xref: /openbmc/qemu/ui/vnc.c (revision 1c8f85d9)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/main-loop.h"
35 #include "qemu/module.h"
36 #include "qemu/option.h"
37 #include "qemu/sockets.h"
38 #include "qemu/timer.h"
39 #include "authz/list.h"
40 #include "qemu/config-file.h"
41 #include "qapi/qapi-emit-events.h"
42 #include "qapi/qapi-events-ui.h"
43 #include "qapi/error.h"
44 #include "qapi/qapi-commands-ui.h"
45 #include "ui/input.h"
46 #include "crypto/hash.h"
47 #include "crypto/tlscredsanon.h"
48 #include "crypto/tlscredsx509.h"
49 #include "crypto/random.h"
50 #include "qom/object_interfaces.h"
51 #include "qemu/cutils.h"
52 #include "io/dns-resolver.h"
53 
54 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
55 #define VNC_REFRESH_INTERVAL_INC  50
56 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
57 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
58 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
59 
60 #include "vnc_keysym.h"
61 #include "crypto/cipher.h"
62 
63 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
64     QTAILQ_HEAD_INITIALIZER(vnc_displays);
65 
66 static int vnc_cursor_define(VncState *vs);
67 static void vnc_update_throttle_offset(VncState *vs);
68 
69 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
70 {
71 #ifdef _VNC_DEBUG
72     static const char *mn[] = {
73         [0]                           = "undefined",
74         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
75         [VNC_SHARE_MODE_SHARED]       = "shared",
76         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
77         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
78     };
79     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
80             vs->ioc, mn[vs->share_mode], mn[mode]);
81 #endif
82 
83     switch (vs->share_mode) {
84     case VNC_SHARE_MODE_CONNECTING:
85         vs->vd->num_connecting--;
86         break;
87     case VNC_SHARE_MODE_SHARED:
88         vs->vd->num_shared--;
89         break;
90     case VNC_SHARE_MODE_EXCLUSIVE:
91         vs->vd->num_exclusive--;
92         break;
93     default:
94         break;
95     }
96 
97     vs->share_mode = mode;
98 
99     switch (vs->share_mode) {
100     case VNC_SHARE_MODE_CONNECTING:
101         vs->vd->num_connecting++;
102         break;
103     case VNC_SHARE_MODE_SHARED:
104         vs->vd->num_shared++;
105         break;
106     case VNC_SHARE_MODE_EXCLUSIVE:
107         vs->vd->num_exclusive++;
108         break;
109     default:
110         break;
111     }
112 }
113 
114 
115 static void vnc_init_basic_info(SocketAddress *addr,
116                                 VncBasicInfo *info,
117                                 Error **errp)
118 {
119     switch (addr->type) {
120     case SOCKET_ADDRESS_TYPE_INET:
121         info->host = g_strdup(addr->u.inet.host);
122         info->service = g_strdup(addr->u.inet.port);
123         if (addr->u.inet.ipv6) {
124             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
125         } else {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
127         }
128         break;
129 
130     case SOCKET_ADDRESS_TYPE_UNIX:
131         info->host = g_strdup("");
132         info->service = g_strdup(addr->u.q_unix.path);
133         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
134         break;
135 
136     case SOCKET_ADDRESS_TYPE_VSOCK:
137     case SOCKET_ADDRESS_TYPE_FD:
138         error_setg(errp, "Unsupported socket address type %s",
139                    SocketAddressType_str(addr->type));
140         break;
141     default:
142         abort();
143     }
144 
145     return;
146 }
147 
148 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
149                                                  VncBasicInfo *info,
150                                                  Error **errp)
151 {
152     SocketAddress *addr = NULL;
153 
154     if (!ioc) {
155         error_setg(errp, "No listener socket available");
156         return;
157     }
158 
159     addr = qio_channel_socket_get_local_address(ioc, errp);
160     if (!addr) {
161         return;
162     }
163 
164     vnc_init_basic_info(addr, info, errp);
165     qapi_free_SocketAddress(addr);
166 }
167 
168 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
169                                                  VncBasicInfo *info,
170                                                  Error **errp)
171 {
172     SocketAddress *addr = NULL;
173 
174     addr = qio_channel_socket_get_remote_address(ioc, errp);
175     if (!addr) {
176         return;
177     }
178 
179     vnc_init_basic_info(addr, info, errp);
180     qapi_free_SocketAddress(addr);
181 }
182 
183 static const char *vnc_auth_name(VncDisplay *vd) {
184     switch (vd->auth) {
185     case VNC_AUTH_INVALID:
186         return "invalid";
187     case VNC_AUTH_NONE:
188         return "none";
189     case VNC_AUTH_VNC:
190         return "vnc";
191     case VNC_AUTH_RA2:
192         return "ra2";
193     case VNC_AUTH_RA2NE:
194         return "ra2ne";
195     case VNC_AUTH_TIGHT:
196         return "tight";
197     case VNC_AUTH_ULTRA:
198         return "ultra";
199     case VNC_AUTH_TLS:
200         return "tls";
201     case VNC_AUTH_VENCRYPT:
202         switch (vd->subauth) {
203         case VNC_AUTH_VENCRYPT_PLAIN:
204             return "vencrypt+plain";
205         case VNC_AUTH_VENCRYPT_TLSNONE:
206             return "vencrypt+tls+none";
207         case VNC_AUTH_VENCRYPT_TLSVNC:
208             return "vencrypt+tls+vnc";
209         case VNC_AUTH_VENCRYPT_TLSPLAIN:
210             return "vencrypt+tls+plain";
211         case VNC_AUTH_VENCRYPT_X509NONE:
212             return "vencrypt+x509+none";
213         case VNC_AUTH_VENCRYPT_X509VNC:
214             return "vencrypt+x509+vnc";
215         case VNC_AUTH_VENCRYPT_X509PLAIN:
216             return "vencrypt+x509+plain";
217         case VNC_AUTH_VENCRYPT_TLSSASL:
218             return "vencrypt+tls+sasl";
219         case VNC_AUTH_VENCRYPT_X509SASL:
220             return "vencrypt+x509+sasl";
221         default:
222             return "vencrypt";
223         }
224     case VNC_AUTH_SASL:
225         return "sasl";
226     }
227     return "unknown";
228 }
229 
230 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
231 {
232     VncServerInfo *info;
233     Error *err = NULL;
234 
235     if (!vd->listener || !vd->listener->nsioc) {
236         return NULL;
237     }
238 
239     info = g_malloc0(sizeof(*info));
240     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
241                                          qapi_VncServerInfo_base(info), &err);
242     info->has_auth = true;
243     info->auth = g_strdup(vnc_auth_name(vd));
244     if (err) {
245         qapi_free_VncServerInfo(info);
246         info = NULL;
247         error_free(err);
248     }
249     return info;
250 }
251 
252 static void vnc_client_cache_auth(VncState *client)
253 {
254     if (!client->info) {
255         return;
256     }
257 
258     if (client->tls) {
259         client->info->x509_dname =
260             qcrypto_tls_session_get_peer_name(client->tls);
261         client->info->has_x509_dname =
262             client->info->x509_dname != NULL;
263     }
264 #ifdef CONFIG_VNC_SASL
265     if (client->sasl.conn &&
266         client->sasl.username) {
267         client->info->has_sasl_username = true;
268         client->info->sasl_username = g_strdup(client->sasl.username);
269     }
270 #endif
271 }
272 
273 static void vnc_client_cache_addr(VncState *client)
274 {
275     Error *err = NULL;
276 
277     client->info = g_malloc0(sizeof(*client->info));
278     vnc_init_basic_info_from_remote_addr(client->sioc,
279                                          qapi_VncClientInfo_base(client->info),
280                                          &err);
281     client->info->websocket = client->websocket;
282     if (err) {
283         qapi_free_VncClientInfo(client->info);
284         client->info = NULL;
285         error_free(err);
286     }
287 }
288 
289 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
290 {
291     VncServerInfo *si;
292 
293     if (!vs->info) {
294         return;
295     }
296 
297     si = vnc_server_info_get(vs->vd);
298     if (!si) {
299         return;
300     }
301 
302     switch (event) {
303     case QAPI_EVENT_VNC_CONNECTED:
304         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
305         break;
306     case QAPI_EVENT_VNC_INITIALIZED:
307         qapi_event_send_vnc_initialized(si, vs->info);
308         break;
309     case QAPI_EVENT_VNC_DISCONNECTED:
310         qapi_event_send_vnc_disconnected(si, vs->info);
311         break;
312     default:
313         break;
314     }
315 
316     qapi_free_VncServerInfo(si);
317 }
318 
319 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
320 {
321     VncClientInfo *info;
322     Error *err = NULL;
323 
324     info = g_malloc0(sizeof(*info));
325 
326     vnc_init_basic_info_from_remote_addr(client->sioc,
327                                          qapi_VncClientInfo_base(info),
328                                          &err);
329     if (err) {
330         error_free(err);
331         qapi_free_VncClientInfo(info);
332         return NULL;
333     }
334 
335     info->websocket = client->websocket;
336 
337     if (client->tls) {
338         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
339         info->has_x509_dname = info->x509_dname != NULL;
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->has_sasl_username = true;
344         info->sasl_username = g_strdup(client->sasl.username);
345     }
346 #endif
347 
348     return info;
349 }
350 
351 static VncDisplay *vnc_display_find(const char *id)
352 {
353     VncDisplay *vd;
354 
355     if (id == NULL) {
356         return QTAILQ_FIRST(&vnc_displays);
357     }
358     QTAILQ_FOREACH(vd, &vnc_displays, next) {
359         if (strcmp(id, vd->id) == 0) {
360             return vd;
361         }
362     }
363     return NULL;
364 }
365 
366 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
367 {
368     VncClientInfoList *cinfo, *prev = NULL;
369     VncState *client;
370 
371     QTAILQ_FOREACH(client, &vd->clients, next) {
372         cinfo = g_new0(VncClientInfoList, 1);
373         cinfo->value = qmp_query_vnc_client(client);
374         cinfo->next = prev;
375         prev = cinfo;
376     }
377     return prev;
378 }
379 
380 VncInfo *qmp_query_vnc(Error **errp)
381 {
382     VncInfo *info = g_malloc0(sizeof(*info));
383     VncDisplay *vd = vnc_display_find(NULL);
384     SocketAddress *addr = NULL;
385 
386     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
387         info->enabled = false;
388     } else {
389         info->enabled = true;
390 
391         /* for compatibility with the original command */
392         info->has_clients = true;
393         info->clients = qmp_query_client_list(vd);
394 
395         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
396                                                     errp);
397         if (!addr) {
398             goto out_error;
399         }
400 
401         switch (addr->type) {
402         case SOCKET_ADDRESS_TYPE_INET:
403             info->host = g_strdup(addr->u.inet.host);
404             info->service = g_strdup(addr->u.inet.port);
405             if (addr->u.inet.ipv6) {
406                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
407             } else {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
409             }
410             break;
411 
412         case SOCKET_ADDRESS_TYPE_UNIX:
413             info->host = g_strdup("");
414             info->service = g_strdup(addr->u.q_unix.path);
415             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
416             break;
417 
418         case SOCKET_ADDRESS_TYPE_VSOCK:
419         case SOCKET_ADDRESS_TYPE_FD:
420             error_setg(errp, "Unsupported socket address type %s",
421                        SocketAddressType_str(addr->type));
422             goto out_error;
423         default:
424             abort();
425         }
426 
427         info->has_host = true;
428         info->has_service = true;
429         info->has_family = true;
430 
431         info->has_auth = true;
432         info->auth = g_strdup(vnc_auth_name(vd));
433     }
434 
435     qapi_free_SocketAddress(addr);
436     return info;
437 
438 out_error:
439     qapi_free_SocketAddress(addr);
440     qapi_free_VncInfo(info);
441     return NULL;
442 }
443 
444 
445 static void qmp_query_auth(int auth, int subauth,
446                            VncPrimaryAuth *qmp_auth,
447                            VncVencryptSubAuth *qmp_vencrypt,
448                            bool *qmp_has_vencrypt);
449 
450 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
451                                                   bool websocket,
452                                                   int auth,
453                                                   int subauth,
454                                                   VncServerInfo2List *prev)
455 {
456     VncServerInfo2List *list;
457     VncServerInfo2 *info;
458     Error *err = NULL;
459     SocketAddress *addr;
460 
461     addr = qio_channel_socket_get_local_address(ioc, &err);
462     if (!addr) {
463         error_free(err);
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     list = g_new0(VncServerInfo2List, 1);
481     list->value = info;
482     list->next = prev;
483     return list;
484 }
485 
486 static void qmp_query_auth(int auth, int subauth,
487                            VncPrimaryAuth *qmp_auth,
488                            VncVencryptSubAuth *qmp_vencrypt,
489                            bool *qmp_has_vencrypt)
490 {
491     switch (auth) {
492     case VNC_AUTH_VNC:
493         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
494         break;
495     case VNC_AUTH_RA2:
496         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
497         break;
498     case VNC_AUTH_RA2NE:
499         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
500         break;
501     case VNC_AUTH_TIGHT:
502         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
503         break;
504     case VNC_AUTH_ULTRA:
505         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
506         break;
507     case VNC_AUTH_TLS:
508         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
509         break;
510     case VNC_AUTH_VENCRYPT:
511         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
512         *qmp_has_vencrypt = true;
513         switch (subauth) {
514         case VNC_AUTH_VENCRYPT_PLAIN:
515             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
516             break;
517         case VNC_AUTH_VENCRYPT_TLSNONE:
518             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
519             break;
520         case VNC_AUTH_VENCRYPT_TLSVNC:
521             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
522             break;
523         case VNC_AUTH_VENCRYPT_TLSPLAIN:
524             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
525             break;
526         case VNC_AUTH_VENCRYPT_X509NONE:
527             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
528             break;
529         case VNC_AUTH_VENCRYPT_X509VNC:
530             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
531             break;
532         case VNC_AUTH_VENCRYPT_X509PLAIN:
533             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
534             break;
535         case VNC_AUTH_VENCRYPT_TLSSASL:
536             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
537             break;
538         case VNC_AUTH_VENCRYPT_X509SASL:
539             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
540             break;
541         default:
542             *qmp_has_vencrypt = false;
543             break;
544         }
545         break;
546     case VNC_AUTH_SASL:
547         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
548         break;
549     case VNC_AUTH_NONE:
550     default:
551         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
552         break;
553     }
554 }
555 
556 VncInfo2List *qmp_query_vnc_servers(Error **errp)
557 {
558     VncInfo2List *item, *prev = NULL;
559     VncInfo2 *info;
560     VncDisplay *vd;
561     DeviceState *dev;
562     size_t i;
563 
564     QTAILQ_FOREACH(vd, &vnc_displays, next) {
565         info = g_new0(VncInfo2, 1);
566         info->id = g_strdup(vd->id);
567         info->clients = qmp_query_client_list(vd);
568         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
569                        &info->vencrypt, &info->has_vencrypt);
570         if (vd->dcl.con) {
571             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
572                                                   "device", NULL));
573             info->has_display = true;
574             info->display = g_strdup(dev->id);
575         }
576         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
577             info->server = qmp_query_server_entry(
578                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
579                 info->server);
580         }
581         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
582             info->server = qmp_query_server_entry(
583                 vd->wslistener->sioc[i], true, vd->ws_auth,
584                 vd->ws_subauth, info->server);
585         }
586 
587         item = g_new0(VncInfo2List, 1);
588         item->value = info;
589         item->next = prev;
590         prev = item;
591     }
592     return prev;
593 }
594 
595 /* TODO
596    1) Get the queue working for IO.
