xref: /openbmc/qemu/ui/vnc.c (revision 4a9b31b8)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "sysemu/sysemu.h"
32 #include "qemu/error-report.h"
33 #include "qemu/option.h"
34 #include "qemu/sockets.h"
35 #include "qemu/timer.h"
36 #include "qemu/acl.h"
37 #include "qemu/config-file.h"
38 #include "qapi/qapi-events.h"
39 #include "qapi/error.h"
40 #include "qapi/qapi-commands-ui.h"
41 #include "ui/input.h"
42 #include "crypto/hash.h"
43 #include "crypto/tlscredsanon.h"
44 #include "crypto/tlscredsx509.h"
45 #include "qom/object_interfaces.h"
46 #include "qemu/cutils.h"
47 #include "io/dns-resolver.h"
48 
49 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
50 #define VNC_REFRESH_INTERVAL_INC  50
51 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
52 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
53 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
54 
55 #include "vnc_keysym.h"
56 #include "crypto/cipher.h"
57 
58 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
59     QTAILQ_HEAD_INITIALIZER(vnc_displays);
60 
61 static int vnc_cursor_define(VncState *vs);
62 static void vnc_release_modifiers(VncState *vs);
63 static void vnc_update_throttle_offset(VncState *vs);
64 
65 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
66 {
67 #ifdef _VNC_DEBUG
68     static const char *mn[] = {
69         [0]                           = "undefined",
70         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
71         [VNC_SHARE_MODE_SHARED]       = "shared",
72         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
73         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
74     };
75     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
76             vs->ioc, mn[vs->share_mode], mn[mode]);
77 #endif
78 
79     switch (vs->share_mode) {
80     case VNC_SHARE_MODE_CONNECTING:
81         vs->vd->num_connecting--;
82         break;
83     case VNC_SHARE_MODE_SHARED:
84         vs->vd->num_shared--;
85         break;
86     case VNC_SHARE_MODE_EXCLUSIVE:
87         vs->vd->num_exclusive--;
88         break;
89     default:
90         break;
91     }
92 
93     vs->share_mode = mode;
94 
95     switch (vs->share_mode) {
96     case VNC_SHARE_MODE_CONNECTING:
97         vs->vd->num_connecting++;
98         break;
99     case VNC_SHARE_MODE_SHARED:
100         vs->vd->num_shared++;
101         break;
102     case VNC_SHARE_MODE_EXCLUSIVE:
103         vs->vd->num_exclusive++;
104         break;
105     default:
106         break;
107     }
108 }
109 
110 
111 static void vnc_init_basic_info(SocketAddress *addr,
112                                 VncBasicInfo *info,
113                                 Error **errp)
114 {
115     switch (addr->type) {
116     case SOCKET_ADDRESS_TYPE_INET:
117         info->host = g_strdup(addr->u.inet.host);
118         info->service = g_strdup(addr->u.inet.port);
119         if (addr->u.inet.ipv6) {
120             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
121         } else {
122             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
123         }
124         break;
125 
126     case SOCKET_ADDRESS_TYPE_UNIX:
127         info->host = g_strdup("");
128         info->service = g_strdup(addr->u.q_unix.path);
129         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
130         break;
131 
132     case SOCKET_ADDRESS_TYPE_VSOCK:
133     case SOCKET_ADDRESS_TYPE_FD:
134         error_setg(errp, "Unsupported socket address type %s",
135                    SocketAddressType_str(addr->type));
136         break;
137     default:
138         abort();
139     }
140 
141     return;
142 }
143 
144 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
145                                                  VncBasicInfo *info,
146                                                  Error **errp)
147 {
148     SocketAddress *addr = NULL;
149 
150     if (!ioc) {
151         error_setg(errp, "No listener socket available");
152         return;
153     }
154 
155     addr = qio_channel_socket_get_local_address(ioc, errp);
156     if (!addr) {
157         return;
158     }
159 
160     vnc_init_basic_info(addr, info, errp);
161     qapi_free_SocketAddress(addr);
162 }
163 
164 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
165                                                  VncBasicInfo *info,
166                                                  Error **errp)
167 {
168     SocketAddress *addr = NULL;
169 
170     addr = qio_channel_socket_get_remote_address(ioc, errp);
171     if (!addr) {
172         return;
173     }
174 
175     vnc_init_basic_info(addr, info, errp);
176     qapi_free_SocketAddress(addr);
177 }
178 
179 static const char *vnc_auth_name(VncDisplay *vd) {
180     switch (vd->auth) {
181     case VNC_AUTH_INVALID:
182         return "invalid";
183     case VNC_AUTH_NONE:
184         return "none";
185     case VNC_AUTH_VNC:
186         return "vnc";
187     case VNC_AUTH_RA2:
188         return "ra2";
189     case VNC_AUTH_RA2NE:
190         return "ra2ne";
191     case VNC_AUTH_TIGHT:
192         return "tight";
193     case VNC_AUTH_ULTRA:
194         return "ultra";
195     case VNC_AUTH_TLS:
196         return "tls";
197     case VNC_AUTH_VENCRYPT:
198         switch (vd->subauth) {
199         case VNC_AUTH_VENCRYPT_PLAIN:
200             return "vencrypt+plain";
201         case VNC_AUTH_VENCRYPT_TLSNONE:
202             return "vencrypt+tls+none";
203         case VNC_AUTH_VENCRYPT_TLSVNC:
204             return "vencrypt+tls+vnc";
205         case VNC_AUTH_VENCRYPT_TLSPLAIN:
206             return "vencrypt+tls+plain";
207         case VNC_AUTH_VENCRYPT_X509NONE:
208             return "vencrypt+x509+none";
209         case VNC_AUTH_VENCRYPT_X509VNC:
210             return "vencrypt+x509+vnc";
211         case VNC_AUTH_VENCRYPT_X509PLAIN:
212             return "vencrypt+x509+plain";
213         case VNC_AUTH_VENCRYPT_TLSSASL:
214             return "vencrypt+tls+sasl";
215         case VNC_AUTH_VENCRYPT_X509SASL:
216             return "vencrypt+x509+sasl";
217         default:
218             return "vencrypt";
219         }
220     case VNC_AUTH_SASL:
221         return "sasl";
222     }
223     return "unknown";
224 }
225 
226 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
227 {
228     VncServerInfo *info;
229     Error *err = NULL;
230 
231     if (!vd->listener || !vd->listener->nsioc) {
232         return NULL;
233     }
234 
235     info = g_malloc0(sizeof(*info));
236     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
237                                          qapi_VncServerInfo_base(info), &err);
238     info->has_auth = true;
239     info->auth = g_strdup(vnc_auth_name(vd));
240     if (err) {
241         qapi_free_VncServerInfo(info);
242         info = NULL;
243         error_free(err);
244     }
245     return info;
246 }
247 
248 static void vnc_client_cache_auth(VncState *client)
249 {
250     if (!client->info) {
251         return;
252     }
253 
254     if (client->tls) {
255         client->info->x509_dname =
256             qcrypto_tls_session_get_peer_name(client->tls);
257         client->info->has_x509_dname =
258             client->info->x509_dname != NULL;
259     }
260 #ifdef CONFIG_VNC_SASL
261     if (client->sasl.conn &&
262         client->sasl.username) {
263         client->info->has_sasl_username = true;
264         client->info->sasl_username = g_strdup(client->sasl.username);
265     }
266 #endif
267 }
268 
269 static void vnc_client_cache_addr(VncState *client)
270 {
271     Error *err = NULL;
272 
273     client->info = g_malloc0(sizeof(*client->info));
274     vnc_init_basic_info_from_remote_addr(client->sioc,
275                                          qapi_VncClientInfo_base(client->info),
276                                          &err);
277     if (err) {
278         qapi_free_VncClientInfo(client->info);
279         client->info = NULL;
280         error_free(err);
281     }
282 }
283 
284 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
285 {
286     VncServerInfo *si;
287 
288     if (!vs->info) {
289         return;
290     }
291 
292     si = vnc_server_info_get(vs->vd);
293     if (!si) {
294         return;
295     }
296 
297     switch (event) {
298     case QAPI_EVENT_VNC_CONNECTED:
299         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
300         break;
301     case QAPI_EVENT_VNC_INITIALIZED:
302         qapi_event_send_vnc_initialized(si, vs->info);
303         break;
304     case QAPI_EVENT_VNC_DISCONNECTED:
305         qapi_event_send_vnc_disconnected(si, vs->info);
306         break;
307     default:
308         break;
309     }
310 
311     qapi_free_VncServerInfo(si);
312 }
313 
314 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
315 {
316     VncClientInfo *info;
317     Error *err = NULL;
318 
319     info = g_malloc0(sizeof(*info));
320 
321     vnc_init_basic_info_from_remote_addr(client->sioc,
322                                          qapi_VncClientInfo_base(info),
323                                          &err);
324     if (err) {
325         error_free(err);
326         qapi_free_VncClientInfo(info);
327         return NULL;
328     }
329 
330     info->websocket = client->websocket;
331 
332     if (client->tls) {
333         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
334         info->has_x509_dname = info->x509_dname != NULL;
335     }
336 #ifdef CONFIG_VNC_SASL
337     if (client->sasl.conn && client->sasl.username) {
338         info->has_sasl_username = true;
339         info->sasl_username = g_strdup(client->sasl.username);
340     }
341 #endif
342 
343     return info;
344 }
345 
346 static VncDisplay *vnc_display_find(const char *id)
347 {
348     VncDisplay *vd;
349 
350     if (id == NULL) {
351         return QTAILQ_FIRST(&vnc_displays);
352     }
353     QTAILQ_FOREACH(vd, &vnc_displays, next) {
354         if (strcmp(id, vd->id) == 0) {
355             return vd;
356         }
357     }
358     return NULL;
359 }
360 
361 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
362 {
363     VncClientInfoList *cinfo, *prev = NULL;
364     VncState *client;
365 
366     QTAILQ_FOREACH(client, &vd->clients, next) {
367         cinfo = g_new0(VncClientInfoList, 1);
368         cinfo->value = qmp_query_vnc_client(client);
369         cinfo->next = prev;
370         prev = cinfo;
371     }
372     return prev;
373 }
374 
375 VncInfo *qmp_query_vnc(Error **errp)
376 {
377     VncInfo *info = g_malloc0(sizeof(*info));
378     VncDisplay *vd = vnc_display_find(NULL);
379     SocketAddress *addr = NULL;
380 
381     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
382         info->enabled = false;
383     } else {
384         info->enabled = true;
385 
386         /* for compatibility with the original command */
387         info->has_clients = true;
388         info->clients = qmp_query_client_list(vd);
389 
390         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
391                                                     errp);
392         if (!addr) {
393             goto out_error;
394         }
395 
396         switch (addr->type) {
397         case SOCKET_ADDRESS_TYPE_INET:
398             info->host = g_strdup(addr->u.inet.host);
399             info->service = g_strdup(addr->u.inet.port);
400             if (addr->u.inet.ipv6) {
401                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
402             } else {
403                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
404             }
405             break;
406 
407         case SOCKET_ADDRESS_TYPE_UNIX:
408             info->host = g_strdup("");
409             info->service = g_strdup(addr->u.q_unix.path);
410             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
411             break;
412 
413         case SOCKET_ADDRESS_TYPE_VSOCK:
414         case SOCKET_ADDRESS_TYPE_FD:
415             error_setg(errp, "Unsupported socket address type %s",
416                        SocketAddressType_str(addr->type));
417             goto out_error;
418         default:
419             abort();
420         }
421 
422         info->has_host = true;
423         info->has_service = true;
424         info->has_family = true;
425 
426         info->has_auth = true;
427         info->auth = g_strdup(vnc_auth_name(vd));
428     }
429 
430     qapi_free_SocketAddress(addr);
431     return info;
432 
433 out_error:
434     qapi_free_SocketAddress(addr);
435     qapi_free_VncInfo(info);
436     return NULL;
437 }
438 
439 
440 static void qmp_query_auth(int auth, int subauth,
441                            VncPrimaryAuth *qmp_auth,
442                            VncVencryptSubAuth *qmp_vencrypt,
443                            bool *qmp_has_vencrypt);
444 
445 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
446                                                   bool websocket,
447                                                   int auth,
448                                                   int subauth,
449                                                   VncServerInfo2List *prev)
450 {
451     VncServerInfo2List *list;
452     VncServerInfo2 *info;
453     Error *err = NULL;
454     SocketAddress *addr;
455 
456     addr = qio_channel_socket_get_local_address(ioc, &err);
457     if (!addr) {
458         error_free(err);
459         return prev;
460     }
461 
462     info = g_new0(VncServerInfo2, 1);
463     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
464     qapi_free_SocketAddress(addr);
465     if (err) {
466         qapi_free_VncServerInfo2(info);
467         error_free(err);
468         return prev;
469     }
470     info->websocket = websocket;
471 
472     qmp_query_auth(auth, subauth, &info->auth,
473                    &info->vencrypt, &info->has_vencrypt);
474 
475     list = g_new0(VncServerInfo2List, 1);
476     list->value = info;
477     list->next = prev;
478     return list;
479 }
480 
481 static void qmp_query_auth(int auth, int subauth,
482                            VncPrimaryAuth *qmp_auth,
483                            VncVencryptSubAuth *qmp_vencrypt,
484                            bool *qmp_has_vencrypt)
485 {
486     switch (auth) {
487     case VNC_AUTH_VNC:
488         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
489         break;
490     case VNC_AUTH_RA2:
491         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
492         break;
493     case VNC_AUTH_RA2NE:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
495         break;
496     case VNC_AUTH_TIGHT:
497         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
498         break;
499     case VNC_AUTH_ULTRA:
500         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
501         break;
502     case VNC_AUTH_TLS:
503         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
504         break;
505     case VNC_AUTH_VENCRYPT:
506         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
507         *qmp_has_vencrypt = true;
508         switch (subauth) {
509         case VNC_AUTH_VENCRYPT_PLAIN:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSNONE:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSVNC:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSPLAIN:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
520             break;
521         case VNC_AUTH_VENCRYPT_X509NONE:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
523             break;
524         case VNC_AUTH_VENCRYPT_X509VNC:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
526             break;
527         case VNC_AUTH_VENCRYPT_X509PLAIN:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
529             break;
530         case VNC_AUTH_VENCRYPT_TLSSASL:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
532             break;
533         case VNC_AUTH_VENCRYPT_X509SASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
535             break;
536         default:
537             *qmp_has_vencrypt = false;
538             break;
539         }
540         break;
541     case VNC_AUTH_SASL:
542         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
543         break;
544     case VNC_AUTH_NONE:
545     default:
546         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
547         break;
548     }
549 }
550 
551 VncInfo2List *qmp_query_vnc_servers(Error **errp)
552 {
553     VncInfo2List *item, *prev = NULL;
554     VncInfo2 *info;
555     VncDisplay *vd;
556     DeviceState *dev;
557     size_t i;
558 
559     QTAILQ_FOREACH(vd, &vnc_displays, next) {
560         info = g_new0(VncInfo2, 1);
561         info->id = g_strdup(vd->id);
562         info->clients = qmp_query_client_list(vd);
563         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
564                        &info->vencrypt, &info->has_vencrypt);
565         if (vd->dcl.con) {
566             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
567                                                   "device", NULL));
568             info->has_display = true;
569             info->display = g_strdup(dev->id);
570         }
571         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
572             info->server = qmp_query_server_entry(
573                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
574                 info->server);
575         }
576         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
577             info->server = qmp_query_server_entry(
578                 vd->wslistener->sioc[i], true, vd->ws_auth,
579                 vd->ws_subauth, info->server);
580         }
581 
582         item = g_new0(VncInfo2List, 1);
583         item->value = info;
584         item->next = prev;
585         prev = item;
586     }
587     return prev;
588 }
589 
590 /* TODO
591    1) Get the queue working for IO.
