xref: /openbmc/qemu/ui/vnc.c (revision 22709e90)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "sysemu/sysemu.h"
30 #include "qemu/sockets.h"
31 #include "qemu/timer.h"
32 #include "qemu/acl.h"
33 #include "qapi/qmp/types.h"
34 #include "qmp-commands.h"
35 #include "qemu/osdep.h"
36 #include "ui/input.h"
37 
38 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
39 #define VNC_REFRESH_INTERVAL_INC  50
40 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
41 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
42 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
43 
44 #include "vnc_keysym.h"
45 #include "d3des.h"
46 
47 static VncDisplay *vnc_display; /* needed for info vnc */
48 
49 static int vnc_cursor_define(VncState *vs);
50 static void vnc_release_modifiers(VncState *vs);
51 
52 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
53 {
54 #ifdef _VNC_DEBUG
55     static const char *mn[] = {
56         [0]                           = "undefined",
57         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
58         [VNC_SHARE_MODE_SHARED]       = "shared",
59         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
60         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
61     };
62     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
63             vs->csock, mn[vs->share_mode], mn[mode]);
64 #endif
65 
66     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
67         vs->vd->num_exclusive--;
68     }
69     vs->share_mode = mode;
70     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
71         vs->vd->num_exclusive++;
72     }
73 }
74 
75 static char *addr_to_string(const char *format,
76                             struct sockaddr_storage *sa,
77                             socklen_t salen) {
78     char *addr;
79     char host[NI_MAXHOST];
80     char serv[NI_MAXSERV];
81     int err;
82     size_t addrlen;
83 
84     if ((err = getnameinfo((struct sockaddr *)sa, salen,
85                            host, sizeof(host),
86                            serv, sizeof(serv),
87                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
88         VNC_DEBUG("Cannot resolve address %d: %s\n",
89                   err, gai_strerror(err));
90         return NULL;
91     }
92 
93     /* Enough for the existing format + the 2 vars we're
94      * substituting in. */
95     addrlen = strlen(format) + strlen(host) + strlen(serv);
96     addr = g_malloc(addrlen + 1);
97     snprintf(addr, addrlen, format, host, serv);
98     addr[addrlen] = '\0';
99 
100     return addr;
101 }
102 
103 
104 char *vnc_socket_local_addr(const char *format, int fd) {
105     struct sockaddr_storage sa;
106     socklen_t salen;
107 
108     salen = sizeof(sa);
109     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
110         return NULL;
111 
112     return addr_to_string(format, &sa, salen);
113 }
114 
115 char *vnc_socket_remote_addr(const char *format, int fd) {
116     struct sockaddr_storage sa;
117     socklen_t salen;
118 
119     salen = sizeof(sa);
120     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
121         return NULL;
122 
123     return addr_to_string(format, &sa, salen);
124 }
125 
126 static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,
127                           socklen_t salen)
128 {
129     char host[NI_MAXHOST];
130     char serv[NI_MAXSERV];
131     int err;
132 
133     if ((err = getnameinfo((struct sockaddr *)sa, salen,
134                            host, sizeof(host),
135                            serv, sizeof(serv),
136                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
137         VNC_DEBUG("Cannot resolve address %d: %s\n",
138                   err, gai_strerror(err));
139         return -1;
140     }
141 
142     qdict_put(qdict, "host", qstring_from_str(host));
143     qdict_put(qdict, "service", qstring_from_str(serv));
144     qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));
145 
146     return 0;
147 }
148 
149 static int vnc_server_addr_put(QDict *qdict, int fd)
150 {
151     struct sockaddr_storage sa;
152     socklen_t salen;
153 
154     salen = sizeof(sa);
155     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
156         return -1;
157     }
158 
159     return put_addr_qdict(qdict, &sa, salen);
160 }
161 
162 static int vnc_qdict_remote_addr(QDict *qdict, int fd)
163 {
164     struct sockaddr_storage sa;
165     socklen_t salen;
166 
167     salen = sizeof(sa);
168     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
169         return -1;
170     }
171 
172     return put_addr_qdict(qdict, &sa, salen);
173 }
174 
175 static const char *vnc_auth_name(VncDisplay *vd) {
176     switch (vd->auth) {
177     case VNC_AUTH_INVALID:
178         return "invalid";
179     case VNC_AUTH_NONE:
180         return "none";
181     case VNC_AUTH_VNC:
182         return "vnc";
183     case VNC_AUTH_RA2:
184         return "ra2";
185     case VNC_AUTH_RA2NE:
186         return "ra2ne";
187     case VNC_AUTH_TIGHT:
188         return "tight";
189     case VNC_AUTH_ULTRA:
190         return "ultra";
191     case VNC_AUTH_TLS:
192         return "tls";
193     case VNC_AUTH_VENCRYPT:
194 #ifdef CONFIG_VNC_TLS
195         switch (vd->subauth) {
196         case VNC_AUTH_VENCRYPT_PLAIN:
197             return "vencrypt+plain";
198         case VNC_AUTH_VENCRYPT_TLSNONE:
199             return "vencrypt+tls+none";
200         case VNC_AUTH_VENCRYPT_TLSVNC:
201             return "vencrypt+tls+vnc";
202         case VNC_AUTH_VENCRYPT_TLSPLAIN:
203             return "vencrypt+tls+plain";
204         case VNC_AUTH_VENCRYPT_X509NONE:
205             return "vencrypt+x509+none";
206         case VNC_AUTH_VENCRYPT_X509VNC:
207             return "vencrypt+x509+vnc";
208         case VNC_AUTH_VENCRYPT_X509PLAIN:
209             return "vencrypt+x509+plain";
210         case VNC_AUTH_VENCRYPT_TLSSASL:
211             return "vencrypt+tls+sasl";
212         case VNC_AUTH_VENCRYPT_X509SASL:
213             return "vencrypt+x509+sasl";
214         default:
215             return "vencrypt";
216         }
217 #else
218         return "vencrypt";
219 #endif
220     case VNC_AUTH_SASL:
221         return "sasl";
222     }
223     return "unknown";
224 }
225 
226 static int vnc_server_info_put(QDict *qdict)
227 {
228     if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {
229         return -1;
230     }
231 
232     qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));
233     return 0;
234 }
235 
236 static void vnc_client_cache_auth(VncState *client)
237 {
238 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
239     QDict *qdict;
240 #endif
241 
242     if (!client->info) {
243         return;
244     }
245 
246 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
247     qdict = qobject_to_qdict(client->info);
248 #endif
249 
250 #ifdef CONFIG_VNC_TLS
251     if (client->tls.session &&
252         client->tls.dname) {
253         qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));
254     }
255 #endif
256 #ifdef CONFIG_VNC_SASL
257     if (client->sasl.conn &&
258         client->sasl.username) {
259         qdict_put(qdict, "sasl_username",
260                   qstring_from_str(client->sasl.username));
261     }
262 #endif
263 }
264 
265 static void vnc_client_cache_addr(VncState *client)
266 {
267     QDict *qdict;
268 
269     qdict = qdict_new();
270     if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {
271         QDECREF(qdict);
272         /* XXX: how to report the error? */
273         return;
274     }
275 
276     client->info = QOBJECT(qdict);
277 }
278 
279 static void vnc_qmp_event(VncState *vs, MonitorEvent event)
280 {
281     QDict *server;
282     QObject *data;
283 
284     if (!vs->info) {
285         return;
286     }
287 
288     server = qdict_new();
289     if (vnc_server_info_put(server) < 0) {
290         QDECREF(server);
291         return;
292     }
293 
294     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
295                               vs->info, QOBJECT(server));
296 
297     monitor_protocol_event(event, data);
298 
299     qobject_incref(vs->info);
300     qobject_decref(data);
301 }
302 
303 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
304 {
305     struct sockaddr_storage sa;
306     socklen_t salen = sizeof(sa);
307     char host[NI_MAXHOST];
308     char serv[NI_MAXSERV];
309     VncClientInfo *info;
310 
311     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
312         return NULL;
313     }
314 
315     if (getnameinfo((struct sockaddr *)&sa, salen,
316                     host, sizeof(host),
317                     serv, sizeof(serv),
318                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
319         return NULL;
320     }
321 
322     info = g_malloc0(sizeof(*info));
323     info->host = g_strdup(host);
324     info->service = g_strdup(serv);
325     info->family = g_strdup(inet_strfamily(sa.ss_family));
326 
327 #ifdef CONFIG_VNC_TLS
328     if (client->tls.session && client->tls.dname) {
329         info->has_x509_dname = true;
330         info->x509_dname = g_strdup(client->tls.dname);
331     }
332 #endif
333 #ifdef CONFIG_VNC_SASL
334     if (client->sasl.conn && client->sasl.username) {
335         info->has_sasl_username = true;
336         info->sasl_username = g_strdup(client->sasl.username);
337     }
338 #endif
339 
340     return info;
341 }
342 
343 VncInfo *qmp_query_vnc(Error **errp)
344 {
345     VncInfo *info = g_malloc0(sizeof(*info));
346 
347     if (vnc_display == NULL || vnc_display->display == NULL) {
348         info->enabled = false;
349     } else {
350         VncClientInfoList *cur_item = NULL;
351         struct sockaddr_storage sa;
352         socklen_t salen = sizeof(sa);
353         char host[NI_MAXHOST];
354         char serv[NI_MAXSERV];
355         VncState *client;
356 
357         info->enabled = true;
358 
359         /* for compatibility with the original command */
360         info->has_clients = true;
361 
362         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
363             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
364             cinfo->value = qmp_query_vnc_client(client);
365 
366             /* XXX: waiting for the qapi to support GSList */
367             if (!cur_item) {
368                 info->clients = cur_item = cinfo;
369             } else {
370                 cur_item->next = cinfo;
371                 cur_item = cinfo;
372             }
373         }
374 
375         if (vnc_display->lsock == -1) {
376             return info;
377         }
378 
379         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
380                         &salen) == -1) {
381             error_set(errp, QERR_UNDEFINED_ERROR);
382             goto out_error;
383         }
384 
385         if (getnameinfo((struct sockaddr *)&sa, salen,
386                         host, sizeof(host),
387                         serv, sizeof(serv),
388                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
389             error_set(errp, QERR_UNDEFINED_ERROR);
390             goto out_error;
391         }
392 
393         info->has_host = true;
394         info->host = g_strdup(host);
395 
396         info->has_service = true;
397         info->service = g_strdup(serv);
398 
399         info->has_family = true;
400         info->family = g_strdup(inet_strfamily(sa.ss_family));
401 
402         info->has_auth = true;
403         info->auth = g_strdup(vnc_auth_name(vnc_display));
404     }
405 
406     return info;
407 
408 out_error:
409     qapi_free_VncInfo(info);
410     return NULL;
411 }
412 
413 /* TODO
414    1) Get the queue working for IO.
