xref: /openbmc/qemu/ui/vnc.c (revision 633487df)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscreds.h"
49 #include "crypto/tlscredsanon.h"
50 #include "crypto/tlscredsx509.h"
51 #include "crypto/random.h"
52 #include "crypto/secret_common.h"
53 #include "qom/object_interfaces.h"
54 #include "qemu/cutils.h"
55 #include "qemu/help_option.h"
56 #include "io/dns-resolver.h"
57 #include "monitor/monitor.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->auth = g_strdup(vnc_auth_name(vd));
248     if (err) {
249         qapi_free_VncServerInfo(info);
250         info = NULL;
251         error_free(err);
252     }
253     return info;
254 }
255 
256 static void vnc_client_cache_auth(VncState *client)
257 {
258     if (!client->info) {
259         return;
260     }
261 
262     if (client->tls) {
263         client->info->x509_dname =
264             qcrypto_tls_session_get_peer_name(client->tls);
265     }
266 #ifdef CONFIG_VNC_SASL
267     if (client->sasl.conn &&
268         client->sasl.username) {
269         client->info->sasl_username = g_strdup(client->sasl.username);
270     }
271 #endif
272 }
273 
274 static void vnc_client_cache_addr(VncState *client)
275 {
276     Error *err = NULL;
277 
278     client->info = g_malloc0(sizeof(*client->info));
279     vnc_init_basic_info_from_remote_addr(client->sioc,
280                                          qapi_VncClientInfo_base(client->info),
281                                          &err);
282     client->info->websocket = client->websocket;
283     if (err) {
284         qapi_free_VncClientInfo(client->info);
285         client->info = NULL;
286         error_free(err);
287     }
288 }
289 
290 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
291 {
292     VncServerInfo *si;
293 
294     if (!vs->info) {
295         return;
296     }
297 
298     si = vnc_server_info_get(vs->vd);
299     if (!si) {
300         return;
301     }
302 
303     switch (event) {
304     case QAPI_EVENT_VNC_CONNECTED:
305         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
306         break;
307     case QAPI_EVENT_VNC_INITIALIZED:
308         qapi_event_send_vnc_initialized(si, vs->info);
309         break;
310     case QAPI_EVENT_VNC_DISCONNECTED:
311         qapi_event_send_vnc_disconnected(si, vs->info);
312         break;
313     default:
314         break;
315     }
316 
317     qapi_free_VncServerInfo(si);
318 }
319 
320 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
321 {
322     VncClientInfo *info;
323     Error *err = NULL;
324 
325     info = g_malloc0(sizeof(*info));
326 
327     vnc_init_basic_info_from_remote_addr(client->sioc,
328                                          qapi_VncClientInfo_base(info),
329                                          &err);
330     if (err) {
331         error_free(err);
332         qapi_free_VncClientInfo(info);
333         return NULL;
334     }
335 
336     info->websocket = client->websocket;
337 
338     if (client->tls) {
339         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->sasl_username = g_strdup(client->sasl.username);
344     }
345 #endif
346 
347     return info;
348 }
349 
350 static VncDisplay *vnc_display_find(const char *id)
351 {
352     VncDisplay *vd;
353 
354     if (id == NULL) {
355         return QTAILQ_FIRST(&vnc_displays);
356     }
357     QTAILQ_FOREACH(vd, &vnc_displays, next) {
358         if (strcmp(id, vd->id) == 0) {
359             return vd;
360         }
361     }
362     return NULL;
363 }
364 
365 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
366 {
367     VncClientInfoList *prev = NULL;
368     VncState *client;
369 
370     QTAILQ_FOREACH(client, &vd->clients, next) {
371         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
372     }
373     return prev;
374 }
375 
376 VncInfo *qmp_query_vnc(Error **errp)
377 {
378     VncInfo *info = g_malloc0(sizeof(*info));
379     VncDisplay *vd = vnc_display_find(NULL);
380     SocketAddress *addr = NULL;
381 
382     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
383         info->enabled = false;
384     } else {
385         info->enabled = true;
386 
387         /* for compatibility with the original command */
388         info->has_clients = true;
389         info->clients = qmp_query_client_list(vd);
390 
391         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
392                                                     errp);
393         if (!addr) {
394             goto out_error;
395         }
396 
397         switch (addr->type) {
398         case SOCKET_ADDRESS_TYPE_INET:
399             info->host = g_strdup(addr->u.inet.host);
400             info->service = g_strdup(addr->u.inet.port);
401             if (addr->u.inet.ipv6) {
402                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
403             } else {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
405             }
406             break;
407 
408         case SOCKET_ADDRESS_TYPE_UNIX:
409             info->host = g_strdup("");
410             info->service = g_strdup(addr->u.q_unix.path);
411             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_VSOCK:
415         case SOCKET_ADDRESS_TYPE_FD:
416             error_setg(errp, "Unsupported socket address type %s",
417                        SocketAddressType_str(addr->type));
418             goto out_error;
419         default:
420             abort();
421         }
422 
423         info->has_family = true;
424 
425         info->auth = g_strdup(vnc_auth_name(vd));
426     }
427 
428     qapi_free_SocketAddress(addr);
429     return info;
430 
431 out_error:
432     qapi_free_SocketAddress(addr);
433     qapi_free_VncInfo(info);
434     return NULL;
435 }
436 
437 
438 static void qmp_query_auth(int auth, int subauth,
439                            VncPrimaryAuth *qmp_auth,
440                            VncVencryptSubAuth *qmp_vencrypt,
441                            bool *qmp_has_vencrypt);
442 
443 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
444                                                   bool websocket,
445                                                   int auth,
446                                                   int subauth,
447                                                   VncServerInfo2List *prev)
448 {
449     VncServerInfo2 *info;
450     Error *err = NULL;
451     SocketAddress *addr;
452 
453     addr = qio_channel_socket_get_local_address(ioc, NULL);
454     if (!addr) {
455         return prev;
456     }
457 
458     info = g_new0(VncServerInfo2, 1);
459     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
460     qapi_free_SocketAddress(addr);
461     if (err) {
462         qapi_free_VncServerInfo2(info);
463         error_free(err);
464         return prev;
465     }
466     info->websocket = websocket;
467 
468     qmp_query_auth(auth, subauth, &info->auth,
469                    &info->vencrypt, &info->has_vencrypt);
470 
471     QAPI_LIST_PREPEND(prev, info);
472     return prev;
473 }
474 
475 static void qmp_query_auth(int auth, int subauth,
476                            VncPrimaryAuth *qmp_auth,
477                            VncVencryptSubAuth *qmp_vencrypt,
478                            bool *qmp_has_vencrypt)
479 {
480     switch (auth) {
481     case VNC_AUTH_VNC:
482         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
483         break;
484     case VNC_AUTH_RA2:
485         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
486         break;
487     case VNC_AUTH_RA2NE:
488         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
489         break;
490     case VNC_AUTH_TIGHT:
491         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
492         break;
493     case VNC_AUTH_ULTRA:
494         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
495         break;
496     case VNC_AUTH_TLS:
497         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
498         break;
499     case VNC_AUTH_VENCRYPT:
500         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
501         *qmp_has_vencrypt = true;
502         switch (subauth) {
503         case VNC_AUTH_VENCRYPT_PLAIN:
504             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
505             break;
506         case VNC_AUTH_VENCRYPT_TLSNONE:
507             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
508             break;
509         case VNC_AUTH_VENCRYPT_TLSVNC:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSPLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_X509NONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_X509VNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_X509PLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_TLSSASL:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
526             break;
527         case VNC_AUTH_VENCRYPT_X509SASL:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
529             break;
530         default:
531             *qmp_has_vencrypt = false;
532             break;
533         }
534         break;
535     case VNC_AUTH_SASL:
536         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
537         break;
538     case VNC_AUTH_NONE:
539     default:
540         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
541         break;
542     }
543 }
544 
545 VncInfo2List *qmp_query_vnc_servers(Error **errp)
546 {
547     VncInfo2List *prev = NULL;
548     VncInfo2 *info;
549     VncDisplay *vd;
550     DeviceState *dev;
551     size_t i;
552 
553     QTAILQ_FOREACH(vd, &vnc_displays, next) {
554         info = g_new0(VncInfo2, 1);
555         info->id = g_strdup(vd->id);
556         info->clients = qmp_query_client_list(vd);
557         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
558                        &info->vencrypt, &info->has_vencrypt);
559         if (vd->dcl.con) {
560             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
561                                                   "device", &error_abort));
562             info->display = g_strdup(dev->id);
563         }
564         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
565             info->server = qmp_query_server_entry(
566                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
567                 info->server);
568         }
569         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
570             info->server = qmp_query_server_entry(
571                 vd->wslistener->sioc[i], true, vd->ws_auth,
572                 vd->ws_subauth, info->server);
573         }
574 
575         QAPI_LIST_PREPEND(prev, info);
576     }
577     return prev;
578 }
579 
580 bool vnc_display_reload_certs(const char *id, Error **errp)
581 {
582     VncDisplay *vd = vnc_display_find(id);
583     QCryptoTLSCredsClass *creds = NULL;
584 
585     if (!vd) {
586         error_setg(errp, "Can not find vnc display");
587         return false;
588     }
589 
590     if (!vd->tlscreds) {
591         error_setg(errp, "vnc tls is not enabled");
592         return false;
593     }
594 
595     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
596     if (creds->reload == NULL) {
597         error_setg(errp, "%s doesn't support to reload TLS credential",
598                    object_get_typename(OBJECT(vd->tlscreds)));
599         return false;
600     }
601     if (!creds->reload(vd->tlscreds, errp)) {
602         return false;
603     }
604 
605     return true;
606 }
607 
608 /* TODO
609    1) Get the queue working for IO.
610    2) there is some weirdness when using the -S option (the screen is grey
611       and not totally invalidated
612    3) resolutions > 1024
613 */
614 
615 static int vnc_update_client(VncState *vs, int has_dirty);
616 static void vnc_disconnect_start(VncState *vs);
617 
618 static void vnc_colordepth(VncState *vs);
619 static void framebuffer_update_request(VncState *vs, int incremental,
620                                        int x_position, int y_position,
621                                        int w, int h);
622 static void vnc_refresh(DisplayChangeListener *dcl);
623 static int vnc_refresh_server_surface(VncDisplay *vd);
624 
625 static int vnc_width(VncDisplay *vd)
626 {
627     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
628                                        VNC_DIRTY_PIXELS_PER_BIT));
629 }
630 
631 static int vnc_true_width(VncDisplay *vd)
632 {
633     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
634 }
635 
636 static int vnc_height(VncDisplay *vd)
637 {
638     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
639 }
640 
641 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
642                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
643                                VncDisplay *vd,
644                                int x, int y, int w, int h)
645 {
646     int width = vnc_width(vd);
647     int height = vnc_height(vd);
648 
649     /* this is needed this to ensure we updated all affected
650      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
651     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
652     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
653 
654     x = MIN(x, width);
655     y = MIN(y, height);
656     w = MIN(x + w, width) - x;
657     h = MIN(y + h, height);
658 
659     for (; y < h; y++) {
660         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
661                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
662     }
663 }
664 
665 static void vnc_dpy_update(DisplayChangeListener *dcl,
666                            int x, int y, int w, int h)
667 {
668     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
669     struct VncSurface *s = &vd->guest;
670 
671     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
672 }
673 
674 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
675                             int32_t encoding)
676 {
677     vnc_write_u16(vs, x);
678     vnc_write_u16(vs, y);
679     vnc_write_u16(vs, w);
680     vnc_write_u16(vs, h);
681 
682     vnc_write_s32(vs, encoding);
683 }
684 
685 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
686 {
687     trace_vnc_msg_server_ext_desktop_resize(
688         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
689 
690     vnc_lock_output(vs);
691     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
692     vnc_write_u8(vs, 0);
693     vnc_write_u16(vs, 1); /* number of rects */
694     vnc_framebuffer_update(vs,
695                            reject_reason ? 1 : 0,
696                            reject_reason,
697                            vs->client_width, vs->client_height,
698                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
699     vnc_write_u8(vs, 1);  /* number of screens */
700     vnc_write_u8(vs, 0);  /* padding */
701     vnc_write_u8(vs, 0);  /* padding */
702     vnc_write_u8(vs, 0);  /* padding */
703     vnc_write_u32(vs, 0); /* screen id */
704     vnc_write_u16(vs, 0); /* screen x-pos */
705     vnc_write_u16(vs, 0); /* screen y-pos */
706     vnc_write_u16(vs, vs->client_width);
707     vnc_write_u16(vs, vs->client_height);
708     vnc_write_u32(vs, 0); /* screen flags */
709     vnc_unlock_output(vs);
710     vnc_flush(vs);
711 }
712 
713 static void vnc_desktop_resize(VncState *vs)
714 {
715     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
716                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
717         return;
718     }
719     if (vs->client_width == vs->vd->true_width &&
720         vs->client_height == pixman_image_get_height(vs->vd->server)) {
721         return;
722     }
723 
724     assert(vs->vd->true_width < 65536 &&
725            vs->vd->true_width >= 0);
726     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
727            pixman_image_get_height(vs->vd->server) >= 0);
728     vs->client_width = vs->vd->true_width;
729     vs->client_height = pixman_image_get_height(vs->vd->server);
730 
731     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
732         vnc_desktop_resize_ext(vs, 0);
733         return;
734     }
735 
736     trace_vnc_msg_server_desktop_resize(
737         vs, vs->ioc, vs->client_width, vs->client_height);
738 
739     vnc_lock_output(vs);
740     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
741     vnc_write_u8(vs, 0);
742     vnc_write_u16(vs, 1); /* number of rects */
743     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
744                            VNC_ENCODING_DESKTOPRESIZE);
745     vnc_unlock_output(vs);
746     vnc_flush(vs);
747 }
748 
749 static void vnc_abort_display_jobs(VncDisplay *vd)
750 {
751     VncState *vs;
752 
753     QTAILQ_FOREACH(vs, &vd->clients, next) {
754         vnc_lock_output(vs);
755         vs->abort = true;
756         vnc_unlock_output(vs);
757     }
758     QTAILQ_FOREACH(vs, &vd->clients, next) {
759         vnc_jobs_join(vs);
760     }
761     QTAILQ_FOREACH(vs, &vd->clients, next) {
762         vnc_lock_output(vs);
763         if (vs->update == VNC_STATE_UPDATE_NONE &&
764             vs->job_update != VNC_STATE_UPDATE_NONE) {
765             /* job aborted before completion */
766             vs->update = vs->job_update;
767             vs->job_update = VNC_STATE_UPDATE_NONE;
768         }
769         vs->abort = false;
770         vnc_unlock_output(vs);
771     }
772 }
773 
774 int vnc_server_fb_stride(VncDisplay *vd)
775 {
776     return pixman_image_get_stride(vd->server);
777 }
778 
779 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
780 {
781     uint8_t *ptr;
782 
783     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
784     ptr += y * vnc_server_fb_stride(vd);
785     ptr += x * VNC_SERVER_FB_BYTES;
786     return ptr;
787 }
788 
789 static void vnc_update_server_surface(VncDisplay *vd)
790 {
791     int width, height;
792 
793     qemu_pixman_image_unref(vd->server);
794     vd->server = NULL;
795 
796     if (QTAILQ_EMPTY(&vd->clients)) {
797         return;
798     }
799 
800     width = vnc_width(vd);
801     height = vnc_height(vd);
802     vd->true_width = vnc_true_width(vd);
803     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
804                                           width, height,
805                                           NULL, 0);
806 
807     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
808     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
809                        width, height);
810 }
811 
812 static bool vnc_check_pageflip(DisplaySurface *s1,
813                                DisplaySurface *s2)
814 {
815     return (s1 != NULL &&
816             s2 != NULL &&
817             surface_width(s1) == surface_width(s2) &&
818             surface_height(s1) == surface_height(s2) &&
819             surface_format(s1) == surface_format(s2));
820 
821 }
822 
823 static void vnc_dpy_switch(DisplayChangeListener *dcl,
824                            DisplaySurface *surface)
825 {
826     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
