xref: /openbmc/qemu/ui/vnc.c (revision 40f23e4e)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "qemu-common.h"
29 #include "vnc.h"
30 #include "vnc-jobs.h"
31 #include "trace.h"
32 #include "hw/qdev-core.h"
33 #include "sysemu/sysemu.h"
34 #include "sysemu/runstate.h"
35 #include "qemu/error-report.h"
36 #include "qemu/main-loop.h"
37 #include "qemu/module.h"
38 #include "qemu/option.h"
39 #include "qemu/sockets.h"
40 #include "qemu/timer.h"
41 #include "authz/list.h"
42 #include "qemu/config-file.h"
43 #include "qapi/qapi-emit-events.h"
44 #include "qapi/qapi-events-ui.h"
45 #include "qapi/error.h"
46 #include "qapi/qapi-commands-ui.h"
47 #include "ui/input.h"
48 #include "crypto/hash.h"
49 #include "crypto/tlscreds.h"
50 #include "crypto/tlscredsanon.h"
51 #include "crypto/tlscredsx509.h"
52 #include "crypto/random.h"
53 #include "crypto/secret_common.h"
54 #include "qom/object_interfaces.h"
55 #include "qemu/cutils.h"
56 #include "qemu/help_option.h"
57 #include "io/dns-resolver.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->has_auth = true;
248     info->auth = g_strdup(vnc_auth_name(vd));
249     if (err) {
250         qapi_free_VncServerInfo(info);
251         info = NULL;
252         error_free(err);
253     }
254     return info;
255 }
256 
257 static void vnc_client_cache_auth(VncState *client)
258 {
259     if (!client->info) {
260         return;
261     }
262 
263     if (client->tls) {
264         client->info->x509_dname =
265             qcrypto_tls_session_get_peer_name(client->tls);
266         client->info->has_x509_dname =
267             client->info->x509_dname != NULL;
268     }
269 #ifdef CONFIG_VNC_SASL
270     if (client->sasl.conn &&
271         client->sasl.username) {
272         client->info->has_sasl_username = true;
273         client->info->sasl_username = g_strdup(client->sasl.username);
274     }
275 #endif
276 }
277 
278 static void vnc_client_cache_addr(VncState *client)
279 {
280     Error *err = NULL;
281 
282     client->info = g_malloc0(sizeof(*client->info));
283     vnc_init_basic_info_from_remote_addr(client->sioc,
284                                          qapi_VncClientInfo_base(client->info),
285                                          &err);
286     client->info->websocket = client->websocket;
287     if (err) {
288         qapi_free_VncClientInfo(client->info);
289         client->info = NULL;
290         error_free(err);
291     }
292 }
293 
294 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
295 {
296     VncServerInfo *si;
297 
298     if (!vs->info) {
299         return;
300     }
301 
302     si = vnc_server_info_get(vs->vd);
303     if (!si) {
304         return;
305     }
306 
307     switch (event) {
308     case QAPI_EVENT_VNC_CONNECTED:
309         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
310         break;
311     case QAPI_EVENT_VNC_INITIALIZED:
312         qapi_event_send_vnc_initialized(si, vs->info);
313         break;
314     case QAPI_EVENT_VNC_DISCONNECTED:
315         qapi_event_send_vnc_disconnected(si, vs->info);
316         break;
317     default:
318         break;
319     }
320 
321     qapi_free_VncServerInfo(si);
322 }
323 
324 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
325 {
326     VncClientInfo *info;
327     Error *err = NULL;
328 
329     info = g_malloc0(sizeof(*info));
330 
331     vnc_init_basic_info_from_remote_addr(client->sioc,
332                                          qapi_VncClientInfo_base(info),
333                                          &err);
334     if (err) {
335         error_free(err);
336         qapi_free_VncClientInfo(info);
337         return NULL;
338     }
339 
340     info->websocket = client->websocket;
341 
342     if (client->tls) {
343         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
344         info->has_x509_dname = info->x509_dname != NULL;
345     }
346 #ifdef CONFIG_VNC_SASL
347     if (client->sasl.conn && client->sasl.username) {
348         info->has_sasl_username = true;
349         info->sasl_username = g_strdup(client->sasl.username);
350     }
351 #endif
352 
353     return info;
354 }
355 
356 static VncDisplay *vnc_display_find(const char *id)
357 {
358     VncDisplay *vd;
359 
360     if (id == NULL) {
361         return QTAILQ_FIRST(&vnc_displays);
362     }
363     QTAILQ_FOREACH(vd, &vnc_displays, next) {
364         if (strcmp(id, vd->id) == 0) {
365             return vd;
366         }
367     }
368     return NULL;
369 }
370 
371 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
372 {
373     VncClientInfoList *prev = NULL;
374     VncState *client;
375 
376     QTAILQ_FOREACH(client, &vd->clients, next) {
377         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
378     }
379     return prev;
380 }
381 
382 VncInfo *qmp_query_vnc(Error **errp)
383 {
384     VncInfo *info = g_malloc0(sizeof(*info));
385     VncDisplay *vd = vnc_display_find(NULL);
386     SocketAddress *addr = NULL;
387 
388     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
389         info->enabled = false;
390     } else {
391         info->enabled = true;
392 
393         /* for compatibility with the original command */
394         info->has_clients = true;
395         info->clients = qmp_query_client_list(vd);
396 
397         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
398                                                     errp);
399         if (!addr) {
400             goto out_error;
401         }
402 
403         switch (addr->type) {
404         case SOCKET_ADDRESS_TYPE_INET:
405             info->host = g_strdup(addr->u.inet.host);
406             info->service = g_strdup(addr->u.inet.port);
407             if (addr->u.inet.ipv6) {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
409             } else {
410                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
411             }
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_UNIX:
415             info->host = g_strdup("");
416             info->service = g_strdup(addr->u.q_unix.path);
417             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
418             break;
419 
420         case SOCKET_ADDRESS_TYPE_VSOCK:
421         case SOCKET_ADDRESS_TYPE_FD:
422             error_setg(errp, "Unsupported socket address type %s",
423                        SocketAddressType_str(addr->type));
424             goto out_error;
425         default:
426             abort();
427         }
428 
429         info->has_host = true;
430         info->has_service = true;
431         info->has_family = true;
432 
433         info->has_auth = true;
434         info->auth = g_strdup(vnc_auth_name(vd));
435     }
436 
437     qapi_free_SocketAddress(addr);
438     return info;
439 
440 out_error:
441     qapi_free_SocketAddress(addr);
442     qapi_free_VncInfo(info);
443     return NULL;
444 }
445 
446 
447 static void qmp_query_auth(int auth, int subauth,
448                            VncPrimaryAuth *qmp_auth,
449                            VncVencryptSubAuth *qmp_vencrypt,
450                            bool *qmp_has_vencrypt);
451 
452 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
453                                                   bool websocket,
454                                                   int auth,
455                                                   int subauth,
456                                                   VncServerInfo2List *prev)
457 {
458     VncServerInfo2 *info;
459     Error *err = NULL;
460     SocketAddress *addr;
461 
462     addr = qio_channel_socket_get_local_address(ioc, NULL);
463     if (!addr) {
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     QAPI_LIST_PREPEND(prev, info);
481     return prev;
482 }
483 
484 static void qmp_query_auth(int auth, int subauth,
485                            VncPrimaryAuth *qmp_auth,
486                            VncVencryptSubAuth *qmp_vencrypt,
487                            bool *qmp_has_vencrypt)
488 {
489     switch (auth) {
490     case VNC_AUTH_VNC:
491         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
492         break;
493     case VNC_AUTH_RA2:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
495         break;
496     case VNC_AUTH_RA2NE:
497         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
498         break;
499     case VNC_AUTH_TIGHT:
500         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
501         break;
502     case VNC_AUTH_ULTRA:
503         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
504         break;
505     case VNC_AUTH_TLS:
506         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
507         break;
508     case VNC_AUTH_VENCRYPT:
509         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
510         *qmp_has_vencrypt = true;
511         switch (subauth) {
512         case VNC_AUTH_VENCRYPT_PLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSNONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSVNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_TLSPLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_X509NONE:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
526             break;
527         case VNC_AUTH_VENCRYPT_X509VNC:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
529             break;
530         case VNC_AUTH_VENCRYPT_X509PLAIN:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
532             break;
533         case VNC_AUTH_VENCRYPT_TLSSASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
535             break;
536         case VNC_AUTH_VENCRYPT_X509SASL:
537             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
538             break;
539         default:
540             *qmp_has_vencrypt = false;
541             break;
542         }
543         break;
544     case VNC_AUTH_SASL:
545         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
546         break;
547     case VNC_AUTH_NONE:
548     default:
549         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
550         break;
551     }
552 }
553 
554 VncInfo2List *qmp_query_vnc_servers(Error **errp)
555 {
556     VncInfo2List *prev = NULL;
557     VncInfo2 *info;
558     VncDisplay *vd;
559     DeviceState *dev;
560     size_t i;
561 
562     QTAILQ_FOREACH(vd, &vnc_displays, next) {
563         info = g_new0(VncInfo2, 1);
564         info->id = g_strdup(vd->id);
565         info->clients = qmp_query_client_list(vd);
566         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
567                        &info->vencrypt, &info->has_vencrypt);
568         if (vd->dcl.con) {
569             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
570                                                   "device", &error_abort));
571             info->has_display = true;
572             info->display = g_strdup(dev->id);
573         }
574         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
575             info->server = qmp_query_server_entry(
576                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
577                 info->server);
578         }
579         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
580             info->server = qmp_query_server_entry(
581                 vd->wslistener->sioc[i], true, vd->ws_auth,
582                 vd->ws_subauth, info->server);
583         }
584 
585         QAPI_LIST_PREPEND(prev, info);
586     }
587     return prev;
588 }
589 
590 bool vnc_display_reload_certs(const char *id, Error **errp)
591 {
592     VncDisplay *vd = vnc_display_find(id);
593     QCryptoTLSCredsClass *creds = NULL;
594 
595     if (!vd) {
596         error_setg(errp, "Can not find vnc display");
597         return false;
598     }
599 
600     if (!vd->tlscreds) {
601         error_setg(errp, "vnc tls is not enabled");
602         return false;
603     }
604 
605     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
606     if (creds->reload == NULL) {
607         error_setg(errp, "%s doesn't support to reload TLS credential",
608                    object_get_typename(OBJECT(vd->tlscreds)));
609         return false;
610     }
611     if (!creds->reload(vd->tlscreds, errp)) {
612         return false;
613     }
614 
615     return true;
616 }
617 
618 /* TODO
619    1) Get the queue working for IO.