592    2) there is some weirdness when using the -S option (the screen is grey
593       and not totally invalidated
594    3) resolutions > 1024
595 */
596 
597 static int vnc_update_client(VncState *vs, int has_dirty);
598 static void vnc_disconnect_start(VncState *vs);
599 
600 static void vnc_colordepth(VncState *vs);
601 static void framebuffer_update_request(VncState *vs, int incremental,
602                                        int x_position, int y_position,
603                                        int w, int h);
604 static void vnc_refresh(DisplayChangeListener *dcl);
605 static int vnc_refresh_server_surface(VncDisplay *vd);
606 
607 static int vnc_width(VncDisplay *vd)
608 {
609     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
610                                        VNC_DIRTY_PIXELS_PER_BIT));
611 }
612 
613 static int vnc_height(VncDisplay *vd)
614 {
615     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
616 }
617 
618 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
619                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
620                                VncDisplay *vd,
621                                int x, int y, int w, int h)
622 {
623     int width = vnc_width(vd);
624     int height = vnc_height(vd);
625 
626     /* this is needed this to ensure we updated all affected
627      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
628     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
629     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
630 
631     x = MIN(x, width);
632     y = MIN(y, height);
633     w = MIN(x + w, width) - x;
634     h = MIN(y + h, height);
635 
636     for (; y < h; y++) {
637         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
638                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
639     }
640 }
641 
642 static void vnc_dpy_update(DisplayChangeListener *dcl,
643                            int x, int y, int w, int h)
644 {
645     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
646     struct VncSurface *s = &vd->guest;
647 
648     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
649 }
650 
651 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
652                             int32_t encoding)
653 {
654     vnc_write_u16(vs, x);
655     vnc_write_u16(vs, y);
656     vnc_write_u16(vs, w);
657     vnc_write_u16(vs, h);
658 
659     vnc_write_s32(vs, encoding);
660 }
661 
662 
663 static void vnc_desktop_resize(VncState *vs)
664 {
665     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
666         return;
667     }
668     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
669         vs->client_height == pixman_image_get_height(vs->vd->server)) {
670         return;
671     }
672 
673     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
674            pixman_image_get_width(vs->vd->server) >= 0);
675     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
676            pixman_image_get_height(vs->vd->server) >= 0);
677     vs->client_width = pixman_image_get_width(vs->vd->server);
678     vs->client_height = pixman_image_get_height(vs->vd->server);
679     vnc_lock_output(vs);
680     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
681     vnc_write_u8(vs, 0);
682     vnc_write_u16(vs, 1); /* number of rects */
683     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
684                            VNC_ENCODING_DESKTOPRESIZE);
685     vnc_unlock_output(vs);
686     vnc_flush(vs);
687 }
688 
689 static void vnc_abort_display_jobs(VncDisplay *vd)
690 {
691     VncState *vs;
692 
693     QTAILQ_FOREACH(vs, &vd->clients, next) {
694         vnc_lock_output(vs);
695         vs->abort = true;
696         vnc_unlock_output(vs);
697     }
698     QTAILQ_FOREACH(vs, &vd->clients, next) {
699         vnc_jobs_join(vs);
700     }
701     QTAILQ_FOREACH(vs, &vd->clients, next) {
702         vnc_lock_output(vs);
703         vs->abort = false;
704         vnc_unlock_output(vs);
705     }
706 }
707 
708 int vnc_server_fb_stride(VncDisplay *vd)
709 {
710     return pixman_image_get_stride(vd->server);
711 }
712 
713 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
714 {
715     uint8_t *ptr;
716 
717     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
718     ptr += y * vnc_server_fb_stride(vd);
719     ptr += x * VNC_SERVER_FB_BYTES;
720     return ptr;
721 }
722 
723 static void vnc_update_server_surface(VncDisplay *vd)
724 {
725     int width, height;
726 
727     qemu_pixman_image_unref(vd->server);
728     vd->server = NULL;
729 
730     if (QTAILQ_EMPTY(&vd->clients)) {
731         return;
732     }
733 
734     width = vnc_width(vd);
735     height = vnc_height(vd);
736     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
737                                           width, height,
738                                           NULL, 0);
739 
740     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
741     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
742                        width, height);
743 }
744 
745 static void vnc_dpy_switch(DisplayChangeListener *dcl,
746                            DisplaySurface *surface)
747 {
748     static const char placeholder_msg[] =
749         "Display output is not active.";
750     static DisplaySurface *placeholder;
751     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
752     VncState *vs;
753 
754     if (surface == NULL) {
755         if (placeholder == NULL) {
756             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
757         }
758         surface = placeholder;
759     }
760 
761     vnc_abort_display_jobs(vd);
762     vd->ds = surface;
763 
764     /* server surface */
765     vnc_update_server_surface(vd);
766 
767     /* guest surface */
768     qemu_pixman_image_unref(vd->guest.fb);
769     vd->guest.fb = pixman_image_ref(surface->image);
770     vd->guest.format = surface->format;
771 
772     QTAILQ_FOREACH(vs, &vd->clients, next) {
773         vnc_colordepth(vs);
774         vnc_desktop_resize(vs);
775         if (vs->vd->cursor) {
776             vnc_cursor_define(vs);
777         }
778         memset(vs->dirty, 0x00, sizeof(vs->dirty));
779         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
780                            vnc_width(vd),
781                            vnc_height(vd));
782         vnc_update_throttle_offset(vs);
783     }
784 }
785 
786 /* fastest code */
787 static void vnc_write_pixels_copy(VncState *vs,
788                                   void *pixels, int size)
789 {
790     vnc_write(vs, pixels, size);
791 }
792 
793 /* slowest but generic code. */
794 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
795 {
796     uint8_t r, g, b;
797 
798 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
799     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
800     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
801     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
802 #else
803 # error need some bits here if you change VNC_SERVER_FB_FORMAT
804 #endif
805     v = (r << vs->client_pf.rshift) |
806         (g << vs->client_pf.gshift) |
807         (b << vs->client_pf.bshift);
808     switch (vs->client_pf.bytes_per_pixel) {
809     case 1:
810         buf[0] = v;
811         break;
812     case 2:
813         if (vs->client_be) {
814             buf[0] = v >> 8;
815             buf[1] = v;
816         } else {
817             buf[1] = v >> 8;
818             buf[0] = v;
819         }
820         break;
821     default:
822     case 4:
823         if (vs->client_be) {
824             buf[0] = v >> 24;
825             buf[1] = v >> 16;
826             buf[2] = v >> 8;
827             buf[3] = v;
828         } else {
829             buf[3] = v >> 24;
830             buf[2] = v >> 16;
831             buf[1] = v >> 8;
832             buf[0] = v;
833         }
834         break;
835     }
836 }
837 
838 static void vnc_write_pixels_generic(VncState *vs,
839                                      void *pixels1, int size)
840 {
841     uint8_t buf[4];
842 
843     if (VNC_SERVER_FB_BYTES == 4) {
844         uint32_t *pixels = pixels1;
845         int n, i;
846         n = size >> 2;
847         for (i = 0; i < n; i++) {
848             vnc_convert_pixel(vs, buf, pixels[i]);
849             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
850         }
851     }
852 }
853 
854 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
855 {
856     int i;
857     uint8_t *row;
858     VncDisplay *vd = vs->vd;
859 
860     row = vnc_server_fb_ptr(vd, x, y);
861     for (i = 0; i < h; i++) {
862         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
863         row += vnc_server_fb_stride(vd);
864     }
865     return 1;
866 }
867 
868 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
869 {
870     int n = 0;
871     bool encode_raw = false;
872     size_t saved_offs = vs->output.offset;
873 
874     switch(vs->vnc_encoding) {
875         case VNC_ENCODING_ZLIB:
876             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
877             break;
878         case VNC_ENCODING_HEXTILE:
879             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
880             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
881             break;
882         case VNC_ENCODING_TIGHT:
883             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
884             break;
885         case VNC_ENCODING_TIGHT_PNG:
886             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
887             break;
888         case VNC_ENCODING_ZRLE:
889             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
890             break;
891         case VNC_ENCODING_ZYWRLE:
892             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
893             break;
894         default:
895             encode_raw = true;
896             break;
897     }
898 
899     /* If the client has the same pixel format as our internal buffer and
900      * a RAW encoding would need less space fall back to RAW encoding to
901      * save bandwidth and processing power in the client. */
902     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
903         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
904         vs->output.offset = saved_offs;
905         encode_raw = true;
906     }
907 
908     if (encode_raw) {
909         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
910         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
911     }
912 
913     return n;
914 }
915 
916 static void vnc_mouse_set(DisplayChangeListener *dcl,
917                           int x, int y, int visible)
918 {
919     /* can we ask the client(s) to move the pointer ??? */
920 }
921 
922 static int vnc_cursor_define(VncState *vs)
923 {
924     QEMUCursor *c = vs->vd->cursor;
925     int isize;
926 
927     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
928         vnc_lock_output(vs);
929         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
930         vnc_write_u8(vs,  0);  /*  padding     */
931         vnc_write_u16(vs, 1);  /*  # of rects  */
932         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
933                                VNC_ENCODING_RICH_CURSOR);
934         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
935         vnc_write_pixels_generic(vs, c->data, isize);
936         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
937         vnc_unlock_output(vs);
938         return 0;
939     }
940     return -1;
941 }
942 
943 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
944                                   QEMUCursor *c)
945 {
946     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
947     VncState *vs;
948 
949     cursor_put(vd->cursor);
950     g_free(vd->cursor_mask);
951 
952     vd->cursor = c;
953     cursor_get(vd->cursor);
954     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
955     vd->cursor_mask = g_malloc0(vd->cursor_msize);
956     cursor_get_mono_mask(c, 0, vd->cursor_mask);
957 
958     QTAILQ_FOREACH(vs, &vd->clients, next) {
959         vnc_cursor_define(vs);
960     }
961 }
962 
963 static int find_and_clear_dirty_height(VncState *vs,
964                                        int y, int last_x, int x, int height)
965 {
966     int h;
967 
968     for (h = 1; h < (height - y); h++) {
969         if (!test_bit(last_x, vs->dirty[y + h])) {
970             break;
971         }
972         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
973     }
974 
975     return h;
976 }
977 
978 /*
979  * Figure out how much pending data we should allow in the output
980  * buffer before we throttle incremental display updates, and/or
981  * drop audio samples.
982  *
983  * We allow for equiv of 1 full display's worth of FB updates,
984  * and 1 second of audio samples. If audio backlog was larger
985  * than that the client would already suffering awful audio
986  * glitches, so dropping samples is no worse really).
987  */
988 static void vnc_update_throttle_offset(VncState *vs)
989 {
990     size_t offset =
991         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
992 
993     if (vs->audio_cap) {
994         int bps;
995         switch (vs->as.fmt) {
996         default:
997         case  AUD_FMT_U8:
998         case  AUD_FMT_S8:
999             bps = 1;
1000             break;
1001         case  AUD_FMT_U16:
1002         case  AUD_FMT_S16:
1003             bps = 2;
1004             break;
1005         case  AUD_FMT_U32:
1006         case  AUD_FMT_S32:
1007             bps = 4;
1008             break;
1009         }
1010         offset += vs->as.freq * bps * vs->as.nchannels;
1011     }
1012 
1013     /* Put a floor of 1MB on offset, so that if we have a large pending
1014      * buffer and the display is resized to a small size & back again
1015      * we don't suddenly apply a tiny send limit
1016      */
1017     offset = MAX(offset, 1024 * 1024);
1018 
1019     if (vs->throttle_output_offset != offset) {
1020         trace_vnc_client_throttle_threshold(
1021             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1022             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1023     }
1024 
1025     vs->throttle_output_offset = offset;
1026 }
1027 
1028 static bool vnc_should_update(VncState *vs)
1029 {
1030     switch (vs->update) {
1031     case VNC_STATE_UPDATE_NONE:
1032         break;
1033     case VNC_STATE_UPDATE_INCREMENTAL:
1034         /* Only allow incremental updates if the pending send queue
1035          * is less than the permitted threshold, and the job worker
1036          * is completely idle.
1037          */
1038         if (vs->output.offset < vs->throttle_output_offset &&
1039             vs->job_update == VNC_STATE_UPDATE_NONE) {
1040             return true;
1041         }
1042         trace_vnc_client_throttle_incremental(
1043             vs, vs->ioc, vs->job_update, vs->output.offset);
1044         break;
1045     case VNC_STATE_UPDATE_FORCE:
1046         /* Only allow forced updates if the pending send queue
1047          * does not contain a previous forced update, and the
1048          * job worker is completely idle.
1049          *
1050          * Note this means we'll queue a forced update, even if
1051          * the output buffer size is otherwise over the throttle
1052          * output limit.
1053          */
1054         if (vs->force_update_offset == 0 &&
1055             vs->job_update == VNC_STATE_UPDATE_NONE) {
1056             return true;
1057         }
1058         trace_vnc_client_throttle_forced(
1059             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1060         break;
1061     }
1062     return false;
1063 }
1064 
1065 static int vnc_update_client(VncState *vs, int has_dirty)
1066 {
1067     VncDisplay *vd = vs->vd;
1068     VncJob *job;
1069     int y;
1070     int height, width;
1071     int n = 0;
1072 
1073     if (vs->disconnecting) {
1074         vnc_disconnect_finish(vs);
1075         return 0;
1076     }
1077 
1078     vs->has_dirty += has_dirty;
1079     if (!vnc_should_update(vs)) {
1080         return 0;
1081     }
1082 
1083     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1084         return 0;
1085     }
1086 
1087     /*
1088      * Send screen updates to the vnc client using the server
1089      * surface and server dirty map.  guest surface updates
1090      * happening in parallel don't disturb us, the next pass will
1091      * send them to the client.
