xref: /openbmc/qemu/ui/vnc.c (revision 19f4ed36)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscredsanon.h"
49 #include "crypto/tlscredsx509.h"
50 #include "crypto/random.h"
51 #include "crypto/secret_common.h"
52 #include "qom/object_interfaces.h"
53 #include "qemu/cutils.h"
54 #include "qemu/help_option.h"
55 #include "io/dns-resolver.h"
56 
57 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
58 #define VNC_REFRESH_INTERVAL_INC  50
59 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
60 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
61 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
62 
63 #include "vnc_keysym.h"
64 #include "crypto/cipher.h"
65 
66 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
67     QTAILQ_HEAD_INITIALIZER(vnc_displays);
68 
69 static int vnc_cursor_define(VncState *vs);
70 static void vnc_update_throttle_offset(VncState *vs);
71 
72 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
73 {
74 #ifdef _VNC_DEBUG
75     static const char *mn[] = {
76         [0]                           = "undefined",
77         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
78         [VNC_SHARE_MODE_SHARED]       = "shared",
79         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
80         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
81     };
82     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
83             vs->ioc, mn[vs->share_mode], mn[mode]);
84 #endif
85 
86     switch (vs->share_mode) {
87     case VNC_SHARE_MODE_CONNECTING:
88         vs->vd->num_connecting--;
89         break;
90     case VNC_SHARE_MODE_SHARED:
91         vs->vd->num_shared--;
92         break;
93     case VNC_SHARE_MODE_EXCLUSIVE:
94         vs->vd->num_exclusive--;
95         break;
96     default:
97         break;
98     }
99 
100     vs->share_mode = mode;
101 
102     switch (vs->share_mode) {
103     case VNC_SHARE_MODE_CONNECTING:
104         vs->vd->num_connecting++;
105         break;
106     case VNC_SHARE_MODE_SHARED:
107         vs->vd->num_shared++;
108         break;
109     case VNC_SHARE_MODE_EXCLUSIVE:
110         vs->vd->num_exclusive++;
111         break;
112     default:
113         break;
114     }
115 }
116 
117 
118 static void vnc_init_basic_info(SocketAddress *addr,
119                                 VncBasicInfo *info,
120                                 Error **errp)
121 {
122     switch (addr->type) {
123     case SOCKET_ADDRESS_TYPE_INET:
124         info->host = g_strdup(addr->u.inet.host);
125         info->service = g_strdup(addr->u.inet.port);
126         if (addr->u.inet.ipv6) {
127             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
128         } else {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
130         }
131         break;
132 
133     case SOCKET_ADDRESS_TYPE_UNIX:
134         info->host = g_strdup("");
135         info->service = g_strdup(addr->u.q_unix.path);
136         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
137         break;
138 
139     case SOCKET_ADDRESS_TYPE_VSOCK:
140     case SOCKET_ADDRESS_TYPE_FD:
141         error_setg(errp, "Unsupported socket address type %s",
142                    SocketAddressType_str(addr->type));
143         break;
144     default:
145         abort();
146     }
147 
148     return;
149 }
150 
151 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
152                                                  VncBasicInfo *info,
153                                                  Error **errp)
154 {
155     SocketAddress *addr = NULL;
156 
157     if (!ioc) {
158         error_setg(errp, "No listener socket available");
159         return;
160     }
161 
162     addr = qio_channel_socket_get_local_address(ioc, errp);
163     if (!addr) {
164         return;
165     }
166 
167     vnc_init_basic_info(addr, info, errp);
168     qapi_free_SocketAddress(addr);
169 }
170 
171 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
172                                                  VncBasicInfo *info,
173                                                  Error **errp)
174 {
175     SocketAddress *addr = NULL;
176 
177     addr = qio_channel_socket_get_remote_address(ioc, errp);
178     if (!addr) {
179         return;
180     }
181 
182     vnc_init_basic_info(addr, info, errp);
183     qapi_free_SocketAddress(addr);
184 }
185 
186 static const char *vnc_auth_name(VncDisplay *vd) {
187     switch (vd->auth) {
188     case VNC_AUTH_INVALID:
189         return "invalid";
190     case VNC_AUTH_NONE:
191         return "none";
192     case VNC_AUTH_VNC:
193         return "vnc";
194     case VNC_AUTH_RA2:
195         return "ra2";
196     case VNC_AUTH_RA2NE:
197         return "ra2ne";
198     case VNC_AUTH_TIGHT:
199         return "tight";
200     case VNC_AUTH_ULTRA:
201         return "ultra";
202     case VNC_AUTH_TLS:
203         return "tls";
204     case VNC_AUTH_VENCRYPT:
205         switch (vd->subauth) {
206         case VNC_AUTH_VENCRYPT_PLAIN:
207             return "vencrypt+plain";
208         case VNC_AUTH_VENCRYPT_TLSNONE:
209             return "vencrypt+tls+none";
210         case VNC_AUTH_VENCRYPT_TLSVNC:
211             return "vencrypt+tls+vnc";
212         case VNC_AUTH_VENCRYPT_TLSPLAIN:
213             return "vencrypt+tls+plain";
214         case VNC_AUTH_VENCRYPT_X509NONE:
215             return "vencrypt+x509+none";
216         case VNC_AUTH_VENCRYPT_X509VNC:
217             return "vencrypt+x509+vnc";
218         case VNC_AUTH_VENCRYPT_X509PLAIN:
219             return "vencrypt+x509+plain";
220         case VNC_AUTH_VENCRYPT_TLSSASL:
221             return "vencrypt+tls+sasl";
222         case VNC_AUTH_VENCRYPT_X509SASL:
223             return "vencrypt+x509+sasl";
224         default:
225             return "vencrypt";
226         }
227     case VNC_AUTH_SASL:
228         return "sasl";
229     }
230     return "unknown";
231 }
232 
233 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
234 {
235     VncServerInfo *info;
236     Error *err = NULL;
237 
238     if (!vd->listener || !vd->listener->nsioc) {
239         return NULL;
240     }
241 
242     info = g_malloc0(sizeof(*info));
243     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
244                                          qapi_VncServerInfo_base(info), &err);
245     info->has_auth = true;
246     info->auth = g_strdup(vnc_auth_name(vd));
247     if (err) {
248         qapi_free_VncServerInfo(info);
249         info = NULL;
250         error_free(err);
251     }
252     return info;
253 }
254 
255 static void vnc_client_cache_auth(VncState *client)
256 {
257     if (!client->info) {
258         return;
259     }
260 
261     if (client->tls) {
262         client->info->x509_dname =
263             qcrypto_tls_session_get_peer_name(client->tls);
264         client->info->has_x509_dname =
265             client->info->x509_dname != NULL;
266     }
267 #ifdef CONFIG_VNC_SASL
268     if (client->sasl.conn &&
269         client->sasl.username) {
270         client->info->has_sasl_username = true;
271         client->info->sasl_username = g_strdup(client->sasl.username);
272     }
273 #endif
274 }
275 
276 static void vnc_client_cache_addr(VncState *client)
277 {
278     Error *err = NULL;
279 
280     client->info = g_malloc0(sizeof(*client->info));
281     vnc_init_basic_info_from_remote_addr(client->sioc,
282                                          qapi_VncClientInfo_base(client->info),
283                                          &err);
284     client->info->websocket = client->websocket;
285     if (err) {
286         qapi_free_VncClientInfo(client->info);
287         client->info = NULL;
288         error_free(err);
289     }
290 }
291 
292 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
293 {
294     VncServerInfo *si;
295 
296     if (!vs->info) {
297         return;
298     }
299 
300     si = vnc_server_info_get(vs->vd);
301     if (!si) {
302         return;
303     }
304 
305     switch (event) {
306     case QAPI_EVENT_VNC_CONNECTED:
307         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
308         break;
309     case QAPI_EVENT_VNC_INITIALIZED:
310         qapi_event_send_vnc_initialized(si, vs->info);
311         break;
312     case QAPI_EVENT_VNC_DISCONNECTED:
313         qapi_event_send_vnc_disconnected(si, vs->info);
314         break;
315     default:
316         break;
317     }
318 
319     qapi_free_VncServerInfo(si);
320 }
321 
322 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
323 {
324     VncClientInfo *info;
325     Error *err = NULL;
326 
327     info = g_malloc0(sizeof(*info));
328 
329     vnc_init_basic_info_from_remote_addr(client->sioc,
330                                          qapi_VncClientInfo_base(info),
331                                          &err);
332     if (err) {
333         error_free(err);
334         qapi_free_VncClientInfo(info);
335         return NULL;
336     }
337 
338     info->websocket = client->websocket;
339 
340     if (client->tls) {
341         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
342         info->has_x509_dname = info->x509_dname != NULL;
343     }
344 #ifdef CONFIG_VNC_SASL
345     if (client->sasl.conn && client->sasl.username) {
346         info->has_sasl_username = true;
347         info->sasl_username = g_strdup(client->sasl.username);
348     }
349 #endif
350 
351     return info;
352 }
353 
354 static VncDisplay *vnc_display_find(const char *id)
355 {
356     VncDisplay *vd;
357 
358     if (id == NULL) {
359         return QTAILQ_FIRST(&vnc_displays);
360     }
361     QTAILQ_FOREACH(vd, &vnc_displays, next) {
362         if (strcmp(id, vd->id) == 0) {
363             return vd;
364         }
365     }
366     return NULL;
367 }
368 
369 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
370 {
371     VncClientInfoList *prev = NULL;
372     VncState *client;
373 
374     QTAILQ_FOREACH(client, &vd->clients, next) {
375         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
376     }
377     return prev;
378 }
379 
380 VncInfo *qmp_query_vnc(Error **errp)
381 {
382     VncInfo *info = g_malloc0(sizeof(*info));
383     VncDisplay *vd = vnc_display_find(NULL);
384     SocketAddress *addr = NULL;
385 
386     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
387         info->enabled = false;
388     } else {
389         info->enabled = true;
390 
391         /* for compatibility with the original command */
392         info->has_clients = true;
393         info->clients = qmp_query_client_list(vd);
394 
395         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
396                                                     errp);
397         if (!addr) {
398             goto out_error;
399         }
400 
401         switch (addr->type) {
402         case SOCKET_ADDRESS_TYPE_INET:
403             info->host = g_strdup(addr->u.inet.host);
404             info->service = g_strdup(addr->u.inet.port);
405             if (addr->u.inet.ipv6) {
406                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
407             } else {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
409             }
410             break;
411 
412         case SOCKET_ADDRESS_TYPE_UNIX:
413             info->host = g_strdup("");
414             info->service = g_strdup(addr->u.q_unix.path);
415             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
416             break;
417 
418         case SOCKET_ADDRESS_TYPE_VSOCK:
419         case SOCKET_ADDRESS_TYPE_FD:
420             error_setg(errp, "Unsupported socket address type %s",
421                        SocketAddressType_str(addr->type));
422             goto out_error;
423         default:
424             abort();
425         }
426 
427         info->has_host = true;
428         info->has_service = true;
429         info->has_family = true;
430 
431         info->has_auth = true;
432         info->auth = g_strdup(vnc_auth_name(vd));
433     }
434 
435     qapi_free_SocketAddress(addr);
436     return info;
437 
438 out_error:
439     qapi_free_SocketAddress(addr);
440     qapi_free_VncInfo(info);
441     return NULL;
442 }
443 
444 
445 static void qmp_query_auth(int auth, int subauth,
446                            VncPrimaryAuth *qmp_auth,
447                            VncVencryptSubAuth *qmp_vencrypt,
448                            bool *qmp_has_vencrypt);
449 
450 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
451                                                   bool websocket,
452                                                   int auth,
453                                                   int subauth,
454                                                   VncServerInfo2List *prev)
455 {
456     VncServerInfo2 *info;
457     Error *err = NULL;
458     SocketAddress *addr;
459 
460     addr = qio_channel_socket_get_local_address(ioc, NULL);
461     if (!addr) {
462         return prev;
463     }
464 
465     info = g_new0(VncServerInfo2, 1);
466     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
467     qapi_free_SocketAddress(addr);
468     if (err) {
469         qapi_free_VncServerInfo2(info);
470         error_free(err);
471         return prev;
472     }
473     info->websocket = websocket;
474 
475     qmp_query_auth(auth, subauth, &info->auth,
476                    &info->vencrypt, &info->has_vencrypt);
477 
478     QAPI_LIST_PREPEND(prev, info);
479     return prev;
480 }
481 
482 static void qmp_query_auth(int auth, int subauth,
483                            VncPrimaryAuth *qmp_auth,
484                            VncVencryptSubAuth *qmp_vencrypt,
485                            bool *qmp_has_vencrypt)
486 {
487     switch (auth) {
488     case VNC_AUTH_VNC:
489         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
490         break;
491     case VNC_AUTH_RA2:
492         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
493         break;
494     case VNC_AUTH_RA2NE:
495         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
496         break;
497     case VNC_AUTH_TIGHT:
498         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
499         break;
500     case VNC_AUTH_ULTRA:
501         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
502         break;
503     case VNC_AUTH_TLS:
504         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
505         break;
506     case VNC_AUTH_VENCRYPT:
507         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
508         *qmp_has_vencrypt = true;
509         switch (subauth) {
510         case VNC_AUTH_VENCRYPT_PLAIN:
511             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
512             break;
513         case VNC_AUTH_VENCRYPT_TLSNONE:
514             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
515             break;
516         case VNC_AUTH_VENCRYPT_TLSVNC:
517             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
518             break;
519         case VNC_AUTH_VENCRYPT_TLSPLAIN:
520             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
521             break;
522         case VNC_AUTH_VENCRYPT_X509NONE:
523             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
524             break;
525         case VNC_AUTH_VENCRYPT_X509VNC:
526             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
527             break;
528         case VNC_AUTH_VENCRYPT_X509PLAIN:
529             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
530             break;
531         case VNC_AUTH_VENCRYPT_TLSSASL:
532             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
533             break;
534         case VNC_AUTH_VENCRYPT_X509SASL:
535             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
536             break;
537         default:
538             *qmp_has_vencrypt = false;
539             break;
540         }
541         break;
542     case VNC_AUTH_SASL:
543         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
544         break;
545     case VNC_AUTH_NONE:
546     default:
547         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
548         break;
549     }
550 }
551 
552 VncInfo2List *qmp_query_vnc_servers(Error **errp)
553 {
554     VncInfo2List *prev = NULL;
555     VncInfo2 *info;
556     VncDisplay *vd;
557     DeviceState *dev;
558     size_t i;
559 
560     QTAILQ_FOREACH(vd, &vnc_displays, next) {
561         info = g_new0(VncInfo2, 1);
562         info->id = g_strdup(vd->id);
563         info->clients = qmp_query_client_list(vd);
564         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
565                        &info->vencrypt, &info->has_vencrypt);
566         if (vd->dcl.con) {
567             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
568                                                   "device", &error_abort));
569             info->has_display = true;
570             info->display = g_strdup(dev->id);
571         }
572         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
573             info->server = qmp_query_server_entry(
574                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
575                 info->server);
576         }
577         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
578             info->server = qmp_query_server_entry(
579                 vd->wslistener->sioc[i], true, vd->ws_auth,
580                 vd->ws_subauth, info->server);
581         }
582 
583         QAPI_LIST_PREPEND(prev, info);
584     }
585     return prev;
586 }
587 
588 bool vnc_display_reload_certs(const char *id, Error **errp)
589 {
590     VncDisplay *vd = vnc_display_find(id);
591     QCryptoTLSCredsClass *creds = NULL;
592 
593     if (!vd) {
594         error_setg(errp, "Can not find vnc display");
595         return false;
596     }
597 
598     if (!vd->tlscreds) {
599         error_setg(errp, "vnc tls is not enable");
600         return false;
601     }
602 
603     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
604     if (creds->reload == NULL) {
605         error_setg(errp, "%s doesn't support to reload TLS credential",
606                    object_get_typename(OBJECT(vd->tlscreds)));
607         return false;
608     }
609     if (!creds->reload(vd->tlscreds, errp)) {
610         return false;
611     }
612 
613     return true;
614 }
615 
616 /* TODO
617    1) Get the queue working for IO.