415    2) there is some weirdness when using the -S option (the screen is grey
416       and not totally invalidated
417    3) resolutions > 1024
418 */
419 
420 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
421 static void vnc_disconnect_start(VncState *vs);
422 
423 static void vnc_colordepth(VncState *vs);
424 static void framebuffer_update_request(VncState *vs, int incremental,
425                                        int x_position, int y_position,
426                                        int w, int h);
427 static void vnc_refresh(DisplayChangeListener *dcl);
428 static int vnc_refresh_server_surface(VncDisplay *vd);
429 
430 static void vnc_dpy_update(DisplayChangeListener *dcl,
431                            int x, int y, int w, int h)
432 {
433     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
434     struct VncSurface *s = &vd->guest;
435     int width = surface_width(vd->ds);
436     int height = surface_height(vd->ds);
437 
438     /* this is needed this to ensure we updated all affected
439      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
440     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
441     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
442 
443     x = MIN(x, width);
444     y = MIN(y, height);
445     w = MIN(x + w, width) - x;
446     h = MIN(y + h, height);
447 
448     for (; y < h; y++) {
449         bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
450                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
451     }
452 }
453 
454 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
455                             int32_t encoding)
456 {
457     vnc_write_u16(vs, x);
458     vnc_write_u16(vs, y);
459     vnc_write_u16(vs, w);
460     vnc_write_u16(vs, h);
461 
462     vnc_write_s32(vs, encoding);
463 }
464 
465 void buffer_reserve(Buffer *buffer, size_t len)
466 {
467     if ((buffer->capacity - buffer->offset) < len) {
468         buffer->capacity += (len + 1024);
469         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
470         if (buffer->buffer == NULL) {
471             fprintf(stderr, "vnc: out of memory\n");
472             exit(1);
473         }
474     }
475 }
476 
477 static int buffer_empty(Buffer *buffer)
478 {
479     return buffer->offset == 0;
480 }
481 
482 uint8_t *buffer_end(Buffer *buffer)
483 {
484     return buffer->buffer + buffer->offset;
485 }
486 
487 void buffer_reset(Buffer *buffer)
488 {
489         buffer->offset = 0;
490 }
491 
492 void buffer_free(Buffer *buffer)
493 {
494     g_free(buffer->buffer);
495     buffer->offset = 0;
496     buffer->capacity = 0;
497     buffer->buffer = NULL;
498 }
499 
500 void buffer_append(Buffer *buffer, const void *data, size_t len)
501 {
502     memcpy(buffer->buffer + buffer->offset, data, len);
503     buffer->offset += len;
504 }
505 
506 void buffer_advance(Buffer *buf, size_t len)
507 {
508     memmove(buf->buffer, buf->buffer + len,
509             (buf->offset - len));
510     buf->offset -= len;
511 }
512 
513 static void vnc_desktop_resize(VncState *vs)
514 {
515     DisplaySurface *ds = vs->vd->ds;
516 
517     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
518         return;
519     }
520     if (vs->client_width == surface_width(ds) &&
521         vs->client_height == surface_height(ds)) {
522         return;
523     }
524     vs->client_width = surface_width(ds);
525     vs->client_height = surface_height(ds);
526     vnc_lock_output(vs);
527     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
528     vnc_write_u8(vs, 0);
529     vnc_write_u16(vs, 1); /* number of rects */
530     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
531                            VNC_ENCODING_DESKTOPRESIZE);
532     vnc_unlock_output(vs);
533     vnc_flush(vs);
534 }
535 
536 static void vnc_abort_display_jobs(VncDisplay *vd)
537 {
538     VncState *vs;
539 
540     QTAILQ_FOREACH(vs, &vd->clients, next) {
541         vnc_lock_output(vs);
542         vs->abort = true;
543         vnc_unlock_output(vs);
544     }
545     QTAILQ_FOREACH(vs, &vd->clients, next) {
546         vnc_jobs_join(vs);
547     }
548     QTAILQ_FOREACH(vs, &vd->clients, next) {
549         vnc_lock_output(vs);
550         vs->abort = false;
551         vnc_unlock_output(vs);
552     }
553 }
554 
555 int vnc_server_fb_stride(VncDisplay *vd)
556 {
557     return pixman_image_get_stride(vd->server);
558 }
559 
560 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
561 {
562     uint8_t *ptr;
563 
564     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
565     ptr += y * vnc_server_fb_stride(vd);
566     ptr += x * VNC_SERVER_FB_BYTES;
567     return ptr;
568 }
569 /* this sets only the visible pixels of a dirty bitmap */
570 #define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
571         int y;\
572         memset(bitmap, 0x00, sizeof(bitmap));\
573         for (y = 0; y < h; y++) {\
574             bitmap_set(bitmap[y], 0,\
575                        DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
576         } \
577     }
578 
579 static void vnc_dpy_switch(DisplayChangeListener *dcl,
580                            DisplaySurface *surface)
581 {
582     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
583     VncState *vs;
584 
585     vnc_abort_display_jobs(vd);
586 
587     /* server surface */
588     qemu_pixman_image_unref(vd->server);
589     vd->ds = surface;
590     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
591                                           surface_width(vd->ds),
592                                           surface_height(vd->ds),
593                                           NULL, 0);
594 
595     /* guest surface */
596 #if 0 /* FIXME */
597     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
598         console_color_init(ds);
599 #endif
600     qemu_pixman_image_unref(vd->guest.fb);
601     vd->guest.fb = pixman_image_ref(surface->image);
602     vd->guest.format = surface->format;
603     VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
604                                  surface_width(vd->ds),
605                                  surface_height(vd->ds));
606 
607     QTAILQ_FOREACH(vs, &vd->clients, next) {
608         vnc_colordepth(vs);
609         vnc_desktop_resize(vs);
610         if (vs->vd->cursor) {
611             vnc_cursor_define(vs);
612         }
613         VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
614                                      surface_width(vd->ds),
615                                      surface_height(vd->ds));
616     }
617 }
618 
619 /* fastest code */
620 static void vnc_write_pixels_copy(VncState *vs,
621                                   void *pixels, int size)
622 {
623     vnc_write(vs, pixels, size);
624 }
625 
626 /* slowest but generic code. */
627 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
628 {
629     uint8_t r, g, b;
630 
631 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
632     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
633     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
634     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
635 #else
636 # error need some bits here if you change VNC_SERVER_FB_FORMAT
637 #endif
638     v = (r << vs->client_pf.rshift) |
639         (g << vs->client_pf.gshift) |
640         (b << vs->client_pf.bshift);
641     switch (vs->client_pf.bytes_per_pixel) {
642     case 1:
643         buf[0] = v;
644         break;
645     case 2:
646         if (vs->client_be) {
647             buf[0] = v >> 8;
648             buf[1] = v;
649         } else {
650             buf[1] = v >> 8;
651             buf[0] = v;
652         }
653         break;
654     default:
655     case 4:
656         if (vs->client_be) {
657             buf[0] = v >> 24;
658             buf[1] = v >> 16;
659             buf[2] = v >> 8;
660             buf[3] = v;
661         } else {
662             buf[3] = v >> 24;
663             buf[2] = v >> 16;
664             buf[1] = v >> 8;
665             buf[0] = v;
666         }
667         break;
668     }
669 }
670 
671 static void vnc_write_pixels_generic(VncState *vs,
672                                      void *pixels1, int size)
673 {
674     uint8_t buf[4];
675 
676     if (VNC_SERVER_FB_BYTES == 4) {
677         uint32_t *pixels = pixels1;
678         int n, i;
679         n = size >> 2;
680         for (i = 0; i < n; i++) {
681             vnc_convert_pixel(vs, buf, pixels[i]);
682             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
683         }
684     }
685 }
686 
687 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
688 {
689     int i;
690     uint8_t *row;
691     VncDisplay *vd = vs->vd;
692 
693     row = vnc_server_fb_ptr(vd, x, y);
694     for (i = 0; i < h; i++) {
695         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
696         row += vnc_server_fb_stride(vd);
697     }
698     return 1;
699 }
700 
701 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
702 {
703     int n = 0;
704 
705     switch(vs->vnc_encoding) {
706         case VNC_ENCODING_ZLIB:
707             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
708             break;
709         case VNC_ENCODING_HEXTILE:
710             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
711             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
712             break;
713         case VNC_ENCODING_TIGHT:
714             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
715             break;
716         case VNC_ENCODING_TIGHT_PNG:
717             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
718             break;
719         case VNC_ENCODING_ZRLE:
720             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
721             break;
722         case VNC_ENCODING_ZYWRLE:
723             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
724             break;
725         default:
726             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
727             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
728             break;
729     }
730     return n;
731 }
732 
733 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
734 {
735     /* send bitblit op to the vnc client */
736     vnc_lock_output(vs);
737     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
738     vnc_write_u8(vs, 0);
739     vnc_write_u16(vs, 1); /* number of rects */
740     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
741     vnc_write_u16(vs, src_x);
742     vnc_write_u16(vs, src_y);
743     vnc_unlock_output(vs);
744     vnc_flush(vs);
745 }
746 
747 static void vnc_dpy_copy(DisplayChangeListener *dcl,
748                          int src_x, int src_y,
749                          int dst_x, int dst_y, int w, int h)
750 {
751     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
752     VncState *vs, *vn;
753     uint8_t *src_row;
754     uint8_t *dst_row;
755     int i, x, y, pitch, inc, w_lim, s;
756     int cmp_bytes;
757 
758     vnc_refresh_server_surface(vd);
759     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
760         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
761             vs->force_update = 1;
762             vnc_update_client(vs, 1, true);
763             /* vs might be free()ed here */
764         }
765     }
766 
767     /* do bitblit op on the local surface too */
768     pitch = vnc_server_fb_stride(vd);
769     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
770     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
771     y = dst_y;
772     inc = 1;
773     if (dst_y > src_y) {
774         /* copy backwards */
775         src_row += pitch * (h-1);
776         dst_row += pitch * (h-1);
777         pitch = -pitch;
778         y = dst_y + h - 1;
779         inc = -1;
780     }
781     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
782     if (w_lim < 0) {
783         w_lim = w;
784     } else {
785         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
786     }
787     for (i = 0; i < h; i++) {
788         for (x = 0; x <= w_lim;
789                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
790             if (x == w_lim) {
791                 if ((s = w - w_lim) == 0)
792                     break;
793             } else if (!x) {
794                 s = (VNC_DIRTY_PIXELS_PER_BIT -
795                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
796                 s = MIN(s, w_lim);
797             } else {
798                 s = VNC_DIRTY_PIXELS_PER_BIT;
799             }
800             cmp_bytes = s * VNC_SERVER_FB_BYTES;
801             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
802                 continue;
803             memmove(dst_row, src_row, cmp_bytes);
804             QTAILQ_FOREACH(vs, &vd->clients, next) {
805                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
806                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
807                             vs->dirty[y]);
808                 }
809             }
810         }
811         src_row += pitch - w * VNC_SERVER_FB_BYTES;
812         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
813         y += inc;
814     }
815 
816     QTAILQ_FOREACH(vs, &vd->clients, next) {
817         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
818             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
819         }
820     }
821 }
822 
823 static void vnc_mouse_set(DisplayChangeListener *dcl,
824                           int x, int y, int visible)
825 {
826     /* can we ask the client(s) to move the pointer ??? */
827 }
828 
829 static int vnc_cursor_define(VncState *vs)
830 {
831     QEMUCursor *c = vs->vd->cursor;
832     int isize;
833 
834     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
835         vnc_lock_output(vs);
836         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
837         vnc_write_u8(vs,  0);  /*  padding     */
838         vnc_write_u16(vs, 1);  /*  # of rects  */
839         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
840                                VNC_ENCODING_RICH_CURSOR);
841         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
842         vnc_write_pixels_generic(vs, c->data, isize);
843         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
844         vnc_unlock_output(vs);
845         return 0;
846     }
847     return -1;
848 }
849 
850 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
851                                   QEMUCursor *c)
852 {
853     VncDisplay *vd = vnc_display;
854     VncState *vs;
855 
856     cursor_put(vd->cursor);
857     g_free(vd->cursor_mask);
858 
859     vd->cursor = c;
860     cursor_get(vd->cursor);
861     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
862     vd->cursor_mask = g_malloc0(vd->cursor_msize);
863     cursor_get_mono_mask(c, 0, vd->cursor_mask);
864 
865     QTAILQ_FOREACH(vs, &vd->clients, next) {
866         vnc_cursor_define(vs);
867     }
868 }
869 
870 static int find_and_clear_dirty_height(struct VncState *vs,
871                                        int y, int last_x, int x, int height)
872 {
873     int h;
874 
875     for (h = 1; h < (height - y); h++) {
876         if (!test_bit(last_x, vs->dirty[y + h])) {
877             break;
878         }
879         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
880     }
881 
882     return h;
883 }
884 
885 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
886 {
887     if (vs->need_update && vs->csock != -1) {
888         VncDisplay *vd = vs->vd;
889         VncJob *job;
890         int y;
891         int height, width;
892         int n = 0;
893 
894         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
895             /* kernel send buffers are full -> drop frames to throttle */
896             return 0;
897 
898         if (!has_dirty && !vs->audio_cap && !vs->force_update)
899             return 0;
900 
901         /*
902          * Send screen updates to the vnc client using the server
903          * surface and server dirty map.  guest surface updates
904          * happening in parallel don't disturb us, the next pass will
905          * send them to the client.
