xref: /openbmc/qemu/ui/vnc.c (revision 240ee8bd)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscredsanon.h"
49 #include "crypto/tlscredsx509.h"
50 #include "crypto/random.h"
51 #include "qom/object_interfaces.h"
52 #include "qemu/cutils.h"
53 #include "qemu/help_option.h"
54 #include "io/dns-resolver.h"
55 
56 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
57 #define VNC_REFRESH_INTERVAL_INC  50
58 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
59 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
60 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
61 
62 #include "vnc_keysym.h"
63 #include "crypto/cipher.h"
64 
65 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
66     QTAILQ_HEAD_INITIALIZER(vnc_displays);
67 
68 static int vnc_cursor_define(VncState *vs);
69 static void vnc_update_throttle_offset(VncState *vs);
70 
71 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
72 {
73 #ifdef _VNC_DEBUG
74     static const char *mn[] = {
75         [0]                           = "undefined",
76         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
77         [VNC_SHARE_MODE_SHARED]       = "shared",
78         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
79         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
80     };
81     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
82             vs->ioc, mn[vs->share_mode], mn[mode]);
83 #endif
84 
85     switch (vs->share_mode) {
86     case VNC_SHARE_MODE_CONNECTING:
87         vs->vd->num_connecting--;
88         break;
89     case VNC_SHARE_MODE_SHARED:
90         vs->vd->num_shared--;
91         break;
92     case VNC_SHARE_MODE_EXCLUSIVE:
93         vs->vd->num_exclusive--;
94         break;
95     default:
96         break;
97     }
98 
99     vs->share_mode = mode;
100 
101     switch (vs->share_mode) {
102     case VNC_SHARE_MODE_CONNECTING:
103         vs->vd->num_connecting++;
104         break;
105     case VNC_SHARE_MODE_SHARED:
106         vs->vd->num_shared++;
107         break;
108     case VNC_SHARE_MODE_EXCLUSIVE:
109         vs->vd->num_exclusive++;
110         break;
111     default:
112         break;
113     }
114 }
115 
116 
117 static void vnc_init_basic_info(SocketAddress *addr,
118                                 VncBasicInfo *info,
119                                 Error **errp)
120 {
121     switch (addr->type) {
122     case SOCKET_ADDRESS_TYPE_INET:
123         info->host = g_strdup(addr->u.inet.host);
124         info->service = g_strdup(addr->u.inet.port);
125         if (addr->u.inet.ipv6) {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
127         } else {
128             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
129         }
130         break;
131 
132     case SOCKET_ADDRESS_TYPE_UNIX:
133         info->host = g_strdup("");
134         info->service = g_strdup(addr->u.q_unix.path);
135         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
136         break;
137 
138     case SOCKET_ADDRESS_TYPE_VSOCK:
139     case SOCKET_ADDRESS_TYPE_FD:
140         error_setg(errp, "Unsupported socket address type %s",
141                    SocketAddressType_str(addr->type));
142         break;
143     default:
144         abort();
145     }
146 
147     return;
148 }
149 
150 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
151                                                  VncBasicInfo *info,
152                                                  Error **errp)
153 {
154     SocketAddress *addr = NULL;
155 
156     if (!ioc) {
157         error_setg(errp, "No listener socket available");
158         return;
159     }
160 
161     addr = qio_channel_socket_get_local_address(ioc, errp);
162     if (!addr) {
163         return;
164     }
165 
166     vnc_init_basic_info(addr, info, errp);
167     qapi_free_SocketAddress(addr);
168 }
169 
170 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
171                                                  VncBasicInfo *info,
172                                                  Error **errp)
173 {
174     SocketAddress *addr = NULL;
175 
176     addr = qio_channel_socket_get_remote_address(ioc, errp);
177     if (!addr) {
178         return;
179     }
180 
181     vnc_init_basic_info(addr, info, errp);
182     qapi_free_SocketAddress(addr);
183 }
184 
185 static const char *vnc_auth_name(VncDisplay *vd) {
186     switch (vd->auth) {
187     case VNC_AUTH_INVALID:
188         return "invalid";
189     case VNC_AUTH_NONE:
190         return "none";
191     case VNC_AUTH_VNC:
192         return "vnc";
193     case VNC_AUTH_RA2:
194         return "ra2";
195     case VNC_AUTH_RA2NE:
196         return "ra2ne";
197     case VNC_AUTH_TIGHT:
198         return "tight";
199     case VNC_AUTH_ULTRA:
200         return "ultra";
201     case VNC_AUTH_TLS:
202         return "tls";
203     case VNC_AUTH_VENCRYPT:
204         switch (vd->subauth) {
205         case VNC_AUTH_VENCRYPT_PLAIN:
206             return "vencrypt+plain";
207         case VNC_AUTH_VENCRYPT_TLSNONE:
208             return "vencrypt+tls+none";
209         case VNC_AUTH_VENCRYPT_TLSVNC:
210             return "vencrypt+tls+vnc";
211         case VNC_AUTH_VENCRYPT_TLSPLAIN:
212             return "vencrypt+tls+plain";
213         case VNC_AUTH_VENCRYPT_X509NONE:
214             return "vencrypt+x509+none";
215         case VNC_AUTH_VENCRYPT_X509VNC:
216             return "vencrypt+x509+vnc";
217         case VNC_AUTH_VENCRYPT_X509PLAIN:
218             return "vencrypt+x509+plain";
219         case VNC_AUTH_VENCRYPT_TLSSASL:
220             return "vencrypt+tls+sasl";
221         case VNC_AUTH_VENCRYPT_X509SASL:
222             return "vencrypt+x509+sasl";
223         default:
224             return "vencrypt";
225         }
226     case VNC_AUTH_SASL:
227         return "sasl";
228     }
229     return "unknown";
230 }
231 
232 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
233 {
234     VncServerInfo *info;
235     Error *err = NULL;
236 
237     if (!vd->listener || !vd->listener->nsioc) {
238         return NULL;
239     }
240 
241     info = g_malloc0(sizeof(*info));
242     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
243                                          qapi_VncServerInfo_base(info), &err);
244     info->has_auth = true;
245     info->auth = g_strdup(vnc_auth_name(vd));
246     if (err) {
247         qapi_free_VncServerInfo(info);
248         info = NULL;
249         error_free(err);
250     }
251     return info;
252 }
253 
254 static void vnc_client_cache_auth(VncState *client)
255 {
256     if (!client->info) {
257         return;
258     }
259 
260     if (client->tls) {
261         client->info->x509_dname =
262             qcrypto_tls_session_get_peer_name(client->tls);
263         client->info->has_x509_dname =
264             client->info->x509_dname != NULL;
265     }
266 #ifdef CONFIG_VNC_SASL
267     if (client->sasl.conn &&
268         client->sasl.username) {
269         client->info->has_sasl_username = true;
270         client->info->sasl_username = g_strdup(client->sasl.username);
271     }
272 #endif
273 }
274 
275 static void vnc_client_cache_addr(VncState *client)
276 {
277     Error *err = NULL;
278 
279     client->info = g_malloc0(sizeof(*client->info));
280     vnc_init_basic_info_from_remote_addr(client->sioc,
281                                          qapi_VncClientInfo_base(client->info),
282                                          &err);
283     client->info->websocket = client->websocket;
284     if (err) {
285         qapi_free_VncClientInfo(client->info);
286         client->info = NULL;
287         error_free(err);
288     }
289 }
290 
291 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
292 {
293     VncServerInfo *si;
294 
295     if (!vs->info) {
296         return;
297     }
298 
299     si = vnc_server_info_get(vs->vd);
300     if (!si) {
301         return;
302     }
303 
304     switch (event) {
305     case QAPI_EVENT_VNC_CONNECTED:
306         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
307         break;
308     case QAPI_EVENT_VNC_INITIALIZED:
309         qapi_event_send_vnc_initialized(si, vs->info);
310         break;
311     case QAPI_EVENT_VNC_DISCONNECTED:
312         qapi_event_send_vnc_disconnected(si, vs->info);
313         break;
314     default:
315         break;
316     }
317 
318     qapi_free_VncServerInfo(si);
319 }
320 
321 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
322 {
323     VncClientInfo *info;
324     Error *err = NULL;
325 
326     info = g_malloc0(sizeof(*info));
327 
328     vnc_init_basic_info_from_remote_addr(client->sioc,
329                                          qapi_VncClientInfo_base(info),
330                                          &err);
331     if (err) {
332         error_free(err);
333         qapi_free_VncClientInfo(info);
334         return NULL;
335     }
336 
337     info->websocket = client->websocket;
338 
339     if (client->tls) {
340         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
341         info->has_x509_dname = info->x509_dname != NULL;
342     }
343 #ifdef CONFIG_VNC_SASL
344     if (client->sasl.conn && client->sasl.username) {
345         info->has_sasl_username = true;
346         info->sasl_username = g_strdup(client->sasl.username);
347     }
348 #endif
349 
350     return info;
351 }
352 
353 static VncDisplay *vnc_display_find(const char *id)
354 {
355     VncDisplay *vd;
356 
357     if (id == NULL) {
358         return QTAILQ_FIRST(&vnc_displays);
359     }
360     QTAILQ_FOREACH(vd, &vnc_displays, next) {
361         if (strcmp(id, vd->id) == 0) {
362             return vd;
363         }
364     }
365     return NULL;
366 }
367 
368 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
369 {
370     VncClientInfoList *prev = NULL;
371     VncState *client;
372 
373     QTAILQ_FOREACH(client, &vd->clients, next) {
374         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
375     }
376     return prev;
377 }
378 
379 VncInfo *qmp_query_vnc(Error **errp)
380 {
381     VncInfo *info = g_malloc0(sizeof(*info));
382     VncDisplay *vd = vnc_display_find(NULL);
383     SocketAddress *addr = NULL;
384 
385     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
386         info->enabled = false;
387     } else {
388         info->enabled = true;
389 
390         /* for compatibility with the original command */
391         info->has_clients = true;
392         info->clients = qmp_query_client_list(vd);
393 
394         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
395                                                     errp);
396         if (!addr) {
397             goto out_error;
398         }
399 
400         switch (addr->type) {
401         case SOCKET_ADDRESS_TYPE_INET:
402             info->host = g_strdup(addr->u.inet.host);
403             info->service = g_strdup(addr->u.inet.port);
404             if (addr->u.inet.ipv6) {
405                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
406             } else {
407                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
408             }
409             break;
410 
411         case SOCKET_ADDRESS_TYPE_UNIX:
412             info->host = g_strdup("");
413             info->service = g_strdup(addr->u.q_unix.path);
414             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
415             break;
416 
417         case SOCKET_ADDRESS_TYPE_VSOCK:
418         case SOCKET_ADDRESS_TYPE_FD:
419             error_setg(errp, "Unsupported socket address type %s",
420                        SocketAddressType_str(addr->type));
421             goto out_error;
422         default:
423             abort();
424         }
425 
426         info->has_host = true;
427         info->has_service = true;
428         info->has_family = true;
429 
430         info->has_auth = true;
431         info->auth = g_strdup(vnc_auth_name(vd));
432     }
433 
434     qapi_free_SocketAddress(addr);
435     return info;
436 
437 out_error:
438     qapi_free_SocketAddress(addr);
439     qapi_free_VncInfo(info);
440     return NULL;
441 }
442 
443 
444 static void qmp_query_auth(int auth, int subauth,
445                            VncPrimaryAuth *qmp_auth,
446                            VncVencryptSubAuth *qmp_vencrypt,
447                            bool *qmp_has_vencrypt);
448 
449 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
450                                                   bool websocket,
451                                                   int auth,
452                                                   int subauth,
453                                                   VncServerInfo2List *prev)
454 {
455     VncServerInfo2 *info;
456     Error *err = NULL;
457     SocketAddress *addr;
458 
459     addr = qio_channel_socket_get_local_address(ioc, NULL);
460     if (!addr) {
461         return prev;
462     }
463 
464     info = g_new0(VncServerInfo2, 1);
465     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
466     qapi_free_SocketAddress(addr);
467     if (err) {
468         qapi_free_VncServerInfo2(info);
469         error_free(err);
470         return prev;
471     }
472     info->websocket = websocket;
473 
474     qmp_query_auth(auth, subauth, &info->auth,
475                    &info->vencrypt, &info->has_vencrypt);
476 
477     QAPI_LIST_PREPEND(prev, info);
478     return prev;
479 }
480 
481 static void qmp_query_auth(int auth, int subauth,
482                            VncPrimaryAuth *qmp_auth,
483                            VncVencryptSubAuth *qmp_vencrypt,
484                            bool *qmp_has_vencrypt)
485 {
486     switch (auth) {
487     case VNC_AUTH_VNC:
488         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
489         break;
490     case VNC_AUTH_RA2:
491         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
492         break;
493     case VNC_AUTH_RA2NE:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
495         break;
496     case VNC_AUTH_TIGHT:
497         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
498         break;
499     case VNC_AUTH_ULTRA:
500         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
501         break;
502     case VNC_AUTH_TLS:
503         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
504         break;
505     case VNC_AUTH_VENCRYPT:
506         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
507         *qmp_has_vencrypt = true;
508         switch (subauth) {
509         case VNC_AUTH_VENCRYPT_PLAIN:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSNONE:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSVNC:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSPLAIN:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
520             break;
521         case VNC_AUTH_VENCRYPT_X509NONE:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
523             break;
524         case VNC_AUTH_VENCRYPT_X509VNC:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
526             break;
527         case VNC_AUTH_VENCRYPT_X509PLAIN:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
529             break;
530         case VNC_AUTH_VENCRYPT_TLSSASL:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
532             break;
533         case VNC_AUTH_VENCRYPT_X509SASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
535             break;
536         default:
537             *qmp_has_vencrypt = false;
538             break;
539         }
540         break;
541     case VNC_AUTH_SASL:
542         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
543         break;
544     case VNC_AUTH_NONE:
545     default:
546         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
547         break;
548     }
549 }
550 
551 VncInfo2List *qmp_query_vnc_servers(Error **errp)
552 {
553     VncInfo2List *prev = NULL;
554     VncInfo2 *info;
555     VncDisplay *vd;
556     DeviceState *dev;
557     size_t i;
558 
559     QTAILQ_FOREACH(vd, &vnc_displays, next) {
560         info = g_new0(VncInfo2, 1);
561         info->id = g_strdup(vd->id);
562         info->clients = qmp_query_client_list(vd);
563         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
564                        &info->vencrypt, &info->has_vencrypt);
565         if (vd->dcl.con) {
566             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
567                                                   "device", &error_abort));
568             info->has_display = true;
569             info->display = g_strdup(dev->id);
570         }
571         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
572             info->server = qmp_query_server_entry(
573                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
574                 info->server);
575         }
576         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
577             info->server = qmp_query_server_entry(
578                 vd->wslistener->sioc[i], true, vd->ws_auth,
579                 vd->ws_subauth, info->server);
580         }
581 
582         QAPI_LIST_PREPEND(prev, info);
583     }
584     return prev;
585 }
586 
587 /* TODO
588    1) Get the queue working for IO.