618    2) there is some weirdness when using the -S option (the screen is grey
619       and not totally invalidated
620    3) resolutions > 1024
621 */
622 
623 static int vnc_update_client(VncState *vs, int has_dirty);
624 static void vnc_disconnect_start(VncState *vs);
625 
626 static void vnc_colordepth(VncState *vs);
627 static void framebuffer_update_request(VncState *vs, int incremental,
628                                        int x_position, int y_position,
629                                        int w, int h);
630 static void vnc_refresh(DisplayChangeListener *dcl);
631 static int vnc_refresh_server_surface(VncDisplay *vd);
632 
633 static int vnc_width(VncDisplay *vd)
634 {
635     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
636                                        VNC_DIRTY_PIXELS_PER_BIT));
637 }
638 
639 static int vnc_true_width(VncDisplay *vd)
640 {
641     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
642 }
643 
644 static int vnc_height(VncDisplay *vd)
645 {
646     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
647 }
648 
649 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
650                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
651                                VncDisplay *vd,
652                                int x, int y, int w, int h)
653 {
654     int width = vnc_width(vd);
655     int height = vnc_height(vd);
656 
657     /* this is needed this to ensure we updated all affected
658      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
659     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
660     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
661 
662     x = MIN(x, width);
663     y = MIN(y, height);
664     w = MIN(x + w, width) - x;
665     h = MIN(y + h, height);
666 
667     for (; y < h; y++) {
668         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
669                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
670     }
671 }
672 
673 static void vnc_dpy_update(DisplayChangeListener *dcl,
674                            int x, int y, int w, int h)
675 {
676     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
677     struct VncSurface *s = &vd->guest;
678 
679     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
680 }
681 
682 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
683                             int32_t encoding)
684 {
685     vnc_write_u16(vs, x);
686     vnc_write_u16(vs, y);
687     vnc_write_u16(vs, w);
688     vnc_write_u16(vs, h);
689 
690     vnc_write_s32(vs, encoding);
691 }
692 
693 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
694 {
695     trace_vnc_msg_server_ext_desktop_resize(
696         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
697 
698     vnc_lock_output(vs);
699     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
700     vnc_write_u8(vs, 0);
701     vnc_write_u16(vs, 1); /* number of rects */
702     vnc_framebuffer_update(vs,
703                            reject_reason ? 1 : 0,
704                            reject_reason,
705                            vs->client_width, vs->client_height,
706                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
707     vnc_write_u8(vs, 1);  /* number of screens */
708     vnc_write_u8(vs, 0);  /* padding */
709     vnc_write_u8(vs, 0);  /* padding */
710     vnc_write_u8(vs, 0);  /* padding */
711     vnc_write_u32(vs, 0); /* screen id */
712     vnc_write_u16(vs, 0); /* screen x-pos */
713     vnc_write_u16(vs, 0); /* screen y-pos */
714     vnc_write_u16(vs, vs->client_width);
715     vnc_write_u16(vs, vs->client_height);
716     vnc_write_u32(vs, 0); /* screen flags */
717     vnc_unlock_output(vs);
718     vnc_flush(vs);
719 }
720 
721 static void vnc_desktop_resize(VncState *vs)
722 {
723     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
724                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
725         return;
726     }
727     if (vs->client_width == vs->vd->true_width &&
728         vs->client_height == pixman_image_get_height(vs->vd->server)) {
729         return;
730     }
731 
732     assert(vs->vd->true_width < 65536 &&
733            vs->vd->true_width >= 0);
734     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
735            pixman_image_get_height(vs->vd->server) >= 0);
736     vs->client_width = vs->vd->true_width;
737     vs->client_height = pixman_image_get_height(vs->vd->server);
738 
739     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
740         vnc_desktop_resize_ext(vs, 0);
741         return;
742     }
743 
744     trace_vnc_msg_server_desktop_resize(
745         vs, vs->ioc, vs->client_width, vs->client_height);
746 
747     vnc_lock_output(vs);
748     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
749     vnc_write_u8(vs, 0);
750     vnc_write_u16(vs, 1); /* number of rects */
751     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
752                            VNC_ENCODING_DESKTOPRESIZE);
753     vnc_unlock_output(vs);
754     vnc_flush(vs);
755 }
756 
757 static void vnc_abort_display_jobs(VncDisplay *vd)
758 {
759     VncState *vs;
760 
761     QTAILQ_FOREACH(vs, &vd->clients, next) {
762         vnc_lock_output(vs);
763         vs->abort = true;
764         vnc_unlock_output(vs);
765     }
766     QTAILQ_FOREACH(vs, &vd->clients, next) {
767         vnc_jobs_join(vs);
768     }
769     QTAILQ_FOREACH(vs, &vd->clients, next) {
770         vnc_lock_output(vs);
771         if (vs->update == VNC_STATE_UPDATE_NONE &&
772             vs->job_update != VNC_STATE_UPDATE_NONE) {
773             /* job aborted before completion */
774             vs->update = vs->job_update;
775             vs->job_update = VNC_STATE_UPDATE_NONE;
776         }
777         vs->abort = false;
778         vnc_unlock_output(vs);
779     }
780 }
781 
782 int vnc_server_fb_stride(VncDisplay *vd)
783 {
784     return pixman_image_get_stride(vd->server);
785 }
786 
787 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
788 {
789     uint8_t *ptr;
790 
791     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
792     ptr += y * vnc_server_fb_stride(vd);
793     ptr += x * VNC_SERVER_FB_BYTES;
794     return ptr;
795 }
796 
797 static void vnc_update_server_surface(VncDisplay *vd)
798 {
799     int width, height;
800 
801     qemu_pixman_image_unref(vd->server);
802     vd->server = NULL;
803 
804     if (QTAILQ_EMPTY(&vd->clients)) {
805         return;
806     }
807 
808     width = vnc_width(vd);
809     height = vnc_height(vd);
810     vd->true_width = vnc_true_width(vd);
811     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
812                                           width, height,
813                                           NULL, 0);
814 
815     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
816     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
817                        width, height);
818 }
819 
820 static bool vnc_check_pageflip(DisplaySurface *s1,
821                                DisplaySurface *s2)
822 {
823     return (s1 != NULL &&
824             s2 != NULL &&
825             surface_width(s1) == surface_width(s2) &&
826             surface_height(s1) == surface_height(s2) &&
827             surface_format(s1) == surface_format(s2));
828 
829 }
830 
831 static void vnc_dpy_switch(DisplayChangeListener *dcl,
832                            DisplaySurface *surface)
833 {
834     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
835     bool pageflip = vnc_check_pageflip(vd->ds, surface);
836     VncState *vs;
837 
838     vnc_abort_display_jobs(vd);
839     vd->ds = surface;
840 
841     /* guest surface */
842     qemu_pixman_image_unref(vd->guest.fb);
843     vd->guest.fb = pixman_image_ref(surface->image);
844     vd->guest.format = surface->format;
845 
846 
847     if (pageflip) {
848         trace_vnc_server_dpy_pageflip(vd,
849                                       surface_width(surface),
850                                       surface_height(surface),
851                                       surface_format(surface));
852         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
853                            surface_width(surface),
854                            surface_height(surface));
855         return;
856     }
857 
858     trace_vnc_server_dpy_recreate(vd,
859                                   surface_width(surface),
860                                   surface_height(surface),
861                                   surface_format(surface));
862     /* server surface */
863     vnc_update_server_surface(vd);
864 
865     QTAILQ_FOREACH(vs, &vd->clients, next) {
866         vnc_colordepth(vs);
867         vnc_desktop_resize(vs);
868         vnc_cursor_define(vs);
869         memset(vs->dirty, 0x00, sizeof(vs->dirty));
870         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
871                            vnc_width(vd),
872                            vnc_height(vd));
873         vnc_update_throttle_offset(vs);
874     }
875 }
876 
877 /* fastest code */
878 static void vnc_write_pixels_copy(VncState *vs,
879                                   void *pixels, int size)
880 {
881     vnc_write(vs, pixels, size);
882 }
883 
884 /* slowest but generic code. */
885 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
886 {
887     uint8_t r, g, b;
888 
889 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
890     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
891     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
892     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
893 #else
894 # error need some bits here if you change VNC_SERVER_FB_FORMAT
895 #endif
896     v = (r << vs->client_pf.rshift) |
897         (g << vs->client_pf.gshift) |
898         (b << vs->client_pf.bshift);
899     switch (vs->client_pf.bytes_per_pixel) {
900     case 1:
901         buf[0] = v;
902         break;
903     case 2:
904         if (vs->client_be) {
905             buf[0] = v >> 8;
906             buf[1] = v;
907         } else {
908             buf[1] = v >> 8;
909             buf[0] = v;
910         }
911         break;
912     default:
913     case 4:
914         if (vs->client_be) {
915             buf[0] = v >> 24;
916             buf[1] = v >> 16;
917             buf[2] = v >> 8;
918             buf[3] = v;
919         } else {
920             buf[3] = v >> 24;
921             buf[2] = v >> 16;
922             buf[1] = v >> 8;
923             buf[0] = v;
924         }
925         break;
926     }
927 }
928 
929 static void vnc_write_pixels_generic(VncState *vs,
930                                      void *pixels1, int size)
931 {
932     uint8_t buf[4];
933 
934     if (VNC_SERVER_FB_BYTES == 4) {
935         uint32_t *pixels = pixels1;
936         int n, i;
937         n = size >> 2;
938         for (i = 0; i < n; i++) {
939             vnc_convert_pixel(vs, buf, pixels[i]);
940             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
941         }
942     }
943 }
944 
945 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
946 {
947     int i;
948     uint8_t *row;
949     VncDisplay *vd = vs->vd;
950 
951     row = vnc_server_fb_ptr(vd, x, y);
952     for (i = 0; i < h; i++) {
953         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
954         row += vnc_server_fb_stride(vd);
955     }
956     return 1;
957 }
958 
959 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
960 {
961     int n = 0;
962 
963     switch(vs->vnc_encoding) {
964         case VNC_ENCODING_ZLIB:
965             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
966             break;
967         case VNC_ENCODING_HEXTILE:
968             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
969             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
970             break;
971         case VNC_ENCODING_TIGHT:
972             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
973             break;
974         case VNC_ENCODING_TIGHT_PNG:
975             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
976             break;
977         case VNC_ENCODING_ZRLE:
978             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
979             break;
980         case VNC_ENCODING_ZYWRLE:
981             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
982             break;
983         default:
984             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
985             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
986             break;
987     }
988     return n;
989 }
990 
991 static void vnc_mouse_set(DisplayChangeListener *dcl,
992                           int x, int y, int visible)
993 {
994     /* can we ask the client(s) to move the pointer ??? */
995 }
996 
997 static int vnc_cursor_define(VncState *vs)
998 {
999     QEMUCursor *c = vs->vd->cursor;
1000     int isize;
1001 
1002     if (!vs->vd->cursor) {
1003         return -1;
1004     }
1005 
1006     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1007         vnc_lock_output(vs);
1008         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1009         vnc_write_u8(vs,  0);  /*  padding     */
1010         vnc_write_u16(vs, 1);  /*  # of rects  */
1011         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1012                                VNC_ENCODING_ALPHA_CURSOR);
1013         vnc_write_s32(vs, VNC_ENCODING_RAW);
1014         vnc_write(vs, c->data, c->width * c->height * 4);
1015         vnc_unlock_output(vs);
1016         return 0;
1017     }
1018     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1019         vnc_lock_output(vs);
1020         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1021         vnc_write_u8(vs,  0);  /*  padding     */
1022         vnc_write_u16(vs, 1);  /*  # of rects  */
1023         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1024                                VNC_ENCODING_RICH_CURSOR);
1025         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1026         vnc_write_pixels_generic(vs, c->data, isize);
1027         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1028         vnc_unlock_output(vs);
1029         return 0;
1030     }
1031     return -1;
1032 }
1033 
1034 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1035                                   QEMUCursor *c)
1036 {
1037     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1038     VncState *vs;
1039 
1040     cursor_put(vd->cursor);
1041     g_free(vd->cursor_mask);
1042 
1043     vd->cursor = c;
1044     cursor_get(vd->cursor);
1045     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1046     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1047     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1048 
1049     QTAILQ_FOREACH(vs, &vd->clients, next) {
1050         vnc_cursor_define(vs);
1051     }
1052 }
1053 
1054 static int find_and_clear_dirty_height(VncState *vs,
1055                                        int y, int last_x, int x, int height)
1056 {
1057     int h;
1058 
1059     for (h = 1; h < (height - y); h++) {
1060         if (!test_bit(last_x, vs->dirty[y + h])) {
1061             break;
1062         }
1063         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1064     }
1065 
1066     return h;
1067 }
1068 
1069 /*
1070  * Figure out how much pending data we should allow in the output
1071  * buffer before we throttle incremental display updates, and/or
1072  * drop audio samples.
1073  *
1074  * We allow for equiv of 1 full display's worth of FB updates,
1075  * and 1 second of audio samples. If audio backlog was larger
1076  * than that the client would already suffering awful audio
1077  * glitches, so dropping samples is no worse really).
1078  */
1079 static void vnc_update_throttle_offset(VncState *vs)
1080 {
1081     size_t offset =
1082         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1083 
1084     if (vs->audio_cap) {
1085         int bps;
1086         switch (vs->as.fmt) {
1087         default:
1088         case  AUDIO_FORMAT_U8:
1089         case  AUDIO_FORMAT_S8:
1090             bps = 1;
1091             break;
1092         case  AUDIO_FORMAT_U16:
1093         case  AUDIO_FORMAT_S16:
1094             bps = 2;
1095             break;
1096         case  AUDIO_FORMAT_U32:
1097         case  AUDIO_FORMAT_S32:
1098             bps = 4;
1099             break;
1100         }
1101         offset += vs->as.freq * bps * vs->as.nchannels;
1102     }
1103 
1104     /* Put a floor of 1MB on offset, so that if we have a large pending
1105      * buffer and the display is resized to a small size & back again
1106      * we don't suddenly apply a tiny send limit
1107      */
1108     offset = MAX(offset, 1024 * 1024);
1109 
1110     if (vs->throttle_output_offset != offset) {
1111         trace_vnc_client_throttle_threshold(
1112             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1113             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1114     }
1115 
1116     vs->throttle_output_offset = offset;
1117 }
1118 
1119 static bool vnc_should_update(VncState *vs)
1120 {
1121     switch (vs->update) {
1122     case VNC_STATE_UPDATE_NONE:
1123         break;
1124     case VNC_STATE_UPDATE_INCREMENTAL:
1125         /* Only allow incremental updates if the pending send queue
1126          * is less than the permitted threshold, and the job worker
1127          * is completely idle.
1128          */
1129         if (vs->output.offset < vs->throttle_output_offset &&
1130             vs->job_update == VNC_STATE_UPDATE_NONE) {
1131             return true;
1132         }
1133         trace_vnc_client_throttle_incremental(
1134             vs, vs->ioc, vs->job_update, vs->output.offset);
1135         break;
1136     case VNC_STATE_UPDATE_FORCE:
1137         /* Only allow forced updates if the pending send queue
1138          * does not contain a previous forced update, and the
1139          * job worker is completely idle.
