xref: /openbmc/qemu/ui/vnc.c (revision 2ae2bce7)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "sysemu.h"
30 #include "qemu_socket.h"
31 #include "qemu-timer.h"
32 #include "acl.h"
33 #include "qemu-objects.h"
34 #include "qmp-commands.h"
35 
36 #define VNC_REFRESH_INTERVAL_BASE 30
37 #define VNC_REFRESH_INTERVAL_INC  50
38 #define VNC_REFRESH_INTERVAL_MAX  2000
39 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
40 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
41 
42 #include "vnc_keysym.h"
43 #include "d3des.h"
44 
45 static VncDisplay *vnc_display; /* needed for info vnc */
46 static DisplayChangeListener *dcl;
47 
48 static int vnc_cursor_define(VncState *vs);
49 static void vnc_release_modifiers(VncState *vs);
50 
51 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
52 {
53 #ifdef _VNC_DEBUG
54     static const char *mn[] = {
55         [0]                           = "undefined",
56         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
57         [VNC_SHARE_MODE_SHARED]       = "shared",
58         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
59         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
60     };
61     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
62             vs->csock, mn[vs->share_mode], mn[mode]);
63 #endif
64 
65     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
66         vs->vd->num_exclusive--;
67     }
68     vs->share_mode = mode;
69     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
70         vs->vd->num_exclusive++;
71     }
72 }
73 
74 static char *addr_to_string(const char *format,
75                             struct sockaddr_storage *sa,
76                             socklen_t salen) {
77     char *addr;
78     char host[NI_MAXHOST];
79     char serv[NI_MAXSERV];
80     int err;
81     size_t addrlen;
82 
83     if ((err = getnameinfo((struct sockaddr *)sa, salen,
84                            host, sizeof(host),
85                            serv, sizeof(serv),
86                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
87         VNC_DEBUG("Cannot resolve address %d: %s\n",
88                   err, gai_strerror(err));
89         return NULL;
90     }
91 
92     /* Enough for the existing format + the 2 vars we're
93      * substituting in. */
94     addrlen = strlen(format) + strlen(host) + strlen(serv);
95     addr = g_malloc(addrlen + 1);
96     snprintf(addr, addrlen, format, host, serv);
97     addr[addrlen] = '\0';
98 
99     return addr;
100 }
101 
102 
103 char *vnc_socket_local_addr(const char *format, int fd) {
104     struct sockaddr_storage sa;
105     socklen_t salen;
106 
107     salen = sizeof(sa);
108     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
109         return NULL;
110 
111     return addr_to_string(format, &sa, salen);
112 }
113 
114 char *vnc_socket_remote_addr(const char *format, int fd) {
115     struct sockaddr_storage sa;
116     socklen_t salen;
117 
118     salen = sizeof(sa);
119     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
120         return NULL;
121 
122     return addr_to_string(format, &sa, salen);
123 }
124 
125 static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,
126                           socklen_t salen)
127 {
128     char host[NI_MAXHOST];
129     char serv[NI_MAXSERV];
130     int err;
131 
132     if ((err = getnameinfo((struct sockaddr *)sa, salen,
133                            host, sizeof(host),
134                            serv, sizeof(serv),
135                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
136         VNC_DEBUG("Cannot resolve address %d: %s\n",
137                   err, gai_strerror(err));
138         return -1;
139     }
140 
141     qdict_put(qdict, "host", qstring_from_str(host));
142     qdict_put(qdict, "service", qstring_from_str(serv));
143     qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));
144 
145     return 0;
146 }
147 
148 static int vnc_server_addr_put(QDict *qdict, int fd)
149 {
150     struct sockaddr_storage sa;
151     socklen_t salen;
152 
153     salen = sizeof(sa);
154     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
155         return -1;
156     }
157 
158     return put_addr_qdict(qdict, &sa, salen);
159 }
160 
161 static int vnc_qdict_remote_addr(QDict *qdict, int fd)
162 {
163     struct sockaddr_storage sa;
164     socklen_t salen;
165 
166     salen = sizeof(sa);
167     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
168         return -1;
169     }
170 
171     return put_addr_qdict(qdict, &sa, salen);
172 }
173 
174 static const char *vnc_auth_name(VncDisplay *vd) {
175     switch (vd->auth) {
176     case VNC_AUTH_INVALID:
177         return "invalid";
178     case VNC_AUTH_NONE:
179         return "none";
180     case VNC_AUTH_VNC:
181         return "vnc";
182     case VNC_AUTH_RA2:
183         return "ra2";
184     case VNC_AUTH_RA2NE:
185         return "ra2ne";
186     case VNC_AUTH_TIGHT:
187         return "tight";
188     case VNC_AUTH_ULTRA:
189         return "ultra";
190     case VNC_AUTH_TLS:
191         return "tls";
192     case VNC_AUTH_VENCRYPT:
193 #ifdef CONFIG_VNC_TLS
194         switch (vd->subauth) {
195         case VNC_AUTH_VENCRYPT_PLAIN:
196             return "vencrypt+plain";
197         case VNC_AUTH_VENCRYPT_TLSNONE:
198             return "vencrypt+tls+none";
199         case VNC_AUTH_VENCRYPT_TLSVNC:
200             return "vencrypt+tls+vnc";
201         case VNC_AUTH_VENCRYPT_TLSPLAIN:
202             return "vencrypt+tls+plain";
203         case VNC_AUTH_VENCRYPT_X509NONE:
204             return "vencrypt+x509+none";
205         case VNC_AUTH_VENCRYPT_X509VNC:
206             return "vencrypt+x509+vnc";
207         case VNC_AUTH_VENCRYPT_X509PLAIN:
208             return "vencrypt+x509+plain";
209         case VNC_AUTH_VENCRYPT_TLSSASL:
210             return "vencrypt+tls+sasl";
211         case VNC_AUTH_VENCRYPT_X509SASL:
212             return "vencrypt+x509+sasl";
213         default:
214             return "vencrypt";
215         }
216 #else
217         return "vencrypt";
218 #endif
219     case VNC_AUTH_SASL:
220         return "sasl";
221     }
222     return "unknown";
223 }
224 
225 static int vnc_server_info_put(QDict *qdict)
226 {
227     if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {
228         return -1;
229     }
230 
231     qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));
232     return 0;
233 }
234 
235 static void vnc_client_cache_auth(VncState *client)
236 {
237 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
238     QDict *qdict;
239 #endif
240 
241     if (!client->info) {
242         return;
243     }
244 
245 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
246     qdict = qobject_to_qdict(client->info);
247 #endif
248 
249 #ifdef CONFIG_VNC_TLS
250     if (client->tls.session &&
251         client->tls.dname) {
252         qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));
253     }
254 #endif
255 #ifdef CONFIG_VNC_SASL
256     if (client->sasl.conn &&
257         client->sasl.username) {
258         qdict_put(qdict, "sasl_username",
259                   qstring_from_str(client->sasl.username));
260     }
261 #endif
262 }
263 
264 static void vnc_client_cache_addr(VncState *client)
265 {
266     QDict *qdict;
267 
268     qdict = qdict_new();
269     if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {
270         QDECREF(qdict);
271         /* XXX: how to report the error? */
272         return;
273     }
274 
275     client->info = QOBJECT(qdict);
276 }
277 
278 static void vnc_qmp_event(VncState *vs, MonitorEvent event)
279 {
280     QDict *server;
281     QObject *data;
282 
283     if (!vs->info) {
284         return;
285     }
286 
287     server = qdict_new();
288     if (vnc_server_info_put(server) < 0) {
289         QDECREF(server);
290         return;
291     }
292 
293     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
294                               vs->info, QOBJECT(server));
295 
296     monitor_protocol_event(event, data);
297 
298     qobject_incref(vs->info);
299     qobject_decref(data);
300 }
301 
302 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
303 {
304     struct sockaddr_storage sa;
305     socklen_t salen = sizeof(sa);
306     char host[NI_MAXHOST];
307     char serv[NI_MAXSERV];
308     VncClientInfo *info;
309 
310     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
311         return NULL;
312     }
313 
314     if (getnameinfo((struct sockaddr *)&sa, salen,
315                     host, sizeof(host),
316                     serv, sizeof(serv),
317                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
318         return NULL;
319     }
320 
321     info = g_malloc0(sizeof(*info));
322     info->host = g_strdup(host);
323     info->service = g_strdup(serv);
324     info->family = g_strdup(inet_strfamily(sa.ss_family));
325 
326 #ifdef CONFIG_VNC_TLS
327     if (client->tls.session && client->tls.dname) {
328         info->has_x509_dname = true;
329         info->x509_dname = g_strdup(client->tls.dname);
330     }
331 #endif
332 #ifdef CONFIG_VNC_SASL
333     if (client->sasl.conn && client->sasl.username) {
334         info->has_sasl_username = true;
335         info->sasl_username = g_strdup(client->sasl.username);
336     }
337 #endif
338 
339     return info;
340 }
341 
342 VncInfo *qmp_query_vnc(Error **errp)
343 {
344     VncInfo *info = g_malloc0(sizeof(*info));
345 
346     if (vnc_display == NULL || vnc_display->display == NULL) {
347         info->enabled = false;
348     } else {
349         VncClientInfoList *cur_item = NULL;
350         struct sockaddr_storage sa;
351         socklen_t salen = sizeof(sa);
352         char host[NI_MAXHOST];
353         char serv[NI_MAXSERV];
354         VncState *client;
355 
356         info->enabled = true;
357 
358         /* for compatibility with the original command */
359         info->has_clients = true;
360 
361         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
362             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
363             cinfo->value = qmp_query_vnc_client(client);
364 
365             /* XXX: waiting for the qapi to support GSList */
366             if (!cur_item) {
367                 info->clients = cur_item = cinfo;
368             } else {
369                 cur_item->next = cinfo;
370                 cur_item = cinfo;
371             }
372         }
373 
374         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
375                         &salen) == -1) {
376             error_set(errp, QERR_UNDEFINED_ERROR);
377             goto out_error;
378         }
379 
380         if (getnameinfo((struct sockaddr *)&sa, salen,
381                         host, sizeof(host),
382                         serv, sizeof(serv),
383                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
384             error_set(errp, QERR_UNDEFINED_ERROR);
385             goto out_error;
386         }
387 
388         info->has_host = true;
389         info->host = g_strdup(host);
390 
391         info->has_service = true;
392         info->service = g_strdup(serv);
393 
394         info->has_family = true;
395         info->family = g_strdup(inet_strfamily(sa.ss_family));
396 
397         info->has_auth = true;
398         info->auth = g_strdup(vnc_auth_name(vnc_display));
399     }
400 
401     return info;
402 
403 out_error:
404     qapi_free_VncInfo(info);
405     return NULL;
406 }
407 
408 /* TODO
409    1) Get the queue working for IO.
