xref: /openbmc/qemu/ui/vnc.c (revision 39734497)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscreds.h"
49 #include "crypto/tlscredsanon.h"
50 #include "crypto/tlscredsx509.h"
51 #include "crypto/random.h"
52 #include "crypto/secret_common.h"
53 #include "qom/object_interfaces.h"
54 #include "qemu/cutils.h"
55 #include "qemu/help_option.h"
56 #include "io/dns-resolver.h"
57 #include "monitor/monitor.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->auth = g_strdup(vnc_auth_name(vd));
248     if (err) {
249         qapi_free_VncServerInfo(info);
250         info = NULL;
251         error_free(err);
252     }
253     return info;
254 }
255 
256 static void vnc_client_cache_auth(VncState *client)
257 {
258     if (!client->info) {
259         return;
260     }
261 
262     if (client->tls) {
263         client->info->x509_dname =
264             qcrypto_tls_session_get_peer_name(client->tls);
265     }
266 #ifdef CONFIG_VNC_SASL
267     if (client->sasl.conn &&
268         client->sasl.username) {
269         client->info->sasl_username = g_strdup(client->sasl.username);
270     }
271 #endif
272 }
273 
274 static void vnc_client_cache_addr(VncState *client)
275 {
276     Error *err = NULL;
277 
278     client->info = g_malloc0(sizeof(*client->info));
279     vnc_init_basic_info_from_remote_addr(client->sioc,
280                                          qapi_VncClientInfo_base(client->info),
281                                          &err);
282     client->info->websocket = client->websocket;
283     if (err) {
284         qapi_free_VncClientInfo(client->info);
285         client->info = NULL;
286         error_free(err);
287     }
288 }
289 
290 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
291 {
292     VncServerInfo *si;
293 
294     if (!vs->info) {
295         return;
296     }
297 
298     si = vnc_server_info_get(vs->vd);
299     if (!si) {
300         return;
301     }
302 
303     switch (event) {
304     case QAPI_EVENT_VNC_CONNECTED:
305         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
306         break;
307     case QAPI_EVENT_VNC_INITIALIZED:
308         qapi_event_send_vnc_initialized(si, vs->info);
309         break;
310     case QAPI_EVENT_VNC_DISCONNECTED:
311         qapi_event_send_vnc_disconnected(si, vs->info);
312         break;
313     default:
314         break;
315     }
316 
317     qapi_free_VncServerInfo(si);
318 }
319 
320 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
321 {
322     VncClientInfo *info;
323     Error *err = NULL;
324 
325     info = g_malloc0(sizeof(*info));
326 
327     vnc_init_basic_info_from_remote_addr(client->sioc,
328                                          qapi_VncClientInfo_base(info),
329                                          &err);
330     if (err) {
331         error_free(err);
332         qapi_free_VncClientInfo(info);
333         return NULL;
334     }
335 
336     info->websocket = client->websocket;
337 
338     if (client->tls) {
339         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->sasl_username = g_strdup(client->sasl.username);
344     }
345 #endif
346 
347     return info;
348 }
349 
350 static VncDisplay *vnc_display_find(const char *id)
351 {
352     VncDisplay *vd;
353 
354     if (id == NULL) {
355         return QTAILQ_FIRST(&vnc_displays);
356     }
357     QTAILQ_FOREACH(vd, &vnc_displays, next) {
358         if (strcmp(id, vd->id) == 0) {
359             return vd;
360         }
361     }
362     return NULL;
363 }
364 
365 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
366 {
367     VncClientInfoList *prev = NULL;
368     VncState *client;
369 
370     QTAILQ_FOREACH(client, &vd->clients, next) {
371         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
372     }
373     return prev;
374 }
375 
376 VncInfo *qmp_query_vnc(Error **errp)
377 {
378     VncInfo *info = g_malloc0(sizeof(*info));
379     VncDisplay *vd = vnc_display_find(NULL);
380     SocketAddress *addr = NULL;
381 
382     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
383         info->enabled = false;
384     } else {
385         info->enabled = true;
386 
387         /* for compatibility with the original command */
388         info->has_clients = true;
389         info->clients = qmp_query_client_list(vd);
390 
391         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
392                                                     errp);
393         if (!addr) {
394             goto out_error;
395         }
396 
397         switch (addr->type) {
398         case SOCKET_ADDRESS_TYPE_INET:
399             info->host = g_strdup(addr->u.inet.host);
400             info->service = g_strdup(addr->u.inet.port);
401             if (addr->u.inet.ipv6) {
402                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
403             } else {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
405             }
406             break;
407 
408         case SOCKET_ADDRESS_TYPE_UNIX:
409             info->host = g_strdup("");
410             info->service = g_strdup(addr->u.q_unix.path);
411             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_VSOCK:
415         case SOCKET_ADDRESS_TYPE_FD:
416             error_setg(errp, "Unsupported socket address type %s",
417                        SocketAddressType_str(addr->type));
418             goto out_error;
419         default:
420             abort();
421         }
422 
423         info->has_family = true;
424 
425         info->auth = g_strdup(vnc_auth_name(vd));
426     }
427 
428     qapi_free_SocketAddress(addr);
429     return info;
430 
431 out_error:
432     qapi_free_SocketAddress(addr);
433     qapi_free_VncInfo(info);
434     return NULL;
435 }
436 
437 
438 static void qmp_query_auth(int auth, int subauth,
439                            VncPrimaryAuth *qmp_auth,
440                            VncVencryptSubAuth *qmp_vencrypt,
441                            bool *qmp_has_vencrypt);
442 
443 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
444                                                   bool websocket,
445                                                   int auth,
446                                                   int subauth,
447                                                   VncServerInfo2List *prev)
448 {
449     VncServerInfo2 *info;
450     Error *err = NULL;
451     SocketAddress *addr;
452 
453     addr = qio_channel_socket_get_local_address(ioc, NULL);
454     if (!addr) {
455         return prev;
456     }
457 
458     info = g_new0(VncServerInfo2, 1);
459     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
460     qapi_free_SocketAddress(addr);
461     if (err) {
462         qapi_free_VncServerInfo2(info);
463         error_free(err);
464         return prev;
465     }
466     info->websocket = websocket;
467 
468     qmp_query_auth(auth, subauth, &info->auth,
469                    &info->vencrypt, &info->has_vencrypt);
470 
471     QAPI_LIST_PREPEND(prev, info);
472     return prev;
473 }
474 
475 static void qmp_query_auth(int auth, int subauth,
476                            VncPrimaryAuth *qmp_auth,
477                            VncVencryptSubAuth *qmp_vencrypt,
478                            bool *qmp_has_vencrypt)
479 {
480     switch (auth) {
481     case VNC_AUTH_VNC:
482         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
483         break;
484     case VNC_AUTH_RA2:
485         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
486         break;
487     case VNC_AUTH_RA2NE:
488         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
489         break;
490     case VNC_AUTH_TIGHT:
491         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
492         break;
493     case VNC_AUTH_ULTRA:
494         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
495         break;
496     case VNC_AUTH_TLS:
497         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
498         break;
499     case VNC_AUTH_VENCRYPT:
500         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
501         *qmp_has_vencrypt = true;
502         switch (subauth) {
503         case VNC_AUTH_VENCRYPT_PLAIN:
504             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
505             break;
506         case VNC_AUTH_VENCRYPT_TLSNONE:
507             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
508             break;
509         case VNC_AUTH_VENCRYPT_TLSVNC:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSPLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_X509NONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_X509VNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_X509PLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_TLSSASL:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
526             break;
527         case VNC_AUTH_VENCRYPT_X509SASL:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
529             break;
530         default:
531             *qmp_has_vencrypt = false;
532             break;
533         }
534         break;
535     case VNC_AUTH_SASL:
536         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
537         break;
538     case VNC_AUTH_NONE:
539     default:
540         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
541         break;
542     }
543 }
544 
545 VncInfo2List *qmp_query_vnc_servers(Error **errp)
546 {
547     VncInfo2List *prev = NULL;
548     VncInfo2 *info;
549     VncDisplay *vd;
550     DeviceState *dev;
551     size_t i;
552 
553     QTAILQ_FOREACH(vd, &vnc_displays, next) {
554         info = g_new0(VncInfo2, 1);
555         info->id = g_strdup(vd->id);
556         info->clients = qmp_query_client_list(vd);
557         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
558                        &info->vencrypt, &info->has_vencrypt);
559         if (vd->dcl.con) {
560             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
561                                                   "device", &error_abort));
562             info->display = g_strdup(dev->id);
563         }
564         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
565             info->server = qmp_query_server_entry(
566                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
567                 info->server);
568         }
569         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
570             info->server = qmp_query_server_entry(
571                 vd->wslistener->sioc[i], true, vd->ws_auth,
572                 vd->ws_subauth, info->server);
573         }
574 
575         QAPI_LIST_PREPEND(prev, info);
576     }
577     return prev;
578 }
579 
580 bool vnc_display_reload_certs(const char *id, Error **errp)
581 {
582     VncDisplay *vd = vnc_display_find(id);
583     QCryptoTLSCredsClass *creds = NULL;
584 
585     if (!vd) {
586         error_setg(errp, "Can not find vnc display");
587         return false;
588     }
589 
590     if (!vd->tlscreds) {
591         error_setg(errp, "vnc tls is not enabled");
592         return false;
593     }
594 
595     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
596     if (creds->reload == NULL) {
597         error_setg(errp, "%s doesn't support to reload TLS credential",
598                    object_get_typename(OBJECT(vd->tlscreds)));
599         return false;
600     }
601     if (!creds->reload(vd->tlscreds, errp)) {
602         return false;
603     }
604 
605     return true;
606 }
607 
608 /* TODO
609    1) Get the queue working for IO.
610    2) there is some weirdness when using the -S option (the screen is grey
611       and not totally invalidated
612    3) resolutions > 1024
613 */
614 
615 static int vnc_update_client(VncState *vs, int has_dirty);
616 static void vnc_disconnect_start(VncState *vs);
617 
618 static void vnc_colordepth(VncState *vs);
619 static void framebuffer_update_request(VncState *vs, int incremental,
620                                        int x_position, int y_position,
621                                        int w, int h);
622 static void vnc_refresh(DisplayChangeListener *dcl);
623 static int vnc_refresh_server_surface(VncDisplay *vd);
624 
625 static int vnc_width(VncDisplay *vd)
626 {
627     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
628                                        VNC_DIRTY_PIXELS_PER_BIT));
629 }
630 
631 static int vnc_true_width(VncDisplay *vd)
632 {
633     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
634 }
635 
636 static int vnc_height(VncDisplay *vd)
637 {
638     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
639 }
640 
641 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
642                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
643                                VncDisplay *vd,
644                                int x, int y, int w, int h)
645 {
646     int width = vnc_width(vd);
647     int height = vnc_height(vd);
648 
649     /* this is needed this to ensure we updated all affected
650      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
651     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
652     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
653 
654     x = MIN(x, width);
655     y = MIN(y, height);
656     w = MIN(x + w, width) - x;
657     h = MIN(y + h, height);
658 
659     for (; y < h; y++) {
660         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
661                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
662     }
663 }
664 
665 static void vnc_dpy_update(DisplayChangeListener *dcl,
666                            int x, int y, int w, int h)
667 {
668     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
669     struct VncSurface *s = &vd->guest;
670 
671     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
672 }
673 
674 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
675                             int32_t encoding)
676 {
677     vnc_write_u16(vs, x);
678     vnc_write_u16(vs, y);
679     vnc_write_u16(vs, w);
680     vnc_write_u16(vs, h);
681 
682     vnc_write_s32(vs, encoding);
683 }
684 
685 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
686 {
687     trace_vnc_msg_server_ext_desktop_resize(
688         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
689 
690     vnc_lock_output(vs);
691     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
692     vnc_write_u8(vs, 0);
693     vnc_write_u16(vs, 1); /* number of rects */
694     vnc_framebuffer_update(vs,
695                            reject_reason ? 1 : 0,
696                            reject_reason,
697                            vs->client_width, vs->client_height,
698                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
699     vnc_write_u8(vs, 1);  /* number of screens */
700     vnc_write_u8(vs, 0);  /* padding */
701     vnc_write_u8(vs, 0);  /* padding */
702     vnc_write_u8(vs, 0);  /* padding */
703     vnc_write_u32(vs, 0); /* screen id */
704     vnc_write_u16(vs, 0); /* screen x-pos */
705     vnc_write_u16(vs, 0); /* screen y-pos */
706     vnc_write_u16(vs, vs->client_width);
707     vnc_write_u16(vs, vs->client_height);
708     vnc_write_u32(vs, 0); /* screen flags */
709     vnc_unlock_output(vs);
710     vnc_flush(vs);
711 }
712 
713 static void vnc_desktop_resize(VncState *vs)
714 {
715     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
716                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
717         return;
718     }
719     if (vs->client_width == vs->vd->true_width &&
720         vs->client_height == pixman_image_get_height(vs->vd->server)) {
721         return;
722     }
723 
724     assert(vs->vd->true_width < 65536 &&
725            vs->vd->true_width >= 0);
726     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
727            pixman_image_get_height(vs->vd->server) >= 0);
728     vs->client_width = vs->vd->true_width;
729     vs->client_height = pixman_image_get_height(vs->vd->server);
730 
731     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
732         vnc_desktop_resize_ext(vs, 0);
733         return;
734     }
735 
736     trace_vnc_msg_server_desktop_resize(
737         vs, vs->ioc, vs->client_width, vs->client_height);
738 
739     vnc_lock_output(vs);
740     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
741     vnc_write_u8(vs, 0);
742     vnc_write_u16(vs, 1); /* number of rects */
743     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
744                            VNC_ENCODING_DESKTOPRESIZE);
745     vnc_unlock_output(vs);
746     vnc_flush(vs);
747 }
748 
749 static void vnc_abort_display_jobs(VncDisplay *vd)
750 {
751     VncState *vs;
752 
753     QTAILQ_FOREACH(vs, &vd->clients, next) {
754         vnc_lock_output(vs);
755         vs->abort = true;
756         vnc_unlock_output(vs);
757     }
758     QTAILQ_FOREACH(vs, &vd->clients, next) {
759         vnc_jobs_join(vs);
760     }
761     QTAILQ_FOREACH(vs, &vd->clients, next) {
762         vnc_lock_output(vs);
763         if (vs->update == VNC_STATE_UPDATE_NONE &&
764             vs->job_update != VNC_STATE_UPDATE_NONE) {
765             /* job aborted before completion */
766             vs->update = vs->job_update;
767             vs->job_update = VNC_STATE_UPDATE_NONE;
768         }
769         vs->abort = false;
770         vnc_unlock_output(vs);
771     }
772 }
773 
774 int vnc_server_fb_stride(VncDisplay *vd)
775 {
776     return pixman_image_get_stride(vd->server);
777 }
778 
779 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
780 {
781     uint8_t *ptr;
782 
783     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
784     ptr += y * vnc_server_fb_stride(vd);
785     ptr += x * VNC_SERVER_FB_BYTES;
786     return ptr;
787 }
788 
789 static void vnc_update_server_surface(VncDisplay *vd)
790 {
791     int width, height;
792 
793     qemu_pixman_image_unref(vd->server);
794     vd->server = NULL;
795 
796     if (QTAILQ_EMPTY(&vd->clients)) {
797         return;
798     }
799 
800     width = vnc_width(vd);
801     height = vnc_height(vd);
802     vd->true_width = vnc_true_width(vd);
803     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
804                                           width, height,
805                                           NULL, 0);
806 
807     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
808     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
809                        width, height);
810 }
811 
812 static bool vnc_check_pageflip(DisplaySurface *s1,
813                                DisplaySurface *s2)
814 {
815     return (s1 != NULL &&
816             s2 != NULL &&
817             surface_width(s1) == surface_width(s2) &&
818             surface_height(s1) == surface_height(s2) &&
819             surface_format(s1) == surface_format(s2));
820 
821 }
822 
823 static void vnc_dpy_switch(DisplayChangeListener *dcl,
824                            DisplaySurface *surface)
825 {
826     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