906          */
907         job = vnc_job_new(vs);
908 
909         height = MIN(pixman_image_get_height(vd->server), vs->client_height);
910         width = MIN(pixman_image_get_width(vd->server), vs->client_width);
911 
912         y = 0;
913         for (;;) {
914             int x, h;
915             unsigned long x2;
916             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
917                                                  height * VNC_DIRTY_BPL(vs),
918                                                  y * VNC_DIRTY_BPL(vs));
919             if (offset == height * VNC_DIRTY_BPL(vs)) {
920                 /* no more dirty bits */
921                 break;
922             }
923             y = offset / VNC_DIRTY_BPL(vs);
924             x = offset % VNC_DIRTY_BPL(vs);
925             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
926                                     VNC_DIRTY_BPL(vs), x);
927             bitmap_clear(vs->dirty[y], x, x2 - x);
928             h = find_and_clear_dirty_height(vs, y, x, x2, height);
929             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
930             if (x2 > x) {
931                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
932                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
933             }
934         }
935 
936         vnc_job_push(job);
937         vs->force_update = 0;
938         return n;
939     }
940 
941     if (vs->csock == -1) {
942         vnc_disconnect_finish(vs);
943     } else if (sync) {
944         vnc_jobs_join(vs);
945     }
946 
947     return 0;
948 }
949 
950 /* audio */
951 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
952 {
953     VncState *vs = opaque;
954 
955     switch (cmd) {
956     case AUD_CNOTIFY_DISABLE:
957         vnc_lock_output(vs);
958         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
959         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
960         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
961         vnc_unlock_output(vs);
962         vnc_flush(vs);
963         break;
964 
965     case AUD_CNOTIFY_ENABLE:
966         vnc_lock_output(vs);
967         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
968         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
969         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
970         vnc_unlock_output(vs);
971         vnc_flush(vs);
972         break;
973     }
974 }
975 
976 static void audio_capture_destroy(void *opaque)
977 {
978 }
979 
980 static void audio_capture(void *opaque, void *buf, int size)
981 {
982     VncState *vs = opaque;
983 
984     vnc_lock_output(vs);
985     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
986     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
987     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
988     vnc_write_u32(vs, size);
989     vnc_write(vs, buf, size);
990     vnc_unlock_output(vs);
991     vnc_flush(vs);
992 }
993 
994 static void audio_add(VncState *vs)
995 {
996     struct audio_capture_ops ops;
997 
998     if (vs->audio_cap) {
999         monitor_printf(default_mon, "audio already running\n");
1000         return;
1001     }
1002 
1003     ops.notify = audio_capture_notify;
1004     ops.destroy = audio_capture_destroy;
1005     ops.capture = audio_capture;
1006 
1007     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1008     if (!vs->audio_cap) {
1009         monitor_printf(default_mon, "Failed to add audio capture\n");
1010     }
1011 }
1012 
1013 static void audio_del(VncState *vs)
1014 {
1015     if (vs->audio_cap) {
1016         AUD_del_capture(vs->audio_cap, vs);
1017         vs->audio_cap = NULL;
1018     }
1019 }
1020 
1021 static void vnc_disconnect_start(VncState *vs)
1022 {
1023     if (vs->csock == -1)
1024         return;
1025     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1026     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1027     closesocket(vs->csock);
1028     vs->csock = -1;
1029 }
1030 
1031 void vnc_disconnect_finish(VncState *vs)
1032 {
1033     int i;
1034 
1035     vnc_jobs_join(vs); /* Wait encoding jobs */
1036 
1037     vnc_lock_output(vs);
1038     vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);
1039 
1040     buffer_free(&vs->input);
1041     buffer_free(&vs->output);
1042 #ifdef CONFIG_VNC_WS
1043     buffer_free(&vs->ws_input);
1044     buffer_free(&vs->ws_output);
1045 #endif /* CONFIG_VNC_WS */
1046 
1047     qobject_decref(vs->info);
1048 
1049     vnc_zlib_clear(vs);
1050     vnc_tight_clear(vs);
1051     vnc_zrle_clear(vs);
1052 
1053 #ifdef CONFIG_VNC_TLS
1054     vnc_tls_client_cleanup(vs);
1055 #endif /* CONFIG_VNC_TLS */
1056 #ifdef CONFIG_VNC_SASL
1057     vnc_sasl_client_cleanup(vs);
1058 #endif /* CONFIG_VNC_SASL */
1059     audio_del(vs);
1060     vnc_release_modifiers(vs);
1061 
1062     if (vs->initialized) {
1063         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1064         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1065     }
1066 
1067     if (vs->vd->lock_key_sync)
1068         qemu_remove_led_event_handler(vs->led);
1069     vnc_unlock_output(vs);
1070 
1071     qemu_mutex_destroy(&vs->output_mutex);
1072     if (vs->bh != NULL) {
1073         qemu_bh_delete(vs->bh);
1074     }
1075     buffer_free(&vs->jobs_buffer);
1076 
1077     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1078         g_free(vs->lossy_rect[i]);
1079     }
1080     g_free(vs->lossy_rect);
1081     g_free(vs);
1082 }
1083 
1084 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1085 {
1086     if (ret == 0 || ret == -1) {
1087         if (ret == -1) {
1088             switch (last_errno) {
1089                 case EINTR:
1090                 case EAGAIN:
1091 #ifdef _WIN32
1092                 case WSAEWOULDBLOCK:
1093 #endif
1094                     return 0;
1095                 default:
1096                     break;
1097             }
1098         }
1099 
1100         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1101                   ret, ret < 0 ? last_errno : 0);
1102         vnc_disconnect_start(vs);
1103 
1104         return 0;
1105     }
1106     return ret;
1107 }
1108 
1109 
1110 void vnc_client_error(VncState *vs)
1111 {
1112     VNC_DEBUG("Closing down client sock: protocol error\n");
1113     vnc_disconnect_start(vs);
1114 }
1115 
1116 #ifdef CONFIG_VNC_TLS
1117 static long vnc_client_write_tls(gnutls_session_t *session,
1118                                  const uint8_t *data,
1119                                  size_t datalen)
1120 {
1121     long ret = gnutls_write(*session, data, datalen);
1122     if (ret < 0) {
1123         if (ret == GNUTLS_E_AGAIN) {
1124             errno = EAGAIN;
1125         } else {
1126             errno = EIO;
1127         }
1128         ret = -1;
1129     }
1130     return ret;
1131 }
1132 #endif /* CONFIG_VNC_TLS */
1133 
1134 /*
1135  * Called to write a chunk of data to the client socket. The data may
1136  * be the raw data, or may have already been encoded by SASL.
1137  * The data will be written either straight onto the socket, or
1138  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1139  *
1140  * NB, it is theoretically possible to have 2 layers of encryption,
1141  * both SASL, and this TLS layer. It is highly unlikely in practice
1142  * though, since SASL encryption will typically be a no-op if TLS
1143  * is active
1144  *
1145  * Returns the number of bytes written, which may be less than
1146  * the requested 'datalen' if the socket would block. Returns
1147  * -1 on error, and disconnects the client socket.
1148  */
1149 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1150 {
1151     long ret;
1152 #ifdef CONFIG_VNC_TLS
1153     if (vs->tls.session) {
1154         ret = vnc_client_write_tls(&vs->tls.session, data, datalen);
1155     } else {
1156 #ifdef CONFIG_VNC_WS
1157         if (vs->ws_tls.session) {
1158             ret = vnc_client_write_tls(&vs->ws_tls.session, data, datalen);
1159         } else
1160 #endif /* CONFIG_VNC_WS */
1161 #endif /* CONFIG_VNC_TLS */
1162         {
1163             ret = send(vs->csock, (const void *)data, datalen, 0);
1164         }
1165 #ifdef CONFIG_VNC_TLS
1166     }
1167 #endif /* CONFIG_VNC_TLS */
1168     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1169     return vnc_client_io_error(vs, ret, socket_error());
1170 }
1171 
1172 
1173 /*
1174  * Called to write buffered data to the client socket, when not
1175  * using any SASL SSF encryption layers. Will write as much data
1176  * as possible without blocking. If all buffered data is written,
1177  * will switch the FD poll() handler back to read monitoring.
1178  *
1179  * Returns the number of bytes written, which may be less than
1180  * the buffered output data if the socket would block. Returns
1181  * -1 on error, and disconnects the client socket.
1182  */
1183 static long vnc_client_write_plain(VncState *vs)
1184 {
1185     long ret;
1186 
1187 #ifdef CONFIG_VNC_SASL
1188     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1189               vs->output.buffer, vs->output.capacity, vs->output.offset,
1190               vs->sasl.waitWriteSSF);
1191 
1192     if (vs->sasl.conn &&
1193         vs->sasl.runSSF &&
1194         vs->sasl.waitWriteSSF) {
1195         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1196         if (ret)
1197             vs->sasl.waitWriteSSF -= ret;
1198     } else
1199 #endif /* CONFIG_VNC_SASL */
1200         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1201     if (!ret)
1202         return 0;
1203 
1204     buffer_advance(&vs->output, ret);
1205 
1206     if (vs->output.offset == 0) {
1207         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1208     }
1209 
1210     return ret;
1211 }
1212 
1213 
1214 /*
1215  * First function called whenever there is data to be written to
1216  * the client socket. Will delegate actual work according to whether
1217  * SASL SSF layers are enabled (thus requiring encryption calls)
1218  */
1219 static void vnc_client_write_locked(void *opaque)
1220 {
1221     VncState *vs = opaque;
1222 
1223 #ifdef CONFIG_VNC_SASL
1224     if (vs->sasl.conn &&
1225         vs->sasl.runSSF &&
1226         !vs->sasl.waitWriteSSF) {
1227         vnc_client_write_sasl(vs);
1228     } else
1229 #endif /* CONFIG_VNC_SASL */
1230     {
1231 #ifdef CONFIG_VNC_WS
1232         if (vs->encode_ws) {
1233             vnc_client_write_ws(vs);
1234         } else
1235 #endif /* CONFIG_VNC_WS */
1236         {
1237             vnc_client_write_plain(vs);
1238         }
1239     }
1240 }
1241 
1242 void vnc_client_write(void *opaque)
1243 {
1244     VncState *vs = opaque;
1245 
1246     vnc_lock_output(vs);
1247     if (vs->output.offset
1248 #ifdef CONFIG_VNC_WS
1249             || vs->ws_output.offset
1250 #endif
1251             ) {
1252         vnc_client_write_locked(opaque);
1253     } else if (vs->csock != -1) {
1254         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1255     }
1256     vnc_unlock_output(vs);
1257 }
1258 
1259 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1260 {
1261     vs->read_handler = func;
1262     vs->read_handler_expect = expecting;
1263 }
1264 
1265 #ifdef CONFIG_VNC_TLS
1266 static long vnc_client_read_tls(gnutls_session_t *session, uint8_t *data,
1267                                 size_t datalen)
1268 {
1269     long ret = gnutls_read(*session, data, datalen);
1270     if (ret < 0) {
1271         if (ret == GNUTLS_E_AGAIN) {
1272             errno = EAGAIN;
1273         } else {
1274             errno = EIO;
1275         }
1276         ret = -1;
1277     }
1278     return ret;
1279 }
1280 #endif /* CONFIG_VNC_TLS */
1281 
1282 /*
1283  * Called to read a chunk of data from the client socket. The data may
1284  * be the raw data, or may need to be further decoded by SASL.
1285  * The data will be read either straight from to the socket, or
1286  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1287  *
1288  * NB, it is theoretically possible to have 2 layers of encryption,
1289  * both SASL, and this TLS layer. It is highly unlikely in practice
1290  * though, since SASL encryption will typically be a no-op if TLS
1291  * is active
1292  *
1293  * Returns the number of bytes read, which may be less than
1294  * the requested 'datalen' if the socket would block. Returns
1295  * -1 on error, and disconnects the client socket.
1296  */
1297 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1298 {
1299     long ret;
1300 #ifdef CONFIG_VNC_TLS
1301     if (vs->tls.session) {
1302         ret = vnc_client_read_tls(&vs->tls.session, data, datalen);
1303     } else {
1304 #ifdef CONFIG_VNC_WS
1305         if (vs->ws_tls.session) {
1306             ret = vnc_client_read_tls(&vs->ws_tls.session, data, datalen);
1307         } else
1308 #endif /* CONFIG_VNC_WS */
1309 #endif /* CONFIG_VNC_TLS */
1310         {
1311             ret = qemu_recv(vs->csock, data, datalen, 0);
1312         }
1313 #ifdef CONFIG_VNC_TLS
1314     }
1315 #endif /* CONFIG_VNC_TLS */
1316     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1317     return vnc_client_io_error(vs, ret, socket_error());
1318 }
1319 
1320 
1321 /*
1322  * Called to read data from the client socket to the input buffer,
1323  * when not using any SASL SSF encryption layers. Will read as much
1324  * data as possible without blocking.
1325  *
1326  * Returns the number of bytes read. Returns -1 on error, and
1327  * disconnects the client socket.