1140          *
1141          * Note this means we'll queue a forced update, even if
1142          * the output buffer size is otherwise over the throttle
1143          * output limit.
1144          */
1145         if (vs->force_update_offset == 0 &&
1146             vs->job_update == VNC_STATE_UPDATE_NONE) {
1147             return true;
1148         }
1149         trace_vnc_client_throttle_forced(
1150             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1151         break;
1152     }
1153     return false;
1154 }
1155 
1156 static int vnc_update_client(VncState *vs, int has_dirty)
1157 {
1158     VncDisplay *vd = vs->vd;
1159     VncJob *job;
1160     int y;
1161     int height, width;
1162     int n = 0;
1163 
1164     if (vs->disconnecting) {
1165         vnc_disconnect_finish(vs);
1166         return 0;
1167     }
1168 
1169     vs->has_dirty += has_dirty;
1170     if (!vnc_should_update(vs)) {
1171         return 0;
1172     }
1173 
1174     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1175         return 0;
1176     }
1177 
1178     /*
1179      * Send screen updates to the vnc client using the server
1180      * surface and server dirty map.  guest surface updates
1181      * happening in parallel don't disturb us, the next pass will
1182      * send them to the client.
1183      */
1184     job = vnc_job_new(vs);
1185 
1186     height = pixman_image_get_height(vd->server);
1187     width = pixman_image_get_width(vd->server);
1188 
1189     y = 0;
1190     for (;;) {
1191         int x, h;
1192         unsigned long x2;
1193         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1194                                              height * VNC_DIRTY_BPL(vs),
1195                                              y * VNC_DIRTY_BPL(vs));
1196         if (offset == height * VNC_DIRTY_BPL(vs)) {
1197             /* no more dirty bits */
1198             break;
1199         }
1200         y = offset / VNC_DIRTY_BPL(vs);
1201         x = offset % VNC_DIRTY_BPL(vs);
1202         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1203                                 VNC_DIRTY_BPL(vs), x);
1204         bitmap_clear(vs->dirty[y], x, x2 - x);
1205         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1206         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1207         if (x2 > x) {
1208             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1209                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1210         }
1211         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1212             y += h;
1213             if (y == height) {
1214                 break;
1215             }
1216         }
1217     }
1218 
1219     vs->job_update = vs->update;
1220     vs->update = VNC_STATE_UPDATE_NONE;
1221     vnc_job_push(job);
1222     vs->has_dirty = 0;
1223     return n;
1224 }
1225 
1226 /* audio */
1227 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1228 {
1229     VncState *vs = opaque;
1230 
1231     assert(vs->magic == VNC_MAGIC);
1232     switch (cmd) {
1233     case AUD_CNOTIFY_DISABLE:
1234         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1235         vnc_lock_output(vs);
1236         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1237         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1238         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1239         vnc_unlock_output(vs);
1240         vnc_flush(vs);
1241         break;
1242 
1243     case AUD_CNOTIFY_ENABLE:
1244         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1245         vnc_lock_output(vs);
1246         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1247         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1248         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1249         vnc_unlock_output(vs);
1250         vnc_flush(vs);
1251         break;
1252     }
1253 }
1254 
1255 static void audio_capture_destroy(void *opaque)
1256 {
1257 }
1258 
1259 static void audio_capture(void *opaque, const void *buf, int size)
1260 {
1261     VncState *vs = opaque;
1262 
1263     assert(vs->magic == VNC_MAGIC);
1264     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1265     vnc_lock_output(vs);
1266     if (vs->output.offset < vs->throttle_output_offset) {
1267         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1268         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1269         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1270         vnc_write_u32(vs, size);
1271         vnc_write(vs, buf, size);
1272     } else {
1273         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1274     }
1275     vnc_unlock_output(vs);
1276     vnc_flush(vs);
1277 }
1278 
1279 static void audio_add(VncState *vs)
1280 {
1281     struct audio_capture_ops ops;
1282 
1283     if (vs->audio_cap) {
1284         error_report("audio already running");
1285         return;
1286     }
1287 
1288     ops.notify = audio_capture_notify;
1289     ops.destroy = audio_capture_destroy;
1290     ops.capture = audio_capture;
1291 
1292     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1293     if (!vs->audio_cap) {
1294         error_report("Failed to add audio capture");
1295     }
1296 }
1297 
1298 static void audio_del(VncState *vs)
1299 {
1300     if (vs->audio_cap) {
1301         AUD_del_capture(vs->audio_cap, vs);
1302         vs->audio_cap = NULL;
1303     }
1304 }
1305 
1306 static void vnc_disconnect_start(VncState *vs)
1307 {
1308     if (vs->disconnecting) {
1309         return;
1310     }
1311     trace_vnc_client_disconnect_start(vs, vs->ioc);
1312     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1313     if (vs->ioc_tag) {
1314         g_source_remove(vs->ioc_tag);
1315         vs->ioc_tag = 0;
1316     }
1317     qio_channel_close(vs->ioc, NULL);
1318     vs->disconnecting = TRUE;
1319 }
1320 
1321 void vnc_disconnect_finish(VncState *vs)
1322 {
1323     int i;
1324 
1325     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1326 
1327     vnc_jobs_join(vs); /* Wait encoding jobs */
1328 
1329     vnc_lock_output(vs);
1330     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1331 
1332     buffer_free(&vs->input);
1333     buffer_free(&vs->output);
1334 
1335     qapi_free_VncClientInfo(vs->info);
1336 
1337     vnc_zlib_clear(vs);
1338     vnc_tight_clear(vs);
1339     vnc_zrle_clear(vs);
1340 
1341 #ifdef CONFIG_VNC_SASL
1342     vnc_sasl_client_cleanup(vs);
1343 #endif /* CONFIG_VNC_SASL */
1344     audio_del(vs);
1345     qkbd_state_lift_all_keys(vs->vd->kbd);
1346 
1347     if (vs->mouse_mode_notifier.notify != NULL) {
1348         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1349     }
1350     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1351     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1352         /* last client gone */
1353         vnc_update_server_surface(vs->vd);
1354     }
1355 
1356     vnc_unlock_output(vs);
1357 
1358     qemu_mutex_destroy(&vs->output_mutex);
1359     if (vs->bh != NULL) {
1360         qemu_bh_delete(vs->bh);
1361     }
1362     buffer_free(&vs->jobs_buffer);
1363 
1364     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1365         g_free(vs->lossy_rect[i]);
1366     }
1367     g_free(vs->lossy_rect);
1368 
1369     object_unref(OBJECT(vs->ioc));
1370     vs->ioc = NULL;
1371     object_unref(OBJECT(vs->sioc));
1372     vs->sioc = NULL;
1373     vs->magic = 0;
1374     g_free(vs->zrle);
1375     g_free(vs->tight);
1376     g_free(vs);
1377 }
1378 
1379 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1380 {
1381     if (ret <= 0) {
1382         if (ret == 0) {
1383             trace_vnc_client_eof(vs, vs->ioc);
1384             vnc_disconnect_start(vs);
1385         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1386             trace_vnc_client_io_error(vs, vs->ioc,
1387                                       err ? error_get_pretty(err) : "Unknown");
1388             vnc_disconnect_start(vs);
1389         }
1390 
1391         error_free(err);
1392         return 0;
1393     }
1394     return ret;
1395 }
1396 
1397 
1398 void vnc_client_error(VncState *vs)
1399 {
1400     VNC_DEBUG("Closing down client sock: protocol error\n");
1401     vnc_disconnect_start(vs);
1402 }
1403 
1404 
1405 /*
1406  * Called to write a chunk of data to the client socket. The data may
1407  * be the raw data, or may have already been encoded by SASL.
1408  * The data will be written either straight onto the socket, or
1409  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1410  *
1411  * NB, it is theoretically possible to have 2 layers of encryption,
1412  * both SASL, and this TLS layer. It is highly unlikely in practice
1413  * though, since SASL encryption will typically be a no-op if TLS
1414  * is active
1415  *
1416  * Returns the number of bytes written, which may be less than
1417  * the requested 'datalen' if the socket would block. Returns
1418  * 0 on I/O error, and disconnects the client socket.
1419  */
1420 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1421 {
1422     Error *err = NULL;
1423     ssize_t ret;
1424     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1425     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1426     return vnc_client_io_error(vs, ret, err);
1427 }
1428 
1429 
1430 /*
1431  * Called to write buffered data to the client socket, when not
1432  * using any SASL SSF encryption layers. Will write as much data
1433  * as possible without blocking. If all buffered data is written,
1434  * will switch the FD poll() handler back to read monitoring.
1435  *
1436  * Returns the number of bytes written, which may be less than
1437  * the buffered output data if the socket would block.  Returns
1438  * 0 on I/O error, and disconnects the client socket.
1439  */
1440 static size_t vnc_client_write_plain(VncState *vs)
1441 {
1442     size_t offset;
1443     size_t ret;
1444 
1445 #ifdef CONFIG_VNC_SASL
1446     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1447               vs->output.buffer, vs->output.capacity, vs->output.offset,
1448               vs->sasl.waitWriteSSF);
1449 
1450     if (vs->sasl.conn &&
1451         vs->sasl.runSSF &&
1452         vs->sasl.waitWriteSSF) {
1453         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1454         if (ret)
1455             vs->sasl.waitWriteSSF -= ret;
1456     } else
1457 #endif /* CONFIG_VNC_SASL */
1458         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1459     if (!ret)
1460         return 0;
1461 
1462     if (ret >= vs->force_update_offset) {
1463         if (vs->force_update_offset != 0) {
1464             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1465         }
1466         vs->force_update_offset = 0;
1467     } else {
1468         vs->force_update_offset -= ret;
1469     }
1470     offset = vs->output.offset;
1471     buffer_advance(&vs->output, ret);
1472     if (offset >= vs->throttle_output_offset &&
1473         vs->output.offset < vs->throttle_output_offset) {
1474         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1475     }
1476 
1477     if (vs->output.offset == 0) {
1478         if (vs->ioc_tag) {
1479             g_source_remove(vs->ioc_tag);
1480         }
1481         vs->ioc_tag = qio_channel_add_watch(
1482             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1483             vnc_client_io, vs, NULL);
1484     }
1485 
1486     return ret;
1487 }
1488 
1489 
1490 /*
1491  * First function called whenever there is data to be written to
1492  * the client socket. Will delegate actual work according to whether
1493  * SASL SSF layers are enabled (thus requiring encryption calls)
1494  */
1495 static void vnc_client_write_locked(VncState *vs)
1496 {
1497 #ifdef CONFIG_VNC_SASL
1498     if (vs->sasl.conn &&
1499         vs->sasl.runSSF &&
1500         !vs->sasl.waitWriteSSF) {
1501         vnc_client_write_sasl(vs);
1502     } else
1503 #endif /* CONFIG_VNC_SASL */
1504     {
1505         vnc_client_write_plain(vs);
1506     }
1507 }
1508 
1509 static void vnc_client_write(VncState *vs)
1510 {
1511     assert(vs->magic == VNC_MAGIC);
1512     vnc_lock_output(vs);
1513     if (vs->output.offset) {
1514         vnc_client_write_locked(vs);
1515     } else if (vs->ioc != NULL) {
1516         if (vs->ioc_tag) {
1517             g_source_remove(vs->ioc_tag);
1518         }
1519         vs->ioc_tag = qio_channel_add_watch(
1520             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1521             vnc_client_io, vs, NULL);
1522     }
1523     vnc_unlock_output(vs);
1524 }
1525 
1526 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1527 {
1528     vs->read_handler = func;
1529     vs->read_handler_expect = expecting;
1530 }
1531 
1532 
1533 /*
1534  * Called to read a chunk of data from the client socket. The data may
1535  * be the raw data, or may need to be further decoded by SASL.
1536  * The data will be read either straight from to the socket, or
1537  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1538  *
1539  * NB, it is theoretically possible to have 2 layers of encryption,
1540  * both SASL, and this TLS layer. It is highly unlikely in practice
1541  * though, since SASL encryption will typically be a no-op if TLS
1542  * is active
1543  *
1544  * Returns the number of bytes read, which may be less than
1545  * the requested 'datalen' if the socket would block. Returns
1546  * 0 on I/O error or EOF, and disconnects the client socket.
1547  */
1548 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1549 {
1550     ssize_t ret;
1551     Error *err = NULL;
1552     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1553     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1554     return vnc_client_io_error(vs, ret, err);
1555 }
1556 
1557 
1558 /*
1559  * Called to read data from the client socket to the input buffer,
1560  * when not using any SASL SSF encryption layers. Will read as much
1561  * data as possible without blocking.
1562  *
1563  * Returns the number of bytes read, which may be less than
1564  * the requested 'datalen' if the socket would block. Returns
1565  * 0 on I/O error or EOF, and disconnects the client socket.
1566  */
1567 static size_t vnc_client_read_plain(VncState *vs)
1568 {
1569     size_t ret;
1570     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1571               vs->input.buffer, vs->input.capacity, vs->input.offset);
1572     buffer_reserve(&vs->input, 4096);
1573     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1574     if (!ret)
1575         return 0;
1576     vs->input.offset += ret;
1577     return ret;
1578 }
1579 
1580 static void vnc_jobs_bh(void *opaque)
1581 {
1582     VncState *vs = opaque;
1583 
1584     assert(vs->magic == VNC_MAGIC);
1585     vnc_jobs_consume_buffer(vs);
1586 }
1587 
1588 /*
1589  * First function called whenever there is more data to be read from
1590  * the client socket. Will delegate actual work according to whether
1591  * SASL SSF layers are enabled (thus requiring decryption calls)
1592  * Returns 0 on success, -1 if client disconnected
1593  */
1594 static int vnc_client_read(VncState *vs)
1595 {
1596     size_t ret;
1597 
1598 #ifdef CONFIG_VNC_SASL
1599     if (vs->sasl.conn && vs->sasl.runSSF)
1600         ret = vnc_client_read_sasl(vs);
1601     else
1602 #endif /* CONFIG_VNC_SASL */
1603         ret = vnc_client_read_plain(vs);
1604     if (!ret) {
1605         if (vs->disconnecting) {
1606             vnc_disconnect_finish(vs);
1607             return -1;
1608         }
1609         return 0;
1610     }
1611 
1612     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1613         size_t len = vs->read_handler_expect;
1614         int ret;
1615 
1616         ret = vs->read_handler(vs, vs->input.buffer, len);
1617         if (vs->disconnecting) {
1618             vnc_disconnect_finish(vs);
1619             return -1;
1620         }
1621 
1622         if (!ret) {
1623             buffer_advance(&vs->input, len);
1624         } else {
1625             vs->read_handler_expect = ret;
1626         }
1627     }
1628     return 0;
1629 }
1630 
1631 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1632                        GIOCondition condition, void *opaque)
1633 {
1634     VncState *vs = opaque;
1635 
1636     assert(vs->magic == VNC_MAGIC);
1637 
1638     if (condition & (G_IO_HUP | G_IO_ERR)) {
1639         vnc_disconnect_start(vs);
1640         return TRUE;
1641     }
1642 
1643     if (condition & G_IO_IN) {
1644         if (vnc_client_read(vs) < 0) {
1645             /* vs is free()ed here */
1646             return TRUE;
1647         }
1648     }
1649     if (condition & G_IO_OUT) {
1650         vnc_client_write(vs);
1651     }
1652 
1653     if (vs->disconnecting) {
1654         if (vs->ioc_tag != 0) {
1655             g_source_remove(vs->ioc_tag);
1656         }
1657         vs->ioc_tag = 0;
1658     }
1659     return TRUE;
1660 }
1661 
1662 
1663 /*
1664  * Scale factor to apply to vs->throttle_output_offset when checking for
1665  * hard limit. Worst case normal usage could be x2, if we have a complete
1666  * incremental update and complete forced update in the output buffer.
