xref: /openbmc/qemu/ui/vnc.c (revision 4a09d0bb)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/sockets.h"
35 #include "qemu/timer.h"
36 #include "qemu/acl.h"
37 #include "qemu/config-file.h"
38 #include "qapi/qmp/qerror.h"
39 #include "qapi/qmp/types.h"
40 #include "qmp-commands.h"
41 #include "ui/input.h"
42 #include "qapi-event.h"
43 #include "crypto/hash.h"
44 #include "crypto/tlscredsanon.h"
45 #include "crypto/tlscredsx509.h"
46 #include "qom/object_interfaces.h"
47 #include "qemu/cutils.h"
48 #include "io/dns-resolver.h"
49 
50 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
51 #define VNC_REFRESH_INTERVAL_INC  50
52 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
53 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
54 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
55 
56 #include "vnc_keysym.h"
57 #include "crypto/cipher.h"
58 
59 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
60     QTAILQ_HEAD_INITIALIZER(vnc_displays);
61 
62 static int vnc_cursor_define(VncState *vs);
63 static void vnc_release_modifiers(VncState *vs);
64 
65 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
66 {
67 #ifdef _VNC_DEBUG
68     static const char *mn[] = {
69         [0]                           = "undefined",
70         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
71         [VNC_SHARE_MODE_SHARED]       = "shared",
72         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
73         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
74     };
75     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
76             vs->ioc, mn[vs->share_mode], mn[mode]);
77 #endif
78 
79     switch (vs->share_mode) {
80     case VNC_SHARE_MODE_CONNECTING:
81         vs->vd->num_connecting--;
82         break;
83     case VNC_SHARE_MODE_SHARED:
84         vs->vd->num_shared--;
85         break;
86     case VNC_SHARE_MODE_EXCLUSIVE:
87         vs->vd->num_exclusive--;
88         break;
89     default:
90         break;
91     }
92 
93     vs->share_mode = mode;
94 
95     switch (vs->share_mode) {
96     case VNC_SHARE_MODE_CONNECTING:
97         vs->vd->num_connecting++;
98         break;
99     case VNC_SHARE_MODE_SHARED:
100         vs->vd->num_shared++;
101         break;
102     case VNC_SHARE_MODE_EXCLUSIVE:
103         vs->vd->num_exclusive++;
104         break;
105     default:
106         break;
107     }
108 }
109 
110 
111 static void vnc_init_basic_info(SocketAddress *addr,
112                                 VncBasicInfo *info,
113                                 Error **errp)
114 {
115     switch (addr->type) {
116     case SOCKET_ADDRESS_KIND_INET:
117         info->host = g_strdup(addr->u.inet.data->host);
118         info->service = g_strdup(addr->u.inet.data->port);
119         if (addr->u.inet.data->ipv6) {
120             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
121         } else {
122             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
123         }
124         break;
125 
126     case SOCKET_ADDRESS_KIND_UNIX:
127         info->host = g_strdup("");
128         info->service = g_strdup(addr->u.q_unix.data->path);
129         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
130         break;
131 
132     default:
133         error_setg(errp, "Unsupported socket kind %d",
134                    addr->type);
135         break;
136     }
137 
138     return;
139 }
140 
141 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
142                                                  VncBasicInfo *info,
143                                                  Error **errp)
144 {
145     SocketAddress *addr = NULL;
146 
147     if (!ioc) {
148         error_setg(errp, "No listener socket available");
149         return;
150     }
151 
152     addr = qio_channel_socket_get_local_address(ioc, errp);
153     if (!addr) {
154         return;
155     }
156 
157     vnc_init_basic_info(addr, info, errp);
158     qapi_free_SocketAddress(addr);
159 }
160 
161 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
162                                                  VncBasicInfo *info,
163                                                  Error **errp)
164 {
165     SocketAddress *addr = NULL;
166 
167     addr = qio_channel_socket_get_remote_address(ioc, errp);
168     if (!addr) {
169         return;
170     }
171 
172     vnc_init_basic_info(addr, info, errp);
173     qapi_free_SocketAddress(addr);
174 }
175 
176 static const char *vnc_auth_name(VncDisplay *vd) {
177     switch (vd->auth) {
178     case VNC_AUTH_INVALID:
179         return "invalid";
180     case VNC_AUTH_NONE:
181         return "none";
182     case VNC_AUTH_VNC:
183         return "vnc";
184     case VNC_AUTH_RA2:
185         return "ra2";
186     case VNC_AUTH_RA2NE:
187         return "ra2ne";
188     case VNC_AUTH_TIGHT:
189         return "tight";
190     case VNC_AUTH_ULTRA:
191         return "ultra";
192     case VNC_AUTH_TLS:
193         return "tls";
194     case VNC_AUTH_VENCRYPT:
195         switch (vd->subauth) {
196         case VNC_AUTH_VENCRYPT_PLAIN:
197             return "vencrypt+plain";
198         case VNC_AUTH_VENCRYPT_TLSNONE:
199             return "vencrypt+tls+none";
200         case VNC_AUTH_VENCRYPT_TLSVNC:
201             return "vencrypt+tls+vnc";
202         case VNC_AUTH_VENCRYPT_TLSPLAIN:
203             return "vencrypt+tls+plain";
204         case VNC_AUTH_VENCRYPT_X509NONE:
205             return "vencrypt+x509+none";
206         case VNC_AUTH_VENCRYPT_X509VNC:
207             return "vencrypt+x509+vnc";
208         case VNC_AUTH_VENCRYPT_X509PLAIN:
209             return "vencrypt+x509+plain";
210         case VNC_AUTH_VENCRYPT_TLSSASL:
211             return "vencrypt+tls+sasl";
212         case VNC_AUTH_VENCRYPT_X509SASL:
213             return "vencrypt+x509+sasl";
214         default:
215             return "vencrypt";
216         }
217     case VNC_AUTH_SASL:
218         return "sasl";
219     }
220     return "unknown";
221 }
222 
223 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
224 {
225     VncServerInfo *info;
226     Error *err = NULL;
227 
228     if (!vd->nlsock) {
229         return NULL;
230     }
231 
232     info = g_malloc0(sizeof(*info));
233     vnc_init_basic_info_from_server_addr(vd->lsock[0],
234                                          qapi_VncServerInfo_base(info), &err);
235     info->has_auth = true;
236     info->auth = g_strdup(vnc_auth_name(vd));
237     if (err) {
238         qapi_free_VncServerInfo(info);
239         info = NULL;
240         error_free(err);
241     }
242     return info;
243 }
244 
245 static void vnc_client_cache_auth(VncState *client)
246 {
247     if (!client->info) {
248         return;
249     }
250 
251     if (client->tls) {
252         client->info->x509_dname =
253             qcrypto_tls_session_get_peer_name(client->tls);
254         client->info->has_x509_dname =
255             client->info->x509_dname != NULL;
256     }
257 #ifdef CONFIG_VNC_SASL
258     if (client->sasl.conn &&
259         client->sasl.username) {
260         client->info->has_sasl_username = true;
261         client->info->sasl_username = g_strdup(client->sasl.username);
262     }
263 #endif
264 }
265 
266 static void vnc_client_cache_addr(VncState *client)
267 {
268     Error *err = NULL;
269 
270     client->info = g_malloc0(sizeof(*client->info));
271     vnc_init_basic_info_from_remote_addr(client->sioc,
272                                          qapi_VncClientInfo_base(client->info),
273                                          &err);
274     if (err) {
275         qapi_free_VncClientInfo(client->info);
276         client->info = NULL;
277         error_free(err);
278     }
279 }
280 
281 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
282 {
283     VncServerInfo *si;
284 
285     if (!vs->info) {
286         return;
287     }
288 
289     si = vnc_server_info_get(vs->vd);
290     if (!si) {
291         return;
292     }
293 
294     switch (event) {
295     case QAPI_EVENT_VNC_CONNECTED:
296         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info),
297                                       &error_abort);
298         break;
299     case QAPI_EVENT_VNC_INITIALIZED:
300         qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
301         break;
302     case QAPI_EVENT_VNC_DISCONNECTED:
303         qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
304         break;
305     default:
306         break;
307     }
308 
309     qapi_free_VncServerInfo(si);
310 }
311 
312 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
313 {
314     VncClientInfo *info;
315     Error *err = NULL;
316 
317     info = g_malloc0(sizeof(*info));
318 
319     vnc_init_basic_info_from_remote_addr(client->sioc,
320                                          qapi_VncClientInfo_base(info),
321                                          &err);
322     if (err) {
323         error_free(err);
324         qapi_free_VncClientInfo(info);
325         return NULL;
326     }
327 
328     info->websocket = client->websocket;
329 
330     if (client->tls) {
331         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
332         info->has_x509_dname = info->x509_dname != NULL;
333     }
334 #ifdef CONFIG_VNC_SASL
335     if (client->sasl.conn && client->sasl.username) {
336         info->has_sasl_username = true;
337         info->sasl_username = g_strdup(client->sasl.username);
338     }
339 #endif
340 
341     return info;
342 }
343 
344 static VncDisplay *vnc_display_find(const char *id)
345 {
346     VncDisplay *vd;
347 
348     if (id == NULL) {
349         return QTAILQ_FIRST(&vnc_displays);
350     }
351     QTAILQ_FOREACH(vd, &vnc_displays, next) {
352         if (strcmp(id, vd->id) == 0) {
353             return vd;
354         }
355     }
356     return NULL;
357 }
358 
359 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
360 {
361     VncClientInfoList *cinfo, *prev = NULL;
362     VncState *client;
363 
364     QTAILQ_FOREACH(client, &vd->clients, next) {
365         cinfo = g_new0(VncClientInfoList, 1);
366         cinfo->value = qmp_query_vnc_client(client);
367         cinfo->next = prev;
368         prev = cinfo;
369     }
370     return prev;
371 }
372 
373 VncInfo *qmp_query_vnc(Error **errp)
374 {
375     VncInfo *info = g_malloc0(sizeof(*info));
376     VncDisplay *vd = vnc_display_find(NULL);
377     SocketAddress *addr = NULL;
378 
379     if (vd == NULL || !vd->nlsock) {
380         info->enabled = false;
381     } else {
382         info->enabled = true;
383 
384         /* for compatibility with the original command */
385         info->has_clients = true;
386         info->clients = qmp_query_client_list(vd);
387 
388         if (vd->lsock == NULL) {
389             return info;
390         }
391 
392         addr = qio_channel_socket_get_local_address(vd->lsock[0], errp);
393         if (!addr) {
394             goto out_error;
395         }
396 
397         switch (addr->type) {
398         case SOCKET_ADDRESS_KIND_INET:
399             info->host = g_strdup(addr->u.inet.data->host);
400             info->service = g_strdup(addr->u.inet.data->port);
401             if (addr->u.inet.data->ipv6) {
402                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
403             } else {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
405             }
406             break;
407 
408         case SOCKET_ADDRESS_KIND_UNIX:
409             info->host = g_strdup("");
410             info->service = g_strdup(addr->u.q_unix.data->path);
411             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
412             break;
413 
414         default:
415             error_setg(errp, "Unsupported socket kind %d",
416                        addr->type);
417             goto out_error;
418         }
419 
420         info->has_host = true;
421         info->has_service = true;
422         info->has_family = true;
423 
424         info->has_auth = true;
425         info->auth = g_strdup(vnc_auth_name(vd));
426     }
427 
428     qapi_free_SocketAddress(addr);
429     return info;
430 
431 out_error:
432     qapi_free_SocketAddress(addr);
433     qapi_free_VncInfo(info);
434     return NULL;
435 }
436 
437 
438 static void qmp_query_auth(int auth, int subauth,
439                            VncPrimaryAuth *qmp_auth,
440                            VncVencryptSubAuth *qmp_vencrypt,
441                            bool *qmp_has_vencrypt);
442 
443 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
444                                                   bool websocket,
445                                                   int auth,
446                                                   int subauth,
447                                                   VncServerInfo2List *prev)
448 {
449     VncServerInfo2List *list;
450     VncServerInfo2 *info;
451     Error *err = NULL;
452     SocketAddress *addr;
453 
454     addr = qio_channel_socket_get_local_address(ioc, &err);
455     if (!addr) {
456         error_free(err);
457         return prev;
458     }
459 
460     info = g_new0(VncServerInfo2, 1);
461     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
462     qapi_free_SocketAddress(addr);
463     if (err) {
464         qapi_free_VncServerInfo2(info);
465         error_free(err);
466         return prev;
467     }
468     info->websocket = websocket;
469 
470     qmp_query_auth(auth, subauth, &info->auth,
471                    &info->vencrypt, &info->has_vencrypt);
472 
473     list = g_new0(VncServerInfo2List, 1);
474     list->value = info;
475     list->next = prev;
476     return list;
477 }
478 
479 static void qmp_query_auth(int auth, int subauth,
480                            VncPrimaryAuth *qmp_auth,
481                            VncVencryptSubAuth *qmp_vencrypt,
482                            bool *qmp_has_vencrypt)
483 {
484     switch (auth) {
485     case VNC_AUTH_VNC:
486         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
487         break;
488     case VNC_AUTH_RA2:
489         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
490         break;
491     case VNC_AUTH_RA2NE:
492         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
493         break;
494     case VNC_AUTH_TIGHT:
495         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
496         break;
497     case VNC_AUTH_ULTRA:
498         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
499         break;
500     case VNC_AUTH_TLS:
501         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
502         break;
503     case VNC_AUTH_VENCRYPT:
504         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
505         *qmp_has_vencrypt = true;
506         switch (subauth) {
507         case VNC_AUTH_VENCRYPT_PLAIN:
508             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
509             break;
510         case VNC_AUTH_VENCRYPT_TLSNONE:
511             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
512             break;
513         case VNC_AUTH_VENCRYPT_TLSVNC:
514             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
515             break;
516         case VNC_AUTH_VENCRYPT_TLSPLAIN:
517             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
518             break;
519         case VNC_AUTH_VENCRYPT_X509NONE:
520             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
521             break;
522         case VNC_AUTH_VENCRYPT_X509VNC:
523             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
524             break;
525         case VNC_AUTH_VENCRYPT_X509PLAIN:
526             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
527             break;
528         case VNC_AUTH_VENCRYPT_TLSSASL:
529             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
530             break;
531         case VNC_AUTH_VENCRYPT_X509SASL:
532             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
533             break;
534         default:
535             *qmp_has_vencrypt = false;
536             break;
537         }
538         break;
539     case VNC_AUTH_SASL:
540         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
541         break;
542     case VNC_AUTH_NONE:
543     default:
544         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
545         break;
546     }
547 }
548 
549 VncInfo2List *qmp_query_vnc_servers(Error **errp)
550 {
551     VncInfo2List *item, *prev = NULL;
552     VncInfo2 *info;
553     VncDisplay *vd;
554     DeviceState *dev;
555     size_t i;
556 
557     QTAILQ_FOREACH(vd, &vnc_displays, next) {
558         info = g_new0(VncInfo2, 1);
559         info->id = g_strdup(vd->id);
560         info->clients = qmp_query_client_list(vd);
561         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
562                        &info->vencrypt, &info->has_vencrypt);
563         if (vd->dcl.con) {
564             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
565                                                   "device", NULL));
566             info->has_display = true;
567             info->display = g_strdup(dev->id);
568         }
569         for (i = 0; i < vd->nlsock; i++) {
570             info->server = qmp_query_server_entry(
571                 vd->lsock[i], false, vd->auth, vd->subauth, info->server);
572         }
573         for (i = 0; i < vd->nlwebsock; i++) {
574             info->server = qmp_query_server_entry(
575                 vd->lwebsock[i], true, vd->ws_auth,
576                 vd->ws_subauth, info->server);
577         }
578 
579         item = g_new0(VncInfo2List, 1);
580         item->value = info;
581         item->next = prev;
582         prev = item;
583     }
584     return prev;
585 }
586 
587 /* TODO
588    1) Get the queue working for IO.