589    2) there is some weirdness when using the -S option (the screen is grey
590       and not totally invalidated
591    3) resolutions > 1024
592 */
593 
594 static int vnc_update_client(VncState *vs, int has_dirty);
595 static void vnc_disconnect_start(VncState *vs);
596 
597 static void vnc_colordepth(VncState *vs);
598 static void framebuffer_update_request(VncState *vs, int incremental,
599                                        int x_position, int y_position,
600                                        int w, int h);
601 static void vnc_refresh(DisplayChangeListener *dcl);
602 static int vnc_refresh_server_surface(VncDisplay *vd);
603 
604 static int vnc_width(VncDisplay *vd)
605 {
606     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
607                                        VNC_DIRTY_PIXELS_PER_BIT));
608 }
609 
610 static int vnc_height(VncDisplay *vd)
611 {
612     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
613 }
614 
615 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
616                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
617                                VncDisplay *vd,
618                                int x, int y, int w, int h)
619 {
620     int width = vnc_width(vd);
621     int height = vnc_height(vd);
622 
623     /* this is needed this to ensure we updated all affected
624      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
625     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
626     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
627 
628     x = MIN(x, width);
629     y = MIN(y, height);
630     w = MIN(x + w, width) - x;
631     h = MIN(y + h, height);
632 
633     for (; y < h; y++) {
634         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
635                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
636     }
637 }
638 
639 static void vnc_dpy_update(DisplayChangeListener *dcl,
640                            int x, int y, int w, int h)
641 {
642     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
643     struct VncSurface *s = &vd->guest;
644 
645     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
646 }
647 
648 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
649                             int32_t encoding)
650 {
651     vnc_write_u16(vs, x);
652     vnc_write_u16(vs, y);
653     vnc_write_u16(vs, w);
654     vnc_write_u16(vs, h);
655 
656     vnc_write_s32(vs, encoding);
657 }
658 
659 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
660 {
661     vnc_lock_output(vs);
662     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
663     vnc_write_u8(vs, 0);
664     vnc_write_u16(vs, 1); /* number of rects */
665     vnc_framebuffer_update(vs,
666                            reject_reason ? 1 : 0,
667                            reject_reason,
668                            vs->client_width, vs->client_height,
669                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
670     vnc_write_u8(vs, 1);  /* number of screens */
671     vnc_write_u8(vs, 0);  /* padding */
672     vnc_write_u8(vs, 0);  /* padding */
673     vnc_write_u8(vs, 0);  /* padding */
674     vnc_write_u32(vs, 0); /* screen id */
675     vnc_write_u16(vs, 0); /* screen x-pos */
676     vnc_write_u16(vs, 0); /* screen y-pos */
677     vnc_write_u16(vs, vs->client_width);
678     vnc_write_u16(vs, vs->client_height);
679     vnc_write_u32(vs, 0); /* screen flags */
680     vnc_unlock_output(vs);
681     vnc_flush(vs);
682 }
683 
684 static void vnc_desktop_resize(VncState *vs)
685 {
686     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
687                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
688         return;
689     }
690 
691     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
692            pixman_image_get_width(vs->vd->server) >= 0);
693     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
694            pixman_image_get_height(vs->vd->server) >= 0);
695     vs->client_width = pixman_image_get_width(vs->vd->server);
696     vs->client_height = pixman_image_get_height(vs->vd->server);
697 
698     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
699         vnc_desktop_resize_ext(vs, 0);
700         return;
701     }
702 
703     vnc_lock_output(vs);
704     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
705     vnc_write_u8(vs, 0);
706     vnc_write_u16(vs, 1); /* number of rects */
707     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
708                            VNC_ENCODING_DESKTOPRESIZE);
709     vnc_unlock_output(vs);
710     vnc_flush(vs);
711 }
712 
713 static void vnc_abort_display_jobs(VncDisplay *vd)
714 {
715     VncState *vs;
716 
717     QTAILQ_FOREACH(vs, &vd->clients, next) {
718         vnc_lock_output(vs);
719         vs->abort = true;
720         vnc_unlock_output(vs);
721     }
722     QTAILQ_FOREACH(vs, &vd->clients, next) {
723         vnc_jobs_join(vs);
724     }
725     QTAILQ_FOREACH(vs, &vd->clients, next) {
726         vnc_lock_output(vs);
727         if (vs->update == VNC_STATE_UPDATE_NONE &&
728             vs->job_update != VNC_STATE_UPDATE_NONE) {
729             /* job aborted before completion */
730             vs->update = vs->job_update;
731             vs->job_update = VNC_STATE_UPDATE_NONE;
732         }
733         vs->abort = false;
734         vnc_unlock_output(vs);
735     }
736 }
737 
738 int vnc_server_fb_stride(VncDisplay *vd)
739 {
740     return pixman_image_get_stride(vd->server);
741 }
742 
743 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
744 {
745     uint8_t *ptr;
746 
747     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
748     ptr += y * vnc_server_fb_stride(vd);
749     ptr += x * VNC_SERVER_FB_BYTES;
750     return ptr;
751 }
752 
753 static void vnc_update_server_surface(VncDisplay *vd)
754 {
755     int width, height;
756 
757     qemu_pixman_image_unref(vd->server);
758     vd->server = NULL;
759 
760     if (QTAILQ_EMPTY(&vd->clients)) {
761         return;
762     }
763 
764     width = vnc_width(vd);
765     height = vnc_height(vd);
766     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
767                                           width, height,
768                                           NULL, 0);
769 
770     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
771     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
772                        width, height);
773 }
774 
775 static bool vnc_check_pageflip(DisplaySurface *s1,
776                                DisplaySurface *s2)
777 {
778     return (s1 != NULL &&
779             s2 != NULL &&
780             surface_width(s1) == surface_width(s2) &&
781             surface_height(s1) == surface_height(s2) &&
782             surface_format(s1) == surface_format(s2));
783 
784 }
785 
786 static void vnc_dpy_switch(DisplayChangeListener *dcl,
787                            DisplaySurface *surface)
788 {
789     static const char placeholder_msg[] =
790         "Display output is not active.";
791     static DisplaySurface *placeholder;
792     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
793     bool pageflip = vnc_check_pageflip(vd->ds, surface);
794     VncState *vs;
795 
796     if (surface == NULL) {
797         if (placeholder == NULL) {
798             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
799         }
800         surface = placeholder;
801     }
802 
803     vnc_abort_display_jobs(vd);
804     vd->ds = surface;
805 
806     /* guest surface */
807     qemu_pixman_image_unref(vd->guest.fb);
808     vd->guest.fb = pixman_image_ref(surface->image);
809     vd->guest.format = surface->format;
810 
811     if (pageflip) {
812         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
813                            surface_width(surface),
814                            surface_height(surface));
815         return;
816     }
817 
818     /* server surface */
819     vnc_update_server_surface(vd);
820 
821     QTAILQ_FOREACH(vs, &vd->clients, next) {
822         vnc_colordepth(vs);
823         vnc_desktop_resize(vs);
824         vnc_cursor_define(vs);
825         memset(vs->dirty, 0x00, sizeof(vs->dirty));
826         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
827                            vnc_width(vd),
828                            vnc_height(vd));
829         vnc_update_throttle_offset(vs);
830     }
831 }
832 
833 /* fastest code */
834 static void vnc_write_pixels_copy(VncState *vs,
835                                   void *pixels, int size)
836 {
837     vnc_write(vs, pixels, size);
838 }
839 
840 /* slowest but generic code. */
841 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
842 {
843     uint8_t r, g, b;
844 
845 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
846     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
847     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
848     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
849 #else
850 # error need some bits here if you change VNC_SERVER_FB_FORMAT
851 #endif
852     v = (r << vs->client_pf.rshift) |
853         (g << vs->client_pf.gshift) |
854         (b << vs->client_pf.bshift);
855     switch (vs->client_pf.bytes_per_pixel) {
856     case 1:
857         buf[0] = v;
858         break;
859     case 2:
860         if (vs->client_be) {
861             buf[0] = v >> 8;
862             buf[1] = v;
863         } else {
864             buf[1] = v >> 8;
865             buf[0] = v;
866         }
867         break;
868     default:
869     case 4:
870         if (vs->client_be) {
871             buf[0] = v >> 24;
872             buf[1] = v >> 16;
873             buf[2] = v >> 8;
874             buf[3] = v;
875         } else {
876             buf[3] = v >> 24;
877             buf[2] = v >> 16;
878             buf[1] = v >> 8;
879             buf[0] = v;
880         }
881         break;
882     }
883 }
884 
885 static void vnc_write_pixels_generic(VncState *vs,
886                                      void *pixels1, int size)
887 {
888     uint8_t buf[4];
889 
890     if (VNC_SERVER_FB_BYTES == 4) {
891         uint32_t *pixels = pixels1;
892         int n, i;
893         n = size >> 2;
894         for (i = 0; i < n; i++) {
895             vnc_convert_pixel(vs, buf, pixels[i]);
896             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
897         }
898     }
899 }
900 
901 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
902 {
903     int i;
904     uint8_t *row;
905     VncDisplay *vd = vs->vd;
906 
907     row = vnc_server_fb_ptr(vd, x, y);
908     for (i = 0; i < h; i++) {
909         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
910         row += vnc_server_fb_stride(vd);
911     }
912     return 1;
913 }
914 
915 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
916 {
917     int n = 0;
918 
919     switch(vs->vnc_encoding) {
920         case VNC_ENCODING_ZLIB:
921             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
922             break;
923         case VNC_ENCODING_HEXTILE:
924             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
925             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
926             break;
927         case VNC_ENCODING_TIGHT:
928             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
929             break;
930         case VNC_ENCODING_TIGHT_PNG:
931             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
932             break;
933         case VNC_ENCODING_ZRLE:
934             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
935             break;
936         case VNC_ENCODING_ZYWRLE:
937             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
938             break;
939         default:
940             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
941             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
942             break;
943     }
944     return n;
945 }
946 
947 static void vnc_mouse_set(DisplayChangeListener *dcl,
948                           int x, int y, int visible)
949 {
950     /* can we ask the client(s) to move the pointer ??? */
951 }
952 
953 static int vnc_cursor_define(VncState *vs)
954 {
955     QEMUCursor *c = vs->vd->cursor;
956     int isize;
957 
958     if (!vs->vd->cursor) {
959         return -1;
960     }
961 
962     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
963         vnc_lock_output(vs);
964         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
965         vnc_write_u8(vs,  0);  /*  padding     */
966         vnc_write_u16(vs, 1);  /*  # of rects  */
967         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
968                                VNC_ENCODING_ALPHA_CURSOR);
969         vnc_write_s32(vs, VNC_ENCODING_RAW);
970         vnc_write(vs, c->data, c->width * c->height * 4);
971         vnc_unlock_output(vs);
972         return 0;
973     }
974     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
975         vnc_lock_output(vs);
976         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
977         vnc_write_u8(vs,  0);  /*  padding     */
978         vnc_write_u16(vs, 1);  /*  # of rects  */
979         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
980                                VNC_ENCODING_RICH_CURSOR);
981         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
982         vnc_write_pixels_generic(vs, c->data, isize);
983         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
984         vnc_unlock_output(vs);
985         return 0;
986     }
987     return -1;
988 }
989 
990 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
991                                   QEMUCursor *c)
992 {
993     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
994     VncState *vs;
995 
996     cursor_put(vd->cursor);
997     g_free(vd->cursor_mask);
998 
999     vd->cursor = c;
1000     cursor_get(vd->cursor);
1001     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1002     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1003     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1004 
1005     QTAILQ_FOREACH(vs, &vd->clients, next) {
1006         vnc_cursor_define(vs);
1007     }
1008 }
1009 
1010 static int find_and_clear_dirty_height(VncState *vs,
1011                                        int y, int last_x, int x, int height)
1012 {
1013     int h;
1014 
1015     for (h = 1; h < (height - y); h++) {
1016         if (!test_bit(last_x, vs->dirty[y + h])) {
1017             break;
1018         }
1019         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1020     }
1021 
1022     return h;
1023 }
1024 
1025 /*
1026  * Figure out how much pending data we should allow in the output
1027  * buffer before we throttle incremental display updates, and/or
1028  * drop audio samples.
1029  *
1030  * We allow for equiv of 1 full display's worth of FB updates,
1031  * and 1 second of audio samples. If audio backlog was larger
1032  * than that the client would already suffering awful audio
1033  * glitches, so dropping samples is no worse really).
1034  */
1035 static void vnc_update_throttle_offset(VncState *vs)
1036 {
1037     size_t offset =
1038         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1039 
1040     if (vs->audio_cap) {
1041         int bps;
1042         switch (vs->as.fmt) {
1043         default:
1044         case  AUDIO_FORMAT_U8:
1045         case  AUDIO_FORMAT_S8:
1046             bps = 1;
1047             break;
1048         case  AUDIO_FORMAT_U16:
1049         case  AUDIO_FORMAT_S16:
1050             bps = 2;
1051             break;
1052         case  AUDIO_FORMAT_U32:
1053         case  AUDIO_FORMAT_S32:
1054             bps = 4;
1055             break;
1056         }
1057         offset += vs->as.freq * bps * vs->as.nchannels;
1058     }
1059 
1060     /* Put a floor of 1MB on offset, so that if we have a large pending
1061      * buffer and the display is resized to a small size & back again
1062      * we don't suddenly apply a tiny send limit
1063      */
1064     offset = MAX(offset, 1024 * 1024);
1065 
1066     if (vs->throttle_output_offset != offset) {
1067         trace_vnc_client_throttle_threshold(
1068             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1069             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1070     }
1071 
1072     vs->throttle_output_offset = offset;
1073 }
1074 
1075 static bool vnc_should_update(VncState *vs)
1076 {
1077     switch (vs->update) {
1078     case VNC_STATE_UPDATE_NONE:
1079         break;
1080     case VNC_STATE_UPDATE_INCREMENTAL:
1081         /* Only allow incremental updates if the pending send queue
1082          * is less than the permitted threshold, and the job worker
1083          * is completely idle.
1084          */
1085         if (vs->output.offset < vs->throttle_output_offset &&
1086             vs->job_update == VNC_STATE_UPDATE_NONE) {
1087             return true;
1088         }
1089         trace_vnc_client_throttle_incremental(
1090             vs, vs->ioc, vs->job_update, vs->output.offset);
1091         break;
1092     case VNC_STATE_UPDATE_FORCE:
1093         /* Only allow forced updates if the pending send queue
1094          * does not contain a previous forced update, and the
1095          * job worker is completely idle.
1096          *
1097          * Note this means we'll queue a forced update, even if
1098          * the output buffer size is otherwise over the throttle
1099          * output limit.
1100          */
1101         if (vs->force_update_offset == 0 &&
1102             vs->job_update == VNC_STATE_UPDATE_NONE) {
1103             return true;
1104         }
1105         trace_vnc_client_throttle_forced(
1106             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1107         break;
1108     }
1109     return false;
1110 }
1111 
1112 static int vnc_update_client(VncState *vs, int has_dirty)
1113 {
1114     VncDisplay *vd = vs->vd;
1115     VncJob *job;
1116     int y;
1117     int height, width;
1118     int n = 0;
1119 
1120     if (vs->disconnecting) {
1121         vnc_disconnect_finish(vs);
1122         return 0;
1123     }
1124 
1125     vs->has_dirty += has_dirty;
1126     if (!vnc_should_update(vs)) {
1127         return 0;
1128     }
1129 
1130     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1131         return 0;
1132     }
1133 
1134     /*
1135      * Send screen updates to the vnc client using the server
1136      * surface and server dirty map.  guest surface updates
1137      * happening in parallel don't disturb us, the next pass will
1138      * send them to the client.