1328  */
1329 static long vnc_client_read_plain(VncState *vs)
1330 {
1331     int ret;
1332     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1333               vs->input.buffer, vs->input.capacity, vs->input.offset);
1334     buffer_reserve(&vs->input, 4096);
1335     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1336     if (!ret)
1337         return 0;
1338     vs->input.offset += ret;
1339     return ret;
1340 }
1341 
1342 static void vnc_jobs_bh(void *opaque)
1343 {
1344     VncState *vs = opaque;
1345 
1346     vnc_jobs_consume_buffer(vs);
1347 }
1348 
1349 /*
1350  * First function called whenever there is more data to be read from
1351  * the client socket. Will delegate actual work according to whether
1352  * SASL SSF layers are enabled (thus requiring decryption calls)
1353  */
1354 void vnc_client_read(void *opaque)
1355 {
1356     VncState *vs = opaque;
1357     long ret;
1358 
1359 #ifdef CONFIG_VNC_SASL
1360     if (vs->sasl.conn && vs->sasl.runSSF)
1361         ret = vnc_client_read_sasl(vs);
1362     else
1363 #endif /* CONFIG_VNC_SASL */
1364 #ifdef CONFIG_VNC_WS
1365         if (vs->encode_ws) {
1366             ret = vnc_client_read_ws(vs);
1367             if (ret == -1) {
1368                 vnc_disconnect_start(vs);
1369                 return;
1370             } else if (ret == -2) {
1371                 vnc_client_error(vs);
1372                 return;
1373             }
1374         } else
1375 #endif /* CONFIG_VNC_WS */
1376         {
1377         ret = vnc_client_read_plain(vs);
1378         }
1379     if (!ret) {
1380         if (vs->csock == -1)
1381             vnc_disconnect_finish(vs);
1382         return;
1383     }
1384 
1385     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1386         size_t len = vs->read_handler_expect;
1387         int ret;
1388 
1389         ret = vs->read_handler(vs, vs->input.buffer, len);
1390         if (vs->csock == -1) {
1391             vnc_disconnect_finish(vs);
1392             return;
1393         }
1394 
1395         if (!ret) {
1396             buffer_advance(&vs->input, len);
1397         } else {
1398             vs->read_handler_expect = ret;
1399         }
1400     }
1401 }
1402 
1403 void vnc_write(VncState *vs, const void *data, size_t len)
1404 {
1405     buffer_reserve(&vs->output, len);
1406 
1407     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1408         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1409     }
1410 
1411     buffer_append(&vs->output, data, len);
1412 }
1413 
1414 void vnc_write_s32(VncState *vs, int32_t value)
1415 {
1416     vnc_write_u32(vs, *(uint32_t *)&value);
1417 }
1418 
1419 void vnc_write_u32(VncState *vs, uint32_t value)
1420 {
1421     uint8_t buf[4];
1422 
1423     buf[0] = (value >> 24) & 0xFF;
1424     buf[1] = (value >> 16) & 0xFF;
1425     buf[2] = (value >>  8) & 0xFF;
1426     buf[3] = value & 0xFF;
1427 
1428     vnc_write(vs, buf, 4);
1429 }
1430 
1431 void vnc_write_u16(VncState *vs, uint16_t value)
1432 {
1433     uint8_t buf[2];
1434 
1435     buf[0] = (value >> 8) & 0xFF;
1436     buf[1] = value & 0xFF;
1437 
1438     vnc_write(vs, buf, 2);
1439 }
1440 
1441 void vnc_write_u8(VncState *vs, uint8_t value)
1442 {
1443     vnc_write(vs, (char *)&value, 1);
1444 }
1445 
1446 void vnc_flush(VncState *vs)
1447 {
1448     vnc_lock_output(vs);
1449     if (vs->csock != -1 && (vs->output.offset
1450 #ifdef CONFIG_VNC_WS
1451                 || vs->ws_output.offset
1452 #endif
1453                 )) {
1454         vnc_client_write_locked(vs);
1455     }
1456     vnc_unlock_output(vs);
1457 }
1458 
1459 static uint8_t read_u8(uint8_t *data, size_t offset)
1460 {
1461     return data[offset];
1462 }
1463 
1464 static uint16_t read_u16(uint8_t *data, size_t offset)
1465 {
1466     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1467 }
1468 
1469 static int32_t read_s32(uint8_t *data, size_t offset)
1470 {
1471     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1472                      (data[offset + 2] << 8) | data[offset + 3]);
1473 }
1474 
1475 uint32_t read_u32(uint8_t *data, size_t offset)
1476 {
1477     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1478             (data[offset + 2] << 8) | data[offset + 3]);
1479 }
1480 
1481 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1482 {
1483 }
1484 
1485 static void check_pointer_type_change(Notifier *notifier, void *data)
1486 {
1487     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1488     int absolute = qemu_input_is_absolute();
1489 
1490     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1491         vnc_lock_output(vs);
1492         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1493         vnc_write_u8(vs, 0);
1494         vnc_write_u16(vs, 1);
1495         vnc_framebuffer_update(vs, absolute, 0,
1496                                surface_width(vs->vd->ds),
1497                                surface_height(vs->vd->ds),
1498                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1499         vnc_unlock_output(vs);
1500         vnc_flush(vs);
1501     }
1502     vs->absolute = absolute;
1503 }
1504 
1505 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1506 {
1507     static uint32_t bmap[INPUT_BUTTON_MAX] = {
1508         [INPUT_BUTTON_LEFT]       = 0x01,
1509         [INPUT_BUTTON_MIDDLE]     = 0x02,
1510         [INPUT_BUTTON_RIGHT]      = 0x04,
1511         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1512         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1513     };
1514     QemuConsole *con = vs->vd->dcl.con;
1515     int width = surface_width(vs->vd->ds);
1516     int height = surface_height(vs->vd->ds);
1517 
1518     if (vs->last_bmask != button_mask) {
1519         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1520         vs->last_bmask = button_mask;
1521     }
1522 
1523     if (vs->absolute) {
1524         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1525         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1526     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1527         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1528         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1529     } else {
1530         if (vs->last_x != -1) {
1531             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1532             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1533         }
1534         vs->last_x = x;
1535         vs->last_y = y;
1536     }
1537     qemu_input_event_sync();
1538 }
1539 
1540 static void reset_keys(VncState *vs)
1541 {
1542     int i;
1543     for(i = 0; i < 256; i++) {
1544         if (vs->modifiers_state[i]) {
1545             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1546             vs->modifiers_state[i] = 0;
1547         }
1548     }
1549 }
1550 
1551 static void press_key(VncState *vs, int keysym)
1552 {
1553     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1554     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1555     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1556 }
1557 
1558 static int current_led_state(VncState *vs)
1559 {
1560     int ledstate = 0;
1561 
1562     if (vs->modifiers_state[0x46]) {
1563         ledstate |= QEMU_SCROLL_LOCK_LED;
1564     }
1565     if (vs->modifiers_state[0x45]) {
1566         ledstate |= QEMU_NUM_LOCK_LED;
1567     }
1568     if (vs->modifiers_state[0x3a]) {
1569         ledstate |= QEMU_CAPS_LOCK_LED;
1570     }
1571 
1572     return ledstate;
1573 }
1574 
1575 static void vnc_led_state_change(VncState *vs)
1576 {
1577     int ledstate = 0;
1578 
1579     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1580         return;
1581     }
1582 
1583     ledstate = current_led_state(vs);
1584     vnc_lock_output(vs);
1585     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1586     vnc_write_u8(vs, 0);
1587     vnc_write_u16(vs, 1);
1588     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1589     vnc_write_u8(vs, ledstate);
1590     vnc_unlock_output(vs);
1591     vnc_flush(vs);
1592 }
1593 
1594 static void kbd_leds(void *opaque, int ledstate)
1595 {
1596     VncState *vs = opaque;
1597     int caps, num, scr;
1598     bool has_changed = (ledstate != current_led_state(vs));
1599 
1600     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1601     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1602     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1603 
1604     if (vs->modifiers_state[0x3a] != caps) {
1605         vs->modifiers_state[0x3a] = caps;
1606     }
1607     if (vs->modifiers_state[0x45] != num) {
1608         vs->modifiers_state[0x45] = num;
1609     }
1610     if (vs->modifiers_state[0x46] != scr) {
1611         vs->modifiers_state[0x46] = scr;
1612     }
1613 
1614     /* Sending the current led state message to the client */
1615     if (has_changed) {
1616         vnc_led_state_change(vs);
1617     }
1618 }
1619 
1620 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1621 {
1622     /* QEMU console switch */
1623     switch(keycode) {
1624     case 0x2a:                          /* Left Shift */
1625     case 0x36:                          /* Right Shift */
1626     case 0x1d:                          /* Left CTRL */
1627     case 0x9d:                          /* Right CTRL */
1628     case 0x38:                          /* Left ALT */
1629     case 0xb8:                          /* Right ALT */
1630         if (down)
1631             vs->modifiers_state[keycode] = 1;
1632         else
1633             vs->modifiers_state[keycode] = 0;
1634         break;
1635     case 0x02 ... 0x0a: /* '1' to '9' keys */
1636         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1637             /* Reset the modifiers sent to the current console */
1638             reset_keys(vs);
1639             console_select(keycode - 0x02);
1640             return;
1641         }
1642         break;
1643     case 0x3a:                        /* CapsLock */
1644     case 0x45:                        /* NumLock */
1645         if (down)
1646             vs->modifiers_state[keycode] ^= 1;
1647         break;
1648     }
1649 
1650     /* Turn off the lock state sync logic if the client support the led
1651        state extension.
1652     */
1653     if (down && vs->vd->lock_key_sync &&
1654         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1655         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1656         /* If the numlock state needs to change then simulate an additional
1657            keypress before sending this one.  This will happen if the user
1658            toggles numlock away from the VNC window.
1659         */
1660         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1661             if (!vs->modifiers_state[0x45]) {
1662                 vs->modifiers_state[0x45] = 1;
1663                 press_key(vs, 0xff7f);
1664             }
1665         } else {
1666             if (vs->modifiers_state[0x45]) {
1667                 vs->modifiers_state[0x45] = 0;
1668                 press_key(vs, 0xff7f);
1669             }
1670         }
1671     }
1672 
1673     if (down && vs->vd->lock_key_sync &&
1674         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1675         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1676         /* If the capslock state needs to change then simulate an additional
1677            keypress before sending this one.  This will happen if the user
1678            toggles capslock away from the VNC window.