589    2) there is some weirdness when using the -S option (the screen is grey
590       and not totally invalidated
591    3) resolutions > 1024
592 */
593 
594 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
595 static void vnc_disconnect_start(VncState *vs);
596 
597 static void vnc_colordepth(VncState *vs);
598 static void framebuffer_update_request(VncState *vs, int incremental,
599                                        int x_position, int y_position,
600                                        int w, int h);
601 static void vnc_refresh(DisplayChangeListener *dcl);
602 static int vnc_refresh_server_surface(VncDisplay *vd);
603 
604 static int vnc_width(VncDisplay *vd)
605 {
606     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
607                                        VNC_DIRTY_PIXELS_PER_BIT));
608 }
609 
610 static int vnc_height(VncDisplay *vd)
611 {
612     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
613 }
614 
615 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
616                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
617                                VncDisplay *vd,
618                                int x, int y, int w, int h)
619 {
620     int width = vnc_width(vd);
621     int height = vnc_height(vd);
622 
623     /* this is needed this to ensure we updated all affected
624      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
625     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
626     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
627 
628     x = MIN(x, width);
629     y = MIN(y, height);
630     w = MIN(x + w, width) - x;
631     h = MIN(y + h, height);
632 
633     for (; y < h; y++) {
634         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
635                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
636     }
637 }
638 
639 static void vnc_dpy_update(DisplayChangeListener *dcl,
640                            int x, int y, int w, int h)
641 {
642     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
643     struct VncSurface *s = &vd->guest;
644 
645     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
646 }
647 
648 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
649                             int32_t encoding)
650 {
651     vnc_write_u16(vs, x);
652     vnc_write_u16(vs, y);
653     vnc_write_u16(vs, w);
654     vnc_write_u16(vs, h);
655 
656     vnc_write_s32(vs, encoding);
657 }
658 
659 
660 static void vnc_desktop_resize(VncState *vs)
661 {
662     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
663         return;
664     }
665     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
666         vs->client_height == pixman_image_get_height(vs->vd->server)) {
667         return;
668     }
669     vs->client_width = pixman_image_get_width(vs->vd->server);
670     vs->client_height = pixman_image_get_height(vs->vd->server);
671     vnc_lock_output(vs);
672     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
673     vnc_write_u8(vs, 0);
674     vnc_write_u16(vs, 1); /* number of rects */
675     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
676                            VNC_ENCODING_DESKTOPRESIZE);
677     vnc_unlock_output(vs);
678     vnc_flush(vs);
679 }
680 
681 static void vnc_abort_display_jobs(VncDisplay *vd)
682 {
683     VncState *vs;
684 
685     QTAILQ_FOREACH(vs, &vd->clients, next) {
686         vnc_lock_output(vs);
687         vs->abort = true;
688         vnc_unlock_output(vs);
689     }
690     QTAILQ_FOREACH(vs, &vd->clients, next) {
691         vnc_jobs_join(vs);
692     }
693     QTAILQ_FOREACH(vs, &vd->clients, next) {
694         vnc_lock_output(vs);
695         vs->abort = false;
696         vnc_unlock_output(vs);
697     }
698 }
699 
700 int vnc_server_fb_stride(VncDisplay *vd)
701 {
702     return pixman_image_get_stride(vd->server);
703 }
704 
705 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
706 {
707     uint8_t *ptr;
708 
709     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
710     ptr += y * vnc_server_fb_stride(vd);
711     ptr += x * VNC_SERVER_FB_BYTES;
712     return ptr;
713 }
714 
715 static void vnc_update_server_surface(VncDisplay *vd)
716 {
717     int width, height;
718 
719     qemu_pixman_image_unref(vd->server);
720     vd->server = NULL;
721 
722     if (QTAILQ_EMPTY(&vd->clients)) {
723         return;
724     }
725 
726     width = vnc_width(vd);
727     height = vnc_height(vd);
728     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
729                                           width, height,
730                                           NULL, 0);
731 
732     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
733     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
734                        width, height);
735 }
736 
737 static void vnc_dpy_switch(DisplayChangeListener *dcl,
738                            DisplaySurface *surface)
739 {
740     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
741     VncState *vs;
742 
743     vnc_abort_display_jobs(vd);
744     vd->ds = surface;
745 
746     /* server surface */
747     vnc_update_server_surface(vd);
748 
749     /* guest surface */
750     qemu_pixman_image_unref(vd->guest.fb);
751     vd->guest.fb = pixman_image_ref(surface->image);
752     vd->guest.format = surface->format;
753 
754     QTAILQ_FOREACH(vs, &vd->clients, next) {
755         vnc_colordepth(vs);
756         vnc_desktop_resize(vs);
757         if (vs->vd->cursor) {
758             vnc_cursor_define(vs);
759         }
760         memset(vs->dirty, 0x00, sizeof(vs->dirty));
761         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
762                            vnc_width(vd),
763                            vnc_height(vd));
764     }
765 }
766 
767 /* fastest code */
768 static void vnc_write_pixels_copy(VncState *vs,
769                                   void *pixels, int size)
770 {
771     vnc_write(vs, pixels, size);
772 }
773 
774 /* slowest but generic code. */
775 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
776 {
777     uint8_t r, g, b;
778 
779 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
780     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
781     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
782     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
783 #else
784 # error need some bits here if you change VNC_SERVER_FB_FORMAT
785 #endif
786     v = (r << vs->client_pf.rshift) |
787         (g << vs->client_pf.gshift) |
788         (b << vs->client_pf.bshift);
789     switch (vs->client_pf.bytes_per_pixel) {
790     case 1:
791         buf[0] = v;
792         break;
793     case 2:
794         if (vs->client_be) {
795             buf[0] = v >> 8;
796             buf[1] = v;
797         } else {
798             buf[1] = v >> 8;
799             buf[0] = v;
800         }
801         break;
802     default:
803     case 4:
804         if (vs->client_be) {
805             buf[0] = v >> 24;
806             buf[1] = v >> 16;
807             buf[2] = v >> 8;
808             buf[3] = v;
809         } else {
810             buf[3] = v >> 24;
811             buf[2] = v >> 16;
812             buf[1] = v >> 8;
813             buf[0] = v;
814         }
815         break;
816     }
817 }
818 
819 static void vnc_write_pixels_generic(VncState *vs,
820                                      void *pixels1, int size)
821 {
822     uint8_t buf[4];
823 
824     if (VNC_SERVER_FB_BYTES == 4) {
825         uint32_t *pixels = pixels1;
826         int n, i;
827         n = size >> 2;
828         for (i = 0; i < n; i++) {
829             vnc_convert_pixel(vs, buf, pixels[i]);
830             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
831         }
832     }
833 }
834 
835 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
836 {
837     int i;
838     uint8_t *row;
839     VncDisplay *vd = vs->vd;
840 
841     row = vnc_server_fb_ptr(vd, x, y);
842     for (i = 0; i < h; i++) {
843         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
844         row += vnc_server_fb_stride(vd);
845     }
846     return 1;
847 }
848 
849 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
850 {
851     int n = 0;
852     bool encode_raw = false;
853     size_t saved_offs = vs->output.offset;
854 
855     switch(vs->vnc_encoding) {
856         case VNC_ENCODING_ZLIB:
857             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
858             break;
859         case VNC_ENCODING_HEXTILE:
860             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
861             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
862             break;
863         case VNC_ENCODING_TIGHT:
864             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
865             break;
866         case VNC_ENCODING_TIGHT_PNG:
867             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
868             break;
869         case VNC_ENCODING_ZRLE:
870             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
871             break;
872         case VNC_ENCODING_ZYWRLE:
873             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
874             break;
875         default:
876             encode_raw = true;
877             break;
878     }
879 
880     /* If the client has the same pixel format as our internal buffer and
881      * a RAW encoding would need less space fall back to RAW encoding to
882      * save bandwidth and processing power in the client. */
883     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
884         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
885         vs->output.offset = saved_offs;
886         encode_raw = true;
887     }
888 
889     if (encode_raw) {
890         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
891         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
892     }
893 
894     return n;
895 }
896 
897 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
898 {
899     /* send bitblit op to the vnc client */
900     vnc_lock_output(vs);
901     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
902     vnc_write_u8(vs, 0);
903     vnc_write_u16(vs, 1); /* number of rects */
904     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
905     vnc_write_u16(vs, src_x);
906     vnc_write_u16(vs, src_y);
907     vnc_unlock_output(vs);
908     vnc_flush(vs);
909 }
910 
911 static void vnc_dpy_copy(DisplayChangeListener *dcl,
912                          int src_x, int src_y,
913                          int dst_x, int dst_y, int w, int h)
914 {
915     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
916     VncState *vs, *vn;
917     uint8_t *src_row;
918     uint8_t *dst_row;
919     int i, x, y, pitch, inc, w_lim, s;
920     int cmp_bytes;
921 
922     if (!vd->server) {
923         /* no client connected */
924         return;
925     }
926 
927     vnc_refresh_server_surface(vd);
928     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
929         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
930             vs->force_update = 1;
931             vnc_update_client(vs, 1, true);
932             /* vs might be free()ed here */
933         }
934     }
935 
936     if (!vd->server) {
937         /* no client connected */
938         return;
939     }
940     /* do bitblit op on the local surface too */
941     pitch = vnc_server_fb_stride(vd);
942     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
943     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
944     y = dst_y;
945     inc = 1;
946     if (dst_y > src_y) {
947         /* copy backwards */
948         src_row += pitch * (h-1);
949         dst_row += pitch * (h-1);
950         pitch = -pitch;
951         y = dst_y + h - 1;
952         inc = -1;
953     }
954     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
955     if (w_lim < 0) {
956         w_lim = w;
957     } else {
958         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
959     }
960     for (i = 0; i < h; i++) {
961         for (x = 0; x <= w_lim;
962                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
963             if (x == w_lim) {
964                 if ((s = w - w_lim) == 0)
965                     break;
966             } else if (!x) {
967                 s = (VNC_DIRTY_PIXELS_PER_BIT -
968                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
969                 s = MIN(s, w_lim);
970             } else {
971                 s = VNC_DIRTY_PIXELS_PER_BIT;
972             }
973             cmp_bytes = s * VNC_SERVER_FB_BYTES;
974             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
975                 continue;
976             memmove(dst_row, src_row, cmp_bytes);
977             QTAILQ_FOREACH(vs, &vd->clients, next) {
978                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
979                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
980                             vs->dirty[y]);
981                 }
982             }
983         }
984         src_row += pitch - w * VNC_SERVER_FB_BYTES;
985         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
986         y += inc;
987     }
988 
989     QTAILQ_FOREACH(vs, &vd->clients, next) {
990         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
991             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
992         }
993     }
994 }
995 
996 static void vnc_mouse_set(DisplayChangeListener *dcl,
997                           int x, int y, int visible)
998 {
999     /* can we ask the client(s) to move the pointer ??? */
1000 }
1001 
1002 static int vnc_cursor_define(VncState *vs)
1003 {
1004     QEMUCursor *c = vs->vd->cursor;
1005     int isize;
1006 
1007     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1008         vnc_lock_output(vs);
1009         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1010         vnc_write_u8(vs,  0);  /*  padding     */
1011         vnc_write_u16(vs, 1);  /*  # of rects  */
1012         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1013                                VNC_ENCODING_RICH_CURSOR);
1014         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1015         vnc_write_pixels_generic(vs, c->data, isize);
1016         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1017         vnc_unlock_output(vs);
1018         return 0;
1019     }
1020     return -1;
1021 }
1022 
1023 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1024                                   QEMUCursor *c)
1025 {
1026     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1027     VncState *vs;
1028 
1029     cursor_put(vd->cursor);
1030     g_free(vd->cursor_mask);
1031 
1032     vd->cursor = c;
1033     cursor_get(vd->cursor);
1034     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1035     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1036     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1037 
1038     QTAILQ_FOREACH(vs, &vd->clients, next) {
1039         vnc_cursor_define(vs);
1040     }
1041 }
1042 
1043 static int find_and_clear_dirty_height(VncState *vs,
1044                                        int y, int last_x, int x, int height)
1045 {
1046     int h;
1047 
1048     for (h = 1; h < (height - y); h++) {
1049         if (!test_bit(last_x, vs->dirty[y + h])) {
1050             break;
1051         }
1052         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1053     }
1054 
1055     return h;
1056 }
1057 
1058 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
1059 {
1060     if (vs->disconnecting) {
1061         vnc_disconnect_finish(vs);
1062         return 0;
1063     }
1064 
1065     vs->has_dirty += has_dirty;
1066     if (vs->need_update && !vs->disconnecting) {
1067         VncDisplay *vd = vs->vd;
1068         VncJob *job;
1069         int y;
1070         int height, width;
1071         int n = 0;
1072 
1073         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
1074             /* kernel send buffers are full -> drop frames to throttle */
1075             return 0;
1076 
1077         if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
1078             return 0;
1079 
1080         /*
1081          * Send screen updates to the vnc client using the server
1082          * surface and server dirty map.  guest surface updates
1083          * happening in parallel don't disturb us, the next pass will
1084          * send them to the client.