1139      */
1140     job = vnc_job_new(vs);
1141 
1142     height = pixman_image_get_height(vd->server);
1143     width = pixman_image_get_width(vd->server);
1144 
1145     y = 0;
1146     for (;;) {
1147         int x, h;
1148         unsigned long x2;
1149         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1150                                              height * VNC_DIRTY_BPL(vs),
1151                                              y * VNC_DIRTY_BPL(vs));
1152         if (offset == height * VNC_DIRTY_BPL(vs)) {
1153             /* no more dirty bits */
1154             break;
1155         }
1156         y = offset / VNC_DIRTY_BPL(vs);
1157         x = offset % VNC_DIRTY_BPL(vs);
1158         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1159                                 VNC_DIRTY_BPL(vs), x);
1160         bitmap_clear(vs->dirty[y], x, x2 - x);
1161         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1162         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1163         if (x2 > x) {
1164             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1165                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1166         }
1167         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1168             y += h;
1169             if (y == height) {
1170                 break;
1171             }
1172         }
1173     }
1174 
1175     vs->job_update = vs->update;
1176     vs->update = VNC_STATE_UPDATE_NONE;
1177     vnc_job_push(job);
1178     vs->has_dirty = 0;
1179     return n;
1180 }
1181 
1182 /* audio */
1183 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1184 {
1185     VncState *vs = opaque;
1186 
1187     assert(vs->magic == VNC_MAGIC);
1188     switch (cmd) {
1189     case AUD_CNOTIFY_DISABLE:
1190         vnc_lock_output(vs);
1191         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1192         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1193         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1194         vnc_unlock_output(vs);
1195         vnc_flush(vs);
1196         break;
1197 
1198     case AUD_CNOTIFY_ENABLE:
1199         vnc_lock_output(vs);
1200         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1201         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1202         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1203         vnc_unlock_output(vs);
1204         vnc_flush(vs);
1205         break;
1206     }
1207 }
1208 
1209 static void audio_capture_destroy(void *opaque)
1210 {
1211 }
1212 
1213 static void audio_capture(void *opaque, const void *buf, int size)
1214 {
1215     VncState *vs = opaque;
1216 
1217     assert(vs->magic == VNC_MAGIC);
1218     vnc_lock_output(vs);
1219     if (vs->output.offset < vs->throttle_output_offset) {
1220         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1221         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1222         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1223         vnc_write_u32(vs, size);
1224         vnc_write(vs, buf, size);
1225     } else {
1226         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1227     }
1228     vnc_unlock_output(vs);
1229     vnc_flush(vs);
1230 }
1231 
1232 static void audio_add(VncState *vs)
1233 {
1234     struct audio_capture_ops ops;
1235 
1236     if (vs->audio_cap) {
1237         error_report("audio already running");
1238         return;
1239     }
1240 
1241     ops.notify = audio_capture_notify;
1242     ops.destroy = audio_capture_destroy;
1243     ops.capture = audio_capture;
1244 
1245     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1246     if (!vs->audio_cap) {
1247         error_report("Failed to add audio capture");
1248     }
1249 }
1250 
1251 static void audio_del(VncState *vs)
1252 {
1253     if (vs->audio_cap) {
1254         AUD_del_capture(vs->audio_cap, vs);
1255         vs->audio_cap = NULL;
1256     }
1257 }
1258 
1259 static void vnc_disconnect_start(VncState *vs)
1260 {
1261     if (vs->disconnecting) {
1262         return;
1263     }
1264     trace_vnc_client_disconnect_start(vs, vs->ioc);
1265     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1266     if (vs->ioc_tag) {
1267         g_source_remove(vs->ioc_tag);
1268         vs->ioc_tag = 0;
1269     }
1270     qio_channel_close(vs->ioc, NULL);
1271     vs->disconnecting = TRUE;
1272 }
1273 
1274 void vnc_disconnect_finish(VncState *vs)
1275 {
1276     int i;
1277 
1278     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1279 
1280     vnc_jobs_join(vs); /* Wait encoding jobs */
1281 
1282     vnc_lock_output(vs);
1283     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1284 
1285     buffer_free(&vs->input);
1286     buffer_free(&vs->output);
1287 
1288     qapi_free_VncClientInfo(vs->info);
1289 
1290     vnc_zlib_clear(vs);
1291     vnc_tight_clear(vs);
1292     vnc_zrle_clear(vs);
1293 
1294 #ifdef CONFIG_VNC_SASL
1295     vnc_sasl_client_cleanup(vs);
1296 #endif /* CONFIG_VNC_SASL */
1297     audio_del(vs);
1298     qkbd_state_lift_all_keys(vs->vd->kbd);
1299 
1300     if (vs->mouse_mode_notifier.notify != NULL) {
1301         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1302     }
1303     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1304     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1305         /* last client gone */
1306         vnc_update_server_surface(vs->vd);
1307     }
1308 
1309     vnc_unlock_output(vs);
1310 
1311     qemu_mutex_destroy(&vs->output_mutex);
1312     if (vs->bh != NULL) {
1313         qemu_bh_delete(vs->bh);
1314     }
1315     buffer_free(&vs->jobs_buffer);
1316 
1317     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1318         g_free(vs->lossy_rect[i]);
1319     }
1320     g_free(vs->lossy_rect);
1321 
1322     object_unref(OBJECT(vs->ioc));
1323     vs->ioc = NULL;
1324     object_unref(OBJECT(vs->sioc));
1325     vs->sioc = NULL;
1326     vs->magic = 0;
1327     g_free(vs->zrle);
1328     g_free(vs->tight);
1329     g_free(vs);
1330 }
1331 
1332 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1333 {
1334     if (ret <= 0) {
1335         if (ret == 0) {
1336             trace_vnc_client_eof(vs, vs->ioc);
1337             vnc_disconnect_start(vs);
1338         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1339             trace_vnc_client_io_error(vs, vs->ioc,
1340                                       err ? error_get_pretty(err) : "Unknown");
1341             vnc_disconnect_start(vs);
1342         }
1343 
1344         error_free(err);
1345         return 0;
1346     }
1347     return ret;
1348 }
1349 
1350 
1351 void vnc_client_error(VncState *vs)
1352 {
1353     VNC_DEBUG("Closing down client sock: protocol error\n");
1354     vnc_disconnect_start(vs);
1355 }
1356 
1357 
1358 /*
1359  * Called to write a chunk of data to the client socket. The data may
1360  * be the raw data, or may have already been encoded by SASL.
1361  * The data will be written either straight onto the socket, or
1362  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1363  *
1364  * NB, it is theoretically possible to have 2 layers of encryption,
1365  * both SASL, and this TLS layer. It is highly unlikely in practice
1366  * though, since SASL encryption will typically be a no-op if TLS
1367  * is active
1368  *
1369  * Returns the number of bytes written, which may be less than
1370  * the requested 'datalen' if the socket would block. Returns
1371  * 0 on I/O error, and disconnects the client socket.
1372  */
1373 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1374 {
1375     Error *err = NULL;
1376     ssize_t ret;
1377     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1378     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1379     return vnc_client_io_error(vs, ret, err);
1380 }
1381 
1382 
1383 /*
1384  * Called to write buffered data to the client socket, when not
1385  * using any SASL SSF encryption layers. Will write as much data
1386  * as possible without blocking. If all buffered data is written,
1387  * will switch the FD poll() handler back to read monitoring.
1388  *
1389  * Returns the number of bytes written, which may be less than
1390  * the buffered output data if the socket would block.  Returns
1391  * 0 on I/O error, and disconnects the client socket.
1392  */
1393 static size_t vnc_client_write_plain(VncState *vs)
1394 {
1395     size_t offset;
1396     size_t ret;
1397 
1398 #ifdef CONFIG_VNC_SASL
1399     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1400               vs->output.buffer, vs->output.capacity, vs->output.offset,
1401               vs->sasl.waitWriteSSF);
1402 
1403     if (vs->sasl.conn &&
1404         vs->sasl.runSSF &&
1405         vs->sasl.waitWriteSSF) {
1406         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1407         if (ret)
1408             vs->sasl.waitWriteSSF -= ret;
1409     } else
1410 #endif /* CONFIG_VNC_SASL */
1411         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1412     if (!ret)
1413         return 0;
1414 
1415     if (ret >= vs->force_update_offset) {
1416         if (vs->force_update_offset != 0) {
1417             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1418         }
1419         vs->force_update_offset = 0;
1420     } else {
1421         vs->force_update_offset -= ret;
1422     }
1423     offset = vs->output.offset;
1424     buffer_advance(&vs->output, ret);
1425     if (offset >= vs->throttle_output_offset &&
1426         vs->output.offset < vs->throttle_output_offset) {
1427         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1428     }
1429 
1430     if (vs->output.offset == 0) {
1431         if (vs->ioc_tag) {
1432             g_source_remove(vs->ioc_tag);
1433         }
1434         vs->ioc_tag = qio_channel_add_watch(
1435             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1436             vnc_client_io, vs, NULL);
1437     }
1438 
1439     return ret;
1440 }
1441 
1442 
1443 /*
1444  * First function called whenever there is data to be written to
1445  * the client socket. Will delegate actual work according to whether
1446  * SASL SSF layers are enabled (thus requiring encryption calls)
1447  */
1448 static void vnc_client_write_locked(VncState *vs)
1449 {
1450 #ifdef CONFIG_VNC_SASL
1451     if (vs->sasl.conn &&
1452         vs->sasl.runSSF &&
1453         !vs->sasl.waitWriteSSF) {
1454         vnc_client_write_sasl(vs);
1455     } else
1456 #endif /* CONFIG_VNC_SASL */
1457     {
1458         vnc_client_write_plain(vs);
1459     }
1460 }
1461 
1462 static void vnc_client_write(VncState *vs)
1463 {
1464     assert(vs->magic == VNC_MAGIC);
1465     vnc_lock_output(vs);
1466     if (vs->output.offset) {
1467         vnc_client_write_locked(vs);
1468     } else if (vs->ioc != NULL) {
1469         if (vs->ioc_tag) {
1470             g_source_remove(vs->ioc_tag);
1471         }
1472         vs->ioc_tag = qio_channel_add_watch(
1473             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1474             vnc_client_io, vs, NULL);
1475     }
1476     vnc_unlock_output(vs);
1477 }
1478 
1479 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1480 {
1481     vs->read_handler = func;
1482     vs->read_handler_expect = expecting;
1483 }
1484 
1485 
1486 /*
1487  * Called to read a chunk of data from the client socket. The data may
1488  * be the raw data, or may need to be further decoded by SASL.
1489  * The data will be read either straight from to the socket, or
1490  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1491  *
1492  * NB, it is theoretically possible to have 2 layers of encryption,
1493  * both SASL, and this TLS layer. It is highly unlikely in practice
1494  * though, since SASL encryption will typically be a no-op if TLS
1495  * is active
1496  *
1497  * Returns the number of bytes read, which may be less than
1498  * the requested 'datalen' if the socket would block. Returns
1499  * 0 on I/O error or EOF, and disconnects the client socket.
1500  */
1501 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1502 {
1503     ssize_t ret;
1504     Error *err = NULL;
1505     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1506     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1507     return vnc_client_io_error(vs, ret, err);
1508 }
1509 
1510 
1511 /*
1512  * Called to read data from the client socket to the input buffer,
1513  * when not using any SASL SSF encryption layers. Will read as much
1514  * data as possible without blocking.
1515  *
1516  * Returns the number of bytes read, which may be less than
1517  * the requested 'datalen' if the socket would block. Returns
1518  * 0 on I/O error or EOF, and disconnects the client socket.
1519  */
1520 static size_t vnc_client_read_plain(VncState *vs)
1521 {
1522     size_t ret;
1523     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1524               vs->input.buffer, vs->input.capacity, vs->input.offset);
1525     buffer_reserve(&vs->input, 4096);
1526     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1527     if (!ret)
1528         return 0;
1529     vs->input.offset += ret;
1530     return ret;
1531 }
1532 
1533 static void vnc_jobs_bh(void *opaque)
1534 {
1535     VncState *vs = opaque;
1536 
1537     assert(vs->magic == VNC_MAGIC);
1538     vnc_jobs_consume_buffer(vs);
1539 }
1540 
1541 /*
1542  * First function called whenever there is more data to be read from
1543  * the client socket. Will delegate actual work according to whether
1544  * SASL SSF layers are enabled (thus requiring decryption calls)
1545  * Returns 0 on success, -1 if client disconnected
1546  */
1547 static int vnc_client_read(VncState *vs)
1548 {
1549     size_t ret;
1550 
1551 #ifdef CONFIG_VNC_SASL
1552     if (vs->sasl.conn && vs->sasl.runSSF)
1553         ret = vnc_client_read_sasl(vs);
1554     else
1555 #endif /* CONFIG_VNC_SASL */
1556         ret = vnc_client_read_plain(vs);
1557     if (!ret) {
1558         if (vs->disconnecting) {
1559             vnc_disconnect_finish(vs);
1560             return -1;
1561         }
1562         return 0;
1563     }
1564 
1565     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1566         size_t len = vs->read_handler_expect;
1567         int ret;
1568 
1569         ret = vs->read_handler(vs, vs->input.buffer, len);
1570         if (vs->disconnecting) {
1571             vnc_disconnect_finish(vs);
1572             return -1;
1573         }
1574 
1575         if (!ret) {
1576             buffer_advance(&vs->input, len);
1577         } else {
1578             vs->read_handler_expect = ret;
1579         }
1580     }
1581     return 0;
1582 }
1583 
1584 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1585                        GIOCondition condition, void *opaque)
1586 {
1587     VncState *vs = opaque;
1588 
1589     assert(vs->magic == VNC_MAGIC);
1590 
1591     if (condition & (G_IO_HUP | G_IO_ERR)) {
1592         vnc_disconnect_start(vs);
1593         return TRUE;
1594     }
1595 
1596     if (condition & G_IO_IN) {
1597         if (vnc_client_read(vs) < 0) {
1598             /* vs is free()ed here */
1599             return TRUE;
1600         }
1601     }
1602     if (condition & G_IO_OUT) {
1603         vnc_client_write(vs);
1604     }
1605 
1606     if (vs->disconnecting) {
1607         if (vs->ioc_tag != 0) {
1608             g_source_remove(vs->ioc_tag);
1609         }
1610         vs->ioc_tag = 0;
1611     }
1612     return TRUE;
1613 }
1614 
1615 
1616 /*
1617  * Scale factor to apply to vs->throttle_output_offset when checking for
1618  * hard limit. Worst case normal usage could be x2, if we have a complete
1619  * incremental update and complete forced update in the output buffer.
1620  * So x3 should be good enough, but we pick x5 to be conservative and thus
1621  * (hopefully) never trigger incorrectly.
1622  */
1623 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1624 
1625 void vnc_write(VncState *vs, const void *data, size_t len)
1626 {
1627     assert(vs->magic == VNC_MAGIC);
1628     if (vs->disconnecting) {
1629         return;
1630     }
1631     /* Protection against malicious client/guest to prevent our output
1632      * buffer growing without bound if client stops reading data. This
1633      * should rarely trigger, because we have earlier throttling code
1634      * which stops issuing framebuffer updates and drops audio data
1635      * if the throttle_output_offset value is exceeded. So we only reach
1636      * this higher level if a huge number of pseudo-encodings get
1637      * triggered while data can't be sent on the socket.