597    2) there is some weirdness when using the -S option (the screen is grey
598       and not totally invalidated
599    3) resolutions > 1024
600 */
601 
602 static int vnc_update_client(VncState *vs, int has_dirty);
603 static void vnc_disconnect_start(VncState *vs);
604 
605 static void vnc_colordepth(VncState *vs);
606 static void framebuffer_update_request(VncState *vs, int incremental,
607                                        int x_position, int y_position,
608                                        int w, int h);
609 static void vnc_refresh(DisplayChangeListener *dcl);
610 static int vnc_refresh_server_surface(VncDisplay *vd);
611 
612 static int vnc_width(VncDisplay *vd)
613 {
614     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
615                                        VNC_DIRTY_PIXELS_PER_BIT));
616 }
617 
618 static int vnc_height(VncDisplay *vd)
619 {
620     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
621 }
622 
623 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
624                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
625                                VncDisplay *vd,
626                                int x, int y, int w, int h)
627 {
628     int width = vnc_width(vd);
629     int height = vnc_height(vd);
630 
631     /* this is needed this to ensure we updated all affected
632      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
633     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
634     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
635 
636     x = MIN(x, width);
637     y = MIN(y, height);
638     w = MIN(x + w, width) - x;
639     h = MIN(y + h, height);
640 
641     for (; y < h; y++) {
642         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
643                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
644     }
645 }
646 
647 static void vnc_dpy_update(DisplayChangeListener *dcl,
648                            int x, int y, int w, int h)
649 {
650     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
651     struct VncSurface *s = &vd->guest;
652 
653     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
654 }
655 
656 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
657                             int32_t encoding)
658 {
659     vnc_write_u16(vs, x);
660     vnc_write_u16(vs, y);
661     vnc_write_u16(vs, w);
662     vnc_write_u16(vs, h);
663 
664     vnc_write_s32(vs, encoding);
665 }
666 
667 
668 static void vnc_desktop_resize(VncState *vs)
669 {
670     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
671         return;
672     }
673     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
674         vs->client_height == pixman_image_get_height(vs->vd->server)) {
675         return;
676     }
677 
678     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
679            pixman_image_get_width(vs->vd->server) >= 0);
680     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
681            pixman_image_get_height(vs->vd->server) >= 0);
682     vs->client_width = pixman_image_get_width(vs->vd->server);
683     vs->client_height = pixman_image_get_height(vs->vd->server);
684     vnc_lock_output(vs);
685     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
686     vnc_write_u8(vs, 0);
687     vnc_write_u16(vs, 1); /* number of rects */
688     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
689                            VNC_ENCODING_DESKTOPRESIZE);
690     vnc_unlock_output(vs);
691     vnc_flush(vs);
692 }
693 
694 static void vnc_abort_display_jobs(VncDisplay *vd)
695 {
696     VncState *vs;
697 
698     QTAILQ_FOREACH(vs, &vd->clients, next) {
699         vnc_lock_output(vs);
700         vs->abort = true;
701         vnc_unlock_output(vs);
702     }
703     QTAILQ_FOREACH(vs, &vd->clients, next) {
704         vnc_jobs_join(vs);
705     }
706     QTAILQ_FOREACH(vs, &vd->clients, next) {
707         vnc_lock_output(vs);
708         if (vs->update == VNC_STATE_UPDATE_NONE &&
709             vs->job_update != VNC_STATE_UPDATE_NONE) {
710             /* job aborted before completion */
711             vs->update = vs->job_update;
712             vs->job_update = VNC_STATE_UPDATE_NONE;
713         }
714         vs->abort = false;
715         vnc_unlock_output(vs);
716     }
717 }
718 
719 int vnc_server_fb_stride(VncDisplay *vd)
720 {
721     return pixman_image_get_stride(vd->server);
722 }
723 
724 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
725 {
726     uint8_t *ptr;
727 
728     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
729     ptr += y * vnc_server_fb_stride(vd);
730     ptr += x * VNC_SERVER_FB_BYTES;
731     return ptr;
732 }
733 
734 static void vnc_update_server_surface(VncDisplay *vd)
735 {
736     int width, height;
737 
738     qemu_pixman_image_unref(vd->server);
739     vd->server = NULL;
740 
741     if (QTAILQ_EMPTY(&vd->clients)) {
742         return;
743     }
744 
745     width = vnc_width(vd);
746     height = vnc_height(vd);
747     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
748                                           width, height,
749                                           NULL, 0);
750 
751     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
752     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
753                        width, height);
754 }
755 
756 static bool vnc_check_pageflip(DisplaySurface *s1,
757                                DisplaySurface *s2)
758 {
759     return (s1 != NULL &&
760             s2 != NULL &&
761             surface_width(s1) == surface_width(s2) &&
762             surface_height(s1) == surface_height(s2) &&
763             surface_format(s1) == surface_format(s2));
764 
765 }
766 
767 static void vnc_dpy_switch(DisplayChangeListener *dcl,
768                            DisplaySurface *surface)
769 {
770     static const char placeholder_msg[] =
771         "Display output is not active.";
772     static DisplaySurface *placeholder;
773     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
774     bool pageflip = vnc_check_pageflip(vd->ds, surface);
775     VncState *vs;
776 
777     if (surface == NULL) {
778         if (placeholder == NULL) {
779             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
780         }
781         surface = placeholder;
782     }
783 
784     vnc_abort_display_jobs(vd);
785     vd->ds = surface;
786 
787     /* guest surface */
788     qemu_pixman_image_unref(vd->guest.fb);
789     vd->guest.fb = pixman_image_ref(surface->image);
790     vd->guest.format = surface->format;
791 
792     if (pageflip) {
793         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
794                            surface_width(surface),
795                            surface_height(surface));
796         return;
797     }
798 
799     /* server surface */
800     vnc_update_server_surface(vd);
801 
802     QTAILQ_FOREACH(vs, &vd->clients, next) {
803         vnc_colordepth(vs);
804         vnc_desktop_resize(vs);
805         if (vs->vd->cursor) {
806             vnc_cursor_define(vs);
807         }
808         memset(vs->dirty, 0x00, sizeof(vs->dirty));
809         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
810                            vnc_width(vd),
811                            vnc_height(vd));
812         vnc_update_throttle_offset(vs);
813     }
814 }
815 
816 /* fastest code */
817 static void vnc_write_pixels_copy(VncState *vs,
818                                   void *pixels, int size)
819 {
820     vnc_write(vs, pixels, size);
821 }
822 
823 /* slowest but generic code. */
824 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
825 {
826     uint8_t r, g, b;
827 
828 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
829     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
830     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
831     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
832 #else
833 # error need some bits here if you change VNC_SERVER_FB_FORMAT
834 #endif
835     v = (r << vs->client_pf.rshift) |
836         (g << vs->client_pf.gshift) |
837         (b << vs->client_pf.bshift);
838     switch (vs->client_pf.bytes_per_pixel) {
839     case 1:
840         buf[0] = v;
841         break;
842     case 2:
843         if (vs->client_be) {
844             buf[0] = v >> 8;
845             buf[1] = v;
846         } else {
847             buf[1] = v >> 8;
848             buf[0] = v;
849         }
850         break;
851     default:
852     case 4:
853         if (vs->client_be) {
854             buf[0] = v >> 24;
855             buf[1] = v >> 16;
856             buf[2] = v >> 8;
857             buf[3] = v;
858         } else {
859             buf[3] = v >> 24;
860             buf[2] = v >> 16;
861             buf[1] = v >> 8;
862             buf[0] = v;
863         }
864         break;
865     }
866 }
867 
868 static void vnc_write_pixels_generic(VncState *vs,
869                                      void *pixels1, int size)
870 {
871     uint8_t buf[4];
872 
873     if (VNC_SERVER_FB_BYTES == 4) {
874         uint32_t *pixels = pixels1;
875         int n, i;
876         n = size >> 2;
877         for (i = 0; i < n; i++) {
878             vnc_convert_pixel(vs, buf, pixels[i]);
879             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
880         }
881     }
882 }
883 
884 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
885 {
886     int i;
887     uint8_t *row;
888     VncDisplay *vd = vs->vd;
889 
890     row = vnc_server_fb_ptr(vd, x, y);
891     for (i = 0; i < h; i++) {
892         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
893         row += vnc_server_fb_stride(vd);
894     }
895     return 1;
896 }
897 
898 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
899 {
900     int n = 0;
901     bool encode_raw = false;
902     size_t saved_offs = vs->output.offset;
903 
904     switch(vs->vnc_encoding) {
905         case VNC_ENCODING_ZLIB:
906             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
907             break;
908         case VNC_ENCODING_HEXTILE:
909             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
910             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
911             break;
912         case VNC_ENCODING_TIGHT:
913             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
914             break;
915         case VNC_ENCODING_TIGHT_PNG:
916             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
917             break;
918         case VNC_ENCODING_ZRLE:
919             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
920             break;
921         case VNC_ENCODING_ZYWRLE:
922             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
923             break;
924         default:
925             encode_raw = true;
926             break;
927     }
928 
929     /* If the client has the same pixel format as our internal buffer and
930      * a RAW encoding would need less space fall back to RAW encoding to
931      * save bandwidth and processing power in the client. */
932     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
933         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
934         vs->output.offset = saved_offs;
935         encode_raw = true;
936     }
937 
938     if (encode_raw) {
939         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
940         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
941     }
942 
943     return n;
944 }
945 
946 static void vnc_mouse_set(DisplayChangeListener *dcl,
947                           int x, int y, int visible)
948 {
949     /* can we ask the client(s) to move the pointer ??? */
950 }
951 
952 static int vnc_cursor_define(VncState *vs)
953 {
954     QEMUCursor *c = vs->vd->cursor;
955     int isize;
956 
957     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
958         vnc_lock_output(vs);
959         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
960         vnc_write_u8(vs,  0);  /*  padding     */
961         vnc_write_u16(vs, 1);  /*  # of rects  */
962         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
963                                VNC_ENCODING_RICH_CURSOR);
964         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
965         vnc_write_pixels_generic(vs, c->data, isize);
966         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
967         vnc_unlock_output(vs);
968         return 0;
969     }
970     return -1;
971 }
972 
973 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
974                                   QEMUCursor *c)
975 {
976     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
977     VncState *vs;
978 
979     cursor_put(vd->cursor);
980     g_free(vd->cursor_mask);
981 
982     vd->cursor = c;
983     cursor_get(vd->cursor);
984     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
985     vd->cursor_mask = g_malloc0(vd->cursor_msize);
986     cursor_get_mono_mask(c, 0, vd->cursor_mask);
987 
988     QTAILQ_FOREACH(vs, &vd->clients, next) {
989         vnc_cursor_define(vs);
990     }
991 }
992 
993 static int find_and_clear_dirty_height(VncState *vs,
994                                        int y, int last_x, int x, int height)
995 {
996     int h;
997 
998     for (h = 1; h < (height - y); h++) {
999         if (!test_bit(last_x, vs->dirty[y + h])) {
1000             break;
1001         }
1002         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1003     }
1004 
1005     return h;
1006 }
1007 
1008 /*
1009  * Figure out how much pending data we should allow in the output
1010  * buffer before we throttle incremental display updates, and/or
1011  * drop audio samples.
1012  *
1013  * We allow for equiv of 1 full display's worth of FB updates,
1014  * and 1 second of audio samples. If audio backlog was larger
1015  * than that the client would already suffering awful audio
1016  * glitches, so dropping samples is no worse really).
1017  */
1018 static void vnc_update_throttle_offset(VncState *vs)
1019 {
1020     size_t offset =
1021         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1022 
1023     if (vs->audio_cap) {
1024         int bps;
1025         switch (vs->as.fmt) {
1026         default:
1027         case  AUDIO_FORMAT_U8:
1028         case  AUDIO_FORMAT_S8:
1029             bps = 1;
1030             break;
1031         case  AUDIO_FORMAT_U16:
1032         case  AUDIO_FORMAT_S16:
1033             bps = 2;
1034             break;
1035         case  AUDIO_FORMAT_U32:
1036         case  AUDIO_FORMAT_S32:
1037             bps = 4;
1038             break;
1039         }
1040         offset += vs->as.freq * bps * vs->as.nchannels;
1041     }
1042 
1043     /* Put a floor of 1MB on offset, so that if we have a large pending
1044      * buffer and the display is resized to a small size & back again
1045      * we don't suddenly apply a tiny send limit
1046      */
1047     offset = MAX(offset, 1024 * 1024);
1048 
1049     if (vs->throttle_output_offset != offset) {
1050         trace_vnc_client_throttle_threshold(
1051             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1052             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1053     }
1054 
1055     vs->throttle_output_offset = offset;
1056 }
1057 
1058 static bool vnc_should_update(VncState *vs)
1059 {
1060     switch (vs->update) {
1061     case VNC_STATE_UPDATE_NONE:
1062         break;
1063     case VNC_STATE_UPDATE_INCREMENTAL:
1064         /* Only allow incremental updates if the pending send queue
1065          * is less than the permitted threshold, and the job worker
1066          * is completely idle.
1067          */
1068         if (vs->output.offset < vs->throttle_output_offset &&
1069             vs->job_update == VNC_STATE_UPDATE_NONE) {
1070             return true;
1071         }
1072         trace_vnc_client_throttle_incremental(
1073             vs, vs->ioc, vs->job_update, vs->output.offset);
1074         break;
1075     case VNC_STATE_UPDATE_FORCE:
1076         /* Only allow forced updates if the pending send queue
1077          * does not contain a previous forced update, and the
1078          * job worker is completely idle.
1079          *
1080          * Note this means we'll queue a forced update, even if
1081          * the output buffer size is otherwise over the throttle
1082          * output limit.
1083          */
1084         if (vs->force_update_offset == 0 &&
1085             vs->job_update == VNC_STATE_UPDATE_NONE) {
1086             return true;
1087         }
1088         trace_vnc_client_throttle_forced(
1089             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1090         break;
1091     }
1092     return false;
1093 }
1094 
1095 static int vnc_update_client(VncState *vs, int has_dirty)
1096 {
1097     VncDisplay *vd = vs->vd;
1098     VncJob *job;
1099     int y;
1100     int height, width;
1101     int n = 0;
1102 
1103     if (vs->disconnecting) {
1104         vnc_disconnect_finish(vs);
1105         return 0;
1106     }
1107 
1108     vs->has_dirty += has_dirty;
1109     if (!vnc_should_update(vs)) {
1110         return 0;
1111     }
1112 
1113     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1114         return 0;
1115     }
1116 
1117     /*
1118      * Send screen updates to the vnc client using the server
1119      * surface and server dirty map.  guest surface updates
1120      * happening in parallel don't disturb us, the next pass will
1121      * send them to the client.
