xref: /openbmc/qemu/ui/vnc.c (revision 2f44bea9)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "qemu-common.h"
29 #include "vnc.h"
30 #include "vnc-jobs.h"
31 #include "trace.h"
32 #include "hw/qdev-core.h"
33 #include "sysemu/sysemu.h"
34 #include "sysemu/runstate.h"
35 #include "qemu/error-report.h"
36 #include "qemu/main-loop.h"
37 #include "qemu/module.h"
38 #include "qemu/option.h"
39 #include "qemu/sockets.h"
40 #include "qemu/timer.h"
41 #include "authz/list.h"
42 #include "qemu/config-file.h"
43 #include "qapi/qapi-emit-events.h"
44 #include "qapi/qapi-events-ui.h"
45 #include "qapi/error.h"
46 #include "qapi/qapi-commands-ui.h"
47 #include "ui/input.h"
48 #include "crypto/hash.h"
49 #include "crypto/tlscreds.h"
50 #include "crypto/tlscredsanon.h"
51 #include "crypto/tlscredsx509.h"
52 #include "crypto/random.h"
53 #include "crypto/secret_common.h"
54 #include "qom/object_interfaces.h"
55 #include "qemu/cutils.h"
56 #include "qemu/help_option.h"
57 #include "io/dns-resolver.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->has_auth = true;
248     info->auth = g_strdup(vnc_auth_name(vd));
249     if (err) {
250         qapi_free_VncServerInfo(info);
251         info = NULL;
252         error_free(err);
253     }
254     return info;
255 }
256 
257 static void vnc_client_cache_auth(VncState *client)
258 {
259     if (!client->info) {
260         return;
261     }
262 
263     if (client->tls) {
264         client->info->x509_dname =
265             qcrypto_tls_session_get_peer_name(client->tls);
266         client->info->has_x509_dname =
267             client->info->x509_dname != NULL;
268     }
269 #ifdef CONFIG_VNC_SASL
270     if (client->sasl.conn &&
271         client->sasl.username) {
272         client->info->has_sasl_username = true;
273         client->info->sasl_username = g_strdup(client->sasl.username);
274     }
275 #endif
276 }
277 
278 static void vnc_client_cache_addr(VncState *client)
279 {
280     Error *err = NULL;
281 
282     client->info = g_malloc0(sizeof(*client->info));
283     vnc_init_basic_info_from_remote_addr(client->sioc,
284                                          qapi_VncClientInfo_base(client->info),
285                                          &err);
286     client->info->websocket = client->websocket;
287     if (err) {
288         qapi_free_VncClientInfo(client->info);
289         client->info = NULL;
290         error_free(err);
291     }
292 }
293 
294 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
295 {
296     VncServerInfo *si;
297 
298     if (!vs->info) {
299         return;
300     }
301 
302     si = vnc_server_info_get(vs->vd);
303     if (!si) {
304         return;
305     }
306 
307     switch (event) {
308     case QAPI_EVENT_VNC_CONNECTED:
309         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
310         break;
311     case QAPI_EVENT_VNC_INITIALIZED:
312         qapi_event_send_vnc_initialized(si, vs->info);
313         break;
314     case QAPI_EVENT_VNC_DISCONNECTED:
315         qapi_event_send_vnc_disconnected(si, vs->info);
316         break;
317     default:
318         break;
319     }
320 
321     qapi_free_VncServerInfo(si);
322 }
323 
324 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
325 {
326     VncClientInfo *info;
327     Error *err = NULL;
328 
329     info = g_malloc0(sizeof(*info));
330 
331     vnc_init_basic_info_from_remote_addr(client->sioc,
332                                          qapi_VncClientInfo_base(info),
333                                          &err);
334     if (err) {
335         error_free(err);
336         qapi_free_VncClientInfo(info);
337         return NULL;
338     }
339 
340     info->websocket = client->websocket;
341 
342     if (client->tls) {
343         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
344         info->has_x509_dname = info->x509_dname != NULL;
345     }
346 #ifdef CONFIG_VNC_SASL
347     if (client->sasl.conn && client->sasl.username) {
348         info->has_sasl_username = true;
349         info->sasl_username = g_strdup(client->sasl.username);
350     }
351 #endif
352 
353     return info;
354 }
355 
356 static VncDisplay *vnc_display_find(const char *id)
357 {
358     VncDisplay *vd;
359 
360     if (id == NULL) {
361         return QTAILQ_FIRST(&vnc_displays);
362     }
363     QTAILQ_FOREACH(vd, &vnc_displays, next) {
364         if (strcmp(id, vd->id) == 0) {
365             return vd;
366         }
367     }
368     return NULL;
369 }
370 
371 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
372 {
373     VncClientInfoList *prev = NULL;
374     VncState *client;
375 
376     QTAILQ_FOREACH(client, &vd->clients, next) {
377         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
378     }
379     return prev;
380 }
381 
382 VncInfo *qmp_query_vnc(Error **errp)
383 {
384     VncInfo *info = g_malloc0(sizeof(*info));
385     VncDisplay *vd = vnc_display_find(NULL);
386     SocketAddress *addr = NULL;
387 
388     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
389         info->enabled = false;
390     } else {
391         info->enabled = true;
392 
393         /* for compatibility with the original command */
394         info->has_clients = true;
395         info->clients = qmp_query_client_list(vd);
396 
397         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
398                                                     errp);
399         if (!addr) {
400             goto out_error;
401         }
402 
403         switch (addr->type) {
404         case SOCKET_ADDRESS_TYPE_INET:
405             info->host = g_strdup(addr->u.inet.host);
406             info->service = g_strdup(addr->u.inet.port);
407             if (addr->u.inet.ipv6) {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
409             } else {
410                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
411             }
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_UNIX:
415             info->host = g_strdup("");
416             info->service = g_strdup(addr->u.q_unix.path);
417             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
418             break;
419 
420         case SOCKET_ADDRESS_TYPE_VSOCK:
421         case SOCKET_ADDRESS_TYPE_FD:
422             error_setg(errp, "Unsupported socket address type %s",
423                        SocketAddressType_str(addr->type));
424             goto out_error;
425         default:
426             abort();
427         }
428 
429         info->has_host = true;
430         info->has_service = true;
431         info->has_family = true;
432 
433         info->has_auth = true;
434         info->auth = g_strdup(vnc_auth_name(vd));
435     }
436 
437     qapi_free_SocketAddress(addr);
438     return info;
439 
440 out_error:
441     qapi_free_SocketAddress(addr);
442     qapi_free_VncInfo(info);
443     return NULL;
444 }
445 
446 
447 static void qmp_query_auth(int auth, int subauth,
448                            VncPrimaryAuth *qmp_auth,
449                            VncVencryptSubAuth *qmp_vencrypt,
450                            bool *qmp_has_vencrypt);
451 
452 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
453                                                   bool websocket,
454                                                   int auth,
455                                                   int subauth,
456                                                   VncServerInfo2List *prev)
457 {
458     VncServerInfo2 *info;
459     Error *err = NULL;
460     SocketAddress *addr;
461 
462     addr = qio_channel_socket_get_local_address(ioc, NULL);
463     if (!addr) {
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     QAPI_LIST_PREPEND(prev, info);
481     return prev;
482 }
483 
484 static void qmp_query_auth(int auth, int subauth,
485                            VncPrimaryAuth *qmp_auth,
486                            VncVencryptSubAuth *qmp_vencrypt,
487                            bool *qmp_has_vencrypt)
488 {
489     switch (auth) {
490     case VNC_AUTH_VNC:
491         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
492         break;
493     case VNC_AUTH_RA2:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
495         break;
496     case VNC_AUTH_RA2NE:
497         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
498         break;
499     case VNC_AUTH_TIGHT:
500         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
501         break;
502     case VNC_AUTH_ULTRA:
503         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
504         break;
505     case VNC_AUTH_TLS:
506         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
507         break;
508     case VNC_AUTH_VENCRYPT:
509         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
510         *qmp_has_vencrypt = true;
511         switch (subauth) {
512         case VNC_AUTH_VENCRYPT_PLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSNONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSVNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_TLSPLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_X509NONE:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
526             break;
527         case VNC_AUTH_VENCRYPT_X509VNC:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
529             break;
530         case VNC_AUTH_VENCRYPT_X509PLAIN:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
532             break;
533         case VNC_AUTH_VENCRYPT_TLSSASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
535             break;
536         case VNC_AUTH_VENCRYPT_X509SASL:
537             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
538             break;
539         default:
540             *qmp_has_vencrypt = false;
541             break;
542         }
543         break;
544     case VNC_AUTH_SASL:
545         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
546         break;
547     case VNC_AUTH_NONE:
548     default:
549         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
550         break;
551     }
552 }
553 
554 VncInfo2List *qmp_query_vnc_servers(Error **errp)
555 {
556     VncInfo2List *prev = NULL;
557     VncInfo2 *info;
558     VncDisplay *vd;
559     DeviceState *dev;
560     size_t i;
561 
562     QTAILQ_FOREACH(vd, &vnc_displays, next) {
563         info = g_new0(VncInfo2, 1);
564         info->id = g_strdup(vd->id);
565         info->clients = qmp_query_client_list(vd);
566         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
567                        &info->vencrypt, &info->has_vencrypt);
568         if (vd->dcl.con) {
569             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
570                                                   "device", &error_abort));
571             info->has_display = true;
572             info->display = g_strdup(dev->id);
573         }
574         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
575             info->server = qmp_query_server_entry(
576                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
577                 info->server);
578         }
579         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
580             info->server = qmp_query_server_entry(
581                 vd->wslistener->sioc[i], true, vd->ws_auth,
582                 vd->ws_subauth, info->server);
583         }
584 
585         QAPI_LIST_PREPEND(prev, info);
586     }
587     return prev;
588 }
589 
590 bool vnc_display_reload_certs(const char *id, Error **errp)
591 {
592     VncDisplay *vd = vnc_display_find(id);
593     QCryptoTLSCredsClass *creds = NULL;
594 
595     if (!vd) {
596         error_setg(errp, "Can not find vnc display");
597         return false;
598     }
599 
600     if (!vd->tlscreds) {
601         error_setg(errp, "vnc tls is not enabled");
602         return false;
603     }
604 
605     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
606     if (creds->reload == NULL) {
607         error_setg(errp, "%s doesn't support to reload TLS credential",
608                    object_get_typename(OBJECT(vd->tlscreds)));
609         return false;
610     }
611     if (!creds->reload(vd->tlscreds, errp)) {
612         return false;
613     }
614 
615     return true;
616 }
617 
618 /* TODO
619    1) Get the queue working for IO.