1679         */
1680         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1681         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1682         int capslock = !!(vs->modifiers_state[0x3a]);
1683         if (capslock) {
1684             if (uppercase == shift) {
1685                 vs->modifiers_state[0x3a] = 0;
1686                 press_key(vs, 0xffe5);
1687             }
1688         } else {
1689             if (uppercase != shift) {
1690                 vs->modifiers_state[0x3a] = 1;
1691                 press_key(vs, 0xffe5);
1692             }
1693         }
1694     }
1695 
1696     if (qemu_console_is_graphic(NULL)) {
1697         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1698     } else {
1699         bool numlock = vs->modifiers_state[0x45];
1700         bool control = (vs->modifiers_state[0x1d] ||
1701                         vs->modifiers_state[0x9d]);
1702         /* QEMU console emulation */
1703         if (down) {
1704             switch (keycode) {
1705             case 0x2a:                          /* Left Shift */
1706             case 0x36:                          /* Right Shift */
1707             case 0x1d:                          /* Left CTRL */
1708             case 0x9d:                          /* Right CTRL */
1709             case 0x38:                          /* Left ALT */
1710             case 0xb8:                          /* Right ALT */
1711                 break;
1712             case 0xc8:
1713                 kbd_put_keysym(QEMU_KEY_UP);
1714                 break;
1715             case 0xd0:
1716                 kbd_put_keysym(QEMU_KEY_DOWN);
1717                 break;
1718             case 0xcb:
1719                 kbd_put_keysym(QEMU_KEY_LEFT);
1720                 break;
1721             case 0xcd:
1722                 kbd_put_keysym(QEMU_KEY_RIGHT);
1723                 break;
1724             case 0xd3:
1725                 kbd_put_keysym(QEMU_KEY_DELETE);
1726                 break;
1727             case 0xc7:
1728                 kbd_put_keysym(QEMU_KEY_HOME);
1729                 break;
1730             case 0xcf:
1731                 kbd_put_keysym(QEMU_KEY_END);
1732                 break;
1733             case 0xc9:
1734                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1735                 break;
1736             case 0xd1:
1737                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1738                 break;
1739 
1740             case 0x47:
1741                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1742                 break;
1743             case 0x48:
1744                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1745                 break;
1746             case 0x49:
1747                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1748                 break;
1749             case 0x4b:
1750                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1751                 break;
1752             case 0x4c:
1753                 kbd_put_keysym('5');
1754                 break;
1755             case 0x4d:
1756                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1757                 break;
1758             case 0x4f:
1759                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1760                 break;
1761             case 0x50:
1762                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1763                 break;
1764             case 0x51:
1765                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1766                 break;
1767             case 0x52:
1768                 kbd_put_keysym('0');
1769                 break;
1770             case 0x53:
1771                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1772                 break;
1773 
1774             case 0xb5:
1775                 kbd_put_keysym('/');
1776                 break;
1777             case 0x37:
1778                 kbd_put_keysym('*');
1779                 break;
1780             case 0x4a:
1781                 kbd_put_keysym('-');
1782                 break;
1783             case 0x4e:
1784                 kbd_put_keysym('+');
1785                 break;
1786             case 0x9c:
1787                 kbd_put_keysym('\n');
1788                 break;
1789 
1790             default:
1791                 if (control) {
1792                     kbd_put_keysym(sym & 0x1f);
1793                 } else {
1794                     kbd_put_keysym(sym);
1795                 }
1796                 break;
1797             }
1798         }
1799     }
1800 }
1801 
1802 static void vnc_release_modifiers(VncState *vs)
1803 {
1804     static const int keycodes[] = {
1805         /* shift, control, alt keys, both left & right */
1806         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1807     };
1808     int i, keycode;
1809 
1810     if (!qemu_console_is_graphic(NULL)) {
1811         return;
1812     }
1813     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1814         keycode = keycodes[i];
1815         if (!vs->modifiers_state[keycode]) {
1816             continue;
1817         }
1818         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1819     }
1820 }
1821 
1822 static void key_event(VncState *vs, int down, uint32_t sym)
1823 {
1824     int keycode;
1825     int lsym = sym;
1826 
1827     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1828         lsym = lsym - 'A' + 'a';
1829     }
1830 
1831     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1832     do_key_event(vs, down, keycode, sym);
1833 }
1834 
1835 static void ext_key_event(VncState *vs, int down,
1836                           uint32_t sym, uint16_t keycode)
1837 {
1838     /* if the user specifies a keyboard layout, always use it */
1839     if (keyboard_layout)
1840         key_event(vs, down, sym);
1841     else
1842         do_key_event(vs, down, keycode, sym);
1843 }
1844 
1845 static void framebuffer_update_request(VncState *vs, int incremental,
1846                                        int x_position, int y_position,
1847                                        int w, int h)
1848 {
1849     int i;
1850     const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
1851     const size_t height = surface_height(vs->vd->ds);
1852 
1853     if (y_position > height) {
1854         y_position = height;
1855     }
1856     if (y_position + h >= height) {
1857         h = height - y_position;
1858     }
1859 
1860     vs->need_update = 1;
1861     if (!incremental) {
1862         vs->force_update = 1;
1863         for (i = 0; i < h; i++) {
1864             bitmap_set(vs->dirty[y_position + i], 0, width);
1865             bitmap_clear(vs->dirty[y_position + i], width,
1866                          VNC_DIRTY_BITS - width);
1867         }
1868     }
1869 }
1870 
1871 static void send_ext_key_event_ack(VncState *vs)
1872 {
1873     vnc_lock_output(vs);
1874     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1875     vnc_write_u8(vs, 0);
1876     vnc_write_u16(vs, 1);
1877     vnc_framebuffer_update(vs, 0, 0,
1878                            surface_width(vs->vd->ds),
1879                            surface_height(vs->vd->ds),
1880                            VNC_ENCODING_EXT_KEY_EVENT);
1881     vnc_unlock_output(vs);
1882     vnc_flush(vs);
1883 }
1884 
1885 static void send_ext_audio_ack(VncState *vs)
1886 {
1887     vnc_lock_output(vs);
1888     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1889     vnc_write_u8(vs, 0);
1890     vnc_write_u16(vs, 1);
1891     vnc_framebuffer_update(vs, 0, 0,
1892                            surface_width(vs->vd->ds),
1893                            surface_height(vs->vd->ds),
1894                            VNC_ENCODING_AUDIO);
1895     vnc_unlock_output(vs);
1896     vnc_flush(vs);
1897 }
1898 
1899 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1900 {
1901     int i;
1902     unsigned int enc = 0;
1903 
1904     vs->features = 0;
1905     vs->vnc_encoding = 0;
1906     vs->tight.compression = 9;
1907     vs->tight.quality = -1; /* Lossless by default */
1908     vs->absolute = -1;
1909 
1910     /*
1911      * Start from the end because the encodings are sent in order of preference.
1912      * This way the preferred encoding (first encoding defined in the array)
1913      * will be set at the end of the loop.
1914      */
1915     for (i = n_encodings - 1; i >= 0; i--) {
1916         enc = encodings[i];
1917         switch (enc) {
1918         case VNC_ENCODING_RAW:
1919             vs->vnc_encoding = enc;
1920             break;
1921         case VNC_ENCODING_COPYRECT:
1922             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1923             break;
1924         case VNC_ENCODING_HEXTILE:
1925             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1926             vs->vnc_encoding = enc;
1927             break;
1928         case VNC_ENCODING_TIGHT:
1929             vs->features |= VNC_FEATURE_TIGHT_MASK;
1930             vs->vnc_encoding = enc;
1931             break;
1932 #ifdef CONFIG_VNC_PNG
1933         case VNC_ENCODING_TIGHT_PNG:
1934             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1935             vs->vnc_encoding = enc;
1936             break;
1937 #endif
1938         case VNC_ENCODING_ZLIB:
1939             vs->features |= VNC_FEATURE_ZLIB_MASK;
1940             vs->vnc_encoding = enc;
1941             break;
1942         case VNC_ENCODING_ZRLE:
1943             vs->features |= VNC_FEATURE_ZRLE_MASK;
1944             vs->vnc_encoding = enc;
1945             break;
1946         case VNC_ENCODING_ZYWRLE:
1947             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1948             vs->vnc_encoding = enc;
1949             break;
1950         case VNC_ENCODING_DESKTOPRESIZE:
1951             vs->features |= VNC_FEATURE_RESIZE_MASK;
1952             break;
1953         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1954             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1955             break;
1956         case VNC_ENCODING_RICH_CURSOR:
1957             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1958             break;
1959         case VNC_ENCODING_EXT_KEY_EVENT:
1960             send_ext_key_event_ack(vs);
1961             break;
1962         case VNC_ENCODING_AUDIO:
1963             send_ext_audio_ack(vs);
1964             break;
1965         case VNC_ENCODING_WMVi:
1966             vs->features |= VNC_FEATURE_WMVI_MASK;
1967             break;
1968         case VNC_ENCODING_LED_STATE:
1969             vs->features |= VNC_FEATURE_LED_STATE_MASK;
1970             break;
1971         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1972             vs->tight.compression = (enc & 0x0F);
1973             break;
1974         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1975             if (vs->vd->lossy) {
1976                 vs->tight.quality = (enc & 0x0F);
1977             }
1978             break;
1979         default:
1980             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1981             break;
1982         }
1983     }
1984     vnc_desktop_resize(vs);
1985     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
1986     vnc_led_state_change(vs);
1987 }
1988 
1989 static void set_pixel_conversion(VncState *vs)
1990 {
1991     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
1992 
1993     if (fmt == VNC_SERVER_FB_FORMAT) {
1994         vs->write_pixels = vnc_write_pixels_copy;
1995         vnc_hextile_set_pixel_conversion(vs, 0);
1996     } else {
1997         vs->write_pixels = vnc_write_pixels_generic;
1998         vnc_hextile_set_pixel_conversion(vs, 1);
1999     }
2000 }
2001 
2002 static void set_pixel_format(VncState *vs,
2003                              int bits_per_pixel, int depth,
2004                              int big_endian_flag, int true_color_flag,
2005                              int red_max, int green_max, int blue_max,
2006                              int red_shift, int green_shift, int blue_shift)
2007 {
2008     if (!true_color_flag) {
2009         vnc_client_error(vs);
2010         return;
2011     }
2012 
2013     vs->client_pf.rmax = red_max;
2014     vs->client_pf.rbits = hweight_long(red_max);
2015     vs->client_pf.rshift = red_shift;
2016     vs->client_pf.rmask = red_max << red_shift;
2017     vs->client_pf.gmax = green_max;
2018     vs->client_pf.gbits = hweight_long(green_max);
2019     vs->client_pf.gshift = green_shift;
2020     vs->client_pf.gmask = green_max << green_shift;
2021     vs->client_pf.bmax = blue_max;
2022     vs->client_pf.bbits = hweight_long(blue_max);
2023     vs->client_pf.bshift = blue_shift;
2024     vs->client_pf.bmask = blue_max << blue_shift;
2025     vs->client_pf.bits_per_pixel = bits_per_pixel;
2026     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2027     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2028     vs->client_be = big_endian_flag;
2029 
2030     set_pixel_conversion(vs);
2031 
2032     graphic_hw_invalidate(NULL);
2033     graphic_hw_update(NULL);
2034 }
2035 
2036 static void pixel_format_message (VncState *vs) {
2037     char pad[3] = { 0, 0, 0 };
2038 
2039     vs->client_pf = qemu_default_pixelformat(32);
2040 
2041     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2042     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2043 
2044 #ifdef HOST_WORDS_BIGENDIAN
2045     vnc_write_u8(vs, 1);             /* big-endian-flag */
2046 #else
2047     vnc_write_u8(vs, 0);             /* big-endian-flag */
2048 #endif
2049     vnc_write_u8(vs, 1);             /* true-color-flag */
2050     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2051     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2052     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2053     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2054     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2055     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2056     vnc_write(vs, pad, 3);           /* padding */
2057 
2058     vnc_hextile_set_pixel_conversion(vs, 0);
2059     vs->write_pixels = vnc_write_pixels_copy;
2060 }
2061 
2062 static void vnc_colordepth(VncState *vs)
2063 {
2064     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2065         /* Sending a WMVi message to notify the client*/
2066         vnc_lock_output(vs);
2067         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2068         vnc_write_u8(vs, 0);
2069         vnc_write_u16(vs, 1); /* number of rects */
2070         vnc_framebuffer_update(vs, 0, 0,
2071                                surface_width(vs->vd->ds),
2072                                surface_height(vs->vd->ds),
2073                                VNC_ENCODING_WMVi);
2074         pixel_format_message(vs);
2075         vnc_unlock_output(vs);
2076         vnc_flush(vs);
2077     } else {
2078         set_pixel_conversion(vs);
2079     }
2080 }
2081 
2082 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2083 {
2084     int i;
2085     uint16_t limit;
2086     VncDisplay *vd = vs->vd;
2087 
2088     if (data[0] > 3) {
2089         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2090     }
2091 
2092     switch (data[0]) {
2093     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2094         if (len == 1)
2095             return 20;
2096 
2097         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2098                          read_u8(data, 6), read_u8(data, 7),
2099                          read_u16(data, 8), read_u16(data, 10),
2100                          read_u16(data, 12), read_u8(data, 14),
2101                          read_u8(data, 15), read_u8(data, 16));
2102         break;
2103     case VNC_MSG_CLIENT_SET_ENCODINGS:
2104         if (len == 1)
2105             return 4;
2106 
2107         if (len == 4) {
2108             limit = read_u16(data, 2);
2109             if (limit > 0)
2110                 return 4 + (limit * 4);
2111         } else
2112             limit = read_u16(data, 2);
2113 
2114         for (i = 0; i < limit; i++) {
2115             int32_t val = read_s32(data, 4 + (i * 4));
2116             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2117         }
2118 
2119         set_encodings(vs, (int32_t *)(data + 4), limit);
2120         break;
2121     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2122         if (len == 1)
2123             return 10;
2124 
2125         framebuffer_update_request(vs,
2126                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2127                                    read_u16(data, 6), read_u16(data, 8));
2128         break;
2129     case VNC_MSG_CLIENT_KEY_EVENT:
2130         if (len == 1)
2131             return 8;
2132 
2133         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2134         break;
2135     case VNC_MSG_CLIENT_POINTER_EVENT:
2136         if (len == 1)
2137             return 6;
2138 
2139         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2140         break;
2141     case VNC_MSG_CLIENT_CUT_TEXT:
2142         if (len == 1)
2143             return 8;
2144 
2145         if (len == 8) {
2146             uint32_t dlen = read_u32(data, 4);
2147             if (dlen > 0)
2148                 return 8 + dlen;
2149         }
2150 
2151         client_cut_text(vs, read_u32(data, 4), data + 8);
2152         break;
2153     case VNC_MSG_CLIENT_QEMU:
2154         if (len == 1)
2155             return 2;
2156 
2157         switch (read_u8(data, 1)) {
2158         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2159             if (len == 2)
2160                 return 12;
2161 
2162             ext_key_event(vs, read_u16(data, 2),
2163                           read_u32(data, 4), read_u32(data, 8));
2164             break;
2165         case VNC_MSG_CLIENT_QEMU_AUDIO:
2166             if (len == 2)
2167                 return 4;
2168 
2169             switch (read_u16 (data, 2)) {
2170             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2171                 audio_add(vs);
2172                 break;
2173             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2174                 audio_del(vs);
2175                 break;
2176             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2177                 if (len == 4)
2178                     return 10;
2179                 switch (read_u8(data, 4)) {
2180                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2181                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2182                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2183                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2184                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2185                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2186                 default:
2187                     printf("Invalid audio format %d\n", read_u8(data, 4));
2188                     vnc_client_error(vs);
2189                     break;
2190                 }
2191                 vs->as.nchannels = read_u8(data, 5);
2192                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2193                     printf("Invalid audio channel coount %d\n",
2194                            read_u8(data, 5));
2195                     vnc_client_error(vs);
2196                     break;
2197                 }
2198                 vs->as.freq = read_u32(data, 6);
2199                 break;
2200             default:
2201                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2202                 vnc_client_error(vs);
2203                 break;
2204             }
2205             break;
2206 
2207         default:
2208             printf("Msg: %d\n", read_u16(data, 0));
2209             vnc_client_error(vs);
2210             break;
2211         }
2212         break;
2213     default:
2214         printf("Msg: %d\n", data[0]);
2215         vnc_client_error(vs);
2216         break;
2217     }
2218 
2219     vnc_read_when(vs, protocol_client_msg, 1);
2220     return 0;
2221 }
2222 
2223 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2224 {
2225     char buf[1024];
2226     VncShareMode mode;
2227     int size;
2228 
2229     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2230     switch (vs->vd->share_policy) {
2231     case VNC_SHARE_POLICY_IGNORE:
2232         /*
2233          * Ignore the shared flag.  Nothing to do here.