1122      */
1123     job = vnc_job_new(vs);
1124 
1125     height = pixman_image_get_height(vd->server);
1126     width = pixman_image_get_width(vd->server);
1127 
1128     y = 0;
1129     for (;;) {
1130         int x, h;
1131         unsigned long x2;
1132         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1133                                              height * VNC_DIRTY_BPL(vs),
1134                                              y * VNC_DIRTY_BPL(vs));
1135         if (offset == height * VNC_DIRTY_BPL(vs)) {
1136             /* no more dirty bits */
1137             break;
1138         }
1139         y = offset / VNC_DIRTY_BPL(vs);
1140         x = offset % VNC_DIRTY_BPL(vs);
1141         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1142                                 VNC_DIRTY_BPL(vs), x);
1143         bitmap_clear(vs->dirty[y], x, x2 - x);
1144         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1145         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1146         if (x2 > x) {
1147             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1148                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1149         }
1150         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1151             y += h;
1152             if (y == height) {
1153                 break;
1154             }
1155         }
1156     }
1157 
1158     vs->job_update = vs->update;
1159     vs->update = VNC_STATE_UPDATE_NONE;
1160     vnc_job_push(job);
1161     vs->has_dirty = 0;
1162     return n;
1163 }
1164 
1165 /* audio */
1166 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1167 {
1168     VncState *vs = opaque;
1169 
1170     assert(vs->magic == VNC_MAGIC);
1171     switch (cmd) {
1172     case AUD_CNOTIFY_DISABLE:
1173         vnc_lock_output(vs);
1174         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1175         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1176         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1177         vnc_unlock_output(vs);
1178         vnc_flush(vs);
1179         break;
1180 
1181     case AUD_CNOTIFY_ENABLE:
1182         vnc_lock_output(vs);
1183         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1184         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1185         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1186         vnc_unlock_output(vs);
1187         vnc_flush(vs);
1188         break;
1189     }
1190 }
1191 
1192 static void audio_capture_destroy(void *opaque)
1193 {
1194 }
1195 
1196 static void audio_capture(void *opaque, void *buf, int size)
1197 {
1198     VncState *vs = opaque;
1199 
1200     assert(vs->magic == VNC_MAGIC);
1201     vnc_lock_output(vs);
1202     if (vs->output.offset < vs->throttle_output_offset) {
1203         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1204         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1205         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1206         vnc_write_u32(vs, size);
1207         vnc_write(vs, buf, size);
1208     } else {
1209         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1210     }
1211     vnc_unlock_output(vs);
1212     vnc_flush(vs);
1213 }
1214 
1215 static void audio_add(VncState *vs)
1216 {
1217     struct audio_capture_ops ops;
1218 
1219     if (vs->audio_cap) {
1220         error_report("audio already running");
1221         return;
1222     }
1223 
1224     ops.notify = audio_capture_notify;
1225     ops.destroy = audio_capture_destroy;
1226     ops.capture = audio_capture;
1227 
1228     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1229     if (!vs->audio_cap) {
1230         error_report("Failed to add audio capture");
1231     }
1232 }
1233 
1234 static void audio_del(VncState *vs)
1235 {
1236     if (vs->audio_cap) {
1237         AUD_del_capture(vs->audio_cap, vs);
1238         vs->audio_cap = NULL;
1239     }
1240 }
1241 
1242 static void vnc_disconnect_start(VncState *vs)
1243 {
1244     if (vs->disconnecting) {
1245         return;
1246     }
1247     trace_vnc_client_disconnect_start(vs, vs->ioc);
1248     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1249     if (vs->ioc_tag) {
1250         g_source_remove(vs->ioc_tag);
1251         vs->ioc_tag = 0;
1252     }
1253     qio_channel_close(vs->ioc, NULL);
1254     vs->disconnecting = TRUE;
1255 }
1256 
1257 void vnc_disconnect_finish(VncState *vs)
1258 {
1259     int i;
1260 
1261     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1262 
1263     vnc_jobs_join(vs); /* Wait encoding jobs */
1264 
1265     vnc_lock_output(vs);
1266     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1267 
1268     buffer_free(&vs->input);
1269     buffer_free(&vs->output);
1270 
1271     qapi_free_VncClientInfo(vs->info);
1272 
1273     vnc_zlib_clear(vs);
1274     vnc_tight_clear(vs);
1275     vnc_zrle_clear(vs);
1276 
1277 #ifdef CONFIG_VNC_SASL
1278     vnc_sasl_client_cleanup(vs);
1279 #endif /* CONFIG_VNC_SASL */
1280     audio_del(vs);
1281     qkbd_state_lift_all_keys(vs->vd->kbd);
1282 
1283     if (vs->mouse_mode_notifier.notify != NULL) {
1284         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1285     }
1286     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1287     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1288         /* last client gone */
1289         vnc_update_server_surface(vs->vd);
1290     }
1291 
1292     vnc_unlock_output(vs);
1293 
1294     qemu_mutex_destroy(&vs->output_mutex);
1295     if (vs->bh != NULL) {
1296         qemu_bh_delete(vs->bh);
1297     }
1298     buffer_free(&vs->jobs_buffer);
1299 
1300     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1301         g_free(vs->lossy_rect[i]);
1302     }
1303     g_free(vs->lossy_rect);
1304 
1305     object_unref(OBJECT(vs->ioc));
1306     vs->ioc = NULL;
1307     object_unref(OBJECT(vs->sioc));
1308     vs->sioc = NULL;
1309     vs->magic = 0;
1310     g_free(vs->zrle);
1311     g_free(vs->tight);
1312     g_free(vs);
1313 }
1314 
1315 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1316 {
1317     if (ret <= 0) {
1318         if (ret == 0) {
1319             trace_vnc_client_eof(vs, vs->ioc);
1320             vnc_disconnect_start(vs);
1321         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1322             trace_vnc_client_io_error(vs, vs->ioc,
1323                                       err ? error_get_pretty(err) : "Unknown");
1324             vnc_disconnect_start(vs);
1325         }
1326 
1327         error_free(err);
1328         return 0;
1329     }
1330     return ret;
1331 }
1332 
1333 
1334 void vnc_client_error(VncState *vs)
1335 {
1336     VNC_DEBUG("Closing down client sock: protocol error\n");
1337     vnc_disconnect_start(vs);
1338 }
1339 
1340 
1341 /*
1342  * Called to write a chunk of data to the client socket. The data may
1343  * be the raw data, or may have already been encoded by SASL.
1344  * The data will be written either straight onto the socket, or
1345  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1346  *
1347  * NB, it is theoretically possible to have 2 layers of encryption,
1348  * both SASL, and this TLS layer. It is highly unlikely in practice
1349  * though, since SASL encryption will typically be a no-op if TLS
1350  * is active
1351  *
1352  * Returns the number of bytes written, which may be less than
1353  * the requested 'datalen' if the socket would block. Returns
1354  * 0 on I/O error, and disconnects the client socket.
1355  */
1356 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1357 {
1358     Error *err = NULL;
1359     ssize_t ret;
1360     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1361     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1362     return vnc_client_io_error(vs, ret, err);
1363 }
1364 
1365 
1366 /*
1367  * Called to write buffered data to the client socket, when not
1368  * using any SASL SSF encryption layers. Will write as much data
1369  * as possible without blocking. If all buffered data is written,
1370  * will switch the FD poll() handler back to read monitoring.
1371  *
1372  * Returns the number of bytes written, which may be less than
1373  * the buffered output data if the socket would block.  Returns
1374  * 0 on I/O error, and disconnects the client socket.
1375  */
1376 static size_t vnc_client_write_plain(VncState *vs)
1377 {
1378     size_t offset;
1379     size_t ret;
1380 
1381 #ifdef CONFIG_VNC_SASL
1382     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1383               vs->output.buffer, vs->output.capacity, vs->output.offset,
1384               vs->sasl.waitWriteSSF);
1385 
1386     if (vs->sasl.conn &&
1387         vs->sasl.runSSF &&
1388         vs->sasl.waitWriteSSF) {
1389         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1390         if (ret)
1391             vs->sasl.waitWriteSSF -= ret;
1392     } else
1393 #endif /* CONFIG_VNC_SASL */
1394         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1395     if (!ret)
1396         return 0;
1397 
1398     if (ret >= vs->force_update_offset) {
1399         if (vs->force_update_offset != 0) {
1400             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1401         }
1402         vs->force_update_offset = 0;
1403     } else {
1404         vs->force_update_offset -= ret;
1405     }
1406     offset = vs->output.offset;
1407     buffer_advance(&vs->output, ret);
1408     if (offset >= vs->throttle_output_offset &&
1409         vs->output.offset < vs->throttle_output_offset) {
1410         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1411     }
1412 
1413     if (vs->output.offset == 0) {
1414         if (vs->ioc_tag) {
1415             g_source_remove(vs->ioc_tag);
1416         }
1417         vs->ioc_tag = qio_channel_add_watch(
1418             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1419     }
1420 
1421     return ret;
1422 }
1423 
1424 
1425 /*
1426  * First function called whenever there is data to be written to
1427  * the client socket. Will delegate actual work according to whether
1428  * SASL SSF layers are enabled (thus requiring encryption calls)
1429  */
1430 static void vnc_client_write_locked(VncState *vs)
1431 {
1432 #ifdef CONFIG_VNC_SASL
1433     if (vs->sasl.conn &&
1434         vs->sasl.runSSF &&
1435         !vs->sasl.waitWriteSSF) {
1436         vnc_client_write_sasl(vs);
1437     } else
1438 #endif /* CONFIG_VNC_SASL */
1439     {
1440         vnc_client_write_plain(vs);
1441     }
1442 }
1443 
1444 static void vnc_client_write(VncState *vs)
1445 {
1446     assert(vs->magic == VNC_MAGIC);
1447     vnc_lock_output(vs);
1448     if (vs->output.offset) {
1449         vnc_client_write_locked(vs);
1450     } else if (vs->ioc != NULL) {
1451         if (vs->ioc_tag) {
1452             g_source_remove(vs->ioc_tag);
1453         }
1454         vs->ioc_tag = qio_channel_add_watch(
1455             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1456     }
1457     vnc_unlock_output(vs);
1458 }
1459 
1460 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1461 {
1462     vs->read_handler = func;
1463     vs->read_handler_expect = expecting;
1464 }
1465 
1466 
1467 /*
1468  * Called to read a chunk of data from the client socket. The data may
1469  * be the raw data, or may need to be further decoded by SASL.
1470  * The data will be read either straight from to the socket, or
1471  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1472  *
1473  * NB, it is theoretically possible to have 2 layers of encryption,
1474  * both SASL, and this TLS layer. It is highly unlikely in practice
1475  * though, since SASL encryption will typically be a no-op if TLS
1476  * is active
1477  *
1478  * Returns the number of bytes read, which may be less than
1479  * the requested 'datalen' if the socket would block. Returns
1480  * 0 on I/O error or EOF, and disconnects the client socket.
1481  */
1482 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1483 {
1484     ssize_t ret;
1485     Error *err = NULL;
1486     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1487     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1488     return vnc_client_io_error(vs, ret, err);
1489 }
1490 
1491 
1492 /*
1493  * Called to read data from the client socket to the input buffer,
1494  * when not using any SASL SSF encryption layers. Will read as much
1495  * data as possible without blocking.
1496  *
1497  * Returns the number of bytes read, which may be less than
1498  * the requested 'datalen' if the socket would block. Returns
1499  * 0 on I/O error or EOF, and disconnects the client socket.
1500  */
1501 static size_t vnc_client_read_plain(VncState *vs)
1502 {
1503     size_t ret;
1504     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1505               vs->input.buffer, vs->input.capacity, vs->input.offset);
1506     buffer_reserve(&vs->input, 4096);
1507     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1508     if (!ret)
1509         return 0;
1510     vs->input.offset += ret;
1511     return ret;
1512 }
1513 
1514 static void vnc_jobs_bh(void *opaque)
1515 {
1516     VncState *vs = opaque;
1517 
1518     assert(vs->magic == VNC_MAGIC);
1519     vnc_jobs_consume_buffer(vs);
1520 }
1521 
1522 /*
1523  * First function called whenever there is more data to be read from
1524  * the client socket. Will delegate actual work according to whether
1525  * SASL SSF layers are enabled (thus requiring decryption calls)
1526  * Returns 0 on success, -1 if client disconnected
1527  */
1528 static int vnc_client_read(VncState *vs)
1529 {
1530     size_t ret;
1531 
1532 #ifdef CONFIG_VNC_SASL
1533     if (vs->sasl.conn && vs->sasl.runSSF)
1534         ret = vnc_client_read_sasl(vs);
1535     else
1536 #endif /* CONFIG_VNC_SASL */
1537         ret = vnc_client_read_plain(vs);
1538     if (!ret) {
1539         if (vs->disconnecting) {
1540             vnc_disconnect_finish(vs);
1541             return -1;
1542         }
1543         return 0;
1544     }
1545 
1546     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1547         size_t len = vs->read_handler_expect;
1548         int ret;
1549 
1550         ret = vs->read_handler(vs, vs->input.buffer, len);
1551         if (vs->disconnecting) {
1552             vnc_disconnect_finish(vs);
1553             return -1;
1554         }
1555 
1556         if (!ret) {
1557             buffer_advance(&vs->input, len);
1558         } else {
1559             vs->read_handler_expect = ret;
1560         }
1561     }
1562     return 0;
1563 }
1564 
1565 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1566                        GIOCondition condition, void *opaque)
1567 {
1568     VncState *vs = opaque;
1569 
1570     assert(vs->magic == VNC_MAGIC);
1571     if (condition & G_IO_IN) {
1572         if (vnc_client_read(vs) < 0) {
1573             /* vs is free()ed here */
1574             return TRUE;
1575         }
1576     }
1577     if (condition & G_IO_OUT) {
1578         vnc_client_write(vs);
1579     }
1580 
1581     if (vs->disconnecting) {
1582         if (vs->ioc_tag != 0) {
1583             g_source_remove(vs->ioc_tag);
1584         }
1585         vs->ioc_tag = 0;
1586     }
1587     return TRUE;
1588 }
1589 
1590 
1591 /*
1592  * Scale factor to apply to vs->throttle_output_offset when checking for
1593  * hard limit. Worst case normal usage could be x2, if we have a complete
1594  * incremental update and complete forced update in the output buffer.
1595  * So x3 should be good enough, but we pick x5 to be conservative and thus
1596  * (hopefully) never trigger incorrectly.
