xref: /openbmc/qemu/ui/vnc.c (revision 21f5826a)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "trace.h"
30 #include "hw/qdev.h"
31 #include "sysemu/sysemu.h"
32 #include "qemu/sockets.h"
33 #include "qemu/timer.h"
34 #include "qemu/acl.h"
35 #include "qemu/config-file.h"
36 #include "qapi/qmp/types.h"
37 #include "qmp-commands.h"
38 #include "qemu/osdep.h"
39 #include "ui/input.h"
40 #include "qapi-event.h"
41 
42 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
43 #define VNC_REFRESH_INTERVAL_INC  50
44 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
45 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
46 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
47 
48 #include "vnc_keysym.h"
49 #include "d3des.h"
50 
51 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
52     QTAILQ_HEAD_INITIALIZER(vnc_displays);
53 
54 static int vnc_cursor_define(VncState *vs);
55 static void vnc_release_modifiers(VncState *vs);
56 
57 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
58 {
59 #ifdef _VNC_DEBUG
60     static const char *mn[] = {
61         [0]                           = "undefined",
62         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
63         [VNC_SHARE_MODE_SHARED]       = "shared",
64         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
65         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
66     };
67     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
68             vs->csock, mn[vs->share_mode], mn[mode]);
69 #endif
70 
71     switch (vs->share_mode) {
72     case VNC_SHARE_MODE_CONNECTING:
73         vs->vd->num_connecting--;
74         break;
75     case VNC_SHARE_MODE_SHARED:
76         vs->vd->num_shared--;
77         break;
78     case VNC_SHARE_MODE_EXCLUSIVE:
79         vs->vd->num_exclusive--;
80         break;
81     default:
82         break;
83     }
84 
85     vs->share_mode = mode;
86 
87     switch (vs->share_mode) {
88     case VNC_SHARE_MODE_CONNECTING:
89         vs->vd->num_connecting++;
90         break;
91     case VNC_SHARE_MODE_SHARED:
92         vs->vd->num_shared++;
93         break;
94     case VNC_SHARE_MODE_EXCLUSIVE:
95         vs->vd->num_exclusive++;
96         break;
97     default:
98         break;
99     }
100 }
101 
102 static char *addr_to_string(const char *format,
103                             struct sockaddr_storage *sa,
104                             socklen_t salen) {
105     char *addr;
106     char host[NI_MAXHOST];
107     char serv[NI_MAXSERV];
108     int err;
109     size_t addrlen;
110 
111     if ((err = getnameinfo((struct sockaddr *)sa, salen,
112                            host, sizeof(host),
113                            serv, sizeof(serv),
114                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
115         VNC_DEBUG("Cannot resolve address %d: %s\n",
116                   err, gai_strerror(err));
117         return NULL;
118     }
119 
120     /* Enough for the existing format + the 2 vars we're
121      * substituting in. */
122     addrlen = strlen(format) + strlen(host) + strlen(serv);
123     addr = g_malloc(addrlen + 1);
124     snprintf(addr, addrlen, format, host, serv);
125     addr[addrlen] = '\0';
126 
127     return addr;
128 }
129 
130 
131 char *vnc_socket_local_addr(const char *format, int fd) {
132     struct sockaddr_storage sa;
133     socklen_t salen;
134 
135     salen = sizeof(sa);
136     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
137         return NULL;
138 
139     return addr_to_string(format, &sa, salen);
140 }
141 
142 char *vnc_socket_remote_addr(const char *format, int fd) {
143     struct sockaddr_storage sa;
144     socklen_t salen;
145 
146     salen = sizeof(sa);
147     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
148         return NULL;
149 
150     return addr_to_string(format, &sa, salen);
151 }
152 
153 static VncBasicInfo *vnc_basic_info_get(struct sockaddr_storage *sa,
154                                         socklen_t salen)
155 {
156     VncBasicInfo *info;
157     char host[NI_MAXHOST];
158     char serv[NI_MAXSERV];
159     int err;
160 
161     if ((err = getnameinfo((struct sockaddr *)sa, salen,
162                            host, sizeof(host),
163                            serv, sizeof(serv),
164                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
165         VNC_DEBUG("Cannot resolve address %d: %s\n",
166                   err, gai_strerror(err));
167         return NULL;
168     }
169 
170     info = g_malloc0(sizeof(VncBasicInfo));
171     info->host = g_strdup(host);
172     info->service = g_strdup(serv);
173     info->family = inet_netfamily(sa->ss_family);
174     return info;
175 }
176 
177 static VncBasicInfo *vnc_basic_info_get_from_server_addr(int fd)
178 {
179     struct sockaddr_storage sa;
180     socklen_t salen;
181 
182     salen = sizeof(sa);
183     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
184         return NULL;
185     }
186 
187     return vnc_basic_info_get(&sa, salen);
188 }
189 
190 static VncBasicInfo *vnc_basic_info_get_from_remote_addr(int fd)
191 {
192     struct sockaddr_storage sa;
193     socklen_t salen;
194 
195     salen = sizeof(sa);
196     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
197         return NULL;
198     }
199 
200     return vnc_basic_info_get(&sa, salen);
201 }
202 
203 static const char *vnc_auth_name(VncDisplay *vd) {
204     switch (vd->auth) {
205     case VNC_AUTH_INVALID:
206         return "invalid";
207     case VNC_AUTH_NONE:
208         return "none";
209     case VNC_AUTH_VNC:
210         return "vnc";
211     case VNC_AUTH_RA2:
212         return "ra2";
213     case VNC_AUTH_RA2NE:
214         return "ra2ne";
215     case VNC_AUTH_TIGHT:
216         return "tight";
217     case VNC_AUTH_ULTRA:
218         return "ultra";
219     case VNC_AUTH_TLS:
220         return "tls";
221     case VNC_AUTH_VENCRYPT:
222 #ifdef CONFIG_VNC_TLS
223         switch (vd->subauth) {
224         case VNC_AUTH_VENCRYPT_PLAIN:
225             return "vencrypt+plain";
226         case VNC_AUTH_VENCRYPT_TLSNONE:
227             return "vencrypt+tls+none";
228         case VNC_AUTH_VENCRYPT_TLSVNC:
229             return "vencrypt+tls+vnc";
230         case VNC_AUTH_VENCRYPT_TLSPLAIN:
231             return "vencrypt+tls+plain";
232         case VNC_AUTH_VENCRYPT_X509NONE:
233             return "vencrypt+x509+none";
234         case VNC_AUTH_VENCRYPT_X509VNC:
235             return "vencrypt+x509+vnc";
236         case VNC_AUTH_VENCRYPT_X509PLAIN:
237             return "vencrypt+x509+plain";
238         case VNC_AUTH_VENCRYPT_TLSSASL:
239             return "vencrypt+tls+sasl";
240         case VNC_AUTH_VENCRYPT_X509SASL:
241             return "vencrypt+x509+sasl";
242         default:
243             return "vencrypt";
244         }
245 #else
246         return "vencrypt";
247 #endif
248     case VNC_AUTH_SASL:
249         return "sasl";
250     }
251     return "unknown";
252 }
253 
254 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
255 {
256     VncServerInfo *info;
257     VncBasicInfo *bi = vnc_basic_info_get_from_server_addr(vd->lsock);
258     if (!bi) {
259         return NULL;
260     }
261 
262     info = g_malloc(sizeof(*info));
263     info->base = bi;
264     info->has_auth = true;
265     info->auth = g_strdup(vnc_auth_name(vd));
266     return info;
267 }
268 
269 static void vnc_client_cache_auth(VncState *client)
270 {
271     if (!client->info) {
272         return;
273     }
274 
275 #ifdef CONFIG_VNC_TLS
276     if (client->tls.session &&
277         client->tls.dname) {
278         client->info->has_x509_dname = true;
279         client->info->x509_dname = g_strdup(client->tls.dname);
280     }
281 #endif
282 #ifdef CONFIG_VNC_SASL
283     if (client->sasl.conn &&
284         client->sasl.username) {
285         client->info->has_sasl_username = true;
286         client->info->sasl_username = g_strdup(client->sasl.username);
287     }
288 #endif
289 }
290 
291 static void vnc_client_cache_addr(VncState *client)
292 {
293     VncBasicInfo *bi = vnc_basic_info_get_from_remote_addr(client->csock);
294 
295     if (bi) {
296         client->info = g_malloc0(sizeof(*client->info));
297         client->info->base = bi;
298     }
299 }
300 
301 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
302 {
303     VncServerInfo *si;
304 
305     if (!vs->info) {
306         return;
307     }
308     g_assert(vs->info->base);
309 
310     si = vnc_server_info_get(vs->vd);
311     if (!si) {
312         return;
313     }
314 
315     switch (event) {
316     case QAPI_EVENT_VNC_CONNECTED:
317         qapi_event_send_vnc_connected(si, vs->info->base, &error_abort);
318         break;
319     case QAPI_EVENT_VNC_INITIALIZED:
320         qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
321         break;
322     case QAPI_EVENT_VNC_DISCONNECTED:
323         qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
324         break;
325     default:
326         break;
327     }
328 
329     qapi_free_VncServerInfo(si);
330 }
331 
332 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
333 {
334     struct sockaddr_storage sa;
335     socklen_t salen = sizeof(sa);
336     char host[NI_MAXHOST];
337     char serv[NI_MAXSERV];
338     VncClientInfo *info;
339 
340     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
341         return NULL;
342     }
343 
344     if (getnameinfo((struct sockaddr *)&sa, salen,
345                     host, sizeof(host),
346                     serv, sizeof(serv),
347                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
348         return NULL;
349     }
350 
351     info = g_malloc0(sizeof(*info));
352     info->base = g_malloc0(sizeof(*info->base));
353     info->base->host = g_strdup(host);
354     info->base->service = g_strdup(serv);
355     info->base->family = inet_netfamily(sa.ss_family);
356 #ifdef CONFIG_VNC_WS
357     info->base->websocket = client->websocket;
358 #endif
359 
360 #ifdef CONFIG_VNC_TLS
361     if (client->tls.session && client->tls.dname) {
362         info->has_x509_dname = true;
363         info->x509_dname = g_strdup(client->tls.dname);
364     }
365 #endif
366 #ifdef CONFIG_VNC_SASL
367     if (client->sasl.conn && client->sasl.username) {
368         info->has_sasl_username = true;
369         info->sasl_username = g_strdup(client->sasl.username);
370     }
371 #endif
372 
373     return info;
374 }
375 
376 static VncDisplay *vnc_display_find(const char *id)
377 {
378     VncDisplay *vd;
379 
380     if (id == NULL) {
381         return QTAILQ_FIRST(&vnc_displays);
382     }
383     QTAILQ_FOREACH(vd, &vnc_displays, next) {
384         if (strcmp(id, vd->id) == 0) {
385             return vd;
386         }
387     }
388     return NULL;
389 }
390 
391 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
392 {
393     VncClientInfoList *cinfo, *prev = NULL;
394     VncState *client;
395 
396     QTAILQ_FOREACH(client, &vd->clients, next) {
397         cinfo = g_new0(VncClientInfoList, 1);
398         cinfo->value = qmp_query_vnc_client(client);
399         cinfo->next = prev;
400         prev = cinfo;
401     }
402     return prev;
403 }
404 
405 VncInfo *qmp_query_vnc(Error **errp)
406 {
407     VncInfo *info = g_malloc0(sizeof(*info));
408     VncDisplay *vd = vnc_display_find(NULL);
409 
410     if (vd == NULL || vd->display == NULL) {
411         info->enabled = false;
412     } else {
413         struct sockaddr_storage sa;
414         socklen_t salen = sizeof(sa);
415         char host[NI_MAXHOST];
416         char serv[NI_MAXSERV];
417 
418         info->enabled = true;
419 
420         /* for compatibility with the original command */
421         info->has_clients = true;
422         info->clients = qmp_query_client_list(vd);
423 
424         if (vd->lsock == -1) {
425             return info;
426         }
427 
428         if (getsockname(vd->lsock, (struct sockaddr *)&sa,
429                         &salen) == -1) {
430             error_set(errp, QERR_UNDEFINED_ERROR);
431             goto out_error;
432         }
433 
434         if (getnameinfo((struct sockaddr *)&sa, salen,
435                         host, sizeof(host),
436                         serv, sizeof(serv),
437                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
438             error_set(errp, QERR_UNDEFINED_ERROR);
439             goto out_error;
440         }
441 
442         info->has_host = true;
443         info->host = g_strdup(host);
444 
445         info->has_service = true;
446         info->service = g_strdup(serv);
447 
448         info->has_family = true;
449         info->family = inet_netfamily(sa.ss_family);
450 
451         info->has_auth = true;
452         info->auth = g_strdup(vnc_auth_name(vd));
453     }
454 
455     return info;
456 
457 out_error:
458     qapi_free_VncInfo(info);
459     return NULL;
460 }
461 
462 static VncBasicInfoList *qmp_query_server_entry(int socket,
463                                                 bool websocket,
464                                                 VncBasicInfoList *prev)
465 {
466     VncBasicInfoList *list;
467     VncBasicInfo *info;
468     struct sockaddr_storage sa;
469     socklen_t salen = sizeof(sa);
470     char host[NI_MAXHOST];
471     char serv[NI_MAXSERV];
472 
473     if (getsockname(socket, (struct sockaddr *)&sa, &salen) < 0 ||
474         getnameinfo((struct sockaddr *)&sa, salen,
475                     host, sizeof(host), serv, sizeof(serv),
476                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
477         return prev;
478     }
479 
480     info = g_new0(VncBasicInfo, 1);
481     info->host = g_strdup(host);
482     info->service = g_strdup(serv);
483     info->family = inet_netfamily(sa.ss_family);
484     info->websocket = websocket;
485 
486     list = g_new0(VncBasicInfoList, 1);
487     list->value = info;
488     list->next = prev;
489     return list;
490 }
491 
492 static void qmp_query_auth(VncDisplay *vd, VncInfo2 *info)
493 {
494     switch (vd->auth) {
495     case VNC_AUTH_VNC:
496         info->auth = VNC_PRIMARY_AUTH_VNC;
497         break;
498     case VNC_AUTH_RA2:
499         info->auth = VNC_PRIMARY_AUTH_RA2;
500         break;
501     case VNC_AUTH_RA2NE:
502         info->auth = VNC_PRIMARY_AUTH_RA2NE;
503         break;
504     case VNC_AUTH_TIGHT:
505         info->auth = VNC_PRIMARY_AUTH_TIGHT;
506         break;
507     case VNC_AUTH_ULTRA:
508         info->auth = VNC_PRIMARY_AUTH_ULTRA;
509         break;
510     case VNC_AUTH_TLS:
511         info->auth = VNC_PRIMARY_AUTH_TLS;
512         break;
513     case VNC_AUTH_VENCRYPT:
514         info->auth = VNC_PRIMARY_AUTH_VENCRYPT;
515 #ifdef CONFIG_VNC_TLS
516         info->has_vencrypt = true;
517         switch (vd->subauth) {
518         case VNC_AUTH_VENCRYPT_PLAIN:
519             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
520             break;
521         case VNC_AUTH_VENCRYPT_TLSNONE:
522             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
523             break;
524         case VNC_AUTH_VENCRYPT_TLSVNC:
525             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
526             break;
527         case VNC_AUTH_VENCRYPT_TLSPLAIN:
528             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
529             break;
530         case VNC_AUTH_VENCRYPT_X509NONE:
531             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
532             break;
533         case VNC_AUTH_VENCRYPT_X509VNC:
534             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
535             break;
536         case VNC_AUTH_VENCRYPT_X509PLAIN:
537             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
538             break;
539         case VNC_AUTH_VENCRYPT_TLSSASL:
540             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
541             break;
542         case VNC_AUTH_VENCRYPT_X509SASL:
543             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
544             break;
545         default:
546             info->has_vencrypt = false;
547             break;
548         }
549 #endif
550         break;
551     case VNC_AUTH_SASL:
552         info->auth = VNC_PRIMARY_AUTH_SASL;
553         break;
554     case VNC_AUTH_NONE:
555     default:
556         info->auth = VNC_PRIMARY_AUTH_NONE;
557         break;
558     }
559 }
560 
561 VncInfo2List *qmp_query_vnc_servers(Error **errp)
562 {
563     VncInfo2List *item, *prev = NULL;
564     VncInfo2 *info;
565     VncDisplay *vd;
566     DeviceState *dev;
567 
568     QTAILQ_FOREACH(vd, &vnc_displays, next) {
569         info = g_new0(VncInfo2, 1);
570         info->id = g_strdup(vd->id);
571         info->clients = qmp_query_client_list(vd);
572         qmp_query_auth(vd, info);
573         if (vd->dcl.con) {
574             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
575                                                   "device", NULL));
576             info->has_display = true;
577             info->display = g_strdup(dev->id);
578         }
579         if (vd->lsock != -1) {
580             info->server = qmp_query_server_entry(vd->lsock, false,
581                                                   info->server);
582         }
583 #ifdef CONFIG_VNC_WS
584         if (vd->lwebsock != -1) {
585             info->server = qmp_query_server_entry(vd->lwebsock, true,
586                                                   info->server);
587         }
588 #endif
589 
590         item = g_new0(VncInfo2List, 1);
591         item->value = info;
592         item->next = prev;
593         prev = item;
594     }
595     return prev;
596 }
597 
598 /* TODO
599    1) Get the queue working for IO.