1667  * So x3 should be good enough, but we pick x5 to be conservative and thus
1668  * (hopefully) never trigger incorrectly.
1669  */
1670 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1671 
1672 void vnc_write(VncState *vs, const void *data, size_t len)
1673 {
1674     assert(vs->magic == VNC_MAGIC);
1675     if (vs->disconnecting) {
1676         return;
1677     }
1678     /* Protection against malicious client/guest to prevent our output
1679      * buffer growing without bound if client stops reading data. This
1680      * should rarely trigger, because we have earlier throttling code
1681      * which stops issuing framebuffer updates and drops audio data
1682      * if the throttle_output_offset value is exceeded. So we only reach
1683      * this higher level if a huge number of pseudo-encodings get
1684      * triggered while data can't be sent on the socket.
1685      *
1686      * NB throttle_output_offset can be zero during early protocol
1687      * handshake, or from the job thread's VncState clone
1688      */
1689     if (vs->throttle_output_offset != 0 &&
1690         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1691         vs->throttle_output_offset) {
1692         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1693                                       vs->throttle_output_offset);
1694         vnc_disconnect_start(vs);
1695         return;
1696     }
1697     buffer_reserve(&vs->output, len);
1698 
1699     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1700         if (vs->ioc_tag) {
1701             g_source_remove(vs->ioc_tag);
1702         }
1703         vs->ioc_tag = qio_channel_add_watch(
1704             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1705             vnc_client_io, vs, NULL);
1706     }
1707 
1708     buffer_append(&vs->output, data, len);
1709 }
1710 
1711 void vnc_write_s32(VncState *vs, int32_t value)
1712 {
1713     vnc_write_u32(vs, *(uint32_t *)&value);
1714 }
1715 
1716 void vnc_write_u32(VncState *vs, uint32_t value)
1717 {
1718     uint8_t buf[4];
1719 
1720     buf[0] = (value >> 24) & 0xFF;
1721     buf[1] = (value >> 16) & 0xFF;
1722     buf[2] = (value >>  8) & 0xFF;
1723     buf[3] = value & 0xFF;
1724 
1725     vnc_write(vs, buf, 4);
1726 }
1727 
1728 void vnc_write_u16(VncState *vs, uint16_t value)
1729 {
1730     uint8_t buf[2];
1731 
1732     buf[0] = (value >> 8) & 0xFF;
1733     buf[1] = value & 0xFF;
1734 
1735     vnc_write(vs, buf, 2);
1736 }
1737 
1738 void vnc_write_u8(VncState *vs, uint8_t value)
1739 {
1740     vnc_write(vs, (char *)&value, 1);
1741 }
1742 
1743 void vnc_flush(VncState *vs)
1744 {
1745     vnc_lock_output(vs);
1746     if (vs->ioc != NULL && vs->output.offset) {
1747         vnc_client_write_locked(vs);
1748     }
1749     if (vs->disconnecting) {
1750         if (vs->ioc_tag != 0) {
1751             g_source_remove(vs->ioc_tag);
1752         }
1753         vs->ioc_tag = 0;
1754     }
1755     vnc_unlock_output(vs);
1756 }
1757 
1758 static uint8_t read_u8(uint8_t *data, size_t offset)
1759 {
1760     return data[offset];
1761 }
1762 
1763 static uint16_t read_u16(uint8_t *data, size_t offset)
1764 {
1765     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1766 }
1767 
1768 static int32_t read_s32(uint8_t *data, size_t offset)
1769 {
1770     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1771                      (data[offset + 2] << 8) | data[offset + 3]);
1772 }
1773 
1774 uint32_t read_u32(uint8_t *data, size_t offset)
1775 {
1776     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1777             (data[offset + 2] << 8) | data[offset + 3]);
1778 }
1779 
1780 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1781 {
1782 }
1783 
1784 static void check_pointer_type_change(Notifier *notifier, void *data)
1785 {
1786     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1787     int absolute = qemu_input_is_absolute();
1788 
1789     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1790         vnc_lock_output(vs);
1791         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1792         vnc_write_u8(vs, 0);
1793         vnc_write_u16(vs, 1);
1794         vnc_framebuffer_update(vs, absolute, 0,
1795                                pixman_image_get_width(vs->vd->server),
1796                                pixman_image_get_height(vs->vd->server),
1797                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1798         vnc_unlock_output(vs);
1799         vnc_flush(vs);
1800     }
1801     vs->absolute = absolute;
1802 }
1803 
1804 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1805 {
1806     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1807         [INPUT_BUTTON_LEFT]       = 0x01,
1808         [INPUT_BUTTON_MIDDLE]     = 0x02,
1809         [INPUT_BUTTON_RIGHT]      = 0x04,
1810         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1811         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1812     };
1813     QemuConsole *con = vs->vd->dcl.con;
1814     int width = pixman_image_get_width(vs->vd->server);
1815     int height = pixman_image_get_height(vs->vd->server);
1816 
1817     if (vs->last_bmask != button_mask) {
1818         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1819         vs->last_bmask = button_mask;
1820     }
1821 
1822     if (vs->absolute) {
1823         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1824         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1825     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1826         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1827         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1828     } else {
1829         if (vs->last_x != -1) {
1830             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1831             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1832         }
1833         vs->last_x = x;
1834         vs->last_y = y;
1835     }
1836     qemu_input_event_sync();
1837 }
1838 
1839 static void press_key(VncState *vs, QKeyCode qcode)
1840 {
1841     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1842     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1843 }
1844 
1845 static void vnc_led_state_change(VncState *vs)
1846 {
1847     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1848         return;
1849     }
1850 
1851     vnc_lock_output(vs);
1852     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1853     vnc_write_u8(vs, 0);
1854     vnc_write_u16(vs, 1);
1855     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1856     vnc_write_u8(vs, vs->vd->ledstate);
1857     vnc_unlock_output(vs);
1858     vnc_flush(vs);
1859 }
1860 
1861 static void kbd_leds(void *opaque, int ledstate)
1862 {
1863     VncDisplay *vd = opaque;
1864     VncState *client;
1865 
1866     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1867                              (ledstate & QEMU_NUM_LOCK_LED),
1868                              (ledstate & QEMU_SCROLL_LOCK_LED));
1869 
1870     if (ledstate == vd->ledstate) {
1871         return;
1872     }
1873 
1874     vd->ledstate = ledstate;
1875 
1876     QTAILQ_FOREACH(client, &vd->clients, next) {
1877         vnc_led_state_change(client);
1878     }
1879 }
1880 
1881 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1882 {
1883     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1884 
1885     /* QEMU console switch */
1886     switch (qcode) {
1887     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1888         if (vs->vd->dcl.con == NULL && down &&
1889             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1890             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1891             /* Reset the modifiers sent to the current console */
1892             qkbd_state_lift_all_keys(vs->vd->kbd);
1893             console_select(qcode - Q_KEY_CODE_1);
1894             return;
1895         }
1896     default:
1897         break;
1898     }
1899 
1900     /* Turn off the lock state sync logic if the client support the led
1901        state extension.
1902     */
1903     if (down && vs->vd->lock_key_sync &&
1904         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1905         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1906         /* If the numlock state needs to change then simulate an additional
1907            keypress before sending this one.  This will happen if the user
1908            toggles numlock away from the VNC window.
1909         */
1910         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1911             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1912                 trace_vnc_key_sync_numlock(true);
1913                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1914             }
1915         } else {
1916             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1917                 trace_vnc_key_sync_numlock(false);
1918                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1919             }
1920         }
1921     }
1922 
1923     if (down && vs->vd->lock_key_sync &&
1924         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1925         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1926         /* If the capslock state needs to change then simulate an additional
1927            keypress before sending this one.  This will happen if the user
1928            toggles capslock away from the VNC window.
1929         */
1930         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1931         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1932         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1933         if (capslock) {
1934             if (uppercase == shift) {
1935                 trace_vnc_key_sync_capslock(false);
1936                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1937             }
1938         } else {
1939             if (uppercase != shift) {
1940                 trace_vnc_key_sync_capslock(true);
1941                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1942             }
1943         }
1944     }
1945 
1946     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1947     if (!qemu_console_is_graphic(NULL)) {
1948         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1949         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1950         /* QEMU console emulation */
1951         if (down) {
1952             switch (keycode) {
1953             case 0x2a:                          /* Left Shift */
1954             case 0x36:                          /* Right Shift */
1955             case 0x1d:                          /* Left CTRL */
1956             case 0x9d:                          /* Right CTRL */
1957             case 0x38:                          /* Left ALT */
1958             case 0xb8:                          /* Right ALT */
1959                 break;
1960             case 0xc8:
1961                 kbd_put_keysym(QEMU_KEY_UP);
1962                 break;
1963             case 0xd0:
1964                 kbd_put_keysym(QEMU_KEY_DOWN);
1965                 break;
1966             case 0xcb:
1967                 kbd_put_keysym(QEMU_KEY_LEFT);
1968                 break;
1969             case 0xcd:
1970                 kbd_put_keysym(QEMU_KEY_RIGHT);
1971                 break;
1972             case 0xd3:
1973                 kbd_put_keysym(QEMU_KEY_DELETE);
1974                 break;
1975             case 0xc7:
1976                 kbd_put_keysym(QEMU_KEY_HOME);
1977                 break;
1978             case 0xcf:
1979                 kbd_put_keysym(QEMU_KEY_END);
1980                 break;
1981             case 0xc9:
1982                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1983                 break;
1984             case 0xd1:
1985                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1986                 break;
1987 
1988             case 0x47:
1989                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1990                 break;
1991             case 0x48:
1992                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1993                 break;
1994             case 0x49:
1995                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1996                 break;
1997             case 0x4b:
1998                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1999                 break;
2000             case 0x4c:
2001                 kbd_put_keysym('5');
2002                 break;
2003             case 0x4d:
2004                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2005                 break;
2006             case 0x4f:
2007                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2008                 break;
2009             case 0x50:
2010                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2011                 break;
2012             case 0x51:
2013                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2014                 break;
2015             case 0x52:
2016                 kbd_put_keysym('0');
2017                 break;
2018             case 0x53:
2019                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2020                 break;
2021 
2022             case 0xb5:
2023                 kbd_put_keysym('/');
2024                 break;
2025             case 0x37:
2026                 kbd_put_keysym('*');
2027                 break;
2028             case 0x4a:
2029                 kbd_put_keysym('-');
2030                 break;
2031             case 0x4e:
2032                 kbd_put_keysym('+');
2033                 break;
2034             case 0x9c:
2035                 kbd_put_keysym('\n');
2036                 break;
2037 
2038             default:
2039                 if (control) {
2040                     kbd_put_keysym(sym & 0x1f);
2041                 } else {
2042                     kbd_put_keysym(sym);
2043                 }
2044                 break;
2045             }
2046         }
2047     }
2048 }
2049 
2050 static const char *code2name(int keycode)
2051 {
2052     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2053 }
2054 
2055 static void key_event(VncState *vs, int down, uint32_t sym)
2056 {
2057     int keycode;
2058     int lsym = sym;
2059 
2060     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2061         lsym = lsym - 'A' + 'a';
2062     }
2063 
2064     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2065                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2066     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2067     do_key_event(vs, down, keycode, sym);
2068 }
2069 
2070 static void ext_key_event(VncState *vs, int down,
2071                           uint32_t sym, uint16_t keycode)
2072 {
2073     /* if the user specifies a keyboard layout, always use it */
2074     if (keyboard_layout) {
2075         key_event(vs, down, sym);
2076     } else {
2077         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2078         do_key_event(vs, down, keycode, sym);
2079     }
2080 }
2081 
2082 static void framebuffer_update_request(VncState *vs, int incremental,
2083                                        int x, int y, int w, int h)
2084 {
2085     if (incremental) {
2086         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2087             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2088         }
2089     } else {
2090         vs->update = VNC_STATE_UPDATE_FORCE;
2091         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2092         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2093             vnc_desktop_resize_ext(vs, 0);
2094         }
2095     }
2096 }
2097 
2098 static void send_ext_key_event_ack(VncState *vs)
2099 {
2100     vnc_lock_output(vs);
2101     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2102     vnc_write_u8(vs, 0);
2103     vnc_write_u16(vs, 1);
2104     vnc_framebuffer_update(vs, 0, 0,
2105                            pixman_image_get_width(vs->vd->server),
2106                            pixman_image_get_height(vs->vd->server),
2107                            VNC_ENCODING_EXT_KEY_EVENT);
2108     vnc_unlock_output(vs);
2109     vnc_flush(vs);
2110 }
2111 
2112 static void send_ext_audio_ack(VncState *vs)
2113 {
2114     vnc_lock_output(vs);
2115     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2116     vnc_write_u8(vs, 0);
2117     vnc_write_u16(vs, 1);
2118     vnc_framebuffer_update(vs, 0, 0,
2119                            pixman_image_get_width(vs->vd->server),
2120                            pixman_image_get_height(vs->vd->server),
2121                            VNC_ENCODING_AUDIO);
2122     vnc_unlock_output(vs);
2123     vnc_flush(vs);
2124 }
2125 
2126 static void send_xvp_message(VncState *vs, int code)
2127 {
2128     vnc_lock_output(vs);
2129     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2130     vnc_write_u8(vs, 0); /* pad */
2131     vnc_write_u8(vs, 1); /* version */
2132     vnc_write_u8(vs, code);
2133     vnc_unlock_output(vs);
2134     vnc_flush(vs);
2135 }
2136 
2137 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2138 {
2139     int i;
2140     unsigned int enc = 0;
2141 
2142     vs->features = 0;
2143     vs->vnc_encoding = 0;
2144     vs->tight->compression = 9;
2145     vs->tight->quality = -1; /* Lossless by default */
2146     vs->absolute = -1;
2147 
2148     /*
2149      * Start from the end because the encodings are sent in order of preference.
2150      * This way the preferred encoding (first encoding defined in the array)
2151      * will be set at the end of the loop.
2152      */
2153     for (i = n_encodings - 1; i >= 0; i--) {
2154         enc = encodings[i];
2155         switch (enc) {
2156         case VNC_ENCODING_RAW:
2157             vs->vnc_encoding = enc;
2158             break;
2159         case VNC_ENCODING_HEXTILE:
2160             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2161             vs->vnc_encoding = enc;
2162             break;
2163         case VNC_ENCODING_TIGHT:
2164             vs->features |= VNC_FEATURE_TIGHT_MASK;
2165             vs->vnc_encoding = enc;
2166             break;
2167 #ifdef CONFIG_VNC_PNG
2168         case VNC_ENCODING_TIGHT_PNG:
2169             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2170             vs->vnc_encoding = enc;
2171             break;
2172 #endif
2173         case VNC_ENCODING_ZLIB:
2174             /*
2175              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2176              * So prioritize ZRLE, even if the client hints that it prefers
2177              * ZLIB.