1597  */
1598 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1599 
1600 void vnc_write(VncState *vs, const void *data, size_t len)
1601 {
1602     assert(vs->magic == VNC_MAGIC);
1603     if (vs->disconnecting) {
1604         return;
1605     }
1606     /* Protection against malicious client/guest to prevent our output
1607      * buffer growing without bound if client stops reading data. This
1608      * should rarely trigger, because we have earlier throttling code
1609      * which stops issuing framebuffer updates and drops audio data
1610      * if the throttle_output_offset value is exceeded. So we only reach
1611      * this higher level if a huge number of pseudo-encodings get
1612      * triggered while data can't be sent on the socket.
1613      *
1614      * NB throttle_output_offset can be zero during early protocol
1615      * handshake, or from the job thread's VncState clone
1616      */
1617     if (vs->throttle_output_offset != 0 &&
1618         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1619         vs->throttle_output_offset) {
1620         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1621                                       vs->throttle_output_offset);
1622         vnc_disconnect_start(vs);
1623         return;
1624     }
1625     buffer_reserve(&vs->output, len);
1626 
1627     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1628         if (vs->ioc_tag) {
1629             g_source_remove(vs->ioc_tag);
1630         }
1631         vs->ioc_tag = qio_channel_add_watch(
1632             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1633     }
1634 
1635     buffer_append(&vs->output, data, len);
1636 }
1637 
1638 void vnc_write_s32(VncState *vs, int32_t value)
1639 {
1640     vnc_write_u32(vs, *(uint32_t *)&value);
1641 }
1642 
1643 void vnc_write_u32(VncState *vs, uint32_t value)
1644 {
1645     uint8_t buf[4];
1646 
1647     buf[0] = (value >> 24) & 0xFF;
1648     buf[1] = (value >> 16) & 0xFF;
1649     buf[2] = (value >>  8) & 0xFF;
1650     buf[3] = value & 0xFF;
1651 
1652     vnc_write(vs, buf, 4);
1653 }
1654 
1655 void vnc_write_u16(VncState *vs, uint16_t value)
1656 {
1657     uint8_t buf[2];
1658 
1659     buf[0] = (value >> 8) & 0xFF;
1660     buf[1] = value & 0xFF;
1661 
1662     vnc_write(vs, buf, 2);
1663 }
1664 
1665 void vnc_write_u8(VncState *vs, uint8_t value)
1666 {
1667     vnc_write(vs, (char *)&value, 1);
1668 }
1669 
1670 void vnc_flush(VncState *vs)
1671 {
1672     vnc_lock_output(vs);
1673     if (vs->ioc != NULL && vs->output.offset) {
1674         vnc_client_write_locked(vs);
1675     }
1676     if (vs->disconnecting) {
1677         if (vs->ioc_tag != 0) {
1678             g_source_remove(vs->ioc_tag);
1679         }
1680         vs->ioc_tag = 0;
1681     }
1682     vnc_unlock_output(vs);
1683 }
1684 
1685 static uint8_t read_u8(uint8_t *data, size_t offset)
1686 {
1687     return data[offset];
1688 }
1689 
1690 static uint16_t read_u16(uint8_t *data, size_t offset)
1691 {
1692     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1693 }
1694 
1695 static int32_t read_s32(uint8_t *data, size_t offset)
1696 {
1697     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1698                      (data[offset + 2] << 8) | data[offset + 3]);
1699 }
1700 
1701 uint32_t read_u32(uint8_t *data, size_t offset)
1702 {
1703     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1704             (data[offset + 2] << 8) | data[offset + 3]);
1705 }
1706 
1707 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1708 {
1709 }
1710 
1711 static void check_pointer_type_change(Notifier *notifier, void *data)
1712 {
1713     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1714     int absolute = qemu_input_is_absolute();
1715 
1716     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1717         vnc_lock_output(vs);
1718         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1719         vnc_write_u8(vs, 0);
1720         vnc_write_u16(vs, 1);
1721         vnc_framebuffer_update(vs, absolute, 0,
1722                                pixman_image_get_width(vs->vd->server),
1723                                pixman_image_get_height(vs->vd->server),
1724                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1725         vnc_unlock_output(vs);
1726         vnc_flush(vs);
1727     }
1728     vs->absolute = absolute;
1729 }
1730 
1731 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1732 {
1733     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1734         [INPUT_BUTTON_LEFT]       = 0x01,
1735         [INPUT_BUTTON_MIDDLE]     = 0x02,
1736         [INPUT_BUTTON_RIGHT]      = 0x04,
1737         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1738         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1739     };
1740     QemuConsole *con = vs->vd->dcl.con;
1741     int width = pixman_image_get_width(vs->vd->server);
1742     int height = pixman_image_get_height(vs->vd->server);
1743 
1744     if (vs->last_bmask != button_mask) {
1745         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1746         vs->last_bmask = button_mask;
1747     }
1748 
1749     if (vs->absolute) {
1750         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1751         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1752     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1753         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1754         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1755     } else {
1756         if (vs->last_x != -1) {
1757             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1758             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1759         }
1760         vs->last_x = x;
1761         vs->last_y = y;
1762     }
1763     qemu_input_event_sync();
1764 }
1765 
1766 static void press_key(VncState *vs, QKeyCode qcode)
1767 {
1768     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1769     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1770 }
1771 
1772 static void vnc_led_state_change(VncState *vs)
1773 {
1774     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1775         return;
1776     }
1777 
1778     vnc_lock_output(vs);
1779     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1780     vnc_write_u8(vs, 0);
1781     vnc_write_u16(vs, 1);
1782     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1783     vnc_write_u8(vs, vs->vd->ledstate);
1784     vnc_unlock_output(vs);
1785     vnc_flush(vs);
1786 }
1787 
1788 static void kbd_leds(void *opaque, int ledstate)
1789 {
1790     VncDisplay *vd = opaque;
1791     VncState *client;
1792 
1793     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1794                              (ledstate & QEMU_NUM_LOCK_LED),
1795                              (ledstate & QEMU_SCROLL_LOCK_LED));
1796 
1797     if (ledstate == vd->ledstate) {
1798         return;
1799     }
1800 
1801     vd->ledstate = ledstate;
1802 
1803     QTAILQ_FOREACH(client, &vd->clients, next) {
1804         vnc_led_state_change(client);
1805     }
1806 }
1807 
1808 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1809 {
1810     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1811 
1812     /* QEMU console switch */
1813     switch (qcode) {
1814     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1815         if (vs->vd->dcl.con == NULL && down &&
1816             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1817             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1818             /* Reset the modifiers sent to the current console */
1819             qkbd_state_lift_all_keys(vs->vd->kbd);
1820             console_select(qcode - Q_KEY_CODE_1);
1821             return;
1822         }
1823     default:
1824         break;
1825     }
1826 
1827     /* Turn off the lock state sync logic if the client support the led
1828        state extension.
1829     */
1830     if (down && vs->vd->lock_key_sync &&
1831         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1832         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1833         /* If the numlock state needs to change then simulate an additional
1834            keypress before sending this one.  This will happen if the user
1835            toggles numlock away from the VNC window.
1836         */
1837         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1838             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1839                 trace_vnc_key_sync_numlock(true);
1840                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1841             }
1842         } else {
1843             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1844                 trace_vnc_key_sync_numlock(false);
1845                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1846             }
1847         }
1848     }
1849 
1850     if (down && vs->vd->lock_key_sync &&
1851         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1852         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1853         /* If the capslock state needs to change then simulate an additional
1854            keypress before sending this one.  This will happen if the user
1855            toggles capslock away from the VNC window.
1856         */
1857         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1858         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1859         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1860         if (capslock) {
1861             if (uppercase == shift) {
1862                 trace_vnc_key_sync_capslock(false);
1863                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1864             }
1865         } else {
1866             if (uppercase != shift) {
1867                 trace_vnc_key_sync_capslock(true);
1868                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1869             }
1870         }
1871     }
1872 
1873     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1874     if (!qemu_console_is_graphic(NULL)) {
1875         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1876         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1877         /* QEMU console emulation */
1878         if (down) {
1879             switch (keycode) {
1880             case 0x2a:                          /* Left Shift */
1881             case 0x36:                          /* Right Shift */
1882             case 0x1d:                          /* Left CTRL */
1883             case 0x9d:                          /* Right CTRL */
1884             case 0x38:                          /* Left ALT */
1885             case 0xb8:                          /* Right ALT */
1886                 break;
1887             case 0xc8:
1888                 kbd_put_keysym(QEMU_KEY_UP);
1889                 break;
1890             case 0xd0:
1891                 kbd_put_keysym(QEMU_KEY_DOWN);
1892                 break;
1893             case 0xcb:
1894                 kbd_put_keysym(QEMU_KEY_LEFT);
1895                 break;
1896             case 0xcd:
1897                 kbd_put_keysym(QEMU_KEY_RIGHT);
1898                 break;
1899             case 0xd3:
1900                 kbd_put_keysym(QEMU_KEY_DELETE);
1901                 break;
1902             case 0xc7:
1903                 kbd_put_keysym(QEMU_KEY_HOME);
1904                 break;
1905             case 0xcf:
1906                 kbd_put_keysym(QEMU_KEY_END);
1907                 break;
1908             case 0xc9:
1909                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1910                 break;
1911             case 0xd1:
1912                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1913                 break;
1914 
1915             case 0x47:
1916                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1917                 break;
1918             case 0x48:
1919                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1920                 break;
1921             case 0x49:
1922                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1923                 break;
1924             case 0x4b:
1925                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1926                 break;
1927             case 0x4c:
1928                 kbd_put_keysym('5');
1929                 break;
1930             case 0x4d:
1931                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1932                 break;
1933             case 0x4f:
1934                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1935                 break;
1936             case 0x50:
1937                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1938                 break;
1939             case 0x51:
1940                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1941                 break;
1942             case 0x52:
1943                 kbd_put_keysym('0');
1944                 break;
1945             case 0x53:
1946                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1947                 break;
1948 
1949             case 0xb5:
1950                 kbd_put_keysym('/');
1951                 break;
1952             case 0x37:
1953                 kbd_put_keysym('*');
1954                 break;
1955             case 0x4a:
1956                 kbd_put_keysym('-');
1957                 break;
1958             case 0x4e:
1959                 kbd_put_keysym('+');
1960                 break;
1961             case 0x9c:
1962                 kbd_put_keysym('\n');
1963                 break;
1964 
1965             default:
1966                 if (control) {
1967                     kbd_put_keysym(sym & 0x1f);
1968                 } else {
1969                     kbd_put_keysym(sym);
1970                 }
1971                 break;
1972             }
1973         }
1974     }
1975 }
1976 
1977 static const char *code2name(int keycode)
1978 {
1979     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1980 }
1981 
1982 static void key_event(VncState *vs, int down, uint32_t sym)
1983 {
1984     int keycode;
1985     int lsym = sym;
1986 
1987     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1988         lsym = lsym - 'A' + 'a';
1989     }
1990 
1991     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1992                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
1993     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1994     do_key_event(vs, down, keycode, sym);
1995 }
1996 
1997 static void ext_key_event(VncState *vs, int down,
1998                           uint32_t sym, uint16_t keycode)
1999 {
2000     /* if the user specifies a keyboard layout, always use it */
2001     if (keyboard_layout) {
2002         key_event(vs, down, sym);
2003     } else {
2004         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2005         do_key_event(vs, down, keycode, sym);
2006     }
2007 }
2008 
2009 static void framebuffer_update_request(VncState *vs, int incremental,
2010                                        int x, int y, int w, int h)
2011 {
2012     if (incremental) {
2013         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2014             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2015         }
2016     } else {
2017         vs->update = VNC_STATE_UPDATE_FORCE;
2018         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2019     }
2020 }
2021 
2022 static void send_ext_key_event_ack(VncState *vs)
2023 {
2024     vnc_lock_output(vs);
2025     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2026     vnc_write_u8(vs, 0);
2027     vnc_write_u16(vs, 1);
2028     vnc_framebuffer_update(vs, 0, 0,
2029                            pixman_image_get_width(vs->vd->server),
2030                            pixman_image_get_height(vs->vd->server),
2031                            VNC_ENCODING_EXT_KEY_EVENT);
2032     vnc_unlock_output(vs);
2033     vnc_flush(vs);
2034 }
2035 
2036 static void send_ext_audio_ack(VncState *vs)
2037 {
2038     vnc_lock_output(vs);
2039     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2040     vnc_write_u8(vs, 0);
2041     vnc_write_u16(vs, 1);
2042     vnc_framebuffer_update(vs, 0, 0,
2043                            pixman_image_get_width(vs->vd->server),
2044                            pixman_image_get_height(vs->vd->server),
2045                            VNC_ENCODING_AUDIO);
2046     vnc_unlock_output(vs);
2047     vnc_flush(vs);
2048 }
2049 
2050 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2051 {
2052     int i;
2053     unsigned int enc = 0;
2054 
2055     vs->features = 0;
2056     vs->vnc_encoding = 0;
2057     vs->tight->compression = 9;
2058     vs->tight->quality = -1; /* Lossless by default */
2059     vs->absolute = -1;
2060 
2061     /*
2062      * Start from the end because the encodings are sent in order of preference.
2063      * This way the preferred encoding (first encoding defined in the array)
2064      * will be set at the end of the loop.