1092      */
1093     job = vnc_job_new(vs);
1094 
1095     height = pixman_image_get_height(vd->server);
1096     width = pixman_image_get_width(vd->server);
1097 
1098     y = 0;
1099     for (;;) {
1100         int x, h;
1101         unsigned long x2;
1102         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1103                                              height * VNC_DIRTY_BPL(vs),
1104                                              y * VNC_DIRTY_BPL(vs));
1105         if (offset == height * VNC_DIRTY_BPL(vs)) {
1106             /* no more dirty bits */
1107             break;
1108         }
1109         y = offset / VNC_DIRTY_BPL(vs);
1110         x = offset % VNC_DIRTY_BPL(vs);
1111         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1112                                 VNC_DIRTY_BPL(vs), x);
1113         bitmap_clear(vs->dirty[y], x, x2 - x);
1114         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1115         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1116         if (x2 > x) {
1117             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1118                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1119         }
1120         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1121             y += h;
1122             if (y == height) {
1123                 break;
1124             }
1125         }
1126     }
1127 
1128     vs->job_update = vs->update;
1129     vs->update = VNC_STATE_UPDATE_NONE;
1130     vnc_job_push(job);
1131     vs->has_dirty = 0;
1132     return n;
1133 }
1134 
1135 /* audio */
1136 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1137 {
1138     VncState *vs = opaque;
1139 
1140     assert(vs->magic == VNC_MAGIC);
1141     switch (cmd) {
1142     case AUD_CNOTIFY_DISABLE:
1143         vnc_lock_output(vs);
1144         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1145         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1146         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1147         vnc_unlock_output(vs);
1148         vnc_flush(vs);
1149         break;
1150 
1151     case AUD_CNOTIFY_ENABLE:
1152         vnc_lock_output(vs);
1153         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1154         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1155         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1156         vnc_unlock_output(vs);
1157         vnc_flush(vs);
1158         break;
1159     }
1160 }
1161 
1162 static void audio_capture_destroy(void *opaque)
1163 {
1164 }
1165 
1166 static void audio_capture(void *opaque, void *buf, int size)
1167 {
1168     VncState *vs = opaque;
1169 
1170     assert(vs->magic == VNC_MAGIC);
1171     vnc_lock_output(vs);
1172     if (vs->output.offset < vs->throttle_output_offset) {
1173         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1174         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1175         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1176         vnc_write_u32(vs, size);
1177         vnc_write(vs, buf, size);
1178     } else {
1179         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1180     }
1181     vnc_unlock_output(vs);
1182     vnc_flush(vs);
1183 }
1184 
1185 static void audio_add(VncState *vs)
1186 {
1187     struct audio_capture_ops ops;
1188 
1189     if (vs->audio_cap) {
1190         error_report("audio already running");
1191         return;
1192     }
1193 
1194     ops.notify = audio_capture_notify;
1195     ops.destroy = audio_capture_destroy;
1196     ops.capture = audio_capture;
1197 
1198     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1199     if (!vs->audio_cap) {
1200         error_report("Failed to add audio capture");
1201     }
1202 }
1203 
1204 static void audio_del(VncState *vs)
1205 {
1206     if (vs->audio_cap) {
1207         AUD_del_capture(vs->audio_cap, vs);
1208         vs->audio_cap = NULL;
1209     }
1210 }
1211 
1212 static void vnc_disconnect_start(VncState *vs)
1213 {
1214     if (vs->disconnecting) {
1215         return;
1216     }
1217     trace_vnc_client_disconnect_start(vs, vs->ioc);
1218     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1219     if (vs->ioc_tag) {
1220         g_source_remove(vs->ioc_tag);
1221         vs->ioc_tag = 0;
1222     }
1223     qio_channel_close(vs->ioc, NULL);
1224     vs->disconnecting = TRUE;
1225 }
1226 
1227 void vnc_disconnect_finish(VncState *vs)
1228 {
1229     int i;
1230 
1231     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1232 
1233     vnc_jobs_join(vs); /* Wait encoding jobs */
1234 
1235     vnc_lock_output(vs);
1236     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1237 
1238     buffer_free(&vs->input);
1239     buffer_free(&vs->output);
1240 
1241     qapi_free_VncClientInfo(vs->info);
1242 
1243     vnc_zlib_clear(vs);
1244     vnc_tight_clear(vs);
1245     vnc_zrle_clear(vs);
1246 
1247 #ifdef CONFIG_VNC_SASL
1248     vnc_sasl_client_cleanup(vs);
1249 #endif /* CONFIG_VNC_SASL */
1250     audio_del(vs);
1251     vnc_release_modifiers(vs);
1252 
1253     if (vs->mouse_mode_notifier.notify != NULL) {
1254         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1255     }
1256     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1257     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1258         /* last client gone */
1259         vnc_update_server_surface(vs->vd);
1260     }
1261 
1262     vnc_unlock_output(vs);
1263 
1264     qemu_mutex_destroy(&vs->output_mutex);
1265     if (vs->bh != NULL) {
1266         qemu_bh_delete(vs->bh);
1267     }
1268     buffer_free(&vs->jobs_buffer);
1269 
1270     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1271         g_free(vs->lossy_rect[i]);
1272     }
1273     g_free(vs->lossy_rect);
1274 
1275     object_unref(OBJECT(vs->ioc));
1276     vs->ioc = NULL;
1277     object_unref(OBJECT(vs->sioc));
1278     vs->sioc = NULL;
1279     vs->magic = 0;
1280     g_free(vs);
1281 }
1282 
1283 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1284 {
1285     if (ret <= 0) {
1286         if (ret == 0) {
1287             trace_vnc_client_eof(vs, vs->ioc);
1288             vnc_disconnect_start(vs);
1289         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1290             trace_vnc_client_io_error(vs, vs->ioc,
1291                                       errp ? error_get_pretty(*errp) :
1292                                       "Unknown");
1293             vnc_disconnect_start(vs);
1294         }
1295 
1296         if (errp) {
1297             error_free(*errp);
1298             *errp = NULL;
1299         }
1300         return 0;
1301     }
1302     return ret;
1303 }
1304 
1305 
1306 void vnc_client_error(VncState *vs)
1307 {
1308     VNC_DEBUG("Closing down client sock: protocol error\n");
1309     vnc_disconnect_start(vs);
1310 }
1311 
1312 
1313 /*
1314  * Called to write a chunk of data to the client socket. The data may
1315  * be the raw data, or may have already been encoded by SASL.
1316  * The data will be written either straight onto the socket, or
1317  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1318  *
1319  * NB, it is theoretically possible to have 2 layers of encryption,
1320  * both SASL, and this TLS layer. It is highly unlikely in practice
1321  * though, since SASL encryption will typically be a no-op if TLS
1322  * is active
1323  *
1324  * Returns the number of bytes written, which may be less than
1325  * the requested 'datalen' if the socket would block. Returns
1326  * 0 on I/O error, and disconnects the client socket.
1327  */
1328 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1329 {
1330     Error *err = NULL;
1331     ssize_t ret;
1332     ret = qio_channel_write(
1333         vs->ioc, (const char *)data, datalen, &err);
1334     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1335     return vnc_client_io_error(vs, ret, &err);
1336 }
1337 
1338 
1339 /*
1340  * Called to write buffered data to the client socket, when not
1341  * using any SASL SSF encryption layers. Will write as much data
1342  * as possible without blocking. If all buffered data is written,
1343  * will switch the FD poll() handler back to read monitoring.
1344  *
1345  * Returns the number of bytes written, which may be less than
1346  * the buffered output data if the socket would block.  Returns
1347  * 0 on I/O error, and disconnects the client socket.
1348  */
1349 static size_t vnc_client_write_plain(VncState *vs)
1350 {
1351     size_t offset;
1352     size_t ret;
1353 
1354 #ifdef CONFIG_VNC_SASL
1355     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1356               vs->output.buffer, vs->output.capacity, vs->output.offset,
1357               vs->sasl.waitWriteSSF);
1358 
1359     if (vs->sasl.conn &&
1360         vs->sasl.runSSF &&
1361         vs->sasl.waitWriteSSF) {
1362         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1363         if (ret)
1364             vs->sasl.waitWriteSSF -= ret;
1365     } else
1366 #endif /* CONFIG_VNC_SASL */
1367         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1368     if (!ret)
1369         return 0;
1370 
1371     if (ret >= vs->force_update_offset) {
1372         if (vs->force_update_offset != 0) {
1373             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1374         }
1375         vs->force_update_offset = 0;
1376     } else {
1377         vs->force_update_offset -= ret;
1378     }
1379     offset = vs->output.offset;
1380     buffer_advance(&vs->output, ret);
1381     if (offset >= vs->throttle_output_offset &&
1382         vs->output.offset < vs->throttle_output_offset) {
1383         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1384     }
1385 
1386     if (vs->output.offset == 0) {
1387         if (vs->ioc_tag) {
1388             g_source_remove(vs->ioc_tag);
1389         }
1390         vs->ioc_tag = qio_channel_add_watch(
1391             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1392     }
1393 
1394     return ret;
1395 }
1396 
1397 
1398 /*
1399  * First function called whenever there is data to be written to
1400  * the client socket. Will delegate actual work according to whether
1401  * SASL SSF layers are enabled (thus requiring encryption calls)
1402  */
1403 static void vnc_client_write_locked(VncState *vs)
1404 {
1405 #ifdef CONFIG_VNC_SASL
1406     if (vs->sasl.conn &&
1407         vs->sasl.runSSF &&
1408         !vs->sasl.waitWriteSSF) {
1409         vnc_client_write_sasl(vs);
1410     } else
1411 #endif /* CONFIG_VNC_SASL */
1412     {
1413         vnc_client_write_plain(vs);
1414     }
1415 }
1416 
1417 static void vnc_client_write(VncState *vs)
1418 {
1419     assert(vs->magic == VNC_MAGIC);
1420     vnc_lock_output(vs);
1421     if (vs->output.offset) {
1422         vnc_client_write_locked(vs);
1423     } else if (vs->ioc != NULL) {
1424         if (vs->ioc_tag) {
1425             g_source_remove(vs->ioc_tag);
1426         }
1427         vs->ioc_tag = qio_channel_add_watch(
1428             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1429     }
1430     vnc_unlock_output(vs);
1431 }
1432 
1433 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1434 {
1435     vs->read_handler = func;
1436     vs->read_handler_expect = expecting;
1437 }
1438 
1439 
1440 /*
1441  * Called to read a chunk of data from the client socket. The data may
1442  * be the raw data, or may need to be further decoded by SASL.
1443  * The data will be read either straight from to the socket, or
1444  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1445  *
1446  * NB, it is theoretically possible to have 2 layers of encryption,
1447  * both SASL, and this TLS layer. It is highly unlikely in practice
1448  * though, since SASL encryption will typically be a no-op if TLS
1449  * is active
1450  *
1451  * Returns the number of bytes read, which may be less than
1452  * the requested 'datalen' if the socket would block. Returns
1453  * 0 on I/O error or EOF, and disconnects the client socket.
1454  */
1455 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1456 {
1457     ssize_t ret;
1458     Error *err = NULL;
1459     ret = qio_channel_read(
1460         vs->ioc, (char *)data, datalen, &err);
1461     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1462     return vnc_client_io_error(vs, ret, &err);
1463 }
1464 
1465 
1466 /*
1467  * Called to read data from the client socket to the input buffer,
1468  * when not using any SASL SSF encryption layers. Will read as much
1469  * data as possible without blocking.
1470  *
1471  * Returns the number of bytes read, which may be less than
1472  * the requested 'datalen' if the socket would block. Returns
1473  * 0 on I/O error or EOF, and disconnects the client socket.
1474  */
1475 static size_t vnc_client_read_plain(VncState *vs)
1476 {
1477     size_t ret;
1478     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1479               vs->input.buffer, vs->input.capacity, vs->input.offset);
1480     buffer_reserve(&vs->input, 4096);
1481     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1482     if (!ret)
1483         return 0;
1484     vs->input.offset += ret;
1485     return ret;
1486 }
1487 
1488 static void vnc_jobs_bh(void *opaque)
1489 {
1490     VncState *vs = opaque;
1491 
1492     assert(vs->magic == VNC_MAGIC);
1493     vnc_jobs_consume_buffer(vs);
1494 }
1495 
1496 /*
1497  * First function called whenever there is more data to be read from
1498  * the client socket. Will delegate actual work according to whether
1499  * SASL SSF layers are enabled (thus requiring decryption calls)
1500  * Returns 0 on success, -1 if client disconnected
1501  */
1502 static int vnc_client_read(VncState *vs)
1503 {
1504     size_t ret;
1505 
1506 #ifdef CONFIG_VNC_SASL
1507     if (vs->sasl.conn && vs->sasl.runSSF)
1508         ret = vnc_client_read_sasl(vs);
1509     else
1510 #endif /* CONFIG_VNC_SASL */
1511         ret = vnc_client_read_plain(vs);
1512     if (!ret) {
1513         if (vs->disconnecting) {
1514             vnc_disconnect_finish(vs);
1515             return -1;
1516         }
1517         return 0;
1518     }
1519 
1520     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1521         size_t len = vs->read_handler_expect;
1522         int ret;
1523 
1524         ret = vs->read_handler(vs, vs->input.buffer, len);
1525         if (vs->disconnecting) {
1526             vnc_disconnect_finish(vs);
1527             return -1;
1528         }
1529 
1530         if (!ret) {
1531             buffer_advance(&vs->input, len);
1532         } else {
1533             vs->read_handler_expect = ret;
1534         }
1535     }
1536     return 0;
1537 }
1538 
1539 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1540                        GIOCondition condition, void *opaque)
1541 {
1542     VncState *vs = opaque;
1543 
1544     assert(vs->magic == VNC_MAGIC);
1545     if (condition & G_IO_IN) {
1546         if (vnc_client_read(vs) < 0) {
1547             /* vs is free()ed here */
1548             return TRUE;
1549         }
1550     }
1551     if (condition & G_IO_OUT) {
1552         vnc_client_write(vs);
1553     }
1554 
1555     if (vs->disconnecting) {
1556         if (vs->ioc_tag != 0) {
1557             g_source_remove(vs->ioc_tag);
1558         }
1559         vs->ioc_tag = 0;
1560     }
1561     return TRUE;
1562 }
1563 
1564 
1565 /*
1566  * Scale factor to apply to vs->throttle_output_offset when checking for
1567  * hard limit. Worst case normal usage could be x2, if we have a complete
1568  * incremental update and complete forced update in the output buffer.
1569  * So x3 should be good enough, but we pick x5 to be conservative and thus
1570  * (hopefully) never trigger incorrectly.
1571  */
1572 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1573 
1574 void vnc_write(VncState *vs, const void *data, size_t len)
1575 {
1576     assert(vs->magic == VNC_MAGIC);
1577     if (vs->disconnecting) {
1578         return;
1579     }
1580     /* Protection against malicious client/guest to prevent our output
1581      * buffer growing without bound if client stops reading data. This
1582      * should rarely trigger, because we have earlier throttling code
1583      * which stops issuing framebuffer updates and drops audio data
1584      * if the throttle_output_offset value is exceeded. So we only reach
1585      * this higher level if a huge number of pseudo-encodings get
1586      * triggered while data can't be sent on the socket.
