 
1500 static void vnc_client_write(VncState *vs)
1501 {
1502     assert(vs->magic == VNC_MAGIC);
1503     vnc_lock_output(vs);
1504     if (vs->output.offset) {
1505         vnc_client_write_locked(vs);
1506     } else if (vs->ioc != NULL) {
1507         if (vs->ioc_tag) {
1508             g_source_remove(vs->ioc_tag);
1509         }
1510         vs->ioc_tag = qio_channel_add_watch(
1511             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1512             vnc_client_io, vs, NULL);
1513     }
1514     vnc_unlock_output(vs);
1515 }
1516 
1517 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1518 {
1519     vs->read_handler = func;
1520     vs->read_handler_expect = expecting;
1521 }
1522 
1523 
1524 /*
1525  * Called to read a chunk of data from the client socket. The data may
1526  * be the raw data, or may need to be further decoded by SASL.
1527  * The data will be read either straight from to the socket, or
1528  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1529  *
1530  * NB, it is theoretically possible to have 2 layers of encryption,
1531  * both SASL, and this TLS layer. It is highly unlikely in practice
1532  * though, since SASL encryption will typically be a no-op if TLS
1533  * is active
1534  *
1535  * Returns the number of bytes read, which may be less than
1536  * the requested 'datalen' if the socket would block. Returns
1537  * 0 on I/O error or EOF, and disconnects the client socket.
1538  */
1539 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1540 {
1541     ssize_t ret;
1542     Error *err = NULL;
1543     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1544     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1545     return vnc_client_io_error(vs, ret, err);
1546 }
1547 
1548 
1549 /*
1550  * Called to read data from the client socket to the input buffer,
1551  * when not using any SASL SSF encryption layers. Will read as much
1552  * data as possible without blocking.
1553  *
1554  * Returns the number of bytes read, which may be less than
1555  * the requested 'datalen' if the socket would block. Returns
1556  * 0 on I/O error or EOF, and disconnects the client socket.
1557  */
1558 static size_t vnc_client_read_plain(VncState *vs)
1559 {
1560     size_t ret;
1561     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1562               vs->input.buffer, vs->input.capacity, vs->input.offset);
1563     buffer_reserve(&vs->input, 4096);
1564     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1565     if (!ret)
1566         return 0;
1567     vs->input.offset += ret;
1568     return ret;
1569 }
1570 
1571 static void vnc_jobs_bh(void *opaque)
1572 {
1573     VncState *vs = opaque;
1574 
1575     assert(vs->magic == VNC_MAGIC);
1576     vnc_jobs_consume_buffer(vs);
1577 }
1578 
1579 /*
1580  * First function called whenever there is more data to be read from
1581  * the client socket. Will delegate actual work according to whether
1582  * SASL SSF layers are enabled (thus requiring decryption calls)
1583  * Returns 0 on success, -1 if client disconnected
1584  */
1585 static int vnc_client_read(VncState *vs)
1586 {
1587     size_t sz;
1588 
1589 #ifdef CONFIG_VNC_SASL
1590     if (vs->sasl.conn && vs->sasl.runSSF)
1591         sz = vnc_client_read_sasl(vs);
1592     else
1593 #endif /* CONFIG_VNC_SASL */
1594         sz = vnc_client_read_plain(vs);
1595     if (!sz) {
1596         if (vs->disconnecting) {
1597             vnc_disconnect_finish(vs);
1598             return -1;
1599         }
1600         return 0;
1601     }
1602 
1603     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1604         size_t len = vs->read_handler_expect;
1605         int ret;
1606 
1607         ret = vs->read_handler(vs, vs->input.buffer, len);
1608         if (vs->disconnecting) {
1609             vnc_disconnect_finish(vs);
1610             return -1;
1611         }
1612 
1613         if (!ret) {
1614             buffer_advance(&vs->input, len);
1615         } else {
1616             vs->read_handler_expect = ret;
1617         }
1618     }
1619     return 0;
1620 }
1621 
1622 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1623                        GIOCondition condition, void *opaque)
1624 {
1625     VncState *vs = opaque;
1626 
1627     assert(vs->magic == VNC_MAGIC);
1628 
1629     if (condition & (G_IO_HUP | G_IO_ERR)) {
1630         vnc_disconnect_start(vs);
1631         return TRUE;
1632     }
1633 
1634     if (condition & G_IO_IN) {
1635         if (vnc_client_read(vs) < 0) {
1636             /* vs is free()ed here */
1637             return TRUE;
1638         }
1639     }
1640     if (condition & G_IO_OUT) {
1641         vnc_client_write(vs);
1642     }
1643 
1644     if (vs->disconnecting) {
1645         if (vs->ioc_tag != 0) {
1646             g_source_remove(vs->ioc_tag);
1647         }
1648         vs->ioc_tag = 0;
1649     }
1650     return TRUE;
1651 }
1652 
1653 
1654 /*
1655  * Scale factor to apply to vs->throttle_output_offset when checking for
1656  * hard limit. Worst case normal usage could be x2, if we have a complete
1657  * incremental update and complete forced update in the output buffer.
1658  * So x3 should be good enough, but we pick x5 to be conservative and thus
1659  * (hopefully) never trigger incorrectly.
1660  */
1661 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1662 
1663 void vnc_write(VncState *vs, const void *data, size_t len)
1664 {
1665     assert(vs->magic == VNC_MAGIC);
1666     if (vs->disconnecting) {
1667         return;
1668     }
1669     /* Protection against malicious client/guest to prevent our output
1670      * buffer growing without bound if client stops reading data. This
1671      * should rarely trigger, because we have earlier throttling code
1672      * which stops issuing framebuffer updates and drops audio data
1673      * if the throttle_output_offset value is exceeded. So we only reach
1674      * this higher level if a huge number of pseudo-encodings get
1675      * triggered while data can't be sent on the socket.
1676      *
1677      * NB throttle_output_offset can be zero during early protocol
1678      * handshake, or from the job thread's VncState clone
1679      */
1680     if (vs->throttle_output_offset != 0 &&
1681         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1682         vs->throttle_output_offset) {
1683         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1684                                       vs->throttle_output_offset);
1685         vnc_disconnect_start(vs);
1686         return;
1687     }
1688     buffer_reserve(&vs->output, len);
1689 
1690     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1691         if (vs->ioc_tag) {
1692             g_source_remove(vs->ioc_tag);
1693         }
1694         vs->ioc_tag = qio_channel_add_watch(
1695             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1696             vnc_client_io, vs, NULL);
1697     }
1698 
1699     buffer_append(&vs->output, data, len);
1700 }
1701 
1702 void vnc_write_s32(VncState *vs, int32_t value)
1703 {
1704     vnc_write_u32(vs, *(uint32_t *)&value);
1705 }
1706 
1707 void vnc_write_u32(VncState *vs, uint32_t value)
1708 {
1709     uint8_t buf[4];
1710 
1711     buf[0] = (value >> 24) & 0xFF;
1712     buf[1] = (value >> 16) & 0xFF;
1713     buf[2] = (value >>  8) & 0xFF;
1714     buf[3] = value & 0xFF;
1715 
1716     vnc_write(vs, buf, 4);
1717 }
1718 
1719 void vnc_write_u16(VncState *vs, uint16_t value)
1720 {
1721     uint8_t buf[2];
1722 
1723     buf[0] = (value >> 8) & 0xFF;
1724     buf[1] = value & 0xFF;
1725 
1726     vnc_write(vs, buf, 2);
1727 }
1728 
1729 void vnc_write_u8(VncState *vs, uint8_t value)
1730 {
1731     vnc_write(vs, (char *)&value, 1);
1732 }
1733 
1734 void vnc_flush(VncState *vs)
1735 {
1736     vnc_lock_output(vs);
1737     if (vs->ioc != NULL && vs->output.offset) {
1738         vnc_client_write_locked(vs);
1739     }
1740     if (vs->disconnecting) {
1741         if (vs->ioc_tag != 0) {
1742             g_source_remove(vs->ioc_tag);
1743         }
1744         vs->ioc_tag = 0;
1745     }
1746     vnc_unlock_output(vs);
1747 }
1748 
1749 static uint8_t read_u8(uint8_t *data, size_t offset)
1750 {
1751     return data[offset];
1752 }
1753 
1754 static uint16_t read_u16(uint8_t *data, size_t offset)
1755 {
1756     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1757 }
1758 
1759 static int32_t read_s32(uint8_t *data, size_t offset)
1760 {
1761     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1762                      (data[offset + 2] << 8) | data[offset + 3]);
1763 }
1764 
1765 uint32_t read_u32(uint8_t *data, size_t offset)
1766 {
1767     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1768             (data[offset + 2] << 8) | data[offset + 3]);
1769 }
1770 
1771 static void check_pointer_type_change(Notifier *notifier, void *data)
1772 {
1773     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1774     int absolute = qemu_input_is_absolute(vs->vd->dcl.con);
1775 
1776     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1777         vnc_lock_output(vs);
1778         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1779         vnc_write_u8(vs, 0);
1780         vnc_write_u16(vs, 1);
1781         vnc_framebuffer_update(vs, absolute, 0,
1782                                pixman_image_get_width(vs->vd->server),
1783                                pixman_image_get_height(vs->vd->server),
1784                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1785         vnc_unlock_output(vs);
1786         vnc_flush(vs);
1787     }
1788     vs->absolute = absolute;
1789 }
1790 
1791 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1792 {
1793     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1794         [INPUT_BUTTON_LEFT]       = 0x01,
1795         [INPUT_BUTTON_MIDDLE]     = 0x02,
1796         [INPUT_BUTTON_RIGHT]      = 0x04,
1797         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1798         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1799     };
1800     QemuConsole *con = vs->vd->dcl.con;
1801     int width = pixman_image_get_width(vs->vd->server);
1802     int height = pixman_image_get_height(vs->vd->server);
1803 
1804     if (vs->last_bmask != button_mask) {
1805         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1806         vs->last_bmask = button_mask;
1807     }
1808 
1809     if (vs->absolute) {
1810         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1811         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1812     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1813         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1814         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1815     } else {
1816         if (vs->last_x != -1) {
1817             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1818             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1819         }
1820         vs->last_x = x;
1821         vs->last_y = y;
1822     }
1823     qemu_input_event_sync();
1824 }
1825 
1826 static void press_key(VncState *vs, QKeyCode qcode)
1827 {
1828     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1829     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1830 }
1831 
1832 static void vnc_led_state_change(VncState *vs)
1833 {
1834     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1835         return;
1836     }
1837 
1838     vnc_lock_output(vs);
1839     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1840     vnc_write_u8(vs, 0);
1841     vnc_write_u16(vs, 1);
1842     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1843     vnc_write_u8(vs, vs->vd->ledstate);
1844     vnc_unlock_output(vs);
1845     vnc_flush(vs);
1846 }
1847 
1848 static void kbd_leds(void *opaque, int ledstate)
1849 {
1850     VncDisplay *vd = opaque;
1851     VncState *client;
1852 
1853     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1854                              (ledstate & QEMU_NUM_LOCK_LED),
1855                              (ledstate & QEMU_SCROLL_LOCK_LED));
1856 
1857     if (ledstate == vd->ledstate) {
1858         return;
1859     }
1860 
1861     vd->ledstate = ledstate;
1862 
1863     QTAILQ_FOREACH(client, &vd->clients, next) {
1864         vnc_led_state_change(client);
1865     }
1866 }
1867 
1868 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1869 {
1870     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1871 
1872     /* QEMU console switch */
1873     switch (qcode) {
1874     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1875         if (vs->vd->dcl.con == NULL && down &&
1876             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1877             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1878             /* Reset the modifiers sent to the current console */
1879             qkbd_state_lift_all_keys(vs->vd->kbd);
1880             console_select(qcode - Q_KEY_CODE_1);
1881             return;
1882         }
1883     default:
1884         break;
1885     }
1886 
1887     /* Turn off the lock state sync logic if the client support the led
1888        state extension.