620    2) there is some weirdness when using the -S option (the screen is grey
621       and not totally invalidated
622    3) resolutions > 1024
623 */
624 
625 static int vnc_update_client(VncState *vs, int has_dirty);
626 static void vnc_disconnect_start(VncState *vs);
627 
628 static void vnc_colordepth(VncState *vs);
629 static void framebuffer_update_request(VncState *vs, int incremental,
630                                        int x_position, int y_position,
631                                        int w, int h);
632 static void vnc_refresh(DisplayChangeListener *dcl);
633 static int vnc_refresh_server_surface(VncDisplay *vd);
634 
635 static int vnc_width(VncDisplay *vd)
636 {
637     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
638                                        VNC_DIRTY_PIXELS_PER_BIT));
639 }
640 
641 static int vnc_true_width(VncDisplay *vd)
642 {
643     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
644 }
645 
646 static int vnc_height(VncDisplay *vd)
647 {
648     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
649 }
650 
651 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
652                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
653                                VncDisplay *vd,
654                                int x, int y, int w, int h)
655 {
656     int width = vnc_width(vd);
657     int height = vnc_height(vd);
658 
659     /* this is needed this to ensure we updated all affected
660      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
661     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
662     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
663 
664     x = MIN(x, width);
665     y = MIN(y, height);
666     w = MIN(x + w, width) - x;
667     h = MIN(y + h, height);
668 
669     for (; y < h; y++) {
670         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
671                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
672     }
673 }
674 
675 static void vnc_dpy_update(DisplayChangeListener *dcl,
676                            int x, int y, int w, int h)
677 {
678     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
679     struct VncSurface *s = &vd->guest;
680 
681     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
682 }
683 
684 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
685                             int32_t encoding)
686 {
687     vnc_write_u16(vs, x);
688     vnc_write_u16(vs, y);
689     vnc_write_u16(vs, w);
690     vnc_write_u16(vs, h);
691 
692     vnc_write_s32(vs, encoding);
693 }
694 
695 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
696 {
697     trace_vnc_msg_server_ext_desktop_resize(
698         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
699 
700     vnc_lock_output(vs);
701     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
702     vnc_write_u8(vs, 0);
703     vnc_write_u16(vs, 1); /* number of rects */
704     vnc_framebuffer_update(vs,
705                            reject_reason ? 1 : 0,
706                            reject_reason,
707                            vs->client_width, vs->client_height,
708                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
709     vnc_write_u8(vs, 1);  /* number of screens */
710     vnc_write_u8(vs, 0);  /* padding */
711     vnc_write_u8(vs, 0);  /* padding */
712     vnc_write_u8(vs, 0);  /* padding */
713     vnc_write_u32(vs, 0); /* screen id */
714     vnc_write_u16(vs, 0); /* screen x-pos */
715     vnc_write_u16(vs, 0); /* screen y-pos */
716     vnc_write_u16(vs, vs->client_width);
717     vnc_write_u16(vs, vs->client_height);
718     vnc_write_u32(vs, 0); /* screen flags */
719     vnc_unlock_output(vs);
720     vnc_flush(vs);
721 }
722 
723 static void vnc_desktop_resize(VncState *vs)
724 {
725     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
726                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
727         return;
728     }
729     if (vs->client_width == vs->vd->true_width &&
730         vs->client_height == pixman_image_get_height(vs->vd->server)) {
731         return;
732     }
733 
734     assert(vs->vd->true_width < 65536 &&
735            vs->vd->true_width >= 0);
736     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
737            pixman_image_get_height(vs->vd->server) >= 0);
738     vs->client_width = vs->vd->true_width;
739     vs->client_height = pixman_image_get_height(vs->vd->server);
740 
741     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
742         vnc_desktop_resize_ext(vs, 0);
743         return;
744     }
745 
746     trace_vnc_msg_server_desktop_resize(
747         vs, vs->ioc, vs->client_width, vs->client_height);
748 
749     vnc_lock_output(vs);
750     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
751     vnc_write_u8(vs, 0);
752     vnc_write_u16(vs, 1); /* number of rects */
753     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
754                            VNC_ENCODING_DESKTOPRESIZE);
755     vnc_unlock_output(vs);
756     vnc_flush(vs);
757 }
758 
759 static void vnc_abort_display_jobs(VncDisplay *vd)
760 {
761     VncState *vs;
762 
763     QTAILQ_FOREACH(vs, &vd->clients, next) {
764         vnc_lock_output(vs);
765         vs->abort = true;
766         vnc_unlock_output(vs);
767     }
768     QTAILQ_FOREACH(vs, &vd->clients, next) {
769         vnc_jobs_join(vs);
770     }
771     QTAILQ_FOREACH(vs, &vd->clients, next) {
772         vnc_lock_output(vs);
773         if (vs->update == VNC_STATE_UPDATE_NONE &&
774             vs->job_update != VNC_STATE_UPDATE_NONE) {
775             /* job aborted before completion */
776             vs->update = vs->job_update;
777             vs->job_update = VNC_STATE_UPDATE_NONE;
778         }
779         vs->abort = false;
780         vnc_unlock_output(vs);
781     }
782 }
783 
784 int vnc_server_fb_stride(VncDisplay *vd)
785 {
786     return pixman_image_get_stride(vd->server);
787 }
788 
789 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
790 {
791     uint8_t *ptr;
792 
793     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
794     ptr += y * vnc_server_fb_stride(vd);
795     ptr += x * VNC_SERVER_FB_BYTES;
796     return ptr;
797 }
798 
799 static void vnc_update_server_surface(VncDisplay *vd)
800 {
801     int width, height;
802 
803     qemu_pixman_image_unref(vd->server);
804     vd->server = NULL;
805 
806     if (QTAILQ_EMPTY(&vd->clients)) {
807         return;
808     }
809 
810     width = vnc_width(vd);
811     height = vnc_height(vd);
812     vd->true_width = vnc_true_width(vd);
813     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
814                                           width, height,
815                                           NULL, 0);
816 
817     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
818     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
819                        width, height);
820 }
821 
822 static bool vnc_check_pageflip(DisplaySurface *s1,
823                                DisplaySurface *s2)
824 {
825     return (s1 != NULL &&
826             s2 != NULL &&
827             surface_width(s1) == surface_width(s2) &&
828             surface_height(s1) == surface_height(s2) &&
829             surface_format(s1) == surface_format(s2));
830 
831 }
832 
833 static void vnc_dpy_switch(DisplayChangeListener *dcl,
834                            DisplaySurface *surface)
835 {
836     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
837     bool pageflip = vnc_check_pageflip(vd->ds, surface);
838     VncState *vs;
839 
840     vnc_abort_display_jobs(vd);
841     vd->ds = surface;
842 
843     /* guest surface */
844     qemu_pixman_image_unref(vd->guest.fb);
845     vd->guest.fb = pixman_image_ref(surface->image);
846     vd->guest.format = surface->format;
847 
848 
849     if (pageflip) {
850         trace_vnc_server_dpy_pageflip(vd,
851                                       surface_width(surface),
852                                       surface_height(surface),
853                                       surface_format(surface));
854         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
855                            surface_width(surface),
856                            surface_height(surface));
857         return;
858     }
859 
860     trace_vnc_server_dpy_recreate(vd,
861                                   surface_width(surface),
862                                   surface_height(surface),
863                                   surface_format(surface));
864     /* server surface */
865     vnc_update_server_surface(vd);
866 
867     QTAILQ_FOREACH(vs, &vd->clients, next) {
868         vnc_colordepth(vs);
869         vnc_desktop_resize(vs);
870         vnc_cursor_define(vs);
871         memset(vs->dirty, 0x00, sizeof(vs->dirty));
872         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
873                            vnc_width(vd),
874                            vnc_height(vd));
875         vnc_update_throttle_offset(vs);
876     }
877 }
878 
879 /* fastest code */
880 static void vnc_write_pixels_copy(VncState *vs,
881                                   void *pixels, int size)
882 {
883     vnc_write(vs, pixels, size);
884 }
885 
886 /* slowest but generic code. */
887 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
888 {
889     uint8_t r, g, b;
890 
891 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
892     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
893     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
894     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
895 #else
896 # error need some bits here if you change VNC_SERVER_FB_FORMAT
897 #endif
898     v = (r << vs->client_pf.rshift) |
899         (g << vs->client_pf.gshift) |
900         (b << vs->client_pf.bshift);
901     switch (vs->client_pf.bytes_per_pixel) {
902     case 1:
903         buf[0] = v;
904         break;
905     case 2:
906         if (vs->client_be) {
907             buf[0] = v >> 8;
908             buf[1] = v;
909         } else {
910             buf[1] = v >> 8;
911             buf[0] = v;
912         }
913         break;
914     default:
915     case 4:
916         if (vs->client_be) {
917             buf[0] = v >> 24;
918             buf[1] = v >> 16;
919             buf[2] = v >> 8;
920             buf[3] = v;
921         } else {
922             buf[3] = v >> 24;
923             buf[2] = v >> 16;
924             buf[1] = v >> 8;
925             buf[0] = v;
926         }
927         break;
928     }
929 }
930 
931 static void vnc_write_pixels_generic(VncState *vs,
932                                      void *pixels1, int size)
933 {
934     uint8_t buf[4];
935 
936     if (VNC_SERVER_FB_BYTES == 4) {
937         uint32_t *pixels = pixels1;
938         int n, i;
939         n = size >> 2;
940         for (i = 0; i < n; i++) {
941             vnc_convert_pixel(vs, buf, pixels[i]);
942             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
943         }
944     }
945 }
946 
947 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
948 {
949     int i;
950     uint8_t *row;
951     VncDisplay *vd = vs->vd;
952 
953     row = vnc_server_fb_ptr(vd, x, y);
954     for (i = 0; i < h; i++) {
955         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
956         row += vnc_server_fb_stride(vd);
957     }
958     return 1;
959 }
960 
961 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
962 {
963     int n = 0;
964 
965     switch(vs->vnc_encoding) {
966         case VNC_ENCODING_ZLIB:
967             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_HEXTILE:
970             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
971             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
972             break;
973         case VNC_ENCODING_TIGHT:
974             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
975             break;
976         case VNC_ENCODING_TIGHT_PNG:
977             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
978             break;
979         case VNC_ENCODING_ZRLE:
980             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
981             break;
982         case VNC_ENCODING_ZYWRLE:
983             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
984             break;
985         default:
986             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
987             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
988             break;
989     }
990     return n;
991 }
992 
993 static void vnc_mouse_set(DisplayChangeListener *dcl,
994                           int x, int y, int visible)
995 {
996     /* can we ask the client(s) to move the pointer ??? */
997 }
998 
999 static int vnc_cursor_define(VncState *vs)
1000 {
1001     QEMUCursor *c = vs->vd->cursor;
1002     int isize;
1003 
1004     if (!vs->vd->cursor) {
1005         return -1;
1006     }
1007 
1008     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1009         vnc_lock_output(vs);
1010         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1011         vnc_write_u8(vs,  0);  /*  padding     */
1012         vnc_write_u16(vs, 1);  /*  # of rects  */
1013         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1014                                VNC_ENCODING_ALPHA_CURSOR);
1015         vnc_write_s32(vs, VNC_ENCODING_RAW);
1016         vnc_write(vs, c->data, c->width * c->height * 4);
1017         vnc_unlock_output(vs);
1018         return 0;
1019     }
1020     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1021         vnc_lock_output(vs);
1022         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1023         vnc_write_u8(vs,  0);  /*  padding     */
1024         vnc_write_u16(vs, 1);  /*  # of rects  */
1025         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1026                                VNC_ENCODING_RICH_CURSOR);
1027         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1028         vnc_write_pixels_generic(vs, c->data, isize);
1029         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1030         vnc_unlock_output(vs);
1031         return 0;
1032     }
1033     return -1;
1034 }
1035 
1036 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1037                                   QEMUCursor *c)
1038 {
1039     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1040     VncState *vs;
1041 
1042     cursor_put(vd->cursor);
1043     g_free(vd->cursor_mask);
1044 
1045     vd->cursor = c;
1046     cursor_get(vd->cursor);
1047     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1048     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1049     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1050 
1051     QTAILQ_FOREACH(vs, &vd->clients, next) {
1052         vnc_cursor_define(vs);
1053     }
1054 }
1055 
1056 static int find_and_clear_dirty_height(VncState *vs,
1057                                        int y, int last_x, int x, int height)
1058 {
1059     int h;
1060 
1061     for (h = 1; h < (height - y); h++) {
1062         if (!test_bit(last_x, vs->dirty[y + h])) {
1063             break;
1064         }
1065         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1066     }
1067 
1068     return h;
1069 }
1070 
1071 /*
1072  * Figure out how much pending data we should allow in the output
1073  * buffer before we throttle incremental display updates, and/or
1074  * drop audio samples.
1075  *
1076  * We allow for equiv of 1 full display's worth of FB updates,
1077  * and 1 second of audio samples. If audio backlog was larger
1078  * than that the client would already suffering awful audio
1079  * glitches, so dropping samples is no worse really).
1080  */
1081 static void vnc_update_throttle_offset(VncState *vs)
1082 {
1083     size_t offset =
1084         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1085 
1086     if (vs->audio_cap) {
1087         int bps;
1088         switch (vs->as.fmt) {
1089         default:
1090         case  AUDIO_FORMAT_U8:
1091         case  AUDIO_FORMAT_S8:
1092             bps = 1;
1093             break;
1094         case  AUDIO_FORMAT_U16:
1095         case  AUDIO_FORMAT_S16:
1096             bps = 2;
1097             break;
1098         case  AUDIO_FORMAT_U32:
1099         case  AUDIO_FORMAT_S32:
1100             bps = 4;
1101             break;
1102         }
1103         offset += vs->as.freq * bps * vs->as.nchannels;
1104     }
1105 
1106     /* Put a floor of 1MB on offset, so that if we have a large pending
1107      * buffer and the display is resized to a small size & back again
1108      * we don't suddenly apply a tiny send limit
1109      */
1110     offset = MAX(offset, 1024 * 1024);
1111 
1112     if (vs->throttle_output_offset != offset) {
1113         trace_vnc_client_throttle_threshold(
1114             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1115             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1116     }
1117 
1118     vs->throttle_output_offset = offset;
1119 }
1120 
1121 static bool vnc_should_update(VncState *vs)
1122 {
1123     switch (vs->update) {
1124     case VNC_STATE_UPDATE_NONE:
1125         break;
1126     case VNC_STATE_UPDATE_INCREMENTAL:
1127         /* Only allow incremental updates if the pending send queue
1128          * is less than the permitted threshold, and the job worker
1129          * is completely idle.
1130          */
1131         if (vs->output.offset < vs->throttle_output_offset &&
1132             vs->job_update == VNC_STATE_UPDATE_NONE) {
1133             return true;
1134         }
1135         trace_vnc_client_throttle_incremental(
1136             vs, vs->ioc, vs->job_update, vs->output.offset);
1137         break;
1138     case VNC_STATE_UPDATE_FORCE:
1139         /* Only allow forced updates if the pending send queue
1140          * does not contain a previous forced update, and the
1141          * job worker is completely idle.
1142          *
1143          * Note this means we'll queue a forced update, even if
1144          * the output buffer size is otherwise over the throttle
1145          * output limit.
1146          */
1147         if (vs->force_update_offset == 0 &&
1148             vs->job_update == VNC_STATE_UPDATE_NONE) {
1149             return true;
1150         }
1151         trace_vnc_client_throttle_forced(
1152             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1153         break;
1154     }
1155     return false;
1156 }
1157 
1158 static int vnc_update_client(VncState *vs, int has_dirty)
1159 {
1160     VncDisplay *vd = vs->vd;
1161     VncJob *job;
1162     int y;
1163     int height, width;
1164     int n = 0;
1165 
1166     if (vs->disconnecting) {
1167         vnc_disconnect_finish(vs);
1168         return 0;
1169     }
1170 
1171     vs->has_dirty += has_dirty;
1172     if (!vnc_should_update(vs)) {
1173         return 0;
1174     }
1175 
1176     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1177         return 0;
1178     }
1179 
1180     /*
1181      * Send screen updates to the vnc client using the server
1182      * surface and server dirty map.  guest surface updates
1183      * happening in parallel don't disturb us, the next pass will
1184      * send them to the client.