1587      *
1588      * NB throttle_output_offset can be zero during early protocol
1589      * handshake, or from the job thread's VncState clone
1590      */
1591     if (vs->throttle_output_offset != 0 &&
1592         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1593         vs->throttle_output_offset) {
1594         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1595                                       vs->throttle_output_offset);
1596         vnc_disconnect_start(vs);
1597         return;
1598     }
1599     buffer_reserve(&vs->output, len);
1600 
1601     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1602         if (vs->ioc_tag) {
1603             g_source_remove(vs->ioc_tag);
1604         }
1605         vs->ioc_tag = qio_channel_add_watch(
1606             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1607     }
1608 
1609     buffer_append(&vs->output, data, len);
1610 }
1611 
1612 void vnc_write_s32(VncState *vs, int32_t value)
1613 {
1614     vnc_write_u32(vs, *(uint32_t *)&value);
1615 }
1616 
1617 void vnc_write_u32(VncState *vs, uint32_t value)
1618 {
1619     uint8_t buf[4];
1620 
1621     buf[0] = (value >> 24) & 0xFF;
1622     buf[1] = (value >> 16) & 0xFF;
1623     buf[2] = (value >>  8) & 0xFF;
1624     buf[3] = value & 0xFF;
1625 
1626     vnc_write(vs, buf, 4);
1627 }
1628 
1629 void vnc_write_u16(VncState *vs, uint16_t value)
1630 {
1631     uint8_t buf[2];
1632 
1633     buf[0] = (value >> 8) & 0xFF;
1634     buf[1] = value & 0xFF;
1635 
1636     vnc_write(vs, buf, 2);
1637 }
1638 
1639 void vnc_write_u8(VncState *vs, uint8_t value)
1640 {
1641     vnc_write(vs, (char *)&value, 1);
1642 }
1643 
1644 void vnc_flush(VncState *vs)
1645 {
1646     vnc_lock_output(vs);
1647     if (vs->ioc != NULL && vs->output.offset) {
1648         vnc_client_write_locked(vs);
1649     }
1650     if (vs->disconnecting) {
1651         if (vs->ioc_tag != 0) {
1652             g_source_remove(vs->ioc_tag);
1653         }
1654         vs->ioc_tag = 0;
1655     }
1656     vnc_unlock_output(vs);
1657 }
1658 
1659 static uint8_t read_u8(uint8_t *data, size_t offset)
1660 {
1661     return data[offset];
1662 }
1663 
1664 static uint16_t read_u16(uint8_t *data, size_t offset)
1665 {
1666     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1667 }
1668 
1669 static int32_t read_s32(uint8_t *data, size_t offset)
1670 {
1671     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1672                      (data[offset + 2] << 8) | data[offset + 3]);
1673 }
1674 
1675 uint32_t read_u32(uint8_t *data, size_t offset)
1676 {
1677     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1678             (data[offset + 2] << 8) | data[offset + 3]);
1679 }
1680 
1681 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1682 {
1683 }
1684 
1685 static void check_pointer_type_change(Notifier *notifier, void *data)
1686 {
1687     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1688     int absolute = qemu_input_is_absolute();
1689 
1690     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1691         vnc_lock_output(vs);
1692         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1693         vnc_write_u8(vs, 0);
1694         vnc_write_u16(vs, 1);
1695         vnc_framebuffer_update(vs, absolute, 0,
1696                                pixman_image_get_width(vs->vd->server),
1697                                pixman_image_get_height(vs->vd->server),
1698                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1699         vnc_unlock_output(vs);
1700         vnc_flush(vs);
1701     }
1702     vs->absolute = absolute;
1703 }
1704 
1705 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1706 {
1707     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1708         [INPUT_BUTTON_LEFT]       = 0x01,
1709         [INPUT_BUTTON_MIDDLE]     = 0x02,
1710         [INPUT_BUTTON_RIGHT]      = 0x04,
1711         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1712         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1713     };
1714     QemuConsole *con = vs->vd->dcl.con;
1715     int width = pixman_image_get_width(vs->vd->server);
1716     int height = pixman_image_get_height(vs->vd->server);
1717 
1718     if (vs->last_bmask != button_mask) {
1719         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1720         vs->last_bmask = button_mask;
1721     }
1722 
1723     if (vs->absolute) {
1724         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1725         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1726     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1727         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1728         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1729     } else {
1730         if (vs->last_x != -1) {
1731             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1732             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1733         }
1734         vs->last_x = x;
1735         vs->last_y = y;
1736     }
1737     qemu_input_event_sync();
1738 }
1739 
1740 static void reset_keys(VncState *vs)
1741 {
1742     int i;
1743     for(i = 0; i < 256; i++) {
1744         if (vs->modifiers_state[i]) {
1745             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1746             qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1747             vs->modifiers_state[i] = 0;
1748         }
1749     }
1750 }
1751 
1752 static void press_key(VncState *vs, int keysym)
1753 {
1754     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym,
1755                                   false, false, false) & SCANCODE_KEYMASK;
1756     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1757     qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1758     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1759     qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1760 }
1761 
1762 static void vnc_led_state_change(VncState *vs)
1763 {
1764     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1765         return;
1766     }
1767 
1768     vnc_lock_output(vs);
1769     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1770     vnc_write_u8(vs, 0);
1771     vnc_write_u16(vs, 1);
1772     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1773     vnc_write_u8(vs, vs->vd->ledstate);
1774     vnc_unlock_output(vs);
1775     vnc_flush(vs);
1776 }
1777 
1778 static void kbd_leds(void *opaque, int ledstate)
1779 {
1780     VncDisplay *vd = opaque;
1781     VncState *client;
1782 
1783     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1784                              (ledstate & QEMU_NUM_LOCK_LED),
1785                              (ledstate & QEMU_SCROLL_LOCK_LED));
1786 
1787     if (ledstate == vd->ledstate) {
1788         return;
1789     }
1790 
1791     vd->ledstate = ledstate;
1792 
1793     QTAILQ_FOREACH(client, &vd->clients, next) {
1794         vnc_led_state_change(client);
1795     }
1796 }
1797 
1798 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1799 {
1800     /* QEMU console switch */
1801     switch(keycode) {
1802     case 0x2a:                          /* Left Shift */
1803     case 0x36:                          /* Right Shift */
1804     case 0x1d:                          /* Left CTRL */
1805     case 0x9d:                          /* Right CTRL */
1806     case 0x38:                          /* Left ALT */
1807     case 0xb8:                          /* Right ALT */
1808         if (down)
1809             vs->modifiers_state[keycode] = 1;
1810         else
1811             vs->modifiers_state[keycode] = 0;
1812         break;
1813     case 0x02 ... 0x0a: /* '1' to '9' keys */
1814         if (vs->vd->dcl.con == NULL &&
1815             down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1816             /* Reset the modifiers sent to the current console */
1817             reset_keys(vs);
1818             console_select(keycode - 0x02);
1819             return;
1820         }
1821         break;
1822     case 0x3a:                        /* CapsLock */
1823     case 0x45:                        /* NumLock */
1824         if (down)
1825             vs->modifiers_state[keycode] ^= 1;
1826         break;
1827     }
1828 
1829     /* Turn off the lock state sync logic if the client support the led
1830        state extension.
1831     */
1832     if (down && vs->vd->lock_key_sync &&
1833         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1834         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1835         /* If the numlock state needs to change then simulate an additional
1836            keypress before sending this one.  This will happen if the user
1837            toggles numlock away from the VNC window.
1838         */
1839         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1840             if (!vs->modifiers_state[0x45]) {
1841                 trace_vnc_key_sync_numlock(true);
1842                 vs->modifiers_state[0x45] = 1;
1843                 press_key(vs, 0xff7f);
1844             }
1845         } else {
1846             if (vs->modifiers_state[0x45]) {
1847                 trace_vnc_key_sync_numlock(false);
1848                 vs->modifiers_state[0x45] = 0;
1849                 press_key(vs, 0xff7f);
1850             }
1851         }
1852     }
1853 
1854     if (down && vs->vd->lock_key_sync &&
1855         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1856         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1857         /* If the capslock state needs to change then simulate an additional
1858            keypress before sending this one.  This will happen if the user
1859            toggles capslock away from the VNC window.
1860         */
1861         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1862         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1863         int capslock = !!(vs->modifiers_state[0x3a]);
1864         if (capslock) {
1865             if (uppercase == shift) {
1866                 trace_vnc_key_sync_capslock(false);
1867                 vs->modifiers_state[0x3a] = 0;
1868                 press_key(vs, 0xffe5);
1869             }
1870         } else {
1871             if (uppercase != shift) {
1872                 trace_vnc_key_sync_capslock(true);
1873                 vs->modifiers_state[0x3a] = 1;
1874                 press_key(vs, 0xffe5);
1875             }
1876         }
1877     }
1878 
1879     if (qemu_console_is_graphic(NULL)) {
1880         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1881         qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
1882     } else {
1883         bool numlock = vs->modifiers_state[0x45];
1884         bool control = (vs->modifiers_state[0x1d] ||
1885                         vs->modifiers_state[0x9d]);
1886         /* QEMU console emulation */
1887         if (down) {
1888             switch (keycode) {
1889             case 0x2a:                          /* Left Shift */
1890             case 0x36:                          /* Right Shift */
1891             case 0x1d:                          /* Left CTRL */
1892             case 0x9d:                          /* Right CTRL */
1893             case 0x38:                          /* Left ALT */
1894             case 0xb8:                          /* Right ALT */
1895                 break;
1896             case 0xc8:
1897                 kbd_put_keysym(QEMU_KEY_UP);
1898                 break;
1899             case 0xd0:
1900                 kbd_put_keysym(QEMU_KEY_DOWN);
1901                 break;
1902             case 0xcb:
1903                 kbd_put_keysym(QEMU_KEY_LEFT);
1904                 break;
1905             case 0xcd:
1906                 kbd_put_keysym(QEMU_KEY_RIGHT);
1907                 break;
1908             case 0xd3:
1909                 kbd_put_keysym(QEMU_KEY_DELETE);
1910                 break;
1911             case 0xc7:
1912                 kbd_put_keysym(QEMU_KEY_HOME);
1913                 break;
1914             case 0xcf:
1915                 kbd_put_keysym(QEMU_KEY_END);
1916                 break;
1917             case 0xc9:
1918                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1919                 break;
1920             case 0xd1:
1921                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1922                 break;
1923 
1924             case 0x47:
1925                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1926                 break;
1927             case 0x48:
1928                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1929                 break;
1930             case 0x49:
1931                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1932                 break;
1933             case 0x4b:
1934                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1935                 break;
1936             case 0x4c:
1937                 kbd_put_keysym('5');
1938                 break;
1939             case 0x4d:
1940                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1941                 break;
1942             case 0x4f:
1943                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1944                 break;
1945             case 0x50:
1946                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1947                 break;
1948             case 0x51:
1949                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1950                 break;
1951             case 0x52:
1952                 kbd_put_keysym('0');
1953                 break;
1954             case 0x53:
1955                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1956                 break;
1957 
1958             case 0xb5:
1959                 kbd_put_keysym('/');
1960                 break;
1961             case 0x37:
1962                 kbd_put_keysym('*');
1963                 break;
1964             case 0x4a:
1965                 kbd_put_keysym('-');
1966                 break;
1967             case 0x4e:
1968                 kbd_put_keysym('+');
1969                 break;
1970             case 0x9c:
1971                 kbd_put_keysym('\n');
1972                 break;
1973 
1974             default:
1975                 if (control) {
1976                     kbd_put_keysym(sym & 0x1f);
1977                 } else {
1978                     kbd_put_keysym(sym);
1979                 }
1980                 break;
1981             }
1982         }
1983     }
1984 }
1985 
1986 static void vnc_release_modifiers(VncState *vs)
1987 {
1988     static const int keycodes[] = {
1989         /* shift, control, alt keys, both left & right */
1990         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1991     };
1992     int i, keycode;
1993 
1994     if (!qemu_console_is_graphic(NULL)) {
1995         return;
1996     }
1997     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1998         keycode = keycodes[i];
1999         if (!vs->modifiers_state[keycode]) {
2000             continue;
2001         }
2002         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
2003         qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
2004     }
2005 }
2006 
2007 static const char *code2name(int keycode)
2008 {
2009     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2010 }
2011 
2012 static void key_event(VncState *vs, int down, uint32_t sym)
2013 {
2014     bool shift = vs->modifiers_state[0x2a] || vs->modifiers_state[0x36];
2015     bool altgr = vs->modifiers_state[0xb8];
2016     bool ctrl  = vs->modifiers_state[0x1d] || vs->modifiers_state[0x9d];
2017     int keycode;
2018     int lsym = sym;
2019 
2020     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2021         lsym = lsym - 'A' + 'a';
2022     }
2023 
2024     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2025                               shift, altgr, ctrl) & SCANCODE_KEYMASK;
2026     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2027     do_key_event(vs, down, keycode, sym);
2028 }
2029 
2030 static void ext_key_event(VncState *vs, int down,
2031                           uint32_t sym, uint16_t keycode)
2032 {
2033     /* if the user specifies a keyboard layout, always use it */
2034     if (keyboard_layout) {
2035         key_event(vs, down, sym);
2036     } else {
2037         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2038         do_key_event(vs, down, keycode, sym);
2039     }
2040 }
2041 
2042 static void framebuffer_update_request(VncState *vs, int incremental,
2043                                        int x, int y, int w, int h)
2044 {
2045     if (incremental) {
2046         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2047             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2048         }
2049     } else {
2050         vs->update = VNC_STATE_UPDATE_FORCE;
2051         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2052     }
2053 }
2054 
2055 static void send_ext_key_event_ack(VncState *vs)
2056 {
2057     vnc_lock_output(vs);
2058     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2059     vnc_write_u8(vs, 0);
2060     vnc_write_u16(vs, 1);
2061     vnc_framebuffer_update(vs, 0, 0,
2062                            pixman_image_get_width(vs->vd->server),
2063                            pixman_image_get_height(vs->vd->server),
2064                            VNC_ENCODING_EXT_KEY_EVENT);
2065     vnc_unlock_output(vs);
2066     vnc_flush(vs);
2067 }
2068 
2069 static void send_ext_audio_ack(VncState *vs)
2070 {
2071     vnc_lock_output(vs);
2072     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2073     vnc_write_u8(vs, 0);
2074     vnc_write_u16(vs, 1);
2075     vnc_framebuffer_update(vs, 0, 0,
2076                            pixman_image_get_width(vs->vd->server),
2077                            pixman_image_get_height(vs->vd->server),
2078                            VNC_ENCODING_AUDIO);
2079     vnc_unlock_output(vs);
2080     vnc_flush(vs);
2081 }
2082 
2083 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2084 {
2085     int i;
2086     unsigned int enc = 0;
2087 
2088     vs->features = 0;
2089     vs->vnc_encoding = 0;
2090     vs->tight.compression = 9;
2091     vs->tight.quality = -1; /* Lossless by default */
2092     vs->absolute = -1;
2093 
2094     /*
2095      * Start from the end because the encodings are sent in order of preference.