1085          */
1086         job = vnc_job_new(vs);
1087 
1088         height = pixman_image_get_height(vd->server);
1089         width = pixman_image_get_width(vd->server);
1090 
1091         y = 0;
1092         for (;;) {
1093             int x, h;
1094             unsigned long x2;
1095             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1096                                                  height * VNC_DIRTY_BPL(vs),
1097                                                  y * VNC_DIRTY_BPL(vs));
1098             if (offset == height * VNC_DIRTY_BPL(vs)) {
1099                 /* no more dirty bits */
1100                 break;
1101             }
1102             y = offset / VNC_DIRTY_BPL(vs);
1103             x = offset % VNC_DIRTY_BPL(vs);
1104             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1105                                     VNC_DIRTY_BPL(vs), x);
1106             bitmap_clear(vs->dirty[y], x, x2 - x);
1107             h = find_and_clear_dirty_height(vs, y, x, x2, height);
1108             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1109             if (x2 > x) {
1110                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1111                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1112             }
1113             if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1114                 y += h;
1115                 if (y == height) {
1116                     break;
1117                 }
1118             }
1119         }
1120 
1121         vnc_job_push(job);
1122         if (sync) {
1123             vnc_jobs_join(vs);
1124         }
1125         vs->force_update = 0;
1126         vs->has_dirty = 0;
1127         return n;
1128     }
1129 
1130     if (vs->disconnecting) {
1131         vnc_disconnect_finish(vs);
1132     } else if (sync) {
1133         vnc_jobs_join(vs);
1134     }
1135 
1136     return 0;
1137 }
1138 
1139 /* audio */
1140 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1141 {
1142     VncState *vs = opaque;
1143 
1144     switch (cmd) {
1145     case AUD_CNOTIFY_DISABLE:
1146         vnc_lock_output(vs);
1147         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1148         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1149         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1150         vnc_unlock_output(vs);
1151         vnc_flush(vs);
1152         break;
1153 
1154     case AUD_CNOTIFY_ENABLE:
1155         vnc_lock_output(vs);
1156         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1157         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1158         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1159         vnc_unlock_output(vs);
1160         vnc_flush(vs);
1161         break;
1162     }
1163 }
1164 
1165 static void audio_capture_destroy(void *opaque)
1166 {
1167 }
1168 
1169 static void audio_capture(void *opaque, void *buf, int size)
1170 {
1171     VncState *vs = opaque;
1172 
1173     vnc_lock_output(vs);
1174     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1175     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1176     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1177     vnc_write_u32(vs, size);
1178     vnc_write(vs, buf, size);
1179     vnc_unlock_output(vs);
1180     vnc_flush(vs);
1181 }
1182 
1183 static void audio_add(VncState *vs)
1184 {
1185     struct audio_capture_ops ops;
1186 
1187     if (vs->audio_cap) {
1188         error_report("audio already running");
1189         return;
1190     }
1191 
1192     ops.notify = audio_capture_notify;
1193     ops.destroy = audio_capture_destroy;
1194     ops.capture = audio_capture;
1195 
1196     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1197     if (!vs->audio_cap) {
1198         error_report("Failed to add audio capture");
1199     }
1200 }
1201 
1202 static void audio_del(VncState *vs)
1203 {
1204     if (vs->audio_cap) {
1205         AUD_del_capture(vs->audio_cap, vs);
1206         vs->audio_cap = NULL;
1207     }
1208 }
1209 
1210 static void vnc_disconnect_start(VncState *vs)
1211 {
1212     if (vs->disconnecting) {
1213         return;
1214     }
1215     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1216     if (vs->ioc_tag) {
1217         g_source_remove(vs->ioc_tag);
1218     }
1219     qio_channel_close(vs->ioc, NULL);
1220     vs->disconnecting = TRUE;
1221 }
1222 
1223 void vnc_disconnect_finish(VncState *vs)
1224 {
1225     int i;
1226 
1227     vnc_jobs_join(vs); /* Wait encoding jobs */
1228 
1229     vnc_lock_output(vs);
1230     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1231 
1232     buffer_free(&vs->input);
1233     buffer_free(&vs->output);
1234 
1235     qapi_free_VncClientInfo(vs->info);
1236 
1237     vnc_zlib_clear(vs);
1238     vnc_tight_clear(vs);
1239     vnc_zrle_clear(vs);
1240 
1241 #ifdef CONFIG_VNC_SASL
1242     vnc_sasl_client_cleanup(vs);
1243 #endif /* CONFIG_VNC_SASL */
1244     audio_del(vs);
1245     vnc_release_modifiers(vs);
1246 
1247     if (vs->mouse_mode_notifier.notify != NULL) {
1248         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1249     }
1250     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1251     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1252         /* last client gone */
1253         vnc_update_server_surface(vs->vd);
1254     }
1255 
1256     vnc_unlock_output(vs);
1257 
1258     qemu_mutex_destroy(&vs->output_mutex);
1259     if (vs->bh != NULL) {
1260         qemu_bh_delete(vs->bh);
1261     }
1262     buffer_free(&vs->jobs_buffer);
1263 
1264     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1265         g_free(vs->lossy_rect[i]);
1266     }
1267     g_free(vs->lossy_rect);
1268 
1269     object_unref(OBJECT(vs->ioc));
1270     vs->ioc = NULL;
1271     object_unref(OBJECT(vs->sioc));
1272     vs->sioc = NULL;
1273     g_free(vs);
1274 }
1275 
1276 ssize_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1277 {
1278     if (ret <= 0) {
1279         if (ret == 0) {
1280             VNC_DEBUG("Closing down client sock: EOF\n");
1281             vnc_disconnect_start(vs);
1282         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1283             VNC_DEBUG("Closing down client sock: ret %zd (%s)\n",
1284                       ret, errp ? error_get_pretty(*errp) : "Unknown");
1285             vnc_disconnect_start(vs);
1286         }
1287 
1288         if (errp) {
1289             error_free(*errp);
1290             *errp = NULL;
1291         }
1292         return 0;
1293     }
1294     return ret;
1295 }
1296 
1297 
1298 void vnc_client_error(VncState *vs)
1299 {
1300     VNC_DEBUG("Closing down client sock: protocol error\n");
1301     vnc_disconnect_start(vs);
1302 }
1303 
1304 
1305 /*
1306  * Called to write a chunk of data to the client socket. The data may
1307  * be the raw data, or may have already been encoded by SASL.
1308  * The data will be written either straight onto the socket, or
1309  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1310  *
1311  * NB, it is theoretically possible to have 2 layers of encryption,
1312  * both SASL, and this TLS layer. It is highly unlikely in practice
1313  * though, since SASL encryption will typically be a no-op if TLS
1314  * is active
1315  *
1316  * Returns the number of bytes written, which may be less than
1317  * the requested 'datalen' if the socket would block. Returns
1318  * -1 on error, and disconnects the client socket.
1319  */
1320 ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1321 {
1322     Error *err = NULL;
1323     ssize_t ret;
1324     ret = qio_channel_write(
1325         vs->ioc, (const char *)data, datalen, &err);
1326     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1327     return vnc_client_io_error(vs, ret, &err);
1328 }
1329 
1330 
1331 /*
1332  * Called to write buffered data to the client socket, when not
1333  * using any SASL SSF encryption layers. Will write as much data
1334  * as possible without blocking. If all buffered data is written,
1335  * will switch the FD poll() handler back to read monitoring.
1336  *
1337  * Returns the number of bytes written, which may be less than
1338  * the buffered output data if the socket would block. Returns
1339  * -1 on error, and disconnects the client socket.
1340  */
1341 static ssize_t vnc_client_write_plain(VncState *vs)
1342 {
1343     ssize_t ret;
1344 
1345 #ifdef CONFIG_VNC_SASL
1346     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1347               vs->output.buffer, vs->output.capacity, vs->output.offset,
1348               vs->sasl.waitWriteSSF);
1349 
1350     if (vs->sasl.conn &&
1351         vs->sasl.runSSF &&
1352         vs->sasl.waitWriteSSF) {
1353         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1354         if (ret)
1355             vs->sasl.waitWriteSSF -= ret;
1356     } else
1357 #endif /* CONFIG_VNC_SASL */
1358         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1359     if (!ret)
1360         return 0;
1361 
1362     buffer_advance(&vs->output, ret);
1363 
1364     if (vs->output.offset == 0) {
1365         if (vs->ioc_tag) {
1366             g_source_remove(vs->ioc_tag);
1367         }
1368         vs->ioc_tag = qio_channel_add_watch(
1369             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1370     }
1371 
1372     return ret;
1373 }
1374 
1375 
1376 /*
1377  * First function called whenever there is data to be written to
1378  * the client socket. Will delegate actual work according to whether
1379  * SASL SSF layers are enabled (thus requiring encryption calls)
1380  */
1381 static void vnc_client_write_locked(VncState *vs)
1382 {
1383 #ifdef CONFIG_VNC_SASL
1384     if (vs->sasl.conn &&
1385         vs->sasl.runSSF &&
1386         !vs->sasl.waitWriteSSF) {
1387         vnc_client_write_sasl(vs);
1388     } else
1389 #endif /* CONFIG_VNC_SASL */
1390     {
1391         vnc_client_write_plain(vs);
1392     }
1393 }
1394 
1395 static void vnc_client_write(VncState *vs)
1396 {
1397 
1398     vnc_lock_output(vs);
1399     if (vs->output.offset) {
1400         vnc_client_write_locked(vs);
1401     } else if (vs->ioc != NULL) {
1402         if (vs->ioc_tag) {
1403             g_source_remove(vs->ioc_tag);
1404         }
1405         vs->ioc_tag = qio_channel_add_watch(
1406             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1407     }
1408     vnc_unlock_output(vs);
1409 }
1410 
1411 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1412 {
1413     vs->read_handler = func;
1414     vs->read_handler_expect = expecting;
1415 }
1416 
1417 
1418 /*
1419  * Called to read a chunk of data from the client socket. The data may
1420  * be the raw data, or may need to be further decoded by SASL.
1421  * The data will be read either straight from to the socket, or
1422  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1423  *
1424  * NB, it is theoretically possible to have 2 layers of encryption,
1425  * both SASL, and this TLS layer. It is highly unlikely in practice
1426  * though, since SASL encryption will typically be a no-op if TLS
1427  * is active
1428  *
1429  * Returns the number of bytes read, which may be less than
1430  * the requested 'datalen' if the socket would block. Returns
1431  * -1 on error, and disconnects the client socket.
1432  */
1433 ssize_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1434 {
1435     ssize_t ret;
1436     Error *err = NULL;
1437     ret = qio_channel_read(
1438         vs->ioc, (char *)data, datalen, &err);
1439     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1440     return vnc_client_io_error(vs, ret, &err);
1441 }
1442 
1443 
1444 /*
1445  * Called to read data from the client socket to the input buffer,
1446  * when not using any SASL SSF encryption layers. Will read as much
1447  * data as possible without blocking.
1448  *
1449  * Returns the number of bytes read. Returns -1 on error, and
1450  * disconnects the client socket.
1451  */
1452 static ssize_t vnc_client_read_plain(VncState *vs)
1453 {
1454     ssize_t ret;
1455     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1456               vs->input.buffer, vs->input.capacity, vs->input.offset);
1457     buffer_reserve(&vs->input, 4096);
1458     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1459     if (!ret)
1460         return 0;
1461     vs->input.offset += ret;
1462     return ret;
1463 }
1464 
1465 static void vnc_jobs_bh(void *opaque)
1466 {
1467     VncState *vs = opaque;
1468 
1469     vnc_jobs_consume_buffer(vs);
1470 }
1471 
1472 /*
1473  * First function called whenever there is more data to be read from
1474  * the client socket. Will delegate actual work according to whether
1475  * SASL SSF layers are enabled (thus requiring decryption calls)
1476  * Returns 0 on success, -1 if client disconnected
1477  */
1478 static int vnc_client_read(VncState *vs)
1479 {
1480     ssize_t ret;
1481 
1482 #ifdef CONFIG_VNC_SASL
1483     if (vs->sasl.conn && vs->sasl.runSSF)
1484         ret = vnc_client_read_sasl(vs);
1485     else
1486 #endif /* CONFIG_VNC_SASL */
1487         ret = vnc_client_read_plain(vs);
1488     if (!ret) {
1489         if (vs->disconnecting) {
1490             vnc_disconnect_finish(vs);
1491             return -1;
1492         }
1493         return 0;
1494     }
1495 
1496     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1497         size_t len = vs->read_handler_expect;
1498         int ret;
1499 
1500         ret = vs->read_handler(vs, vs->input.buffer, len);
1501         if (vs->disconnecting) {
1502             vnc_disconnect_finish(vs);
1503             return -1;
1504         }
1505 
1506         if (!ret) {
1507             buffer_advance(&vs->input, len);
1508         } else {
1509             vs->read_handler_expect = ret;
1510         }
1511     }
1512     return 0;
1513 }
1514 
1515 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1516                        GIOCondition condition, void *opaque)
1517 {
1518     VncState *vs = opaque;
1519     if (condition & G_IO_IN) {
1520         if (vnc_client_read(vs) < 0) {
1521             return TRUE;
1522         }
1523     }
1524     if (condition & G_IO_OUT) {
1525         vnc_client_write(vs);
1526     }
1527     return TRUE;
1528 }
1529 
1530 
1531 void vnc_write(VncState *vs, const void *data, size_t len)
1532 {
1533     buffer_reserve(&vs->output, len);
1534 
1535     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1536         if (vs->ioc_tag) {
1537             g_source_remove(vs->ioc_tag);
1538         }
1539         vs->ioc_tag = qio_channel_add_watch(
1540             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1541     }
1542 
1543     buffer_append(&vs->output, data, len);
1544 }
1545 
1546 void vnc_write_s32(VncState *vs, int32_t value)
1547 {
1548     vnc_write_u32(vs, *(uint32_t *)&value);
1549 }
1550 
1551 void vnc_write_u32(VncState *vs, uint32_t value)
1552 {
1553     uint8_t buf[4];
1554 
1555     buf[0] = (value >> 24) & 0xFF;
1556     buf[1] = (value >> 16) & 0xFF;
1557     buf[2] = (value >>  8) & 0xFF;
1558     buf[3] = value & 0xFF;
1559 
1560     vnc_write(vs, buf, 4);
1561 }
1562 
1563 void vnc_write_u16(VncState *vs, uint16_t value)
1564 {
1565     uint8_t buf[2];
1566 
1567     buf[0] = (value >> 8) & 0xFF;
1568     buf[1] = value & 0xFF;
1569 
1570     vnc_write(vs, buf, 2);
1571 }
1572 
1573 void vnc_write_u8(VncState *vs, uint8_t value)
1574 {
1575     vnc_write(vs, (char *)&value, 1);
1576 }
1577 
1578 void vnc_flush(VncState *vs)
1579 {
1580     vnc_lock_output(vs);
1581     if (vs->ioc != NULL && vs->output.offset) {
1582         vnc_client_write_locked(vs);
1583     }
1584     vnc_unlock_output(vs);
1585 }
1586 
1587 static uint8_t read_u8(uint8_t *data, size_t offset)
1588 {
1589     return data[offset];
1590 }
1591 
1592 static uint16_t read_u16(uint8_t *data, size_t offset)
1593 {
1594     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1595 }
1596 
1597 static int32_t read_s32(uint8_t *data, size_t offset)
1598 {
1599     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1600                      (data[offset + 2] << 8) | data[offset + 3]);
1601 }
1602 
1603 uint32_t read_u32(uint8_t *data, size_t offset)
1604 {
1605     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1606             (data[offset + 2] << 8) | data[offset + 3]);
1607 }
1608 
1609 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1610 {
1611 }
1612 
1613 static void check_pointer_type_change(Notifier *notifier, void *data)
1614 {
1615     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1616     int absolute = qemu_input_is_absolute();
1617 
1618     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1619         vnc_lock_output(vs);
1620         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1621         vnc_write_u8(vs, 0);
1622         vnc_write_u16(vs, 1);
1623         vnc_framebuffer_update(vs, absolute, 0,
1624                                pixman_image_get_width(vs->vd->server),
1625                                pixman_image_get_height(vs->vd->server),
1626                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1627         vnc_unlock_output(vs);
1628         vnc_flush(vs);
1629     }
1630     vs->absolute = absolute;
1631 }
1632 
1633 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1634 {
1635     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1636         [INPUT_BUTTON_LEFT]       = 0x01,
1637         [INPUT_BUTTON_MIDDLE]     = 0x02,
1638         [INPUT_BUTTON_RIGHT]      = 0x04,
1639         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1640         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1641     };
1642     QemuConsole *con = vs->vd->dcl.con;
1643     int width = pixman_image_get_width(vs->vd->server);
1644     int height = pixman_image_get_height(vs->vd->server);
1645 
1646     if (vs->last_bmask != button_mask) {
1647         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1648         vs->last_bmask = button_mask;
1649     }
1650 
1651     if (vs->absolute) {
1652         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1653         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1654     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1655         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1656         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1657     } else {
1658         if (vs->last_x != -1) {
1659             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1660             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1661         }
1662         vs->last_x = x;
1663         vs->last_y = y;
1664     }
1665     qemu_input_event_sync();
1666 }
1667 
1668 static void reset_keys(VncState *vs)
1669 {
1670     int i;
1671     for(i = 0; i < 256; i++) {
1672         if (vs->modifiers_state[i]) {
1673             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1674             qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1675             vs->modifiers_state[i] = 0;
1676         }
1677     }
1678 }
1679 
1680 static void press_key(VncState *vs, int keysym)
1681 {
1682     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1683     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1684     qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1685     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1686     qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1687 }
1688 
1689 static void vnc_led_state_change(VncState *vs)
1690 {
1691     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1692         return;
1693     }
1694 
1695     vnc_lock_output(vs);
1696     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1697     vnc_write_u8(vs, 0);
1698     vnc_write_u16(vs, 1);
1699     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1700     vnc_write_u8(vs, vs->vd->ledstate);
1701     vnc_unlock_output(vs);
1702     vnc_flush(vs);
1703 }
1704 
1705 static void kbd_leds(void *opaque, int ledstate)
1706 {
1707     VncDisplay *vd = opaque;
1708     VncState *client;
1709 
1710     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1711                              (ledstate & QEMU_NUM_LOCK_LED),
1712                              (ledstate & QEMU_SCROLL_LOCK_LED));
1713 
1714     if (ledstate == vd->ledstate) {
1715         return;
1716     }
1717 
1718     vd->ledstate = ledstate;
1719 
1720     QTAILQ_FOREACH(client, &vd->clients, next) {
1721         vnc_led_state_change(client);
1722     }
1723 }
1724 
1725 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1726 {
1727     /* QEMU console switch */
1728     switch(keycode) {
1729     case 0x2a:                          /* Left Shift */
1730     case 0x36:                          /* Right Shift */
1731     case 0x1d:                          /* Left CTRL */
1732     case 0x9d:                          /* Right CTRL */
1733     case 0x38:                          /* Left ALT */
1734     case 0xb8:                          /* Right ALT */
1735         if (down)
1736             vs->modifiers_state[keycode] = 1;
1737         else
1738             vs->modifiers_state[keycode] = 0;
1739         break;
1740     case 0x02 ... 0x0a: /* '1' to '9' keys */
1741         if (vs->vd->dcl.con == NULL &&
1742             down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1743             /* Reset the modifiers sent to the current console */
1744             reset_keys(vs);
1745             console_select(keycode - 0x02);
1746             return;
1747         }
1748         break;
1749     case 0x3a:                        /* CapsLock */
1750     case 0x45:                        /* NumLock */
1751         if (down)
1752             vs->modifiers_state[keycode] ^= 1;
1753         break;
1754     }
1755 
1756     /* Turn off the lock state sync logic if the client support the led
1757        state extension.