2234          *
2235          * Doesn't conform to the rfb spec but is traditional qemu
2236          * behavior, thus left here as option for compatibility
2237          * reasons.
2238          */
2239         break;
2240     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2241         /*
2242          * Policy: Allow clients ask for exclusive access.
2243          *
2244          * Implementation: When a client asks for exclusive access,
2245          * disconnect all others. Shared connects are allowed as long
2246          * as no exclusive connection exists.
2247          *
2248          * This is how the rfb spec suggests to handle the shared flag.
2249          */
2250         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2251             VncState *client;
2252             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2253                 if (vs == client) {
2254                     continue;
2255                 }
2256                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2257                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2258                     continue;
2259                 }
2260                 vnc_disconnect_start(client);
2261             }
2262         }
2263         if (mode == VNC_SHARE_MODE_SHARED) {
2264             if (vs->vd->num_exclusive > 0) {
2265                 vnc_disconnect_start(vs);
2266                 return 0;
2267             }
2268         }
2269         break;
2270     case VNC_SHARE_POLICY_FORCE_SHARED:
2271         /*
2272          * Policy: Shared connects only.
2273          * Implementation: Disallow clients asking for exclusive access.
2274          *
2275          * Useful for shared desktop sessions where you don't want
2276          * someone forgetting to say -shared when running the vnc
2277          * client disconnect everybody else.
2278          */
2279         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2280             vnc_disconnect_start(vs);
2281             return 0;
2282         }
2283         break;
2284     }
2285     vnc_set_share_mode(vs, mode);
2286 
2287     vs->client_width = surface_width(vs->vd->ds);
2288     vs->client_height = surface_height(vs->vd->ds);
2289     vnc_write_u16(vs, vs->client_width);
2290     vnc_write_u16(vs, vs->client_height);
2291 
2292     pixel_format_message(vs);
2293 
2294     if (qemu_name)
2295         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2296     else
2297         size = snprintf(buf, sizeof(buf), "QEMU");
2298 
2299     vnc_write_u32(vs, size);
2300     vnc_write(vs, buf, size);
2301     vnc_flush(vs);
2302 
2303     vnc_client_cache_auth(vs);
2304     vnc_qmp_event(vs, QEVENT_VNC_INITIALIZED);
2305 
2306     vnc_read_when(vs, protocol_client_msg, 1);
2307 
2308     return 0;
2309 }
2310 
2311 void start_client_init(VncState *vs)
2312 {
2313     vnc_read_when(vs, protocol_client_init, 1);
2314 }
2315 
2316 static void make_challenge(VncState *vs)
2317 {
2318     int i;
2319 
2320     srand(time(NULL)+getpid()+getpid()*987654+rand());
2321 
2322     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2323         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2324 }
2325 
2326 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2327 {
2328     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2329     int i, j, pwlen;
2330     unsigned char key[8];
2331     time_t now = time(NULL);
2332 
2333     if (!vs->vd->password) {
2334         VNC_DEBUG("No password configured on server");
2335         goto reject;
2336     }
2337     if (vs->vd->expires < now) {
2338         VNC_DEBUG("Password is expired");
2339         goto reject;
2340     }
2341 
2342     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2343 
2344     /* Calculate the expected challenge response */
2345     pwlen = strlen(vs->vd->password);
2346     for (i=0; i<sizeof(key); i++)
2347         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2348     deskey(key, EN0);
2349     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2350         des(response+j, response+j);
2351 
2352     /* Compare expected vs actual challenge response */
2353     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2354         VNC_DEBUG("Client challenge response did not match\n");
2355         goto reject;
2356     } else {
2357         VNC_DEBUG("Accepting VNC challenge response\n");
2358         vnc_write_u32(vs, 0); /* Accept auth */
2359         vnc_flush(vs);
2360 
2361         start_client_init(vs);
2362     }
2363     return 0;
2364 
2365 reject:
2366     vnc_write_u32(vs, 1); /* Reject auth */
2367     if (vs->minor >= 8) {
2368         static const char err[] = "Authentication failed";
2369         vnc_write_u32(vs, sizeof(err));
2370         vnc_write(vs, err, sizeof(err));
2371     }
2372     vnc_flush(vs);
2373     vnc_client_error(vs);
2374     return 0;
2375 }
2376 
2377 void start_auth_vnc(VncState *vs)
2378 {
2379     make_challenge(vs);
2380     /* Send client a 'random' challenge */
2381     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2382     vnc_flush(vs);
2383 
2384     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2385 }
2386 
2387 
2388 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2389 {
2390     /* We only advertise 1 auth scheme at a time, so client
2391      * must pick the one we sent. Verify this */
2392     if (data[0] != vs->auth) { /* Reject auth */
2393        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2394        vnc_write_u32(vs, 1);
2395        if (vs->minor >= 8) {
2396            static const char err[] = "Authentication failed";
2397            vnc_write_u32(vs, sizeof(err));
2398            vnc_write(vs, err, sizeof(err));
2399        }
2400        vnc_client_error(vs);
2401     } else { /* Accept requested auth */
2402        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2403        switch (vs->auth) {
2404        case VNC_AUTH_NONE:
2405            VNC_DEBUG("Accept auth none\n");
2406            if (vs->minor >= 8) {
2407                vnc_write_u32(vs, 0); /* Accept auth completion */
2408                vnc_flush(vs);
2409            }
2410            start_client_init(vs);
2411            break;
2412 
2413        case VNC_AUTH_VNC:
2414            VNC_DEBUG("Start VNC auth\n");
2415            start_auth_vnc(vs);
2416            break;
2417 
2418 #ifdef CONFIG_VNC_TLS
2419        case VNC_AUTH_VENCRYPT:
2420            VNC_DEBUG("Accept VeNCrypt auth\n");
2421            start_auth_vencrypt(vs);
2422            break;
2423 #endif /* CONFIG_VNC_TLS */
2424 
2425 #ifdef CONFIG_VNC_SASL
2426        case VNC_AUTH_SASL:
2427            VNC_DEBUG("Accept SASL auth\n");
2428            start_auth_sasl(vs);
2429            break;
2430 #endif /* CONFIG_VNC_SASL */
2431 
2432        default: /* Should not be possible, but just in case */
2433            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2434            vnc_write_u8(vs, 1);
2435            if (vs->minor >= 8) {
2436                static const char err[] = "Authentication failed";
2437                vnc_write_u32(vs, sizeof(err));
2438                vnc_write(vs, err, sizeof(err));
2439            }
2440            vnc_client_error(vs);
2441        }
2442     }
2443     return 0;
2444 }
2445 
2446 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2447 {
2448     char local[13];
2449 
2450     memcpy(local, version, 12);
2451     local[12] = 0;
2452 
2453     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2454         VNC_DEBUG("Malformed protocol version %s\n", local);
2455         vnc_client_error(vs);
2456         return 0;
2457     }
2458     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2459     if (vs->major != 3 ||
2460         (vs->minor != 3 &&
2461          vs->minor != 4 &&
2462          vs->minor != 5 &&
2463          vs->minor != 7 &&
2464          vs->minor != 8)) {
2465         VNC_DEBUG("Unsupported client version\n");
2466         vnc_write_u32(vs, VNC_AUTH_INVALID);
2467         vnc_flush(vs);
2468         vnc_client_error(vs);
2469         return 0;
2470     }
2471     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2472      * as equivalent to v3.3 by servers
2473      */
2474     if (vs->minor == 4 || vs->minor == 5)
2475         vs->minor = 3;
2476 
2477     if (vs->minor == 3) {
2478         if (vs->auth == VNC_AUTH_NONE) {
2479             VNC_DEBUG("Tell client auth none\n");
2480             vnc_write_u32(vs, vs->auth);
2481             vnc_flush(vs);
2482             start_client_init(vs);
2483        } else if (vs->auth == VNC_AUTH_VNC) {
2484             VNC_DEBUG("Tell client VNC auth\n");
2485             vnc_write_u32(vs, vs->auth);
2486             vnc_flush(vs);
2487             start_auth_vnc(vs);
2488        } else {
2489             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2490             vnc_write_u32(vs, VNC_AUTH_INVALID);
2491             vnc_flush(vs);
2492             vnc_client_error(vs);
2493        }
2494     } else {
2495         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2496         vnc_write_u8(vs, 1); /* num auth */
2497         vnc_write_u8(vs, vs->auth);
2498         vnc_read_when(vs, protocol_client_auth, 1);
2499         vnc_flush(vs);
2500     }
2501 
2502     return 0;
2503 }
2504 
2505 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2506 {
2507     struct VncSurface *vs = &vd->guest;
2508 
2509     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2510 }
2511 
2512 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2513 {
2514     int i, j;
2515 
2516     w = (x + w) / VNC_STAT_RECT;
2517     h = (y + h) / VNC_STAT_RECT;
2518     x /= VNC_STAT_RECT;
2519     y /= VNC_STAT_RECT;
2520 
2521     for (j = y; j <= h; j++) {
2522         for (i = x; i <= w; i++) {
2523             vs->lossy_rect[j][i] = 1;
2524         }
2525     }
2526 }
2527 
2528 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2529 {
2530     VncState *vs;
2531     int sty = y / VNC_STAT_RECT;
2532     int stx = x / VNC_STAT_RECT;
2533     int has_dirty = 0;
2534 
2535     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2536     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2537 
2538     QTAILQ_FOREACH(vs, &vd->clients, next) {
2539         int j;
2540 
2541         /* kernel send buffers are full -> refresh later */
2542         if (vs->output.offset) {
2543             continue;
2544         }
2545 
2546         if (!vs->lossy_rect[sty][stx]) {
2547             continue;
2548         }
2549 
2550         vs->lossy_rect[sty][stx] = 0;
2551         for (j = 0; j < VNC_STAT_RECT; ++j) {
2552             bitmap_set(vs->dirty[y + j],
2553                        x / VNC_DIRTY_PIXELS_PER_BIT,
2554                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2555         }
2556         has_dirty++;
2557     }
2558 
2559     return has_dirty;
2560 }
2561 
2562 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2563 {
2564     int width = pixman_image_get_width(vd->guest.fb);
2565     int height = pixman_image_get_height(vd->guest.fb);
2566     int x, y;
2567     struct timeval res;
2568     int has_dirty = 0;
2569 
2570     for (y = 0; y < height; y += VNC_STAT_RECT) {
2571         for (x = 0; x < width; x += VNC_STAT_RECT) {
2572             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2573 
2574             rect->updated = false;
2575         }
2576     }
2577 
2578     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2579 
2580     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2581         return has_dirty;
2582     }
2583     vd->guest.last_freq_check = *tv;
2584 
2585     for (y = 0; y < height; y += VNC_STAT_RECT) {
2586         for (x = 0; x < width; x += VNC_STAT_RECT) {
2587             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2588             int count = ARRAY_SIZE(rect->times);
2589             struct timeval min, max;
2590 
2591             if (!timerisset(&rect->times[count - 1])) {
2592                 continue ;
2593             }
2594 
2595             max = rect->times[(rect->idx + count - 1) % count];
2596             qemu_timersub(tv, &max, &res);
2597 
2598             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2599                 rect->freq = 0;
2600                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2601                 memset(rect->times, 0, sizeof (rect->times));
2602                 continue ;
2603             }
2604 
2605             min = rect->times[rect->idx];
2606             max = rect->times[(rect->idx + count - 1) % count];
2607             qemu_timersub(&max, &min, &res);
2608 
2609             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2610             rect->freq /= count;
2611             rect->freq = 1. / rect->freq;
2612         }
2613     }
2614     return has_dirty;
2615 }
2616 
2617 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2618 {
2619     int i, j;
2620     double total = 0;
2621     int num = 0;
2622 
2623     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2624     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2625 
2626     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2627         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2628             total += vnc_stat_rect(vs->vd, i, j)->freq;
2629             num++;
2630         }
2631     }
2632 
2633     if (num) {
2634         return total / num;
2635     } else {
2636         return 0;
2637     }
2638 }
2639 
2640 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2641 {
2642     VncRectStat *rect;
2643 
2644     rect = vnc_stat_rect(vd, x, y);
2645     if (rect->updated) {
2646         return ;
2647     }
2648     rect->times[rect->idx] = *tv;
2649     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2650     rect->updated = true;
2651 }
2652 
2653 static int vnc_refresh_server_surface(VncDisplay *vd)
2654 {
2655     int width = pixman_image_get_width(vd->guest.fb);
2656     int height = pixman_image_get_height(vd->guest.fb);
2657     int y;
2658     uint8_t *guest_row0 = NULL, *server_row0;
2659     int guest_stride = 0, server_stride;
2660     int cmp_bytes;
2661     VncState *vs;
2662     int has_dirty = 0;
2663     pixman_image_t *tmpbuf = NULL;
2664 
2665     struct timeval tv = { 0, 0 };
2666 
2667     if (!vd->non_adaptive) {
2668         gettimeofday(&tv, NULL);
2669         has_dirty = vnc_update_stats(vd, &tv);
2670     }
2671 
2672     /*
2673      * Walk through the guest dirty map.