620    2) there is some weirdness when using the -S option (the screen is grey
621       and not totally invalidated
622    3) resolutions > 1024
623 */
624 
625 static int vnc_update_client(VncState *vs, int has_dirty);
626 static void vnc_disconnect_start(VncState *vs);
627 
628 static void vnc_colordepth(VncState *vs);
629 static void framebuffer_update_request(VncState *vs, int incremental,
630                                        int x_position, int y_position,
631                                        int w, int h);
632 static void vnc_refresh(DisplayChangeListener *dcl);
633 static int vnc_refresh_server_surface(VncDisplay *vd);
634 
635 static int vnc_width(VncDisplay *vd)
636 {
637     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
638                                        VNC_DIRTY_PIXELS_PER_BIT));
639 }
640 
641 static int vnc_true_width(VncDisplay *vd)
642 {
643     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
644 }
645 
646 static int vnc_height(VncDisplay *vd)
647 {
648     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
649 }
650 
651 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
652                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
653                                VncDisplay *vd,
654                                int x, int y, int w, int h)
655 {
656     int width = vnc_width(vd);
657     int height = vnc_height(vd);
658 
659     /* this is needed this to ensure we updated all affected
660      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
661     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
662     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
663 
664     x = MIN(x, width);
665     y = MIN(y, height);
666     w = MIN(x + w, width) - x;
667     h = MIN(y + h, height);
668 
669     for (; y < h; y++) {
670         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
671                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
672     }
673 }
674 
675 static void vnc_dpy_update(DisplayChangeListener *dcl,
676                            int x, int y, int w, int h)
677 {
678     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
679     struct VncSurface *s = &vd->guest;
680 
681     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
682 }
683 
684 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
685                             int32_t encoding)
686 {
687     vnc_write_u16(vs, x);
688     vnc_write_u16(vs, y);
689     vnc_write_u16(vs, w);
690     vnc_write_u16(vs, h);
691 
692     vnc_write_s32(vs, encoding);
693 }
694 
695 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
696 {
697     trace_vnc_msg_server_ext_desktop_resize(
698         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
699 
700     vnc_lock_output(vs);
701     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
702     vnc_write_u8(vs, 0);
703     vnc_write_u16(vs, 1); /* number of rects */
704     vnc_framebuffer_update(vs,
705                            reject_reason ? 1 : 0,
706                            reject_reason,
707                            vs->client_width, vs->client_height,
708                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
709     vnc_write_u8(vs, 1);  /* number of screens */
710     vnc_write_u8(vs, 0);  /* padding */
711     vnc_write_u8(vs, 0);  /* padding */
712     vnc_write_u8(vs, 0);  /* padding */
713     vnc_write_u32(vs, 0); /* screen id */
714     vnc_write_u16(vs, 0); /* screen x-pos */
715     vnc_write_u16(vs, 0); /* screen y-pos */
716     vnc_write_u16(vs, vs->client_width);
717     vnc_write_u16(vs, vs->client_height);
718     vnc_write_u32(vs, 0); /* screen flags */
719     vnc_unlock_output(vs);
720     vnc_flush(vs);
721 }
722 
723 static void vnc_desktop_resize(VncState *vs)
724 {
725     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
726                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
727         return;
728     }
729     if (vs->client_width == vs->vd->true_width &&
730         vs->client_height == pixman_image_get_height(vs->vd->server)) {
731         return;
732     }
733 
734     assert(vs->vd->true_width < 65536 &&
735            vs->vd->true_width >= 0);
736     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
737            pixman_image_get_height(vs->vd->server) >= 0);
738     vs->client_width = vs->vd->true_width;
739     vs->client_height = pixman_image_get_height(vs->vd->server);
740 
741     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
742         vnc_desktop_resize_ext(vs, 0);
743         return;
744     }
745 
746     trace_vnc_msg_server_desktop_resize(
747         vs, vs->ioc, vs->client_width, vs->client_height);
748 
749     vnc_lock_output(vs);
750     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
751     vnc_write_u8(vs, 0);
752     vnc_write_u16(vs, 1); /* number of rects */
753     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
754                            VNC_ENCODING_DESKTOPRESIZE);
755     vnc_unlock_output(vs);
756     vnc_flush(vs);
757 }
758 
759 static void vnc_abort_display_jobs(VncDisplay *vd)
760 {
761     VncState *vs;
762 
763     QTAILQ_FOREACH(vs, &vd->clients, next) {
764         vnc_lock_output(vs);
765         vs->abort = true;
766         vnc_unlock_output(vs);
767     }
768     QTAILQ_FOREACH(vs, &vd->clients, next) {
769         vnc_jobs_join(vs);
770     }
771     QTAILQ_FOREACH(vs, &vd->clients, next) {
772         vnc_lock_output(vs);
773         if (vs->update == VNC_STATE_UPDATE_NONE &&
774             vs->job_update != VNC_STATE_UPDATE_NONE) {
775             /* job aborted before completion */
776             vs->update = vs->job_update;
777             vs->job_update = VNC_STATE_UPDATE_NONE;
778         }
779         vs->abort = false;
780         vnc_unlock_output(vs);
781     }
782 }
783 
784 int vnc_server_fb_stride(VncDisplay *vd)
785 {
786     return pixman_image_get_stride(vd->server);
787 }
788 
789 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
790 {
791     uint8_t *ptr;
792 
793     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
794     ptr += y * vnc_server_fb_stride(vd);
795     ptr += x * VNC_SERVER_FB_BYTES;
796     return ptr;
797 }
798 
799 static void vnc_update_server_surface(VncDisplay *vd)
800 {
801     int width, height;
802 
803     qemu_pixman_image_unref(vd->server);
804     vd->server = NULL;
805 
806     if (QTAILQ_EMPTY(&vd->clients)) {
807         return;
808     }
809 
810     width = vnc_width(vd);
811     height = vnc_height(vd);
812     vd->true_width = vnc_true_width(vd);
813     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
814                                           width, height,
815                                           NULL, 0);
816 
817     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
818     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
819                        width, height);
820 }
821 
822 static bool vnc_check_pageflip(DisplaySurface *s1,
823                                DisplaySurface *s2)
824 {
825     return (s1 != NULL &&
826             s2 != NULL &&
827             surface_width(s1) == surface_width(s2) &&
828             surface_height(s1) == surface_height(s2) &&
829             surface_format(s1) == surface_format(s2));
830 
831 }
832 
833 static void vnc_dpy_switch(DisplayChangeListener *dcl,
834                            DisplaySurface *surface)
835 {
836     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
837     bool pageflip = vnc_check_pageflip(vd->ds, surface);
838     VncState *vs;
839 
840     vnc_abort_display_jobs(vd);
841     vd->ds = surface;
842 
843     /* guest surface */
844     qemu_pixman_image_unref(vd->guest.fb);
845     vd->guest.fb = pixman_image_ref(surface->image);
846     vd->guest.format = surface->format;
847 
848 
849     if (pageflip) {
850         trace_vnc_server_dpy_pageflip(vd,
851                                       surface_width(surface),
852                                       surface_height(surface),
853                                       surface_format(surface));
854         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
855                            surface_width(surface),
856                            surface_height(surface));
857         return;
858     }
859 
860     trace_vnc_server_dpy_recreate(vd,
861                                   surface_width(surface),
862                                   surface_height(surface),
863                                   surface_format(surface));
864     /* server surface */
865     vnc_update_server_surface(vd);
866 
867     QTAILQ_FOREACH(vs, &vd->clients, next) {
868         vnc_colordepth(vs);
869         vnc_desktop_resize(vs);
870         vnc_cursor_define(vs);
871         memset(vs->dirty, 0x00, sizeof(vs->dirty));
872         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
873                            vnc_width(vd),
874                            vnc_height(vd));
875         vnc_update_throttle_offset(vs);
876     }
877 }
878 
879 /* fastest code */
880 static void vnc_write_pixels_copy(VncState *vs,
881                                   void *pixels, int size)
882 {
883     vnc_write(vs, pixels, size);
884 }
885 
886 /* slowest but generic code. */
887 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
888 {
889     uint8_t r, g, b;
890 
891 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
892     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
893     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
894     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
895 #else
896 # error need some bits here if you change VNC_SERVER_FB_FORMAT
897 #endif
898     v = (r << vs->client_pf.rshift) |
899         (g << vs->client_pf.gshift) |
900         (b << vs->client_pf.bshift);
901     switch (vs->client_pf.bytes_per_pixel) {
902     case 1:
903         buf[0] = v;
904         break;
905     case 2:
906         if (vs->client_be) {
907             buf[0] = v >> 8;
908             buf[1] = v;
909         } else {
910             buf[1] = v >> 8;
911             buf[0] = v;
912         }
913         break;
914     default:
915     case 4:
916         if (vs->client_be) {
917             buf[0] = v >> 24;
918             buf[1] = v >> 16;
919             buf[2] = v >> 8;
920             buf[3] = v;
921         } else {
922             buf[3] = v >> 24;
923             buf[2] = v >> 16;
924             buf[1] = v >> 8;
925             buf[0] = v;
926         }
927         break;
928     }
929 }
930 
931 static void vnc_write_pixels_generic(VncState *vs,
932                                      void *pixels1, int size)
933 {
934     uint8_t buf[4];
935 
936     if (VNC_SERVER_FB_BYTES == 4) {
937         uint32_t *pixels = pixels1;
938         int n, i;
939         n = size >> 2;
940         for (i = 0; i < n; i++) {
941             vnc_convert_pixel(vs, buf, pixels[i]);
942             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
943         }
944     }
945 }
946 
947 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
948 {
949     int i;
950     uint8_t *row;
951     VncDisplay *vd = vs->vd;
952 
953     row = vnc_server_fb_ptr(vd, x, y);
954     for (i = 0; i < h; i++) {
955         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
956         row += vnc_server_fb_stride(vd);
957     }
958     return 1;
959 }
960 
961 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
962 {
963     int n = 0;
964 
965     switch(vs->vnc_encoding) {
966         case VNC_ENCODING_ZLIB:
967             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_HEXTILE:
970             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
971             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
972             break;
973         case VNC_ENCODING_TIGHT:
974             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
975             break;
976         case VNC_ENCODING_TIGHT_PNG:
977             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
978             break;
979         case VNC_ENCODING_ZRLE:
980             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
981             break;
982         case VNC_ENCODING_ZYWRLE:
983             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
984             break;
985         default:
986             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
987             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
988             break;
989     }
990     return n;
991 }
992 
993 static void vnc_mouse_set(DisplayChangeListener *dcl,
994                           int x, int y, int visible)
995 {
996     /* can we ask the client(s) to move the pointer ??? */
997 }
998 
999 static int vnc_cursor_define(VncState *vs)
1000 {
1001     QEMUCursor *c = vs->vd->cursor;
1002     int isize;
1003 
1004     if (!vs->vd->cursor) {
1005         return -1;
1006     }
1007 
1008     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1009         vnc_lock_output(vs);
1010         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1011         vnc_write_u8(vs,  0);  /*  padding     */
1012         vnc_write_u16(vs, 1);  /*  # of rects  */
1013         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1014                                VNC_ENCODING_ALPHA_CURSOR);
1015         vnc_write_s32(vs, VNC_ENCODING_RAW);
1016         vnc_write(vs, c->data, c->width * c->height * 4);
1017         vnc_unlock_output(vs);
1018         return 0;
1019     }
1020     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1021         vnc_lock_output(vs);
1022         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1023         vnc_write_u8(vs,  0);  /*  padding     */
1024         vnc_write_u16(vs, 1);  /*  # of rects  */
1025         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1026                                VNC_ENCODING_RICH_CURSOR);
1027         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1028         vnc_write_pixels_generic(vs, c->data, isize);
1029         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1030         vnc_unlock_output(vs);
1031         return 0;
1032     }
1033     return -1;
1034 }
1035 
1036 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1037                                   QEMUCursor *c)
1038 {
1039     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1040     VncState *vs;
1041 
1042     cursor_put(vd->cursor);
1043     g_free(vd->cursor_mask);
1044 
1045     vd->cursor = c;
1046     cursor_get(vd->cursor);
1047     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1048     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1049     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1050 
1051     QTAILQ_FOREACH(vs, &vd->clients, next) {
1052         vnc_cursor_define(vs);
1053     }
1054 }
1055 
1056 static int find_and_clear_dirty_height(VncState *vs,
1057                                        int y, int last_x, int x, int height)
1058 {
1059     int h;
1060 
1061     for (h = 1; h < (height - y); h++) {
1062         if (!test_bit(last_x, vs->dirty[y + h])) {
1063             break;
1064         }
1065         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1066     }
1067 
1068     return h;
1069 }
1070 
1071 /*
1072  * Figure out how much pending data we should allow in the output
1073  * buffer before we throttle incremental display updates, and/or
1074  * drop audio samples.
1075  *
1076  * We allow for equiv of 1 full display's worth of FB updates,
1077  * and 1 second of audio samples. If audio backlog was larger
1078  * than that the client would already suffering awful audio
1079  * glitches, so dropping samples is no worse really).
1080  */
1081 static void vnc_update_throttle_offset(VncState *vs)
1082 {
1083     size_t offset =
1084         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1085 
1086     if (vs->audio_cap) {
1087         int bps;
1088         switch (vs->as.fmt) {
1089         default:
1090         case  AUDIO_FORMAT_U8:
1091         case  AUDIO_FORMAT_S8:
1092             bps = 1;
1093             break;
1094         case  AUDIO_FORMAT_U16:
1095         case  AUDIO_FORMAT_S16:
1096             bps = 2;
1097             break;
1098         case  AUDIO_FORMAT_U32:
1099         case  AUDIO_FORMAT_S32:
1100             bps = 4;
1101             break;
1102         }
1103         offset += vs->as.freq * bps * vs->as.nchannels;
1104     }
1105 
1106     /* Put a floor of 1MB on offset, so that if we have a large pending
1107      * buffer and the display is resized to a small size & back again
1108      * we don't suddenly apply a tiny send limit
1109      */
1110     offset = MAX(offset, 1024 * 1024);
1111 
1112     if (vs->throttle_output_offset != offset) {
1113         trace_vnc_client_throttle_threshold(
1114             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1115             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1116     }
1117 
1118     vs->throttle_output_offset = offset;
1119 }
1120 
1121 static bool vnc_should_update(VncState *vs)
1122 {
1123     switch (vs->update) {
1124     case VNC_STATE_UPDATE_NONE:
1125         break;
1126     case VNC_STATE_UPDATE_INCREMENTAL:
1127         /* Only allow incremental updates if the pending send queue
1128          * is less than the permitted threshold, and the job worker
1129          * is completely idle.
1130          */
1131         if (vs->output.offset < vs->throttle_output_offset &&
1132             vs->job_update == VNC_STATE_UPDATE_NONE) {
1133             return true;
1134         }
1135         trace_vnc_client_throttle_incremental(
1136             vs, vs->ioc, vs->job_update, vs->output.offset);
1137         break;
1138     case VNC_STATE_UPDATE_FORCE:
1139         /* Only allow forced updates if the pending send queue
1140          * does not contain a previous forced update, and the
1141          * job worker is completely idle.
1142          *
1143          * Note this means we'll queue a forced update, even if
1144          * the output buffer size is otherwise over the throttle
1145          * output limit.
1146          */
1147         if (vs->force_update_offset == 0 &&
1148             vs->job_update == VNC_STATE_UPDATE_NONE) {
1149             return true;
1150         }
1151         trace_vnc_client_throttle_forced(
1152             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1153         break;
1154     }
1155     return false;
1156 }
1157 
1158 static int vnc_update_client(VncState *vs, int has_dirty)
1159 {
1160     VncDisplay *vd = vs->vd;
1161     VncJob *job;
1162     int y;
1163     int height, width;
1164     int n = 0;
1165 
1166     if (vs->disconnecting) {
1167         vnc_disconnect_finish(vs);
1168         return 0;
1169     }
1170 
1171     vs->has_dirty += has_dirty;
1172     if (!vnc_should_update(vs)) {
1173         return 0;
1174     }
1175 
1176     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1177         return 0;
1178     }
1179 
1180     /*
1181      * Send screen updates to the vnc client using the server
1182      * surface and server dirty map.  guest surface updates
1183      * happening in parallel don't disturb us, the next pass will
1184      * send them to the client.