1638      *
1639      * NB throttle_output_offset can be zero during early protocol
1640      * handshake, or from the job thread's VncState clone
1641      */
1642     if (vs->throttle_output_offset != 0 &&
1643         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1644         vs->throttle_output_offset) {
1645         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1646                                       vs->throttle_output_offset);
1647         vnc_disconnect_start(vs);
1648         return;
1649     }
1650     buffer_reserve(&vs->output, len);
1651 
1652     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1653         if (vs->ioc_tag) {
1654             g_source_remove(vs->ioc_tag);
1655         }
1656         vs->ioc_tag = qio_channel_add_watch(
1657             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1658             vnc_client_io, vs, NULL);
1659     }
1660 
1661     buffer_append(&vs->output, data, len);
1662 }
1663 
1664 void vnc_write_s32(VncState *vs, int32_t value)
1665 {
1666     vnc_write_u32(vs, *(uint32_t *)&value);
1667 }
1668 
1669 void vnc_write_u32(VncState *vs, uint32_t value)
1670 {
1671     uint8_t buf[4];
1672 
1673     buf[0] = (value >> 24) & 0xFF;
1674     buf[1] = (value >> 16) & 0xFF;
1675     buf[2] = (value >>  8) & 0xFF;
1676     buf[3] = value & 0xFF;
1677 
1678     vnc_write(vs, buf, 4);
1679 }
1680 
1681 void vnc_write_u16(VncState *vs, uint16_t value)
1682 {
1683     uint8_t buf[2];
1684 
1685     buf[0] = (value >> 8) & 0xFF;
1686     buf[1] = value & 0xFF;
1687 
1688     vnc_write(vs, buf, 2);
1689 }
1690 
1691 void vnc_write_u8(VncState *vs, uint8_t value)
1692 {
1693     vnc_write(vs, (char *)&value, 1);
1694 }
1695 
1696 void vnc_flush(VncState *vs)
1697 {
1698     vnc_lock_output(vs);
1699     if (vs->ioc != NULL && vs->output.offset) {
1700         vnc_client_write_locked(vs);
1701     }
1702     if (vs->disconnecting) {
1703         if (vs->ioc_tag != 0) {
1704             g_source_remove(vs->ioc_tag);
1705         }
1706         vs->ioc_tag = 0;
1707     }
1708     vnc_unlock_output(vs);
1709 }
1710 
1711 static uint8_t read_u8(uint8_t *data, size_t offset)
1712 {
1713     return data[offset];
1714 }
1715 
1716 static uint16_t read_u16(uint8_t *data, size_t offset)
1717 {
1718     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1719 }
1720 
1721 static int32_t read_s32(uint8_t *data, size_t offset)
1722 {
1723     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1724                      (data[offset + 2] << 8) | data[offset + 3]);
1725 }
1726 
1727 uint32_t read_u32(uint8_t *data, size_t offset)
1728 {
1729     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1730             (data[offset + 2] << 8) | data[offset + 3]);
1731 }
1732 
1733 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1734 {
1735 }
1736 
1737 static void check_pointer_type_change(Notifier *notifier, void *data)
1738 {
1739     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1740     int absolute = qemu_input_is_absolute();
1741 
1742     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1743         vnc_lock_output(vs);
1744         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1745         vnc_write_u8(vs, 0);
1746         vnc_write_u16(vs, 1);
1747         vnc_framebuffer_update(vs, absolute, 0,
1748                                pixman_image_get_width(vs->vd->server),
1749                                pixman_image_get_height(vs->vd->server),
1750                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1751         vnc_unlock_output(vs);
1752         vnc_flush(vs);
1753     }
1754     vs->absolute = absolute;
1755 }
1756 
1757 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1758 {
1759     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1760         [INPUT_BUTTON_LEFT]       = 0x01,
1761         [INPUT_BUTTON_MIDDLE]     = 0x02,
1762         [INPUT_BUTTON_RIGHT]      = 0x04,
1763         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1764         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1765     };
1766     QemuConsole *con = vs->vd->dcl.con;
1767     int width = pixman_image_get_width(vs->vd->server);
1768     int height = pixman_image_get_height(vs->vd->server);
1769 
1770     if (vs->last_bmask != button_mask) {
1771         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1772         vs->last_bmask = button_mask;
1773     }
1774 
1775     if (vs->absolute) {
1776         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1777         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1778     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1779         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1780         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1781     } else {
1782         if (vs->last_x != -1) {
1783             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1784             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1785         }
1786         vs->last_x = x;
1787         vs->last_y = y;
1788     }
1789     qemu_input_event_sync();
1790 }
1791 
1792 static void press_key(VncState *vs, QKeyCode qcode)
1793 {
1794     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1795     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1796 }
1797 
1798 static void vnc_led_state_change(VncState *vs)
1799 {
1800     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1801         return;
1802     }
1803 
1804     vnc_lock_output(vs);
1805     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1806     vnc_write_u8(vs, 0);
1807     vnc_write_u16(vs, 1);
1808     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1809     vnc_write_u8(vs, vs->vd->ledstate);
1810     vnc_unlock_output(vs);
1811     vnc_flush(vs);
1812 }
1813 
1814 static void kbd_leds(void *opaque, int ledstate)
1815 {
1816     VncDisplay *vd = opaque;
1817     VncState *client;
1818 
1819     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1820                              (ledstate & QEMU_NUM_LOCK_LED),
1821                              (ledstate & QEMU_SCROLL_LOCK_LED));
1822 
1823     if (ledstate == vd->ledstate) {
1824         return;
1825     }
1826 
1827     vd->ledstate = ledstate;
1828 
1829     QTAILQ_FOREACH(client, &vd->clients, next) {
1830         vnc_led_state_change(client);
1831     }
1832 }
1833 
1834 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1835 {
1836     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1837 
1838     /* QEMU console switch */
1839     switch (qcode) {
1840     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1841         if (vs->vd->dcl.con == NULL && down &&
1842             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1843             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1844             /* Reset the modifiers sent to the current console */
1845             qkbd_state_lift_all_keys(vs->vd->kbd);
1846             console_select(qcode - Q_KEY_CODE_1);
1847             return;
1848         }
1849     default:
1850         break;
1851     }
1852 
1853     /* Turn off the lock state sync logic if the client support the led
1854        state extension.
1855     */
1856     if (down && vs->vd->lock_key_sync &&
1857         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1858         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1859         /* If the numlock state needs to change then simulate an additional
1860            keypress before sending this one.  This will happen if the user
1861            toggles numlock away from the VNC window.
1862         */
1863         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1864             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1865                 trace_vnc_key_sync_numlock(true);
1866                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1867             }
1868         } else {
1869             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1870                 trace_vnc_key_sync_numlock(false);
1871                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1872             }
1873         }
1874     }
1875 
1876     if (down && vs->vd->lock_key_sync &&
1877         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1878         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1879         /* If the capslock state needs to change then simulate an additional
1880            keypress before sending this one.  This will happen if the user
1881            toggles capslock away from the VNC window.
1882         */
1883         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1884         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1885         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1886         if (capslock) {
1887             if (uppercase == shift) {
1888                 trace_vnc_key_sync_capslock(false);
1889                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1890             }
1891         } else {
1892             if (uppercase != shift) {
1893                 trace_vnc_key_sync_capslock(true);
1894                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1895             }
1896         }
1897     }
1898 
1899     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1900     if (!qemu_console_is_graphic(NULL)) {
1901         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1902         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1903         /* QEMU console emulation */
1904         if (down) {
1905             switch (keycode) {
1906             case 0x2a:                          /* Left Shift */
1907             case 0x36:                          /* Right Shift */
1908             case 0x1d:                          /* Left CTRL */
1909             case 0x9d:                          /* Right CTRL */
1910             case 0x38:                          /* Left ALT */
1911             case 0xb8:                          /* Right ALT */
1912                 break;
1913             case 0xc8:
1914                 kbd_put_keysym(QEMU_KEY_UP);
1915                 break;
1916             case 0xd0:
1917                 kbd_put_keysym(QEMU_KEY_DOWN);
1918                 break;
1919             case 0xcb:
1920                 kbd_put_keysym(QEMU_KEY_LEFT);
1921                 break;
1922             case 0xcd:
1923                 kbd_put_keysym(QEMU_KEY_RIGHT);
1924                 break;
1925             case 0xd3:
1926                 kbd_put_keysym(QEMU_KEY_DELETE);
1927                 break;
1928             case 0xc7:
1929                 kbd_put_keysym(QEMU_KEY_HOME);
1930                 break;
1931             case 0xcf:
1932                 kbd_put_keysym(QEMU_KEY_END);
1933                 break;
1934             case 0xc9:
1935                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1936                 break;
1937             case 0xd1:
1938                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1939                 break;
1940 
1941             case 0x47:
1942                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1943                 break;
1944             case 0x48:
1945                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1946                 break;
1947             case 0x49:
1948                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1949                 break;
1950             case 0x4b:
1951                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1952                 break;
1953             case 0x4c:
1954                 kbd_put_keysym('5');
1955                 break;
1956             case 0x4d:
1957                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1958                 break;
1959             case 0x4f:
1960                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1961                 break;
1962             case 0x50:
1963                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1964                 break;
1965             case 0x51:
1966                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1967                 break;
1968             case 0x52:
1969                 kbd_put_keysym('0');
1970                 break;
1971             case 0x53:
1972                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1973                 break;
1974 
1975             case 0xb5:
1976                 kbd_put_keysym('/');
1977                 break;
1978             case 0x37:
1979                 kbd_put_keysym('*');
1980                 break;
1981             case 0x4a:
1982                 kbd_put_keysym('-');
1983                 break;
1984             case 0x4e:
1985                 kbd_put_keysym('+');
1986                 break;
1987             case 0x9c:
1988                 kbd_put_keysym('\n');
1989                 break;
1990 
1991             default:
1992                 if (control) {
1993                     kbd_put_keysym(sym & 0x1f);
1994                 } else {
1995                     kbd_put_keysym(sym);
1996                 }
1997                 break;
1998             }
1999         }
2000     }
2001 }
2002 
2003 static const char *code2name(int keycode)
2004 {
2005     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2006 }
2007 
2008 static void key_event(VncState *vs, int down, uint32_t sym)
2009 {
2010     int keycode;
2011     int lsym = sym;
2012 
2013     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2014         lsym = lsym - 'A' + 'a';
2015     }
2016 
2017     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2018                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2019     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2020     do_key_event(vs, down, keycode, sym);
2021 }
2022 
2023 static void ext_key_event(VncState *vs, int down,
2024                           uint32_t sym, uint16_t keycode)
2025 {
2026     /* if the user specifies a keyboard layout, always use it */
2027     if (keyboard_layout) {
2028         key_event(vs, down, sym);
2029     } else {
2030         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2031         do_key_event(vs, down, keycode, sym);
2032     }
2033 }
2034 
2035 static void framebuffer_update_request(VncState *vs, int incremental,
2036                                        int x, int y, int w, int h)
2037 {
2038     if (incremental) {
2039         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2040             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2041         }
2042     } else {
2043         vs->update = VNC_STATE_UPDATE_FORCE;
2044         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2045         vnc_colordepth(vs);
2046         vnc_desktop_resize(vs);
2047         vnc_led_state_change(vs);
2048         vnc_cursor_define(vs);
2049     }
2050 }
2051 
2052 static void send_ext_key_event_ack(VncState *vs)
2053 {
2054     vnc_lock_output(vs);
2055     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2056     vnc_write_u8(vs, 0);
2057     vnc_write_u16(vs, 1);
2058     vnc_framebuffer_update(vs, 0, 0,
2059                            pixman_image_get_width(vs->vd->server),
2060                            pixman_image_get_height(vs->vd->server),
2061                            VNC_ENCODING_EXT_KEY_EVENT);
2062     vnc_unlock_output(vs);
2063     vnc_flush(vs);
2064 }
2065 
2066 static void send_ext_audio_ack(VncState *vs)
2067 {
2068     vnc_lock_output(vs);
2069     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2070     vnc_write_u8(vs, 0);
2071     vnc_write_u16(vs, 1);
2072     vnc_framebuffer_update(vs, 0, 0,
2073                            pixman_image_get_width(vs->vd->server),
2074                            pixman_image_get_height(vs->vd->server),
2075                            VNC_ENCODING_AUDIO);
2076     vnc_unlock_output(vs);
2077     vnc_flush(vs);
2078 }
2079 
2080 static void send_xvp_message(VncState *vs, int code)
2081 {
2082     vnc_lock_output(vs);
2083     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2084     vnc_write_u8(vs, 0); /* pad */
2085     vnc_write_u8(vs, 1); /* version */
2086     vnc_write_u8(vs, code);
2087     vnc_unlock_output(vs);
2088     vnc_flush(vs);
2089 }
2090 
2091 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2092 {
2093     int i;
2094     unsigned int enc = 0;
2095 
2096     vs->features = 0;
2097     vs->vnc_encoding = 0;
2098     vs->tight->compression = 9;
2099     vs->tight->quality = -1; /* Lossless by default */
2100     vs->absolute = -1;
2101 
2102     /*
2103      * Start from the end because the encodings are sent in order of preference.
2104      * This way the preferred encoding (first encoding defined in the array)
2105      * will be set at the end of the loop.
2106      */
2107     for (i = n_encodings - 1; i >= 0; i--) {
2108         enc = encodings[i];
2109         switch (enc) {
2110         case VNC_ENCODING_RAW:
2111             vs->vnc_encoding = enc;
2112             break;
2113         case VNC_ENCODING_HEXTILE:
2114             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2115             vs->vnc_encoding = enc;
2116             break;
2117         case VNC_ENCODING_TIGHT:
2118             vs->features |= VNC_FEATURE_TIGHT_MASK;
2119             vs->vnc_encoding = enc;
2120             break;
2121 #ifdef CONFIG_VNC_PNG
2122         case VNC_ENCODING_TIGHT_PNG:
2123             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2124             vs->vnc_encoding = enc;
2125             break;
2126 #endif
2127         case VNC_ENCODING_ZLIB:
2128             /*
2129              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2130              * So prioritize ZRLE, even if the client hints that it prefers
2131              * ZLIB.