1889     */
1890     if (down && vs->vd->lock_key_sync &&
1891         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1892         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1893         /* If the numlock state needs to change then simulate an additional
1894            keypress before sending this one.  This will happen if the user
1895            toggles numlock away from the VNC window.
1896         */
1897         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1898             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1899                 trace_vnc_key_sync_numlock(true);
1900                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1901             }
1902         } else {
1903             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1904                 trace_vnc_key_sync_numlock(false);
1905                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1906             }
1907         }
1908     }
1909 
1910     if (down && vs->vd->lock_key_sync &&
1911         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1912         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1913         /* If the capslock state needs to change then simulate an additional
1914            keypress before sending this one.  This will happen if the user
1915            toggles capslock away from the VNC window.
1916         */
1917         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1918         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1919         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1920         if (capslock) {
1921             if (uppercase == shift) {
1922                 trace_vnc_key_sync_capslock(false);
1923                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1924             }
1925         } else {
1926             if (uppercase != shift) {
1927                 trace_vnc_key_sync_capslock(true);
1928                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1929             }
1930         }
1931     }
1932 
1933     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1934     if (!qemu_console_is_graphic(NULL)) {
1935         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1936         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1937         /* QEMU console emulation */
1938         if (down) {
1939             switch (keycode) {
1940             case 0x2a:                          /* Left Shift */
1941             case 0x36:                          /* Right Shift */
1942             case 0x1d:                          /* Left CTRL */
1943             case 0x9d:                          /* Right CTRL */
1944             case 0x38:                          /* Left ALT */
1945             case 0xb8:                          /* Right ALT */
1946                 break;
1947             case 0xc8:
1948                 qemu_text_console_put_keysym(NULL, QEMU_KEY_UP);
1949                 break;
1950             case 0xd0:
1951                 qemu_text_console_put_keysym(NULL, QEMU_KEY_DOWN);
1952                 break;
1953             case 0xcb:
1954                 qemu_text_console_put_keysym(NULL, QEMU_KEY_LEFT);
1955                 break;
1956             case 0xcd:
1957                 qemu_text_console_put_keysym(NULL, QEMU_KEY_RIGHT);
1958                 break;
1959             case 0xd3:
1960                 qemu_text_console_put_keysym(NULL, QEMU_KEY_DELETE);
1961                 break;
1962             case 0xc7:
1963                 qemu_text_console_put_keysym(NULL, QEMU_KEY_HOME);
1964                 break;
1965             case 0xcf:
1966                 qemu_text_console_put_keysym(NULL, QEMU_KEY_END);
1967                 break;
1968             case 0xc9:
1969                 qemu_text_console_put_keysym(NULL, QEMU_KEY_PAGEUP);
1970                 break;
1971             case 0xd1:
1972                 qemu_text_console_put_keysym(NULL, QEMU_KEY_PAGEDOWN);
1973                 break;
1974 
1975             case 0x47:
1976                 qemu_text_console_put_keysym(NULL, numlock ? '7' : QEMU_KEY_HOME);
1977                 break;
1978             case 0x48:
1979                 qemu_text_console_put_keysym(NULL, numlock ? '8' : QEMU_KEY_UP);
1980                 break;
1981             case 0x49:
1982                 qemu_text_console_put_keysym(NULL, numlock ? '9' : QEMU_KEY_PAGEUP);
1983                 break;
1984             case 0x4b:
1985                 qemu_text_console_put_keysym(NULL, numlock ? '4' : QEMU_KEY_LEFT);
1986                 break;
1987             case 0x4c:
1988                 qemu_text_console_put_keysym(NULL, '5');
1989                 break;
1990             case 0x4d:
1991                 qemu_text_console_put_keysym(NULL, numlock ? '6' : QEMU_KEY_RIGHT);
1992                 break;
1993             case 0x4f:
1994                 qemu_text_console_put_keysym(NULL, numlock ? '1' : QEMU_KEY_END);
1995                 break;
1996             case 0x50:
1997                 qemu_text_console_put_keysym(NULL, numlock ? '2' : QEMU_KEY_DOWN);
1998                 break;
1999             case 0x51:
2000                 qemu_text_console_put_keysym(NULL, numlock ? '3' : QEMU_KEY_PAGEDOWN);
2001                 break;
2002             case 0x52:
2003                 qemu_text_console_put_keysym(NULL, '0');
2004                 break;
2005             case 0x53:
2006                 qemu_text_console_put_keysym(NULL, numlock ? '.' : QEMU_KEY_DELETE);
2007                 break;
2008 
2009             case 0xb5:
2010                 qemu_text_console_put_keysym(NULL, '/');
2011                 break;
2012             case 0x37:
2013                 qemu_text_console_put_keysym(NULL, '*');
2014                 break;
2015             case 0x4a:
2016                 qemu_text_console_put_keysym(NULL, '-');
2017                 break;
2018             case 0x4e:
2019                 qemu_text_console_put_keysym(NULL, '+');
2020                 break;
2021             case 0x9c:
2022                 qemu_text_console_put_keysym(NULL, '\n');
2023                 break;
2024 
2025             default:
2026                 if (control) {
2027                     qemu_text_console_put_keysym(NULL, sym & 0x1f);
2028                 } else {
2029                     qemu_text_console_put_keysym(NULL, sym);
2030                 }
2031                 break;
2032             }
2033         }
2034     }
2035 }
2036 
2037 static const char *code2name(int keycode)
2038 {
2039     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2040 }
2041 
2042 static void key_event(VncState *vs, int down, uint32_t sym)
2043 {
2044     int keycode;
2045     int lsym = sym;
2046 
2047     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2048         lsym = lsym - 'A' + 'a';
2049     }
2050 
2051     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2052                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2053     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2054     do_key_event(vs, down, keycode, sym);
2055 }
2056 
2057 static void ext_key_event(VncState *vs, int down,
2058                           uint32_t sym, uint16_t keycode)
2059 {
2060     /* if the user specifies a keyboard layout, always use it */
2061     if (keyboard_layout) {
2062         key_event(vs, down, sym);
2063     } else {
2064         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2065         do_key_event(vs, down, keycode, sym);
2066     }
2067 }
2068 
2069 static void framebuffer_update_request(VncState *vs, int incremental,
2070                                        int x, int y, int w, int h)
2071 {
2072     if (incremental) {
2073         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2074             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2075         }
2076     } else {
2077         vs->update = VNC_STATE_UPDATE_FORCE;
2078         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2079         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2080             vnc_desktop_resize_ext(vs, 0);
2081         }
2082     }
2083 }
2084 
2085 static void send_ext_key_event_ack(VncState *vs)
2086 {
2087     vnc_lock_output(vs);
2088     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2089     vnc_write_u8(vs, 0);
2090     vnc_write_u16(vs, 1);
2091     vnc_framebuffer_update(vs, 0, 0,
2092                            pixman_image_get_width(vs->vd->server),
2093                            pixman_image_get_height(vs->vd->server),
2094                            VNC_ENCODING_EXT_KEY_EVENT);
2095     vnc_unlock_output(vs);
2096     vnc_flush(vs);
2097 }
2098 
2099 static void send_ext_audio_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_AUDIO);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_xvp_message(VncState *vs, int code)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2117     vnc_write_u8(vs, 0); /* pad */
2118     vnc_write_u8(vs, 1); /* version */
2119     vnc_write_u8(vs, code);
2120     vnc_unlock_output(vs);
2121     vnc_flush(vs);
2122 }
2123 
2124 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2125 {
2126     int i;
2127     unsigned int enc = 0;
2128 
2129     vs->features = 0;
2130     vs->vnc_encoding = 0;
2131     vs->tight->compression = 9;
2132     vs->tight->quality = -1; /* Lossless by default */
2133     vs->absolute = -1;
2134 
2135     /*
2136      * Start from the end because the encodings are sent in order of preference.
2137      * This way the preferred encoding (first encoding defined in the array)
2138      * will be set at the end of the loop.
2139      */
2140     for (i = n_encodings - 1; i >= 0; i--) {
2141         enc = encodings[i];
2142         switch (enc) {
2143         case VNC_ENCODING_RAW:
2144             vs->vnc_encoding = enc;
2145             break;
2146         case VNC_ENCODING_HEXTILE:
2147             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2148             vs->vnc_encoding = enc;
2149             break;
2150         case VNC_ENCODING_TIGHT:
2151             vs->features |= VNC_FEATURE_TIGHT_MASK;
2152             vs->vnc_encoding = enc;
2153             break;
2154 #ifdef CONFIG_PNG
2155         case VNC_ENCODING_TIGHT_PNG:
2156             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2157             vs->vnc_encoding = enc;
2158             break;
2159 #endif
2160         case VNC_ENCODING_ZLIB:
2161             /*
2162              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2163              * So prioritize ZRLE, even if the client hints that it prefers
2164              * ZLIB.