600    2) there is some weirdness when using the -S option (the screen is grey
601       and not totally invalidated
602    3) resolutions > 1024
603 */
604 
605 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
606 static void vnc_disconnect_start(VncState *vs);
607 
608 static void vnc_colordepth(VncState *vs);
609 static void framebuffer_update_request(VncState *vs, int incremental,
610                                        int x_position, int y_position,
611                                        int w, int h);
612 static void vnc_refresh(DisplayChangeListener *dcl);
613 static int vnc_refresh_server_surface(VncDisplay *vd);
614 
615 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
616                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
617                                int width, int height,
618                                int x, int y, int w, int h) {
619     /* this is needed this to ensure we updated all affected
620      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
621     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
622     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
623 
624     x = MIN(x, width);
625     y = MIN(y, height);
626     w = MIN(x + w, width) - x;
627     h = MIN(y + h, height);
628 
629     for (; y < h; y++) {
630         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
631                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
632     }
633 }
634 
635 static void vnc_dpy_update(DisplayChangeListener *dcl,
636                            int x, int y, int w, int h)
637 {
638     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
639     struct VncSurface *s = &vd->guest;
640     int width = pixman_image_get_width(vd->server);
641     int height = pixman_image_get_height(vd->server);
642 
643     vnc_set_area_dirty(s->dirty, width, height, x, y, w, h);
644 }
645 
646 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
647                             int32_t encoding)
648 {
649     vnc_write_u16(vs, x);
650     vnc_write_u16(vs, y);
651     vnc_write_u16(vs, w);
652     vnc_write_u16(vs, h);
653 
654     vnc_write_s32(vs, encoding);
655 }
656 
657 void buffer_reserve(Buffer *buffer, size_t len)
658 {
659     if ((buffer->capacity - buffer->offset) < len) {
660         buffer->capacity += (len + 1024);
661         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
662     }
663 }
664 
665 static int buffer_empty(Buffer *buffer)
666 {
667     return buffer->offset == 0;
668 }
669 
670 uint8_t *buffer_end(Buffer *buffer)
671 {
672     return buffer->buffer + buffer->offset;
673 }
674 
675 void buffer_reset(Buffer *buffer)
676 {
677         buffer->offset = 0;
678 }
679 
680 void buffer_free(Buffer *buffer)
681 {
682     g_free(buffer->buffer);
683     buffer->offset = 0;
684     buffer->capacity = 0;
685     buffer->buffer = NULL;
686 }
687 
688 void buffer_append(Buffer *buffer, const void *data, size_t len)
689 {
690     memcpy(buffer->buffer + buffer->offset, data, len);
691     buffer->offset += len;
692 }
693 
694 void buffer_advance(Buffer *buf, size_t len)
695 {
696     memmove(buf->buffer, buf->buffer + len,
697             (buf->offset - len));
698     buf->offset -= len;
699 }
700 
701 static void vnc_desktop_resize(VncState *vs)
702 {
703     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
704         return;
705     }
706     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
707         vs->client_height == pixman_image_get_height(vs->vd->server)) {
708         return;
709     }
710     vs->client_width = pixman_image_get_width(vs->vd->server);
711     vs->client_height = pixman_image_get_height(vs->vd->server);
712     vnc_lock_output(vs);
713     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
714     vnc_write_u8(vs, 0);
715     vnc_write_u16(vs, 1); /* number of rects */
716     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
717                            VNC_ENCODING_DESKTOPRESIZE);
718     vnc_unlock_output(vs);
719     vnc_flush(vs);
720 }
721 
722 static void vnc_abort_display_jobs(VncDisplay *vd)
723 {
724     VncState *vs;
725 
726     QTAILQ_FOREACH(vs, &vd->clients, next) {
727         vnc_lock_output(vs);
728         vs->abort = true;
729         vnc_unlock_output(vs);
730     }
731     QTAILQ_FOREACH(vs, &vd->clients, next) {
732         vnc_jobs_join(vs);
733     }
734     QTAILQ_FOREACH(vs, &vd->clients, next) {
735         vnc_lock_output(vs);
736         vs->abort = false;
737         vnc_unlock_output(vs);
738     }
739 }
740 
741 int vnc_server_fb_stride(VncDisplay *vd)
742 {
743     return pixman_image_get_stride(vd->server);
744 }
745 
746 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
747 {
748     uint8_t *ptr;
749 
750     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
751     ptr += y * vnc_server_fb_stride(vd);
752     ptr += x * VNC_SERVER_FB_BYTES;
753     return ptr;
754 }
755 
756 static void vnc_dpy_switch(DisplayChangeListener *dcl,
757                            DisplaySurface *surface)
758 {
759     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
760     VncState *vs;
761     int width, height;
762 
763     vnc_abort_display_jobs(vd);
764 
765     /* server surface */
766     qemu_pixman_image_unref(vd->server);
767     vd->ds = surface;
768     width = MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
769                                         VNC_DIRTY_PIXELS_PER_BIT));
770     height = MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
771     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
772                                           width, height, NULL, 0);
773 
774     /* guest surface */
775 #if 0 /* FIXME */
776     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
777         console_color_init(ds);
778 #endif
779     qemu_pixman_image_unref(vd->guest.fb);
780     vd->guest.fb = pixman_image_ref(surface->image);
781     vd->guest.format = surface->format;
782     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
783     vnc_set_area_dirty(vd->guest.dirty, width, height, 0, 0,
784                        width, height);
785 
786     QTAILQ_FOREACH(vs, &vd->clients, next) {
787         vnc_colordepth(vs);
788         vnc_desktop_resize(vs);
789         if (vs->vd->cursor) {
790             vnc_cursor_define(vs);
791         }
792         memset(vs->dirty, 0x00, sizeof(vs->dirty));
793         vnc_set_area_dirty(vs->dirty, width, height, 0, 0,
794                            width, height);
795     }
796 }
797 
798 /* fastest code */
799 static void vnc_write_pixels_copy(VncState *vs,
800                                   void *pixels, int size)
801 {
802     vnc_write(vs, pixels, size);
803 }
804 
805 /* slowest but generic code. */
806 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
807 {
808     uint8_t r, g, b;
809 
810 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
811     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
812     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
813     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
814 #else
815 # error need some bits here if you change VNC_SERVER_FB_FORMAT
816 #endif
817     v = (r << vs->client_pf.rshift) |
818         (g << vs->client_pf.gshift) |
819         (b << vs->client_pf.bshift);
820     switch (vs->client_pf.bytes_per_pixel) {
821     case 1:
822         buf[0] = v;
823         break;
824     case 2:
825         if (vs->client_be) {
826             buf[0] = v >> 8;
827             buf[1] = v;
828         } else {
829             buf[1] = v >> 8;
830             buf[0] = v;
831         }
832         break;
833     default:
834     case 4:
835         if (vs->client_be) {
836             buf[0] = v >> 24;
837             buf[1] = v >> 16;
838             buf[2] = v >> 8;
839             buf[3] = v;
840         } else {
841             buf[3] = v >> 24;
842             buf[2] = v >> 16;
843             buf[1] = v >> 8;
844             buf[0] = v;
845         }
846         break;
847     }
848 }
849 
850 static void vnc_write_pixels_generic(VncState *vs,
851                                      void *pixels1, int size)
852 {
853     uint8_t buf[4];
854 
855     if (VNC_SERVER_FB_BYTES == 4) {
856         uint32_t *pixels = pixels1;
857         int n, i;
858         n = size >> 2;
859         for (i = 0; i < n; i++) {
860             vnc_convert_pixel(vs, buf, pixels[i]);
861             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
862         }
863     }
864 }
865 
866 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
867 {
868     int i;
869     uint8_t *row;
870     VncDisplay *vd = vs->vd;
871 
872     row = vnc_server_fb_ptr(vd, x, y);
873     for (i = 0; i < h; i++) {
874         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
875         row += vnc_server_fb_stride(vd);
876     }
877     return 1;
878 }
879 
880 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
881 {
882     int n = 0;
883 
884     switch(vs->vnc_encoding) {
885         case VNC_ENCODING_ZLIB:
886             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
887             break;
888         case VNC_ENCODING_HEXTILE:
889             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
890             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
891             break;
892         case VNC_ENCODING_TIGHT:
893             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
894             break;
895         case VNC_ENCODING_TIGHT_PNG:
896             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
897             break;
898         case VNC_ENCODING_ZRLE:
899             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
900             break;
901         case VNC_ENCODING_ZYWRLE:
902             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
903             break;
904         default:
905             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
906             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
907             break;
908     }
909     return n;
910 }
911 
912 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
913 {
914     /* send bitblit op to the vnc client */
915     vnc_lock_output(vs);
916     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
917     vnc_write_u8(vs, 0);
918     vnc_write_u16(vs, 1); /* number of rects */
919     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
920     vnc_write_u16(vs, src_x);
921     vnc_write_u16(vs, src_y);
922     vnc_unlock_output(vs);
923     vnc_flush(vs);
924 }
925 
926 static void vnc_dpy_copy(DisplayChangeListener *dcl,
927                          int src_x, int src_y,
928                          int dst_x, int dst_y, int w, int h)
929 {
930     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
931     VncState *vs, *vn;
932     uint8_t *src_row;
933     uint8_t *dst_row;
934     int i, x, y, pitch, inc, w_lim, s;
935     int cmp_bytes;
936 
937     vnc_refresh_server_surface(vd);
938     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
939         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
940             vs->force_update = 1;
941             vnc_update_client(vs, 1, true);
942             /* vs might be free()ed here */
943         }
944     }
945 
946     /* do bitblit op on the local surface too */
947     pitch = vnc_server_fb_stride(vd);
948     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
949     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
950     y = dst_y;
951     inc = 1;
952     if (dst_y > src_y) {
953         /* copy backwards */
954         src_row += pitch * (h-1);
955         dst_row += pitch * (h-1);
956         pitch = -pitch;
957         y = dst_y + h - 1;
958         inc = -1;
959     }
960     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
961     if (w_lim < 0) {
962         w_lim = w;
963     } else {
964         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
965     }
966     for (i = 0; i < h; i++) {
967         for (x = 0; x <= w_lim;
968                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
969             if (x == w_lim) {
970                 if ((s = w - w_lim) == 0)
971                     break;
972             } else if (!x) {
973                 s = (VNC_DIRTY_PIXELS_PER_BIT -
974                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
975                 s = MIN(s, w_lim);
976             } else {
977                 s = VNC_DIRTY_PIXELS_PER_BIT;
978             }
979             cmp_bytes = s * VNC_SERVER_FB_BYTES;
980             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
981                 continue;
982             memmove(dst_row, src_row, cmp_bytes);
983             QTAILQ_FOREACH(vs, &vd->clients, next) {
984                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
985                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
986                             vs->dirty[y]);
987                 }
988             }
989         }
990         src_row += pitch - w * VNC_SERVER_FB_BYTES;
991         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
992         y += inc;
993     }
994 
995     QTAILQ_FOREACH(vs, &vd->clients, next) {
996         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
997             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
998         }
999     }
1000 }
1001 
1002 static void vnc_mouse_set(DisplayChangeListener *dcl,
1003                           int x, int y, int visible)
1004 {
1005     /* can we ask the client(s) to move the pointer ??? */
1006 }
1007 
1008 static int vnc_cursor_define(VncState *vs)
1009 {
1010     QEMUCursor *c = vs->vd->cursor;
1011     int isize;
1012 
1013     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1014         vnc_lock_output(vs);
1015         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1016         vnc_write_u8(vs,  0);  /*  padding     */
1017         vnc_write_u16(vs, 1);  /*  # of rects  */
1018         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1019                                VNC_ENCODING_RICH_CURSOR);
1020         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1021         vnc_write_pixels_generic(vs, c->data, isize);
1022         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1023         vnc_unlock_output(vs);
1024         return 0;
1025     }
1026     return -1;
1027 }
1028 
1029 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1030                                   QEMUCursor *c)
1031 {
1032     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1033     VncState *vs;
1034 
1035     cursor_put(vd->cursor);
1036     g_free(vd->cursor_mask);
1037 
1038     vd->cursor = c;
1039     cursor_get(vd->cursor);
1040     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1041     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1042     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1043 
1044     QTAILQ_FOREACH(vs, &vd->clients, next) {
1045         vnc_cursor_define(vs);
1046     }
1047 }
1048 
1049 static int find_and_clear_dirty_height(struct VncState *vs,
1050                                        int y, int last_x, int x, int height)
1051 {
1052     int h;
1053 
1054     for (h = 1; h < (height - y); h++) {
1055         if (!test_bit(last_x, vs->dirty[y + h])) {
1056             break;
1057         }
1058         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1059     }
1060 
1061     return h;
1062 }
1063 
1064 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
1065 {
1066     vs->has_dirty += has_dirty;
1067     if (vs->need_update && vs->csock != -1) {
1068         VncDisplay *vd = vs->vd;
1069         VncJob *job;
1070         int y;
1071         int height, width;
1072         int n = 0;
1073 
1074         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
1075             /* kernel send buffers are full -> drop frames to throttle */
1076             return 0;
1077 
1078         if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
1079             return 0;
1080 
1081         /*
1082          * Send screen updates to the vnc client using the server
1083          * surface and server dirty map.  guest surface updates
1084          * happening in parallel don't disturb us, the next pass will
1085          * send them to the client.