827     bool pageflip = vnc_check_pageflip(vd->ds, surface);
828     VncState *vs;
829 
830     vnc_abort_display_jobs(vd);
831     vd->ds = surface;
832 
833     /* guest surface */
834     qemu_pixman_image_unref(vd->guest.fb);
835     vd->guest.fb = pixman_image_ref(surface->image);
836     vd->guest.format = surface_format(surface);
837 
838 
839     if (pageflip) {
840         trace_vnc_server_dpy_pageflip(vd,
841                                       surface_width(surface),
842                                       surface_height(surface),
843                                       surface_format(surface));
844         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
845                            surface_width(surface),
846                            surface_height(surface));
847         return;
848     }
849 
850     trace_vnc_server_dpy_recreate(vd,
851                                   surface_width(surface),
852                                   surface_height(surface),
853                                   surface_format(surface));
854     /* server surface */
855     vnc_update_server_surface(vd);
856 
857     QTAILQ_FOREACH(vs, &vd->clients, next) {
858         vnc_colordepth(vs);
859         vnc_desktop_resize(vs);
860         vnc_cursor_define(vs);
861         memset(vs->dirty, 0x00, sizeof(vs->dirty));
862         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
863                            vnc_width(vd),
864                            vnc_height(vd));
865         vnc_update_throttle_offset(vs);
866     }
867 }
868 
869 /* fastest code */
870 static void vnc_write_pixels_copy(VncState *vs,
871                                   void *pixels, int size)
872 {
873     vnc_write(vs, pixels, size);
874 }
875 
876 /* slowest but generic code. */
877 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
878 {
879     uint8_t r, g, b;
880 
881 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
882     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
883     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
884     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
885 #else
886 # error need some bits here if you change VNC_SERVER_FB_FORMAT
887 #endif
888     v = (r << vs->client_pf.rshift) |
889         (g << vs->client_pf.gshift) |
890         (b << vs->client_pf.bshift);
891     switch (vs->client_pf.bytes_per_pixel) {
892     case 1:
893         buf[0] = v;
894         break;
895     case 2:
896         if (vs->client_be) {
897             buf[0] = v >> 8;
898             buf[1] = v;
899         } else {
900             buf[1] = v >> 8;
901             buf[0] = v;
902         }
903         break;
904     default:
905     case 4:
906         if (vs->client_be) {
907             buf[0] = v >> 24;
908             buf[1] = v >> 16;
909             buf[2] = v >> 8;
910             buf[3] = v;
911         } else {
912             buf[3] = v >> 24;
913             buf[2] = v >> 16;
914             buf[1] = v >> 8;
915             buf[0] = v;
916         }
917         break;
918     }
919 }
920 
921 static void vnc_write_pixels_generic(VncState *vs,
922                                      void *pixels1, int size)
923 {
924     uint8_t buf[4];
925 
926     if (VNC_SERVER_FB_BYTES == 4) {
927         uint32_t *pixels = pixels1;
928         int n, i;
929         n = size >> 2;
930         for (i = 0; i < n; i++) {
931             vnc_convert_pixel(vs, buf, pixels[i]);
932             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
933         }
934     }
935 }
936 
937 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
938 {
939     int i;
940     uint8_t *row;
941     VncDisplay *vd = vs->vd;
942 
943     row = vnc_server_fb_ptr(vd, x, y);
944     for (i = 0; i < h; i++) {
945         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
946         row += vnc_server_fb_stride(vd);
947     }
948     return 1;
949 }
950 
951 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
952 {
953     int n = 0;
954 
955     switch(vs->vnc_encoding) {
956         case VNC_ENCODING_ZLIB:
957             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
958             break;
959         case VNC_ENCODING_HEXTILE:
960             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
961             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
962             break;
963         case VNC_ENCODING_TIGHT:
964             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
965             break;
966         case VNC_ENCODING_TIGHT_PNG:
967             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_ZRLE:
970             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
971             break;
972         case VNC_ENCODING_ZYWRLE:
973             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
974             break;
975         default:
976             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
977             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
978             break;
979     }
980     return n;
981 }
982 
983 static void vnc_mouse_set(DisplayChangeListener *dcl,
984                           int x, int y, int visible)
985 {
986     /* can we ask the client(s) to move the pointer ??? */
987 }
988 
989 static int vnc_cursor_define(VncState *vs)
990 {
991     QEMUCursor *c = qemu_console_get_cursor(vs->vd->dcl.con);
992     int isize;
993 
994     if (!c) {
995         return -1;
996     }
997 
998     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
999         vnc_lock_output(vs);
1000         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1001         vnc_write_u8(vs,  0);  /*  padding     */
1002         vnc_write_u16(vs, 1);  /*  # of rects  */
1003         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1004                                VNC_ENCODING_ALPHA_CURSOR);
1005         vnc_write_s32(vs, VNC_ENCODING_RAW);
1006         vnc_write(vs, c->data, c->width * c->height * 4);
1007         vnc_unlock_output(vs);
1008         return 0;
1009     }
1010     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1011         vnc_lock_output(vs);
1012         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1013         vnc_write_u8(vs,  0);  /*  padding     */
1014         vnc_write_u16(vs, 1);  /*  # of rects  */
1015         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1016                                VNC_ENCODING_RICH_CURSOR);
1017         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1018         vnc_write_pixels_generic(vs, c->data, isize);
1019         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1020         vnc_unlock_output(vs);
1021         return 0;
1022     }
1023     return -1;
1024 }
1025 
1026 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1027                                   QEMUCursor *c)
1028 {
1029     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1030     VncState *vs;
1031 
1032     g_free(vd->cursor_mask);
1033     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1034     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1035     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1036 
1037     QTAILQ_FOREACH(vs, &vd->clients, next) {
1038         vnc_cursor_define(vs);
1039     }
1040 }
1041 
1042 static int find_and_clear_dirty_height(VncState *vs,
1043                                        int y, int last_x, int x, int height)
1044 {
1045     int h;
1046 
1047     for (h = 1; h < (height - y); h++) {
1048         if (!test_bit(last_x, vs->dirty[y + h])) {
1049             break;
1050         }
1051         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1052     }
1053 
1054     return h;
1055 }
1056 
1057 /*
1058  * Figure out how much pending data we should allow in the output
1059  * buffer before we throttle incremental display updates, and/or
1060  * drop audio samples.
1061  *
1062  * We allow for equiv of 1 full display's worth of FB updates,
1063  * and 1 second of audio samples. If audio backlog was larger
1064  * than that the client would already suffering awful audio
1065  * glitches, so dropping samples is no worse really).
1066  */
1067 static void vnc_update_throttle_offset(VncState *vs)
1068 {
1069     size_t offset =
1070         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1071 
1072     if (vs->audio_cap) {
1073         int bps;
1074         switch (vs->as.fmt) {
1075         default:
1076         case  AUDIO_FORMAT_U8:
1077         case  AUDIO_FORMAT_S8:
1078             bps = 1;
1079             break;
1080         case  AUDIO_FORMAT_U16:
1081         case  AUDIO_FORMAT_S16:
1082             bps = 2;
1083             break;
1084         case  AUDIO_FORMAT_U32:
1085         case  AUDIO_FORMAT_S32:
1086             bps = 4;
1087             break;
1088         }
1089         offset += vs->as.freq * bps * vs->as.nchannels;
1090     }
1091 
1092     /* Put a floor of 1MB on offset, so that if we have a large pending
1093      * buffer and the display is resized to a small size & back again
1094      * we don't suddenly apply a tiny send limit
1095      */
1096     offset = MAX(offset, 1024 * 1024);
1097 
1098     if (vs->throttle_output_offset != offset) {
1099         trace_vnc_client_throttle_threshold(
1100             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1101             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1102     }
1103 
1104     vs->throttle_output_offset = offset;
1105 }
1106 
1107 static bool vnc_should_update(VncState *vs)
1108 {
1109     switch (vs->update) {
1110     case VNC_STATE_UPDATE_NONE:
1111         break;
1112     case VNC_STATE_UPDATE_INCREMENTAL:
1113         /* Only allow incremental updates if the pending send queue
1114          * is less than the permitted threshold, and the job worker
1115          * is completely idle.
1116          */
1117         if (vs->output.offset < vs->throttle_output_offset &&
1118             vs->job_update == VNC_STATE_UPDATE_NONE) {
1119             return true;
1120         }
1121         trace_vnc_client_throttle_incremental(
1122             vs, vs->ioc, vs->job_update, vs->output.offset);
1123         break;
1124     case VNC_STATE_UPDATE_FORCE:
1125         /* Only allow forced updates if the pending send queue
1126          * does not contain a previous forced update, and the
1127          * job worker is completely idle.
1128          *
1129          * Note this means we'll queue a forced update, even if
1130          * the output buffer size is otherwise over the throttle
1131          * output limit.
1132          */
1133         if (vs->force_update_offset == 0 &&
1134             vs->job_update == VNC_STATE_UPDATE_NONE) {
1135             return true;
1136         }
1137         trace_vnc_client_throttle_forced(
1138             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1139         break;
1140     }
1141     return false;
1142 }
1143 
1144 static int vnc_update_client(VncState *vs, int has_dirty)
1145 {
1146     VncDisplay *vd = vs->vd;
1147     VncJob *job;
1148     int y;
1149     int height, width;
1150     int n = 0;
1151 
1152     if (vs->disconnecting) {
1153         vnc_disconnect_finish(vs);
1154         return 0;
1155     }
1156 
1157     vs->has_dirty += has_dirty;
1158     if (!vnc_should_update(vs)) {
1159         return 0;
1160     }
1161 
1162     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1163         return 0;
1164     }
1165 
1166     /*
1167      * Send screen updates to the vnc client using the server
1168      * surface and server dirty map.  guest surface updates
1169      * happening in parallel don't disturb us, the next pass will
1170      * send them to the client.
1171      */
1172     job = vnc_job_new(vs);
1173 
1174     height = pixman_image_get_height(vd->server);
1175     width = pixman_image_get_width(vd->server);
1176 
1177     y = 0;
1178     for (;;) {
1179         int x, h;
1180         unsigned long x2;
1181         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1182                                              height * VNC_DIRTY_BPL(vs),
1183                                              y * VNC_DIRTY_BPL(vs));
1184         if (offset == height * VNC_DIRTY_BPL(vs)) {
1185             /* no more dirty bits */
1186             break;
1187         }
1188         y = offset / VNC_DIRTY_BPL(vs);
1189         x = offset % VNC_DIRTY_BPL(vs);
1190         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1191                                 VNC_DIRTY_BPL(vs), x);
1192         bitmap_clear(vs->dirty[y], x, x2 - x);
1193         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1194         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1195         if (x2 > x) {
1196             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1197                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1198         }
1199         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1200             y += h;
1201             if (y == height) {
1202                 break;
1203             }
1204         }
1205     }
1206 
1207     vs->job_update = vs->update;
1208     vs->update = VNC_STATE_UPDATE_NONE;
1209     vnc_job_push(job);
1210     vs->has_dirty = 0;
1211     return n;
1212 }
1213 
1214 /* audio */
1215 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1216 {
1217     VncState *vs = opaque;
1218 
1219     assert(vs->magic == VNC_MAGIC);
1220     switch (cmd) {
1221     case AUD_CNOTIFY_DISABLE:
1222         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1223         vnc_lock_output(vs);
1224         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1225         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1226         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1227         vnc_unlock_output(vs);
1228         vnc_flush(vs);
1229         break;
1230 
1231     case AUD_CNOTIFY_ENABLE:
1232         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1233         vnc_lock_output(vs);
1234         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1235         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1236         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1237         vnc_unlock_output(vs);
1238         vnc_flush(vs);
1239         break;
1240     }
1241 }
1242 
1243 static void audio_capture_destroy(void *opaque)
1244 {
1245 }
1246 
1247 static void audio_capture(void *opaque, const void *buf, int size)
1248 {
1249     VncState *vs = opaque;
1250 
1251     assert(vs->magic == VNC_MAGIC);
1252     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1253     vnc_lock_output(vs);
1254     if (vs->output.offset < vs->throttle_output_offset) {
1255         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1256         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1257         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1258         vnc_write_u32(vs, size);
1259         vnc_write(vs, buf, size);
1260     } else {
1261         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1262     }
1263     vnc_unlock_output(vs);
1264     vnc_flush(vs);
1265 }
1266 
1267 static void audio_add(VncState *vs)
1268 {
1269     struct audio_capture_ops ops;
1270 
1271     if (vs->audio_cap) {
1272         error_report("audio already running");
1273         return;
1274     }
1275 
1276     ops.notify = audio_capture_notify;
1277     ops.destroy = audio_capture_destroy;
1278     ops.capture = audio_capture;
1279 
1280     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1281     if (!vs->audio_cap) {
1282         error_report("Failed to add audio capture");
1283     }
1284 }
1285 
1286 static void audio_del(VncState *vs)
1287 {
1288     if (vs->audio_cap) {
1289         AUD_del_capture(vs->audio_cap, vs);
1290         vs->audio_cap = NULL;
1291     }
1292 }
1293 
1294 static void vnc_disconnect_start(VncState *vs)
1295 {
1296     if (vs->disconnecting) {
1297         return;
1298     }
1299     trace_vnc_client_disconnect_start(vs, vs->ioc);
1300     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1301     if (vs->ioc_tag) {
1302         g_source_remove(vs->ioc_tag);
1303         vs->ioc_tag = 0;
1304     }
1305     qio_channel_close(vs->ioc, NULL);
1306     vs->disconnecting = TRUE;
1307 }
1308 
1309 void vnc_disconnect_finish(VncState *vs)
1310 {
1311     int i;
1312 
1313     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1314 
1315     vnc_jobs_join(vs); /* Wait encoding jobs */
1316 
1317     vnc_lock_output(vs);
1318     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1319 
1320     buffer_free(&vs->input);
1321     buffer_free(&vs->output);
1322 
1323     qapi_free_VncClientInfo(vs->info);
1324 
1325     vnc_zlib_clear(vs);
1326     vnc_tight_clear(vs);
1327     vnc_zrle_clear(vs);
1328 
1329 #ifdef CONFIG_VNC_SASL
1330     vnc_sasl_client_cleanup(vs);
1331 #endif /* CONFIG_VNC_SASL */
1332     audio_del(vs);
1333     qkbd_state_lift_all_keys(vs->vd->kbd);
1334 
1335     if (vs->mouse_mode_notifier.notify != NULL) {
1336         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1337     }
1338     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1339     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1340         /* last client gone */
1341         vnc_update_server_surface(vs->vd);
1342     }
1343     vnc_unlock_output(vs);
1344 
1345     if (vs->cbpeer.notifier.notify) {
1346         qemu_clipboard_peer_unregister(&vs->cbpeer);
1347     }
1348 
1349     qemu_mutex_destroy(&vs->output_mutex);
1350     if (vs->bh != NULL) {
1351         qemu_bh_delete(vs->bh);
1352     }
1353     buffer_free(&vs->jobs_buffer);
1354 
1355     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1356         g_free(vs->lossy_rect[i]);
1357     }
1358     g_free(vs->lossy_rect);
1359 
1360     object_unref(OBJECT(vs->ioc));
1361     vs->ioc = NULL;
1362     object_unref(OBJECT(vs->sioc));
1363     vs->sioc = NULL;
1364     vs->magic = 0;
1365     g_free(vs->zrle);
1366     g_free(vs->tight);
1367     g_free(vs);
1368 }
1369 
1370 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1371 {
1372     if (ret <= 0) {
1373         if (ret == 0) {
1374             trace_vnc_client_eof(vs, vs->ioc);
1375             vnc_disconnect_start(vs);
1376         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1377             trace_vnc_client_io_error(vs, vs->ioc,
1378                                       err ? error_get_pretty(err) : "Unknown");
1379             vnc_disconnect_start(vs);
1380         }
1381 
1382         error_free(err);
1383         return 0;
1384     }
1385     return ret;
1386 }
1387 
1388 
1389 void vnc_client_error(VncState *vs)
1390 {
1391     VNC_DEBUG("Closing down client sock: protocol error\n");
1392     vnc_disconnect_start(vs);
1393 }
1394 
1395 
1396 /*
1397  * Called to write a chunk of data to the client socket. The data may
1398  * be the raw data, or may have already been encoded by SASL.
