xref: /openbmc/qemu/ui/vnc.c (revision 5692399f)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "trace.h"
30 #include "sysemu/sysemu.h"
31 #include "qemu/sockets.h"
32 #include "qemu/timer.h"
33 #include "qemu/acl.h"
34 #include "qapi/qmp/types.h"
35 #include "qmp-commands.h"
36 #include "qemu/osdep.h"
37 #include "ui/input.h"
38 #include "qapi-event.h"
39 
40 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
41 #define VNC_REFRESH_INTERVAL_INC  50
42 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
43 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
44 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
45 
46 #include "vnc_keysym.h"
47 #include "d3des.h"
48 
49 static VncDisplay *vnc_display; /* needed for info vnc */
50 
51 static int vnc_cursor_define(VncState *vs);
52 static void vnc_release_modifiers(VncState *vs);
53 
54 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
55 {
56 #ifdef _VNC_DEBUG
57     static const char *mn[] = {
58         [0]                           = "undefined",
59         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
60         [VNC_SHARE_MODE_SHARED]       = "shared",
61         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
62         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
63     };
64     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
65             vs->csock, mn[vs->share_mode], mn[mode]);
66 #endif
67 
68     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
69         vs->vd->num_exclusive--;
70     }
71     vs->share_mode = mode;
72     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
73         vs->vd->num_exclusive++;
74     }
75 }
76 
77 static char *addr_to_string(const char *format,
78                             struct sockaddr_storage *sa,
79                             socklen_t salen) {
80     char *addr;
81     char host[NI_MAXHOST];
82     char serv[NI_MAXSERV];
83     int err;
84     size_t addrlen;
85 
86     if ((err = getnameinfo((struct sockaddr *)sa, salen,
87                            host, sizeof(host),
88                            serv, sizeof(serv),
89                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
90         VNC_DEBUG("Cannot resolve address %d: %s\n",
91                   err, gai_strerror(err));
92         return NULL;
93     }
94 
95     /* Enough for the existing format + the 2 vars we're
96      * substituting in. */
97     addrlen = strlen(format) + strlen(host) + strlen(serv);
98     addr = g_malloc(addrlen + 1);
99     snprintf(addr, addrlen, format, host, serv);
100     addr[addrlen] = '\0';
101 
102     return addr;
103 }
104 
105 
106 char *vnc_socket_local_addr(const char *format, int fd) {
107     struct sockaddr_storage sa;
108     socklen_t salen;
109 
110     salen = sizeof(sa);
111     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
112         return NULL;
113 
114     return addr_to_string(format, &sa, salen);
115 }
116 
117 char *vnc_socket_remote_addr(const char *format, int fd) {
118     struct sockaddr_storage sa;
119     socklen_t salen;
120 
121     salen = sizeof(sa);
122     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
123         return NULL;
124 
125     return addr_to_string(format, &sa, salen);
126 }
127 
128 static VncBasicInfo *vnc_basic_info_get(struct sockaddr_storage *sa,
129                                         socklen_t salen)
130 {
131     VncBasicInfo *info;
132     char host[NI_MAXHOST];
133     char serv[NI_MAXSERV];
134     int err;
135 
136     if ((err = getnameinfo((struct sockaddr *)sa, salen,
137                            host, sizeof(host),
138                            serv, sizeof(serv),
139                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
140         VNC_DEBUG("Cannot resolve address %d: %s\n",
141                   err, gai_strerror(err));
142         return NULL;
143     }
144 
145     info = g_malloc0(sizeof(VncBasicInfo));
146     info->host = g_strdup(host);
147     info->service = g_strdup(serv);
148     info->family = inet_netfamily(sa->ss_family);
149     return info;
150 }
151 
152 static VncBasicInfo *vnc_basic_info_get_from_server_addr(int fd)
153 {
154     struct sockaddr_storage sa;
155     socklen_t salen;
156 
157     salen = sizeof(sa);
158     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
159         return NULL;
160     }
161 
162     return vnc_basic_info_get(&sa, salen);
163 }
164 
165 static VncBasicInfo *vnc_basic_info_get_from_remote_addr(int fd)
166 {
167     struct sockaddr_storage sa;
168     socklen_t salen;
169 
170     salen = sizeof(sa);
171     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
172         return NULL;
173     }
174 
175     return vnc_basic_info_get(&sa, salen);
176 }
177 
178 static const char *vnc_auth_name(VncDisplay *vd) {
179     switch (vd->auth) {
180     case VNC_AUTH_INVALID:
181         return "invalid";
182     case VNC_AUTH_NONE:
183         return "none";
184     case VNC_AUTH_VNC:
185         return "vnc";
186     case VNC_AUTH_RA2:
187         return "ra2";
188     case VNC_AUTH_RA2NE:
189         return "ra2ne";
190     case VNC_AUTH_TIGHT:
191         return "tight";
192     case VNC_AUTH_ULTRA:
193         return "ultra";
194     case VNC_AUTH_TLS:
195         return "tls";
196     case VNC_AUTH_VENCRYPT:
197 #ifdef CONFIG_VNC_TLS
198         switch (vd->subauth) {
199         case VNC_AUTH_VENCRYPT_PLAIN:
200             return "vencrypt+plain";
201         case VNC_AUTH_VENCRYPT_TLSNONE:
202             return "vencrypt+tls+none";
203         case VNC_AUTH_VENCRYPT_TLSVNC:
204             return "vencrypt+tls+vnc";
205         case VNC_AUTH_VENCRYPT_TLSPLAIN:
206             return "vencrypt+tls+plain";
207         case VNC_AUTH_VENCRYPT_X509NONE:
208             return "vencrypt+x509+none";
209         case VNC_AUTH_VENCRYPT_X509VNC:
210             return "vencrypt+x509+vnc";
211         case VNC_AUTH_VENCRYPT_X509PLAIN:
212             return "vencrypt+x509+plain";
213         case VNC_AUTH_VENCRYPT_TLSSASL:
214             return "vencrypt+tls+sasl";
215         case VNC_AUTH_VENCRYPT_X509SASL:
216             return "vencrypt+x509+sasl";
217         default:
218             return "vencrypt";
219         }
220 #else
221         return "vencrypt";
222 #endif
223     case VNC_AUTH_SASL:
224         return "sasl";
225     }
226     return "unknown";
227 }
228 
229 static VncServerInfo *vnc_server_info_get(void)
230 {
231     VncServerInfo *info;
232     VncBasicInfo *bi = vnc_basic_info_get_from_server_addr(vnc_display->lsock);
233     if (!bi) {
234         return NULL;
235     }
236 
237     info = g_malloc(sizeof(*info));
238     info->base = bi;
239     info->has_auth = true;
240     info->auth = g_strdup(vnc_auth_name(vnc_display));
241     return info;
242 }
243 
244 static void vnc_client_cache_auth(VncState *client)
245 {
246     if (!client->info) {
247         return;
248     }
249 
250 #ifdef CONFIG_VNC_TLS
251     if (client->tls.session &&
252         client->tls.dname) {
253         client->info->has_x509_dname = true;
254         client->info->x509_dname = g_strdup(client->tls.dname);
255     }
256 #endif
257 #ifdef CONFIG_VNC_SASL
258     if (client->sasl.conn &&
259         client->sasl.username) {
260         client->info->has_sasl_username = true;
261         client->info->sasl_username = g_strdup(client->sasl.username);
262     }
263 #endif
264 }
265 
266 static void vnc_client_cache_addr(VncState *client)
267 {
268     VncBasicInfo *bi = vnc_basic_info_get_from_remote_addr(client->csock);
269 
270     if (bi) {
271         client->info = g_malloc0(sizeof(*client->info));
272         client->info->base = bi;
273     }
274 }
275 
276 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
277 {
278     VncServerInfo *si;
279 
280     if (!vs->info) {
281         return;
282     }
283     g_assert(vs->info->base);
284 
285     si = vnc_server_info_get();
286     if (!si) {
287         return;
288     }
289 
290     switch (event) {
291     case QAPI_EVENT_VNC_CONNECTED:
292         qapi_event_send_vnc_connected(si, vs->info->base, &error_abort);
293         break;
294     case QAPI_EVENT_VNC_INITIALIZED:
295         qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
296         break;
297     case QAPI_EVENT_VNC_DISCONNECTED:
298         qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
299         break;
300     default:
301         break;
302     }
303 
304     qapi_free_VncServerInfo(si);
305 }
306 
307 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
308 {
309     struct sockaddr_storage sa;
310     socklen_t salen = sizeof(sa);
311     char host[NI_MAXHOST];
312     char serv[NI_MAXSERV];
313     VncClientInfo *info;
314 
315     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
316         return NULL;
317     }
318 
319     if (getnameinfo((struct sockaddr *)&sa, salen,
320                     host, sizeof(host),
321                     serv, sizeof(serv),
322                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
323         return NULL;
324     }
325 
326     info = g_malloc0(sizeof(*info));
327     info->base = g_malloc0(sizeof(*info->base));
328     info->base->host = g_strdup(host);
329     info->base->service = g_strdup(serv);
330     info->base->family = inet_netfamily(sa.ss_family);
331 
332 #ifdef CONFIG_VNC_TLS
333     if (client->tls.session && client->tls.dname) {
334         info->has_x509_dname = true;
335         info->x509_dname = g_strdup(client->tls.dname);
336     }
337 #endif
338 #ifdef CONFIG_VNC_SASL
339     if (client->sasl.conn && client->sasl.username) {
340         info->has_sasl_username = true;
341         info->sasl_username = g_strdup(client->sasl.username);
342     }
343 #endif
344 
345     return info;
346 }
347 
348 VncInfo *qmp_query_vnc(Error **errp)
349 {
350     VncInfo *info = g_malloc0(sizeof(*info));
351 
352     if (vnc_display == NULL || vnc_display->display == NULL) {
353         info->enabled = false;
354     } else {
355         VncClientInfoList *cur_item = NULL;
356         struct sockaddr_storage sa;
357         socklen_t salen = sizeof(sa);
358         char host[NI_MAXHOST];
359         char serv[NI_MAXSERV];
360         VncState *client;
361 
362         info->enabled = true;
363 
364         /* for compatibility with the original command */
365         info->has_clients = true;
366 
367         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
368             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
369             cinfo->value = qmp_query_vnc_client(client);
370 
371             /* XXX: waiting for the qapi to support GSList */
372             if (!cur_item) {
373                 info->clients = cur_item = cinfo;
374             } else {
375                 cur_item->next = cinfo;
376                 cur_item = cinfo;
377             }
378         }
379 
380         if (vnc_display->lsock == -1) {
381             return info;
382         }
383 
384         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
385                         &salen) == -1) {
386             error_set(errp, QERR_UNDEFINED_ERROR);
387             goto out_error;
388         }
389 
390         if (getnameinfo((struct sockaddr *)&sa, salen,
391                         host, sizeof(host),
392                         serv, sizeof(serv),
393                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
394             error_set(errp, QERR_UNDEFINED_ERROR);
395             goto out_error;
396         }
397 
398         info->has_host = true;
399         info->host = g_strdup(host);
400 
401         info->has_service = true;
402         info->service = g_strdup(serv);
403 
404         info->has_family = true;
405         info->family = inet_netfamily(sa.ss_family);
406 
407         info->has_auth = true;
408         info->auth = g_strdup(vnc_auth_name(vnc_display));
409     }
410 
411     return info;
412 
413 out_error:
414     qapi_free_VncInfo(info);
415     return NULL;
416 }
417 
418 /* TODO
419    1) Get the queue working for IO.