1758     */
1759     if (down && vs->vd->lock_key_sync &&
1760         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1761         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1762         /* If the numlock state needs to change then simulate an additional
1763            keypress before sending this one.  This will happen if the user
1764            toggles numlock away from the VNC window.
1765         */
1766         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1767             if (!vs->modifiers_state[0x45]) {
1768                 trace_vnc_key_sync_numlock(true);
1769                 vs->modifiers_state[0x45] = 1;
1770                 press_key(vs, 0xff7f);
1771             }
1772         } else {
1773             if (vs->modifiers_state[0x45]) {
1774                 trace_vnc_key_sync_numlock(false);
1775                 vs->modifiers_state[0x45] = 0;
1776                 press_key(vs, 0xff7f);
1777             }
1778         }
1779     }
1780 
1781     if (down && vs->vd->lock_key_sync &&
1782         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1783         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1784         /* If the capslock state needs to change then simulate an additional
1785            keypress before sending this one.  This will happen if the user
1786            toggles capslock away from the VNC window.
1787         */
1788         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1789         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1790         int capslock = !!(vs->modifiers_state[0x3a]);
1791         if (capslock) {
1792             if (uppercase == shift) {
1793                 trace_vnc_key_sync_capslock(false);
1794                 vs->modifiers_state[0x3a] = 0;
1795                 press_key(vs, 0xffe5);
1796             }
1797         } else {
1798             if (uppercase != shift) {
1799                 trace_vnc_key_sync_capslock(true);
1800                 vs->modifiers_state[0x3a] = 1;
1801                 press_key(vs, 0xffe5);
1802             }
1803         }
1804     }
1805 
1806     if (qemu_console_is_graphic(NULL)) {
1807         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1808         qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1809     } else {
1810         bool numlock = vs->modifiers_state[0x45];
1811         bool control = (vs->modifiers_state[0x1d] ||
1812                         vs->modifiers_state[0x9d]);
1813         /* QEMU console emulation */
1814         if (down) {
1815             switch (keycode) {
1816             case 0x2a:                          /* Left Shift */
1817             case 0x36:                          /* Right Shift */
1818             case 0x1d:                          /* Left CTRL */
1819             case 0x9d:                          /* Right CTRL */
1820             case 0x38:                          /* Left ALT */
1821             case 0xb8:                          /* Right ALT */
1822                 break;
1823             case 0xc8:
1824                 kbd_put_keysym(QEMU_KEY_UP);
1825                 break;
1826             case 0xd0:
1827                 kbd_put_keysym(QEMU_KEY_DOWN);
1828                 break;
1829             case 0xcb:
1830                 kbd_put_keysym(QEMU_KEY_LEFT);
1831                 break;
1832             case 0xcd:
1833                 kbd_put_keysym(QEMU_KEY_RIGHT);
1834                 break;
1835             case 0xd3:
1836                 kbd_put_keysym(QEMU_KEY_DELETE);
1837                 break;
1838             case 0xc7:
1839                 kbd_put_keysym(QEMU_KEY_HOME);
1840                 break;
1841             case 0xcf:
1842                 kbd_put_keysym(QEMU_KEY_END);
1843                 break;
1844             case 0xc9:
1845                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1846                 break;
1847             case 0xd1:
1848                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1849                 break;
1850 
1851             case 0x47:
1852                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1853                 break;
1854             case 0x48:
1855                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1856                 break;
1857             case 0x49:
1858                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1859                 break;
1860             case 0x4b:
1861                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1862                 break;
1863             case 0x4c:
1864                 kbd_put_keysym('5');
1865                 break;
1866             case 0x4d:
1867                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1868                 break;
1869             case 0x4f:
1870                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1871                 break;
1872             case 0x50:
1873                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1874                 break;
1875             case 0x51:
1876                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1877                 break;
1878             case 0x52:
1879                 kbd_put_keysym('0');
1880                 break;
1881             case 0x53:
1882                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1883                 break;
1884 
1885             case 0xb5:
1886                 kbd_put_keysym('/');
1887                 break;
1888             case 0x37:
1889                 kbd_put_keysym('*');
1890                 break;
1891             case 0x4a:
1892                 kbd_put_keysym('-');
1893                 break;
1894             case 0x4e:
1895                 kbd_put_keysym('+');
1896                 break;
1897             case 0x9c:
1898                 kbd_put_keysym('\n');
1899                 break;
1900 
1901             default:
1902                 if (control) {
1903                     kbd_put_keysym(sym & 0x1f);
1904                 } else {
1905                     kbd_put_keysym(sym);
1906                 }
1907                 break;
1908             }
1909         }
1910     }
1911 }
1912 
1913 static void vnc_release_modifiers(VncState *vs)
1914 {
1915     static const int keycodes[] = {
1916         /* shift, control, alt keys, both left & right */
1917         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1918     };
1919     int i, keycode;
1920 
1921     if (!qemu_console_is_graphic(NULL)) {
1922         return;
1923     }
1924     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1925         keycode = keycodes[i];
1926         if (!vs->modifiers_state[keycode]) {
1927             continue;
1928         }
1929         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1930         qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1931     }
1932 }
1933 
1934 static const char *code2name(int keycode)
1935 {
1936     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
1937 }
1938 
1939 static void key_event(VncState *vs, int down, uint32_t sym)
1940 {
1941     int keycode;
1942     int lsym = sym;
1943 
1944     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1945         lsym = lsym - 'A' + 'a';
1946     }
1947 
1948     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1949     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1950     do_key_event(vs, down, keycode, sym);
1951 }
1952 
1953 static void ext_key_event(VncState *vs, int down,
1954                           uint32_t sym, uint16_t keycode)
1955 {
1956     /* if the user specifies a keyboard layout, always use it */
1957     if (keyboard_layout) {
1958         key_event(vs, down, sym);
1959     } else {
1960         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
1961         do_key_event(vs, down, keycode, sym);
1962     }
1963 }
1964 
1965 static void framebuffer_update_request(VncState *vs, int incremental,
1966                                        int x, int y, int w, int h)
1967 {
1968     vs->need_update = 1;
1969 
1970     if (incremental) {
1971         return;
1972     }
1973 
1974     vs->force_update = 1;
1975     vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
1976 }
1977 
1978 static void send_ext_key_event_ack(VncState *vs)
1979 {
1980     vnc_lock_output(vs);
1981     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1982     vnc_write_u8(vs, 0);
1983     vnc_write_u16(vs, 1);
1984     vnc_framebuffer_update(vs, 0, 0,
1985                            pixman_image_get_width(vs->vd->server),
1986                            pixman_image_get_height(vs->vd->server),
1987                            VNC_ENCODING_EXT_KEY_EVENT);
1988     vnc_unlock_output(vs);
1989     vnc_flush(vs);
1990 }
1991 
1992 static void send_ext_audio_ack(VncState *vs)
1993 {
1994     vnc_lock_output(vs);
1995     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1996     vnc_write_u8(vs, 0);
1997     vnc_write_u16(vs, 1);
1998     vnc_framebuffer_update(vs, 0, 0,
1999                            pixman_image_get_width(vs->vd->server),
2000                            pixman_image_get_height(vs->vd->server),
2001                            VNC_ENCODING_AUDIO);
2002     vnc_unlock_output(vs);
2003     vnc_flush(vs);
2004 }
2005 
2006 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2007 {
2008     int i;
2009     unsigned int enc = 0;
2010 
2011     vs->features = 0;
2012     vs->vnc_encoding = 0;
2013     vs->tight.compression = 9;
2014     vs->tight.quality = -1; /* Lossless by default */
2015     vs->absolute = -1;
2016 
2017     /*
2018      * Start from the end because the encodings are sent in order of preference.
2019      * This way the preferred encoding (first encoding defined in the array)
2020      * will be set at the end of the loop.