827     bool pageflip = vnc_check_pageflip(vd->ds, surface);
828     VncState *vs;
829 
830     vnc_abort_display_jobs(vd);
831     vd->ds = surface;
832 
833     /* guest surface */
834     qemu_pixman_image_unref(vd->guest.fb);
835     vd->guest.fb = pixman_image_ref(surface->image);
836     vd->guest.format = surface_format(surface);
837 
838 
839     if (pageflip) {
840         trace_vnc_server_dpy_pageflip(vd,
841                                       surface_width(surface),
842                                       surface_height(surface),
843                                       surface_format(surface));
844         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
845                            surface_width(surface),
846                            surface_height(surface));
847         return;
848     }
849 
850     trace_vnc_server_dpy_recreate(vd,
851                                   surface_width(surface),
852                                   surface_height(surface),
853                                   surface_format(surface));
854     /* server surface */
855     vnc_update_server_surface(vd);
856 
857     QTAILQ_FOREACH(vs, &vd->clients, next) {
858         vnc_colordepth(vs);
859         vnc_desktop_resize(vs);
860         vnc_cursor_define(vs);
861         memset(vs->dirty, 0x00, sizeof(vs->dirty));
862         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
863                            vnc_width(vd),
864                            vnc_height(vd));
865         vnc_update_throttle_offset(vs);
866     }
867 }
868 
869 /* fastest code */
870 static void vnc_write_pixels_copy(VncState *vs,
871                                   void *pixels, int size)
872 {
873     vnc_write(vs, pixels, size);
874 }
875 
876 /* slowest but generic code. */
877 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
878 {
879     uint8_t r, g, b;
880 
881 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
882     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
883     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
884     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
885 #else
886 # error need some bits here if you change VNC_SERVER_FB_FORMAT
887 #endif
888     v = (r << vs->client_pf.rshift) |
889         (g << vs->client_pf.gshift) |
890         (b << vs->client_pf.bshift);
891     switch (vs->client_pf.bytes_per_pixel) {
892     case 1:
893         buf[0] = v;
894         break;
895     case 2:
896         if (vs->client_be) {
897             buf[0] = v >> 8;
898             buf[1] = v;
899         } else {
900             buf[1] = v >> 8;
901             buf[0] = v;
902         }
903         break;
904     default:
905     case 4:
906         if (vs->client_be) {
907             buf[0] = v >> 24;
908             buf[1] = v >> 16;
909             buf[2] = v >> 8;
910             buf[3] = v;
911         } else {
912             buf[3] = v >> 24;
913             buf[2] = v >> 16;
914             buf[1] = v >> 8;
915             buf[0] = v;
916         }
917         break;
918     }
919 }
920 
921 static void vnc_write_pixels_generic(VncState *vs,
922                                      void *pixels1, int size)
923 {
924     uint8_t buf[4];
925 
926     if (VNC_SERVER_FB_BYTES == 4) {
927         uint32_t *pixels = pixels1;
928         int n, i;
929         n = size >> 2;
930         for (i = 0; i < n; i++) {
931             vnc_convert_pixel(vs, buf, pixels[i]);
932             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
933         }
934     }
935 }
936 
937 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
938 {
939     int i;
940     uint8_t *row;
941     VncDisplay *vd = vs->vd;
942 
943     row = vnc_server_fb_ptr(vd, x, y);
944     for (i = 0; i < h; i++) {
945         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
946         row += vnc_server_fb_stride(vd);
947     }
948     return 1;
949 }
950 
951 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
952 {
953     int n = 0;
954 
955     switch(vs->vnc_encoding) {
956         case VNC_ENCODING_ZLIB:
957             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
958             break;
959         case VNC_ENCODING_HEXTILE:
960             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
961             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
962             break;
963         case VNC_ENCODING_TIGHT:
964             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
965             break;
966         case VNC_ENCODING_TIGHT_PNG:
967             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_ZRLE:
970             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
971             break;
972         case VNC_ENCODING_ZYWRLE:
973             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
974             break;
975         default:
976             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
977             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
978             break;
979     }
980     return n;
981 }
982 
983 static void vnc_mouse_set(DisplayChangeListener *dcl,
984                           int x, int y, bool visible)
985 {
986     /* can we ask the client(s) to move the pointer ??? */
987 }
988 
989 static int vnc_cursor_define(VncState *vs)
990 {
991     QEMUCursor *c = qemu_console_get_cursor(vs->vd->dcl.con);
992     int isize;
993 
994     if (!c) {
995         return -1;
996     }
997 
998     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
999         vnc_lock_output(vs);
1000         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1001         vnc_write_u8(vs,  0);  /*  padding     */
1002         vnc_write_u16(vs, 1);  /*  # of rects  */
1003         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1004                                VNC_ENCODING_ALPHA_CURSOR);
1005         vnc_write_s32(vs, VNC_ENCODING_RAW);
1006         vnc_write(vs, c->data, c->width * c->height * 4);
1007         vnc_unlock_output(vs);
1008         return 0;
1009     }
1010     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1011         vnc_lock_output(vs);
1012         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1013         vnc_write_u8(vs,  0);  /*  padding     */
1014         vnc_write_u16(vs, 1);  /*  # of rects  */
1015         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1016                                VNC_ENCODING_RICH_CURSOR);
1017         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1018         vnc_write_pixels_generic(vs, c->data, isize);
1019         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1020         vnc_unlock_output(vs);
1021         return 0;
1022     }
1023     return -1;
1024 }
1025 
1026 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1027                                   QEMUCursor *c)
1028 {
1029     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1030     VncState *vs;
1031 
1032     g_free(vd->cursor_mask);
1033     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1034     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1035     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1036 
1037     QTAILQ_FOREACH(vs, &vd->clients, next) {
1038         vnc_cursor_define(vs);
1039     }
1040 }
1041 
1042 static int find_and_clear_dirty_height(VncState *vs,
1043                                        int y, int last_x, int x, int height)
1044 {
1045     int h;
1046 
1047     for (h = 1; h < (height - y); h++) {
1048         if (!test_bit(last_x, vs->dirty[y + h])) {
1049             break;
1050         }
1051         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1052     }
1053 
1054     return h;
1055 }
1056 
1057 /*
1058  * Figure out how much pending data we should allow in the output
1059  * buffer before we throttle incremental display updates, and/or
1060  * drop audio samples.
1061  *
1062  * We allow for equiv of 1 full display's worth of FB updates,
1063  * and 1 second of audio samples. If audio backlog was larger
1064  * than that the client would already suffering awful audio
1065  * glitches, so dropping samples is no worse really).
1066  */
1067 static void vnc_update_throttle_offset(VncState *vs)
1068 {
1069     size_t offset =
1070         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1071 
1072     if (vs->audio_cap) {
1073         int bps;
1074         switch (vs->as.fmt) {
1075         default:
1076         case  AUDIO_FORMAT_U8:
1077         case  AUDIO_FORMAT_S8:
1078             bps = 1;
1079             break;
1080         case  AUDIO_FORMAT_U16:
1081         case  AUDIO_FORMAT_S16:
1082             bps = 2;
1083             break;
1084         case  AUDIO_FORMAT_U32:
1085         case  AUDIO_FORMAT_S32:
1086             bps = 4;
1087             break;
1088         }
1089         offset += vs->as.freq * bps * vs->as.nchannels;
1090     }
1091 
1092     /* Put a floor of 1MB on offset, so that if we have a large pending
1093      * buffer and the display is resized to a small size & back again
1094      * we don't suddenly apply a tiny send limit
1095      */
1096     offset = MAX(offset, 1024 * 1024);
1097 
1098     if (vs->throttle_output_offset != offset) {
1099         trace_vnc_client_throttle_threshold(
1100             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1101             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1102     }
1103 
1104     vs->throttle_output_offset = offset;
1105 }
1106 
1107 static bool vnc_should_update(VncState *vs)
1108 {
1109     switch (vs->update) {
1110     case VNC_STATE_UPDATE_NONE:
1111         break;
1112     case VNC_STATE_UPDATE_INCREMENTAL:
1113         /* Only allow incremental updates if the pending send queue
1114          * is less than the permitted threshold, and the job worker
1115          * is completely idle.
1116          */
1117         if (vs->output.offset < vs->throttle_output_offset &&
1118             vs->job_update == VNC_STATE_UPDATE_NONE) {
1119             return true;
1120         }
1121         trace_vnc_client_throttle_incremental(
1122             vs, vs->ioc, vs->job_update, vs->output.offset);
1123         break;
1124     case VNC_STATE_UPDATE_FORCE:
1125         /* Only allow forced updates if the pending send queue
1126          * does not contain a previous forced update, and the
1127          * job worker is completely idle.
1128          *
1129          * Note this means we'll queue a forced update, even if
1130          * the output buffer size is otherwise over the throttle
1131          * output limit.
1132          */
1133         if (vs->force_update_offset == 0 &&
1134             vs->job_update == VNC_STATE_UPDATE_NONE) {
1135             return true;
1136         }
1137         trace_vnc_client_throttle_forced(
1138             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1139         break;
1140     }
1141     return false;
1142 }
1143 
1144 static int vnc_update_client(VncState *vs, int has_dirty)
1145 {
1146     VncDisplay *vd = vs->vd;
1147     VncJob *job;
1148     int y;
1149     int height, width;
1150     int n = 0;
1151 
1152     if (vs->disconnecting) {
1153         vnc_disconnect_finish(vs);
1154         return 0;
1155     }
1156 
1157     vs->has_dirty += has_dirty;
1158     if (!vnc_should_update(vs)) {
1159         return 0;
1160     }
1161 
1162     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1163         return 0;
1164     }
1165 
1166     /*
1167      * Send screen updates to the vnc client using the server
1168      * surface and server dirty map.  guest surface updates
1169      * happening in parallel don't disturb us, the next pass will
1170      * send them to the client.
1171      */
1172     job = vnc_job_new(vs);
1173 
1174     height = pixman_image_get_height(vd->server);
1175     width = pixman_image_get_width(vd->server);
1176 
1177     y = 0;
1178     for (;;) {
1179         int x, h;
1180         unsigned long x2;
1181         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1182                                              height * VNC_DIRTY_BPL(vs),
1183                                              y * VNC_DIRTY_BPL(vs));
1184         if (offset == height * VNC_DIRTY_BPL(vs)) {
1185             /* no more dirty bits */
1186             break;
1187         }
1188         y = offset / VNC_DIRTY_BPL(vs);
1189         x = offset % VNC_DIRTY_BPL(vs);
1190         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1191                                 VNC_DIRTY_BPL(vs), x);
1192         bitmap_clear(vs->dirty[y], x, x2 - x);
1193         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1194         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1195         if (x2 > x) {
1196             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1197                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1198         }
1199         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1200             y += h;
1201             if (y == height) {
1202                 break;
1203             }
1204         }
1205     }
1206 
1207     vs->job_update = vs->update;
1208     vs->update = VNC_STATE_UPDATE_NONE;
1209     vnc_job_push(job);
1210     vs->has_dirty = 0;
1211     return n;
1212 }
1213 
1214 /* audio */
1215 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1216 {
1217     VncState *vs = opaque;
1218 
1219     assert(vs->magic == VNC_MAGIC);
1220     switch (cmd) {
1221     case AUD_CNOTIFY_DISABLE:
1222         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1223         vnc_lock_output(vs);
1224         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1225         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1226         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1227         vnc_unlock_output(vs);
1228         vnc_flush(vs);
1229         break;
1230 
1231     case AUD_CNOTIFY_ENABLE:
1232         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1233         vnc_lock_output(vs);
1234         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1235         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1236         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1237         vnc_unlock_output(vs);
1238         vnc_flush(vs);
1239         break;
1240     }
1241 }
1242 
1243 static void audio_capture_destroy(void *opaque)
1244 {
1245 }
1246 
1247 static void audio_capture(void *opaque, const void *buf, int size)
1248 {
1249     VncState *vs = opaque;
1250 
1251     assert(vs->magic == VNC_MAGIC);
1252     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1253     vnc_lock_output(vs);
1254     if (vs->output.offset < vs->throttle_output_offset) {
1255         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1256         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1257         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1258         vnc_write_u32(vs, size);
1259         vnc_write(vs, buf, size);
1260     } else {
1261         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1262     }
1263     vnc_unlock_output(vs);
1264     vnc_flush(vs);
1265 }
1266 
1267 static void audio_add(VncState *vs)
1268 {
1269     struct audio_capture_ops ops;
1270 
1271     if (vs->audio_cap) {
1272         error_report("audio already running");
1273         return;
1274     }
1275 
1276     ops.notify = audio_capture_notify;
1277     ops.destroy = audio_capture_destroy;
1278     ops.capture = audio_capture;
1279 
1280     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1281     if (!vs->audio_cap) {
1282         error_report("Failed to add audio capture");
1283     }
1284 }
1285 
1286 static void audio_del(VncState *vs)
1287 {
1288     if (vs->audio_cap) {
1289         AUD_del_capture(vs->audio_cap, vs);
1290         vs->audio_cap = NULL;
1291     }
1292 }
1293 
1294 static void vnc_disconnect_start(VncState *vs)
1295 {
1296     if (vs->disconnecting) {
1297         return;
1298     }
1299     trace_vnc_client_disconnect_start(vs, vs->ioc);
1300     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1301     if (vs->ioc_tag) {
1302         g_source_remove(vs->ioc_tag);
1303         vs->ioc_tag = 0;
1304     }
1305     qio_channel_close(vs->ioc, NULL);
1306     vs->disconnecting = TRUE;
1307 }
1308 
1309 void vnc_disconnect_finish(VncState *vs)
1310 {
1311     int i;
1312 
1313     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1314 
1315     vnc_jobs_join(vs); /* Wait encoding jobs */
1316 
1317     vnc_lock_output(vs);
1318     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1319 
1320     buffer_free(&vs->input);
1321     buffer_free(&vs->output);
1322 
1323     qapi_free_VncClientInfo(vs->info);
1324 
1325     vnc_zlib_clear(vs);
1326     vnc_tight_clear(vs);
1327     vnc_zrle_clear(vs);
1328 
1329 #ifdef CONFIG_VNC_SASL
1330     vnc_sasl_client_cleanup(vs);
1331 #endif /* CONFIG_VNC_SASL */
1332     audio_del(vs);
1333     qkbd_state_lift_all_keys(vs->vd->kbd);
1334 
1335     if (vs->mouse_mode_notifier.notify != NULL) {
1336         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1337     }
1338     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1339     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1340         /* last client gone */
1341         vnc_update_server_surface(vs->vd);
1342     }
1343     vnc_unlock_output(vs);
1344 
1345     if (vs->cbpeer.notifier.notify) {
1346         qemu_clipboard_peer_unregister(&vs->cbpeer);
1347     }
1348 
1349     qemu_mutex_destroy(&vs->output_mutex);
1350     if (vs->bh != NULL) {
1351         qemu_bh_delete(vs->bh);
1352     }
1353     buffer_free(&vs->jobs_buffer);
1354 
1355     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1356         g_free(vs->lossy_rect[i]);
1357     }
1358     g_free(vs->lossy_rect);
1359 
1360     object_unref(OBJECT(vs->ioc));
1361     vs->ioc = NULL;
1362     object_unref(OBJECT(vs->sioc));
1363     vs->sioc = NULL;
1364     vs->magic = 0;
1365     g_free(vs->zrle);
1366     g_free(vs->tight);
1367     g_free(vs);
1368 }
1369 
1370 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1371 {
1372     if (ret <= 0) {
1373         if (ret == 0) {
1374             trace_vnc_client_eof(vs, vs->ioc);
1375             vnc_disconnect_start(vs);
1376         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1377             trace_vnc_client_io_error(vs, vs->ioc,
1378                                       err ? error_get_pretty(err) : "Unknown");
1379             vnc_disconnect_start(vs);
1380         }
1381 
1382         error_free(err);
1383         return 0;
1384     }
1385     return ret;
1386 }
1387 
1388 
1389 void vnc_client_error(VncState *vs)
1390 {
1391     VNC_DEBUG("Closing down client sock: protocol error\n");
1392     vnc_disconnect_start(vs);
1393 }
1394 
1395 
1396 /*
1397  * Called to write a chunk of data to the client socket. The data may
1398  * be the raw data, or may have already been encoded by SASL.