1399  * The data will be written either straight onto the socket, or
1400  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1401  *
1402  * NB, it is theoretically possible to have 2 layers of encryption,
1403  * both SASL, and this TLS layer. It is highly unlikely in practice
1404  * though, since SASL encryption will typically be a no-op if TLS
1405  * is active
1406  *
1407  * Returns the number of bytes written, which may be less than
1408  * the requested 'datalen' if the socket would block. Returns
1409  * 0 on I/O error, and disconnects the client socket.
1410  */
1411 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1412 {
1413     Error *err = NULL;
1414     ssize_t ret;
1415     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1416     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1417     return vnc_client_io_error(vs, ret, err);
1418 }
1419 
1420 
1421 /*
1422  * Called to write buffered data to the client socket, when not
1423  * using any SASL SSF encryption layers. Will write as much data
1424  * as possible without blocking. If all buffered data is written,
1425  * will switch the FD poll() handler back to read monitoring.
1426  *
1427  * Returns the number of bytes written, which may be less than
1428  * the buffered output data if the socket would block.  Returns
1429  * 0 on I/O error, and disconnects the client socket.
1430  */
1431 static size_t vnc_client_write_plain(VncState *vs)
1432 {
1433     size_t offset;
1434     size_t ret;
1435 
1436 #ifdef CONFIG_VNC_SASL
1437     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1438               vs->output.buffer, vs->output.capacity, vs->output.offset,
1439               vs->sasl.waitWriteSSF);
1440 
1441     if (vs->sasl.conn &&
1442         vs->sasl.runSSF &&
1443         vs->sasl.waitWriteSSF) {
1444         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1445         if (ret)
1446             vs->sasl.waitWriteSSF -= ret;
1447     } else
1448 #endif /* CONFIG_VNC_SASL */
1449         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1450     if (!ret)
1451         return 0;
1452 
1453     if (ret >= vs->force_update_offset) {
1454         if (vs->force_update_offset != 0) {
1455             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1456         }
1457         vs->force_update_offset = 0;
1458     } else {
1459         vs->force_update_offset -= ret;
1460     }
1461     offset = vs->output.offset;
1462     buffer_advance(&vs->output, ret);
1463     if (offset >= vs->throttle_output_offset &&
1464         vs->output.offset < vs->throttle_output_offset) {
1465         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1466     }
1467 
1468     if (vs->output.offset == 0) {
1469         if (vs->ioc_tag) {
1470             g_source_remove(vs->ioc_tag);
1471         }
1472         vs->ioc_tag = qio_channel_add_watch(
1473             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1474             vnc_client_io, vs, NULL);
1475     }
1476 
1477     return ret;
1478 }
1479 
1480 
1481 /*
1482  * First function called whenever there is data to be written to
1483  * the client socket. Will delegate actual work according to whether
1484  * SASL SSF layers are enabled (thus requiring encryption calls)
1485  */
1486 static void vnc_client_write_locked(VncState *vs)
1487 {
1488 #ifdef CONFIG_VNC_SASL
1489     if (vs->sasl.conn &&
1490         vs->sasl.runSSF &&
1491         !vs->sasl.waitWriteSSF) {
1492         vnc_client_write_sasl(vs);
1493     } else
1494 #endif /* CONFIG_VNC_SASL */
1495     {
1496         vnc_client_write_plain(vs);
1497     }
1498 }
1499 
1500 static void vnc_client_write(VncState *vs)
1501 {
1502     assert(vs->magic == VNC_MAGIC);
1503     vnc_lock_output(vs);
1504     if (vs->output.offset) {
1505         vnc_client_write_locked(vs);
1506     } else if (vs->ioc != NULL) {
1507         if (vs->ioc_tag) {
1508             g_source_remove(vs->ioc_tag);
1509         }
1510         vs->ioc_tag = qio_channel_add_watch(
1511             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1512             vnc_client_io, vs, NULL);
1513     }
1514     vnc_unlock_output(vs);
1515 }
1516 
1517 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1518 {
1519     vs->read_handler = func;
1520     vs->read_handler_expect = expecting;
1521 }
1522 
1523 
1524 /*
1525  * Called to read a chunk of data from the client socket. The data may
1526  * be the raw data, or may need to be further decoded by SASL.
1527  * The data will be read either straight from to the socket, or
1528  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1529  *
1530  * NB, it is theoretically possible to have 2 layers of encryption,
1531  * both SASL, and this TLS layer. It is highly unlikely in practice
1532  * though, since SASL encryption will typically be a no-op if TLS
1533  * is active
1534  *
1535  * Returns the number of bytes read, which may be less than
1536  * the requested 'datalen' if the socket would block. Returns
1537  * 0 on I/O error or EOF, and disconnects the client socket.
1538  */
1539 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1540 {
1541     ssize_t ret;
1542     Error *err = NULL;
1543     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1544     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1545     return vnc_client_io_error(vs, ret, err);
1546 }
1547 
1548 
1549 /*
1550  * Called to read data from the client socket to the input buffer,
1551  * when not using any SASL SSF encryption layers. Will read as much
1552  * data as possible without blocking.
1553  *
1554  * Returns the number of bytes read, which may be less than
1555  * the requested 'datalen' if the socket would block. Returns
1556  * 0 on I/O error or EOF, and disconnects the client socket.
1557  */
1558 static size_t vnc_client_read_plain(VncState *vs)
1559 {
1560     size_t ret;
1561     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1562               vs->input.buffer, vs->input.capacity, vs->input.offset);
1563     buffer_reserve(&vs->input, 4096);
1564     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1565     if (!ret)
1566         return 0;
1567     vs->input.offset += ret;
1568     return ret;
1569 }
1570 
1571 static void vnc_jobs_bh(void *opaque)
1572 {
1573     VncState *vs = opaque;
1574 
1575     assert(vs->magic == VNC_MAGIC);
1576     vnc_jobs_consume_buffer(vs);
1577 }
1578 
1579 /*
1580  * First function called whenever there is more data to be read from
1581  * the client socket. Will delegate actual work according to whether
1582  * SASL SSF layers are enabled (thus requiring decryption calls)
1583  * Returns 0 on success, -1 if client disconnected
1584  */
1585 static int vnc_client_read(VncState *vs)
1586 {
1587     size_t sz;
1588 
1589 #ifdef CONFIG_VNC_SASL
1590     if (vs->sasl.conn && vs->sasl.runSSF)
1591         sz = vnc_client_read_sasl(vs);
1592     else
1593 #endif /* CONFIG_VNC_SASL */
1594         sz = vnc_client_read_plain(vs);
1595     if (!sz) {
1596         if (vs->disconnecting) {
1597             vnc_disconnect_finish(vs);
1598             return -1;
1599         }
1600         return 0;
1601     }
1602 
1603     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1604         size_t len = vs->read_handler_expect;
1605         int ret;
1606 
1607         ret = vs->read_handler(vs, vs->input.buffer, len);
1608         if (vs->disconnecting) {
1609             vnc_disconnect_finish(vs);
1610             return -1;
1611         }
1612 
1613         if (!ret) {
1614             buffer_advance(&vs->input, len);
1615         } else {
1616             vs->read_handler_expect = ret;
1617         }
1618     }
1619     return 0;
1620 }
1621 
1622 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1623                        GIOCondition condition, void *opaque)
1624 {
1625     VncState *vs = opaque;
1626 
1627     assert(vs->magic == VNC_MAGIC);
1628 
1629     if (condition & (G_IO_HUP | G_IO_ERR)) {
1630         vnc_disconnect_start(vs);
1631         return TRUE;
1632     }
1633 
1634     if (condition & G_IO_IN) {
1635         if (vnc_client_read(vs) < 0) {
1636             /* vs is free()ed here */
1637             return TRUE;
1638         }
1639     }
1640     if (condition & G_IO_OUT) {
1641         vnc_client_write(vs);
1642     }
1643 
1644     if (vs->disconnecting) {
1645         if (vs->ioc_tag != 0) {
1646             g_source_remove(vs->ioc_tag);
1647         }
1648         vs->ioc_tag = 0;
1649     }
1650     return TRUE;
1651 }
1652 
1653 
1654 /*
1655  * Scale factor to apply to vs->throttle_output_offset when checking for
1656  * hard limit. Worst case normal usage could be x2, if we have a complete
1657  * incremental update and complete forced update in the output buffer.
1658  * So x3 should be good enough, but we pick x5 to be conservative and thus
1659  * (hopefully) never trigger incorrectly.
1660  */
1661 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1662 
1663 void vnc_write(VncState *vs, const void *data, size_t len)
1664 {
1665     assert(vs->magic == VNC_MAGIC);
1666     if (vs->disconnecting) {
1667         return;
1668     }
1669     /* Protection against malicious client/guest to prevent our output
1670      * buffer growing without bound if client stops reading data. This
1671      * should rarely trigger, because we have earlier throttling code
1672      * which stops issuing framebuffer updates and drops audio data
1673      * if the throttle_output_offset value is exceeded. So we only reach
1674      * this higher level if a huge number of pseudo-encodings get
1675      * triggered while data can't be sent on the socket.
1676      *
1677      * NB throttle_output_offset can be zero during early protocol
1678      * handshake, or from the job thread's VncState clone
1679      */
1680     if (vs->throttle_output_offset != 0 &&
1681         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1682         vs->throttle_output_offset) {
1683         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1684                                       vs->throttle_output_offset);
1685         vnc_disconnect_start(vs);
1686         return;
1687     }
1688     buffer_reserve(&vs->output, len);
1689 
1690     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1691         if (vs->ioc_tag) {
1692             g_source_remove(vs->ioc_tag);
1693         }
1694         vs->ioc_tag = qio_channel_add_watch(
1695             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1696             vnc_client_io, vs, NULL);
1697     }
1698 
1699     buffer_append(&vs->output, data, len);
1700 }
1701 
1702 void vnc_write_s32(VncState *vs, int32_t value)
1703 {
1704     vnc_write_u32(vs, *(uint32_t *)&value);
1705 }
1706 
1707 void vnc_write_u32(VncState *vs, uint32_t value)
1708 {
1709     uint8_t buf[4];
1710 
1711     buf[0] = (value >> 24) & 0xFF;
1712     buf[1] = (value >> 16) & 0xFF;
1713     buf[2] = (value >>  8) & 0xFF;
1714     buf[3] = value & 0xFF;
1715 
1716     vnc_write(vs, buf, 4);
1717 }
1718 
1719 void vnc_write_u16(VncState *vs, uint16_t value)
1720 {
1721     uint8_t buf[2];
1722 
1723     buf[0] = (value >> 8) & 0xFF;
1724     buf[1] = value & 0xFF;
1725 
1726     vnc_write(vs, buf, 2);
1727 }
1728 
1729 void vnc_write_u8(VncState *vs, uint8_t value)
1730 {
1731     vnc_write(vs, (char *)&value, 1);
1732 }
1733 
1734 void vnc_flush(VncState *vs)
1735 {
1736     vnc_lock_output(vs);
1737     if (vs->ioc != NULL && vs->output.offset) {
1738         vnc_client_write_locked(vs);
1739     }
1740     if (vs->disconnecting) {
1741         if (vs->ioc_tag != 0) {
1742             g_source_remove(vs->ioc_tag);
1743         }
1744         vs->ioc_tag = 0;
1745     }
1746     vnc_unlock_output(vs);
1747 }
1748 
1749 static uint8_t read_u8(uint8_t *data, size_t offset)
1750 {
1751     return data[offset];
1752 }
1753 
1754 static uint16_t read_u16(uint8_t *data, size_t offset)
1755 {
1756     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1757 }
1758 
1759 static int32_t read_s32(uint8_t *data, size_t offset)
1760 {
1761     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1762                      (data[offset + 2] << 8) | data[offset + 3]);
1763 }
1764 
1765 uint32_t read_u32(uint8_t *data, size_t offset)
1766 {
1767     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1768             (data[offset + 2] << 8) | data[offset + 3]);
1769 }
1770 
1771 static void check_pointer_type_change(Notifier *notifier, void *data)
1772 {
1773     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1774     int absolute = qemu_input_is_absolute(vs->vd->dcl.con);
1775 
1776     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1777         vnc_lock_output(vs);
1778         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1779         vnc_write_u8(vs, 0);
1780         vnc_write_u16(vs, 1);
1781         vnc_framebuffer_update(vs, absolute, 0,
1782                                pixman_image_get_width(vs->vd->server),
1783                                pixman_image_get_height(vs->vd->server),
1784                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1785         vnc_unlock_output(vs);
1786         vnc_flush(vs);
1787     }
1788     vs->absolute = absolute;
1789 }
1790 
1791 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1792 {
1793     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1794         [INPUT_BUTTON_LEFT]       = 0x01,
1795         [INPUT_BUTTON_MIDDLE]     = 0x02,
1796         [INPUT_BUTTON_RIGHT]      = 0x04,
1797         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1798         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1799     };
1800     QemuConsole *con = vs->vd->dcl.con;
1801     int width = pixman_image_get_width(vs->vd->server);
1802     int height = pixman_image_get_height(vs->vd->server);
1803 
1804     if (vs->last_bmask != button_mask) {
1805         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1806         vs->last_bmask = button_mask;
1807     }
1808 
1809     if (vs->absolute) {
1810         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1811         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1812     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1813         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1814         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1815     } else {
1816         if (vs->last_x != -1) {
1817             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1818             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1819         }
1820         vs->last_x = x;
1821         vs->last_y = y;
1822     }
1823     qemu_input_event_sync();
1824 }
1825 
1826 static void press_key(VncState *vs, QKeyCode qcode)
1827 {
1828     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1829     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1830 }
1831 
1832 static void vnc_led_state_change(VncState *vs)
1833 {
1834     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1835         return;
1836     }
1837 
1838     vnc_lock_output(vs);
1839     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1840     vnc_write_u8(vs, 0);
1841     vnc_write_u16(vs, 1);
1842     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1843     vnc_write_u8(vs, vs->vd->ledstate);
1844     vnc_unlock_output(vs);
1845     vnc_flush(vs);
1846 }
1847 
1848 static void kbd_leds(void *opaque, int ledstate)
1849 {
1850     VncDisplay *vd = opaque;
1851     VncState *client;
1852 
1853     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1854                              (ledstate & QEMU_NUM_LOCK_LED),
1855                              (ledstate & QEMU_SCROLL_LOCK_LED));
1856 
1857     if (ledstate == vd->ledstate) {
1858         return;
1859     }
1860 
1861     vd->ledstate = ledstate;
1862 
1863     QTAILQ_FOREACH(client, &vd->clients, next) {
1864         vnc_led_state_change(client);
1865     }
1866 }
1867 
1868 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1869 {
1870     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1871 
1872     /* QEMU console switch */
1873     switch (qcode) {
1874     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1875         if (vs->vd->dcl.con == NULL && down &&
1876             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1877             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1878             /* Reset the modifiers sent to the current console */
1879             qkbd_state_lift_all_keys(vs->vd->kbd);
1880             console_select(qcode - Q_KEY_CODE_1);
1881             return;
1882         }
1883     default:
1884         break;
1885     }
1886 
1887     /* Turn off the lock state sync logic if the client support the led
1888        state extension.