410    2) there is some weirdness when using the -S option (the screen is grey
411       and not totally invalidated
412    3) resolutions > 1024
413 */
414 
415 static int vnc_update_client(VncState *vs, int has_dirty);
416 static int vnc_update_client_sync(VncState *vs, int has_dirty);
417 static void vnc_disconnect_start(VncState *vs);
418 static void vnc_disconnect_finish(VncState *vs);
419 static void vnc_init_timer(VncDisplay *vd);
420 static void vnc_remove_timer(VncDisplay *vd);
421 
422 static void vnc_colordepth(VncState *vs);
423 static void framebuffer_update_request(VncState *vs, int incremental,
424                                        int x_position, int y_position,
425                                        int w, int h);
426 static void vnc_refresh(void *opaque);
427 static int vnc_refresh_server_surface(VncDisplay *vd);
428 
429 static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
430 {
431     int i;
432     VncDisplay *vd = ds->opaque;
433     struct VncSurface *s = &vd->guest;
434 
435     h += y;
436 
437     /* round x down to ensure the loop only spans one 16-pixel block per,
438        iteration.  otherwise, if (x % 16) != 0, the last iteration may span
439        two 16-pixel blocks but we only mark the first as dirty
440     */
441     w += (x % 16);
442     x -= (x % 16);
443 
444     x = MIN(x, s->ds->width);
445     y = MIN(y, s->ds->height);
446     w = MIN(x + w, s->ds->width) - x;
447     h = MIN(h, s->ds->height);
448 
449     for (; y < h; y++)
450         for (i = 0; i < w; i += 16)
451             set_bit((x + i) / 16, s->dirty[y]);
452 }
453 
454 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
455                             int32_t encoding)
456 {
457     vnc_write_u16(vs, x);
458     vnc_write_u16(vs, y);
459     vnc_write_u16(vs, w);
460     vnc_write_u16(vs, h);
461 
462     vnc_write_s32(vs, encoding);
463 }
464 
465 void buffer_reserve(Buffer *buffer, size_t len)
466 {
467     if ((buffer->capacity - buffer->offset) < len) {
468         buffer->capacity += (len + 1024);
469         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
470         if (buffer->buffer == NULL) {
471             fprintf(stderr, "vnc: out of memory\n");
472             exit(1);
473         }
474     }
475 }
476 
477 int buffer_empty(Buffer *buffer)
478 {
479     return buffer->offset == 0;
480 }
481 
482 uint8_t *buffer_end(Buffer *buffer)
483 {
484     return buffer->buffer + buffer->offset;
485 }
486 
487 void buffer_reset(Buffer *buffer)
488 {
489         buffer->offset = 0;
490 }
491 
492 void buffer_free(Buffer *buffer)
493 {
494     g_free(buffer->buffer);
495     buffer->offset = 0;
496     buffer->capacity = 0;
497     buffer->buffer = NULL;
498 }
499 
500 void buffer_append(Buffer *buffer, const void *data, size_t len)
501 {
502     memcpy(buffer->buffer + buffer->offset, data, len);
503     buffer->offset += len;
504 }
505 
506 static void vnc_desktop_resize(VncState *vs)
507 {
508     DisplayState *ds = vs->ds;
509 
510     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
511         return;
512     }
513     if (vs->client_width == ds_get_width(ds) &&
514         vs->client_height == ds_get_height(ds)) {
515         return;
516     }
517     vs->client_width = ds_get_width(ds);
518     vs->client_height = ds_get_height(ds);
519     vnc_lock_output(vs);
520     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
521     vnc_write_u8(vs, 0);
522     vnc_write_u16(vs, 1); /* number of rects */
523     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
524                            VNC_ENCODING_DESKTOPRESIZE);
525     vnc_unlock_output(vs);
526     vnc_flush(vs);
527 }
528 
529 #ifdef CONFIG_VNC_THREAD
530 static void vnc_abort_display_jobs(VncDisplay *vd)
531 {
532     VncState *vs;
533 
534     QTAILQ_FOREACH(vs, &vd->clients, next) {
535         vnc_lock_output(vs);
536         vs->abort = true;
537         vnc_unlock_output(vs);
538     }
539     QTAILQ_FOREACH(vs, &vd->clients, next) {
540         vnc_jobs_join(vs);
541     }
542     QTAILQ_FOREACH(vs, &vd->clients, next) {
543         vnc_lock_output(vs);
544         vs->abort = false;
545         vnc_unlock_output(vs);
546     }
547 }
548 #else
549 static void vnc_abort_display_jobs(VncDisplay *vd)
550 {
551 }
552 #endif
553 
554 static void vnc_dpy_resize(DisplayState *ds)
555 {
556     VncDisplay *vd = ds->opaque;
557     VncState *vs;
558 
559     vnc_abort_display_jobs(vd);
560 
561     /* server surface */
562     if (!vd->server)
563         vd->server = g_malloc0(sizeof(*vd->server));
564     if (vd->server->data)
565         g_free(vd->server->data);
566     *(vd->server) = *(ds->surface);
567     vd->server->data = g_malloc0(vd->server->linesize *
568                                     vd->server->height);
569 
570     /* guest surface */
571     if (!vd->guest.ds)
572         vd->guest.ds = g_malloc0(sizeof(*vd->guest.ds));
573     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
574         console_color_init(ds);
575     *(vd->guest.ds) = *(ds->surface);
576     memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));
577 
578     QTAILQ_FOREACH(vs, &vd->clients, next) {
579         vnc_colordepth(vs);
580         vnc_desktop_resize(vs);
581         if (vs->vd->cursor) {
582             vnc_cursor_define(vs);
583         }
584         memset(vs->dirty, 0xFF, sizeof(vs->dirty));
585     }
586 }
587 
588 /* fastest code */
589 static void vnc_write_pixels_copy(VncState *vs, struct PixelFormat *pf,
590                                   void *pixels, int size)
591 {
592     vnc_write(vs, pixels, size);
593 }
594 
595 /* slowest but generic code. */
596 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
597 {
598     uint8_t r, g, b;
599     VncDisplay *vd = vs->vd;
600 
601     r = ((((v & vd->server->pf.rmask) >> vd->server->pf.rshift) << vs->clientds.pf.rbits) >>
602         vd->server->pf.rbits);
603     g = ((((v & vd->server->pf.gmask) >> vd->server->pf.gshift) << vs->clientds.pf.gbits) >>
604         vd->server->pf.gbits);
605     b = ((((v & vd->server->pf.bmask) >> vd->server->pf.bshift) << vs->clientds.pf.bbits) >>
606         vd->server->pf.bbits);
607     v = (r << vs->clientds.pf.rshift) |
608         (g << vs->clientds.pf.gshift) |
609         (b << vs->clientds.pf.bshift);
610     switch(vs->clientds.pf.bytes_per_pixel) {
611     case 1:
612         buf[0] = v;
613         break;
614     case 2:
615         if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
616             buf[0] = v >> 8;
617             buf[1] = v;
618         } else {
619             buf[1] = v >> 8;
620             buf[0] = v;
621         }
622         break;
623     default:
624     case 4:
625         if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
626             buf[0] = v >> 24;
627             buf[1] = v >> 16;
628             buf[2] = v >> 8;
629             buf[3] = v;
630         } else {
631             buf[3] = v >> 24;
632             buf[2] = v >> 16;
633             buf[1] = v >> 8;
634             buf[0] = v;
635         }
636         break;
637     }
638 }
639 
640 static void vnc_write_pixels_generic(VncState *vs, struct PixelFormat *pf,
641                                      void *pixels1, int size)
642 {
643     uint8_t buf[4];
644 
645     if (pf->bytes_per_pixel == 4) {
646         uint32_t *pixels = pixels1;
647         int n, i;
648         n = size >> 2;
649         for(i = 0; i < n; i++) {
650             vnc_convert_pixel(vs, buf, pixels[i]);
651             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
652         }
653     } else if (pf->bytes_per_pixel == 2) {
654         uint16_t *pixels = pixels1;
655         int n, i;
656         n = size >> 1;
657         for(i = 0; i < n; i++) {
658             vnc_convert_pixel(vs, buf, pixels[i]);
659             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
660         }
661     } else if (pf->bytes_per_pixel == 1) {
662         uint8_t *pixels = pixels1;
663         int n, i;
664         n = size;
665         for(i = 0; i < n; i++) {
666             vnc_convert_pixel(vs, buf, pixels[i]);
667             vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
668         }
669     } else {
670         fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");
671     }
672 }
673 
674 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
675 {
676     int i;
677     uint8_t *row;
678     VncDisplay *vd = vs->vd;
679 
680     row = vd->server->data + y * ds_get_linesize(vs->ds) + x * ds_get_bytes_per_pixel(vs->ds);
681     for (i = 0; i < h; i++) {
682         vs->write_pixels(vs, &vd->server->pf, row, w * ds_get_bytes_per_pixel(vs->ds));
683         row += ds_get_linesize(vs->ds);
684     }
685     return 1;
686 }
687 
688 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
689 {
690     int n = 0;
691 
692     switch(vs->vnc_encoding) {
693         case VNC_ENCODING_ZLIB:
694             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
695             break;
696         case VNC_ENCODING_HEXTILE:
697             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
698             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
699             break;
700         case VNC_ENCODING_TIGHT:
701             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
702             break;
703         case VNC_ENCODING_TIGHT_PNG:
704             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
705             break;
706         case VNC_ENCODING_ZRLE:
707             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
708             break;
709         case VNC_ENCODING_ZYWRLE:
710             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
711             break;
712         default:
713             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
714             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
715             break;
716     }
717     return n;
718 }
719 
720 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
721 {
722     /* send bitblit op to the vnc client */
723     vnc_lock_output(vs);
724     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
725     vnc_write_u8(vs, 0);
726     vnc_write_u16(vs, 1); /* number of rects */
727     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
728     vnc_write_u16(vs, src_x);
729     vnc_write_u16(vs, src_y);
730     vnc_unlock_output(vs);
731     vnc_flush(vs);
732 }
733 
734 static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
735 {
736     VncDisplay *vd = ds->opaque;
737     VncState *vs, *vn;
738     uint8_t *src_row;
739     uint8_t *dst_row;
740     int i,x,y,pitch,depth,inc,w_lim,s;
741     int cmp_bytes;
742 
743     vnc_refresh_server_surface(vd);
744     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
745         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
746             vs->force_update = 1;
747             vnc_update_client_sync(vs, 1);
748             /* vs might be free()ed here */
749         }
750     }
751 
752     /* do bitblit op on the local surface too */
753     pitch = ds_get_linesize(vd->ds);
754     depth = ds_get_bytes_per_pixel(vd->ds);
755     src_row = vd->server->data + pitch * src_y + depth * src_x;
756     dst_row = vd->server->data + pitch * dst_y + depth * dst_x;
757     y = dst_y;
758     inc = 1;
759     if (dst_y > src_y) {
760         /* copy backwards */
761         src_row += pitch * (h-1);
762         dst_row += pitch * (h-1);
763         pitch = -pitch;
764         y = dst_y + h - 1;
765         inc = -1;
766     }
767     w_lim = w - (16 - (dst_x % 16));
768     if (w_lim < 0)
769         w_lim = w;
770     else
771         w_lim = w - (w_lim % 16);
772     for (i = 0; i < h; i++) {
773         for (x = 0; x <= w_lim;
774                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
775             if (x == w_lim) {
776                 if ((s = w - w_lim) == 0)
777                     break;
778             } else if (!x) {
779                 s = (16 - (dst_x % 16));
780                 s = MIN(s, w_lim);
781             } else {
782                 s = 16;
783             }
784             cmp_bytes = s * depth;
785             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
786                 continue;
787             memmove(dst_row, src_row, cmp_bytes);
788             QTAILQ_FOREACH(vs, &vd->clients, next) {
789                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
790                     set_bit(((x + dst_x) / 16), vs->dirty[y]);
791                 }
792             }
793         }
794         src_row += pitch - w * depth;
795         dst_row += pitch - w * depth;
796         y += inc;
797     }
798 
799     QTAILQ_FOREACH(vs, &vd->clients, next) {
800         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
801             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
802         }
803     }
804 }
805 
806 static void vnc_mouse_set(int x, int y, int visible)
807 {
808     /* can we ask the client(s) to move the pointer ??? */
809 }
810 
811 static int vnc_cursor_define(VncState *vs)
812 {
813     QEMUCursor *c = vs->vd->cursor;
814     PixelFormat pf = qemu_default_pixelformat(32);
815     int isize;
816 
817     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
818         vnc_lock_output(vs);
819         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
820         vnc_write_u8(vs,  0);  /*  padding     */
821         vnc_write_u16(vs, 1);  /*  # of rects  */
822         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
823                                VNC_ENCODING_RICH_CURSOR);
824         isize = c->width * c->height * vs->clientds.pf.bytes_per_pixel;
825         vnc_write_pixels_generic(vs, &pf, c->data, isize);
826         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
827         vnc_unlock_output(vs);
828         return 0;
829     }
830     return -1;
831 }
832 
833 static void vnc_dpy_cursor_define(QEMUCursor *c)
834 {
835     VncDisplay *vd = vnc_display;
836     VncState *vs;
837 
838     cursor_put(vd->cursor);
839     g_free(vd->cursor_mask);
840 
841     vd->cursor = c;
842     cursor_get(vd->cursor);
843     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
844     vd->cursor_mask = g_malloc0(vd->cursor_msize);
845     cursor_get_mono_mask(c, 0, vd->cursor_mask);
846 
847     QTAILQ_FOREACH(vs, &vd->clients, next) {
848         vnc_cursor_define(vs);
849     }
850 }
851 
852 static int find_and_clear_dirty_height(struct VncState *vs,
853                                        int y, int last_x, int x, int height)
854 {
855     int h;
856 
857     for (h = 1; h < (height - y); h++) {
858         int tmp_x;
859         if (!test_bit(last_x, vs->dirty[y + h])) {
860             break;
861         }
862         for (tmp_x = last_x; tmp_x < x; tmp_x++) {
863             clear_bit(tmp_x, vs->dirty[y + h]);
864         }
865     }
866 
867     return h;
868 }
869 
870 #ifdef CONFIG_VNC_THREAD
871 static int vnc_update_client_sync(VncState *vs, int has_dirty)
872 {
873     int ret = vnc_update_client(vs, has_dirty);
874     vnc_jobs_join(vs);
875     return ret;
876 }
877 #else
878 static int vnc_update_client_sync(VncState *vs, int has_dirty)
879 {
880     return vnc_update_client(vs, has_dirty);
881 }
882 #endif
883 
884 static int vnc_update_client(VncState *vs, int has_dirty)
885 {
886     if (vs->need_update && vs->csock != -1) {
887         VncDisplay *vd = vs->vd;
888         VncJob *job;
889         int y;
890         int width, height;
891         int n = 0;
892 
893 
894         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
895             /* kernel send buffers are full -> drop frames to throttle */
896             return 0;
897 
898         if (!has_dirty && !vs->audio_cap && !vs->force_update)
899             return 0;
900 
901         /*
902          * Send screen updates to the vnc client using the server
903          * surface and server dirty map.  guest surface updates
904          * happening in parallel don't disturb us, the next pass will
905          * send them to the client.