2165              */
2166             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2167                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2168                 vs->vnc_encoding = enc;
2169             }
2170             break;
2171         case VNC_ENCODING_ZRLE:
2172             vs->features |= VNC_FEATURE_ZRLE_MASK;
2173             vs->vnc_encoding = enc;
2174             break;
2175         case VNC_ENCODING_ZYWRLE:
2176             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2177             vs->vnc_encoding = enc;
2178             break;
2179         case VNC_ENCODING_DESKTOPRESIZE:
2180             vs->features |= VNC_FEATURE_RESIZE_MASK;
2181             break;
2182         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2183             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2184             break;
2185         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2186             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2187             break;
2188         case VNC_ENCODING_RICH_CURSOR:
2189             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2190             break;
2191         case VNC_ENCODING_ALPHA_CURSOR:
2192             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2193             break;
2194         case VNC_ENCODING_EXT_KEY_EVENT:
2195             send_ext_key_event_ack(vs);
2196             break;
2197         case VNC_ENCODING_AUDIO:
2198             if (vs->vd->audio_state) {
2199                 vs->features |= VNC_FEATURE_AUDIO_MASK;
2200                 send_ext_audio_ack(vs);
2201             }
2202             break;
2203         case VNC_ENCODING_WMVi:
2204             vs->features |= VNC_FEATURE_WMVI_MASK;
2205             break;
2206         case VNC_ENCODING_LED_STATE:
2207             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2208             break;
2209         case VNC_ENCODING_XVP:
2210             if (vs->vd->power_control) {
2211                 vs->features |= VNC_FEATURE_XVP_MASK;
2212                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2213             }
2214             break;
2215         case VNC_ENCODING_CLIPBOARD_EXT:
2216             vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2217             vnc_server_cut_text_caps(vs);
2218             break;
2219         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2220             vs->tight->compression = (enc & 0x0F);
2221             break;
2222         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2223             if (vs->vd->lossy) {
2224                 vs->tight->quality = (enc & 0x0F);
2225             }
2226             break;
2227         default:
2228             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2229             break;
2230         }
2231     }
2232     vnc_desktop_resize(vs);
2233     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2234     vnc_led_state_change(vs);
2235     vnc_cursor_define(vs);
2236 }
2237 
2238 static void set_pixel_conversion(VncState *vs)
2239 {
2240     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2241 
2242     if (fmt == VNC_SERVER_FB_FORMAT) {
2243         vs->write_pixels = vnc_write_pixels_copy;
2244         vnc_hextile_set_pixel_conversion(vs, 0);
2245     } else {
2246         vs->write_pixels = vnc_write_pixels_generic;
2247         vnc_hextile_set_pixel_conversion(vs, 1);
2248     }
2249 }
2250 
2251 static void send_color_map(VncState *vs)
2252 {
2253     int i;
2254 
2255     vnc_lock_output(vs);
2256     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2257     vnc_write_u8(vs,  0);    /* padding     */
2258     vnc_write_u16(vs, 0);    /* first color */
2259     vnc_write_u16(vs, 256);  /* # of colors */
2260 
2261     for (i = 0; i < 256; i++) {
2262         PixelFormat *pf = &vs->client_pf;
2263 
2264         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2265         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2266         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2267     }
2268     vnc_unlock_output(vs);
2269 }
2270 
2271 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2272                              int big_endian_flag, int true_color_flag,
2273                              int red_max, int green_max, int blue_max,
2274                              int red_shift, int green_shift, int blue_shift)
2275 {
2276     if (!true_color_flag) {
2277         /* Expose a reasonable default 256 color map */
2278         bits_per_pixel = 8;
2279         red_max = 7;
2280         green_max = 7;
2281         blue_max = 3;
2282         red_shift = 0;
2283         green_shift = 3;
2284         blue_shift = 6;
2285     }
2286 
2287     switch (bits_per_pixel) {
2288     case 8:
2289     case 16:
2290     case 32:
2291         break;
2292     default:
2293         vnc_client_error(vs);
2294         return;
2295     }
2296 
2297     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2298     vs->client_pf.rbits = ctpopl(red_max);
2299     vs->client_pf.rshift = red_shift;
2300     vs->client_pf.rmask = red_max << red_shift;
2301     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2302     vs->client_pf.gbits = ctpopl(green_max);
2303     vs->client_pf.gshift = green_shift;
2304     vs->client_pf.gmask = green_max << green_shift;
2305     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2306     vs->client_pf.bbits = ctpopl(blue_max);
2307     vs->client_pf.bshift = blue_shift;
2308     vs->client_pf.bmask = blue_max << blue_shift;
2309     vs->client_pf.bits_per_pixel = bits_per_pixel;
2310     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2311     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2312     vs->client_be = big_endian_flag;
2313 
2314     if (!true_color_flag) {
2315         send_color_map(vs);
2316     }
2317 
2318     set_pixel_conversion(vs);
2319 
2320     graphic_hw_invalidate(vs->vd->dcl.con);
2321     graphic_hw_update(vs->vd->dcl.con);
2322 }
2323 
2324 static void pixel_format_message (VncState *vs) {
2325     char pad[3] = { 0, 0, 0 };
2326 
2327     vs->client_pf = qemu_default_pixelformat(32);
2328 
2329     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2330     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2331 
2332 #if HOST_BIG_ENDIAN
2333     vnc_write_u8(vs, 1);             /* big-endian-flag */
2334 #else
2335     vnc_write_u8(vs, 0);             /* big-endian-flag */
2336 #endif
2337     vnc_write_u8(vs, 1);             /* true-color-flag */
2338     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2339     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2340     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2341     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2342     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2343     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2344     vnc_write(vs, pad, 3);           /* padding */
2345 
2346     vnc_hextile_set_pixel_conversion(vs, 0);
2347     vs->write_pixels = vnc_write_pixels_copy;
2348 }
2349 
2350 static void vnc_colordepth(VncState *vs)
2351 {
2352     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2353         /* Sending a WMVi message to notify the client*/
2354         vnc_lock_output(vs);
2355         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2356         vnc_write_u8(vs, 0);
2357         vnc_write_u16(vs, 1); /* number of rects */
2358         vnc_framebuffer_update(vs, 0, 0,
2359                                vs->client_width,
2360                                vs->client_height,
2361                                VNC_ENCODING_WMVi);
2362         pixel_format_message(vs);
2363         vnc_unlock_output(vs);
2364         vnc_flush(vs);
2365     } else {
2366         set_pixel_conversion(vs);
2367     }
2368 }
2369 
2370 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2371 {
2372     int i;
2373     uint16_t limit;
2374     uint32_t freq;
2375     VncDisplay *vd = vs->vd;
2376 
2377     if (data[0] > 3) {
2378         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2379     }
2380 
2381     switch (data[0]) {
2382     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2383         if (len == 1)
2384             return 20;
2385 
2386         set_pixel_format(vs, read_u8(data, 4),
2387                          read_u8(data, 6), read_u8(data, 7),
2388                          read_u16(data, 8), read_u16(data, 10),
2389                          read_u16(data, 12), read_u8(data, 14),
2390                          read_u8(data, 15), read_u8(data, 16));
2391         break;
2392     case VNC_MSG_CLIENT_SET_ENCODINGS:
2393         if (len == 1)
2394             return 4;
2395 
2396         if (len == 4) {
2397             limit = read_u16(data, 2);
2398             if (limit > 0)
2399                 return 4 + (limit * 4);
2400         } else
2401             limit = read_u16(data, 2);
2402 
2403         for (i = 0; i < limit; i++) {
2404             int32_t val = read_s32(data, 4 + (i * 4));
2405             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2406         }
2407 
2408         set_encodings(vs, (int32_t *)(data + 4), limit);
2409         break;
2410     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2411         if (len == 1)
2412             return 10;
2413 
2414         framebuffer_update_request(vs,
2415                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2416                                    read_u16(data, 6), read_u16(data, 8));
2417         break;
2418     case VNC_MSG_CLIENT_KEY_EVENT:
2419         if (len == 1)
2420             return 8;
2421 
2422         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2423         break;
2424     case VNC_MSG_CLIENT_POINTER_EVENT:
2425         if (len == 1)
2426             return 6;
2427 
2428         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2429         break;
2430     case VNC_MSG_CLIENT_CUT_TEXT:
2431         if (len == 1) {
2432             return 8;
2433         }
2434         uint32_t dlen = abs(read_s32(data, 4));
2435         if (len == 8) {
2436             if (dlen > (1 << 20)) {
2437                 error_report("vnc: client_cut_text msg payload has %u bytes"
2438                              " which exceeds our limit of 1MB.", dlen);
2439                 vnc_client_error(vs);
2440                 break;
2441             }
2442             if (dlen > 0) {
2443                 return 8 + dlen;
2444             }
2445         }
2446 
2447         if (read_s32(data, 4) < 0) {
2448             if (dlen < 4) {
2449                 error_report("vnc: malformed payload (header less than 4 bytes)"
2450                              " in extended clipboard pseudo-encoding.");
2451                 vnc_client_error(vs);
2452                 break;
2453             }
2454             vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
2455             break;
2456         }
2457         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2458         break;
2459     case VNC_MSG_CLIENT_XVP:
2460         if (!vnc_has_feature(vs, VNC_FEATURE_XVP)) {
2461             error_report("vnc: xvp client message while disabled");
2462             vnc_client_error(vs);
2463             break;
2464         }
2465         if (len == 1) {
2466             return 4;
2467         }
2468         if (len == 4) {
2469             uint8_t version = read_u8(data, 2);
2470             uint8_t action = read_u8(data, 3);
2471 
2472             if (version != 1) {
2473                 error_report("vnc: xvp client message version %d != 1",
2474                              version);
2475                 vnc_client_error(vs);
2476                 break;
2477             }
2478 
2479             switch (action) {
2480             case VNC_XVP_ACTION_SHUTDOWN:
2481                 qemu_system_powerdown_request();
2482                 break;
2483             case VNC_XVP_ACTION_REBOOT:
2484                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2485                 break;
2486             case VNC_XVP_ACTION_RESET:
2487                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2488                 break;
2489             default:
2490                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2491                 break;
2492             }
2493         }
2494         break;
2495     case VNC_MSG_CLIENT_QEMU:
2496         if (len == 1)
2497             return 2;
2498 
2499         switch (read_u8(data, 1)) {
2500         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2501             if (len == 2)
2502                 return 12;
2503 
2504             ext_key_event(vs, read_u16(data, 2),
2505                           read_u32(data, 4), read_u32(data, 8));
2506             break;
2507         case VNC_MSG_CLIENT_QEMU_AUDIO:
2508             if (!vnc_has_feature(vs, VNC_FEATURE_AUDIO)) {
2509                 error_report("Audio message %d with audio disabled", read_u8(data, 2));
2510                 vnc_client_error(vs);
2511                 break;
2512             }
2513 
2514             if (len == 2)
2515                 return 4;
2516 
2517             switch (read_u16 (data, 2)) {
2518             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2519                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2520                 audio_add(vs);
2521                 break;
2522             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2523                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2524                 audio_del(vs);
2525                 break;
2526             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2527                 if (len == 4)
2528                     return 10;
2529                 switch (read_u8(data, 4)) {
2530                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2531                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2532                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2533                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2534                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2535                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2536                 default:
2537                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2538                     vnc_client_error(vs);
2539                     break;
2540                 }
2541                 vs->as.nchannels = read_u8(data, 5);
2542                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2543                     VNC_DEBUG("Invalid audio channel count %d\n",
2544                               read_u8(data, 5));
2545                     vnc_client_error(vs);
2546                     break;
2547                 }
2548                 freq = read_u32(data, 6);
2549                 /* No official limit for protocol, but 48khz is a sensible
2550                  * upper bound for trustworthy clients, and this limit
2551                  * protects calculations involving 'vs->as.freq' later.