2021      */
2022     for (i = n_encodings - 1; i >= 0; i--) {
2023         enc = encodings[i];
2024         switch (enc) {
2025         case VNC_ENCODING_RAW:
2026             vs->vnc_encoding = enc;
2027             break;
2028         case VNC_ENCODING_COPYRECT:
2029             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2030             break;
2031         case VNC_ENCODING_HEXTILE:
2032             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2033             vs->vnc_encoding = enc;
2034             break;
2035         case VNC_ENCODING_TIGHT:
2036             vs->features |= VNC_FEATURE_TIGHT_MASK;
2037             vs->vnc_encoding = enc;
2038             break;
2039 #ifdef CONFIG_VNC_PNG
2040         case VNC_ENCODING_TIGHT_PNG:
2041             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2042             vs->vnc_encoding = enc;
2043             break;
2044 #endif
2045         case VNC_ENCODING_ZLIB:
2046             vs->features |= VNC_FEATURE_ZLIB_MASK;
2047             vs->vnc_encoding = enc;
2048             break;
2049         case VNC_ENCODING_ZRLE:
2050             vs->features |= VNC_FEATURE_ZRLE_MASK;
2051             vs->vnc_encoding = enc;
2052             break;
2053         case VNC_ENCODING_ZYWRLE:
2054             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2055             vs->vnc_encoding = enc;
2056             break;
2057         case VNC_ENCODING_DESKTOPRESIZE:
2058             vs->features |= VNC_FEATURE_RESIZE_MASK;
2059             break;
2060         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2061             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2062             break;
2063         case VNC_ENCODING_RICH_CURSOR:
2064             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2065             if (vs->vd->cursor) {
2066                 vnc_cursor_define(vs);
2067             }
2068             break;
2069         case VNC_ENCODING_EXT_KEY_EVENT:
2070             send_ext_key_event_ack(vs);
2071             break;
2072         case VNC_ENCODING_AUDIO:
2073             send_ext_audio_ack(vs);
2074             break;
2075         case VNC_ENCODING_WMVi:
2076             vs->features |= VNC_FEATURE_WMVI_MASK;
2077             break;
2078         case VNC_ENCODING_LED_STATE:
2079             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2080             break;
2081         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2082             vs->tight.compression = (enc & 0x0F);
2083             break;
2084         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2085             if (vs->vd->lossy) {
2086                 vs->tight.quality = (enc & 0x0F);
2087             }
2088             break;
2089         default:
2090             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2091             break;
2092         }
2093     }
2094     vnc_desktop_resize(vs);
2095     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2096     vnc_led_state_change(vs);
2097 }
2098 
2099 static void set_pixel_conversion(VncState *vs)
2100 {
2101     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2102 
2103     if (fmt == VNC_SERVER_FB_FORMAT) {
2104         vs->write_pixels = vnc_write_pixels_copy;
2105         vnc_hextile_set_pixel_conversion(vs, 0);
2106     } else {
2107         vs->write_pixels = vnc_write_pixels_generic;
2108         vnc_hextile_set_pixel_conversion(vs, 1);
2109     }
2110 }
2111 
2112 static void send_color_map(VncState *vs)
2113 {
2114     int i;
2115 
2116     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2117     vnc_write_u8(vs,  0);    /* padding     */
2118     vnc_write_u16(vs, 0);    /* first color */
2119     vnc_write_u16(vs, 256);  /* # of colors */
2120 
2121     for (i = 0; i < 256; i++) {
2122         PixelFormat *pf = &vs->client_pf;
2123 
2124         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2125         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2126         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2127     }
2128 }
2129 
2130 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2131                              int big_endian_flag, int true_color_flag,
2132                              int red_max, int green_max, int blue_max,
2133                              int red_shift, int green_shift, int blue_shift)
2134 {
2135     if (!true_color_flag) {
2136         /* Expose a reasonable default 256 color map */
2137         bits_per_pixel = 8;
2138         red_max = 7;
2139         green_max = 7;
2140         blue_max = 3;
2141         red_shift = 0;
2142         green_shift = 3;
2143         blue_shift = 6;
2144     }
2145 
2146     switch (bits_per_pixel) {
2147     case 8:
2148     case 16:
2149     case 32:
2150         break;
2151     default:
2152         vnc_client_error(vs);
2153         return;
2154     }
2155 
2156     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2157     vs->client_pf.rbits = hweight_long(red_max);
2158     vs->client_pf.rshift = red_shift;
2159     vs->client_pf.rmask = red_max << red_shift;
2160     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2161     vs->client_pf.gbits = hweight_long(green_max);
2162     vs->client_pf.gshift = green_shift;
2163     vs->client_pf.gmask = green_max << green_shift;
2164     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2165     vs->client_pf.bbits = hweight_long(blue_max);
2166     vs->client_pf.bshift = blue_shift;
2167     vs->client_pf.bmask = blue_max << blue_shift;
2168     vs->client_pf.bits_per_pixel = bits_per_pixel;
2169     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2170     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2171     vs->client_be = big_endian_flag;
2172 
2173     if (!true_color_flag) {
2174         send_color_map(vs);
2175     }
2176 
2177     set_pixel_conversion(vs);
2178 
2179     graphic_hw_invalidate(vs->vd->dcl.con);
2180     graphic_hw_update(vs->vd->dcl.con);
2181 }
2182 
2183 static void pixel_format_message (VncState *vs) {
2184     char pad[3] = { 0, 0, 0 };
2185 
2186     vs->client_pf = qemu_default_pixelformat(32);
2187 
2188     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2189     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2190 
2191 #ifdef HOST_WORDS_BIGENDIAN
2192     vnc_write_u8(vs, 1);             /* big-endian-flag */
2193 #else
2194     vnc_write_u8(vs, 0);             /* big-endian-flag */
2195 #endif
2196     vnc_write_u8(vs, 1);             /* true-color-flag */
2197     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2198     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2199     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2200     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2201     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2202     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2203     vnc_write(vs, pad, 3);           /* padding */
2204 
2205     vnc_hextile_set_pixel_conversion(vs, 0);
2206     vs->write_pixels = vnc_write_pixels_copy;
2207 }
2208 
2209 static void vnc_colordepth(VncState *vs)
2210 {
2211     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2212         /* Sending a WMVi message to notify the client*/
2213         vnc_lock_output(vs);
2214         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2215         vnc_write_u8(vs, 0);
2216         vnc_write_u16(vs, 1); /* number of rects */
2217         vnc_framebuffer_update(vs, 0, 0,
2218                                pixman_image_get_width(vs->vd->server),
2219                                pixman_image_get_height(vs->vd->server),
2220                                VNC_ENCODING_WMVi);
2221         pixel_format_message(vs);
2222         vnc_unlock_output(vs);
2223         vnc_flush(vs);
2224     } else {
2225         set_pixel_conversion(vs);
2226     }
2227 }
2228 
2229 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2230 {
2231     int i;
2232     uint16_t limit;
2233     VncDisplay *vd = vs->vd;
2234 
2235     if (data[0] > 3) {
2236         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2237     }
2238 
2239     switch (data[0]) {
2240     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2241         if (len == 1)
2242             return 20;
2243 
2244         set_pixel_format(vs, read_u8(data, 4),
2245                          read_u8(data, 6), read_u8(data, 7),
2246                          read_u16(data, 8), read_u16(data, 10),
2247                          read_u16(data, 12), read_u8(data, 14),
2248                          read_u8(data, 15), read_u8(data, 16));
2249         break;
2250     case VNC_MSG_CLIENT_SET_ENCODINGS:
2251         if (len == 1)
2252             return 4;
2253 
2254         if (len == 4) {
2255             limit = read_u16(data, 2);
2256             if (limit > 0)
2257                 return 4 + (limit * 4);
2258         } else
2259             limit = read_u16(data, 2);
2260 
2261         for (i = 0; i < limit; i++) {
2262             int32_t val = read_s32(data, 4 + (i * 4));
2263             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2264         }
2265 
2266         set_encodings(vs, (int32_t *)(data + 4), limit);
2267         break;
2268     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2269         if (len == 1)
2270             return 10;
2271 
2272         framebuffer_update_request(vs,
2273                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2274                                    read_u16(data, 6), read_u16(data, 8));
2275         break;
2276     case VNC_MSG_CLIENT_KEY_EVENT:
2277         if (len == 1)
2278             return 8;
2279 
2280         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2281         break;
2282     case VNC_MSG_CLIENT_POINTER_EVENT:
2283         if (len == 1)
2284             return 6;
2285 
2286         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2287         break;
2288     case VNC_MSG_CLIENT_CUT_TEXT:
2289         if (len == 1) {
2290             return 8;
2291         }
2292         if (len == 8) {
2293             uint32_t dlen = read_u32(data, 4);
2294             if (dlen > (1 << 20)) {
2295                 error_report("vnc: client_cut_text msg payload has %u bytes"
2296                              " which exceeds our limit of 1MB.", dlen);
2297                 vnc_client_error(vs);
2298                 break;
2299             }
2300             if (dlen > 0) {
2301                 return 8 + dlen;
2302             }
2303         }
2304 
2305         client_cut_text(vs, read_u32(data, 4), data + 8);
2306         break;
2307     case VNC_MSG_CLIENT_QEMU:
2308         if (len == 1)
2309             return 2;
2310 
2311         switch (read_u8(data, 1)) {
2312         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2313             if (len == 2)
2314                 return 12;
2315 
2316             ext_key_event(vs, read_u16(data, 2),
2317                           read_u32(data, 4), read_u32(data, 8));
2318             break;
2319         case VNC_MSG_CLIENT_QEMU_AUDIO:
2320             if (len == 2)
2321                 return 4;
2322 
2323             switch (read_u16 (data, 2)) {
2324             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2325                 audio_add(vs);
2326                 break;
2327             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2328                 audio_del(vs);
2329                 break;
2330             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2331                 if (len == 4)
2332                     return 10;
2333                 switch (read_u8(data, 4)) {
2334                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2335                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2336                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2337                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2338                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2339                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2340                 default:
2341                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2342                     vnc_client_error(vs);
2343                     break;
2344                 }
2345                 vs->as.nchannels = read_u8(data, 5);
2346                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2347                     VNC_DEBUG("Invalid audio channel coount %d\n",
2348                               read_u8(data, 5));
2349                     vnc_client_error(vs);
2350                     break;
2351                 }
2352                 vs->as.freq = read_u32(data, 6);
2353                 break;
2354             default:
2355                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2356                 vnc_client_error(vs);
2357                 break;
2358             }
2359             break;
2360 
2361         default:
2362             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2363             vnc_client_error(vs);
2364             break;
2365         }
2366         break;
2367     default:
2368         VNC_DEBUG("Msg: %d\n", data[0]);
2369         vnc_client_error(vs);
2370         break;
2371     }
2372 
2373     vnc_read_when(vs, protocol_client_msg, 1);
2374     return 0;
2375 }
2376 
2377 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2378 {
2379     char buf[1024];
2380     VncShareMode mode;
2381     int size;
2382 
2383     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2384     switch (vs->vd->share_policy) {
2385     case VNC_SHARE_POLICY_IGNORE:
2386         /*
2387          * Ignore the shared flag.  Nothing to do here.
2388          *
2389          * Doesn't conform to the rfb spec but is traditional qemu
2390          * behavior, thus left here as option for compatibility
2391          * reasons.
2392          */
2393         break;
2394     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2395         /*
2396          * Policy: Allow clients ask for exclusive access.
2397          *
2398          * Implementation: When a client asks for exclusive access,
2399          * disconnect all others. Shared connects are allowed as long
2400          * as no exclusive connection exists.
2401          *
2402          * This is how the rfb spec suggests to handle the shared flag.
2403          */
2404         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2405             VncState *client;
2406             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2407                 if (vs == client) {
2408                     continue;
2409                 }
2410                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2411                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2412                     continue;
2413                 }
2414                 vnc_disconnect_start(client);
2415             }
2416         }
2417         if (mode == VNC_SHARE_MODE_SHARED) {
2418             if (vs->vd->num_exclusive > 0) {
2419                 vnc_disconnect_start(vs);
2420                 return 0;
2421             }
2422         }
2423         break;
2424     case VNC_SHARE_POLICY_FORCE_SHARED:
2425         /*
2426          * Policy: Shared connects only.
2427          * Implementation: Disallow clients asking for exclusive access.
2428          *
2429          * Useful for shared desktop sessions where you don't want
2430          * someone forgetting to say -shared when running the vnc
2431          * client disconnect everybody else.
2432          */
2433         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2434             vnc_disconnect_start(vs);
2435             return 0;
2436         }
2437         break;
2438     }
2439     vnc_set_share_mode(vs, mode);
2440 
2441     if (vs->vd->num_shared > vs->vd->connections_limit) {
2442         vnc_disconnect_start(vs);
2443         return 0;
2444     }
2445 
2446     vs->client_width = pixman_image_get_width(vs->vd->server);
2447     vs->client_height = pixman_image_get_height(vs->vd->server);
2448     vnc_write_u16(vs, vs->client_width);
2449     vnc_write_u16(vs, vs->client_height);
2450 
2451     pixel_format_message(vs);
2452 
2453     if (qemu_name) {
2454         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2455         if (size > sizeof(buf)) {
2456             size = sizeof(buf);
2457         }
2458     } else {
2459         size = snprintf(buf, sizeof(buf), "QEMU");
2460     }
2461 
2462     vnc_write_u32(vs, size);
2463     vnc_write(vs, buf, size);
2464     vnc_flush(vs);
2465 
2466     vnc_client_cache_auth(vs);
2467     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2468 
2469     vnc_read_when(vs, protocol_client_msg, 1);
2470 
2471     return 0;
2472 }
2473 
2474 void start_client_init(VncState *vs)
2475 {
2476     vnc_read_when(vs, protocol_client_init, 1);
2477 }
2478 
2479 static void make_challenge(VncState *vs)
2480 {
2481     int i;
2482 
2483     srand(time(NULL)+getpid()+getpid()*987654+rand());
2484 
2485     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2486         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2487 }
2488 
2489 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2490 {
2491     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2492     size_t i, pwlen;
2493     unsigned char key[8];
2494     time_t now = time(NULL);
2495     QCryptoCipher *cipher = NULL;
2496     Error *err = NULL;
2497 
2498     if (!vs->vd->password) {
2499         VNC_DEBUG("No password configured on server");
2500         goto reject;
2501     }
2502     if (vs->vd->expires < now) {
2503         VNC_DEBUG("Password is expired");
2504         goto reject;
2505     }
2506 
2507     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2508 
2509     /* Calculate the expected challenge response */
2510     pwlen = strlen(vs->vd->password);
2511     for (i=0; i<sizeof(key); i++)
2512         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2513 
2514     cipher = qcrypto_cipher_new(
2515         QCRYPTO_CIPHER_ALG_DES_RFB,
2516         QCRYPTO_CIPHER_MODE_ECB,
2517         key, G_N_ELEMENTS(key),
2518         &err);
2519     if (!cipher) {
2520         VNC_DEBUG("Cannot initialize cipher %s",
2521                   error_get_pretty(err));
2522         error_free(err);
2523         goto reject;
2524     }
2525 
2526     if (qcrypto_cipher_encrypt(cipher,
2527                                vs->challenge,
2528                                response,
2529                                VNC_AUTH_CHALLENGE_SIZE,
2530                                &err) < 0) {
2531         VNC_DEBUG("Cannot encrypt challenge %s",
2532                   error_get_pretty(err));