420    2) there is some weirdness when using the -S option (the screen is grey
421       and not totally invalidated
422    3) resolutions > 1024
423 */
424 
425 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
426 static void vnc_disconnect_start(VncState *vs);
427 
428 static void vnc_colordepth(VncState *vs);
429 static void framebuffer_update_request(VncState *vs, int incremental,
430                                        int x_position, int y_position,
431                                        int w, int h);
432 static void vnc_refresh(DisplayChangeListener *dcl);
433 static int vnc_refresh_server_surface(VncDisplay *vd);
434 
435 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
436                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
437                                int width, int height,
438                                int x, int y, int w, int h) {
439     /* this is needed this to ensure we updated all affected
440      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
441     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
442     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
443 
444     x = MIN(x, width);
445     y = MIN(y, height);
446     w = MIN(x + w, width) - x;
447     h = MIN(y + h, height);
448 
449     for (; y < h; y++) {
450         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
451                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
452     }
453 }
454 
455 static void vnc_dpy_update(DisplayChangeListener *dcl,
456                            int x, int y, int w, int h)
457 {
458     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
459     struct VncSurface *s = &vd->guest;
460     int width = pixman_image_get_width(vd->server);
461     int height = pixman_image_get_height(vd->server);
462 
463     vnc_set_area_dirty(s->dirty, width, height, x, y, w, h);
464 }
465 
466 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
467                             int32_t encoding)
468 {
469     vnc_write_u16(vs, x);
470     vnc_write_u16(vs, y);
471     vnc_write_u16(vs, w);
472     vnc_write_u16(vs, h);
473 
474     vnc_write_s32(vs, encoding);
475 }
476 
477 void buffer_reserve(Buffer *buffer, size_t len)
478 {
479     if ((buffer->capacity - buffer->offset) < len) {
480         buffer->capacity += (len + 1024);
481         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
482         if (buffer->buffer == NULL) {
483             fprintf(stderr, "vnc: out of memory\n");
484             exit(1);
485         }
486     }
487 }
488 
489 static int buffer_empty(Buffer *buffer)
490 {
491     return buffer->offset == 0;
492 }
493 
494 uint8_t *buffer_end(Buffer *buffer)
495 {
496     return buffer->buffer + buffer->offset;
497 }
498 
499 void buffer_reset(Buffer *buffer)
500 {
501         buffer->offset = 0;
502 }
503 
504 void buffer_free(Buffer *buffer)
505 {
506     g_free(buffer->buffer);
507     buffer->offset = 0;
508     buffer->capacity = 0;
509     buffer->buffer = NULL;
510 }
511 
512 void buffer_append(Buffer *buffer, const void *data, size_t len)
513 {
514     memcpy(buffer->buffer + buffer->offset, data, len);
515     buffer->offset += len;
516 }
517 
518 void buffer_advance(Buffer *buf, size_t len)
519 {
520     memmove(buf->buffer, buf->buffer + len,
521             (buf->offset - len));
522     buf->offset -= len;
523 }
524 
525 static void vnc_desktop_resize(VncState *vs)
526 {
527     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
528         return;
529     }
530     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
531         vs->client_height == pixman_image_get_height(vs->vd->server)) {
532         return;
533     }
534     vs->client_width = pixman_image_get_width(vs->vd->server);
535     vs->client_height = pixman_image_get_height(vs->vd->server);
536     vnc_lock_output(vs);
537     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
538     vnc_write_u8(vs, 0);
539     vnc_write_u16(vs, 1); /* number of rects */
540     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
541                            VNC_ENCODING_DESKTOPRESIZE);
542     vnc_unlock_output(vs);
543     vnc_flush(vs);
544 }
545 
546 static void vnc_abort_display_jobs(VncDisplay *vd)
547 {
548     VncState *vs;
549 
550     QTAILQ_FOREACH(vs, &vd->clients, next) {
551         vnc_lock_output(vs);
552         vs->abort = true;
553         vnc_unlock_output(vs);
554     }
555     QTAILQ_FOREACH(vs, &vd->clients, next) {
556         vnc_jobs_join(vs);
557     }
558     QTAILQ_FOREACH(vs, &vd->clients, next) {
559         vnc_lock_output(vs);
560         vs->abort = false;
561         vnc_unlock_output(vs);
562     }
563 }
564 
565 int vnc_server_fb_stride(VncDisplay *vd)
566 {
567     return pixman_image_get_stride(vd->server);
568 }
569 
570 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
571 {
572     uint8_t *ptr;
573 
574     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
575     ptr += y * vnc_server_fb_stride(vd);
576     ptr += x * VNC_SERVER_FB_BYTES;
577     return ptr;
578 }
579 
580 static void vnc_dpy_switch(DisplayChangeListener *dcl,
581                            DisplaySurface *surface)
582 {
583     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
584     VncState *vs;
585     int width, height;
586 
587     vnc_abort_display_jobs(vd);
588 
589     /* server surface */
590     qemu_pixman_image_unref(vd->server);
591     vd->ds = surface;
592     width = MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
593                                         VNC_DIRTY_PIXELS_PER_BIT));
594     height = MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
595     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
596                                           width, height, NULL, 0);
597 
598     /* guest surface */
599 #if 0 /* FIXME */
600     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
601         console_color_init(ds);
602 #endif
603     qemu_pixman_image_unref(vd->guest.fb);
604     vd->guest.fb = pixman_image_ref(surface->image);
605     vd->guest.format = surface->format;
606     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
607     vnc_set_area_dirty(vd->guest.dirty, width, height, 0, 0,
608                        width, height);
609 
610     QTAILQ_FOREACH(vs, &vd->clients, next) {
611         vnc_colordepth(vs);
612         vnc_desktop_resize(vs);
613         if (vs->vd->cursor) {
614             vnc_cursor_define(vs);
615         }
616         memset(vs->dirty, 0x00, sizeof(vs->dirty));
617         vnc_set_area_dirty(vs->dirty, width, height, 0, 0,
618                            width, height);
619     }
620 }
621 
622 /* fastest code */
623 static void vnc_write_pixels_copy(VncState *vs,
624                                   void *pixels, int size)
625 {
626     vnc_write(vs, pixels, size);
627 }
628 
629 /* slowest but generic code. */
630 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
631 {
632     uint8_t r, g, b;
633 
634 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
635     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
636     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
637     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
638 #else
639 # error need some bits here if you change VNC_SERVER_FB_FORMAT
640 #endif
641     v = (r << vs->client_pf.rshift) |
642         (g << vs->client_pf.gshift) |
643         (b << vs->client_pf.bshift);
644     switch (vs->client_pf.bytes_per_pixel) {
645     case 1:
646         buf[0] = v;
647         break;
648     case 2:
649         if (vs->client_be) {
650             buf[0] = v >> 8;
651             buf[1] = v;
652         } else {
653             buf[1] = v >> 8;
654             buf[0] = v;
655         }
656         break;
657     default:
658     case 4:
659         if (vs->client_be) {
660             buf[0] = v >> 24;
661             buf[1] = v >> 16;
662             buf[2] = v >> 8;
663             buf[3] = v;
664         } else {
665             buf[3] = v >> 24;
666             buf[2] = v >> 16;
667             buf[1] = v >> 8;
668             buf[0] = v;
669         }
670         break;
671     }
672 }
673 
674 static void vnc_write_pixels_generic(VncState *vs,
675                                      void *pixels1, int size)
676 {
677     uint8_t buf[4];
678 
679     if (VNC_SERVER_FB_BYTES == 4) {
680         uint32_t *pixels = pixels1;
681         int n, i;
682         n = size >> 2;
683         for (i = 0; i < n; i++) {
684             vnc_convert_pixel(vs, buf, pixels[i]);
685             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
686         }
687     }
688 }
689 
690 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
691 {
692     int i;
693     uint8_t *row;
694     VncDisplay *vd = vs->vd;
695 
696     row = vnc_server_fb_ptr(vd, x, y);
697     for (i = 0; i < h; i++) {
698         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
699         row += vnc_server_fb_stride(vd);
700     }
701     return 1;
702 }
703 
704 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
705 {
706     int n = 0;
707 
708     switch(vs->vnc_encoding) {
709         case VNC_ENCODING_ZLIB:
710             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
711             break;
712         case VNC_ENCODING_HEXTILE:
713             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
714             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
715             break;
716         case VNC_ENCODING_TIGHT:
717             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
718             break;
719         case VNC_ENCODING_TIGHT_PNG:
720             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
721             break;
722         case VNC_ENCODING_ZRLE:
723             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
724             break;
725         case VNC_ENCODING_ZYWRLE:
726             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
727             break;
728         default:
729             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
730             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
731             break;
732     }
733     return n;
734 }
735 
736 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
737 {
738     /* send bitblit op to the vnc client */
739     vnc_lock_output(vs);
740     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
741     vnc_write_u8(vs, 0);
742     vnc_write_u16(vs, 1); /* number of rects */
743     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
744     vnc_write_u16(vs, src_x);
745     vnc_write_u16(vs, src_y);
746     vnc_unlock_output(vs);
747     vnc_flush(vs);
748 }
749 
750 static void vnc_dpy_copy(DisplayChangeListener *dcl,
751                          int src_x, int src_y,
752                          int dst_x, int dst_y, int w, int h)
753 {
754     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
755     VncState *vs, *vn;
756     uint8_t *src_row;
757     uint8_t *dst_row;
758     int i, x, y, pitch, inc, w_lim, s;
759     int cmp_bytes;
760 
761     vnc_refresh_server_surface(vd);
762     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
763         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
764             vs->force_update = 1;
765             vnc_update_client(vs, 1, true);
766             /* vs might be free()ed here */
767         }
768     }
769 
770     /* do bitblit op on the local surface too */
771     pitch = vnc_server_fb_stride(vd);
772     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
773     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
774     y = dst_y;
775     inc = 1;
776     if (dst_y > src_y) {
777         /* copy backwards */
778         src_row += pitch * (h-1);
779         dst_row += pitch * (h-1);
780         pitch = -pitch;
781         y = dst_y + h - 1;
782         inc = -1;
783     }
784     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
785     if (w_lim < 0) {
786         w_lim = w;
787     } else {
788         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
789     }
790     for (i = 0; i < h; i++) {
791         for (x = 0; x <= w_lim;
792                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
793             if (x == w_lim) {
794                 if ((s = w - w_lim) == 0)
795                     break;
796             } else if (!x) {
797                 s = (VNC_DIRTY_PIXELS_PER_BIT -
798                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
799                 s = MIN(s, w_lim);
800             } else {
801                 s = VNC_DIRTY_PIXELS_PER_BIT;
802             }
803             cmp_bytes = s * VNC_SERVER_FB_BYTES;
804             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
805                 continue;
806             memmove(dst_row, src_row, cmp_bytes);
807             QTAILQ_FOREACH(vs, &vd->clients, next) {
808                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
809                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
810                             vs->dirty[y]);
811                 }
812             }
813         }
814         src_row += pitch - w * VNC_SERVER_FB_BYTES;
815         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
816         y += inc;
817     }
818 
819     QTAILQ_FOREACH(vs, &vd->clients, next) {
820         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
821             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
822         }
823     }
824 }
825 
826 static void vnc_mouse_set(DisplayChangeListener *dcl,
827                           int x, int y, int visible)
828 {
829     /* can we ask the client(s) to move the pointer ??? */
830 }
831 
832 static int vnc_cursor_define(VncState *vs)
833 {
834     QEMUCursor *c = vs->vd->cursor;
835     int isize;
836 
837     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
838         vnc_lock_output(vs);
839         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
840         vnc_write_u8(vs,  0);  /*  padding     */
841         vnc_write_u16(vs, 1);  /*  # of rects  */
842         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
843                                VNC_ENCODING_RICH_CURSOR);
844         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
845         vnc_write_pixels_generic(vs, c->data, isize);
846         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
847         vnc_unlock_output(vs);
848         return 0;
849     }
850     return -1;
851 }
852 
853 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
854                                   QEMUCursor *c)
855 {
856     VncDisplay *vd = vnc_display;
857     VncState *vs;
858 
859     cursor_put(vd->cursor);
860     g_free(vd->cursor_mask);
861 
862     vd->cursor = c;
863     cursor_get(vd->cursor);
864     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
865     vd->cursor_mask = g_malloc0(vd->cursor_msize);
866     cursor_get_mono_mask(c, 0, vd->cursor_mask);
867 
868     QTAILQ_FOREACH(vs, &vd->clients, next) {
869         vnc_cursor_define(vs);
870     }
871 }
872 
873 static int find_and_clear_dirty_height(struct VncState *vs,
874                                        int y, int last_x, int x, int height)
875 {
876     int h;
877 
878     for (h = 1; h < (height - y); h++) {
879         if (!test_bit(last_x, vs->dirty[y + h])) {
880             break;
881         }
882         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
883     }
884 
885     return h;
886 }
887 
888 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
889 {
890     vs->has_dirty += has_dirty;
891     if (vs->need_update && vs->csock != -1) {
892         VncDisplay *vd = vs->vd;
893         VncJob *job;
894         int y;
895         int height, width;
896         int n = 0;
897 
898         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
899             /* kernel send buffers are full -> drop frames to throttle */
900             return 0;
901 
902         if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
903             return 0;
904 
905         /*
906          * Send screen updates to the vnc client using the server
907          * surface and server dirty map.  guest surface updates
908          * happening in parallel don't disturb us, the next pass will
909          * send them to the client.