2552                  */
2553                 if (freq > 48000) {
2554                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2555                     vnc_client_error(vs);
2556                     break;
2557                 }
2558                 vs->as.freq = freq;
2559                 trace_vnc_msg_client_audio_format(
2560                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2561                 break;
2562             default:
2563                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 2));
2564                 vnc_client_error(vs);
2565                 break;
2566             }
2567             break;
2568 
2569         default:
2570             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2571             vnc_client_error(vs);
2572             break;
2573         }
2574         break;
2575     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2576     {
2577         size_t size;
2578         uint8_t screens;
2579         int w, h;
2580 
2581         if (len < 8) {
2582             return 8;
2583         }
2584 
2585         screens = read_u8(data, 6);
2586         size    = 8 + screens * 16;
2587         if (len < size) {
2588             return size;
2589         }
2590         w = read_u16(data, 2);
2591         h = read_u16(data, 4);
2592 
2593         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2594         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2595             QemuUIInfo info;
2596             memset(&info, 0, sizeof(info));
2597             info.width = w;
2598             info.height = h;
2599             dpy_set_ui_info(vs->vd->dcl.con, &info, false);
2600             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2601         } else {
2602             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2603         }
2604 
2605         break;
2606     }
2607     default:
2608         VNC_DEBUG("Msg: %d\n", data[0]);
2609         vnc_client_error(vs);
2610         break;
2611     }
2612 
2613     vnc_update_throttle_offset(vs);
2614     vnc_read_when(vs, protocol_client_msg, 1);
2615     return 0;
2616 }
2617 
2618 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2619 {
2620     char buf[1024];
2621     VncShareMode mode;
2622     int size;
2623 
2624     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2625     switch (vs->vd->share_policy) {
2626     case VNC_SHARE_POLICY_IGNORE:
2627         /*
2628          * Ignore the shared flag.  Nothing to do here.
2629          *
2630          * Doesn't conform to the rfb spec but is traditional qemu
2631          * behavior, thus left here as option for compatibility
2632          * reasons.
2633          */
2634         break;
2635     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2636         /*
2637          * Policy: Allow clients ask for exclusive access.
2638          *
2639          * Implementation: When a client asks for exclusive access,
2640          * disconnect all others. Shared connects are allowed as long
2641          * as no exclusive connection exists.
2642          *
2643          * This is how the rfb spec suggests to handle the shared flag.
2644          */
2645         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2646             VncState *client;
2647             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2648                 if (vs == client) {
2649                     continue;
2650                 }
2651                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2652                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2653                     continue;
2654                 }
2655                 vnc_disconnect_start(client);
2656             }
2657         }
2658         if (mode == VNC_SHARE_MODE_SHARED) {
2659             if (vs->vd->num_exclusive > 0) {
2660                 vnc_disconnect_start(vs);
2661                 return 0;
2662             }
2663         }
2664         break;
2665     case VNC_SHARE_POLICY_FORCE_SHARED:
2666         /*
2667          * Policy: Shared connects only.
2668          * Implementation: Disallow clients asking for exclusive access.
2669          *
2670          * Useful for shared desktop sessions where you don't want
2671          * someone forgetting to say -shared when running the vnc
2672          * client disconnect everybody else.
2673          */
2674         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2675             vnc_disconnect_start(vs);
2676             return 0;
2677         }
2678         break;
2679     }
2680     vnc_set_share_mode(vs, mode);
2681 
2682     if (vs->vd->num_shared > vs->vd->connections_limit) {
2683         vnc_disconnect_start(vs);
2684         return 0;
2685     }
2686 
2687     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2688            pixman_image_get_width(vs->vd->server) >= 0);
2689     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2690            pixman_image_get_height(vs->vd->server) >= 0);
2691     vs->client_width = pixman_image_get_width(vs->vd->server);
2692     vs->client_height = pixman_image_get_height(vs->vd->server);
2693     vnc_write_u16(vs, vs->client_width);
2694     vnc_write_u16(vs, vs->client_height);
2695 
2696     pixel_format_message(vs);
2697 
2698     if (qemu_name) {
2699         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2700         if (size > sizeof(buf)) {
2701             size = sizeof(buf);
2702         }
2703     } else {
2704         size = snprintf(buf, sizeof(buf), "QEMU");
2705     }
2706 
2707     vnc_write_u32(vs, size);
2708     vnc_write(vs, buf, size);
2709     vnc_flush(vs);
2710 
2711     vnc_client_cache_auth(vs);
2712     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2713 
2714     vnc_read_when(vs, protocol_client_msg, 1);
2715 
2716     return 0;
2717 }
2718 
2719 void start_client_init(VncState *vs)
2720 {
2721     vnc_read_when(vs, protocol_client_init, 1);
2722 }
2723 
2724 static void authentication_failed(VncState *vs)
2725 {
2726     vnc_write_u32(vs, 1); /* Reject auth */
2727     if (vs->minor >= 8) {
2728         static const char err[] = "Authentication failed";
2729         vnc_write_u32(vs, sizeof(err));
2730         vnc_write(vs, err, sizeof(err));
2731     }
2732     vnc_flush(vs);
2733     vnc_client_error(vs);
2734 }
2735 
2736 static void
2737 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2738 {
2739     size_t i;
2740     for (i = 0; i < nkey; i++) {
2741         uint8_t r = key[i];
2742         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2743         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2744         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2745         key[i] = r;
2746     }
2747 }
2748 
2749 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2750 {
2751     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2752     size_t i, pwlen;
2753     unsigned char key[8];
2754     time_t now = time(NULL);
2755     QCryptoCipher *cipher = NULL;
2756     Error *err = NULL;
2757 
2758     if (!vs->vd->password) {
2759         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2760         goto reject;
2761     }
2762     if (vs->vd->expires < now) {
2763         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2764         goto reject;
2765     }
2766 
2767     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2768 
2769     /* Calculate the expected challenge response */
2770     pwlen = strlen(vs->vd->password);
2771     for (i=0; i<sizeof(key); i++)
2772         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2773     vnc_munge_des_rfb_key(key, sizeof(key));
2774 
2775     cipher = qcrypto_cipher_new(
2776         QCRYPTO_CIPHER_ALG_DES,
2777         QCRYPTO_CIPHER_MODE_ECB,
2778         key, G_N_ELEMENTS(key),
2779         &err);
2780     if (!cipher) {
2781         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2782                             error_get_pretty(err));
2783         error_free(err);
2784         goto reject;
2785     }
2786 
2787     if (qcrypto_cipher_encrypt(cipher,
2788                                vs->challenge,
2789                                response,
2790                                VNC_AUTH_CHALLENGE_SIZE,
2791                                &err) < 0) {
2792         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2793                             error_get_pretty(err));
2794         error_free(err);
2795         goto reject;
2796     }
2797 
2798     /* Compare expected vs actual challenge response */
2799     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2800         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2801         goto reject;
2802     } else {
2803         trace_vnc_auth_pass(vs, vs->auth);
2804         vnc_write_u32(vs, 0); /* Accept auth */
2805         vnc_flush(vs);
2806 
2807         start_client_init(vs);
2808     }
2809 
2810     qcrypto_cipher_free(cipher);
2811     return 0;
2812 
2813 reject:
2814     authentication_failed(vs);
2815     qcrypto_cipher_free(cipher);
2816     return 0;
2817 }
2818 
2819 void start_auth_vnc(VncState *vs)
2820 {
2821     Error *err = NULL;
2822 
2823     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2824         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2825                             error_get_pretty(err));
2826         error_free(err);
2827         authentication_failed(vs);
2828         return;
2829     }
2830 
2831     /* Send client a 'random' challenge */
2832     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2833     vnc_flush(vs);
2834 
2835     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2836 }
2837 
2838 
2839 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2840 {
2841     /* We only advertise 1 auth scheme at a time, so client
2842      * must pick the one we sent. Verify this */
2843     if (data[0] != vs->auth) { /* Reject auth */
2844        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2845        authentication_failed(vs);
2846     } else { /* Accept requested auth */
2847        trace_vnc_auth_start(vs, vs->auth);
2848        switch (vs->auth) {
2849        case VNC_AUTH_NONE:
2850            if (vs->minor >= 8) {
2851                vnc_write_u32(vs, 0); /* Accept auth completion */
2852                vnc_flush(vs);
2853            }
2854            trace_vnc_auth_pass(vs, vs->auth);
2855            start_client_init(vs);
2856            break;
2857 
2858        case VNC_AUTH_VNC:
2859            start_auth_vnc(vs);
2860            break;
2861 
2862        case VNC_AUTH_VENCRYPT:
2863            start_auth_vencrypt(vs);
2864            break;
2865 
2866 #ifdef CONFIG_VNC_SASL
2867        case VNC_AUTH_SASL:
2868            start_auth_sasl(vs);
2869            break;
2870 #endif /* CONFIG_VNC_SASL */
2871 
2872        default: /* Should not be possible, but just in case */
2873            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2874            authentication_failed(vs);
2875        }
2876     }
2877     return 0;
2878 }
2879 
2880 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2881 {
2882     char local[13];
2883 
2884     memcpy(local, version, 12);
2885     local[12] = 0;
2886 
2887     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2888         VNC_DEBUG("Malformed protocol version %s\n", local);
2889         vnc_client_error(vs);
2890         return 0;
2891     }
2892     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2893     if (vs->major != 3 ||
2894         (vs->minor != 3 &&
2895          vs->minor != 4 &&
2896          vs->minor != 5 &&
2897          vs->minor != 7 &&
2898          vs->minor != 8)) {
2899         VNC_DEBUG("Unsupported client version\n");
2900         vnc_write_u32(vs, VNC_AUTH_INVALID);
2901         vnc_flush(vs);
2902         vnc_client_error(vs);
2903         return 0;
2904     }
2905     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2906      * as equivalent to v3.3 by servers
2907      */
2908     if (vs->minor == 4 || vs->minor == 5)
2909         vs->minor = 3;