906          */
907         job = vnc_job_new(vs);
908 
909         width = MIN(vd->server->width, vs->client_width);
910         height = MIN(vd->server->height, vs->client_height);
911 
912         for (y = 0; y < height; y++) {
913             int x;
914             int last_x = -1;
915             for (x = 0; x < width / 16; x++) {
916                 if (test_and_clear_bit(x, vs->dirty[y])) {
917                     if (last_x == -1) {
918                         last_x = x;
919                     }
920                 } else {
921                     if (last_x != -1) {
922                         int h = find_and_clear_dirty_height(vs, y, last_x, x,
923                                                             height);
924 
925                         n += vnc_job_add_rect(job, last_x * 16, y,
926                                               (x - last_x) * 16, h);
927                     }
928                     last_x = -1;
929                 }
930             }
931             if (last_x != -1) {
932                 int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
933                 n += vnc_job_add_rect(job, last_x * 16, y,
934                                       (x - last_x) * 16, h);
935             }
936         }
937 
938         vnc_job_push(job);
939         vs->force_update = 0;
940         return n;
941     }
942 
943     if (vs->csock == -1)
944         vnc_disconnect_finish(vs);
945 
946     return 0;
947 }
948 
949 /* audio */
950 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
951 {
952     VncState *vs = opaque;
953 
954     switch (cmd) {
955     case AUD_CNOTIFY_DISABLE:
956         vnc_lock_output(vs);
957         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
958         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
959         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
960         vnc_unlock_output(vs);
961         vnc_flush(vs);
962         break;
963 
964     case AUD_CNOTIFY_ENABLE:
965         vnc_lock_output(vs);
966         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
967         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
968         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
969         vnc_unlock_output(vs);
970         vnc_flush(vs);
971         break;
972     }
973 }
974 
975 static void audio_capture_destroy(void *opaque)
976 {
977 }
978 
979 static void audio_capture(void *opaque, void *buf, int size)
980 {
981     VncState *vs = opaque;
982 
983     vnc_lock_output(vs);
984     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
985     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
986     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
987     vnc_write_u32(vs, size);
988     vnc_write(vs, buf, size);
989     vnc_unlock_output(vs);
990     vnc_flush(vs);
991 }
992 
993 static void audio_add(VncState *vs)
994 {
995     struct audio_capture_ops ops;
996 
997     if (vs->audio_cap) {
998         monitor_printf(default_mon, "audio already running\n");
999         return;
1000     }
1001 
1002     ops.notify = audio_capture_notify;
1003     ops.destroy = audio_capture_destroy;
1004     ops.capture = audio_capture;
1005 
1006     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1007     if (!vs->audio_cap) {
1008         monitor_printf(default_mon, "Failed to add audio capture\n");
1009     }
1010 }
1011 
1012 static void audio_del(VncState *vs)
1013 {
1014     if (vs->audio_cap) {
1015         AUD_del_capture(vs->audio_cap, vs);
1016         vs->audio_cap = NULL;
1017     }
1018 }
1019 
1020 static void vnc_disconnect_start(VncState *vs)
1021 {
1022     if (vs->csock == -1)
1023         return;
1024     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1025     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1026     closesocket(vs->csock);
1027     vs->csock = -1;
1028 }
1029 
1030 static void vnc_disconnect_finish(VncState *vs)
1031 {
1032     int i;
1033 
1034     vnc_jobs_join(vs); /* Wait encoding jobs */
1035 
1036     vnc_lock_output(vs);
1037     vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);
1038 
1039     buffer_free(&vs->input);
1040     buffer_free(&vs->output);
1041 
1042     qobject_decref(vs->info);
1043 
1044     vnc_zlib_clear(vs);
1045     vnc_tight_clear(vs);
1046     vnc_zrle_clear(vs);
1047 
1048 #ifdef CONFIG_VNC_TLS
1049     vnc_tls_client_cleanup(vs);
1050 #endif /* CONFIG_VNC_TLS */
1051 #ifdef CONFIG_VNC_SASL
1052     vnc_sasl_client_cleanup(vs);
1053 #endif /* CONFIG_VNC_SASL */
1054     audio_del(vs);
1055     vnc_release_modifiers(vs);
1056 
1057     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1058 
1059     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1060         dcl->idle = 1;
1061     }
1062 
1063     qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1064     vnc_remove_timer(vs->vd);
1065     if (vs->vd->lock_key_sync)
1066         qemu_remove_led_event_handler(vs->led);
1067     vnc_unlock_output(vs);
1068 
1069 #ifdef CONFIG_VNC_THREAD
1070     qemu_mutex_destroy(&vs->output_mutex);
1071 #endif
1072     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1073         g_free(vs->lossy_rect[i]);
1074     }
1075     g_free(vs->lossy_rect);
1076     g_free(vs);
1077 }
1078 
1079 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1080 {
1081     if (ret == 0 || ret == -1) {
1082         if (ret == -1) {
1083             switch (last_errno) {
1084                 case EINTR:
1085                 case EAGAIN:
1086 #ifdef _WIN32
1087                 case WSAEWOULDBLOCK:
1088 #endif
1089                     return 0;
1090                 default:
1091                     break;
1092             }
1093         }
1094 
1095         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1096                   ret, ret < 0 ? last_errno : 0);
1097         vnc_disconnect_start(vs);
1098 
1099         return 0;
1100     }
1101     return ret;
1102 }
1103 
1104 
1105 void vnc_client_error(VncState *vs)
1106 {
1107     VNC_DEBUG("Closing down client sock: protocol error\n");
1108     vnc_disconnect_start(vs);
1109 }
1110 
1111 
1112 /*
1113  * Called to write a chunk of data to the client socket. The data may
1114  * be the raw data, or may have already been encoded by SASL.
1115  * The data will be written either straight onto the socket, or
1116  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1117  *
1118  * NB, it is theoretically possible to have 2 layers of encryption,
1119  * both SASL, and this TLS layer. It is highly unlikely in practice
1120  * though, since SASL encryption will typically be a no-op if TLS
1121  * is active
1122  *
1123  * Returns the number of bytes written, which may be less than
1124  * the requested 'datalen' if the socket would block. Returns
1125  * -1 on error, and disconnects the client socket.
1126  */
1127 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1128 {
1129     long ret;
1130 #ifdef CONFIG_VNC_TLS
1131     if (vs->tls.session) {
1132         ret = gnutls_write(vs->tls.session, data, datalen);
1133         if (ret < 0) {
1134             if (ret == GNUTLS_E_AGAIN)
1135                 errno = EAGAIN;
1136             else
1137                 errno = EIO;
1138             ret = -1;
1139         }
1140     } else
1141 #endif /* CONFIG_VNC_TLS */
1142         ret = send(vs->csock, (const void *)data, datalen, 0);
1143     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1144     return vnc_client_io_error(vs, ret, socket_error());
1145 }
1146 
1147 
1148 /*
1149  * Called to write buffered data to the client socket, when not
1150  * using any SASL SSF encryption layers. Will write as much data
1151  * as possible without blocking. If all buffered data is written,
1152  * will switch the FD poll() handler back to read monitoring.
1153  *
1154  * Returns the number of bytes written, which may be less than
1155  * the buffered output data if the socket would block. Returns
1156  * -1 on error, and disconnects the client socket.
1157  */
1158 static long vnc_client_write_plain(VncState *vs)
1159 {
1160     long ret;
1161 
1162 #ifdef CONFIG_VNC_SASL
1163     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1164               vs->output.buffer, vs->output.capacity, vs->output.offset,
1165               vs->sasl.waitWriteSSF);
1166 
1167     if (vs->sasl.conn &&
1168         vs->sasl.runSSF &&
1169         vs->sasl.waitWriteSSF) {
1170         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1171         if (ret)
1172             vs->sasl.waitWriteSSF -= ret;
1173     } else
1174 #endif /* CONFIG_VNC_SASL */
1175         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1176     if (!ret)
1177         return 0;
1178 
1179     memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
1180     vs->output.offset -= ret;
1181 
1182     if (vs->output.offset == 0) {
1183         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1184     }
1185 
1186     return ret;
1187 }
1188 
1189 
1190 /*
1191  * First function called whenever there is data to be written to
1192  * the client socket. Will delegate actual work according to whether
1193  * SASL SSF layers are enabled (thus requiring encryption calls)
1194  */
1195 static void vnc_client_write_locked(void *opaque)
1196 {
1197     VncState *vs = opaque;
1198 
1199 #ifdef CONFIG_VNC_SASL
1200     if (vs->sasl.conn &&
1201         vs->sasl.runSSF &&
1202         !vs->sasl.waitWriteSSF) {
1203         vnc_client_write_sasl(vs);
1204     } else
1205 #endif /* CONFIG_VNC_SASL */
1206         vnc_client_write_plain(vs);
1207 }
1208 
1209 void vnc_client_write(void *opaque)
1210 {
1211     VncState *vs = opaque;
1212 
1213     vnc_lock_output(vs);
1214     if (vs->output.offset) {
1215         vnc_client_write_locked(opaque);
1216     } else if (vs->csock != -1) {
1217         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1218     }
1219     vnc_unlock_output(vs);
1220 }
1221 
1222 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1223 {
1224     vs->read_handler = func;
1225     vs->read_handler_expect = expecting;
1226 }
1227 
1228 
1229 /*
1230  * Called to read a chunk of data from the client socket. The data may
1231  * be the raw data, or may need to be further decoded by SASL.