1185      */
1186     job = vnc_job_new(vs);
1187 
1188     height = pixman_image_get_height(vd->server);
1189     width = pixman_image_get_width(vd->server);
1190 
1191     y = 0;
1192     for (;;) {
1193         int x, h;
1194         unsigned long x2;
1195         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1196                                              height * VNC_DIRTY_BPL(vs),
1197                                              y * VNC_DIRTY_BPL(vs));
1198         if (offset == height * VNC_DIRTY_BPL(vs)) {
1199             /* no more dirty bits */
1200             break;
1201         }
1202         y = offset / VNC_DIRTY_BPL(vs);
1203         x = offset % VNC_DIRTY_BPL(vs);
1204         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1205                                 VNC_DIRTY_BPL(vs), x);
1206         bitmap_clear(vs->dirty[y], x, x2 - x);
1207         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1208         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1209         if (x2 > x) {
1210             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1211                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1212         }
1213         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1214             y += h;
1215             if (y == height) {
1216                 break;
1217             }
1218         }
1219     }
1220 
1221     vs->job_update = vs->update;
1222     vs->update = VNC_STATE_UPDATE_NONE;
1223     vnc_job_push(job);
1224     vs->has_dirty = 0;
1225     return n;
1226 }
1227 
1228 /* audio */
1229 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1230 {
1231     VncState *vs = opaque;
1232 
1233     assert(vs->magic == VNC_MAGIC);
1234     switch (cmd) {
1235     case AUD_CNOTIFY_DISABLE:
1236         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1237         vnc_lock_output(vs);
1238         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1239         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1240         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1241         vnc_unlock_output(vs);
1242         vnc_flush(vs);
1243         break;
1244 
1245     case AUD_CNOTIFY_ENABLE:
1246         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1247         vnc_lock_output(vs);
1248         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1249         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1250         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1251         vnc_unlock_output(vs);
1252         vnc_flush(vs);
1253         break;
1254     }
1255 }
1256 
1257 static void audio_capture_destroy(void *opaque)
1258 {
1259 }
1260 
1261 static void audio_capture(void *opaque, const void *buf, int size)
1262 {
1263     VncState *vs = opaque;
1264 
1265     assert(vs->magic == VNC_MAGIC);
1266     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1267     vnc_lock_output(vs);
1268     if (vs->output.offset < vs->throttle_output_offset) {
1269         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1270         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1271         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1272         vnc_write_u32(vs, size);
1273         vnc_write(vs, buf, size);
1274     } else {
1275         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1276     }
1277     vnc_unlock_output(vs);
1278     vnc_flush(vs);
1279 }
1280 
1281 static void audio_add(VncState *vs)
1282 {
1283     struct audio_capture_ops ops;
1284 
1285     if (vs->audio_cap) {
1286         error_report("audio already running");
1287         return;
1288     }
1289 
1290     ops.notify = audio_capture_notify;
1291     ops.destroy = audio_capture_destroy;
1292     ops.capture = audio_capture;
1293 
1294     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1295     if (!vs->audio_cap) {
1296         error_report("Failed to add audio capture");
1297     }
1298 }
1299 
1300 static void audio_del(VncState *vs)
1301 {
1302     if (vs->audio_cap) {
1303         AUD_del_capture(vs->audio_cap, vs);
1304         vs->audio_cap = NULL;
1305     }
1306 }
1307 
1308 static void vnc_disconnect_start(VncState *vs)
1309 {
1310     if (vs->disconnecting) {
1311         return;
1312     }
1313     trace_vnc_client_disconnect_start(vs, vs->ioc);
1314     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1315     if (vs->ioc_tag) {
1316         g_source_remove(vs->ioc_tag);
1317         vs->ioc_tag = 0;
1318     }
1319     qio_channel_close(vs->ioc, NULL);
1320     vs->disconnecting = TRUE;
1321 }
1322 
1323 void vnc_disconnect_finish(VncState *vs)
1324 {
1325     int i;
1326 
1327     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1328 
1329     vnc_jobs_join(vs); /* Wait encoding jobs */
1330 
1331     vnc_lock_output(vs);
1332     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1333 
1334     buffer_free(&vs->input);
1335     buffer_free(&vs->output);
1336 
1337     qapi_free_VncClientInfo(vs->info);
1338 
1339     vnc_zlib_clear(vs);
1340     vnc_tight_clear(vs);
1341     vnc_zrle_clear(vs);
1342 
1343 #ifdef CONFIG_VNC_SASL
1344     vnc_sasl_client_cleanup(vs);
1345 #endif /* CONFIG_VNC_SASL */
1346     audio_del(vs);
1347     qkbd_state_lift_all_keys(vs->vd->kbd);
1348 
1349     if (vs->mouse_mode_notifier.notify != NULL) {
1350         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1351     }
1352     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1353     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1354         /* last client gone */
1355         vnc_update_server_surface(vs->vd);
1356     }
1357     if (vs->cbpeer.update.notify) {
1358         qemu_clipboard_peer_unregister(&vs->cbpeer);
1359     }
1360 
1361     vnc_unlock_output(vs);
1362 
1363     qemu_mutex_destroy(&vs->output_mutex);
1364     if (vs->bh != NULL) {
1365         qemu_bh_delete(vs->bh);
1366     }
1367     buffer_free(&vs->jobs_buffer);
1368 
1369     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1370         g_free(vs->lossy_rect[i]);
1371     }
1372     g_free(vs->lossy_rect);
1373 
1374     object_unref(OBJECT(vs->ioc));
1375     vs->ioc = NULL;
1376     object_unref(OBJECT(vs->sioc));
1377     vs->sioc = NULL;
1378     vs->magic = 0;
1379     g_free(vs->zrle);
1380     g_free(vs->tight);
1381     g_free(vs);
1382 }
1383 
1384 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1385 {
1386     if (ret <= 0) {
1387         if (ret == 0) {
1388             trace_vnc_client_eof(vs, vs->ioc);
1389             vnc_disconnect_start(vs);
1390         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1391             trace_vnc_client_io_error(vs, vs->ioc,
1392                                       err ? error_get_pretty(err) : "Unknown");
1393             vnc_disconnect_start(vs);
1394         }
1395 
1396         error_free(err);
1397         return 0;
1398     }
1399     return ret;
1400 }
1401 
1402 
1403 void vnc_client_error(VncState *vs)
1404 {
1405     VNC_DEBUG("Closing down client sock: protocol error\n");
1406     vnc_disconnect_start(vs);
1407 }
1408 
1409 
1410 /*
1411  * Called to write a chunk of data to the client socket. The data may
1412  * be the raw data, or may have already been encoded by SASL.
1413  * The data will be written either straight onto the socket, or
1414  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1415  *
1416  * NB, it is theoretically possible to have 2 layers of encryption,
1417  * both SASL, and this TLS layer. It is highly unlikely in practice
1418  * though, since SASL encryption will typically be a no-op if TLS
1419  * is active
1420  *
1421  * Returns the number of bytes written, which may be less than
1422  * the requested 'datalen' if the socket would block. Returns
1423  * 0 on I/O error, and disconnects the client socket.
1424  */
1425 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1426 {
1427     Error *err = NULL;
1428     ssize_t ret;
1429     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1430     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1431     return vnc_client_io_error(vs, ret, err);
1432 }
1433 
1434 
1435 /*
1436  * Called to write buffered data to the client socket, when not
1437  * using any SASL SSF encryption layers. Will write as much data
1438  * as possible without blocking. If all buffered data is written,
1439  * will switch the FD poll() handler back to read monitoring.
1440  *
1441  * Returns the number of bytes written, which may be less than
1442  * the buffered output data if the socket would block.  Returns
1443  * 0 on I/O error, and disconnects the client socket.
1444  */
1445 static size_t vnc_client_write_plain(VncState *vs)
1446 {
1447     size_t offset;
1448     size_t ret;
1449 
1450 #ifdef CONFIG_VNC_SASL
1451     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1452               vs->output.buffer, vs->output.capacity, vs->output.offset,
1453               vs->sasl.waitWriteSSF);
1454 
1455     if (vs->sasl.conn &&
1456         vs->sasl.runSSF &&
1457         vs->sasl.waitWriteSSF) {
1458         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1459         if (ret)
1460             vs->sasl.waitWriteSSF -= ret;
1461     } else
1462 #endif /* CONFIG_VNC_SASL */
1463         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1464     if (!ret)
1465         return 0;
1466 
1467     if (ret >= vs->force_update_offset) {
1468         if (vs->force_update_offset != 0) {
1469             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1470         }
1471         vs->force_update_offset = 0;
1472     } else {
1473         vs->force_update_offset -= ret;
1474     }
1475     offset = vs->output.offset;
1476     buffer_advance(&vs->output, ret);
1477     if (offset >= vs->throttle_output_offset &&
1478         vs->output.offset < vs->throttle_output_offset) {
1479         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1480     }
1481 
1482     if (vs->output.offset == 0) {
1483         if (vs->ioc_tag) {
1484             g_source_remove(vs->ioc_tag);
1485         }
1486         vs->ioc_tag = qio_channel_add_watch(
1487             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1488             vnc_client_io, vs, NULL);
1489     }
1490 
1491     return ret;
1492 }
1493 
1494 
1495 /*
1496  * First function called whenever there is data to be written to
1497  * the client socket. Will delegate actual work according to whether
1498  * SASL SSF layers are enabled (thus requiring encryption calls)
1499  */
1500 static void vnc_client_write_locked(VncState *vs)
1501 {
1502 #ifdef CONFIG_VNC_SASL
1503     if (vs->sasl.conn &&
1504         vs->sasl.runSSF &&
1505         !vs->sasl.waitWriteSSF) {
1506         vnc_client_write_sasl(vs);
1507     } else
1508 #endif /* CONFIG_VNC_SASL */
1509     {
1510         vnc_client_write_plain(vs);
1511     }
1512 }
1513 
1514 static void vnc_client_write(VncState *vs)
1515 {
1516     assert(vs->magic == VNC_MAGIC);
1517     vnc_lock_output(vs);
1518     if (vs->output.offset) {
1519         vnc_client_write_locked(vs);
1520     } else if (vs->ioc != NULL) {
1521         if (vs->ioc_tag) {
1522             g_source_remove(vs->ioc_tag);
1523         }
1524         vs->ioc_tag = qio_channel_add_watch(
1525             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1526             vnc_client_io, vs, NULL);
1527     }
1528     vnc_unlock_output(vs);
1529 }
1530 
1531 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1532 {
1533     vs->read_handler = func;
1534     vs->read_handler_expect = expecting;
1535 }
1536 
1537 
1538 /*
1539  * Called to read a chunk of data from the client socket. The data may
1540  * be the raw data, or may need to be further decoded by SASL.
1541  * The data will be read either straight from to the socket, or
1542  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1543  *
1544  * NB, it is theoretically possible to have 2 layers of encryption,
1545  * both SASL, and this TLS layer. It is highly unlikely in practice
1546  * though, since SASL encryption will typically be a no-op if TLS
1547  * is active
1548  *
1549  * Returns the number of bytes read, which may be less than
1550  * the requested 'datalen' if the socket would block. Returns
1551  * 0 on I/O error or EOF, and disconnects the client socket.
1552  */
1553 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1554 {
1555     ssize_t ret;
1556     Error *err = NULL;
1557     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1558     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1559     return vnc_client_io_error(vs, ret, err);
1560 }
1561 
1562 
1563 /*
1564  * Called to read data from the client socket to the input buffer,
1565  * when not using any SASL SSF encryption layers. Will read as much
1566  * data as possible without blocking.
1567  *
1568  * Returns the number of bytes read, which may be less than
1569  * the requested 'datalen' if the socket would block. Returns
1570  * 0 on I/O error or EOF, and disconnects the client socket.
1571  */
1572 static size_t vnc_client_read_plain(VncState *vs)
1573 {
1574     size_t ret;
1575     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1576               vs->input.buffer, vs->input.capacity, vs->input.offset);
1577     buffer_reserve(&vs->input, 4096);
1578     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1579     if (!ret)
1580         return 0;
1581     vs->input.offset += ret;
1582     return ret;
1583 }
1584 
1585 static void vnc_jobs_bh(void *opaque)
1586 {
1587     VncState *vs = opaque;
1588 
1589     assert(vs->magic == VNC_MAGIC);
1590     vnc_jobs_consume_buffer(vs);
1591 }
1592 
1593 /*
1594  * First function called whenever there is more data to be read from
1595  * the client socket. Will delegate actual work according to whether
1596  * SASL SSF layers are enabled (thus requiring decryption calls)
1597  * Returns 0 on success, -1 if client disconnected
1598  */
1599 static int vnc_client_read(VncState *vs)
1600 {
1601     size_t ret;
1602 
1603 #ifdef CONFIG_VNC_SASL
1604     if (vs->sasl.conn && vs->sasl.runSSF)
1605         ret = vnc_client_read_sasl(vs);
1606     else
1607 #endif /* CONFIG_VNC_SASL */
1608         ret = vnc_client_read_plain(vs);
1609     if (!ret) {
1610         if (vs->disconnecting) {
1611             vnc_disconnect_finish(vs);
1612             return -1;
1613         }
1614         return 0;
1615     }
1616 
1617     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1618         size_t len = vs->read_handler_expect;
1619         int ret;
1620 
1621         ret = vs->read_handler(vs, vs->input.buffer, len);
1622         if (vs->disconnecting) {
1623             vnc_disconnect_finish(vs);
1624             return -1;
1625         }
1626 
1627         if (!ret) {
1628             buffer_advance(&vs->input, len);
1629         } else {
1630             vs->read_handler_expect = ret;
1631         }
1632     }
1633     return 0;
1634 }
1635 
1636 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1637                        GIOCondition condition, void *opaque)
1638 {
1639     VncState *vs = opaque;
1640 
1641     assert(vs->magic == VNC_MAGIC);
1642 
1643     if (condition & (G_IO_HUP | G_IO_ERR)) {
1644         vnc_disconnect_start(vs);
1645         return TRUE;
1646     }
1647 
1648     if (condition & G_IO_IN) {
1649         if (vnc_client_read(vs) < 0) {
1650             /* vs is free()ed here */
1651             return TRUE;
1652         }
1653     }
1654     if (condition & G_IO_OUT) {
1655         vnc_client_write(vs);
1656     }
1657 
1658     if (vs->disconnecting) {
1659         if (vs->ioc_tag != 0) {
1660             g_source_remove(vs->ioc_tag);
1661         }
1662         vs->ioc_tag = 0;
1663     }
1664     return TRUE;
1665 }
1666 
1667 
1668 /*
1669  * Scale factor to apply to vs->throttle_output_offset when checking for
1670  * hard limit. Worst case normal usage could be x2, if we have a complete
1671  * incremental update and complete forced update in the output buffer.
1672  * So x3 should be good enough, but we pick x5 to be conservative and thus
1673  * (hopefully) never trigger incorrectly.
1674  */
1675 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1676 
1677 void vnc_write(VncState *vs, const void *data, size_t len)
1678 {
1679     assert(vs->magic == VNC_MAGIC);
1680     if (vs->disconnecting) {
1681         return;
1682     }
1683     /* Protection against malicious client/guest to prevent our output
1684      * buffer growing without bound if client stops reading data. This
1685      * should rarely trigger, because we have earlier throttling code
1686      * which stops issuing framebuffer updates and drops audio data
1687      * if the throttle_output_offset value is exceeded. So we only reach
1688      * this higher level if a huge number of pseudo-encodings get
1689      * triggered while data can't be sent on the socket.