2132              */
2133             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2134                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2135                 vs->vnc_encoding = enc;
2136             }
2137             break;
2138         case VNC_ENCODING_ZRLE:
2139             vs->features |= VNC_FEATURE_ZRLE_MASK;
2140             vs->vnc_encoding = enc;
2141             break;
2142         case VNC_ENCODING_ZYWRLE:
2143             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2144             vs->vnc_encoding = enc;
2145             break;
2146         case VNC_ENCODING_DESKTOPRESIZE:
2147             vs->features |= VNC_FEATURE_RESIZE_MASK;
2148             break;
2149         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2150             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2151             break;
2152         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2153             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2154             break;
2155         case VNC_ENCODING_RICH_CURSOR:
2156             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2157             break;
2158         case VNC_ENCODING_ALPHA_CURSOR:
2159             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2160             break;
2161         case VNC_ENCODING_EXT_KEY_EVENT:
2162             send_ext_key_event_ack(vs);
2163             break;
2164         case VNC_ENCODING_AUDIO:
2165             send_ext_audio_ack(vs);
2166             break;
2167         case VNC_ENCODING_WMVi:
2168             vs->features |= VNC_FEATURE_WMVI_MASK;
2169             break;
2170         case VNC_ENCODING_LED_STATE:
2171             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2172             break;
2173         case VNC_ENCODING_XVP:
2174             if (vs->vd->power_control) {
2175                 vs->features |= VNC_FEATURE_XVP;
2176                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2177             }
2178             break;
2179         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2180             vs->tight->compression = (enc & 0x0F);
2181             break;
2182         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2183             if (vs->vd->lossy) {
2184                 vs->tight->quality = (enc & 0x0F);
2185             }
2186             break;
2187         default:
2188             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2189             break;
2190         }
2191     }
2192     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2193 }
2194 
2195 static void set_pixel_conversion(VncState *vs)
2196 {
2197     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2198 
2199     if (fmt == VNC_SERVER_FB_FORMAT) {
2200         vs->write_pixels = vnc_write_pixels_copy;
2201         vnc_hextile_set_pixel_conversion(vs, 0);
2202     } else {
2203         vs->write_pixels = vnc_write_pixels_generic;
2204         vnc_hextile_set_pixel_conversion(vs, 1);
2205     }
2206 }
2207 
2208 static void send_color_map(VncState *vs)
2209 {
2210     int i;
2211 
2212     vnc_lock_output(vs);
2213     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2214     vnc_write_u8(vs,  0);    /* padding     */
2215     vnc_write_u16(vs, 0);    /* first color */
2216     vnc_write_u16(vs, 256);  /* # of colors */
2217 
2218     for (i = 0; i < 256; i++) {
2219         PixelFormat *pf = &vs->client_pf;
2220 
2221         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2222         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2223         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2224     }
2225     vnc_unlock_output(vs);
2226 }
2227 
2228 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2229                              int big_endian_flag, int true_color_flag,
2230                              int red_max, int green_max, int blue_max,
2231                              int red_shift, int green_shift, int blue_shift)
2232 {
2233     if (!true_color_flag) {
2234         /* Expose a reasonable default 256 color map */
2235         bits_per_pixel = 8;
2236         red_max = 7;
2237         green_max = 7;
2238         blue_max = 3;
2239         red_shift = 0;
2240         green_shift = 3;
2241         blue_shift = 6;
2242     }
2243 
2244     switch (bits_per_pixel) {
2245     case 8:
2246     case 16:
2247     case 32:
2248         break;
2249     default:
2250         vnc_client_error(vs);
2251         return;
2252     }
2253 
2254     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2255     vs->client_pf.rbits = ctpopl(red_max);
2256     vs->client_pf.rshift = red_shift;
2257     vs->client_pf.rmask = red_max << red_shift;
2258     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2259     vs->client_pf.gbits = ctpopl(green_max);
2260     vs->client_pf.gshift = green_shift;
2261     vs->client_pf.gmask = green_max << green_shift;
2262     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2263     vs->client_pf.bbits = ctpopl(blue_max);
2264     vs->client_pf.bshift = blue_shift;
2265     vs->client_pf.bmask = blue_max << blue_shift;
2266     vs->client_pf.bits_per_pixel = bits_per_pixel;
2267     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2268     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2269     vs->client_be = big_endian_flag;
2270 
2271     if (!true_color_flag) {
2272         send_color_map(vs);
2273     }
2274 
2275     set_pixel_conversion(vs);
2276 
2277     graphic_hw_invalidate(vs->vd->dcl.con);
2278     graphic_hw_update(vs->vd->dcl.con);
2279 }
2280 
2281 static void pixel_format_message (VncState *vs) {
2282     char pad[3] = { 0, 0, 0 };
2283 
2284     vs->client_pf = qemu_default_pixelformat(32);
2285 
2286     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2287     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2288 
2289 #ifdef HOST_WORDS_BIGENDIAN
2290     vnc_write_u8(vs, 1);             /* big-endian-flag */
2291 #else
2292     vnc_write_u8(vs, 0);             /* big-endian-flag */
2293 #endif
2294     vnc_write_u8(vs, 1);             /* true-color-flag */
2295     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2296     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2297     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2298     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2299     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2300     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2301     vnc_write(vs, pad, 3);           /* padding */
2302 
2303     vnc_hextile_set_pixel_conversion(vs, 0);
2304     vs->write_pixels = vnc_write_pixels_copy;
2305 }
2306 
2307 static void vnc_colordepth(VncState *vs)
2308 {
2309     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2310         /* Sending a WMVi message to notify the client*/
2311         vnc_lock_output(vs);
2312         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2313         vnc_write_u8(vs, 0);
2314         vnc_write_u16(vs, 1); /* number of rects */
2315         vnc_framebuffer_update(vs, 0, 0,
2316                                pixman_image_get_width(vs->vd->server),
2317                                pixman_image_get_height(vs->vd->server),
2318                                VNC_ENCODING_WMVi);
2319         pixel_format_message(vs);
2320         vnc_unlock_output(vs);
2321         vnc_flush(vs);
2322     } else {
2323         set_pixel_conversion(vs);
2324     }
2325 }
2326 
2327 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2328 {
2329     int i;
2330     uint16_t limit;
2331     uint32_t freq;
2332     VncDisplay *vd = vs->vd;
2333 
2334     if (data[0] > 3) {
2335         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2336     }
2337 
2338     switch (data[0]) {
2339     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2340         if (len == 1)
2341             return 20;
2342 
2343         set_pixel_format(vs, read_u8(data, 4),
2344                          read_u8(data, 6), read_u8(data, 7),
2345                          read_u16(data, 8), read_u16(data, 10),
2346                          read_u16(data, 12), read_u8(data, 14),
2347                          read_u8(data, 15), read_u8(data, 16));
2348         break;
2349     case VNC_MSG_CLIENT_SET_ENCODINGS:
2350         if (len == 1)
2351             return 4;
2352 
2353         if (len == 4) {
2354             limit = read_u16(data, 2);
2355             if (limit > 0)
2356                 return 4 + (limit * 4);
2357         } else
2358             limit = read_u16(data, 2);
2359 
2360         for (i = 0; i < limit; i++) {
2361             int32_t val = read_s32(data, 4 + (i * 4));
2362             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2363         }
2364 
2365         set_encodings(vs, (int32_t *)(data + 4), limit);
2366         break;
2367     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2368         if (len == 1)
2369             return 10;
2370 
2371         framebuffer_update_request(vs,
2372                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2373                                    read_u16(data, 6), read_u16(data, 8));
2374         break;
2375     case VNC_MSG_CLIENT_KEY_EVENT:
2376         if (len == 1)
2377             return 8;
2378 
2379         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2380         break;
2381     case VNC_MSG_CLIENT_POINTER_EVENT:
2382         if (len == 1)
2383             return 6;
2384 
2385         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2386         break;
2387     case VNC_MSG_CLIENT_CUT_TEXT:
2388         if (len == 1) {
2389             return 8;
2390         }
2391         if (len == 8) {
2392             uint32_t dlen = read_u32(data, 4);
2393             if (dlen > (1 << 20)) {
2394                 error_report("vnc: client_cut_text msg payload has %u bytes"
2395                              " which exceeds our limit of 1MB.", dlen);
2396                 vnc_client_error(vs);
2397                 break;
2398             }
2399             if (dlen > 0) {
2400                 return 8 + dlen;
2401             }
2402         }
2403 
2404         client_cut_text(vs, read_u32(data, 4), data + 8);
2405         break;
2406     case VNC_MSG_CLIENT_XVP:
2407         if (!(vs->features & VNC_FEATURE_XVP)) {
2408             error_report("vnc: xvp client message while disabled");
2409             vnc_client_error(vs);
2410             break;
2411         }
2412         if (len == 1) {
2413             return 4;
2414         }
2415         if (len == 4) {
2416             uint8_t version = read_u8(data, 2);
2417             uint8_t action = read_u8(data, 3);
2418 
2419             if (version != 1) {
2420                 error_report("vnc: xvp client message version %d != 1",
2421                              version);
2422                 vnc_client_error(vs);
2423                 break;
2424             }
2425 
2426             switch (action) {
2427             case VNC_XVP_ACTION_SHUTDOWN:
2428                 qemu_system_powerdown_request();
2429                 break;
2430             case VNC_XVP_ACTION_REBOOT:
2431                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2432                 break;
2433             case VNC_XVP_ACTION_RESET:
2434                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2435                 break;
2436             default:
2437                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2438                 break;
2439             }
2440         }
2441         break;
2442     case VNC_MSG_CLIENT_QEMU:
2443         if (len == 1)
2444             return 2;
2445 
2446         switch (read_u8(data, 1)) {
2447         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2448             if (len == 2)
2449                 return 12;
2450 
2451             ext_key_event(vs, read_u16(data, 2),
2452                           read_u32(data, 4), read_u32(data, 8));
2453             break;
2454         case VNC_MSG_CLIENT_QEMU_AUDIO:
2455             if (len == 2)
2456                 return 4;
2457 
2458             switch (read_u16 (data, 2)) {
2459             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2460                 audio_add(vs);
2461                 break;
2462             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2463                 audio_del(vs);
2464                 break;
2465             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2466                 if (len == 4)
2467                     return 10;
2468                 switch (read_u8(data, 4)) {
2469                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2470                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2471                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2472                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2473                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2474                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2475                 default:
2476                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2477                     vnc_client_error(vs);
2478                     break;
2479                 }
2480                 vs->as.nchannels = read_u8(data, 5);
2481                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2482                     VNC_DEBUG("Invalid audio channel count %d\n",
2483                               read_u8(data, 5));
2484                     vnc_client_error(vs);
2485                     break;
2486                 }
2487                 freq = read_u32(data, 6);
2488                 /* No official limit for protocol, but 48khz is a sensible
2489                  * upper bound for trustworthy clients, and this limit
2490                  * protects calculations involving 'vs->as.freq' later.
2491                  */
2492                 if (freq > 48000) {
2493                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2494                     vnc_client_error(vs);
2495                     break;
2496                 }
2497                 vs->as.freq = freq;
2498                 break;
2499             default:
2500                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2501                 vnc_client_error(vs);
2502                 break;
2503             }
2504             break;
2505 
2506         default:
2507             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2508             vnc_client_error(vs);
2509             break;
2510         }
2511         break;
2512     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2513     {
2514         size_t size;
2515         uint8_t screens;
2516 
2517         if (len < 8) {
2518             return 8;
2519         }
2520 
2521         screens = read_u8(data, 6);
2522         size    = 8 + screens * 16;
2523         if (len < size) {
2524             return size;
2525         }
2526 
2527         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2528             QemuUIInfo info;
2529             memset(&info, 0, sizeof(info));
2530             info.width = read_u16(data, 2);
2531             info.height = read_u16(data, 4);
2532             dpy_set_ui_info(vs->vd->dcl.con, &info);
2533             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2534         } else {
2535             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2536         }
2537 
2538         break;
2539     }
2540     default:
2541         VNC_DEBUG("Msg: %d\n", data[0]);
2542         vnc_client_error(vs);
2543         break;
2544     }
2545 
2546     vnc_update_throttle_offset(vs);
2547     vnc_read_when(vs, protocol_client_msg, 1);
2548     return 0;
2549 }
2550 
2551 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2552 {
2553     char buf[1024];
2554     VncShareMode mode;
2555     int size;
2556 
2557     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2558     switch (vs->vd->share_policy) {
2559     case VNC_SHARE_POLICY_IGNORE:
2560         /*
2561          * Ignore the shared flag.  Nothing to do here.
2562          *
2563          * Doesn't conform to the rfb spec but is traditional qemu
2564          * behavior, thus left here as option for compatibility
2565          * reasons.
2566          */
2567         break;
2568     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2569         /*
2570          * Policy: Allow clients ask for exclusive access.
2571          *
2572          * Implementation: When a client asks for exclusive access,
2573          * disconnect all others. Shared connects are allowed as long
2574          * as no exclusive connection exists.
2575          *
2576          * This is how the rfb spec suggests to handle the shared flag.
2577          */
2578         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2579             VncState *client;
2580             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2581                 if (vs == client) {
2582                     continue;
2583                 }
2584                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2585                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2586                     continue;
2587                 }
2588                 vnc_disconnect_start(client);
2589             }
2590         }
2591         if (mode == VNC_SHARE_MODE_SHARED) {
2592             if (vs->vd->num_exclusive > 0) {
2593                 vnc_disconnect_start(vs);
2594                 return 0;
2595             }
2596         }
2597         break;
2598     case VNC_SHARE_POLICY_FORCE_SHARED:
2599         /*
2600          * Policy: Shared connects only.
2601          * Implementation: Disallow clients asking for exclusive access.
2602          *
2603          * Useful for shared desktop sessions where you don't want
2604          * someone forgetting to say -shared when running the vnc
2605          * client disconnect everybody else.