1399  * The data will be written either straight onto the socket, or
1400  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1401  *
1402  * NB, it is theoretically possible to have 2 layers of encryption,
1403  * both SASL, and this TLS layer. It is highly unlikely in practice
1404  * though, since SASL encryption will typically be a no-op if TLS
1405  * is active
1406  *
1407  * Returns the number of bytes written, which may be less than
1408  * the requested 'datalen' if the socket would block. Returns
1409  * 0 on I/O error, and disconnects the client socket.
1410  */
1411 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1412 {
1413     Error *err = NULL;
1414     ssize_t ret;
1415     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1416     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1417     return vnc_client_io_error(vs, ret, err);
1418 }
1419 
1420 
1421 /*
1422  * Called to write buffered data to the client socket, when not
1423  * using any SASL SSF encryption layers. Will write as much data
1424  * as possible without blocking. If all buffered data is written,
1425  * will switch the FD poll() handler back to read monitoring.
1426  *
1427  * Returns the number of bytes written, which may be less than
1428  * the buffered output data if the socket would block.  Returns
1429  * 0 on I/O error, and disconnects the client socket.
1430  */
1431 static size_t vnc_client_write_plain(VncState *vs)
1432 {
1433     size_t offset;
1434     size_t ret;
1435 
1436 #ifdef CONFIG_VNC_SASL
1437     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1438               vs->output.buffer, vs->output.capacity, vs->output.offset,
1439               vs->sasl.waitWriteSSF);
1440 
1441     if (vs->sasl.conn &&
1442         vs->sasl.runSSF &&
1443         vs->sasl.waitWriteSSF) {
1444         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1445         if (ret)
1446             vs->sasl.waitWriteSSF -= ret;
1447     } else
1448 #endif /* CONFIG_VNC_SASL */
1449         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1450     if (!ret)
1451         return 0;
1452 
1453     if (ret >= vs->force_update_offset) {
1454         if (vs->force_update_offset != 0) {
1455             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1456         }
1457         vs->force_update_offset = 0;
1458     } else {
1459         vs->force_update_offset -= ret;
1460     }
1461     offset = vs->output.offset;
1462     buffer_advance(&vs->output, ret);
1463     if (offset >= vs->throttle_output_offset &&
1464         vs->output.offset < vs->throttle_output_offset) {
1465         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1466     }
1467 
1468     if (vs->output.offset == 0) {
1469         if (vs->ioc_tag) {
1470             g_source_remove(vs->ioc_tag);
1471         }
1472         vs->ioc_tag = qio_channel_add_watch(
1473             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1474             vnc_client_io, vs, NULL);
1475     }
1476 
1477     return ret;
1478 }
1479 
1480 
1481 /*
1482  * First function called whenever there is data to be written to
1483  * the client socket. Will delegate actual work according to whether
1484  * SASL SSF layers are enabled (thus requiring encryption calls)
1485  */
1486 static void vnc_client_write_locked(VncState *vs)
1487 {
1488 #ifdef CONFIG_VNC_SASL
1489     if (vs->sasl.conn &&
1490         vs->sasl.runSSF &&
1491         !vs->sasl.waitWriteSSF) {
1492         vnc_client_write_sasl(vs);
1493     } else
1494 #endif /* CONFIG_VNC_SASL */
1495     {
1496         vnc_client_write_plain(vs);
1497     }
1498 }
1499 
1500 static void vnc_client_write(VncState *vs)
1501 {
1502     assert(vs->magic == VNC_MAGIC);
1503     vnc_lock_output(vs);
1504     if (vs->output.offset) {
1505         vnc_client_write_locked(vs);
1506     } else if (vs->ioc != NULL) {
1507         if (vs->ioc_tag) {
1508             g_source_remove(vs->ioc_tag);
1509         }
1510         vs->ioc_tag = qio_channel_add_watch(
1511             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1512             vnc_client_io, vs, NULL);
1513     }
1514     vnc_unlock_output(vs);
1515 }
1516 
1517 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1518 {
1519     vs->read_handler = func;
1520     vs->read_handler_expect = expecting;
1521 }
1522 
1523 
1524 /*
1525  * Called to read a chunk of data from the client socket. The data may
1526  * be the raw data, or may need to be further decoded by SASL.
1527  * The data will be read either straight from to the socket, or
1528  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1529  *
1530  * NB, it is theoretically possible to have 2 layers of encryption,
1531  * both SASL, and this TLS layer. It is highly unlikely in practice
1532  * though, since SASL encryption will typically be a no-op if TLS
1533  * is active
1534  *
1535  * Returns the number of bytes read, which may be less than
1536  * the requested 'datalen' if the socket would block. Returns
1537  * 0 on I/O error or EOF, and disconnects the client socket.
1538  */
1539 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1540 {
1541     ssize_t ret;
1542     Error *err = NULL;
1543     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1544     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1545     return vnc_client_io_error(vs, ret, err);
1546 }
1547 
1548 
1549 /*
1550  * Called to read data from the client socket to the input buffer,
1551  * when not using any SASL SSF encryption layers. Will read as much
1552  * data as possible without blocking.
1553  *
1554  * Returns the number of bytes read, which may be less than
1555  * the requested 'datalen' if the socket would block. Returns
1556  * 0 on I/O error or EOF, and disconnects the client socket.
1557  */
1558 static size_t vnc_client_read_plain(VncState *vs)
1559 {
1560     size_t ret;
1561     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1562               vs->input.buffer, vs->input.capacity, vs->input.offset);
1563     buffer_reserve(&vs->input, 4096);
1564     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1565     if (!ret)
1566         return 0;
1567     vs->input.offset += ret;
1568     return ret;
1569 }
1570 
1571 static void vnc_jobs_bh(void *opaque)
1572 {
1573     VncState *vs = opaque;
1574 
1575     assert(vs->magic == VNC_MAGIC);
1576     vnc_jobs_consume_buffer(vs);
1577 }
1578 
1579 /*
1580  * First function called whenever there is more data to be read from
1581  * the client socket. Will delegate actual work according to whether
1582  * SASL SSF layers are enabled (thus requiring decryption calls)
1583  * Returns 0 on success, -1 if client disconnected
1584  */
1585 static int vnc_client_read(VncState *vs)
1586 {
1587     size_t sz;
1588 
1589 #ifdef CONFIG_VNC_SASL
1590     if (vs->sasl.conn && vs->sasl.runSSF)
1591         sz = vnc_client_read_sasl(vs);
1592     else
1593 #endif /* CONFIG_VNC_SASL */
1594         sz = vnc_client_read_plain(vs);
1595     if (!sz) {
1596         if (vs->disconnecting) {
1597             vnc_disconnect_finish(vs);
1598             return -1;
1599         }
1600         return 0;
1601     }
1602 
1603     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1604         size_t len = vs->read_handler_expect;
1605         int ret;
1606 
1607         ret = vs->read_handler(vs, vs->input.buffer, len);
1608         if (vs->disconnecting) {
1609             vnc_disconnect_finish(vs);
1610             return -1;
1611         }
1612 
1613         if (!ret) {
1614             buffer_advance(&vs->input, len);
1615         } else {
1616             vs->read_handler_expect = ret;
1617         }
1618     }
1619     return 0;
1620 }
1621 
1622 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1623                        GIOCondition condition, void *opaque)
1624 {
1625     VncState *vs = opaque;
1626 
1627     assert(vs->magic == VNC_MAGIC);
1628 
1629     if (condition & (G_IO_HUP | G_IO_ERR)) {
1630         vnc_disconnect_start(vs);
1631         return TRUE;
1632     }
1633 
1634     if (condition & G_IO_IN) {
1635         if (vnc_client_read(vs) < 0) {
1636             /* vs is free()ed here */
1637             return TRUE;
1638         }
1639     }
1640     if (condition & G_IO_OUT) {
1641         vnc_client_write(vs);
1642     }
1643 
1644     if (vs->disconnecting) {
1645         if (vs->ioc_tag != 0) {
1646             g_source_remove(vs->ioc_tag);
1647         }
1648         vs->ioc_tag = 0;
1649     }
1650     return TRUE;
1651 }
1652 
1653 
1654 /*
1655  * Scale factor to apply to vs->throttle_output_offset when checking for
1656  * hard limit. Worst case normal usage could be x2, if we have a complete
1657  * incremental update and complete forced update in the output buffer.
1658  * So x3 should be good enough, but we pick x5 to be conservative and thus
1659  * (hopefully) never trigger incorrectly.
1660  */
1661 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1662 
1663 void vnc_write(VncState *vs, const void *data, size_t len)
1664 {
1665     assert(vs->magic == VNC_MAGIC);
1666     if (vs->disconnecting) {
1667         return;
1668     }
1669     /* Protection against malicious client/guest to prevent our output
1670      * buffer growing without bound if client stops reading data. This
1671      * should rarely trigger, because we have earlier throttling code
1672      * which stops issuing framebuffer updates and drops audio data
1673      * if the throttle_output_offset value is exceeded. So we only reach
1674      * this higher level if a huge number of pseudo-encodings get
1675      * triggered while data can't be sent on the socket.
1676      *
1677      * NB throttle_output_offset can be zero during early protocol
1678      * handshake, or from the job thread's VncState clone
1679      */
1680     if (vs->throttle_output_offset != 0 &&
1681         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1682         vs->throttle_output_offset) {
1683         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1684                                       vs->throttle_output_offset);
1685         vnc_disconnect_start(vs);
1686         return;
1687     }
1688     buffer_reserve(&vs->output, len);
1689 
1690     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1691         if (vs->ioc_tag) {
1692             g_source_remove(vs->ioc_tag);
1693         }
1694         vs->ioc_tag = qio_channel_add_watch(
1695             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1696             vnc_client_io, vs, NULL);
1697     }
1698 
1699     buffer_append(&vs->output, data, len);
1700 }
1701 
1702 void vnc_write_s32(VncState *vs, int32_t value)
1703 {
1704     vnc_write_u32(vs, *(uint32_t *)&value);
1705 }
1706 
1707 void vnc_write_u32(VncState *vs, uint32_t value)
1708 {
1709     uint8_t buf[4];
1710 
1711     buf[0] = (value >> 24) & 0xFF;
1712     buf[1] = (value >> 16) & 0xFF;
1713     buf[2] = (value >>  8) & 0xFF;
1714     buf[3] = value & 0xFF;
1715 
1716     vnc_write(vs, buf, 4);
1717 }
1718 
1719 void vnc_write_u16(VncState *vs, uint16_t value)
1720 {
1721     uint8_t buf[2];
1722 
1723     buf[0] = (value >> 8) & 0xFF;
1724     buf[1] = value & 0xFF;
1725 
1726     vnc_write(vs, buf, 2);
1727 }
1728 
1729 void vnc_write_u8(VncState *vs, uint8_t value)
1730 {
1731     vnc_write(vs, (char *)&value, 1);
1732 }
1733 
1734 void vnc_flush(VncState *vs)
1735 {
1736     vnc_lock_output(vs);
1737     if (vs->ioc != NULL && vs->output.offset) {
1738         vnc_client_write_locked(vs);
1739     }
1740     if (vs->disconnecting) {
1741         if (vs->ioc_tag != 0) {
1742             g_source_remove(vs->ioc_tag);
1743         }
1744         vs->ioc_tag = 0;
1745     }
1746     vnc_unlock_output(vs);
1747 }
1748 
1749 static uint8_t read_u8(uint8_t *data, size_t offset)
1750 {
1751     return data[offset];
1752 }
1753 
1754 static uint16_t read_u16(uint8_t *data, size_t offset)
1755 {
1756     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1757 }
1758 
1759 static int32_t read_s32(uint8_t *data, size_t offset)
1760 {
1761     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1762                      (data[offset + 2] << 8) | data[offset + 3]);
1763 }
1764 
1765 uint32_t read_u32(uint8_t *data, size_t offset)
1766 {
1767     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1768             (data[offset + 2] << 8) | data[offset + 3]);
1769 }
1770 
1771 static void check_pointer_type_change(Notifier *notifier, void *data)
1772 {
1773     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1774     int absolute = qemu_input_is_absolute(vs->vd->dcl.con);
1775 
1776     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1777         vnc_lock_output(vs);
1778         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1779         vnc_write_u8(vs, 0);
1780         vnc_write_u16(vs, 1);
1781         vnc_framebuffer_update(vs, absolute, 0,
1782                                pixman_image_get_width(vs->vd->server),
1783                                pixman_image_get_height(vs->vd->server),
1784                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1785         vnc_unlock_output(vs);
1786         vnc_flush(vs);
1787     }
1788     vs->absolute = absolute;
1789 }
1790 
1791 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1792 {
1793     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1794         [INPUT_BUTTON_LEFT]       = 0x01,
1795         [INPUT_BUTTON_MIDDLE]     = 0x02,
1796         [INPUT_BUTTON_RIGHT]      = 0x04,
1797         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1798         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1799     };
1800     QemuConsole *con = vs->vd->dcl.con;
1801     int width = pixman_image_get_width(vs->vd->server);
1802     int height = pixman_image_get_height(vs->vd->server);
1803 
1804     if (vs->last_bmask != button_mask) {
1805         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1806         vs->last_bmask = button_mask;
1807     }
1808 
1809     if (vs->absolute) {
1810         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1811         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1812     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1813         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1814         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1815     } else {
1816         if (vs->last_x != -1) {
1817             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1818             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1819         }
1820         vs->last_x = x;
1821         vs->last_y = y;
1822     }
1823     qemu_input_event_sync();
1824 }
1825 
1826 static void press_key(VncState *vs, QKeyCode qcode)
1827 {
1828     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1829     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1830 }
1831 
1832 static void vnc_led_state_change(VncState *vs)
1833 {
1834     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1835         return;
1836     }
1837 
1838     vnc_lock_output(vs);
1839     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1840     vnc_write_u8(vs, 0);
1841     vnc_write_u16(vs, 1);
1842     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1843     vnc_write_u8(vs, vs->vd->ledstate);
1844     vnc_unlock_output(vs);
1845     vnc_flush(vs);
1846 }
1847 
1848 static void kbd_leds(void *opaque, int ledstate)
1849 {
1850     VncDisplay *vd = opaque;
1851     VncState *client;
1852 
1853     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1854                              (ledstate & QEMU_NUM_LOCK_LED),
1855                              (ledstate & QEMU_SCROLL_LOCK_LED));
1856 
1857     if (ledstate == vd->ledstate) {
1858         return;
1859     }
1860 
1861     vd->ledstate = ledstate;
1862 
1863     QTAILQ_FOREACH(client, &vd->clients, next) {
1864         vnc_led_state_change(client);
1865     }
1866 }
1867 
1868 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1869 {
1870     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1871 
1872     /* QEMU console switch */
1873     switch (qcode) {
1874     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1875         if (down &&
1876             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1877             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1878             QemuConsole *con = qemu_console_lookup_by_index(qcode - Q_KEY_CODE_1);
1879             if (con) {
1880                 unregister_displaychangelistener(&vs->vd->dcl);
1881                 qkbd_state_switch_console(vs->vd->kbd, con);
1882                 vs->vd->dcl.con = con;
1883                 register_displaychangelistener(&vs->vd->dcl);
1884             }
1885             return;
1886         }
1887     default:
1888         break;
1889     }
1890 
1891     /* Turn off the lock state sync logic if the client support the led
1892        state extension.