910          */
911         job = vnc_job_new(vs);
912 
913         height = pixman_image_get_height(vd->server);
914         width = pixman_image_get_width(vd->server);
915 
916         y = 0;
917         for (;;) {
918             int x, h;
919             unsigned long x2;
920             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
921                                                  height * VNC_DIRTY_BPL(vs),
922                                                  y * VNC_DIRTY_BPL(vs));
923             if (offset == height * VNC_DIRTY_BPL(vs)) {
924                 /* no more dirty bits */
925                 break;
926             }
927             y = offset / VNC_DIRTY_BPL(vs);
928             x = offset % VNC_DIRTY_BPL(vs);
929             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
930                                     VNC_DIRTY_BPL(vs), x);
931             bitmap_clear(vs->dirty[y], x, x2 - x);
932             h = find_and_clear_dirty_height(vs, y, x, x2, height);
933             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
934             if (x2 > x) {
935                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
936                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
937             }
938         }
939 
940         vnc_job_push(job);
941         if (sync) {
942             vnc_jobs_join(vs);
943         }
944         vs->force_update = 0;
945         vs->has_dirty = 0;
946         return n;
947     }
948 
949     if (vs->csock == -1) {
950         vnc_disconnect_finish(vs);
951     } else if (sync) {
952         vnc_jobs_join(vs);
953     }
954 
955     return 0;
956 }
957 
958 /* audio */
959 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
960 {
961     VncState *vs = opaque;
962 
963     switch (cmd) {
964     case AUD_CNOTIFY_DISABLE:
965         vnc_lock_output(vs);
966         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
967         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
968         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
969         vnc_unlock_output(vs);
970         vnc_flush(vs);
971         break;
972 
973     case AUD_CNOTIFY_ENABLE:
974         vnc_lock_output(vs);
975         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
976         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
977         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
978         vnc_unlock_output(vs);
979         vnc_flush(vs);
980         break;
981     }
982 }
983 
984 static void audio_capture_destroy(void *opaque)
985 {
986 }
987 
988 static void audio_capture(void *opaque, void *buf, int size)
989 {
990     VncState *vs = opaque;
991 
992     vnc_lock_output(vs);
993     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
994     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
995     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
996     vnc_write_u32(vs, size);
997     vnc_write(vs, buf, size);
998     vnc_unlock_output(vs);
999     vnc_flush(vs);
1000 }
1001 
1002 static void audio_add(VncState *vs)
1003 {
1004     struct audio_capture_ops ops;
1005 
1006     if (vs->audio_cap) {
1007         error_report("audio already running");
1008         return;
1009     }
1010 
1011     ops.notify = audio_capture_notify;
1012     ops.destroy = audio_capture_destroy;
1013     ops.capture = audio_capture;
1014 
1015     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1016     if (!vs->audio_cap) {
1017         error_report("Failed to add audio capture");
1018     }
1019 }
1020 
1021 static void audio_del(VncState *vs)
1022 {
1023     if (vs->audio_cap) {
1024         AUD_del_capture(vs->audio_cap, vs);
1025         vs->audio_cap = NULL;
1026     }
1027 }
1028 
1029 static void vnc_disconnect_start(VncState *vs)
1030 {
1031     if (vs->csock == -1)
1032         return;
1033     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1034     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1035     closesocket(vs->csock);
1036     vs->csock = -1;
1037 }
1038 
1039 void vnc_disconnect_finish(VncState *vs)
1040 {
1041     int i;
1042 
1043     vnc_jobs_join(vs); /* Wait encoding jobs */
1044 
1045     vnc_lock_output(vs);
1046     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1047 
1048     buffer_free(&vs->input);
1049     buffer_free(&vs->output);
1050 #ifdef CONFIG_VNC_WS
1051     buffer_free(&vs->ws_input);
1052     buffer_free(&vs->ws_output);
1053 #endif /* CONFIG_VNC_WS */
1054 
1055     qapi_free_VncClientInfo(vs->info);
1056 
1057     vnc_zlib_clear(vs);
1058     vnc_tight_clear(vs);
1059     vnc_zrle_clear(vs);
1060 
1061 #ifdef CONFIG_VNC_TLS
1062     vnc_tls_client_cleanup(vs);
1063 #endif /* CONFIG_VNC_TLS */
1064 #ifdef CONFIG_VNC_SASL
1065     vnc_sasl_client_cleanup(vs);
1066 #endif /* CONFIG_VNC_SASL */
1067     audio_del(vs);
1068     vnc_release_modifiers(vs);
1069 
1070     if (vs->initialized) {
1071         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1072         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1073     }
1074 
1075     if (vs->vd->lock_key_sync)
1076         qemu_remove_led_event_handler(vs->led);
1077     vnc_unlock_output(vs);
1078 
1079     qemu_mutex_destroy(&vs->output_mutex);
1080     if (vs->bh != NULL) {
1081         qemu_bh_delete(vs->bh);
1082     }
1083     buffer_free(&vs->jobs_buffer);
1084 
1085     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1086         g_free(vs->lossy_rect[i]);
1087     }
1088     g_free(vs->lossy_rect);
1089     g_free(vs);
1090 }
1091 
1092 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1093 {
1094     if (ret == 0 || ret == -1) {
1095         if (ret == -1) {
1096             switch (last_errno) {
1097                 case EINTR:
1098                 case EAGAIN:
1099 #ifdef _WIN32
1100                 case WSAEWOULDBLOCK:
1101 #endif
1102                     return 0;
1103                 default:
1104                     break;
1105             }
1106         }
1107 
1108         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1109                   ret, ret < 0 ? last_errno : 0);
1110         vnc_disconnect_start(vs);
1111 
1112         return 0;
1113     }
1114     return ret;
1115 }
1116 
1117 
1118 void vnc_client_error(VncState *vs)
1119 {
1120     VNC_DEBUG("Closing down client sock: protocol error\n");
1121     vnc_disconnect_start(vs);
1122 }
1123 
1124 #ifdef CONFIG_VNC_TLS
1125 static long vnc_client_write_tls(gnutls_session_t *session,
1126                                  const uint8_t *data,
1127                                  size_t datalen)
1128 {
1129     long ret = gnutls_write(*session, data, datalen);
1130     if (ret < 0) {
1131         if (ret == GNUTLS_E_AGAIN) {
1132             errno = EAGAIN;
1133         } else {
1134             errno = EIO;
1135         }
1136         ret = -1;
1137     }
1138     return ret;
1139 }
1140 #endif /* CONFIG_VNC_TLS */
1141 
1142 /*
1143  * Called to write a chunk of data to the client socket. The data may
1144  * be the raw data, or may have already been encoded by SASL.
1145  * The data will be written either straight onto the socket, or
1146  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1147  *
1148  * NB, it is theoretically possible to have 2 layers of encryption,
1149  * both SASL, and this TLS layer. It is highly unlikely in practice
1150  * though, since SASL encryption will typically be a no-op if TLS
1151  * is active
1152  *
1153  * Returns the number of bytes written, which may be less than
1154  * the requested 'datalen' if the socket would block. Returns
1155  * -1 on error, and disconnects the client socket.
1156  */
1157 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1158 {
1159     long ret;
1160 #ifdef CONFIG_VNC_TLS
1161     if (vs->tls.session) {
1162         ret = vnc_client_write_tls(&vs->tls.session, data, datalen);
1163     } else {
1164 #ifdef CONFIG_VNC_WS
1165         if (vs->ws_tls.session) {
1166             ret = vnc_client_write_tls(&vs->ws_tls.session, data, datalen);
1167         } else
1168 #endif /* CONFIG_VNC_WS */
1169 #endif /* CONFIG_VNC_TLS */
1170         {
1171             ret = send(vs->csock, (const void *)data, datalen, 0);
1172         }
1173 #ifdef CONFIG_VNC_TLS
1174     }
1175 #endif /* CONFIG_VNC_TLS */
1176     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1177     return vnc_client_io_error(vs, ret, socket_error());
1178 }
1179 
1180 
1181 /*
1182  * Called to write buffered data to the client socket, when not
1183  * using any SASL SSF encryption layers. Will write as much data
1184  * as possible without blocking. If all buffered data is written,
1185  * will switch the FD poll() handler back to read monitoring.
1186  *
1187  * Returns the number of bytes written, which may be less than
1188  * the buffered output data if the socket would block. Returns
1189  * -1 on error, and disconnects the client socket.
1190  */
1191 static long vnc_client_write_plain(VncState *vs)
1192 {
1193     long ret;
1194 
1195 #ifdef CONFIG_VNC_SASL
1196     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1197               vs->output.buffer, vs->output.capacity, vs->output.offset,
1198               vs->sasl.waitWriteSSF);
1199 
1200     if (vs->sasl.conn &&
1201         vs->sasl.runSSF &&
1202         vs->sasl.waitWriteSSF) {
1203         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1204         if (ret)
1205             vs->sasl.waitWriteSSF -= ret;
1206     } else
1207 #endif /* CONFIG_VNC_SASL */
1208         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1209     if (!ret)
1210         return 0;
1211 
1212     buffer_advance(&vs->output, ret);
1213 
1214     if (vs->output.offset == 0) {
1215         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1216     }
1217 
1218     return ret;
1219 }
1220 
1221 
1222 /*
1223  * First function called whenever there is data to be written to
1224  * the client socket. Will delegate actual work according to whether
1225  * SASL SSF layers are enabled (thus requiring encryption calls)
1226  */
1227 static void vnc_client_write_locked(void *opaque)
1228 {
1229     VncState *vs = opaque;
1230 
1231 #ifdef CONFIG_VNC_SASL
1232     if (vs->sasl.conn &&
1233         vs->sasl.runSSF &&
1234         !vs->sasl.waitWriteSSF) {
1235         vnc_client_write_sasl(vs);
1236     } else
1237 #endif /* CONFIG_VNC_SASL */
1238     {
1239 #ifdef CONFIG_VNC_WS
1240         if (vs->encode_ws) {
1241             vnc_client_write_ws(vs);
1242         } else
1243 #endif /* CONFIG_VNC_WS */
1244         {
1245             vnc_client_write_plain(vs);
1246         }
1247     }
1248 }
1249 
1250 void vnc_client_write(void *opaque)
1251 {
1252     VncState *vs = opaque;
1253 
1254     vnc_lock_output(vs);
1255     if (vs->output.offset
1256 #ifdef CONFIG_VNC_WS
1257             || vs->ws_output.offset
1258 #endif
1259             ) {
1260         vnc_client_write_locked(opaque);
1261     } else if (vs->csock != -1) {
1262         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1263     }
1264     vnc_unlock_output(vs);
1265 }
1266 
1267 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1268 {
1269     vs->read_handler = func;
1270     vs->read_handler_expect = expecting;
1271 }
1272 
1273 #ifdef CONFIG_VNC_TLS
1274 static long vnc_client_read_tls(gnutls_session_t *session, uint8_t *data,
1275                                 size_t datalen)
1276 {
1277     long ret = gnutls_read(*session, data, datalen);
1278     if (ret < 0) {
1279         if (ret == GNUTLS_E_AGAIN) {
1280             errno = EAGAIN;
1281         } else {
1282             errno = EIO;
1283         }
1284         ret = -1;
1285     }
1286     return ret;
1287 }
1288 #endif /* CONFIG_VNC_TLS */
1289 
1290 /*
1291  * Called to read a chunk of data from the client socket. The data may
1292  * be the raw data, or may need to be further decoded by SASL.
1293  * The data will be read either straight from to the socket, or
1294  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1295  *
1296  * NB, it is theoretically possible to have 2 layers of encryption,
1297  * both SASL, and this TLS layer. It is highly unlikely in practice
1298  * though, since SASL encryption will typically be a no-op if TLS
1299  * is active
1300  *
1301  * Returns the number of bytes read, which may be less than
1302  * the requested 'datalen' if the socket would block. Returns
1303  * -1 on error, and disconnects the client socket.
1304  */
1305 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1306 {
1307     long ret;
1308 #ifdef CONFIG_VNC_TLS
1309     if (vs->tls.session) {
1310         ret = vnc_client_read_tls(&vs->tls.session, data, datalen);
1311     } else {
1312 #ifdef CONFIG_VNC_WS
1313         if (vs->ws_tls.session) {
1314             ret = vnc_client_read_tls(&vs->ws_tls.session, data, datalen);
1315         } else
1316 #endif /* CONFIG_VNC_WS */
1317 #endif /* CONFIG_VNC_TLS */
1318         {
1319             ret = qemu_recv(vs->csock, data, datalen, 0);
1320         }
1321 #ifdef CONFIG_VNC_TLS
1322     }
1323 #endif /* CONFIG_VNC_TLS */
1324     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1325     return vnc_client_io_error(vs, ret, socket_error());
1326 }
1327 
1328 
1329 /*
1330  * Called to read data from the client socket to the input buffer,
1331  * when not using any SASL SSF encryption layers. Will read as much
1332  * data as possible without blocking.