2065      */
2066     for (i = n_encodings - 1; i >= 0; i--) {
2067         enc = encodings[i];
2068         switch (enc) {
2069         case VNC_ENCODING_RAW:
2070             vs->vnc_encoding = enc;
2071             break;
2072         case VNC_ENCODING_COPYRECT:
2073             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2074             break;
2075         case VNC_ENCODING_HEXTILE:
2076             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2077             vs->vnc_encoding = enc;
2078             break;
2079         case VNC_ENCODING_TIGHT:
2080             vs->features |= VNC_FEATURE_TIGHT_MASK;
2081             vs->vnc_encoding = enc;
2082             break;
2083 #ifdef CONFIG_VNC_PNG
2084         case VNC_ENCODING_TIGHT_PNG:
2085             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2086             vs->vnc_encoding = enc;
2087             break;
2088 #endif
2089         case VNC_ENCODING_ZLIB:
2090             vs->features |= VNC_FEATURE_ZLIB_MASK;
2091             vs->vnc_encoding = enc;
2092             break;
2093         case VNC_ENCODING_ZRLE:
2094             vs->features |= VNC_FEATURE_ZRLE_MASK;
2095             vs->vnc_encoding = enc;
2096             break;
2097         case VNC_ENCODING_ZYWRLE:
2098             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2099             vs->vnc_encoding = enc;
2100             break;
2101         case VNC_ENCODING_DESKTOPRESIZE:
2102             vs->features |= VNC_FEATURE_RESIZE_MASK;
2103             break;
2104         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2105             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2106             break;
2107         case VNC_ENCODING_RICH_CURSOR:
2108             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2109             if (vs->vd->cursor) {
2110                 vnc_cursor_define(vs);
2111             }
2112             break;
2113         case VNC_ENCODING_EXT_KEY_EVENT:
2114             send_ext_key_event_ack(vs);
2115             break;
2116         case VNC_ENCODING_AUDIO:
2117             send_ext_audio_ack(vs);
2118             break;
2119         case VNC_ENCODING_WMVi:
2120             vs->features |= VNC_FEATURE_WMVI_MASK;
2121             break;
2122         case VNC_ENCODING_LED_STATE:
2123             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2124             break;
2125         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2126             vs->tight->compression = (enc & 0x0F);
2127             break;
2128         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2129             if (vs->vd->lossy) {
2130                 vs->tight->quality = (enc & 0x0F);
2131             }
2132             break;
2133         default:
2134             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2135             break;
2136         }
2137     }
2138     vnc_desktop_resize(vs);
2139     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2140     vnc_led_state_change(vs);
2141 }
2142 
2143 static void set_pixel_conversion(VncState *vs)
2144 {
2145     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2146 
2147     if (fmt == VNC_SERVER_FB_FORMAT) {
2148         vs->write_pixels = vnc_write_pixels_copy;
2149         vnc_hextile_set_pixel_conversion(vs, 0);
2150     } else {
2151         vs->write_pixels = vnc_write_pixels_generic;
2152         vnc_hextile_set_pixel_conversion(vs, 1);
2153     }
2154 }
2155 
2156 static void send_color_map(VncState *vs)
2157 {
2158     int i;
2159 
2160     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2161     vnc_write_u8(vs,  0);    /* padding     */
2162     vnc_write_u16(vs, 0);    /* first color */
2163     vnc_write_u16(vs, 256);  /* # of colors */
2164 
2165     for (i = 0; i < 256; i++) {
2166         PixelFormat *pf = &vs->client_pf;
2167 
2168         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2169         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2170         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2171     }
2172 }
2173 
2174 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2175                              int big_endian_flag, int true_color_flag,
2176                              int red_max, int green_max, int blue_max,
2177                              int red_shift, int green_shift, int blue_shift)
2178 {
2179     if (!true_color_flag) {
2180         /* Expose a reasonable default 256 color map */
2181         bits_per_pixel = 8;
2182         red_max = 7;
2183         green_max = 7;
2184         blue_max = 3;
2185         red_shift = 0;
2186         green_shift = 3;
2187         blue_shift = 6;
2188     }
2189 
2190     switch (bits_per_pixel) {
2191     case 8:
2192     case 16:
2193     case 32:
2194         break;
2195     default:
2196         vnc_client_error(vs);
2197         return;
2198     }
2199 
2200     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2201     vs->client_pf.rbits = ctpopl(red_max);
2202     vs->client_pf.rshift = red_shift;
2203     vs->client_pf.rmask = red_max << red_shift;
2204     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2205     vs->client_pf.gbits = ctpopl(green_max);
2206     vs->client_pf.gshift = green_shift;
2207     vs->client_pf.gmask = green_max << green_shift;
2208     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2209     vs->client_pf.bbits = ctpopl(blue_max);
2210     vs->client_pf.bshift = blue_shift;
2211     vs->client_pf.bmask = blue_max << blue_shift;
2212     vs->client_pf.bits_per_pixel = bits_per_pixel;
2213     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2214     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2215     vs->client_be = big_endian_flag;
2216 
2217     if (!true_color_flag) {
2218         send_color_map(vs);
2219     }
2220 
2221     set_pixel_conversion(vs);
2222 
2223     graphic_hw_invalidate(vs->vd->dcl.con);
2224     graphic_hw_update(vs->vd->dcl.con);
2225 }
2226 
2227 static void pixel_format_message (VncState *vs) {
2228     char pad[3] = { 0, 0, 0 };
2229 
2230     vs->client_pf = qemu_default_pixelformat(32);
2231 
2232     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2233     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2234 
2235 #ifdef HOST_WORDS_BIGENDIAN
2236     vnc_write_u8(vs, 1);             /* big-endian-flag */
2237 #else
2238     vnc_write_u8(vs, 0);             /* big-endian-flag */
2239 #endif
2240     vnc_write_u8(vs, 1);             /* true-color-flag */
2241     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2242     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2243     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2244     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2245     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2246     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2247     vnc_write(vs, pad, 3);           /* padding */
2248 
2249     vnc_hextile_set_pixel_conversion(vs, 0);
2250     vs->write_pixels = vnc_write_pixels_copy;
2251 }
2252 
2253 static void vnc_colordepth(VncState *vs)
2254 {
2255     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2256         /* Sending a WMVi message to notify the client*/
2257         vnc_lock_output(vs);
2258         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2259         vnc_write_u8(vs, 0);
2260         vnc_write_u16(vs, 1); /* number of rects */
2261         vnc_framebuffer_update(vs, 0, 0,
2262                                pixman_image_get_width(vs->vd->server),
2263                                pixman_image_get_height(vs->vd->server),
2264                                VNC_ENCODING_WMVi);
2265         pixel_format_message(vs);
2266         vnc_unlock_output(vs);
2267         vnc_flush(vs);
2268     } else {
2269         set_pixel_conversion(vs);
2270     }
2271 }
2272 
2273 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2274 {
2275     int i;
2276     uint16_t limit;
2277     uint32_t freq;
2278     VncDisplay *vd = vs->vd;
2279 
2280     if (data[0] > 3) {
2281         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2282     }
2283 
2284     switch (data[0]) {
2285     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2286         if (len == 1)
2287             return 20;
2288 
2289         set_pixel_format(vs, read_u8(data, 4),
2290                          read_u8(data, 6), read_u8(data, 7),
2291                          read_u16(data, 8), read_u16(data, 10),
2292                          read_u16(data, 12), read_u8(data, 14),
2293                          read_u8(data, 15), read_u8(data, 16));
2294         break;
2295     case VNC_MSG_CLIENT_SET_ENCODINGS:
2296         if (len == 1)
2297             return 4;
2298 
2299         if (len == 4) {
2300             limit = read_u16(data, 2);
2301             if (limit > 0)
2302                 return 4 + (limit * 4);
2303         } else
2304             limit = read_u16(data, 2);
2305 
2306         for (i = 0; i < limit; i++) {
2307             int32_t val = read_s32(data, 4 + (i * 4));
2308             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2309         }
2310 
2311         set_encodings(vs, (int32_t *)(data + 4), limit);
2312         break;
2313     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2314         if (len == 1)
2315             return 10;
2316 
2317         framebuffer_update_request(vs,
2318                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2319                                    read_u16(data, 6), read_u16(data, 8));
2320         break;
2321     case VNC_MSG_CLIENT_KEY_EVENT:
2322         if (len == 1)
2323             return 8;
2324 
2325         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2326         break;
2327     case VNC_MSG_CLIENT_POINTER_EVENT:
2328         if (len == 1)
2329             return 6;
2330 
2331         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2332         break;
2333     case VNC_MSG_CLIENT_CUT_TEXT:
2334         if (len == 1) {
2335             return 8;
2336         }
2337         if (len == 8) {
2338             uint32_t dlen = read_u32(data, 4);
2339             if (dlen > (1 << 20)) {
2340                 error_report("vnc: client_cut_text msg payload has %u bytes"
2341                              " which exceeds our limit of 1MB.", dlen);
2342                 vnc_client_error(vs);
2343                 break;
2344             }
2345             if (dlen > 0) {
2346                 return 8 + dlen;
2347             }
2348         }
2349 
2350         client_cut_text(vs, read_u32(data, 4), data + 8);
2351         break;
2352     case VNC_MSG_CLIENT_QEMU:
2353         if (len == 1)
2354             return 2;
2355 
2356         switch (read_u8(data, 1)) {
2357         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2358             if (len == 2)
2359                 return 12;
2360 
2361             ext_key_event(vs, read_u16(data, 2),
2362                           read_u32(data, 4), read_u32(data, 8));
2363             break;
2364         case VNC_MSG_CLIENT_QEMU_AUDIO:
2365             if (len == 2)
2366                 return 4;
2367 
2368             switch (read_u16 (data, 2)) {
2369             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2370                 audio_add(vs);
2371                 break;
2372             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2373                 audio_del(vs);
2374                 break;
2375             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2376                 if (len == 4)
2377                     return 10;
2378                 switch (read_u8(data, 4)) {
2379                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2380                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2381                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2382                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2383                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2384                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2385                 default:
2386                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2387                     vnc_client_error(vs);
2388                     break;
2389                 }
2390                 vs->as.nchannels = read_u8(data, 5);
2391                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2392                     VNC_DEBUG("Invalid audio channel count %d\n",
2393                               read_u8(data, 5));
2394                     vnc_client_error(vs);
2395                     break;
2396                 }
2397                 freq = read_u32(data, 6);
2398                 /* No official limit for protocol, but 48khz is a sensible
2399                  * upper bound for trustworthy clients, and this limit
2400                  * protects calculations involving 'vs->as.freq' later.
2401                  */
2402                 if (freq > 48000) {
2403                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2404                     vnc_client_error(vs);
2405                     break;
2406                 }
2407                 vs->as.freq = freq;
2408                 break;
2409             default:
2410                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2411                 vnc_client_error(vs);
2412                 break;
2413             }
2414             break;
2415 
2416         default:
2417             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2418             vnc_client_error(vs);
2419             break;
2420         }
2421         break;
2422     default:
2423         VNC_DEBUG("Msg: %d\n", data[0]);
2424         vnc_client_error(vs);
2425         break;
2426     }
2427 
2428     vnc_update_throttle_offset(vs);
2429     vnc_read_when(vs, protocol_client_msg, 1);
2430     return 0;
2431 }
2432 
2433 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2434 {
2435     char buf[1024];
2436     VncShareMode mode;
2437     int size;
2438 
2439     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2440     switch (vs->vd->share_policy) {
2441     case VNC_SHARE_POLICY_IGNORE:
2442         /*
2443          * Ignore the shared flag.  Nothing to do here.
2444          *
2445          * Doesn't conform to the rfb spec but is traditional qemu
2446          * behavior, thus left here as option for compatibility
2447          * reasons.
2448          */
2449         break;
2450     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2451         /*
2452          * Policy: Allow clients ask for exclusive access.
2453          *
2454          * Implementation: When a client asks for exclusive access,
2455          * disconnect all others. Shared connects are allowed as long
2456          * as no exclusive connection exists.
2457          *
2458          * This is how the rfb spec suggests to handle the shared flag.
2459          */
2460         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2461             VncState *client;
2462             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2463                 if (vs == client) {
2464                     continue;
2465                 }
2466                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2467                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2468                     continue;
2469                 }
2470                 vnc_disconnect_start(client);
2471             }
2472         }
2473         if (mode == VNC_SHARE_MODE_SHARED) {
2474             if (vs->vd->num_exclusive > 0) {
2475                 vnc_disconnect_start(vs);
2476                 return 0;
2477             }
2478         }
2479         break;
2480     case VNC_SHARE_POLICY_FORCE_SHARED:
2481         /*
2482          * Policy: Shared connects only.
2483          * Implementation: Disallow clients asking for exclusive access.
2484          *
2485          * Useful for shared desktop sessions where you don't want
2486          * someone forgetting to say -shared when running the vnc
2487          * client disconnect everybody else.