2096      * This way the preferred encoding (first encoding defined in the array)
2097      * will be set at the end of the loop.
2098      */
2099     for (i = n_encodings - 1; i >= 0; i--) {
2100         enc = encodings[i];
2101         switch (enc) {
2102         case VNC_ENCODING_RAW:
2103             vs->vnc_encoding = enc;
2104             break;
2105         case VNC_ENCODING_COPYRECT:
2106             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2107             break;
2108         case VNC_ENCODING_HEXTILE:
2109             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2110             vs->vnc_encoding = enc;
2111             break;
2112         case VNC_ENCODING_TIGHT:
2113             vs->features |= VNC_FEATURE_TIGHT_MASK;
2114             vs->vnc_encoding = enc;
2115             break;
2116 #ifdef CONFIG_VNC_PNG
2117         case VNC_ENCODING_TIGHT_PNG:
2118             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2119             vs->vnc_encoding = enc;
2120             break;
2121 #endif
2122         case VNC_ENCODING_ZLIB:
2123             vs->features |= VNC_FEATURE_ZLIB_MASK;
2124             vs->vnc_encoding = enc;
2125             break;
2126         case VNC_ENCODING_ZRLE:
2127             vs->features |= VNC_FEATURE_ZRLE_MASK;
2128             vs->vnc_encoding = enc;
2129             break;
2130         case VNC_ENCODING_ZYWRLE:
2131             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2132             vs->vnc_encoding = enc;
2133             break;
2134         case VNC_ENCODING_DESKTOPRESIZE:
2135             vs->features |= VNC_FEATURE_RESIZE_MASK;
2136             break;
2137         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2138             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2139             break;
2140         case VNC_ENCODING_RICH_CURSOR:
2141             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2142             if (vs->vd->cursor) {
2143                 vnc_cursor_define(vs);
2144             }
2145             break;
2146         case VNC_ENCODING_EXT_KEY_EVENT:
2147             send_ext_key_event_ack(vs);
2148             break;
2149         case VNC_ENCODING_AUDIO:
2150             send_ext_audio_ack(vs);
2151             break;
2152         case VNC_ENCODING_WMVi:
2153             vs->features |= VNC_FEATURE_WMVI_MASK;
2154             break;
2155         case VNC_ENCODING_LED_STATE:
2156             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2157             break;
2158         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2159             vs->tight.compression = (enc & 0x0F);
2160             break;
2161         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2162             if (vs->vd->lossy) {
2163                 vs->tight.quality = (enc & 0x0F);
2164             }
2165             break;
2166         default:
2167             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2168             break;
2169         }
2170     }
2171     vnc_desktop_resize(vs);
2172     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2173     vnc_led_state_change(vs);
2174 }
2175 
2176 static void set_pixel_conversion(VncState *vs)
2177 {
2178     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2179 
2180     if (fmt == VNC_SERVER_FB_FORMAT) {
2181         vs->write_pixels = vnc_write_pixels_copy;
2182         vnc_hextile_set_pixel_conversion(vs, 0);
2183     } else {
2184         vs->write_pixels = vnc_write_pixels_generic;
2185         vnc_hextile_set_pixel_conversion(vs, 1);
2186     }
2187 }
2188 
2189 static void send_color_map(VncState *vs)
2190 {
2191     int i;
2192 
2193     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2194     vnc_write_u8(vs,  0);    /* padding     */
2195     vnc_write_u16(vs, 0);    /* first color */
2196     vnc_write_u16(vs, 256);  /* # of colors */
2197 
2198     for (i = 0; i < 256; i++) {
2199         PixelFormat *pf = &vs->client_pf;
2200 
2201         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2202         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2203         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2204     }
2205 }
2206 
2207 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2208                              int big_endian_flag, int true_color_flag,
2209                              int red_max, int green_max, int blue_max,
2210                              int red_shift, int green_shift, int blue_shift)
2211 {
2212     if (!true_color_flag) {
2213         /* Expose a reasonable default 256 color map */
2214         bits_per_pixel = 8;
2215         red_max = 7;
2216         green_max = 7;
2217         blue_max = 3;
2218         red_shift = 0;
2219         green_shift = 3;
2220         blue_shift = 6;
2221     }
2222 
2223     switch (bits_per_pixel) {
2224     case 8:
2225     case 16:
2226     case 32:
2227         break;
2228     default:
2229         vnc_client_error(vs);
2230         return;
2231     }
2232 
2233     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2234     vs->client_pf.rbits = ctpopl(red_max);
2235     vs->client_pf.rshift = red_shift;
2236     vs->client_pf.rmask = red_max << red_shift;
2237     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2238     vs->client_pf.gbits = ctpopl(green_max);
2239     vs->client_pf.gshift = green_shift;
2240     vs->client_pf.gmask = green_max << green_shift;
2241     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2242     vs->client_pf.bbits = ctpopl(blue_max);
2243     vs->client_pf.bshift = blue_shift;
2244     vs->client_pf.bmask = blue_max << blue_shift;
2245     vs->client_pf.bits_per_pixel = bits_per_pixel;
2246     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2247     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2248     vs->client_be = big_endian_flag;
2249 
2250     if (!true_color_flag) {
2251         send_color_map(vs);
2252     }
2253 
2254     set_pixel_conversion(vs);
2255 
2256     graphic_hw_invalidate(vs->vd->dcl.con);
2257     graphic_hw_update(vs->vd->dcl.con);
2258 }
2259 
2260 static void pixel_format_message (VncState *vs) {
2261     char pad[3] = { 0, 0, 0 };
2262 
2263     vs->client_pf = qemu_default_pixelformat(32);
2264 
2265     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2266     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2267 
2268 #ifdef HOST_WORDS_BIGENDIAN
2269     vnc_write_u8(vs, 1);             /* big-endian-flag */
2270 #else
2271     vnc_write_u8(vs, 0);             /* big-endian-flag */
2272 #endif
2273     vnc_write_u8(vs, 1);             /* true-color-flag */
2274     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2275     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2276     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2277     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2278     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2279     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2280     vnc_write(vs, pad, 3);           /* padding */
2281 
2282     vnc_hextile_set_pixel_conversion(vs, 0);
2283     vs->write_pixels = vnc_write_pixels_copy;
2284 }
2285 
2286 static void vnc_colordepth(VncState *vs)
2287 {
2288     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2289         /* Sending a WMVi message to notify the client*/
2290         vnc_lock_output(vs);
2291         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2292         vnc_write_u8(vs, 0);
2293         vnc_write_u16(vs, 1); /* number of rects */
2294         vnc_framebuffer_update(vs, 0, 0,
2295                                pixman_image_get_width(vs->vd->server),
2296                                pixman_image_get_height(vs->vd->server),
2297                                VNC_ENCODING_WMVi);
2298         pixel_format_message(vs);
2299         vnc_unlock_output(vs);
2300         vnc_flush(vs);
2301     } else {
2302         set_pixel_conversion(vs);
2303     }
2304 }
2305 
2306 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2307 {
2308     int i;
2309     uint16_t limit;
2310     uint32_t freq;
2311     VncDisplay *vd = vs->vd;
2312 
2313     if (data[0] > 3) {
2314         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2315     }
2316 
2317     switch (data[0]) {
2318     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2319         if (len == 1)
2320             return 20;
2321 
2322         set_pixel_format(vs, read_u8(data, 4),
2323                          read_u8(data, 6), read_u8(data, 7),
2324                          read_u16(data, 8), read_u16(data, 10),
2325                          read_u16(data, 12), read_u8(data, 14),
2326                          read_u8(data, 15), read_u8(data, 16));
2327         break;
2328     case VNC_MSG_CLIENT_SET_ENCODINGS:
2329         if (len == 1)
2330             return 4;
2331 
2332         if (len == 4) {
2333             limit = read_u16(data, 2);
2334             if (limit > 0)
2335                 return 4 + (limit * 4);
2336         } else
2337             limit = read_u16(data, 2);
2338 
2339         for (i = 0; i < limit; i++) {
2340             int32_t val = read_s32(data, 4 + (i * 4));
2341             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2342         }
2343 
2344         set_encodings(vs, (int32_t *)(data + 4), limit);
2345         break;
2346     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2347         if (len == 1)
2348             return 10;
2349 
2350         framebuffer_update_request(vs,
2351                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2352                                    read_u16(data, 6), read_u16(data, 8));
2353         break;
2354     case VNC_MSG_CLIENT_KEY_EVENT:
2355         if (len == 1)
2356             return 8;
2357 
2358         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2359         break;
2360     case VNC_MSG_CLIENT_POINTER_EVENT:
2361         if (len == 1)
2362             return 6;
2363 
2364         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2365         break;
2366     case VNC_MSG_CLIENT_CUT_TEXT:
2367         if (len == 1) {
2368             return 8;
2369         }
2370         if (len == 8) {
2371             uint32_t dlen = read_u32(data, 4);
2372             if (dlen > (1 << 20)) {
2373                 error_report("vnc: client_cut_text msg payload has %u bytes"
2374                              " which exceeds our limit of 1MB.", dlen);
2375                 vnc_client_error(vs);
2376                 break;
2377             }
2378             if (dlen > 0) {
2379                 return 8 + dlen;
2380             }
2381         }
2382 
2383         client_cut_text(vs, read_u32(data, 4), data + 8);
2384         break;
2385     case VNC_MSG_CLIENT_QEMU:
2386         if (len == 1)
2387             return 2;
2388 
2389         switch (read_u8(data, 1)) {
2390         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2391             if (len == 2)
2392                 return 12;
2393 
2394             ext_key_event(vs, read_u16(data, 2),
2395                           read_u32(data, 4), read_u32(data, 8));
2396             break;
2397         case VNC_MSG_CLIENT_QEMU_AUDIO:
2398             if (len == 2)
2399                 return 4;
2400 
2401             switch (read_u16 (data, 2)) {
2402             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2403                 audio_add(vs);
2404                 break;
2405             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2406                 audio_del(vs);
2407                 break;
2408             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2409                 if (len == 4)
2410                     return 10;
2411                 switch (read_u8(data, 4)) {
2412                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2413                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2414                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2415                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2416                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2417                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2418                 default:
2419                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2420                     vnc_client_error(vs);
2421                     break;
2422                 }
2423                 vs->as.nchannels = read_u8(data, 5);
2424                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2425                     VNC_DEBUG("Invalid audio channel count %d\n",
2426                               read_u8(data, 5));
2427                     vnc_client_error(vs);
2428                     break;
2429                 }
2430                 freq = read_u32(data, 6);
2431                 /* No official limit for protocol, but 48khz is a sensible
2432                  * upper bound for trustworthy clients, and this limit
2433                  * protects calculations involving 'vs->as.freq' later.
2434                  */
2435                 if (freq > 48000) {
2436                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2437                     vnc_client_error(vs);
2438                     break;
2439                 }
2440                 vs->as.freq = freq;
2441                 break;
2442             default:
2443                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2444                 vnc_client_error(vs);
2445                 break;
2446             }
2447             break;
2448 
2449         default:
2450             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2451             vnc_client_error(vs);
2452             break;
2453         }
2454         break;
2455     default:
2456         VNC_DEBUG("Msg: %d\n", data[0]);
2457         vnc_client_error(vs);
2458         break;
2459     }
2460 
2461     vnc_update_throttle_offset(vs);
2462     vnc_read_when(vs, protocol_client_msg, 1);
2463     return 0;
2464 }
2465 
2466 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2467 {
2468     char buf[1024];
2469     VncShareMode mode;
2470     int size;
2471 
2472     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2473     switch (vs->vd->share_policy) {
2474     case VNC_SHARE_POLICY_IGNORE:
2475         /*
2476          * Ignore the shared flag.  Nothing to do here.
2477          *
2478          * Doesn't conform to the rfb spec but is traditional qemu
2479          * behavior, thus left here as option for compatibility
2480          * reasons.
2481          */
2482         break;
2483     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2484         /*
2485          * Policy: Allow clients ask for exclusive access.
2486          *
2487          * Implementation: When a client asks for exclusive access,
2488          * disconnect all others. Shared connects are allowed as long
2489          * as no exclusive connection exists.
2490          *
2491          * This is how the rfb spec suggests to handle the shared flag.
2492          */
2493         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2494             VncState *client;
2495             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2496                 if (vs == client) {
2497                     continue;
2498                 }
2499                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2500                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2501                     continue;
2502                 }
2503                 vnc_disconnect_start(client);
2504             }
2505         }
2506         if (mode == VNC_SHARE_MODE_SHARED) {
2507             if (vs->vd->num_exclusive > 0) {
2508                 vnc_disconnect_start(vs);
2509                 return 0;
2510             }
2511         }
2512         break;
2513     case VNC_SHARE_POLICY_FORCE_SHARED:
2514         /*
2515          * Policy: Shared connects only.
2516          * Implementation: Disallow clients asking for exclusive access.
2517          *
2518          * Useful for shared desktop sessions where you don't want
2519          * someone forgetting to say -shared when running the vnc
2520          * client disconnect everybody else.