1333  *
1334  * Returns the number of bytes read. Returns -1 on error, and
1335  * disconnects the client socket.
1336  */
1337 static long vnc_client_read_plain(VncState *vs)
1338 {
1339     int ret;
1340     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1341               vs->input.buffer, vs->input.capacity, vs->input.offset);
1342     buffer_reserve(&vs->input, 4096);
1343     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1344     if (!ret)
1345         return 0;
1346     vs->input.offset += ret;
1347     return ret;
1348 }
1349 
1350 static void vnc_jobs_bh(void *opaque)
1351 {
1352     VncState *vs = opaque;
1353 
1354     vnc_jobs_consume_buffer(vs);
1355 }
1356 
1357 /*
1358  * First function called whenever there is more data to be read from
1359  * the client socket. Will delegate actual work according to whether
1360  * SASL SSF layers are enabled (thus requiring decryption calls)
1361  */
1362 void vnc_client_read(void *opaque)
1363 {
1364     VncState *vs = opaque;
1365     long ret;
1366 
1367 #ifdef CONFIG_VNC_SASL
1368     if (vs->sasl.conn && vs->sasl.runSSF)
1369         ret = vnc_client_read_sasl(vs);
1370     else
1371 #endif /* CONFIG_VNC_SASL */
1372 #ifdef CONFIG_VNC_WS
1373         if (vs->encode_ws) {
1374             ret = vnc_client_read_ws(vs);
1375             if (ret == -1) {
1376                 vnc_disconnect_start(vs);
1377                 return;
1378             } else if (ret == -2) {
1379                 vnc_client_error(vs);
1380                 return;
1381             }
1382         } else
1383 #endif /* CONFIG_VNC_WS */
1384         {
1385         ret = vnc_client_read_plain(vs);
1386         }
1387     if (!ret) {
1388         if (vs->csock == -1)
1389             vnc_disconnect_finish(vs);
1390         return;
1391     }
1392 
1393     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1394         size_t len = vs->read_handler_expect;
1395         int ret;
1396 
1397         ret = vs->read_handler(vs, vs->input.buffer, len);
1398         if (vs->csock == -1) {
1399             vnc_disconnect_finish(vs);
1400             return;
1401         }
1402 
1403         if (!ret) {
1404             buffer_advance(&vs->input, len);
1405         } else {
1406             vs->read_handler_expect = ret;
1407         }
1408     }
1409 }
1410 
1411 void vnc_write(VncState *vs, const void *data, size_t len)
1412 {
1413     buffer_reserve(&vs->output, len);
1414 
1415     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1416         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1417     }
1418 
1419     buffer_append(&vs->output, data, len);
1420 }
1421 
1422 void vnc_write_s32(VncState *vs, int32_t value)
1423 {
1424     vnc_write_u32(vs, *(uint32_t *)&value);
1425 }
1426 
1427 void vnc_write_u32(VncState *vs, uint32_t value)
1428 {
1429     uint8_t buf[4];
1430 
1431     buf[0] = (value >> 24) & 0xFF;
1432     buf[1] = (value >> 16) & 0xFF;
1433     buf[2] = (value >>  8) & 0xFF;
1434     buf[3] = value & 0xFF;
1435 
1436     vnc_write(vs, buf, 4);
1437 }
1438 
1439 void vnc_write_u16(VncState *vs, uint16_t value)
1440 {
1441     uint8_t buf[2];
1442 
1443     buf[0] = (value >> 8) & 0xFF;
1444     buf[1] = value & 0xFF;
1445 
1446     vnc_write(vs, buf, 2);
1447 }
1448 
1449 void vnc_write_u8(VncState *vs, uint8_t value)
1450 {
1451     vnc_write(vs, (char *)&value, 1);
1452 }
1453 
1454 void vnc_flush(VncState *vs)
1455 {
1456     vnc_lock_output(vs);
1457     if (vs->csock != -1 && (vs->output.offset
1458 #ifdef CONFIG_VNC_WS
1459                 || vs->ws_output.offset
1460 #endif
1461                 )) {
1462         vnc_client_write_locked(vs);
1463     }
1464     vnc_unlock_output(vs);
1465 }
1466 
1467 static uint8_t read_u8(uint8_t *data, size_t offset)
1468 {
1469     return data[offset];
1470 }
1471 
1472 static uint16_t read_u16(uint8_t *data, size_t offset)
1473 {
1474     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1475 }
1476 
1477 static int32_t read_s32(uint8_t *data, size_t offset)
1478 {
1479     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1480                      (data[offset + 2] << 8) | data[offset + 3]);
1481 }
1482 
1483 uint32_t read_u32(uint8_t *data, size_t offset)
1484 {
1485     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1486             (data[offset + 2] << 8) | data[offset + 3]);
1487 }
1488 
1489 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1490 {
1491 }
1492 
1493 static void check_pointer_type_change(Notifier *notifier, void *data)
1494 {
1495     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1496     int absolute = qemu_input_is_absolute();
1497 
1498     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1499         vnc_lock_output(vs);
1500         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1501         vnc_write_u8(vs, 0);
1502         vnc_write_u16(vs, 1);
1503         vnc_framebuffer_update(vs, absolute, 0,
1504                                pixman_image_get_width(vs->vd->server),
1505                                pixman_image_get_height(vs->vd->server),
1506                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1507         vnc_unlock_output(vs);
1508         vnc_flush(vs);
1509     }
1510     vs->absolute = absolute;
1511 }
1512 
1513 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1514 {
1515     static uint32_t bmap[INPUT_BUTTON_MAX] = {
1516         [INPUT_BUTTON_LEFT]       = 0x01,
1517         [INPUT_BUTTON_MIDDLE]     = 0x02,
1518         [INPUT_BUTTON_RIGHT]      = 0x04,
1519         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1520         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1521     };
1522     QemuConsole *con = vs->vd->dcl.con;
1523     int width = pixman_image_get_width(vs->vd->server);
1524     int height = pixman_image_get_height(vs->vd->server);
1525 
1526     if (vs->last_bmask != button_mask) {
1527         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1528         vs->last_bmask = button_mask;
1529     }
1530 
1531     if (vs->absolute) {
1532         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1533         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1534     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1535         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1536         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1537     } else {
1538         if (vs->last_x != -1) {
1539             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1540             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1541         }
1542         vs->last_x = x;
1543         vs->last_y = y;
1544     }
1545     qemu_input_event_sync();
1546 }
1547 
1548 static void reset_keys(VncState *vs)
1549 {
1550     int i;
1551     for(i = 0; i < 256; i++) {
1552         if (vs->modifiers_state[i]) {
1553             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1554             vs->modifiers_state[i] = 0;
1555         }
1556     }
1557 }
1558 
1559 static void press_key(VncState *vs, int keysym)
1560 {
1561     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1562     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1563     qemu_input_event_send_key_delay(0);
1564     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1565     qemu_input_event_send_key_delay(0);
1566 }
1567 
1568 static int current_led_state(VncState *vs)
1569 {
1570     int ledstate = 0;
1571 
1572     if (vs->modifiers_state[0x46]) {
1573         ledstate |= QEMU_SCROLL_LOCK_LED;
1574     }
1575     if (vs->modifiers_state[0x45]) {
1576         ledstate |= QEMU_NUM_LOCK_LED;
1577     }
1578     if (vs->modifiers_state[0x3a]) {
1579         ledstate |= QEMU_CAPS_LOCK_LED;
1580     }
1581 
1582     return ledstate;
1583 }
1584 
1585 static void vnc_led_state_change(VncState *vs)
1586 {
1587     int ledstate = 0;
1588 
1589     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1590         return;
1591     }
1592 
1593     ledstate = current_led_state(vs);
1594     vnc_lock_output(vs);
1595     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1596     vnc_write_u8(vs, 0);
1597     vnc_write_u16(vs, 1);
1598     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1599     vnc_write_u8(vs, ledstate);
1600     vnc_unlock_output(vs);
1601     vnc_flush(vs);
1602 }
1603 
1604 static void kbd_leds(void *opaque, int ledstate)
1605 {
1606     VncState *vs = opaque;
1607     int caps, num, scr;
1608     bool has_changed = (ledstate != current_led_state(vs));
1609 
1610     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1611                              (ledstate & QEMU_NUM_LOCK_LED),
1612                              (ledstate & QEMU_SCROLL_LOCK_LED));
1613 
1614     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1615     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1616     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1617 
1618     if (vs->modifiers_state[0x3a] != caps) {
1619         vs->modifiers_state[0x3a] = caps;
1620     }
1621     if (vs->modifiers_state[0x45] != num) {
1622         vs->modifiers_state[0x45] = num;
1623     }
1624     if (vs->modifiers_state[0x46] != scr) {
1625         vs->modifiers_state[0x46] = scr;
1626     }
1627 
1628     /* Sending the current led state message to the client */
1629     if (has_changed) {
1630         vnc_led_state_change(vs);
1631     }
1632 }
1633 
1634 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1635 {
1636     /* QEMU console switch */
1637     switch(keycode) {
1638     case 0x2a:                          /* Left Shift */
1639     case 0x36:                          /* Right Shift */
1640     case 0x1d:                          /* Left CTRL */
1641     case 0x9d:                          /* Right CTRL */
1642     case 0x38:                          /* Left ALT */
1643     case 0xb8:                          /* Right ALT */
1644         if (down)
1645             vs->modifiers_state[keycode] = 1;
1646         else
1647             vs->modifiers_state[keycode] = 0;
1648         break;
1649     case 0x02 ... 0x0a: /* '1' to '9' keys */
1650         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1651             /* Reset the modifiers sent to the current console */
1652             reset_keys(vs);
1653             console_select(keycode - 0x02);
1654             return;
1655         }
1656         break;
1657     case 0x3a:                        /* CapsLock */
1658     case 0x45:                        /* NumLock */
1659         if (down)
1660             vs->modifiers_state[keycode] ^= 1;
1661         break;
1662     }
1663 
1664     /* Turn off the lock state sync logic if the client support the led
1665        state extension.
1666     */
1667     if (down && vs->vd->lock_key_sync &&
1668         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1669         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1670         /* If the numlock state needs to change then simulate an additional
1671            keypress before sending this one.  This will happen if the user
1672            toggles numlock away from the VNC window.
1673         */
1674         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1675             if (!vs->modifiers_state[0x45]) {
1676                 trace_vnc_key_sync_numlock(true);
1677                 vs->modifiers_state[0x45] = 1;
1678                 press_key(vs, 0xff7f);
1679             }
1680         } else {
1681             if (vs->modifiers_state[0x45]) {
1682                 trace_vnc_key_sync_numlock(false);
1683                 vs->modifiers_state[0x45] = 0;
1684                 press_key(vs, 0xff7f);
1685             }
1686         }
1687     }
1688 
1689     if (down && vs->vd->lock_key_sync &&
1690         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1691         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1692         /* If the capslock state needs to change then simulate an additional
1693            keypress before sending this one.  This will happen if the user
1694            toggles capslock away from the VNC window.