2606          */
2607         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2608             vnc_disconnect_start(vs);
2609             return 0;
2610         }
2611         break;
2612     }
2613     vnc_set_share_mode(vs, mode);
2614 
2615     if (vs->vd->num_shared > vs->vd->connections_limit) {
2616         vnc_disconnect_start(vs);
2617         return 0;
2618     }
2619 
2620     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2621            pixman_image_get_width(vs->vd->server) >= 0);
2622     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2623            pixman_image_get_height(vs->vd->server) >= 0);
2624     vs->client_width = pixman_image_get_width(vs->vd->server);
2625     vs->client_height = pixman_image_get_height(vs->vd->server);
2626     vnc_write_u16(vs, vs->client_width);
2627     vnc_write_u16(vs, vs->client_height);
2628 
2629     pixel_format_message(vs);
2630 
2631     if (qemu_name) {
2632         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2633         if (size > sizeof(buf)) {
2634             size = sizeof(buf);
2635         }
2636     } else {
2637         size = snprintf(buf, sizeof(buf), "QEMU");
2638     }
2639 
2640     vnc_write_u32(vs, size);
2641     vnc_write(vs, buf, size);
2642     vnc_flush(vs);
2643 
2644     vnc_client_cache_auth(vs);
2645     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2646 
2647     vnc_read_when(vs, protocol_client_msg, 1);
2648 
2649     return 0;
2650 }
2651 
2652 void start_client_init(VncState *vs)
2653 {
2654     vnc_read_when(vs, protocol_client_init, 1);
2655 }
2656 
2657 static void authentication_failed(VncState *vs)
2658 {
2659     vnc_write_u32(vs, 1); /* Reject auth */
2660     if (vs->minor >= 8) {
2661         static const char err[] = "Authentication failed";
2662         vnc_write_u32(vs, sizeof(err));
2663         vnc_write(vs, err, sizeof(err));
2664     }
2665     vnc_flush(vs);
2666     vnc_client_error(vs);
2667 }
2668 
2669 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2670 {
2671     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2672     size_t i, pwlen;
2673     unsigned char key[8];
2674     time_t now = time(NULL);
2675     QCryptoCipher *cipher = NULL;
2676     Error *err = NULL;
2677 
2678     if (!vs->vd->password) {
2679         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2680         goto reject;
2681     }
2682     if (vs->vd->expires < now) {
2683         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2684         goto reject;
2685     }
2686 
2687     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2688 
2689     /* Calculate the expected challenge response */
2690     pwlen = strlen(vs->vd->password);
2691     for (i=0; i<sizeof(key); i++)
2692         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2693 
2694     cipher = qcrypto_cipher_new(
2695         QCRYPTO_CIPHER_ALG_DES_RFB,
2696         QCRYPTO_CIPHER_MODE_ECB,
2697         key, G_N_ELEMENTS(key),
2698         &err);
2699     if (!cipher) {
2700         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2701                             error_get_pretty(err));
2702         error_free(err);
2703         goto reject;
2704     }
2705 
2706     if (qcrypto_cipher_encrypt(cipher,
2707                                vs->challenge,
2708                                response,
2709                                VNC_AUTH_CHALLENGE_SIZE,
2710                                &err) < 0) {
2711         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2712                             error_get_pretty(err));
2713         error_free(err);
2714         goto reject;
2715     }
2716 
2717     /* Compare expected vs actual challenge response */
2718     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2719         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2720         goto reject;
2721     } else {
2722         trace_vnc_auth_pass(vs, vs->auth);
2723         vnc_write_u32(vs, 0); /* Accept auth */
2724         vnc_flush(vs);
2725 
2726         start_client_init(vs);
2727     }
2728 
2729     qcrypto_cipher_free(cipher);
2730     return 0;
2731 
2732 reject:
2733     authentication_failed(vs);
2734     qcrypto_cipher_free(cipher);
2735     return 0;
2736 }
2737 
2738 void start_auth_vnc(VncState *vs)
2739 {
2740     Error *err = NULL;
2741 
2742     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2743         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2744                             error_get_pretty(err));
2745         error_free(err);
2746         authentication_failed(vs);
2747         return;
2748     }
2749 
2750     /* Send client a 'random' challenge */
2751     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2752     vnc_flush(vs);
2753 
2754     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2755 }
2756 
2757 
2758 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2759 {
2760     /* We only advertise 1 auth scheme at a time, so client
2761      * must pick the one we sent. Verify this */
2762     if (data[0] != vs->auth) { /* Reject auth */
2763        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2764        authentication_failed(vs);
2765     } else { /* Accept requested auth */
2766        trace_vnc_auth_start(vs, vs->auth);
2767        switch (vs->auth) {
2768        case VNC_AUTH_NONE:
2769            if (vs->minor >= 8) {
2770                vnc_write_u32(vs, 0); /* Accept auth completion */
2771                vnc_flush(vs);
2772            }
2773            trace_vnc_auth_pass(vs, vs->auth);
2774            start_client_init(vs);
2775            break;
2776 
2777        case VNC_AUTH_VNC:
2778            start_auth_vnc(vs);
2779            break;
2780 
2781        case VNC_AUTH_VENCRYPT:
2782            start_auth_vencrypt(vs);
2783            break;
2784 
2785 #ifdef CONFIG_VNC_SASL
2786        case VNC_AUTH_SASL:
2787            start_auth_sasl(vs);
2788            break;
2789 #endif /* CONFIG_VNC_SASL */
2790 
2791        default: /* Should not be possible, but just in case */
2792            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2793            authentication_failed(vs);
2794        }
2795     }
2796     return 0;
2797 }
2798 
2799 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2800 {
2801     char local[13];
2802 
2803     memcpy(local, version, 12);
2804     local[12] = 0;
2805 
2806     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2807         VNC_DEBUG("Malformed protocol version %s\n", local);
2808         vnc_client_error(vs);
2809         return 0;
2810     }
2811     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2812     if (vs->major != 3 ||
2813         (vs->minor != 3 &&
2814          vs->minor != 4 &&
2815          vs->minor != 5 &&
2816          vs->minor != 7 &&
2817          vs->minor != 8)) {
2818         VNC_DEBUG("Unsupported client version\n");
2819         vnc_write_u32(vs, VNC_AUTH_INVALID);
2820         vnc_flush(vs);
2821         vnc_client_error(vs);
2822         return 0;
2823     }
2824     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2825      * as equivalent to v3.3 by servers
2826      */
2827     if (vs->minor == 4 || vs->minor == 5)
2828         vs->minor = 3;
2829 
2830     if (vs->minor == 3) {
2831         trace_vnc_auth_start(vs, vs->auth);
2832         if (vs->auth == VNC_AUTH_NONE) {
2833             vnc_write_u32(vs, vs->auth);
2834             vnc_flush(vs);
2835             trace_vnc_auth_pass(vs, vs->auth);
2836             start_client_init(vs);
2837        } else if (vs->auth == VNC_AUTH_VNC) {
2838             VNC_DEBUG("Tell client VNC auth\n");
2839             vnc_write_u32(vs, vs->auth);
2840             vnc_flush(vs);
2841             start_auth_vnc(vs);
2842        } else {
2843             trace_vnc_auth_fail(vs, vs->auth,
2844                                 "Unsupported auth method for v3.3", "");
2845             vnc_write_u32(vs, VNC_AUTH_INVALID);
2846             vnc_flush(vs);
2847             vnc_client_error(vs);
2848        }
2849     } else {
2850         vnc_write_u8(vs, 1); /* num auth */
2851         vnc_write_u8(vs, vs->auth);
2852         vnc_read_when(vs, protocol_client_auth, 1);
2853         vnc_flush(vs);
2854     }
2855 
2856     return 0;
2857 }
2858 
2859 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2860 {
2861     struct VncSurface *vs = &vd->guest;
2862 
2863     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2864 }
2865 
2866 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2867 {
2868     int i, j;
2869 
2870     w = (x + w) / VNC_STAT_RECT;
2871     h = (y + h) / VNC_STAT_RECT;
2872     x /= VNC_STAT_RECT;
2873     y /= VNC_STAT_RECT;
2874 
2875     for (j = y; j <= h; j++) {
2876         for (i = x; i <= w; i++) {
2877             vs->lossy_rect[j][i] = 1;
2878         }
2879     }
2880 }
2881 
2882 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2883 {
2884     VncState *vs;
2885     int sty = y / VNC_STAT_RECT;
2886     int stx = x / VNC_STAT_RECT;
2887     int has_dirty = 0;
2888 
2889     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2890     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2891 
2892     QTAILQ_FOREACH(vs, &vd->clients, next) {
2893         int j;
2894 
2895         /* kernel send buffers are full -> refresh later */
2896         if (vs->output.offset) {
2897             continue;
2898         }
2899 
2900         if (!vs->lossy_rect[sty][stx]) {
2901             continue;
2902         }
2903 
2904         vs->lossy_rect[sty][stx] = 0;
2905         for (j = 0; j < VNC_STAT_RECT; ++j) {
2906             bitmap_set(vs->dirty[y + j],
2907                        x / VNC_DIRTY_PIXELS_PER_BIT,
2908                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2909         }
2910         has_dirty++;
2911     }
2912 
2913     return has_dirty;
2914 }
2915 
2916 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2917 {
2918     int width = MIN(pixman_image_get_width(vd->guest.fb),
2919                     pixman_image_get_width(vd->server));
2920     int height = MIN(pixman_image_get_height(vd->guest.fb),
2921                      pixman_image_get_height(vd->server));
2922     int x, y;
2923     struct timeval res;
2924     int has_dirty = 0;
2925 
2926     for (y = 0; y < height; y += VNC_STAT_RECT) {
2927         for (x = 0; x < width; x += VNC_STAT_RECT) {
2928             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2929 
2930             rect->updated = false;
2931         }
2932     }
2933 
2934     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2935 
2936     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2937         return has_dirty;
2938     }
2939     vd->guest.last_freq_check = *tv;
2940 
2941     for (y = 0; y < height; y += VNC_STAT_RECT) {
2942         for (x = 0; x < width; x += VNC_STAT_RECT) {
2943             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2944             int count = ARRAY_SIZE(rect->times);
2945             struct timeval min, max;
2946 
2947             if (!timerisset(&rect->times[count - 1])) {
2948                 continue ;
2949             }
2950 
2951             max = rect->times[(rect->idx + count - 1) % count];
2952             qemu_timersub(tv, &max, &res);
2953 
2954             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2955                 rect->freq = 0;
2956                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2957                 memset(rect->times, 0, sizeof (rect->times));
2958                 continue ;
2959             }
2960 
2961             min = rect->times[rect->idx];
2962             max = rect->times[(rect->idx + count - 1) % count];
2963             qemu_timersub(&max, &min, &res);
2964 
2965             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2966             rect->freq /= count;
2967             rect->freq = 1. / rect->freq;
2968         }
2969     }
2970     return has_dirty;
2971 }
2972 
2973 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2974 {
2975     int i, j;
2976     double total = 0;
2977     int num = 0;
2978 
2979     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2980     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2981 
2982     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2983         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2984             total += vnc_stat_rect(vs->vd, i, j)->freq;
2985             num++;
2986         }
2987     }
2988 
2989     if (num) {
2990         return total / num;
2991     } else {
2992         return 0;
2993     }
2994 }
2995 
2996 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2997 {
2998     VncRectStat *rect;
2999 
3000     rect = vnc_stat_rect(vd, x, y);
3001     if (rect->updated) {
3002         return ;
3003     }
3004     rect->times[rect->idx] = *tv;
3005     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3006     rect->updated = true;
3007 }
3008 
3009 static int vnc_refresh_server_surface(VncDisplay *vd)
3010 {
3011     int width = MIN(pixman_image_get_width(vd->guest.fb),
3012                     pixman_image_get_width(vd->server));
3013     int height = MIN(pixman_image_get_height(vd->guest.fb),
3014                      pixman_image_get_height(vd->server));
3015     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3016     uint8_t *guest_row0 = NULL, *server_row0;
3017     VncState *vs;
3018     int has_dirty = 0;
3019     pixman_image_t *tmpbuf = NULL;
3020 
3021     struct timeval tv = { 0, 0 };
3022 
3023     if (!vd->non_adaptive) {
3024         gettimeofday(&tv, NULL);
3025         has_dirty = vnc_update_stats(vd, &tv);
3026     }
3027 
3028     /*
3029      * Walk through the guest dirty map.
3030      * Check and copy modified bits from guest to server surface.
3031      * Update server dirty map.
3032      */
3033     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3034     server_stride = guest_stride = guest_ll =
3035         pixman_image_get_stride(vd->server);
3036     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3037                     server_stride);
3038     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3039         int width = pixman_image_get_width(vd->server);
3040         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3041     } else {
3042         int guest_bpp =
3043             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3044         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3045         guest_stride = pixman_image_get_stride(vd->guest.fb);
3046         guest_ll = pixman_image_get_width(vd->guest.fb)
3047                    * DIV_ROUND_UP(guest_bpp, 8);
3048     }
3049     line_bytes = MIN(server_stride, guest_ll);
3050 
3051     for (;;) {
3052         int x;
3053         uint8_t *guest_ptr, *server_ptr;
3054         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3055                                              height * VNC_DIRTY_BPL(&vd->guest),
3056                                              y * VNC_DIRTY_BPL(&vd->guest));
3057         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3058             /* no more dirty bits */
3059             break;
3060         }
3061         y = offset / VNC_DIRTY_BPL(&vd->guest);
3062         x = offset % VNC_DIRTY_BPL(&vd->guest);
3063 
3064         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3065 
3066         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3067             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3068             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3069         } else {
3070             guest_ptr = guest_row0 + y * guest_stride;
3071         }
3072         guest_ptr += x * cmp_bytes;
3073 
3074         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3075              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3076             int _cmp_bytes = cmp_bytes;
3077             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3078                 continue;
3079             }
3080             if ((x + 1) * cmp_bytes > line_bytes) {
3081                 _cmp_bytes = line_bytes - x * cmp_bytes;
3082             }
3083             assert(_cmp_bytes >= 0);
3084             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3085                 continue;
3086             }
3087             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3088             if (!vd->non_adaptive) {
3089                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3090                                  y, &tv);
3091             }
3092             QTAILQ_FOREACH(vs, &vd->clients, next) {
3093                 set_bit(x, vs->dirty[y]);
3094             }
3095             has_dirty++;
3096         }
3097 
3098         y++;
3099     }
3100     qemu_pixman_image_unref(tmpbuf);
3101     return has_dirty;
3102 }
3103 
3104 static void vnc_refresh(DisplayChangeListener *dcl)
3105 {
3106     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3107     VncState *vs, *vn;
3108     int has_dirty, rects = 0;
3109 
3110     if (QTAILQ_EMPTY(&vd->clients)) {
3111         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3112         return;
3113     }
3114 
3115     graphic_hw_update(vd->dcl.con);
3116 
3117     if (vnc_trylock_display(vd)) {
3118         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3119         return;
3120     }
3121 
3122     has_dirty = vnc_refresh_server_surface(vd);
3123     vnc_unlock_display(vd);
3124 
3125     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3126         rects += vnc_update_client(vs, has_dirty);
3127         /* vs might be free()ed here */
3128     }
3129 
3130     if (has_dirty && rects) {
3131         vd->dcl.update_interval /= 2;
3132         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3133             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3134         }
3135     } else {
3136         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3137         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3138             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3139         }
3140     }
3141 }
3142 
3143 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3144                         bool skipauth, bool websocket)
3145 {
3146     VncState *vs = g_new0(VncState, 1);
3147     bool first_client = QTAILQ_EMPTY(&vd->clients);
3148     int i;
3149 
3150     trace_vnc_client_connect(vs, sioc);
3151     vs->zrle = g_new0(VncZrle, 1);
3152     vs->tight = g_new0(VncTight, 1);
3153     vs->magic = VNC_MAGIC;
3154     vs->sioc = sioc;
3155     object_ref(OBJECT(vs->sioc));
3156     vs->ioc = QIO_CHANNEL(sioc);
3157     object_ref(OBJECT(vs->ioc));
3158     vs->vd = vd;
3159 
3160     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3161     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3162     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3163 