2521          */
2522         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2523             vnc_disconnect_start(vs);
2524             return 0;
2525         }
2526         break;
2527     }
2528     vnc_set_share_mode(vs, mode);
2529 
2530     if (vs->vd->num_shared > vs->vd->connections_limit) {
2531         vnc_disconnect_start(vs);
2532         return 0;
2533     }
2534 
2535     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2536            pixman_image_get_width(vs->vd->server) >= 0);
2537     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2538            pixman_image_get_height(vs->vd->server) >= 0);
2539     vs->client_width = pixman_image_get_width(vs->vd->server);
2540     vs->client_height = pixman_image_get_height(vs->vd->server);
2541     vnc_write_u16(vs, vs->client_width);
2542     vnc_write_u16(vs, vs->client_height);
2543 
2544     pixel_format_message(vs);
2545 
2546     if (qemu_name) {
2547         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2548         if (size > sizeof(buf)) {
2549             size = sizeof(buf);
2550         }
2551     } else {
2552         size = snprintf(buf, sizeof(buf), "QEMU");
2553     }
2554 
2555     vnc_write_u32(vs, size);
2556     vnc_write(vs, buf, size);
2557     vnc_flush(vs);
2558 
2559     vnc_client_cache_auth(vs);
2560     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2561 
2562     vnc_read_when(vs, protocol_client_msg, 1);
2563 
2564     return 0;
2565 }
2566 
2567 void start_client_init(VncState *vs)
2568 {
2569     vnc_read_when(vs, protocol_client_init, 1);
2570 }
2571 
2572 static void make_challenge(VncState *vs)
2573 {
2574     int i;
2575 
2576     srand(time(NULL)+getpid()+getpid()*987654+rand());
2577 
2578     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2579         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2580 }
2581 
2582 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2583 {
2584     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2585     size_t i, pwlen;
2586     unsigned char key[8];
2587     time_t now = time(NULL);
2588     QCryptoCipher *cipher = NULL;
2589     Error *err = NULL;
2590 
2591     if (!vs->vd->password) {
2592         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2593         goto reject;
2594     }
2595     if (vs->vd->expires < now) {
2596         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2597         goto reject;
2598     }
2599 
2600     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2601 
2602     /* Calculate the expected challenge response */
2603     pwlen = strlen(vs->vd->password);
2604     for (i=0; i<sizeof(key); i++)
2605         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2606 
2607     cipher = qcrypto_cipher_new(
2608         QCRYPTO_CIPHER_ALG_DES_RFB,
2609         QCRYPTO_CIPHER_MODE_ECB,
2610         key, G_N_ELEMENTS(key),
2611         &err);
2612     if (!cipher) {
2613         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2614                             error_get_pretty(err));
2615         error_free(err);
2616         goto reject;
2617     }
2618 
2619     if (qcrypto_cipher_encrypt(cipher,
2620                                vs->challenge,
2621                                response,
2622                                VNC_AUTH_CHALLENGE_SIZE,
2623                                &err) < 0) {
2624         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2625                             error_get_pretty(err));
2626         error_free(err);
2627         goto reject;
2628     }
2629 
2630     /* Compare expected vs actual challenge response */
2631     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2632         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2633         goto reject;
2634     } else {
2635         trace_vnc_auth_pass(vs, vs->auth);
2636         vnc_write_u32(vs, 0); /* Accept auth */
2637         vnc_flush(vs);
2638 
2639         start_client_init(vs);
2640     }
2641 
2642     qcrypto_cipher_free(cipher);
2643     return 0;
2644 
2645 reject:
2646     vnc_write_u32(vs, 1); /* Reject auth */
2647     if (vs->minor >= 8) {
2648         static const char err[] = "Authentication failed";
2649         vnc_write_u32(vs, sizeof(err));
2650         vnc_write(vs, err, sizeof(err));
2651     }
2652     vnc_flush(vs);
2653     vnc_client_error(vs);
2654     qcrypto_cipher_free(cipher);
2655     return 0;
2656 }
2657 
2658 void start_auth_vnc(VncState *vs)
2659 {
2660     make_challenge(vs);
2661     /* Send client a 'random' challenge */
2662     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2663     vnc_flush(vs);
2664 
2665     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2666 }
2667 
2668 
2669 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2670 {
2671     /* We only advertise 1 auth scheme at a time, so client
2672      * must pick the one we sent. Verify this */
2673     if (data[0] != vs->auth) { /* Reject auth */
2674        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2675        vnc_write_u32(vs, 1);
2676        if (vs->minor >= 8) {
2677            static const char err[] = "Authentication failed";
2678            vnc_write_u32(vs, sizeof(err));
2679            vnc_write(vs, err, sizeof(err));
2680        }
2681        vnc_client_error(vs);
2682     } else { /* Accept requested auth */
2683        trace_vnc_auth_start(vs, vs->auth);
2684        switch (vs->auth) {
2685        case VNC_AUTH_NONE:
2686            if (vs->minor >= 8) {
2687                vnc_write_u32(vs, 0); /* Accept auth completion */
2688                vnc_flush(vs);
2689            }
2690            trace_vnc_auth_pass(vs, vs->auth);
2691            start_client_init(vs);
2692            break;
2693 
2694        case VNC_AUTH_VNC:
2695            start_auth_vnc(vs);
2696            break;
2697 
2698        case VNC_AUTH_VENCRYPT:
2699            start_auth_vencrypt(vs);
2700            break;
2701 
2702 #ifdef CONFIG_VNC_SASL
2703        case VNC_AUTH_SASL:
2704            start_auth_sasl(vs);
2705            break;
2706 #endif /* CONFIG_VNC_SASL */
2707 
2708        default: /* Should not be possible, but just in case */
2709            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2710            vnc_write_u8(vs, 1);
2711            if (vs->minor >= 8) {
2712                static const char err[] = "Authentication failed";
2713                vnc_write_u32(vs, sizeof(err));
2714                vnc_write(vs, err, sizeof(err));
2715            }
2716            vnc_client_error(vs);
2717        }
2718     }
2719     return 0;
2720 }
2721 
2722 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2723 {
2724     char local[13];
2725 
2726     memcpy(local, version, 12);
2727     local[12] = 0;
2728 
2729     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2730         VNC_DEBUG("Malformed protocol version %s\n", local);
2731         vnc_client_error(vs);
2732         return 0;
2733     }
2734     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2735     if (vs->major != 3 ||
2736         (vs->minor != 3 &&
2737          vs->minor != 4 &&
2738          vs->minor != 5 &&
2739          vs->minor != 7 &&
2740          vs->minor != 8)) {
2741         VNC_DEBUG("Unsupported client version\n");
2742         vnc_write_u32(vs, VNC_AUTH_INVALID);
2743         vnc_flush(vs);
2744         vnc_client_error(vs);
2745         return 0;
2746     }
2747     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2748      * as equivalent to v3.3 by servers
2749      */
2750     if (vs->minor == 4 || vs->minor == 5)
2751         vs->minor = 3;
2752 
2753     if (vs->minor == 3) {
2754         trace_vnc_auth_start(vs, vs->auth);
2755         if (vs->auth == VNC_AUTH_NONE) {
2756             vnc_write_u32(vs, vs->auth);
2757             vnc_flush(vs);
2758             trace_vnc_auth_pass(vs, vs->auth);
2759             start_client_init(vs);
2760        } else if (vs->auth == VNC_AUTH_VNC) {
2761             VNC_DEBUG("Tell client VNC auth\n");
2762             vnc_write_u32(vs, vs->auth);
2763             vnc_flush(vs);
2764             start_auth_vnc(vs);
2765        } else {
2766             trace_vnc_auth_fail(vs, vs->auth,
2767                                 "Unsupported auth method for v3.3", "");
2768             vnc_write_u32(vs, VNC_AUTH_INVALID);
2769             vnc_flush(vs);
2770             vnc_client_error(vs);
2771        }
2772     } else {
2773         vnc_write_u8(vs, 1); /* num auth */
2774         vnc_write_u8(vs, vs->auth);
2775         vnc_read_when(vs, protocol_client_auth, 1);
2776         vnc_flush(vs);
2777     }
2778 
2779     return 0;
2780 }
2781 
2782 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2783 {
2784     struct VncSurface *vs = &vd->guest;
2785 
2786     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2787 }
2788 
2789 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2790 {
2791     int i, j;
2792 
2793     w = (x + w) / VNC_STAT_RECT;
2794     h = (y + h) / VNC_STAT_RECT;
2795     x /= VNC_STAT_RECT;
2796     y /= VNC_STAT_RECT;
2797 
2798     for (j = y; j <= h; j++) {
2799         for (i = x; i <= w; i++) {
2800             vs->lossy_rect[j][i] = 1;
2801         }
2802     }
2803 }
2804 
2805 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2806 {
2807     VncState *vs;
2808     int sty = y / VNC_STAT_RECT;
2809     int stx = x / VNC_STAT_RECT;
2810     int has_dirty = 0;
2811 
2812     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2813     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2814 
2815     QTAILQ_FOREACH(vs, &vd->clients, next) {
2816         int j;
2817 
2818         /* kernel send buffers are full -> refresh later */
2819         if (vs->output.offset) {
2820             continue;
2821         }
2822 
2823         if (!vs->lossy_rect[sty][stx]) {
2824             continue;
2825         }
2826 
2827         vs->lossy_rect[sty][stx] = 0;
2828         for (j = 0; j < VNC_STAT_RECT; ++j) {
2829             bitmap_set(vs->dirty[y + j],
2830                        x / VNC_DIRTY_PIXELS_PER_BIT,
2831                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2832         }
2833         has_dirty++;
2834     }
2835 
2836     return has_dirty;
2837 }
2838 
2839 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2840 {
2841     int width = MIN(pixman_image_get_width(vd->guest.fb),
2842                     pixman_image_get_width(vd->server));
2843     int height = MIN(pixman_image_get_height(vd->guest.fb),
2844                      pixman_image_get_height(vd->server));
2845     int x, y;
2846     struct timeval res;
2847     int has_dirty = 0;
2848 
2849     for (y = 0; y < height; y += VNC_STAT_RECT) {
2850         for (x = 0; x < width; x += VNC_STAT_RECT) {
2851             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2852 
2853             rect->updated = false;
2854         }
2855     }
2856 
2857     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2858 
2859     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2860         return has_dirty;
2861     }
2862     vd->guest.last_freq_check = *tv;
2863 
2864     for (y = 0; y < height; y += VNC_STAT_RECT) {
2865         for (x = 0; x < width; x += VNC_STAT_RECT) {
2866             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2867             int count = ARRAY_SIZE(rect->times);
2868             struct timeval min, max;
2869 
2870             if (!timerisset(&rect->times[count - 1])) {
2871                 continue ;
2872             }
2873 
2874             max = rect->times[(rect->idx + count - 1) % count];
2875             qemu_timersub(tv, &max, &res);
2876 
2877             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2878                 rect->freq = 0;
2879                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2880                 memset(rect->times, 0, sizeof (rect->times));
2881                 continue ;
2882             }
2883 
2884             min = rect->times[rect->idx];
2885             max = rect->times[(rect->idx + count - 1) % count];
2886             qemu_timersub(&max, &min, &res);
2887 
2888             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2889             rect->freq /= count;
2890             rect->freq = 1. / rect->freq;
2891         }
2892     }
2893     return has_dirty;
2894 }
2895 
2896 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2897 {
2898     int i, j;
2899     double total = 0;
2900     int num = 0;
2901 
2902     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2903     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2904 
2905     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2906         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2907             total += vnc_stat_rect(vs->vd, i, j)->freq;
2908             num++;
2909         }
2910     }
2911 
2912     if (num) {
2913         return total / num;
2914     } else {
2915         return 0;
2916     }
2917 }
2918 
2919 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2920 {
2921     VncRectStat *rect;
2922 
2923     rect = vnc_stat_rect(vd, x, y);
2924     if (rect->updated) {
2925         return ;
2926     }
2927     rect->times[rect->idx] = *tv;
2928     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2929     rect->updated = true;
2930 }
2931 
2932 static int vnc_refresh_server_surface(VncDisplay *vd)
2933 {
2934     int width = MIN(pixman_image_get_width(vd->guest.fb),
2935                     pixman_image_get_width(vd->server));
2936     int height = MIN(pixman_image_get_height(vd->guest.fb),
2937                      pixman_image_get_height(vd->server));
2938     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2939     uint8_t *guest_row0 = NULL, *server_row0;
2940     VncState *vs;
2941     int has_dirty = 0;
2942     pixman_image_t *tmpbuf = NULL;
2943 
2944     struct timeval tv = { 0, 0 };
2945 
2946     if (!vd->non_adaptive) {
2947         gettimeofday(&tv, NULL);
2948         has_dirty = vnc_update_stats(vd, &tv);
2949     }
2950 
2951     /*
2952      * Walk through the guest dirty map.
2953      * Check and copy modified bits from guest to server surface.
2954      * Update server dirty map.