1086          */
1087         job = vnc_job_new(vs);
1088 
1089         height = pixman_image_get_height(vd->server);
1090         width = pixman_image_get_width(vd->server);
1091 
1092         y = 0;
1093         for (;;) {
1094             int x, h;
1095             unsigned long x2;
1096             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1097                                                  height * VNC_DIRTY_BPL(vs),
1098                                                  y * VNC_DIRTY_BPL(vs));
1099             if (offset == height * VNC_DIRTY_BPL(vs)) {
1100                 /* no more dirty bits */
1101                 break;
1102             }
1103             y = offset / VNC_DIRTY_BPL(vs);
1104             x = offset % VNC_DIRTY_BPL(vs);
1105             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1106                                     VNC_DIRTY_BPL(vs), x);
1107             bitmap_clear(vs->dirty[y], x, x2 - x);
1108             h = find_and_clear_dirty_height(vs, y, x, x2, height);
1109             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1110             if (x2 > x) {
1111                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1112                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1113             }
1114         }
1115 
1116         vnc_job_push(job);
1117         if (sync) {
1118             vnc_jobs_join(vs);
1119         }
1120         vs->force_update = 0;
1121         vs->has_dirty = 0;
1122         return n;
1123     }
1124 
1125     if (vs->csock == -1) {
1126         vnc_disconnect_finish(vs);
1127     } else if (sync) {
1128         vnc_jobs_join(vs);
1129     }
1130 
1131     return 0;
1132 }
1133 
1134 /* audio */
1135 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1136 {
1137     VncState *vs = opaque;
1138 
1139     switch (cmd) {
1140     case AUD_CNOTIFY_DISABLE:
1141         vnc_lock_output(vs);
1142         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1143         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1144         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1145         vnc_unlock_output(vs);
1146         vnc_flush(vs);
1147         break;
1148 
1149     case AUD_CNOTIFY_ENABLE:
1150         vnc_lock_output(vs);
1151         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1152         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1153         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1154         vnc_unlock_output(vs);
1155         vnc_flush(vs);
1156         break;
1157     }
1158 }
1159 
1160 static void audio_capture_destroy(void *opaque)
1161 {
1162 }
1163 
1164 static void audio_capture(void *opaque, void *buf, int size)
1165 {
1166     VncState *vs = opaque;
1167 
1168     vnc_lock_output(vs);
1169     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1170     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1171     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1172     vnc_write_u32(vs, size);
1173     vnc_write(vs, buf, size);
1174     vnc_unlock_output(vs);
1175     vnc_flush(vs);
1176 }
1177 
1178 static void audio_add(VncState *vs)
1179 {
1180     struct audio_capture_ops ops;
1181 
1182     if (vs->audio_cap) {
1183         error_report("audio already running");
1184         return;
1185     }
1186 
1187     ops.notify = audio_capture_notify;
1188     ops.destroy = audio_capture_destroy;
1189     ops.capture = audio_capture;
1190 
1191     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1192     if (!vs->audio_cap) {
1193         error_report("Failed to add audio capture");
1194     }
1195 }
1196 
1197 static void audio_del(VncState *vs)
1198 {
1199     if (vs->audio_cap) {
1200         AUD_del_capture(vs->audio_cap, vs);
1201         vs->audio_cap = NULL;
1202     }
1203 }
1204 
1205 static void vnc_disconnect_start(VncState *vs)
1206 {
1207     if (vs->csock == -1)
1208         return;
1209     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1210     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1211     closesocket(vs->csock);
1212     vs->csock = -1;
1213 }
1214 
1215 void vnc_disconnect_finish(VncState *vs)
1216 {
1217     int i;
1218 
1219     vnc_jobs_join(vs); /* Wait encoding jobs */
1220 
1221     vnc_lock_output(vs);
1222     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1223 
1224     buffer_free(&vs->input);
1225     buffer_free(&vs->output);
1226 #ifdef CONFIG_VNC_WS
1227     buffer_free(&vs->ws_input);
1228     buffer_free(&vs->ws_output);
1229 #endif /* CONFIG_VNC_WS */
1230 
1231     qapi_free_VncClientInfo(vs->info);
1232 
1233     vnc_zlib_clear(vs);
1234     vnc_tight_clear(vs);
1235     vnc_zrle_clear(vs);
1236 
1237 #ifdef CONFIG_VNC_TLS
1238     vnc_tls_client_cleanup(vs);
1239 #endif /* CONFIG_VNC_TLS */
1240 #ifdef CONFIG_VNC_SASL
1241     vnc_sasl_client_cleanup(vs);
1242 #endif /* CONFIG_VNC_SASL */
1243     audio_del(vs);
1244     vnc_release_modifiers(vs);
1245 
1246     if (vs->initialized) {
1247         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1248         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1249     }
1250 
1251     if (vs->vd->lock_key_sync)
1252         qemu_remove_led_event_handler(vs->led);
1253     vnc_unlock_output(vs);
1254 
1255     qemu_mutex_destroy(&vs->output_mutex);
1256     if (vs->bh != NULL) {
1257         qemu_bh_delete(vs->bh);
1258     }
1259     buffer_free(&vs->jobs_buffer);
1260 
1261     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1262         g_free(vs->lossy_rect[i]);
1263     }
1264     g_free(vs->lossy_rect);
1265     g_free(vs);
1266 }
1267 
1268 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1269 {
1270     if (ret == 0 || ret == -1) {
1271         if (ret == -1) {
1272             switch (last_errno) {
1273                 case EINTR:
1274                 case EAGAIN:
1275 #ifdef _WIN32
1276                 case WSAEWOULDBLOCK:
1277 #endif
1278                     return 0;
1279                 default:
1280                     break;
1281             }
1282         }
1283 
1284         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1285                   ret, ret < 0 ? last_errno : 0);
1286         vnc_disconnect_start(vs);
1287 
1288         return 0;
1289     }
1290     return ret;
1291 }
1292 
1293 
1294 void vnc_client_error(VncState *vs)
1295 {
1296     VNC_DEBUG("Closing down client sock: protocol error\n");
1297     vnc_disconnect_start(vs);
1298 }
1299 
1300 #ifdef CONFIG_VNC_TLS
1301 static long vnc_client_write_tls(gnutls_session_t *session,
1302                                  const uint8_t *data,
1303                                  size_t datalen)
1304 {
1305     long ret = gnutls_write(*session, data, datalen);
1306     if (ret < 0) {
1307         if (ret == GNUTLS_E_AGAIN) {
1308             errno = EAGAIN;
1309         } else {
1310             errno = EIO;
1311         }
1312         ret = -1;
1313     }
1314     return ret;
1315 }
1316 #endif /* CONFIG_VNC_TLS */
1317 
1318 /*
1319  * Called to write a chunk of data to the client socket. The data may
1320  * be the raw data, or may have already been encoded by SASL.
1321  * The data will be written either straight onto the socket, or
1322  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1323  *
1324  * NB, it is theoretically possible to have 2 layers of encryption,
1325  * both SASL, and this TLS layer. It is highly unlikely in practice
1326  * though, since SASL encryption will typically be a no-op if TLS
1327  * is active
1328  *
1329  * Returns the number of bytes written, which may be less than
1330  * the requested 'datalen' if the socket would block. Returns
1331  * -1 on error, and disconnects the client socket.
1332  */
1333 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1334 {
1335     long ret;
1336 #ifdef CONFIG_VNC_TLS
1337     if (vs->tls.session) {
1338         ret = vnc_client_write_tls(&vs->tls.session, data, datalen);
1339     } else {
1340 #ifdef CONFIG_VNC_WS
1341         if (vs->ws_tls.session) {
1342             ret = vnc_client_write_tls(&vs->ws_tls.session, data, datalen);
1343         } else
1344 #endif /* CONFIG_VNC_WS */
1345 #endif /* CONFIG_VNC_TLS */
1346         {
1347             ret = send(vs->csock, (const void *)data, datalen, 0);
1348         }
1349 #ifdef CONFIG_VNC_TLS
1350     }
1351 #endif /* CONFIG_VNC_TLS */
1352     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1353     return vnc_client_io_error(vs, ret, socket_error());
1354 }
1355 
1356 
1357 /*
1358  * Called to write buffered data to the client socket, when not
1359  * using any SASL SSF encryption layers. Will write as much data
1360  * as possible without blocking. If all buffered data is written,
1361  * will switch the FD poll() handler back to read monitoring.
1362  *
1363  * Returns the number of bytes written, which may be less than
1364  * the buffered output data if the socket would block. Returns
1365  * -1 on error, and disconnects the client socket.
1366  */
1367 static long vnc_client_write_plain(VncState *vs)
1368 {
1369     long ret;
1370 
1371 #ifdef CONFIG_VNC_SASL
1372     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1373               vs->output.buffer, vs->output.capacity, vs->output.offset,
1374               vs->sasl.waitWriteSSF);
1375 
1376     if (vs->sasl.conn &&
1377         vs->sasl.runSSF &&
1378         vs->sasl.waitWriteSSF) {
1379         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1380         if (ret)
1381             vs->sasl.waitWriteSSF -= ret;
1382     } else
1383 #endif /* CONFIG_VNC_SASL */
1384         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1385     if (!ret)
1386         return 0;
1387 
1388     buffer_advance(&vs->output, ret);
1389 
1390     if (vs->output.offset == 0) {
1391         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1392     }
1393 
1394     return ret;
1395 }
1396 
1397 
1398 /*
1399  * First function called whenever there is data to be written to
1400  * the client socket. Will delegate actual work according to whether
1401  * SASL SSF layers are enabled (thus requiring encryption calls)
1402  */
1403 static void vnc_client_write_locked(void *opaque)
1404 {
1405     VncState *vs = opaque;
1406 
1407 #ifdef CONFIG_VNC_SASL
1408     if (vs->sasl.conn &&
1409         vs->sasl.runSSF &&
1410         !vs->sasl.waitWriteSSF) {
1411         vnc_client_write_sasl(vs);
1412     } else
1413 #endif /* CONFIG_VNC_SASL */
1414     {
1415 #ifdef CONFIG_VNC_WS
1416         if (vs->encode_ws) {
1417             vnc_client_write_ws(vs);
1418         } else
1419 #endif /* CONFIG_VNC_WS */
1420         {
1421             vnc_client_write_plain(vs);
1422         }
1423     }
1424 }
1425 
1426 void vnc_client_write(void *opaque)
1427 {
1428     VncState *vs = opaque;
1429 
1430     vnc_lock_output(vs);
1431     if (vs->output.offset
1432 #ifdef CONFIG_VNC_WS
1433             || vs->ws_output.offset
1434 #endif
1435             ) {
1436         vnc_client_write_locked(opaque);
1437     } else if (vs->csock != -1) {
1438         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1439     }
1440     vnc_unlock_output(vs);
1441 }
1442 
1443 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1444 {
1445     vs->read_handler = func;
1446     vs->read_handler_expect = expecting;
1447 }
1448 
1449 #ifdef CONFIG_VNC_TLS
1450 static long vnc_client_read_tls(gnutls_session_t *session, uint8_t *data,
1451                                 size_t datalen)
1452 {
1453     long ret = gnutls_read(*session, data, datalen);
1454     if (ret < 0) {
1455         if (ret == GNUTLS_E_AGAIN) {
1456             errno = EAGAIN;
1457         } else {
1458             errno = EIO;
1459         }
1460         ret = -1;
1461     }
1462     return ret;
1463 }
1464 #endif /* CONFIG_VNC_TLS */
1465 
1466 /*
1467  * Called to read a chunk of data from the client socket. The data may
1468  * be the raw data, or may need to be further decoded by SASL.