1695         */
1696         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1697         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1698         int capslock = !!(vs->modifiers_state[0x3a]);
1699         if (capslock) {
1700             if (uppercase == shift) {
1701                 trace_vnc_key_sync_capslock(false);
1702                 vs->modifiers_state[0x3a] = 0;
1703                 press_key(vs, 0xffe5);
1704             }
1705         } else {
1706             if (uppercase != shift) {
1707                 trace_vnc_key_sync_capslock(true);
1708                 vs->modifiers_state[0x3a] = 1;
1709                 press_key(vs, 0xffe5);
1710             }
1711         }
1712     }
1713 
1714     if (qemu_console_is_graphic(NULL)) {
1715         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1716     } else {
1717         bool numlock = vs->modifiers_state[0x45];
1718         bool control = (vs->modifiers_state[0x1d] ||
1719                         vs->modifiers_state[0x9d]);
1720         /* QEMU console emulation */
1721         if (down) {
1722             switch (keycode) {
1723             case 0x2a:                          /* Left Shift */
1724             case 0x36:                          /* Right Shift */
1725             case 0x1d:                          /* Left CTRL */
1726             case 0x9d:                          /* Right CTRL */
1727             case 0x38:                          /* Left ALT */
1728             case 0xb8:                          /* Right ALT */
1729                 break;
1730             case 0xc8:
1731                 kbd_put_keysym(QEMU_KEY_UP);
1732                 break;
1733             case 0xd0:
1734                 kbd_put_keysym(QEMU_KEY_DOWN);
1735                 break;
1736             case 0xcb:
1737                 kbd_put_keysym(QEMU_KEY_LEFT);
1738                 break;
1739             case 0xcd:
1740                 kbd_put_keysym(QEMU_KEY_RIGHT);
1741                 break;
1742             case 0xd3:
1743                 kbd_put_keysym(QEMU_KEY_DELETE);
1744                 break;
1745             case 0xc7:
1746                 kbd_put_keysym(QEMU_KEY_HOME);
1747                 break;
1748             case 0xcf:
1749                 kbd_put_keysym(QEMU_KEY_END);
1750                 break;
1751             case 0xc9:
1752                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1753                 break;
1754             case 0xd1:
1755                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1756                 break;
1757 
1758             case 0x47:
1759                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1760                 break;
1761             case 0x48:
1762                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1763                 break;
1764             case 0x49:
1765                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1766                 break;
1767             case 0x4b:
1768                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1769                 break;
1770             case 0x4c:
1771                 kbd_put_keysym('5');
1772                 break;
1773             case 0x4d:
1774                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1775                 break;
1776             case 0x4f:
1777                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1778                 break;
1779             case 0x50:
1780                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1781                 break;
1782             case 0x51:
1783                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1784                 break;
1785             case 0x52:
1786                 kbd_put_keysym('0');
1787                 break;
1788             case 0x53:
1789                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1790                 break;
1791 
1792             case 0xb5:
1793                 kbd_put_keysym('/');
1794                 break;
1795             case 0x37:
1796                 kbd_put_keysym('*');
1797                 break;
1798             case 0x4a:
1799                 kbd_put_keysym('-');
1800                 break;
1801             case 0x4e:
1802                 kbd_put_keysym('+');
1803                 break;
1804             case 0x9c:
1805                 kbd_put_keysym('\n');
1806                 break;
1807 
1808             default:
1809                 if (control) {
1810                     kbd_put_keysym(sym & 0x1f);
1811                 } else {
1812                     kbd_put_keysym(sym);
1813                 }
1814                 break;
1815             }
1816         }
1817     }
1818 }
1819 
1820 static void vnc_release_modifiers(VncState *vs)
1821 {
1822     static const int keycodes[] = {
1823         /* shift, control, alt keys, both left & right */
1824         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1825     };
1826     int i, keycode;
1827 
1828     if (!qemu_console_is_graphic(NULL)) {
1829         return;
1830     }
1831     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1832         keycode = keycodes[i];
1833         if (!vs->modifiers_state[keycode]) {
1834             continue;
1835         }
1836         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1837     }
1838 }
1839 
1840 static const char *code2name(int keycode)
1841 {
1842     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
1843 }
1844 
1845 static void key_event(VncState *vs, int down, uint32_t sym)
1846 {
1847     int keycode;
1848     int lsym = sym;
1849 
1850     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1851         lsym = lsym - 'A' + 'a';
1852     }
1853 
1854     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1855     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1856     do_key_event(vs, down, keycode, sym);
1857 }
1858 
1859 static void ext_key_event(VncState *vs, int down,
1860                           uint32_t sym, uint16_t keycode)
1861 {
1862     /* if the user specifies a keyboard layout, always use it */
1863     if (keyboard_layout) {
1864         key_event(vs, down, sym);
1865     } else {
1866         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
1867         do_key_event(vs, down, keycode, sym);
1868     }
1869 }
1870 
1871 static void framebuffer_update_request(VncState *vs, int incremental,
1872                                        int x, int y, int w, int h)
1873 {
1874     int width = pixman_image_get_width(vs->vd->server);
1875     int height = pixman_image_get_height(vs->vd->server);
1876 
1877     vs->need_update = 1;
1878 
1879     if (incremental) {
1880         return;
1881     }
1882 
1883     vs->force_update = 1;
1884     vnc_set_area_dirty(vs->dirty, width, height, x, y, w, h);
1885 }
1886 
1887 static void send_ext_key_event_ack(VncState *vs)
1888 {
1889     vnc_lock_output(vs);
1890     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1891     vnc_write_u8(vs, 0);
1892     vnc_write_u16(vs, 1);
1893     vnc_framebuffer_update(vs, 0, 0,
1894                            pixman_image_get_width(vs->vd->server),
1895                            pixman_image_get_height(vs->vd->server),
1896                            VNC_ENCODING_EXT_KEY_EVENT);
1897     vnc_unlock_output(vs);
1898     vnc_flush(vs);
1899 }
1900 
1901 static void send_ext_audio_ack(VncState *vs)
1902 {
1903     vnc_lock_output(vs);
1904     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1905     vnc_write_u8(vs, 0);
1906     vnc_write_u16(vs, 1);
1907     vnc_framebuffer_update(vs, 0, 0,
1908                            pixman_image_get_width(vs->vd->server),
1909                            pixman_image_get_height(vs->vd->server),
1910                            VNC_ENCODING_AUDIO);
1911     vnc_unlock_output(vs);
1912     vnc_flush(vs);
1913 }
1914 
1915 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1916 {
1917     int i;
1918     unsigned int enc = 0;
1919 
1920     vs->features = 0;
1921     vs->vnc_encoding = 0;
1922     vs->tight.compression = 9;
1923     vs->tight.quality = -1; /* Lossless by default */
1924     vs->absolute = -1;
1925 
1926     /*
1927      * Start from the end because the encodings are sent in order of preference.
1928      * This way the preferred encoding (first encoding defined in the array)
1929      * will be set at the end of the loop.
1930      */
1931     for (i = n_encodings - 1; i >= 0; i--) {
1932         enc = encodings[i];
1933         switch (enc) {
1934         case VNC_ENCODING_RAW:
1935             vs->vnc_encoding = enc;
1936             break;
1937         case VNC_ENCODING_COPYRECT:
1938             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1939             break;
1940         case VNC_ENCODING_HEXTILE:
1941             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1942             vs->vnc_encoding = enc;
1943             break;
1944         case VNC_ENCODING_TIGHT:
1945             vs->features |= VNC_FEATURE_TIGHT_MASK;
1946             vs->vnc_encoding = enc;
1947             break;
1948 #ifdef CONFIG_VNC_PNG
1949         case VNC_ENCODING_TIGHT_PNG:
1950             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1951             vs->vnc_encoding = enc;
1952             break;
1953 #endif
1954         case VNC_ENCODING_ZLIB:
1955             vs->features |= VNC_FEATURE_ZLIB_MASK;
1956             vs->vnc_encoding = enc;
1957             break;
1958         case VNC_ENCODING_ZRLE:
1959             vs->features |= VNC_FEATURE_ZRLE_MASK;
1960             vs->vnc_encoding = enc;
1961             break;
1962         case VNC_ENCODING_ZYWRLE:
1963             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1964             vs->vnc_encoding = enc;
1965             break;
1966         case VNC_ENCODING_DESKTOPRESIZE:
1967             vs->features |= VNC_FEATURE_RESIZE_MASK;
1968             break;
1969         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1970             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1971             break;
1972         case VNC_ENCODING_RICH_CURSOR:
1973             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1974             break;
1975         case VNC_ENCODING_EXT_KEY_EVENT:
1976             send_ext_key_event_ack(vs);
1977             break;
1978         case VNC_ENCODING_AUDIO:
1979             send_ext_audio_ack(vs);
1980             break;
1981         case VNC_ENCODING_WMVi:
1982             vs->features |= VNC_FEATURE_WMVI_MASK;
1983             break;
1984         case VNC_ENCODING_LED_STATE:
1985             vs->features |= VNC_FEATURE_LED_STATE_MASK;
1986             break;
1987         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1988             vs->tight.compression = (enc & 0x0F);
1989             break;
1990         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1991             if (vs->vd->lossy) {
1992                 vs->tight.quality = (enc & 0x0F);
1993             }
1994             break;
1995         default:
1996             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1997             break;
1998         }
1999     }
2000     vnc_desktop_resize(vs);
2001     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2002     vnc_led_state_change(vs);
2003 }
2004 
2005 static void set_pixel_conversion(VncState *vs)
2006 {
2007     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2008 
2009     if (fmt == VNC_SERVER_FB_FORMAT) {
2010         vs->write_pixels = vnc_write_pixels_copy;
2011         vnc_hextile_set_pixel_conversion(vs, 0);
2012     } else {
2013         vs->write_pixels = vnc_write_pixels_generic;
2014         vnc_hextile_set_pixel_conversion(vs, 1);
2015     }
2016 }
2017 
2018 static void set_pixel_format(VncState *vs,
2019                              int bits_per_pixel, int depth,
2020                              int big_endian_flag, int true_color_flag,
2021                              int red_max, int green_max, int blue_max,
2022                              int red_shift, int green_shift, int blue_shift)
2023 {
2024     if (!true_color_flag) {
2025         vnc_client_error(vs);
2026         return;
2027     }
2028 
2029     vs->client_pf.rmax = red_max;
2030     vs->client_pf.rbits = hweight_long(red_max);
2031     vs->client_pf.rshift = red_shift;
2032     vs->client_pf.rmask = red_max << red_shift;
2033     vs->client_pf.gmax = green_max;
2034     vs->client_pf.gbits = hweight_long(green_max);
2035     vs->client_pf.gshift = green_shift;
2036     vs->client_pf.gmask = green_max << green_shift;
2037     vs->client_pf.bmax = blue_max;
2038     vs->client_pf.bbits = hweight_long(blue_max);
2039     vs->client_pf.bshift = blue_shift;
2040     vs->client_pf.bmask = blue_max << blue_shift;
2041     vs->client_pf.bits_per_pixel = bits_per_pixel;
2042     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2043     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2044     vs->client_be = big_endian_flag;
2045 
2046     set_pixel_conversion(vs);
2047 
2048     graphic_hw_invalidate(NULL);
2049     graphic_hw_update(NULL);
2050 }
2051 
2052 static void pixel_format_message (VncState *vs) {
2053     char pad[3] = { 0, 0, 0 };
2054 
2055     vs->client_pf = qemu_default_pixelformat(32);
2056 
2057     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2058     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2059 
2060 #ifdef HOST_WORDS_BIGENDIAN
2061     vnc_write_u8(vs, 1);             /* big-endian-flag */
2062 #else
2063     vnc_write_u8(vs, 0);             /* big-endian-flag */
2064 #endif
2065     vnc_write_u8(vs, 1);             /* true-color-flag */
2066     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2067     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2068     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2069     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2070     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2071     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2072     vnc_write(vs, pad, 3);           /* padding */
2073 
2074     vnc_hextile_set_pixel_conversion(vs, 0);
2075     vs->write_pixels = vnc_write_pixels_copy;
2076 }
2077 
2078 static void vnc_colordepth(VncState *vs)
2079 {
2080     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2081         /* Sending a WMVi message to notify the client*/
2082         vnc_lock_output(vs);
2083         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2084         vnc_write_u8(vs, 0);
2085         vnc_write_u16(vs, 1); /* number of rects */
2086         vnc_framebuffer_update(vs, 0, 0,
2087                                pixman_image_get_width(vs->vd->server),
2088                                pixman_image_get_height(vs->vd->server),
2089                                VNC_ENCODING_WMVi);
2090         pixel_format_message(vs);
2091         vnc_unlock_output(vs);
2092         vnc_flush(vs);
2093     } else {
2094         set_pixel_conversion(vs);
2095     }
2096 }
2097 
2098 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2099 {
2100     int i;
2101     uint16_t limit;
2102     VncDisplay *vd = vs->vd;
2103 
2104     if (data[0] > 3) {
2105         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2106     }
2107 
2108     switch (data[0]) {
2109     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2110         if (len == 1)
2111             return 20;
2112 
2113         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2114                          read_u8(data, 6), read_u8(data, 7),
2115                          read_u16(data, 8), read_u16(data, 10),
2116                          read_u16(data, 12), read_u8(data, 14),
2117                          read_u8(data, 15), read_u8(data, 16));
2118         break;
2119     case VNC_MSG_CLIENT_SET_ENCODINGS:
2120         if (len == 1)
2121             return 4;
2122 
2123         if (len == 4) {
2124             limit = read_u16(data, 2);
2125             if (limit > 0)
2126                 return 4 + (limit * 4);
2127         } else
2128             limit = read_u16(data, 2);
2129 
2130         for (i = 0; i < limit; i++) {
2131             int32_t val = read_s32(data, 4 + (i * 4));
2132             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2133         }
2134 
2135         set_encodings(vs, (int32_t *)(data + 4), limit);
2136         break;
2137     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2138         if (len == 1)
2139             return 10;
2140 
2141         framebuffer_update_request(vs,
2142                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2143                                    read_u16(data, 6), read_u16(data, 8));
2144         break;
2145     case VNC_MSG_CLIENT_KEY_EVENT:
2146         if (len == 1)
2147             return 8;
2148 
2149         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2150         break;
2151     case VNC_MSG_CLIENT_POINTER_EVENT:
2152         if (len == 1)
2153             return 6;
2154 
2155         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2156         break;
2157     case VNC_MSG_CLIENT_CUT_TEXT:
2158         if (len == 1) {
2159             return 8;
2160         }
2161         if (len == 8) {
2162             uint32_t dlen = read_u32(data, 4);
2163             if (dlen > (1 << 20)) {
2164                 error_report("vnc: client_cut_text msg payload has %u bytes"
2165                              " which exceeds our limit of 1MB.", dlen);
2166                 vnc_client_error(vs);
2167                 break;
2168             }
2169             if (dlen > 0) {
2170                 return 8 + dlen;
2171             }
2172         }
2173 
2174         client_cut_text(vs, read_u32(data, 4), data + 8);
2175         break;
2176     case VNC_MSG_CLIENT_QEMU:
2177         if (len == 1)
2178             return 2;
2179 
2180         switch (read_u8(data, 1)) {
2181         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2182             if (len == 2)
2183                 return 12;
2184 
2185             ext_key_event(vs, read_u16(data, 2),
2186                           read_u32(data, 4), read_u32(data, 8));
2187             break;
2188         case VNC_MSG_CLIENT_QEMU_AUDIO:
2189             if (len == 2)
2190                 return 4;
2191 
2192             switch (read_u16 (data, 2)) {
2193             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2194                 audio_add(vs);
2195                 break;
2196             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2197                 audio_del(vs);
2198                 break;
2199             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2200                 if (len == 4)
2201                     return 10;
2202                 switch (read_u8(data, 4)) {
2203                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2204                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2205                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2206                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2207                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2208                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2209                 default:
2210                     printf("Invalid audio format %d\n", read_u8(data, 4));
2211                     vnc_client_error(vs);
2212                     break;
2213                 }
2214                 vs->as.nchannels = read_u8(data, 5);
2215                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2216                     printf("Invalid audio channel coount %d\n",
2217                            read_u8(data, 5));
2218                     vnc_client_error(vs);
2219                     break;
2220                 }
2221                 vs->as.freq = read_u32(data, 6);
2222                 break;
2223             default:
2224                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2225                 vnc_client_error(vs);
2226                 break;
2227             }
2228             break;
2229 
2230         default:
2231             printf("Msg: %d\n", read_u16(data, 0));
2232             vnc_client_error(vs);
2233             break;
2234         }
2235         break;
2236     default:
2237         printf("Msg: %d\n", data[0]);
2238         vnc_client_error(vs);
2239         break;
2240     }
2241 
2242     vnc_read_when(vs, protocol_client_msg, 1);
2243     return 0;
2244 }
2245 
2246 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2247 {
2248     char buf[1024];
2249     VncShareMode mode;
2250     int size;
2251 
2252     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2253     switch (vs->vd->share_policy) {
2254     case VNC_SHARE_POLICY_IGNORE:
2255         /*
2256          * Ignore the shared flag.  Nothing to do here.