2533         error_free(err);
2534         goto reject;
2535     }
2536 
2537     /* Compare expected vs actual challenge response */
2538     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2539         VNC_DEBUG("Client challenge response did not match\n");
2540         goto reject;
2541     } else {
2542         VNC_DEBUG("Accepting VNC challenge response\n");
2543         vnc_write_u32(vs, 0); /* Accept auth */
2544         vnc_flush(vs);
2545 
2546         start_client_init(vs);
2547     }
2548 
2549     qcrypto_cipher_free(cipher);
2550     return 0;
2551 
2552 reject:
2553     vnc_write_u32(vs, 1); /* Reject auth */
2554     if (vs->minor >= 8) {
2555         static const char err[] = "Authentication failed";
2556         vnc_write_u32(vs, sizeof(err));
2557         vnc_write(vs, err, sizeof(err));
2558     }
2559     vnc_flush(vs);
2560     vnc_client_error(vs);
2561     qcrypto_cipher_free(cipher);
2562     return 0;
2563 }
2564 
2565 void start_auth_vnc(VncState *vs)
2566 {
2567     make_challenge(vs);
2568     /* Send client a 'random' challenge */
2569     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2570     vnc_flush(vs);
2571 
2572     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2573 }
2574 
2575 
2576 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2577 {
2578     /* We only advertise 1 auth scheme at a time, so client
2579      * must pick the one we sent. Verify this */
2580     if (data[0] != vs->auth) { /* Reject auth */
2581        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2582        vnc_write_u32(vs, 1);
2583        if (vs->minor >= 8) {
2584            static const char err[] = "Authentication failed";
2585            vnc_write_u32(vs, sizeof(err));
2586            vnc_write(vs, err, sizeof(err));
2587        }
2588        vnc_client_error(vs);
2589     } else { /* Accept requested auth */
2590        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2591        switch (vs->auth) {
2592        case VNC_AUTH_NONE:
2593            VNC_DEBUG("Accept auth none\n");
2594            if (vs->minor >= 8) {
2595                vnc_write_u32(vs, 0); /* Accept auth completion */
2596                vnc_flush(vs);
2597            }
2598            start_client_init(vs);
2599            break;
2600 
2601        case VNC_AUTH_VNC:
2602            VNC_DEBUG("Start VNC auth\n");
2603            start_auth_vnc(vs);
2604            break;
2605 
2606        case VNC_AUTH_VENCRYPT:
2607            VNC_DEBUG("Accept VeNCrypt auth\n");
2608            start_auth_vencrypt(vs);
2609            break;
2610 
2611 #ifdef CONFIG_VNC_SASL
2612        case VNC_AUTH_SASL:
2613            VNC_DEBUG("Accept SASL auth\n");
2614            start_auth_sasl(vs);
2615            break;
2616 #endif /* CONFIG_VNC_SASL */
2617 
2618        default: /* Should not be possible, but just in case */
2619            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2620            vnc_write_u8(vs, 1);
2621            if (vs->minor >= 8) {
2622                static const char err[] = "Authentication failed";
2623                vnc_write_u32(vs, sizeof(err));
2624                vnc_write(vs, err, sizeof(err));
2625            }
2626            vnc_client_error(vs);
2627        }
2628     }
2629     return 0;
2630 }
2631 
2632 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2633 {
2634     char local[13];
2635 
2636     memcpy(local, version, 12);
2637     local[12] = 0;
2638 
2639     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2640         VNC_DEBUG("Malformed protocol version %s\n", local);
2641         vnc_client_error(vs);
2642         return 0;
2643     }
2644     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2645     if (vs->major != 3 ||
2646         (vs->minor != 3 &&
2647          vs->minor != 4 &&
2648          vs->minor != 5 &&
2649          vs->minor != 7 &&
2650          vs->minor != 8)) {
2651         VNC_DEBUG("Unsupported client version\n");
2652         vnc_write_u32(vs, VNC_AUTH_INVALID);
2653         vnc_flush(vs);
2654         vnc_client_error(vs);
2655         return 0;
2656     }
2657     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2658      * as equivalent to v3.3 by servers
2659      */
2660     if (vs->minor == 4 || vs->minor == 5)
2661         vs->minor = 3;
2662 
2663     if (vs->minor == 3) {
2664         if (vs->auth == VNC_AUTH_NONE) {
2665             VNC_DEBUG("Tell client auth none\n");
2666             vnc_write_u32(vs, vs->auth);
2667             vnc_flush(vs);
2668             start_client_init(vs);
2669        } else if (vs->auth == VNC_AUTH_VNC) {
2670             VNC_DEBUG("Tell client VNC auth\n");
2671             vnc_write_u32(vs, vs->auth);
2672             vnc_flush(vs);
2673             start_auth_vnc(vs);
2674        } else {
2675             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2676             vnc_write_u32(vs, VNC_AUTH_INVALID);
2677             vnc_flush(vs);
2678             vnc_client_error(vs);
2679        }
2680     } else {
2681         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2682         vnc_write_u8(vs, 1); /* num auth */
2683         vnc_write_u8(vs, vs->auth);
2684         vnc_read_when(vs, protocol_client_auth, 1);
2685         vnc_flush(vs);
2686     }
2687 
2688     return 0;
2689 }
2690 
2691 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2692 {
2693     struct VncSurface *vs = &vd->guest;
2694 
2695     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2696 }
2697 
2698 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2699 {
2700     int i, j;
2701 
2702     w = (x + w) / VNC_STAT_RECT;
2703     h = (y + h) / VNC_STAT_RECT;
2704     x /= VNC_STAT_RECT;
2705     y /= VNC_STAT_RECT;
2706 
2707     for (j = y; j <= h; j++) {
2708         for (i = x; i <= w; i++) {
2709             vs->lossy_rect[j][i] = 1;
2710         }
2711     }
2712 }
2713 
2714 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2715 {
2716     VncState *vs;
2717     int sty = y / VNC_STAT_RECT;
2718     int stx = x / VNC_STAT_RECT;
2719     int has_dirty = 0;
2720 
2721     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2722     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2723 
2724     QTAILQ_FOREACH(vs, &vd->clients, next) {
2725         int j;
2726 
2727         /* kernel send buffers are full -> refresh later */
2728         if (vs->output.offset) {
2729             continue;
2730         }
2731 
2732         if (!vs->lossy_rect[sty][stx]) {
2733             continue;
2734         }
2735 
2736         vs->lossy_rect[sty][stx] = 0;
2737         for (j = 0; j < VNC_STAT_RECT; ++j) {
2738             bitmap_set(vs->dirty[y + j],
2739                        x / VNC_DIRTY_PIXELS_PER_BIT,
2740                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2741         }
2742         has_dirty++;
2743     }
2744 
2745     return has_dirty;
2746 }
2747 
2748 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2749 {
2750     int width = MIN(pixman_image_get_width(vd->guest.fb),
2751                     pixman_image_get_width(vd->server));
2752     int height = MIN(pixman_image_get_height(vd->guest.fb),
2753                      pixman_image_get_height(vd->server));
2754     int x, y;
2755     struct timeval res;
2756     int has_dirty = 0;
2757 
2758     for (y = 0; y < height; y += VNC_STAT_RECT) {
2759         for (x = 0; x < width; x += VNC_STAT_RECT) {
2760             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2761 
2762             rect->updated = false;
2763         }
2764     }
2765 
2766     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2767 
2768     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2769         return has_dirty;
2770     }
2771     vd->guest.last_freq_check = *tv;
2772 
2773     for (y = 0; y < height; y += VNC_STAT_RECT) {
2774         for (x = 0; x < width; x += VNC_STAT_RECT) {
2775             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2776             int count = ARRAY_SIZE(rect->times);
2777             struct timeval min, max;
2778 
2779             if (!timerisset(&rect->times[count - 1])) {
2780                 continue ;
2781             }
2782 
2783             max = rect->times[(rect->idx + count - 1) % count];
2784             qemu_timersub(tv, &max, &res);
2785 
2786             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2787                 rect->freq = 0;
2788                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2789                 memset(rect->times, 0, sizeof (rect->times));
2790                 continue ;
2791             }
2792 
2793             min = rect->times[rect->idx];
2794             max = rect->times[(rect->idx + count - 1) % count];
2795             qemu_timersub(&max, &min, &res);
2796 
2797             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2798             rect->freq /= count;
2799             rect->freq = 1. / rect->freq;
2800         }
2801     }
2802     return has_dirty;
2803 }
2804 
2805 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2806 {
2807     int i, j;
2808     double total = 0;
2809     int num = 0;
2810 
2811     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2812     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2813 
2814     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2815         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2816             total += vnc_stat_rect(vs->vd, i, j)->freq;
2817             num++;
2818         }
2819     }
2820 
2821     if (num) {
2822         return total / num;
2823     } else {
2824         return 0;
2825     }
2826 }
2827 
2828 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2829 {
2830     VncRectStat *rect;
2831 
2832     rect = vnc_stat_rect(vd, x, y);
2833     if (rect->updated) {
2834         return ;
2835     }
2836     rect->times[rect->idx] = *tv;
2837     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2838     rect->updated = true;
2839 }
2840 
2841 static int vnc_refresh_server_surface(VncDisplay *vd)
2842 {
2843     int width = MIN(pixman_image_get_width(vd->guest.fb),
2844                     pixman_image_get_width(vd->server));
2845     int height = MIN(pixman_image_get_height(vd->guest.fb),
2846                      pixman_image_get_height(vd->server));
2847     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2848     uint8_t *guest_row0 = NULL, *server_row0;
2849     VncState *vs;
2850     int has_dirty = 0;
2851     pixman_image_t *tmpbuf = NULL;
2852 
2853     struct timeval tv = { 0, 0 };
2854 
2855     if (!vd->non_adaptive) {
2856         gettimeofday(&tv, NULL);
2857         has_dirty = vnc_update_stats(vd, &tv);
2858     }
2859 
2860     /*
2861      * Walk through the guest dirty map.
2862      * Check and copy modified bits from guest to server surface.
2863      * Update server dirty map.
2864      */
2865     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2866     server_stride = guest_stride = guest_ll =
2867         pixman_image_get_stride(vd->server);
2868     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2869                     server_stride);
2870     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2871         int width = pixman_image_get_width(vd->server);
2872         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2873     } else {
2874         int guest_bpp =
2875             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2876         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2877         guest_stride = pixman_image_get_stride(vd->guest.fb);
2878         guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
2879     }
2880     line_bytes = MIN(server_stride, guest_ll);
2881 
2882     for (;;) {
2883         int x;
2884         uint8_t *guest_ptr, *server_ptr;
2885         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2886                                              height * VNC_DIRTY_BPL(&vd->guest),
2887                                              y * VNC_DIRTY_BPL(&vd->guest));
2888         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2889             /* no more dirty bits */
2890             break;
2891         }
2892         y = offset / VNC_DIRTY_BPL(&vd->guest);
2893         x = offset % VNC_DIRTY_BPL(&vd->guest);
2894 
2895         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2896 
2897         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2898             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2899             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2900         } else {
2901             guest_ptr = guest_row0 + y * guest_stride;
2902         }
2903         guest_ptr += x * cmp_bytes;
2904 
2905         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2906              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2907             int _cmp_bytes = cmp_bytes;
2908             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2909                 continue;
2910             }
2911             if ((x + 1) * cmp_bytes > line_bytes) {
2912                 _cmp_bytes = line_bytes - x * cmp_bytes;
2913             }
2914             assert(_cmp_bytes >= 0);
2915             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2916                 continue;
2917             }
2918             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2919             if (!vd->non_adaptive) {
2920                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2921                                  y, &tv);
2922             }
2923             QTAILQ_FOREACH(vs, &vd->clients, next) {
2924                 set_bit(x, vs->dirty[y]);
2925             }
2926             has_dirty++;
2927         }
2928 
2929         y++;
2930     }
2931     qemu_pixman_image_unref(tmpbuf);
2932     return has_dirty;
2933 }
2934 
2935 static void vnc_refresh(DisplayChangeListener *dcl)
2936 {
2937     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2938     VncState *vs, *vn;
2939     int has_dirty, rects = 0;
2940 
2941     if (QTAILQ_EMPTY(&vd->clients)) {
2942         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2943         return;
2944     }
2945 
2946     graphic_hw_update(vd->dcl.con);
2947 
2948     if (vnc_trylock_display(vd)) {
2949         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2950         return;
2951     }
2952 
2953     has_dirty = vnc_refresh_server_surface(vd);
2954     vnc_unlock_display(vd);
2955 
2956     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2957         rects += vnc_update_client(vs, has_dirty, false);
2958         /* vs might be free()ed here */
2959     }
2960 
2961     if (has_dirty && rects) {
2962         vd->dcl.update_interval /= 2;
2963         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2964             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2965         }
2966     } else {
2967         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2968         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2969             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2970         }
2971     }
2972 }
2973 
2974 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
2975                         bool skipauth, bool websocket)
2976 {
2977     VncState *vs = g_new0(VncState, 1);
2978     bool first_client = QTAILQ_EMPTY(&vd->clients);
2979     int i;
2980 
2981     vs->sioc = sioc;
2982     object_ref(OBJECT(vs->sioc));
2983     vs->ioc = QIO_CHANNEL(sioc);
2984     object_ref(OBJECT(vs->ioc));
2985     vs->vd = vd;
2986 
2987     buffer_init(&vs->input,          "vnc-input/%p", sioc);
2988     buffer_init(&vs->output,         "vnc-output/%p", sioc);
2989     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
2990 
2991     buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
2992     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
2993     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
2994 #ifdef CONFIG_VNC_JPEG
2995     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
2996 #endif
2997 #ifdef CONFIG_VNC_PNG
2998     buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
2999 #endif
3000     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3001     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
3002     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
3003     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
3004 
3005     if (skipauth) {
3006 	vs->auth = VNC_AUTH_NONE;
3007 	vs->subauth = VNC_AUTH_INVALID;
3008     } else {
3009         if (websocket) {
3010             vs->auth = vd->ws_auth;
3011             vs->subauth = VNC_AUTH_INVALID;
3012         } else {
3013             vs->auth = vd->auth;
3014             vs->subauth = vd->subauth;
3015         }
3016     }
3017     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3018               sioc, websocket, vs->auth, vs->subauth);
3019 
3020     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3021     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3022         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3023     }
3024 
3025     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3026     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3027     qio_channel_set_blocking(vs->ioc, false, NULL);
3028     if (websocket) {
3029         vs->websocket = 1;
3030         if (vd->tlscreds) {
3031             vs->ioc_tag = qio_channel_add_watch(
3032                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3033         } else {
3034             vs->ioc_tag = qio_channel_add_watch(
3035                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3036         }
3037     } else {
3038         vs->ioc_tag = qio_channel_add_watch(
3039             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3040     }
3041 
3042     vnc_client_cache_addr(vs);
3043     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3044     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3045 
3046     vs->last_x = -1;
3047     vs->last_y = -1;
3048 
3049     vs->as.freq = 44100;
3050     vs->as.nchannels = 2;
3051     vs->as.fmt = AUD_FMT_S16;
3052     vs->as.endianness = 0;
3053 
3054     qemu_mutex_init(&vs->output_mutex);
3055     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3056 
3057     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3058     if (first_client) {
3059         vnc_update_server_surface(vd);
3060     }
3061 
3062     graphic_hw_update(vd->dcl.con);
3063 
3064     if (!vs->websocket) {
3065         vnc_start_protocol(vs);
3066     }
3067 
3068     if (vd->num_connecting > vd->connections_limit) {
3069         QTAILQ_FOREACH(vs, &vd->clients, next) {