1469  * The data will be read either straight from to the socket, or
1470  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1471  *
1472  * NB, it is theoretically possible to have 2 layers of encryption,
1473  * both SASL, and this TLS layer. It is highly unlikely in practice
1474  * though, since SASL encryption will typically be a no-op if TLS
1475  * is active
1476  *
1477  * Returns the number of bytes read, which may be less than
1478  * the requested 'datalen' if the socket would block. Returns
1479  * -1 on error, and disconnects the client socket.
1480  */
1481 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1482 {
1483     long ret;
1484 #ifdef CONFIG_VNC_TLS
1485     if (vs->tls.session) {
1486         ret = vnc_client_read_tls(&vs->tls.session, data, datalen);
1487     } else {
1488 #ifdef CONFIG_VNC_WS
1489         if (vs->ws_tls.session) {
1490             ret = vnc_client_read_tls(&vs->ws_tls.session, data, datalen);
1491         } else
1492 #endif /* CONFIG_VNC_WS */
1493 #endif /* CONFIG_VNC_TLS */
1494         {
1495             ret = qemu_recv(vs->csock, data, datalen, 0);
1496         }
1497 #ifdef CONFIG_VNC_TLS
1498     }
1499 #endif /* CONFIG_VNC_TLS */
1500     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1501     return vnc_client_io_error(vs, ret, socket_error());
1502 }
1503 
1504 
1505 /*
1506  * Called to read data from the client socket to the input buffer,
1507  * when not using any SASL SSF encryption layers. Will read as much
1508  * data as possible without blocking.
1509  *
1510  * Returns the number of bytes read. Returns -1 on error, and
1511  * disconnects the client socket.
1512  */
1513 static long vnc_client_read_plain(VncState *vs)
1514 {
1515     int ret;
1516     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1517               vs->input.buffer, vs->input.capacity, vs->input.offset);
1518     buffer_reserve(&vs->input, 4096);
1519     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1520     if (!ret)
1521         return 0;
1522     vs->input.offset += ret;
1523     return ret;
1524 }
1525 
1526 static void vnc_jobs_bh(void *opaque)
1527 {
1528     VncState *vs = opaque;
1529 
1530     vnc_jobs_consume_buffer(vs);
1531 }
1532 
1533 /*
1534  * First function called whenever there is more data to be read from
1535  * the client socket. Will delegate actual work according to whether
1536  * SASL SSF layers are enabled (thus requiring decryption calls)
1537  */
1538 void vnc_client_read(void *opaque)
1539 {
1540     VncState *vs = opaque;
1541     long ret;
1542 
1543 #ifdef CONFIG_VNC_SASL
1544     if (vs->sasl.conn && vs->sasl.runSSF)
1545         ret = vnc_client_read_sasl(vs);
1546     else
1547 #endif /* CONFIG_VNC_SASL */
1548 #ifdef CONFIG_VNC_WS
1549         if (vs->encode_ws) {
1550             ret = vnc_client_read_ws(vs);
1551             if (ret == -1) {
1552                 vnc_disconnect_start(vs);
1553                 return;
1554             } else if (ret == -2) {
1555                 vnc_client_error(vs);
1556                 return;
1557             }
1558         } else
1559 #endif /* CONFIG_VNC_WS */
1560         {
1561         ret = vnc_client_read_plain(vs);
1562         }
1563     if (!ret) {
1564         if (vs->csock == -1)
1565             vnc_disconnect_finish(vs);
1566         return;
1567     }
1568 
1569     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1570         size_t len = vs->read_handler_expect;
1571         int ret;
1572 
1573         ret = vs->read_handler(vs, vs->input.buffer, len);
1574         if (vs->csock == -1) {
1575             vnc_disconnect_finish(vs);
1576             return;
1577         }
1578 
1579         if (!ret) {
1580             buffer_advance(&vs->input, len);
1581         } else {
1582             vs->read_handler_expect = ret;
1583         }
1584     }
1585 }
1586 
1587 void vnc_write(VncState *vs, const void *data, size_t len)
1588 {
1589     buffer_reserve(&vs->output, len);
1590 
1591     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1592         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1593     }
1594 
1595     buffer_append(&vs->output, data, len);
1596 }
1597 
1598 void vnc_write_s32(VncState *vs, int32_t value)
1599 {
1600     vnc_write_u32(vs, *(uint32_t *)&value);
1601 }
1602 
1603 void vnc_write_u32(VncState *vs, uint32_t value)
1604 {
1605     uint8_t buf[4];
1606 
1607     buf[0] = (value >> 24) & 0xFF;
1608     buf[1] = (value >> 16) & 0xFF;
1609     buf[2] = (value >>  8) & 0xFF;
1610     buf[3] = value & 0xFF;
1611 
1612     vnc_write(vs, buf, 4);
1613 }
1614 
1615 void vnc_write_u16(VncState *vs, uint16_t value)
1616 {
1617     uint8_t buf[2];
1618 
1619     buf[0] = (value >> 8) & 0xFF;
1620     buf[1] = value & 0xFF;
1621 
1622     vnc_write(vs, buf, 2);
1623 }
1624 
1625 void vnc_write_u8(VncState *vs, uint8_t value)
1626 {
1627     vnc_write(vs, (char *)&value, 1);
1628 }
1629 
1630 void vnc_flush(VncState *vs)
1631 {
1632     vnc_lock_output(vs);
1633     if (vs->csock != -1 && (vs->output.offset
1634 #ifdef CONFIG_VNC_WS
1635                 || vs->ws_output.offset
1636 #endif
1637                 )) {
1638         vnc_client_write_locked(vs);
1639     }
1640     vnc_unlock_output(vs);
1641 }
1642 
1643 static uint8_t read_u8(uint8_t *data, size_t offset)
1644 {
1645     return data[offset];
1646 }
1647 
1648 static uint16_t read_u16(uint8_t *data, size_t offset)
1649 {
1650     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1651 }
1652 
1653 static int32_t read_s32(uint8_t *data, size_t offset)
1654 {
1655     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1656                      (data[offset + 2] << 8) | data[offset + 3]);
1657 }
1658 
1659 uint32_t read_u32(uint8_t *data, size_t offset)
1660 {
1661     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1662             (data[offset + 2] << 8) | data[offset + 3]);
1663 }
1664 
1665 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1666 {
1667 }
1668 
1669 static void check_pointer_type_change(Notifier *notifier, void *data)
1670 {
1671     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1672     int absolute = qemu_input_is_absolute();
1673 
1674     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1675         vnc_lock_output(vs);
1676         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1677         vnc_write_u8(vs, 0);
1678         vnc_write_u16(vs, 1);
1679         vnc_framebuffer_update(vs, absolute, 0,
1680                                pixman_image_get_width(vs->vd->server),
1681                                pixman_image_get_height(vs->vd->server),
1682                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1683         vnc_unlock_output(vs);
1684         vnc_flush(vs);
1685     }
1686     vs->absolute = absolute;
1687 }
1688 
1689 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1690 {
1691     static uint32_t bmap[INPUT_BUTTON_MAX] = {
1692         [INPUT_BUTTON_LEFT]       = 0x01,
1693         [INPUT_BUTTON_MIDDLE]     = 0x02,
1694         [INPUT_BUTTON_RIGHT]      = 0x04,
1695         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1696         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1697     };
1698     QemuConsole *con = vs->vd->dcl.con;
1699     int width = pixman_image_get_width(vs->vd->server);
1700     int height = pixman_image_get_height(vs->vd->server);
1701 
1702     if (vs->last_bmask != button_mask) {
1703         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1704         vs->last_bmask = button_mask;
1705     }
1706 
1707     if (vs->absolute) {
1708         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1709         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1710     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1711         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1712         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1713     } else {
1714         if (vs->last_x != -1) {
1715             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1716             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1717         }
1718         vs->last_x = x;
1719         vs->last_y = y;
1720     }
1721     qemu_input_event_sync();
1722 }
1723 
1724 static void reset_keys(VncState *vs)
1725 {
1726     int i;
1727     for(i = 0; i < 256; i++) {
1728         if (vs->modifiers_state[i]) {
1729             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1730             vs->modifiers_state[i] = 0;
1731         }
1732     }
1733 }
1734 
1735 static void press_key(VncState *vs, int keysym)
1736 {
1737     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1738     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1739     qemu_input_event_send_key_delay(0);
1740     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1741     qemu_input_event_send_key_delay(0);
1742 }
1743 
1744 static int current_led_state(VncState *vs)
1745 {
1746     int ledstate = 0;
1747 
1748     if (vs->modifiers_state[0x46]) {
1749         ledstate |= QEMU_SCROLL_LOCK_LED;
1750     }
1751     if (vs->modifiers_state[0x45]) {
1752         ledstate |= QEMU_NUM_LOCK_LED;
1753     }
1754     if (vs->modifiers_state[0x3a]) {
1755         ledstate |= QEMU_CAPS_LOCK_LED;
1756     }
1757 
1758     return ledstate;
1759 }
1760 
1761 static void vnc_led_state_change(VncState *vs)
1762 {
1763     int ledstate = 0;
1764 
1765     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1766         return;
1767     }
1768 
1769     ledstate = current_led_state(vs);
1770     vnc_lock_output(vs);
1771     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1772     vnc_write_u8(vs, 0);
1773     vnc_write_u16(vs, 1);
1774     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1775     vnc_write_u8(vs, ledstate);
1776     vnc_unlock_output(vs);
1777     vnc_flush(vs);
1778 }
1779 
1780 static void kbd_leds(void *opaque, int ledstate)
1781 {
1782     VncState *vs = opaque;
1783     int caps, num, scr;
1784     bool has_changed = (ledstate != current_led_state(vs));
1785 
1786     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1787                              (ledstate & QEMU_NUM_LOCK_LED),
1788                              (ledstate & QEMU_SCROLL_LOCK_LED));
1789 
1790     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1791     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1792     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1793 
1794     if (vs->modifiers_state[0x3a] != caps) {
1795         vs->modifiers_state[0x3a] = caps;
1796     }
1797     if (vs->modifiers_state[0x45] != num) {
1798         vs->modifiers_state[0x45] = num;
1799     }
1800     if (vs->modifiers_state[0x46] != scr) {
1801         vs->modifiers_state[0x46] = scr;
1802     }
1803 
1804     /* Sending the current led state message to the client */
1805     if (has_changed) {
1806         vnc_led_state_change(vs);
1807     }
1808 }
1809 
1810 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1811 {
1812     /* QEMU console switch */
1813     switch(keycode) {
1814     case 0x2a:                          /* Left Shift */
1815     case 0x36:                          /* Right Shift */
1816     case 0x1d:                          /* Left CTRL */
1817     case 0x9d:                          /* Right CTRL */
1818     case 0x38:                          /* Left ALT */
1819     case 0xb8:                          /* Right ALT */
1820         if (down)
1821             vs->modifiers_state[keycode] = 1;
1822         else
1823             vs->modifiers_state[keycode] = 0;
1824         break;
1825     case 0x02 ... 0x0a: /* '1' to '9' keys */
1826         if (vs->vd->dcl.con == NULL &&
1827             down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1828             /* Reset the modifiers sent to the current console */
1829             reset_keys(vs);
1830             console_select(keycode - 0x02);
1831             return;
1832         }
1833         break;
1834     case 0x3a:                        /* CapsLock */
1835     case 0x45:                        /* NumLock */
1836         if (down)
1837             vs->modifiers_state[keycode] ^= 1;
1838         break;
1839     }
1840 
1841     /* Turn off the lock state sync logic if the client support the led
1842        state extension.
1843     */
1844     if (down && vs->vd->lock_key_sync &&
1845         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1846         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1847         /* If the numlock state needs to change then simulate an additional
1848            keypress before sending this one.  This will happen if the user
1849            toggles numlock away from the VNC window.
1850         */
1851         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1852             if (!vs->modifiers_state[0x45]) {
1853                 trace_vnc_key_sync_numlock(true);
1854                 vs->modifiers_state[0x45] = 1;
1855                 press_key(vs, 0xff7f);
1856             }
1857         } else {
1858             if (vs->modifiers_state[0x45]) {
1859                 trace_vnc_key_sync_numlock(false);
1860                 vs->modifiers_state[0x45] = 0;
1861                 press_key(vs, 0xff7f);
1862             }
1863         }
1864     }
1865 
1866     if (down && vs->vd->lock_key_sync &&
1867         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1868         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1869         /* If the capslock state needs to change then simulate an additional
1870            keypress before sending this one.  This will happen if the user
1871            toggles capslock away from the VNC window.