1690      *
1691      * NB throttle_output_offset can be zero during early protocol
1692      * handshake, or from the job thread's VncState clone
1693      */
1694     if (vs->throttle_output_offset != 0 &&
1695         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1696         vs->throttle_output_offset) {
1697         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1698                                       vs->throttle_output_offset);
1699         vnc_disconnect_start(vs);
1700         return;
1701     }
1702     buffer_reserve(&vs->output, len);
1703 
1704     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1705         if (vs->ioc_tag) {
1706             g_source_remove(vs->ioc_tag);
1707         }
1708         vs->ioc_tag = qio_channel_add_watch(
1709             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1710             vnc_client_io, vs, NULL);
1711     }
1712 
1713     buffer_append(&vs->output, data, len);
1714 }
1715 
1716 void vnc_write_s32(VncState *vs, int32_t value)
1717 {
1718     vnc_write_u32(vs, *(uint32_t *)&value);
1719 }
1720 
1721 void vnc_write_u32(VncState *vs, uint32_t value)
1722 {
1723     uint8_t buf[4];
1724 
1725     buf[0] = (value >> 24) & 0xFF;
1726     buf[1] = (value >> 16) & 0xFF;
1727     buf[2] = (value >>  8) & 0xFF;
1728     buf[3] = value & 0xFF;
1729 
1730     vnc_write(vs, buf, 4);
1731 }
1732 
1733 void vnc_write_u16(VncState *vs, uint16_t value)
1734 {
1735     uint8_t buf[2];
1736 
1737     buf[0] = (value >> 8) & 0xFF;
1738     buf[1] = value & 0xFF;
1739 
1740     vnc_write(vs, buf, 2);
1741 }
1742 
1743 void vnc_write_u8(VncState *vs, uint8_t value)
1744 {
1745     vnc_write(vs, (char *)&value, 1);
1746 }
1747 
1748 void vnc_flush(VncState *vs)
1749 {
1750     vnc_lock_output(vs);
1751     if (vs->ioc != NULL && vs->output.offset) {
1752         vnc_client_write_locked(vs);
1753     }
1754     if (vs->disconnecting) {
1755         if (vs->ioc_tag != 0) {
1756             g_source_remove(vs->ioc_tag);
1757         }
1758         vs->ioc_tag = 0;
1759     }
1760     vnc_unlock_output(vs);
1761 }
1762 
1763 static uint8_t read_u8(uint8_t *data, size_t offset)
1764 {
1765     return data[offset];
1766 }
1767 
1768 static uint16_t read_u16(uint8_t *data, size_t offset)
1769 {
1770     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1771 }
1772 
1773 static int32_t read_s32(uint8_t *data, size_t offset)
1774 {
1775     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1776                      (data[offset + 2] << 8) | data[offset + 3]);
1777 }
1778 
1779 uint32_t read_u32(uint8_t *data, size_t offset)
1780 {
1781     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1782             (data[offset + 2] << 8) | data[offset + 3]);
1783 }
1784 
1785 static void check_pointer_type_change(Notifier *notifier, void *data)
1786 {
1787     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1788     int absolute = qemu_input_is_absolute();
1789 
1790     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1791         vnc_lock_output(vs);
1792         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1793         vnc_write_u8(vs, 0);
1794         vnc_write_u16(vs, 1);
1795         vnc_framebuffer_update(vs, absolute, 0,
1796                                pixman_image_get_width(vs->vd->server),
1797                                pixman_image_get_height(vs->vd->server),
1798                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1799         vnc_unlock_output(vs);
1800         vnc_flush(vs);
1801     }
1802     vs->absolute = absolute;
1803 }
1804 
1805 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1806 {
1807     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1808         [INPUT_BUTTON_LEFT]       = 0x01,
1809         [INPUT_BUTTON_MIDDLE]     = 0x02,
1810         [INPUT_BUTTON_RIGHT]      = 0x04,
1811         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1812         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1813     };
1814     QemuConsole *con = vs->vd->dcl.con;
1815     int width = pixman_image_get_width(vs->vd->server);
1816     int height = pixman_image_get_height(vs->vd->server);
1817 
1818     if (vs->last_bmask != button_mask) {
1819         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1820         vs->last_bmask = button_mask;
1821     }
1822 
1823     if (vs->absolute) {
1824         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1825         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1826     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1827         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1828         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1829     } else {
1830         if (vs->last_x != -1) {
1831             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1832             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1833         }
1834         vs->last_x = x;
1835         vs->last_y = y;
1836     }
1837     qemu_input_event_sync();
1838 }
1839 
1840 static void press_key(VncState *vs, QKeyCode qcode)
1841 {
1842     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1843     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1844 }
1845 
1846 static void vnc_led_state_change(VncState *vs)
1847 {
1848     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1849         return;
1850     }
1851 
1852     vnc_lock_output(vs);
1853     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1854     vnc_write_u8(vs, 0);
1855     vnc_write_u16(vs, 1);
1856     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1857     vnc_write_u8(vs, vs->vd->ledstate);
1858     vnc_unlock_output(vs);
1859     vnc_flush(vs);
1860 }
1861 
1862 static void kbd_leds(void *opaque, int ledstate)
1863 {
1864     VncDisplay *vd = opaque;
1865     VncState *client;
1866 
1867     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1868                              (ledstate & QEMU_NUM_LOCK_LED),
1869                              (ledstate & QEMU_SCROLL_LOCK_LED));
1870 
1871     if (ledstate == vd->ledstate) {
1872         return;
1873     }
1874 
1875     vd->ledstate = ledstate;
1876 
1877     QTAILQ_FOREACH(client, &vd->clients, next) {
1878         vnc_led_state_change(client);
1879     }
1880 }
1881 
1882 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1883 {
1884     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1885 
1886     /* QEMU console switch */
1887     switch (qcode) {
1888     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1889         if (vs->vd->dcl.con == NULL && down &&
1890             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1891             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1892             /* Reset the modifiers sent to the current console */
1893             qkbd_state_lift_all_keys(vs->vd->kbd);
1894             console_select(qcode - Q_KEY_CODE_1);
1895             return;
1896         }
1897     default:
1898         break;
1899     }
1900 
1901     /* Turn off the lock state sync logic if the client support the led
1902        state extension.
1903     */
1904     if (down && vs->vd->lock_key_sync &&
1905         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1906         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1907         /* If the numlock state needs to change then simulate an additional
1908            keypress before sending this one.  This will happen if the user
1909            toggles numlock away from the VNC window.
1910         */
1911         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1912             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1913                 trace_vnc_key_sync_numlock(true);
1914                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1915             }
1916         } else {
1917             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1918                 trace_vnc_key_sync_numlock(false);
1919                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1920             }
1921         }
1922     }
1923 
1924     if (down && vs->vd->lock_key_sync &&
1925         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1926         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1927         /* If the capslock state needs to change then simulate an additional
1928            keypress before sending this one.  This will happen if the user
1929            toggles capslock away from the VNC window.
1930         */
1931         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1932         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1933         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1934         if (capslock) {
1935             if (uppercase == shift) {
1936                 trace_vnc_key_sync_capslock(false);
1937                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1938             }
1939         } else {
1940             if (uppercase != shift) {
1941                 trace_vnc_key_sync_capslock(true);
1942                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1943             }
1944         }
1945     }
1946 
1947     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1948     if (!qemu_console_is_graphic(NULL)) {
1949         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1950         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1951         /* QEMU console emulation */
1952         if (down) {
1953             switch (keycode) {
1954             case 0x2a:                          /* Left Shift */
1955             case 0x36:                          /* Right Shift */
1956             case 0x1d:                          /* Left CTRL */
1957             case 0x9d:                          /* Right CTRL */
1958             case 0x38:                          /* Left ALT */
1959             case 0xb8:                          /* Right ALT */
1960                 break;
1961             case 0xc8:
1962                 kbd_put_keysym(QEMU_KEY_UP);
1963                 break;
1964             case 0xd0:
1965                 kbd_put_keysym(QEMU_KEY_DOWN);
1966                 break;
1967             case 0xcb:
1968                 kbd_put_keysym(QEMU_KEY_LEFT);
1969                 break;
1970             case 0xcd:
1971                 kbd_put_keysym(QEMU_KEY_RIGHT);
1972                 break;
1973             case 0xd3:
1974                 kbd_put_keysym(QEMU_KEY_DELETE);
1975                 break;
1976             case 0xc7:
1977                 kbd_put_keysym(QEMU_KEY_HOME);
1978                 break;
1979             case 0xcf:
1980                 kbd_put_keysym(QEMU_KEY_END);
1981                 break;
1982             case 0xc9:
1983                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1984                 break;
1985             case 0xd1:
1986                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1987                 break;
1988 
1989             case 0x47:
1990                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1991                 break;
1992             case 0x48:
1993                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1994                 break;
1995             case 0x49:
1996                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1997                 break;
1998             case 0x4b:
1999                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
2000                 break;
2001             case 0x4c:
2002                 kbd_put_keysym('5');
2003                 break;
2004             case 0x4d:
2005                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2006                 break;
2007             case 0x4f:
2008                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2009                 break;
2010             case 0x50:
2011                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2012                 break;
2013             case 0x51:
2014                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2015                 break;
2016             case 0x52:
2017                 kbd_put_keysym('0');
2018                 break;
2019             case 0x53:
2020                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2021                 break;
2022 
2023             case 0xb5:
2024                 kbd_put_keysym('/');
2025                 break;
2026             case 0x37:
2027                 kbd_put_keysym('*');
2028                 break;
2029             case 0x4a:
2030                 kbd_put_keysym('-');
2031                 break;
2032             case 0x4e:
2033                 kbd_put_keysym('+');
2034                 break;
2035             case 0x9c:
2036                 kbd_put_keysym('\n');
2037                 break;
2038 
2039             default:
2040                 if (control) {
2041                     kbd_put_keysym(sym & 0x1f);
2042                 } else {
2043                     kbd_put_keysym(sym);
2044                 }
2045                 break;
2046             }
2047         }
2048     }
2049 }
2050 
2051 static const char *code2name(int keycode)
2052 {
2053     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2054 }
2055 
2056 static void key_event(VncState *vs, int down, uint32_t sym)
2057 {
2058     int keycode;
2059     int lsym = sym;
2060 
2061     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2062         lsym = lsym - 'A' + 'a';
2063     }
2064 
2065     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2066                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2067     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2068     do_key_event(vs, down, keycode, sym);
2069 }
2070 
2071 static void ext_key_event(VncState *vs, int down,
2072                           uint32_t sym, uint16_t keycode)
2073 {
2074     /* if the user specifies a keyboard layout, always use it */
2075     if (keyboard_layout) {
2076         key_event(vs, down, sym);
2077     } else {
2078         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2079         do_key_event(vs, down, keycode, sym);
2080     }
2081 }
2082 
2083 static void framebuffer_update_request(VncState *vs, int incremental,
2084                                        int x, int y, int w, int h)
2085 {
2086     if (incremental) {
2087         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2088             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2089         }
2090     } else {
2091         vs->update = VNC_STATE_UPDATE_FORCE;
2092         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2093         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2094             vnc_desktop_resize_ext(vs, 0);
2095         }
2096     }
2097 }
2098 
2099 static void send_ext_key_event_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_EXT_KEY_EVENT);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_ext_audio_ack(VncState *vs)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2117     vnc_write_u8(vs, 0);
2118     vnc_write_u16(vs, 1);
2119     vnc_framebuffer_update(vs, 0, 0,
2120                            pixman_image_get_width(vs->vd->server),
2121                            pixman_image_get_height(vs->vd->server),
2122                            VNC_ENCODING_AUDIO);
2123     vnc_unlock_output(vs);
2124     vnc_flush(vs);
2125 }
2126 
2127 static void send_xvp_message(VncState *vs, int code)
2128 {
2129     vnc_lock_output(vs);
2130     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2131     vnc_write_u8(vs, 0); /* pad */
2132     vnc_write_u8(vs, 1); /* version */
2133     vnc_write_u8(vs, code);
2134     vnc_unlock_output(vs);
2135     vnc_flush(vs);
2136 }
2137 
2138 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2139 {
2140     int i;
2141     unsigned int enc = 0;
2142 
2143     vs->features = 0;
2144     vs->vnc_encoding = 0;
2145     vs->tight->compression = 9;
2146     vs->tight->quality = -1; /* Lossless by default */
2147     vs->absolute = -1;
2148 
2149     /*
2150      * Start from the end because the encodings are sent in order of preference.
2151      * This way the preferred encoding (first encoding defined in the array)
2152      * will be set at the end of the loop.
2153      */
2154     for (i = n_encodings - 1; i >= 0; i--) {
2155         enc = encodings[i];
2156         switch (enc) {
2157         case VNC_ENCODING_RAW:
2158             vs->vnc_encoding = enc;
2159             break;
2160         case VNC_ENCODING_HEXTILE:
2161             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2162             vs->vnc_encoding = enc;
2163             break;
2164         case VNC_ENCODING_TIGHT:
2165             vs->features |= VNC_FEATURE_TIGHT_MASK;
2166             vs->vnc_encoding = enc;
2167             break;
2168 #ifdef CONFIG_VNC_PNG
2169         case VNC_ENCODING_TIGHT_PNG:
2170             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2171             vs->vnc_encoding = enc;
2172             break;
2173 #endif
2174         case VNC_ENCODING_ZLIB:
2175             /*
2176              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2177              * So prioritize ZRLE, even if the client hints that it prefers
2178              * ZLIB.