2178              */
2179             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2180                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2181                 vs->vnc_encoding = enc;
2182             }
2183             break;
2184         case VNC_ENCODING_ZRLE:
2185             vs->features |= VNC_FEATURE_ZRLE_MASK;
2186             vs->vnc_encoding = enc;
2187             break;
2188         case VNC_ENCODING_ZYWRLE:
2189             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2190             vs->vnc_encoding = enc;
2191             break;
2192         case VNC_ENCODING_DESKTOPRESIZE:
2193             vs->features |= VNC_FEATURE_RESIZE_MASK;
2194             break;
2195         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2196             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2197             break;
2198         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2199             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2200             break;
2201         case VNC_ENCODING_RICH_CURSOR:
2202             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2203             break;
2204         case VNC_ENCODING_ALPHA_CURSOR:
2205             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2206             break;
2207         case VNC_ENCODING_EXT_KEY_EVENT:
2208             send_ext_key_event_ack(vs);
2209             break;
2210         case VNC_ENCODING_AUDIO:
2211             send_ext_audio_ack(vs);
2212             break;
2213         case VNC_ENCODING_WMVi:
2214             vs->features |= VNC_FEATURE_WMVI_MASK;
2215             break;
2216         case VNC_ENCODING_LED_STATE:
2217             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2218             break;
2219         case VNC_ENCODING_XVP:
2220             if (vs->vd->power_control) {
2221                 vs->features |= VNC_FEATURE_XVP;
2222                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2223             }
2224             break;
2225         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2226             vs->tight->compression = (enc & 0x0F);
2227             break;
2228         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2229             if (vs->vd->lossy) {
2230                 vs->tight->quality = (enc & 0x0F);
2231             }
2232             break;
2233         default:
2234             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2235             break;
2236         }
2237     }
2238     vnc_desktop_resize(vs);
2239     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2240     vnc_led_state_change(vs);
2241     vnc_cursor_define(vs);
2242 }
2243 
2244 static void set_pixel_conversion(VncState *vs)
2245 {
2246     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2247 
2248     if (fmt == VNC_SERVER_FB_FORMAT) {
2249         vs->write_pixels = vnc_write_pixels_copy;
2250         vnc_hextile_set_pixel_conversion(vs, 0);
2251     } else {
2252         vs->write_pixels = vnc_write_pixels_generic;
2253         vnc_hextile_set_pixel_conversion(vs, 1);
2254     }
2255 }
2256 
2257 static void send_color_map(VncState *vs)
2258 {
2259     int i;
2260 
2261     vnc_lock_output(vs);
2262     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2263     vnc_write_u8(vs,  0);    /* padding     */
2264     vnc_write_u16(vs, 0);    /* first color */
2265     vnc_write_u16(vs, 256);  /* # of colors */
2266 
2267     for (i = 0; i < 256; i++) {
2268         PixelFormat *pf = &vs->client_pf;
2269 
2270         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2271         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2272         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2273     }
2274     vnc_unlock_output(vs);
2275 }
2276 
2277 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2278                              int big_endian_flag, int true_color_flag,
2279                              int red_max, int green_max, int blue_max,
2280                              int red_shift, int green_shift, int blue_shift)
2281 {
2282     if (!true_color_flag) {
2283         /* Expose a reasonable default 256 color map */
2284         bits_per_pixel = 8;
2285         red_max = 7;
2286         green_max = 7;
2287         blue_max = 3;
2288         red_shift = 0;
2289         green_shift = 3;
2290         blue_shift = 6;
2291     }
2292 
2293     switch (bits_per_pixel) {
2294     case 8:
2295     case 16:
2296     case 32:
2297         break;
2298     default:
2299         vnc_client_error(vs);
2300         return;
2301     }
2302 
2303     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2304     vs->client_pf.rbits = ctpopl(red_max);
2305     vs->client_pf.rshift = red_shift;
2306     vs->client_pf.rmask = red_max << red_shift;
2307     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2308     vs->client_pf.gbits = ctpopl(green_max);
2309     vs->client_pf.gshift = green_shift;
2310     vs->client_pf.gmask = green_max << green_shift;
2311     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2312     vs->client_pf.bbits = ctpopl(blue_max);
2313     vs->client_pf.bshift = blue_shift;
2314     vs->client_pf.bmask = blue_max << blue_shift;
2315     vs->client_pf.bits_per_pixel = bits_per_pixel;
2316     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2317     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2318     vs->client_be = big_endian_flag;
2319 
2320     if (!true_color_flag) {
2321         send_color_map(vs);
2322     }
2323 
2324     set_pixel_conversion(vs);
2325 
2326     graphic_hw_invalidate(vs->vd->dcl.con);
2327     graphic_hw_update(vs->vd->dcl.con);
2328 }
2329 
2330 static void pixel_format_message (VncState *vs) {
2331     char pad[3] = { 0, 0, 0 };
2332 
2333     vs->client_pf = qemu_default_pixelformat(32);
2334 
2335     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2336     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2337 
2338 #ifdef HOST_WORDS_BIGENDIAN
2339     vnc_write_u8(vs, 1);             /* big-endian-flag */
2340 #else
2341     vnc_write_u8(vs, 0);             /* big-endian-flag */
2342 #endif
2343     vnc_write_u8(vs, 1);             /* true-color-flag */
2344     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2345     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2346     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2347     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2348     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2349     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2350     vnc_write(vs, pad, 3);           /* padding */
2351 
2352     vnc_hextile_set_pixel_conversion(vs, 0);
2353     vs->write_pixels = vnc_write_pixels_copy;
2354 }
2355 
2356 static void vnc_colordepth(VncState *vs)
2357 {
2358     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2359         /* Sending a WMVi message to notify the client*/
2360         vnc_lock_output(vs);
2361         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2362         vnc_write_u8(vs, 0);
2363         vnc_write_u16(vs, 1); /* number of rects */
2364         vnc_framebuffer_update(vs, 0, 0,
2365                                vs->client_width,
2366                                vs->client_height,
2367                                VNC_ENCODING_WMVi);
2368         pixel_format_message(vs);
2369         vnc_unlock_output(vs);
2370         vnc_flush(vs);
2371     } else {
2372         set_pixel_conversion(vs);
2373     }
2374 }
2375 
2376 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2377 {
2378     int i;
2379     uint16_t limit;
2380     uint32_t freq;
2381     VncDisplay *vd = vs->vd;
2382 
2383     if (data[0] > 3) {
2384         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2385     }
2386 
2387     switch (data[0]) {
2388     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2389         if (len == 1)
2390             return 20;
2391 
2392         set_pixel_format(vs, read_u8(data, 4),
2393                          read_u8(data, 6), read_u8(data, 7),
2394                          read_u16(data, 8), read_u16(data, 10),
2395                          read_u16(data, 12), read_u8(data, 14),
2396                          read_u8(data, 15), read_u8(data, 16));
2397         break;
2398     case VNC_MSG_CLIENT_SET_ENCODINGS:
2399         if (len == 1)
2400             return 4;
2401 
2402         if (len == 4) {
2403             limit = read_u16(data, 2);
2404             if (limit > 0)
2405                 return 4 + (limit * 4);
2406         } else
2407             limit = read_u16(data, 2);
2408 
2409         for (i = 0; i < limit; i++) {
2410             int32_t val = read_s32(data, 4 + (i * 4));
2411             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2412         }
2413 
2414         set_encodings(vs, (int32_t *)(data + 4), limit);
2415         break;
2416     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2417         if (len == 1)
2418             return 10;
2419 
2420         framebuffer_update_request(vs,
2421                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2422                                    read_u16(data, 6), read_u16(data, 8));
2423         break;
2424     case VNC_MSG_CLIENT_KEY_EVENT:
2425         if (len == 1)
2426             return 8;
2427 
2428         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2429         break;
2430     case VNC_MSG_CLIENT_POINTER_EVENT:
2431         if (len == 1)
2432             return 6;
2433 
2434         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2435         break;
2436     case VNC_MSG_CLIENT_CUT_TEXT:
2437         if (len == 1) {
2438             return 8;
2439         }
2440         if (len == 8) {
2441             uint32_t dlen = read_u32(data, 4);
2442             if (dlen > (1 << 20)) {
2443                 error_report("vnc: client_cut_text msg payload has %u bytes"
2444                              " which exceeds our limit of 1MB.", dlen);
2445                 vnc_client_error(vs);
2446                 break;
2447             }
2448             if (dlen > 0) {
2449                 return 8 + dlen;
2450             }
2451         }
2452 
2453         client_cut_text(vs, read_u32(data, 4), data + 8);
2454         break;
2455     case VNC_MSG_CLIENT_XVP:
2456         if (!(vs->features & VNC_FEATURE_XVP)) {
2457             error_report("vnc: xvp client message while disabled");
2458             vnc_client_error(vs);
2459             break;
2460         }
2461         if (len == 1) {
2462             return 4;
2463         }
2464         if (len == 4) {
2465             uint8_t version = read_u8(data, 2);
2466             uint8_t action = read_u8(data, 3);
2467 
2468             if (version != 1) {
2469                 error_report("vnc: xvp client message version %d != 1",
2470                              version);
2471                 vnc_client_error(vs);
2472                 break;
2473             }
2474 
2475             switch (action) {
2476             case VNC_XVP_ACTION_SHUTDOWN:
2477                 qemu_system_powerdown_request();
2478                 break;
2479             case VNC_XVP_ACTION_REBOOT:
2480                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2481                 break;
2482             case VNC_XVP_ACTION_RESET:
2483                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2484                 break;
2485             default:
2486                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2487                 break;
2488             }
2489         }
2490         break;
2491     case VNC_MSG_CLIENT_QEMU:
2492         if (len == 1)
2493             return 2;
2494 
2495         switch (read_u8(data, 1)) {
2496         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2497             if (len == 2)
2498                 return 12;
2499 
2500             ext_key_event(vs, read_u16(data, 2),
2501                           read_u32(data, 4), read_u32(data, 8));
2502             break;
2503         case VNC_MSG_CLIENT_QEMU_AUDIO:
2504             if (len == 2)
2505                 return 4;
2506 
2507             switch (read_u16 (data, 2)) {
2508             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2509                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2510                 audio_add(vs);
2511                 break;
2512             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2513                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2514                 audio_del(vs);
2515                 break;
2516             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2517                 if (len == 4)
2518                     return 10;
2519                 switch (read_u8(data, 4)) {
2520                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2521                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2522                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2523                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2524                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2525                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2526                 default:
2527                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2528                     vnc_client_error(vs);
2529                     break;
2530                 }
2531                 vs->as.nchannels = read_u8(data, 5);
2532                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2533                     VNC_DEBUG("Invalid audio channel count %d\n",
2534                               read_u8(data, 5));
2535                     vnc_client_error(vs);
2536                     break;
2537                 }
2538                 freq = read_u32(data, 6);
2539                 /* No official limit for protocol, but 48khz is a sensible
2540                  * upper bound for trustworthy clients, and this limit
2541                  * protects calculations involving 'vs->as.freq' later.
2542                  */
2543                 if (freq > 48000) {
2544                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2545                     vnc_client_error(vs);
2546                     break;
2547                 }
2548                 vs->as.freq = freq;
2549                 trace_vnc_msg_client_audio_format(
2550                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2551                 break;
2552             default:
2553                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2554                 vnc_client_error(vs);
2555                 break;
2556             }
2557             break;
2558 
2559         default:
2560             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2561             vnc_client_error(vs);
2562             break;
2563         }
2564         break;
2565     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2566     {
2567         size_t size;
2568         uint8_t screens;
2569         int w, h;
2570 
2571         if (len < 8) {
2572             return 8;
2573         }
2574 
2575         screens = read_u8(data, 6);
2576         size    = 8 + screens * 16;
2577         if (len < size) {
2578             return size;
2579         }
2580         w = read_u16(data, 2);
2581         h = read_u16(data, 4);
2582 
2583         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2584         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2585             QemuUIInfo info;
2586             memset(&info, 0, sizeof(info));
2587             info.width = w;
2588             info.height = h;
2589             dpy_set_ui_info(vs->vd->dcl.con, &info);
2590             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2591         } else {
2592             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2593         }
2594 
2595         break;
2596     }
2597     default:
2598         VNC_DEBUG("Msg: %d\n", data[0]);
2599         vnc_client_error(vs);
2600         break;
2601     }
2602 
2603     vnc_update_throttle_offset(vs);
2604     vnc_read_when(vs, protocol_client_msg, 1);
2605     return 0;
2606 }
2607 
2608 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2609 {
2610     char buf[1024];
2611     VncShareMode mode;
2612     int size;
2613 
2614     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2615     switch (vs->vd->share_policy) {
2616     case VNC_SHARE_POLICY_IGNORE:
2617         /*
2618          * Ignore the shared flag.  Nothing to do here.
2619          *
2620          * Doesn't conform to the rfb spec but is traditional qemu
2621          * behavior, thus left here as option for compatibility
2622          * reasons.
2623          */
2624         break;
2625     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2626         /*
2627          * Policy: Allow clients ask for exclusive access.
2628          *
2629          * Implementation: When a client asks for exclusive access,
2630          * disconnect all others. Shared connects are allowed as long
2631          * as no exclusive connection exists.
2632          *
2633          * This is how the rfb spec suggests to handle the shared flag.
2634          */
2635         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2636             VncState *client;
2637             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2638                 if (vs == client) {
2639                     continue;
2640                 }
2641                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2642                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2643                     continue;
2644                 }
2645                 vnc_disconnect_start(client);
2646             }
2647         }
2648         if (mode == VNC_SHARE_MODE_SHARED) {
2649             if (vs->vd->num_exclusive > 0) {
2650                 vnc_disconnect_start(vs);
2651                 return 0;
2652             }
2653         }
2654         break;
2655     case VNC_SHARE_POLICY_FORCE_SHARED:
2656         /*
2657          * Policy: Shared connects only.
2658          * Implementation: Disallow clients asking for exclusive access.
2659          *
2660          * Useful for shared desktop sessions where you don't want
2661          * someone forgetting to say -shared when running the vnc
2662          * client disconnect everybody else.