3164     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3165     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3166     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3167 #ifdef CONFIG_VNC_JPEG
3168     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3169 #endif
3170 #ifdef CONFIG_VNC_PNG
3171     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3172 #endif
3173     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3174     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3175     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3176     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3177 
3178     if (skipauth) {
3179         vs->auth = VNC_AUTH_NONE;
3180         vs->subauth = VNC_AUTH_INVALID;
3181     } else {
3182         if (websocket) {
3183             vs->auth = vd->ws_auth;
3184             vs->subauth = VNC_AUTH_INVALID;
3185         } else {
3186             vs->auth = vd->auth;
3187             vs->subauth = vd->subauth;
3188         }
3189     }
3190     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3191               sioc, websocket, vs->auth, vs->subauth);
3192 
3193     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3194     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3195         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3196     }
3197 
3198     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3199     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3200     qio_channel_set_blocking(vs->ioc, false, NULL);
3201     if (vs->ioc_tag) {
3202         g_source_remove(vs->ioc_tag);
3203     }
3204     if (websocket) {
3205         vs->websocket = 1;
3206         if (vd->tlscreds) {
3207             vs->ioc_tag = qio_channel_add_watch(
3208                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3209                 vncws_tls_handshake_io, vs, NULL);
3210         } else {
3211             vs->ioc_tag = qio_channel_add_watch(
3212                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3213                 vncws_handshake_io, vs, NULL);
3214         }
3215     } else {
3216         vs->ioc_tag = qio_channel_add_watch(
3217             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3218             vnc_client_io, vs, NULL);
3219     }
3220 
3221     vnc_client_cache_addr(vs);
3222     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3223     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3224 
3225     vs->last_x = -1;
3226     vs->last_y = -1;
3227 
3228     vs->as.freq = 44100;
3229     vs->as.nchannels = 2;
3230     vs->as.fmt = AUDIO_FORMAT_S16;
3231     vs->as.endianness = 0;
3232 
3233     qemu_mutex_init(&vs->output_mutex);
3234     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3235 
3236     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3237     if (first_client) {
3238         vnc_update_server_surface(vd);
3239     }
3240 
3241     graphic_hw_update(vd->dcl.con);
3242 
3243     if (!vs->websocket) {
3244         vnc_start_protocol(vs);
3245     }
3246 
3247     if (vd->num_connecting > vd->connections_limit) {
3248         QTAILQ_FOREACH(vs, &vd->clients, next) {
3249             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3250                 vnc_disconnect_start(vs);
3251                 return;
3252             }
3253         }
3254     }
3255 }
3256 
3257 void vnc_start_protocol(VncState *vs)
3258 {
3259     vnc_write(vs, "RFB 003.008\n", 12);
3260     vnc_flush(vs);
3261     vnc_read_when(vs, protocol_version, 12);
3262 
3263     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3264     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3265 }
3266 
3267 static void vnc_listen_io(QIONetListener *listener,
3268                           QIOChannelSocket *cioc,
3269                           void *opaque)
3270 {
3271     VncDisplay *vd = opaque;
3272     bool isWebsock = listener == vd->wslistener;
3273 
3274     qio_channel_set_name(QIO_CHANNEL(cioc),
3275                          isWebsock ? "vnc-ws-server" : "vnc-server");
3276     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3277     vnc_connect(vd, cioc, false, isWebsock);
3278 }
3279 
3280 static const DisplayChangeListenerOps dcl_ops = {
3281     .dpy_name             = "vnc",
3282     .dpy_refresh          = vnc_refresh,
3283     .dpy_gfx_update       = vnc_dpy_update,
3284     .dpy_gfx_switch       = vnc_dpy_switch,
3285     .dpy_gfx_check_format = qemu_pixman_check_format,
3286     .dpy_mouse_set        = vnc_mouse_set,
3287     .dpy_cursor_define    = vnc_dpy_cursor_define,
3288 };
3289 
3290 void vnc_display_init(const char *id, Error **errp)
3291 {
3292     VncDisplay *vd;
3293 
3294     if (vnc_display_find(id) != NULL) {
3295         return;
3296     }
3297     vd = g_malloc0(sizeof(*vd));
3298 
3299     vd->id = strdup(id);
3300     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3301 
3302     QTAILQ_INIT(&vd->clients);
3303     vd->expires = TIME_MAX;
3304 
3305     if (keyboard_layout) {
3306         trace_vnc_key_map_init(keyboard_layout);
3307         vd->kbd_layout = init_keyboard_layout(name2keysym,
3308                                               keyboard_layout, errp);
3309     } else {
3310         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3311     }
3312 
3313     if (!vd->kbd_layout) {
3314         return;
3315     }
3316 
3317     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3318     vd->connections_limit = 32;
3319 
3320     qemu_mutex_init(&vd->mutex);
3321     vnc_start_worker_thread();
3322 
3323     vd->dcl.ops = &dcl_ops;
3324     register_displaychangelistener(&vd->dcl);
3325     vd->kbd = qkbd_state_init(vd->dcl.con);
3326 }
3327 
3328 
3329 static void vnc_display_close(VncDisplay *vd)
3330 {
3331     if (!vd) {
3332         return;
3333     }
3334     vd->is_unix = false;
3335 
3336     if (vd->listener) {
3337         qio_net_listener_disconnect(vd->listener);
3338         object_unref(OBJECT(vd->listener));
3339     }
3340     vd->listener = NULL;
3341 
3342     if (vd->wslistener) {
3343         qio_net_listener_disconnect(vd->wslistener);
3344         object_unref(OBJECT(vd->wslistener));
3345     }
3346     vd->wslistener = NULL;
3347 
3348     vd->auth = VNC_AUTH_INVALID;
3349     vd->subauth = VNC_AUTH_INVALID;
3350     if (vd->tlscreds) {
3351         object_unref(OBJECT(vd->tlscreds));
3352         vd->tlscreds = NULL;
3353     }
3354     if (vd->tlsauthz) {
3355         object_unparent(OBJECT(vd->tlsauthz));
3356         vd->tlsauthz = NULL;
3357     }
3358     g_free(vd->tlsauthzid);
3359     vd->tlsauthzid = NULL;
3360     if (vd->lock_key_sync) {
3361         qemu_remove_led_event_handler(vd->led);
3362         vd->led = NULL;
3363     }
3364 #ifdef CONFIG_VNC_SASL
3365     if (vd->sasl.authz) {
3366         object_unparent(OBJECT(vd->sasl.authz));
3367         vd->sasl.authz = NULL;
3368     }
3369     g_free(vd->sasl.authzid);
3370     vd->sasl.authzid = NULL;
3371 #endif
3372 }
3373 
3374 int vnc_display_password(const char *id, const char *password)
3375 {
3376     VncDisplay *vd = vnc_display_find(id);
3377 
3378     if (!vd) {
3379         return -EINVAL;
3380     }
3381     if (vd->auth == VNC_AUTH_NONE) {
3382         error_printf_unless_qmp("If you want use passwords please enable "
3383                                 "password auth using '-vnc ${dpy},password'.\n");
3384         return -EINVAL;
3385     }
3386 
3387     g_free(vd->password);
3388     vd->password = g_strdup(password);
3389 
3390     return 0;
3391 }
3392 
3393 int vnc_display_pw_expire(const char *id, time_t expires)
3394 {
3395     VncDisplay *vd = vnc_display_find(id);
3396 
3397     if (!vd) {
3398         return -EINVAL;
3399     }
3400 
3401     vd->expires = expires;
3402     return 0;
3403 }
3404 
3405 static void vnc_display_print_local_addr(VncDisplay *vd)
3406 {
3407     SocketAddress *addr;
3408 
3409     if (!vd->listener || !vd->listener->nsioc) {
3410         return;
3411     }
3412 
3413     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3414     if (!addr) {
3415         return;
3416     }
3417 
3418     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3419         qapi_free_SocketAddress(addr);
3420         return;
3421     }
3422     error_printf_unless_qmp("VNC server running on %s:%s\n",
3423                             addr->u.inet.host,
3424                             addr->u.inet.port);
3425     qapi_free_SocketAddress(addr);
3426 }
3427 
3428 static QemuOptsList qemu_vnc_opts = {
3429     .name = "vnc",
3430     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3431     .implied_opt_name = "vnc",
3432     .desc = {
3433         {
3434             .name = "vnc",
3435             .type = QEMU_OPT_STRING,
3436         },{
3437             .name = "websocket",
3438             .type = QEMU_OPT_STRING,
3439         },{
3440             .name = "tls-creds",
3441             .type = QEMU_OPT_STRING,
3442         },{
3443             .name = "share",
3444             .type = QEMU_OPT_STRING,
3445         },{
3446             .name = "display",
3447             .type = QEMU_OPT_STRING,
3448         },{
3449             .name = "head",
3450             .type = QEMU_OPT_NUMBER,
3451         },{
3452             .name = "connections",
3453             .type = QEMU_OPT_NUMBER,
3454         },{
3455             .name = "to",
3456             .type = QEMU_OPT_NUMBER,
3457         },{
3458             .name = "ipv4",
3459             .type = QEMU_OPT_BOOL,
3460         },{
3461             .name = "ipv6",
3462             .type = QEMU_OPT_BOOL,
3463         },{
3464             .name = "password",
3465             .type = QEMU_OPT_BOOL,
3466         },{
3467             .name = "reverse",
3468             .type = QEMU_OPT_BOOL,
3469         },{
3470             .name = "lock-key-sync",
3471             .type = QEMU_OPT_BOOL,
3472         },{
3473             .name = "key-delay-ms",
3474             .type = QEMU_OPT_NUMBER,
3475         },{
3476             .name = "sasl",
3477             .type = QEMU_OPT_BOOL,
3478         },{
3479             .name = "acl",
3480             .type = QEMU_OPT_BOOL,
3481         },{
3482             .name = "tls-authz",
3483             .type = QEMU_OPT_STRING,
3484         },{
3485             .name = "sasl-authz",
3486             .type = QEMU_OPT_STRING,
3487         },{
3488             .name = "lossy",
3489             .type = QEMU_OPT_BOOL,
3490         },{
3491             .name = "non-adaptive",
3492             .type = QEMU_OPT_BOOL,
3493         },{
3494             .name = "audiodev",
3495             .type = QEMU_OPT_STRING,
3496         },{
3497             .name = "power-control",
3498             .type = QEMU_OPT_BOOL,
3499         },
3500         { /* end of list */ }
3501     },
3502 };
3503 
3504 
3505 static int
3506 vnc_display_setup_auth(int *auth,
3507                        int *subauth,
3508                        QCryptoTLSCreds *tlscreds,
3509                        bool password,
3510                        bool sasl,
3511                        bool websocket,
3512                        Error **errp)
3513 {
3514     /*
3515      * We have a choice of 3 authentication options
3516      *
3517      *   1. none
3518      *   2. vnc
3519      *   3. sasl
3520      *
3521      * The channel can be run in 2 modes
3522      *
3523      *   1. clear
3524      *   2. tls
3525      *
3526      * And TLS can use 2 types of credentials
3527      *
3528      *   1. anon
3529      *   2. x509
3530      *
3531      * We thus have 9 possible logical combinations
3532      *
3533      *   1. clear + none
3534      *   2. clear + vnc
3535      *   3. clear + sasl
3536      *   4. tls + anon + none
3537      *   5. tls + anon + vnc
3538      *   6. tls + anon + sasl
3539      *   7. tls + x509 + none
3540      *   8. tls + x509 + vnc
3541      *   9. tls + x509 + sasl
3542      *
3543      * These need to be mapped into the VNC auth schemes
3544      * in an appropriate manner. In regular VNC, all the
3545      * TLS options get mapped into VNC_AUTH_VENCRYPT
3546      * sub-auth types.
3547      *
3548      * In websockets, the https:// protocol already provides
3549      * TLS support, so there is no need to make use of the
3550      * VeNCrypt extension. Furthermore, websockets browser
3551      * clients could not use VeNCrypt even if they wanted to,
3552      * as they cannot control when the TLS handshake takes
3553      * place. Thus there is no option but to rely on https://,
3554      * meaning combinations 4->6 and 7->9 will be mapped to
3555      * VNC auth schemes in the same way as combos 1->3.
3556      *
3557      * Regardless of fact that we have a different mapping to
3558      * VNC auth mechs for plain VNC vs websockets VNC, the end
3559      * result has the same security characteristics.
3560      */
3561     if (websocket || !tlscreds) {
3562         if (password) {
3563             VNC_DEBUG("Initializing VNC server with password auth\n");
3564             *auth = VNC_AUTH_VNC;
3565         } else if (sasl) {
3566             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3567             *auth = VNC_AUTH_SASL;
3568         } else {
3569             VNC_DEBUG("Initializing VNC server with no auth\n");
3570             *auth = VNC_AUTH_NONE;
3571         }
3572         *subauth = VNC_AUTH_INVALID;
3573     } else {
3574         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3575                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3576         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3577                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3578 
3579         if (!is_x509 && !is_anon) {
3580             error_setg(errp,
3581                        "Unsupported TLS cred type %s",
3582                        object_get_typename(OBJECT(tlscreds)));
3583             return -1;
3584         }
3585         *auth = VNC_AUTH_VENCRYPT;
3586         if (password) {
3587             if (is_x509) {
3588                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3589                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3590             } else {
3591                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3592                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3593             }
3594 
3595         } else if (sasl) {
3596             if (is_x509) {
3597                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3598                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3599             } else {
3600                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3601                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3602             }
3603         } else {
3604             if (is_x509) {
3605                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3606                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3607             } else {
3608                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3609                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3610             }
3611         }
3612     }
3613     return 0;
3614 }
3615 
3616 
3617 static int vnc_display_get_address(const char *addrstr,
3618                                    bool websocket,
3619                                    bool reverse,
3620                                    int displaynum,
3621                                    int to,
3622                                    bool has_ipv4,
3623                                    bool has_ipv6,
3624                                    bool ipv4,
3625                                    bool ipv6,
3626                                    SocketAddress **retaddr,
3627                                    Error **errp)
3628 {
3629     int ret = -1;
3630     SocketAddress *addr = NULL;
3631 
3632     addr = g_new0(SocketAddress, 1);
3633 
3634     if (strncmp(addrstr, "unix:", 5) == 0) {
3635         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3636         addr->u.q_unix.path = g_strdup(addrstr + 5);
3637 
3638         if (websocket) {
3639             error_setg(errp, "UNIX sockets not supported with websock");
3640             goto cleanup;
3641         }
3642 
3643         if (to) {
3644             error_setg(errp, "Port range not support with UNIX socket");
3645             goto cleanup;
3646         }
3647         ret = 0;
3648     } else {
3649         const char *port;
3650         size_t hostlen;
3651         unsigned long long baseport = 0;
3652         InetSocketAddress *inet;
3653 
3654         port = strrchr(addrstr, ':');
3655         if (!port) {
3656             if (websocket) {
3657                 hostlen = 0;
3658                 port = addrstr;
3659             } else {
3660                 error_setg(errp, "no vnc port specified");
3661                 goto cleanup;
3662             }
3663         } else {
3664             hostlen = port - addrstr;
3665             port++;
3666             if (*port == '\0') {
3667                 error_setg(errp, "vnc port cannot be empty");
3668                 goto cleanup;
3669             }
3670         }
3671 
3672         addr->type = SOCKET_ADDRESS_TYPE_INET;
3673         inet = &addr->u.inet;
3674         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3675             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3676         } else {
3677             inet->host = g_strndup(addrstr, hostlen);
3678         }
3679         /* plain VNC port is just an offset, for websocket
3680          * port is absolute */
3681         if (websocket) {
3682             if (g_str_equal(addrstr, "") ||
3683                 g_str_equal(addrstr, "on")) {
3684                 if (displaynum == -1) {
3685                     error_setg(errp, "explicit websocket port is required");
3686                     goto cleanup;
3687                 }
3688                 inet->port = g_strdup_printf(
3689                     "%d", displaynum + 5700);
3690                 if (to) {
3691                     inet->has_to = true;
3692                     inet->to = to + 5700;
3693                 }
3694             } else {
3695                 inet->port = g_strdup(port);
3696             }
3697         } else {
3698             int offset = reverse ? 0 : 5900;
3699             if (parse_uint_full(port, &baseport, 10) < 0) {
3700                 error_setg(errp, "can't convert to a number: %s", port);
3701                 goto cleanup;
3702             }
3703             if (baseport > 65535 ||
3704                 baseport + offset > 65535) {
3705                 error_setg(errp, "port %s out of range", port);
3706                 goto cleanup;
3707             }
3708             inet->port = g_strdup_printf(
3709                 "%d", (int)baseport + offset);