1185      */
1186     job = vnc_job_new(vs);
1187 
1188     height = pixman_image_get_height(vd->server);
1189     width = pixman_image_get_width(vd->server);
1190 
1191     y = 0;
1192     for (;;) {
1193         int x, h;
1194         unsigned long x2;
1195         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1196                                              height * VNC_DIRTY_BPL(vs),
1197                                              y * VNC_DIRTY_BPL(vs));
1198         if (offset == height * VNC_DIRTY_BPL(vs)) {
1199             /* no more dirty bits */
1200             break;
1201         }
1202         y = offset / VNC_DIRTY_BPL(vs);
1203         x = offset % VNC_DIRTY_BPL(vs);
1204         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1205                                 VNC_DIRTY_BPL(vs), x);
1206         bitmap_clear(vs->dirty[y], x, x2 - x);
1207         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1208         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1209         if (x2 > x) {
1210             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1211                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1212         }
1213         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1214             y += h;
1215             if (y == height) {
1216                 break;
1217             }
1218         }
1219     }
1220 
1221     vs->job_update = vs->update;
1222     vs->update = VNC_STATE_UPDATE_NONE;
1223     vnc_job_push(job);
1224     vs->has_dirty = 0;
1225     return n;
1226 }
1227 
1228 /* audio */
1229 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1230 {
1231     VncState *vs = opaque;
1232 
1233     assert(vs->magic == VNC_MAGIC);
1234     switch (cmd) {
1235     case AUD_CNOTIFY_DISABLE:
1236         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1237         vnc_lock_output(vs);
1238         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1239         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1240         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1241         vnc_unlock_output(vs);
1242         vnc_flush(vs);
1243         break;
1244 
1245     case AUD_CNOTIFY_ENABLE:
1246         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1247         vnc_lock_output(vs);
1248         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1249         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1250         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1251         vnc_unlock_output(vs);
1252         vnc_flush(vs);
1253         break;
1254     }
1255 }
1256 
1257 static void audio_capture_destroy(void *opaque)
1258 {
1259 }
1260 
1261 static void audio_capture(void *opaque, const void *buf, int size)
1262 {
1263     VncState *vs = opaque;
1264 
1265     assert(vs->magic == VNC_MAGIC);
1266     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1267     vnc_lock_output(vs);
1268     if (vs->output.offset < vs->throttle_output_offset) {
1269         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1270         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1271         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1272         vnc_write_u32(vs, size);
1273         vnc_write(vs, buf, size);
1274     } else {
1275         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1276     }
1277     vnc_unlock_output(vs);
1278     vnc_flush(vs);
1279 }
1280 
1281 static void audio_add(VncState *vs)
1282 {
1283     struct audio_capture_ops ops;
1284 
1285     if (vs->audio_cap) {
1286         error_report("audio already running");
1287         return;
1288     }
1289 
1290     ops.notify = audio_capture_notify;
1291     ops.destroy = audio_capture_destroy;
1292     ops.capture = audio_capture;
1293 
1294     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1295     if (!vs->audio_cap) {
1296         error_report("Failed to add audio capture");
1297     }
1298 }
1299 
1300 static void audio_del(VncState *vs)
1301 {
1302     if (vs->audio_cap) {
1303         AUD_del_capture(vs->audio_cap, vs);
1304         vs->audio_cap = NULL;
1305     }
1306 }
1307 
1308 static void vnc_disconnect_start(VncState *vs)
1309 {
1310     if (vs->disconnecting) {
1311         return;
1312     }
1313     trace_vnc_client_disconnect_start(vs, vs->ioc);
1314     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1315     if (vs->ioc_tag) {
1316         g_source_remove(vs->ioc_tag);
1317         vs->ioc_tag = 0;
1318     }
1319     qio_channel_close(vs->ioc, NULL);
1320     vs->disconnecting = TRUE;
1321 }
1322 
1323 void vnc_disconnect_finish(VncState *vs)
1324 {
1325     int i;
1326 
1327     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1328 
1329     vnc_jobs_join(vs); /* Wait encoding jobs */
1330 
1331     vnc_lock_output(vs);
1332     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1333 
1334     buffer_free(&vs->input);
1335     buffer_free(&vs->output);
1336 
1337     qapi_free_VncClientInfo(vs->info);
1338 
1339     vnc_zlib_clear(vs);
1340     vnc_tight_clear(vs);
1341     vnc_zrle_clear(vs);
1342 
1343 #ifdef CONFIG_VNC_SASL
1344     vnc_sasl_client_cleanup(vs);
1345 #endif /* CONFIG_VNC_SASL */
1346     audio_del(vs);
1347     qkbd_state_lift_all_keys(vs->vd->kbd);
1348 
1349     if (vs->mouse_mode_notifier.notify != NULL) {
1350         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1351     }
1352     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1353     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1354         /* last client gone */
1355         vnc_update_server_surface(vs->vd);
1356     }
1357     if (vs->cbpeer.update.notify) {
1358         qemu_clipboard_peer_unregister(&vs->cbpeer);
1359     }
1360 
1361     vnc_unlock_output(vs);
1362 
1363     qemu_mutex_destroy(&vs->output_mutex);
1364     if (vs->bh != NULL) {
1365         qemu_bh_delete(vs->bh);
1366     }
1367     buffer_free(&vs->jobs_buffer);
1368 
1369     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1370         g_free(vs->lossy_rect[i]);
1371     }
1372     g_free(vs->lossy_rect);
1373 
1374     object_unref(OBJECT(vs->ioc));
1375     vs->ioc = NULL;
1376     object_unref(OBJECT(vs->sioc));
1377     vs->sioc = NULL;
1378     vs->magic = 0;
1379     g_free(vs->zrle);
1380     g_free(vs->tight);
1381     g_free(vs);
1382 }
1383 
1384 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1385 {
1386     if (ret <= 0) {
1387         if (ret == 0) {
1388             trace_vnc_client_eof(vs, vs->ioc);
1389             vnc_disconnect_start(vs);
1390         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1391             trace_vnc_client_io_error(vs, vs->ioc,
1392                                       err ? error_get_pretty(err) : "Unknown");
1393             vnc_disconnect_start(vs);
1394         }
1395 
1396         error_free(err);
1397         return 0;
1398     }
1399     return ret;
1400 }
1401 
1402 
1403 void vnc_client_error(VncState *vs)
1404 {
1405     VNC_DEBUG("Closing down client sock: protocol error\n");
1406     vnc_disconnect_start(vs);
1407 }
1408 
1409 
1410 /*
1411  * Called to write a chunk of data to the client socket. The data may
1412  * be the raw data, or may have already been encoded by SASL.
1413  * The data will be written either straight onto the socket, or
1414  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1415  *
1416  * NB, it is theoretically possible to have 2 layers of encryption,
1417  * both SASL, and this TLS layer. It is highly unlikely in practice
1418  * though, since SASL encryption will typically be a no-op if TLS
1419  * is active
1420  *
1421  * Returns the number of bytes written, which may be less than
1422  * the requested 'datalen' if the socket would block. Returns
1423  * 0 on I/O error, and disconnects the client socket.
1424  */
1425 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1426 {
1427     Error *err = NULL;
1428     ssize_t ret;
1429     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1430     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1431     return vnc_client_io_error(vs, ret, err);
1432 }
1433 
1434 
1435 /*
1436  * Called to write buffered data to the client socket, when not
1437  * using any SASL SSF encryption layers. Will write as much data
1438  * as possible without blocking. If all buffered data is written,
1439  * will switch the FD poll() handler back to read monitoring.
1440  *
1441  * Returns the number of bytes written, which may be less than
1442  * the buffered output data if the socket would block.  Returns
1443  * 0 on I/O error, and disconnects the client socket.
1444  */
1445 static size_t vnc_client_write_plain(VncState *vs)
1446 {
1447     size_t offset;
1448     size_t ret;
1449 
1450 #ifdef CONFIG_VNC_SASL
1451     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1452               vs->output.buffer, vs->output.capacity, vs->output.offset,
1453               vs->sasl.waitWriteSSF);
1454 
1455     if (vs->sasl.conn &&
1456         vs->sasl.runSSF &&
1457         vs->sasl.waitWriteSSF) {
1458         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1459         if (ret)
1460             vs->sasl.waitWriteSSF -= ret;
1461     } else
1462 #endif /* CONFIG_VNC_SASL */
1463         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1464     if (!ret)
1465         return 0;
1466 
1467     if (ret >= vs->force_update_offset) {
1468         if (vs->force_update_offset != 0) {
1469             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1470         }
1471         vs->force_update_offset = 0;
1472     } else {
1473         vs->force_update_offset -= ret;
1474     }
1475     offset = vs->output.offset;
1476     buffer_advance(&vs->output, ret);
1477     if (offset >= vs->throttle_output_offset &&
1478         vs->output.offset < vs->throttle_output_offset) {
1479         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1480     }
1481 
1482     if (vs->output.offset == 0) {
1483         if (vs->ioc_tag) {
1484             g_source_remove(vs->ioc_tag);
1485         }
1486         vs->ioc_tag = qio_channel_add_watch(
1487             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1488             vnc_client_io, vs, NULL);
1489     }
1490 
1491     return ret;
1492 }
1493 
1494 
1495 /*
1496  * First function called whenever there is data to be written to
1497  * the client socket. Will delegate actual work according to whether
1498  * SASL SSF layers are enabled (thus requiring encryption calls)
1499  */
1500 static void vnc_client_write_locked(VncState *vs)
1501 {
1502 #ifdef CONFIG_VNC_SASL
1503     if (vs->sasl.conn &&
1504         vs->sasl.runSSF &&
1505         !vs->sasl.waitWriteSSF) {
1506         vnc_client_write_sasl(vs);
1507     } else
1508 #endif /* CONFIG_VNC_SASL */
1509     {
1510         vnc_client_write_plain(vs);
1511     }
1512 }
1513 
1514 static void vnc_client_write(VncState *vs)
1515 {
1516     assert(vs->magic == VNC_MAGIC);
1517     vnc_lock_output(vs);
1518     if (vs->output.offset) {
1519         vnc_client_write_locked(vs);
1520     } else if (vs->ioc != NULL) {
1521         if (vs->ioc_tag) {
1522             g_source_remove(vs->ioc_tag);
1523         }
1524         vs->ioc_tag = qio_channel_add_watch(
1525             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1526             vnc_client_io, vs, NULL);
1527     }
1528     vnc_unlock_output(vs);
1529 }
1530 
1531 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1532 {
1533     vs->read_handler = func;
1534     vs->read_handler_expect = expecting;
1535 }
1536 
1537 
1538 /*
1539  * Called to read a chunk of data from the client socket. The data may
1540  * be the raw data, or may need to be further decoded by SASL.
1541  * The data will be read either straight from to the socket, or
1542  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1543  *
1544  * NB, it is theoretically possible to have 2 layers of encryption,
1545  * both SASL, and this TLS layer. It is highly unlikely in practice
1546  * though, since SASL encryption will typically be a no-op if TLS
1547  * is active
1548  *
1549  * Returns the number of bytes read, which may be less than
1550  * the requested 'datalen' if the socket would block. Returns
1551  * 0 on I/O error or EOF, and disconnects the client socket.
1552  */
1553 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1554 {
1555     ssize_t ret;
1556     Error *err = NULL;
1557     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1558     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1559     return vnc_client_io_error(vs, ret, err);
1560 }
1561 
1562 
1563 /*
1564  * Called to read data from the client socket to the input buffer,
1565  * when not using any SASL SSF encryption layers. Will read as much
1566  * data as possible without blocking.
1567  *
1568  * Returns the number of bytes read, which may be less than
1569  * the requested 'datalen' if the socket would block. Returns
1570  * 0 on I/O error or EOF, and disconnects the client socket.
1571  */
1572 static size_t vnc_client_read_plain(VncState *vs)
1573 {
1574     size_t ret;
1575     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1576               vs->input.buffer, vs->input.capacity, vs->input.offset);
1577     buffer_reserve(&vs->input, 4096);
1578     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1579     if (!ret)
1580         return 0;
1581     vs->input.offset += ret;
1582     return ret;
1583 }
1584 
1585 static void vnc_jobs_bh(void *opaque)
1586 {
1587     VncState *vs = opaque;
1588 
1589     assert(vs->magic == VNC_MAGIC);
1590     vnc_jobs_consume_buffer(vs);
1591 }
1592 
1593 /*
1594  * First function called whenever there is more data to be read from
1595  * the client socket. Will delegate actual work according to whether
1596  * SASL SSF layers are enabled (thus requiring decryption calls)
1597  * Returns 0 on success, -1 if client disconnected
1598  */
1599 static int vnc_client_read(VncState *vs)
1600 {
1601     size_t ret;
1602 
1603 #ifdef CONFIG_VNC_SASL
1604     if (vs->sasl.conn && vs->sasl.runSSF)
1605         ret = vnc_client_read_sasl(vs);
1606     else
1607 #endif /* CONFIG_VNC_SASL */
1608         ret = vnc_client_read_plain(vs);
1609     if (!ret) {
1610         if (vs->disconnecting) {
1611             vnc_disconnect_finish(vs);
1612             return -1;
1613         }
1614         return 0;
1615     }
1616 
1617     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1618         size_t len = vs->read_handler_expect;
1619         int ret;
1620 
1621         ret = vs->read_handler(vs, vs->input.buffer, len);
1622         if (vs->disconnecting) {
1623             vnc_disconnect_finish(vs);
1624             return -1;
1625         }
1626 
1627         if (!ret) {
1628             buffer_advance(&vs->input, len);
1629         } else {
1630             vs->read_handler_expect = ret;
1631         }
1632     }
1633     return 0;
1634 }
1635 
1636 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1637                        GIOCondition condition, void *opaque)
1638 {
1639     VncState *vs = opaque;
1640 
1641     assert(vs->magic == VNC_MAGIC);
1642 
1643     if (condition & (G_IO_HUP | G_IO_ERR)) {
1644         vnc_disconnect_start(vs);
1645         return TRUE;
1646     }
1647 
1648     if (condition & G_IO_IN) {
1649         if (vnc_client_read(vs) < 0) {
1650             /* vs is free()ed here */
1651             return TRUE;
1652         }
1653     }
1654     if (condition & G_IO_OUT) {
1655         vnc_client_write(vs);
1656     }
1657 
1658     if (vs->disconnecting) {
1659         if (vs->ioc_tag != 0) {
1660             g_source_remove(vs->ioc_tag);
1661         }
1662         vs->ioc_tag = 0;
1663     }
1664     return TRUE;
1665 }
1666 
1667 
1668 /*
1669  * Scale factor to apply to vs->throttle_output_offset when checking for
1670  * hard limit. Worst case normal usage could be x2, if we have a complete
1671  * incremental update and complete forced update in the output buffer.
1672  * So x3 should be good enough, but we pick x5 to be conservative and thus
1673  * (hopefully) never trigger incorrectly.
1674  */
1675 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1676 
1677 void vnc_write(VncState *vs, const void *data, size_t len)
1678 {
1679     assert(vs->magic == VNC_MAGIC);
1680     if (vs->disconnecting) {
1681         return;
1682     }
1683     /* Protection against malicious client/guest to prevent our output
1684      * buffer growing without bound if client stops reading data. This
1685      * should rarely trigger, because we have earlier throttling code
1686      * which stops issuing framebuffer updates and drops audio data
1687      * if the throttle_output_offset value is exceeded. So we only reach
1688      * this higher level if a huge number of pseudo-encodings get
1689      * triggered while data can't be sent on the socket.