2663          */
2664         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2665             vnc_disconnect_start(vs);
2666             return 0;
2667         }
2668         break;
2669     }
2670     vnc_set_share_mode(vs, mode);
2671 
2672     if (vs->vd->num_shared > vs->vd->connections_limit) {
2673         vnc_disconnect_start(vs);
2674         return 0;
2675     }
2676 
2677     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2678            pixman_image_get_width(vs->vd->server) >= 0);
2679     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2680            pixman_image_get_height(vs->vd->server) >= 0);
2681     vs->client_width = pixman_image_get_width(vs->vd->server);
2682     vs->client_height = pixman_image_get_height(vs->vd->server);
2683     vnc_write_u16(vs, vs->client_width);
2684     vnc_write_u16(vs, vs->client_height);
2685 
2686     pixel_format_message(vs);
2687 
2688     if (qemu_name) {
2689         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2690         if (size > sizeof(buf)) {
2691             size = sizeof(buf);
2692         }
2693     } else {
2694         size = snprintf(buf, sizeof(buf), "QEMU");
2695     }
2696 
2697     vnc_write_u32(vs, size);
2698     vnc_write(vs, buf, size);
2699     vnc_flush(vs);
2700 
2701     vnc_client_cache_auth(vs);
2702     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2703 
2704     vnc_read_when(vs, protocol_client_msg, 1);
2705 
2706     return 0;
2707 }
2708 
2709 void start_client_init(VncState *vs)
2710 {
2711     vnc_read_when(vs, protocol_client_init, 1);
2712 }
2713 
2714 static void authentication_failed(VncState *vs)
2715 {
2716     vnc_write_u32(vs, 1); /* Reject auth */
2717     if (vs->minor >= 8) {
2718         static const char err[] = "Authentication failed";
2719         vnc_write_u32(vs, sizeof(err));
2720         vnc_write(vs, err, sizeof(err));
2721     }
2722     vnc_flush(vs);
2723     vnc_client_error(vs);
2724 }
2725 
2726 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2727 {
2728     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2729     size_t i, pwlen;
2730     unsigned char key[8];
2731     time_t now = time(NULL);
2732     QCryptoCipher *cipher = NULL;
2733     Error *err = NULL;
2734 
2735     if (!vs->vd->password) {
2736         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2737         goto reject;
2738     }
2739     if (vs->vd->expires < now) {
2740         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2741         goto reject;
2742     }
2743 
2744     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2745 
2746     /* Calculate the expected challenge response */
2747     pwlen = strlen(vs->vd->password);
2748     for (i=0; i<sizeof(key); i++)
2749         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2750 
2751     cipher = qcrypto_cipher_new(
2752         QCRYPTO_CIPHER_ALG_DES_RFB,
2753         QCRYPTO_CIPHER_MODE_ECB,
2754         key, G_N_ELEMENTS(key),
2755         &err);
2756     if (!cipher) {
2757         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2758                             error_get_pretty(err));
2759         error_free(err);
2760         goto reject;
2761     }
2762 
2763     if (qcrypto_cipher_encrypt(cipher,
2764                                vs->challenge,
2765                                response,
2766                                VNC_AUTH_CHALLENGE_SIZE,
2767                                &err) < 0) {
2768         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2769                             error_get_pretty(err));
2770         error_free(err);
2771         goto reject;
2772     }
2773 
2774     /* Compare expected vs actual challenge response */
2775     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2776         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2777         goto reject;
2778     } else {
2779         trace_vnc_auth_pass(vs, vs->auth);
2780         vnc_write_u32(vs, 0); /* Accept auth */
2781         vnc_flush(vs);
2782 
2783         start_client_init(vs);
2784     }
2785 
2786     qcrypto_cipher_free(cipher);
2787     return 0;
2788 
2789 reject:
2790     authentication_failed(vs);
2791     qcrypto_cipher_free(cipher);
2792     return 0;
2793 }
2794 
2795 void start_auth_vnc(VncState *vs)
2796 {
2797     Error *err = NULL;
2798 
2799     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2800         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2801                             error_get_pretty(err));
2802         error_free(err);
2803         authentication_failed(vs);
2804         return;
2805     }
2806 
2807     /* Send client a 'random' challenge */
2808     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2809     vnc_flush(vs);
2810 
2811     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2812 }
2813 
2814 
2815 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2816 {
2817     /* We only advertise 1 auth scheme at a time, so client
2818      * must pick the one we sent. Verify this */
2819     if (data[0] != vs->auth) { /* Reject auth */
2820        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2821        authentication_failed(vs);
2822     } else { /* Accept requested auth */
2823        trace_vnc_auth_start(vs, vs->auth);
2824        switch (vs->auth) {
2825        case VNC_AUTH_NONE:
2826            if (vs->minor >= 8) {
2827                vnc_write_u32(vs, 0); /* Accept auth completion */
2828                vnc_flush(vs);
2829            }
2830            trace_vnc_auth_pass(vs, vs->auth);
2831            start_client_init(vs);
2832            break;
2833 
2834        case VNC_AUTH_VNC:
2835            start_auth_vnc(vs);
2836            break;
2837 
2838        case VNC_AUTH_VENCRYPT:
2839            start_auth_vencrypt(vs);
2840            break;
2841 
2842 #ifdef CONFIG_VNC_SASL
2843        case VNC_AUTH_SASL:
2844            start_auth_sasl(vs);
2845            break;
2846 #endif /* CONFIG_VNC_SASL */
2847 
2848        default: /* Should not be possible, but just in case */
2849            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2850            authentication_failed(vs);
2851        }
2852     }
2853     return 0;
2854 }
2855 
2856 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2857 {
2858     char local[13];
2859 
2860     memcpy(local, version, 12);
2861     local[12] = 0;
2862 
2863     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2864         VNC_DEBUG("Malformed protocol version %s\n", local);
2865         vnc_client_error(vs);
2866         return 0;
2867     }
2868     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2869     if (vs->major != 3 ||
2870         (vs->minor != 3 &&
2871          vs->minor != 4 &&
2872          vs->minor != 5 &&
2873          vs->minor != 7 &&
2874          vs->minor != 8)) {
2875         VNC_DEBUG("Unsupported client version\n");
2876         vnc_write_u32(vs, VNC_AUTH_INVALID);
2877         vnc_flush(vs);
2878         vnc_client_error(vs);
2879         return 0;
2880     }
2881     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2882      * as equivalent to v3.3 by servers
2883      */
2884     if (vs->minor == 4 || vs->minor == 5)
2885         vs->minor = 3;
2886 
2887     if (vs->minor == 3) {
2888         trace_vnc_auth_start(vs, vs->auth);
2889         if (vs->auth == VNC_AUTH_NONE) {
2890             vnc_write_u32(vs, vs->auth);
2891             vnc_flush(vs);
2892             trace_vnc_auth_pass(vs, vs->auth);
2893             start_client_init(vs);
2894        } else if (vs->auth == VNC_AUTH_VNC) {
2895             VNC_DEBUG("Tell client VNC auth\n");
2896             vnc_write_u32(vs, vs->auth);
2897             vnc_flush(vs);
2898             start_auth_vnc(vs);
2899        } else {
2900             trace_vnc_auth_fail(vs, vs->auth,
2901                                 "Unsupported auth method for v3.3", "");
2902             vnc_write_u32(vs, VNC_AUTH_INVALID);
2903             vnc_flush(vs);
2904             vnc_client_error(vs);
2905        }
2906     } else {
2907         vnc_write_u8(vs, 1); /* num auth */
2908         vnc_write_u8(vs, vs->auth);
2909         vnc_read_when(vs, protocol_client_auth, 1);
2910         vnc_flush(vs);
2911     }
2912 
2913     return 0;
2914 }
2915 
2916 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2917 {
2918     struct VncSurface *vs = &vd->guest;
2919 
2920     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2921 }
2922 
2923 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2924 {
2925     int i, j;
2926 
2927     w = (x + w) / VNC_STAT_RECT;
2928     h = (y + h) / VNC_STAT_RECT;
2929     x /= VNC_STAT_RECT;
2930     y /= VNC_STAT_RECT;
2931 
2932     for (j = y; j <= h; j++) {
2933         for (i = x; i <= w; i++) {
2934             vs->lossy_rect[j][i] = 1;
2935         }
2936     }
2937 }
2938 
2939 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2940 {
2941     VncState *vs;
2942     int sty = y / VNC_STAT_RECT;
2943     int stx = x / VNC_STAT_RECT;
2944     int has_dirty = 0;
2945 
2946     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2947     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2948 
2949     QTAILQ_FOREACH(vs, &vd->clients, next) {
2950         int j;
2951 
2952         /* kernel send buffers are full -> refresh later */
2953         if (vs->output.offset) {
2954             continue;
2955         }
2956 
2957         if (!vs->lossy_rect[sty][stx]) {
2958             continue;
2959         }
2960 
2961         vs->lossy_rect[sty][stx] = 0;
2962         for (j = 0; j < VNC_STAT_RECT; ++j) {
2963             bitmap_set(vs->dirty[y + j],
2964                        x / VNC_DIRTY_PIXELS_PER_BIT,
2965                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2966         }
2967         has_dirty++;
2968     }
2969 
2970     return has_dirty;
2971 }
2972 
2973 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2974 {
2975     int width = MIN(pixman_image_get_width(vd->guest.fb),
2976                     pixman_image_get_width(vd->server));
2977     int height = MIN(pixman_image_get_height(vd->guest.fb),
2978                      pixman_image_get_height(vd->server));
2979     int x, y;
2980     struct timeval res;
2981     int has_dirty = 0;
2982 
2983     for (y = 0; y < height; y += VNC_STAT_RECT) {
2984         for (x = 0; x < width; x += VNC_STAT_RECT) {
2985             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2986 
2987             rect->updated = false;
2988         }
2989     }
2990 
2991     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2992 
2993     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2994         return has_dirty;
2995     }
2996     vd->guest.last_freq_check = *tv;
2997 
2998     for (y = 0; y < height; y += VNC_STAT_RECT) {
2999         for (x = 0; x < width; x += VNC_STAT_RECT) {
3000             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3001             int count = ARRAY_SIZE(rect->times);
3002             struct timeval min, max;
3003 
3004             if (!timerisset(&rect->times[count - 1])) {
3005                 continue ;
3006             }
3007 
3008             max = rect->times[(rect->idx + count - 1) % count];
3009             qemu_timersub(tv, &max, &res);
3010 
3011             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3012                 rect->freq = 0;
3013                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3014                 memset(rect->times, 0, sizeof (rect->times));
3015                 continue ;
3016             }
3017 
3018             min = rect->times[rect->idx];
3019             max = rect->times[(rect->idx + count - 1) % count];
3020             qemu_timersub(&max, &min, &res);
3021 
3022             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3023             rect->freq /= count;
3024             rect->freq = 1. / rect->freq;
3025         }
3026     }
3027     return has_dirty;
3028 }
3029 
3030 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3031 {
3032     int i, j;
3033     double total = 0;
3034     int num = 0;
3035 
3036     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3037     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3038 
3039     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3040         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3041             total += vnc_stat_rect(vs->vd, i, j)->freq;
3042             num++;
3043         }
3044     }
3045 
3046     if (num) {
3047         return total / num;
3048     } else {
3049         return 0;
3050     }
3051 }
3052 
3053 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3054 {
3055     VncRectStat *rect;
3056 
3057     rect = vnc_stat_rect(vd, x, y);
3058     if (rect->updated) {
3059         return ;
3060     }
3061     rect->times[rect->idx] = *tv;
3062     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3063     rect->updated = true;
3064 }
3065 
3066 static int vnc_refresh_server_surface(VncDisplay *vd)
3067 {
3068     int width = MIN(pixman_image_get_width(vd->guest.fb),
3069                     pixman_image_get_width(vd->server));
3070     int height = MIN(pixman_image_get_height(vd->guest.fb),
3071                      pixman_image_get_height(vd->server));
3072     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3073     uint8_t *guest_row0 = NULL, *server_row0;
3074     VncState *vs;
3075     int has_dirty = 0;
3076     pixman_image_t *tmpbuf = NULL;
3077 
3078     struct timeval tv = { 0, 0 };
3079 
3080     if (!vd->non_adaptive) {
3081         gettimeofday(&tv, NULL);
3082         has_dirty = vnc_update_stats(vd, &tv);
3083     }
3084 
3085     /*
3086      * Walk through the guest dirty map.
3087      * Check and copy modified bits from guest to server surface.
3088      * Update server dirty map.
3089      */
3090     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3091     server_stride = guest_stride = guest_ll =
3092         pixman_image_get_stride(vd->server);
3093     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3094                     server_stride);
3095     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3096         int width = pixman_image_get_width(vd->server);
3097         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3098     } else {
3099         int guest_bpp =
3100             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3101         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3102         guest_stride = pixman_image_get_stride(vd->guest.fb);
3103         guest_ll = pixman_image_get_width(vd->guest.fb)
3104                    * DIV_ROUND_UP(guest_bpp, 8);
3105     }
3106     line_bytes = MIN(server_stride, guest_ll);
3107 
3108     for (;;) {
3109         int x;
3110         uint8_t *guest_ptr, *server_ptr;
3111         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3112                                              height * VNC_DIRTY_BPL(&vd->guest),
3113                                              y * VNC_DIRTY_BPL(&vd->guest));
3114         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3115             /* no more dirty bits */
3116             break;
3117         }
3118         y = offset / VNC_DIRTY_BPL(&vd->guest);
3119         x = offset % VNC_DIRTY_BPL(&vd->guest);
3120 
3121         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3122 
3123         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3124             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3125             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3126         } else {
3127             guest_ptr = guest_row0 + y * guest_stride;
3128         }
3129         guest_ptr += x * cmp_bytes;
3130 
3131         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3132              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3133             int _cmp_bytes = cmp_bytes;