2910 
2911     if (vs->minor == 3) {
2912         trace_vnc_auth_start(vs, vs->auth);
2913         if (vs->auth == VNC_AUTH_NONE) {
2914             vnc_write_u32(vs, vs->auth);
2915             vnc_flush(vs);
2916             trace_vnc_auth_pass(vs, vs->auth);
2917             start_client_init(vs);
2918        } else if (vs->auth == VNC_AUTH_VNC) {
2919             VNC_DEBUG("Tell client VNC auth\n");
2920             vnc_write_u32(vs, vs->auth);
2921             vnc_flush(vs);
2922             start_auth_vnc(vs);
2923        } else {
2924             trace_vnc_auth_fail(vs, vs->auth,
2925                                 "Unsupported auth method for v3.3", "");
2926             vnc_write_u32(vs, VNC_AUTH_INVALID);
2927             vnc_flush(vs);
2928             vnc_client_error(vs);
2929        }
2930     } else {
2931         vnc_write_u8(vs, 1); /* num auth */
2932         vnc_write_u8(vs, vs->auth);
2933         vnc_read_when(vs, protocol_client_auth, 1);
2934         vnc_flush(vs);
2935     }
2936 
2937     return 0;
2938 }
2939 
2940 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2941 {
2942     struct VncSurface *vs = &vd->guest;
2943 
2944     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2945 }
2946 
2947 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2948 {
2949     int i, j;
2950 
2951     w = (x + w) / VNC_STAT_RECT;
2952     h = (y + h) / VNC_STAT_RECT;
2953     x /= VNC_STAT_RECT;
2954     y /= VNC_STAT_RECT;
2955 
2956     for (j = y; j <= h; j++) {
2957         for (i = x; i <= w; i++) {
2958             vs->lossy_rect[j][i] = 1;
2959         }
2960     }
2961 }
2962 
2963 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2964 {
2965     VncState *vs;
2966     int sty = y / VNC_STAT_RECT;
2967     int stx = x / VNC_STAT_RECT;
2968     int has_dirty = 0;
2969 
2970     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2971     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2972 
2973     QTAILQ_FOREACH(vs, &vd->clients, next) {
2974         int j;
2975 
2976         /* kernel send buffers are full -> refresh later */
2977         if (vs->output.offset) {
2978             continue;
2979         }
2980 
2981         if (!vs->lossy_rect[sty][stx]) {
2982             continue;
2983         }
2984 
2985         vs->lossy_rect[sty][stx] = 0;
2986         for (j = 0; j < VNC_STAT_RECT; ++j) {
2987             bitmap_set(vs->dirty[y + j],
2988                        x / VNC_DIRTY_PIXELS_PER_BIT,
2989                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2990         }
2991         has_dirty++;
2992     }
2993 
2994     return has_dirty;
2995 }
2996 
2997 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2998 {
2999     int width = MIN(pixman_image_get_width(vd->guest.fb),
3000                     pixman_image_get_width(vd->server));
3001     int height = MIN(pixman_image_get_height(vd->guest.fb),
3002                      pixman_image_get_height(vd->server));
3003     int x, y;
3004     struct timeval res;
3005     int has_dirty = 0;
3006 
3007     for (y = 0; y < height; y += VNC_STAT_RECT) {
3008         for (x = 0; x < width; x += VNC_STAT_RECT) {
3009             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3010 
3011             rect->updated = false;
3012         }
3013     }
3014 
3015     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3016 
3017     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3018         return has_dirty;
3019     }
3020     vd->guest.last_freq_check = *tv;
3021 
3022     for (y = 0; y < height; y += VNC_STAT_RECT) {
3023         for (x = 0; x < width; x += VNC_STAT_RECT) {
3024             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3025             int count = ARRAY_SIZE(rect->times);
3026             struct timeval min, max;
3027 
3028             if (!timerisset(&rect->times[count - 1])) {
3029                 continue ;
3030             }
3031 
3032             max = rect->times[(rect->idx + count - 1) % count];
3033             qemu_timersub(tv, &max, &res);
3034 
3035             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3036                 rect->freq = 0;
3037                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3038                 memset(rect->times, 0, sizeof (rect->times));
3039                 continue ;
3040             }
3041 
3042             min = rect->times[rect->idx];
3043             max = rect->times[(rect->idx + count - 1) % count];
3044             qemu_timersub(&max, &min, &res);
3045 
3046             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3047             rect->freq /= count;
3048             rect->freq = 1. / rect->freq;
3049         }
3050     }
3051     return has_dirty;
3052 }
3053 
3054 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3055 {
3056     int i, j;
3057     double total = 0;
3058     int num = 0;
3059 
3060     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3061     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3062 
3063     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3064         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3065             total += vnc_stat_rect(vs->vd, i, j)->freq;
3066             num++;
3067         }
3068     }
3069 
3070     if (num) {
3071         return total / num;
3072     } else {
3073         return 0;
3074     }
3075 }
3076 
3077 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3078 {
3079     VncRectStat *rect;
3080 
3081     rect = vnc_stat_rect(vd, x, y);
3082     if (rect->updated) {
3083         return;
3084     }
3085     rect->times[rect->idx] = *tv;
3086     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3087     rect->updated = true;
3088 }
3089 
3090 static int vnc_refresh_server_surface(VncDisplay *vd)
3091 {
3092     int width = MIN(pixman_image_get_width(vd->guest.fb),
3093                     pixman_image_get_width(vd->server));
3094     int height = MIN(pixman_image_get_height(vd->guest.fb),
3095                      pixman_image_get_height(vd->server));
3096     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3097     uint8_t *guest_row0 = NULL, *server_row0;
3098     VncState *vs;
3099     int has_dirty = 0;
3100     pixman_image_t *tmpbuf = NULL;
3101     unsigned long offset;
3102     int x;
3103     uint8_t *guest_ptr, *server_ptr;
3104 
3105     struct timeval tv = { 0, 0 };
3106 
3107     if (!vd->non_adaptive) {
3108         gettimeofday(&tv, NULL);
3109         has_dirty = vnc_update_stats(vd, &tv);
3110     }
3111 
3112     offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3113                            height * VNC_DIRTY_BPL(&vd->guest), 0);
3114     if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3115         /* no dirty bits in guest surface */
3116         return has_dirty;
3117     }
3118 
3119     /*
3120      * Walk through the guest dirty map.
3121      * Check and copy modified bits from guest to server surface.
3122      * Update server dirty map.
3123      */
3124     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3125     server_stride = guest_stride = guest_ll =
3126         pixman_image_get_stride(vd->server);
3127     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3128                     server_stride);
3129     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3130         int w = pixman_image_get_width(vd->server);
3131         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, w);
3132     } else {
3133         int guest_bpp =
3134             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3135         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3136         guest_stride = pixman_image_get_stride(vd->guest.fb);
3137         guest_ll = pixman_image_get_width(vd->guest.fb)
3138                    * DIV_ROUND_UP(guest_bpp, 8);
3139     }
3140     line_bytes = MIN(server_stride, guest_ll);
3141 
3142     for (;;) {
3143         y = offset / VNC_DIRTY_BPL(&vd->guest);
3144         x = offset % VNC_DIRTY_BPL(&vd->guest);
3145 
3146         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3147 
3148         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3149             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3150             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3151         } else {
3152             guest_ptr = guest_row0 + y * guest_stride;
3153         }
3154         guest_ptr += x * cmp_bytes;
3155 
3156         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3157              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3158             int _cmp_bytes = cmp_bytes;
3159             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3160                 continue;
3161             }
3162             if ((x + 1) * cmp_bytes > line_bytes) {
3163                 _cmp_bytes = line_bytes - x * cmp_bytes;
3164             }
3165             assert(_cmp_bytes >= 0);
3166             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3167                 continue;
3168             }
3169             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3170             if (!vd->non_adaptive) {
3171                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3172                                  y, &tv);
3173             }
3174             QTAILQ_FOREACH(vs, &vd->clients, next) {
3175                 set_bit(x, vs->dirty[y]);
3176             }
3177             has_dirty++;
3178         }
3179 
3180         y++;
3181         offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3182                                height * VNC_DIRTY_BPL(&vd->guest),
3183                                y * VNC_DIRTY_BPL(&vd->guest));
3184         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3185             /* no more dirty bits */
3186             break;
3187         }
3188     }
3189     qemu_pixman_image_unref(tmpbuf);
3190     return has_dirty;
3191 }
3192 
3193 static void vnc_refresh(DisplayChangeListener *dcl)
3194 {
3195     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3196     VncState *vs, *vn;
3197     int has_dirty, rects = 0;
3198 
3199     if (QTAILQ_EMPTY(&vd->clients)) {
3200         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3201         return;
3202     }
3203 
3204     graphic_hw_update(vd->dcl.con);
3205 
3206     if (vnc_trylock_display(vd)) {
3207         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3208         return;
3209     }
3210 
3211     has_dirty = vnc_refresh_server_surface(vd);
3212     vnc_unlock_display(vd);
3213 
3214     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3215         rects += vnc_update_client(vs, has_dirty);
3216         /* vs might be free()ed here */
3217     }
3218 
3219     if (has_dirty && rects) {
3220         vd->dcl.update_interval /= 2;
3221         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3222             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3223         }
3224     } else {
3225         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3226         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3227             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3228         }
3229     }
3230 }
3231 
3232 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3233                         bool skipauth, bool websocket)
3234 {
3235     VncState *vs = g_new0(VncState, 1);
3236     bool first_client = QTAILQ_EMPTY(&vd->clients);
3237     int i;
3238 
3239     trace_vnc_client_connect(vs, sioc);
3240     vs->zrle = g_new0(VncZrle, 1);
3241     vs->tight = g_new0(VncTight, 1);
3242     vs->magic = VNC_MAGIC;
3243     vs->sioc = sioc;
3244     object_ref(OBJECT(vs->sioc));
3245     vs->ioc = QIO_CHANNEL(sioc);
3246     object_ref(OBJECT(vs->ioc));
3247     vs->vd = vd;
3248 
3249     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3250     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3251     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3252 