1690      *
1691      * NB throttle_output_offset can be zero during early protocol
1692      * handshake, or from the job thread's VncState clone
1693      */
1694     if (vs->throttle_output_offset != 0 &&
1695         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1696         vs->throttle_output_offset) {
1697         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1698                                       vs->throttle_output_offset);
1699         vnc_disconnect_start(vs);
1700         return;
1701     }
1702     buffer_reserve(&vs->output, len);
1703 
1704     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1705         if (vs->ioc_tag) {
1706             g_source_remove(vs->ioc_tag);
1707         }
1708         vs->ioc_tag = qio_channel_add_watch(
1709             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1710             vnc_client_io, vs, NULL);
1711     }
1712 
1713     buffer_append(&vs->output, data, len);
1714 }
1715 
1716 void vnc_write_s32(VncState *vs, int32_t value)
1717 {
1718     vnc_write_u32(vs, *(uint32_t *)&value);
1719 }
1720 
1721 void vnc_write_u32(VncState *vs, uint32_t value)
1722 {
1723     uint8_t buf[4];
1724 
1725     buf[0] = (value >> 24) & 0xFF;
1726     buf[1] = (value >> 16) & 0xFF;
1727     buf[2] = (value >>  8) & 0xFF;
1728     buf[3] = value & 0xFF;
1729 
1730     vnc_write(vs, buf, 4);
1731 }
1732 
1733 void vnc_write_u16(VncState *vs, uint16_t value)
1734 {
1735     uint8_t buf[2];
1736 
1737     buf[0] = (value >> 8) & 0xFF;
1738     buf[1] = value & 0xFF;
1739 
1740     vnc_write(vs, buf, 2);
1741 }
1742 
1743 void vnc_write_u8(VncState *vs, uint8_t value)
1744 {
1745     vnc_write(vs, (char *)&value, 1);
1746 }
1747 
1748 void vnc_flush(VncState *vs)
1749 {
1750     vnc_lock_output(vs);
1751     if (vs->ioc != NULL && vs->output.offset) {
1752         vnc_client_write_locked(vs);
1753     }
1754     if (vs->disconnecting) {
1755         if (vs->ioc_tag != 0) {
1756             g_source_remove(vs->ioc_tag);
1757         }
1758         vs->ioc_tag = 0;
1759     }
1760     vnc_unlock_output(vs);
1761 }
1762 
1763 static uint8_t read_u8(uint8_t *data, size_t offset)
1764 {
1765     return data[offset];
1766 }
1767 
1768 static uint16_t read_u16(uint8_t *data, size_t offset)
1769 {
1770     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1771 }
1772 
1773 static int32_t read_s32(uint8_t *data, size_t offset)
1774 {
1775     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1776                      (data[offset + 2] << 8) | data[offset + 3]);
1777 }
1778 
1779 uint32_t read_u32(uint8_t *data, size_t offset)
1780 {
1781     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1782             (data[offset + 2] << 8) | data[offset + 3]);
1783 }
1784 
1785 static void check_pointer_type_change(Notifier *notifier, void *data)
1786 {
1787     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1788     int absolute = qemu_input_is_absolute();
1789 
1790     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1791         vnc_lock_output(vs);
1792         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1793         vnc_write_u8(vs, 0);
1794         vnc_write_u16(vs, 1);
1795         vnc_framebuffer_update(vs, absolute, 0,
1796                                pixman_image_get_width(vs->vd->server),
1797                                pixman_image_get_height(vs->vd->server),
1798                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1799         vnc_unlock_output(vs);
1800         vnc_flush(vs);
1801     }
1802     vs->absolute = absolute;
1803 }
1804 
1805 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1806 {
1807     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1808         [INPUT_BUTTON_LEFT]       = 0x01,
1809         [INPUT_BUTTON_MIDDLE]     = 0x02,
1810         [INPUT_BUTTON_RIGHT]      = 0x04,
1811         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1812         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1813     };
1814     QemuConsole *con = vs->vd->dcl.con;
1815     int width = pixman_image_get_width(vs->vd->server);
1816     int height = pixman_image_get_height(vs->vd->server);
1817 
1818     if (vs->last_bmask != button_mask) {
1819         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1820         vs->last_bmask = button_mask;
1821     }
1822 
1823     if (vs->absolute) {
1824         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1825         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1826     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1827         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1828         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1829     } else {
1830         if (vs->last_x != -1) {
1831             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1832             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1833         }
1834         vs->last_x = x;
1835         vs->last_y = y;
1836     }
1837     qemu_input_event_sync();
1838 }
1839 
1840 static void press_key(VncState *vs, QKeyCode qcode)
1841 {
1842     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1843     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1844 }
1845 
1846 static void vnc_led_state_change(VncState *vs)
1847 {
1848     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1849         return;
1850     }
1851 
1852     vnc_lock_output(vs);
1853     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1854     vnc_write_u8(vs, 0);
1855     vnc_write_u16(vs, 1);
1856     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1857     vnc_write_u8(vs, vs->vd->ledstate);
1858     vnc_unlock_output(vs);
1859     vnc_flush(vs);
1860 }
1861 
1862 static void kbd_leds(void *opaque, int ledstate)
1863 {
1864     VncDisplay *vd = opaque;
1865     VncState *client;
1866 
1867     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1868                              (ledstate & QEMU_NUM_LOCK_LED),
1869                              (ledstate & QEMU_SCROLL_LOCK_LED));
1870 
1871     if (ledstate == vd->ledstate) {
1872         return;
1873     }
1874 
1875     vd->ledstate = ledstate;
1876 
1877     QTAILQ_FOREACH(client, &vd->clients, next) {
1878         vnc_led_state_change(client);
1879     }
1880 }
1881 
1882 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1883 {
1884     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1885 
1886     /* QEMU console switch */
1887     switch (qcode) {
1888     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1889         if (vs->vd->dcl.con == NULL && down &&
1890             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1891             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1892             /* Reset the modifiers sent to the current console */
1893             qkbd_state_lift_all_keys(vs->vd->kbd);
1894             console_select(qcode - Q_KEY_CODE_1);
1895             return;
1896         }
1897     default:
1898         break;
1899     }
1900 
1901     /* Turn off the lock state sync logic if the client support the led
1902        state extension.
1903     */
1904     if (down && vs->vd->lock_key_sync &&
1905         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1906         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1907         /* If the numlock state needs to change then simulate an additional
1908            keypress before sending this one.  This will happen if the user
1909            toggles numlock away from the VNC window.
1910         */
1911         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1912             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1913                 trace_vnc_key_sync_numlock(true);
1914                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1915             }
1916         } else {
1917             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1918                 trace_vnc_key_sync_numlock(false);
1919                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1920             }
1921         }
1922     }
1923 
1924     if (down && vs->vd->lock_key_sync &&
1925         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1926         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1927         /* If the capslock state needs to change then simulate an additional
1928            keypress before sending this one.  This will happen if the user
1929            toggles capslock away from the VNC window.
1930         */
1931         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1932         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1933         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1934         if (capslock) {
1935             if (uppercase == shift) {
1936                 trace_vnc_key_sync_capslock(false);
1937                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1938             }
1939         } else {
1940             if (uppercase != shift) {
1941                 trace_vnc_key_sync_capslock(true);
1942                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1943             }
1944         }
1945     }
1946 
1947     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1948     if (!qemu_console_is_graphic(NULL)) {
1949         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1950         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1951         /* QEMU console emulation */
1952         if (down) {
1953             switch (keycode) {
1954             case 0x2a:                          /* Left Shift */
1955             case 0x36:                          /* Right Shift */
1956             case 0x1d:                          /* Left CTRL */
1957             case 0x9d:                          /* Right CTRL */
1958             case 0x38:                          /* Left ALT */
1959             case 0xb8:                          /* Right ALT */
1960                 break;
1961             case 0xc8:
1962                 kbd_put_keysym(QEMU_KEY_UP);
1963                 break;
1964             case 0xd0:
1965                 kbd_put_keysym(QEMU_KEY_DOWN);
1966                 break;
1967             case 0xcb:
1968                 kbd_put_keysym(QEMU_KEY_LEFT);
1969                 break;
1970             case 0xcd:
1971                 kbd_put_keysym(QEMU_KEY_RIGHT);
1972                 break;
1973             case 0xd3:
1974                 kbd_put_keysym(QEMU_KEY_DELETE);
1975                 break;
1976             case 0xc7:
1977                 kbd_put_keysym(QEMU_KEY_HOME);
1978                 break;
1979             case 0xcf:
1980                 kbd_put_keysym(QEMU_KEY_END);
1981                 break;
1982             case 0xc9:
1983                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1984                 break;
1985             case 0xd1:
1986                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1987                 break;
1988 
1989             case 0x47:
1990                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1991                 break;
1992             case 0x48:
1993                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1994                 break;
1995             case 0x49:
1996                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1997                 break;
1998             case 0x4b:
1999                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
2000                 break;
2001             case 0x4c:
2002                 kbd_put_keysym('5');
2003                 break;
2004             case 0x4d:
2005                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2006                 break;
2007             case 0x4f:
2008                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2009                 break;
2010             case 0x50:
2011                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2012                 break;
2013             case 0x51:
2014                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2015                 break;
2016             case 0x52:
2017                 kbd_put_keysym('0');
2018                 break;
2019             case 0x53:
2020                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2021                 break;
2022 
2023             case 0xb5:
2024                 kbd_put_keysym('/');
2025                 break;
2026             case 0x37:
2027                 kbd_put_keysym('*');
2028                 break;
2029             case 0x4a:
2030                 kbd_put_keysym('-');
2031                 break;
2032             case 0x4e:
2033                 kbd_put_keysym('+');
2034                 break;
2035             case 0x9c:
2036                 kbd_put_keysym('\n');
2037                 break;
2038 
2039             default:
2040                 if (control) {
2041                     kbd_put_keysym(sym & 0x1f);
2042                 } else {
2043                     kbd_put_keysym(sym);
2044                 }
2045                 break;
2046             }
2047         }
2048     }
2049 }
2050 
2051 static const char *code2name(int keycode)
2052 {
2053     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2054 }
2055 
2056 static void key_event(VncState *vs, int down, uint32_t sym)
2057 {
2058     int keycode;
2059     int lsym = sym;
2060 
2061     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2062         lsym = lsym - 'A' + 'a';
2063     }
2064 
2065     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2066                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2067     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2068     do_key_event(vs, down, keycode, sym);
2069 }
2070 
2071 static void ext_key_event(VncState *vs, int down,
2072                           uint32_t sym, uint16_t keycode)
2073 {
2074     /* if the user specifies a keyboard layout, always use it */
2075     if (keyboard_layout) {
2076         key_event(vs, down, sym);
2077     } else {
2078         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2079         do_key_event(vs, down, keycode, sym);
2080     }
2081 }
2082 
2083 static void framebuffer_update_request(VncState *vs, int incremental,
2084                                        int x, int y, int w, int h)
2085 {
2086     if (incremental) {
2087         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2088             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2089         }
2090     } else {
2091         vs->update = VNC_STATE_UPDATE_FORCE;
2092         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2093         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2094             vnc_desktop_resize_ext(vs, 0);
2095         }
2096     }
2097 }
2098 
2099 static void send_ext_key_event_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_EXT_KEY_EVENT);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_ext_audio_ack(VncState *vs)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2117     vnc_write_u8(vs, 0);
2118     vnc_write_u16(vs, 1);
2119     vnc_framebuffer_update(vs, 0, 0,
2120                            pixman_image_get_width(vs->vd->server),
2121                            pixman_image_get_height(vs->vd->server),
2122                            VNC_ENCODING_AUDIO);
2123     vnc_unlock_output(vs);
2124     vnc_flush(vs);
2125 }
2126 
2127 static void send_xvp_message(VncState *vs, int code)
2128 {
2129     vnc_lock_output(vs);
2130     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2131     vnc_write_u8(vs, 0); /* pad */
2132     vnc_write_u8(vs, 1); /* version */
2133     vnc_write_u8(vs, code);
2134     vnc_unlock_output(vs);
2135     vnc_flush(vs);
2136 }
2137 
2138 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2139 {
2140     int i;
2141     unsigned int enc = 0;
2142 
2143     vs->features = 0;
2144     vs->vnc_encoding = 0;
2145     vs->tight->compression = 9;
2146     vs->tight->quality = -1; /* Lossless by default */
2147     vs->absolute = -1;
2148 
2149     /*
2150      * Start from the end because the encodings are sent in order of preference.
2151      * This way the preferred encoding (first encoding defined in the array)
2152      * will be set at the end of the loop.
2153      */
2154     for (i = n_encodings - 1; i >= 0; i--) {
2155         enc = encodings[i];
2156         switch (enc) {
2157         case VNC_ENCODING_RAW:
2158             vs->vnc_encoding = enc;
2159             break;
2160         case VNC_ENCODING_HEXTILE:
2161             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2162             vs->vnc_encoding = enc;
2163             break;
2164         case VNC_ENCODING_TIGHT:
2165             vs->features |= VNC_FEATURE_TIGHT_MASK;
2166             vs->vnc_encoding = enc;
2167             break;
2168 #ifdef CONFIG_VNC_PNG
2169         case VNC_ENCODING_TIGHT_PNG:
2170             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2171             vs->vnc_encoding = enc;
2172             break;
2173 #endif
2174         case VNC_ENCODING_ZLIB:
2175             /*
2176              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2177              * So prioritize ZRLE, even if the client hints that it prefers
2178              * ZLIB.