2179              */
2180             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2181                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2182                 vs->vnc_encoding = enc;
2183             }
2184             break;
2185         case VNC_ENCODING_ZRLE:
2186             vs->features |= VNC_FEATURE_ZRLE_MASK;
2187             vs->vnc_encoding = enc;
2188             break;
2189         case VNC_ENCODING_ZYWRLE:
2190             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2191             vs->vnc_encoding = enc;
2192             break;
2193         case VNC_ENCODING_DESKTOPRESIZE:
2194             vs->features |= VNC_FEATURE_RESIZE_MASK;
2195             break;
2196         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2197             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2198             break;
2199         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2200             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2201             break;
2202         case VNC_ENCODING_RICH_CURSOR:
2203             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2204             break;
2205         case VNC_ENCODING_ALPHA_CURSOR:
2206             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2207             break;
2208         case VNC_ENCODING_EXT_KEY_EVENT:
2209             send_ext_key_event_ack(vs);
2210             break;
2211         case VNC_ENCODING_AUDIO:
2212             send_ext_audio_ack(vs);
2213             break;
2214         case VNC_ENCODING_WMVi:
2215             vs->features |= VNC_FEATURE_WMVI_MASK;
2216             break;
2217         case VNC_ENCODING_LED_STATE:
2218             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2219             break;
2220         case VNC_ENCODING_XVP:
2221             if (vs->vd->power_control) {
2222                 vs->features |= VNC_FEATURE_XVP;
2223                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2224             }
2225             break;
2226         case VNC_ENCODING_CLIPBOARD_EXT:
2227             vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2228             vnc_server_cut_text_caps(vs);
2229             break;
2230         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2231             vs->tight->compression = (enc & 0x0F);
2232             break;
2233         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2234             if (vs->vd->lossy) {
2235                 vs->tight->quality = (enc & 0x0F);
2236             }
2237             break;
2238         default:
2239             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2240             break;
2241         }
2242     }
2243     vnc_desktop_resize(vs);
2244     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2245     vnc_led_state_change(vs);
2246     vnc_cursor_define(vs);
2247 }
2248 
2249 static void set_pixel_conversion(VncState *vs)
2250 {
2251     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2252 
2253     if (fmt == VNC_SERVER_FB_FORMAT) {
2254         vs->write_pixels = vnc_write_pixels_copy;
2255         vnc_hextile_set_pixel_conversion(vs, 0);
2256     } else {
2257         vs->write_pixels = vnc_write_pixels_generic;
2258         vnc_hextile_set_pixel_conversion(vs, 1);
2259     }
2260 }
2261 
2262 static void send_color_map(VncState *vs)
2263 {
2264     int i;
2265 
2266     vnc_lock_output(vs);
2267     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2268     vnc_write_u8(vs,  0);    /* padding     */
2269     vnc_write_u16(vs, 0);    /* first color */
2270     vnc_write_u16(vs, 256);  /* # of colors */
2271 
2272     for (i = 0; i < 256; i++) {
2273         PixelFormat *pf = &vs->client_pf;
2274 
2275         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2276         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2277         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2278     }
2279     vnc_unlock_output(vs);
2280 }
2281 
2282 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2283                              int big_endian_flag, int true_color_flag,
2284                              int red_max, int green_max, int blue_max,
2285                              int red_shift, int green_shift, int blue_shift)
2286 {
2287     if (!true_color_flag) {
2288         /* Expose a reasonable default 256 color map */
2289         bits_per_pixel = 8;
2290         red_max = 7;
2291         green_max = 7;
2292         blue_max = 3;
2293         red_shift = 0;
2294         green_shift = 3;
2295         blue_shift = 6;
2296     }
2297 
2298     switch (bits_per_pixel) {
2299     case 8:
2300     case 16:
2301     case 32:
2302         break;
2303     default:
2304         vnc_client_error(vs);
2305         return;
2306     }
2307 
2308     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2309     vs->client_pf.rbits = ctpopl(red_max);
2310     vs->client_pf.rshift = red_shift;
2311     vs->client_pf.rmask = red_max << red_shift;
2312     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2313     vs->client_pf.gbits = ctpopl(green_max);
2314     vs->client_pf.gshift = green_shift;
2315     vs->client_pf.gmask = green_max << green_shift;
2316     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2317     vs->client_pf.bbits = ctpopl(blue_max);
2318     vs->client_pf.bshift = blue_shift;
2319     vs->client_pf.bmask = blue_max << blue_shift;
2320     vs->client_pf.bits_per_pixel = bits_per_pixel;
2321     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2322     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2323     vs->client_be = big_endian_flag;
2324 
2325     if (!true_color_flag) {
2326         send_color_map(vs);
2327     }
2328 
2329     set_pixel_conversion(vs);
2330 
2331     graphic_hw_invalidate(vs->vd->dcl.con);
2332     graphic_hw_update(vs->vd->dcl.con);
2333 }
2334 
2335 static void pixel_format_message (VncState *vs) {
2336     char pad[3] = { 0, 0, 0 };
2337 
2338     vs->client_pf = qemu_default_pixelformat(32);
2339 
2340     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2341     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2342 
2343 #ifdef HOST_WORDS_BIGENDIAN
2344     vnc_write_u8(vs, 1);             /* big-endian-flag */
2345 #else
2346     vnc_write_u8(vs, 0);             /* big-endian-flag */
2347 #endif
2348     vnc_write_u8(vs, 1);             /* true-color-flag */
2349     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2350     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2351     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2352     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2353     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2354     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2355     vnc_write(vs, pad, 3);           /* padding */
2356 
2357     vnc_hextile_set_pixel_conversion(vs, 0);
2358     vs->write_pixels = vnc_write_pixels_copy;
2359 }
2360 
2361 static void vnc_colordepth(VncState *vs)
2362 {
2363     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2364         /* Sending a WMVi message to notify the client*/
2365         vnc_lock_output(vs);
2366         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2367         vnc_write_u8(vs, 0);
2368         vnc_write_u16(vs, 1); /* number of rects */
2369         vnc_framebuffer_update(vs, 0, 0,
2370                                vs->client_width,
2371                                vs->client_height,
2372                                VNC_ENCODING_WMVi);
2373         pixel_format_message(vs);
2374         vnc_unlock_output(vs);
2375         vnc_flush(vs);
2376     } else {
2377         set_pixel_conversion(vs);
2378     }
2379 }
2380 
2381 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2382 {
2383     int i;
2384     uint16_t limit;
2385     uint32_t freq;
2386     VncDisplay *vd = vs->vd;
2387 
2388     if (data[0] > 3) {
2389         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2390     }
2391 
2392     switch (data[0]) {
2393     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2394         if (len == 1)
2395             return 20;
2396 
2397         set_pixel_format(vs, read_u8(data, 4),
2398                          read_u8(data, 6), read_u8(data, 7),
2399                          read_u16(data, 8), read_u16(data, 10),
2400                          read_u16(data, 12), read_u8(data, 14),
2401                          read_u8(data, 15), read_u8(data, 16));
2402         break;
2403     case VNC_MSG_CLIENT_SET_ENCODINGS:
2404         if (len == 1)
2405             return 4;
2406 
2407         if (len == 4) {
2408             limit = read_u16(data, 2);
2409             if (limit > 0)
2410                 return 4 + (limit * 4);
2411         } else
2412             limit = read_u16(data, 2);
2413 
2414         for (i = 0; i < limit; i++) {
2415             int32_t val = read_s32(data, 4 + (i * 4));
2416             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2417         }
2418 
2419         set_encodings(vs, (int32_t *)(data + 4), limit);
2420         break;
2421     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2422         if (len == 1)
2423             return 10;
2424 
2425         framebuffer_update_request(vs,
2426                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2427                                    read_u16(data, 6), read_u16(data, 8));
2428         break;
2429     case VNC_MSG_CLIENT_KEY_EVENT:
2430         if (len == 1)
2431             return 8;
2432 
2433         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2434         break;
2435     case VNC_MSG_CLIENT_POINTER_EVENT:
2436         if (len == 1)
2437             return 6;
2438 
2439         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2440         break;
2441     case VNC_MSG_CLIENT_CUT_TEXT:
2442         if (len == 1) {
2443             return 8;
2444         }
2445         if (len == 8) {
2446             uint32_t dlen = abs(read_s32(data, 4));
2447             if (dlen > (1 << 20)) {
2448                 error_report("vnc: client_cut_text msg payload has %u bytes"
2449                              " which exceeds our limit of 1MB.", dlen);
2450                 vnc_client_error(vs);
2451                 break;
2452             }
2453             if (dlen > 0) {
2454                 return 8 + dlen;
2455             }
2456         }
2457 
2458         if (read_s32(data, 4) < 0) {
2459             vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
2460                                     read_u32(data, 8), data + 12);
2461             break;
2462         }
2463         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2464         break;
2465     case VNC_MSG_CLIENT_XVP:
2466         if (!(vs->features & VNC_FEATURE_XVP)) {
2467             error_report("vnc: xvp client message while disabled");
2468             vnc_client_error(vs);
2469             break;
2470         }
2471         if (len == 1) {
2472             return 4;
2473         }
2474         if (len == 4) {
2475             uint8_t version = read_u8(data, 2);
2476             uint8_t action = read_u8(data, 3);
2477 
2478             if (version != 1) {
2479                 error_report("vnc: xvp client message version %d != 1",
2480                              version);
2481                 vnc_client_error(vs);
2482                 break;
2483             }
2484 
2485             switch (action) {
2486             case VNC_XVP_ACTION_SHUTDOWN:
2487                 qemu_system_powerdown_request();
2488                 break;
2489             case VNC_XVP_ACTION_REBOOT:
2490                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2491                 break;
2492             case VNC_XVP_ACTION_RESET:
2493                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2494                 break;
2495             default:
2496                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2497                 break;
2498             }
2499         }
2500         break;
2501     case VNC_MSG_CLIENT_QEMU:
2502         if (len == 1)
2503             return 2;
2504 
2505         switch (read_u8(data, 1)) {
2506         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2507             if (len == 2)
2508                 return 12;
2509 
2510             ext_key_event(vs, read_u16(data, 2),
2511                           read_u32(data, 4), read_u32(data, 8));
2512             break;
2513         case VNC_MSG_CLIENT_QEMU_AUDIO:
2514             if (len == 2)
2515                 return 4;
2516 
2517             switch (read_u16 (data, 2)) {
2518             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2519                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2520                 audio_add(vs);
2521                 break;
2522             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2523                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2524                 audio_del(vs);
2525                 break;
2526             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2527                 if (len == 4)
2528                     return 10;
2529                 switch (read_u8(data, 4)) {
2530                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2531                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2532                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2533                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2534                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2535                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2536                 default:
2537                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2538                     vnc_client_error(vs);
2539                     break;
2540                 }
2541                 vs->as.nchannels = read_u8(data, 5);
2542                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2543                     VNC_DEBUG("Invalid audio channel count %d\n",
2544                               read_u8(data, 5));
2545                     vnc_client_error(vs);
2546                     break;
2547                 }
2548                 freq = read_u32(data, 6);
2549                 /* No official limit for protocol, but 48khz is a sensible
2550                  * upper bound for trustworthy clients, and this limit
2551                  * protects calculations involving 'vs->as.freq' later.
2552                  */
2553                 if (freq > 48000) {
2554                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2555                     vnc_client_error(vs);
2556                     break;
2557                 }
2558                 vs->as.freq = freq;
2559                 trace_vnc_msg_client_audio_format(
2560                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2561                 break;
2562             default:
2563                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2564                 vnc_client_error(vs);
2565                 break;
2566             }
2567             break;
2568 
2569         default:
2570             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2571             vnc_client_error(vs);
2572             break;
2573         }
2574         break;
2575     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2576     {
2577         size_t size;
2578         uint8_t screens;
2579         int w, h;
2580 
2581         if (len < 8) {
2582             return 8;
2583         }
2584 
2585         screens = read_u8(data, 6);
2586         size    = 8 + screens * 16;
2587         if (len < size) {
2588             return size;
2589         }
2590         w = read_u16(data, 2);
2591         h = read_u16(data, 4);
2592 
2593         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2594         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2595             QemuUIInfo info;
2596             memset(&info, 0, sizeof(info));
2597             info.width = w;
2598             info.height = h;
2599             dpy_set_ui_info(vs->vd->dcl.con, &info);
2600             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2601         } else {
2602             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2603         }
2604 
2605         break;
2606     }
2607     default:
2608         VNC_DEBUG("Msg: %d\n", data[0]);
2609         vnc_client_error(vs);
2610         break;
2611     }
2612 
2613     vnc_update_throttle_offset(vs);
2614     vnc_read_when(vs, protocol_client_msg, 1);
2615     return 0;
2616 }
2617 
2618 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2619 {
2620     char buf[1024];
2621     VncShareMode mode;
2622     int size;
2623 
2624     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2625     switch (vs->vd->share_policy) {
2626     case VNC_SHARE_POLICY_IGNORE:
2627         /*
2628          * Ignore the shared flag.  Nothing to do here.
2629          *
2630          * Doesn't conform to the rfb spec but is traditional qemu
2631          * behavior, thus left here as option for compatibility
2632          * reasons.
2633          */
2634         break;
2635     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2636         /*
2637          * Policy: Allow clients ask for exclusive access.
2638          *
2639          * Implementation: When a client asks for exclusive access,
2640          * disconnect all others. Shared connects are allowed as long
2641          * as no exclusive connection exists.
2642          *
2643          * This is how the rfb spec suggests to handle the shared flag.
2644          */
2645         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2646             VncState *client;
2647             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2648                 if (vs == client) {
2649                     continue;
2650                 }
2651                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2652                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2653                     continue;
2654                 }
2655                 vnc_disconnect_start(client);
2656             }
2657         }
2658         if (mode == VNC_SHARE_MODE_SHARED) {
2659             if (vs->vd->num_exclusive > 0) {
2660                 vnc_disconnect_start(vs);
2661                 return 0;
2662             }
2663         }
2664         break;
2665     case VNC_SHARE_POLICY_FORCE_SHARED:
2666         /*
2667          * Policy: Shared connects only.
2668          * Implementation: Disallow clients asking for exclusive access.
2669          *
2670          * Useful for shared desktop sessions where you don't want
2671          * someone forgetting to say -shared when running the vnc
2672          * client disconnect everybody else.