3070             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3071                 vnc_disconnect_start(vs);
3072                 return;
3073             }
3074         }
3075     }
3076 }
3077 
3078 void vnc_start_protocol(VncState *vs)
3079 {
3080     vnc_write(vs, "RFB 003.008\n", 12);
3081     vnc_flush(vs);
3082     vnc_read_when(vs, protocol_version, 12);
3083 
3084     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3085     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3086 }
3087 
3088 static gboolean vnc_listen_io(QIOChannel *ioc,
3089                               GIOCondition condition,
3090                               void *opaque)
3091 {
3092     VncDisplay *vd = opaque;
3093     QIOChannelSocket *sioc = NULL;
3094     Error *err = NULL;
3095     bool isWebsock = false;
3096     size_t i;
3097 
3098     for (i = 0; i < vd->nlwebsock; i++) {
3099         if (ioc == QIO_CHANNEL(vd->lwebsock[i])) {
3100             isWebsock = true;
3101             break;
3102         }
3103     }
3104 
3105     sioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), &err);
3106     if (sioc != NULL) {
3107         qio_channel_set_name(QIO_CHANNEL(sioc),
3108                              isWebsock ? "vnc-ws-server" : "vnc-server");
3109         qio_channel_set_delay(QIO_CHANNEL(sioc), false);
3110         vnc_connect(vd, sioc, false, isWebsock);
3111         object_unref(OBJECT(sioc));
3112     } else {
3113         /* client probably closed connection before we got there */
3114         error_free(err);
3115     }
3116 
3117     return TRUE;
3118 }
3119 
3120 static const DisplayChangeListenerOps dcl_ops = {
3121     .dpy_name             = "vnc",
3122     .dpy_refresh          = vnc_refresh,
3123     .dpy_gfx_copy         = vnc_dpy_copy,
3124     .dpy_gfx_update       = vnc_dpy_update,
3125     .dpy_gfx_switch       = vnc_dpy_switch,
3126     .dpy_gfx_check_format = qemu_pixman_check_format,
3127     .dpy_mouse_set        = vnc_mouse_set,
3128     .dpy_cursor_define    = vnc_dpy_cursor_define,
3129 };
3130 
3131 void vnc_display_init(const char *id)
3132 {
3133     VncDisplay *vd;
3134 
3135     if (vnc_display_find(id) != NULL) {
3136         return;
3137     }
3138     vd = g_malloc0(sizeof(*vd));
3139 
3140     vd->id = strdup(id);
3141     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3142 
3143     QTAILQ_INIT(&vd->clients);
3144     vd->expires = TIME_MAX;
3145 
3146     if (keyboard_layout) {
3147         trace_vnc_key_map_init(keyboard_layout);
3148         vd->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
3149     } else {
3150         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
3151     }
3152 
3153     if (!vd->kbd_layout) {
3154         exit(1);
3155     }
3156 
3157     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3158     vd->connections_limit = 32;
3159 
3160     qemu_mutex_init(&vd->mutex);
3161     vnc_start_worker_thread();
3162 
3163     vd->dcl.ops = &dcl_ops;
3164     register_displaychangelistener(&vd->dcl);
3165 }
3166 
3167 
3168 static void vnc_display_close(VncDisplay *vd)
3169 {
3170     size_t i;
3171     if (!vd) {
3172         return;
3173     }
3174     vd->is_unix = false;
3175     for (i = 0; i < vd->nlsock; i++) {
3176         if (vd->lsock_tag[i]) {
3177             g_source_remove(vd->lsock_tag[i]);
3178         }
3179         object_unref(OBJECT(vd->lsock[i]));
3180     }
3181     g_free(vd->lsock);
3182     g_free(vd->lsock_tag);
3183     vd->lsock = NULL;
3184     vd->nlsock = 0;
3185 
3186     for (i = 0; i < vd->nlwebsock; i++) {
3187         if (vd->lwebsock_tag[i]) {
3188             g_source_remove(vd->lwebsock_tag[i]);
3189         }
3190         object_unref(OBJECT(vd->lwebsock[i]));
3191     }
3192     g_free(vd->lwebsock);
3193     g_free(vd->lwebsock_tag);
3194     vd->lwebsock = NULL;
3195     vd->nlwebsock = 0;
3196 
3197     vd->auth = VNC_AUTH_INVALID;
3198     vd->subauth = VNC_AUTH_INVALID;
3199     if (vd->tlscreds) {
3200         object_unparent(OBJECT(vd->tlscreds));
3201         vd->tlscreds = NULL;
3202     }
3203     g_free(vd->tlsaclname);
3204     vd->tlsaclname = NULL;
3205     if (vd->lock_key_sync) {
3206         qemu_remove_led_event_handler(vd->led);
3207     }
3208 }
3209 
3210 int vnc_display_password(const char *id, const char *password)
3211 {
3212     VncDisplay *vd = vnc_display_find(id);
3213 
3214     if (!vd) {
3215         return -EINVAL;
3216     }
3217     if (vd->auth == VNC_AUTH_NONE) {
3218         error_printf_unless_qmp("If you want use passwords please enable "
3219                                 "password auth using '-vnc ${dpy},password'.\n");
3220         return -EINVAL;
3221     }
3222 
3223     g_free(vd->password);
3224     vd->password = g_strdup(password);
3225 
3226     return 0;
3227 }
3228 
3229 int vnc_display_pw_expire(const char *id, time_t expires)
3230 {
3231     VncDisplay *vd = vnc_display_find(id);
3232 
3233     if (!vd) {
3234         return -EINVAL;
3235     }
3236 
3237     vd->expires = expires;
3238     return 0;
3239 }
3240 
3241 static void vnc_display_print_local_addr(VncDisplay *vd)
3242 {
3243     SocketAddress *addr;
3244     Error *err = NULL;
3245 
3246     if (!vd->nlsock) {
3247         return;
3248     }
3249 
3250     addr = qio_channel_socket_get_local_address(vd->lsock[0], &err);
3251     if (!addr) {
3252         return;
3253     }
3254 
3255     if (addr->type != SOCKET_ADDRESS_KIND_INET) {
3256         qapi_free_SocketAddress(addr);
3257         return;
3258     }
3259     error_printf_unless_qmp("VNC server running on %s:%s\n",
3260                             addr->u.inet.data->host,
3261                             addr->u.inet.data->port);
3262     qapi_free_SocketAddress(addr);
3263 }
3264 
3265 static QemuOptsList qemu_vnc_opts = {
3266     .name = "vnc",
3267     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3268     .implied_opt_name = "vnc",
3269     .desc = {
3270         {
3271             .name = "vnc",
3272             .type = QEMU_OPT_STRING,
3273         },{
3274             .name = "websocket",
3275             .type = QEMU_OPT_STRING,
3276         },{
3277             .name = "tls-creds",
3278             .type = QEMU_OPT_STRING,
3279         },{
3280             /* Deprecated in favour of tls-creds */
3281             .name = "x509",
3282             .type = QEMU_OPT_STRING,
3283         },{
3284             .name = "share",
3285             .type = QEMU_OPT_STRING,
3286         },{
3287             .name = "display",
3288             .type = QEMU_OPT_STRING,
3289         },{
3290             .name = "head",
3291             .type = QEMU_OPT_NUMBER,
3292         },{
3293             .name = "connections",
3294             .type = QEMU_OPT_NUMBER,
3295         },{
3296             .name = "to",
3297             .type = QEMU_OPT_NUMBER,
3298         },{
3299             .name = "ipv4",
3300             .type = QEMU_OPT_BOOL,
3301         },{
3302             .name = "ipv6",
3303             .type = QEMU_OPT_BOOL,
3304         },{
3305             .name = "password",
3306             .type = QEMU_OPT_BOOL,
3307         },{
3308             .name = "reverse",
3309             .type = QEMU_OPT_BOOL,
3310         },{
3311             .name = "lock-key-sync",
3312             .type = QEMU_OPT_BOOL,
3313         },{
3314             .name = "key-delay-ms",
3315             .type = QEMU_OPT_NUMBER,
3316         },{
3317             .name = "sasl",
3318             .type = QEMU_OPT_BOOL,
3319         },{
3320             /* Deprecated in favour of tls-creds */
3321             .name = "tls",
3322             .type = QEMU_OPT_BOOL,
3323         },{
3324             /* Deprecated in favour of tls-creds */
3325             .name = "x509verify",
3326             .type = QEMU_OPT_STRING,
3327         },{
3328             .name = "acl",
3329             .type = QEMU_OPT_BOOL,
3330         },{
3331             .name = "lossy",
3332             .type = QEMU_OPT_BOOL,
3333         },{
3334             .name = "non-adaptive",
3335             .type = QEMU_OPT_BOOL,
3336         },
3337         { /* end of list */ }
3338     },
3339 };
3340 
3341 
3342 static int
3343 vnc_display_setup_auth(int *auth,
3344                        int *subauth,
3345                        QCryptoTLSCreds *tlscreds,
3346                        bool password,
3347                        bool sasl,
3348                        bool websocket,
3349                        Error **errp)
3350 {
3351     /*
3352      * We have a choice of 3 authentication options
3353      *
3354      *   1. none
3355      *   2. vnc
3356      *   3. sasl
3357      *
3358      * The channel can be run in 2 modes
3359      *
3360      *   1. clear
3361      *   2. tls
3362      *
3363      * And TLS can use 2 types of credentials
3364      *
3365      *   1. anon
3366      *   2. x509
3367      *
3368      * We thus have 9 possible logical combinations
3369      *
3370      *   1. clear + none
3371      *   2. clear + vnc
3372      *   3. clear + sasl
3373      *   4. tls + anon + none
3374      *   5. tls + anon + vnc
3375      *   6. tls + anon + sasl
3376      *   7. tls + x509 + none
3377      *   8. tls + x509 + vnc
3378      *   9. tls + x509 + sasl
3379      *
3380      * These need to be mapped into the VNC auth schemes
3381      * in an appropriate manner. In regular VNC, all the
3382      * TLS options get mapped into VNC_AUTH_VENCRYPT
3383      * sub-auth types.
3384      *
3385      * In websockets, the https:// protocol already provides
3386      * TLS support, so there is no need to make use of the
3387      * VeNCrypt extension. Furthermore, websockets browser
3388      * clients could not use VeNCrypt even if they wanted to,
3389      * as they cannot control when the TLS handshake takes
3390      * place. Thus there is no option but to rely on https://,
3391      * meaning combinations 4->6 and 7->9 will be mapped to
3392      * VNC auth schemes in the same way as combos 1->3.
3393      *
3394      * Regardless of fact that we have a different mapping to
3395      * VNC auth mechs for plain VNC vs websockets VNC, the end
3396      * result has the same security characteristics.
3397      */
3398     if (websocket || !tlscreds) {
3399         if (password) {
3400             VNC_DEBUG("Initializing VNC server with password auth\n");
3401             *auth = VNC_AUTH_VNC;
3402         } else if (sasl) {
3403             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3404             *auth = VNC_AUTH_SASL;
3405         } else {
3406             VNC_DEBUG("Initializing VNC server with no auth\n");
3407             *auth = VNC_AUTH_NONE;
3408         }
3409         *subauth = VNC_AUTH_INVALID;
3410     } else {
3411         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3412                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3413         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3414                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3415 
3416         if (!is_x509 && !is_anon) {
3417             error_setg(errp,
3418                        "Unsupported TLS cred type %s",
3419                        object_get_typename(OBJECT(tlscreds)));
3420             return -1;
3421         }
3422         *auth = VNC_AUTH_VENCRYPT;
3423         if (password) {
3424             if (is_x509) {
3425                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3426                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3427             } else {
3428                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3429                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3430             }
3431 
3432         } else if (sasl) {
3433             if (is_x509) {
3434                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3435                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3436             } else {
3437                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3438                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3439             }
3440         } else {
3441             if (is_x509) {
3442                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3443                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3444             } else {
3445                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3446                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3447             }
3448         }
3449     }
3450     return 0;
3451 }
3452 
3453 
3454 /*
3455  * Handle back compat with old CLI syntax by creating some
3456  * suitable QCryptoTLSCreds objects
3457  */
3458 static QCryptoTLSCreds *
3459 vnc_display_create_creds(bool x509,
3460                          bool x509verify,
3461                          const char *dir,
3462                          const char *id,
3463                          Error **errp)
3464 {
3465     gchar *credsid = g_strdup_printf("tlsvnc%s", id);
3466     Object *parent = object_get_objects_root();
3467     Object *creds;
3468     Error *err = NULL;
3469 
3470     if (x509) {
3471         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
3472                                       parent,
3473                                       credsid,
3474                                       &err,
3475                                       "endpoint", "server",
3476                                       "dir", dir,
3477                                       "verify-peer", x509verify ? "yes" : "no",
3478                                       NULL);
3479     } else {
3480         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
3481                                       parent,
3482                                       credsid,
3483                                       &err,
3484                                       "endpoint", "server",
3485                                       NULL);
3486     }
3487 
3488     g_free(credsid);
3489 
3490     if (err) {
3491         error_propagate(errp, err);
3492         return NULL;
3493     }
3494 
3495     return QCRYPTO_TLS_CREDS(creds);
3496 }
3497 
3498 
3499 static int vnc_display_get_address(const char *addrstr,
3500                                    bool websocket,
3501                                    int displaynum,
3502                                    int to,
3503                                    bool has_ipv4,
3504                                    bool has_ipv6,
3505                                    bool ipv4,
3506                                    bool ipv6,
3507                                    SocketAddress **retaddr,
3508                                    Error **errp)
3509 {
3510     int ret = -1;
3511     SocketAddress *addr = NULL;
3512 
3513     addr = g_new0(SocketAddress, 1);
3514 
3515     if (strncmp(addrstr, "unix:", 5) == 0) {
3516         addr->type = SOCKET_ADDRESS_KIND_UNIX;
3517         addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
3518         addr->u.q_unix.data->path = g_strdup(addrstr + 5);
3519 
3520         if (websocket) {
3521             error_setg(errp, "UNIX sockets not supported with websock");
3522             goto cleanup;
3523         }
3524 
3525         if (to) {
3526             error_setg(errp, "Port range not support with UNIX socket");
3527             goto cleanup;
3528         }
3529         ret = 0;
3530     } else {
3531         const char *port;
3532         size_t hostlen;
3533         unsigned long long baseport = 0;
3534         InetSocketAddress *inet;
3535 
3536         port = strrchr(addrstr, ':');
3537         if (!port) {
3538             if (websocket) {
3539                 hostlen = 0;
3540                 port = addrstr;
3541             } else {
3542                 error_setg(errp, "no vnc port specified");
3543                 goto cleanup;
3544             }
3545         } else {
3546             hostlen = port - addrstr;
3547             port++;
3548             if (*port == '\0') {
3549                 error_setg(errp, "vnc port cannot be empty");
3550                 goto cleanup;
3551             }
3552         }
3553 
3554         addr->type = SOCKET_ADDRESS_KIND_INET;
3555         inet = addr->u.inet.data = g_new0(InetSocketAddress, 1);
3556         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3557             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3558         } else {
3559             inet->host = g_strndup(addrstr, hostlen);
3560         }
3561         /* plain VNC port is just an offset, for websocket
3562          * port is absolute */
3563         if (websocket) {
3564             if (g_str_equal(addrstr, "") ||
3565                 g_str_equal(addrstr, "on")) {
3566                 if (displaynum == -1) {
3567                     error_setg(errp, "explicit websocket port is required");
3568                     goto cleanup;
3569                 }
3570                 inet->port = g_strdup_printf(
3571                     "%d", displaynum + 5700);
3572                 if (to) {
3573                     inet->has_to = true;
3574                     inet->to = to + 5700;
3575                 }
3576             } else {
3577                 inet->port = g_strdup(port);
3578             }
3579         } else {
3580             if (parse_uint_full(port, &baseport, 10) < 0) {
3581                 error_setg(errp, "can't convert to a number: %s", port);
3582                 goto cleanup;
3583             }
3584             if (baseport > 65535 ||
3585                 baseport + 5900 > 65535) {
3586                 error_setg(errp, "port %s out of range", port);
3587                 goto cleanup;
3588             }
3589             inet->port = g_strdup_printf(
3590                 "%d", (int)baseport + 5900);
3591 
3592             if (to) {
3593                 inet->has_to = true;
3594                 inet->to = to + 5900;
3595             }
3596         }
3597 
3598         inet->ipv4 = ipv4;
3599         inet->has_ipv4 = has_ipv4;
3600         inet->ipv6 = ipv6;
3601         inet->has_ipv6 = has_ipv6;
3602 
3603         ret = baseport;
3604     }
3605 
3606     *retaddr = addr;
3607 
3608  cleanup:
3609     if (ret < 0) {
3610         qapi_free_SocketAddress(addr);
3611     }
3612     return ret;
3613 }
3614 
3615 static int vnc_display_get_addresses(QemuOpts *opts,
3616                                      SocketAddress ***retsaddr,
3617                                      size_t *retnsaddr,
3618                                      SocketAddress ***retwsaddr,
3619                                      size_t *retnwsaddr,
3620                                      Error **errp)
3621 {
3622     SocketAddress *saddr = NULL;
3623     SocketAddress *wsaddr = NULL;