2179              */
2180             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2181                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2182                 vs->vnc_encoding = enc;
2183             }
2184             break;
2185         case VNC_ENCODING_ZRLE:
2186             vs->features |= VNC_FEATURE_ZRLE_MASK;
2187             vs->vnc_encoding = enc;
2188             break;
2189         case VNC_ENCODING_ZYWRLE:
2190             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2191             vs->vnc_encoding = enc;
2192             break;
2193         case VNC_ENCODING_DESKTOPRESIZE:
2194             vs->features |= VNC_FEATURE_RESIZE_MASK;
2195             break;
2196         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2197             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2198             break;
2199         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2200             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2201             break;
2202         case VNC_ENCODING_RICH_CURSOR:
2203             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2204             break;
2205         case VNC_ENCODING_ALPHA_CURSOR:
2206             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2207             break;
2208         case VNC_ENCODING_EXT_KEY_EVENT:
2209             send_ext_key_event_ack(vs);
2210             break;
2211         case VNC_ENCODING_AUDIO:
2212             send_ext_audio_ack(vs);
2213             break;
2214         case VNC_ENCODING_WMVi:
2215             vs->features |= VNC_FEATURE_WMVI_MASK;
2216             break;
2217         case VNC_ENCODING_LED_STATE:
2218             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2219             break;
2220         case VNC_ENCODING_XVP:
2221             if (vs->vd->power_control) {
2222                 vs->features |= VNC_FEATURE_XVP;
2223                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2224             }
2225             break;
2226         case VNC_ENCODING_CLIPBOARD_EXT:
2227             vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2228             vnc_server_cut_text_caps(vs);
2229             break;
2230         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2231             vs->tight->compression = (enc & 0x0F);
2232             break;
2233         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2234             if (vs->vd->lossy) {
2235                 vs->tight->quality = (enc & 0x0F);
2236             }
2237             break;
2238         default:
2239             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2240             break;
2241         }
2242     }
2243     vnc_desktop_resize(vs);
2244     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2245     vnc_led_state_change(vs);
2246     vnc_cursor_define(vs);
2247 }
2248 
2249 static void set_pixel_conversion(VncState *vs)
2250 {
2251     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2252 
2253     if (fmt == VNC_SERVER_FB_FORMAT) {
2254         vs->write_pixels = vnc_write_pixels_copy;
2255         vnc_hextile_set_pixel_conversion(vs, 0);
2256     } else {
2257         vs->write_pixels = vnc_write_pixels_generic;
2258         vnc_hextile_set_pixel_conversion(vs, 1);
2259     }
2260 }
2261 
2262 static void send_color_map(VncState *vs)
2263 {
2264     int i;
2265 
2266     vnc_lock_output(vs);
2267     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2268     vnc_write_u8(vs,  0);    /* padding     */
2269     vnc_write_u16(vs, 0);    /* first color */
2270     vnc_write_u16(vs, 256);  /* # of colors */
2271 
2272     for (i = 0; i < 256; i++) {
2273         PixelFormat *pf = &vs->client_pf;
2274 
2275         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2276         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2277         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2278     }
2279     vnc_unlock_output(vs);
2280 }
2281 
2282 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2283                              int big_endian_flag, int true_color_flag,
2284                              int red_max, int green_max, int blue_max,
2285                              int red_shift, int green_shift, int blue_shift)
2286 {
2287     if (!true_color_flag) {
2288         /* Expose a reasonable default 256 color map */
2289         bits_per_pixel = 8;
2290         red_max = 7;
2291         green_max = 7;
2292         blue_max = 3;
2293         red_shift = 0;
2294         green_shift = 3;
2295         blue_shift = 6;
2296     }
2297 
2298     switch (bits_per_pixel) {
2299     case 8:
2300     case 16:
2301     case 32:
2302         break;
2303     default:
2304         vnc_client_error(vs);
2305         return;
2306     }
2307 
2308     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2309     vs->client_pf.rbits = ctpopl(red_max);
2310     vs->client_pf.rshift = red_shift;
2311     vs->client_pf.rmask = red_max << red_shift;
2312     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2313     vs->client_pf.gbits = ctpopl(green_max);
2314     vs->client_pf.gshift = green_shift;
2315     vs->client_pf.gmask = green_max << green_shift;
2316     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2317     vs->client_pf.bbits = ctpopl(blue_max);
2318     vs->client_pf.bshift = blue_shift;
2319     vs->client_pf.bmask = blue_max << blue_shift;
2320     vs->client_pf.bits_per_pixel = bits_per_pixel;
2321     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2322     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2323     vs->client_be = big_endian_flag;
2324 
2325     if (!true_color_flag) {
2326         send_color_map(vs);
2327     }
2328 
2329     set_pixel_conversion(vs);
2330 
2331     graphic_hw_invalidate(vs->vd->dcl.con);
2332     graphic_hw_update(vs->vd->dcl.con);
2333 }
2334 
2335 static void pixel_format_message (VncState *vs) {
2336     char pad[3] = { 0, 0, 0 };
2337 
2338     vs->client_pf = qemu_default_pixelformat(32);
2339 
2340     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2341     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2342 
2343 #ifdef HOST_WORDS_BIGENDIAN
2344     vnc_write_u8(vs, 1);             /* big-endian-flag */
2345 #else
2346     vnc_write_u8(vs, 0);             /* big-endian-flag */
2347 #endif
2348     vnc_write_u8(vs, 1);             /* true-color-flag */
2349     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2350     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2351     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2352     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2353     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2354     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2355     vnc_write(vs, pad, 3);           /* padding */
2356 
2357     vnc_hextile_set_pixel_conversion(vs, 0);
2358     vs->write_pixels = vnc_write_pixels_copy;
2359 }
2360 
2361 static void vnc_colordepth(VncState *vs)
2362 {
2363     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2364         /* Sending a WMVi message to notify the client*/
2365         vnc_lock_output(vs);
2366         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2367         vnc_write_u8(vs, 0);
2368         vnc_write_u16(vs, 1); /* number of rects */
2369         vnc_framebuffer_update(vs, 0, 0,
2370                                vs->client_width,
2371                                vs->client_height,
2372                                VNC_ENCODING_WMVi);
2373         pixel_format_message(vs);
2374         vnc_unlock_output(vs);
2375         vnc_flush(vs);
2376     } else {
2377         set_pixel_conversion(vs);
2378     }
2379 }
2380 
2381 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2382 {
2383     int i;
2384     uint16_t limit;
2385     uint32_t freq;
2386     VncDisplay *vd = vs->vd;
2387 
2388     if (data[0] > 3) {
2389         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2390     }
2391 
2392     switch (data[0]) {
2393     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2394         if (len == 1)
2395             return 20;
2396 
2397         set_pixel_format(vs, read_u8(data, 4),
2398                          read_u8(data, 6), read_u8(data, 7),
2399                          read_u16(data, 8), read_u16(data, 10),
2400                          read_u16(data, 12), read_u8(data, 14),
2401                          read_u8(data, 15), read_u8(data, 16));
2402         break;
2403     case VNC_MSG_CLIENT_SET_ENCODINGS:
2404         if (len == 1)
2405             return 4;
2406 
2407         if (len == 4) {
2408             limit = read_u16(data, 2);
2409             if (limit > 0)
2410                 return 4 + (limit * 4);
2411         } else
2412             limit = read_u16(data, 2);
2413 
2414         for (i = 0; i < limit; i++) {
2415             int32_t val = read_s32(data, 4 + (i * 4));
2416             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2417         }
2418 
2419         set_encodings(vs, (int32_t *)(data + 4), limit);
2420         break;
2421     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2422         if (len == 1)
2423             return 10;
2424 
2425         framebuffer_update_request(vs,
2426                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2427                                    read_u16(data, 6), read_u16(data, 8));
2428         break;
2429     case VNC_MSG_CLIENT_KEY_EVENT:
2430         if (len == 1)
2431             return 8;
2432 
2433         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2434         break;
2435     case VNC_MSG_CLIENT_POINTER_EVENT:
2436         if (len == 1)
2437             return 6;
2438 
2439         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2440         break;
2441     case VNC_MSG_CLIENT_CUT_TEXT:
2442         if (len == 1) {
2443             return 8;
2444         }
2445         if (len == 8) {
2446             uint32_t dlen = abs(read_s32(data, 4));
2447             if (dlen > (1 << 20)) {
2448                 error_report("vnc: client_cut_text msg payload has %u bytes"
2449                              " which exceeds our limit of 1MB.", dlen);
2450                 vnc_client_error(vs);
2451                 break;
2452             }
2453             if (dlen > 0) {
2454                 return 8 + dlen;
2455             }
2456         }
2457 
2458         if (read_s32(data, 4) < 0) {
2459             vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
2460                                     read_u32(data, 8), data + 12);
2461             break;
2462         }
2463         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2464         break;
2465     case VNC_MSG_CLIENT_XVP:
2466         if (!(vs->features & VNC_FEATURE_XVP)) {
2467             error_report("vnc: xvp client message while disabled");
2468             vnc_client_error(vs);
2469             break;
2470         }
2471         if (len == 1) {
2472             return 4;
2473         }
2474         if (len == 4) {
2475             uint8_t version = read_u8(data, 2);
2476             uint8_t action = read_u8(data, 3);
2477 
2478             if (version != 1) {
2479                 error_report("vnc: xvp client message version %d != 1",
2480                              version);
2481                 vnc_client_error(vs);
2482                 break;
2483             }
2484 
2485             switch (action) {
2486             case VNC_XVP_ACTION_SHUTDOWN:
2487                 qemu_system_powerdown_request();
2488                 break;
2489             case VNC_XVP_ACTION_REBOOT:
2490                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2491                 break;
2492             case VNC_XVP_ACTION_RESET:
2493                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2494                 break;
2495             default:
2496                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2497                 break;
2498             }
2499         }
2500         break;
2501     case VNC_MSG_CLIENT_QEMU:
2502         if (len == 1)
2503             return 2;
2504 
2505         switch (read_u8(data, 1)) {
2506         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2507             if (len == 2)
2508                 return 12;
2509 
2510             ext_key_event(vs, read_u16(data, 2),
2511                           read_u32(data, 4), read_u32(data, 8));
2512             break;
2513         case VNC_MSG_CLIENT_QEMU_AUDIO:
2514             if (len == 2)
2515                 return 4;
2516 
2517             switch (read_u16 (data, 2)) {
2518             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2519                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2520                 audio_add(vs);
2521                 break;
2522             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2523                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2524                 audio_del(vs);
2525                 break;
2526             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2527                 if (len == 4)
2528                     return 10;
2529                 switch (read_u8(data, 4)) {
2530                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2531                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2532                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2533                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2534                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2535                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2536                 default:
2537                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2538                     vnc_client_error(vs);
2539                     break;
2540                 }
2541                 vs->as.nchannels = read_u8(data, 5);
2542                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2543                     VNC_DEBUG("Invalid audio channel count %d\n",
2544                               read_u8(data, 5));
2545                     vnc_client_error(vs);
2546                     break;
2547                 }
2548                 freq = read_u32(data, 6);
2549                 /* No official limit for protocol, but 48khz is a sensible
2550                  * upper bound for trustworthy clients, and this limit
2551                  * protects calculations involving 'vs->as.freq' later.
2552                  */
2553                 if (freq > 48000) {
2554                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2555                     vnc_client_error(vs);
2556                     break;
2557                 }
2558                 vs->as.freq = freq;
2559                 trace_vnc_msg_client_audio_format(
2560                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2561                 break;
2562             default:
2563                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2564                 vnc_client_error(vs);
2565                 break;
2566             }
2567             break;
2568 
2569         default:
2570             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2571             vnc_client_error(vs);
2572             break;
2573         }
2574         break;
2575     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2576     {
2577         size_t size;
2578         uint8_t screens;
2579         int w, h;
2580 
2581         if (len < 8) {
2582             return 8;
2583         }
2584 
2585         screens = read_u8(data, 6);
2586         size    = 8 + screens * 16;
2587         if (len < size) {
2588             return size;
2589         }
2590         w = read_u16(data, 2);
2591         h = read_u16(data, 4);
2592 
2593         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2594         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2595             QemuUIInfo info;
2596             memset(&info, 0, sizeof(info));
2597             info.width = w;
2598             info.height = h;
2599             dpy_set_ui_info(vs->vd->dcl.con, &info);
2600             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2601         } else {
2602             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2603         }
2604 
2605         break;
2606     }
2607     default:
2608         VNC_DEBUG("Msg: %d\n", data[0]);
2609         vnc_client_error(vs);
2610         break;
2611     }
2612 
2613     vnc_update_throttle_offset(vs);
2614     vnc_read_when(vs, protocol_client_msg, 1);
2615     return 0;
2616 }
2617 
2618 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2619 {
2620     char buf[1024];
2621     VncShareMode mode;
2622     int size;
2623 
2624     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2625     switch (vs->vd->share_policy) {
2626     case VNC_SHARE_POLICY_IGNORE:
2627         /*
2628          * Ignore the shared flag.  Nothing to do here.
2629          *
2630          * Doesn't conform to the rfb spec but is traditional qemu
2631          * behavior, thus left here as option for compatibility
2632          * reasons.
2633          */
2634         break;
2635     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2636         /*
2637          * Policy: Allow clients ask for exclusive access.
2638          *
2639          * Implementation: When a client asks for exclusive access,
2640          * disconnect all others. Shared connects are allowed as long
2641          * as no exclusive connection exists.
2642          *
2643          * This is how the rfb spec suggests to handle the shared flag.
2644          */
2645         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2646             VncState *client;
2647             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2648                 if (vs == client) {
2649                     continue;
2650                 }
2651                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2652                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2653                     continue;
2654                 }
2655                 vnc_disconnect_start(client);
2656             }
2657         }
2658         if (mode == VNC_SHARE_MODE_SHARED) {
2659             if (vs->vd->num_exclusive > 0) {
2660                 vnc_disconnect_start(vs);
2661                 return 0;
2662             }
2663         }
2664         break;
2665     case VNC_SHARE_POLICY_FORCE_SHARED:
2666         /*
2667          * Policy: Shared connects only.
2668          * Implementation: Disallow clients asking for exclusive access.
2669          *
2670          * Useful for shared desktop sessions where you don't want
2671          * someone forgetting to say -shared when running the vnc
2672          * client disconnect everybody else.