2488          */
2489         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2490             vnc_disconnect_start(vs);
2491             return 0;
2492         }
2493         break;
2494     }
2495     vnc_set_share_mode(vs, mode);
2496 
2497     if (vs->vd->num_shared > vs->vd->connections_limit) {
2498         vnc_disconnect_start(vs);
2499         return 0;
2500     }
2501 
2502     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2503            pixman_image_get_width(vs->vd->server) >= 0);
2504     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2505            pixman_image_get_height(vs->vd->server) >= 0);
2506     vs->client_width = pixman_image_get_width(vs->vd->server);
2507     vs->client_height = pixman_image_get_height(vs->vd->server);
2508     vnc_write_u16(vs, vs->client_width);
2509     vnc_write_u16(vs, vs->client_height);
2510 
2511     pixel_format_message(vs);
2512 
2513     if (qemu_name) {
2514         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2515         if (size > sizeof(buf)) {
2516             size = sizeof(buf);
2517         }
2518     } else {
2519         size = snprintf(buf, sizeof(buf), "QEMU");
2520     }
2521 
2522     vnc_write_u32(vs, size);
2523     vnc_write(vs, buf, size);
2524     vnc_flush(vs);
2525 
2526     vnc_client_cache_auth(vs);
2527     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2528 
2529     vnc_read_when(vs, protocol_client_msg, 1);
2530 
2531     return 0;
2532 }
2533 
2534 void start_client_init(VncState *vs)
2535 {
2536     vnc_read_when(vs, protocol_client_init, 1);
2537 }
2538 
2539 static void authentication_failed(VncState *vs)
2540 {
2541     vnc_write_u32(vs, 1); /* Reject auth */
2542     if (vs->minor >= 8) {
2543         static const char err[] = "Authentication failed";
2544         vnc_write_u32(vs, sizeof(err));
2545         vnc_write(vs, err, sizeof(err));
2546     }
2547     vnc_flush(vs);
2548     vnc_client_error(vs);
2549 }
2550 
2551 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2552 {
2553     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2554     size_t i, pwlen;
2555     unsigned char key[8];
2556     time_t now = time(NULL);
2557     QCryptoCipher *cipher = NULL;
2558     Error *err = NULL;
2559 
2560     if (!vs->vd->password) {
2561         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2562         goto reject;
2563     }
2564     if (vs->vd->expires < now) {
2565         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2566         goto reject;
2567     }
2568 
2569     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2570 
2571     /* Calculate the expected challenge response */
2572     pwlen = strlen(vs->vd->password);
2573     for (i=0; i<sizeof(key); i++)
2574         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2575 
2576     cipher = qcrypto_cipher_new(
2577         QCRYPTO_CIPHER_ALG_DES_RFB,
2578         QCRYPTO_CIPHER_MODE_ECB,
2579         key, G_N_ELEMENTS(key),
2580         &err);
2581     if (!cipher) {
2582         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2583                             error_get_pretty(err));
2584         error_free(err);
2585         goto reject;
2586     }
2587 
2588     if (qcrypto_cipher_encrypt(cipher,
2589                                vs->challenge,
2590                                response,
2591                                VNC_AUTH_CHALLENGE_SIZE,
2592                                &err) < 0) {
2593         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2594                             error_get_pretty(err));
2595         error_free(err);
2596         goto reject;
2597     }
2598 
2599     /* Compare expected vs actual challenge response */
2600     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2601         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2602         goto reject;
2603     } else {
2604         trace_vnc_auth_pass(vs, vs->auth);
2605         vnc_write_u32(vs, 0); /* Accept auth */
2606         vnc_flush(vs);
2607 
2608         start_client_init(vs);
2609     }
2610 
2611     qcrypto_cipher_free(cipher);
2612     return 0;
2613 
2614 reject:
2615     authentication_failed(vs);
2616     qcrypto_cipher_free(cipher);
2617     return 0;
2618 }
2619 
2620 void start_auth_vnc(VncState *vs)
2621 {
2622     Error *err = NULL;
2623 
2624     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2625         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2626                             error_get_pretty(err));
2627         error_free(err);
2628         authentication_failed(vs);
2629         return;
2630     }
2631 
2632     /* Send client a 'random' challenge */
2633     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2634     vnc_flush(vs);
2635 
2636     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2637 }
2638 
2639 
2640 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2641 {
2642     /* We only advertise 1 auth scheme at a time, so client
2643      * must pick the one we sent. Verify this */
2644     if (data[0] != vs->auth) { /* Reject auth */
2645        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2646        authentication_failed(vs);
2647     } else { /* Accept requested auth */
2648        trace_vnc_auth_start(vs, vs->auth);
2649        switch (vs->auth) {
2650        case VNC_AUTH_NONE:
2651            if (vs->minor >= 8) {
2652                vnc_write_u32(vs, 0); /* Accept auth completion */
2653                vnc_flush(vs);
2654            }
2655            trace_vnc_auth_pass(vs, vs->auth);
2656            start_client_init(vs);
2657            break;
2658 
2659        case VNC_AUTH_VNC:
2660            start_auth_vnc(vs);
2661            break;
2662 
2663        case VNC_AUTH_VENCRYPT:
2664            start_auth_vencrypt(vs);
2665            break;
2666 
2667 #ifdef CONFIG_VNC_SASL
2668        case VNC_AUTH_SASL:
2669            start_auth_sasl(vs);
2670            break;
2671 #endif /* CONFIG_VNC_SASL */
2672 
2673        default: /* Should not be possible, but just in case */
2674            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2675            authentication_failed(vs);
2676        }
2677     }
2678     return 0;
2679 }
2680 
2681 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2682 {
2683     char local[13];
2684 
2685     memcpy(local, version, 12);
2686     local[12] = 0;
2687 
2688     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2689         VNC_DEBUG("Malformed protocol version %s\n", local);
2690         vnc_client_error(vs);
2691         return 0;
2692     }
2693     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2694     if (vs->major != 3 ||
2695         (vs->minor != 3 &&
2696          vs->minor != 4 &&
2697          vs->minor != 5 &&
2698          vs->minor != 7 &&
2699          vs->minor != 8)) {
2700         VNC_DEBUG("Unsupported client version\n");
2701         vnc_write_u32(vs, VNC_AUTH_INVALID);
2702         vnc_flush(vs);
2703         vnc_client_error(vs);
2704         return 0;
2705     }
2706     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2707      * as equivalent to v3.3 by servers
2708      */
2709     if (vs->minor == 4 || vs->minor == 5)
2710         vs->minor = 3;
2711 
2712     if (vs->minor == 3) {
2713         trace_vnc_auth_start(vs, vs->auth);
2714         if (vs->auth == VNC_AUTH_NONE) {
2715             vnc_write_u32(vs, vs->auth);
2716             vnc_flush(vs);
2717             trace_vnc_auth_pass(vs, vs->auth);
2718             start_client_init(vs);
2719        } else if (vs->auth == VNC_AUTH_VNC) {
2720             VNC_DEBUG("Tell client VNC auth\n");
2721             vnc_write_u32(vs, vs->auth);
2722             vnc_flush(vs);
2723             start_auth_vnc(vs);
2724        } else {
2725             trace_vnc_auth_fail(vs, vs->auth,
2726                                 "Unsupported auth method for v3.3", "");
2727             vnc_write_u32(vs, VNC_AUTH_INVALID);
2728             vnc_flush(vs);
2729             vnc_client_error(vs);
2730        }
2731     } else {
2732         vnc_write_u8(vs, 1); /* num auth */
2733         vnc_write_u8(vs, vs->auth);
2734         vnc_read_when(vs, protocol_client_auth, 1);
2735         vnc_flush(vs);
2736     }
2737 
2738     return 0;
2739 }
2740 
2741 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2742 {
2743     struct VncSurface *vs = &vd->guest;
2744 
2745     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2746 }
2747 
2748 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2749 {
2750     int i, j;
2751 
2752     w = (x + w) / VNC_STAT_RECT;
2753     h = (y + h) / VNC_STAT_RECT;
2754     x /= VNC_STAT_RECT;
2755     y /= VNC_STAT_RECT;
2756 
2757     for (j = y; j <= h; j++) {
2758         for (i = x; i <= w; i++) {
2759             vs->lossy_rect[j][i] = 1;
2760         }
2761     }
2762 }
2763 
2764 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2765 {
2766     VncState *vs;
2767     int sty = y / VNC_STAT_RECT;
2768     int stx = x / VNC_STAT_RECT;
2769     int has_dirty = 0;
2770 
2771     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2772     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2773 
2774     QTAILQ_FOREACH(vs, &vd->clients, next) {
2775         int j;
2776 
2777         /* kernel send buffers are full -> refresh later */
2778         if (vs->output.offset) {
2779             continue;
2780         }
2781 
2782         if (!vs->lossy_rect[sty][stx]) {
2783             continue;
2784         }
2785 
2786         vs->lossy_rect[sty][stx] = 0;
2787         for (j = 0; j < VNC_STAT_RECT; ++j) {
2788             bitmap_set(vs->dirty[y + j],
2789                        x / VNC_DIRTY_PIXELS_PER_BIT,
2790                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2791         }
2792         has_dirty++;
2793     }
2794 
2795     return has_dirty;
2796 }
2797 
2798 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2799 {
2800     int width = MIN(pixman_image_get_width(vd->guest.fb),
2801                     pixman_image_get_width(vd->server));
2802     int height = MIN(pixman_image_get_height(vd->guest.fb),
2803                      pixman_image_get_height(vd->server));
2804     int x, y;
2805     struct timeval res;
2806     int has_dirty = 0;
2807 
2808     for (y = 0; y < height; y += VNC_STAT_RECT) {
2809         for (x = 0; x < width; x += VNC_STAT_RECT) {
2810             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2811 
2812             rect->updated = false;
2813         }
2814     }
2815 
2816     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2817 
2818     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2819         return has_dirty;
2820     }
2821     vd->guest.last_freq_check = *tv;
2822 
2823     for (y = 0; y < height; y += VNC_STAT_RECT) {
2824         for (x = 0; x < width; x += VNC_STAT_RECT) {
2825             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2826             int count = ARRAY_SIZE(rect->times);
2827             struct timeval min, max;
2828 
2829             if (!timerisset(&rect->times[count - 1])) {
2830                 continue ;
2831             }
2832 
2833             max = rect->times[(rect->idx + count - 1) % count];
2834             qemu_timersub(tv, &max, &res);
2835 
2836             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2837                 rect->freq = 0;
2838                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2839                 memset(rect->times, 0, sizeof (rect->times));
2840                 continue ;
2841             }
2842 
2843             min = rect->times[rect->idx];
2844             max = rect->times[(rect->idx + count - 1) % count];
2845             qemu_timersub(&max, &min, &res);
2846 
2847             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2848             rect->freq /= count;
2849             rect->freq = 1. / rect->freq;
2850         }
2851     }
2852     return has_dirty;
2853 }
2854 
2855 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2856 {
2857     int i, j;
2858     double total = 0;
2859     int num = 0;
2860 
2861     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2862     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2863 
2864     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2865         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2866             total += vnc_stat_rect(vs->vd, i, j)->freq;
2867             num++;
2868         }
2869     }
2870 
2871     if (num) {
2872         return total / num;
2873     } else {
2874         return 0;
2875     }
2876 }
2877 
2878 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2879 {
2880     VncRectStat *rect;
2881 
2882     rect = vnc_stat_rect(vd, x, y);
2883     if (rect->updated) {
2884         return ;
2885     }
2886     rect->times[rect->idx] = *tv;
2887     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2888     rect->updated = true;
2889 }
2890 
2891 static int vnc_refresh_server_surface(VncDisplay *vd)
2892 {
2893     int width = MIN(pixman_image_get_width(vd->guest.fb),
2894                     pixman_image_get_width(vd->server));
2895     int height = MIN(pixman_image_get_height(vd->guest.fb),
2896                      pixman_image_get_height(vd->server));
2897     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2898     uint8_t *guest_row0 = NULL, *server_row0;
2899     VncState *vs;
2900     int has_dirty = 0;
2901     pixman_image_t *tmpbuf = NULL;
2902 
2903     struct timeval tv = { 0, 0 };
2904 
2905     if (!vd->non_adaptive) {
2906         gettimeofday(&tv, NULL);
2907         has_dirty = vnc_update_stats(vd, &tv);
2908     }
2909 
2910     /*
2911      * Walk through the guest dirty map.
2912      * Check and copy modified bits from guest to server surface.
2913      * Update server dirty map.
2914      */
2915     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2916     server_stride = guest_stride = guest_ll =
2917         pixman_image_get_stride(vd->server);
2918     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2919                     server_stride);
2920     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2921         int width = pixman_image_get_width(vd->server);
2922         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2923     } else {
2924         int guest_bpp =
2925             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2926         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2927         guest_stride = pixman_image_get_stride(vd->guest.fb);
2928         guest_ll = pixman_image_get_width(vd->guest.fb)
2929                    * DIV_ROUND_UP(guest_bpp, 8);
2930     }
2931     line_bytes = MIN(server_stride, guest_ll);
2932 
2933     for (;;) {
2934         int x;
2935         uint8_t *guest_ptr, *server_ptr;
2936         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2937                                              height * VNC_DIRTY_BPL(&vd->guest),
2938                                              y * VNC_DIRTY_BPL(&vd->guest));
2939         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2940             /* no more dirty bits */
2941             break;
2942         }
2943         y = offset / VNC_DIRTY_BPL(&vd->guest);
2944         x = offset % VNC_DIRTY_BPL(&vd->guest);
2945 
2946         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2947 
2948         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2949             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2950             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2951         } else {
2952             guest_ptr = guest_row0 + y * guest_stride;
2953         }
2954         guest_ptr += x * cmp_bytes;
2955 
2956         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2957              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2958             int _cmp_bytes = cmp_bytes;
2959             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2960                 continue;
2961             }
2962             if ((x + 1) * cmp_bytes > line_bytes) {
2963                 _cmp_bytes = line_bytes - x * cmp_bytes;
2964             }
2965             assert(_cmp_bytes >= 0);
2966             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2967                 continue;
2968             }
2969             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2970             if (!vd->non_adaptive) {
2971                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2972                                  y, &tv);
2973             }
2974             QTAILQ_FOREACH(vs, &vd->clients, next) {
2975                 set_bit(x, vs->dirty[y]);
2976             }
2977             has_dirty++;
2978         }
2979 
2980         y++;
2981     }
2982     qemu_pixman_image_unref(tmpbuf);
2983     return has_dirty;
2984 }
2985 
2986 static void vnc_refresh(DisplayChangeListener *dcl)
2987 {
2988     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2989     VncState *vs, *vn;
2990     int has_dirty, rects = 0;
2991 
2992     if (QTAILQ_EMPTY(&vd->clients)) {
2993         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2994         return;
2995     }
2996 
2997     graphic_hw_update(vd->dcl.con);
2998 
2999     if (vnc_trylock_display(vd)) {
3000         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3001         return;
3002     }
3003 
3004     has_dirty = vnc_refresh_server_surface(vd);
3005     vnc_unlock_display(vd);
3006 
3007     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3008         rects += vnc_update_client(vs, has_dirty);
3009         /* vs might be free()ed here */
3010     }
3011 
3012     if (has_dirty && rects) {
3013         vd->dcl.update_interval /= 2;
3014         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3015             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3016         }
3017     } else {
3018         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3019         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3020             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3021         }
3022     }
3023 }
3024 
3025 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3026                         bool skipauth, bool websocket)
3027 {
3028     VncState *vs = g_new0(VncState, 1);
3029     bool first_client = QTAILQ_EMPTY(&vd->clients);
3030     int i;
3031 
3032     trace_vnc_client_connect(vs, sioc);
3033     vs->zrle = g_new0(VncZrle, 1);
3034     vs->tight = g_new0(VncTight, 1);
3035     vs->magic = VNC_MAGIC;
3036     vs->sioc = sioc;
3037     object_ref(OBJECT(vs->sioc));
3038     vs->ioc = QIO_CHANNEL(sioc);
3039     object_ref(OBJECT(vs->ioc));
3040     vs->vd = vd;
3041 