2674      * Check and copy modified bits from guest to server surface.
2675      * Update server dirty map.
2676      */
2677     cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
2678     if (cmp_bytes > vnc_server_fb_stride(vd)) {
2679         cmp_bytes = vnc_server_fb_stride(vd);
2680     }
2681     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2682         int width = pixman_image_get_width(vd->server);
2683         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2684     } else {
2685         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2686         guest_stride = pixman_image_get_stride(vd->guest.fb);
2687     }
2688     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2689     server_stride = pixman_image_get_stride(vd->server);
2690 
2691     y = 0;
2692     for (;;) {
2693         int x;
2694         uint8_t *guest_ptr, *server_ptr;
2695         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2696                                              height * VNC_DIRTY_BPL(&vd->guest),
2697                                              y * VNC_DIRTY_BPL(&vd->guest));
2698         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2699             /* no more dirty bits */
2700             break;
2701         }
2702         y = offset / VNC_DIRTY_BPL(&vd->guest);
2703         x = offset % VNC_DIRTY_BPL(&vd->guest);
2704 
2705         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2706 
2707         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2708             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2709             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2710         } else {
2711             guest_ptr = guest_row0 + y * guest_stride;
2712         }
2713         guest_ptr += x * cmp_bytes;
2714 
2715         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2716              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2717             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2718                 continue;
2719             }
2720             if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
2721                 continue;
2722             }
2723             memcpy(server_ptr, guest_ptr, cmp_bytes);
2724             if (!vd->non_adaptive) {
2725                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2726                                  y, &tv);
2727             }
2728             QTAILQ_FOREACH(vs, &vd->clients, next) {
2729                 set_bit(x, vs->dirty[y]);
2730             }
2731             has_dirty++;
2732         }
2733 
2734         y++;
2735     }
2736     qemu_pixman_image_unref(tmpbuf);
2737     return has_dirty;
2738 }
2739 
2740 static void vnc_refresh(DisplayChangeListener *dcl)
2741 {
2742     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2743     VncState *vs, *vn;
2744     int has_dirty, rects = 0;
2745 
2746     graphic_hw_update(NULL);
2747 
2748     if (vnc_trylock_display(vd)) {
2749         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2750         return;
2751     }
2752 
2753     has_dirty = vnc_refresh_server_surface(vd);
2754     vnc_unlock_display(vd);
2755 
2756     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2757         rects += vnc_update_client(vs, has_dirty, false);
2758         /* vs might be free()ed here */
2759     }
2760 
2761     if (QTAILQ_EMPTY(&vd->clients)) {
2762         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2763         return;
2764     }
2765 
2766     if (has_dirty && rects) {
2767         vd->dcl.update_interval /= 2;
2768         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2769             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2770         }
2771     } else {
2772         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2773         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2774             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2775         }
2776     }
2777 }
2778 
2779 static void vnc_connect(VncDisplay *vd, int csock,
2780                         bool skipauth, bool websocket)
2781 {
2782     VncState *vs = g_malloc0(sizeof(VncState));
2783     int i;
2784 
2785     vs->csock = csock;
2786 
2787     if (skipauth) {
2788 	vs->auth = VNC_AUTH_NONE;
2789 #ifdef CONFIG_VNC_TLS
2790 	vs->subauth = VNC_AUTH_INVALID;
2791 #endif
2792     } else {
2793 	vs->auth = vd->auth;
2794 #ifdef CONFIG_VNC_TLS
2795 	vs->subauth = vd->subauth;
2796 #endif
2797     }
2798 
2799     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2800     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2801         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2802     }
2803 
2804     VNC_DEBUG("New client on socket %d\n", csock);
2805     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2806     qemu_set_nonblock(vs->csock);
2807 #ifdef CONFIG_VNC_WS
2808     if (websocket) {
2809         vs->websocket = 1;
2810 #ifdef CONFIG_VNC_TLS
2811         if (vd->tls.x509cert) {
2812             qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_peek,
2813                                  NULL, vs);
2814         } else
2815 #endif /* CONFIG_VNC_TLS */
2816         {
2817             qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read,
2818                                  NULL, vs);
2819         }
2820     } else
2821 #endif /* CONFIG_VNC_WS */
2822     {
2823         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2824     }
2825 
2826     vnc_client_cache_addr(vs);
2827     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
2828     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2829 
2830     vs->vd = vd;
2831 
2832 #ifdef CONFIG_VNC_WS
2833     if (!vs->websocket)
2834 #endif
2835     {
2836         vnc_init_state(vs);
2837     }
2838 }
2839 
2840 void vnc_init_state(VncState *vs)
2841 {
2842     vs->initialized = true;
2843     VncDisplay *vd = vs->vd;
2844 
2845     vs->last_x = -1;
2846     vs->last_y = -1;
2847 
2848     vs->as.freq = 44100;
2849     vs->as.nchannels = 2;
2850     vs->as.fmt = AUD_FMT_S16;
2851     vs->as.endianness = 0;
2852 
2853     qemu_mutex_init(&vs->output_mutex);
2854     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
2855 
2856     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2857 
2858     graphic_hw_update(NULL);
2859 
2860     vnc_write(vs, "RFB 003.008\n", 12);
2861     vnc_flush(vs);
2862     vnc_read_when(vs, protocol_version, 12);
2863     reset_keys(vs);
2864     if (vs->vd->lock_key_sync)
2865         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2866 
2867     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2868     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2869 
2870     /* vs might be free()ed here */
2871 }
2872 
2873 static void vnc_listen_read(void *opaque, bool websocket)
2874 {
2875     VncDisplay *vs = opaque;
2876     struct sockaddr_in addr;
2877     socklen_t addrlen = sizeof(addr);
2878     int csock;
2879 
2880     /* Catch-up */
2881     graphic_hw_update(NULL);
2882 #ifdef CONFIG_VNC_WS
2883     if (websocket) {
2884         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
2885     } else
2886 #endif /* CONFIG_VNC_WS */
2887     {
2888         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2889     }
2890 
2891     if (csock != -1) {
2892         vnc_connect(vs, csock, false, websocket);
2893     }
2894 }
2895 
2896 static void vnc_listen_regular_read(void *opaque)
2897 {
2898     vnc_listen_read(opaque, false);
2899 }
2900 
2901 #ifdef CONFIG_VNC_WS
2902 static void vnc_listen_websocket_read(void *opaque)
2903 {
2904     vnc_listen_read(opaque, true);
2905 }
2906 #endif /* CONFIG_VNC_WS */
2907 
2908 static const DisplayChangeListenerOps dcl_ops = {
2909     .dpy_name          = "vnc",
2910     .dpy_refresh       = vnc_refresh,
2911     .dpy_gfx_copy      = vnc_dpy_copy,
2912     .dpy_gfx_update    = vnc_dpy_update,
2913     .dpy_gfx_switch    = vnc_dpy_switch,
2914     .dpy_mouse_set     = vnc_mouse_set,
2915     .dpy_cursor_define = vnc_dpy_cursor_define,
2916 };
2917 
2918 void vnc_display_init(DisplayState *ds)
2919 {
2920     VncDisplay *vs = g_malloc0(sizeof(*vs));
2921 
2922     vnc_display = vs;
2923 
2924     vs->lsock = -1;
2925 #ifdef CONFIG_VNC_WS
2926     vs->lwebsock = -1;
2927 #endif
2928 
2929     QTAILQ_INIT(&vs->clients);
2930     vs->expires = TIME_MAX;
2931 
2932     if (keyboard_layout)
2933         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2934     else
2935         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2936 
2937     if (!vs->kbd_layout)
2938         exit(1);
2939 
2940     qemu_mutex_init(&vs->mutex);
2941     vnc_start_worker_thread();
2942 
2943     vs->dcl.ops = &dcl_ops;
2944     register_displaychangelistener(&vs->dcl);
2945 }
2946 
2947 
2948 static void vnc_display_close(DisplayState *ds)
2949 {
2950     VncDisplay *vs = vnc_display;
2951 
2952     if (!vs)
2953         return;
2954     if (vs->display) {
2955         g_free(vs->display);
2956         vs->display = NULL;
2957     }
2958     if (vs->lsock != -1) {
2959         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2960         close(vs->lsock);
2961         vs->lsock = -1;
2962     }
2963 #ifdef CONFIG_VNC_WS
2964     g_free(vs->ws_display);
2965     vs->ws_display = NULL;
2966     if (vs->lwebsock != -1) {
2967         qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
2968         close(vs->lwebsock);
2969         vs->lwebsock = -1;
2970     }
2971 #endif /* CONFIG_VNC_WS */
2972     vs->auth = VNC_AUTH_INVALID;
2973 #ifdef CONFIG_VNC_TLS
2974     vs->subauth = VNC_AUTH_INVALID;
2975     vs->tls.x509verify = 0;
2976 #endif
2977 }
2978 
2979 static int vnc_display_disable_login(DisplayState *ds)
2980 {
2981     VncDisplay *vs = vnc_display;
2982 
2983     if (!vs) {
2984         return -1;
2985     }
2986 
2987     if (vs->password) {
2988         g_free(vs->password);
2989     }
2990 
2991     vs->password = NULL;
2992     if (vs->auth == VNC_AUTH_NONE) {
2993         vs->auth = VNC_AUTH_VNC;
2994     }
2995 
2996     return 0;
2997 }
2998 
2999 int vnc_display_password(DisplayState *ds, const char *password)
3000 {
3001     VncDisplay *vs = vnc_display;
3002 
3003     if (!vs) {
3004         return -EINVAL;
3005     }
3006 
3007     if (!password) {
3008         /* This is not the intention of this interface but err on the side
3009            of being safe */
3010         return vnc_display_disable_login(ds);
3011     }
3012 
3013     if (vs->password) {
3014         g_free(vs->password);
3015         vs->password = NULL;
3016     }
3017     vs->password = g_strdup(password);
3018     if (vs->auth == VNC_AUTH_NONE) {
3019         vs->auth = VNC_AUTH_VNC;
3020     }
3021 
3022     return 0;
3023 }
3024 
3025 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
3026 {
3027     VncDisplay *vs = vnc_display;
3028 
3029     if (!vs) {
3030         return -EINVAL;
3031     }
3032 
3033     vs->expires = expires;
3034     return 0;
3035 }
3036 
3037 char *vnc_display_local_addr(DisplayState *ds)
3038 {
3039     VncDisplay *vs = vnc_display;
3040 
3041     return vnc_socket_local_addr("%s:%s", vs->lsock);
3042 }
3043 
3044 void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
3045 {
3046     VncDisplay *vs = vnc_display;
3047     const char *options;
3048     int password = 0;
3049     int reverse = 0;
3050 #ifdef CONFIG_VNC_TLS
3051     int tls = 0, x509 = 0;
3052 #endif
3053 #ifdef CONFIG_VNC_SASL
3054     int sasl = 0;
3055     int saslErr;
3056 #endif
3057 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3058     int acl = 0;
3059 #endif
3060     int lock_key_sync = 1;
3061 
3062     if (!vnc_display) {
3063         error_setg(errp, "VNC display not active");
3064         return;
3065     }
3066     vnc_display_close(ds);
3067     if (strcmp(display, "none") == 0)