2673          */
2674         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2675             vnc_disconnect_start(vs);
2676             return 0;
2677         }
2678         break;
2679     }
2680     vnc_set_share_mode(vs, mode);
2681 
2682     if (vs->vd->num_shared > vs->vd->connections_limit) {
2683         vnc_disconnect_start(vs);
2684         return 0;
2685     }
2686 
2687     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2688            pixman_image_get_width(vs->vd->server) >= 0);
2689     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2690            pixman_image_get_height(vs->vd->server) >= 0);
2691     vs->client_width = pixman_image_get_width(vs->vd->server);
2692     vs->client_height = pixman_image_get_height(vs->vd->server);
2693     vnc_write_u16(vs, vs->client_width);
2694     vnc_write_u16(vs, vs->client_height);
2695 
2696     pixel_format_message(vs);
2697 
2698     if (qemu_name) {
2699         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2700         if (size > sizeof(buf)) {
2701             size = sizeof(buf);
2702         }
2703     } else {
2704         size = snprintf(buf, sizeof(buf), "QEMU");
2705     }
2706 
2707     vnc_write_u32(vs, size);
2708     vnc_write(vs, buf, size);
2709     vnc_flush(vs);
2710 
2711     vnc_client_cache_auth(vs);
2712     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2713 
2714     vnc_read_when(vs, protocol_client_msg, 1);
2715 
2716     return 0;
2717 }
2718 
2719 void start_client_init(VncState *vs)
2720 {
2721     vnc_read_when(vs, protocol_client_init, 1);
2722 }
2723 
2724 static void authentication_failed(VncState *vs)
2725 {
2726     vnc_write_u32(vs, 1); /* Reject auth */
2727     if (vs->minor >= 8) {
2728         static const char err[] = "Authentication failed";
2729         vnc_write_u32(vs, sizeof(err));
2730         vnc_write(vs, err, sizeof(err));
2731     }
2732     vnc_flush(vs);
2733     vnc_client_error(vs);
2734 }
2735 
2736 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2737 {
2738     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2739     size_t i, pwlen;
2740     unsigned char key[8];
2741     time_t now = time(NULL);
2742     QCryptoCipher *cipher = NULL;
2743     Error *err = NULL;
2744 
2745     if (!vs->vd->password) {
2746         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2747         goto reject;
2748     }
2749     if (vs->vd->expires < now) {
2750         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2751         goto reject;
2752     }
2753 
2754     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2755 
2756     /* Calculate the expected challenge response */
2757     pwlen = strlen(vs->vd->password);
2758     for (i=0; i<sizeof(key); i++)
2759         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2760 
2761     cipher = qcrypto_cipher_new(
2762         QCRYPTO_CIPHER_ALG_DES_RFB,
2763         QCRYPTO_CIPHER_MODE_ECB,
2764         key, G_N_ELEMENTS(key),
2765         &err);
2766     if (!cipher) {
2767         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2768                             error_get_pretty(err));
2769         error_free(err);
2770         goto reject;
2771     }
2772 
2773     if (qcrypto_cipher_encrypt(cipher,
2774                                vs->challenge,
2775                                response,
2776                                VNC_AUTH_CHALLENGE_SIZE,
2777                                &err) < 0) {
2778         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2779                             error_get_pretty(err));
2780         error_free(err);
2781         goto reject;
2782     }
2783 
2784     /* Compare expected vs actual challenge response */
2785     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2786         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2787         goto reject;
2788     } else {
2789         trace_vnc_auth_pass(vs, vs->auth);
2790         vnc_write_u32(vs, 0); /* Accept auth */
2791         vnc_flush(vs);
2792 
2793         start_client_init(vs);
2794     }
2795 
2796     qcrypto_cipher_free(cipher);
2797     return 0;
2798 
2799 reject:
2800     authentication_failed(vs);
2801     qcrypto_cipher_free(cipher);
2802     return 0;
2803 }
2804 
2805 void start_auth_vnc(VncState *vs)
2806 {
2807     Error *err = NULL;
2808 
2809     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2810         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2811                             error_get_pretty(err));
2812         error_free(err);
2813         authentication_failed(vs);
2814         return;
2815     }
2816 
2817     /* Send client a 'random' challenge */
2818     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2819     vnc_flush(vs);
2820 
2821     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2822 }
2823 
2824 
2825 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2826 {
2827     /* We only advertise 1 auth scheme at a time, so client
2828      * must pick the one we sent. Verify this */
2829     if (data[0] != vs->auth) { /* Reject auth */
2830        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2831        authentication_failed(vs);
2832     } else { /* Accept requested auth */
2833        trace_vnc_auth_start(vs, vs->auth);
2834        switch (vs->auth) {
2835        case VNC_AUTH_NONE:
2836            if (vs->minor >= 8) {
2837                vnc_write_u32(vs, 0); /* Accept auth completion */
2838                vnc_flush(vs);
2839            }
2840            trace_vnc_auth_pass(vs, vs->auth);
2841            start_client_init(vs);
2842            break;
2843 
2844        case VNC_AUTH_VNC:
2845            start_auth_vnc(vs);
2846            break;
2847 
2848        case VNC_AUTH_VENCRYPT:
2849            start_auth_vencrypt(vs);
2850            break;
2851 
2852 #ifdef CONFIG_VNC_SASL
2853        case VNC_AUTH_SASL:
2854            start_auth_sasl(vs);
2855            break;
2856 #endif /* CONFIG_VNC_SASL */
2857 
2858        default: /* Should not be possible, but just in case */
2859            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2860            authentication_failed(vs);
2861        }
2862     }
2863     return 0;
2864 }
2865 
2866 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2867 {
2868     char local[13];
2869 
2870     memcpy(local, version, 12);
2871     local[12] = 0;
2872 
2873     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2874         VNC_DEBUG("Malformed protocol version %s\n", local);
2875         vnc_client_error(vs);
2876         return 0;
2877     }
2878     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2879     if (vs->major != 3 ||
2880         (vs->minor != 3 &&
2881          vs->minor != 4 &&
2882          vs->minor != 5 &&
2883          vs->minor != 7 &&
2884          vs->minor != 8)) {
2885         VNC_DEBUG("Unsupported client version\n");
2886         vnc_write_u32(vs, VNC_AUTH_INVALID);
2887         vnc_flush(vs);
2888         vnc_client_error(vs);
2889         return 0;
2890     }
2891     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2892      * as equivalent to v3.3 by servers
2893      */
2894     if (vs->minor == 4 || vs->minor == 5)
2895         vs->minor = 3;
2896 
2897     if (vs->minor == 3) {
2898         trace_vnc_auth_start(vs, vs->auth);
2899         if (vs->auth == VNC_AUTH_NONE) {
2900             vnc_write_u32(vs, vs->auth);
2901             vnc_flush(vs);
2902             trace_vnc_auth_pass(vs, vs->auth);
2903             start_client_init(vs);
2904        } else if (vs->auth == VNC_AUTH_VNC) {
2905             VNC_DEBUG("Tell client VNC auth\n");
2906             vnc_write_u32(vs, vs->auth);
2907             vnc_flush(vs);
2908             start_auth_vnc(vs);
2909        } else {
2910             trace_vnc_auth_fail(vs, vs->auth,
2911                                 "Unsupported auth method for v3.3", "");
2912             vnc_write_u32(vs, VNC_AUTH_INVALID);
2913             vnc_flush(vs);
2914             vnc_client_error(vs);
2915        }
2916     } else {
2917         vnc_write_u8(vs, 1); /* num auth */
2918         vnc_write_u8(vs, vs->auth);
2919         vnc_read_when(vs, protocol_client_auth, 1);
2920         vnc_flush(vs);
2921     }
2922 
2923     return 0;
2924 }
2925 
2926 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2927 {
2928     struct VncSurface *vs = &vd->guest;
2929 
2930     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2931 }
2932 
2933 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2934 {
2935     int i, j;
2936 
2937     w = (x + w) / VNC_STAT_RECT;
2938     h = (y + h) / VNC_STAT_RECT;
2939     x /= VNC_STAT_RECT;
2940     y /= VNC_STAT_RECT;
2941 
2942     for (j = y; j <= h; j++) {
2943         for (i = x; i <= w; i++) {
2944             vs->lossy_rect[j][i] = 1;
2945         }
2946     }
2947 }
2948 
2949 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2950 {
2951     VncState *vs;
2952     int sty = y / VNC_STAT_RECT;
2953     int stx = x / VNC_STAT_RECT;
2954     int has_dirty = 0;
2955 
2956     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2957     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2958 
2959     QTAILQ_FOREACH(vs, &vd->clients, next) {
2960         int j;
2961 
2962         /* kernel send buffers are full -> refresh later */
2963         if (vs->output.offset) {
2964             continue;
2965         }
2966 
2967         if (!vs->lossy_rect[sty][stx]) {
2968             continue;
2969         }
2970 
2971         vs->lossy_rect[sty][stx] = 0;
2972         for (j = 0; j < VNC_STAT_RECT; ++j) {
2973             bitmap_set(vs->dirty[y + j],
2974                        x / VNC_DIRTY_PIXELS_PER_BIT,
2975                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2976         }
2977         has_dirty++;
2978     }
2979 
2980     return has_dirty;
2981 }
2982 
2983 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2984 {
2985     int width = MIN(pixman_image_get_width(vd->guest.fb),
2986                     pixman_image_get_width(vd->server));
2987     int height = MIN(pixman_image_get_height(vd->guest.fb),
2988                      pixman_image_get_height(vd->server));
2989     int x, y;
2990     struct timeval res;
2991     int has_dirty = 0;
2992 
2993     for (y = 0; y < height; y += VNC_STAT_RECT) {
2994         for (x = 0; x < width; x += VNC_STAT_RECT) {
2995             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2996 
2997             rect->updated = false;
2998         }
2999     }
3000 
3001     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3002 
3003     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3004         return has_dirty;
3005     }
3006     vd->guest.last_freq_check = *tv;
3007 
3008     for (y = 0; y < height; y += VNC_STAT_RECT) {
3009         for (x = 0; x < width; x += VNC_STAT_RECT) {
3010             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3011             int count = ARRAY_SIZE(rect->times);
3012             struct timeval min, max;
3013 
3014             if (!timerisset(&rect->times[count - 1])) {
3015                 continue ;
3016             }
3017 
3018             max = rect->times[(rect->idx + count - 1) % count];
3019             qemu_timersub(tv, &max, &res);
3020 
3021             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3022                 rect->freq = 0;
3023                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3024                 memset(rect->times, 0, sizeof (rect->times));
3025                 continue ;
3026             }
3027 
3028             min = rect->times[rect->idx];
3029             max = rect->times[(rect->idx + count - 1) % count];
3030             qemu_timersub(&max, &min, &res);
3031 
3032             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3033             rect->freq /= count;
3034             rect->freq = 1. / rect->freq;
3035         }
3036     }
3037     return has_dirty;
3038 }
3039 
3040 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3041 {
3042     int i, j;
3043     double total = 0;
3044     int num = 0;
3045 
3046     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3047     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3048 
3049     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3050         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3051             total += vnc_stat_rect(vs->vd, i, j)->freq;
3052             num++;
3053         }
3054     }
3055 
3056     if (num) {
3057         return total / num;
3058     } else {
3059         return 0;
3060     }
3061 }
3062 
3063 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3064 {
3065     VncRectStat *rect;
3066 
3067     rect = vnc_stat_rect(vd, x, y);
3068     if (rect->updated) {
3069         return ;
3070     }
3071     rect->times[rect->idx] = *tv;
3072     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3073     rect->updated = true;
3074 }
3075 
3076 static int vnc_refresh_server_surface(VncDisplay *vd)
3077 {
3078     int width = MIN(pixman_image_get_width(vd->guest.fb),
3079                     pixman_image_get_width(vd->server));
3080     int height = MIN(pixman_image_get_height(vd->guest.fb),
3081                      pixman_image_get_height(vd->server));
3082     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3083     uint8_t *guest_row0 = NULL, *server_row0;
3084     VncState *vs;
3085     int has_dirty = 0;
3086     pixman_image_t *tmpbuf = NULL;
3087 
3088     struct timeval tv = { 0, 0 };
3089 
3090     if (!vd->non_adaptive) {
3091         gettimeofday(&tv, NULL);
3092         has_dirty = vnc_update_stats(vd, &tv);
3093     }
3094 
3095     /*
3096      * Walk through the guest dirty map.
3097      * Check and copy modified bits from guest to server surface.
3098      * Update server dirty map.
3099      */
3100     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3101     server_stride = guest_stride = guest_ll =
3102         pixman_image_get_stride(vd->server);
3103     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3104                     server_stride);
3105     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3106         int width = pixman_image_get_width(vd->server);
3107         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3108     } else {
3109         int guest_bpp =
3110             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3111         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3112         guest_stride = pixman_image_get_stride(vd->guest.fb);
3113         guest_ll = pixman_image_get_width(vd->guest.fb)
3114                    * DIV_ROUND_UP(guest_bpp, 8);
3115     }
3116     line_bytes = MIN(server_stride, guest_ll);
3117 
3118     for (;;) {
3119         int x;
3120         uint8_t *guest_ptr, *server_ptr;
3121         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3122                                              height * VNC_DIRTY_BPL(&vd->guest),
3123                                              y * VNC_DIRTY_BPL(&vd->guest));
3124         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3125             /* no more dirty bits */
3126             break;
3127         }
3128         y = offset / VNC_DIRTY_BPL(&vd->guest);
3129         x = offset % VNC_DIRTY_BPL(&vd->guest);
3130 
3131         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3132 
3133         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3134             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3135             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3136         } else {
3137             guest_ptr = guest_row0 + y * guest_stride;
3138         }
3139         guest_ptr += x * cmp_bytes;
3140 
3141         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3142              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3143             int _cmp_bytes = cmp_bytes;
3144             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3145                 continue;
3146             }
3147             if ((x + 1) * cmp_bytes > line_bytes) {
3148                 _cmp_bytes = line_bytes - x * cmp_bytes;
3149             }
3150             assert(_cmp_bytes >= 0);
3151             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3152                 continue;
3153             }
3154             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3155             if (!vd->non_adaptive) {
3156                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3157                                  y, &tv);
3158             }
3159             QTAILQ_FOREACH(vs, &vd->clients, next) {
3160                 set_bit(x, vs->dirty[y]);
3161             }
3162             has_dirty++;
3163         }
3164 
3165         y++;
3166     }
3167     qemu_pixman_image_unref(tmpbuf);
3168     return has_dirty;
3169 }
3170 
3171 static void vnc_refresh(DisplayChangeListener *dcl)
3172 {
3173     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3174     VncState *vs, *vn;
3175     int has_dirty, rects = 0;
3176 
3177     if (QTAILQ_EMPTY(&vd->clients)) {
3178         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3179         return;
3180     }
3181 
3182     graphic_hw_update(vd->dcl.con);
3183 
3184     if (vnc_trylock_display(vd)) {
3185         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3186         return;
3187     }
3188 
3189     has_dirty = vnc_refresh_server_surface(vd);
3190     vnc_unlock_display(vd);
3191 
3192     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3193         rects += vnc_update_client(vs, has_dirty);
3194         /* vs might be free()ed here */
3195     }
3196 
3197     if (has_dirty && rects) {
3198         vd->dcl.update_interval /= 2;
3199         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3200             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3201         }
3202     } else {
3203         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3204         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3205             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3206         }
3207     }
3208 }
3209 
3210 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3211                         bool skipauth, bool websocket)
3212 {
3213     VncState *vs = g_new0(VncState, 1);
3214     bool first_client = QTAILQ_EMPTY(&vd->clients);
3215     int i;
3216 
3217     trace_vnc_client_connect(vs, sioc);
3218     vs->zrle = g_new0(VncZrle, 1);