2257          *
2258          * Doesn't conform to the rfb spec but is traditional qemu
2259          * behavior, thus left here as option for compatibility
2260          * reasons.
2261          */
2262         break;
2263     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2264         /*
2265          * Policy: Allow clients ask for exclusive access.
2266          *
2267          * Implementation: When a client asks for exclusive access,
2268          * disconnect all others. Shared connects are allowed as long
2269          * as no exclusive connection exists.
2270          *
2271          * This is how the rfb spec suggests to handle the shared flag.
2272          */
2273         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2274             VncState *client;
2275             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2276                 if (vs == client) {
2277                     continue;
2278                 }
2279                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2280                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2281                     continue;
2282                 }
2283                 vnc_disconnect_start(client);
2284             }
2285         }
2286         if (mode == VNC_SHARE_MODE_SHARED) {
2287             if (vs->vd->num_exclusive > 0) {
2288                 vnc_disconnect_start(vs);
2289                 return 0;
2290             }
2291         }
2292         break;
2293     case VNC_SHARE_POLICY_FORCE_SHARED:
2294         /*
2295          * Policy: Shared connects only.
2296          * Implementation: Disallow clients asking for exclusive access.
2297          *
2298          * Useful for shared desktop sessions where you don't want
2299          * someone forgetting to say -shared when running the vnc
2300          * client disconnect everybody else.
2301          */
2302         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2303             vnc_disconnect_start(vs);
2304             return 0;
2305         }
2306         break;
2307     }
2308     vnc_set_share_mode(vs, mode);
2309 
2310     vs->client_width = pixman_image_get_width(vs->vd->server);
2311     vs->client_height = pixman_image_get_height(vs->vd->server);
2312     vnc_write_u16(vs, vs->client_width);
2313     vnc_write_u16(vs, vs->client_height);
2314 
2315     pixel_format_message(vs);
2316 
2317     if (qemu_name)
2318         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2319     else
2320         size = snprintf(buf, sizeof(buf), "QEMU");
2321 
2322     vnc_write_u32(vs, size);
2323     vnc_write(vs, buf, size);
2324     vnc_flush(vs);
2325 
2326     vnc_client_cache_auth(vs);
2327     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2328 
2329     vnc_read_when(vs, protocol_client_msg, 1);
2330 
2331     return 0;
2332 }
2333 
2334 void start_client_init(VncState *vs)
2335 {
2336     vnc_read_when(vs, protocol_client_init, 1);
2337 }
2338 
2339 static void make_challenge(VncState *vs)
2340 {
2341     int i;
2342 
2343     srand(time(NULL)+getpid()+getpid()*987654+rand());
2344 
2345     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2346         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2347 }
2348 
2349 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2350 {
2351     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2352     int i, j, pwlen;
2353     unsigned char key[8];
2354     time_t now = time(NULL);
2355 
2356     if (!vs->vd->password) {
2357         VNC_DEBUG("No password configured on server");
2358         goto reject;
2359     }
2360     if (vs->vd->expires < now) {
2361         VNC_DEBUG("Password is expired");
2362         goto reject;
2363     }
2364 
2365     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2366 
2367     /* Calculate the expected challenge response */
2368     pwlen = strlen(vs->vd->password);
2369     for (i=0; i<sizeof(key); i++)
2370         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2371     deskey(key, EN0);
2372     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2373         des(response+j, response+j);
2374 
2375     /* Compare expected vs actual challenge response */
2376     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2377         VNC_DEBUG("Client challenge response did not match\n");
2378         goto reject;
2379     } else {
2380         VNC_DEBUG("Accepting VNC challenge response\n");
2381         vnc_write_u32(vs, 0); /* Accept auth */
2382         vnc_flush(vs);
2383 
2384         start_client_init(vs);
2385     }
2386     return 0;
2387 
2388 reject:
2389     vnc_write_u32(vs, 1); /* Reject auth */
2390     if (vs->minor >= 8) {
2391         static const char err[] = "Authentication failed";
2392         vnc_write_u32(vs, sizeof(err));
2393         vnc_write(vs, err, sizeof(err));
2394     }
2395     vnc_flush(vs);
2396     vnc_client_error(vs);
2397     return 0;
2398 }
2399 
2400 void start_auth_vnc(VncState *vs)
2401 {
2402     make_challenge(vs);
2403     /* Send client a 'random' challenge */
2404     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2405     vnc_flush(vs);
2406 
2407     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2408 }
2409 
2410 
2411 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2412 {
2413     /* We only advertise 1 auth scheme at a time, so client
2414      * must pick the one we sent. Verify this */
2415     if (data[0] != vs->auth) { /* Reject auth */
2416        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2417        vnc_write_u32(vs, 1);
2418        if (vs->minor >= 8) {
2419            static const char err[] = "Authentication failed";
2420            vnc_write_u32(vs, sizeof(err));
2421            vnc_write(vs, err, sizeof(err));
2422        }
2423        vnc_client_error(vs);
2424     } else { /* Accept requested auth */
2425        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2426        switch (vs->auth) {
2427        case VNC_AUTH_NONE:
2428            VNC_DEBUG("Accept auth none\n");
2429            if (vs->minor >= 8) {
2430                vnc_write_u32(vs, 0); /* Accept auth completion */
2431                vnc_flush(vs);
2432            }
2433            start_client_init(vs);
2434            break;
2435 
2436        case VNC_AUTH_VNC:
2437            VNC_DEBUG("Start VNC auth\n");
2438            start_auth_vnc(vs);
2439            break;
2440 
2441 #ifdef CONFIG_VNC_TLS
2442        case VNC_AUTH_VENCRYPT:
2443            VNC_DEBUG("Accept VeNCrypt auth\n");
2444            start_auth_vencrypt(vs);
2445            break;
2446 #endif /* CONFIG_VNC_TLS */
2447 
2448 #ifdef CONFIG_VNC_SASL
2449        case VNC_AUTH_SASL:
2450            VNC_DEBUG("Accept SASL auth\n");
2451            start_auth_sasl(vs);
2452            break;
2453 #endif /* CONFIG_VNC_SASL */
2454 
2455        default: /* Should not be possible, but just in case */
2456            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2457            vnc_write_u8(vs, 1);
2458            if (vs->minor >= 8) {
2459                static const char err[] = "Authentication failed";
2460                vnc_write_u32(vs, sizeof(err));
2461                vnc_write(vs, err, sizeof(err));
2462            }
2463            vnc_client_error(vs);
2464        }
2465     }
2466     return 0;
2467 }
2468 
2469 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2470 {
2471     char local[13];
2472 
2473     memcpy(local, version, 12);
2474     local[12] = 0;
2475 
2476     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2477         VNC_DEBUG("Malformed protocol version %s\n", local);
2478         vnc_client_error(vs);
2479         return 0;
2480     }
2481     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2482     if (vs->major != 3 ||
2483         (vs->minor != 3 &&
2484          vs->minor != 4 &&
2485          vs->minor != 5 &&
2486          vs->minor != 7 &&
2487          vs->minor != 8)) {
2488         VNC_DEBUG("Unsupported client version\n");
2489         vnc_write_u32(vs, VNC_AUTH_INVALID);
2490         vnc_flush(vs);
2491         vnc_client_error(vs);
2492         return 0;
2493     }
2494     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2495      * as equivalent to v3.3 by servers
2496      */
2497     if (vs->minor == 4 || vs->minor == 5)
2498         vs->minor = 3;
2499 
2500     if (vs->minor == 3) {
2501         if (vs->auth == VNC_AUTH_NONE) {
2502             VNC_DEBUG("Tell client auth none\n");
2503             vnc_write_u32(vs, vs->auth);
2504             vnc_flush(vs);
2505             start_client_init(vs);
2506        } else if (vs->auth == VNC_AUTH_VNC) {
2507             VNC_DEBUG("Tell client VNC auth\n");
2508             vnc_write_u32(vs, vs->auth);
2509             vnc_flush(vs);
2510             start_auth_vnc(vs);
2511        } else {
2512             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2513             vnc_write_u32(vs, VNC_AUTH_INVALID);
2514             vnc_flush(vs);
2515             vnc_client_error(vs);
2516        }
2517     } else {
2518         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2519         vnc_write_u8(vs, 1); /* num auth */
2520         vnc_write_u8(vs, vs->auth);
2521         vnc_read_when(vs, protocol_client_auth, 1);
2522         vnc_flush(vs);
2523     }
2524 
2525     return 0;
2526 }
2527 
2528 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2529 {
2530     struct VncSurface *vs = &vd->guest;
2531 
2532     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2533 }
2534 
2535 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2536 {
2537     int i, j;
2538 
2539     w = (x + w) / VNC_STAT_RECT;
2540     h = (y + h) / VNC_STAT_RECT;
2541     x /= VNC_STAT_RECT;
2542     y /= VNC_STAT_RECT;
2543 
2544     for (j = y; j <= h; j++) {
2545         for (i = x; i <= w; i++) {
2546             vs->lossy_rect[j][i] = 1;
2547         }
2548     }
2549 }
2550 
2551 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2552 {
2553     VncState *vs;
2554     int sty = y / VNC_STAT_RECT;
2555     int stx = x / VNC_STAT_RECT;
2556     int has_dirty = 0;
2557 
2558     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2559     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2560 
2561     QTAILQ_FOREACH(vs, &vd->clients, next) {
2562         int j;
2563 
2564         /* kernel send buffers are full -> refresh later */
2565         if (vs->output.offset) {
2566             continue;
2567         }
2568 
2569         if (!vs->lossy_rect[sty][stx]) {
2570             continue;
2571         }
2572 
2573         vs->lossy_rect[sty][stx] = 0;
2574         for (j = 0; j < VNC_STAT_RECT; ++j) {
2575             bitmap_set(vs->dirty[y + j],
2576                        x / VNC_DIRTY_PIXELS_PER_BIT,
2577                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2578         }
2579         has_dirty++;
2580     }
2581 
2582     return has_dirty;
2583 }
2584 
2585 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2586 {
2587     int width = pixman_image_get_width(vd->guest.fb);
2588     int height = pixman_image_get_height(vd->guest.fb);
2589     int x, y;
2590     struct timeval res;
2591     int has_dirty = 0;
2592 
2593     for (y = 0; y < height; y += VNC_STAT_RECT) {
2594         for (x = 0; x < width; x += VNC_STAT_RECT) {
2595             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2596 
2597             rect->updated = false;
2598         }
2599     }
2600 
2601     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2602 
2603     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2604         return has_dirty;
2605     }
2606     vd->guest.last_freq_check = *tv;
2607 
2608     for (y = 0; y < height; y += VNC_STAT_RECT) {
2609         for (x = 0; x < width; x += VNC_STAT_RECT) {
2610             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2611             int count = ARRAY_SIZE(rect->times);
2612             struct timeval min, max;
2613 
2614             if (!timerisset(&rect->times[count - 1])) {
2615                 continue ;
2616             }
2617 
2618             max = rect->times[(rect->idx + count - 1) % count];
2619             qemu_timersub(tv, &max, &res);
2620 
2621             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2622                 rect->freq = 0;
2623                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2624                 memset(rect->times, 0, sizeof (rect->times));
2625                 continue ;
2626             }
2627 
2628             min = rect->times[rect->idx];
2629             max = rect->times[(rect->idx + count - 1) % count];
2630             qemu_timersub(&max, &min, &res);