1889     */
1890     if (down && vs->vd->lock_key_sync &&
1891         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1892         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1893         /* If the numlock state needs to change then simulate an additional
1894            keypress before sending this one.  This will happen if the user
1895            toggles numlock away from the VNC window.
1896         */
1897         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1898             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1899                 trace_vnc_key_sync_numlock(true);
1900                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1901             }
1902         } else {
1903             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1904                 trace_vnc_key_sync_numlock(false);
1905                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1906             }
1907         }
1908     }
1909 
1910     if (down && vs->vd->lock_key_sync &&
1911         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1912         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1913         /* If the capslock state needs to change then simulate an additional
1914            keypress before sending this one.  This will happen if the user
1915            toggles capslock away from the VNC window.
1916         */
1917         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1918         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1919         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1920         if (capslock) {
1921             if (uppercase == shift) {
1922                 trace_vnc_key_sync_capslock(false);
1923                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1924             }
1925         } else {
1926             if (uppercase != shift) {
1927                 trace_vnc_key_sync_capslock(true);
1928                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1929             }
1930         }
1931     }
1932 
1933     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1934     if (!qemu_console_is_graphic(NULL)) {
1935         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1936         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1937         /* QEMU console emulation */
1938         if (down) {
1939             switch (keycode) {
1940             case 0x2a:                          /* Left Shift */
1941             case 0x36:                          /* Right Shift */
1942             case 0x1d:                          /* Left CTRL */
1943             case 0x9d:                          /* Right CTRL */
1944             case 0x38:                          /* Left ALT */
1945             case 0xb8:                          /* Right ALT */
1946                 break;
1947             case 0xc8:
1948                 qemu_text_console_put_keysym(NULL, QEMU_KEY_UP);
1949                 break;
1950             case 0xd0:
1951                 qemu_text_console_put_keysym(NULL, QEMU_KEY_DOWN);
1952                 break;
1953             case 0xcb:
1954                 qemu_text_console_put_keysym(NULL, QEMU_KEY_LEFT);
1955                 break;
1956             case 0xcd:
1957                 qemu_text_console_put_keysym(NULL, QEMU_KEY_RIGHT);
1958                 break;
1959             case 0xd3:
1960                 qemu_text_console_put_keysym(NULL, QEMU_KEY_DELETE);
1961                 break;
1962             case 0xc7:
1963                 qemu_text_console_put_keysym(NULL, QEMU_KEY_HOME);
1964                 break;
1965             case 0xcf:
1966                 qemu_text_console_put_keysym(NULL, QEMU_KEY_END);
1967                 break;
1968             case 0xc9:
1969                 qemu_text_console_put_keysym(NULL, QEMU_KEY_PAGEUP);
1970                 break;
1971             case 0xd1:
1972                 qemu_text_console_put_keysym(NULL, QEMU_KEY_PAGEDOWN);
1973                 break;
1974 
1975             case 0x47:
1976                 qemu_text_console_put_keysym(NULL, numlock ? '7' : QEMU_KEY_HOME);
1977                 break;
1978             case 0x48:
1979                 qemu_text_console_put_keysym(NULL, numlock ? '8' : QEMU_KEY_UP);
1980                 break;
1981             case 0x49:
1982                 qemu_text_console_put_keysym(NULL, numlock ? '9' : QEMU_KEY_PAGEUP);
1983                 break;
1984             case 0x4b:
1985                 qemu_text_console_put_keysym(NULL, numlock ? '4' : QEMU_KEY_LEFT);
1986                 break;
1987             case 0x4c:
1988                 qemu_text_console_put_keysym(NULL, '5');
1989                 break;
1990             case 0x4d:
1991                 qemu_text_console_put_keysym(NULL, numlock ? '6' : QEMU_KEY_RIGHT);
1992                 break;
1993             case 0x4f:
1994                 qemu_text_console_put_keysym(NULL, numlock ? '1' : QEMU_KEY_END);
1995                 break;
1996             case 0x50:
1997                 qemu_text_console_put_keysym(NULL, numlock ? '2' : QEMU_KEY_DOWN);
1998                 break;
1999             case 0x51:
2000                 qemu_text_console_put_keysym(NULL, numlock ? '3' : QEMU_KEY_PAGEDOWN);
2001                 break;
2002             case 0x52:
2003                 qemu_text_console_put_keysym(NULL, '0');
2004                 break;
2005             case 0x53:
2006                 qemu_text_console_put_keysym(NULL, numlock ? '.' : QEMU_KEY_DELETE);
2007                 break;
2008 
2009             case 0xb5:
2010                 qemu_text_console_put_keysym(NULL, '/');
2011                 break;
2012             case 0x37:
2013                 qemu_text_console_put_keysym(NULL, '*');
2014                 break;
2015             case 0x4a:
2016                 qemu_text_console_put_keysym(NULL, '-');
2017                 break;
2018             case 0x4e:
2019                 qemu_text_console_put_keysym(NULL, '+');
2020                 break;
2021             case 0x9c:
2022                 qemu_text_console_put_keysym(NULL, '\n');
2023                 break;
2024 
2025             default:
2026                 if (control) {
2027                     qemu_text_console_put_keysym(NULL, sym & 0x1f);
2028                 } else {
2029                     qemu_text_console_put_keysym(NULL, sym);
2030                 }
2031                 break;
2032             }
2033         }
2034     }
2035 }
2036 
2037 static const char *code2name(int keycode)
2038 {
2039     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2040 }
2041 
2042 static void key_event(VncState *vs, int down, uint32_t sym)
2043 {
2044     int keycode;
2045     int lsym = sym;
2046 
2047     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2048         lsym = lsym - 'A' + 'a';
2049     }
2050 
2051     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2052                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2053     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2054     do_key_event(vs, down, keycode, sym);
2055 }
2056 
2057 static void ext_key_event(VncState *vs, int down,
2058                           uint32_t sym, uint16_t keycode)
2059 {
2060     /* if the user specifies a keyboard layout, always use it */
2061     if (keyboard_layout) {
2062         key_event(vs, down, sym);
2063     } else {
2064         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2065         do_key_event(vs, down, keycode, sym);
2066     }
2067 }
2068 
2069 static void framebuffer_update_request(VncState *vs, int incremental,
2070                                        int x, int y, int w, int h)
2071 {
2072     if (incremental) {
2073         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2074             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2075         }
2076     } else {
2077         vs->update = VNC_STATE_UPDATE_FORCE;
2078         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2079         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2080             vnc_desktop_resize_ext(vs, 0);
2081         }
2082     }
2083 }
2084 
2085 static void send_ext_key_event_ack(VncState *vs)
2086 {
2087     vnc_lock_output(vs);
2088     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2089     vnc_write_u8(vs, 0);
2090     vnc_write_u16(vs, 1);
2091     vnc_framebuffer_update(vs, 0, 0,
2092                            pixman_image_get_width(vs->vd->server),
2093                            pixman_image_get_height(vs->vd->server),
2094                            VNC_ENCODING_EXT_KEY_EVENT);
2095     vnc_unlock_output(vs);
2096     vnc_flush(vs);
2097 }
2098 
2099 static void send_ext_audio_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_AUDIO);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_xvp_message(VncState *vs, int code)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2117     vnc_write_u8(vs, 0); /* pad */
2118     vnc_write_u8(vs, 1); /* version */
2119     vnc_write_u8(vs, code);
2120     vnc_unlock_output(vs);
2121     vnc_flush(vs);
2122 }
2123 
2124 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2125 {
2126     int i;
2127     unsigned int enc = 0;
2128 
2129     vs->features = 0;
2130     vs->vnc_encoding = 0;
2131     vs->tight->compression = 9;
2132     vs->tight->quality = -1; /* Lossless by default */
2133     vs->absolute = -1;
2134 
2135     /*
2136      * Start from the end because the encodings are sent in order of preference.
2137      * This way the preferred encoding (first encoding defined in the array)
2138      * will be set at the end of the loop.
2139      */
2140     for (i = n_encodings - 1; i >= 0; i--) {
2141         enc = encodings[i];
2142         switch (enc) {
2143         case VNC_ENCODING_RAW:
2144             vs->vnc_encoding = enc;
2145             break;
2146         case VNC_ENCODING_HEXTILE:
2147             vnc_set_feature(vs, VNC_FEATURE_HEXTILE);
2148             vs->vnc_encoding = enc;
2149             break;
2150         case VNC_ENCODING_TIGHT:
2151             vnc_set_feature(vs, VNC_FEATURE_TIGHT);
2152             vs->vnc_encoding = enc;
2153             break;
2154 #ifdef CONFIG_PNG
2155         case VNC_ENCODING_TIGHT_PNG:
2156             vnc_set_feature(vs, VNC_FEATURE_TIGHT_PNG);
2157             vs->vnc_encoding = enc;
2158             break;
2159 #endif
2160         case VNC_ENCODING_ZLIB:
2161             /*
2162              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2163              * So prioritize ZRLE, even if the client hints that it prefers
2164              * ZLIB.