1893     */
1894     if (down && vs->vd->lock_key_sync &&
1895         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1896         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1897         /* If the numlock state needs to change then simulate an additional
1898            keypress before sending this one.  This will happen if the user
1899            toggles numlock away from the VNC window.
1900         */
1901         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1902             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1903                 trace_vnc_key_sync_numlock(true);
1904                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1905             }
1906         } else {
1907             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1908                 trace_vnc_key_sync_numlock(false);
1909                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1910             }
1911         }
1912     }
1913 
1914     if (down && vs->vd->lock_key_sync &&
1915         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1916         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1917         /* If the capslock state needs to change then simulate an additional
1918            keypress before sending this one.  This will happen if the user
1919            toggles capslock away from the VNC window.
1920         */
1921         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1922         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1923         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1924         if (capslock) {
1925             if (uppercase == shift) {
1926                 trace_vnc_key_sync_capslock(false);
1927                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1928             }
1929         } else {
1930             if (uppercase != shift) {
1931                 trace_vnc_key_sync_capslock(true);
1932                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1933             }
1934         }
1935     }
1936 
1937     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1938     if (QEMU_IS_TEXT_CONSOLE(vs->vd->dcl.con)) {
1939         QemuTextConsole *con = QEMU_TEXT_CONSOLE(vs->vd->dcl.con);
1940         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1941         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1942         /* QEMU console emulation */
1943         if (down) {
1944             switch (keycode) {
1945             case 0x2a:                          /* Left Shift */
1946             case 0x36:                          /* Right Shift */
1947             case 0x1d:                          /* Left CTRL */
1948             case 0x9d:                          /* Right CTRL */
1949             case 0x38:                          /* Left ALT */
1950             case 0xb8:                          /* Right ALT */
1951                 break;
1952             case 0xc8:
1953                 qemu_text_console_put_keysym(con, QEMU_KEY_UP);
1954                 break;
1955             case 0xd0:
1956                 qemu_text_console_put_keysym(con, QEMU_KEY_DOWN);
1957                 break;
1958             case 0xcb:
1959                 qemu_text_console_put_keysym(con, QEMU_KEY_LEFT);
1960                 break;
1961             case 0xcd:
1962                 qemu_text_console_put_keysym(con, QEMU_KEY_RIGHT);
1963                 break;
1964             case 0xd3:
1965                 qemu_text_console_put_keysym(con, QEMU_KEY_DELETE);
1966                 break;
1967             case 0xc7:
1968                 qemu_text_console_put_keysym(con, QEMU_KEY_HOME);
1969                 break;
1970             case 0xcf:
1971                 qemu_text_console_put_keysym(con, QEMU_KEY_END);
1972                 break;
1973             case 0xc9:
1974                 qemu_text_console_put_keysym(con, QEMU_KEY_PAGEUP);
1975                 break;
1976             case 0xd1:
1977                 qemu_text_console_put_keysym(con, QEMU_KEY_PAGEDOWN);
1978                 break;
1979 
1980             case 0x47:
1981                 qemu_text_console_put_keysym(con, numlock ? '7' : QEMU_KEY_HOME);
1982                 break;
1983             case 0x48:
1984                 qemu_text_console_put_keysym(con, numlock ? '8' : QEMU_KEY_UP);
1985                 break;
1986             case 0x49:
1987                 qemu_text_console_put_keysym(con, numlock ? '9' : QEMU_KEY_PAGEUP);
1988                 break;
1989             case 0x4b:
1990                 qemu_text_console_put_keysym(con, numlock ? '4' : QEMU_KEY_LEFT);
1991                 break;
1992             case 0x4c:
1993                 qemu_text_console_put_keysym(con, '5');
1994                 break;
1995             case 0x4d:
1996                 qemu_text_console_put_keysym(con, numlock ? '6' : QEMU_KEY_RIGHT);
1997                 break;
1998             case 0x4f:
1999                 qemu_text_console_put_keysym(con, numlock ? '1' : QEMU_KEY_END);
2000                 break;
2001             case 0x50:
2002                 qemu_text_console_put_keysym(con, numlock ? '2' : QEMU_KEY_DOWN);
2003                 break;
2004             case 0x51:
2005                 qemu_text_console_put_keysym(con, numlock ? '3' : QEMU_KEY_PAGEDOWN);
2006                 break;
2007             case 0x52:
2008                 qemu_text_console_put_keysym(con, '0');
2009                 break;
2010             case 0x53:
2011                 qemu_text_console_put_keysym(con, numlock ? '.' : QEMU_KEY_DELETE);
2012                 break;
2013 
2014             case 0xb5:
2015                 qemu_text_console_put_keysym(con, '/');
2016                 break;
2017             case 0x37:
2018                 qemu_text_console_put_keysym(con, '*');
2019                 break;
2020             case 0x4a:
2021                 qemu_text_console_put_keysym(con, '-');
2022                 break;
2023             case 0x4e:
2024                 qemu_text_console_put_keysym(con, '+');
2025                 break;
2026             case 0x9c:
2027                 qemu_text_console_put_keysym(con, '\n');
2028                 break;
2029 
2030             default:
2031                 if (control) {
2032                     qemu_text_console_put_keysym(con, sym & 0x1f);
2033                 } else {
2034                     qemu_text_console_put_keysym(con, sym);
2035                 }
2036                 break;
2037             }
2038         }
2039     }
2040 }
2041 
2042 static const char *code2name(int keycode)
2043 {
2044     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2045 }
2046 
2047 static void key_event(VncState *vs, int down, uint32_t sym)
2048 {
2049     int keycode;
2050     int lsym = sym;
2051 
2052     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(vs->vd->dcl.con)) {
2053         lsym = lsym - 'A' + 'a';
2054     }
2055 
2056     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2057                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2058     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2059     do_key_event(vs, down, keycode, sym);
2060 }
2061 
2062 static void ext_key_event(VncState *vs, int down,
2063                           uint32_t sym, uint16_t keycode)
2064 {
2065     /* if the user specifies a keyboard layout, always use it */
2066     if (keyboard_layout) {
2067         key_event(vs, down, sym);
2068     } else {
2069         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2070         do_key_event(vs, down, keycode, sym);
2071     }
2072 }
2073 
2074 static void framebuffer_update_request(VncState *vs, int incremental,
2075                                        int x, int y, int w, int h)
2076 {
2077     if (incremental) {
2078         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2079             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2080         }
2081     } else {
2082         vs->update = VNC_STATE_UPDATE_FORCE;
2083         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2084         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2085             vnc_desktop_resize_ext(vs, 0);
2086         }
2087     }
2088 }
2089 
2090 static void send_ext_key_event_ack(VncState *vs)
2091 {
2092     vnc_lock_output(vs);
2093     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2094     vnc_write_u8(vs, 0);
2095     vnc_write_u16(vs, 1);
2096     vnc_framebuffer_update(vs, 0, 0,
2097                            pixman_image_get_width(vs->vd->server),
2098                            pixman_image_get_height(vs->vd->server),
2099                            VNC_ENCODING_EXT_KEY_EVENT);
2100     vnc_unlock_output(vs);
2101     vnc_flush(vs);
2102 }
2103 
2104 static void send_ext_audio_ack(VncState *vs)
2105 {
2106     vnc_lock_output(vs);
2107     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2108     vnc_write_u8(vs, 0);
2109     vnc_write_u16(vs, 1);
2110     vnc_framebuffer_update(vs, 0, 0,
2111                            pixman_image_get_width(vs->vd->server),
2112                            pixman_image_get_height(vs->vd->server),
2113                            VNC_ENCODING_AUDIO);
2114     vnc_unlock_output(vs);
2115     vnc_flush(vs);
2116 }
2117 
2118 static void send_xvp_message(VncState *vs, int code)
2119 {
2120     vnc_lock_output(vs);
2121     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2122     vnc_write_u8(vs, 0); /* pad */
2123     vnc_write_u8(vs, 1); /* version */
2124     vnc_write_u8(vs, code);
2125     vnc_unlock_output(vs);
2126     vnc_flush(vs);
2127 }
2128 
2129 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2130 {
2131     int i;
2132     unsigned int enc = 0;
2133 
2134     vs->features = 0;
2135     vs->vnc_encoding = 0;
2136     vs->tight->compression = 9;
2137     vs->tight->quality = -1; /* Lossless by default */
2138     vs->absolute = -1;
2139 
2140     /*
2141      * Start from the end because the encodings are sent in order of preference.
2142      * This way the preferred encoding (first encoding defined in the array)
2143      * will be set at the end of the loop.
2144      */
2145     for (i = n_encodings - 1; i >= 0; i--) {
2146         enc = encodings[i];
2147         switch (enc) {
2148         case VNC_ENCODING_RAW:
2149             vs->vnc_encoding = enc;
2150             break;
2151         case VNC_ENCODING_HEXTILE:
2152             vnc_set_feature(vs, VNC_FEATURE_HEXTILE);
2153             vs->vnc_encoding = enc;
2154             break;
2155         case VNC_ENCODING_TIGHT:
2156             vnc_set_feature(vs, VNC_FEATURE_TIGHT);
2157             vs->vnc_encoding = enc;
2158             break;
2159 #ifdef CONFIG_PNG
2160         case VNC_ENCODING_TIGHT_PNG:
2161             vnc_set_feature(vs, VNC_FEATURE_TIGHT_PNG);
2162             vs->vnc_encoding = enc;
2163             break;
2164 #endif
2165         case VNC_ENCODING_ZLIB:
2166             /*
2167              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2168              * So prioritize ZRLE, even if the client hints that it prefers
2169              * ZLIB.