3219     vs->tight = g_new0(VncTight, 1);
3220     vs->magic = VNC_MAGIC;
3221     vs->sioc = sioc;
3222     object_ref(OBJECT(vs->sioc));
3223     vs->ioc = QIO_CHANNEL(sioc);
3224     object_ref(OBJECT(vs->ioc));
3225     vs->vd = vd;
3226 
3227     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3228     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3229     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3230 
3231     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3232     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3233     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3234 #ifdef CONFIG_VNC_JPEG
3235     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3236 #endif
3237 #ifdef CONFIG_VNC_PNG
3238     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3239 #endif
3240     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3241     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3242     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3243     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3244 
3245     if (skipauth) {
3246         vs->auth = VNC_AUTH_NONE;
3247         vs->subauth = VNC_AUTH_INVALID;
3248     } else {
3249         if (websocket) {
3250             vs->auth = vd->ws_auth;
3251             vs->subauth = VNC_AUTH_INVALID;
3252         } else {
3253             vs->auth = vd->auth;
3254             vs->subauth = vd->subauth;
3255         }
3256     }
3257     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3258               sioc, websocket, vs->auth, vs->subauth);
3259 
3260     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3261     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3262         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3263     }
3264 
3265     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3266     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3267     qio_channel_set_blocking(vs->ioc, false, NULL);
3268     if (vs->ioc_tag) {
3269         g_source_remove(vs->ioc_tag);
3270     }
3271     if (websocket) {
3272         vs->websocket = 1;
3273         if (vd->tlscreds) {
3274             vs->ioc_tag = qio_channel_add_watch(
3275                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3276                 vncws_tls_handshake_io, vs, NULL);
3277         } else {
3278             vs->ioc_tag = qio_channel_add_watch(
3279                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3280                 vncws_handshake_io, vs, NULL);
3281         }
3282     } else {
3283         vs->ioc_tag = qio_channel_add_watch(
3284             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3285             vnc_client_io, vs, NULL);
3286     }
3287 
3288     vnc_client_cache_addr(vs);
3289     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3290     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3291 
3292     vs->last_x = -1;
3293     vs->last_y = -1;
3294 
3295     vs->as.freq = 44100;
3296     vs->as.nchannels = 2;
3297     vs->as.fmt = AUDIO_FORMAT_S16;
3298     vs->as.endianness = 0;
3299 
3300     qemu_mutex_init(&vs->output_mutex);
3301     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3302 
3303     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3304     if (first_client) {
3305         vnc_update_server_surface(vd);
3306     }
3307 
3308     graphic_hw_update(vd->dcl.con);
3309 
3310     if (!vs->websocket) {
3311         vnc_start_protocol(vs);
3312     }
3313 
3314     if (vd->num_connecting > vd->connections_limit) {
3315         QTAILQ_FOREACH(vs, &vd->clients, next) {
3316             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3317                 vnc_disconnect_start(vs);
3318                 return;
3319             }
3320         }
3321     }
3322 }
3323 
3324 void vnc_start_protocol(VncState *vs)
3325 {
3326     vnc_write(vs, "RFB 003.008\n", 12);
3327     vnc_flush(vs);
3328     vnc_read_when(vs, protocol_version, 12);
3329 
3330     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3331     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3332 }
3333 
3334 static void vnc_listen_io(QIONetListener *listener,
3335                           QIOChannelSocket *cioc,
3336                           void *opaque)
3337 {
3338     VncDisplay *vd = opaque;
3339     bool isWebsock = listener == vd->wslistener;
3340 
3341     qio_channel_set_name(QIO_CHANNEL(cioc),
3342                          isWebsock ? "vnc-ws-server" : "vnc-server");
3343     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3344     vnc_connect(vd, cioc, false, isWebsock);
3345 }
3346 
3347 static const DisplayChangeListenerOps dcl_ops = {
3348     .dpy_name             = "vnc",
3349     .dpy_refresh          = vnc_refresh,
3350     .dpy_gfx_update       = vnc_dpy_update,
3351     .dpy_gfx_switch       = vnc_dpy_switch,
3352     .dpy_gfx_check_format = qemu_pixman_check_format,
3353     .dpy_mouse_set        = vnc_mouse_set,
3354     .dpy_cursor_define    = vnc_dpy_cursor_define,
3355 };
3356 
3357 void vnc_display_init(const char *id, Error **errp)
3358 {
3359     VncDisplay *vd;
3360 
3361     if (vnc_display_find(id) != NULL) {
3362         return;
3363     }
3364     vd = g_malloc0(sizeof(*vd));
3365 
3366     vd->id = strdup(id);
3367     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3368 
3369     QTAILQ_INIT(&vd->clients);
3370     vd->expires = TIME_MAX;
3371 
3372     if (keyboard_layout) {
3373         trace_vnc_key_map_init(keyboard_layout);
3374         vd->kbd_layout = init_keyboard_layout(name2keysym,
3375                                               keyboard_layout, errp);
3376     } else {
3377         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3378     }
3379 
3380     if (!vd->kbd_layout) {
3381         return;
3382     }
3383 
3384     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3385     vd->connections_limit = 32;
3386 
3387     qemu_mutex_init(&vd->mutex);
3388     vnc_start_worker_thread();
3389 
3390     vd->dcl.ops = &dcl_ops;
3391     register_displaychangelistener(&vd->dcl);
3392     vd->kbd = qkbd_state_init(vd->dcl.con);
3393 }
3394 
3395 
3396 static void vnc_display_close(VncDisplay *vd)
3397 {
3398     if (!vd) {
3399         return;
3400     }
3401     vd->is_unix = false;
3402 
3403     if (vd->listener) {
3404         qio_net_listener_disconnect(vd->listener);
3405         object_unref(OBJECT(vd->listener));
3406     }
3407     vd->listener = NULL;
3408 
3409     if (vd->wslistener) {
3410         qio_net_listener_disconnect(vd->wslistener);
3411         object_unref(OBJECT(vd->wslistener));
3412     }
3413     vd->wslistener = NULL;
3414 
3415     vd->auth = VNC_AUTH_INVALID;
3416     vd->subauth = VNC_AUTH_INVALID;
3417     if (vd->tlscreds) {
3418         object_unref(OBJECT(vd->tlscreds));
3419         vd->tlscreds = NULL;
3420     }
3421     if (vd->tlsauthz) {
3422         object_unparent(OBJECT(vd->tlsauthz));
3423         vd->tlsauthz = NULL;
3424     }
3425     g_free(vd->tlsauthzid);
3426     vd->tlsauthzid = NULL;
3427     if (vd->lock_key_sync) {
3428         qemu_remove_led_event_handler(vd->led);
3429         vd->led = NULL;
3430     }
3431 #ifdef CONFIG_VNC_SASL
3432     if (vd->sasl.authz) {
3433         object_unparent(OBJECT(vd->sasl.authz));
3434         vd->sasl.authz = NULL;
3435     }
3436     g_free(vd->sasl.authzid);
3437     vd->sasl.authzid = NULL;
3438 #endif
3439 }
3440 
3441 int vnc_display_password(const char *id, const char *password)
3442 {
3443     VncDisplay *vd = vnc_display_find(id);
3444 
3445     if (!vd) {
3446         return -EINVAL;
3447     }
3448     if (vd->auth == VNC_AUTH_NONE) {
3449         error_printf_unless_qmp("If you want use passwords please enable "
3450                                 "password auth using '-vnc ${dpy},password'.\n");
3451         return -EINVAL;
3452     }
3453 
3454     g_free(vd->password);
3455     vd->password = g_strdup(password);
3456 
3457     return 0;
3458 }
3459 
3460 int vnc_display_pw_expire(const char *id, time_t expires)
3461 {
3462     VncDisplay *vd = vnc_display_find(id);
3463 
3464     if (!vd) {
3465         return -EINVAL;
3466     }
3467 
3468     vd->expires = expires;
3469     return 0;
3470 }
3471 
3472 static void vnc_display_print_local_addr(VncDisplay *vd)
3473 {
3474     SocketAddress *addr;
3475 
3476     if (!vd->listener || !vd->listener->nsioc) {
3477         return;
3478     }
3479 
3480     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3481     if (!addr) {
3482         return;
3483     }
3484 
3485     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3486         qapi_free_SocketAddress(addr);
3487         return;
3488     }
3489     error_printf_unless_qmp("VNC server running on %s:%s\n",
3490                             addr->u.inet.host,
3491                             addr->u.inet.port);
3492     qapi_free_SocketAddress(addr);
3493 }
3494 
3495 static QemuOptsList qemu_vnc_opts = {
3496     .name = "vnc",
3497     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3498     .implied_opt_name = "vnc",
3499     .desc = {
3500         {
3501             .name = "vnc",
3502             .type = QEMU_OPT_STRING,
3503         },{
3504             .name = "websocket",
3505             .type = QEMU_OPT_STRING,
3506         },{
3507             .name = "tls-creds",
3508             .type = QEMU_OPT_STRING,
3509         },{
3510             .name = "share",
3511             .type = QEMU_OPT_STRING,
3512         },{
3513             .name = "display",
3514             .type = QEMU_OPT_STRING,
3515         },{
3516             .name = "head",
3517             .type = QEMU_OPT_NUMBER,
3518         },{
3519             .name = "connections",
3520             .type = QEMU_OPT_NUMBER,
3521         },{
3522             .name = "to",
3523             .type = QEMU_OPT_NUMBER,
3524         },{
3525             .name = "ipv4",
3526             .type = QEMU_OPT_BOOL,
3527         },{
3528             .name = "ipv6",
3529             .type = QEMU_OPT_BOOL,
3530         },{
3531             .name = "password",
3532             .type = QEMU_OPT_BOOL,
3533         },{
3534             .name = "password-secret",
3535             .type = QEMU_OPT_STRING,
3536         },{
3537             .name = "reverse",
3538             .type = QEMU_OPT_BOOL,
3539         },{
3540             .name = "lock-key-sync",
3541             .type = QEMU_OPT_BOOL,
3542         },{
3543             .name = "key-delay-ms",
3544             .type = QEMU_OPT_NUMBER,
3545         },{
3546             .name = "sasl",
3547             .type = QEMU_OPT_BOOL,
3548         },{
3549             .name = "tls-authz",
3550             .type = QEMU_OPT_STRING,
3551         },{
3552             .name = "sasl-authz",
3553             .type = QEMU_OPT_STRING,
3554         },{
3555             .name = "lossy",
3556             .type = QEMU_OPT_BOOL,
3557         },{
3558             .name = "non-adaptive",
3559             .type = QEMU_OPT_BOOL,
3560         },{
3561             .name = "audiodev",
3562             .type = QEMU_OPT_STRING,
3563         },{
3564             .name = "power-control",
3565             .type = QEMU_OPT_BOOL,
3566         },
3567         { /* end of list */ }
3568     },
3569 };
3570 
3571 
3572 static int
3573 vnc_display_setup_auth(int *auth,
3574                        int *subauth,
3575                        QCryptoTLSCreds *tlscreds,
3576                        bool password,
3577                        bool sasl,
3578                        bool websocket,
3579                        Error **errp)
3580 {
3581     /*
3582      * We have a choice of 3 authentication options
3583      *
3584      *   1. none
3585      *   2. vnc
3586      *   3. sasl
3587      *
3588      * The channel can be run in 2 modes
3589      *
3590      *   1. clear
3591      *   2. tls
3592      *
3593      * And TLS can use 2 types of credentials
3594      *
3595      *   1. anon
3596      *   2. x509
3597      *
3598      * We thus have 9 possible logical combinations
3599      *
3600      *   1. clear + none
3601      *   2. clear + vnc
3602      *   3. clear + sasl
3603      *   4. tls + anon + none
3604      *   5. tls + anon + vnc
3605      *   6. tls + anon + sasl
3606      *   7. tls + x509 + none
3607      *   8. tls + x509 + vnc
3608      *   9. tls + x509 + sasl
3609      *
3610      * These need to be mapped into the VNC auth schemes
3611      * in an appropriate manner. In regular VNC, all the
3612      * TLS options get mapped into VNC_AUTH_VENCRYPT
3613      * sub-auth types.
3614      *
3615      * In websockets, the https:// protocol already provides
3616      * TLS support, so there is no need to make use of the
3617      * VeNCrypt extension. Furthermore, websockets browser
3618      * clients could not use VeNCrypt even if they wanted to,
3619      * as they cannot control when the TLS handshake takes
3620      * place. Thus there is no option but to rely on https://,
3621      * meaning combinations 4->6 and 7->9 will be mapped to
3622      * VNC auth schemes in the same way as combos 1->3.
3623      *
3624      * Regardless of fact that we have a different mapping to
3625      * VNC auth mechs for plain VNC vs websockets VNC, the end
3626      * result has the same security characteristics.
3627      */
3628     if (websocket || !tlscreds) {
3629         if (password) {
3630             VNC_DEBUG("Initializing VNC server with password auth\n");
3631             *auth = VNC_AUTH_VNC;
3632         } else if (sasl) {
3633             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3634             *auth = VNC_AUTH_SASL;
3635         } else {
3636             VNC_DEBUG("Initializing VNC server with no auth\n");
3637             *auth = VNC_AUTH_NONE;
3638         }
3639         *subauth = VNC_AUTH_INVALID;
3640     } else {
3641         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3642                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3643         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3644                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3645 
3646         if (!is_x509 && !is_anon) {
3647             error_setg(errp,
3648                        "Unsupported TLS cred type %s",
3649                        object_get_typename(OBJECT(tlscreds)));
3650             return -1;
3651         }
3652         *auth = VNC_AUTH_VENCRYPT;
3653         if (password) {
3654             if (is_x509) {
3655                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3656                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3657             } else {
3658                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3659                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3660             }
3661 
3662         } else if (sasl) {
3663             if (is_x509) {
3664                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3665                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3666             } else {
3667                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3668                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3669             }
3670         } else {
3671             if (is_x509) {
3672                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3673                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3674             } else {
3675                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3676                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3677             }
3678         }
3679     }
3680     return 0;
3681 }
3682 
3683 
3684 static int vnc_display_get_address(const char *addrstr,
3685                                    bool websocket,
3686                                    bool reverse,
3687                                    int displaynum,
3688                                    int to,
3689                                    bool has_ipv4,
3690                                    bool has_ipv6,
3691                                    bool ipv4,
3692                                    bool ipv6,
3693                                    SocketAddress **retaddr,
3694                                    Error **errp)
3695 {
3696     int ret = -1;
3697     SocketAddress *addr = NULL;
3698 
3699     addr = g_new0(SocketAddress, 1);
3700 
3701     if (strncmp(addrstr, "unix:", 5) == 0) {
3702         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3703         addr->u.q_unix.path = g_strdup(addrstr + 5);
3704 
3705         if (websocket) {
3706             error_setg(errp, "UNIX sockets not supported with websock");
3707             goto cleanup;
3708         }
3709 
3710         if (to) {
3711             error_setg(errp, "Port range not support with UNIX socket");
3712             goto cleanup;
3713         }
3714         ret = 0;
3715     } else {
3716         const char *port;
3717         size_t hostlen;
3718         unsigned long long baseport = 0;
3719         InetSocketAddress *inet;
3720 
3721         port = strrchr(addrstr, ':');
3722         if (!port) {
3723             if (websocket) {
3724                 hostlen = 0;
3725                 port = addrstr;
3726             } else {
3727                 error_setg(errp, "no vnc port specified");
3728                 goto cleanup;
3729             }
3730         } else {
3731             hostlen = port - addrstr;
3732             port++;
3733             if (*port == '\0') {
3734                 error_setg(errp, "vnc port cannot be empty");
3735                 goto cleanup;
3736             }
3737         }
3738 
3739         addr->type = SOCKET_ADDRESS_TYPE_INET;
3740         inet = &addr->u.inet;
3741         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3742             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3743         } else {
3744             inet->host = g_strndup(addrstr, hostlen);
3745         }
3746         /* plain VNC port is just an offset, for websocket
3747          * port is absolute */
3748         if (websocket) {
3749             if (g_str_equal(addrstr, "") ||
3750                 g_str_equal(addrstr, "on")) {
3751                 if (displaynum == -1) {
3752                     error_setg(errp, "explicit websocket port is required");
3753                     goto cleanup;
3754                 }
3755                 inet->port = g_strdup_printf(
3756                     "%d", displaynum + 5700);