2165              */
2166             if (!vnc_has_feature(vs, VNC_FEATURE_ZRLE)) {
2167                 vnc_set_feature(vs, VNC_FEATURE_ZLIB);
2168                 vs->vnc_encoding = enc;
2169             }
2170             break;
2171         case VNC_ENCODING_ZRLE:
2172             vnc_set_feature(vs, VNC_FEATURE_ZRLE);
2173             vs->vnc_encoding = enc;
2174             break;
2175         case VNC_ENCODING_ZYWRLE:
2176             vnc_set_feature(vs, VNC_FEATURE_ZYWRLE);
2177             vs->vnc_encoding = enc;
2178             break;
2179         case VNC_ENCODING_DESKTOPRESIZE:
2180             vnc_set_feature(vs, VNC_FEATURE_RESIZE);
2181             break;
2182         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2183             vnc_set_feature(vs, VNC_FEATURE_RESIZE_EXT);
2184             break;
2185         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2186             vnc_set_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE);
2187             break;
2188         case VNC_ENCODING_RICH_CURSOR:
2189             vnc_set_feature(vs, VNC_FEATURE_RICH_CURSOR);
2190             break;
2191         case VNC_ENCODING_ALPHA_CURSOR:
2192             vnc_set_feature(vs, VNC_FEATURE_ALPHA_CURSOR);
2193             break;
2194         case VNC_ENCODING_EXT_KEY_EVENT:
2195             send_ext_key_event_ack(vs);
2196             break;
2197         case VNC_ENCODING_AUDIO:
2198             if (vs->vd->audio_state) {
2199                 vnc_set_feature(vs, VNC_FEATURE_AUDIO);
2200                 send_ext_audio_ack(vs);
2201             }
2202             break;
2203         case VNC_ENCODING_WMVi:
2204             vnc_set_feature(vs, VNC_FEATURE_WMVI);
2205             break;
2206         case VNC_ENCODING_LED_STATE:
2207             vnc_set_feature(vs, VNC_FEATURE_LED_STATE);
2208             break;
2209         case VNC_ENCODING_XVP:
2210             if (vs->vd->power_control) {
2211                 vnc_set_feature(vs, VNC_FEATURE_XVP);
2212                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2213             }
2214             break;
2215         case VNC_ENCODING_CLIPBOARD_EXT:
2216             vnc_set_feature(vs, VNC_FEATURE_CLIPBOARD_EXT);
2217             vnc_server_cut_text_caps(vs);
2218             break;
2219         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2220             vs->tight->compression = (enc & 0x0F);
2221             break;
2222         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2223             if (vs->vd->lossy) {
2224                 vs->tight->quality = (enc & 0x0F);
2225             }
2226             break;
2227         default:
2228             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2229             break;
2230         }
2231     }
2232     vnc_desktop_resize(vs);
2233     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2234     vnc_led_state_change(vs);
2235     vnc_cursor_define(vs);
2236 }
2237 
2238 static void set_pixel_conversion(VncState *vs)
2239 {
2240     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2241 
2242     if (fmt == VNC_SERVER_FB_FORMAT) {
2243         vs->write_pixels = vnc_write_pixels_copy;
2244         vnc_hextile_set_pixel_conversion(vs, 0);
2245     } else {
2246         vs->write_pixels = vnc_write_pixels_generic;
2247         vnc_hextile_set_pixel_conversion(vs, 1);
2248     }
2249 }
2250 
2251 static void send_color_map(VncState *vs)
2252 {
2253     int i;
2254 
2255     vnc_lock_output(vs);
2256     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2257     vnc_write_u8(vs,  0);    /* padding     */
2258     vnc_write_u16(vs, 0);    /* first color */
2259     vnc_write_u16(vs, 256);  /* # of colors */
2260 
2261     for (i = 0; i < 256; i++) {
2262         PixelFormat *pf = &vs->client_pf;
2263 
2264         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2265         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2266         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2267     }
2268     vnc_unlock_output(vs);
2269 }
2270 
2271 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2272                              int big_endian_flag, int true_color_flag,
2273                              int red_max, int green_max, int blue_max,
2274                              int red_shift, int green_shift, int blue_shift)
2275 {
2276     if (!true_color_flag) {
2277         /* Expose a reasonable default 256 color map */
2278         bits_per_pixel = 8;
2279         red_max = 7;
2280         green_max = 7;
2281         blue_max = 3;
2282         red_shift = 0;
2283         green_shift = 3;
2284         blue_shift = 6;
2285     }
2286 
2287     switch (bits_per_pixel) {
2288     case 8:
2289     case 16:
2290     case 32:
2291         break;
2292     default:
2293         vnc_client_error(vs);
2294         return;
2295     }
2296 
2297     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2298     vs->client_pf.rbits = ctpopl(red_max);
2299     vs->client_pf.rshift = red_shift;
2300     vs->client_pf.rmask = red_max << red_shift;
2301     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2302     vs->client_pf.gbits = ctpopl(green_max);
2303     vs->client_pf.gshift = green_shift;
2304     vs->client_pf.gmask = green_max << green_shift;
2305     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2306     vs->client_pf.bbits = ctpopl(blue_max);
2307     vs->client_pf.bshift = blue_shift;
2308     vs->client_pf.bmask = blue_max << blue_shift;
2309     vs->client_pf.bits_per_pixel = bits_per_pixel;
2310     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2311     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2312     vs->client_be = big_endian_flag;
2313 
2314     if (!true_color_flag) {
2315         send_color_map(vs);
2316     }
2317 
2318     set_pixel_conversion(vs);
2319 
2320     graphic_hw_invalidate(vs->vd->dcl.con);
2321     graphic_hw_update(vs->vd->dcl.con);
2322 }
2323 
2324 static void pixel_format_message (VncState *vs) {
2325     char pad[3] = { 0, 0, 0 };
2326 
2327     vs->client_pf = qemu_default_pixelformat(32);
2328 
2329     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2330     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2331 
2332 #if HOST_BIG_ENDIAN
2333     vnc_write_u8(vs, 1);             /* big-endian-flag */
2334 #else
2335     vnc_write_u8(vs, 0);             /* big-endian-flag */
2336 #endif
2337     vnc_write_u8(vs, 1);             /* true-color-flag */
2338     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2339     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2340     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2341     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2342     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2343     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2344     vnc_write(vs, pad, 3);           /* padding */
2345 
2346     vnc_hextile_set_pixel_conversion(vs, 0);
2347     vs->write_pixels = vnc_write_pixels_copy;
2348 }
2349 
2350 static void vnc_colordepth(VncState *vs)
2351 {
2352     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2353         /* Sending a WMVi message to notify the client*/
2354         vnc_lock_output(vs);
2355         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2356         vnc_write_u8(vs, 0);
2357         vnc_write_u16(vs, 1); /* number of rects */
2358         vnc_framebuffer_update(vs, 0, 0,
2359                                vs->client_width,
2360                                vs->client_height,
2361                                VNC_ENCODING_WMVi);
2362         pixel_format_message(vs);
2363         vnc_unlock_output(vs);
2364         vnc_flush(vs);
2365     } else {
2366         set_pixel_conversion(vs);
2367     }
2368 }
2369 
2370 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2371 {
2372     int i;
2373     uint16_t limit;
2374     uint32_t freq;
2375     VncDisplay *vd = vs->vd;
2376 
2377     if (data[0] > 3) {
2378         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2379     }
2380 
2381     switch (data[0]) {
2382     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2383         if (len == 1)
2384             return 20;
2385 
2386         set_pixel_format(vs, read_u8(data, 4),
2387                          read_u8(data, 6), read_u8(data, 7),
2388                          read_u16(data, 8), read_u16(data, 10),
2389                          read_u16(data, 12), read_u8(data, 14),
2390                          read_u8(data, 15), read_u8(data, 16));
2391         break;
2392     case VNC_MSG_CLIENT_SET_ENCODINGS:
2393         if (len == 1)
2394             return 4;
2395 
2396         if (len == 4) {
2397             limit = read_u16(data, 2);
2398             if (limit > 0)
2399                 return 4 + (limit * 4);
2400         } else
2401             limit = read_u16(data, 2);
2402 
2403         for (i = 0; i < limit; i++) {
2404             int32_t val = read_s32(data, 4 + (i * 4));
2405             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2406         }
2407 
2408         set_encodings(vs, (int32_t *)(data + 4), limit);
2409         break;
2410     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2411         if (len == 1)
2412             return 10;
2413 
2414         framebuffer_update_request(vs,
2415                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2416                                    read_u16(data, 6), read_u16(data, 8));
2417         break;
2418     case VNC_MSG_CLIENT_KEY_EVENT:
2419         if (len == 1)
2420             return 8;
2421 
2422         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2423         break;
2424     case VNC_MSG_CLIENT_POINTER_EVENT:
2425         if (len == 1)
2426             return 6;
2427 
2428         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2429         break;
2430     case VNC_MSG_CLIENT_CUT_TEXT:
2431         if (len == 1) {
2432             return 8;
2433         }
2434         uint32_t dlen = abs(read_s32(data, 4));
2435         if (len == 8) {
2436             if (dlen > (1 << 20)) {
2437                 error_report("vnc: client_cut_text msg payload has %u bytes"
2438                              " which exceeds our limit of 1MB.", dlen);
2439                 vnc_client_error(vs);
2440                 break;
2441             }
2442             if (dlen > 0) {
2443                 return 8 + dlen;
2444             }
2445         }
2446 
2447         if (read_s32(data, 4) < 0) {
2448             if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
2449                 error_report("vnc: extended clipboard message while disabled");
2450                 vnc_client_error(vs);
2451                 break;
2452             }
2453             if (dlen < 4) {
2454                 error_report("vnc: malformed payload (header less than 4 bytes)"
2455                              " in extended clipboard pseudo-encoding.");
2456                 vnc_client_error(vs);
2457                 break;
2458             }
2459             vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
2460             break;
2461         }
2462         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2463         break;
2464     case VNC_MSG_CLIENT_XVP:
2465         if (!vnc_has_feature(vs, VNC_FEATURE_XVP)) {
2466             error_report("vnc: xvp client message while disabled");
2467             vnc_client_error(vs);
2468             break;
2469         }
2470         if (len == 1) {
2471             return 4;
2472         }
2473         if (len == 4) {
2474             uint8_t version = read_u8(data, 2);
2475             uint8_t action = read_u8(data, 3);
2476 
2477             if (version != 1) {
2478                 error_report("vnc: xvp client message version %d != 1",
2479                              version);
2480                 vnc_client_error(vs);
2481                 break;
2482             }
2483 
2484             switch (action) {
2485             case VNC_XVP_ACTION_SHUTDOWN:
2486                 qemu_system_powerdown_request();
2487                 break;
2488             case VNC_XVP_ACTION_REBOOT:
2489                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2490                 break;
2491             case VNC_XVP_ACTION_RESET:
2492                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2493                 break;
2494             default:
2495                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2496                 break;
2497             }
2498         }
2499         break;
2500     case VNC_MSG_CLIENT_QEMU:
2501         if (len == 1)
2502             return 2;
2503 
2504         switch (read_u8(data, 1)) {
2505         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2506             if (len == 2)
2507                 return 12;
2508 
2509             ext_key_event(vs, read_u16(data, 2),
2510                           read_u32(data, 4), read_u32(data, 8));
2511             break;
2512         case VNC_MSG_CLIENT_QEMU_AUDIO:
2513             if (!vnc_has_feature(vs, VNC_FEATURE_AUDIO)) {
2514                 error_report("Audio message %d with audio disabled", read_u8(data, 2));
2515                 vnc_client_error(vs);
2516                 break;
2517             }
2518 
2519             if (len == 2)
2520                 return 4;
2521 
2522             switch (read_u16 (data, 2)) {
2523             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2524                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2525                 audio_add(vs);
2526                 break;
2527             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2528                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2529                 audio_del(vs);
2530                 break;
2531             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2532                 if (len == 4)
2533                     return 10;
2534                 switch (read_u8(data, 4)) {
2535                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2536                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2537                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2538                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2539                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2540                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2541                 default:
2542                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2543                     vnc_client_error(vs);
2544                     break;
2545                 }
2546                 vs->as.nchannels = read_u8(data, 5);
2547                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2548                     VNC_DEBUG("Invalid audio channel count %d\n",
2549                               read_u8(data, 5));
2550                     vnc_client_error(vs);
2551                     break;
2552                 }
2553                 freq = read_u32(data, 6);
2554                 /* No official limit for protocol, but 48khz is a sensible
2555                  * upper bound for trustworthy clients, and this limit
2556                  * protects calculations involving 'vs->as.freq' later.
2557                  */
2558                 if (freq > 48000) {
2559                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2560                     vnc_client_error(vs);
2561                     break;
2562                 }
2563                 vs->as.freq = freq;
2564                 trace_vnc_msg_client_audio_format(
2565                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2566                 break;
2567             default:
2568                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 2));
2569                 vnc_client_error(vs);
2570                 break;
2571             }
2572             break;
2573 
2574         default:
2575             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2576             vnc_client_error(vs);
2577             break;
2578         }
2579         break;
2580     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2581     {
2582         size_t size;
2583         uint8_t screens;
2584         int w, h;
2585 
2586         if (len < 8) {
2587             return 8;
2588         }
2589 
2590         screens = read_u8(data, 6);
2591         size    = 8 + screens * 16;
2592         if (len < size) {
2593             return size;
2594         }
2595         w = read_u16(data, 2);
2596         h = read_u16(data, 4);
2597 
2598         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2599         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2600             QemuUIInfo info;
2601             memset(&info, 0, sizeof(info));
2602             info.width = w;
2603             info.height = h;
2604             dpy_set_ui_info(vs->vd->dcl.con, &info, false);
2605             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2606         } else {
2607             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2608         }
2609 
2610         break;
2611     }
2612     default:
2613         VNC_DEBUG("Msg: %d\n", data[0]);
2614         vnc_client_error(vs);
2615         break;
2616     }
2617 
2618     vnc_update_throttle_offset(vs);
2619     vnc_read_when(vs, protocol_client_msg, 1);
2620     return 0;
2621 }
2622 
2623 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2624 {
2625     char buf[1024];
2626     VncShareMode mode;
2627     int size;
2628 
2629     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2630     switch (vs->vd->share_policy) {
2631     case VNC_SHARE_POLICY_IGNORE:
2632         /*
2633          * Ignore the shared flag.  Nothing to do here.
2634          *
2635          * Doesn't conform to the rfb spec but is traditional qemu
2636          * behavior, thus left here as option for compatibility
2637          * reasons.
2638          */
2639         break;
2640     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2641         /*
2642          * Policy: Allow clients ask for exclusive access.
2643          *
2644          * Implementation: When a client asks for exclusive access,
2645          * disconnect all others. Shared connects are allowed as long
2646          * as no exclusive connection exists.
2647          *
2648          * This is how the rfb spec suggests to handle the shared flag.
2649          */
2650         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2651             VncState *client;
2652             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2653                 if (vs == client) {
2654                     continue;
2655                 }
2656                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2657                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2658                     continue;
2659                 }
2660                 vnc_disconnect_start(client);
2661             }
2662         }
2663         if (mode == VNC_SHARE_MODE_SHARED) {
2664             if (vs->vd->num_exclusive > 0) {
2665                 vnc_disconnect_start(vs);
2666                 return 0;
2667             }
2668         }
2669         break;
2670     case VNC_SHARE_POLICY_FORCE_SHARED:
2671         /*
2672          * Policy: Shared connects only.
2673          * Implementation: Disallow clients asking for exclusive access.
2674          *
2675          * Useful for shared desktop sessions where you don't want
2676          * someone forgetting to say -shared when running the vnc
2677          * client disconnect everybody else.