3042     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3043     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3044     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3045 
3046     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3047     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3048     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3049 #ifdef CONFIG_VNC_JPEG
3050     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3051 #endif
3052 #ifdef CONFIG_VNC_PNG
3053     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3054 #endif
3055     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3056     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3057     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3058     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3059 
3060     if (skipauth) {
3061         vs->auth = VNC_AUTH_NONE;
3062         vs->subauth = VNC_AUTH_INVALID;
3063     } else {
3064         if (websocket) {
3065             vs->auth = vd->ws_auth;
3066             vs->subauth = VNC_AUTH_INVALID;
3067         } else {
3068             vs->auth = vd->auth;
3069             vs->subauth = vd->subauth;
3070         }
3071     }
3072     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3073               sioc, websocket, vs->auth, vs->subauth);
3074 
3075     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3076     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3077         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3078     }
3079 
3080     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3081     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3082     qio_channel_set_blocking(vs->ioc, false, NULL);
3083     if (vs->ioc_tag) {
3084         g_source_remove(vs->ioc_tag);
3085     }
3086     if (websocket) {
3087         vs->websocket = 1;
3088         if (vd->tlscreds) {
3089             vs->ioc_tag = qio_channel_add_watch(
3090                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3091         } else {
3092             vs->ioc_tag = qio_channel_add_watch(
3093                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3094         }
3095     } else {
3096         vs->ioc_tag = qio_channel_add_watch(
3097             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3098     }
3099 
3100     vnc_client_cache_addr(vs);
3101     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3102     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3103 
3104     vs->last_x = -1;
3105     vs->last_y = -1;
3106 
3107     vs->as.freq = 44100;
3108     vs->as.nchannels = 2;
3109     vs->as.fmt = AUDIO_FORMAT_S16;
3110     vs->as.endianness = 0;
3111 
3112     qemu_mutex_init(&vs->output_mutex);
3113     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3114 
3115     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3116     if (first_client) {
3117         vnc_update_server_surface(vd);
3118     }
3119 
3120     graphic_hw_update(vd->dcl.con);
3121 
3122     if (!vs->websocket) {
3123         vnc_start_protocol(vs);
3124     }
3125 
3126     if (vd->num_connecting > vd->connections_limit) {
3127         QTAILQ_FOREACH(vs, &vd->clients, next) {
3128             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3129                 vnc_disconnect_start(vs);
3130                 return;
3131             }
3132         }
3133     }
3134 }
3135 
3136 void vnc_start_protocol(VncState *vs)
3137 {
3138     vnc_write(vs, "RFB 003.008\n", 12);
3139     vnc_flush(vs);
3140     vnc_read_when(vs, protocol_version, 12);
3141 
3142     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3143     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3144 }
3145 
3146 static void vnc_listen_io(QIONetListener *listener,
3147                           QIOChannelSocket *cioc,
3148                           void *opaque)
3149 {
3150     VncDisplay *vd = opaque;
3151     bool isWebsock = listener == vd->wslistener;
3152 
3153     qio_channel_set_name(QIO_CHANNEL(cioc),
3154                          isWebsock ? "vnc-ws-server" : "vnc-server");
3155     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3156     vnc_connect(vd, cioc, false, isWebsock);
3157 }
3158 
3159 static const DisplayChangeListenerOps dcl_ops = {
3160     .dpy_name             = "vnc",
3161     .dpy_refresh          = vnc_refresh,
3162     .dpy_gfx_update       = vnc_dpy_update,
3163     .dpy_gfx_switch       = vnc_dpy_switch,
3164     .dpy_gfx_check_format = qemu_pixman_check_format,
3165     .dpy_mouse_set        = vnc_mouse_set,
3166     .dpy_cursor_define    = vnc_dpy_cursor_define,
3167 };
3168 
3169 void vnc_display_init(const char *id, Error **errp)
3170 {
3171     VncDisplay *vd;
3172 
3173     if (vnc_display_find(id) != NULL) {
3174         return;
3175     }
3176     vd = g_malloc0(sizeof(*vd));
3177 
3178     vd->id = strdup(id);
3179     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3180 
3181     QTAILQ_INIT(&vd->clients);
3182     vd->expires = TIME_MAX;
3183 
3184     if (keyboard_layout) {
3185         trace_vnc_key_map_init(keyboard_layout);
3186         vd->kbd_layout = init_keyboard_layout(name2keysym,
3187                                               keyboard_layout, errp);
3188     } else {
3189         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3190     }
3191 
3192     if (!vd->kbd_layout) {
3193         return;
3194     }
3195 
3196     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3197     vd->connections_limit = 32;
3198 
3199     qemu_mutex_init(&vd->mutex);
3200     vnc_start_worker_thread();
3201 
3202     vd->dcl.ops = &dcl_ops;
3203     register_displaychangelistener(&vd->dcl);
3204     vd->kbd = qkbd_state_init(vd->dcl.con);
3205 }
3206 
3207 
3208 static void vnc_display_close(VncDisplay *vd)
3209 {
3210     if (!vd) {
3211         return;
3212     }
3213     vd->is_unix = false;
3214 
3215     if (vd->listener) {
3216         qio_net_listener_disconnect(vd->listener);
3217         object_unref(OBJECT(vd->listener));
3218     }
3219     vd->listener = NULL;
3220 
3221     if (vd->wslistener) {
3222         qio_net_listener_disconnect(vd->wslistener);
3223         object_unref(OBJECT(vd->wslistener));
3224     }
3225     vd->wslistener = NULL;
3226 
3227     vd->auth = VNC_AUTH_INVALID;
3228     vd->subauth = VNC_AUTH_INVALID;
3229     if (vd->tlscreds) {
3230         object_unparent(OBJECT(vd->tlscreds));
3231         vd->tlscreds = NULL;
3232     }
3233     if (vd->tlsauthz) {
3234         object_unparent(OBJECT(vd->tlsauthz));
3235         vd->tlsauthz = NULL;
3236     }
3237     g_free(vd->tlsauthzid);
3238     vd->tlsauthzid = NULL;
3239     if (vd->lock_key_sync) {
3240         qemu_remove_led_event_handler(vd->led);
3241         vd->led = NULL;
3242     }
3243 #ifdef CONFIG_VNC_SASL
3244     if (vd->sasl.authz) {
3245         object_unparent(OBJECT(vd->sasl.authz));
3246         vd->sasl.authz = NULL;
3247     }
3248     g_free(vd->sasl.authzid);
3249     vd->sasl.authzid = NULL;
3250 #endif
3251 }
3252 
3253 int vnc_display_password(const char *id, const char *password)
3254 {
3255     VncDisplay *vd = vnc_display_find(id);
3256 
3257     if (!vd) {
3258         return -EINVAL;
3259     }
3260     if (vd->auth == VNC_AUTH_NONE) {
3261         error_printf_unless_qmp("If you want use passwords please enable "
3262                                 "password auth using '-vnc ${dpy},password'.\n");
3263         return -EINVAL;
3264     }
3265 
3266     g_free(vd->password);
3267     vd->password = g_strdup(password);
3268 
3269     return 0;
3270 }
3271 
3272 int vnc_display_pw_expire(const char *id, time_t expires)
3273 {
3274     VncDisplay *vd = vnc_display_find(id);
3275 
3276     if (!vd) {
3277         return -EINVAL;
3278     }
3279 
3280     vd->expires = expires;
3281     return 0;
3282 }
3283 
3284 static void vnc_display_print_local_addr(VncDisplay *vd)
3285 {
3286     SocketAddress *addr;
3287     Error *err = NULL;
3288 
3289     if (!vd->listener || !vd->listener->nsioc) {
3290         return;
3291     }
3292 
3293     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3294     if (!addr) {
3295         return;
3296     }
3297 
3298     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3299         qapi_free_SocketAddress(addr);
3300         return;
3301     }
3302     error_printf_unless_qmp("VNC server running on %s:%s\n",
3303                             addr->u.inet.host,
3304                             addr->u.inet.port);
3305     qapi_free_SocketAddress(addr);
3306 }
3307 
3308 static QemuOptsList qemu_vnc_opts = {
3309     .name = "vnc",
3310     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3311     .implied_opt_name = "vnc",
3312     .desc = {
3313         {
3314             .name = "vnc",
3315             .type = QEMU_OPT_STRING,
3316         },{
3317             .name = "websocket",
3318             .type = QEMU_OPT_STRING,
3319         },{
3320             .name = "tls-creds",
3321             .type = QEMU_OPT_STRING,
3322         },{
3323             .name = "share",
3324             .type = QEMU_OPT_STRING,
3325         },{
3326             .name = "display",
3327             .type = QEMU_OPT_STRING,
3328         },{
3329             .name = "head",
3330             .type = QEMU_OPT_NUMBER,
3331         },{
3332             .name = "connections",
3333             .type = QEMU_OPT_NUMBER,
3334         },{
3335             .name = "to",
3336             .type = QEMU_OPT_NUMBER,
3337         },{
3338             .name = "ipv4",
3339             .type = QEMU_OPT_BOOL,
3340         },{
3341             .name = "ipv6",
3342             .type = QEMU_OPT_BOOL,
3343         },{
3344             .name = "password",
3345             .type = QEMU_OPT_BOOL,
3346         },{
3347             .name = "reverse",
3348             .type = QEMU_OPT_BOOL,
3349         },{
3350             .name = "lock-key-sync",
3351             .type = QEMU_OPT_BOOL,
3352         },{
3353             .name = "key-delay-ms",
3354             .type = QEMU_OPT_NUMBER,
3355         },{
3356             .name = "sasl",
3357             .type = QEMU_OPT_BOOL,
3358         },{
3359             .name = "acl",
3360             .type = QEMU_OPT_BOOL,
3361         },{
3362             .name = "tls-authz",
3363             .type = QEMU_OPT_STRING,
3364         },{
3365             .name = "sasl-authz",
3366             .type = QEMU_OPT_STRING,
3367         },{
3368             .name = "lossy",
3369             .type = QEMU_OPT_BOOL,
3370         },{
3371             .name = "non-adaptive",
3372             .type = QEMU_OPT_BOOL,
3373         },{
3374             .name = "audiodev",
3375             .type = QEMU_OPT_STRING,
3376         },
3377         { /* end of list */ }
3378     },
3379 };
3380 
3381 
3382 static int
3383 vnc_display_setup_auth(int *auth,
3384                        int *subauth,
3385                        QCryptoTLSCreds *tlscreds,
3386                        bool password,
3387                        bool sasl,
3388                        bool websocket,
3389                        Error **errp)
3390 {
3391     /*
3392      * We have a choice of 3 authentication options
3393      *
3394      *   1. none
3395      *   2. vnc
3396      *   3. sasl
3397      *
3398      * The channel can be run in 2 modes
3399      *
3400      *   1. clear
3401      *   2. tls
3402      *
3403      * And TLS can use 2 types of credentials
3404      *
3405      *   1. anon
3406      *   2. x509
3407      *
3408      * We thus have 9 possible logical combinations
3409      *
3410      *   1. clear + none
3411      *   2. clear + vnc
3412      *   3. clear + sasl
3413      *   4. tls + anon + none
3414      *   5. tls + anon + vnc
3415      *   6. tls + anon + sasl
3416      *   7. tls + x509 + none
3417      *   8. tls + x509 + vnc
3418      *   9. tls + x509 + sasl
3419      *
3420      * These need to be mapped into the VNC auth schemes
3421      * in an appropriate manner. In regular VNC, all the
3422      * TLS options get mapped into VNC_AUTH_VENCRYPT
3423      * sub-auth types.
3424      *
3425      * In websockets, the https:// protocol already provides
3426      * TLS support, so there is no need to make use of the
3427      * VeNCrypt extension. Furthermore, websockets browser
3428      * clients could not use VeNCrypt even if they wanted to,
3429      * as they cannot control when the TLS handshake takes
3430      * place. Thus there is no option but to rely on https://,
3431      * meaning combinations 4->6 and 7->9 will be mapped to
3432      * VNC auth schemes in the same way as combos 1->3.
3433      *
3434      * Regardless of fact that we have a different mapping to
3435      * VNC auth mechs for plain VNC vs websockets VNC, the end
3436      * result has the same security characteristics.
3437      */
3438     if (websocket || !tlscreds) {
3439         if (password) {
3440             VNC_DEBUG("Initializing VNC server with password auth\n");
3441             *auth = VNC_AUTH_VNC;
3442         } else if (sasl) {
3443             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3444             *auth = VNC_AUTH_SASL;
3445         } else {
3446             VNC_DEBUG("Initializing VNC server with no auth\n");
3447             *auth = VNC_AUTH_NONE;
3448         }
3449         *subauth = VNC_AUTH_INVALID;
3450     } else {
3451         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3452                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3453         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3454                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3455 
3456         if (!is_x509 && !is_anon) {
3457             error_setg(errp,
3458                        "Unsupported TLS cred type %s",
3459                        object_get_typename(OBJECT(tlscreds)));
3460             return -1;
3461         }
3462         *auth = VNC_AUTH_VENCRYPT;
3463         if (password) {
3464             if (is_x509) {
3465                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3466                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3467             } else {
3468                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3469                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3470             }
3471 
3472         } else if (sasl) {
3473             if (is_x509) {
3474                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3475                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3476             } else {
3477                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3478                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3479             }
3480         } else {
3481             if (is_x509) {
3482                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3483                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3484             } else {
3485                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3486                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3487             }
3488         }
3489     }
3490     return 0;
3491 }
3492 
3493 
3494 static int vnc_display_get_address(const char *addrstr,
3495                                    bool websocket,
3496                                    bool reverse,
3497                                    int displaynum,
3498                                    int to,
3499                                    bool has_ipv4,
3500                                    bool has_ipv6,
3501                                    bool ipv4,
3502                                    bool ipv6,
3503                                    SocketAddress **retaddr,
3504                                    Error **errp)
3505 {
3506     int ret = -1;
3507     SocketAddress *addr = NULL;
3508 
3509     addr = g_new0(SocketAddress, 1);
3510 
3511     if (strncmp(addrstr, "unix:", 5) == 0) {
3512         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3513         addr->u.q_unix.path = g_strdup(addrstr + 5);
3514 
3515         if (websocket) {
3516             error_setg(errp, "UNIX sockets not supported with websock");
3517             goto cleanup;
3518         }
3519 
3520         if (to) {
3521             error_setg(errp, "Port range not support with UNIX socket");
3522             goto cleanup;
3523         }
3524         ret = 0;
3525     } else {
3526         const char *port;
3527         size_t hostlen;
3528         unsigned long long baseport = 0;
3529         InetSocketAddress *inet;
3530 
3531         port = strrchr(addrstr, ':');
3532         if (!port) {
3533             if (websocket) {
3534                 hostlen = 0;
3535                 port = addrstr;
3536             } else {
3537                 error_setg(errp, "no vnc port specified");
3538                 goto cleanup;
3539             }
3540         } else {
3541             hostlen = port - addrstr;
3542             port++;
3543             if (*port == '\0') {
3544                 error_setg(errp, "vnc port cannot be empty");
3545                 goto cleanup;
3546             }
3547         }
3548 
3549         addr->type = SOCKET_ADDRESS_TYPE_INET;
3550         inet = &addr->u.inet;
3551         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3552             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3553         } else {
3554             inet->host = g_strndup(addrstr, hostlen);
3555         }
3556         /* plain VNC port is just an offset, for websocket
3557          * port is absolute */
3558         if (websocket) {
3559             if (g_str_equal(addrstr, "") ||
3560                 g_str_equal(addrstr, "on")) {
3561                 if (displaynum == -1) {
3562                     error_setg(errp, "explicit websocket port is required");
3563                     goto cleanup;
3564                 }
3565                 inet->port = g_strdup_printf(
3566                     "%d", displaynum + 5700);
3567                 if (to) {
3568                     inet->has_to = true;
3569                     inet->to = to + 5700;
3570                 }
3571             } else {
3572                 inet->port = g_strdup(port);
3573             }
3574         } else {
3575             int offset = reverse ? 0 : 5900;
3576             if (parse_uint_full(port, &baseport, 10) < 0) {
3577                 error_setg(errp, "can't convert to a number: %s", port);
3578                 goto cleanup;
3579             }
3580             if (baseport > 65535 ||
3581                 baseport + offset > 65535) {
3582                 error_setg(errp, "port %s out of range", port);
3583                 goto cleanup;
3584             }
3585             inet->port = g_strdup_printf(
3586                 "%d", (int)baseport + offset);
3587 
3588             if (to) {