3710 
3711             if (to) {
3712                 inet->has_to = true;
3713                 inet->to = to + offset;
3714             }
3715         }
3716 
3717         inet->ipv4 = ipv4;
3718         inet->has_ipv4 = has_ipv4;
3719         inet->ipv6 = ipv6;
3720         inet->has_ipv6 = has_ipv6;
3721 
3722         ret = baseport;
3723     }
3724 
3725     *retaddr = addr;
3726 
3727  cleanup:
3728     if (ret < 0) {
3729         qapi_free_SocketAddress(addr);
3730     }
3731     return ret;
3732 }
3733 
3734 static void vnc_free_addresses(SocketAddress ***retsaddr,
3735                                size_t *retnsaddr)
3736 {
3737     size_t i;
3738 
3739     for (i = 0; i < *retnsaddr; i++) {
3740         qapi_free_SocketAddress((*retsaddr)[i]);
3741     }
3742     g_free(*retsaddr);
3743 
3744     *retsaddr = NULL;
3745     *retnsaddr = 0;
3746 }
3747 
3748 static int vnc_display_get_addresses(QemuOpts *opts,
3749                                      bool reverse,
3750                                      SocketAddress ***retsaddr,
3751                                      size_t *retnsaddr,
3752                                      SocketAddress ***retwsaddr,
3753                                      size_t *retnwsaddr,
3754                                      Error **errp)
3755 {
3756     SocketAddress *saddr = NULL;
3757     SocketAddress *wsaddr = NULL;
3758     QemuOptsIter addriter;
3759     const char *addr;
3760     int to = qemu_opt_get_number(opts, "to", 0);
3761     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3762     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3763     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3764     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3765     int displaynum = -1;
3766     int ret = -1;
3767 
3768     *retsaddr = NULL;
3769     *retnsaddr = 0;
3770     *retwsaddr = NULL;
3771     *retnwsaddr = 0;
3772 
3773     addr = qemu_opt_get(opts, "vnc");
3774     if (addr == NULL || g_str_equal(addr, "none")) {
3775         ret = 0;
3776         goto cleanup;
3777     }
3778     if (qemu_opt_get(opts, "websocket") &&
3779         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3780         error_setg(errp,
3781                    "SHA1 hash support is required for websockets");
3782         goto cleanup;
3783     }
3784 
3785     qemu_opt_iter_init(&addriter, opts, "vnc");
3786     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3787         int rv;
3788         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3789                                      has_ipv4, has_ipv6,
3790                                      ipv4, ipv6,
3791                                      &saddr, errp);
3792         if (rv < 0) {
3793             goto cleanup;
3794         }
3795         /* Historical compat - first listen address can be used
3796          * to set the default websocket port
3797          */
3798         if (displaynum == -1) {
3799             displaynum = rv;
3800         }
3801         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3802         (*retsaddr)[(*retnsaddr)++] = saddr;
3803     }
3804 
3805     /* If we had multiple primary displays, we don't do defaults
3806      * for websocket, and require explicit config instead. */
3807     if (*retnsaddr > 1) {
3808         displaynum = -1;
3809     }
3810 
3811     qemu_opt_iter_init(&addriter, opts, "websocket");
3812     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3813         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3814                                     has_ipv4, has_ipv6,
3815                                     ipv4, ipv6,
3816                                     &wsaddr, errp) < 0) {
3817             goto cleanup;
3818         }
3819 
3820         /* Historical compat - if only a single listen address was
3821          * provided, then this is used to set the default listen
3822          * address for websocket too
3823          */
3824         if (*retnsaddr == 1 &&
3825             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3826             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3827             g_str_equal(wsaddr->u.inet.host, "") &&
3828             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3829             g_free(wsaddr->u.inet.host);
3830             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3831         }
3832 
3833         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3834         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3835     }
3836 
3837     ret = 0;
3838  cleanup:
3839     if (ret < 0) {
3840         vnc_free_addresses(retsaddr, retnsaddr);
3841         vnc_free_addresses(retwsaddr, retnwsaddr);
3842     }
3843     return ret;
3844 }
3845 
3846 static int vnc_display_connect(VncDisplay *vd,
3847                                SocketAddress **saddr,
3848                                size_t nsaddr,
3849                                SocketAddress **wsaddr,
3850                                size_t nwsaddr,
3851                                Error **errp)
3852 {
3853     /* connect to viewer */
3854     QIOChannelSocket *sioc = NULL;
3855     if (nwsaddr != 0) {
3856         error_setg(errp, "Cannot use websockets in reverse mode");
3857         return -1;
3858     }
3859     if (nsaddr != 1) {
3860         error_setg(errp, "Expected a single address in reverse mode");
3861         return -1;
3862     }
3863     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3864     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3865     sioc = qio_channel_socket_new();
3866     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3867     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3868         object_unref(OBJECT(sioc));
3869         return -1;
3870     }
3871     vnc_connect(vd, sioc, false, false);
3872     object_unref(OBJECT(sioc));
3873     return 0;
3874 }
3875 
3876 
3877 static int vnc_display_listen(VncDisplay *vd,
3878                               SocketAddress **saddr,
3879                               size_t nsaddr,
3880                               SocketAddress **wsaddr,
3881                               size_t nwsaddr,
3882                               Error **errp)
3883 {
3884     size_t i;
3885 
3886     if (nsaddr) {
3887         vd->listener = qio_net_listener_new();
3888         qio_net_listener_set_name(vd->listener, "vnc-listen");
3889         for (i = 0; i < nsaddr; i++) {
3890             if (qio_net_listener_open_sync(vd->listener,
3891                                            saddr[i], 1,
3892                                            errp) < 0)  {
3893                 return -1;
3894             }
3895         }
3896 
3897         qio_net_listener_set_client_func(vd->listener,
3898                                          vnc_listen_io, vd, NULL);
3899     }
3900 
3901     if (nwsaddr) {
3902         vd->wslistener = qio_net_listener_new();
3903         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3904         for (i = 0; i < nwsaddr; i++) {
3905             if (qio_net_listener_open_sync(vd->wslistener,
3906                                            wsaddr[i], 1,
3907                                            errp) < 0)  {
3908                 return -1;
3909             }
3910         }
3911 
3912         qio_net_listener_set_client_func(vd->wslistener,
3913                                          vnc_listen_io, vd, NULL);
3914     }
3915 
3916     return 0;
3917 }
3918 
3919 
3920 void vnc_display_open(const char *id, Error **errp)
3921 {
3922     VncDisplay *vd = vnc_display_find(id);
3923     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3924     SocketAddress **saddr = NULL, **wsaddr = NULL;
3925     size_t nsaddr, nwsaddr;
3926     const char *share, *device_id;
3927     QemuConsole *con;
3928     bool password = false;
3929     bool reverse = false;
3930     const char *credid;
3931     bool sasl = false;
3932     int acl = 0;
3933     const char *tlsauthz;
3934     const char *saslauthz;
3935     int lock_key_sync = 1;
3936     int key_delay_ms;
3937     const char *audiodev;
3938 
3939     if (!vd) {
3940         error_setg(errp, "VNC display not active");
3941         return;
3942     }
3943     vnc_display_close(vd);
3944 
3945     if (!opts) {
3946         return;
3947     }
3948 
3949     reverse = qemu_opt_get_bool(opts, "reverse", false);
3950     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3951                                   &wsaddr, &nwsaddr, errp) < 0) {
3952         goto fail;
3953     }
3954 
3955     password = qemu_opt_get_bool(opts, "password", false);
3956     if (password) {
3957         if (fips_get_state()) {
3958             error_setg(errp,
3959                        "VNC password auth disabled due to FIPS mode, "
3960                        "consider using the VeNCrypt or SASL authentication "
3961                        "methods as an alternative");
3962             goto fail;
3963         }
3964         if (!qcrypto_cipher_supports(
3965                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3966             error_setg(errp,
3967                        "Cipher backend does not support DES RFB algorithm");
3968             goto fail;
3969         }
3970     }
3971 
3972     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3973     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3974     sasl = qemu_opt_get_bool(opts, "sasl", false);
3975 #ifndef CONFIG_VNC_SASL
3976     if (sasl) {
3977         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3978         goto fail;
3979     }
3980 #endif /* CONFIG_VNC_SASL */
3981     credid = qemu_opt_get(opts, "tls-creds");
3982     if (credid) {
3983         Object *creds;
3984         creds = object_resolve_path_component(
3985             object_get_objects_root(), credid);
3986         if (!creds) {
3987             error_setg(errp, "No TLS credentials with id '%s'",
3988                        credid);
3989             goto fail;
3990         }
3991         vd->tlscreds = (QCryptoTLSCreds *)
3992             object_dynamic_cast(creds,
3993                                 TYPE_QCRYPTO_TLS_CREDS);
3994         if (!vd->tlscreds) {
3995             error_setg(errp, "Object with id '%s' is not TLS credentials",
3996                        credid);
3997             goto fail;
3998         }
3999         object_ref(OBJECT(vd->tlscreds));
4000 
4001         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
4002             error_setg(errp,
4003                        "Expecting TLS credentials with a server endpoint");
4004             goto fail;
4005         }
4006     }
4007     if (qemu_opt_get(opts, "acl")) {
4008         error_report("The 'acl' option to -vnc is deprecated. "
4009                      "Please use the 'tls-authz' and 'sasl-authz' "
4010                      "options instead");
4011     }
4012     acl = qemu_opt_get_bool(opts, "acl", false);
4013     tlsauthz = qemu_opt_get(opts, "tls-authz");
4014     if (acl && tlsauthz) {
4015         error_setg(errp, "'acl' option is mutually exclusive with the "
4016                    "'tls-authz' option");
4017         goto fail;
4018     }
4019     if (tlsauthz && !vd->tlscreds) {
4020         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4021         goto fail;
4022     }
4023 
4024     saslauthz = qemu_opt_get(opts, "sasl-authz");
4025     if (acl && saslauthz) {
4026         error_setg(errp, "'acl' option is mutually exclusive with the "
4027                    "'sasl-authz' option");
4028         goto fail;
4029     }
4030     if (saslauthz && !sasl) {
4031         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4032         goto fail;
4033     }
4034 
4035     share = qemu_opt_get(opts, "share");
4036     if (share) {
4037         if (strcmp(share, "ignore") == 0) {
4038             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4039         } else if (strcmp(share, "allow-exclusive") == 0) {
4040             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4041         } else if (strcmp(share, "force-shared") == 0) {
4042             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4043         } else {
4044             error_setg(errp, "unknown vnc share= option");
4045             goto fail;
4046         }
4047     } else {
4048         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4049     }
4050     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4051 
4052 #ifdef CONFIG_VNC_JPEG
4053     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4054 #endif
4055     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4056     /* adaptive updates are only used with tight encoding and
4057      * if lossy updates are enabled so we can disable all the
4058      * calculations otherwise */
4059     if (!vd->lossy) {
4060         vd->non_adaptive = true;
4061     }
4062 
4063     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4064 
4065     if (tlsauthz) {
4066         vd->tlsauthzid = g_strdup(tlsauthz);
4067     } else if (acl) {
4068         if (strcmp(vd->id, "default") == 0) {
4069             vd->tlsauthzid = g_strdup("vnc.x509dname");
4070         } else {
4071             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
4072         }
4073         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
4074                                               QAUTHZ_LIST_POLICY_DENY,
4075                                               &error_abort));
4076     }
4077 #ifdef CONFIG_VNC_SASL
4078     if (sasl) {
4079         if (saslauthz) {
4080             vd->sasl.authzid = g_strdup(saslauthz);
4081         } else if (acl) {
4082             if (strcmp(vd->id, "default") == 0) {
4083                 vd->sasl.authzid = g_strdup("vnc.username");
4084             } else {
4085                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
4086             }
4087             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
4088                                                     QAUTHZ_LIST_POLICY_DENY,
4089                                                     &error_abort));
4090         }
4091     }
4092 #endif
4093 
4094     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4095                                vd->tlscreds, password,
4096                                sasl, false, errp) < 0) {
4097         goto fail;
4098     }
4099     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4100 
4101     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4102                                vd->tlscreds, password,
4103                                sasl, true, errp) < 0) {
4104         goto fail;
4105     }
4106     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4107 
4108 #ifdef CONFIG_VNC_SASL
4109     if (sasl) {
4110         int saslErr = sasl_server_init(NULL, "qemu");
4111 
4112         if (saslErr != SASL_OK) {
4113             error_setg(errp, "Failed to initialize SASL auth: %s",
4114                        sasl_errstring(saslErr, NULL, NULL));
4115             goto fail;
4116         }
4117     }
4118 #endif
4119     vd->lock_key_sync = lock_key_sync;
4120     if (lock_key_sync) {
4121         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4122     }
4123     vd->ledstate = 0;
4124 
4125     audiodev = qemu_opt_get(opts, "audiodev");
4126     if (audiodev) {
4127         vd->audio_state = audio_state_by_name(audiodev);
4128         if (!vd->audio_state) {
4129             error_setg(errp, "Audiodev '%s' not found", audiodev);
4130             goto fail;
4131         }
4132     }
4133 
4134     device_id = qemu_opt_get(opts, "display");
4135     if (device_id) {
4136         int head = qemu_opt_get_number(opts, "head", 0);
4137         Error *err = NULL;
4138 
4139         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4140         if (err) {
4141             error_propagate(errp, err);
4142             goto fail;
4143         }
4144     } else {
4145         con = NULL;
4146     }
4147 
4148     if (con != vd->dcl.con) {
4149         qkbd_state_free(vd->kbd);
4150         unregister_displaychangelistener(&vd->dcl);
4151         vd->dcl.con = con;
4152         register_displaychangelistener(&vd->dcl);
4153         vd->kbd = qkbd_state_init(vd->dcl.con);
4154     }
4155     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4156 
4157     if (saddr == NULL) {
4158         goto cleanup;
4159     }
4160 
4161     if (reverse) {
4162         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4163             goto fail;
4164         }
4165     } else {
4166         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4167             goto fail;
4168         }
4169     }
4170 
4171     if (qemu_opt_get(opts, "to")) {
4172         vnc_display_print_local_addr(vd);
4173     }
4174 
4175  cleanup:
4176     vnc_free_addresses(&saddr, &nsaddr);
4177     vnc_free_addresses(&wsaddr, &nwsaddr);
4178     return;
4179 
4180 fail:
4181     vnc_display_close(vd);
4182     goto cleanup;
4183 }
4184 
4185 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4186 {
4187     VncDisplay *vd = vnc_display_find(id);
4188     QIOChannelSocket *sioc;
4189 
4190     if (!vd) {
4191         return;
4192     }
4193 
4194     sioc = qio_channel_socket_new_fd(csock, NULL);
4195     if (sioc) {
4196         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4197         vnc_connect(vd, sioc, skipauth, false);
4198         object_unref(OBJECT(sioc));
4199     }
4200 }
4201 
4202 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4203 {
4204     int i = 2;
4205     char *id;
4206 
4207     id = g_strdup("default");
4208     while (qemu_opts_find(olist, id)) {
4209         g_free(id);
4210         id = g_strdup_printf("vnc%d", i++);
4211     }
4212     qemu_opts_set_id(opts, id);
4213 }
4214 
4215 void vnc_parse(const char *str)
4216 {
4217     QemuOptsList *olist = qemu_find_opts("vnc");
4218     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4219     const char *id;
4220 
4221     if (!opts) {
4222         exit(1);
4223     }
4224 
4225     id = qemu_opts_id(opts);
4226     if (!id) {
4227         /* auto-assign id if not present */
4228         vnc_auto_assign_id(olist, opts);
4229     }
4230 }
4231 
4232 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4233 {
4234     Error *local_err = NULL;
4235     char *id = (char *)qemu_opts_id(opts);
4236 
4237     assert(id);
4238     vnc_display_init(id, &local_err);
4239     if (local_err) {
4240         error_propagate(errp, local_err);
4241         return -1;
4242     }
4243     vnc_display_open(id, &local_err);
4244     if (local_err != NULL) {
4245         error_propagate(errp, local_err);
4246         return -1;
4247     }
4248     return 0;
4249 }
4250 
4251 static void vnc_register_config(void)
4252 {
4253     qemu_add_opts(&qemu_vnc_opts);
4254 }
4255 opts_init(vnc_register_config);
4256