2170              */
2171             if (!vnc_has_feature(vs, VNC_FEATURE_ZRLE)) {
2172                 vnc_set_feature(vs, VNC_FEATURE_ZLIB);
2173                 vs->vnc_encoding = enc;
2174             }
2175             break;
2176         case VNC_ENCODING_ZRLE:
2177             vnc_set_feature(vs, VNC_FEATURE_ZRLE);
2178             vs->vnc_encoding = enc;
2179             break;
2180         case VNC_ENCODING_ZYWRLE:
2181             vnc_set_feature(vs, VNC_FEATURE_ZYWRLE);
2182             vs->vnc_encoding = enc;
2183             break;
2184         case VNC_ENCODING_DESKTOPRESIZE:
2185             vnc_set_feature(vs, VNC_FEATURE_RESIZE);
2186             break;
2187         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2188             vnc_set_feature(vs, VNC_FEATURE_RESIZE_EXT);
2189             break;
2190         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2191             vnc_set_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE);
2192             break;
2193         case VNC_ENCODING_RICH_CURSOR:
2194             vnc_set_feature(vs, VNC_FEATURE_RICH_CURSOR);
2195             break;
2196         case VNC_ENCODING_ALPHA_CURSOR:
2197             vnc_set_feature(vs, VNC_FEATURE_ALPHA_CURSOR);
2198             break;
2199         case VNC_ENCODING_EXT_KEY_EVENT:
2200             send_ext_key_event_ack(vs);
2201             break;
2202         case VNC_ENCODING_AUDIO:
2203             if (vs->vd->audio_state) {
2204                 vnc_set_feature(vs, VNC_FEATURE_AUDIO);
2205                 send_ext_audio_ack(vs);
2206             }
2207             break;
2208         case VNC_ENCODING_WMVi:
2209             vnc_set_feature(vs, VNC_FEATURE_WMVI);
2210             break;
2211         case VNC_ENCODING_LED_STATE:
2212             vnc_set_feature(vs, VNC_FEATURE_LED_STATE);
2213             break;
2214         case VNC_ENCODING_XVP:
2215             if (vs->vd->power_control) {
2216                 vnc_set_feature(vs, VNC_FEATURE_XVP);
2217                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2218             }
2219             break;
2220         case VNC_ENCODING_CLIPBOARD_EXT:
2221             vnc_set_feature(vs, VNC_FEATURE_CLIPBOARD_EXT);
2222             vnc_server_cut_text_caps(vs);
2223             break;
2224         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2225             vs->tight->compression = (enc & 0x0F);
2226             break;
2227         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2228             if (vs->vd->lossy) {
2229                 vs->tight->quality = (enc & 0x0F);
2230             }
2231             break;
2232         default:
2233             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2234             break;
2235         }
2236     }
2237     vnc_desktop_resize(vs);
2238     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2239     vnc_led_state_change(vs);
2240     vnc_cursor_define(vs);
2241 }
2242 
2243 static void set_pixel_conversion(VncState *vs)
2244 {
2245     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2246 
2247     if (fmt == VNC_SERVER_FB_FORMAT) {
2248         vs->write_pixels = vnc_write_pixels_copy;
2249         vnc_hextile_set_pixel_conversion(vs, 0);
2250     } else {
2251         vs->write_pixels = vnc_write_pixels_generic;
2252         vnc_hextile_set_pixel_conversion(vs, 1);
2253     }
2254 }
2255 
2256 static void send_color_map(VncState *vs)
2257 {
2258     int i;
2259 
2260     vnc_lock_output(vs);
2261     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2262     vnc_write_u8(vs,  0);    /* padding     */
2263     vnc_write_u16(vs, 0);    /* first color */
2264     vnc_write_u16(vs, 256);  /* # of colors */
2265 
2266     for (i = 0; i < 256; i++) {
2267         PixelFormat *pf = &vs->client_pf;
2268 
2269         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2270         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2271         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2272     }
2273     vnc_unlock_output(vs);
2274 }
2275 
2276 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2277                              int big_endian_flag, int true_color_flag,
2278                              int red_max, int green_max, int blue_max,
2279                              int red_shift, int green_shift, int blue_shift)
2280 {
2281     if (!true_color_flag) {
2282         /* Expose a reasonable default 256 color map */
2283         bits_per_pixel = 8;
2284         red_max = 7;
2285         green_max = 7;
2286         blue_max = 3;
2287         red_shift = 0;
2288         green_shift = 3;
2289         blue_shift = 6;
2290     }
2291 
2292     switch (bits_per_pixel) {
2293     case 8:
2294     case 16:
2295     case 32:
2296         break;
2297     default:
2298         vnc_client_error(vs);
2299         return;
2300     }
2301 
2302     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2303     vs->client_pf.rbits = ctpopl(red_max);
2304     vs->client_pf.rshift = red_shift;
2305     vs->client_pf.rmask = red_max << red_shift;
2306     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2307     vs->client_pf.gbits = ctpopl(green_max);
2308     vs->client_pf.gshift = green_shift;
2309     vs->client_pf.gmask = green_max << green_shift;
2310     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2311     vs->client_pf.bbits = ctpopl(blue_max);
2312     vs->client_pf.bshift = blue_shift;
2313     vs->client_pf.bmask = blue_max << blue_shift;
2314     vs->client_pf.bits_per_pixel = bits_per_pixel;
2315     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2316     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2317     vs->client_be = big_endian_flag;
2318 
2319     if (!true_color_flag) {
2320         send_color_map(vs);
2321     }
2322 
2323     set_pixel_conversion(vs);
2324 
2325     graphic_hw_invalidate(vs->vd->dcl.con);
2326     graphic_hw_update(vs->vd->dcl.con);
2327 }
2328 
2329 static void pixel_format_message (VncState *vs) {
2330     char pad[3] = { 0, 0, 0 };
2331 
2332     vs->client_pf = qemu_default_pixelformat(32);
2333 
2334     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2335     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2336 
2337 #if HOST_BIG_ENDIAN
2338     vnc_write_u8(vs, 1);             /* big-endian-flag */
2339 #else
2340     vnc_write_u8(vs, 0);             /* big-endian-flag */
2341 #endif
2342     vnc_write_u8(vs, 1);             /* true-color-flag */
2343     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2344     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2345     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2346     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2347     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2348     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2349     vnc_write(vs, pad, 3);           /* padding */
2350 
2351     vnc_hextile_set_pixel_conversion(vs, 0);
2352     vs->write_pixels = vnc_write_pixels_copy;
2353 }
2354 
2355 static void vnc_colordepth(VncState *vs)
2356 {
2357     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2358         /* Sending a WMVi message to notify the client*/
2359         vnc_lock_output(vs);
2360         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2361         vnc_write_u8(vs, 0);
2362         vnc_write_u16(vs, 1); /* number of rects */
2363         vnc_framebuffer_update(vs, 0, 0,
2364                                vs->client_width,
2365                                vs->client_height,
2366                                VNC_ENCODING_WMVi);
2367         pixel_format_message(vs);
2368         vnc_unlock_output(vs);
2369         vnc_flush(vs);
2370     } else {
2371         set_pixel_conversion(vs);
2372     }
2373 }
2374 
2375 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2376 {
2377     int i;
2378     uint16_t limit;
2379     uint32_t freq;
2380     VncDisplay *vd = vs->vd;
2381 
2382     if (data[0] > 3) {
2383         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2384     }
2385 
2386     switch (data[0]) {
2387     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2388         if (len == 1)
2389             return 20;
2390 
2391         set_pixel_format(vs, read_u8(data, 4),
2392                          read_u8(data, 6), read_u8(data, 7),
2393                          read_u16(data, 8), read_u16(data, 10),
2394                          read_u16(data, 12), read_u8(data, 14),
2395                          read_u8(data, 15), read_u8(data, 16));
2396         break;
2397     case VNC_MSG_CLIENT_SET_ENCODINGS:
2398         if (len == 1)
2399             return 4;
2400 
2401         if (len == 4) {
2402             limit = read_u16(data, 2);
2403             if (limit > 0)
2404                 return 4 + (limit * 4);
2405         } else
2406             limit = read_u16(data, 2);
2407 
2408         for (i = 0; i < limit; i++) {
2409             int32_t val = read_s32(data, 4 + (i * 4));
2410             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2411         }
2412 
2413         set_encodings(vs, (int32_t *)(data + 4), limit);
2414         break;
2415     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2416         if (len == 1)
2417             return 10;
2418 
2419         framebuffer_update_request(vs,
2420                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2421                                    read_u16(data, 6), read_u16(data, 8));
2422         break;
2423     case VNC_MSG_CLIENT_KEY_EVENT:
2424         if (len == 1)
2425             return 8;
2426 
2427         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2428         break;
2429     case VNC_MSG_CLIENT_POINTER_EVENT:
2430         if (len == 1)
2431             return 6;
2432 
2433         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2434         break;
2435     case VNC_MSG_CLIENT_CUT_TEXT:
2436         if (len == 1) {
2437             return 8;
2438         }
2439         uint32_t dlen = abs(read_s32(data, 4));
2440         if (len == 8) {
2441             if (dlen > (1 << 20)) {
2442                 error_report("vnc: client_cut_text msg payload has %u bytes"
2443                              " which exceeds our limit of 1MB.", dlen);
2444                 vnc_client_error(vs);
2445                 break;
2446             }
2447             if (dlen > 0) {
2448                 return 8 + dlen;
2449             }
2450         }
2451 
2452         if (read_s32(data, 4) < 0) {
2453             if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
2454                 error_report("vnc: extended clipboard message while disabled");
2455                 vnc_client_error(vs);
2456                 break;
2457             }
2458             if (dlen < 4) {
2459                 error_report("vnc: malformed payload (header less than 4 bytes)"
2460                              " in extended clipboard pseudo-encoding.");
2461                 vnc_client_error(vs);
2462                 break;
2463             }
2464             vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
2465             break;
2466         }
2467         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2468         break;
2469     case VNC_MSG_CLIENT_XVP:
2470         if (!vnc_has_feature(vs, VNC_FEATURE_XVP)) {
2471             error_report("vnc: xvp client message while disabled");
2472             vnc_client_error(vs);
2473             break;
2474         }
2475         if (len == 1) {
2476             return 4;
2477         }
2478         if (len == 4) {
2479             uint8_t version = read_u8(data, 2);
2480             uint8_t action = read_u8(data, 3);
2481 
2482             if (version != 1) {
2483                 error_report("vnc: xvp client message version %d != 1",
2484                              version);
2485                 vnc_client_error(vs);
2486                 break;
2487             }
2488 
2489             switch (action) {
2490             case VNC_XVP_ACTION_SHUTDOWN:
2491                 qemu_system_powerdown_request();
2492                 break;
2493             case VNC_XVP_ACTION_REBOOT:
2494                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2495                 break;
2496             case VNC_XVP_ACTION_RESET:
2497                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2498                 break;
2499             default:
2500                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2501                 break;
2502             }
2503         }
2504         break;
2505     case VNC_MSG_CLIENT_QEMU:
2506         if (len == 1)
2507             return 2;
2508 
2509         switch (read_u8(data, 1)) {
2510         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2511             if (len == 2)
2512                 return 12;
2513 
2514             ext_key_event(vs, read_u16(data, 2),
2515                           read_u32(data, 4), read_u32(data, 8));
2516             break;
2517         case VNC_MSG_CLIENT_QEMU_AUDIO:
2518             if (!vnc_has_feature(vs, VNC_FEATURE_AUDIO)) {
2519                 error_report("Audio message %d with audio disabled", read_u8(data, 2));
2520                 vnc_client_error(vs);
2521                 break;
2522             }
2523 
2524             if (len == 2)
2525                 return 4;
2526 
2527             switch (read_u16 (data, 2)) {
2528             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2529                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2530                 audio_add(vs);
2531                 break;
2532             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2533                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2534                 audio_del(vs);
2535                 break;
2536             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2537                 if (len == 4)
2538                     return 10;
2539                 switch (read_u8(data, 4)) {
2540                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2541                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2542                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2543                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2544                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2545                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2546                 default:
2547                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2548                     vnc_client_error(vs);
2549                     break;
2550                 }
2551                 vs->as.nchannels = read_u8(data, 5);
2552                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2553                     VNC_DEBUG("Invalid audio channel count %d\n",
2554                               read_u8(data, 5));
2555                     vnc_client_error(vs);
2556                     break;
2557                 }
2558                 freq = read_u32(data, 6);
2559                 /* No official limit for protocol, but 48khz is a sensible
2560                  * upper bound for trustworthy clients, and this limit
2561                  * protects calculations involving 'vs->as.freq' later.
2562                  */
2563                 if (freq > 48000) {
2564                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2565                     vnc_client_error(vs);
2566                     break;
2567                 }
2568                 vs->as.freq = freq;
2569                 trace_vnc_msg_client_audio_format(
2570                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2571                 break;
2572             default:
2573                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 2));
2574                 vnc_client_error(vs);
2575                 break;
2576             }
2577             break;
2578 
2579         default:
2580             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2581             vnc_client_error(vs);
2582             break;
2583         }
2584         break;
2585     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2586     {
2587         size_t size;
2588         uint8_t screens;
2589         int w, h;
2590 
2591         if (len < 8) {
2592             return 8;
2593         }
2594 
2595         screens = read_u8(data, 6);
2596         size    = 8 + screens * 16;
2597         if (len < size) {
2598             return size;
2599         }
2600         w = read_u16(data, 2);
2601         h = read_u16(data, 4);
2602 
2603         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2604         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2605             QemuUIInfo info;
2606             memset(&info, 0, sizeof(info));
2607             info.width = w;
2608             info.height = h;
2609             dpy_set_ui_info(vs->vd->dcl.con, &info, false);
2610             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2611         } else {
2612             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2613         }
2614 
2615         break;
2616     }
2617     default:
2618         VNC_DEBUG("Msg: %d\n", data[0]);
2619         vnc_client_error(vs);
2620         break;
2621     }
2622 
2623     vnc_update_throttle_offset(vs);
2624     vnc_read_when(vs, protocol_client_msg, 1);
2625     return 0;
2626 }
2627 
2628 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2629 {
2630     char buf[1024];
2631     VncShareMode mode;
2632     int size;
2633 
2634     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2635     switch (vs->vd->share_policy) {
2636     case VNC_SHARE_POLICY_IGNORE:
2637         /*
2638          * Ignore the shared flag.  Nothing to do here.
2639          *
2640          * Doesn't conform to the rfb spec but is traditional qemu
2641          * behavior, thus left here as option for compatibility
2642          * reasons.
2643          */
2644         break;
2645     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2646         /*
2647          * Policy: Allow clients ask for exclusive access.
2648          *
2649          * Implementation: When a client asks for exclusive access,
2650          * disconnect all others. Shared connects are allowed as long
2651          * as no exclusive connection exists.
2652          *
2653          * This is how the rfb spec suggests to handle the shared flag.
2654          */
2655         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2656             VncState *client;
2657             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2658                 if (vs == client) {
2659                     continue;
2660                 }
2661                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2662                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2663                     continue;
2664                 }
2665                 vnc_disconnect_start(client);
2666             }
2667         }
2668         if (mode == VNC_SHARE_MODE_SHARED) {
2669             if (vs->vd->num_exclusive > 0) {
2670                 vnc_disconnect_start(vs);
2671                 return 0;
2672             }
2673         }
2674         break;
2675     case VNC_SHARE_POLICY_FORCE_SHARED:
2676         /*
2677          * Policy: Shared connects only.
2678          * Implementation: Disallow clients asking for exclusive access.
2679          *
2680          * Useful for shared desktop sessions where you don't want
2681          * someone forgetting to say -shared when running the vnc
2682          * client disconnect everybody else.