1232  * The data will be read either straight from to the socket, or
1233  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1234  *
1235  * NB, it is theoretically possible to have 2 layers of encryption,
1236  * both SASL, and this TLS layer. It is highly unlikely in practice
1237  * though, since SASL encryption will typically be a no-op if TLS
1238  * is active
1239  *
1240  * Returns the number of bytes read, which may be less than
1241  * the requested 'datalen' if the socket would block. Returns
1242  * -1 on error, and disconnects the client socket.
1243  */
1244 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1245 {
1246     long ret;
1247 #ifdef CONFIG_VNC_TLS
1248     if (vs->tls.session) {
1249         ret = gnutls_read(vs->tls.session, data, datalen);
1250         if (ret < 0) {
1251             if (ret == GNUTLS_E_AGAIN)
1252                 errno = EAGAIN;
1253             else
1254                 errno = EIO;
1255             ret = -1;
1256         }
1257     } else
1258 #endif /* CONFIG_VNC_TLS */
1259         ret = qemu_recv(vs->csock, data, datalen, 0);
1260     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1261     return vnc_client_io_error(vs, ret, socket_error());
1262 }
1263 
1264 
1265 /*
1266  * Called to read data from the client socket to the input buffer,
1267  * when not using any SASL SSF encryption layers. Will read as much
1268  * data as possible without blocking.
1269  *
1270  * Returns the number of bytes read. Returns -1 on error, and
1271  * disconnects the client socket.
1272  */
1273 static long vnc_client_read_plain(VncState *vs)
1274 {
1275     int ret;
1276     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1277               vs->input.buffer, vs->input.capacity, vs->input.offset);
1278     buffer_reserve(&vs->input, 4096);
1279     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1280     if (!ret)
1281         return 0;
1282     vs->input.offset += ret;
1283     return ret;
1284 }
1285 
1286 
1287 /*
1288  * First function called whenever there is more data to be read from
1289  * the client socket. Will delegate actual work according to whether
1290  * SASL SSF layers are enabled (thus requiring decryption calls)
1291  */
1292 void vnc_client_read(void *opaque)
1293 {
1294     VncState *vs = opaque;
1295     long ret;
1296 
1297 #ifdef CONFIG_VNC_SASL
1298     if (vs->sasl.conn && vs->sasl.runSSF)
1299         ret = vnc_client_read_sasl(vs);
1300     else
1301 #endif /* CONFIG_VNC_SASL */
1302         ret = vnc_client_read_plain(vs);
1303     if (!ret) {
1304         if (vs->csock == -1)
1305             vnc_disconnect_finish(vs);
1306         return;
1307     }
1308 
1309     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1310         size_t len = vs->read_handler_expect;
1311         int ret;
1312 
1313         ret = vs->read_handler(vs, vs->input.buffer, len);
1314         if (vs->csock == -1) {
1315             vnc_disconnect_finish(vs);
1316             return;
1317         }
1318 
1319         if (!ret) {
1320             memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
1321             vs->input.offset -= len;
1322         } else {
1323             vs->read_handler_expect = ret;
1324         }
1325     }
1326 }
1327 
1328 void vnc_write(VncState *vs, const void *data, size_t len)
1329 {
1330     buffer_reserve(&vs->output, len);
1331 
1332     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1333         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1334     }
1335 
1336     buffer_append(&vs->output, data, len);
1337 }
1338 
1339 void vnc_write_s32(VncState *vs, int32_t value)
1340 {
1341     vnc_write_u32(vs, *(uint32_t *)&value);
1342 }
1343 
1344 void vnc_write_u32(VncState *vs, uint32_t value)
1345 {
1346     uint8_t buf[4];
1347 
1348     buf[0] = (value >> 24) & 0xFF;
1349     buf[1] = (value >> 16) & 0xFF;
1350     buf[2] = (value >>  8) & 0xFF;
1351     buf[3] = value & 0xFF;
1352 
1353     vnc_write(vs, buf, 4);
1354 }
1355 
1356 void vnc_write_u16(VncState *vs, uint16_t value)
1357 {
1358     uint8_t buf[2];
1359 
1360     buf[0] = (value >> 8) & 0xFF;
1361     buf[1] = value & 0xFF;
1362 
1363     vnc_write(vs, buf, 2);
1364 }
1365 
1366 void vnc_write_u8(VncState *vs, uint8_t value)
1367 {
1368     vnc_write(vs, (char *)&value, 1);
1369 }
1370 
1371 void vnc_flush(VncState *vs)
1372 {
1373     vnc_lock_output(vs);
1374     if (vs->csock != -1 && vs->output.offset) {
1375         vnc_client_write_locked(vs);
1376     }
1377     vnc_unlock_output(vs);
1378 }
1379 
1380 uint8_t read_u8(uint8_t *data, size_t offset)
1381 {
1382     return data[offset];
1383 }
1384 
1385 uint16_t read_u16(uint8_t *data, size_t offset)
1386 {
1387     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1388 }
1389 
1390 int32_t read_s32(uint8_t *data, size_t offset)
1391 {
1392     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1393                      (data[offset + 2] << 8) | data[offset + 3]);
1394 }
1395 
1396 uint32_t read_u32(uint8_t *data, size_t offset)
1397 {
1398     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1399             (data[offset + 2] << 8) | data[offset + 3]);
1400 }
1401 
1402 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1403 {
1404 }
1405 
1406 static void check_pointer_type_change(Notifier *notifier, void *data)
1407 {
1408     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1409     int absolute = kbd_mouse_is_absolute();
1410 
1411     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1412         vnc_lock_output(vs);
1413         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1414         vnc_write_u8(vs, 0);
1415         vnc_write_u16(vs, 1);
1416         vnc_framebuffer_update(vs, absolute, 0,
1417                                ds_get_width(vs->ds), ds_get_height(vs->ds),
1418                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1419         vnc_unlock_output(vs);
1420         vnc_flush(vs);
1421     }
1422     vs->absolute = absolute;
1423 }
1424 
1425 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1426 {
1427     int buttons = 0;
1428     int dz = 0;
1429 
1430     if (button_mask & 0x01)
1431         buttons |= MOUSE_EVENT_LBUTTON;
1432     if (button_mask & 0x02)
1433         buttons |= MOUSE_EVENT_MBUTTON;
1434     if (button_mask & 0x04)
1435         buttons |= MOUSE_EVENT_RBUTTON;
1436     if (button_mask & 0x08)
1437         dz = -1;
1438     if (button_mask & 0x10)
1439         dz = 1;
1440 
1441     if (vs->absolute) {
1442         kbd_mouse_event(ds_get_width(vs->ds) > 1 ?
1443                           x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000,
1444                         ds_get_height(vs->ds) > 1 ?
1445                           y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000,
1446                         dz, buttons);
1447     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1448         x -= 0x7FFF;
1449         y -= 0x7FFF;
1450 
1451         kbd_mouse_event(x, y, dz, buttons);
1452     } else {
1453         if (vs->last_x != -1)
1454             kbd_mouse_event(x - vs->last_x,
1455                             y - vs->last_y,
1456                             dz, buttons);
1457         vs->last_x = x;
1458         vs->last_y = y;
1459     }
1460 }
1461 
1462 static void reset_keys(VncState *vs)
1463 {
1464     int i;
1465     for(i = 0; i < 256; i++) {
1466         if (vs->modifiers_state[i]) {
1467             if (i & SCANCODE_GREY)
1468                 kbd_put_keycode(SCANCODE_EMUL0);
1469             kbd_put_keycode(i | SCANCODE_UP);
1470             vs->modifiers_state[i] = 0;
1471         }
1472     }
1473 }
1474 
1475 static void press_key(VncState *vs, int keysym)
1476 {
1477     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1478     if (keycode & SCANCODE_GREY)
1479         kbd_put_keycode(SCANCODE_EMUL0);
1480     kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1481     if (keycode & SCANCODE_GREY)
1482         kbd_put_keycode(SCANCODE_EMUL0);
1483     kbd_put_keycode(keycode | SCANCODE_UP);
1484 }
1485 
1486 static void kbd_leds(void *opaque, int ledstate)
1487 {
1488     VncState *vs = opaque;
1489     int caps, num;
1490 
1491     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1492     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1493 
1494     if (vs->modifiers_state[0x3a] != caps) {
1495         vs->modifiers_state[0x3a] = caps;
1496     }
1497     if (vs->modifiers_state[0x45] != num) {
1498         vs->modifiers_state[0x45] = num;
1499     }
1500 }
1501 
1502 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1503 {
1504     /* QEMU console switch */
1505     switch(keycode) {
1506     case 0x2a:                          /* Left Shift */
1507     case 0x36:                          /* Right Shift */
1508     case 0x1d:                          /* Left CTRL */
1509     case 0x9d:                          /* Right CTRL */
1510     case 0x38:                          /* Left ALT */
1511     case 0xb8:                          /* Right ALT */
1512         if (down)
1513             vs->modifiers_state[keycode] = 1;
1514         else
1515             vs->modifiers_state[keycode] = 0;
1516         break;
1517     case 0x02 ... 0x0a: /* '1' to '9' keys */
1518         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1519             /* Reset the modifiers sent to the current console */
1520             reset_keys(vs);
1521             console_select(keycode - 0x02);
1522             return;
1523         }
1524         break;
1525     case 0x3a:                        /* CapsLock */
1526     case 0x45:                        /* NumLock */
1527         if (down)
1528             vs->modifiers_state[keycode] ^= 1;
1529         break;
1530     }
1531 
1532     if (down && vs->vd->lock_key_sync &&
1533         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1534         /* If the numlock state needs to change then simulate an additional
1535            keypress before sending this one.  This will happen if the user
1536            toggles numlock away from the VNC window.
1537         */
1538         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1539             if (!vs->modifiers_state[0x45]) {
1540                 vs->modifiers_state[0x45] = 1;
1541                 press_key(vs, 0xff7f);
1542             }
1543         } else {
1544             if (vs->modifiers_state[0x45]) {
1545                 vs->modifiers_state[0x45] = 0;
1546                 press_key(vs, 0xff7f);
1547             }
1548         }
1549     }
1550 
1551     if (down && vs->vd->lock_key_sync &&
1552         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1553         /* If the capslock state needs to change then simulate an additional
1554            keypress before sending this one.  This will happen if the user
1555            toggles capslock away from the VNC window.