3068         return;
3069 
3070     vs->display = g_strdup(display);
3071     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3072 
3073     options = display;
3074     while ((options = strchr(options, ','))) {
3075         options++;
3076         if (strncmp(options, "password", 8) == 0) {
3077             if (fips_get_state()) {
3078                 error_setg(errp,
3079                            "VNC password auth disabled due to FIPS mode, "
3080                            "consider using the VeNCrypt or SASL authentication "
3081                            "methods as an alternative");
3082                 goto fail;
3083             }
3084             password = 1; /* Require password auth */
3085         } else if (strncmp(options, "reverse", 7) == 0) {
3086             reverse = 1;
3087         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
3088             lock_key_sync = 0;
3089 #ifdef CONFIG_VNC_SASL
3090         } else if (strncmp(options, "sasl", 4) == 0) {
3091             sasl = 1; /* Require SASL auth */
3092 #endif
3093 #ifdef CONFIG_VNC_WS
3094         } else if (strncmp(options, "websocket", 9) == 0) {
3095             char *start, *end;
3096             vs->websocket = 1;
3097 
3098             /* Check for 'websocket=<port>' */
3099             start = strchr(options, '=');
3100             end = strchr(options, ',');
3101             if (start && (!end || (start < end))) {
3102                 int len = end ? end-(start+1) : strlen(start+1);
3103                 if (len < 6) {
3104                     /* extract the host specification from display */
3105                     char  *host = NULL, *port = NULL, *host_end = NULL;
3106                     port = g_strndup(start + 1, len);
3107 
3108                     /* ipv6 hosts have colons */
3109                     end = strchr(display, ',');
3110                     host_end = g_strrstr_len(display, end - display, ":");
3111 
3112                     if (host_end) {
3113                         host = g_strndup(display, host_end - display + 1);
3114                     } else {
3115                         host = g_strndup(":", 1);
3116                     }
3117                     vs->ws_display = g_strconcat(host, port, NULL);
3118                     g_free(host);
3119                     g_free(port);
3120                 }
3121             }
3122 #endif /* CONFIG_VNC_WS */
3123 #ifdef CONFIG_VNC_TLS
3124         } else if (strncmp(options, "tls", 3) == 0) {
3125             tls = 1; /* Require TLS */
3126         } else if (strncmp(options, "x509", 4) == 0) {
3127             char *start, *end;
3128             x509 = 1; /* Require x509 certificates */
3129             if (strncmp(options, "x509verify", 10) == 0)
3130                 vs->tls.x509verify = 1; /* ...and verify client certs */
3131 
3132             /* Now check for 'x509=/some/path' postfix
3133              * and use that to setup x509 certificate/key paths */
3134             start = strchr(options, '=');
3135             end = strchr(options, ',');
3136             if (start && (!end || (start < end))) {
3137                 int len = end ? end-(start+1) : strlen(start+1);
3138                 char *path = g_strndup(start + 1, len);
3139 
3140                 VNC_DEBUG("Trying certificate path '%s'\n", path);
3141                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
3142                     error_setg(errp, "Failed to find x509 certificates/keys in %s", path);
3143                     g_free(path);
3144                     goto fail;
3145                 }
3146                 g_free(path);
3147             } else {
3148                 error_setg(errp, "No certificate path provided");
3149                 goto fail;
3150             }
3151 #endif
3152 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3153         } else if (strncmp(options, "acl", 3) == 0) {
3154             acl = 1;
3155 #endif
3156         } else if (strncmp(options, "lossy", 5) == 0) {
3157 #ifdef CONFIG_VNC_JPEG
3158             vs->lossy = true;
3159 #endif
3160         } else if (strncmp(options, "non-adaptive", 12) == 0) {
3161             vs->non_adaptive = true;
3162         } else if (strncmp(options, "share=", 6) == 0) {
3163             if (strncmp(options+6, "ignore", 6) == 0) {
3164                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3165             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
3166                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3167             } else if (strncmp(options+6, "force-shared", 12) == 0) {
3168                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3169             } else {
3170                 error_setg(errp, "unknown vnc share= option");
3171                 goto fail;
3172             }
3173         }
3174     }
3175 
3176     /* adaptive updates are only used with tight encoding and
3177      * if lossy updates are enabled so we can disable all the
3178      * calculations otherwise */
3179     if (!vs->lossy) {
3180         vs->non_adaptive = true;
3181     }
3182 
3183 #ifdef CONFIG_VNC_TLS
3184     if (acl && x509 && vs->tls.x509verify) {
3185         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
3186             fprintf(stderr, "Failed to create x509 dname ACL\n");
3187             exit(1);
3188         }
3189     }
3190 #endif
3191 #ifdef CONFIG_VNC_SASL
3192     if (acl && sasl) {
3193         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
3194             fprintf(stderr, "Failed to create username ACL\n");
3195             exit(1);
3196         }
3197     }
3198 #endif
3199 
3200     /*
3201      * Combinations we support here:
3202      *
3203      *  - no-auth                (clear text, no auth)
3204      *  - password               (clear text, weak auth)
3205      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
3206      *  - tls                    (encrypt, weak anonymous creds, no auth)
3207      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
3208      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
3209      *  - tls + x509             (encrypt, good x509 creds, no auth)
3210      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
3211      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
3212      *
3213      * NB1. TLS is a stackable auth scheme.
3214      * NB2. the x509 schemes have option to validate a client cert dname
3215      */
3216     if (password) {
3217 #ifdef CONFIG_VNC_TLS
3218         if (tls) {
3219             vs->auth = VNC_AUTH_VENCRYPT;
3220             if (x509) {
3221                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3222                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3223             } else {
3224                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3225                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3226             }
3227         } else {
3228 #endif /* CONFIG_VNC_TLS */
3229             VNC_DEBUG("Initializing VNC server with password auth\n");
3230             vs->auth = VNC_AUTH_VNC;
3231 #ifdef CONFIG_VNC_TLS
3232             vs->subauth = VNC_AUTH_INVALID;
3233         }
3234 #endif /* CONFIG_VNC_TLS */
3235 #ifdef CONFIG_VNC_SASL
3236     } else if (sasl) {
3237 #ifdef CONFIG_VNC_TLS
3238         if (tls) {
3239             vs->auth = VNC_AUTH_VENCRYPT;
3240             if (x509) {
3241                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3242                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3243             } else {
3244                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3245                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3246             }
3247         } else {
3248 #endif /* CONFIG_VNC_TLS */
3249             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3250             vs->auth = VNC_AUTH_SASL;
3251 #ifdef CONFIG_VNC_TLS
3252             vs->subauth = VNC_AUTH_INVALID;
3253         }
3254 #endif /* CONFIG_VNC_TLS */
3255 #endif /* CONFIG_VNC_SASL */
3256     } else {
3257 #ifdef CONFIG_VNC_TLS
3258         if (tls) {
3259             vs->auth = VNC_AUTH_VENCRYPT;
3260             if (x509) {
3261                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3262                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3263             } else {
3264                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3265                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3266             }
3267         } else {
3268 #endif
3269             VNC_DEBUG("Initializing VNC server with no auth\n");
3270             vs->auth = VNC_AUTH_NONE;
3271 #ifdef CONFIG_VNC_TLS
3272             vs->subauth = VNC_AUTH_INVALID;
3273         }
3274 #endif
3275     }
3276 
3277 #ifdef CONFIG_VNC_SASL
3278     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3279         error_setg(errp, "Failed to initialize SASL auth: %s",
3280                    sasl_errstring(saslErr, NULL, NULL));
3281         goto fail;
3282     }
3283 #endif
3284     vs->lock_key_sync = lock_key_sync;
3285 
3286     if (reverse) {
3287         /* connect to viewer */
3288         int csock;
3289         vs->lsock = -1;
3290 #ifdef CONFIG_VNC_WS
3291         vs->lwebsock = -1;
3292 #endif
3293         if (strncmp(display, "unix:", 5) == 0) {
3294             csock = unix_connect(display+5, errp);
3295         } else {
3296             csock = inet_connect(display, errp);
3297         }
3298         if (csock < 0) {
3299             goto fail;
3300         }
3301         vnc_connect(vs, csock, false, false);
3302     } else {
3303         /* listen for connects */
3304         char *dpy;
3305         dpy = g_malloc(256);
3306         if (strncmp(display, "unix:", 5) == 0) {
3307             pstrcpy(dpy, 256, "unix:");
3308             vs->lsock = unix_listen(display+5, dpy+5, 256-5, errp);
3309         } else {
3310             vs->lsock = inet_listen(display, dpy, 256,
3311                                     SOCK_STREAM, 5900, errp);
3312             if (vs->lsock < 0) {
3313                 g_free(dpy);
3314                 goto fail;
3315             }
3316 #ifdef CONFIG_VNC_WS
3317             if (vs->websocket) {
3318                 if (vs->ws_display) {
3319                     vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
3320                         SOCK_STREAM, 0, errp);
3321                 } else {
3322                     vs->lwebsock = inet_listen(vs->display, NULL, 256,
3323                         SOCK_STREAM, 5700, errp);
3324                 }
3325 
3326                 if (vs->lwebsock < 0) {
3327                     if (vs->lsock) {
3328                         close(vs->lsock);
3329                         vs->lsock = -1;
3330                     }
3331                     g_free(dpy);
3332                     goto fail;
3333                 }
3334             }
3335 #endif /* CONFIG_VNC_WS */
3336         }
3337         g_free(vs->display);
3338         vs->display = dpy;
3339         qemu_set_fd_handler2(vs->lsock, NULL,
3340                 vnc_listen_regular_read, NULL, vs);
3341 #ifdef CONFIG_VNC_WS
3342         if (vs->websocket) {
3343             qemu_set_fd_handler2(vs->lwebsock, NULL,
3344                     vnc_listen_websocket_read, NULL, vs);
3345         }
3346 #endif /* CONFIG_VNC_WS */
3347     }
3348     return;
3349 
3350 fail:
3351     g_free(vs->display);
3352     vs->display = NULL;
3353 #ifdef CONFIG_VNC_WS
3354     g_free(vs->ws_display);
3355     vs->ws_display = NULL;
3356 #endif /* CONFIG_VNC_WS */
3357 }
3358 
3359 void vnc_display_add_client(DisplayState *ds, int csock, bool skipauth)
3360 {
3361     VncDisplay *vs = vnc_display;
3362 
3363     vnc_connect(vs, csock, skipauth, false);
3364 }
3365