2678          */
2679         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2680             vnc_disconnect_start(vs);
2681             return 0;
2682         }
2683         break;
2684     }
2685     vnc_set_share_mode(vs, mode);
2686 
2687     if (vs->vd->num_shared > vs->vd->connections_limit) {
2688         vnc_disconnect_start(vs);
2689         return 0;
2690     }
2691 
2692     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2693            pixman_image_get_width(vs->vd->server) >= 0);
2694     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2695            pixman_image_get_height(vs->vd->server) >= 0);
2696     vs->client_width = pixman_image_get_width(vs->vd->server);
2697     vs->client_height = pixman_image_get_height(vs->vd->server);
2698     vnc_write_u16(vs, vs->client_width);
2699     vnc_write_u16(vs, vs->client_height);
2700 
2701     pixel_format_message(vs);
2702 
2703     if (qemu_name) {
2704         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2705         if (size > sizeof(buf)) {
2706             size = sizeof(buf);
2707         }
2708     } else {
2709         size = snprintf(buf, sizeof(buf), "QEMU");
2710     }
2711 
2712     vnc_write_u32(vs, size);
2713     vnc_write(vs, buf, size);
2714     vnc_flush(vs);
2715 
2716     vnc_client_cache_auth(vs);
2717     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2718 
2719     vnc_read_when(vs, protocol_client_msg, 1);
2720 
2721     return 0;
2722 }
2723 
2724 void start_client_init(VncState *vs)
2725 {
2726     vnc_read_when(vs, protocol_client_init, 1);
2727 }
2728 
2729 static void authentication_failed(VncState *vs)
2730 {
2731     vnc_write_u32(vs, 1); /* Reject auth */
2732     if (vs->minor >= 8) {
2733         static const char err[] = "Authentication failed";
2734         vnc_write_u32(vs, sizeof(err));
2735         vnc_write(vs, err, sizeof(err));
2736     }
2737     vnc_flush(vs);
2738     vnc_client_error(vs);
2739 }
2740 
2741 static void
2742 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2743 {
2744     size_t i;
2745     for (i = 0; i < nkey; i++) {
2746         uint8_t r = key[i];
2747         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2748         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2749         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2750         key[i] = r;
2751     }
2752 }
2753 
2754 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2755 {
2756     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2757     size_t i, pwlen;
2758     unsigned char key[8];
2759     time_t now = time(NULL);
2760     QCryptoCipher *cipher = NULL;
2761     Error *err = NULL;
2762 
2763     if (!vs->vd->password) {
2764         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2765         goto reject;
2766     }
2767     if (vs->vd->expires < now) {
2768         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2769         goto reject;
2770     }
2771 
2772     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2773 
2774     /* Calculate the expected challenge response */
2775     pwlen = strlen(vs->vd->password);
2776     for (i=0; i<sizeof(key); i++)
2777         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2778     vnc_munge_des_rfb_key(key, sizeof(key));
2779 
2780     cipher = qcrypto_cipher_new(
2781         QCRYPTO_CIPHER_ALG_DES,
2782         QCRYPTO_CIPHER_MODE_ECB,
2783         key, G_N_ELEMENTS(key),
2784         &err);
2785     if (!cipher) {
2786         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2787                             error_get_pretty(err));
2788         error_free(err);
2789         goto reject;
2790     }
2791 
2792     if (qcrypto_cipher_encrypt(cipher,
2793                                vs->challenge,
2794                                response,
2795                                VNC_AUTH_CHALLENGE_SIZE,
2796                                &err) < 0) {
2797         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2798                             error_get_pretty(err));
2799         error_free(err);
2800         goto reject;
2801     }
2802 
2803     /* Compare expected vs actual challenge response */
2804     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2805         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2806         goto reject;
2807     } else {
2808         trace_vnc_auth_pass(vs, vs->auth);
2809         vnc_write_u32(vs, 0); /* Accept auth */
2810         vnc_flush(vs);
2811 
2812         start_client_init(vs);
2813     }
2814 
2815     qcrypto_cipher_free(cipher);
2816     return 0;
2817 
2818 reject:
2819     authentication_failed(vs);
2820     qcrypto_cipher_free(cipher);
2821     return 0;
2822 }
2823 
2824 void start_auth_vnc(VncState *vs)
2825 {
2826     Error *err = NULL;
2827 
2828     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2829         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2830                             error_get_pretty(err));
2831         error_free(err);
2832         authentication_failed(vs);
2833         return;
2834     }
2835 
2836     /* Send client a 'random' challenge */
2837     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2838     vnc_flush(vs);
2839 
2840     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2841 }
2842 
2843 
2844 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2845 {
2846     /* We only advertise 1 auth scheme at a time, so client
2847      * must pick the one we sent. Verify this */
2848     if (data[0] != vs->auth) { /* Reject auth */
2849        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2850        authentication_failed(vs);
2851     } else { /* Accept requested auth */
2852        trace_vnc_auth_start(vs, vs->auth);
2853        switch (vs->auth) {
2854        case VNC_AUTH_NONE:
2855            if (vs->minor >= 8) {
2856                vnc_write_u32(vs, 0); /* Accept auth completion */
2857                vnc_flush(vs);
2858            }
2859            trace_vnc_auth_pass(vs, vs->auth);
2860            start_client_init(vs);
2861            break;
2862 
2863        case VNC_AUTH_VNC:
2864            start_auth_vnc(vs);
2865            break;
2866 
2867        case VNC_AUTH_VENCRYPT:
2868            start_auth_vencrypt(vs);
2869            break;
2870 
2871 #ifdef CONFIG_VNC_SASL
2872        case VNC_AUTH_SASL:
2873            start_auth_sasl(vs);
2874            break;
2875 #endif /* CONFIG_VNC_SASL */
2876 
2877        default: /* Should not be possible, but just in case */
2878            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2879            authentication_failed(vs);
2880        }
2881     }
2882     return 0;
2883 }
2884 
2885 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2886 {
2887     char local[13];
2888 
2889     memcpy(local, version, 12);
2890     local[12] = 0;
2891 
2892     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2893         VNC_DEBUG("Malformed protocol version %s\n", local);
2894         vnc_client_error(vs);
2895         return 0;
2896     }
2897     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2898     if (vs->major != 3 ||
2899         (vs->minor != 3 &&
2900          vs->minor != 4 &&
2901          vs->minor != 5 &&
2902          vs->minor != 7 &&
2903          vs->minor != 8)) {
2904         VNC_DEBUG("Unsupported client version\n");
2905         vnc_write_u32(vs, VNC_AUTH_INVALID);
2906         vnc_flush(vs);
2907         vnc_client_error(vs);
2908         return 0;
2909     }
2910     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2911      * as equivalent to v3.3 by servers
2912      */
2913     if (vs->minor == 4 || vs->minor == 5)
2914         vs->minor = 3;
2915 
2916     if (vs->minor == 3) {
2917         trace_vnc_auth_start(vs, vs->auth);
2918         if (vs->auth == VNC_AUTH_NONE) {
2919             vnc_write_u32(vs, vs->auth);
2920             vnc_flush(vs);
2921             trace_vnc_auth_pass(vs, vs->auth);
2922             start_client_init(vs);
2923        } else if (vs->auth == VNC_AUTH_VNC) {
2924             VNC_DEBUG("Tell client VNC auth\n");
2925             vnc_write_u32(vs, vs->auth);
2926             vnc_flush(vs);
2927             start_auth_vnc(vs);
2928        } else {
2929             trace_vnc_auth_fail(vs, vs->auth,
2930                                 "Unsupported auth method for v3.3", "");
2931             vnc_write_u32(vs, VNC_AUTH_INVALID);
2932             vnc_flush(vs);
2933             vnc_client_error(vs);
2934        }
2935     } else {
2936         vnc_write_u8(vs, 1); /* num auth */
2937         vnc_write_u8(vs, vs->auth);
2938         vnc_read_when(vs, protocol_client_auth, 1);
2939         vnc_flush(vs);
2940     }
2941 
2942     return 0;
2943 }
2944 
2945 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2946 {
2947     struct VncSurface *vs = &vd->guest;
2948 
2949     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2950 }
2951 
2952 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2953 {
2954     int i, j;
2955 
2956     w = (x + w) / VNC_STAT_RECT;
2957     h = (y + h) / VNC_STAT_RECT;
2958     x /= VNC_STAT_RECT;
2959     y /= VNC_STAT_RECT;
2960 
2961     for (j = y; j <= h; j++) {
2962         for (i = x; i <= w; i++) {
2963             vs->lossy_rect[j][i] = 1;
2964         }
2965     }
2966 }
2967 
2968 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2969 {
2970     VncState *vs;
2971     int sty = y / VNC_STAT_RECT;
2972     int stx = x / VNC_STAT_RECT;
2973     int has_dirty = 0;
2974 
2975     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2976     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2977 
2978     QTAILQ_FOREACH(vs, &vd->clients, next) {
2979         int j;
2980 
2981         /* kernel send buffers are full -> refresh later */
2982         if (vs->output.offset) {
2983             continue;
2984         }
2985 
2986         if (!vs->lossy_rect[sty][stx]) {
2987             continue;
2988         }
2989 
2990         vs->lossy_rect[sty][stx] = 0;
2991         for (j = 0; j < VNC_STAT_RECT; ++j) {
2992             bitmap_set(vs->dirty[y + j],
2993                        x / VNC_DIRTY_PIXELS_PER_BIT,
2994                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2995         }
2996         has_dirty++;
2997     }
2998 
2999     return has_dirty;
3000 }
3001 
3002 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
3003 {
3004     int width = MIN(pixman_image_get_width(vd->guest.fb),
3005                     pixman_image_get_width(vd->server));
3006     int height = MIN(pixman_image_get_height(vd->guest.fb),
3007                      pixman_image_get_height(vd->server));
3008     int x, y;
3009     struct timeval res;
3010     int has_dirty = 0;
3011 
3012     for (y = 0; y < height; y += VNC_STAT_RECT) {
3013         for (x = 0; x < width; x += VNC_STAT_RECT) {
3014             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3015 
3016             rect->updated = false;
3017         }
3018     }
3019 
3020     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3021 
3022     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3023         return has_dirty;
3024     }
3025     vd->guest.last_freq_check = *tv;
3026 
3027     for (y = 0; y < height; y += VNC_STAT_RECT) {
3028         for (x = 0; x < width; x += VNC_STAT_RECT) {
3029             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3030             int count = ARRAY_SIZE(rect->times);
3031             struct timeval min, max;
3032 
3033             if (!timerisset(&rect->times[count - 1])) {
3034                 continue ;
3035             }
3036 
3037             max = rect->times[(rect->idx + count - 1) % count];
3038             qemu_timersub(tv, &max, &res);
3039 
3040             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3041                 rect->freq = 0;
3042                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3043                 memset(rect->times, 0, sizeof (rect->times));
3044                 continue ;
3045             }
3046 
3047             min = rect->times[rect->idx];
3048             max = rect->times[(rect->idx + count - 1) % count];
3049             qemu_timersub(&max, &min, &res);
3050 
3051             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3052             rect->freq /= count;
3053             rect->freq = 1. / rect->freq;
3054         }
3055     }
3056     return has_dirty;
3057 }
3058 
3059 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3060 {
3061     int i, j;
3062     double total = 0;
3063     int num = 0;
3064 
3065     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3066     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3067 
3068     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3069         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3070             total += vnc_stat_rect(vs->vd, i, j)->freq;
3071             num++;
3072         }
3073     }
3074 
3075     if (num) {
3076         return total / num;
3077     } else {
3078         return 0;
3079     }
3080 }
3081 
3082 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3083 {
3084     VncRectStat *rect;
3085 
3086     rect = vnc_stat_rect(vd, x, y);
3087     if (rect->updated) {
3088         return;
3089     }
3090     rect->times[rect->idx] = *tv;
3091     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3092     rect->updated = true;
3093 }
3094 
3095 static int vnc_refresh_server_surface(VncDisplay *vd)
3096 {
3097     int width = MIN(pixman_image_get_width(vd->guest.fb),
3098                     pixman_image_get_width(vd->server));
3099     int height = MIN(pixman_image_get_height(vd->guest.fb),
3100                      pixman_image_get_height(vd->server));
3101     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3102     uint8_t *guest_row0 = NULL, *server_row0;
3103     VncState *vs;
3104     int has_dirty = 0;
3105     pixman_image_t *tmpbuf = NULL;
3106     unsigned long offset;
3107     int x;
3108     uint8_t *guest_ptr, *server_ptr;
3109 
3110     struct timeval tv = { 0, 0 };
3111 
3112     if (!vd->non_adaptive) {
3113         gettimeofday(&tv, NULL);
3114         has_dirty = vnc_update_stats(vd, &tv);
3115     }
3116 
3117     offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3118                            height * VNC_DIRTY_BPL(&vd->guest), 0);
3119     if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3120         /* no dirty bits in guest surface */
3121         return has_dirty;
3122     }
3123 
3124     /*
3125      * Walk through the guest dirty map.
3126      * Check and copy modified bits from guest to server surface.
3127      * Update server dirty map.
3128      */
3129     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3130     server_stride = guest_stride = guest_ll =
3131         pixman_image_get_stride(vd->server);
3132     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3133                     server_stride);
3134     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3135         int w = pixman_image_get_width(vd->server);
3136         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, w);
3137     } else {
3138         int guest_bpp =
3139             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3140         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3141         guest_stride = pixman_image_get_stride(vd->guest.fb);
3142         guest_ll = pixman_image_get_width(vd->guest.fb)
3143                    * DIV_ROUND_UP(guest_bpp, 8);
3144     }
3145     line_bytes = MIN(server_stride, guest_ll);
3146 
3147     for (;;) {
3148         y = offset / VNC_DIRTY_BPL(&vd->guest);
3149         x = offset % VNC_DIRTY_BPL(&vd->guest);
3150 
3151         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3152 
3153         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3154             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3155             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3156         } else {
3157             guest_ptr = guest_row0 + y * guest_stride;
3158         }
3159         guest_ptr += x * cmp_bytes;
3160 
3161         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3162              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3163             int _cmp_bytes = cmp_bytes;
3164             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3165                 continue;
3166             }
3167             if ((x + 1) * cmp_bytes > line_bytes) {
3168                 _cmp_bytes = line_bytes - x * cmp_bytes;
3169             }
3170             assert(_cmp_bytes >= 0);
3171             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3172                 continue;
3173             }
3174             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3175             if (!vd->non_adaptive) {
3176                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3177                                  y, &tv);
3178             }
3179             QTAILQ_FOREACH(vs, &vd->clients, next) {
3180                 set_bit(x, vs->dirty[y]);
3181             }
3182             has_dirty++;
3183         }
3184 
3185         y++;
3186         offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3187                                height * VNC_DIRTY_BPL(&vd->guest),
3188                                y * VNC_DIRTY_BPL(&vd->guest));
3189         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3190             /* no more dirty bits */
3191             break;
3192         }
3193     }
3194     qemu_pixman_image_unref(tmpbuf);
3195     return has_dirty;
3196 }
3197 
3198 static void vnc_refresh(DisplayChangeListener *dcl)
3199 {
3200     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3201     VncState *vs, *vn;
3202     int has_dirty, rects = 0;
3203 
3204     if (QTAILQ_EMPTY(&vd->clients)) {
3205         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3206         return;
3207     }
3208 
3209     graphic_hw_update(vd->dcl.con);
3210 
3211     if (vnc_trylock_display(vd)) {
3212         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3213         return;
3214     }
3215 
3216     has_dirty = vnc_refresh_server_surface(vd);
3217     vnc_unlock_display(vd);
3218 
3219     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3220         rects += vnc_update_client(vs, has_dirty);
3221         /* vs might be free()ed here */
3222     }
3223 
3224     if (has_dirty && rects) {
3225         vd->dcl.update_interval /= 2;
3226         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3227             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3228         }
3229     } else {
3230         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3231         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3232             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3233         }
3234     }
3235 }
3236 
3237 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3238                         bool skipauth, bool websocket)
3239 {
3240     VncState *vs = g_new0(VncState, 1);
3241     bool first_client = QTAILQ_EMPTY(&vd->clients);
3242     int i;
3243 
3244     trace_vnc_client_connect(vs, sioc);
3245     vs->zrle = g_new0(VncZrle, 1);
3246     vs->tight = g_new0(VncTight, 1);
3247     vs->magic = VNC_MAGIC;
3248     vs->sioc = sioc;
3249     object_ref(OBJECT(vs->sioc));
3250     vs->ioc = QIO_CHANNEL(sioc);
3251     object_ref(OBJECT(vs->ioc));
3252     vs->vd = vd;
3253 
3254     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3255     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3256     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3257 
3258     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3259     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3260     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3261 #ifdef CONFIG_VNC_JPEG
3262     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3263 #endif
3264 #ifdef CONFIG_PNG
3265     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3266 #endif
3267     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3268     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3269     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3270     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3271 
3272     if (skipauth) {
3273         vs->auth = VNC_AUTH_NONE;
3274         vs->subauth = VNC_AUTH_INVALID;
3275     } else {
3276         if (websocket) {
3277             vs->auth = vd->ws_auth;
3278             vs->subauth = VNC_AUTH_INVALID;
3279         } else {
3280             vs->auth = vd->auth;
3281             vs->subauth = vd->subauth;
3282         }
3283     }
3284     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3285               sioc, websocket, vs->auth, vs->subauth);