3253     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3254     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3255     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3256 #ifdef CONFIG_VNC_JPEG
3257     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3258 #endif
3259 #ifdef CONFIG_PNG
3260     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3261 #endif
3262     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3263     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3264     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3265     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3266 
3267     if (skipauth) {
3268         vs->auth = VNC_AUTH_NONE;
3269         vs->subauth = VNC_AUTH_INVALID;
3270     } else {
3271         if (websocket) {
3272             vs->auth = vd->ws_auth;
3273             vs->subauth = VNC_AUTH_INVALID;
3274         } else {
3275             vs->auth = vd->auth;
3276             vs->subauth = vd->subauth;
3277         }
3278     }
3279     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3280               sioc, websocket, vs->auth, vs->subauth);
3281 
3282     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3283     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3284         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3285     }
3286 
3287     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3288     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3289     qio_channel_set_blocking(vs->ioc, false, NULL);
3290     if (vs->ioc_tag) {
3291         g_source_remove(vs->ioc_tag);
3292     }
3293     if (websocket) {
3294         vs->websocket = 1;
3295         if (vd->tlscreds) {
3296             vs->ioc_tag = qio_channel_add_watch(
3297                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3298                 vncws_tls_handshake_io, vs, NULL);
3299         } else {
3300             vs->ioc_tag = qio_channel_add_watch(
3301                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3302                 vncws_handshake_io, vs, NULL);
3303         }
3304     } else {
3305         vs->ioc_tag = qio_channel_add_watch(
3306             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3307             vnc_client_io, vs, NULL);
3308     }
3309 
3310     vnc_client_cache_addr(vs);
3311     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3312     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3313 
3314     vs->last_x = -1;
3315     vs->last_y = -1;
3316 
3317     vs->as.freq = 44100;
3318     vs->as.nchannels = 2;
3319     vs->as.fmt = AUDIO_FORMAT_S16;
3320     vs->as.endianness = 0;
3321 
3322     qemu_mutex_init(&vs->output_mutex);
3323     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3324 
3325     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3326     if (first_client) {
3327         vnc_update_server_surface(vd);
3328     }
3329 
3330     graphic_hw_update(vd->dcl.con);
3331 
3332     if (!vs->websocket) {
3333         vnc_start_protocol(vs);
3334     }
3335 
3336     if (vd->num_connecting > vd->connections_limit) {
3337         QTAILQ_FOREACH(vs, &vd->clients, next) {
3338             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3339                 vnc_disconnect_start(vs);
3340                 return;
3341             }
3342         }
3343     }
3344 }
3345 
3346 void vnc_start_protocol(VncState *vs)
3347 {
3348     vnc_write(vs, "RFB 003.008\n", 12);
3349     vnc_flush(vs);
3350     vnc_read_when(vs, protocol_version, 12);
3351 
3352     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3353     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3354 }
3355 
3356 static void vnc_listen_io(QIONetListener *listener,
3357                           QIOChannelSocket *cioc,
3358                           void *opaque)
3359 {
3360     VncDisplay *vd = opaque;
3361     bool isWebsock = listener == vd->wslistener;
3362 
3363     qio_channel_set_name(QIO_CHANNEL(cioc),
3364                          isWebsock ? "vnc-ws-server" : "vnc-server");
3365     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3366     vnc_connect(vd, cioc, false, isWebsock);
3367 }
3368 
3369 static const DisplayChangeListenerOps dcl_ops = {
3370     .dpy_name             = "vnc",
3371     .dpy_refresh          = vnc_refresh,
3372     .dpy_gfx_update       = vnc_dpy_update,
3373     .dpy_gfx_switch       = vnc_dpy_switch,
3374     .dpy_gfx_check_format = qemu_pixman_check_format,
3375     .dpy_mouse_set        = vnc_mouse_set,
3376     .dpy_cursor_define    = vnc_dpy_cursor_define,
3377 };
3378 
3379 void vnc_display_init(const char *id, Error **errp)
3380 {
3381     VncDisplay *vd;
3382 
3383     if (vnc_display_find(id) != NULL) {
3384         return;
3385     }
3386     vd = g_malloc0(sizeof(*vd));
3387 
3388     vd->id = strdup(id);
3389     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3390 
3391     QTAILQ_INIT(&vd->clients);
3392     vd->expires = TIME_MAX;
3393 
3394     if (keyboard_layout) {
3395         trace_vnc_key_map_init(keyboard_layout);
3396         vd->kbd_layout = init_keyboard_layout(name2keysym,
3397                                               keyboard_layout, errp);
3398     } else {
3399         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3400     }
3401 
3402     if (!vd->kbd_layout) {
3403         return;
3404     }
3405 
3406     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3407     vd->connections_limit = 32;
3408 
3409     qemu_mutex_init(&vd->mutex);
3410     vnc_start_worker_thread();
3411 
3412     vd->dcl.ops = &dcl_ops;
3413     register_displaychangelistener(&vd->dcl);
3414     vd->kbd = qkbd_state_init(vd->dcl.con);
3415 }
3416 
3417 
3418 static void vnc_display_close(VncDisplay *vd)
3419 {
3420     if (!vd) {
3421         return;
3422     }
3423     vd->is_unix = false;
3424 
3425     if (vd->listener) {
3426         qio_net_listener_disconnect(vd->listener);
3427         object_unref(OBJECT(vd->listener));
3428     }
3429     vd->listener = NULL;
3430 
3431     if (vd->wslistener) {
3432         qio_net_listener_disconnect(vd->wslistener);
3433         object_unref(OBJECT(vd->wslistener));
3434     }
3435     vd->wslistener = NULL;
3436 
3437     vd->auth = VNC_AUTH_INVALID;
3438     vd->subauth = VNC_AUTH_INVALID;
3439     if (vd->tlscreds) {
3440         object_unref(OBJECT(vd->tlscreds));
3441         vd->tlscreds = NULL;
3442     }
3443     if (vd->tlsauthz) {
3444         object_unparent(OBJECT(vd->tlsauthz));
3445         vd->tlsauthz = NULL;
3446     }
3447     g_free(vd->tlsauthzid);
3448     vd->tlsauthzid = NULL;
3449     if (vd->lock_key_sync) {
3450         qemu_remove_led_event_handler(vd->led);
3451         vd->led = NULL;
3452     }
3453 #ifdef CONFIG_VNC_SASL
3454     if (vd->sasl.authz) {
3455         object_unparent(OBJECT(vd->sasl.authz));
3456         vd->sasl.authz = NULL;
3457     }
3458     g_free(vd->sasl.authzid);
3459     vd->sasl.authzid = NULL;
3460 #endif
3461 }
3462 
3463 int vnc_display_password(const char *id, const char *password)
3464 {
3465     VncDisplay *vd = vnc_display_find(id);
3466 
3467     if (!vd) {
3468         return -EINVAL;
3469     }
3470     if (vd->auth == VNC_AUTH_NONE) {
3471         error_printf_unless_qmp("If you want use passwords please enable "
3472                                 "password auth using '-vnc ${dpy},password'.\n");
3473         return -EINVAL;
3474     }
3475 
3476     g_free(vd->password);
3477     vd->password = g_strdup(password);
3478 
3479     return 0;
3480 }
3481 
3482 int vnc_display_pw_expire(const char *id, time_t expires)
3483 {
3484     VncDisplay *vd = vnc_display_find(id);
3485 
3486     if (!vd) {
3487         return -EINVAL;
3488     }
3489 
3490     vd->expires = expires;
3491     return 0;
3492 }
3493 
3494 static void vnc_display_print_local_addr(VncDisplay *vd)
3495 {
3496     SocketAddress *addr;
3497 
3498     if (!vd->listener || !vd->listener->nsioc) {
3499         return;
3500     }
3501 
3502     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3503     if (!addr) {
3504         return;
3505     }
3506 
3507     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3508         qapi_free_SocketAddress(addr);
3509         return;
3510     }
3511     error_printf_unless_qmp("VNC server running on %s:%s\n",
3512                             addr->u.inet.host,
3513                             addr->u.inet.port);
3514     qapi_free_SocketAddress(addr);
3515 }
3516 
3517 static QemuOptsList qemu_vnc_opts = {
3518     .name = "vnc",
3519     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3520     .implied_opt_name = "vnc",
3521     .desc = {
3522         {
3523             .name = "vnc",
3524             .type = QEMU_OPT_STRING,
3525         },{
3526             .name = "websocket",
3527             .type = QEMU_OPT_STRING,
3528         },{
3529             .name = "tls-creds",
3530             .type = QEMU_OPT_STRING,
3531         },{
3532             .name = "share",
3533             .type = QEMU_OPT_STRING,
3534         },{
3535             .name = "display",
3536             .type = QEMU_OPT_STRING,
3537         },{
3538             .name = "head",
3539             .type = QEMU_OPT_NUMBER,
3540         },{
3541             .name = "connections",
3542             .type = QEMU_OPT_NUMBER,
3543         },{
3544             .name = "to",
3545             .type = QEMU_OPT_NUMBER,
3546         },{
3547             .name = "ipv4",
3548             .type = QEMU_OPT_BOOL,
3549         },{
3550             .name = "ipv6",
3551             .type = QEMU_OPT_BOOL,
3552         },{
3553             .name = "password",
3554             .type = QEMU_OPT_BOOL,
3555         },{
3556             .name = "password-secret",
3557             .type = QEMU_OPT_STRING,
3558         },{
3559             .name = "reverse",
3560             .type = QEMU_OPT_BOOL,
3561         },{
3562             .name = "lock-key-sync",
3563             .type = QEMU_OPT_BOOL,
3564         },{
3565             .name = "key-delay-ms",
3566             .type = QEMU_OPT_NUMBER,
3567         },{
3568             .name = "sasl",
3569             .type = QEMU_OPT_BOOL,
3570         },{
3571             .name = "tls-authz",
3572             .type = QEMU_OPT_STRING,
3573         },{
3574             .name = "sasl-authz",
3575             .type = QEMU_OPT_STRING,
3576         },{
3577             .name = "lossy",
3578             .type = QEMU_OPT_BOOL,
3579         },{
3580             .name = "non-adaptive",
3581             .type = QEMU_OPT_BOOL,
3582         },{
3583             .name = "audiodev",
3584             .type = QEMU_OPT_STRING,
3585         },{
3586             .name = "power-control",
3587             .type = QEMU_OPT_BOOL,
3588         },
3589         { /* end of list */ }
3590     },
3591 };
3592 
3593 
3594 static int
3595 vnc_display_setup_auth(int *auth,
3596                        int *subauth,
3597                        QCryptoTLSCreds *tlscreds,
3598                        bool password,
3599                        bool sasl,
3600                        bool websocket,
3601                        Error **errp)
3602 {
3603     /*
3604      * We have a choice of 3 authentication options
3605      *
3606      *   1. none
3607      *   2. vnc
3608      *   3. sasl
3609      *
3610      * The channel can be run in 2 modes
3611      *
3612      *   1. clear
3613      *   2. tls
3614      *
3615      * And TLS can use 2 types of credentials
3616      *
3617      *   1. anon
3618      *   2. x509
3619      *
3620      * We thus have 9 possible logical combinations
3621      *
3622      *   1. clear + none
3623      *   2. clear + vnc
3624      *   3. clear + sasl
3625      *   4. tls + anon + none
3626      *   5. tls + anon + vnc
3627      *   6. tls + anon + sasl
3628      *   7. tls + x509 + none
3629      *   8. tls + x509 + vnc
3630      *   9. tls + x509 + sasl
3631      *
3632      * These need to be mapped into the VNC auth schemes
3633      * in an appropriate manner. In regular VNC, all the
3634      * TLS options get mapped into VNC_AUTH_VENCRYPT
3635      * sub-auth types.