1872         */
1873         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1874         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1875         int capslock = !!(vs->modifiers_state[0x3a]);
1876         if (capslock) {
1877             if (uppercase == shift) {
1878                 trace_vnc_key_sync_capslock(false);
1879                 vs->modifiers_state[0x3a] = 0;
1880                 press_key(vs, 0xffe5);
1881             }
1882         } else {
1883             if (uppercase != shift) {
1884                 trace_vnc_key_sync_capslock(true);
1885                 vs->modifiers_state[0x3a] = 1;
1886                 press_key(vs, 0xffe5);
1887             }
1888         }
1889     }
1890 
1891     if (qemu_console_is_graphic(NULL)) {
1892         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1893     } else {
1894         bool numlock = vs->modifiers_state[0x45];
1895         bool control = (vs->modifiers_state[0x1d] ||
1896                         vs->modifiers_state[0x9d]);
1897         /* QEMU console emulation */
1898         if (down) {
1899             switch (keycode) {
1900             case 0x2a:                          /* Left Shift */
1901             case 0x36:                          /* Right Shift */
1902             case 0x1d:                          /* Left CTRL */
1903             case 0x9d:                          /* Right CTRL */
1904             case 0x38:                          /* Left ALT */
1905             case 0xb8:                          /* Right ALT */
1906                 break;
1907             case 0xc8:
1908                 kbd_put_keysym(QEMU_KEY_UP);
1909                 break;
1910             case 0xd0:
1911                 kbd_put_keysym(QEMU_KEY_DOWN);
1912                 break;
1913             case 0xcb:
1914                 kbd_put_keysym(QEMU_KEY_LEFT);
1915                 break;
1916             case 0xcd:
1917                 kbd_put_keysym(QEMU_KEY_RIGHT);
1918                 break;
1919             case 0xd3:
1920                 kbd_put_keysym(QEMU_KEY_DELETE);
1921                 break;
1922             case 0xc7:
1923                 kbd_put_keysym(QEMU_KEY_HOME);
1924                 break;
1925             case 0xcf:
1926                 kbd_put_keysym(QEMU_KEY_END);
1927                 break;
1928             case 0xc9:
1929                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1930                 break;
1931             case 0xd1:
1932                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1933                 break;
1934 
1935             case 0x47:
1936                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1937                 break;
1938             case 0x48:
1939                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1940                 break;
1941             case 0x49:
1942                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1943                 break;
1944             case 0x4b:
1945                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1946                 break;
1947             case 0x4c:
1948                 kbd_put_keysym('5');
1949                 break;
1950             case 0x4d:
1951                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1952                 break;
1953             case 0x4f:
1954                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1955                 break;
1956             case 0x50:
1957                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1958                 break;
1959             case 0x51:
1960                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1961                 break;
1962             case 0x52:
1963                 kbd_put_keysym('0');
1964                 break;
1965             case 0x53:
1966                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1967                 break;
1968 
1969             case 0xb5:
1970                 kbd_put_keysym('/');
1971                 break;
1972             case 0x37:
1973                 kbd_put_keysym('*');
1974                 break;
1975             case 0x4a:
1976                 kbd_put_keysym('-');
1977                 break;
1978             case 0x4e:
1979                 kbd_put_keysym('+');
1980                 break;
1981             case 0x9c:
1982                 kbd_put_keysym('\n');
1983                 break;
1984 
1985             default:
1986                 if (control) {
1987                     kbd_put_keysym(sym & 0x1f);
1988                 } else {
1989                     kbd_put_keysym(sym);
1990                 }
1991                 break;
1992             }
1993         }
1994     }
1995 }
1996 
1997 static void vnc_release_modifiers(VncState *vs)
1998 {
1999     static const int keycodes[] = {
2000         /* shift, control, alt keys, both left & right */
2001         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
2002     };
2003     int i, keycode;
2004 
2005     if (!qemu_console_is_graphic(NULL)) {
2006         return;
2007     }
2008     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
2009         keycode = keycodes[i];
2010         if (!vs->modifiers_state[keycode]) {
2011             continue;
2012         }
2013         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
2014     }
2015 }
2016 
2017 static const char *code2name(int keycode)
2018 {
2019     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
2020 }
2021 
2022 static void key_event(VncState *vs, int down, uint32_t sym)
2023 {
2024     int keycode;
2025     int lsym = sym;
2026 
2027     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2028         lsym = lsym - 'A' + 'a';
2029     }
2030 
2031     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
2032     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2033     do_key_event(vs, down, keycode, sym);
2034 }
2035 
2036 static void ext_key_event(VncState *vs, int down,
2037                           uint32_t sym, uint16_t keycode)
2038 {
2039     /* if the user specifies a keyboard layout, always use it */
2040     if (keyboard_layout) {
2041         key_event(vs, down, sym);
2042     } else {
2043         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2044         do_key_event(vs, down, keycode, sym);
2045     }
2046 }
2047 
2048 static void framebuffer_update_request(VncState *vs, int incremental,
2049                                        int x, int y, int w, int h)
2050 {
2051     int width = pixman_image_get_width(vs->vd->server);
2052     int height = pixman_image_get_height(vs->vd->server);
2053 
2054     vs->need_update = 1;
2055 
2056     if (incremental) {
2057         return;
2058     }
2059 
2060     vs->force_update = 1;
2061     vnc_set_area_dirty(vs->dirty, width, height, x, y, w, h);
2062 }
2063 
2064 static void send_ext_key_event_ack(VncState *vs)
2065 {
2066     vnc_lock_output(vs);
2067     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2068     vnc_write_u8(vs, 0);
2069     vnc_write_u16(vs, 1);
2070     vnc_framebuffer_update(vs, 0, 0,
2071                            pixman_image_get_width(vs->vd->server),
2072                            pixman_image_get_height(vs->vd->server),
2073                            VNC_ENCODING_EXT_KEY_EVENT);
2074     vnc_unlock_output(vs);
2075     vnc_flush(vs);
2076 }
2077 
2078 static void send_ext_audio_ack(VncState *vs)
2079 {
2080     vnc_lock_output(vs);
2081     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2082     vnc_write_u8(vs, 0);
2083     vnc_write_u16(vs, 1);
2084     vnc_framebuffer_update(vs, 0, 0,
2085                            pixman_image_get_width(vs->vd->server),
2086                            pixman_image_get_height(vs->vd->server),
2087                            VNC_ENCODING_AUDIO);
2088     vnc_unlock_output(vs);
2089     vnc_flush(vs);
2090 }
2091 
2092 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2093 {
2094     int i;
2095     unsigned int enc = 0;
2096 
2097     vs->features = 0;
2098     vs->vnc_encoding = 0;
2099     vs->tight.compression = 9;
2100     vs->tight.quality = -1; /* Lossless by default */
2101     vs->absolute = -1;
2102 
2103     /*
2104      * Start from the end because the encodings are sent in order of preference.
2105      * This way the preferred encoding (first encoding defined in the array)
2106      * will be set at the end of the loop.
2107      */
2108     for (i = n_encodings - 1; i >= 0; i--) {
2109         enc = encodings[i];
2110         switch (enc) {
2111         case VNC_ENCODING_RAW:
2112             vs->vnc_encoding = enc;
2113             break;
2114         case VNC_ENCODING_COPYRECT:
2115             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2116             break;
2117         case VNC_ENCODING_HEXTILE:
2118             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2119             vs->vnc_encoding = enc;
2120             break;
2121         case VNC_ENCODING_TIGHT:
2122             vs->features |= VNC_FEATURE_TIGHT_MASK;
2123             vs->vnc_encoding = enc;
2124             break;
2125 #ifdef CONFIG_VNC_PNG
2126         case VNC_ENCODING_TIGHT_PNG:
2127             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2128             vs->vnc_encoding = enc;
2129             break;
2130 #endif
2131         case VNC_ENCODING_ZLIB:
2132             vs->features |= VNC_FEATURE_ZLIB_MASK;
2133             vs->vnc_encoding = enc;
2134             break;
2135         case VNC_ENCODING_ZRLE:
2136             vs->features |= VNC_FEATURE_ZRLE_MASK;
2137             vs->vnc_encoding = enc;
2138             break;
2139         case VNC_ENCODING_ZYWRLE:
2140             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2141             vs->vnc_encoding = enc;
2142             break;
2143         case VNC_ENCODING_DESKTOPRESIZE:
2144             vs->features |= VNC_FEATURE_RESIZE_MASK;
2145             break;
2146         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2147             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2148             break;
2149         case VNC_ENCODING_RICH_CURSOR:
2150             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2151             break;
2152         case VNC_ENCODING_EXT_KEY_EVENT:
2153             send_ext_key_event_ack(vs);
2154             break;
2155         case VNC_ENCODING_AUDIO:
2156             send_ext_audio_ack(vs);
2157             break;
2158         case VNC_ENCODING_WMVi:
2159             vs->features |= VNC_FEATURE_WMVI_MASK;
2160             break;
2161         case VNC_ENCODING_LED_STATE:
2162             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2163             break;
2164         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2165             vs->tight.compression = (enc & 0x0F);
2166             break;
2167         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2168             if (vs->vd->lossy) {
2169                 vs->tight.quality = (enc & 0x0F);
2170             }
2171             break;
2172         default:
2173             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2174             break;
2175         }
2176     }
2177     vnc_desktop_resize(vs);
2178     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2179     vnc_led_state_change(vs);
2180 }
2181 
2182 static void set_pixel_conversion(VncState *vs)
2183 {
2184     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2185 
2186     if (fmt == VNC_SERVER_FB_FORMAT) {
2187         vs->write_pixels = vnc_write_pixels_copy;
2188         vnc_hextile_set_pixel_conversion(vs, 0);
2189     } else {
2190         vs->write_pixels = vnc_write_pixels_generic;
2191         vnc_hextile_set_pixel_conversion(vs, 1);
2192     }
2193 }
2194 
2195 static void set_pixel_format(VncState *vs,
2196                              int bits_per_pixel, int depth,
2197                              int big_endian_flag, int true_color_flag,
2198                              int red_max, int green_max, int blue_max,
2199                              int red_shift, int green_shift, int blue_shift)
2200 {
2201     if (!true_color_flag) {
2202         vnc_client_error(vs);
2203         return;
2204     }
2205 
2206     switch (bits_per_pixel) {
2207     case 8:
2208     case 16:
2209     case 32:
2210         break;
2211     default:
2212         vnc_client_error(vs);
2213         return;
2214     }
2215 
2216     vs->client_pf.rmax = red_max;
2217     vs->client_pf.rbits = hweight_long(red_max);
2218     vs->client_pf.rshift = red_shift;
2219     vs->client_pf.rmask = red_max << red_shift;
2220     vs->client_pf.gmax = green_max;
2221     vs->client_pf.gbits = hweight_long(green_max);
2222     vs->client_pf.gshift = green_shift;
2223     vs->client_pf.gmask = green_max << green_shift;
2224     vs->client_pf.bmax = blue_max;
2225     vs->client_pf.bbits = hweight_long(blue_max);
2226     vs->client_pf.bshift = blue_shift;
2227     vs->client_pf.bmask = blue_max << blue_shift;
2228     vs->client_pf.bits_per_pixel = bits_per_pixel;
2229     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2230     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2231     vs->client_be = big_endian_flag;
2232 
2233     set_pixel_conversion(vs);
2234 
2235     graphic_hw_invalidate(vs->vd->dcl.con);
2236     graphic_hw_update(vs->vd->dcl.con);
2237 }
2238 
2239 static void pixel_format_message (VncState *vs) {
2240     char pad[3] = { 0, 0, 0 };
2241 
2242     vs->client_pf = qemu_default_pixelformat(32);
2243 
2244     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2245     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2246 
2247 #ifdef HOST_WORDS_BIGENDIAN
2248     vnc_write_u8(vs, 1);             /* big-endian-flag */
2249 #else
2250     vnc_write_u8(vs, 0);             /* big-endian-flag */
2251 #endif
2252     vnc_write_u8(vs, 1);             /* true-color-flag */
2253     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2254     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2255     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2256     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2257     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2258     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2259     vnc_write(vs, pad, 3);           /* padding */
2260 
2261     vnc_hextile_set_pixel_conversion(vs, 0);
2262     vs->write_pixels = vnc_write_pixels_copy;
2263 }
2264 
2265 static void vnc_colordepth(VncState *vs)
2266 {
2267     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2268         /* Sending a WMVi message to notify the client*/
2269         vnc_lock_output(vs);
2270         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2271         vnc_write_u8(vs, 0);
2272         vnc_write_u16(vs, 1); /* number of rects */
2273         vnc_framebuffer_update(vs, 0, 0,
2274                                pixman_image_get_width(vs->vd->server),
2275                                pixman_image_get_height(vs->vd->server),
2276                                VNC_ENCODING_WMVi);
2277         pixel_format_message(vs);
2278         vnc_unlock_output(vs);
2279         vnc_flush(vs);
2280     } else {
2281         set_pixel_conversion(vs);
2282     }
2283 }
2284 
2285 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2286 {
2287     int i;
2288     uint16_t limit;
2289     VncDisplay *vd = vs->vd;
2290 
2291     if (data[0] > 3) {
2292         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2293     }
2294 
2295     switch (data[0]) {
2296     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2297         if (len == 1)
2298             return 20;
2299 
2300         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2301                          read_u8(data, 6), read_u8(data, 7),
2302                          read_u16(data, 8), read_u16(data, 10),
2303                          read_u16(data, 12), read_u8(data, 14),
2304                          read_u8(data, 15), read_u8(data, 16));
2305         break;
2306     case VNC_MSG_CLIENT_SET_ENCODINGS:
2307         if (len == 1)
2308             return 4;
2309 
2310         if (len == 4) {
2311             limit = read_u16(data, 2);
2312             if (limit > 0)
2313                 return 4 + (limit * 4);
2314         } else
2315             limit = read_u16(data, 2);
2316 
2317         for (i = 0; i < limit; i++) {
2318             int32_t val = read_s32(data, 4 + (i * 4));
2319             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2320         }
2321 
2322         set_encodings(vs, (int32_t *)(data + 4), limit);
2323         break;
2324     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2325         if (len == 1)
2326             return 10;
2327 
2328         framebuffer_update_request(vs,
2329                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2330                                    read_u16(data, 6), read_u16(data, 8));
2331         break;
2332     case VNC_MSG_CLIENT_KEY_EVENT:
2333         if (len == 1)
2334             return 8;
2335 
2336         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2337         break;
2338     case VNC_MSG_CLIENT_POINTER_EVENT:
2339         if (len == 1)
2340             return 6;
2341 
2342         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2343         break;
2344     case VNC_MSG_CLIENT_CUT_TEXT:
2345         if (len == 1) {
2346             return 8;
2347         }
2348         if (len == 8) {
2349             uint32_t dlen = read_u32(data, 4);
2350             if (dlen > (1 << 20)) {
2351                 error_report("vnc: client_cut_text msg payload has %u bytes"
2352                              " which exceeds our limit of 1MB.", dlen);
2353                 vnc_client_error(vs);
2354                 break;
2355             }
2356             if (dlen > 0) {
2357                 return 8 + dlen;
2358             }
2359         }
2360 
2361         client_cut_text(vs, read_u32(data, 4), data + 8);
2362         break;
2363     case VNC_MSG_CLIENT_QEMU:
2364         if (len == 1)
2365             return 2;
2366 
2367         switch (read_u8(data, 1)) {
2368         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2369             if (len == 2)
2370                 return 12;
2371 
2372             ext_key_event(vs, read_u16(data, 2),
2373                           read_u32(data, 4), read_u32(data, 8));
2374             break;
2375         case VNC_MSG_CLIENT_QEMU_AUDIO:
2376             if (len == 2)
2377                 return 4;
2378 
2379             switch (read_u16 (data, 2)) {
2380             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2381                 audio_add(vs);
2382                 break;
2383             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2384                 audio_del(vs);
2385                 break;
2386             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2387                 if (len == 4)
2388                     return 10;
2389                 switch (read_u8(data, 4)) {
2390                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2391                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2392                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2393                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2394                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2395                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2396                 default:
2397                     printf("Invalid audio format %d\n", read_u8(data, 4));
2398                     vnc_client_error(vs);
2399                     break;
2400                 }
2401                 vs->as.nchannels = read_u8(data, 5);
2402                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2403                     printf("Invalid audio channel coount %d\n",
2404                            read_u8(data, 5));
2405                     vnc_client_error(vs);
2406                     break;
2407                 }
2408                 vs->as.freq = read_u32(data, 6);
2409                 break;
2410             default:
2411                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2412                 vnc_client_error(vs);
2413                 break;
2414             }
2415             break;
2416 
2417         default:
2418             printf("Msg: %d\n", read_u16(data, 0));
2419             vnc_client_error(vs);
2420             break;
2421         }
2422         break;
2423     default:
2424         printf("Msg: %d\n", data[0]);
2425         vnc_client_error(vs);
2426         break;
2427     }
2428 
2429     vnc_read_when(vs, protocol_client_msg, 1);
2430     return 0;
2431 }
2432 
2433 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2434 {
2435     char buf[1024];
2436     VncShareMode mode;
2437     int size;
2438 
2439     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2440     switch (vs->vd->share_policy) {
2441     case VNC_SHARE_POLICY_IGNORE:
2442         /*
2443          * Ignore the shared flag.  Nothing to do here.