1556         */
1557         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1558         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1559         int capslock = !!(vs->modifiers_state[0x3a]);
1560         if (capslock) {
1561             if (uppercase == shift) {
1562                 vs->modifiers_state[0x3a] = 0;
1563                 press_key(vs, 0xffe5);
1564             }
1565         } else {
1566             if (uppercase != shift) {
1567                 vs->modifiers_state[0x3a] = 1;
1568                 press_key(vs, 0xffe5);
1569             }
1570         }
1571     }
1572 
1573     if (is_graphic_console()) {
1574         if (keycode & SCANCODE_GREY)
1575             kbd_put_keycode(SCANCODE_EMUL0);
1576         if (down)
1577             kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1578         else
1579             kbd_put_keycode(keycode | SCANCODE_UP);
1580     } else {
1581         bool numlock = vs->modifiers_state[0x45];
1582         bool control = (vs->modifiers_state[0x1d] ||
1583                         vs->modifiers_state[0x9d]);
1584         /* QEMU console emulation */
1585         if (down) {
1586             switch (keycode) {
1587             case 0x2a:                          /* Left Shift */
1588             case 0x36:                          /* Right Shift */
1589             case 0x1d:                          /* Left CTRL */
1590             case 0x9d:                          /* Right CTRL */
1591             case 0x38:                          /* Left ALT */
1592             case 0xb8:                          /* Right ALT */
1593                 break;
1594             case 0xc8:
1595                 kbd_put_keysym(QEMU_KEY_UP);
1596                 break;
1597             case 0xd0:
1598                 kbd_put_keysym(QEMU_KEY_DOWN);
1599                 break;
1600             case 0xcb:
1601                 kbd_put_keysym(QEMU_KEY_LEFT);
1602                 break;
1603             case 0xcd:
1604                 kbd_put_keysym(QEMU_KEY_RIGHT);
1605                 break;
1606             case 0xd3:
1607                 kbd_put_keysym(QEMU_KEY_DELETE);
1608                 break;
1609             case 0xc7:
1610                 kbd_put_keysym(QEMU_KEY_HOME);
1611                 break;
1612             case 0xcf:
1613                 kbd_put_keysym(QEMU_KEY_END);
1614                 break;
1615             case 0xc9:
1616                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1617                 break;
1618             case 0xd1:
1619                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1620                 break;
1621 
1622             case 0x47:
1623                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1624                 break;
1625             case 0x48:
1626                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1627                 break;
1628             case 0x49:
1629                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1630                 break;
1631             case 0x4b:
1632                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1633                 break;
1634             case 0x4c:
1635                 kbd_put_keysym('5');
1636                 break;
1637             case 0x4d:
1638                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1639                 break;
1640             case 0x4f:
1641                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1642                 break;
1643             case 0x50:
1644                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1645                 break;
1646             case 0x51:
1647                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1648                 break;
1649             case 0x52:
1650                 kbd_put_keysym('0');
1651                 break;
1652             case 0x53:
1653                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1654                 break;
1655 
1656             case 0xb5:
1657                 kbd_put_keysym('/');
1658                 break;
1659             case 0x37:
1660                 kbd_put_keysym('*');
1661                 break;
1662             case 0x4a:
1663                 kbd_put_keysym('-');
1664                 break;
1665             case 0x4e:
1666                 kbd_put_keysym('+');
1667                 break;
1668             case 0x9c:
1669                 kbd_put_keysym('\n');
1670                 break;
1671 
1672             default:
1673                 if (control) {
1674                     kbd_put_keysym(sym & 0x1f);
1675                 } else {
1676                     kbd_put_keysym(sym);
1677                 }
1678                 break;
1679             }
1680         }
1681     }
1682 }
1683 
1684 static void vnc_release_modifiers(VncState *vs)
1685 {
1686     static const int keycodes[] = {
1687         /* shift, control, alt keys, both left & right */
1688         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1689     };
1690     int i, keycode;
1691 
1692     if (!is_graphic_console()) {
1693         return;
1694     }
1695     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1696         keycode = keycodes[i];
1697         if (!vs->modifiers_state[keycode]) {
1698             continue;
1699         }
1700         if (keycode & SCANCODE_GREY) {
1701             kbd_put_keycode(SCANCODE_EMUL0);
1702         }
1703         kbd_put_keycode(keycode | SCANCODE_UP);
1704     }
1705 }
1706 
1707 static void key_event(VncState *vs, int down, uint32_t sym)
1708 {
1709     int keycode;
1710     int lsym = sym;
1711 
1712     if (lsym >= 'A' && lsym <= 'Z' && is_graphic_console()) {
1713         lsym = lsym - 'A' + 'a';
1714     }
1715 
1716     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1717     do_key_event(vs, down, keycode, sym);
1718 }
1719 
1720 static void ext_key_event(VncState *vs, int down,
1721                           uint32_t sym, uint16_t keycode)
1722 {
1723     /* if the user specifies a keyboard layout, always use it */
1724     if (keyboard_layout)
1725         key_event(vs, down, sym);
1726     else
1727         do_key_event(vs, down, keycode, sym);
1728 }
1729 
1730 static void framebuffer_update_request(VncState *vs, int incremental,
1731                                        int x_position, int y_position,
1732                                        int w, int h)
1733 {
1734     int i;
1735     const size_t width = ds_get_width(vs->ds) / 16;
1736 
1737     if (y_position > ds_get_height(vs->ds))
1738         y_position = ds_get_height(vs->ds);
1739     if (y_position + h >= ds_get_height(vs->ds))
1740         h = ds_get_height(vs->ds) - y_position;
1741 
1742     vs->need_update = 1;
1743     if (!incremental) {
1744         vs->force_update = 1;
1745         for (i = 0; i < h; i++) {
1746             bitmap_set(vs->dirty[y_position + i], 0, width);
1747             bitmap_clear(vs->dirty[y_position + i], width,
1748                          VNC_DIRTY_BITS - width);
1749         }
1750     }
1751 }
1752 
1753 static void send_ext_key_event_ack(VncState *vs)
1754 {
1755     vnc_lock_output(vs);
1756     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1757     vnc_write_u8(vs, 0);
1758     vnc_write_u16(vs, 1);
1759     vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1760                            VNC_ENCODING_EXT_KEY_EVENT);
1761     vnc_unlock_output(vs);
1762     vnc_flush(vs);
1763 }
1764 
1765 static void send_ext_audio_ack(VncState *vs)
1766 {
1767     vnc_lock_output(vs);
1768     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1769     vnc_write_u8(vs, 0);
1770     vnc_write_u16(vs, 1);
1771     vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
1772                            VNC_ENCODING_AUDIO);
1773     vnc_unlock_output(vs);
1774     vnc_flush(vs);
1775 }
1776 
1777 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1778 {
1779     int i;
1780     unsigned int enc = 0;
1781 
1782     vs->features = 0;
1783     vs->vnc_encoding = 0;
1784     vs->tight.compression = 9;
1785     vs->tight.quality = -1; /* Lossless by default */
1786     vs->absolute = -1;
1787 
1788     /*
1789      * Start from the end because the encodings are sent in order of preference.
1790      * This way the preferred encoding (first encoding defined in the array)
1791      * will be set at the end of the loop.
1792      */
1793     for (i = n_encodings - 1; i >= 0; i--) {
1794         enc = encodings[i];
1795         switch (enc) {
1796         case VNC_ENCODING_RAW:
1797             vs->vnc_encoding = enc;
1798             break;
1799         case VNC_ENCODING_COPYRECT:
1800             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1801             break;
1802         case VNC_ENCODING_HEXTILE:
1803             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1804             vs->vnc_encoding = enc;
1805             break;
1806         case VNC_ENCODING_TIGHT:
1807             vs->features |= VNC_FEATURE_TIGHT_MASK;
1808             vs->vnc_encoding = enc;
1809             break;
1810         case VNC_ENCODING_TIGHT_PNG:
1811             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1812             vs->vnc_encoding = enc;
1813             break;
1814         case VNC_ENCODING_ZLIB:
1815             vs->features |= VNC_FEATURE_ZLIB_MASK;
1816             vs->vnc_encoding = enc;
1817             break;
1818         case VNC_ENCODING_ZRLE:
1819             vs->features |= VNC_FEATURE_ZRLE_MASK;
1820             vs->vnc_encoding = enc;
1821             break;
1822         case VNC_ENCODING_ZYWRLE:
1823             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1824             vs->vnc_encoding = enc;
1825             break;
1826         case VNC_ENCODING_DESKTOPRESIZE:
1827             vs->features |= VNC_FEATURE_RESIZE_MASK;
1828             break;
1829         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1830             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1831             break;
1832         case VNC_ENCODING_RICH_CURSOR:
1833             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1834             break;
1835         case VNC_ENCODING_EXT_KEY_EVENT:
1836             send_ext_key_event_ack(vs);
1837             break;
1838         case VNC_ENCODING_AUDIO:
1839             send_ext_audio_ack(vs);
1840             break;
1841         case VNC_ENCODING_WMVi:
1842             vs->features |= VNC_FEATURE_WMVI_MASK;
1843             break;
1844         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1845             vs->tight.compression = (enc & 0x0F);
1846             break;
1847         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1848             if (vs->vd->lossy) {
1849                 vs->tight.quality = (enc & 0x0F);
1850             }
1851             break;
1852         default:
1853             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1854             break;
1855         }
1856     }
1857     vnc_desktop_resize(vs);
1858     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
1859 }
1860 
1861 static void set_pixel_conversion(VncState *vs)
1862 {
1863     if ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) ==
1864         (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) &&
1865         !memcmp(&(vs->clientds.pf), &(vs->ds->surface->pf), sizeof(PixelFormat))) {
1866         vs->write_pixels = vnc_write_pixels_copy;
1867         vnc_hextile_set_pixel_conversion(vs, 0);
1868     } else {
1869         vs->write_pixels = vnc_write_pixels_generic;
1870         vnc_hextile_set_pixel_conversion(vs, 1);
1871     }
1872 }
1873 
1874 static void set_pixel_format(VncState *vs,
1875                              int bits_per_pixel, int depth,
1876                              int big_endian_flag, int true_color_flag,
1877                              int red_max, int green_max, int blue_max,
1878                              int red_shift, int green_shift, int blue_shift)
1879 {
1880     if (!true_color_flag) {
1881         vnc_client_error(vs);
1882         return;
1883     }
1884 
1885     vs->clientds = *(vs->vd->guest.ds);
1886     vs->clientds.pf.rmax = red_max;
1887     vs->clientds.pf.rbits = hweight_long(red_max);
1888     vs->clientds.pf.rshift = red_shift;
1889     vs->clientds.pf.rmask = red_max << red_shift;
1890     vs->clientds.pf.gmax = green_max;
1891     vs->clientds.pf.gbits = hweight_long(green_max);
1892     vs->clientds.pf.gshift = green_shift;
1893     vs->clientds.pf.gmask = green_max << green_shift;
1894     vs->clientds.pf.bmax = blue_max;
1895     vs->clientds.pf.bbits = hweight_long(blue_max);
1896     vs->clientds.pf.bshift = blue_shift;
1897     vs->clientds.pf.bmask = blue_max << blue_shift;
1898     vs->clientds.pf.bits_per_pixel = bits_per_pixel;
1899     vs->clientds.pf.bytes_per_pixel = bits_per_pixel / 8;
1900     vs->clientds.pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
1901     vs->clientds.flags = big_endian_flag ? QEMU_BIG_ENDIAN_FLAG : 0x00;
1902 
1903     set_pixel_conversion(vs);
1904 
1905     vga_hw_invalidate();
1906     vga_hw_update();
1907 }
1908 
1909 static void pixel_format_message (VncState *vs) {
1910     char pad[3] = { 0, 0, 0 };
1911 
1912     vnc_write_u8(vs, vs->ds->surface->pf.bits_per_pixel); /* bits-per-pixel */
1913     vnc_write_u8(vs, vs->ds->surface->pf.depth); /* depth */