3134             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3135                 continue;
3136             }
3137             if ((x + 1) * cmp_bytes > line_bytes) {
3138                 _cmp_bytes = line_bytes - x * cmp_bytes;
3139             }
3140             assert(_cmp_bytes >= 0);
3141             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3142                 continue;
3143             }
3144             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3145             if (!vd->non_adaptive) {
3146                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3147                                  y, &tv);
3148             }
3149             QTAILQ_FOREACH(vs, &vd->clients, next) {
3150                 set_bit(x, vs->dirty[y]);
3151             }
3152             has_dirty++;
3153         }
3154 
3155         y++;
3156     }
3157     qemu_pixman_image_unref(tmpbuf);
3158     return has_dirty;
3159 }
3160 
3161 static void vnc_refresh(DisplayChangeListener *dcl)
3162 {
3163     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3164     VncState *vs, *vn;
3165     int has_dirty, rects = 0;
3166 
3167     if (QTAILQ_EMPTY(&vd->clients)) {
3168         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3169         return;
3170     }
3171 
3172     graphic_hw_update(vd->dcl.con);
3173 
3174     if (vnc_trylock_display(vd)) {
3175         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3176         return;
3177     }
3178 
3179     has_dirty = vnc_refresh_server_surface(vd);
3180     vnc_unlock_display(vd);
3181 
3182     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3183         rects += vnc_update_client(vs, has_dirty);
3184         /* vs might be free()ed here */
3185     }
3186 
3187     if (has_dirty && rects) {
3188         vd->dcl.update_interval /= 2;
3189         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3190             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3191         }
3192     } else {
3193         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3194         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3195             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3196         }
3197     }
3198 }
3199 
3200 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3201                         bool skipauth, bool websocket)
3202 {
3203     VncState *vs = g_new0(VncState, 1);
3204     bool first_client = QTAILQ_EMPTY(&vd->clients);
3205     int i;
3206 
3207     trace_vnc_client_connect(vs, sioc);
3208     vs->zrle = g_new0(VncZrle, 1);
3209     vs->tight = g_new0(VncTight, 1);
3210     vs->magic = VNC_MAGIC;
3211     vs->sioc = sioc;
3212     object_ref(OBJECT(vs->sioc));
3213     vs->ioc = QIO_CHANNEL(sioc);
3214     object_ref(OBJECT(vs->ioc));
3215     vs->vd = vd;
3216 
3217     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3218     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3219     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3220 
3221     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3222     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3223     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3224 #ifdef CONFIG_VNC_JPEG
3225     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3226 #endif
3227 #ifdef CONFIG_VNC_PNG
3228     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3229 #endif
3230     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3231     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3232     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3233     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3234 
3235     if (skipauth) {
3236         vs->auth = VNC_AUTH_NONE;
3237         vs->subauth = VNC_AUTH_INVALID;
3238     } else {
3239         if (websocket) {
3240             vs->auth = vd->ws_auth;
3241             vs->subauth = VNC_AUTH_INVALID;
3242         } else {
3243             vs->auth = vd->auth;
3244             vs->subauth = vd->subauth;
3245         }
3246     }
3247     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3248               sioc, websocket, vs->auth, vs->subauth);
3249 
3250     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3251     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3252         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3253     }
3254 
3255     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3256     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3257     qio_channel_set_blocking(vs->ioc, false, NULL);
3258     if (vs->ioc_tag) {
3259         g_source_remove(vs->ioc_tag);
3260     }
3261     if (websocket) {
3262         vs->websocket = 1;
3263         if (vd->tlscreds) {
3264             vs->ioc_tag = qio_channel_add_watch(
3265                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3266                 vncws_tls_handshake_io, vs, NULL);
3267         } else {
3268             vs->ioc_tag = qio_channel_add_watch(
3269                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3270                 vncws_handshake_io, vs, NULL);
3271         }
3272     } else {
3273         vs->ioc_tag = qio_channel_add_watch(
3274             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3275             vnc_client_io, vs, NULL);
3276     }
3277 
3278     vnc_client_cache_addr(vs);
3279     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3280     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3281 
3282     vs->last_x = -1;
3283     vs->last_y = -1;
3284 
3285     vs->as.freq = 44100;
3286     vs->as.nchannels = 2;
3287     vs->as.fmt = AUDIO_FORMAT_S16;
3288     vs->as.endianness = 0;
3289 
3290     qemu_mutex_init(&vs->output_mutex);
3291     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3292 
3293     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3294     if (first_client) {
3295         vnc_update_server_surface(vd);
3296     }
3297 
3298     graphic_hw_update(vd->dcl.con);
3299 
3300     if (!vs->websocket) {
3301         vnc_start_protocol(vs);
3302     }
3303 
3304     if (vd->num_connecting > vd->connections_limit) {
3305         QTAILQ_FOREACH(vs, &vd->clients, next) {
3306             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3307                 vnc_disconnect_start(vs);
3308                 return;
3309             }
3310         }
3311     }
3312 }
3313 
3314 void vnc_start_protocol(VncState *vs)
3315 {
3316     vnc_write(vs, "RFB 003.008\n", 12);
3317     vnc_flush(vs);
3318     vnc_read_when(vs, protocol_version, 12);
3319 
3320     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3321     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3322 }
3323 
3324 static void vnc_listen_io(QIONetListener *listener,
3325                           QIOChannelSocket *cioc,
3326                           void *opaque)
3327 {
3328     VncDisplay *vd = opaque;
3329     bool isWebsock = listener == vd->wslistener;
3330 
3331     qio_channel_set_name(QIO_CHANNEL(cioc),
3332                          isWebsock ? "vnc-ws-server" : "vnc-server");
3333     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3334     vnc_connect(vd, cioc, false, isWebsock);
3335 }
3336 
3337 static const DisplayChangeListenerOps dcl_ops = {
3338     .dpy_name             = "vnc",
3339     .dpy_refresh          = vnc_refresh,
3340     .dpy_gfx_update       = vnc_dpy_update,
3341     .dpy_gfx_switch       = vnc_dpy_switch,
3342     .dpy_gfx_check_format = qemu_pixman_check_format,
3343     .dpy_mouse_set        = vnc_mouse_set,
3344     .dpy_cursor_define    = vnc_dpy_cursor_define,
3345 };
3346 
3347 void vnc_display_init(const char *id, Error **errp)
3348 {
3349     VncDisplay *vd;
3350 
3351     if (vnc_display_find(id) != NULL) {
3352         return;
3353     }
3354     vd = g_malloc0(sizeof(*vd));
3355 
3356     vd->id = strdup(id);
3357     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3358 
3359     QTAILQ_INIT(&vd->clients);
3360     vd->expires = TIME_MAX;
3361 
3362     if (keyboard_layout) {
3363         trace_vnc_key_map_init(keyboard_layout);
3364         vd->kbd_layout = init_keyboard_layout(name2keysym,
3365                                               keyboard_layout, errp);
3366     } else {
3367         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3368     }
3369 
3370     if (!vd->kbd_layout) {
3371         return;
3372     }
3373 
3374     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3375     vd->connections_limit = 32;
3376 
3377     qemu_mutex_init(&vd->mutex);
3378     vnc_start_worker_thread();
3379 
3380     vd->dcl.ops = &dcl_ops;
3381     register_displaychangelistener(&vd->dcl);
3382     vd->kbd = qkbd_state_init(vd->dcl.con);
3383 }
3384 
3385 
3386 static void vnc_display_close(VncDisplay *vd)
3387 {
3388     if (!vd) {
3389         return;
3390     }
3391     vd->is_unix = false;
3392 
3393     if (vd->listener) {
3394         qio_net_listener_disconnect(vd->listener);
3395         object_unref(OBJECT(vd->listener));
3396     }
3397     vd->listener = NULL;
3398 
3399     if (vd->wslistener) {
3400         qio_net_listener_disconnect(vd->wslistener);
3401         object_unref(OBJECT(vd->wslistener));
3402     }
3403     vd->wslistener = NULL;
3404 
3405     vd->auth = VNC_AUTH_INVALID;
3406     vd->subauth = VNC_AUTH_INVALID;
3407     if (vd->tlscreds) {
3408         object_unref(OBJECT(vd->tlscreds));
3409         vd->tlscreds = NULL;
3410     }
3411     if (vd->tlsauthz) {
3412         object_unparent(OBJECT(vd->tlsauthz));
3413         vd->tlsauthz = NULL;
3414     }
3415     g_free(vd->tlsauthzid);
3416     vd->tlsauthzid = NULL;
3417     if (vd->lock_key_sync) {
3418         qemu_remove_led_event_handler(vd->led);
3419         vd->led = NULL;
3420     }
3421 #ifdef CONFIG_VNC_SASL
3422     if (vd->sasl.authz) {
3423         object_unparent(OBJECT(vd->sasl.authz));
3424         vd->sasl.authz = NULL;
3425     }
3426     g_free(vd->sasl.authzid);
3427     vd->sasl.authzid = NULL;
3428 #endif
3429 }
3430 
3431 int vnc_display_password(const char *id, const char *password)
3432 {
3433     VncDisplay *vd = vnc_display_find(id);
3434 
3435     if (!vd) {
3436         return -EINVAL;
3437     }
3438     if (vd->auth == VNC_AUTH_NONE) {
3439         error_printf_unless_qmp("If you want use passwords please enable "
3440                                 "password auth using '-vnc ${dpy},password'.\n");
3441         return -EINVAL;
3442     }
3443 
3444     g_free(vd->password);
3445     vd->password = g_strdup(password);
3446 
3447     return 0;
3448 }
3449 
3450 int vnc_display_pw_expire(const char *id, time_t expires)
3451 {
3452     VncDisplay *vd = vnc_display_find(id);
3453 
3454     if (!vd) {
3455         return -EINVAL;
3456     }
3457 
3458     vd->expires = expires;
3459     return 0;
3460 }
3461 
3462 static void vnc_display_print_local_addr(VncDisplay *vd)
3463 {
3464     SocketAddress *addr;
3465 
3466     if (!vd->listener || !vd->listener->nsioc) {
3467         return;
3468     }
3469 
3470     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3471     if (!addr) {
3472         return;
3473     }
3474 
3475     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3476         qapi_free_SocketAddress(addr);
3477         return;
3478     }
3479     error_printf_unless_qmp("VNC server running on %s:%s\n",
3480                             addr->u.inet.host,
3481                             addr->u.inet.port);
3482     qapi_free_SocketAddress(addr);
3483 }
3484 
3485 static QemuOptsList qemu_vnc_opts = {
3486     .name = "vnc",
3487     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3488     .implied_opt_name = "vnc",
3489     .desc = {
3490         {
3491             .name = "vnc",
3492             .type = QEMU_OPT_STRING,
3493         },{
3494             .name = "websocket",
3495             .type = QEMU_OPT_STRING,
3496         },{
3497             .name = "tls-creds",
3498             .type = QEMU_OPT_STRING,
3499         },{
3500             .name = "share",
3501             .type = QEMU_OPT_STRING,
3502         },{
3503             .name = "display",
3504             .type = QEMU_OPT_STRING,
3505         },{
3506             .name = "head",
3507             .type = QEMU_OPT_NUMBER,
3508         },{
3509             .name = "connections",
3510             .type = QEMU_OPT_NUMBER,
3511         },{
3512             .name = "to",
3513             .type = QEMU_OPT_NUMBER,
3514         },{
3515             .name = "ipv4",
3516             .type = QEMU_OPT_BOOL,
3517         },{
3518             .name = "ipv6",
3519             .type = QEMU_OPT_BOOL,
3520         },{
3521             .name = "password",
3522             .type = QEMU_OPT_BOOL,
3523         },{
3524             .name = "password-secret",
3525             .type = QEMU_OPT_STRING,
3526         },{
3527             .name = "reverse",
3528             .type = QEMU_OPT_BOOL,
3529         },{
3530             .name = "lock-key-sync",
3531             .type = QEMU_OPT_BOOL,
3532         },{
3533             .name = "key-delay-ms",
3534             .type = QEMU_OPT_NUMBER,
3535         },{
3536             .name = "sasl",
3537             .type = QEMU_OPT_BOOL,
3538         },{
3539             .name = "tls-authz",
3540             .type = QEMU_OPT_STRING,
3541         },{
3542             .name = "sasl-authz",
3543             .type = QEMU_OPT_STRING,
3544         },{
3545             .name = "lossy",
3546             .type = QEMU_OPT_BOOL,
3547         },{
3548             .name = "non-adaptive",
3549             .type = QEMU_OPT_BOOL,
3550         },{
3551             .name = "audiodev",
3552             .type = QEMU_OPT_STRING,
3553         },{
3554             .name = "power-control",
3555             .type = QEMU_OPT_BOOL,
3556         },
3557         { /* end of list */ }
3558     },
3559 };
3560 
3561 
3562 static int
3563 vnc_display_setup_auth(int *auth,
3564                        int *subauth,
3565                        QCryptoTLSCreds *tlscreds,
3566                        bool password,
3567                        bool sasl,
3568                        bool websocket,
3569                        Error **errp)
3570 {
3571     /*
3572      * We have a choice of 3 authentication options
3573      *
3574      *   1. none
3575      *   2. vnc
3576      *   3. sasl
3577      *
3578      * The channel can be run in 2 modes
3579      *
3580      *   1. clear
3581      *   2. tls
3582      *
3583      * And TLS can use 2 types of credentials
3584      *
3585      *   1. anon
3586      *   2. x509
3587      *
3588      * We thus have 9 possible logical combinations
3589      *
3590      *   1. clear + none
3591      *   2. clear + vnc
3592      *   3. clear + sasl
3593      *   4. tls + anon + none
3594      *   5. tls + anon + vnc
3595      *   6. tls + anon + sasl
3596      *   7. tls + x509 + none
3597      *   8. tls + x509 + vnc
3598      *   9. tls + x509 + sasl
3599      *
3600      * These need to be mapped into the VNC auth schemes
3601      * in an appropriate manner. In regular VNC, all the
3602      * TLS options get mapped into VNC_AUTH_VENCRYPT
3603      * sub-auth types.
3604      *
3605      * In websockets, the https:// protocol already provides
3606      * TLS support, so there is no need to make use of the
3607      * VeNCrypt extension. Furthermore, websockets browser
3608      * clients could not use VeNCrypt even if they wanted to,
3609      * as they cannot control when the TLS handshake takes
3610      * place. Thus there is no option but to rely on https://,
3611      * meaning combinations 4->6 and 7->9 will be mapped to
3612      * VNC auth schemes in the same way as combos 1->3.
3613      *
3614      * Regardless of fact that we have a different mapping to
3615      * VNC auth mechs for plain VNC vs websockets VNC, the end
3616      * result has the same security characteristics.