2631 
2632             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2633             rect->freq /= count;
2634             rect->freq = 1. / rect->freq;
2635         }
2636     }
2637     return has_dirty;
2638 }
2639 
2640 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2641 {
2642     int i, j;
2643     double total = 0;
2644     int num = 0;
2645 
2646     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2647     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2648 
2649     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2650         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2651             total += vnc_stat_rect(vs->vd, i, j)->freq;
2652             num++;
2653         }
2654     }
2655 
2656     if (num) {
2657         return total / num;
2658     } else {
2659         return 0;
2660     }
2661 }
2662 
2663 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2664 {
2665     VncRectStat *rect;
2666 
2667     rect = vnc_stat_rect(vd, x, y);
2668     if (rect->updated) {
2669         return ;
2670     }
2671     rect->times[rect->idx] = *tv;
2672     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2673     rect->updated = true;
2674 }
2675 
2676 static int vnc_refresh_server_surface(VncDisplay *vd)
2677 {
2678     int width = MIN(pixman_image_get_width(vd->guest.fb),
2679                     pixman_image_get_width(vd->server));
2680     int height = MIN(pixman_image_get_height(vd->guest.fb),
2681                      pixman_image_get_height(vd->server));
2682     int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
2683     uint8_t *guest_row0 = NULL, *server_row0;
2684     VncState *vs;
2685     int has_dirty = 0;
2686     pixman_image_t *tmpbuf = NULL;
2687 
2688     struct timeval tv = { 0, 0 };
2689 
2690     if (!vd->non_adaptive) {
2691         gettimeofday(&tv, NULL);
2692         has_dirty = vnc_update_stats(vd, &tv);
2693     }
2694 
2695     /*
2696      * Walk through the guest dirty map.
2697      * Check and copy modified bits from guest to server surface.
2698      * Update server dirty map.
2699      */
2700     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2701     server_stride = guest_stride = pixman_image_get_stride(vd->server);
2702     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2703                     server_stride);
2704     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2705         int width = pixman_image_get_width(vd->server);
2706         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2707     } else {
2708         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2709         guest_stride = pixman_image_get_stride(vd->guest.fb);
2710     }
2711     min_stride = MIN(server_stride, guest_stride);
2712 
2713     for (;;) {
2714         int x;
2715         uint8_t *guest_ptr, *server_ptr;
2716         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2717                                              height * VNC_DIRTY_BPL(&vd->guest),
2718                                              y * VNC_DIRTY_BPL(&vd->guest));
2719         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2720             /* no more dirty bits */
2721             break;
2722         }
2723         y = offset / VNC_DIRTY_BPL(&vd->guest);
2724         x = offset % VNC_DIRTY_BPL(&vd->guest);
2725 
2726         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2727 
2728         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2729             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2730             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2731         } else {
2732             guest_ptr = guest_row0 + y * guest_stride;
2733         }
2734         guest_ptr += x * cmp_bytes;
2735 
2736         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2737              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2738             int _cmp_bytes = cmp_bytes;
2739             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2740                 continue;
2741             }
2742             if ((x + 1) * cmp_bytes > min_stride) {
2743                 _cmp_bytes = min_stride - x * cmp_bytes;
2744             }
2745             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2746                 continue;
2747             }
2748             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2749             if (!vd->non_adaptive) {
2750                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2751                                  y, &tv);
2752             }
2753             QTAILQ_FOREACH(vs, &vd->clients, next) {
2754                 set_bit(x, vs->dirty[y]);
2755             }
2756             has_dirty++;
2757         }
2758 
2759         y++;
2760     }
2761     qemu_pixman_image_unref(tmpbuf);
2762     return has_dirty;
2763 }
2764 
2765 static void vnc_refresh(DisplayChangeListener *dcl)
2766 {
2767     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2768     VncState *vs, *vn;
2769     int has_dirty, rects = 0;
2770 
2771     graphic_hw_update(NULL);
2772 
2773     if (vnc_trylock_display(vd)) {
2774         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2775         return;
2776     }
2777 
2778     has_dirty = vnc_refresh_server_surface(vd);
2779     vnc_unlock_display(vd);
2780 
2781     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2782         rects += vnc_update_client(vs, has_dirty, false);
2783         /* vs might be free()ed here */
2784     }
2785 
2786     if (QTAILQ_EMPTY(&vd->clients)) {
2787         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2788         return;
2789     }
2790 
2791     if (has_dirty && rects) {
2792         vd->dcl.update_interval /= 2;
2793         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2794             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2795         }
2796     } else {
2797         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2798         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2799             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2800         }
2801     }
2802 }
2803 
2804 static void vnc_connect(VncDisplay *vd, int csock,
2805                         bool skipauth, bool websocket)
2806 {
2807     VncState *vs = g_malloc0(sizeof(VncState));
2808     int i;
2809 
2810     vs->csock = csock;
2811 
2812     if (skipauth) {
2813 	vs->auth = VNC_AUTH_NONE;
2814 #ifdef CONFIG_VNC_TLS
2815 	vs->subauth = VNC_AUTH_INVALID;
2816 #endif
2817     } else {
2818 	vs->auth = vd->auth;
2819 #ifdef CONFIG_VNC_TLS
2820 	vs->subauth = vd->subauth;
2821 #endif
2822     }
2823 
2824     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2825     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2826         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2827     }
2828 
2829     VNC_DEBUG("New client on socket %d\n", csock);
2830     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2831     qemu_set_nonblock(vs->csock);
2832 #ifdef CONFIG_VNC_WS
2833     if (websocket) {
2834         vs->websocket = 1;
2835 #ifdef CONFIG_VNC_TLS
2836         if (vd->tls.x509cert) {
2837             qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_peek,
2838                                  NULL, vs);
2839         } else
2840 #endif /* CONFIG_VNC_TLS */
2841         {
2842             qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read,
2843                                  NULL, vs);
2844         }
2845     } else
2846 #endif /* CONFIG_VNC_WS */
2847     {
2848         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2849     }
2850 
2851     vnc_client_cache_addr(vs);
2852     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
2853     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2854 
2855     vs->vd = vd;
2856 
2857 #ifdef CONFIG_VNC_WS
2858     if (!vs->websocket)
2859 #endif
2860     {
2861         vnc_init_state(vs);
2862     }
2863 }
2864 
2865 void vnc_init_state(VncState *vs)
2866 {
2867     vs->initialized = true;
2868     VncDisplay *vd = vs->vd;
2869 
2870     vs->last_x = -1;
2871     vs->last_y = -1;
2872 
2873     vs->as.freq = 44100;
2874     vs->as.nchannels = 2;
2875     vs->as.fmt = AUD_FMT_S16;
2876     vs->as.endianness = 0;
2877 
2878     qemu_mutex_init(&vs->output_mutex);
2879     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
2880 
2881     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2882 
2883     graphic_hw_update(NULL);
2884 
2885     vnc_write(vs, "RFB 003.008\n", 12);
2886     vnc_flush(vs);
2887     vnc_read_when(vs, protocol_version, 12);
2888     reset_keys(vs);
2889     if (vs->vd->lock_key_sync)
2890         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2891 
2892     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2893     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2894 
2895     /* vs might be free()ed here */
2896 }
2897 
2898 static void vnc_listen_read(void *opaque, bool websocket)
2899 {
2900     VncDisplay *vs = opaque;
2901     struct sockaddr_in addr;
2902     socklen_t addrlen = sizeof(addr);
2903     int csock;
2904 
2905     /* Catch-up */
2906     graphic_hw_update(NULL);
2907 #ifdef CONFIG_VNC_WS
2908     if (websocket) {
2909         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
2910     } else
2911 #endif /* CONFIG_VNC_WS */
2912     {
2913         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2914     }
2915 
2916     if (csock != -1) {
2917         vnc_connect(vs, csock, false, websocket);
2918     }
2919 }
2920 
2921 static void vnc_listen_regular_read(void *opaque)
2922 {
2923     vnc_listen_read(opaque, false);
2924 }
2925 
2926 #ifdef CONFIG_VNC_WS
2927 static void vnc_listen_websocket_read(void *opaque)
2928 {
2929     vnc_listen_read(opaque, true);
2930 }
2931 #endif /* CONFIG_VNC_WS */
2932 
2933 static const DisplayChangeListenerOps dcl_ops = {
2934     .dpy_name          = "vnc",
2935     .dpy_refresh       = vnc_refresh,
2936     .dpy_gfx_copy      = vnc_dpy_copy,
2937     .dpy_gfx_update    = vnc_dpy_update,
2938     .dpy_gfx_switch    = vnc_dpy_switch,
2939     .dpy_mouse_set     = vnc_mouse_set,
2940     .dpy_cursor_define = vnc_dpy_cursor_define,
2941 };
2942 
2943 void vnc_display_init(DisplayState *ds)
2944 {
2945     VncDisplay *vs = g_malloc0(sizeof(*vs));
2946 
2947     vnc_display = vs;
2948 
2949     vs->lsock = -1;
2950 #ifdef CONFIG_VNC_WS
2951     vs->lwebsock = -1;
2952 #endif
2953 
2954     QTAILQ_INIT(&vs->clients);
2955     vs->expires = TIME_MAX;
2956 
2957     if (keyboard_layout) {
2958         trace_vnc_key_map_init(keyboard_layout);
2959         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2960     } else {
2961         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2962     }
2963 
2964     if (!vs->kbd_layout)
2965         exit(1);
2966 
2967     qemu_mutex_init(&vs->mutex);
2968     vnc_start_worker_thread();
2969 
2970     vs->dcl.ops = &dcl_ops;
2971     register_displaychangelistener(&vs->dcl);
2972 }
2973 
2974 
2975 static void vnc_display_close(DisplayState *ds)
2976 {
2977     VncDisplay *vs = vnc_display;
2978 
2979     if (!vs)
2980         return;
2981     g_free(vs->display);
2982     vs->display = NULL;
2983     if (vs->lsock != -1) {
2984         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2985         close(vs->lsock);
2986         vs->lsock = -1;
2987     }
2988 #ifdef CONFIG_VNC_WS
2989     g_free(vs->ws_display);
2990     vs->ws_display = NULL;
2991     if (vs->lwebsock != -1) {
2992         qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
2993         close(vs->lwebsock);
2994         vs->lwebsock = -1;
2995     }
2996 #endif /* CONFIG_VNC_WS */
2997     vs->auth = VNC_AUTH_INVALID;
2998 #ifdef CONFIG_VNC_TLS
2999     vs->subauth = VNC_AUTH_INVALID;
3000     vs->tls.x509verify = 0;
3001 #endif
3002 }
3003 
3004 int vnc_display_password(DisplayState *ds, const char *password)
3005 {
3006     VncDisplay *vs = vnc_display;
3007 
3008     if (!vs) {
3009         return -EINVAL;
3010     }
3011     if (vs->auth == VNC_AUTH_NONE) {
3012         error_printf_unless_qmp("If you want use passwords please enable "
3013                                 "password auth using '-vnc ${dpy},password'.");
3014         return -EINVAL;
3015     }
3016 
3017     g_free(vs->password);
3018     vs->password = g_strdup(password);
3019 
3020     return 0;
3021 }
3022 
3023 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
3024 {
3025     VncDisplay *vs = vnc_display;
3026 
3027     if (!vs) {
3028         return -EINVAL;
3029     }
3030 
3031     vs->expires = expires;
3032     return 0;
3033 }
3034 