2444          *
2445          * Doesn't conform to the rfb spec but is traditional qemu
2446          * behavior, thus left here as option for compatibility
2447          * reasons.
2448          */
2449         break;
2450     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2451         /*
2452          * Policy: Allow clients ask for exclusive access.
2453          *
2454          * Implementation: When a client asks for exclusive access,
2455          * disconnect all others. Shared connects are allowed as long
2456          * as no exclusive connection exists.
2457          *
2458          * This is how the rfb spec suggests to handle the shared flag.
2459          */
2460         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2461             VncState *client;
2462             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2463                 if (vs == client) {
2464                     continue;
2465                 }
2466                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2467                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2468                     continue;
2469                 }
2470                 vnc_disconnect_start(client);
2471             }
2472         }
2473         if (mode == VNC_SHARE_MODE_SHARED) {
2474             if (vs->vd->num_exclusive > 0) {
2475                 vnc_disconnect_start(vs);
2476                 return 0;
2477             }
2478         }
2479         break;
2480     case VNC_SHARE_POLICY_FORCE_SHARED:
2481         /*
2482          * Policy: Shared connects only.
2483          * Implementation: Disallow clients asking for exclusive access.
2484          *
2485          * Useful for shared desktop sessions where you don't want
2486          * someone forgetting to say -shared when running the vnc
2487          * client disconnect everybody else.
2488          */
2489         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2490             vnc_disconnect_start(vs);
2491             return 0;
2492         }
2493         break;
2494     }
2495     vnc_set_share_mode(vs, mode);
2496 
2497     if (vs->vd->num_shared > vs->vd->connections_limit) {
2498         vnc_disconnect_start(vs);
2499         return 0;
2500     }
2501 
2502     vs->client_width = pixman_image_get_width(vs->vd->server);
2503     vs->client_height = pixman_image_get_height(vs->vd->server);
2504     vnc_write_u16(vs, vs->client_width);
2505     vnc_write_u16(vs, vs->client_height);
2506 
2507     pixel_format_message(vs);
2508 
2509     if (qemu_name)
2510         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2511     else
2512         size = snprintf(buf, sizeof(buf), "QEMU");
2513 
2514     vnc_write_u32(vs, size);
2515     vnc_write(vs, buf, size);
2516     vnc_flush(vs);
2517 
2518     vnc_client_cache_auth(vs);
2519     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2520 
2521     vnc_read_when(vs, protocol_client_msg, 1);
2522 
2523     return 0;
2524 }
2525 
2526 void start_client_init(VncState *vs)
2527 {
2528     vnc_read_when(vs, protocol_client_init, 1);
2529 }
2530 
2531 static void make_challenge(VncState *vs)
2532 {
2533     int i;
2534 
2535     srand(time(NULL)+getpid()+getpid()*987654+rand());
2536 
2537     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2538         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2539 }
2540 
2541 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2542 {
2543     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2544     int i, j, pwlen;
2545     unsigned char key[8];
2546     time_t now = time(NULL);
2547 
2548     if (!vs->vd->password) {
2549         VNC_DEBUG("No password configured on server");
2550         goto reject;
2551     }
2552     if (vs->vd->expires < now) {
2553         VNC_DEBUG("Password is expired");
2554         goto reject;
2555     }
2556 
2557     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2558 
2559     /* Calculate the expected challenge response */
2560     pwlen = strlen(vs->vd->password);
2561     for (i=0; i<sizeof(key); i++)
2562         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2563     deskey(key, EN0);
2564     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2565         des(response+j, response+j);
2566 
2567     /* Compare expected vs actual challenge response */
2568     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2569         VNC_DEBUG("Client challenge response did not match\n");
2570         goto reject;
2571     } else {
2572         VNC_DEBUG("Accepting VNC challenge response\n");
2573         vnc_write_u32(vs, 0); /* Accept auth */
2574         vnc_flush(vs);
2575 
2576         start_client_init(vs);
2577     }
2578     return 0;
2579 
2580 reject:
2581     vnc_write_u32(vs, 1); /* Reject auth */
2582     if (vs->minor >= 8) {
2583         static const char err[] = "Authentication failed";
2584         vnc_write_u32(vs, sizeof(err));
2585         vnc_write(vs, err, sizeof(err));
2586     }
2587     vnc_flush(vs);
2588     vnc_client_error(vs);
2589     return 0;
2590 }
2591 
2592 void start_auth_vnc(VncState *vs)
2593 {
2594     make_challenge(vs);
2595     /* Send client a 'random' challenge */
2596     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2597     vnc_flush(vs);
2598 
2599     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2600 }
2601 
2602 
2603 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2604 {
2605     /* We only advertise 1 auth scheme at a time, so client
2606      * must pick the one we sent. Verify this */
2607     if (data[0] != vs->auth) { /* Reject auth */
2608        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2609        vnc_write_u32(vs, 1);
2610        if (vs->minor >= 8) {
2611            static const char err[] = "Authentication failed";
2612            vnc_write_u32(vs, sizeof(err));
2613            vnc_write(vs, err, sizeof(err));
2614        }
2615        vnc_client_error(vs);
2616     } else { /* Accept requested auth */
2617        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2618        switch (vs->auth) {
2619        case VNC_AUTH_NONE:
2620            VNC_DEBUG("Accept auth none\n");
2621            if (vs->minor >= 8) {
2622                vnc_write_u32(vs, 0); /* Accept auth completion */
2623                vnc_flush(vs);
2624            }
2625            start_client_init(vs);
2626            break;
2627 
2628        case VNC_AUTH_VNC:
2629            VNC_DEBUG("Start VNC auth\n");
2630            start_auth_vnc(vs);
2631            break;
2632 
2633 #ifdef CONFIG_VNC_TLS
2634        case VNC_AUTH_VENCRYPT:
2635            VNC_DEBUG("Accept VeNCrypt auth\n");
2636            start_auth_vencrypt(vs);
2637            break;
2638 #endif /* CONFIG_VNC_TLS */
2639 
2640 #ifdef CONFIG_VNC_SASL
2641        case VNC_AUTH_SASL:
2642            VNC_DEBUG("Accept SASL auth\n");
2643            start_auth_sasl(vs);
2644            break;
2645 #endif /* CONFIG_VNC_SASL */
2646 
2647        default: /* Should not be possible, but just in case */
2648            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2649            vnc_write_u8(vs, 1);
2650            if (vs->minor >= 8) {
2651                static const char err[] = "Authentication failed";
2652                vnc_write_u32(vs, sizeof(err));
2653                vnc_write(vs, err, sizeof(err));
2654            }
2655            vnc_client_error(vs);
2656        }
2657     }
2658     return 0;
2659 }
2660 
2661 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2662 {
2663     char local[13];
2664 
2665     memcpy(local, version, 12);
2666     local[12] = 0;
2667 
2668     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2669         VNC_DEBUG("Malformed protocol version %s\n", local);
2670         vnc_client_error(vs);
2671         return 0;
2672     }
2673     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2674     if (vs->major != 3 ||
2675         (vs->minor != 3 &&
2676          vs->minor != 4 &&
2677          vs->minor != 5 &&
2678          vs->minor != 7 &&
2679          vs->minor != 8)) {
2680         VNC_DEBUG("Unsupported client version\n");
2681         vnc_write_u32(vs, VNC_AUTH_INVALID);
2682         vnc_flush(vs);
2683         vnc_client_error(vs);
2684         return 0;
2685     }
2686     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2687      * as equivalent to v3.3 by servers
2688      */
2689     if (vs->minor == 4 || vs->minor == 5)
2690         vs->minor = 3;
2691 
2692     if (vs->minor == 3) {
2693         if (vs->auth == VNC_AUTH_NONE) {
2694             VNC_DEBUG("Tell client auth none\n");
2695             vnc_write_u32(vs, vs->auth);
2696             vnc_flush(vs);
2697             start_client_init(vs);
2698        } else if (vs->auth == VNC_AUTH_VNC) {
2699             VNC_DEBUG("Tell client VNC auth\n");
2700             vnc_write_u32(vs, vs->auth);
2701             vnc_flush(vs);
2702             start_auth_vnc(vs);
2703        } else {
2704             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2705             vnc_write_u32(vs, VNC_AUTH_INVALID);
2706             vnc_flush(vs);
2707             vnc_client_error(vs);
2708        }
2709     } else {
2710         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2711         vnc_write_u8(vs, 1); /* num auth */
2712         vnc_write_u8(vs, vs->auth);
2713         vnc_read_when(vs, protocol_client_auth, 1);
2714         vnc_flush(vs);
2715     }
2716 
2717     return 0;
2718 }
2719 
2720 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2721 {
2722     struct VncSurface *vs = &vd->guest;
2723 
2724     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2725 }
2726 
2727 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2728 {
2729     int i, j;
2730 
2731     w = (x + w) / VNC_STAT_RECT;
2732     h = (y + h) / VNC_STAT_RECT;
2733     x /= VNC_STAT_RECT;
2734     y /= VNC_STAT_RECT;
2735 
2736     for (j = y; j <= h; j++) {
2737         for (i = x; i <= w; i++) {
2738             vs->lossy_rect[j][i] = 1;
2739         }
2740     }
2741 }
2742 
2743 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2744 {
2745     VncState *vs;
2746     int sty = y / VNC_STAT_RECT;
2747     int stx = x / VNC_STAT_RECT;
2748     int has_dirty = 0;
2749 
2750     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2751     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2752 
2753     QTAILQ_FOREACH(vs, &vd->clients, next) {
2754         int j;
2755 
2756         /* kernel send buffers are full -> refresh later */
2757         if (vs->output.offset) {
2758             continue;
2759         }
2760 
2761         if (!vs->lossy_rect[sty][stx]) {
2762             continue;
2763         }
2764 
2765         vs->lossy_rect[sty][stx] = 0;
2766         for (j = 0; j < VNC_STAT_RECT; ++j) {
2767             bitmap_set(vs->dirty[y + j],
2768                        x / VNC_DIRTY_PIXELS_PER_BIT,
2769                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2770         }
2771         has_dirty++;
2772     }
2773 
2774     return has_dirty;
2775 }
2776 
2777 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2778 {
2779     int width = pixman_image_get_width(vd->guest.fb);
2780     int height = pixman_image_get_height(vd->guest.fb);
2781     int x, y;
2782     struct timeval res;
2783     int has_dirty = 0;
2784 
2785     for (y = 0; y < height; y += VNC_STAT_RECT) {
2786         for (x = 0; x < width; x += VNC_STAT_RECT) {
2787             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2788 
2789             rect->updated = false;
2790         }
2791     }
2792 
2793     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2794 
2795     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2796         return has_dirty;
2797     }
2798     vd->guest.last_freq_check = *tv;
2799 
2800     for (y = 0; y < height; y += VNC_STAT_RECT) {
2801         for (x = 0; x < width; x += VNC_STAT_RECT) {
2802             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2803             int count = ARRAY_SIZE(rect->times);
2804             struct timeval min, max;
2805 
2806             if (!timerisset(&rect->times[count - 1])) {
2807                 continue ;
2808             }
2809 
2810             max = rect->times[(rect->idx + count - 1) % count];
2811             qemu_timersub(tv, &max, &res);
2812 
2813             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2814                 rect->freq = 0;
2815                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2816                 memset(rect->times, 0, sizeof (rect->times));
2817                 continue ;
2818             }
2819 
2820             min = rect->times[rect->idx];
2821             max = rect->times[(rect->idx + count - 1) % count];
2822             qemu_timersub(&max, &min, &res);
2823 
2824             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2825             rect->freq /= count;
2826             rect->freq = 1. / rect->freq;
2827         }
2828     }
2829     return has_dirty;
2830 }
2831 
2832 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2833 {
2834     int i, j;
2835     double total = 0;
2836     int num = 0;
2837 
2838     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2839     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2840 
2841     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2842         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2843             total += vnc_stat_rect(vs->vd, i, j)->freq;
2844             num++;
2845         }
2846     }
2847 
2848     if (num) {
2849         return total / num;
2850     } else {
2851         return 0;
2852     }
2853 }
2854 
2855 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2856 {
2857     VncRectStat *rect;
2858 
2859     rect = vnc_stat_rect(vd, x, y);
2860     if (rect->updated) {
2861         return ;
2862     }
2863     rect->times[rect->idx] = *tv;
2864     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2865     rect->updated = true;
2866 }
2867 
2868 static int vnc_refresh_server_surface(VncDisplay *vd)
2869 {
2870     int width = MIN(pixman_image_get_width(vd->guest.fb),
2871                     pixman_image_get_width(vd->server));
2872     int height = MIN(pixman_image_get_height(vd->guest.fb),
2873                      pixman_image_get_height(vd->server));
2874     int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
2875     uint8_t *guest_row0 = NULL, *server_row0;
2876     VncState *vs;
2877     int has_dirty = 0;
2878     pixman_image_t *tmpbuf = NULL;
2879 
2880     struct timeval tv = { 0, 0 };
2881 
2882     if (!vd->non_adaptive) {
2883         gettimeofday(&tv, NULL);
2884         has_dirty = vnc_update_stats(vd, &tv);
2885     }
2886 
2887     /*
2888      * Walk through the guest dirty map.