1914 
1915 #ifdef HOST_WORDS_BIGENDIAN
1916     vnc_write_u8(vs, 1);             /* big-endian-flag */
1917 #else
1918     vnc_write_u8(vs, 0);             /* big-endian-flag */
1919 #endif
1920     vnc_write_u8(vs, 1);             /* true-color-flag */
1921     vnc_write_u16(vs, vs->ds->surface->pf.rmax);     /* red-max */
1922     vnc_write_u16(vs, vs->ds->surface->pf.gmax);     /* green-max */
1923     vnc_write_u16(vs, vs->ds->surface->pf.bmax);     /* blue-max */
1924     vnc_write_u8(vs, vs->ds->surface->pf.rshift);    /* red-shift */
1925     vnc_write_u8(vs, vs->ds->surface->pf.gshift);    /* green-shift */
1926     vnc_write_u8(vs, vs->ds->surface->pf.bshift);    /* blue-shift */
1927 
1928     vnc_hextile_set_pixel_conversion(vs, 0);
1929 
1930     vs->clientds = *(vs->ds->surface);
1931     vs->clientds.flags &= ~QEMU_ALLOCATED_FLAG;
1932     vs->write_pixels = vnc_write_pixels_copy;
1933 
1934     vnc_write(vs, pad, 3);           /* padding */
1935 }
1936 
1937 static void vnc_dpy_setdata(DisplayState *ds)
1938 {
1939     /* We don't have to do anything */
1940 }
1941 
1942 static void vnc_colordepth(VncState *vs)
1943 {
1944     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
1945         /* Sending a WMVi message to notify the client*/
1946         vnc_lock_output(vs);
1947         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1948         vnc_write_u8(vs, 0);
1949         vnc_write_u16(vs, 1); /* number of rects */
1950         vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
1951                                ds_get_height(vs->ds), VNC_ENCODING_WMVi);
1952         pixel_format_message(vs);
1953         vnc_unlock_output(vs);
1954         vnc_flush(vs);
1955     } else {
1956         set_pixel_conversion(vs);
1957     }
1958 }
1959 
1960 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
1961 {
1962     int i;
1963     uint16_t limit;
1964     VncDisplay *vd = vs->vd;
1965 
1966     if (data[0] > 3) {
1967         vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
1968         if (!qemu_timer_expired(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval))
1969             qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval);
1970     }
1971 
1972     switch (data[0]) {
1973     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
1974         if (len == 1)
1975             return 20;
1976 
1977         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
1978                          read_u8(data, 6), read_u8(data, 7),
1979                          read_u16(data, 8), read_u16(data, 10),
1980                          read_u16(data, 12), read_u8(data, 14),
1981                          read_u8(data, 15), read_u8(data, 16));
1982         break;
1983     case VNC_MSG_CLIENT_SET_ENCODINGS:
1984         if (len == 1)
1985             return 4;
1986 
1987         if (len == 4) {
1988             limit = read_u16(data, 2);
1989             if (limit > 0)
1990                 return 4 + (limit * 4);
1991         } else
1992             limit = read_u16(data, 2);
1993 
1994         for (i = 0; i < limit; i++) {
1995             int32_t val = read_s32(data, 4 + (i * 4));
1996             memcpy(data + 4 + (i * 4), &val, sizeof(val));
1997         }
1998 
1999         set_encodings(vs, (int32_t *)(data + 4), limit);
2000         break;
2001     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2002         if (len == 1)
2003             return 10;
2004 
2005         framebuffer_update_request(vs,
2006                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2007                                    read_u16(data, 6), read_u16(data, 8));
2008         break;
2009     case VNC_MSG_CLIENT_KEY_EVENT:
2010         if (len == 1)
2011             return 8;
2012 
2013         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2014         break;
2015     case VNC_MSG_CLIENT_POINTER_EVENT:
2016         if (len == 1)
2017             return 6;
2018 
2019         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2020         break;
2021     case VNC_MSG_CLIENT_CUT_TEXT:
2022         if (len == 1)
2023             return 8;
2024 
2025         if (len == 8) {
2026             uint32_t dlen = read_u32(data, 4);
2027             if (dlen > 0)
2028                 return 8 + dlen;
2029         }
2030 
2031         client_cut_text(vs, read_u32(data, 4), data + 8);
2032         break;
2033     case VNC_MSG_CLIENT_QEMU:
2034         if (len == 1)
2035             return 2;
2036 
2037         switch (read_u8(data, 1)) {
2038         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2039             if (len == 2)
2040                 return 12;
2041 
2042             ext_key_event(vs, read_u16(data, 2),
2043                           read_u32(data, 4), read_u32(data, 8));
2044             break;
2045         case VNC_MSG_CLIENT_QEMU_AUDIO:
2046             if (len == 2)
2047                 return 4;
2048 
2049             switch (read_u16 (data, 2)) {
2050             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2051                 audio_add(vs);
2052                 break;
2053             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2054                 audio_del(vs);
2055                 break;
2056             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2057                 if (len == 4)
2058                     return 10;
2059                 switch (read_u8(data, 4)) {
2060                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2061                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2062                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2063                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2064                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2065                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2066                 default:
2067                     printf("Invalid audio format %d\n", read_u8(data, 4));
2068                     vnc_client_error(vs);
2069                     break;
2070                 }
2071                 vs->as.nchannels = read_u8(data, 5);
2072                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2073                     printf("Invalid audio channel coount %d\n",
2074                            read_u8(data, 5));
2075                     vnc_client_error(vs);
2076                     break;
2077                 }
2078                 vs->as.freq = read_u32(data, 6);
2079                 break;
2080             default:
2081                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2082                 vnc_client_error(vs);
2083                 break;
2084             }
2085             break;
2086 
2087         default:
2088             printf("Msg: %d\n", read_u16(data, 0));
2089             vnc_client_error(vs);
2090             break;
2091         }
2092         break;
2093     default:
2094         printf("Msg: %d\n", data[0]);
2095         vnc_client_error(vs);
2096         break;
2097     }
2098 
2099     vnc_read_when(vs, protocol_client_msg, 1);
2100     return 0;
2101 }
2102 
2103 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2104 {
2105     char buf[1024];
2106     VncShareMode mode;
2107     int size;
2108 
2109     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2110     switch (vs->vd->share_policy) {
2111     case VNC_SHARE_POLICY_IGNORE:
2112         /*
2113          * Ignore the shared flag.  Nothing to do here.
2114          *
2115          * Doesn't conform to the rfb spec but is traditional qemu
2116          * behavior, thus left here as option for compatibility
2117          * reasons.
2118          */
2119         break;
2120     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2121         /*
2122          * Policy: Allow clients ask for exclusive access.
2123          *
2124          * Implementation: When a client asks for exclusive access,
2125          * disconnect all others. Shared connects are allowed as long
2126          * as no exclusive connection exists.
2127          *
2128          * This is how the rfb spec suggests to handle the shared flag.
2129          */
2130         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2131             VncState *client;
2132             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2133                 if (vs == client) {
2134                     continue;
2135                 }
2136                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2137                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2138                     continue;
2139                 }
2140                 vnc_disconnect_start(client);
2141             }
2142         }
2143         if (mode == VNC_SHARE_MODE_SHARED) {
2144             if (vs->vd->num_exclusive > 0) {
2145                 vnc_disconnect_start(vs);
2146                 return 0;
2147             }
2148         }
2149         break;
2150     case VNC_SHARE_POLICY_FORCE_SHARED:
2151         /*
2152          * Policy: Shared connects only.
2153          * Implementation: Disallow clients asking for exclusive access.
2154          *
2155          * Useful for shared desktop sessions where you don't want
2156          * someone forgetting to say -shared when running the vnc
2157          * client disconnect everybody else.
2158          */
2159         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2160             vnc_disconnect_start(vs);
2161             return 0;
2162         }
2163         break;
2164     }
2165     vnc_set_share_mode(vs, mode);
2166 
2167     vs->client_width = ds_get_width(vs->ds);
2168     vs->client_height = ds_get_height(vs->ds);
2169     vnc_write_u16(vs, vs->client_width);
2170     vnc_write_u16(vs, vs->client_height);
2171 
2172     pixel_format_message(vs);
2173 
2174     if (qemu_name)
2175         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2176     else
2177         size = snprintf(buf, sizeof(buf), "QEMU");
2178 
2179     vnc_write_u32(vs, size);
2180     vnc_write(vs, buf, size);
2181     vnc_flush(vs);
2182 
2183     vnc_client_cache_auth(vs);
2184     vnc_qmp_event(vs, QEVENT_VNC_INITIALIZED);
2185 
2186     vnc_read_when(vs, protocol_client_msg, 1);
2187 
2188     return 0;
2189 }
2190 
2191 void start_client_init(VncState *vs)
2192 {
2193     vnc_read_when(vs, protocol_client_init, 1);
2194 }
2195 
2196 static void make_challenge(VncState *vs)
2197 {
2198     int i;
2199 
2200     srand(time(NULL)+getpid()+getpid()*987654+rand());
2201 
2202     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2203         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2204 }
2205 
2206 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2207 {
2208     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2209     int i, j, pwlen;
2210     unsigned char key[8];
2211     time_t now = time(NULL);
2212 
2213     if (!vs->vd->password) {
2214         VNC_DEBUG("No password configured on server");
2215         goto reject;
2216     }
2217     if (vs->vd->expires < now) {
2218         VNC_DEBUG("Password is expired");
2219         goto reject;
2220     }
2221 
2222     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2223 
2224     /* Calculate the expected challenge response */
2225     pwlen = strlen(vs->vd->password);
2226     for (i=0; i<sizeof(key); i++)
2227         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2228     deskey(key, EN0);
2229     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2230         des(response+j, response+j);
2231 
2232     /* Compare expected vs actual challenge response */
2233     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2234         VNC_DEBUG("Client challenge response did not match\n");
2235         goto reject;
2236     } else {
2237         VNC_DEBUG("Accepting VNC challenge response\n");
2238         vnc_write_u32(vs, 0); /* Accept auth */
2239         vnc_flush(vs);
2240 
2241         start_client_init(vs);
2242     }
2243     return 0;
2244 
2245 reject:
2246     vnc_write_u32(vs, 1); /* Reject auth */
2247     if (vs->minor >= 8) {
2248         static const char err[] = "Authentication failed";
2249         vnc_write_u32(vs, sizeof(err));
2250         vnc_write(vs, err, sizeof(err));
2251     }
2252     vnc_flush(vs);
2253     vnc_client_error(vs);
2254     return 0;
2255 }
2256 
2257 void start_auth_vnc(VncState *vs)
2258 {
2259     make_challenge(vs);
2260     /* Send client a 'random' challenge */
2261     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2262     vnc_flush(vs);
2263 
2264     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2265 }
2266 
2267 
2268 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2269 {
2270     /* We only advertise 1 auth scheme at a time, so client
2271      * must pick the one we sent. Verify this */
2272     if (data[0] != vs->auth) { /* Reject auth */
2273        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2274        vnc_write_u32(vs, 1);
2275        if (vs->minor >= 8) {
2276            static const char err[] = "Authentication failed";
2277            vnc_write_u32(vs, sizeof(err));
2278            vnc_write(vs, err, sizeof(err));
2279        }
2280        vnc_client_error(vs);
2281     } else { /* Accept requested auth */
2282        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2283        switch (vs->auth) {