2955      */
2956     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2957     server_stride = guest_stride = guest_ll =
2958         pixman_image_get_stride(vd->server);
2959     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2960                     server_stride);
2961     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2962         int width = pixman_image_get_width(vd->server);
2963         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2964     } else {
2965         int guest_bpp =
2966             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2967         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2968         guest_stride = pixman_image_get_stride(vd->guest.fb);
2969         guest_ll = pixman_image_get_width(vd->guest.fb)
2970                    * DIV_ROUND_UP(guest_bpp, 8);
2971     }
2972     line_bytes = MIN(server_stride, guest_ll);
2973 
2974     for (;;) {
2975         int x;
2976         uint8_t *guest_ptr, *server_ptr;
2977         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2978                                              height * VNC_DIRTY_BPL(&vd->guest),
2979                                              y * VNC_DIRTY_BPL(&vd->guest));
2980         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2981             /* no more dirty bits */
2982             break;
2983         }
2984         y = offset / VNC_DIRTY_BPL(&vd->guest);
2985         x = offset % VNC_DIRTY_BPL(&vd->guest);
2986 
2987         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2988 
2989         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2990             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2991             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2992         } else {
2993             guest_ptr = guest_row0 + y * guest_stride;
2994         }
2995         guest_ptr += x * cmp_bytes;
2996 
2997         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2998              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2999             int _cmp_bytes = cmp_bytes;
3000             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3001                 continue;
3002             }
3003             if ((x + 1) * cmp_bytes > line_bytes) {
3004                 _cmp_bytes = line_bytes - x * cmp_bytes;
3005             }
3006             assert(_cmp_bytes >= 0);
3007             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3008                 continue;
3009             }
3010             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3011             if (!vd->non_adaptive) {
3012                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3013                                  y, &tv);
3014             }
3015             QTAILQ_FOREACH(vs, &vd->clients, next) {
3016                 set_bit(x, vs->dirty[y]);
3017             }
3018             has_dirty++;
3019         }
3020 
3021         y++;
3022     }
3023     qemu_pixman_image_unref(tmpbuf);
3024     return has_dirty;
3025 }
3026 
3027 static void vnc_refresh(DisplayChangeListener *dcl)
3028 {
3029     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3030     VncState *vs, *vn;
3031     int has_dirty, rects = 0;
3032 
3033     if (QTAILQ_EMPTY(&vd->clients)) {
3034         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3035         return;
3036     }
3037 
3038     graphic_hw_update(vd->dcl.con);
3039 
3040     if (vnc_trylock_display(vd)) {
3041         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3042         return;
3043     }
3044 
3045     has_dirty = vnc_refresh_server_surface(vd);
3046     vnc_unlock_display(vd);
3047 
3048     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3049         rects += vnc_update_client(vs, has_dirty);
3050         /* vs might be free()ed here */
3051     }
3052 
3053     if (has_dirty && rects) {
3054         vd->dcl.update_interval /= 2;
3055         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3056             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3057         }
3058     } else {
3059         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3060         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3061             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3062         }
3063     }
3064 }
3065 
3066 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3067                         bool skipauth, bool websocket)
3068 {
3069     VncState *vs = g_new0(VncState, 1);
3070     bool first_client = QTAILQ_EMPTY(&vd->clients);
3071     int i;
3072 
3073     trace_vnc_client_connect(vs, sioc);
3074     vs->magic = VNC_MAGIC;
3075     vs->sioc = sioc;
3076     object_ref(OBJECT(vs->sioc));
3077     vs->ioc = QIO_CHANNEL(sioc);
3078     object_ref(OBJECT(vs->ioc));
3079     vs->vd = vd;
3080 
3081     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3082     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3083     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3084 
3085     buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
3086     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
3087     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
3088 #ifdef CONFIG_VNC_JPEG
3089     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
3090 #endif
3091 #ifdef CONFIG_VNC_PNG
3092     buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
3093 #endif
3094     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3095     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
3096     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
3097     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
3098 
3099     if (skipauth) {
3100 	vs->auth = VNC_AUTH_NONE;
3101 	vs->subauth = VNC_AUTH_INVALID;
3102     } else {
3103         if (websocket) {
3104             vs->auth = vd->ws_auth;
3105             vs->subauth = VNC_AUTH_INVALID;
3106         } else {
3107             vs->auth = vd->auth;
3108             vs->subauth = vd->subauth;
3109         }
3110     }
3111     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3112               sioc, websocket, vs->auth, vs->subauth);
3113 
3114     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3115     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3116         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3117     }
3118 
3119     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3120     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3121     qio_channel_set_blocking(vs->ioc, false, NULL);
3122     if (vs->ioc_tag) {
3123         g_source_remove(vs->ioc_tag);
3124     }
3125     if (websocket) {
3126         vs->websocket = 1;
3127         if (vd->tlscreds) {
3128             vs->ioc_tag = qio_channel_add_watch(
3129                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3130         } else {
3131             vs->ioc_tag = qio_channel_add_watch(
3132                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3133         }
3134     } else {
3135         vs->ioc_tag = qio_channel_add_watch(
3136             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3137     }
3138 
3139     vnc_client_cache_addr(vs);
3140     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3141     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3142 
3143     vs->last_x = -1;
3144     vs->last_y = -1;
3145 
3146     vs->as.freq = 44100;
3147     vs->as.nchannels = 2;
3148     vs->as.fmt = AUD_FMT_S16;
3149     vs->as.endianness = 0;
3150 
3151     qemu_mutex_init(&vs->output_mutex);
3152     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3153 
3154     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3155     if (first_client) {
3156         vnc_update_server_surface(vd);
3157     }
3158 
3159     graphic_hw_update(vd->dcl.con);
3160 
3161     if (!vs->websocket) {
3162         vnc_start_protocol(vs);
3163     }
3164 
3165     if (vd->num_connecting > vd->connections_limit) {
3166         QTAILQ_FOREACH(vs, &vd->clients, next) {
3167             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3168                 vnc_disconnect_start(vs);
3169                 return;
3170             }
3171         }
3172     }
3173 }
3174 
3175 void vnc_start_protocol(VncState *vs)
3176 {
3177     vnc_write(vs, "RFB 003.008\n", 12);
3178     vnc_flush(vs);
3179     vnc_read_when(vs, protocol_version, 12);
3180 
3181     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3182     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3183 }
3184 
3185 static void vnc_listen_io(QIONetListener *listener,
3186                           QIOChannelSocket *cioc,
3187                           void *opaque)
3188 {
3189     VncDisplay *vd = opaque;
3190     bool isWebsock = listener == vd->wslistener;
3191 
3192     qio_channel_set_name(QIO_CHANNEL(cioc),
3193                          isWebsock ? "vnc-ws-server" : "vnc-server");
3194     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3195     vnc_connect(vd, cioc, false, isWebsock);
3196 }
3197 
3198 static const DisplayChangeListenerOps dcl_ops = {
3199     .dpy_name             = "vnc",
3200     .dpy_refresh          = vnc_refresh,
3201     .dpy_gfx_update       = vnc_dpy_update,
3202     .dpy_gfx_switch       = vnc_dpy_switch,
3203     .dpy_gfx_check_format = qemu_pixman_check_format,
3204     .dpy_mouse_set        = vnc_mouse_set,
3205     .dpy_cursor_define    = vnc_dpy_cursor_define,
3206 };
3207 
3208 void vnc_display_init(const char *id, Error **errp)
3209 {
3210     VncDisplay *vd;
3211 
3212     if (vnc_display_find(id) != NULL) {
3213         return;
3214     }
3215     vd = g_malloc0(sizeof(*vd));
3216 
3217     vd->id = strdup(id);
3218     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3219 
3220     QTAILQ_INIT(&vd->clients);
3221     vd->expires = TIME_MAX;
3222 
3223     if (keyboard_layout) {
3224         trace_vnc_key_map_init(keyboard_layout);
3225         vd->kbd_layout = init_keyboard_layout(name2keysym,
3226                                               keyboard_layout, errp);
3227     } else {
3228         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3229     }
3230 
3231     if (!vd->kbd_layout) {
3232         return;
3233     }
3234 
3235     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3236     vd->connections_limit = 32;
3237 
3238     qemu_mutex_init(&vd->mutex);
3239     vnc_start_worker_thread();
3240 
3241     vd->dcl.ops = &dcl_ops;
3242     register_displaychangelistener(&vd->dcl);
3243 }
3244 
3245 
3246 static void vnc_display_close(VncDisplay *vd)
3247 {
3248     if (!vd) {
3249         return;
3250     }
3251     vd->is_unix = false;
3252 
3253     if (vd->listener) {
3254         qio_net_listener_disconnect(vd->listener);
3255         object_unref(OBJECT(vd->listener));
3256     }
3257     vd->listener = NULL;
3258 
3259     if (vd->wslistener) {
3260         qio_net_listener_disconnect(vd->wslistener);
3261         object_unref(OBJECT(vd->wslistener));
3262     }
3263     vd->wslistener = NULL;
3264 
3265     vd->auth = VNC_AUTH_INVALID;
3266     vd->subauth = VNC_AUTH_INVALID;
3267     if (vd->tlscreds) {
3268         object_unparent(OBJECT(vd->tlscreds));
3269         vd->tlscreds = NULL;
3270     }
3271     g_free(vd->tlsaclname);
3272     vd->tlsaclname = NULL;
3273     if (vd->lock_key_sync) {
3274         qemu_remove_led_event_handler(vd->led);
3275         vd->led = NULL;
3276     }
3277 }
3278 
3279 int vnc_display_password(const char *id, const char *password)
3280 {
3281     VncDisplay *vd = vnc_display_find(id);
3282 
3283     if (!vd) {
3284         return -EINVAL;
3285     }
3286     if (vd->auth == VNC_AUTH_NONE) {
3287         error_printf_unless_qmp("If you want use passwords please enable "
3288                                 "password auth using '-vnc ${dpy},password'.\n");
3289         return -EINVAL;
3290     }
3291 
3292     g_free(vd->password);
3293     vd->password = g_strdup(password);
3294 
3295     return 0;
3296 }
3297 
3298 int vnc_display_pw_expire(const char *id, time_t expires)
3299 {
3300     VncDisplay *vd = vnc_display_find(id);
3301 
3302     if (!vd) {
3303         return -EINVAL;
3304     }
3305 
3306     vd->expires = expires;
3307     return 0;
3308 }
3309 
3310 static void vnc_display_print_local_addr(VncDisplay *vd)
3311 {
3312     SocketAddress *addr;
3313     Error *err = NULL;
3314 
3315     if (!vd->listener || !vd->listener->nsioc) {
3316         return;
3317     }
3318 
3319     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3320     if (!addr) {
3321         return;
3322     }
3323 
3324     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3325         qapi_free_SocketAddress(addr);
3326         return;
3327     }
3328     error_printf_unless_qmp("VNC server running on %s:%s\n",
3329                             addr->u.inet.host,
3330                             addr->u.inet.port);
3331     qapi_free_SocketAddress(addr);
3332 }
3333 
3334 static QemuOptsList qemu_vnc_opts = {
3335     .name = "vnc",
3336     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3337     .implied_opt_name = "vnc",
3338     .desc = {
3339         {
3340             .name = "vnc",
3341             .type = QEMU_OPT_STRING,
3342         },{
3343             .name = "websocket",
3344             .type = QEMU_OPT_STRING,
3345         },{
3346             .name = "tls-creds",
3347             .type = QEMU_OPT_STRING,
3348         },{
3349             .name = "share",
3350             .type = QEMU_OPT_STRING,
3351         },{
3352             .name = "display",
3353             .type = QEMU_OPT_STRING,
3354         },{
3355             .name = "head",
3356             .type = QEMU_OPT_NUMBER,
3357         },{
3358             .name = "connections",
3359             .type = QEMU_OPT_NUMBER,
3360         },{
3361             .name = "to",
3362             .type = QEMU_OPT_NUMBER,
3363         },{
3364             .name = "ipv4",
3365             .type = QEMU_OPT_BOOL,
3366         },{
3367             .name = "ipv6",
3368             .type = QEMU_OPT_BOOL,
3369         },{
3370             .name = "password",
3371             .type = QEMU_OPT_BOOL,
3372         },{
3373             .name = "reverse",
3374             .type = QEMU_OPT_BOOL,
3375         },{
3376             .name = "lock-key-sync",
3377             .type = QEMU_OPT_BOOL,
3378         },{
3379             .name = "key-delay-ms",
3380             .type = QEMU_OPT_NUMBER,
3381         },{
3382             .name = "sasl",
3383             .type = QEMU_OPT_BOOL,
3384         },{
3385             .name = "acl",
3386             .type = QEMU_OPT_BOOL,
3387         },{
3388             .name = "lossy",
3389             .type = QEMU_OPT_BOOL,
3390         },{
3391             .name = "non-adaptive",
3392             .type = QEMU_OPT_BOOL,
3393         },
3394         { /* end of list */ }
3395     },
3396 };
3397 
3398 
3399 static int
3400 vnc_display_setup_auth(int *auth,
3401                        int *subauth,
3402                        QCryptoTLSCreds *tlscreds,
3403                        bool password,
3404                        bool sasl,
3405                        bool websocket,
3406                        Error **errp)
3407 {
3408     /*
3409      * We have a choice of 3 authentication options
3410      *
3411      *   1. none
3412      *   2. vnc
3413      *   3. sasl
3414      *
3415      * The channel can be run in 2 modes
3416      *
3417      *   1. clear
3418      *   2. tls
3419      *
3420      * And TLS can use 2 types of credentials
3421      *
3422      *   1. anon
3423      *   2. x509
3424      *
3425      * We thus have 9 possible logical combinations
3426      *
3427      *   1. clear + none
3428      *   2. clear + vnc
3429      *   3. clear + sasl
3430      *   4. tls + anon + none
3431      *   5. tls + anon + vnc
3432      *   6. tls + anon + sasl
3433      *   7. tls + x509 + none
3434      *   8. tls + x509 + vnc
3435      *   9. tls + x509 + sasl
3436      *
3437      * These need to be mapped into the VNC auth schemes
3438      * in an appropriate manner. In regular VNC, all the
3439      * TLS options get mapped into VNC_AUTH_VENCRYPT
3440      * sub-auth types.
3441      *
3442      * In websockets, the https:// protocol already provides
3443      * TLS support, so there is no need to make use of the
3444      * VeNCrypt extension. Furthermore, websockets browser
3445      * clients could not use VeNCrypt even if they wanted to,
3446      * as they cannot control when the TLS handshake takes
3447      * place. Thus there is no option but to rely on https://,
3448      * meaning combinations 4->6 and 7->9 will be mapped to
3449      * VNC auth schemes in the same way as combos 1->3.
3450      *
3451      * Regardless of fact that we have a different mapping to
3452      * VNC auth mechs for plain VNC vs websockets VNC, the end
3453      * result has the same security characteristics.