2889      * Check and copy modified bits from guest to server surface.
2890      * Update server dirty map.
2891      */
2892     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2893     server_stride = guest_stride = pixman_image_get_stride(vd->server);
2894     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2895                     server_stride);
2896     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2897         int width = pixman_image_get_width(vd->server);
2898         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2899     } else {
2900         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2901         guest_stride = pixman_image_get_stride(vd->guest.fb);
2902     }
2903     min_stride = MIN(server_stride, guest_stride);
2904 
2905     for (;;) {
2906         int x;
2907         uint8_t *guest_ptr, *server_ptr;
2908         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2909                                              height * VNC_DIRTY_BPL(&vd->guest),
2910                                              y * VNC_DIRTY_BPL(&vd->guest));
2911         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2912             /* no more dirty bits */
2913             break;
2914         }
2915         y = offset / VNC_DIRTY_BPL(&vd->guest);
2916         x = offset % VNC_DIRTY_BPL(&vd->guest);
2917 
2918         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2919 
2920         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2921             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2922             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2923         } else {
2924             guest_ptr = guest_row0 + y * guest_stride;
2925         }
2926         guest_ptr += x * cmp_bytes;
2927 
2928         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2929              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2930             int _cmp_bytes = cmp_bytes;
2931             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2932                 continue;
2933             }
2934             if ((x + 1) * cmp_bytes > min_stride) {
2935                 _cmp_bytes = min_stride - x * cmp_bytes;
2936             }
2937             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2938                 continue;
2939             }
2940             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2941             if (!vd->non_adaptive) {
2942                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2943                                  y, &tv);
2944             }
2945             QTAILQ_FOREACH(vs, &vd->clients, next) {
2946                 set_bit(x, vs->dirty[y]);
2947             }
2948             has_dirty++;
2949         }
2950 
2951         y++;
2952     }
2953     qemu_pixman_image_unref(tmpbuf);
2954     return has_dirty;
2955 }
2956 
2957 static void vnc_refresh(DisplayChangeListener *dcl)
2958 {
2959     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2960     VncState *vs, *vn;
2961     int has_dirty, rects = 0;
2962 
2963     if (QTAILQ_EMPTY(&vd->clients)) {
2964         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2965         return;
2966     }
2967 
2968     graphic_hw_update(vd->dcl.con);
2969 
2970     if (vnc_trylock_display(vd)) {
2971         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2972         return;
2973     }
2974 
2975     has_dirty = vnc_refresh_server_surface(vd);
2976     vnc_unlock_display(vd);
2977 
2978     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2979         rects += vnc_update_client(vs, has_dirty, false);
2980         /* vs might be free()ed here */
2981     }
2982 
2983     if (has_dirty && rects) {
2984         vd->dcl.update_interval /= 2;
2985         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2986             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2987         }
2988     } else {
2989         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2990         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2991             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2992         }
2993     }
2994 }
2995 
2996 static void vnc_connect(VncDisplay *vd, int csock,
2997                         bool skipauth, bool websocket)
2998 {
2999     VncState *vs = g_malloc0(sizeof(VncState));
3000     int i;
3001 
3002     vs->csock = csock;
3003     vs->vd = vd;
3004 
3005     if (skipauth) {
3006 	vs->auth = VNC_AUTH_NONE;
3007 #ifdef CONFIG_VNC_TLS
3008 	vs->subauth = VNC_AUTH_INVALID;
3009 #endif
3010     } else {
3011 	vs->auth = vd->auth;
3012 #ifdef CONFIG_VNC_TLS
3013 	vs->subauth = vd->subauth;
3014 #endif
3015     }
3016 
3017     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3018     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3019         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
3020     }
3021 
3022     VNC_DEBUG("New client on socket %d\n", csock);
3023     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3024     qemu_set_nonblock(vs->csock);
3025 #ifdef CONFIG_VNC_WS
3026     if (websocket) {
3027         vs->websocket = 1;
3028 #ifdef CONFIG_VNC_TLS
3029         if (vd->tls.x509cert) {
3030             qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_peek,
3031                                  NULL, vs);
3032         } else
3033 #endif /* CONFIG_VNC_TLS */
3034         {
3035             qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read,
3036                                  NULL, vs);
3037         }
3038     } else
3039 #endif /* CONFIG_VNC_WS */
3040     {
3041         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
3042     }
3043 
3044     vnc_client_cache_addr(vs);
3045     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3046     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3047 
3048 #ifdef CONFIG_VNC_WS
3049     if (!vs->websocket)
3050 #endif
3051     {
3052         vnc_init_state(vs);
3053     }
3054 
3055     if (vd->num_connecting > vd->connections_limit) {
3056         QTAILQ_FOREACH(vs, &vd->clients, next) {
3057             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3058                 vnc_disconnect_start(vs);
3059                 return;
3060             }
3061         }
3062     }
3063 }
3064 
3065 void vnc_init_state(VncState *vs)
3066 {
3067     vs->initialized = true;
3068     VncDisplay *vd = vs->vd;
3069 
3070     vs->last_x = -1;
3071     vs->last_y = -1;
3072 
3073     vs->as.freq = 44100;
3074     vs->as.nchannels = 2;
3075     vs->as.fmt = AUD_FMT_S16;
3076     vs->as.endianness = 0;
3077 
3078     qemu_mutex_init(&vs->output_mutex);
3079     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3080 
3081     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3082 
3083     graphic_hw_update(vd->dcl.con);
3084 
3085     vnc_write(vs, "RFB 003.008\n", 12);
3086     vnc_flush(vs);
3087     vnc_read_when(vs, protocol_version, 12);
3088     reset_keys(vs);
3089     if (vs->vd->lock_key_sync)
3090         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
3091 
3092     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3093     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3094 
3095     /* vs might be free()ed here */
3096 }
3097 
3098 static void vnc_listen_read(void *opaque, bool websocket)
3099 {
3100     VncDisplay *vs = opaque;
3101     struct sockaddr_in addr;
3102     socklen_t addrlen = sizeof(addr);
3103     int csock;
3104 
3105     /* Catch-up */
3106     graphic_hw_update(vs->dcl.con);
3107 #ifdef CONFIG_VNC_WS
3108     if (websocket) {
3109         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
3110     } else
3111 #endif /* CONFIG_VNC_WS */
3112     {
3113         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
3114     }
3115 
3116     if (csock != -1) {
3117         socket_set_nodelay(csock);
3118         vnc_connect(vs, csock, false, websocket);
3119     }
3120 }
3121 
3122 static void vnc_listen_regular_read(void *opaque)
3123 {
3124     vnc_listen_read(opaque, false);
3125 }
3126 
3127 #ifdef CONFIG_VNC_WS
3128 static void vnc_listen_websocket_read(void *opaque)
3129 {
3130     vnc_listen_read(opaque, true);
3131 }
3132 #endif /* CONFIG_VNC_WS */
3133 
3134 static const DisplayChangeListenerOps dcl_ops = {
3135     .dpy_name             = "vnc",
3136     .dpy_refresh          = vnc_refresh,
3137     .dpy_gfx_copy         = vnc_dpy_copy,
3138     .dpy_gfx_update       = vnc_dpy_update,
3139     .dpy_gfx_switch       = vnc_dpy_switch,
3140     .dpy_gfx_check_format = qemu_pixman_check_format,
3141     .dpy_mouse_set        = vnc_mouse_set,
3142     .dpy_cursor_define    = vnc_dpy_cursor_define,
3143 };
3144 
3145 void vnc_display_init(const char *id)
3146 {
3147     VncDisplay *vs;
3148 
3149     if (vnc_display_find(id) != NULL) {
3150         return;
3151     }
3152     vs = g_malloc0(sizeof(*vs));
3153 
3154     vs->id = strdup(id);
3155     QTAILQ_INSERT_TAIL(&vnc_displays, vs, next);
3156 
3157     vs->lsock = -1;
3158 #ifdef CONFIG_VNC_WS
3159     vs->lwebsock = -1;
3160 #endif
3161 
3162     QTAILQ_INIT(&vs->clients);
3163     vs->expires = TIME_MAX;
3164 
3165     if (keyboard_layout) {
3166         trace_vnc_key_map_init(keyboard_layout);
3167         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
3168     } else {
3169         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
3170     }
3171 
3172     if (!vs->kbd_layout)
3173         exit(1);
3174 
3175     qemu_mutex_init(&vs->mutex);
3176     vnc_start_worker_thread();
3177 
3178     vs->dcl.ops = &dcl_ops;
3179     register_displaychangelistener(&vs->dcl);
3180 }
3181 
3182 
3183 static void vnc_display_close(VncDisplay *vs)
3184 {
3185     if (!vs)
3186         return;
3187     g_free(vs->display);
3188     vs->display = NULL;
3189     if (vs->lsock != -1) {
3190         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
3191         close(vs->lsock);
3192         vs->lsock = -1;
3193     }
3194 #ifdef CONFIG_VNC_WS
3195     g_free(vs->ws_display);
3196     vs->ws_display = NULL;
3197     if (vs->lwebsock != -1) {
3198         qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
3199         close(vs->lwebsock);
3200         vs->lwebsock = -1;
3201     }
3202 #endif /* CONFIG_VNC_WS */
3203     vs->auth = VNC_AUTH_INVALID;
3204 #ifdef CONFIG_VNC_TLS
3205     vs->subauth = VNC_AUTH_INVALID;
3206     vs->tls.x509verify = 0;
3207 #endif
3208 }
3209 
3210 int vnc_display_password(const char *id, const char *password)
3211 {
3212     VncDisplay *vs = vnc_display_find(id);
3213 
3214     if (!vs) {
3215         return -EINVAL;
3216     }
3217     if (vs->auth == VNC_AUTH_NONE) {
3218         error_printf_unless_qmp("If you want use passwords please enable "
3219                                 "password auth using '-vnc ${dpy},password'.");
3220         return -EINVAL;
3221     }
3222 
3223     g_free(vs->password);
3224     vs->password = g_strdup(password);
3225 
3226     return 0;
3227 }
3228 
3229 int vnc_display_pw_expire(const char *id, time_t expires)
3230 {
3231     VncDisplay *vs = vnc_display_find(id);
3232 
3233     if (!vs) {
3234         return -EINVAL;
3235     }
3236 
3237     vs->expires = expires;
3238     return 0;
3239 }
3240 
3241 char *vnc_display_local_addr(const char *id)
3242 {
3243     VncDisplay *vs = vnc_display_find(id);
3244 
3245     return vnc_socket_local_addr("%s:%s", vs->lsock);
3246 }
3247 
3248 static QemuOptsList qemu_vnc_opts = {
3249     .name = "vnc",
3250     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3251     .implied_opt_name = "vnc",
3252     .desc = {
3253         {
3254             .name = "vnc",
3255             .type = QEMU_OPT_STRING,
3256         },{
3257             .name = "websocket",
3258             .type = QEMU_OPT_STRING,
3259         },{
3260             .name = "x509",
3261             .type = QEMU_OPT_STRING,
3262         },{
3263             .name = "share",
3264             .type = QEMU_OPT_STRING,
3265         },{
3266             .name = "display",
3267             .type = QEMU_OPT_STRING,
3268         },{
3269             .name = "head",
3270             .type = QEMU_OPT_NUMBER,
3271         },{
3272             .name = "connections",
3273             .type = QEMU_OPT_NUMBER,
3274         },{
3275             .name = "password",
3276             .type = QEMU_OPT_BOOL,
3277         },{
3278             .name = "reverse",
3279             .type = QEMU_OPT_BOOL,
3280         },{
3281             .name = "lock-key-sync",
3282             .type = QEMU_OPT_BOOL,
3283         },{
3284             .name = "sasl",
3285             .type = QEMU_OPT_BOOL,
3286         },{
3287             .name = "tls",
3288             .type = QEMU_OPT_BOOL,
3289         },{
3290             .name = "x509verify",
3291             .type = QEMU_OPT_BOOL,
3292         },{
3293             .name = "acl",
3294             .type = QEMU_OPT_BOOL,
3295         },{
3296             .name = "lossy",
3297             .type = QEMU_OPT_BOOL,
3298         },{
3299             .name = "non-adaptive",
3300             .type = QEMU_OPT_BOOL,
3301         },
3302         { /* end of list */ }
3303     },
3304 };
3305 
3306 void vnc_display_open(const char *id, Error **errp)
3307 {
3308     VncDisplay *vs = vnc_display_find(id);
3309     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3310     const char *display, *share, *device_id;