3757                 if (to) {
3758                     inet->has_to = true;
3759                     inet->to = to + 5700;
3760                 }
3761             } else {
3762                 inet->port = g_strdup(port);
3763             }
3764         } else {
3765             int offset = reverse ? 0 : 5900;
3766             if (parse_uint_full(port, &baseport, 10) < 0) {
3767                 error_setg(errp, "can't convert to a number: %s", port);
3768                 goto cleanup;
3769             }
3770             if (baseport > 65535 ||
3771                 baseport + offset > 65535) {
3772                 error_setg(errp, "port %s out of range", port);
3773                 goto cleanup;
3774             }
3775             inet->port = g_strdup_printf(
3776                 "%d", (int)baseport + offset);
3777 
3778             if (to) {
3779                 inet->has_to = true;
3780                 inet->to = to + offset;
3781             }
3782         }
3783 
3784         inet->ipv4 = ipv4;
3785         inet->has_ipv4 = has_ipv4;
3786         inet->ipv6 = ipv6;
3787         inet->has_ipv6 = has_ipv6;
3788 
3789         ret = baseport;
3790     }
3791 
3792     *retaddr = addr;
3793 
3794  cleanup:
3795     if (ret < 0) {
3796         qapi_free_SocketAddress(addr);
3797     }
3798     return ret;
3799 }
3800 
3801 static void vnc_free_addresses(SocketAddress ***retsaddr,
3802                                size_t *retnsaddr)
3803 {
3804     size_t i;
3805 
3806     for (i = 0; i < *retnsaddr; i++) {
3807         qapi_free_SocketAddress((*retsaddr)[i]);
3808     }
3809     g_free(*retsaddr);
3810 
3811     *retsaddr = NULL;
3812     *retnsaddr = 0;
3813 }
3814 
3815 static int vnc_display_get_addresses(QemuOpts *opts,
3816                                      bool reverse,
3817                                      SocketAddress ***retsaddr,
3818                                      size_t *retnsaddr,
3819                                      SocketAddress ***retwsaddr,
3820                                      size_t *retnwsaddr,
3821                                      Error **errp)
3822 {
3823     SocketAddress *saddr = NULL;
3824     SocketAddress *wsaddr = NULL;
3825     QemuOptsIter addriter;
3826     const char *addr;
3827     int to = qemu_opt_get_number(opts, "to", 0);
3828     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3829     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3830     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3831     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3832     int displaynum = -1;
3833     int ret = -1;
3834 
3835     *retsaddr = NULL;
3836     *retnsaddr = 0;
3837     *retwsaddr = NULL;
3838     *retnwsaddr = 0;
3839 
3840     addr = qemu_opt_get(opts, "vnc");
3841     if (addr == NULL || g_str_equal(addr, "none")) {
3842         ret = 0;
3843         goto cleanup;
3844     }
3845     if (qemu_opt_get(opts, "websocket") &&
3846         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3847         error_setg(errp,
3848                    "SHA1 hash support is required for websockets");
3849         goto cleanup;
3850     }
3851 
3852     qemu_opt_iter_init(&addriter, opts, "vnc");
3853     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3854         int rv;
3855         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3856                                      has_ipv4, has_ipv6,
3857                                      ipv4, ipv6,
3858                                      &saddr, errp);
3859         if (rv < 0) {
3860             goto cleanup;
3861         }
3862         /* Historical compat - first listen address can be used
3863          * to set the default websocket port
3864          */
3865         if (displaynum == -1) {
3866             displaynum = rv;
3867         }
3868         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3869         (*retsaddr)[(*retnsaddr)++] = saddr;
3870     }
3871 
3872     /* If we had multiple primary displays, we don't do defaults
3873      * for websocket, and require explicit config instead. */
3874     if (*retnsaddr > 1) {
3875         displaynum = -1;
3876     }
3877 
3878     qemu_opt_iter_init(&addriter, opts, "websocket");
3879     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3880         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3881                                     has_ipv4, has_ipv6,
3882                                     ipv4, ipv6,
3883                                     &wsaddr, errp) < 0) {
3884             goto cleanup;
3885         }
3886 
3887         /* Historical compat - if only a single listen address was
3888          * provided, then this is used to set the default listen
3889          * address for websocket too
3890          */
3891         if (*retnsaddr == 1 &&
3892             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3893             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3894             g_str_equal(wsaddr->u.inet.host, "") &&
3895             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3896             g_free(wsaddr->u.inet.host);
3897             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3898         }
3899 
3900         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3901         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3902     }
3903 
3904     ret = 0;
3905  cleanup:
3906     if (ret < 0) {
3907         vnc_free_addresses(retsaddr, retnsaddr);
3908         vnc_free_addresses(retwsaddr, retnwsaddr);
3909     }
3910     return ret;
3911 }
3912 
3913 static int vnc_display_connect(VncDisplay *vd,
3914                                SocketAddress **saddr,
3915                                size_t nsaddr,
3916                                SocketAddress **wsaddr,
3917                                size_t nwsaddr,
3918                                Error **errp)
3919 {
3920     /* connect to viewer */
3921     QIOChannelSocket *sioc = NULL;
3922     if (nwsaddr != 0) {
3923         error_setg(errp, "Cannot use websockets in reverse mode");
3924         return -1;
3925     }
3926     if (nsaddr != 1) {
3927         error_setg(errp, "Expected a single address in reverse mode");
3928         return -1;
3929     }
3930     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3931     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3932     sioc = qio_channel_socket_new();
3933     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3934     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3935         object_unref(OBJECT(sioc));
3936         return -1;
3937     }
3938     vnc_connect(vd, sioc, false, false);
3939     object_unref(OBJECT(sioc));
3940     return 0;
3941 }
3942 
3943 
3944 static int vnc_display_listen(VncDisplay *vd,
3945                               SocketAddress **saddr,
3946                               size_t nsaddr,
3947                               SocketAddress **wsaddr,
3948                               size_t nwsaddr,
3949                               Error **errp)
3950 {
3951     size_t i;
3952 
3953     if (nsaddr) {
3954         vd->listener = qio_net_listener_new();
3955         qio_net_listener_set_name(vd->listener, "vnc-listen");
3956         for (i = 0; i < nsaddr; i++) {
3957             if (qio_net_listener_open_sync(vd->listener,
3958                                            saddr[i], 1,
3959                                            errp) < 0)  {
3960                 return -1;
3961             }
3962         }
3963 
3964         qio_net_listener_set_client_func(vd->listener,
3965                                          vnc_listen_io, vd, NULL);
3966     }
3967 
3968     if (nwsaddr) {
3969         vd->wslistener = qio_net_listener_new();
3970         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3971         for (i = 0; i < nwsaddr; i++) {
3972             if (qio_net_listener_open_sync(vd->wslistener,
3973                                            wsaddr[i], 1,
3974                                            errp) < 0)  {
3975                 return -1;
3976             }
3977         }
3978 
3979         qio_net_listener_set_client_func(vd->wslistener,
3980                                          vnc_listen_io, vd, NULL);
3981     }
3982 
3983     return 0;
3984 }
3985 
3986 
3987 void vnc_display_open(const char *id, Error **errp)
3988 {
3989     VncDisplay *vd = vnc_display_find(id);
3990     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3991     SocketAddress **saddr = NULL, **wsaddr = NULL;
3992     size_t nsaddr, nwsaddr;
3993     const char *share, *device_id;
3994     QemuConsole *con;
3995     bool password = false;
3996     bool reverse = false;
3997     const char *credid;
3998     bool sasl = false;
3999     const char *tlsauthz;
4000     const char *saslauthz;
4001     int lock_key_sync = 1;
4002     int key_delay_ms;
4003     const char *audiodev;
4004     const char *passwordSecret;
4005 
4006     if (!vd) {
4007         error_setg(errp, "VNC display not active");
4008         return;
4009     }
4010     vnc_display_close(vd);
4011 
4012     if (!opts) {
4013         return;
4014     }
4015 
4016     reverse = qemu_opt_get_bool(opts, "reverse", false);
4017     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
4018                                   &wsaddr, &nwsaddr, errp) < 0) {
4019         goto fail;
4020     }
4021 
4022 
4023     passwordSecret = qemu_opt_get(opts, "password-secret");
4024     if (passwordSecret) {
4025         if (qemu_opt_get(opts, "password")) {
4026             error_setg(errp,
4027                        "'password' flag is redundant with 'password-secret'");
4028             goto fail;
4029         }
4030         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4031                                                      errp);
4032         if (!vd->password) {
4033             goto fail;
4034         }
4035         password = true;
4036     } else {
4037         password = qemu_opt_get_bool(opts, "password", false);
4038     }
4039     if (password) {
4040         if (fips_get_state()) {
4041             error_setg(errp,
4042                        "VNC password auth disabled due to FIPS mode, "
4043                        "consider using the VeNCrypt or SASL authentication "
4044                        "methods as an alternative");
4045             goto fail;
4046         }
4047         if (!qcrypto_cipher_supports(
4048                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
4049             error_setg(errp,
4050                        "Cipher backend does not support DES RFB algorithm");
4051             goto fail;
4052         }
4053     }
4054 
4055     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4056     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4057     sasl = qemu_opt_get_bool(opts, "sasl", false);
4058 #ifndef CONFIG_VNC_SASL
4059     if (sasl) {
4060         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4061         goto fail;
4062     }
4063 #endif /* CONFIG_VNC_SASL */
4064     credid = qemu_opt_get(opts, "tls-creds");
4065     if (credid) {
4066         Object *creds;
4067         creds = object_resolve_path_component(
4068             object_get_objects_root(), credid);
4069         if (!creds) {
4070             error_setg(errp, "No TLS credentials with id '%s'",
4071                        credid);
4072             goto fail;
4073         }
4074         vd->tlscreds = (QCryptoTLSCreds *)
4075             object_dynamic_cast(creds,
4076                                 TYPE_QCRYPTO_TLS_CREDS);
4077         if (!vd->tlscreds) {
4078             error_setg(errp, "Object with id '%s' is not TLS credentials",
4079                        credid);
4080             goto fail;
4081         }
4082         object_ref(OBJECT(vd->tlscreds));
4083 
4084         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4085                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4086                                               errp)) {
4087             goto fail;
4088         }
4089     }
4090     tlsauthz = qemu_opt_get(opts, "tls-authz");
4091     if (tlsauthz && !vd->tlscreds) {
4092         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4093         goto fail;
4094     }
4095 
4096     saslauthz = qemu_opt_get(opts, "sasl-authz");
4097     if (saslauthz && !sasl) {
4098         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4099         goto fail;
4100     }
4101 
4102     share = qemu_opt_get(opts, "share");
4103     if (share) {
4104         if (strcmp(share, "ignore") == 0) {
4105             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4106         } else if (strcmp(share, "allow-exclusive") == 0) {
4107             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4108         } else if (strcmp(share, "force-shared") == 0) {
4109             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4110         } else {
4111             error_setg(errp, "unknown vnc share= option");
4112             goto fail;
4113         }
4114     } else {
4115         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4116     }
4117     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4118 
4119 #ifdef CONFIG_VNC_JPEG
4120     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4121 #endif
4122     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4123     /* adaptive updates are only used with tight encoding and
4124      * if lossy updates are enabled so we can disable all the
4125      * calculations otherwise */
4126     if (!vd->lossy) {
4127         vd->non_adaptive = true;
4128     }
4129 
4130     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4131 
4132     if (tlsauthz) {
4133         vd->tlsauthzid = g_strdup(tlsauthz);
4134     }
4135 #ifdef CONFIG_VNC_SASL
4136     if (sasl) {
4137         if (saslauthz) {
4138             vd->sasl.authzid = g_strdup(saslauthz);
4139         }
4140     }
4141 #endif
4142 
4143     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4144                                vd->tlscreds, password,
4145                                sasl, false, errp) < 0) {
4146         goto fail;
4147     }
4148     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4149 
4150     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4151                                vd->tlscreds, password,
4152                                sasl, true, errp) < 0) {
4153         goto fail;
4154     }
4155     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4156 
4157 #ifdef CONFIG_VNC_SASL
4158     if (sasl && !vnc_sasl_server_init(errp)) {
4159         goto fail;
4160     }
4161 #endif
4162     vd->lock_key_sync = lock_key_sync;
4163     if (lock_key_sync) {
4164         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4165     }
4166     vd->ledstate = 0;
4167 
4168     audiodev = qemu_opt_get(opts, "audiodev");
4169     if (audiodev) {
4170         vd->audio_state = audio_state_by_name(audiodev);
4171         if (!vd->audio_state) {
4172             error_setg(errp, "Audiodev '%s' not found", audiodev);
4173             goto fail;
4174         }
4175     }
4176 
4177     device_id = qemu_opt_get(opts, "display");
4178     if (device_id) {
4179         int head = qemu_opt_get_number(opts, "head", 0);
4180         Error *err = NULL;
4181 
4182         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4183         if (err) {
4184             error_propagate(errp, err);
4185             goto fail;
4186         }
4187     } else {
4188         con = NULL;
4189     }
4190 
4191     if (con != vd->dcl.con) {
4192         qkbd_state_free(vd->kbd);
4193         unregister_displaychangelistener(&vd->dcl);
4194         vd->dcl.con = con;
4195         register_displaychangelistener(&vd->dcl);
4196         vd->kbd = qkbd_state_init(vd->dcl.con);
4197     }
4198     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4199 
4200     if (saddr == NULL) {
4201         goto cleanup;
4202     }
4203 
4204     if (reverse) {
4205         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4206             goto fail;
4207         }
4208     } else {
4209         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4210             goto fail;
4211         }
4212     }
4213 
4214     if (qemu_opt_get(opts, "to")) {
4215         vnc_display_print_local_addr(vd);
4216     }
4217 
4218  cleanup:
4219     vnc_free_addresses(&saddr, &nsaddr);
4220     vnc_free_addresses(&wsaddr, &nwsaddr);
4221     return;
4222 
4223 fail:
4224     vnc_display_close(vd);
4225     goto cleanup;
4226 }
4227 
4228 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4229 {
4230     VncDisplay *vd = vnc_display_find(id);
4231     QIOChannelSocket *sioc;
4232 
4233     if (!vd) {
4234         return;
4235     }
4236 
4237     sioc = qio_channel_socket_new_fd(csock, NULL);
4238     if (sioc) {
4239         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4240         vnc_connect(vd, sioc, skipauth, false);
4241         object_unref(OBJECT(sioc));
4242     }
4243 }
4244 
4245 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4246 {
4247     int i = 2;
4248     char *id;
4249 
4250     id = g_strdup("default");
4251     while (qemu_opts_find(olist, id)) {
4252         g_free(id);
4253         id = g_strdup_printf("vnc%d", i++);
4254     }
4255     qemu_opts_set_id(opts, id);
4256 }
4257 
4258 void vnc_parse(const char *str)
4259 {
4260     QemuOptsList *olist = qemu_find_opts("vnc");
4261     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4262     const char *id;
4263 
4264     if (!opts) {
4265         exit(1);
4266     }
4267 
4268     id = qemu_opts_id(opts);
4269     if (!id) {
4270         /* auto-assign id if not present */
4271         vnc_auto_assign_id(olist, opts);
4272     }
4273 }
4274 
4275 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4276 {
4277     Error *local_err = NULL;
4278     char *id = (char *)qemu_opts_id(opts);
4279 
4280     assert(id);
4281     vnc_display_init(id, &local_err);
4282     if (local_err) {
4283         error_propagate(errp, local_err);
4284         return -1;
4285     }
4286     vnc_display_open(id, &local_err);
4287     if (local_err != NULL) {
4288         error_propagate(errp, local_err);
4289         return -1;
4290     }
4291     return 0;
4292 }
4293 
4294 static void vnc_register_config(void)
4295 {
4296     qemu_add_opts(&qemu_vnc_opts);
4297 }
4298 opts_init(vnc_register_config);
4299