3617      */
3618     if (websocket || !tlscreds) {
3619         if (password) {
3620             VNC_DEBUG("Initializing VNC server with password auth\n");
3621             *auth = VNC_AUTH_VNC;
3622         } else if (sasl) {
3623             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3624             *auth = VNC_AUTH_SASL;
3625         } else {
3626             VNC_DEBUG("Initializing VNC server with no auth\n");
3627             *auth = VNC_AUTH_NONE;
3628         }
3629         *subauth = VNC_AUTH_INVALID;
3630     } else {
3631         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3632                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3633         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3634                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3635 
3636         if (!is_x509 && !is_anon) {
3637             error_setg(errp,
3638                        "Unsupported TLS cred type %s",
3639                        object_get_typename(OBJECT(tlscreds)));
3640             return -1;
3641         }
3642         *auth = VNC_AUTH_VENCRYPT;
3643         if (password) {
3644             if (is_x509) {
3645                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3646                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3647             } else {
3648                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3649                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3650             }
3651 
3652         } else if (sasl) {
3653             if (is_x509) {
3654                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3655                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3656             } else {
3657                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3658                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3659             }
3660         } else {
3661             if (is_x509) {
3662                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3663                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3664             } else {
3665                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3666                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3667             }
3668         }
3669     }
3670     return 0;
3671 }
3672 
3673 
3674 static int vnc_display_get_address(const char *addrstr,
3675                                    bool websocket,
3676                                    bool reverse,
3677                                    int displaynum,
3678                                    int to,
3679                                    bool has_ipv4,
3680                                    bool has_ipv6,
3681                                    bool ipv4,
3682                                    bool ipv6,
3683                                    SocketAddress **retaddr,
3684                                    Error **errp)
3685 {
3686     int ret = -1;
3687     SocketAddress *addr = NULL;
3688 
3689     addr = g_new0(SocketAddress, 1);
3690 
3691     if (strncmp(addrstr, "unix:", 5) == 0) {
3692         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3693         addr->u.q_unix.path = g_strdup(addrstr + 5);
3694 
3695         if (websocket) {
3696             error_setg(errp, "UNIX sockets not supported with websock");
3697             goto cleanup;
3698         }
3699 
3700         if (to) {
3701             error_setg(errp, "Port range not support with UNIX socket");
3702             goto cleanup;
3703         }
3704         ret = 0;
3705     } else {
3706         const char *port;
3707         size_t hostlen;
3708         unsigned long long baseport = 0;
3709         InetSocketAddress *inet;
3710 
3711         port = strrchr(addrstr, ':');
3712         if (!port) {
3713             if (websocket) {
3714                 hostlen = 0;
3715                 port = addrstr;
3716             } else {
3717                 error_setg(errp, "no vnc port specified");
3718                 goto cleanup;
3719             }
3720         } else {
3721             hostlen = port - addrstr;
3722             port++;
3723             if (*port == '\0') {
3724                 error_setg(errp, "vnc port cannot be empty");
3725                 goto cleanup;
3726             }
3727         }
3728 
3729         addr->type = SOCKET_ADDRESS_TYPE_INET;
3730         inet = &addr->u.inet;
3731         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3732             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3733         } else {
3734             inet->host = g_strndup(addrstr, hostlen);
3735         }
3736         /* plain VNC port is just an offset, for websocket
3737          * port is absolute */
3738         if (websocket) {
3739             if (g_str_equal(addrstr, "") ||
3740                 g_str_equal(addrstr, "on")) {
3741                 if (displaynum == -1) {
3742                     error_setg(errp, "explicit websocket port is required");
3743                     goto cleanup;
3744                 }
3745                 inet->port = g_strdup_printf(
3746                     "%d", displaynum + 5700);
3747                 if (to) {
3748                     inet->has_to = true;
3749                     inet->to = to + 5700;
3750                 }
3751             } else {
3752                 inet->port = g_strdup(port);
3753             }
3754         } else {
3755             int offset = reverse ? 0 : 5900;
3756             if (parse_uint_full(port, &baseport, 10) < 0) {
3757                 error_setg(errp, "can't convert to a number: %s", port);
3758                 goto cleanup;
3759             }
3760             if (baseport > 65535 ||
3761                 baseport + offset > 65535) {
3762                 error_setg(errp, "port %s out of range", port);
3763                 goto cleanup;
3764             }
3765             inet->port = g_strdup_printf(
3766                 "%d", (int)baseport + offset);
3767 
3768             if (to) {
3769                 inet->has_to = true;
3770                 inet->to = to + offset;
3771             }
3772         }
3773 
3774         inet->ipv4 = ipv4;
3775         inet->has_ipv4 = has_ipv4;
3776         inet->ipv6 = ipv6;
3777         inet->has_ipv6 = has_ipv6;
3778 
3779         ret = baseport;
3780     }
3781 
3782     *retaddr = addr;
3783 
3784  cleanup:
3785     if (ret < 0) {
3786         qapi_free_SocketAddress(addr);
3787     }
3788     return ret;
3789 }
3790 
3791 static void vnc_free_addresses(SocketAddress ***retsaddr,
3792                                size_t *retnsaddr)
3793 {
3794     size_t i;
3795 
3796     for (i = 0; i < *retnsaddr; i++) {
3797         qapi_free_SocketAddress((*retsaddr)[i]);
3798     }
3799     g_free(*retsaddr);
3800 
3801     *retsaddr = NULL;
3802     *retnsaddr = 0;
3803 }
3804 
3805 static int vnc_display_get_addresses(QemuOpts *opts,
3806                                      bool reverse,
3807                                      SocketAddress ***retsaddr,
3808                                      size_t *retnsaddr,
3809                                      SocketAddress ***retwsaddr,
3810                                      size_t *retnwsaddr,
3811                                      Error **errp)
3812 {
3813     SocketAddress *saddr = NULL;
3814     SocketAddress *wsaddr = NULL;
3815     QemuOptsIter addriter;
3816     const char *addr;
3817     int to = qemu_opt_get_number(opts, "to", 0);
3818     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3819     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3820     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3821     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3822     int displaynum = -1;
3823     int ret = -1;
3824 
3825     *retsaddr = NULL;
3826     *retnsaddr = 0;
3827     *retwsaddr = NULL;
3828     *retnwsaddr = 0;
3829 
3830     addr = qemu_opt_get(opts, "vnc");
3831     if (addr == NULL || g_str_equal(addr, "none")) {
3832         ret = 0;
3833         goto cleanup;
3834     }
3835     if (qemu_opt_get(opts, "websocket") &&
3836         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3837         error_setg(errp,
3838                    "SHA1 hash support is required for websockets");
3839         goto cleanup;
3840     }
3841 
3842     qemu_opt_iter_init(&addriter, opts, "vnc");
3843     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3844         int rv;
3845         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3846                                      has_ipv4, has_ipv6,
3847                                      ipv4, ipv6,
3848                                      &saddr, errp);
3849         if (rv < 0) {
3850             goto cleanup;
3851         }
3852         /* Historical compat - first listen address can be used
3853          * to set the default websocket port
3854          */
3855         if (displaynum == -1) {
3856             displaynum = rv;
3857         }
3858         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3859         (*retsaddr)[(*retnsaddr)++] = saddr;
3860     }
3861 
3862     /* If we had multiple primary displays, we don't do defaults
3863      * for websocket, and require explicit config instead. */
3864     if (*retnsaddr > 1) {
3865         displaynum = -1;
3866     }
3867 
3868     qemu_opt_iter_init(&addriter, opts, "websocket");
3869     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3870         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3871                                     has_ipv4, has_ipv6,
3872                                     ipv4, ipv6,
3873                                     &wsaddr, errp) < 0) {
3874             goto cleanup;
3875         }
3876 
3877         /* Historical compat - if only a single listen address was
3878          * provided, then this is used to set the default listen
3879          * address for websocket too
3880          */
3881         if (*retnsaddr == 1 &&
3882             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3883             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3884             g_str_equal(wsaddr->u.inet.host, "") &&
3885             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3886             g_free(wsaddr->u.inet.host);
3887             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3888         }
3889 
3890         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3891         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3892     }
3893 
3894     ret = 0;
3895  cleanup:
3896     if (ret < 0) {
3897         vnc_free_addresses(retsaddr, retnsaddr);
3898         vnc_free_addresses(retwsaddr, retnwsaddr);
3899     }
3900     return ret;
3901 }
3902 
3903 static int vnc_display_connect(VncDisplay *vd,
3904                                SocketAddress **saddr,
3905                                size_t nsaddr,
3906                                SocketAddress **wsaddr,
3907                                size_t nwsaddr,
3908                                Error **errp)
3909 {
3910     /* connect to viewer */
3911     QIOChannelSocket *sioc = NULL;
3912     if (nwsaddr != 0) {
3913         error_setg(errp, "Cannot use websockets in reverse mode");
3914         return -1;
3915     }
3916     if (nsaddr != 1) {
3917         error_setg(errp, "Expected a single address in reverse mode");
3918         return -1;
3919     }
3920     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3921     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3922     sioc = qio_channel_socket_new();
3923     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3924     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3925         object_unref(OBJECT(sioc));
3926         return -1;
3927     }
3928     vnc_connect(vd, sioc, false, false);
3929     object_unref(OBJECT(sioc));
3930     return 0;
3931 }
3932 
3933 
3934 static int vnc_display_listen(VncDisplay *vd,
3935                               SocketAddress **saddr,
3936                               size_t nsaddr,
3937                               SocketAddress **wsaddr,
3938                               size_t nwsaddr,
3939                               Error **errp)
3940 {
3941     size_t i;
3942 
3943     if (nsaddr) {
3944         vd->listener = qio_net_listener_new();
3945         qio_net_listener_set_name(vd->listener, "vnc-listen");
3946         for (i = 0; i < nsaddr; i++) {
3947             if (qio_net_listener_open_sync(vd->listener,
3948                                            saddr[i], 1,
3949                                            errp) < 0)  {
3950                 return -1;
3951             }
3952         }
3953 
3954         qio_net_listener_set_client_func(vd->listener,
3955                                          vnc_listen_io, vd, NULL);
3956     }
3957 
3958     if (nwsaddr) {
3959         vd->wslistener = qio_net_listener_new();
3960         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3961         for (i = 0; i < nwsaddr; i++) {
3962             if (qio_net_listener_open_sync(vd->wslistener,
3963                                            wsaddr[i], 1,
3964                                            errp) < 0)  {
3965                 return -1;
3966             }
3967         }
3968 
3969         qio_net_listener_set_client_func(vd->wslistener,
3970                                          vnc_listen_io, vd, NULL);
3971     }
3972 
3973     return 0;
3974 }
3975 
3976 
3977 void vnc_display_open(const char *id, Error **errp)
3978 {
3979     VncDisplay *vd = vnc_display_find(id);
3980     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3981     SocketAddress **saddr = NULL, **wsaddr = NULL;
3982     size_t nsaddr, nwsaddr;
3983     const char *share, *device_id;
3984     QemuConsole *con;
3985     bool password = false;
3986     bool reverse = false;
3987     const char *credid;
3988     bool sasl = false;
3989     const char *tlsauthz;
3990     const char *saslauthz;
3991     int lock_key_sync = 1;
3992     int key_delay_ms;
3993     const char *audiodev;
3994     const char *passwordSecret;
3995 
3996     if (!vd) {
3997         error_setg(errp, "VNC display not active");
3998         return;
3999     }
4000     vnc_display_close(vd);
4001 
4002     if (!opts) {
4003         return;
4004     }
4005 
4006     reverse = qemu_opt_get_bool(opts, "reverse", false);
4007     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
4008                                   &wsaddr, &nwsaddr, errp) < 0) {
4009         goto fail;
4010     }
4011 
4012 
4013     passwordSecret = qemu_opt_get(opts, "password-secret");
4014     if (passwordSecret) {
4015         if (qemu_opt_get(opts, "password")) {
4016             error_setg(errp,
4017                        "'password' flag is redundant with 'password-secret'");
4018             goto fail;
4019         }
4020         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4021                                                      errp);
4022         if (!vd->password) {
4023             goto fail;
4024         }
4025         password = true;
4026     } else {
4027         password = qemu_opt_get_bool(opts, "password", false);
4028     }
4029     if (password) {
4030         if (fips_get_state()) {
4031             error_setg(errp,
4032                        "VNC password auth disabled due to FIPS mode, "
4033                        "consider using the VeNCrypt or SASL authentication "
4034                        "methods as an alternative");
4035             goto fail;
4036         }
4037         if (!qcrypto_cipher_supports(
4038                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
4039             error_setg(errp,
4040                        "Cipher backend does not support DES RFB algorithm");
4041             goto fail;
4042         }
4043     }
4044 
4045     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4046     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4047     sasl = qemu_opt_get_bool(opts, "sasl", false);
4048 #ifndef CONFIG_VNC_SASL
4049     if (sasl) {
4050         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4051         goto fail;
4052     }
4053 #endif /* CONFIG_VNC_SASL */
4054     credid = qemu_opt_get(opts, "tls-creds");
4055     if (credid) {
4056         Object *creds;
4057         creds = object_resolve_path_component(
4058             object_get_objects_root(), credid);
4059         if (!creds) {
4060             error_setg(errp, "No TLS credentials with id '%s'",
4061                        credid);
4062             goto fail;
4063         }
4064         vd->tlscreds = (QCryptoTLSCreds *)
4065             object_dynamic_cast(creds,
4066                                 TYPE_QCRYPTO_TLS_CREDS);
4067         if (!vd->tlscreds) {
4068             error_setg(errp, "Object with id '%s' is not TLS credentials",
4069                        credid);
4070             goto fail;
4071         }
4072         object_ref(OBJECT(vd->tlscreds));
4073 
4074         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
4075             error_setg(errp,
4076                        "Expecting TLS credentials with a server endpoint");
4077             goto fail;
4078         }
4079     }
4080     tlsauthz = qemu_opt_get(opts, "tls-authz");
4081     if (tlsauthz && !vd->tlscreds) {
4082         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4083         goto fail;
4084     }
4085 
4086     saslauthz = qemu_opt_get(opts, "sasl-authz");
4087     if (saslauthz && !sasl) {
4088         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4089         goto fail;
4090     }
4091 
4092     share = qemu_opt_get(opts, "share");
4093     if (share) {
4094         if (strcmp(share, "ignore") == 0) {
4095             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4096         } else if (strcmp(share, "allow-exclusive") == 0) {
4097             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4098         } else if (strcmp(share, "force-shared") == 0) {
4099             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4100         } else {
4101             error_setg(errp, "unknown vnc share= option");
4102             goto fail;
4103         }
4104     } else {
4105         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4106     }
4107     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4108 
4109 #ifdef CONFIG_VNC_JPEG
4110     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4111 #endif
4112     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4113     /* adaptive updates are only used with tight encoding and
4114      * if lossy updates are enabled so we can disable all the
4115      * calculations otherwise */
4116     if (!vd->lossy) {
4117         vd->non_adaptive = true;
4118     }
4119 
4120     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4121 
4122     if (tlsauthz) {
4123         vd->tlsauthzid = g_strdup(tlsauthz);
4124     }
4125 #ifdef CONFIG_VNC_SASL
4126     if (sasl) {
4127         if (saslauthz) {
4128             vd->sasl.authzid = g_strdup(saslauthz);
4129         }
4130     }
4131 #endif
4132 
4133     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4134                                vd->tlscreds, password,
4135                                sasl, false, errp) < 0) {
4136         goto fail;
4137     }
4138     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4139 
4140     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4141                                vd->tlscreds, password,
4142                                sasl, true, errp) < 0) {
4143         goto fail;
4144     }
4145     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4146 
4147 #ifdef CONFIG_VNC_SASL
4148     if (sasl) {
4149         int saslErr = sasl_server_init(NULL, "qemu");
4150 
4151         if (saslErr != SASL_OK) {
4152             error_setg(errp, "Failed to initialize SASL auth: %s",
4153                        sasl_errstring(saslErr, NULL, NULL));
4154             goto fail;
4155         }
4156     }
4157 #endif
4158     vd->lock_key_sync = lock_key_sync;
4159     if (lock_key_sync) {
4160         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4161     }
4162     vd->ledstate = 0;
4163 
4164     audiodev = qemu_opt_get(opts, "audiodev");
4165     if (audiodev) {
4166         vd->audio_state = audio_state_by_name(audiodev);
4167         if (!vd->audio_state) {
4168             error_setg(errp, "Audiodev '%s' not found", audiodev);
4169             goto fail;
4170         }
4171     }
4172 
4173     device_id = qemu_opt_get(opts, "display");
4174     if (device_id) {
4175         int head = qemu_opt_get_number(opts, "head", 0);
4176         Error *err = NULL;
4177 
4178         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4179         if (err) {
4180             error_propagate(errp, err);
4181             goto fail;
4182         }
4183     } else {
4184         con = NULL;
4185     }
4186 
4187     if (con != vd->dcl.con) {
4188         qkbd_state_free(vd->kbd);
4189         unregister_displaychangelistener(&vd->dcl);
4190         vd->dcl.con = con;
4191         register_displaychangelistener(&vd->dcl);
4192         vd->kbd = qkbd_state_init(vd->dcl.con);
4193     }
4194     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4195 
4196     if (saddr == NULL) {
4197         goto cleanup;
4198     }
4199 
4200     if (reverse) {
4201         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4202             goto fail;
4203         }
4204     } else {
4205         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4206             goto fail;
4207         }
4208     }
4209 
4210     if (qemu_opt_get(opts, "to")) {
4211         vnc_display_print_local_addr(vd);
4212     }
4213 
4214  cleanup:
4215     vnc_free_addresses(&saddr, &nsaddr);
4216     vnc_free_addresses(&wsaddr, &nwsaddr);
4217     return;
4218 
4219 fail:
4220     vnc_display_close(vd);
4221     goto cleanup;
4222 }
4223 
4224 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4225 {
4226     VncDisplay *vd = vnc_display_find(id);
4227     QIOChannelSocket *sioc;
4228 
4229     if (!vd) {
4230         return;
4231     }
4232 
4233     sioc = qio_channel_socket_new_fd(csock, NULL);
4234     if (sioc) {
4235         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4236         vnc_connect(vd, sioc, skipauth, false);
4237         object_unref(OBJECT(sioc));
4238     }
4239 }
4240 
4241 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4242 {
4243     int i = 2;
4244     char *id;
4245 
4246     id = g_strdup("default");
4247     while (qemu_opts_find(olist, id)) {
4248         g_free(id);
4249         id = g_strdup_printf("vnc%d", i++);
4250     }
4251     qemu_opts_set_id(opts, id);
4252 }
4253 
4254 void vnc_parse(const char *str)
4255 {
4256     QemuOptsList *olist = qemu_find_opts("vnc");
4257     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4258     const char *id;
4259 
4260     if (!opts) {
4261         exit(1);
4262     }
4263 
4264     id = qemu_opts_id(opts);
4265     if (!id) {
4266         /* auto-assign id if not present */
4267         vnc_auto_assign_id(olist, opts);
4268     }
4269 }
4270 
4271 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4272 {
4273     Error *local_err = NULL;
4274     char *id = (char *)qemu_opts_id(opts);
4275 
4276     assert(id);
4277     vnc_display_init(id, &local_err);
4278     if (local_err) {
4279         error_propagate(errp, local_err);
4280         return -1;
4281     }
4282     vnc_display_open(id, &local_err);
4283     if (local_err != NULL) {
4284         error_propagate(errp, local_err);
4285         return -1;
4286     }
4287     return 0;
4288 }
4289 
4290 static void vnc_register_config(void)
4291 {
4292     qemu_add_opts(&qemu_vnc_opts);
4293 }
4294 opts_init(vnc_register_config);
4295