2673          */
2674         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2675             vnc_disconnect_start(vs);
2676             return 0;
2677         }
2678         break;
2679     }
2680     vnc_set_share_mode(vs, mode);
2681 
2682     if (vs->vd->num_shared > vs->vd->connections_limit) {
2683         vnc_disconnect_start(vs);
2684         return 0;
2685     }
2686 
2687     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2688            pixman_image_get_width(vs->vd->server) >= 0);
2689     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2690            pixman_image_get_height(vs->vd->server) >= 0);
2691     vs->client_width = pixman_image_get_width(vs->vd->server);
2692     vs->client_height = pixman_image_get_height(vs->vd->server);
2693     vnc_write_u16(vs, vs->client_width);
2694     vnc_write_u16(vs, vs->client_height);
2695 
2696     pixel_format_message(vs);
2697 
2698     if (qemu_name) {
2699         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2700         if (size > sizeof(buf)) {
2701             size = sizeof(buf);
2702         }
2703     } else {
2704         size = snprintf(buf, sizeof(buf), "QEMU");
2705     }
2706 
2707     vnc_write_u32(vs, size);
2708     vnc_write(vs, buf, size);
2709     vnc_flush(vs);
2710 
2711     vnc_client_cache_auth(vs);
2712     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2713 
2714     vnc_read_when(vs, protocol_client_msg, 1);
2715 
2716     return 0;
2717 }
2718 
2719 void start_client_init(VncState *vs)
2720 {
2721     vnc_read_when(vs, protocol_client_init, 1);
2722 }
2723 
2724 static void authentication_failed(VncState *vs)
2725 {
2726     vnc_write_u32(vs, 1); /* Reject auth */
2727     if (vs->minor >= 8) {
2728         static const char err[] = "Authentication failed";
2729         vnc_write_u32(vs, sizeof(err));
2730         vnc_write(vs, err, sizeof(err));
2731     }
2732     vnc_flush(vs);
2733     vnc_client_error(vs);
2734 }
2735 
2736 static void
2737 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2738 {
2739     size_t i;
2740     for (i = 0; i < nkey; i++) {
2741         uint8_t r = key[i];
2742         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2743         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2744         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2745         key[i] = r;
2746     }
2747 }
2748 
2749 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2750 {
2751     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2752     size_t i, pwlen;
2753     unsigned char key[8];
2754     time_t now = time(NULL);
2755     QCryptoCipher *cipher = NULL;
2756     Error *err = NULL;
2757 
2758     if (!vs->vd->password) {
2759         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2760         goto reject;
2761     }
2762     if (vs->vd->expires < now) {
2763         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2764         goto reject;
2765     }
2766 
2767     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2768 
2769     /* Calculate the expected challenge response */
2770     pwlen = strlen(vs->vd->password);
2771     for (i=0; i<sizeof(key); i++)
2772         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2773     vnc_munge_des_rfb_key(key, sizeof(key));
2774 
2775     cipher = qcrypto_cipher_new(
2776         QCRYPTO_CIPHER_ALG_DES,
2777         QCRYPTO_CIPHER_MODE_ECB,
2778         key, G_N_ELEMENTS(key),
2779         &err);
2780     if (!cipher) {
2781         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2782                             error_get_pretty(err));
2783         error_free(err);
2784         goto reject;
2785     }
2786 
2787     if (qcrypto_cipher_encrypt(cipher,
2788                                vs->challenge,
2789                                response,
2790                                VNC_AUTH_CHALLENGE_SIZE,
2791                                &err) < 0) {
2792         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2793                             error_get_pretty(err));
2794         error_free(err);
2795         goto reject;
2796     }
2797 
2798     /* Compare expected vs actual challenge response */
2799     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2800         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2801         goto reject;
2802     } else {
2803         trace_vnc_auth_pass(vs, vs->auth);
2804         vnc_write_u32(vs, 0); /* Accept auth */
2805         vnc_flush(vs);
2806 
2807         start_client_init(vs);
2808     }
2809 
2810     qcrypto_cipher_free(cipher);
2811     return 0;
2812 
2813 reject:
2814     authentication_failed(vs);
2815     qcrypto_cipher_free(cipher);
2816     return 0;
2817 }
2818 
2819 void start_auth_vnc(VncState *vs)
2820 {
2821     Error *err = NULL;
2822 
2823     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2824         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2825                             error_get_pretty(err));
2826         error_free(err);
2827         authentication_failed(vs);
2828         return;
2829     }
2830 
2831     /* Send client a 'random' challenge */
2832     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2833     vnc_flush(vs);
2834 
2835     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2836 }
2837 
2838 
2839 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2840 {
2841     /* We only advertise 1 auth scheme at a time, so client
2842      * must pick the one we sent. Verify this */
2843     if (data[0] != vs->auth) { /* Reject auth */
2844        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2845        authentication_failed(vs);
2846     } else { /* Accept requested auth */
2847        trace_vnc_auth_start(vs, vs->auth);
2848        switch (vs->auth) {
2849        case VNC_AUTH_NONE:
2850            if (vs->minor >= 8) {
2851                vnc_write_u32(vs, 0); /* Accept auth completion */
2852                vnc_flush(vs);
2853            }
2854            trace_vnc_auth_pass(vs, vs->auth);
2855            start_client_init(vs);
2856            break;
2857 
2858        case VNC_AUTH_VNC:
2859            start_auth_vnc(vs);
2860            break;
2861 
2862        case VNC_AUTH_VENCRYPT:
2863            start_auth_vencrypt(vs);
2864            break;
2865 
2866 #ifdef CONFIG_VNC_SASL
2867        case VNC_AUTH_SASL:
2868            start_auth_sasl(vs);
2869            break;
2870 #endif /* CONFIG_VNC_SASL */
2871 
2872        default: /* Should not be possible, but just in case */
2873            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2874            authentication_failed(vs);
2875        }
2876     }
2877     return 0;
2878 }
2879 
2880 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2881 {
2882     char local[13];
2883 
2884     memcpy(local, version, 12);
2885     local[12] = 0;
2886 
2887     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2888         VNC_DEBUG("Malformed protocol version %s\n", local);
2889         vnc_client_error(vs);
2890         return 0;
2891     }
2892     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2893     if (vs->major != 3 ||
2894         (vs->minor != 3 &&
2895          vs->minor != 4 &&
2896          vs->minor != 5 &&
2897          vs->minor != 7 &&
2898          vs->minor != 8)) {
2899         VNC_DEBUG("Unsupported client version\n");
2900         vnc_write_u32(vs, VNC_AUTH_INVALID);
2901         vnc_flush(vs);
2902         vnc_client_error(vs);
2903         return 0;
2904     }
2905     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2906      * as equivalent to v3.3 by servers
2907      */
2908     if (vs->minor == 4 || vs->minor == 5)
2909         vs->minor = 3;
2910 
2911     if (vs->minor == 3) {
2912         trace_vnc_auth_start(vs, vs->auth);
2913         if (vs->auth == VNC_AUTH_NONE) {
2914             vnc_write_u32(vs, vs->auth);
2915             vnc_flush(vs);
2916             trace_vnc_auth_pass(vs, vs->auth);
2917             start_client_init(vs);
2918        } else if (vs->auth == VNC_AUTH_VNC) {
2919             VNC_DEBUG("Tell client VNC auth\n");
2920             vnc_write_u32(vs, vs->auth);
2921             vnc_flush(vs);
2922             start_auth_vnc(vs);
2923        } else {
2924             trace_vnc_auth_fail(vs, vs->auth,
2925                                 "Unsupported auth method for v3.3", "");
2926             vnc_write_u32(vs, VNC_AUTH_INVALID);
2927             vnc_flush(vs);
2928             vnc_client_error(vs);
2929        }
2930     } else {
2931         vnc_write_u8(vs, 1); /* num auth */
2932         vnc_write_u8(vs, vs->auth);
2933         vnc_read_when(vs, protocol_client_auth, 1);
2934         vnc_flush(vs);
2935     }
2936 
2937     return 0;
2938 }
2939 
2940 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2941 {
2942     struct VncSurface *vs = &vd->guest;
2943 
2944     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2945 }
2946 
2947 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2948 {
2949     int i, j;
2950 
2951     w = (x + w) / VNC_STAT_RECT;
2952     h = (y + h) / VNC_STAT_RECT;
2953     x /= VNC_STAT_RECT;
2954     y /= VNC_STAT_RECT;
2955 
2956     for (j = y; j <= h; j++) {
2957         for (i = x; i <= w; i++) {
2958             vs->lossy_rect[j][i] = 1;
2959         }
2960     }
2961 }
2962 
2963 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2964 {
2965     VncState *vs;
2966     int sty = y / VNC_STAT_RECT;
2967     int stx = x / VNC_STAT_RECT;
2968     int has_dirty = 0;
2969 
2970     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2971     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2972 
2973     QTAILQ_FOREACH(vs, &vd->clients, next) {
2974         int j;
2975 
2976         /* kernel send buffers are full -> refresh later */
2977         if (vs->output.offset) {
2978             continue;
2979         }
2980 
2981         if (!vs->lossy_rect[sty][stx]) {
2982             continue;
2983         }
2984 
2985         vs->lossy_rect[sty][stx] = 0;
2986         for (j = 0; j < VNC_STAT_RECT; ++j) {
2987             bitmap_set(vs->dirty[y + j],
2988                        x / VNC_DIRTY_PIXELS_PER_BIT,
2989                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2990         }
2991         has_dirty++;
2992     }
2993 
2994     return has_dirty;
2995 }
2996 
2997 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2998 {
2999     int width = MIN(pixman_image_get_width(vd->guest.fb),
3000                     pixman_image_get_width(vd->server));
3001     int height = MIN(pixman_image_get_height(vd->guest.fb),
3002                      pixman_image_get_height(vd->server));
3003     int x, y;
3004     struct timeval res;
3005     int has_dirty = 0;
3006 
3007     for (y = 0; y < height; y += VNC_STAT_RECT) {
3008         for (x = 0; x < width; x += VNC_STAT_RECT) {
3009             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3010 
3011             rect->updated = false;
3012         }
3013     }
3014 
3015     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3016 
3017     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3018         return has_dirty;
3019     }
3020     vd->guest.last_freq_check = *tv;
3021 
3022     for (y = 0; y < height; y += VNC_STAT_RECT) {
3023         for (x = 0; x < width; x += VNC_STAT_RECT) {
3024             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3025             int count = ARRAY_SIZE(rect->times);
3026             struct timeval min, max;
3027 
3028             if (!timerisset(&rect->times[count - 1])) {
3029                 continue ;
3030             }
3031 
3032             max = rect->times[(rect->idx + count - 1) % count];
3033             qemu_timersub(tv, &max, &res);
3034 
3035             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3036                 rect->freq = 0;
3037                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3038                 memset(rect->times, 0, sizeof (rect->times));
3039                 continue ;
3040             }
3041 
3042             min = rect->times[rect->idx];
3043             max = rect->times[(rect->idx + count - 1) % count];
3044             qemu_timersub(&max, &min, &res);
3045 
3046             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3047             rect->freq /= count;
3048             rect->freq = 1. / rect->freq;
3049         }
3050     }
3051     return has_dirty;
3052 }
3053 
3054 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3055 {
3056     int i, j;
3057     double total = 0;
3058     int num = 0;
3059 
3060     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3061     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3062 
3063     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3064         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3065             total += vnc_stat_rect(vs->vd, i, j)->freq;
3066             num++;
3067         }
3068     }
3069 
3070     if (num) {
3071         return total / num;
3072     } else {
3073         return 0;
3074     }
3075 }
3076 
3077 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3078 {
3079     VncRectStat *rect;
3080 
3081     rect = vnc_stat_rect(vd, x, y);
3082     if (rect->updated) {
3083         return ;
3084     }
3085     rect->times[rect->idx] = *tv;
3086     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3087     rect->updated = true;
3088 }
3089 
3090 static int vnc_refresh_server_surface(VncDisplay *vd)
3091 {
3092     int width = MIN(pixman_image_get_width(vd->guest.fb),
3093                     pixman_image_get_width(vd->server));
3094     int height = MIN(pixman_image_get_height(vd->guest.fb),
3095                      pixman_image_get_height(vd->server));
3096     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3097     uint8_t *guest_row0 = NULL, *server_row0;
3098     VncState *vs;
3099     int has_dirty = 0;
3100     pixman_image_t *tmpbuf = NULL;
3101 
3102     struct timeval tv = { 0, 0 };
3103 
3104     if (!vd->non_adaptive) {
3105         gettimeofday(&tv, NULL);
3106         has_dirty = vnc_update_stats(vd, &tv);
3107     }
3108 
3109     /*
3110      * Walk through the guest dirty map.
3111      * Check and copy modified bits from guest to server surface.
3112      * Update server dirty map.
3113      */
3114     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3115     server_stride = guest_stride = guest_ll =
3116         pixman_image_get_stride(vd->server);
3117     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3118                     server_stride);
3119     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3120         int width = pixman_image_get_width(vd->server);
3121         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3122     } else {
3123         int guest_bpp =
3124             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3125         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3126         guest_stride = pixman_image_get_stride(vd->guest.fb);
3127         guest_ll = pixman_image_get_width(vd->guest.fb)
3128                    * DIV_ROUND_UP(guest_bpp, 8);
3129     }
3130     line_bytes = MIN(server_stride, guest_ll);
3131 
3132     for (;;) {
3133         int x;
3134         uint8_t *guest_ptr, *server_ptr;
3135         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3136                                              height * VNC_DIRTY_BPL(&vd->guest),
3137                                              y * VNC_DIRTY_BPL(&vd->guest));
3138         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3139             /* no more dirty bits */
3140             break;
3141         }
3142         y = offset / VNC_DIRTY_BPL(&vd->guest);
3143         x = offset % VNC_DIRTY_BPL(&vd->guest);
3144 
3145         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3146 
3147         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3148             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3149             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3150         } else {
3151             guest_ptr = guest_row0 + y * guest_stride;
3152         }
3153         guest_ptr += x * cmp_bytes;
3154 
3155         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3156              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3157             int _cmp_bytes = cmp_bytes;
3158             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3159                 continue;
3160             }
3161             if ((x + 1) * cmp_bytes > line_bytes) {
3162                 _cmp_bytes = line_bytes - x * cmp_bytes;
3163             }
3164             assert(_cmp_bytes >= 0);
3165             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3166                 continue;
3167             }
3168             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3169             if (!vd->non_adaptive) {
3170                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3171                                  y, &tv);
3172             }
3173             QTAILQ_FOREACH(vs, &vd->clients, next) {
3174                 set_bit(x, vs->dirty[y]);
3175             }
3176             has_dirty++;
3177         }
3178 
3179         y++;
3180     }
3181     qemu_pixman_image_unref(tmpbuf);
3182     return has_dirty;
3183 }
3184 
3185 static void vnc_refresh(DisplayChangeListener *dcl)
3186 {
3187     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3188     VncState *vs, *vn;
3189     int has_dirty, rects = 0;
3190 
3191     if (QTAILQ_EMPTY(&vd->clients)) {
3192         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3193         return;
3194     }
3195 
3196     graphic_hw_update(vd->dcl.con);
3197 
3198     if (vnc_trylock_display(vd)) {
3199         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3200         return;
3201     }
3202 
3203     has_dirty = vnc_refresh_server_surface(vd);
3204     vnc_unlock_display(vd);
3205 
3206     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3207         rects += vnc_update_client(vs, has_dirty);
3208         /* vs might be free()ed here */
3209     }
3210 
3211     if (has_dirty && rects) {
3212         vd->dcl.update_interval /= 2;
3213         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3214             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3215         }
3216     } else {
3217         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3218         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3219             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3220         }
3221     }
3222 }
3223 