3286 
3287     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3288     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3289         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3290     }
3291 
3292     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3293     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3294     qio_channel_set_blocking(vs->ioc, false, NULL);
3295     if (vs->ioc_tag) {
3296         g_source_remove(vs->ioc_tag);
3297     }
3298     if (websocket) {
3299         vs->websocket = 1;
3300         if (vd->tlscreds) {
3301             vs->ioc_tag = qio_channel_add_watch(
3302                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3303                 vncws_tls_handshake_io, vs, NULL);
3304         } else {
3305             vs->ioc_tag = qio_channel_add_watch(
3306                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3307                 vncws_handshake_io, vs, NULL);
3308         }
3309     } else {
3310         vs->ioc_tag = qio_channel_add_watch(
3311             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3312             vnc_client_io, vs, NULL);
3313     }
3314 
3315     vnc_client_cache_addr(vs);
3316     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3317     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3318 
3319     vs->last_x = -1;
3320     vs->last_y = -1;
3321 
3322     vs->as.freq = 44100;
3323     vs->as.nchannels = 2;
3324     vs->as.fmt = AUDIO_FORMAT_S16;
3325     vs->as.endianness = 0;
3326 
3327     qemu_mutex_init(&vs->output_mutex);
3328     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3329 
3330     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3331     if (first_client) {
3332         vnc_update_server_surface(vd);
3333     }
3334 
3335     graphic_hw_update(vd->dcl.con);
3336 
3337     if (!vs->websocket) {
3338         vnc_start_protocol(vs);
3339     }
3340 
3341     if (vd->num_connecting > vd->connections_limit) {
3342         QTAILQ_FOREACH(vs, &vd->clients, next) {
3343             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3344                 vnc_disconnect_start(vs);
3345                 return;
3346             }
3347         }
3348     }
3349 }
3350 
3351 void vnc_start_protocol(VncState *vs)
3352 {
3353     vnc_write(vs, "RFB 003.008\n", 12);
3354     vnc_flush(vs);
3355     vnc_read_when(vs, protocol_version, 12);
3356 
3357     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3358     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3359 }
3360 
3361 static void vnc_listen_io(QIONetListener *listener,
3362                           QIOChannelSocket *cioc,
3363                           void *opaque)
3364 {
3365     VncDisplay *vd = opaque;
3366     bool isWebsock = listener == vd->wslistener;
3367 
3368     qio_channel_set_name(QIO_CHANNEL(cioc),
3369                          isWebsock ? "vnc-ws-server" : "vnc-server");
3370     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3371     vnc_connect(vd, cioc, false, isWebsock);
3372 }
3373 
3374 static const DisplayChangeListenerOps dcl_ops = {
3375     .dpy_name             = "vnc",
3376     .dpy_refresh          = vnc_refresh,
3377     .dpy_gfx_update       = vnc_dpy_update,
3378     .dpy_gfx_switch       = vnc_dpy_switch,
3379     .dpy_gfx_check_format = qemu_pixman_check_format,
3380     .dpy_mouse_set        = vnc_mouse_set,
3381     .dpy_cursor_define    = vnc_dpy_cursor_define,
3382 };
3383 
3384 void vnc_display_init(const char *id, Error **errp)
3385 {
3386     VncDisplay *vd;
3387 
3388     if (vnc_display_find(id) != NULL) {
3389         return;
3390     }
3391     vd = g_malloc0(sizeof(*vd));
3392 
3393     vd->id = strdup(id);
3394     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3395 
3396     QTAILQ_INIT(&vd->clients);
3397     vd->expires = TIME_MAX;
3398 
3399     if (keyboard_layout) {
3400         trace_vnc_key_map_init(keyboard_layout);
3401         vd->kbd_layout = init_keyboard_layout(name2keysym,
3402                                               keyboard_layout, errp);
3403     } else {
3404         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3405     }
3406 
3407     if (!vd->kbd_layout) {
3408         return;
3409     }
3410 
3411     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3412     vd->connections_limit = 32;
3413 
3414     qemu_mutex_init(&vd->mutex);
3415     vnc_start_worker_thread();
3416 
3417     vd->dcl.ops = &dcl_ops;
3418     register_displaychangelistener(&vd->dcl);
3419     vd->kbd = qkbd_state_init(vd->dcl.con);
3420 }
3421 
3422 
3423 static void vnc_display_close(VncDisplay *vd)
3424 {
3425     if (!vd) {
3426         return;
3427     }
3428     vd->is_unix = false;
3429 
3430     if (vd->listener) {
3431         qio_net_listener_disconnect(vd->listener);
3432         object_unref(OBJECT(vd->listener));
3433     }
3434     vd->listener = NULL;
3435 
3436     if (vd->wslistener) {
3437         qio_net_listener_disconnect(vd->wslistener);
3438         object_unref(OBJECT(vd->wslistener));
3439     }
3440     vd->wslistener = NULL;
3441 
3442     vd->auth = VNC_AUTH_INVALID;
3443     vd->subauth = VNC_AUTH_INVALID;
3444     if (vd->tlscreds) {
3445         object_unref(OBJECT(vd->tlscreds));
3446         vd->tlscreds = NULL;
3447     }
3448     if (vd->tlsauthz) {
3449         object_unparent(OBJECT(vd->tlsauthz));
3450         vd->tlsauthz = NULL;
3451     }
3452     g_free(vd->tlsauthzid);
3453     vd->tlsauthzid = NULL;
3454     if (vd->lock_key_sync) {
3455         qemu_remove_led_event_handler(vd->led);
3456         vd->led = NULL;
3457     }
3458 #ifdef CONFIG_VNC_SASL
3459     if (vd->sasl.authz) {
3460         object_unparent(OBJECT(vd->sasl.authz));
3461         vd->sasl.authz = NULL;
3462     }
3463     g_free(vd->sasl.authzid);
3464     vd->sasl.authzid = NULL;
3465 #endif
3466 }
3467 
3468 int vnc_display_password(const char *id, const char *password)
3469 {
3470     VncDisplay *vd = vnc_display_find(id);
3471 
3472     if (!vd) {
3473         return -EINVAL;
3474     }
3475     if (vd->auth == VNC_AUTH_NONE) {
3476         error_printf_unless_qmp("If you want use passwords please enable "
3477                                 "password auth using '-vnc ${dpy},password'.\n");
3478         return -EINVAL;
3479     }
3480 
3481     g_free(vd->password);
3482     vd->password = g_strdup(password);
3483 
3484     return 0;
3485 }
3486 
3487 int vnc_display_pw_expire(const char *id, time_t expires)
3488 {
3489     VncDisplay *vd = vnc_display_find(id);
3490 
3491     if (!vd) {
3492         return -EINVAL;
3493     }
3494 
3495     vd->expires = expires;
3496     return 0;
3497 }
3498 
3499 static void vnc_display_print_local_addr(VncDisplay *vd)
3500 {
3501     SocketAddress *addr;
3502 
3503     if (!vd->listener || !vd->listener->nsioc) {
3504         return;
3505     }
3506 
3507     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3508     if (!addr) {
3509         return;
3510     }
3511 
3512     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3513         qapi_free_SocketAddress(addr);
3514         return;
3515     }
3516     error_printf_unless_qmp("VNC server running on %s:%s\n",
3517                             addr->u.inet.host,
3518                             addr->u.inet.port);
3519     qapi_free_SocketAddress(addr);
3520 }
3521 
3522 static QemuOptsList qemu_vnc_opts = {
3523     .name = "vnc",
3524     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3525     .implied_opt_name = "vnc",
3526     .desc = {
3527         {
3528             .name = "vnc",
3529             .type = QEMU_OPT_STRING,
3530         },{
3531             .name = "websocket",
3532             .type = QEMU_OPT_STRING,
3533         },{
3534             .name = "tls-creds",
3535             .type = QEMU_OPT_STRING,
3536         },{
3537             .name = "share",
3538             .type = QEMU_OPT_STRING,
3539         },{
3540             .name = "display",
3541             .type = QEMU_OPT_STRING,
3542         },{
3543             .name = "head",
3544             .type = QEMU_OPT_NUMBER,
3545         },{
3546             .name = "connections",
3547             .type = QEMU_OPT_NUMBER,
3548         },{
3549             .name = "to",
3550             .type = QEMU_OPT_NUMBER,
3551         },{
3552             .name = "ipv4",
3553             .type = QEMU_OPT_BOOL,
3554         },{
3555             .name = "ipv6",
3556             .type = QEMU_OPT_BOOL,
3557         },{
3558             .name = "password",
3559             .type = QEMU_OPT_BOOL,
3560         },{
3561             .name = "password-secret",
3562             .type = QEMU_OPT_STRING,
3563         },{
3564             .name = "reverse",
3565             .type = QEMU_OPT_BOOL,
3566         },{
3567             .name = "lock-key-sync",
3568             .type = QEMU_OPT_BOOL,
3569         },{
3570             .name = "key-delay-ms",
3571             .type = QEMU_OPT_NUMBER,
3572         },{
3573             .name = "sasl",
3574             .type = QEMU_OPT_BOOL,
3575         },{
3576             .name = "tls-authz",
3577             .type = QEMU_OPT_STRING,
3578         },{
3579             .name = "sasl-authz",
3580             .type = QEMU_OPT_STRING,
3581         },{
3582             .name = "lossy",
3583             .type = QEMU_OPT_BOOL,
3584         },{
3585             .name = "non-adaptive",
3586             .type = QEMU_OPT_BOOL,
3587         },{
3588             .name = "audiodev",
3589             .type = QEMU_OPT_STRING,
3590         },{
3591             .name = "power-control",
3592             .type = QEMU_OPT_BOOL,
3593         },
3594         { /* end of list */ }
3595     },
3596 };
3597 
3598 
3599 static int
3600 vnc_display_setup_auth(int *auth,
3601                        int *subauth,
3602                        QCryptoTLSCreds *tlscreds,
3603                        bool password,
3604                        bool sasl,
3605                        bool websocket,
3606                        Error **errp)
3607 {
3608     /*
3609      * We have a choice of 3 authentication options
3610      *
3611      *   1. none
3612      *   2. vnc
3613      *   3. sasl
3614      *
3615      * The channel can be run in 2 modes
3616      *
3617      *   1. clear
3618      *   2. tls
3619      *
3620      * And TLS can use 2 types of credentials
3621      *
3622      *   1. anon
3623      *   2. x509
3624      *
3625      * We thus have 9 possible logical combinations
3626      *
3627      *   1. clear + none
3628      *   2. clear + vnc
3629      *   3. clear + sasl
3630      *   4. tls + anon + none
3631      *   5. tls + anon + vnc
3632      *   6. tls + anon + sasl
3633      *   7. tls + x509 + none
3634      *   8. tls + x509 + vnc
3635      *   9. tls + x509 + sasl
3636      *
3637      * These need to be mapped into the VNC auth schemes
3638      * in an appropriate manner. In regular VNC, all the
3639      * TLS options get mapped into VNC_AUTH_VENCRYPT
3640      * sub-auth types.
3641      *
3642      * In websockets, the https:// protocol already provides
3643      * TLS support, so there is no need to make use of the
3644      * VeNCrypt extension. Furthermore, websockets browser
3645      * clients could not use VeNCrypt even if they wanted to,
3646      * as they cannot control when the TLS handshake takes
3647      * place. Thus there is no option but to rely on https://,
3648      * meaning combinations 4->6 and 7->9 will be mapped to
3649      * VNC auth schemes in the same way as combos 1->3.
3650      *
3651      * Regardless of fact that we have a different mapping to
3652      * VNC auth mechs for plain VNC vs websockets VNC, the end
3653      * result has the same security characteristics.
3654      */
3655     if (websocket || !tlscreds) {
3656         if (password) {
3657             VNC_DEBUG("Initializing VNC server with password auth\n");
3658             *auth = VNC_AUTH_VNC;
3659         } else if (sasl) {
3660             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3661             *auth = VNC_AUTH_SASL;
3662         } else {
3663             VNC_DEBUG("Initializing VNC server with no auth\n");
3664             *auth = VNC_AUTH_NONE;
3665         }
3666         *subauth = VNC_AUTH_INVALID;
3667     } else {
3668         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3669                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3670         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3671                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3672 
3673         if (!is_x509 && !is_anon) {
3674             error_setg(errp,
3675                        "Unsupported TLS cred type %s",
3676                        object_get_typename(OBJECT(tlscreds)));
3677             return -1;
3678         }
3679         *auth = VNC_AUTH_VENCRYPT;
3680         if (password) {
3681             if (is_x509) {
3682                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3683                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3684             } else {
3685                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3686                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3687             }
3688 
3689         } else if (sasl) {
3690             if (is_x509) {
3691                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3692                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3693             } else {
3694                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3695                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3696             }
3697         } else {
3698             if (is_x509) {
3699                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3700                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3701             } else {
3702                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3703                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3704             }
3705         }
3706     }
3707     return 0;
3708 }
3709 
3710 
3711 static int vnc_display_get_address(const char *addrstr,
3712                                    bool websocket,
3713                                    bool reverse,
3714                                    int displaynum,
3715                                    int to,
3716                                    bool has_ipv4,
3717                                    bool has_ipv6,
3718                                    bool ipv4,
3719                                    bool ipv6,
3720                                    SocketAddress **retaddr,
3721                                    Error **errp)
3722 {
3723     int ret = -1;
3724     SocketAddress *addr = NULL;
3725 
3726     addr = g_new0(SocketAddress, 1);
3727 
3728     if (strncmp(addrstr, "unix:", 5) == 0) {
3729         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3730         addr->u.q_unix.path = g_strdup(addrstr + 5);
3731 
3732         if (websocket) {
3733             error_setg(errp, "UNIX sockets not supported with websock");
3734             goto cleanup;
3735         }
3736 
3737         if (to) {
3738             error_setg(errp, "Port range not support with UNIX socket");
3739             goto cleanup;
3740         }
3741         ret = 0;
3742     } else {
3743         const char *port;
3744         size_t hostlen;
3745         uint64_t baseport = 0;
3746         InetSocketAddress *inet;
3747 
3748         port = strrchr(addrstr, ':');
3749         if (!port) {
3750             if (websocket) {
3751                 hostlen = 0;
3752                 port = addrstr;
3753             } else {
3754                 error_setg(errp, "no vnc port specified");
3755                 goto cleanup;
3756             }
3757         } else {
3758             hostlen = port - addrstr;
3759             port++;
3760             if (*port == '\0') {
3761                 error_setg(errp, "vnc port cannot be empty");
3762                 goto cleanup;
3763             }
3764         }
3765 
3766         addr->type = SOCKET_ADDRESS_TYPE_INET;
3767         inet = &addr->u.inet;
3768         if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3769             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3770         } else {
3771             inet->host = g_strndup(addrstr, hostlen);
3772         }
3773         /* plain VNC port is just an offset, for websocket
3774          * port is absolute */
3775         if (websocket) {
3776             if (g_str_equal(addrstr, "") ||
3777                 g_str_equal(addrstr, "on")) {
3778                 if (displaynum == -1) {
3779                     error_setg(errp, "explicit websocket port is required");
3780                     goto cleanup;
3781                 }
3782                 inet->port = g_strdup_printf(
3783                     "%d", displaynum + 5700);
3784                 if (to) {
3785                     inet->has_to = true;
3786                     inet->to = to + 5700;
3787                 }
3788             } else {
3789                 inet->port = g_strdup(port);
3790             }
3791         } else {
3792             int offset = reverse ? 0 : 5900;
3793             if (parse_uint_full(port, 10, &baseport) < 0) {
3794                 error_setg(errp, "can't convert to a number: %s", port);
3795                 goto cleanup;
3796             }
3797             if (baseport > 65535 ||
3798                 baseport + offset > 65535) {
3799                 error_setg(errp, "port %s out of range", port);
3800                 goto cleanup;
3801             }
3802             inet->port = g_strdup_printf(
3803                 "%d", (int)baseport + offset);
3804 
3805             if (to) {
3806                 inet->has_to = true;
3807                 inet->to = to + offset;
3808             }
3809         }
3810 
3811         inet->ipv4 = ipv4;
3812         inet->has_ipv4 = has_ipv4;
3813         inet->ipv6 = ipv6;
3814         inet->has_ipv6 = has_ipv6;
3815 
3816         ret = baseport;
3817     }
3818 
3819     *retaddr = addr;
3820 
3821  cleanup:
3822     if (ret < 0) {
3823         qapi_free_SocketAddress(addr);
3824     }
3825     return ret;
3826 }
3827 
3828 static int vnc_display_get_addresses(QemuOpts *opts,
3829                                      bool reverse,
3830                                      SocketAddressList **saddr_list_ret,
3831                                      SocketAddressList **wsaddr_list_ret,
3832                                      Error **errp)
3833 {
3834     SocketAddress *saddr = NULL;
3835     SocketAddress *wsaddr = NULL;
3836     g_autoptr(SocketAddressList) saddr_list = NULL;
3837     SocketAddressList **saddr_tail = &saddr_list;
3838     SocketAddress *single_saddr = NULL;
3839     g_autoptr(SocketAddressList) wsaddr_list = NULL;
3840     SocketAddressList **wsaddr_tail = &wsaddr_list;
3841     QemuOptsIter addriter;
3842     const char *addr;
3843     int to = qemu_opt_get_number(opts, "to", 0);
3844     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3845     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3846     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3847     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3848     int displaynum = -1;
3849 
3850     addr = qemu_opt_get(opts, "vnc");
3851     if (addr == NULL || g_str_equal(addr, "none")) {
3852         return 0;
3853     }
3854     if (qemu_opt_get(opts, "websocket") &&
3855         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3856         error_setg(errp,
3857                    "SHA1 hash support is required for websockets");
3858         return -1;
3859     }
3860 
3861     qemu_opt_iter_init(&addriter, opts, "vnc");
3862     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3863         int rv;
3864         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3865                                      has_ipv4, has_ipv6,
3866                                      ipv4, ipv6,
3867                                      &saddr, errp);
3868         if (rv < 0) {
3869             return -1;
3870         }
3871         /* Historical compat - first listen address can be used
3872          * to set the default websocket port
3873          */
3874         if (displaynum == -1) {
3875             displaynum = rv;
3876         }
3877         QAPI_LIST_APPEND(saddr_tail, saddr);
3878     }
3879 
3880     if (saddr_list && !saddr_list->next) {
3881         single_saddr = saddr_list->value;
3882     } else {
3883         /*
3884          * If we had multiple primary displays, we don't do defaults
3885          * for websocket, and require explicit config instead.