3636      *
3637      * In websockets, the https:// protocol already provides
3638      * TLS support, so there is no need to make use of the
3639      * VeNCrypt extension. Furthermore, websockets browser
3640      * clients could not use VeNCrypt even if they wanted to,
3641      * as they cannot control when the TLS handshake takes
3642      * place. Thus there is no option but to rely on https://,
3643      * meaning combinations 4->6 and 7->9 will be mapped to
3644      * VNC auth schemes in the same way as combos 1->3.
3645      *
3646      * Regardless of fact that we have a different mapping to
3647      * VNC auth mechs for plain VNC vs websockets VNC, the end
3648      * result has the same security characteristics.
3649      */
3650     if (websocket || !tlscreds) {
3651         if (password) {
3652             VNC_DEBUG("Initializing VNC server with password auth\n");
3653             *auth = VNC_AUTH_VNC;
3654         } else if (sasl) {
3655             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3656             *auth = VNC_AUTH_SASL;
3657         } else {
3658             VNC_DEBUG("Initializing VNC server with no auth\n");
3659             *auth = VNC_AUTH_NONE;
3660         }
3661         *subauth = VNC_AUTH_INVALID;
3662     } else {
3663         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3664                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3665         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3666                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3667 
3668         if (!is_x509 && !is_anon) {
3669             error_setg(errp,
3670                        "Unsupported TLS cred type %s",
3671                        object_get_typename(OBJECT(tlscreds)));
3672             return -1;
3673         }
3674         *auth = VNC_AUTH_VENCRYPT;
3675         if (password) {
3676             if (is_x509) {
3677                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3678                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3679             } else {
3680                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3681                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3682             }
3683 
3684         } else if (sasl) {
3685             if (is_x509) {
3686                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3687                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3688             } else {
3689                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3690                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3691             }
3692         } else {
3693             if (is_x509) {
3694                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3695                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3696             } else {
3697                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3698                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3699             }
3700         }
3701     }
3702     return 0;
3703 }
3704 
3705 
3706 static int vnc_display_get_address(const char *addrstr,
3707                                    bool websocket,
3708                                    bool reverse,
3709                                    int displaynum,
3710                                    int to,
3711                                    bool has_ipv4,
3712                                    bool has_ipv6,
3713                                    bool ipv4,
3714                                    bool ipv6,
3715                                    SocketAddress **retaddr,
3716                                    Error **errp)
3717 {
3718     int ret = -1;
3719     SocketAddress *addr = NULL;
3720 
3721     addr = g_new0(SocketAddress, 1);
3722 
3723     if (strncmp(addrstr, "unix:", 5) == 0) {
3724         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3725         addr->u.q_unix.path = g_strdup(addrstr + 5);
3726 
3727         if (websocket) {
3728             error_setg(errp, "UNIX sockets not supported with websock");
3729             goto cleanup;
3730         }
3731 
3732         if (to) {
3733             error_setg(errp, "Port range not support with UNIX socket");
3734             goto cleanup;
3735         }
3736         ret = 0;
3737     } else {
3738         const char *port;
3739         size_t hostlen;
3740         uint64_t baseport = 0;
3741         InetSocketAddress *inet;
3742 
3743         port = strrchr(addrstr, ':');
3744         if (!port) {
3745             if (websocket) {
3746                 hostlen = 0;
3747                 port = addrstr;
3748             } else {
3749                 error_setg(errp, "no vnc port specified");
3750                 goto cleanup;
3751             }
3752         } else {
3753             hostlen = port - addrstr;
3754             port++;
3755             if (*port == '\0') {
3756                 error_setg(errp, "vnc port cannot be empty");
3757                 goto cleanup;
3758             }
3759         }
3760 
3761         addr->type = SOCKET_ADDRESS_TYPE_INET;
3762         inet = &addr->u.inet;
3763         if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3764             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3765         } else {
3766             inet->host = g_strndup(addrstr, hostlen);
3767         }
3768         /* plain VNC port is just an offset, for websocket
3769          * port is absolute */
3770         if (websocket) {
3771             if (g_str_equal(addrstr, "") ||
3772                 g_str_equal(addrstr, "on")) {
3773                 if (displaynum == -1) {
3774                     error_setg(errp, "explicit websocket port is required");
3775                     goto cleanup;
3776                 }
3777                 inet->port = g_strdup_printf(
3778                     "%d", displaynum + 5700);
3779                 if (to) {
3780                     inet->has_to = true;
3781                     inet->to = to + 5700;
3782                 }
3783             } else {
3784                 inet->port = g_strdup(port);
3785             }
3786         } else {
3787             int offset = reverse ? 0 : 5900;
3788             if (parse_uint_full(port, 10, &baseport) < 0) {
3789                 error_setg(errp, "can't convert to a number: %s", port);
3790                 goto cleanup;
3791             }
3792             if (baseport > 65535 ||
3793                 baseport + offset > 65535) {
3794                 error_setg(errp, "port %s out of range", port);
3795                 goto cleanup;
3796             }
3797             inet->port = g_strdup_printf(
3798                 "%d", (int)baseport + offset);
3799 
3800             if (to) {
3801                 inet->has_to = true;
3802                 inet->to = to + offset;
3803             }
3804         }
3805 
3806         inet->ipv4 = ipv4;
3807         inet->has_ipv4 = has_ipv4;
3808         inet->ipv6 = ipv6;
3809         inet->has_ipv6 = has_ipv6;
3810 
3811         ret = baseport;
3812     }
3813 
3814     *retaddr = addr;
3815 
3816  cleanup:
3817     if (ret < 0) {
3818         qapi_free_SocketAddress(addr);
3819     }
3820     return ret;
3821 }
3822 
3823 static int vnc_display_get_addresses(QemuOpts *opts,
3824                                      bool reverse,
3825                                      SocketAddressList **saddr_list_ret,
3826                                      SocketAddressList **wsaddr_list_ret,
3827                                      Error **errp)
3828 {
3829     SocketAddress *saddr = NULL;
3830     SocketAddress *wsaddr = NULL;
3831     g_autoptr(SocketAddressList) saddr_list = NULL;
3832     SocketAddressList **saddr_tail = &saddr_list;
3833     SocketAddress *single_saddr = NULL;
3834     g_autoptr(SocketAddressList) wsaddr_list = NULL;
3835     SocketAddressList **wsaddr_tail = &wsaddr_list;
3836     QemuOptsIter addriter;
3837     const char *addr;
3838     int to = qemu_opt_get_number(opts, "to", 0);
3839     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3840     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3841     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3842     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3843     int displaynum = -1;
3844 
3845     addr = qemu_opt_get(opts, "vnc");
3846     if (addr == NULL || g_str_equal(addr, "none")) {
3847         return 0;
3848     }
3849     if (qemu_opt_get(opts, "websocket") &&
3850         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3851         error_setg(errp,
3852                    "SHA1 hash support is required for websockets");
3853         return -1;
3854     }
3855 
3856     qemu_opt_iter_init(&addriter, opts, "vnc");
3857     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3858         int rv;
3859         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3860                                      has_ipv4, has_ipv6,
3861                                      ipv4, ipv6,
3862                                      &saddr, errp);
3863         if (rv < 0) {
3864             return -1;
3865         }
3866         /* Historical compat - first listen address can be used
3867          * to set the default websocket port
3868          */
3869         if (displaynum == -1) {
3870             displaynum = rv;
3871         }
3872         QAPI_LIST_APPEND(saddr_tail, saddr);
3873     }
3874 
3875     if (saddr_list && !saddr_list->next) {
3876         single_saddr = saddr_list->value;
3877     } else {
3878         /*
3879          * If we had multiple primary displays, we don't do defaults
3880          * for websocket, and require explicit config instead.