3224 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3225                         bool skipauth, bool websocket)
3226 {
3227     VncState *vs = g_new0(VncState, 1);
3228     bool first_client = QTAILQ_EMPTY(&vd->clients);
3229     int i;
3230 
3231     trace_vnc_client_connect(vs, sioc);
3232     vs->zrle = g_new0(VncZrle, 1);
3233     vs->tight = g_new0(VncTight, 1);
3234     vs->magic = VNC_MAGIC;
3235     vs->sioc = sioc;
3236     object_ref(OBJECT(vs->sioc));
3237     vs->ioc = QIO_CHANNEL(sioc);
3238     object_ref(OBJECT(vs->ioc));
3239     vs->vd = vd;
3240 
3241     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3242     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3243     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3244 
3245     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3246     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3247     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3248 #ifdef CONFIG_VNC_JPEG
3249     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3250 #endif
3251 #ifdef CONFIG_VNC_PNG
3252     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3253 #endif
3254     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3255     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3256     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3257     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3258 
3259     if (skipauth) {
3260         vs->auth = VNC_AUTH_NONE;
3261         vs->subauth = VNC_AUTH_INVALID;
3262     } else {
3263         if (websocket) {
3264             vs->auth = vd->ws_auth;
3265             vs->subauth = VNC_AUTH_INVALID;
3266         } else {
3267             vs->auth = vd->auth;
3268             vs->subauth = vd->subauth;
3269         }
3270     }
3271     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3272               sioc, websocket, vs->auth, vs->subauth);
3273 
3274     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3275     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3276         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3277     }
3278 
3279     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3280     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3281     qio_channel_set_blocking(vs->ioc, false, NULL);
3282     if (vs->ioc_tag) {
3283         g_source_remove(vs->ioc_tag);
3284     }
3285     if (websocket) {
3286         vs->websocket = 1;
3287         if (vd->tlscreds) {
3288             vs->ioc_tag = qio_channel_add_watch(
3289                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3290                 vncws_tls_handshake_io, vs, NULL);
3291         } else {
3292             vs->ioc_tag = qio_channel_add_watch(
3293                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3294                 vncws_handshake_io, vs, NULL);
3295         }
3296     } else {
3297         vs->ioc_tag = qio_channel_add_watch(
3298             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3299             vnc_client_io, vs, NULL);
3300     }
3301 
3302     vnc_client_cache_addr(vs);
3303     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3304     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3305 
3306     vs->last_x = -1;
3307     vs->last_y = -1;
3308 
3309     vs->as.freq = 44100;
3310     vs->as.nchannels = 2;
3311     vs->as.fmt = AUDIO_FORMAT_S16;
3312     vs->as.endianness = 0;
3313 
3314     qemu_mutex_init(&vs->output_mutex);
3315     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3316 
3317     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3318     if (first_client) {
3319         vnc_update_server_surface(vd);
3320     }
3321 
3322     graphic_hw_update(vd->dcl.con);
3323 
3324     if (!vs->websocket) {
3325         vnc_start_protocol(vs);
3326     }
3327 
3328     if (vd->num_connecting > vd->connections_limit) {
3329         QTAILQ_FOREACH(vs, &vd->clients, next) {
3330             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3331                 vnc_disconnect_start(vs);
3332                 return;
3333             }
3334         }
3335     }
3336 }
3337 
3338 void vnc_start_protocol(VncState *vs)
3339 {
3340     vnc_write(vs, "RFB 003.008\n", 12);
3341     vnc_flush(vs);
3342     vnc_read_when(vs, protocol_version, 12);
3343 
3344     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3345     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3346 }
3347 
3348 static void vnc_listen_io(QIONetListener *listener,
3349                           QIOChannelSocket *cioc,
3350                           void *opaque)
3351 {
3352     VncDisplay *vd = opaque;
3353     bool isWebsock = listener == vd->wslistener;
3354 
3355     qio_channel_set_name(QIO_CHANNEL(cioc),
3356                          isWebsock ? "vnc-ws-server" : "vnc-server");
3357     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3358     vnc_connect(vd, cioc, false, isWebsock);
3359 }
3360 
3361 static const DisplayChangeListenerOps dcl_ops = {
3362     .dpy_name             = "vnc",
3363     .dpy_refresh          = vnc_refresh,
3364     .dpy_gfx_update       = vnc_dpy_update,
3365     .dpy_gfx_switch       = vnc_dpy_switch,
3366     .dpy_gfx_check_format = qemu_pixman_check_format,
3367     .dpy_mouse_set        = vnc_mouse_set,
3368     .dpy_cursor_define    = vnc_dpy_cursor_define,
3369 };
3370 
3371 void vnc_display_init(const char *id, Error **errp)
3372 {
3373     VncDisplay *vd;
3374 
3375     if (vnc_display_find(id) != NULL) {
3376         return;
3377     }
3378     vd = g_malloc0(sizeof(*vd));
3379 
3380     vd->id = strdup(id);
3381     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3382 
3383     QTAILQ_INIT(&vd->clients);
3384     vd->expires = TIME_MAX;
3385 
3386     if (keyboard_layout) {
3387         trace_vnc_key_map_init(keyboard_layout);
3388         vd->kbd_layout = init_keyboard_layout(name2keysym,
3389                                               keyboard_layout, errp);
3390     } else {
3391         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3392     }
3393 
3394     if (!vd->kbd_layout) {
3395         return;
3396     }
3397 
3398     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3399     vd->connections_limit = 32;
3400 
3401     qemu_mutex_init(&vd->mutex);
3402     vnc_start_worker_thread();
3403 
3404     vd->dcl.ops = &dcl_ops;
3405     register_displaychangelistener(&vd->dcl);
3406     vd->kbd = qkbd_state_init(vd->dcl.con);
3407 }
3408 
3409 
3410 static void vnc_display_close(VncDisplay *vd)
3411 {
3412     if (!vd) {
3413         return;
3414     }
3415     vd->is_unix = false;
3416 
3417     if (vd->listener) {
3418         qio_net_listener_disconnect(vd->listener);
3419         object_unref(OBJECT(vd->listener));
3420     }
3421     vd->listener = NULL;
3422 
3423     if (vd->wslistener) {
3424         qio_net_listener_disconnect(vd->wslistener);
3425         object_unref(OBJECT(vd->wslistener));
3426     }
3427     vd->wslistener = NULL;
3428 
3429     vd->auth = VNC_AUTH_INVALID;
3430     vd->subauth = VNC_AUTH_INVALID;
3431     if (vd->tlscreds) {
3432         object_unref(OBJECT(vd->tlscreds));
3433         vd->tlscreds = NULL;
3434     }
3435     if (vd->tlsauthz) {
3436         object_unparent(OBJECT(vd->tlsauthz));
3437         vd->tlsauthz = NULL;
3438     }
3439     g_free(vd->tlsauthzid);
3440     vd->tlsauthzid = NULL;
3441     if (vd->lock_key_sync) {
3442         qemu_remove_led_event_handler(vd->led);
3443         vd->led = NULL;
3444     }
3445 #ifdef CONFIG_VNC_SASL
3446     if (vd->sasl.authz) {
3447         object_unparent(OBJECT(vd->sasl.authz));
3448         vd->sasl.authz = NULL;
3449     }
3450     g_free(vd->sasl.authzid);
3451     vd->sasl.authzid = NULL;
3452 #endif
3453 }
3454 
3455 int vnc_display_password(const char *id, const char *password)
3456 {
3457     VncDisplay *vd = vnc_display_find(id);
3458 
3459     if (!vd) {
3460         return -EINVAL;
3461     }
3462     if (vd->auth == VNC_AUTH_NONE) {
3463         error_printf_unless_qmp("If you want use passwords please enable "
3464                                 "password auth using '-vnc ${dpy},password'.\n");
3465         return -EINVAL;
3466     }
3467 
3468     g_free(vd->password);
3469     vd->password = g_strdup(password);
3470 
3471     return 0;
3472 }
3473 
3474 int vnc_display_pw_expire(const char *id, time_t expires)
3475 {
3476     VncDisplay *vd = vnc_display_find(id);
3477 
3478     if (!vd) {
3479         return -EINVAL;
3480     }
3481 
3482     vd->expires = expires;
3483     return 0;
3484 }
3485 
3486 static void vnc_display_print_local_addr(VncDisplay *vd)
3487 {
3488     SocketAddress *addr;
3489 
3490     if (!vd->listener || !vd->listener->nsioc) {
3491         return;
3492     }
3493 
3494     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3495     if (!addr) {
3496         return;
3497     }
3498 
3499     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3500         qapi_free_SocketAddress(addr);
3501         return;
3502     }
3503     error_printf_unless_qmp("VNC server running on %s:%s\n",
3504                             addr->u.inet.host,
3505                             addr->u.inet.port);
3506     qapi_free_SocketAddress(addr);
3507 }
3508 
3509 static QemuOptsList qemu_vnc_opts = {
3510     .name = "vnc",
3511     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3512     .implied_opt_name = "vnc",
3513     .desc = {
3514         {
3515             .name = "vnc",
3516             .type = QEMU_OPT_STRING,
3517         },{
3518             .name = "websocket",
3519             .type = QEMU_OPT_STRING,
3520         },{
3521             .name = "tls-creds",
3522             .type = QEMU_OPT_STRING,
3523         },{
3524             .name = "share",
3525             .type = QEMU_OPT_STRING,
3526         },{
3527             .name = "display",
3528             .type = QEMU_OPT_STRING,
3529         },{
3530             .name = "head",
3531             .type = QEMU_OPT_NUMBER,
3532         },{
3533             .name = "connections",
3534             .type = QEMU_OPT_NUMBER,
3535         },{
3536             .name = "to",
3537             .type = QEMU_OPT_NUMBER,
3538         },{
3539             .name = "ipv4",
3540             .type = QEMU_OPT_BOOL,
3541         },{
3542             .name = "ipv6",
3543             .type = QEMU_OPT_BOOL,
3544         },{
3545             .name = "password",
3546             .type = QEMU_OPT_BOOL,
3547         },{
3548             .name = "password-secret",
3549             .type = QEMU_OPT_STRING,
3550         },{
3551             .name = "reverse",
3552             .type = QEMU_OPT_BOOL,
3553         },{
3554             .name = "lock-key-sync",
3555             .type = QEMU_OPT_BOOL,
3556         },{
3557             .name = "key-delay-ms",
3558             .type = QEMU_OPT_NUMBER,
3559         },{
3560             .name = "sasl",
3561             .type = QEMU_OPT_BOOL,
3562         },{
3563             .name = "tls-authz",
3564             .type = QEMU_OPT_STRING,
3565         },{
3566             .name = "sasl-authz",
3567             .type = QEMU_OPT_STRING,
3568         },{
3569             .name = "lossy",
3570             .type = QEMU_OPT_BOOL,
3571         },{
3572             .name = "non-adaptive",
3573             .type = QEMU_OPT_BOOL,
3574         },{
3575             .name = "audiodev",
3576             .type = QEMU_OPT_STRING,
3577         },{
3578             .name = "power-control",
3579             .type = QEMU_OPT_BOOL,
3580         },
3581         { /* end of list */ }
3582     },
3583 };
3584 
3585 
3586 static int
3587 vnc_display_setup_auth(int *auth,
3588                        int *subauth,
3589                        QCryptoTLSCreds *tlscreds,
3590                        bool password,
3591                        bool sasl,
3592                        bool websocket,
3593                        Error **errp)
3594 {
3595     /*
3596      * We have a choice of 3 authentication options
3597      *
3598      *   1. none
3599      *   2. vnc
3600      *   3. sasl
3601      *
3602      * The channel can be run in 2 modes
3603      *
3604      *   1. clear
3605      *   2. tls
3606      *
3607      * And TLS can use 2 types of credentials
3608      *
3609      *   1. anon
3610      *   2. x509
3611      *
3612      * We thus have 9 possible logical combinations
3613      *
3614      *   1. clear + none
3615      *   2. clear + vnc
3616      *   3. clear + sasl
3617      *   4. tls + anon + none
3618      *   5. tls + anon + vnc
3619      *   6. tls + anon + sasl
3620      *   7. tls + x509 + none
3621      *   8. tls + x509 + vnc
3622      *   9. tls + x509 + sasl
3623      *
3624      * These need to be mapped into the VNC auth schemes
3625      * in an appropriate manner. In regular VNC, all the
3626      * TLS options get mapped into VNC_AUTH_VENCRYPT
3627      * sub-auth types.
3628      *
3629      * In websockets, the https:// protocol already provides
3630      * TLS support, so there is no need to make use of the
3631      * VeNCrypt extension. Furthermore, websockets browser
3632      * clients could not use VeNCrypt even if they wanted to,
3633      * as they cannot control when the TLS handshake takes
3634      * place. Thus there is no option but to rely on https://,
3635      * meaning combinations 4->6 and 7->9 will be mapped to
3636      * VNC auth schemes in the same way as combos 1->3.
3637      *
3638      * Regardless of fact that we have a different mapping to
3639      * VNC auth mechs for plain VNC vs websockets VNC, the end
3640      * result has the same security characteristics.
3641      */
3642     if (websocket || !tlscreds) {
3643         if (password) {
3644             VNC_DEBUG("Initializing VNC server with password auth\n");
3645             *auth = VNC_AUTH_VNC;
3646         } else if (sasl) {
3647             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3648             *auth = VNC_AUTH_SASL;
3649         } else {
3650             VNC_DEBUG("Initializing VNC server with no auth\n");
3651             *auth = VNC_AUTH_NONE;
3652         }
3653         *subauth = VNC_AUTH_INVALID;
3654     } else {
3655         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3656                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3657         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3658                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3659 
3660         if (!is_x509 && !is_anon) {
3661             error_setg(errp,
3662                        "Unsupported TLS cred type %s",
3663                        object_get_typename(OBJECT(tlscreds)));
3664             return -1;
3665         }
3666         *auth = VNC_AUTH_VENCRYPT;
3667         if (password) {
3668             if (is_x509) {
3669                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3670                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3671             } else {
3672                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3673                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3674             }
3675 
3676         } else if (sasl) {
3677             if (is_x509) {
3678                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3679                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3680             } else {
3681                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3682                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3683             }
3684         } else {
3685             if (is_x509) {
3686                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3687                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3688             } else {
3689                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3690                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3691             }
3692         }
3693     }
3694     return 0;
3695 }
3696 
3697 
3698 static int vnc_display_get_address(const char *addrstr,
3699                                    bool websocket,
3700                                    bool reverse,
3701                                    int displaynum,
3702                                    int to,
3703                                    bool has_ipv4,
3704                                    bool has_ipv6,
3705                                    bool ipv4,
3706                                    bool ipv6,
3707                                    SocketAddress **retaddr,
3708                                    Error **errp)
3709 {
3710     int ret = -1;
3711     SocketAddress *addr = NULL;
3712 
3713     addr = g_new0(SocketAddress, 1);
3714 
3715     if (strncmp(addrstr, "unix:", 5) == 0) {
3716         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3717         addr->u.q_unix.path = g_strdup(addrstr + 5);
3718 
3719         if (websocket) {
3720             error_setg(errp, "UNIX sockets not supported with websock");
3721             goto cleanup;
3722         }
3723 
3724         if (to) {
3725             error_setg(errp, "Port range not support with UNIX socket");
3726             goto cleanup;
3727         }
3728         ret = 0;
3729     } else {
3730         const char *port;
3731         size_t hostlen;
3732         unsigned long long baseport = 0;
3733         InetSocketAddress *inet;
3734 
3735         port = strrchr(addrstr, ':');
3736         if (!port) {
3737             if (websocket) {
3738                 hostlen = 0;
3739                 port = addrstr;
3740             } else {
3741                 error_setg(errp, "no vnc port specified");
3742                 goto cleanup;
3743             }
3744         } else {
3745             hostlen = port - addrstr;
3746             port++;
3747             if (*port == '\0') {
3748                 error_setg(errp, "vnc port cannot be empty");
3749                 goto cleanup;
3750             }
3751         }
3752 
3753         addr->type = SOCKET_ADDRESS_TYPE_INET;
3754         inet = &addr->u.inet;
3755         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3756             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3757         } else {
3758             inet->host = g_strndup(addrstr, hostlen);
3759         }
3760         /* plain VNC port is just an offset, for websocket
3761          * port is absolute */
3762         if (websocket) {
3763             if (g_str_equal(addrstr, "") ||
3764                 g_str_equal(addrstr, "on")) {
3765                 if (displaynum == -1) {
3766                     error_setg(errp, "explicit websocket port is required");