3454      */
3455     if (websocket || !tlscreds) {
3456         if (password) {
3457             VNC_DEBUG("Initializing VNC server with password auth\n");
3458             *auth = VNC_AUTH_VNC;
3459         } else if (sasl) {
3460             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3461             *auth = VNC_AUTH_SASL;
3462         } else {
3463             VNC_DEBUG("Initializing VNC server with no auth\n");
3464             *auth = VNC_AUTH_NONE;
3465         }
3466         *subauth = VNC_AUTH_INVALID;
3467     } else {
3468         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3469                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3470         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3471                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3472 
3473         if (!is_x509 && !is_anon) {
3474             error_setg(errp,
3475                        "Unsupported TLS cred type %s",
3476                        object_get_typename(OBJECT(tlscreds)));
3477             return -1;
3478         }
3479         *auth = VNC_AUTH_VENCRYPT;
3480         if (password) {
3481             if (is_x509) {
3482                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3483                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3484             } else {
3485                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3486                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3487             }
3488 
3489         } else if (sasl) {
3490             if (is_x509) {
3491                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3492                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3493             } else {
3494                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3495                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3496             }
3497         } else {
3498             if (is_x509) {
3499                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3500                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3501             } else {
3502                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3503                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3504             }
3505         }
3506     }
3507     return 0;
3508 }
3509 
3510 
3511 static int vnc_display_get_address(const char *addrstr,
3512                                    bool websocket,
3513                                    bool reverse,
3514                                    int displaynum,
3515                                    int to,
3516                                    bool has_ipv4,
3517                                    bool has_ipv6,
3518                                    bool ipv4,
3519                                    bool ipv6,
3520                                    SocketAddress **retaddr,
3521                                    Error **errp)
3522 {
3523     int ret = -1;
3524     SocketAddress *addr = NULL;
3525 
3526     addr = g_new0(SocketAddress, 1);
3527 
3528     if (strncmp(addrstr, "unix:", 5) == 0) {
3529         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3530         addr->u.q_unix.path = g_strdup(addrstr + 5);
3531 
3532         if (websocket) {
3533             error_setg(errp, "UNIX sockets not supported with websock");
3534             goto cleanup;
3535         }
3536 
3537         if (to) {
3538             error_setg(errp, "Port range not support with UNIX socket");
3539             goto cleanup;
3540         }
3541         ret = 0;
3542     } else {
3543         const char *port;
3544         size_t hostlen;
3545         unsigned long long baseport = 0;
3546         InetSocketAddress *inet;
3547 
3548         port = strrchr(addrstr, ':');
3549         if (!port) {
3550             if (websocket) {
3551                 hostlen = 0;
3552                 port = addrstr;
3553             } else {
3554                 error_setg(errp, "no vnc port specified");
3555                 goto cleanup;
3556             }
3557         } else {
3558             hostlen = port - addrstr;
3559             port++;
3560             if (*port == '\0') {
3561                 error_setg(errp, "vnc port cannot be empty");
3562                 goto cleanup;
3563             }
3564         }
3565 
3566         addr->type = SOCKET_ADDRESS_TYPE_INET;
3567         inet = &addr->u.inet;
3568         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3569             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3570         } else {
3571             inet->host = g_strndup(addrstr, hostlen);
3572         }
3573         /* plain VNC port is just an offset, for websocket
3574          * port is absolute */
3575         if (websocket) {
3576             if (g_str_equal(addrstr, "") ||
3577                 g_str_equal(addrstr, "on")) {
3578                 if (displaynum == -1) {
3579                     error_setg(errp, "explicit websocket port is required");
3580                     goto cleanup;
3581                 }
3582                 inet->port = g_strdup_printf(
3583                     "%d", displaynum + 5700);
3584                 if (to) {
3585                     inet->has_to = true;
3586                     inet->to = to + 5700;
3587                 }
3588             } else {
3589                 inet->port = g_strdup(port);
3590             }
3591         } else {
3592             int offset = reverse ? 0 : 5900;
3593             if (parse_uint_full(port, &baseport, 10) < 0) {
3594                 error_setg(errp, "can't convert to a number: %s", port);
3595                 goto cleanup;
3596             }
3597             if (baseport > 65535 ||
3598                 baseport + offset > 65535) {
3599                 error_setg(errp, "port %s out of range", port);
3600                 goto cleanup;
3601             }
3602             inet->port = g_strdup_printf(
3603                 "%d", (int)baseport + offset);
3604 
3605             if (to) {
3606                 inet->has_to = true;
3607                 inet->to = to + offset;
3608             }
3609         }
3610 
3611         inet->ipv4 = ipv4;
3612         inet->has_ipv4 = has_ipv4;
3613         inet->ipv6 = ipv6;
3614         inet->has_ipv6 = has_ipv6;
3615 
3616         ret = baseport;
3617     }
3618 
3619     *retaddr = addr;
3620 
3621  cleanup:
3622     if (ret < 0) {
3623         qapi_free_SocketAddress(addr);
3624     }
3625     return ret;
3626 }
3627 
3628 static void vnc_free_addresses(SocketAddress ***retsaddr,
3629                                size_t *retnsaddr)
3630 {
3631     size_t i;
3632 
3633     for (i = 0; i < *retnsaddr; i++) {
3634         qapi_free_SocketAddress((*retsaddr)[i]);
3635     }
3636     g_free(*retsaddr);
3637 
3638     *retsaddr = NULL;
3639     *retnsaddr = 0;
3640 }
3641 
3642 static int vnc_display_get_addresses(QemuOpts *opts,
3643                                      bool reverse,
3644                                      SocketAddress ***retsaddr,
3645                                      size_t *retnsaddr,
3646                                      SocketAddress ***retwsaddr,
3647                                      size_t *retnwsaddr,
3648                                      Error **errp)
3649 {
3650     SocketAddress *saddr = NULL;
3651     SocketAddress *wsaddr = NULL;
3652     QemuOptsIter addriter;
3653     const char *addr;
3654     int to = qemu_opt_get_number(opts, "to", 0);
3655     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3656     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3657     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3658     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3659     int displaynum = -1;
3660     int ret = -1;
3661 
3662     *retsaddr = NULL;
3663     *retnsaddr = 0;
3664     *retwsaddr = NULL;
3665     *retnwsaddr = 0;
3666 
3667     addr = qemu_opt_get(opts, "vnc");
3668     if (addr == NULL || g_str_equal(addr, "none")) {
3669         ret = 0;
3670         goto cleanup;
3671     }
3672     if (qemu_opt_get(opts, "websocket") &&
3673         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3674         error_setg(errp,
3675                    "SHA1 hash support is required for websockets");
3676         goto cleanup;
3677     }
3678 
3679     qemu_opt_iter_init(&addriter, opts, "vnc");
3680     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3681         int rv;
3682         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3683                                      has_ipv4, has_ipv6,
3684                                      ipv4, ipv6,
3685                                      &saddr, errp);
3686         if (rv < 0) {
3687             goto cleanup;
3688         }
3689         /* Historical compat - first listen address can be used
3690          * to set the default websocket port
3691          */
3692         if (displaynum == -1) {
3693             displaynum = rv;
3694         }
3695         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3696         (*retsaddr)[(*retnsaddr)++] = saddr;
3697     }
3698 
3699     /* If we had multiple primary displays, we don't do defaults
3700      * for websocket, and require explicit config instead. */
3701     if (*retnsaddr > 1) {
3702         displaynum = -1;
3703     }
3704 
3705     qemu_opt_iter_init(&addriter, opts, "websocket");
3706     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3707         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3708                                     has_ipv4, has_ipv6,
3709                                     ipv4, ipv6,
3710                                     &wsaddr, errp) < 0) {
3711             goto cleanup;
3712         }
3713 
3714         /* Historical compat - if only a single listen address was
3715          * provided, then this is used to set the default listen
3716          * address for websocket too
3717          */
3718         if (*retnsaddr == 1 &&
3719             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3720             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3721             g_str_equal(wsaddr->u.inet.host, "") &&
3722             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3723             g_free(wsaddr->u.inet.host);
3724             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3725         }
3726 
3727         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3728         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3729     }
3730 
3731     ret = 0;
3732  cleanup:
3733     if (ret < 0) {
3734         vnc_free_addresses(retsaddr, retnsaddr);
3735         vnc_free_addresses(retwsaddr, retnwsaddr);
3736     }
3737     return ret;
3738 }
3739 
3740 static int vnc_display_connect(VncDisplay *vd,
3741                                SocketAddress **saddr,
3742                                size_t nsaddr,
3743                                SocketAddress **wsaddr,
3744                                size_t nwsaddr,
3745                                Error **errp)
3746 {
3747     /* connect to viewer */
3748     QIOChannelSocket *sioc = NULL;
3749     if (nwsaddr != 0) {
3750         error_setg(errp, "Cannot use websockets in reverse mode");
3751         return -1;
3752     }
3753     if (nsaddr != 1) {
3754         error_setg(errp, "Expected a single address in reverse mode");
3755         return -1;
3756     }
3757     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3758     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3759     sioc = qio_channel_socket_new();
3760     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3761     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3762         return -1;
3763     }
3764     vnc_connect(vd, sioc, false, false);
3765     object_unref(OBJECT(sioc));
3766     return 0;
3767 }
3768 
3769 
3770 static int vnc_display_listen(VncDisplay *vd,
3771                               SocketAddress **saddr,
3772                               size_t nsaddr,
3773                               SocketAddress **wsaddr,
3774                               size_t nwsaddr,
3775                               Error **errp)
3776 {
3777     size_t i;
3778 
3779     if (nsaddr) {
3780         vd->listener = qio_net_listener_new();
3781         qio_net_listener_set_name(vd->listener, "vnc-listen");
3782         for (i = 0; i < nsaddr; i++) {
3783             if (qio_net_listener_open_sync(vd->listener,
3784                                            saddr[i],
3785                                            errp) < 0)  {
3786                 return -1;
3787             }
3788         }
3789 
3790         qio_net_listener_set_client_func(vd->listener,
3791                                          vnc_listen_io, vd, NULL);
3792     }
3793 
3794     if (nwsaddr) {
3795         vd->wslistener = qio_net_listener_new();
3796         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3797         for (i = 0; i < nwsaddr; i++) {
3798             if (qio_net_listener_open_sync(vd->wslistener,
3799                                            wsaddr[i],
3800                                            errp) < 0)  {
3801                 return -1;
3802             }
3803         }
3804 
3805         qio_net_listener_set_client_func(vd->wslistener,
3806                                          vnc_listen_io, vd, NULL);
3807     }
3808 
3809     return 0;
3810 }
3811 
3812 
3813 void vnc_display_open(const char *id, Error **errp)
3814 {
3815     VncDisplay *vd = vnc_display_find(id);
3816     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3817     SocketAddress **saddr = NULL, **wsaddr = NULL;
3818     size_t nsaddr, nwsaddr;
3819     const char *share, *device_id;
3820     QemuConsole *con;
3821     bool password = false;
3822     bool reverse = false;
3823     const char *credid;
3824     bool sasl = false;
3825     int acl = 0;
3826     int lock_key_sync = 1;
3827     int key_delay_ms;
3828 
3829     if (!vd) {
3830         error_setg(errp, "VNC display not active");
3831         return;
3832     }
3833     vnc_display_close(vd);
3834 
3835     if (!opts) {
3836         return;
3837     }
3838 
3839     reverse = qemu_opt_get_bool(opts, "reverse", false);
3840     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3841                                   &wsaddr, &nwsaddr, errp) < 0) {
3842         goto fail;
3843     }
3844 
3845     password = qemu_opt_get_bool(opts, "password", false);
3846     if (password) {
3847         if (fips_get_state()) {
3848             error_setg(errp,
3849                        "VNC password auth disabled due to FIPS mode, "
3850                        "consider using the VeNCrypt or SASL authentication "
3851                        "methods as an alternative");
3852             goto fail;
3853         }
3854         if (!qcrypto_cipher_supports(
3855                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3856             error_setg(errp,
3857                        "Cipher backend does not support DES RFB algorithm");
3858             goto fail;
3859         }
3860     }
3861 
3862     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3863     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3864     sasl = qemu_opt_get_bool(opts, "sasl", false);
3865 #ifndef CONFIG_VNC_SASL
3866     if (sasl) {
3867         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3868         goto fail;
3869     }
3870 #endif /* CONFIG_VNC_SASL */
3871     credid = qemu_opt_get(opts, "tls-creds");
3872     if (credid) {
3873         Object *creds;
3874         creds = object_resolve_path_component(
3875             object_get_objects_root(), credid);
3876         if (!creds) {
3877             error_setg(errp, "No TLS credentials with id '%s'",
3878                        credid);
3879             goto fail;
3880         }
3881         vd->tlscreds = (QCryptoTLSCreds *)
3882             object_dynamic_cast(creds,
3883                                 TYPE_QCRYPTO_TLS_CREDS);
3884         if (!vd->tlscreds) {
3885             error_setg(errp, "Object with id '%s' is not TLS credentials",
3886                        credid);
3887             goto fail;
3888         }
3889         object_ref(OBJECT(vd->tlscreds));
3890 
3891         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3892             error_setg(errp,
3893                        "Expecting TLS credentials with a server endpoint");
3894             goto fail;
3895         }
3896     }
3897     acl = qemu_opt_get_bool(opts, "acl", false);
3898 
3899     share = qemu_opt_get(opts, "share");
3900     if (share) {
3901         if (strcmp(share, "ignore") == 0) {
3902             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3903         } else if (strcmp(share, "allow-exclusive") == 0) {
3904             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3905         } else if (strcmp(share, "force-shared") == 0) {
3906             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3907         } else {
3908             error_setg(errp, "unknown vnc share= option");
3909             goto fail;
3910         }
3911     } else {
3912         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3913     }
3914     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3915 
3916 #ifdef CONFIG_VNC_JPEG
3917     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3918 #endif
3919     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3920     /* adaptive updates are only used with tight encoding and
3921      * if lossy updates are enabled so we can disable all the
3922      * calculations otherwise */
3923     if (!vd->lossy) {
3924         vd->non_adaptive = true;
3925     }
3926 
3927     if (acl) {
3928         if (strcmp(vd->id, "default") == 0) {
3929             vd->tlsaclname = g_strdup("vnc.x509dname");
3930         } else {
3931             vd->tlsaclname = g_strdup_printf("vnc.%s.x509dname", vd->id);
3932         }
3933         qemu_acl_init(vd->tlsaclname);
3934     }
3935 #ifdef CONFIG_VNC_SASL
3936     if (acl && sasl) {
3937         char *aclname;
3938 
3939         if (strcmp(vd->id, "default") == 0) {
3940             aclname = g_strdup("vnc.username");
3941         } else {
3942             aclname = g_strdup_printf("vnc.%s.username", vd->id);
3943         }
3944         vd->sasl.acl = qemu_acl_init(aclname);
3945         g_free(aclname);
3946     }
3947 #endif
3948 
3949     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3950                                vd->tlscreds, password,
3951                                sasl, false, errp) < 0) {
3952         goto fail;
3953     }
3954     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3955 
3956     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3957                                vd->tlscreds, password,
3958                                sasl, true, errp) < 0) {
3959         goto fail;
3960     }
3961     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3962 
3963 #ifdef CONFIG_VNC_SASL
3964     if (sasl) {
3965         int saslErr = sasl_server_init(NULL, "qemu");
3966 
3967         if (saslErr != SASL_OK) {
3968             error_setg(errp, "Failed to initialize SASL auth: %s",
3969                        sasl_errstring(saslErr, NULL, NULL));
3970             goto fail;
3971         }
3972     }
3973 #endif
3974     vd->lock_key_sync = lock_key_sync;
3975     if (lock_key_sync) {
3976         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3977     }
3978     vd->ledstate = 0;
3979     vd->key_delay_ms = key_delay_ms;
3980 
3981     device_id = qemu_opt_get(opts, "display");
3982     if (device_id) {
3983         int head = qemu_opt_get_number(opts, "head", 0);
3984         Error *err = NULL;
3985 
3986         con = qemu_console_lookup_by_device_name(device_id, head, &err);
3987         if (err) {
3988             error_propagate(errp, err);
3989             goto fail;
3990         }
3991     } else {
3992         con = NULL;
3993     }
3994 
3995     if (con != vd->dcl.con) {
3996         unregister_displaychangelistener(&vd->dcl);
3997         vd->dcl.con = con;
3998         register_displaychangelistener(&vd->dcl);
3999     }
4000 
4001     if (saddr == NULL) {
4002         goto cleanup;
4003     }
4004 
4005     if (reverse) {
4006         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4007             goto fail;
4008         }
4009     } else {
4010         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4011             goto fail;
4012         }
4013     }
4014 
4015     if (qemu_opt_get(opts, "to")) {
4016         vnc_display_print_local_addr(vd);
4017     }
4018 
4019  cleanup:
4020     vnc_free_addresses(&saddr, &nsaddr);
4021     vnc_free_addresses(&wsaddr, &nwsaddr);
4022     return;
4023 
4024 fail:
4025     vnc_display_close(vd);
4026     goto cleanup;
4027 }
4028 
4029 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4030 {
4031     VncDisplay *vd = vnc_display_find(id);
4032     QIOChannelSocket *sioc;
4033 
4034     if (!vd) {
4035         return;
4036     }
4037 
4038     sioc = qio_channel_socket_new_fd(csock, NULL);
4039     if (sioc) {
4040         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4041         vnc_connect(vd, sioc, skipauth, false);
4042         object_unref(OBJECT(sioc));
4043     }
4044 }
4045 
4046 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4047 {
4048     int i = 2;
4049     char *id;
4050 
4051     id = g_strdup("default");
4052     while (qemu_opts_find(olist, id)) {
4053         g_free(id);
4054         id = g_strdup_printf("vnc%d", i++);
4055     }
4056     qemu_opts_set_id(opts, id);
4057 }
4058 
4059 QemuOpts *vnc_parse(const char *str, Error **errp)
4060 {
4061     QemuOptsList *olist = qemu_find_opts("vnc");
4062     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4063     const char *id;
4064 
4065     if (!opts) {
4066         return NULL;
4067     }
4068 
4069     id = qemu_opts_id(opts);
4070     if (!id) {
4071         /* auto-assign id if not present */
4072         vnc_auto_assign_id(olist, opts);
4073     }
4074     return opts;
4075 }
4076 
4077 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4078 {
4079     Error *local_err = NULL;
4080     char *id = (char *)qemu_opts_id(opts);
4081 
4082     assert(id);
4083     vnc_display_init(id, &local_err);
4084     if (local_err) {
4085         error_propagate(errp, local_err);
4086         return -1;
4087     }
4088     vnc_display_open(id, &local_err);
4089     if (local_err != NULL) {
4090         error_propagate(errp, local_err);
4091         return -1;
4092     }
4093     return 0;
4094 }
4095 
4096 static void vnc_register_config(void)
4097 {
4098     qemu_add_opts(&qemu_vnc_opts);
4099 }
4100 opts_init(vnc_register_config);
4101