3311     QemuConsole *con;
3312     int password = 0;
3313     int reverse = 0;
3314 #ifdef CONFIG_VNC_WS
3315     const char *websocket;
3316 #endif
3317 #ifdef CONFIG_VNC_TLS
3318     int tls = 0, x509 = 0;
3319     const char *path;
3320 #endif
3321 #ifdef CONFIG_VNC_SASL
3322     int sasl = 0;
3323     int saslErr;
3324 #endif
3325 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3326     int acl = 0;
3327 #endif
3328     int lock_key_sync = 1;
3329 
3330     if (!vs) {
3331         error_setg(errp, "VNC display not active");
3332         return;
3333     }
3334     vnc_display_close(vs);
3335 
3336     if (!opts) {
3337         return;
3338     }
3339     display = qemu_opt_get(opts, "vnc");
3340     if (!display || strcmp(display, "none") == 0) {
3341         return;
3342     }
3343     vs->display = g_strdup(display);
3344 
3345     password = qemu_opt_get_bool(opts, "password", false);
3346     if (password && fips_get_state()) {
3347         error_setg(errp,
3348                    "VNC password auth disabled due to FIPS mode, "
3349                    "consider using the VeNCrypt or SASL authentication "
3350                    "methods as an alternative");
3351         goto fail;
3352     }
3353 
3354     reverse = qemu_opt_get_bool(opts, "reverse", false);
3355     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3356 #ifdef CONFIG_VNC_SASL
3357     sasl = qemu_opt_get_bool(opts, "sasl", false);
3358 #endif
3359 #ifdef CONFIG_VNC_TLS
3360     tls  = qemu_opt_get_bool(opts, "tls", false);
3361     path = qemu_opt_get(opts, "x509");
3362     if (path) {
3363         x509 = 1;
3364         vs->tls.x509verify = qemu_opt_get_bool(opts, "x509verify", false);
3365         if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
3366             error_setg(errp, "Failed to find x509 certificates/keys in %s",
3367                        path);
3368             goto fail;
3369         }
3370     }
3371 #endif
3372 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3373     acl = qemu_opt_get_bool(opts, "acl", false);
3374 #endif
3375 
3376     share = qemu_opt_get(opts, "share");
3377     if (share) {
3378         if (strcmp(share, "ignore") == 0) {
3379             vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3380         } else if (strcmp(share, "allow-exclusive") == 0) {
3381             vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3382         } else if (strcmp(share, "force-shared") == 0) {
3383             vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3384         } else {
3385             error_setg(errp, "unknown vnc share= option");
3386             goto fail;
3387         }
3388     } else {
3389         vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3390     }
3391     vs->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3392 
3393  #ifdef CONFIG_VNC_WS
3394     websocket = qemu_opt_get(opts, "websocket");
3395     if (websocket) {
3396         /* extract the host specification from display */
3397         char  *host = NULL, *host_end = NULL;
3398         vs->websocket = 1;
3399 
3400         /* ipv6 hosts have colons */
3401         host_end = strrchr(display, ':');
3402         if (host_end) {
3403             host = g_strndup(display, host_end - display + 1);
3404         } else {
3405             host = g_strdup(":");
3406         }
3407         vs->ws_display = g_strconcat(host, websocket, NULL);
3408         g_free(host);
3409     }
3410 #endif /* CONFIG_VNC_WS */
3411 
3412 #ifdef CONFIG_VNC_JPEG
3413     vs->lossy = qemu_opt_get_bool(opts, "lossy", false);
3414 #endif
3415     vs->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3416     /* adaptive updates are only used with tight encoding and
3417      * if lossy updates are enabled so we can disable all the
3418      * calculations otherwise */
3419     if (!vs->lossy) {
3420         vs->non_adaptive = true;
3421     }
3422 
3423 #ifdef CONFIG_VNC_TLS
3424     if (acl && x509 && vs->tls.x509verify) {
3425         char *aclname;
3426 
3427         if (strcmp(vs->id, "default") == 0) {
3428             aclname = g_strdup("vnc.x509dname");
3429         } else {
3430             aclname = g_strdup_printf("vnc.%s.x509dname", vs->id);
3431         }
3432         vs->tls.acl = qemu_acl_init(aclname);
3433         if (!vs->tls.acl) {
3434             fprintf(stderr, "Failed to create x509 dname ACL\n");
3435             exit(1);
3436         }
3437         g_free(aclname);
3438     }
3439 #endif
3440 #ifdef CONFIG_VNC_SASL
3441     if (acl && sasl) {
3442         char *aclname;
3443 
3444         if (strcmp(vs->id, "default") == 0) {
3445             aclname = g_strdup("vnc.username");
3446         } else {
3447             aclname = g_strdup_printf("vnc.%s.username", vs->id);
3448         }
3449         vs->sasl.acl = qemu_acl_init(aclname);
3450         if (!vs->sasl.acl) {
3451             fprintf(stderr, "Failed to create username ACL\n");
3452             exit(1);
3453         }
3454         g_free(aclname);
3455     }
3456 #endif
3457 
3458     /*
3459      * Combinations we support here:
3460      *
3461      *  - no-auth                (clear text, no auth)
3462      *  - password               (clear text, weak auth)
3463      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
3464      *  - tls                    (encrypt, weak anonymous creds, no auth)
3465      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
3466      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
3467      *  - tls + x509             (encrypt, good x509 creds, no auth)
3468      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
3469      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
3470      *
3471      * NB1. TLS is a stackable auth scheme.
3472      * NB2. the x509 schemes have option to validate a client cert dname
3473      */
3474     if (password) {
3475 #ifdef CONFIG_VNC_TLS
3476         if (tls) {
3477             vs->auth = VNC_AUTH_VENCRYPT;
3478             if (x509) {
3479                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3480                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3481             } else {
3482                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3483                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3484             }
3485         } else {
3486 #endif /* CONFIG_VNC_TLS */
3487             VNC_DEBUG("Initializing VNC server with password auth\n");
3488             vs->auth = VNC_AUTH_VNC;
3489 #ifdef CONFIG_VNC_TLS
3490             vs->subauth = VNC_AUTH_INVALID;
3491         }
3492 #endif /* CONFIG_VNC_TLS */
3493 #ifdef CONFIG_VNC_SASL
3494     } else if (sasl) {
3495 #ifdef CONFIG_VNC_TLS
3496         if (tls) {
3497             vs->auth = VNC_AUTH_VENCRYPT;
3498             if (x509) {
3499                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3500                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3501             } else {
3502                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3503                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3504             }
3505         } else {
3506 #endif /* CONFIG_VNC_TLS */
3507             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3508             vs->auth = VNC_AUTH_SASL;
3509 #ifdef CONFIG_VNC_TLS
3510             vs->subauth = VNC_AUTH_INVALID;
3511         }
3512 #endif /* CONFIG_VNC_TLS */
3513 #endif /* CONFIG_VNC_SASL */
3514     } else {
3515 #ifdef CONFIG_VNC_TLS
3516         if (tls) {
3517             vs->auth = VNC_AUTH_VENCRYPT;
3518             if (x509) {
3519                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3520                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3521             } else {
3522                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3523                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3524             }
3525         } else {
3526 #endif
3527             VNC_DEBUG("Initializing VNC server with no auth\n");
3528             vs->auth = VNC_AUTH_NONE;
3529 #ifdef CONFIG_VNC_TLS
3530             vs->subauth = VNC_AUTH_INVALID;
3531         }
3532 #endif
3533     }
3534 
3535 #ifdef CONFIG_VNC_SASL
3536     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3537         error_setg(errp, "Failed to initialize SASL auth: %s",
3538                    sasl_errstring(saslErr, NULL, NULL));
3539         goto fail;
3540     }
3541 #endif
3542     vs->lock_key_sync = lock_key_sync;
3543 
3544     device_id = qemu_opt_get(opts, "display");
3545     if (device_id) {
3546         DeviceState *dev;
3547         int head = qemu_opt_get_number(opts, "head", 0);
3548 
3549         dev = qdev_find_recursive(sysbus_get_default(), device_id);
3550         if (dev == NULL) {
3551             error_set(errp, QERR_DEVICE_NOT_FOUND, device_id);
3552             goto fail;
3553         }
3554 
3555         con = qemu_console_lookup_by_device(dev, head);
3556         if (con == NULL) {
3557             error_setg(errp, "Device %s is not bound to a QemuConsole",
3558                        device_id);
3559             goto fail;
3560         }
3561     } else {
3562         con = NULL;
3563     }
3564 
3565     if (con != vs->dcl.con) {
3566         unregister_displaychangelistener(&vs->dcl);
3567         vs->dcl.con = con;
3568         register_displaychangelistener(&vs->dcl);
3569     }
3570 
3571     if (reverse) {
3572         /* connect to viewer */
3573         int csock;
3574         vs->lsock = -1;
3575 #ifdef CONFIG_VNC_WS
3576         vs->lwebsock = -1;
3577 #endif
3578         if (strncmp(display, "unix:", 5) == 0) {
3579             csock = unix_connect(display+5, errp);
3580         } else {
3581             csock = inet_connect(display, errp);
3582         }
3583         if (csock < 0) {
3584             goto fail;
3585         }
3586         vnc_connect(vs, csock, false, false);
3587     } else {
3588         /* listen for connects */
3589         char *dpy;
3590         dpy = g_malloc(256);
3591         if (strncmp(display, "unix:", 5) == 0) {
3592             pstrcpy(dpy, 256, "unix:");
3593             vs->lsock = unix_listen(display+5, dpy+5, 256-5, errp);
3594         } else {
3595             vs->lsock = inet_listen(display, dpy, 256,
3596                                     SOCK_STREAM, 5900, errp);
3597             if (vs->lsock < 0) {
3598                 g_free(dpy);
3599                 goto fail;
3600             }
3601 #ifdef CONFIG_VNC_WS
3602             if (vs->websocket) {
3603                 if (vs->ws_display) {
3604                     vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
3605                         SOCK_STREAM, 0, errp);
3606                 } else {
3607                     vs->lwebsock = inet_listen(vs->display, NULL, 256,
3608                         SOCK_STREAM, 5700, errp);
3609                 }
3610 
3611                 if (vs->lwebsock < 0) {
3612                     if (vs->lsock) {
3613                         close(vs->lsock);
3614                         vs->lsock = -1;
3615                     }
3616                     g_free(dpy);
3617                     goto fail;
3618                 }
3619             }
3620 #endif /* CONFIG_VNC_WS */
3621         }
3622         g_free(vs->display);
3623         vs->display = dpy;
3624         qemu_set_fd_handler2(vs->lsock, NULL,
3625                 vnc_listen_regular_read, NULL, vs);
3626 #ifdef CONFIG_VNC_WS
3627         if (vs->websocket) {
3628             qemu_set_fd_handler2(vs->lwebsock, NULL,
3629                     vnc_listen_websocket_read, NULL, vs);
3630         }
3631 #endif /* CONFIG_VNC_WS */
3632     }
3633     return;
3634 
3635 fail:
3636     g_free(vs->display);
3637     vs->display = NULL;
3638 #ifdef CONFIG_VNC_WS
3639     g_free(vs->ws_display);
3640     vs->ws_display = NULL;
3641 #endif /* CONFIG_VNC_WS */
3642 }
3643 
3644 void vnc_display_add_client(const char *id, int csock, bool skipauth)
3645 {
3646     VncDisplay *vs = vnc_display_find(id);
3647 
3648     if (!vs) {
3649         return;
3650     }
3651     vnc_connect(vs, csock, skipauth, false);
3652 }
3653 
3654 QemuOpts *vnc_parse_func(const char *str)
3655 {
3656     return qemu_opts_parse(qemu_find_opts("vnc"), str, 1);
3657 }
3658 
3659 int vnc_init_func(QemuOpts *opts, void *opaque)
3660 {
3661     Error *local_err = NULL;
3662     QemuOptsList *olist = qemu_find_opts("vnc");
3663     char *id = (char *)qemu_opts_id(opts);
3664 
3665     if (!id) {
3666         /* auto-assign id if not present */
3667         int i = 2;
3668         id = g_strdup("default");
3669         while (qemu_opts_find(olist, id)) {
3670             g_free(id);
3671             id = g_strdup_printf("vnc%d", i++);
3672         }
3673         qemu_opts_set_id(opts, id);
3674     }
3675 
3676     vnc_display_init(id);
3677     vnc_display_open(id, &local_err);
3678     if (local_err != NULL) {
3679         error_report("Failed to start VNC server on `%s': %s",
3680                      qemu_opt_get(opts, "display"),
3681                      error_get_pretty(local_err));
3682         error_free(local_err);
3683         exit(1);
3684     }
3685     return 0;
3686 }
3687 
3688 static void vnc_register_config(void)
3689 {
3690     qemu_add_opts(&qemu_vnc_opts);
3691 }
3692 machine_init(vnc_register_config);
3693