3767                     goto cleanup;
3768                 }
3769                 inet->port = g_strdup_printf(
3770                     "%d", displaynum + 5700);
3771                 if (to) {
3772                     inet->has_to = true;
3773                     inet->to = to + 5700;
3774                 }
3775             } else {
3776                 inet->port = g_strdup(port);
3777             }
3778         } else {
3779             int offset = reverse ? 0 : 5900;
3780             if (parse_uint_full(port, &baseport, 10) < 0) {
3781                 error_setg(errp, "can't convert to a number: %s", port);
3782                 goto cleanup;
3783             }
3784             if (baseport > 65535 ||
3785                 baseport + offset > 65535) {
3786                 error_setg(errp, "port %s out of range", port);
3787                 goto cleanup;
3788             }
3789             inet->port = g_strdup_printf(
3790                 "%d", (int)baseport + offset);
3791 
3792             if (to) {
3793                 inet->has_to = true;
3794                 inet->to = to + offset;
3795             }
3796         }
3797 
3798         inet->ipv4 = ipv4;
3799         inet->has_ipv4 = has_ipv4;
3800         inet->ipv6 = ipv6;
3801         inet->has_ipv6 = has_ipv6;
3802 
3803         ret = baseport;
3804     }
3805 
3806     *retaddr = addr;
3807 
3808  cleanup:
3809     if (ret < 0) {
3810         qapi_free_SocketAddress(addr);
3811     }
3812     return ret;
3813 }
3814 
3815 static void vnc_free_addresses(SocketAddress ***retsaddr,
3816                                size_t *retnsaddr)
3817 {
3818     size_t i;
3819 
3820     for (i = 0; i < *retnsaddr; i++) {
3821         qapi_free_SocketAddress((*retsaddr)[i]);
3822     }
3823     g_free(*retsaddr);
3824 
3825     *retsaddr = NULL;
3826     *retnsaddr = 0;
3827 }
3828 
3829 static int vnc_display_get_addresses(QemuOpts *opts,
3830                                      bool reverse,
3831                                      SocketAddress ***retsaddr,
3832                                      size_t *retnsaddr,
3833                                      SocketAddress ***retwsaddr,
3834                                      size_t *retnwsaddr,
3835                                      Error **errp)
3836 {
3837     SocketAddress *saddr = NULL;
3838     SocketAddress *wsaddr = NULL;
3839     QemuOptsIter addriter;
3840     const char *addr;
3841     int to = qemu_opt_get_number(opts, "to", 0);
3842     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3843     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3844     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3845     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3846     int displaynum = -1;
3847     int ret = -1;
3848 
3849     *retsaddr = NULL;
3850     *retnsaddr = 0;
3851     *retwsaddr = NULL;
3852     *retnwsaddr = 0;
3853 
3854     addr = qemu_opt_get(opts, "vnc");
3855     if (addr == NULL || g_str_equal(addr, "none")) {
3856         ret = 0;
3857         goto cleanup;
3858     }
3859     if (qemu_opt_get(opts, "websocket") &&
3860         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3861         error_setg(errp,
3862                    "SHA1 hash support is required for websockets");
3863         goto cleanup;
3864     }
3865 
3866     qemu_opt_iter_init(&addriter, opts, "vnc");
3867     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3868         int rv;
3869         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3870                                      has_ipv4, has_ipv6,
3871                                      ipv4, ipv6,
3872                                      &saddr, errp);
3873         if (rv < 0) {
3874             goto cleanup;
3875         }
3876         /* Historical compat - first listen address can be used
3877          * to set the default websocket port
3878          */
3879         if (displaynum == -1) {
3880             displaynum = rv;
3881         }
3882         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3883         (*retsaddr)[(*retnsaddr)++] = saddr;
3884     }
3885 
3886     /* If we had multiple primary displays, we don't do defaults
3887      * for websocket, and require explicit config instead. */
3888     if (*retnsaddr > 1) {
3889         displaynum = -1;
3890     }
3891 
3892     qemu_opt_iter_init(&addriter, opts, "websocket");
3893     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3894         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3895                                     has_ipv4, has_ipv6,
3896                                     ipv4, ipv6,
3897                                     &wsaddr, errp) < 0) {
3898             goto cleanup;
3899         }
3900 
3901         /* Historical compat - if only a single listen address was
3902          * provided, then this is used to set the default listen
3903          * address for websocket too
3904          */
3905         if (*retnsaddr == 1 &&
3906             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3907             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3908             g_str_equal(wsaddr->u.inet.host, "") &&
3909             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3910             g_free(wsaddr->u.inet.host);
3911             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3912         }
3913 
3914         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3915         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3916     }
3917 
3918     ret = 0;
3919  cleanup:
3920     if (ret < 0) {
3921         vnc_free_addresses(retsaddr, retnsaddr);
3922         vnc_free_addresses(retwsaddr, retnwsaddr);
3923     }
3924     return ret;
3925 }
3926 
3927 static int vnc_display_connect(VncDisplay *vd,
3928                                SocketAddress **saddr,
3929                                size_t nsaddr,
3930                                SocketAddress **wsaddr,
3931                                size_t nwsaddr,
3932                                Error **errp)
3933 {
3934     /* connect to viewer */
3935     QIOChannelSocket *sioc = NULL;
3936     if (nwsaddr != 0) {
3937         error_setg(errp, "Cannot use websockets in reverse mode");
3938         return -1;
3939     }
3940     if (nsaddr != 1) {
3941         error_setg(errp, "Expected a single address in reverse mode");
3942         return -1;
3943     }
3944     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3945     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3946     sioc = qio_channel_socket_new();
3947     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3948     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3949         object_unref(OBJECT(sioc));
3950         return -1;
3951     }
3952     vnc_connect(vd, sioc, false, false);
3953     object_unref(OBJECT(sioc));
3954     return 0;
3955 }
3956 
3957 
3958 static int vnc_display_listen(VncDisplay *vd,
3959                               SocketAddress **saddr,
3960                               size_t nsaddr,
3961                               SocketAddress **wsaddr,
3962                               size_t nwsaddr,
3963                               Error **errp)
3964 {
3965     size_t i;
3966 
3967     if (nsaddr) {
3968         vd->listener = qio_net_listener_new();
3969         qio_net_listener_set_name(vd->listener, "vnc-listen");
3970         for (i = 0; i < nsaddr; i++) {
3971             if (qio_net_listener_open_sync(vd->listener,
3972                                            saddr[i], 1,
3973                                            errp) < 0)  {
3974                 return -1;
3975             }
3976         }
3977 
3978         qio_net_listener_set_client_func(vd->listener,
3979                                          vnc_listen_io, vd, NULL);
3980     }
3981 
3982     if (nwsaddr) {
3983         vd->wslistener = qio_net_listener_new();
3984         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3985         for (i = 0; i < nwsaddr; i++) {
3986             if (qio_net_listener_open_sync(vd->wslistener,
3987                                            wsaddr[i], 1,
3988                                            errp) < 0)  {
3989                 return -1;
3990             }
3991         }
3992 
3993         qio_net_listener_set_client_func(vd->wslistener,
3994                                          vnc_listen_io, vd, NULL);
3995     }
3996 
3997     return 0;
3998 }
3999 
4000 
4001 void vnc_display_open(const char *id, Error **errp)
4002 {
4003     VncDisplay *vd = vnc_display_find(id);
4004     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4005     SocketAddress **saddr = NULL, **wsaddr = NULL;
4006     size_t nsaddr, nwsaddr;
4007     const char *share, *device_id;
4008     QemuConsole *con;
4009     bool password = false;
4010     bool reverse = false;
4011     const char *credid;
4012     bool sasl = false;
4013     const char *tlsauthz;
4014     const char *saslauthz;
4015     int lock_key_sync = 1;
4016     int key_delay_ms;
4017     const char *audiodev;
4018     const char *passwordSecret;
4019 
4020     if (!vd) {
4021         error_setg(errp, "VNC display not active");
4022         return;
4023     }
4024     vnc_display_close(vd);
4025 
4026     if (!opts) {
4027         return;
4028     }
4029 
4030     reverse = qemu_opt_get_bool(opts, "reverse", false);
4031     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
4032                                   &wsaddr, &nwsaddr, errp) < 0) {
4033         goto fail;
4034     }
4035 
4036 
4037     passwordSecret = qemu_opt_get(opts, "password-secret");
4038     if (passwordSecret) {
4039         if (qemu_opt_get(opts, "password")) {
4040             error_setg(errp,
4041                        "'password' flag is redundant with 'password-secret'");
4042             goto fail;
4043         }
4044         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4045                                                      errp);
4046         if (!vd->password) {
4047             goto fail;
4048         }
4049         password = true;
4050     } else {
4051         password = qemu_opt_get_bool(opts, "password", false);
4052     }
4053     if (password) {
4054         if (fips_get_state()) {
4055             error_setg(errp,
4056                        "VNC password auth disabled due to FIPS mode, "
4057                        "consider using the VeNCrypt or SASL authentication "
4058                        "methods as an alternative");
4059             goto fail;
4060         }
4061         if (!qcrypto_cipher_supports(
4062                 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4063             error_setg(errp,
4064                        "Cipher backend does not support DES algorithm");
4065             goto fail;
4066         }
4067     }
4068 
4069     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4070     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4071     sasl = qemu_opt_get_bool(opts, "sasl", false);
4072 #ifndef CONFIG_VNC_SASL
4073     if (sasl) {
4074         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4075         goto fail;
4076     }
4077 #endif /* CONFIG_VNC_SASL */
4078     credid = qemu_opt_get(opts, "tls-creds");
4079     if (credid) {
4080         Object *creds;
4081         creds = object_resolve_path_component(
4082             object_get_objects_root(), credid);
4083         if (!creds) {
4084             error_setg(errp, "No TLS credentials with id '%s'",
4085                        credid);
4086             goto fail;
4087         }
4088         vd->tlscreds = (QCryptoTLSCreds *)
4089             object_dynamic_cast(creds,
4090                                 TYPE_QCRYPTO_TLS_CREDS);
4091         if (!vd->tlscreds) {
4092             error_setg(errp, "Object with id '%s' is not TLS credentials",
4093                        credid);
4094             goto fail;
4095         }
4096         object_ref(OBJECT(vd->tlscreds));
4097 
4098         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4099                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4100                                               errp)) {
4101             goto fail;
4102         }
4103     }
4104     tlsauthz = qemu_opt_get(opts, "tls-authz");
4105     if (tlsauthz && !vd->tlscreds) {
4106         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4107         goto fail;
4108     }
4109 
4110     saslauthz = qemu_opt_get(opts, "sasl-authz");
4111     if (saslauthz && !sasl) {
4112         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4113         goto fail;
4114     }
4115 
4116     share = qemu_opt_get(opts, "share");
4117     if (share) {
4118         if (strcmp(share, "ignore") == 0) {
4119             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4120         } else if (strcmp(share, "allow-exclusive") == 0) {
4121             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4122         } else if (strcmp(share, "force-shared") == 0) {
4123             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4124         } else {
4125             error_setg(errp, "unknown vnc share= option");
4126             goto fail;
4127         }
4128     } else {
4129         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4130     }
4131     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4132 
4133 #ifdef CONFIG_VNC_JPEG
4134     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4135 #endif
4136     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4137     /* adaptive updates are only used with tight encoding and
4138      * if lossy updates are enabled so we can disable all the
4139      * calculations otherwise */
4140     if (!vd->lossy) {
4141         vd->non_adaptive = true;
4142     }
4143 
4144     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4145 
4146     if (tlsauthz) {
4147         vd->tlsauthzid = g_strdup(tlsauthz);
4148     }
4149 #ifdef CONFIG_VNC_SASL
4150     if (sasl) {
4151         if (saslauthz) {
4152             vd->sasl.authzid = g_strdup(saslauthz);
4153         }
4154     }
4155 #endif
4156 
4157     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4158                                vd->tlscreds, password,
4159                                sasl, false, errp) < 0) {
4160         goto fail;
4161     }
4162     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4163 
4164     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4165                                vd->tlscreds, password,
4166                                sasl, true, errp) < 0) {
4167         goto fail;
4168     }
4169     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4170 
4171 #ifdef CONFIG_VNC_SASL
4172     if (sasl && !vnc_sasl_server_init(errp)) {
4173         goto fail;
4174     }
4175 #endif
4176     vd->lock_key_sync = lock_key_sync;
4177     if (lock_key_sync) {
4178         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4179     }
4180     vd->ledstate = 0;
4181 
4182     audiodev = qemu_opt_get(opts, "audiodev");
4183     if (audiodev) {
4184         vd->audio_state = audio_state_by_name(audiodev);
4185         if (!vd->audio_state) {
4186             error_setg(errp, "Audiodev '%s' not found", audiodev);
4187             goto fail;
4188         }
4189     }
4190 
4191     device_id = qemu_opt_get(opts, "display");
4192     if (device_id) {
4193         int head = qemu_opt_get_number(opts, "head", 0);
4194         Error *err = NULL;
4195 
4196         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4197         if (err) {
4198             error_propagate(errp, err);
4199             goto fail;
4200         }
4201     } else {
4202         con = NULL;
4203     }
4204 
4205     if (con != vd->dcl.con) {
4206         qkbd_state_free(vd->kbd);
4207         unregister_displaychangelistener(&vd->dcl);
4208         vd->dcl.con = con;
4209         register_displaychangelistener(&vd->dcl);
4210         vd->kbd = qkbd_state_init(vd->dcl.con);
4211     }
4212     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4213 
4214     if (saddr == NULL) {
4215         goto cleanup;
4216     }
4217 
4218     if (reverse) {
4219         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4220             goto fail;
4221         }
4222     } else {
4223         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4224             goto fail;
4225         }
4226     }
4227 
4228     if (qemu_opt_get(opts, "to")) {
4229         vnc_display_print_local_addr(vd);
4230     }
4231 
4232  cleanup:
4233     vnc_free_addresses(&saddr, &nsaddr);
4234     vnc_free_addresses(&wsaddr, &nwsaddr);
4235     return;
4236 
4237 fail:
4238     vnc_display_close(vd);
4239     goto cleanup;
4240 }
4241 
4242 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4243 {
4244     VncDisplay *vd = vnc_display_find(id);
4245     QIOChannelSocket *sioc;
4246 
4247     if (!vd) {
4248         return;
4249     }
4250 
4251     sioc = qio_channel_socket_new_fd(csock, NULL);
4252     if (sioc) {
4253         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4254         vnc_connect(vd, sioc, skipauth, false);
4255         object_unref(OBJECT(sioc));
4256     }
4257 }
4258 
4259 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4260 {
4261     int i = 2;
4262     char *id;
4263 
4264     id = g_strdup("default");
4265     while (qemu_opts_find(olist, id)) {
4266         g_free(id);
4267         id = g_strdup_printf("vnc%d", i++);
4268     }
4269     qemu_opts_set_id(opts, id);
4270 }
4271 
4272 void vnc_parse(const char *str)
4273 {
4274     QemuOptsList *olist = qemu_find_opts("vnc");
4275     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4276     const char *id;
4277 
4278     if (!opts) {
4279         exit(1);
4280     }
4281 
4282     id = qemu_opts_id(opts);
4283     if (!id) {
4284         /* auto-assign id if not present */
4285         vnc_auto_assign_id(olist, opts);
4286     }
4287 }
4288 
4289 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4290 {
4291     Error *local_err = NULL;
4292     char *id = (char *)qemu_opts_id(opts);
4293 
4294     assert(id);
4295     vnc_display_init(id, &local_err);
4296     if (local_err) {
4297         error_propagate(errp, local_err);
4298         return -1;
4299     }
4300     vnc_display_open(id, &local_err);
4301     if (local_err != NULL) {
4302         error_propagate(errp, local_err);
4303         return -1;
4304     }
4305     return 0;
4306 }
4307 
4308 static void vnc_register_config(void)
4309 {
4310     qemu_add_opts(&qemu_vnc_opts);
4311 }
4312 opts_init(vnc_register_config);
4313