3035 char *vnc_display_local_addr(DisplayState *ds)
3036 {
3037     VncDisplay *vs = vnc_display;
3038 
3039     return vnc_socket_local_addr("%s:%s", vs->lsock);
3040 }
3041 
3042 void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
3043 {
3044     VncDisplay *vs = vnc_display;
3045     const char *options;
3046     int password = 0;
3047     int reverse = 0;
3048 #ifdef CONFIG_VNC_TLS
3049     int tls = 0, x509 = 0;
3050 #endif
3051 #ifdef CONFIG_VNC_SASL
3052     int sasl = 0;
3053     int saslErr;
3054 #endif
3055 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3056     int acl = 0;
3057 #endif
3058     int lock_key_sync = 1;
3059 
3060     if (!vnc_display) {
3061         error_setg(errp, "VNC display not active");
3062         return;
3063     }
3064     vnc_display_close(ds);
3065     if (strcmp(display, "none") == 0)
3066         return;
3067 
3068     vs->display = g_strdup(display);
3069     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3070 
3071     options = display;
3072     while ((options = strchr(options, ','))) {
3073         options++;
3074         if (strncmp(options, "password", 8) == 0) {
3075             if (fips_get_state()) {
3076                 error_setg(errp,
3077                            "VNC password auth disabled due to FIPS mode, "
3078                            "consider using the VeNCrypt or SASL authentication "
3079                            "methods as an alternative");
3080                 goto fail;
3081             }
3082             password = 1; /* Require password auth */
3083         } else if (strncmp(options, "reverse", 7) == 0) {
3084             reverse = 1;
3085         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
3086             lock_key_sync = 0;
3087 #ifdef CONFIG_VNC_SASL
3088         } else if (strncmp(options, "sasl", 4) == 0) {
3089             sasl = 1; /* Require SASL auth */
3090 #endif
3091 #ifdef CONFIG_VNC_WS
3092         } else if (strncmp(options, "websocket", 9) == 0) {
3093             char *start, *end;
3094             vs->websocket = 1;
3095 
3096             /* Check for 'websocket=<port>' */
3097             start = strchr(options, '=');
3098             end = strchr(options, ',');
3099             if (start && (!end || (start < end))) {
3100                 int len = end ? end-(start+1) : strlen(start+1);
3101                 if (len < 6) {
3102                     /* extract the host specification from display */
3103                     char  *host = NULL, *port = NULL, *host_end = NULL;
3104                     port = g_strndup(start + 1, len);
3105 
3106                     /* ipv6 hosts have colons */
3107                     end = strchr(display, ',');
3108                     host_end = g_strrstr_len(display, end - display, ":");
3109 
3110                     if (host_end) {
3111                         host = g_strndup(display, host_end - display + 1);
3112                     } else {
3113                         host = g_strndup(":", 1);
3114                     }
3115                     vs->ws_display = g_strconcat(host, port, NULL);
3116                     g_free(host);
3117                     g_free(port);
3118                 }
3119             }
3120 #endif /* CONFIG_VNC_WS */
3121 #ifdef CONFIG_VNC_TLS
3122         } else if (strncmp(options, "tls", 3) == 0) {
3123             tls = 1; /* Require TLS */
3124         } else if (strncmp(options, "x509", 4) == 0) {
3125             char *start, *end;
3126             x509 = 1; /* Require x509 certificates */
3127             if (strncmp(options, "x509verify", 10) == 0)
3128                 vs->tls.x509verify = 1; /* ...and verify client certs */
3129 
3130             /* Now check for 'x509=/some/path' postfix
3131              * and use that to setup x509 certificate/key paths */
3132             start = strchr(options, '=');
3133             end = strchr(options, ',');
3134             if (start && (!end || (start < end))) {
3135                 int len = end ? end-(start+1) : strlen(start+1);
3136                 char *path = g_strndup(start + 1, len);
3137 
3138                 VNC_DEBUG("Trying certificate path '%s'\n", path);
3139                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
3140                     error_setg(errp, "Failed to find x509 certificates/keys in %s", path);
3141                     g_free(path);
3142                     goto fail;
3143                 }
3144                 g_free(path);
3145             } else {
3146                 error_setg(errp, "No certificate path provided");
3147                 goto fail;
3148             }
3149 #endif
3150 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3151         } else if (strncmp(options, "acl", 3) == 0) {
3152             acl = 1;
3153 #endif
3154         } else if (strncmp(options, "lossy", 5) == 0) {
3155 #ifdef CONFIG_VNC_JPEG
3156             vs->lossy = true;
3157 #endif
3158         } else if (strncmp(options, "non-adaptive", 12) == 0) {
3159             vs->non_adaptive = true;
3160         } else if (strncmp(options, "share=", 6) == 0) {
3161             if (strncmp(options+6, "ignore", 6) == 0) {
3162                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3163             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
3164                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3165             } else if (strncmp(options+6, "force-shared", 12) == 0) {
3166                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3167             } else {
3168                 error_setg(errp, "unknown vnc share= option");
3169                 goto fail;
3170             }
3171         }
3172     }
3173 
3174     /* adaptive updates are only used with tight encoding and
3175      * if lossy updates are enabled so we can disable all the
3176      * calculations otherwise */
3177     if (!vs->lossy) {
3178         vs->non_adaptive = true;
3179     }
3180 
3181 #ifdef CONFIG_VNC_TLS
3182     if (acl && x509 && vs->tls.x509verify) {
3183         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
3184             fprintf(stderr, "Failed to create x509 dname ACL\n");
3185             exit(1);
3186         }
3187     }
3188 #endif
3189 #ifdef CONFIG_VNC_SASL
3190     if (acl && sasl) {
3191         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
3192             fprintf(stderr, "Failed to create username ACL\n");
3193             exit(1);
3194         }
3195     }
3196 #endif
3197 
3198     /*
3199      * Combinations we support here:
3200      *
3201      *  - no-auth                (clear text, no auth)
3202      *  - password               (clear text, weak auth)
3203      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
3204      *  - tls                    (encrypt, weak anonymous creds, no auth)
3205      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
3206      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
3207      *  - tls + x509             (encrypt, good x509 creds, no auth)
3208      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
3209      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
3210      *
3211      * NB1. TLS is a stackable auth scheme.
3212      * NB2. the x509 schemes have option to validate a client cert dname
3213      */
3214     if (password) {
3215 #ifdef CONFIG_VNC_TLS
3216         if (tls) {
3217             vs->auth = VNC_AUTH_VENCRYPT;
3218             if (x509) {
3219                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3220                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3221             } else {
3222                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3223                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3224             }
3225         } else {
3226 #endif /* CONFIG_VNC_TLS */
3227             VNC_DEBUG("Initializing VNC server with password auth\n");
3228             vs->auth = VNC_AUTH_VNC;
3229 #ifdef CONFIG_VNC_TLS
3230             vs->subauth = VNC_AUTH_INVALID;
3231         }
3232 #endif /* CONFIG_VNC_TLS */
3233 #ifdef CONFIG_VNC_SASL
3234     } else if (sasl) {
3235 #ifdef CONFIG_VNC_TLS
3236         if (tls) {
3237             vs->auth = VNC_AUTH_VENCRYPT;
3238             if (x509) {
3239                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3240                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3241             } else {
3242                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3243                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3244             }
3245         } else {
3246 #endif /* CONFIG_VNC_TLS */
3247             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3248             vs->auth = VNC_AUTH_SASL;
3249 #ifdef CONFIG_VNC_TLS
3250             vs->subauth = VNC_AUTH_INVALID;
3251         }
3252 #endif /* CONFIG_VNC_TLS */
3253 #endif /* CONFIG_VNC_SASL */
3254     } else {
3255 #ifdef CONFIG_VNC_TLS
3256         if (tls) {
3257             vs->auth = VNC_AUTH_VENCRYPT;
3258             if (x509) {
3259                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3260                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3261             } else {
3262                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3263                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3264             }
3265         } else {
3266 #endif
3267             VNC_DEBUG("Initializing VNC server with no auth\n");
3268             vs->auth = VNC_AUTH_NONE;
3269 #ifdef CONFIG_VNC_TLS
3270             vs->subauth = VNC_AUTH_INVALID;
3271         }
3272 #endif
3273     }
3274 
3275 #ifdef CONFIG_VNC_SASL
3276     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3277         error_setg(errp, "Failed to initialize SASL auth: %s",
3278                    sasl_errstring(saslErr, NULL, NULL));
3279         goto fail;
3280     }
3281 #endif
3282     vs->lock_key_sync = lock_key_sync;
3283 
3284     if (reverse) {
3285         /* connect to viewer */
3286         int csock;
3287         vs->lsock = -1;
3288 #ifdef CONFIG_VNC_WS
3289         vs->lwebsock = -1;
3290 #endif
3291         if (strncmp(display, "unix:", 5) == 0) {
3292             csock = unix_connect(display+5, errp);
3293         } else {
3294             csock = inet_connect(display, errp);
3295         }
3296         if (csock < 0) {
3297             goto fail;
3298         }
3299         vnc_connect(vs, csock, false, false);
3300     } else {
3301         /* listen for connects */
3302         char *dpy;
3303         dpy = g_malloc(256);
3304         if (strncmp(display, "unix:", 5) == 0) {
3305             pstrcpy(dpy, 256, "unix:");
3306             vs->lsock = unix_listen(display+5, dpy+5, 256-5, errp);
3307         } else {
3308             vs->lsock = inet_listen(display, dpy, 256,
3309                                     SOCK_STREAM, 5900, errp);
3310             if (vs->lsock < 0) {
3311                 g_free(dpy);
3312                 goto fail;
3313             }
3314 #ifdef CONFIG_VNC_WS
3315             if (vs->websocket) {
3316                 if (vs->ws_display) {
3317                     vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
3318                         SOCK_STREAM, 0, errp);
3319                 } else {
3320                     vs->lwebsock = inet_listen(vs->display, NULL, 256,
3321                         SOCK_STREAM, 5700, errp);
3322                 }
3323 
3324                 if (vs->lwebsock < 0) {
3325                     if (vs->lsock) {
3326                         close(vs->lsock);
3327                         vs->lsock = -1;
3328                     }
3329                     g_free(dpy);
3330                     goto fail;
3331                 }
3332             }
3333 #endif /* CONFIG_VNC_WS */
3334         }
3335         g_free(vs->display);
3336         vs->display = dpy;
3337         qemu_set_fd_handler2(vs->lsock, NULL,
3338                 vnc_listen_regular_read, NULL, vs);
3339 #ifdef CONFIG_VNC_WS
3340         if (vs->websocket) {
3341             qemu_set_fd_handler2(vs->lwebsock, NULL,
3342                     vnc_listen_websocket_read, NULL, vs);
3343         }
3344 #endif /* CONFIG_VNC_WS */
3345     }
3346     return;
3347 
3348 fail:
3349     g_free(vs->display);
3350     vs->display = NULL;
3351 #ifdef CONFIG_VNC_WS
3352     g_free(vs->ws_display);
3353     vs->ws_display = NULL;
3354 #endif /* CONFIG_VNC_WS */
3355 }
3356 
3357 void vnc_display_add_client(DisplayState *ds, int csock, bool skipauth)
3358 {
3359     VncDisplay *vs = vnc_display;
3360 
3361     vnc_connect(vs, csock, skipauth, false);
3362 }
3363