2683          */
2684         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2685             vnc_disconnect_start(vs);
2686             return 0;
2687         }
2688         break;
2689     }
2690     vnc_set_share_mode(vs, mode);
2691 
2692     if (vs->vd->num_shared > vs->vd->connections_limit) {
2693         vnc_disconnect_start(vs);
2694         return 0;
2695     }
2696 
2697     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2698            pixman_image_get_width(vs->vd->server) >= 0);
2699     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2700            pixman_image_get_height(vs->vd->server) >= 0);
2701     vs->client_width = pixman_image_get_width(vs->vd->server);
2702     vs->client_height = pixman_image_get_height(vs->vd->server);
2703     vnc_write_u16(vs, vs->client_width);
2704     vnc_write_u16(vs, vs->client_height);
2705 
2706     pixel_format_message(vs);
2707 
2708     if (qemu_name) {
2709         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2710         if (size > sizeof(buf)) {
2711             size = sizeof(buf);
2712         }
2713     } else {
2714         size = snprintf(buf, sizeof(buf), "QEMU");
2715     }
2716 
2717     vnc_write_u32(vs, size);
2718     vnc_write(vs, buf, size);
2719     vnc_flush(vs);
2720 
2721     vnc_client_cache_auth(vs);
2722     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2723 
2724     vnc_read_when(vs, protocol_client_msg, 1);
2725 
2726     return 0;
2727 }
2728 
2729 void start_client_init(VncState *vs)
2730 {
2731     vnc_read_when(vs, protocol_client_init, 1);
2732 }
2733 
2734 static void authentication_failed(VncState *vs)
2735 {
2736     vnc_write_u32(vs, 1); /* Reject auth */
2737     if (vs->minor >= 8) {
2738         static const char err[] = "Authentication failed";
2739         vnc_write_u32(vs, sizeof(err));
2740         vnc_write(vs, err, sizeof(err));
2741     }
2742     vnc_flush(vs);
2743     vnc_client_error(vs);
2744 }
2745 
2746 static void
2747 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2748 {
2749     size_t i;
2750     for (i = 0; i < nkey; i++) {
2751         uint8_t r = key[i];
2752         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2753         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2754         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2755         key[i] = r;
2756     }
2757 }
2758 
2759 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2760 {
2761     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2762     size_t i, pwlen;
2763     unsigned char key[8];
2764     time_t now = time(NULL);
2765     QCryptoCipher *cipher = NULL;
2766     Error *err = NULL;
2767 
2768     if (!vs->vd->password) {
2769         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2770         goto reject;
2771     }
2772     if (vs->vd->expires < now) {
2773         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2774         goto reject;
2775     }
2776 
2777     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2778 
2779     /* Calculate the expected challenge response */
2780     pwlen = strlen(vs->vd->password);
2781     for (i=0; i<sizeof(key); i++)
2782         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2783     vnc_munge_des_rfb_key(key, sizeof(key));
2784 
2785     cipher = qcrypto_cipher_new(
2786         QCRYPTO_CIPHER_ALGO_DES,
2787         QCRYPTO_CIPHER_MODE_ECB,
2788         key, G_N_ELEMENTS(key),
2789         &err);
2790     if (!cipher) {
2791         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2792                             error_get_pretty(err));
2793         error_free(err);
2794         goto reject;
2795     }
2796 
2797     if (qcrypto_cipher_encrypt(cipher,
2798                                vs->challenge,
2799                                response,
2800                                VNC_AUTH_CHALLENGE_SIZE,
2801                                &err) < 0) {
2802         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2803                             error_get_pretty(err));
2804         error_free(err);
2805         goto reject;
2806     }
2807 
2808     /* Compare expected vs actual challenge response */
2809     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2810         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2811         goto reject;
2812     } else {
2813         trace_vnc_auth_pass(vs, vs->auth);
2814         vnc_write_u32(vs, 0); /* Accept auth */
2815         vnc_flush(vs);
2816 
2817         start_client_init(vs);
2818     }
2819 
2820     qcrypto_cipher_free(cipher);
2821     return 0;
2822 
2823 reject:
2824     authentication_failed(vs);
2825     qcrypto_cipher_free(cipher);
2826     return 0;
2827 }
2828 
2829 void start_auth_vnc(VncState *vs)
2830 {
2831     Error *err = NULL;
2832 
2833     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2834         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2835                             error_get_pretty(err));
2836         error_free(err);
2837         authentication_failed(vs);
2838         return;
2839     }
2840 
2841     /* Send client a 'random' challenge */
2842     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2843     vnc_flush(vs);
2844 
2845     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2846 }
2847 
2848 
2849 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2850 {
2851     /* We only advertise 1 auth scheme at a time, so client
2852      * must pick the one we sent. Verify this */
2853     if (data[0] != vs->auth) { /* Reject auth */
2854        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2855        authentication_failed(vs);
2856     } else { /* Accept requested auth */
2857        trace_vnc_auth_start(vs, vs->auth);
2858        switch (vs->auth) {
2859        case VNC_AUTH_NONE:
2860            if (vs->minor >= 8) {
2861                vnc_write_u32(vs, 0); /* Accept auth completion */
2862                vnc_flush(vs);
2863            }
2864            trace_vnc_auth_pass(vs, vs->auth);
2865            start_client_init(vs);
2866            break;
2867 
2868        case VNC_AUTH_VNC:
2869            start_auth_vnc(vs);
2870            break;
2871 
2872        case VNC_AUTH_VENCRYPT:
2873            start_auth_vencrypt(vs);
2874            break;
2875 
2876 #ifdef CONFIG_VNC_SASL
2877        case VNC_AUTH_SASL:
2878            start_auth_sasl(vs);
2879            break;
2880 #endif /* CONFIG_VNC_SASL */
2881 
2882        default: /* Should not be possible, but just in case */
2883            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2884            authentication_failed(vs);
2885        }
2886     }
2887     return 0;
2888 }
2889 
2890 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2891 {
2892     char local[13];
2893 
2894     memcpy(local, version, 12);
2895     local[12] = 0;
2896 
2897     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2898         VNC_DEBUG("Malformed protocol version %s\n", local);
2899         vnc_client_error(vs);
2900         return 0;
2901     }
2902     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2903     if (vs->major != 3 ||
2904         (vs->minor != 3 &&
2905          vs->minor != 4 &&
2906          vs->minor != 5 &&
2907          vs->minor != 7 &&
2908          vs->minor != 8)) {
2909         VNC_DEBUG("Unsupported client version\n");
2910         vnc_write_u32(vs, VNC_AUTH_INVALID);
2911         vnc_flush(vs);
2912         vnc_client_error(vs);
2913         return 0;
2914     }
2915     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2916      * as equivalent to v3.3 by servers
2917      */
2918     if (vs->minor == 4 || vs->minor == 5)
2919         vs->minor = 3;
2920 
2921     if (vs->minor == 3) {
2922         trace_vnc_auth_start(vs, vs->auth);
2923         if (vs->auth == VNC_AUTH_NONE) {
2924             vnc_write_u32(vs, vs->auth);
2925             vnc_flush(vs);
2926             trace_vnc_auth_pass(vs, vs->auth);
2927             start_client_init(vs);
2928        } else if (vs->auth == VNC_AUTH_VNC) {
2929             VNC_DEBUG("Tell client VNC auth\n");
2930             vnc_write_u32(vs, vs->auth);
2931             vnc_flush(vs);
2932             start_auth_vnc(vs);
2933        } else {
2934             trace_vnc_auth_fail(vs, vs->auth,
2935                                 "Unsupported auth method for v3.3", "");
2936             vnc_write_u32(vs, VNC_AUTH_INVALID);
2937             vnc_flush(vs);
2938             vnc_client_error(vs);
2939        }
2940     } else {
2941         vnc_write_u8(vs, 1); /* num auth */
2942         vnc_write_u8(vs, vs->auth);
2943         vnc_read_when(vs, protocol_client_auth, 1);
2944         vnc_flush(vs);
2945     }
2946 
2947     return 0;
2948 }
2949 
2950 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2951 {
2952     struct VncSurface *vs = &vd->guest;
2953 
2954     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2955 }
2956 
2957 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2958 {
2959     int i, j;
2960 
2961     w = (x + w) / VNC_STAT_RECT;
2962     h = (y + h) / VNC_STAT_RECT;
2963     x /= VNC_STAT_RECT;
2964     y /= VNC_STAT_RECT;
2965 
2966     for (j = y; j <= h; j++) {
2967         for (i = x; i <= w; i++) {
2968             vs->lossy_rect[j][i] = 1;
2969         }
2970     }
2971 }
2972 
2973 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2974 {
2975     VncState *vs;
2976     int sty = y / VNC_STAT_RECT;
2977     int stx = x / VNC_STAT_RECT;
2978     int has_dirty = 0;
2979 
2980     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2981     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2982 
2983     QTAILQ_FOREACH(vs, &vd->clients, next) {
2984         int j;
2985 
2986         /* kernel send buffers are full -> refresh later */
2987         if (vs->output.offset) {
2988             continue;
2989         }
2990 
2991         if (!vs->lossy_rect[sty][stx]) {
2992             continue;
2993         }
2994 
2995         vs->lossy_rect[sty][stx] = 0;
2996         for (j = 0; j < VNC_STAT_RECT; ++j) {
2997             bitmap_set(vs->dirty[y + j],
2998                        x / VNC_DIRTY_PIXELS_PER_BIT,
2999                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
3000         }
3001         has_dirty++;
3002     }
3003 
3004     return has_dirty;
3005 }
3006 
3007 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
3008 {
3009     int width = MIN(pixman_image_get_width(vd->guest.fb),
3010                     pixman_image_get_width(vd->server));
3011     int height = MIN(pixman_image_get_height(vd->guest.fb),
3012                      pixman_image_get_height(vd->server));
3013     int x, y;
3014     struct timeval res;
3015     int has_dirty = 0;
3016 
3017     for (y = 0; y < height; y += VNC_STAT_RECT) {
3018         for (x = 0; x < width; x += VNC_STAT_RECT) {
3019             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3020 
3021             rect->updated = false;
3022         }
3023     }
3024 
3025     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3026 
3027     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3028         return has_dirty;
3029     }
3030     vd->guest.last_freq_check = *tv;
3031 
3032     for (y = 0; y < height; y += VNC_STAT_RECT) {
3033         for (x = 0; x < width; x += VNC_STAT_RECT) {
3034             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3035             int count = ARRAY_SIZE(rect->times);
3036             struct timeval min, max;
3037 
3038             if (!timerisset(&rect->times[count - 1])) {
3039                 continue ;
3040             }
3041 
3042             max = rect->times[(rect->idx + count - 1) % count];
3043             qemu_timersub(tv, &max, &res);
3044 
3045             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3046                 rect->freq = 0;
3047                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3048                 memset(rect->times, 0, sizeof (rect->times));
3049                 continue ;
3050             }
3051 
3052             min = rect->times[rect->idx];
3053             max = rect->times[(rect->idx + count - 1) % count];
3054             qemu_timersub(&max, &min, &res);
3055 
3056             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3057             rect->freq /= count;
3058             rect->freq = 1. / rect->freq;
3059         }
3060     }
3061     return has_dirty;
3062 }
3063 
3064 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3065 {
3066     int i, j;
3067     double total = 0;
3068     int num = 0;
3069 
3070     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3071     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3072 
3073     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3074         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3075             total += vnc_stat_rect(vs->vd, i, j)->freq;
3076             num++;
3077         }
3078     }
3079 
3080     if (num) {
3081         return total / num;
3082     } else {
3083         return 0;
3084     }
3085 }
3086 
3087 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3088 {
3089     VncRectStat *rect;
3090 
3091     rect = vnc_stat_rect(vd, x, y);
3092     if (rect->updated) {
3093         return;
3094     }
3095     rect->times[rect->idx] = *tv;
3096     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3097     rect->updated = true;
3098 }
3099 
3100 static int vnc_refresh_server_surface(VncDisplay *vd)
3101 {
3102     int width = MIN(pixman_image_get_width(vd->guest.fb),
3103                     pixman_image_get_width(vd->server));
3104     int height = MIN(pixman_image_get_height(vd->guest.fb),
3105                      pixman_image_get_height(vd->server));
3106     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3107     uint8_t *guest_row0 = NULL, *server_row0;
3108     VncState *vs;
3109     int has_dirty = 0;
3110     pixman_image_t *tmpbuf = NULL;
3111     unsigned long offset;
3112     int x;
3113     uint8_t *guest_ptr, *server_ptr;
3114 
3115     struct timeval tv = { 0, 0 };
3116 
3117     if (!vd->non_adaptive) {
3118         gettimeofday(&tv, NULL);
3119         has_dirty = vnc_update_stats(vd, &tv);
3120     }
3121 
3122     offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3123                            height * VNC_DIRTY_BPL(&vd->guest), 0);
3124     if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3125         /* no dirty bits in guest surface */
3126         return has_dirty;
3127     }
3128 
3129     /*
3130      * Walk through the guest dirty map.
3131      * Check and copy modified bits from guest to server surface.
3132      * Update server dirty map.
3133      */
3134     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3135     server_stride = guest_stride = guest_ll =
3136         pixman_image_get_stride(vd->server);
3137     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3138                     server_stride);
3139     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3140         int w = pixman_image_get_width(vd->server);
3141         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, w);
3142     } else {
3143         int guest_bpp =
3144             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3145         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3146         guest_stride = pixman_image_get_stride(vd->guest.fb);
3147         guest_ll = pixman_image_get_width(vd->guest.fb)
3148                    * DIV_ROUND_UP(guest_bpp, 8);
3149     }
3150     line_bytes = MIN(server_stride, guest_ll);
3151 
3152     for (;;) {
3153         y = offset / VNC_DIRTY_BPL(&vd->guest);
3154         x = offset % VNC_DIRTY_BPL(&vd->guest);
3155 
3156         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3157 
3158         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3159             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3160             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3161         } else {
3162             guest_ptr = guest_row0 + y * guest_stride;
3163         }
3164         guest_ptr += x * cmp_bytes;
3165 
3166         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3167              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3168             int _cmp_bytes = cmp_bytes;
3169             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3170                 continue;
3171             }
3172             if ((x + 1) * cmp_bytes > line_bytes) {
3173                 _cmp_bytes = line_bytes - x * cmp_bytes;
3174             }
3175             assert(_cmp_bytes >= 0);
3176             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3177                 continue;
3178             }
3179             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3180             if (!vd->non_adaptive) {
3181                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3182                                  y, &tv);
3183             }
3184             QTAILQ_FOREACH(vs, &vd->clients, next) {
3185                 set_bit(x, vs->dirty[y]);
3186             }
3187             has_dirty++;
3188         }
3189 
3190         y++;
3191         offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3192                                height * VNC_DIRTY_BPL(&vd->guest),
3193                                y * VNC_DIRTY_BPL(&vd->guest));
3194         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3195             /* no more dirty bits */
3196             break;
3197         }
3198     }
3199     qemu_pixman_image_unref(tmpbuf);
3200     return has_dirty;
3201 }
3202 
3203 static void vnc_refresh(DisplayChangeListener *dcl)
3204 {
3205     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3206     VncState *vs, *vn;
3207     int has_dirty, rects = 0;
3208 
3209     if (QTAILQ_EMPTY(&vd->clients)) {
3210         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3211         return;
3212     }
3213 
3214     graphic_hw_update(vd->dcl.con);
3215 
3216     if (vnc_trylock_display(vd)) {
3217         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3218         return;
3219     }
3220 
3221     has_dirty = vnc_refresh_server_surface(vd);
3222     vnc_unlock_display(vd);
3223 
3224     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3225         rects += vnc_update_client(vs, has_dirty);
3226         /* vs might be free()ed here */
3227     }
3228 
3229     if (has_dirty && rects) {
3230         vd->dcl.update_interval /= 2;
3231         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3232             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3233         }
3234     } else {
3235         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3236         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3237             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3238         }
3239     }
3240 }
3241 
3242 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3243                         bool skipauth, bool websocket)
3244 {
3245     VncState *vs = g_new0(VncState, 1);
3246     bool first_client = QTAILQ_EMPTY(&vd->clients);
3247     int i;
3248 
3249     trace_vnc_client_connect(vs, sioc);
3250     vs->zrle = g_new0(VncZrle, 1);
3251     vs->tight = g_new0(VncTight, 1);
3252     vs->magic = VNC_MAGIC;
3253     vs->sioc = sioc;
3254     object_ref(OBJECT(vs->sioc));
3255     vs->ioc = QIO_CHANNEL(sioc);
3256     object_ref(OBJECT(vs->ioc));
3257     vs->vd = vd;
3258 
3259     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3260     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3261     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3262 
3263     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3264     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3265     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3266 #ifdef CONFIG_VNC_JPEG
3267     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3268 #endif
3269 #ifdef CONFIG_PNG
3270     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3271 #endif
3272     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3273     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3274     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3275     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3276 
3277     if (skipauth) {
3278         vs->auth = VNC_AUTH_NONE;
3279         vs->subauth = VNC_AUTH_INVALID;
3280     } else {
3281         if (websocket) {
3282             vs->auth = vd->ws_auth;
3283             vs->subauth = VNC_AUTH_INVALID;
3284         } else {
3285             vs->auth = vd->auth;
3286             vs->subauth = vd->subauth;
3287         }