2284        case VNC_AUTH_NONE:
2285            VNC_DEBUG("Accept auth none\n");
2286            if (vs->minor >= 8) {
2287                vnc_write_u32(vs, 0); /* Accept auth completion */
2288                vnc_flush(vs);
2289            }
2290            start_client_init(vs);
2291            break;
2292 
2293        case VNC_AUTH_VNC:
2294            VNC_DEBUG("Start VNC auth\n");
2295            start_auth_vnc(vs);
2296            break;
2297 
2298 #ifdef CONFIG_VNC_TLS
2299        case VNC_AUTH_VENCRYPT:
2300            VNC_DEBUG("Accept VeNCrypt auth\n");
2301            start_auth_vencrypt(vs);
2302            break;
2303 #endif /* CONFIG_VNC_TLS */
2304 
2305 #ifdef CONFIG_VNC_SASL
2306        case VNC_AUTH_SASL:
2307            VNC_DEBUG("Accept SASL auth\n");
2308            start_auth_sasl(vs);
2309            break;
2310 #endif /* CONFIG_VNC_SASL */
2311 
2312        default: /* Should not be possible, but just in case */
2313            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2314            vnc_write_u8(vs, 1);
2315            if (vs->minor >= 8) {
2316                static const char err[] = "Authentication failed";
2317                vnc_write_u32(vs, sizeof(err));
2318                vnc_write(vs, err, sizeof(err));
2319            }
2320            vnc_client_error(vs);
2321        }
2322     }
2323     return 0;
2324 }
2325 
2326 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2327 {
2328     char local[13];
2329 
2330     memcpy(local, version, 12);
2331     local[12] = 0;
2332 
2333     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2334         VNC_DEBUG("Malformed protocol version %s\n", local);
2335         vnc_client_error(vs);
2336         return 0;
2337     }
2338     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2339     if (vs->major != 3 ||
2340         (vs->minor != 3 &&
2341          vs->minor != 4 &&
2342          vs->minor != 5 &&
2343          vs->minor != 7 &&
2344          vs->minor != 8)) {
2345         VNC_DEBUG("Unsupported client version\n");
2346         vnc_write_u32(vs, VNC_AUTH_INVALID);
2347         vnc_flush(vs);
2348         vnc_client_error(vs);
2349         return 0;
2350     }
2351     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2352      * as equivalent to v3.3 by servers
2353      */
2354     if (vs->minor == 4 || vs->minor == 5)
2355         vs->minor = 3;
2356 
2357     if (vs->minor == 3) {
2358         if (vs->auth == VNC_AUTH_NONE) {
2359             VNC_DEBUG("Tell client auth none\n");
2360             vnc_write_u32(vs, vs->auth);
2361             vnc_flush(vs);
2362             start_client_init(vs);
2363        } else if (vs->auth == VNC_AUTH_VNC) {
2364             VNC_DEBUG("Tell client VNC auth\n");
2365             vnc_write_u32(vs, vs->auth);
2366             vnc_flush(vs);
2367             start_auth_vnc(vs);
2368        } else {
2369             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2370             vnc_write_u32(vs, VNC_AUTH_INVALID);
2371             vnc_flush(vs);
2372             vnc_client_error(vs);
2373        }
2374     } else {
2375         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2376         vnc_write_u8(vs, 1); /* num auth */
2377         vnc_write_u8(vs, vs->auth);
2378         vnc_read_when(vs, protocol_client_auth, 1);
2379         vnc_flush(vs);
2380     }
2381 
2382     return 0;
2383 }
2384 
2385 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2386 {
2387     struct VncSurface *vs = &vd->guest;
2388 
2389     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2390 }
2391 
2392 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2393 {
2394     int i, j;
2395 
2396     w = (x + w) / VNC_STAT_RECT;
2397     h = (y + h) / VNC_STAT_RECT;
2398     x /= VNC_STAT_RECT;
2399     y /= VNC_STAT_RECT;
2400 
2401     for (j = y; j <= h; j++) {
2402         for (i = x; i <= w; i++) {
2403             vs->lossy_rect[j][i] = 1;
2404         }
2405     }
2406 }
2407 
2408 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2409 {
2410     VncState *vs;
2411     int sty = y / VNC_STAT_RECT;
2412     int stx = x / VNC_STAT_RECT;
2413     int has_dirty = 0;
2414 
2415     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2416     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2417 
2418     QTAILQ_FOREACH(vs, &vd->clients, next) {
2419         int j;
2420 
2421         /* kernel send buffers are full -> refresh later */
2422         if (vs->output.offset) {
2423             continue;
2424         }
2425 
2426         if (!vs->lossy_rect[sty][stx]) {
2427             continue;
2428         }
2429 
2430         vs->lossy_rect[sty][stx] = 0;
2431         for (j = 0; j < VNC_STAT_RECT; ++j) {
2432             bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16);
2433         }
2434         has_dirty++;
2435     }
2436 
2437     return has_dirty;
2438 }
2439 
2440 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2441 {
2442     int x, y;
2443     struct timeval res;
2444     int has_dirty = 0;
2445 
2446     for (y = 0; y < vd->guest.ds->height; y += VNC_STAT_RECT) {
2447         for (x = 0; x < vd->guest.ds->width; x += VNC_STAT_RECT) {
2448             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2449 
2450             rect->updated = false;
2451         }
2452     }
2453 
2454     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2455 
2456     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2457         return has_dirty;
2458     }
2459     vd->guest.last_freq_check = *tv;
2460 
2461     for (y = 0; y < vd->guest.ds->height; y += VNC_STAT_RECT) {
2462         for (x = 0; x < vd->guest.ds->width; x += VNC_STAT_RECT) {
2463             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2464             int count = ARRAY_SIZE(rect->times);
2465             struct timeval min, max;
2466 
2467             if (!timerisset(&rect->times[count - 1])) {
2468                 continue ;
2469             }
2470 
2471             max = rect->times[(rect->idx + count - 1) % count];
2472             qemu_timersub(tv, &max, &res);
2473 
2474             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2475                 rect->freq = 0;
2476                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2477                 memset(rect->times, 0, sizeof (rect->times));
2478                 continue ;
2479             }
2480 
2481             min = rect->times[rect->idx];
2482             max = rect->times[(rect->idx + count - 1) % count];
2483             qemu_timersub(&max, &min, &res);
2484 
2485             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2486             rect->freq /= count;
2487             rect->freq = 1. / rect->freq;
2488         }
2489     }
2490     return has_dirty;
2491 }
2492 
2493 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2494 {
2495     int i, j;
2496     double total = 0;
2497     int num = 0;
2498 
2499     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2500     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2501 
2502     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2503         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2504             total += vnc_stat_rect(vs->vd, i, j)->freq;
2505             num++;
2506         }
2507     }
2508 
2509     if (num) {
2510         return total / num;
2511     } else {
2512         return 0;
2513     }
2514 }
2515 
2516 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2517 {
2518     VncRectStat *rect;
2519 
2520     rect = vnc_stat_rect(vd, x, y);
2521     if (rect->updated) {
2522         return ;
2523     }
2524     rect->times[rect->idx] = *tv;
2525     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2526     rect->updated = true;
2527 }
2528 
2529 static int vnc_refresh_server_surface(VncDisplay *vd)
2530 {
2531     int y;
2532     uint8_t *guest_row;
2533     uint8_t *server_row;
2534     int cmp_bytes;
2535     VncState *vs;
2536     int has_dirty = 0;
2537 
2538     struct timeval tv = { 0, 0 };
2539 
2540     if (!vd->non_adaptive) {
2541         gettimeofday(&tv, NULL);
2542         has_dirty = vnc_update_stats(vd, &tv);
2543     }
2544 
2545     /*
2546      * Walk through the guest dirty map.
2547      * Check and copy modified bits from guest to server surface.
2548      * Update server dirty map.
2549      */
2550     cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
2551     guest_row  = vd->guest.ds->data;
2552     server_row = vd->server->data;
2553     for (y = 0; y < vd->guest.ds->height; y++) {
2554         if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) {
2555             int x;
2556             uint8_t *guest_ptr;
2557             uint8_t *server_ptr;
2558 
2559             guest_ptr  = guest_row;
2560             server_ptr = server_row;
2561 
2562             for (x = 0; x + 15 < vd->guest.ds->width;
2563                     x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2564                 if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
2565                     continue;
2566                 if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
2567                     continue;
2568                 memcpy(server_ptr, guest_ptr, cmp_bytes);
2569                 if (!vd->non_adaptive)
2570                     vnc_rect_updated(vd, x, y, &tv);
2571                 QTAILQ_FOREACH(vs, &vd->clients, next) {
2572                     set_bit((x / 16), vs->dirty[y]);
2573                 }
2574                 has_dirty++;
2575             }
2576         }
2577         guest_row  += ds_get_linesize(vd->ds);
2578         server_row += ds_get_linesize(vd->ds);
2579     }
2580     return has_dirty;
2581 }
2582 
2583 static void vnc_refresh(void *opaque)
2584 {
2585     VncDisplay *vd = opaque;
2586     VncState *vs, *vn;
2587     int has_dirty, rects = 0;
2588 
2589     vga_hw_update();
2590 
2591     if (vnc_trylock_display(vd)) {
2592         vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2593         qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) +
2594                        vd->timer_interval);
2595         return;
2596     }
2597 
2598     has_dirty = vnc_refresh_server_surface(vd);
2599     vnc_unlock_display(vd);
2600 
2601     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2602         rects += vnc_update_client(vs, has_dirty);
2603         /* vs might be free()ed here */
2604     }
2605 
2606     /* vd->timer could be NULL now if the last client disconnected,
2607      * in this case don't update the timer */
2608     if (vd->timer == NULL)
2609         return;
2610 
2611     if (has_dirty && rects) {
2612         vd->timer_interval /= 2;
2613         if (vd->timer_interval < VNC_REFRESH_INTERVAL_BASE)
2614             vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2615     } else {
2616         vd->timer_interval += VNC_REFRESH_INTERVAL_INC;
2617         if (vd->timer_interval > VNC_REFRESH_INTERVAL_MAX)
2618             vd->timer_interval = VNC_REFRESH_INTERVAL_MAX;
2619     }
2620     qemu_mod_timer(vd->timer, qemu_get_clock_ms(rt_clock) + vd->timer_interval);
2621 }
2622 
2623 static void vnc_init_timer(VncDisplay *vd)
2624 {
2625     vd->timer_interval = VNC_REFRESH_INTERVAL_BASE;
2626     if (vd->timer == NULL && !QTAILQ_EMPTY(&vd->clients)) {
2627         vd->timer = qemu_new_timer_ms(rt_clock, vnc_refresh, vd);
2628         vnc_dpy_resize(vd->ds);
2629         vnc_refresh(vd);
2630     }
2631 }
2632 
2633 static void vnc_remove_timer(VncDisplay *vd)
2634 {
2635     if (vd->timer != NULL && QTAILQ_EMPTY(&vd->clients)) {
2636         qemu_del_timer(vd->timer);
2637         qemu_free_timer(vd->timer);
2638         vd->timer = NULL;
2639     }
2640 }
2641 
2642 static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
2643 {
2644     VncState *vs = g_malloc0(sizeof(VncState));
2645     int i;
2646 
2647     vs->csock = csock;
2648 
2649     if (skipauth) {
2650 	vs->auth = VNC_AUTH_NONE;
2651 #ifdef CONFIG_VNC_TLS
2652 	vs->subauth = VNC_AUTH_INVALID;
2653 #endif
2654     } else {
2655 	vs->auth = vd->auth;
2656 #ifdef CONFIG_VNC_TLS
2657 	vs->subauth = vd->subauth;
2658 #endif
2659     }
2660 
2661     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2662     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2663         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2664     }
2665 
2666     VNC_DEBUG("New client on socket %d\n", csock);
2667     dcl->idle = 0;
2668     socket_set_nonblock(vs->csock);
2669     qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2670 
2671     vnc_client_cache_addr(vs);
2672     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
2673     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2674 
2675     vs->vd = vd;
2676     vs->ds = vd->ds;
2677     vs->last_x = -1;
2678     vs->last_y = -1;
2679 
2680     vs->as.freq = 44100;
2681     vs->as.nchannels = 2;
2682     vs->as.fmt = AUD_FMT_S16;
2683     vs->as.endianness = 0;
2684 
2685 #ifdef CONFIG_VNC_THREAD
2686     qemu_mutex_init(&vs->output_mutex);
2687 #endif
2688 
2689     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2690 
2691     vga_hw_update();
2692 
2693     vnc_write(vs, "RFB 003.008\n", 12);
2694     vnc_flush(vs);
2695     vnc_read_when(vs, protocol_version, 12);
2696     reset_keys(vs);
2697     if (vs->vd->lock_key_sync)
2698         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2699 