3886          */
3887         displaynum = -1;
3888     }
3889 
3890     qemu_opt_iter_init(&addriter, opts, "websocket");
3891     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3892         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3893                                     has_ipv4, has_ipv6,
3894                                     ipv4, ipv6,
3895                                     &wsaddr, errp) < 0) {
3896             return -1;
3897         }
3898 
3899         /* Historical compat - if only a single listen address was
3900          * provided, then this is used to set the default listen
3901          * address for websocket too
3902          */
3903         if (single_saddr &&
3904             single_saddr->type == SOCKET_ADDRESS_TYPE_INET &&
3905             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3906             g_str_equal(wsaddr->u.inet.host, "") &&
3907             !g_str_equal(single_saddr->u.inet.host, "")) {
3908             g_free(wsaddr->u.inet.host);
3909             wsaddr->u.inet.host = g_strdup(single_saddr->u.inet.host);
3910         }
3911 
3912         QAPI_LIST_APPEND(wsaddr_tail, wsaddr);
3913     }
3914 
3915     *saddr_list_ret = g_steal_pointer(&saddr_list);
3916     *wsaddr_list_ret = g_steal_pointer(&wsaddr_list);
3917     return 0;
3918 }
3919 
3920 static int vnc_display_connect(VncDisplay *vd,
3921                                SocketAddressList *saddr_list,
3922                                SocketAddressList *wsaddr_list,
3923                                Error **errp)
3924 {
3925     /* connect to viewer */
3926     QIOChannelSocket *sioc = NULL;
3927     if (wsaddr_list) {
3928         error_setg(errp, "Cannot use websockets in reverse mode");
3929         return -1;
3930     }
3931     if (!saddr_list || saddr_list->next) {
3932         error_setg(errp, "Expected a single address in reverse mode");
3933         return -1;
3934     }
3935     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3936     vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
3937     sioc = qio_channel_socket_new();
3938     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3939     if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
3940         object_unref(OBJECT(sioc));
3941         return -1;
3942     }
3943     vnc_connect(vd, sioc, false, false);
3944     object_unref(OBJECT(sioc));
3945     return 0;
3946 }
3947 
3948 
3949 static int vnc_display_listen(VncDisplay *vd,
3950                               SocketAddressList *saddr_list,
3951                               SocketAddressList *wsaddr_list,
3952                               Error **errp)
3953 {
3954     SocketAddressList *el;
3955 
3956     if (saddr_list) {
3957         vd->listener = qio_net_listener_new();
3958         qio_net_listener_set_name(vd->listener, "vnc-listen");
3959         for (el = saddr_list; el; el = el->next) {
3960             if (qio_net_listener_open_sync(vd->listener,
3961                                            el->value, 1,
3962                                            errp) < 0)  {
3963                 return -1;
3964             }
3965         }
3966 
3967         qio_net_listener_set_client_func(vd->listener,
3968                                          vnc_listen_io, vd, NULL);
3969     }
3970 
3971     if (wsaddr_list) {
3972         vd->wslistener = qio_net_listener_new();
3973         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3974         for (el = wsaddr_list; el; el = el->next) {
3975             if (qio_net_listener_open_sync(vd->wslistener,
3976                                            el->value, 1,
3977                                            errp) < 0)  {
3978                 return -1;
3979             }
3980         }
3981 
3982         qio_net_listener_set_client_func(vd->wslistener,
3983                                          vnc_listen_io, vd, NULL);
3984     }
3985 
3986     return 0;
3987 }
3988 
3989 bool vnc_display_update(DisplayUpdateOptionsVNC *arg, Error **errp)
3990 {
3991     VncDisplay *vd = vnc_display_find(NULL);
3992 
3993     if (!vd) {
3994         error_setg(errp, "Can not find vnc display");
3995         return false;
3996     }
3997 
3998     if (arg->has_addresses) {
3999         if (vd->listener) {
4000             qio_net_listener_disconnect(vd->listener);
4001             object_unref(OBJECT(vd->listener));
4002             vd->listener = NULL;
4003         }
4004 
4005         if (vnc_display_listen(vd, arg->addresses, NULL, errp) < 0) {
4006             return false;
4007         }
4008     }
4009 
4010     return true;
4011 }
4012 
4013 void vnc_display_open(const char *id, Error **errp)
4014 {
4015     VncDisplay *vd = vnc_display_find(id);
4016     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4017     g_autoptr(SocketAddressList) saddr_list = NULL;
4018     g_autoptr(SocketAddressList) wsaddr_list = NULL;
4019     const char *share, *device_id;
4020     QemuConsole *con;
4021     bool password = false;
4022     bool reverse = false;
4023     const char *credid;
4024     bool sasl = false;
4025     const char *tlsauthz;
4026     const char *saslauthz;
4027     int lock_key_sync = 1;
4028     int key_delay_ms;
4029     const char *audiodev;
4030     const char *passwordSecret;
4031 
4032     if (!vd) {
4033         error_setg(errp, "VNC display not active");
4034         return;
4035     }
4036     vnc_display_close(vd);
4037 
4038     if (!opts) {
4039         return;
4040     }
4041 
4042     reverse = qemu_opt_get_bool(opts, "reverse", false);
4043     if (vnc_display_get_addresses(opts, reverse, &saddr_list, &wsaddr_list,
4044                                   errp) < 0) {
4045         goto fail;
4046     }
4047 
4048 
4049     passwordSecret = qemu_opt_get(opts, "password-secret");
4050     if (passwordSecret) {
4051         if (qemu_opt_get(opts, "password")) {
4052             error_setg(errp,
4053                        "'password' flag is redundant with 'password-secret'");
4054             goto fail;
4055         }
4056         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4057                                                      errp);
4058         if (!vd->password) {
4059             goto fail;
4060         }
4061         password = true;
4062     } else {
4063         password = qemu_opt_get_bool(opts, "password", false);
4064     }
4065     if (password) {
4066         if (!qcrypto_cipher_supports(
4067                 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4068             error_setg(errp,
4069                        "Cipher backend does not support DES algorithm");
4070             goto fail;
4071         }
4072     }
4073 
4074     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4075     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4076     sasl = qemu_opt_get_bool(opts, "sasl", false);
4077 #ifndef CONFIG_VNC_SASL
4078     if (sasl) {
4079         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4080         goto fail;
4081     }
4082 #endif /* CONFIG_VNC_SASL */
4083     credid = qemu_opt_get(opts, "tls-creds");
4084     if (credid) {
4085         Object *creds;
4086         creds = object_resolve_path_component(
4087             object_get_objects_root(), credid);
4088         if (!creds) {
4089             error_setg(errp, "No TLS credentials with id '%s'",
4090                        credid);
4091             goto fail;
4092         }
4093         vd->tlscreds = (QCryptoTLSCreds *)
4094             object_dynamic_cast(creds,
4095                                 TYPE_QCRYPTO_TLS_CREDS);
4096         if (!vd->tlscreds) {
4097             error_setg(errp, "Object with id '%s' is not TLS credentials",
4098                        credid);
4099             goto fail;
4100         }
4101         object_ref(OBJECT(vd->tlscreds));
4102 
4103         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4104                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4105                                               errp)) {
4106             goto fail;
4107         }
4108     }
4109     tlsauthz = qemu_opt_get(opts, "tls-authz");
4110     if (tlsauthz && !vd->tlscreds) {
4111         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4112         goto fail;
4113     }
4114 
4115     saslauthz = qemu_opt_get(opts, "sasl-authz");
4116     if (saslauthz && !sasl) {
4117         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4118         goto fail;
4119     }
4120 
4121     share = qemu_opt_get(opts, "share");
4122     if (share) {
4123         if (strcmp(share, "ignore") == 0) {
4124             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4125         } else if (strcmp(share, "allow-exclusive") == 0) {
4126             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4127         } else if (strcmp(share, "force-shared") == 0) {
4128             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4129         } else {
4130             error_setg(errp, "unknown vnc share= option");
4131             goto fail;
4132         }
4133     } else {
4134         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4135     }
4136     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4137 
4138 #ifdef CONFIG_VNC_JPEG
4139     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4140 #endif
4141     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4142     /* adaptive updates are only used with tight encoding and
4143      * if lossy updates are enabled so we can disable all the
4144      * calculations otherwise */
4145     if (!vd->lossy) {
4146         vd->non_adaptive = true;
4147     }
4148 
4149     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4150 
4151     if (tlsauthz) {
4152         vd->tlsauthzid = g_strdup(tlsauthz);
4153     }
4154 #ifdef CONFIG_VNC_SASL
4155     if (sasl) {
4156         if (saslauthz) {
4157             vd->sasl.authzid = g_strdup(saslauthz);
4158         }
4159     }
4160 #endif
4161 
4162     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4163                                vd->tlscreds, password,
4164                                sasl, false, errp) < 0) {
4165         goto fail;
4166     }
4167     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4168 
4169     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4170                                vd->tlscreds, password,
4171                                sasl, true, errp) < 0) {
4172         goto fail;
4173     }
4174     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4175 
4176 #ifdef CONFIG_VNC_SASL
4177     if (sasl && !vnc_sasl_server_init(errp)) {
4178         goto fail;
4179     }
4180 #endif
4181     vd->lock_key_sync = lock_key_sync;
4182     if (lock_key_sync) {
4183         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4184     }
4185     vd->ledstate = 0;
4186 
4187     audiodev = qemu_opt_get(opts, "audiodev");
4188     if (audiodev) {
4189         vd->audio_state = audio_state_by_name(audiodev, errp);
4190         if (!vd->audio_state) {
4191             goto fail;
4192         }
4193     } else {
4194         vd->audio_state = audio_get_default_audio_state(NULL);
4195     }
4196 
4197     device_id = qemu_opt_get(opts, "display");
4198     if (device_id) {
4199         int head = qemu_opt_get_number(opts, "head", 0);
4200         Error *err = NULL;
4201 
4202         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4203         if (err) {
4204             error_propagate(errp, err);
4205             goto fail;
4206         }
4207     } else {
4208         con = NULL;
4209     }
4210 
4211     if (con != vd->dcl.con) {
4212         qkbd_state_free(vd->kbd);
4213         unregister_displaychangelistener(&vd->dcl);
4214         vd->dcl.con = con;
4215         register_displaychangelistener(&vd->dcl);
4216         vd->kbd = qkbd_state_init(vd->dcl.con);
4217     }
4218     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4219 
4220     if (saddr_list == NULL) {
4221         return;
4222     }
4223 
4224     if (reverse) {
4225         if (vnc_display_connect(vd, saddr_list, wsaddr_list, errp) < 0) {
4226             goto fail;
4227         }
4228     } else {
4229         if (vnc_display_listen(vd, saddr_list, wsaddr_list, errp) < 0) {
4230             goto fail;
4231         }
4232     }
4233 
4234     if (qemu_opt_get(opts, "to")) {
4235         vnc_display_print_local_addr(vd);
4236     }
4237 
4238     /* Success */
4239     return;
4240 
4241 fail:
4242     vnc_display_close(vd);
4243 }
4244 
4245 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4246 {
4247     VncDisplay *vd = vnc_display_find(id);
4248     QIOChannelSocket *sioc;
4249 
4250     if (!vd) {
4251         return;
4252     }
4253 
4254     sioc = qio_channel_socket_new_fd(csock, NULL);
4255     if (sioc) {
4256         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4257         vnc_connect(vd, sioc, skipauth, false);
4258         object_unref(OBJECT(sioc));
4259     }
4260 }
4261 
4262 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4263 {
4264     int i = 2;
4265     char *id;
4266 
4267     id = g_strdup("default");
4268     while (qemu_opts_find(olist, id)) {
4269         g_free(id);
4270         id = g_strdup_printf("vnc%d", i++);
4271     }
4272     qemu_opts_set_id(opts, id);
4273 }
4274 
4275 void vnc_parse(const char *str)
4276 {
4277     QemuOptsList *olist = qemu_find_opts("vnc");
4278     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4279     const char *id;
4280 
4281     if (!opts) {
4282         exit(1);
4283     }
4284 
4285     id = qemu_opts_id(opts);
4286     if (!id) {
4287         /* auto-assign id if not present */
4288         vnc_auto_assign_id(olist, opts);
4289     }
4290 }
4291 
4292 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4293 {
4294     Error *local_err = NULL;
4295     char *id = (char *)qemu_opts_id(opts);
4296 
4297     assert(id);
4298     vnc_display_init(id, &local_err);
4299     if (local_err) {
4300         error_propagate(errp, local_err);
4301         return -1;
4302     }
4303     vnc_display_open(id, &local_err);
4304     if (local_err != NULL) {
4305         error_propagate(errp, local_err);
4306         return -1;
4307     }
4308     return 0;
4309 }
4310 
4311 static void vnc_register_config(void)
4312 {
4313     qemu_add_opts(&qemu_vnc_opts);
4314 }
4315 opts_init(vnc_register_config);
4316