3288     }
3289     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3290               sioc, websocket, vs->auth, vs->subauth);
3291 
3292     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3293     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3294         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3295     }
3296 
3297     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3298     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3299     qio_channel_set_blocking(vs->ioc, false, NULL);
3300     if (vs->ioc_tag) {
3301         g_source_remove(vs->ioc_tag);
3302     }
3303     if (websocket) {
3304         vs->websocket = 1;
3305         if (vd->tlscreds) {
3306             vs->ioc_tag = qio_channel_add_watch(
3307                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3308                 vncws_tls_handshake_io, vs, NULL);
3309         } else {
3310             vs->ioc_tag = qio_channel_add_watch(
3311                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3312                 vncws_handshake_io, vs, NULL);
3313         }
3314     } else {
3315         vs->ioc_tag = qio_channel_add_watch(
3316             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3317             vnc_client_io, vs, NULL);
3318     }
3319 
3320     vnc_client_cache_addr(vs);
3321     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3322     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3323 
3324     vs->last_x = -1;
3325     vs->last_y = -1;
3326 
3327     vs->as.freq = 44100;
3328     vs->as.nchannels = 2;
3329     vs->as.fmt = AUDIO_FORMAT_S16;
3330     vs->as.endianness = 0;
3331 
3332     qemu_mutex_init(&vs->output_mutex);
3333     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3334 
3335     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3336     if (first_client) {
3337         vnc_update_server_surface(vd);
3338     }
3339 
3340     graphic_hw_update(vd->dcl.con);
3341 
3342     if (!vs->websocket) {
3343         vnc_start_protocol(vs);
3344     }
3345 
3346     if (vd->num_connecting > vd->connections_limit) {
3347         QTAILQ_FOREACH(vs, &vd->clients, next) {
3348             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3349                 vnc_disconnect_start(vs);
3350                 return;
3351             }
3352         }
3353     }
3354 }
3355 
3356 void vnc_start_protocol(VncState *vs)
3357 {
3358     vnc_write(vs, "RFB 003.008\n", 12);
3359     vnc_flush(vs);
3360     vnc_read_when(vs, protocol_version, 12);
3361 
3362     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3363     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3364 }
3365 
3366 static void vnc_listen_io(QIONetListener *listener,
3367                           QIOChannelSocket *cioc,
3368                           void *opaque)
3369 {
3370     VncDisplay *vd = opaque;
3371     bool isWebsock = listener == vd->wslistener;
3372 
3373     qio_channel_set_name(QIO_CHANNEL(cioc),
3374                          isWebsock ? "vnc-ws-server" : "vnc-server");
3375     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3376     vnc_connect(vd, cioc, false, isWebsock);
3377 }
3378 
3379 static const DisplayChangeListenerOps dcl_ops = {
3380     .dpy_name             = "vnc",
3381     .dpy_refresh          = vnc_refresh,
3382     .dpy_gfx_update       = vnc_dpy_update,
3383     .dpy_gfx_switch       = vnc_dpy_switch,
3384     .dpy_gfx_check_format = qemu_pixman_check_format,
3385     .dpy_mouse_set        = vnc_mouse_set,
3386     .dpy_cursor_define    = vnc_dpy_cursor_define,
3387 };
3388 
3389 void vnc_display_init(const char *id, Error **errp)
3390 {
3391     VncDisplay *vd;
3392 
3393     if (vnc_display_find(id) != NULL) {
3394         return;
3395     }
3396     vd = g_malloc0(sizeof(*vd));
3397 
3398     vd->id = strdup(id);
3399     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3400 
3401     QTAILQ_INIT(&vd->clients);
3402     vd->expires = TIME_MAX;
3403 
3404     if (keyboard_layout) {
3405         trace_vnc_key_map_init(keyboard_layout);
3406         vd->kbd_layout = init_keyboard_layout(name2keysym,
3407                                               keyboard_layout, errp);
3408     } else {
3409         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3410     }
3411 
3412     if (!vd->kbd_layout) {
3413         return;
3414     }
3415 
3416     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3417     vd->connections_limit = 32;
3418 
3419     qemu_mutex_init(&vd->mutex);
3420     vnc_start_worker_thread();
3421 
3422     vd->dcl.ops = &dcl_ops;
3423     register_displaychangelistener(&vd->dcl);
3424     vd->kbd = qkbd_state_init(vd->dcl.con);
3425 }
3426 
3427 
3428 static void vnc_display_close(VncDisplay *vd)
3429 {
3430     if (!vd) {
3431         return;
3432     }
3433 
3434     if (vd->listener) {
3435         qio_net_listener_disconnect(vd->listener);
3436         object_unref(OBJECT(vd->listener));
3437     }
3438     vd->listener = NULL;
3439 
3440     if (vd->wslistener) {
3441         qio_net_listener_disconnect(vd->wslistener);
3442         object_unref(OBJECT(vd->wslistener));
3443     }
3444     vd->wslistener = NULL;
3445 
3446     vd->auth = VNC_AUTH_INVALID;
3447     vd->subauth = VNC_AUTH_INVALID;
3448     if (vd->tlscreds) {
3449         object_unref(OBJECT(vd->tlscreds));
3450         vd->tlscreds = NULL;
3451     }
3452     if (vd->tlsauthz) {
3453         object_unparent(OBJECT(vd->tlsauthz));
3454         vd->tlsauthz = NULL;
3455     }
3456     g_free(vd->tlsauthzid);
3457     vd->tlsauthzid = NULL;
3458     if (vd->lock_key_sync) {
3459         qemu_remove_led_event_handler(vd->led);
3460         vd->led = NULL;
3461     }
3462 #ifdef CONFIG_VNC_SASL
3463     if (vd->sasl.authz) {
3464         object_unparent(OBJECT(vd->sasl.authz));
3465         vd->sasl.authz = NULL;
3466     }
3467     g_free(vd->sasl.authzid);
3468     vd->sasl.authzid = NULL;
3469 #endif
3470 }
3471 
3472 int vnc_display_password(const char *id, const char *password)
3473 {
3474     VncDisplay *vd = vnc_display_find(id);
3475 
3476     if (!vd) {
3477         return -EINVAL;
3478     }
3479     if (vd->auth == VNC_AUTH_NONE) {
3480         error_printf_unless_qmp("If you want use passwords please enable "
3481                                 "password auth using '-vnc ${dpy},password'.\n");
3482         return -EINVAL;
3483     }
3484 
3485     g_free(vd->password);
3486     vd->password = g_strdup(password);
3487 
3488     return 0;
3489 }
3490 
3491 int vnc_display_pw_expire(const char *id, time_t expires)
3492 {
3493     VncDisplay *vd = vnc_display_find(id);
3494 
3495     if (!vd) {
3496         return -EINVAL;
3497     }
3498 
3499     vd->expires = expires;
3500     return 0;
3501 }
3502 
3503 static void vnc_display_print_local_addr(VncDisplay *vd)
3504 {
3505     SocketAddress *addr;
3506 
3507     if (!vd->listener || !vd->listener->nsioc) {
3508         return;
3509     }
3510 
3511     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3512     if (!addr) {
3513         return;
3514     }
3515 
3516     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3517         qapi_free_SocketAddress(addr);
3518         return;
3519     }
3520     error_printf_unless_qmp("VNC server running on %s:%s\n",
3521                             addr->u.inet.host,
3522                             addr->u.inet.port);
3523     qapi_free_SocketAddress(addr);
3524 }
3525 
3526 static QemuOptsList qemu_vnc_opts = {
3527     .name = "vnc",
3528     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3529     .implied_opt_name = "vnc",
3530     .desc = {
3531         {
3532             .name = "vnc",
3533             .type = QEMU_OPT_STRING,
3534         },{
3535             .name = "websocket",
3536             .type = QEMU_OPT_STRING,
3537         },{
3538             .name = "tls-creds",
3539             .type = QEMU_OPT_STRING,
3540         },{
3541             .name = "share",
3542             .type = QEMU_OPT_STRING,
3543         },{
3544             .name = "display",
3545             .type = QEMU_OPT_STRING,
3546         },{
3547             .name = "head",
3548             .type = QEMU_OPT_NUMBER,
3549         },{
3550             .name = "connections",
3551             .type = QEMU_OPT_NUMBER,
3552         },{
3553             .name = "to",
3554             .type = QEMU_OPT_NUMBER,
3555         },{
3556             .name = "ipv4",
3557             .type = QEMU_OPT_BOOL,
3558         },{
3559             .name = "ipv6",
3560             .type = QEMU_OPT_BOOL,
3561         },{
3562             .name = "password",
3563             .type = QEMU_OPT_BOOL,
3564         },{
3565             .name = "password-secret",
3566             .type = QEMU_OPT_STRING,
3567         },{
3568             .name = "reverse",
3569             .type = QEMU_OPT_BOOL,
3570         },{
3571             .name = "lock-key-sync",
3572             .type = QEMU_OPT_BOOL,
3573         },{
3574             .name = "key-delay-ms",
3575             .type = QEMU_OPT_NUMBER,
3576         },{
3577             .name = "sasl",
3578             .type = QEMU_OPT_BOOL,
3579         },{
3580             .name = "tls-authz",
3581             .type = QEMU_OPT_STRING,
3582         },{
3583             .name = "sasl-authz",
3584             .type = QEMU_OPT_STRING,
3585         },{
3586             .name = "lossy",
3587             .type = QEMU_OPT_BOOL,
3588         },{
3589             .name = "non-adaptive",
3590             .type = QEMU_OPT_BOOL,
3591         },{
3592             .name = "audiodev",
3593             .type = QEMU_OPT_STRING,
3594         },{
3595             .name = "power-control",
3596             .type = QEMU_OPT_BOOL,
3597         },
3598         { /* end of list */ }
3599     },
3600 };
3601 
3602 
3603 static int
3604 vnc_display_setup_auth(int *auth,
3605                        int *subauth,
3606                        QCryptoTLSCreds *tlscreds,
3607                        bool password,
3608                        bool sasl,
3609                        bool websocket,
3610                        Error **errp)
3611 {
3612     /*
3613      * We have a choice of 3 authentication options
3614      *
3615      *   1. none
3616      *   2. vnc
3617      *   3. sasl
3618      *
3619      * The channel can be run in 2 modes
3620      *
3621      *   1. clear
3622      *   2. tls
3623      *
3624      * And TLS can use 2 types of credentials
3625      *
3626      *   1. anon
3627      *   2. x509
3628      *
3629      * We thus have 9 possible logical combinations
3630      *
3631      *   1. clear + none
3632      *   2. clear + vnc
3633      *   3. clear + sasl
3634      *   4. tls + anon + none
3635      *   5. tls + anon + vnc
3636      *   6. tls + anon + sasl
3637      *   7. tls + x509 + none
3638      *   8. tls + x509 + vnc
3639      *   9. tls + x509 + sasl
3640      *
3641      * These need to be mapped into the VNC auth schemes
3642      * in an appropriate manner. In regular VNC, all the
3643      * TLS options get mapped into VNC_AUTH_VENCRYPT
3644      * sub-auth types.
3645      *
3646      * In websockets, the https:// protocol already provides
3647      * TLS support, so there is no need to make use of the
3648      * VeNCrypt extension. Furthermore, websockets browser
3649      * clients could not use VeNCrypt even if they wanted to,
3650      * as they cannot control when the TLS handshake takes
3651      * place. Thus there is no option but to rely on https://,
3652      * meaning combinations 4->6 and 7->9 will be mapped to
3653      * VNC auth schemes in the same way as combos 1->3.
3654      *
3655      * Regardless of fact that we have a different mapping to
3656      * VNC auth mechs for plain VNC vs websockets VNC, the end
3657      * result has the same security characteristics.
3658      */
3659     if (websocket || !tlscreds) {
3660         if (password) {
3661             VNC_DEBUG("Initializing VNC server with password auth\n");
3662             *auth = VNC_AUTH_VNC;
3663         } else if (sasl) {
3664             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3665             *auth = VNC_AUTH_SASL;
3666         } else {
3667             VNC_DEBUG("Initializing VNC server with no auth\n");
3668             *auth = VNC_AUTH_NONE;
3669         }
3670         *subauth = VNC_AUTH_INVALID;
3671     } else {
3672         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3673                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3674         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3675                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3676 
3677         if (!is_x509 && !is_anon) {
3678             error_setg(errp,
3679                        "Unsupported TLS cred type %s",
3680                        object_get_typename(OBJECT(tlscreds)));
3681             return -1;
3682         }
3683         *auth = VNC_AUTH_VENCRYPT;
3684         if (password) {
3685             if (is_x509) {
3686                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3687                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3688             } else {
3689                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3690                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3691             }
3692 
3693         } else if (sasl) {
3694             if (is_x509) {
3695                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3696                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3697             } else {
3698                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3699                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3700             }
3701         } else {
3702             if (is_x509) {
3703                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3704                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3705             } else {
3706                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3707                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3708             }
3709         }
3710     }
3711     return 0;
3712 }
3713 
3714 
3715 static int vnc_display_get_address(const char *addrstr,
3716                                    bool websocket,
3717                                    bool reverse,
3718                                    int displaynum,
3719                                    int to,
3720                                    bool has_ipv4,
3721                                    bool has_ipv6,
3722                                    bool ipv4,
3723                                    bool ipv6,
3724                                    SocketAddress **retaddr,
3725                                    Error **errp)
3726 {
3727     int ret = -1;
3728     SocketAddress *addr = NULL;
3729 
3730     addr = g_new0(SocketAddress, 1);
3731 
3732     if (strncmp(addrstr, "unix:", 5) == 0) {
3733         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3734         addr->u.q_unix.path = g_strdup(addrstr + 5);
3735 
3736         if (to) {
3737             error_setg(errp, "Port range not support with UNIX socket");
3738             goto cleanup;
3739         }
3740         ret = 0;
3741     } else {
3742         const char *port;
3743         size_t hostlen;
3744         uint64_t baseport = 0;
3745         InetSocketAddress *inet;
3746 
3747         port = strrchr(addrstr, ':');
3748         if (!port) {
3749             if (websocket) {
3750                 hostlen = 0;
3751                 port = addrstr;
3752             } else {
3753                 error_setg(errp, "no vnc port specified");
3754                 goto cleanup;
3755             }
3756         } else {
3757             hostlen = port - addrstr;
3758             port++;
3759             if (*port == '\0') {
3760                 error_setg(errp, "vnc port cannot be empty");
3761                 goto cleanup;
3762             }
3763         }
3764 
3765         addr->type = SOCKET_ADDRESS_TYPE_INET;
3766         inet = &addr->u.inet;
3767         if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3768             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3769         } else {
3770             inet->host = g_strndup(addrstr, hostlen);
3771         }
3772         /* plain VNC port is just an offset, for websocket
3773          * port is absolute */
3774         if (websocket) {
3775             if (g_str_equal(addrstr, "") ||
3776                 g_str_equal(addrstr, "on")) {
3777                 if (displaynum == -1) {
3778                     error_setg(errp, "explicit websocket port is required");
3779                     goto cleanup;
3780                 }
3781                 inet->port = g_strdup_printf(
3782                     "%d", displaynum + 5700);
3783                 if (to) {
3784                     inet->has_to = true;
3785                     inet->to = to + 5700;
3786                 }
3787             } else {
3788                 inet->port = g_strdup(port);
3789             }
3790         } else {
3791             int offset = reverse ? 0 : 5900;
3792             if (parse_uint_full(port, 10, &baseport) < 0) {
3793                 error_setg(errp, "can't convert to a number: %s", port);
3794                 goto cleanup;
3795             }
3796             if (baseport > 65535 ||
3797                 baseport + offset > 65535) {
3798                 error_setg(errp, "port %s out of range", port);
3799                 goto cleanup;
3800             }
3801             inet->port = g_strdup_printf(
3802                 "%d", (int)baseport + offset);
3803 
3804             if (to) {
3805                 inet->has_to = true;
3806                 inet->to = to + offset;
3807             }
3808         }
3809 
3810         inet->ipv4 = ipv4;
3811         inet->has_ipv4 = has_ipv4;
3812         inet->ipv6 = ipv6;
3813         inet->has_ipv6 = has_ipv6;
3814 
3815         ret = baseport;
3816     }
3817 
3818     *retaddr = addr;
3819 
3820  cleanup:
3821     if (ret < 0) {
3822         qapi_free_SocketAddress(addr);
3823     }
3824     return ret;
3825 }
3826 
3827 static int vnc_display_get_addresses(QemuOpts *opts,
3828                                      bool reverse,
3829                                      SocketAddressList **saddr_list_ret,
3830                                      SocketAddressList **wsaddr_list_ret,
3831                                      Error **errp)
3832 {
3833     SocketAddress *saddr = NULL;
3834     SocketAddress *wsaddr = NULL;
3835     g_autoptr(SocketAddressList) saddr_list = NULL;
3836     SocketAddressList **saddr_tail = &saddr_list;
3837     SocketAddress *single_saddr = NULL;
3838     g_autoptr(SocketAddressList) wsaddr_list = NULL;
3839     SocketAddressList **wsaddr_tail = &wsaddr_list;
3840     QemuOptsIter addriter;
3841     const char *addr;
3842     int to = qemu_opt_get_number(opts, "to", 0);
3843     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3844     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3845     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3846     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3847     int displaynum = -1;
3848 
3849     addr = qemu_opt_get(opts, "vnc");
3850     if (addr == NULL || g_str_equal(addr, "none")) {
3851         return 0;
3852     }
3853     if (qemu_opt_get(opts, "websocket") &&
3854         !qcrypto_hash_supports(QCRYPTO_HASH_ALGO_SHA1)) {
3855         error_setg(errp,
3856                    "SHA1 hash support is required for websockets");
3857         return -1;
3858     }
3859 
3860     qemu_opt_iter_init(&addriter, opts, "vnc");
3861     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3862         int rv;
3863         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3864                                      has_ipv4, has_ipv6,
3865                                      ipv4, ipv6,
3866                                      &saddr, errp);
3867         if (rv < 0) {
3868             return -1;
3869         }
3870         /* Historical compat - first listen address can be used
3871          * to set the default websocket port
3872          */
3873         if (displaynum == -1) {
3874             displaynum = rv;
3875         }
3876         QAPI_LIST_APPEND(saddr_tail, saddr);
3877     }
3878 
3879     if (saddr_list && !saddr_list->next) {
3880         single_saddr = saddr_list->value;
3881     } else {
3882         /*
3883          * If we had multiple primary displays, we don't do defaults
3884          * for websocket, and require explicit config instead.