3589                 inet->has_to = true;
3590                 inet->to = to + offset;
3591             }
3592         }
3593 
3594         inet->ipv4 = ipv4;
3595         inet->has_ipv4 = has_ipv4;
3596         inet->ipv6 = ipv6;
3597         inet->has_ipv6 = has_ipv6;
3598 
3599         ret = baseport;
3600     }
3601 
3602     *retaddr = addr;
3603 
3604  cleanup:
3605     if (ret < 0) {
3606         qapi_free_SocketAddress(addr);
3607     }
3608     return ret;
3609 }
3610 
3611 static void vnc_free_addresses(SocketAddress ***retsaddr,
3612                                size_t *retnsaddr)
3613 {
3614     size_t i;
3615 
3616     for (i = 0; i < *retnsaddr; i++) {
3617         qapi_free_SocketAddress((*retsaddr)[i]);
3618     }
3619     g_free(*retsaddr);
3620 
3621     *retsaddr = NULL;
3622     *retnsaddr = 0;
3623 }
3624 
3625 static int vnc_display_get_addresses(QemuOpts *opts,
3626                                      bool reverse,
3627                                      SocketAddress ***retsaddr,
3628                                      size_t *retnsaddr,
3629                                      SocketAddress ***retwsaddr,
3630                                      size_t *retnwsaddr,
3631                                      Error **errp)
3632 {
3633     SocketAddress *saddr = NULL;
3634     SocketAddress *wsaddr = NULL;
3635     QemuOptsIter addriter;
3636     const char *addr;
3637     int to = qemu_opt_get_number(opts, "to", 0);
3638     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3639     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3640     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3641     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3642     int displaynum = -1;
3643     int ret = -1;
3644 
3645     *retsaddr = NULL;
3646     *retnsaddr = 0;
3647     *retwsaddr = NULL;
3648     *retnwsaddr = 0;
3649 
3650     addr = qemu_opt_get(opts, "vnc");
3651     if (addr == NULL || g_str_equal(addr, "none")) {
3652         ret = 0;
3653         goto cleanup;
3654     }
3655     if (qemu_opt_get(opts, "websocket") &&
3656         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3657         error_setg(errp,
3658                    "SHA1 hash support is required for websockets");
3659         goto cleanup;
3660     }
3661 
3662     qemu_opt_iter_init(&addriter, opts, "vnc");
3663     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3664         int rv;
3665         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3666                                      has_ipv4, has_ipv6,
3667                                      ipv4, ipv6,
3668                                      &saddr, errp);
3669         if (rv < 0) {
3670             goto cleanup;
3671         }
3672         /* Historical compat - first listen address can be used
3673          * to set the default websocket port
3674          */
3675         if (displaynum == -1) {
3676             displaynum = rv;
3677         }
3678         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3679         (*retsaddr)[(*retnsaddr)++] = saddr;
3680     }
3681 
3682     /* If we had multiple primary displays, we don't do defaults
3683      * for websocket, and require explicit config instead. */
3684     if (*retnsaddr > 1) {
3685         displaynum = -1;
3686     }
3687 
3688     qemu_opt_iter_init(&addriter, opts, "websocket");
3689     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3690         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3691                                     has_ipv4, has_ipv6,
3692                                     ipv4, ipv6,
3693                                     &wsaddr, errp) < 0) {
3694             goto cleanup;
3695         }
3696 
3697         /* Historical compat - if only a single listen address was
3698          * provided, then this is used to set the default listen
3699          * address for websocket too
3700          */
3701         if (*retnsaddr == 1 &&
3702             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3703             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3704             g_str_equal(wsaddr->u.inet.host, "") &&
3705             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3706             g_free(wsaddr->u.inet.host);
3707             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3708         }
3709 
3710         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3711         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3712     }
3713 
3714     ret = 0;
3715  cleanup:
3716     if (ret < 0) {
3717         vnc_free_addresses(retsaddr, retnsaddr);
3718         vnc_free_addresses(retwsaddr, retnwsaddr);
3719     }
3720     return ret;
3721 }
3722 
3723 static int vnc_display_connect(VncDisplay *vd,
3724                                SocketAddress **saddr,
3725                                size_t nsaddr,
3726                                SocketAddress **wsaddr,
3727                                size_t nwsaddr,
3728                                Error **errp)
3729 {
3730     /* connect to viewer */
3731     QIOChannelSocket *sioc = NULL;
3732     if (nwsaddr != 0) {
3733         error_setg(errp, "Cannot use websockets in reverse mode");
3734         return -1;
3735     }
3736     if (nsaddr != 1) {
3737         error_setg(errp, "Expected a single address in reverse mode");
3738         return -1;
3739     }
3740     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3741     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3742     sioc = qio_channel_socket_new();
3743     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3744     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3745         return -1;
3746     }
3747     vnc_connect(vd, sioc, false, false);
3748     object_unref(OBJECT(sioc));
3749     return 0;
3750 }
3751 
3752 
3753 static int vnc_display_listen(VncDisplay *vd,
3754                               SocketAddress **saddr,
3755                               size_t nsaddr,
3756                               SocketAddress **wsaddr,
3757                               size_t nwsaddr,
3758                               Error **errp)
3759 {
3760     size_t i;
3761 
3762     if (nsaddr) {
3763         vd->listener = qio_net_listener_new();
3764         qio_net_listener_set_name(vd->listener, "vnc-listen");
3765         for (i = 0; i < nsaddr; i++) {
3766             if (qio_net_listener_open_sync(vd->listener,
3767                                            saddr[i], 1,
3768                                            errp) < 0)  {
3769                 return -1;
3770             }
3771         }
3772 
3773         qio_net_listener_set_client_func(vd->listener,
3774                                          vnc_listen_io, vd, NULL);
3775     }
3776 
3777     if (nwsaddr) {
3778         vd->wslistener = qio_net_listener_new();
3779         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3780         for (i = 0; i < nwsaddr; i++) {
3781             if (qio_net_listener_open_sync(vd->wslistener,
3782                                            wsaddr[i], 1,
3783                                            errp) < 0)  {
3784                 return -1;
3785             }
3786         }
3787 
3788         qio_net_listener_set_client_func(vd->wslistener,
3789                                          vnc_listen_io, vd, NULL);
3790     }
3791 
3792     return 0;
3793 }
3794 
3795 
3796 void vnc_display_open(const char *id, Error **errp)
3797 {
3798     VncDisplay *vd = vnc_display_find(id);
3799     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3800     SocketAddress **saddr = NULL, **wsaddr = NULL;
3801     size_t nsaddr, nwsaddr;
3802     const char *share, *device_id;
3803     QemuConsole *con;
3804     bool password = false;
3805     bool reverse = false;
3806     const char *credid;
3807     bool sasl = false;
3808     int acl = 0;
3809     const char *tlsauthz;
3810     const char *saslauthz;
3811     int lock_key_sync = 1;
3812     int key_delay_ms;
3813     const char *audiodev;
3814 
3815     if (!vd) {
3816         error_setg(errp, "VNC display not active");
3817         return;
3818     }
3819     vnc_display_close(vd);
3820 
3821     if (!opts) {
3822         return;
3823     }
3824 
3825     reverse = qemu_opt_get_bool(opts, "reverse", false);
3826     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3827                                   &wsaddr, &nwsaddr, errp) < 0) {
3828         goto fail;
3829     }
3830 
3831     password = qemu_opt_get_bool(opts, "password", false);
3832     if (password) {
3833         if (fips_get_state()) {
3834             error_setg(errp,
3835                        "VNC password auth disabled due to FIPS mode, "
3836                        "consider using the VeNCrypt or SASL authentication "
3837                        "methods as an alternative");
3838             goto fail;
3839         }
3840         if (!qcrypto_cipher_supports(
3841                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3842             error_setg(errp,
3843                        "Cipher backend does not support DES RFB algorithm");
3844             goto fail;
3845         }
3846     }
3847 
3848     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3849     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3850     sasl = qemu_opt_get_bool(opts, "sasl", false);
3851 #ifndef CONFIG_VNC_SASL
3852     if (sasl) {
3853         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3854         goto fail;
3855     }
3856 #endif /* CONFIG_VNC_SASL */
3857     credid = qemu_opt_get(opts, "tls-creds");
3858     if (credid) {
3859         Object *creds;
3860         creds = object_resolve_path_component(
3861             object_get_objects_root(), credid);
3862         if (!creds) {
3863             error_setg(errp, "No TLS credentials with id '%s'",
3864                        credid);
3865             goto fail;
3866         }
3867         vd->tlscreds = (QCryptoTLSCreds *)
3868             object_dynamic_cast(creds,
3869                                 TYPE_QCRYPTO_TLS_CREDS);
3870         if (!vd->tlscreds) {
3871             error_setg(errp, "Object with id '%s' is not TLS credentials",
3872                        credid);
3873             goto fail;
3874         }
3875         object_ref(OBJECT(vd->tlscreds));
3876 
3877         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3878             error_setg(errp,
3879                        "Expecting TLS credentials with a server endpoint");
3880             goto fail;
3881         }
3882     }
3883     if (qemu_opt_get(opts, "acl")) {
3884         error_report("The 'acl' option to -vnc is deprecated. "
3885                      "Please use the 'tls-authz' and 'sasl-authz' "
3886                      "options instead");
3887     }
3888     acl = qemu_opt_get_bool(opts, "acl", false);
3889     tlsauthz = qemu_opt_get(opts, "tls-authz");
3890     if (acl && tlsauthz) {
3891         error_setg(errp, "'acl' option is mutually exclusive with the "
3892                    "'tls-authz' option");
3893         goto fail;
3894     }
3895     if (tlsauthz && !vd->tlscreds) {
3896         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3897         goto fail;
3898     }
3899 
3900     saslauthz = qemu_opt_get(opts, "sasl-authz");
3901     if (acl && saslauthz) {
3902         error_setg(errp, "'acl' option is mutually exclusive with the "
3903                    "'sasl-authz' option");
3904         goto fail;
3905     }
3906     if (saslauthz && !sasl) {
3907         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3908         goto fail;
3909     }
3910 
3911     share = qemu_opt_get(opts, "share");
3912     if (share) {
3913         if (strcmp(share, "ignore") == 0) {
3914             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3915         } else if (strcmp(share, "allow-exclusive") == 0) {
3916             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3917         } else if (strcmp(share, "force-shared") == 0) {
3918             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3919         } else {
3920             error_setg(errp, "unknown vnc share= option");
3921             goto fail;
3922         }
3923     } else {
3924         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3925     }
3926     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3927 
3928 #ifdef CONFIG_VNC_JPEG
3929     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3930 #endif
3931     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3932     /* adaptive updates are only used with tight encoding and
3933      * if lossy updates are enabled so we can disable all the
3934      * calculations otherwise */
3935     if (!vd->lossy) {
3936         vd->non_adaptive = true;
3937     }
3938 
3939     if (tlsauthz) {
3940         vd->tlsauthzid = g_strdup(tlsauthz);
3941     } else if (acl) {
3942         if (strcmp(vd->id, "default") == 0) {
3943             vd->tlsauthzid = g_strdup("vnc.x509dname");
3944         } else {
3945             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3946         }
3947         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3948                                               QAUTHZ_LIST_POLICY_DENY,
3949                                               &error_abort));
3950     }
3951 #ifdef CONFIG_VNC_SASL
3952     if (sasl) {
3953         if (saslauthz) {
3954             vd->sasl.authzid = g_strdup(saslauthz);
3955         } else if (acl) {
3956             if (strcmp(vd->id, "default") == 0) {
3957                 vd->sasl.authzid = g_strdup("vnc.username");
3958             } else {
3959                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3960             }
3961             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3962                                                     QAUTHZ_LIST_POLICY_DENY,
3963                                                     &error_abort));
3964         }
3965     }
3966 #endif
3967 
3968     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3969                                vd->tlscreds, password,
3970                                sasl, false, errp) < 0) {
3971         goto fail;
3972     }
3973     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3974 
3975     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3976                                vd->tlscreds, password,
3977                                sasl, true, errp) < 0) {
3978         goto fail;
3979     }
3980     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3981 
3982 #ifdef CONFIG_VNC_SASL
3983     if (sasl) {
3984         int saslErr = sasl_server_init(NULL, "qemu");
3985 
3986         if (saslErr != SASL_OK) {
3987             error_setg(errp, "Failed to initialize SASL auth: %s",
3988                        sasl_errstring(saslErr, NULL, NULL));
3989             goto fail;
3990         }
3991     }
3992 #endif
3993     vd->lock_key_sync = lock_key_sync;
3994     if (lock_key_sync) {
3995         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3996     }
3997     vd->ledstate = 0;
3998 
3999     audiodev = qemu_opt_get(opts, "audiodev");
4000     if (audiodev) {
4001         vd->audio_state = audio_state_by_name(audiodev);
4002         if (!vd->audio_state) {
4003             error_setg(errp, "Audiodev '%s' not found", audiodev);
4004             goto fail;
4005         }
4006     }
4007 
4008     device_id = qemu_opt_get(opts, "display");
4009     if (device_id) {
4010         int head = qemu_opt_get_number(opts, "head", 0);
4011         Error *err = NULL;
4012 
4013         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4014         if (err) {
4015             error_propagate(errp, err);
4016             goto fail;
4017         }
4018     } else {
4019         con = NULL;
4020     }
4021 
4022     if (con != vd->dcl.con) {
4023         qkbd_state_free(vd->kbd);
4024         unregister_displaychangelistener(&vd->dcl);
4025         vd->dcl.con = con;
4026         register_displaychangelistener(&vd->dcl);
4027         vd->kbd = qkbd_state_init(vd->dcl.con);
4028     }
4029     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4030 
4031     if (saddr == NULL) {
4032         goto cleanup;
4033     }
4034 
4035     if (reverse) {
4036         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4037             goto fail;
4038         }
4039     } else {
4040         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4041             goto fail;
4042         }
4043     }
4044 
4045     if (qemu_opt_get(opts, "to")) {
4046         vnc_display_print_local_addr(vd);
4047     }
4048 
4049  cleanup:
4050     vnc_free_addresses(&saddr, &nsaddr);
4051     vnc_free_addresses(&wsaddr, &nwsaddr);
4052     return;
4053 
4054 fail:
4055     vnc_display_close(vd);
4056     goto cleanup;
4057 }
4058 
4059 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4060 {
4061     VncDisplay *vd = vnc_display_find(id);
4062     QIOChannelSocket *sioc;
4063 
4064     if (!vd) {
4065         return;
4066     }
4067 
4068     sioc = qio_channel_socket_new_fd(csock, NULL);
4069     if (sioc) {
4070         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4071         vnc_connect(vd, sioc, skipauth, false);
4072         object_unref(OBJECT(sioc));
4073     }
4074 }
4075 
4076 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4077 {
4078     int i = 2;
4079     char *id;
4080 
4081     id = g_strdup("default");
4082     while (qemu_opts_find(olist, id)) {
4083         g_free(id);
4084         id = g_strdup_printf("vnc%d", i++);
4085     }
4086     qemu_opts_set_id(opts, id);
4087 }
4088 
4089 QemuOpts *vnc_parse(const char *str, Error **errp)
4090 {
4091     QemuOptsList *olist = qemu_find_opts("vnc");
4092     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4093     const char *id;
4094 
4095     if (!opts) {
4096         return NULL;
4097     }
4098 
4099     id = qemu_opts_id(opts);
4100     if (!id) {
4101         /* auto-assign id if not present */
4102         vnc_auto_assign_id(olist, opts);
4103     }
4104     return opts;
4105 }
4106 
4107 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4108 {
4109     Error *local_err = NULL;
4110     char *id = (char *)qemu_opts_id(opts);
4111 
4112     assert(id);
4113     vnc_display_init(id, &local_err);
4114     if (local_err) {
4115         error_propagate(errp, local_err);
4116         return -1;
4117     }
4118     vnc_display_open(id, &local_err);
4119     if (local_err != NULL) {
4120         error_propagate(errp, local_err);
4121         return -1;
4122     }
4123     return 0;
4124 }
4125 
4126 static void vnc_register_config(void)
4127 {
4128     qemu_add_opts(&qemu_vnc_opts);
4129 }
4130 opts_init(vnc_register_config);
4131