2700     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2701     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2702 
2703     vnc_init_timer(vd);
2704 
2705     /* vs might be free()ed here */
2706 }
2707 
2708 static void vnc_listen_read(void *opaque)
2709 {
2710     VncDisplay *vs = opaque;
2711     struct sockaddr_in addr;
2712     socklen_t addrlen = sizeof(addr);
2713 
2714     /* Catch-up */
2715     vga_hw_update();
2716 
2717     int csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2718     if (csock != -1) {
2719         vnc_connect(vs, csock, 0);
2720     }
2721 }
2722 
2723 void vnc_display_init(DisplayState *ds)
2724 {
2725     VncDisplay *vs = g_malloc0(sizeof(*vs));
2726 
2727     dcl = g_malloc0(sizeof(DisplayChangeListener));
2728 
2729     ds->opaque = vs;
2730     dcl->idle = 1;
2731     vnc_display = vs;
2732 
2733     vs->lsock = -1;
2734 
2735     vs->ds = ds;
2736     QTAILQ_INIT(&vs->clients);
2737     vs->expires = TIME_MAX;
2738 
2739     if (keyboard_layout)
2740         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2741     else
2742         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2743 
2744     if (!vs->kbd_layout)
2745         exit(1);
2746 
2747 #ifdef CONFIG_VNC_THREAD
2748     qemu_mutex_init(&vs->mutex);
2749     vnc_start_worker_thread();
2750 #endif
2751 
2752     dcl->dpy_copy = vnc_dpy_copy;
2753     dcl->dpy_update = vnc_dpy_update;
2754     dcl->dpy_resize = vnc_dpy_resize;
2755     dcl->dpy_setdata = vnc_dpy_setdata;
2756     register_displaychangelistener(ds, dcl);
2757     ds->mouse_set = vnc_mouse_set;
2758     ds->cursor_define = vnc_dpy_cursor_define;
2759 }
2760 
2761 
2762 void vnc_display_close(DisplayState *ds)
2763 {
2764     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2765 
2766     if (!vs)
2767         return;
2768     if (vs->display) {
2769         g_free(vs->display);
2770         vs->display = NULL;
2771     }
2772     if (vs->lsock != -1) {
2773         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2774         close(vs->lsock);
2775         vs->lsock = -1;
2776     }
2777     vs->auth = VNC_AUTH_INVALID;
2778 #ifdef CONFIG_VNC_TLS
2779     vs->subauth = VNC_AUTH_INVALID;
2780     vs->tls.x509verify = 0;
2781 #endif
2782 }
2783 
2784 int vnc_display_disable_login(DisplayState *ds)
2785 {
2786     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2787 
2788     if (!vs) {
2789         return -1;
2790     }
2791 
2792     if (vs->password) {
2793         g_free(vs->password);
2794     }
2795 
2796     vs->password = NULL;
2797     if (vs->auth == VNC_AUTH_NONE) {
2798         vs->auth = VNC_AUTH_VNC;
2799     }
2800 
2801     return 0;
2802 }
2803 
2804 int vnc_display_password(DisplayState *ds, const char *password)
2805 {
2806     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2807 
2808     if (!vs) {
2809         return -EINVAL;
2810     }
2811 
2812     if (!password) {
2813         /* This is not the intention of this interface but err on the side
2814            of being safe */
2815         return vnc_display_disable_login(ds);
2816     }
2817 
2818     if (vs->password) {
2819         g_free(vs->password);
2820         vs->password = NULL;
2821     }
2822     vs->password = g_strdup(password);
2823     if (vs->auth == VNC_AUTH_NONE) {
2824         vs->auth = VNC_AUTH_VNC;
2825     }
2826 
2827     return 0;
2828 }
2829 
2830 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
2831 {
2832     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2833 
2834     vs->expires = expires;
2835     return 0;
2836 }
2837 
2838 char *vnc_display_local_addr(DisplayState *ds)
2839 {
2840     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2841 
2842     return vnc_socket_local_addr("%s:%s", vs->lsock);
2843 }
2844 
2845 int vnc_display_open(DisplayState *ds, const char *display)
2846 {
2847     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
2848     const char *options;
2849     int password = 0;
2850     int reverse = 0;
2851 #ifdef CONFIG_VNC_TLS
2852     int tls = 0, x509 = 0;
2853 #endif
2854 #ifdef CONFIG_VNC_SASL
2855     int sasl = 0;
2856     int saslErr;
2857 #endif
2858 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
2859     int acl = 0;
2860 #endif
2861     int lock_key_sync = 1;
2862 
2863     if (!vnc_display)
2864         return -1;
2865     vnc_display_close(ds);
2866     if (strcmp(display, "none") == 0)
2867         return 0;
2868 
2869     if (!(vs->display = strdup(display)))
2870         return -1;
2871     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
2872 
2873     options = display;
2874     while ((options = strchr(options, ','))) {
2875         options++;
2876         if (strncmp(options, "password", 8) == 0) {
2877             password = 1; /* Require password auth */
2878         } else if (strncmp(options, "reverse", 7) == 0) {
2879             reverse = 1;
2880         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
2881             lock_key_sync = 0;
2882 #ifdef CONFIG_VNC_SASL
2883         } else if (strncmp(options, "sasl", 4) == 0) {
2884             sasl = 1; /* Require SASL auth */
2885 #endif
2886 #ifdef CONFIG_VNC_TLS
2887         } else if (strncmp(options, "tls", 3) == 0) {
2888             tls = 1; /* Require TLS */
2889         } else if (strncmp(options, "x509", 4) == 0) {
2890             char *start, *end;
2891             x509 = 1; /* Require x509 certificates */
2892             if (strncmp(options, "x509verify", 10) == 0)
2893                 vs->tls.x509verify = 1; /* ...and verify client certs */
2894 
2895             /* Now check for 'x509=/some/path' postfix
2896              * and use that to setup x509 certificate/key paths */
2897             start = strchr(options, '=');
2898             end = strchr(options, ',');
2899             if (start && (!end || (start < end))) {
2900                 int len = end ? end-(start+1) : strlen(start+1);
2901                 char *path = g_strndup(start + 1, len);
2902 
2903                 VNC_DEBUG("Trying certificate path '%s'\n", path);
2904                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
2905                     fprintf(stderr, "Failed to find x509 certificates/keys in %s\n", path);
2906                     g_free(path);
2907                     g_free(vs->display);
2908                     vs->display = NULL;
2909                     return -1;
2910                 }
2911                 g_free(path);
2912             } else {
2913                 fprintf(stderr, "No certificate path provided\n");
2914                 g_free(vs->display);
2915                 vs->display = NULL;
2916                 return -1;
2917             }
2918 #endif
2919 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
2920         } else if (strncmp(options, "acl", 3) == 0) {
2921             acl = 1;
2922 #endif
2923         } else if (strncmp(options, "lossy", 5) == 0) {
2924             vs->lossy = true;
2925         } else if (strncmp(options, "non-adapative", 13) == 0) {
2926             vs->non_adaptive = true;
2927         } else if (strncmp(options, "share=", 6) == 0) {
2928             if (strncmp(options+6, "ignore", 6) == 0) {
2929                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
2930             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
2931                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
2932             } else if (strncmp(options+6, "force-shared", 12) == 0) {
2933                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
2934             } else {
2935                 fprintf(stderr, "unknown vnc share= option\n");
2936                 g_free(vs->display);
2937                 vs->display = NULL;
2938                 return -1;
2939             }
2940         }
2941     }
2942 
2943 #ifdef CONFIG_VNC_TLS
2944     if (acl && x509 && vs->tls.x509verify) {
2945         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
2946             fprintf(stderr, "Failed to create x509 dname ACL\n");
2947             exit(1);
2948         }
2949     }
2950 #endif
2951 #ifdef CONFIG_VNC_SASL
2952     if (acl && sasl) {
2953         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
2954             fprintf(stderr, "Failed to create username ACL\n");
2955             exit(1);
2956         }
2957     }
2958 #endif
2959 
2960     /*
2961      * Combinations we support here:
2962      *
2963      *  - no-auth                (clear text, no auth)
2964      *  - password               (clear text, weak auth)
2965      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
2966      *  - tls                    (encrypt, weak anonymous creds, no auth)
2967      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
2968      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
2969      *  - tls + x509             (encrypt, good x509 creds, no auth)
2970      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
2971      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
2972      *
2973      * NB1. TLS is a stackable auth scheme.
2974      * NB2. the x509 schemes have option to validate a client cert dname
2975      */
2976     if (password) {
2977 #ifdef CONFIG_VNC_TLS
2978         if (tls) {
2979             vs->auth = VNC_AUTH_VENCRYPT;
2980             if (x509) {
2981                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
2982                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
2983             } else {
2984                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
2985                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
2986             }
2987         } else {
2988 #endif /* CONFIG_VNC_TLS */
2989             VNC_DEBUG("Initializing VNC server with password auth\n");
2990             vs->auth = VNC_AUTH_VNC;
2991 #ifdef CONFIG_VNC_TLS
2992             vs->subauth = VNC_AUTH_INVALID;
2993         }
2994 #endif /* CONFIG_VNC_TLS */
2995 #ifdef CONFIG_VNC_SASL
2996     } else if (sasl) {
2997 #ifdef CONFIG_VNC_TLS
2998         if (tls) {
2999             vs->auth = VNC_AUTH_VENCRYPT;
3000             if (x509) {
3001                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3002                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3003             } else {
3004                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3005                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3006             }
3007         } else {
3008 #endif /* CONFIG_VNC_TLS */
3009             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3010             vs->auth = VNC_AUTH_SASL;
3011 #ifdef CONFIG_VNC_TLS
3012             vs->subauth = VNC_AUTH_INVALID;
3013         }
3014 #endif /* CONFIG_VNC_TLS */
3015 #endif /* CONFIG_VNC_SASL */
3016     } else {
3017 #ifdef CONFIG_VNC_TLS
3018         if (tls) {
3019             vs->auth = VNC_AUTH_VENCRYPT;
3020             if (x509) {
3021                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3022                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3023             } else {
3024                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3025                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3026             }
3027         } else {
3028 #endif
3029             VNC_DEBUG("Initializing VNC server with no auth\n");
3030             vs->auth = VNC_AUTH_NONE;
3031 #ifdef CONFIG_VNC_TLS
3032             vs->subauth = VNC_AUTH_INVALID;
3033         }
3034 #endif
3035     }
3036 
3037 #ifdef CONFIG_VNC_SASL
3038     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3039         fprintf(stderr, "Failed to initialize SASL auth %s",
3040                 sasl_errstring(saslErr, NULL, NULL));
3041         g_free(vs->display);
3042         vs->display = NULL;
3043         return -1;
3044     }
3045 #endif
3046     vs->lock_key_sync = lock_key_sync;
3047 
3048     if (reverse) {
3049         /* connect to viewer */
3050         if (strncmp(display, "unix:", 5) == 0)
3051             vs->lsock = unix_connect(display+5);
3052         else
3053             vs->lsock = inet_connect(display, SOCK_STREAM);
3054         if (-1 == vs->lsock) {
3055             g_free(vs->display);
3056             vs->display = NULL;
3057             return -1;
3058         } else {
3059             int csock = vs->lsock;
3060             vs->lsock = -1;
3061             vnc_connect(vs, csock, 0);
3062         }
3063         return 0;
3064 
3065     } else {
3066         /* listen for connects */
3067         char *dpy;
3068         dpy = g_malloc(256);
3069         if (strncmp(display, "unix:", 5) == 0) {
3070             pstrcpy(dpy, 256, "unix:");
3071             vs->lsock = unix_listen(display+5, dpy+5, 256-5);
3072         } else {
3073             vs->lsock = inet_listen(display, dpy, 256, SOCK_STREAM, 5900);
3074         }
3075         if (-1 == vs->lsock) {
3076             g_free(dpy);
3077             return -1;
3078         } else {
3079             g_free(vs->display);
3080             vs->display = dpy;
3081         }
3082     }
3083     return qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
3084 }
3085 
3086 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth)
3087 {
3088     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
3089 
3090     return vnc_connect(vs, csock, skipauth);
3091 }
3092