3885          */
3886         displaynum = -1;
3887     }
3888 
3889     qemu_opt_iter_init(&addriter, opts, "websocket");
3890     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3891         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3892                                     has_ipv4, has_ipv6,
3893                                     ipv4, ipv6,
3894                                     &wsaddr, errp) < 0) {
3895             return -1;
3896         }
3897 
3898         /* Historical compat - if only a single listen address was
3899          * provided, then this is used to set the default listen
3900          * address for websocket too
3901          */
3902         if (single_saddr &&
3903             single_saddr->type == SOCKET_ADDRESS_TYPE_INET &&
3904             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3905             g_str_equal(wsaddr->u.inet.host, "") &&
3906             !g_str_equal(single_saddr->u.inet.host, "")) {
3907             g_free(wsaddr->u.inet.host);
3908             wsaddr->u.inet.host = g_strdup(single_saddr->u.inet.host);
3909         }
3910 
3911         QAPI_LIST_APPEND(wsaddr_tail, wsaddr);
3912     }
3913 
3914     *saddr_list_ret = g_steal_pointer(&saddr_list);
3915     *wsaddr_list_ret = g_steal_pointer(&wsaddr_list);
3916     return 0;
3917 }
3918 
3919 static int vnc_display_connect(VncDisplay *vd,
3920                                SocketAddressList *saddr_list,
3921                                SocketAddressList *wsaddr_list,
3922                                Error **errp)
3923 {
3924     /* connect to viewer */
3925     QIOChannelSocket *sioc = NULL;
3926     if (wsaddr_list) {
3927         error_setg(errp, "Cannot use websockets in reverse mode");
3928         return -1;
3929     }
3930     if (!saddr_list || saddr_list->next) {
3931         error_setg(errp, "Expected a single address in reverse mode");
3932         return -1;
3933     }
3934     sioc = qio_channel_socket_new();
3935     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3936     if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
3937         object_unref(OBJECT(sioc));
3938         return -1;
3939     }
3940     vnc_connect(vd, sioc, false, false);
3941     object_unref(OBJECT(sioc));
3942     return 0;
3943 }
3944 
3945 
3946 static int vnc_display_listen(VncDisplay *vd,
3947                               SocketAddressList *saddr_list,
3948                               SocketAddressList *wsaddr_list,
3949                               Error **errp)
3950 {
3951     SocketAddressList *el;
3952 
3953     if (saddr_list) {
3954         vd->listener = qio_net_listener_new();
3955         qio_net_listener_set_name(vd->listener, "vnc-listen");
3956         for (el = saddr_list; el; el = el->next) {
3957             if (qio_net_listener_open_sync(vd->listener,
3958                                            el->value, 1,
3959                                            errp) < 0)  {
3960                 return -1;
3961             }
3962         }
3963 
3964         qio_net_listener_set_client_func(vd->listener,
3965                                          vnc_listen_io, vd, NULL);
3966     }
3967 
3968     if (wsaddr_list) {
3969         vd->wslistener = qio_net_listener_new();
3970         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3971         for (el = wsaddr_list; el; el = el->next) {
3972             if (qio_net_listener_open_sync(vd->wslistener,
3973                                            el->value, 1,
3974                                            errp) < 0)  {
3975                 return -1;
3976             }
3977         }
3978 
3979         qio_net_listener_set_client_func(vd->wslistener,
3980                                          vnc_listen_io, vd, NULL);
3981     }
3982 
3983     return 0;
3984 }
3985 
3986 bool vnc_display_update(DisplayUpdateOptionsVNC *arg, Error **errp)
3987 {
3988     VncDisplay *vd = vnc_display_find(NULL);
3989 
3990     if (!vd) {
3991         error_setg(errp, "Can not find vnc display");
3992         return false;
3993     }
3994 
3995     if (arg->has_addresses) {
3996         if (vd->listener) {
3997             qio_net_listener_disconnect(vd->listener);
3998             object_unref(OBJECT(vd->listener));
3999             vd->listener = NULL;
4000         }
4001 
4002         if (vnc_display_listen(vd, arg->addresses, NULL, errp) < 0) {
4003             return false;
4004         }
4005     }
4006 
4007     return true;
4008 }
4009 
4010 void vnc_display_open(const char *id, Error **errp)
4011 {
4012     VncDisplay *vd = vnc_display_find(id);
4013     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4014     g_autoptr(SocketAddressList) saddr_list = NULL;
4015     g_autoptr(SocketAddressList) wsaddr_list = NULL;
4016     const char *share, *device_id;
4017     QemuConsole *con;
4018     bool password = false;
4019     bool reverse = false;
4020     const char *credid;
4021     bool sasl = false;
4022     const char *tlsauthz;
4023     const char *saslauthz;
4024     int lock_key_sync = 1;
4025     int key_delay_ms;
4026     const char *audiodev;
4027     const char *passwordSecret;
4028 
4029     if (!vd) {
4030         error_setg(errp, "VNC display not active");
4031         return;
4032     }
4033     vnc_display_close(vd);
4034 
4035     if (!opts) {
4036         return;
4037     }
4038 
4039     reverse = qemu_opt_get_bool(opts, "reverse", false);
4040     if (vnc_display_get_addresses(opts, reverse, &saddr_list, &wsaddr_list,
4041                                   errp) < 0) {
4042         goto fail;
4043     }
4044 
4045 
4046     passwordSecret = qemu_opt_get(opts, "password-secret");
4047     if (passwordSecret) {
4048         if (qemu_opt_get(opts, "password")) {
4049             error_setg(errp,
4050                        "'password' flag is redundant with 'password-secret'");
4051             goto fail;
4052         }
4053         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4054                                                      errp);
4055         if (!vd->password) {
4056             goto fail;
4057         }
4058         password = true;
4059     } else {
4060         password = qemu_opt_get_bool(opts, "password", false);
4061     }
4062     if (password) {
4063         if (!qcrypto_cipher_supports(
4064                 QCRYPTO_CIPHER_ALGO_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4065             error_setg(errp,
4066                        "Cipher backend does not support DES algorithm");
4067             goto fail;
4068         }
4069     }
4070 
4071     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4072     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4073     sasl = qemu_opt_get_bool(opts, "sasl", false);
4074 #ifndef CONFIG_VNC_SASL
4075     if (sasl) {
4076         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4077         goto fail;
4078     }
4079 #endif /* CONFIG_VNC_SASL */
4080     credid = qemu_opt_get(opts, "tls-creds");
4081     if (credid) {
4082         Object *creds;
4083         creds = object_resolve_path_component(
4084             object_get_objects_root(), credid);
4085         if (!creds) {
4086             error_setg(errp, "No TLS credentials with id '%s'",
4087                        credid);
4088             goto fail;
4089         }
4090         vd->tlscreds = (QCryptoTLSCreds *)
4091             object_dynamic_cast(creds,
4092                                 TYPE_QCRYPTO_TLS_CREDS);
4093         if (!vd->tlscreds) {
4094             error_setg(errp, "Object with id '%s' is not TLS credentials",
4095                        credid);
4096             goto fail;
4097         }
4098         object_ref(OBJECT(vd->tlscreds));
4099 
4100         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4101                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4102                                               errp)) {
4103             goto fail;
4104         }
4105     }
4106     tlsauthz = qemu_opt_get(opts, "tls-authz");
4107     if (tlsauthz && !vd->tlscreds) {
4108         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4109         goto fail;
4110     }
4111 
4112     saslauthz = qemu_opt_get(opts, "sasl-authz");
4113     if (saslauthz && !sasl) {
4114         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4115         goto fail;
4116     }
4117 
4118     share = qemu_opt_get(opts, "share");
4119     if (share) {
4120         if (strcmp(share, "ignore") == 0) {
4121             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4122         } else if (strcmp(share, "allow-exclusive") == 0) {
4123             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4124         } else if (strcmp(share, "force-shared") == 0) {
4125             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4126         } else {
4127             error_setg(errp, "unknown vnc share= option");
4128             goto fail;
4129         }
4130     } else {
4131         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4132     }
4133     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4134 
4135 #ifdef CONFIG_VNC_JPEG
4136     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4137 #endif
4138     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4139     /* adaptive updates are only used with tight encoding and
4140      * if lossy updates are enabled so we can disable all the
4141      * calculations otherwise */
4142     if (!vd->lossy) {
4143         vd->non_adaptive = true;
4144     }
4145 
4146     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4147 
4148     if (tlsauthz) {
4149         vd->tlsauthzid = g_strdup(tlsauthz);
4150     }
4151 #ifdef CONFIG_VNC_SASL
4152     if (sasl) {
4153         if (saslauthz) {
4154             vd->sasl.authzid = g_strdup(saslauthz);
4155         }
4156     }
4157 #endif
4158 
4159     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4160                                vd->tlscreds, password,
4161                                sasl, false, errp) < 0) {
4162         goto fail;
4163     }
4164     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4165 
4166     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4167                                vd->tlscreds, password,
4168                                sasl, true, errp) < 0) {
4169         goto fail;
4170     }
4171     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4172 
4173 #ifdef CONFIG_VNC_SASL
4174     if (sasl && !vnc_sasl_server_init(errp)) {
4175         goto fail;
4176     }
4177 #endif
4178     vd->lock_key_sync = lock_key_sync;
4179     if (lock_key_sync) {
4180         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4181     }
4182     vd->ledstate = 0;
4183 
4184     audiodev = qemu_opt_get(opts, "audiodev");
4185     if (audiodev) {
4186         vd->audio_state = audio_state_by_name(audiodev, errp);
4187         if (!vd->audio_state) {
4188             goto fail;
4189         }
4190     } else {
4191         vd->audio_state = audio_get_default_audio_state(NULL);
4192     }
4193 
4194     device_id = qemu_opt_get(opts, "display");
4195     if (device_id) {
4196         int head = qemu_opt_get_number(opts, "head", 0);
4197         Error *err = NULL;
4198 
4199         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4200         if (err) {
4201             error_propagate(errp, err);
4202             goto fail;
4203         }
4204     } else {
4205         con = qemu_console_lookup_default();
4206     }
4207 
4208     if (con != vd->dcl.con) {
4209         qkbd_state_free(vd->kbd);
4210         unregister_displaychangelistener(&vd->dcl);
4211         vd->dcl.con = con;
4212         register_displaychangelistener(&vd->dcl);
4213         vd->kbd = qkbd_state_init(vd->dcl.con);
4214     }
4215     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4216 
4217     if (saddr_list == NULL) {
4218         return;
4219     }
4220 
4221     if (reverse) {
4222         if (vnc_display_connect(vd, saddr_list, wsaddr_list, errp) < 0) {
4223             goto fail;
4224         }
4225     } else {
4226         if (vnc_display_listen(vd, saddr_list, wsaddr_list, errp) < 0) {
4227             goto fail;
4228         }
4229     }
4230 
4231     if (qemu_opt_get(opts, "to")) {
4232         vnc_display_print_local_addr(vd);
4233     }
4234 
4235     /* Success */
4236     return;
4237 
4238 fail:
4239     vnc_display_close(vd);
4240 }
4241 
4242 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4243 {
4244     VncDisplay *vd = vnc_display_find(id);
4245     QIOChannelSocket *sioc;
4246 
4247     if (!vd) {
4248         return;
4249     }
4250 
4251     sioc = qio_channel_socket_new_fd(csock, NULL);
4252     if (sioc) {
4253         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4254         vnc_connect(vd, sioc, skipauth, false);
4255         object_unref(OBJECT(sioc));
4256     }
4257 }
4258 
4259 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4260 {
4261     int i = 2;
4262     char *id;
4263 
4264     id = g_strdup("default");
4265     while (qemu_opts_find(olist, id)) {
4266         g_free(id);
4267         id = g_strdup_printf("vnc%d", i++);
4268     }
4269     qemu_opts_set_id(opts, id);
4270 }
4271 
4272 void vnc_parse(const char *str)
4273 {
4274     QemuOptsList *olist = qemu_find_opts("vnc");
4275     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4276     const char *id;
4277 
4278     if (!opts) {
4279         exit(1);
4280     }
4281 
4282     id = qemu_opts_id(opts);
4283     if (!id) {
4284         /* auto-assign id if not present */
4285         vnc_auto_assign_id(olist, opts);
4286     }
4287 }
4288 
4289 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4290 {
4291     Error *local_err = NULL;
4292     char *id = (char *)qemu_opts_id(opts);
4293 
4294     assert(id);
4295     vnc_display_init(id, &local_err);
4296     if (local_err) {
4297         error_propagate(errp, local_err);
4298         return -1;
4299     }
4300     vnc_display_open(id, &local_err);
4301     if (local_err != NULL) {
4302         error_propagate(errp, local_err);
4303         return -1;
4304     }
4305     return 0;
4306 }
4307 
4308 static void vnc_register_config(void)
4309 {
4310     qemu_add_opts(&qemu_vnc_opts);
4311 }
4312 opts_init(vnc_register_config);
4313