3881          */
3882         displaynum = -1;
3883     }
3884 
3885     qemu_opt_iter_init(&addriter, opts, "websocket");
3886     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3887         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3888                                     has_ipv4, has_ipv6,
3889                                     ipv4, ipv6,
3890                                     &wsaddr, errp) < 0) {
3891             return -1;
3892         }
3893 
3894         /* Historical compat - if only a single listen address was
3895          * provided, then this is used to set the default listen
3896          * address for websocket too
3897          */
3898         if (single_saddr &&
3899             single_saddr->type == SOCKET_ADDRESS_TYPE_INET &&
3900             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3901             g_str_equal(wsaddr->u.inet.host, "") &&
3902             !g_str_equal(single_saddr->u.inet.host, "")) {
3903             g_free(wsaddr->u.inet.host);
3904             wsaddr->u.inet.host = g_strdup(single_saddr->u.inet.host);
3905         }
3906 
3907         QAPI_LIST_APPEND(wsaddr_tail, wsaddr);
3908     }
3909 
3910     *saddr_list_ret = g_steal_pointer(&saddr_list);
3911     *wsaddr_list_ret = g_steal_pointer(&wsaddr_list);
3912     return 0;
3913 }
3914 
3915 static int vnc_display_connect(VncDisplay *vd,
3916                                SocketAddressList *saddr_list,
3917                                SocketAddressList *wsaddr_list,
3918                                Error **errp)
3919 {
3920     /* connect to viewer */
3921     QIOChannelSocket *sioc = NULL;
3922     if (wsaddr_list) {
3923         error_setg(errp, "Cannot use websockets in reverse mode");
3924         return -1;
3925     }
3926     if (!saddr_list || saddr_list->next) {
3927         error_setg(errp, "Expected a single address in reverse mode");
3928         return -1;
3929     }
3930     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3931     vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
3932     sioc = qio_channel_socket_new();
3933     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3934     if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
3935         object_unref(OBJECT(sioc));
3936         return -1;
3937     }
3938     vnc_connect(vd, sioc, false, false);
3939     object_unref(OBJECT(sioc));
3940     return 0;
3941 }
3942 
3943 
3944 static int vnc_display_listen(VncDisplay *vd,
3945                               SocketAddressList *saddr_list,
3946                               SocketAddressList *wsaddr_list,
3947                               Error **errp)
3948 {
3949     SocketAddressList *el;
3950 
3951     if (saddr_list) {
3952         vd->listener = qio_net_listener_new();
3953         qio_net_listener_set_name(vd->listener, "vnc-listen");
3954         for (el = saddr_list; el; el = el->next) {
3955             if (qio_net_listener_open_sync(vd->listener,
3956                                            el->value, 1,
3957                                            errp) < 0)  {
3958                 return -1;
3959             }
3960         }
3961 
3962         qio_net_listener_set_client_func(vd->listener,
3963                                          vnc_listen_io, vd, NULL);
3964     }
3965 
3966     if (wsaddr_list) {
3967         vd->wslistener = qio_net_listener_new();
3968         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3969         for (el = wsaddr_list; el; el = el->next) {
3970             if (qio_net_listener_open_sync(vd->wslistener,
3971                                            el->value, 1,
3972                                            errp) < 0)  {
3973                 return -1;
3974             }
3975         }
3976 
3977         qio_net_listener_set_client_func(vd->wslistener,
3978                                          vnc_listen_io, vd, NULL);
3979     }
3980 
3981     return 0;
3982 }
3983 
3984 bool vnc_display_update(DisplayUpdateOptionsVNC *arg, Error **errp)
3985 {
3986     VncDisplay *vd = vnc_display_find(NULL);
3987 
3988     if (!vd) {
3989         error_setg(errp, "Can not find vnc display");
3990         return false;
3991     }
3992 
3993     if (arg->has_addresses) {
3994         if (vd->listener) {
3995             qio_net_listener_disconnect(vd->listener);
3996             object_unref(OBJECT(vd->listener));
3997             vd->listener = NULL;
3998         }
3999 
4000         if (vnc_display_listen(vd, arg->addresses, NULL, errp) < 0) {
4001             return false;
4002         }
4003     }
4004 
4005     return true;
4006 }
4007 
4008 void vnc_display_open(const char *id, Error **errp)
4009 {
4010     VncDisplay *vd = vnc_display_find(id);
4011     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4012     g_autoptr(SocketAddressList) saddr_list = NULL;
4013     g_autoptr(SocketAddressList) wsaddr_list = NULL;
4014     const char *share, *device_id;
4015     QemuConsole *con;
4016     bool password = false;
4017     bool reverse = false;
4018     const char *credid;
4019     bool sasl = false;
4020     const char *tlsauthz;
4021     const char *saslauthz;
4022     int lock_key_sync = 1;
4023     int key_delay_ms;
4024     const char *audiodev;
4025     const char *passwordSecret;
4026 
4027     if (!vd) {
4028         error_setg(errp, "VNC display not active");
4029         return;
4030     }
4031     vnc_display_close(vd);
4032 
4033     if (!opts) {
4034         return;
4035     }
4036 
4037     reverse = qemu_opt_get_bool(opts, "reverse", false);
4038     if (vnc_display_get_addresses(opts, reverse, &saddr_list, &wsaddr_list,
4039                                   errp) < 0) {
4040         goto fail;
4041     }
4042 
4043 
4044     passwordSecret = qemu_opt_get(opts, "password-secret");
4045     if (passwordSecret) {
4046         if (qemu_opt_get(opts, "password")) {
4047             error_setg(errp,
4048                        "'password' flag is redundant with 'password-secret'");
4049             goto fail;
4050         }
4051         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4052                                                      errp);
4053         if (!vd->password) {
4054             goto fail;
4055         }
4056         password = true;
4057     } else {
4058         password = qemu_opt_get_bool(opts, "password", false);
4059     }
4060     if (password) {
4061         if (!qcrypto_cipher_supports(
4062                 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4063             error_setg(errp,
4064                        "Cipher backend does not support DES algorithm");
4065             goto fail;
4066         }
4067     }
4068 
4069     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4070     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4071     sasl = qemu_opt_get_bool(opts, "sasl", false);
4072 #ifndef CONFIG_VNC_SASL
4073     if (sasl) {
4074         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4075         goto fail;
4076     }
4077 #endif /* CONFIG_VNC_SASL */
4078     credid = qemu_opt_get(opts, "tls-creds");
4079     if (credid) {
4080         Object *creds;
4081         creds = object_resolve_path_component(
4082             object_get_objects_root(), credid);
4083         if (!creds) {
4084             error_setg(errp, "No TLS credentials with id '%s'",
4085                        credid);
4086             goto fail;
4087         }
4088         vd->tlscreds = (QCryptoTLSCreds *)
4089             object_dynamic_cast(creds,
4090                                 TYPE_QCRYPTO_TLS_CREDS);
4091         if (!vd->tlscreds) {
4092             error_setg(errp, "Object with id '%s' is not TLS credentials",
4093                        credid);
4094             goto fail;
4095         }
4096         object_ref(OBJECT(vd->tlscreds));
4097 
4098         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4099                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4100                                               errp)) {
4101             goto fail;
4102         }
4103     }
4104     tlsauthz = qemu_opt_get(opts, "tls-authz");
4105     if (tlsauthz && !vd->tlscreds) {
4106         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4107         goto fail;
4108     }
4109 
4110     saslauthz = qemu_opt_get(opts, "sasl-authz");
4111     if (saslauthz && !sasl) {
4112         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4113         goto fail;
4114     }
4115 
4116     share = qemu_opt_get(opts, "share");
4117     if (share) {
4118         if (strcmp(share, "ignore") == 0) {
4119             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4120         } else if (strcmp(share, "allow-exclusive") == 0) {
4121             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4122         } else if (strcmp(share, "force-shared") == 0) {
4123             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4124         } else {
4125             error_setg(errp, "unknown vnc share= option");
4126             goto fail;
4127         }
4128     } else {
4129         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4130     }
4131     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4132 
4133 #ifdef CONFIG_VNC_JPEG
4134     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4135 #endif
4136     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4137     /* adaptive updates are only used with tight encoding and
4138      * if lossy updates are enabled so we can disable all the
4139      * calculations otherwise */
4140     if (!vd->lossy) {
4141         vd->non_adaptive = true;
4142     }
4143 
4144     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4145 
4146     if (tlsauthz) {
4147         vd->tlsauthzid = g_strdup(tlsauthz);
4148     }
4149 #ifdef CONFIG_VNC_SASL
4150     if (sasl) {
4151         if (saslauthz) {
4152             vd->sasl.authzid = g_strdup(saslauthz);
4153         }
4154     }
4155 #endif
4156 
4157     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4158                                vd->tlscreds, password,
4159                                sasl, false, errp) < 0) {
4160         goto fail;
4161     }
4162     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4163 
4164     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4165                                vd->tlscreds, password,
4166                                sasl, true, errp) < 0) {
4167         goto fail;
4168     }
4169     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4170 
4171 #ifdef CONFIG_VNC_SASL
4172     if (sasl && !vnc_sasl_server_init(errp)) {
4173         goto fail;
4174     }
4175 #endif
4176     vd->lock_key_sync = lock_key_sync;
4177     if (lock_key_sync) {
4178         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4179     }
4180     vd->ledstate = 0;
4181 
4182     audiodev = qemu_opt_get(opts, "audiodev");
4183     if (audiodev) {
4184         vd->audio_state = audio_state_by_name(audiodev, errp);
4185         if (!vd->audio_state) {
4186             goto fail;
4187         }
4188     } else {
4189         vd->audio_state = audio_get_default_audio_state(NULL);
4190     }
4191 
4192     device_id = qemu_opt_get(opts, "display");
4193     if (device_id) {
4194         int head = qemu_opt_get_number(opts, "head", 0);
4195         Error *err = NULL;
4196 
4197         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4198         if (err) {
4199             error_propagate(errp, err);
4200             goto fail;
4201         }
4202     } else {
4203         con = NULL;
4204     }
4205 
4206     if (con != vd->dcl.con) {
4207         qkbd_state_free(vd->kbd);
4208         unregister_displaychangelistener(&vd->dcl);
4209         vd->dcl.con = con;
4210         register_displaychangelistener(&vd->dcl);
4211         vd->kbd = qkbd_state_init(vd->dcl.con);
4212     }
4213     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4214 
4215     if (saddr_list == NULL) {
4216         return;
4217     }
4218 
4219     if (reverse) {
4220         if (vnc_display_connect(vd, saddr_list, wsaddr_list, errp) < 0) {
4221             goto fail;
4222         }
4223     } else {
4224         if (vnc_display_listen(vd, saddr_list, wsaddr_list, errp) < 0) {
4225             goto fail;
4226         }
4227     }
4228 
4229     if (qemu_opt_get(opts, "to")) {
4230         vnc_display_print_local_addr(vd);
4231     }
4232 
4233     /* Success */
4234     return;
4235 
4236 fail:
4237     vnc_display_close(vd);
4238 }
4239 
4240 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4241 {
4242     VncDisplay *vd = vnc_display_find(id);
4243     QIOChannelSocket *sioc;
4244 
4245     if (!vd) {
4246         return;
4247     }
4248 
4249     sioc = qio_channel_socket_new_fd(csock, NULL);
4250     if (sioc) {
4251         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4252         vnc_connect(vd, sioc, skipauth, false);
4253         object_unref(OBJECT(sioc));
4254     }
4255 }
4256 
4257 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4258 {
4259     int i = 2;
4260     char *id;
4261 
4262     id = g_strdup("default");
4263     while (qemu_opts_find(olist, id)) {
4264         g_free(id);
4265         id = g_strdup_printf("vnc%d", i++);
4266     }
4267     qemu_opts_set_id(opts, id);
4268 }
4269 
4270 void vnc_parse(const char *str)
4271 {
4272     QemuOptsList *olist = qemu_find_opts("vnc");
4273     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4274     const char *id;
4275 
4276     if (!opts) {
4277         exit(1);
4278     }
4279 
4280     id = qemu_opts_id(opts);
4281     if (!id) {
4282         /* auto-assign id if not present */
4283         vnc_auto_assign_id(olist, opts);
4284     }
4285 }
4286 
4287 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4288 {
4289     Error *local_err = NULL;
4290     char *id = (char *)qemu_opts_id(opts);
4291 
4292     assert(id);
4293     vnc_display_init(id, &local_err);
4294     if (local_err) {
4295         error_propagate(errp, local_err);
4296         return -1;
4297     }
4298     vnc_display_open(id, &local_err);
4299     if (local_err != NULL) {
4300         error_propagate(errp, local_err);
4301         return -1;
4302     }
4303     return 0;
4304 }
4305 
4306 static void vnc_register_config(void)
4307 {
4308     qemu_add_opts(&qemu_vnc_opts);
4309 }
4310 opts_init(vnc_register_config);
4311