3624     QemuOptsIter addriter;
3625     const char *addr;
3626     int to = qemu_opt_get_number(opts, "to", 0);
3627     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3628     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3629     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3630     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3631     size_t i;
3632     int displaynum = -1;
3633     int ret = -1;
3634 
3635     *retsaddr = NULL;
3636     *retnsaddr = 0;
3637     *retwsaddr = NULL;
3638     *retnwsaddr = 0;
3639 
3640     addr = qemu_opt_get(opts, "vnc");
3641     if (addr == NULL || g_str_equal(addr, "none")) {
3642         ret = 0;
3643         goto cleanup;
3644     }
3645     if (qemu_opt_get(opts, "websocket") &&
3646         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3647         error_setg(errp,
3648                    "SHA1 hash support is required for websockets");
3649         goto cleanup;
3650     }
3651 
3652     qemu_opt_iter_init(&addriter, opts, "vnc");
3653     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3654         int rv;
3655         rv = vnc_display_get_address(addr, false, 0, to,
3656                                      has_ipv4, has_ipv6,
3657                                      ipv4, ipv6,
3658                                      &saddr, errp);
3659         if (rv < 0) {
3660             goto cleanup;
3661         }
3662         /* Historical compat - first listen address can be used
3663          * to set the default websocket port
3664          */
3665         if (displaynum == -1) {
3666             displaynum = rv;
3667         }
3668         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3669         (*retsaddr)[(*retnsaddr)++] = saddr;
3670     }
3671 
3672     /* If we had multiple primary displays, we don't do defaults
3673      * for websocket, and require explicit config instead. */
3674     if (*retnsaddr > 1) {
3675         displaynum = -1;
3676     }
3677 
3678     qemu_opt_iter_init(&addriter, opts, "websocket");
3679     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3680         if (vnc_display_get_address(addr, true, displaynum, to,
3681                                     has_ipv4, has_ipv6,
3682                                     ipv4, ipv6,
3683                                     &wsaddr, errp) < 0) {
3684             goto cleanup;
3685         }
3686 
3687         /* Historical compat - if only a single listen address was
3688          * provided, then this is used to set the default listen
3689          * address for websocket too
3690          */
3691         if (*retnsaddr == 1 &&
3692             (*retsaddr)[0]->type == SOCKET_ADDRESS_KIND_INET &&
3693             wsaddr->type == SOCKET_ADDRESS_KIND_INET &&
3694             g_str_equal(wsaddr->u.inet.data->host, "") &&
3695             !g_str_equal((*retsaddr)[0]->u.inet.data->host, "")) {
3696             g_free(wsaddr->u.inet.data->host);
3697             wsaddr->u.inet.data->host =
3698                 g_strdup((*retsaddr)[0]->u.inet.data->host);
3699         }
3700 
3701         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3702         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3703     }
3704 
3705     ret = 0;
3706  cleanup:
3707     if (ret < 0) {
3708         for (i = 0; i < *retnsaddr; i++) {
3709             qapi_free_SocketAddress((*retsaddr)[i]);
3710         }
3711         g_free(*retsaddr);
3712         for (i = 0; i < *retnwsaddr; i++) {
3713             qapi_free_SocketAddress((*retwsaddr)[i]);
3714         }
3715         g_free(*retwsaddr);
3716         *retsaddr = *retwsaddr = NULL;
3717         *retnsaddr = *retnwsaddr = 0;
3718     }
3719     return ret;
3720 }
3721 
3722 static int vnc_display_connect(VncDisplay *vd,
3723                                SocketAddress **saddr,
3724                                size_t nsaddr,
3725                                SocketAddress **wsaddr,
3726                                size_t nwsaddr,
3727                                Error **errp)
3728 {
3729     /* connect to viewer */
3730     QIOChannelSocket *sioc = NULL;
3731     if (nwsaddr != 0) {
3732         error_setg(errp, "Cannot use websockets in reverse mode");
3733         return -1;
3734     }
3735     if (nsaddr != 1) {
3736         error_setg(errp, "Expected a single address in reverse mode");
3737         return -1;
3738     }
3739     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_KIND_UNIX;
3740     sioc = qio_channel_socket_new();
3741     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3742     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3743         return -1;
3744     }
3745     vnc_connect(vd, sioc, false, false);
3746     object_unref(OBJECT(sioc));
3747     return 0;
3748 }
3749 
3750 
3751 static int vnc_display_listen_addr(VncDisplay *vd,
3752                                    SocketAddress *addr,
3753                                    const char *name,
3754                                    QIOChannelSocket ***lsock,
3755                                    guint **lsock_tag,
3756                                    size_t *nlsock,
3757                                    Error **errp)
3758 {
3759     QIODNSResolver *resolver = qio_dns_resolver_get_instance();
3760     SocketAddress **rawaddrs = NULL;
3761     size_t nrawaddrs = 0;
3762     Error *listenerr = NULL;
3763     bool listening = false;
3764     size_t i;
3765 
3766     if (qio_dns_resolver_lookup_sync(resolver, addr, &nrawaddrs,
3767                                      &rawaddrs, errp) < 0) {
3768         return -1;
3769     }
3770 
3771     for (i = 0; i < nrawaddrs; i++) {
3772         QIOChannelSocket *sioc = qio_channel_socket_new();
3773 
3774         qio_channel_set_name(QIO_CHANNEL(sioc), name);
3775         if (qio_channel_socket_listen_sync(
3776                 sioc, rawaddrs[i], listenerr == NULL ? &listenerr : NULL) < 0) {
3777             continue;
3778         }
3779         listening = true;
3780         (*nlsock)++;
3781         *lsock = g_renew(QIOChannelSocket *, *lsock, *nlsock);
3782         *lsock_tag = g_renew(guint, *lsock_tag, *nlsock);
3783 
3784         (*lsock)[*nlsock - 1] = sioc;
3785         (*lsock_tag)[*nlsock - 1] = 0;
3786     }
3787 
3788     for (i = 0; i < nrawaddrs; i++) {
3789         qapi_free_SocketAddress(rawaddrs[i]);
3790     }
3791     g_free(rawaddrs);
3792 
3793     if (listenerr) {
3794         if (!listening) {
3795             error_propagate(errp, listenerr);
3796             return -1;
3797         } else {
3798             error_free(listenerr);
3799         }
3800     }
3801 
3802     for (i = 0; i < *nlsock; i++) {
3803         (*lsock_tag)[i] = qio_channel_add_watch(
3804             QIO_CHANNEL((*lsock)[i]),
3805             G_IO_IN, vnc_listen_io, vd, NULL);
3806     }
3807 
3808     return 0;
3809 }
3810 
3811 
3812 static int vnc_display_listen(VncDisplay *vd,
3813                               SocketAddress **saddr,
3814                               size_t nsaddr,
3815                               SocketAddress **wsaddr,
3816                               size_t nwsaddr,
3817                               Error **errp)
3818 {
3819     size_t i;
3820 
3821     for (i = 0; i < nsaddr; i++) {
3822         if (vnc_display_listen_addr(vd, saddr[i],
3823                                     "vnc-listen",
3824                                     &vd->lsock,
3825                                     &vd->lsock_tag,
3826                                     &vd->nlsock,
3827                                     errp) < 0) {
3828             return -1;
3829         }
3830     }
3831     for (i = 0; i < nwsaddr; i++) {
3832         if (vnc_display_listen_addr(vd, wsaddr[i],
3833                                     "vnc-ws-listen",
3834                                     &vd->lwebsock,
3835                                     &vd->lwebsock_tag,
3836                                     &vd->nlwebsock,
3837                                     errp) < 0) {
3838             return -1;
3839         }
3840     }
3841 
3842     return 0;
3843 }
3844 
3845 
3846 void vnc_display_open(const char *id, Error **errp)
3847 {
3848     VncDisplay *vd = vnc_display_find(id);
3849     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3850     SocketAddress **saddr = NULL, **wsaddr = NULL;
3851     size_t nsaddr, nwsaddr;
3852     const char *share, *device_id;
3853     QemuConsole *con;
3854     bool password = false;
3855     bool reverse = false;
3856     const char *credid;
3857     bool sasl = false;
3858 #ifdef CONFIG_VNC_SASL
3859     int saslErr;
3860 #endif
3861     int acl = 0;
3862     int lock_key_sync = 1;
3863     int key_delay_ms;
3864     size_t i;
3865 
3866     if (!vd) {
3867         error_setg(errp, "VNC display not active");
3868         return;
3869     }
3870     vnc_display_close(vd);
3871 
3872     if (!opts) {
3873         return;
3874     }
3875 
3876     if (vnc_display_get_addresses(opts, &saddr, &nsaddr,
3877                                   &wsaddr, &nwsaddr, errp) < 0) {
3878         goto fail;
3879     }
3880 
3881     if (saddr == NULL) {
3882         return;
3883     }
3884 
3885     password = qemu_opt_get_bool(opts, "password", false);
3886     if (password) {
3887         if (fips_get_state()) {
3888             error_setg(errp,
3889                        "VNC password auth disabled due to FIPS mode, "
3890                        "consider using the VeNCrypt or SASL authentication "
3891                        "methods as an alternative");
3892             goto fail;
3893         }
3894         if (!qcrypto_cipher_supports(
3895                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3896             error_setg(errp,
3897                        "Cipher backend does not support DES RFB algorithm");
3898             goto fail;
3899         }
3900     }
3901 
3902     reverse = qemu_opt_get_bool(opts, "reverse", false);
3903     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3904     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
3905     sasl = qemu_opt_get_bool(opts, "sasl", false);
3906 #ifndef CONFIG_VNC_SASL
3907     if (sasl) {
3908         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3909         goto fail;
3910     }
3911 #endif /* CONFIG_VNC_SASL */
3912     credid = qemu_opt_get(opts, "tls-creds");
3913     if (credid) {
3914         Object *creds;
3915         if (qemu_opt_get(opts, "tls") ||
3916             qemu_opt_get(opts, "x509") ||
3917             qemu_opt_get(opts, "x509verify")) {
3918             error_setg(errp,
3919                        "'tls-creds' parameter is mutually exclusive with "
3920                        "'tls', 'x509' and 'x509verify' parameters");
3921             goto fail;
3922         }
3923 
3924         creds = object_resolve_path_component(
3925             object_get_objects_root(), credid);
3926         if (!creds) {
3927             error_setg(errp, "No TLS credentials with id '%s'",
3928                        credid);
3929             goto fail;
3930         }
3931         vd->tlscreds = (QCryptoTLSCreds *)
3932             object_dynamic_cast(creds,
3933                                 TYPE_QCRYPTO_TLS_CREDS);
3934         if (!vd->tlscreds) {
3935             error_setg(errp, "Object with id '%s' is not TLS credentials",
3936                        credid);
3937             goto fail;
3938         }
3939         object_ref(OBJECT(vd->tlscreds));
3940 
3941         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3942             error_setg(errp,
3943                        "Expecting TLS credentials with a server endpoint");
3944             goto fail;
3945         }
3946     } else {
3947         const char *path;
3948         bool tls = false, x509 = false, x509verify = false;
3949         tls  = qemu_opt_get_bool(opts, "tls", false);
3950         if (tls) {
3951             path = qemu_opt_get(opts, "x509");
3952 
3953             if (path) {
3954                 x509 = true;
3955             } else {
3956                 path = qemu_opt_get(opts, "x509verify");
3957                 if (path) {
3958                     x509 = true;
3959                     x509verify = true;
3960                 }
3961             }
3962             vd->tlscreds = vnc_display_create_creds(x509,
3963                                                     x509verify,
3964                                                     path,
3965                                                     vd->id,
3966                                                     errp);
3967             if (!vd->tlscreds) {
3968                 goto fail;
3969             }
3970         }
3971     }
3972     acl = qemu_opt_get_bool(opts, "acl", false);
3973 
3974     share = qemu_opt_get(opts, "share");
3975     if (share) {
3976         if (strcmp(share, "ignore") == 0) {
3977             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3978         } else if (strcmp(share, "allow-exclusive") == 0) {
3979             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3980         } else if (strcmp(share, "force-shared") == 0) {
3981             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3982         } else {
3983             error_setg(errp, "unknown vnc share= option");
3984             goto fail;
3985         }
3986     } else {
3987         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3988     }
3989     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3990 
3991 #ifdef CONFIG_VNC_JPEG
3992     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3993 #endif
3994     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3995     /* adaptive updates are only used with tight encoding and
3996      * if lossy updates are enabled so we can disable all the
3997      * calculations otherwise */
3998     if (!vd->lossy) {
3999         vd->non_adaptive = true;
4000     }
4001 
4002     if (acl) {
4003         if (strcmp(vd->id, "default") == 0) {
4004             vd->tlsaclname = g_strdup("vnc.x509dname");
4005         } else {
4006             vd->tlsaclname = g_strdup_printf("vnc.%s.x509dname", vd->id);
4007         }
4008         qemu_acl_init(vd->tlsaclname);
4009     }
4010 #ifdef CONFIG_VNC_SASL
4011     if (acl && sasl) {
4012         char *aclname;
4013 
4014         if (strcmp(vd->id, "default") == 0) {
4015             aclname = g_strdup("vnc.username");
4016         } else {
4017             aclname = g_strdup_printf("vnc.%s.username", vd->id);
4018         }
4019         vd->sasl.acl = qemu_acl_init(aclname);
4020         g_free(aclname);
4021     }
4022 #endif
4023 
4024     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4025                                vd->tlscreds, password,
4026                                sasl, false, errp) < 0) {
4027         goto fail;
4028     }
4029 
4030     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4031                                vd->tlscreds, password,
4032                                sasl, true, errp) < 0) {
4033         goto fail;
4034     }
4035 
4036 #ifdef CONFIG_VNC_SASL
4037     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
4038         error_setg(errp, "Failed to initialize SASL auth: %s",
4039                    sasl_errstring(saslErr, NULL, NULL));
4040         goto fail;
4041     }
4042 #endif
4043     vd->lock_key_sync = lock_key_sync;
4044     if (lock_key_sync) {
4045         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4046     }
4047     vd->ledstate = 0;
4048     vd->key_delay_ms = key_delay_ms;
4049 
4050     device_id = qemu_opt_get(opts, "display");
4051     if (device_id) {
4052         int head = qemu_opt_get_number(opts, "head", 0);
4053         Error *err = NULL;
4054 
4055         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4056         if (err) {
4057             error_propagate(errp, err);
4058             goto fail;
4059         }
4060     } else {
4061         con = NULL;
4062     }
4063 
4064     if (con != vd->dcl.con) {
4065         unregister_displaychangelistener(&vd->dcl);
4066         vd->dcl.con = con;
4067         register_displaychangelistener(&vd->dcl);
4068     }
4069 
4070     if (reverse) {
4071         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4072             goto fail;
4073         }
4074     } else {
4075         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4076             goto fail;
4077         }
4078     }
4079 
4080     if (qemu_opt_get(opts, "to")) {
4081         vnc_display_print_local_addr(vd);
4082     }
4083 
4084  cleanup:
4085     for (i = 0; i < nsaddr; i++) {
4086         qapi_free_SocketAddress(saddr[i]);
4087     }
4088     for (i = 0; i < nwsaddr; i++) {
4089         qapi_free_SocketAddress(wsaddr[i]);
4090     }
4091     return;
4092 
4093 fail:
4094     vnc_display_close(vd);
4095     goto cleanup;
4096 }
4097 
4098 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4099 {
4100     VncDisplay *vd = vnc_display_find(id);
4101     QIOChannelSocket *sioc;
4102 
4103     if (!vd) {
4104         return;
4105     }
4106 
4107     sioc = qio_channel_socket_new_fd(csock, NULL);
4108     if (sioc) {
4109         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4110         vnc_connect(vd, sioc, skipauth, false);
4111         object_unref(OBJECT(sioc));
4112     }
4113 }
4114 
4115 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4116 {
4117     int i = 2;
4118     char *id;
4119 
4120     id = g_strdup("default");
4121     while (qemu_opts_find(olist, id)) {
4122         g_free(id);
4123         id = g_strdup_printf("vnc%d", i++);
4124     }
4125     qemu_opts_set_id(opts, id);
4126 }
4127 
4128 QemuOpts *vnc_parse(const char *str, Error **errp)
4129 {
4130     QemuOptsList *olist = qemu_find_opts("vnc");
4131     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4132     const char *id;
4133 
4134     if (!opts) {
4135         return NULL;
4136     }
4137 
4138     id = qemu_opts_id(opts);
4139     if (!id) {
4140         /* auto-assign id if not present */
4141         vnc_auto_assign_id(olist, opts);
4142     }
4143     return opts;
4144 }
4145 
4146 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4147 {
4148     Error *local_err = NULL;
4149     char *id = (char *)qemu_opts_id(opts);
4150 
4151     assert(id);
4152     vnc_display_init(id);
4153     vnc_display_open(id, &local_err);
4154     if (local_err != NULL) {
4155         error_reportf_err(local_err, "Failed to start VNC server: ");
4156         exit(1);
4157     }
4158     return 0;
4159 }
4160 
4161 static void vnc_register_config(void)
4162 {
4163     qemu_add_opts(&qemu_vnc_opts);
4164 }
4165 opts_init(vnc_register_config);
4166