xref: /openbmc/qemu/ui/vnc.c (revision 701bff24)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscreds.h"
49 #include "crypto/tlscredsanon.h"
50 #include "crypto/tlscredsx509.h"
51 #include "crypto/random.h"
52 #include "crypto/secret_common.h"
53 #include "qom/object_interfaces.h"
54 #include "qemu/cutils.h"
55 #include "qemu/help_option.h"
56 #include "io/dns-resolver.h"
57 #include "monitor/monitor.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->has_auth = true;
248     info->auth = g_strdup(vnc_auth_name(vd));
249     if (err) {
250         qapi_free_VncServerInfo(info);
251         info = NULL;
252         error_free(err);
253     }
254     return info;
255 }
256 
257 static void vnc_client_cache_auth(VncState *client)
258 {
259     if (!client->info) {
260         return;
261     }
262 
263     if (client->tls) {
264         client->info->x509_dname =
265             qcrypto_tls_session_get_peer_name(client->tls);
266         client->info->has_x509_dname =
267             client->info->x509_dname != NULL;
268     }
269 #ifdef CONFIG_VNC_SASL
270     if (client->sasl.conn &&
271         client->sasl.username) {
272         client->info->has_sasl_username = true;
273         client->info->sasl_username = g_strdup(client->sasl.username);
274     }
275 #endif
276 }
277 
278 static void vnc_client_cache_addr(VncState *client)
279 {
280     Error *err = NULL;
281 
282     client->info = g_malloc0(sizeof(*client->info));
283     vnc_init_basic_info_from_remote_addr(client->sioc,
284                                          qapi_VncClientInfo_base(client->info),
285                                          &err);
286     client->info->websocket = client->websocket;
287     if (err) {
288         qapi_free_VncClientInfo(client->info);
289         client->info = NULL;
290         error_free(err);
291     }
292 }
293 
294 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
295 {
296     VncServerInfo *si;
297 
298     if (!vs->info) {
299         return;
300     }
301 
302     si = vnc_server_info_get(vs->vd);
303     if (!si) {
304         return;
305     }
306 
307     switch (event) {
308     case QAPI_EVENT_VNC_CONNECTED:
309         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
310         break;
311     case QAPI_EVENT_VNC_INITIALIZED:
312         qapi_event_send_vnc_initialized(si, vs->info);
313         break;
314     case QAPI_EVENT_VNC_DISCONNECTED:
315         qapi_event_send_vnc_disconnected(si, vs->info);
316         break;
317     default:
318         break;
319     }
320 
321     qapi_free_VncServerInfo(si);
322 }
323 
324 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
325 {
326     VncClientInfo *info;
327     Error *err = NULL;
328 
329     info = g_malloc0(sizeof(*info));
330 
331     vnc_init_basic_info_from_remote_addr(client->sioc,
332                                          qapi_VncClientInfo_base(info),
333                                          &err);
334     if (err) {
335         error_free(err);
336         qapi_free_VncClientInfo(info);
337         return NULL;
338     }
339 
340     info->websocket = client->websocket;
341 
342     if (client->tls) {
343         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
344         info->has_x509_dname = info->x509_dname != NULL;
345     }
346 #ifdef CONFIG_VNC_SASL
347     if (client->sasl.conn && client->sasl.username) {
348         info->has_sasl_username = true;
349         info->sasl_username = g_strdup(client->sasl.username);
350     }
351 #endif
352 
353     return info;
354 }
355 
356 static VncDisplay *vnc_display_find(const char *id)
357 {
358     VncDisplay *vd;
359 
360     if (id == NULL) {
361         return QTAILQ_FIRST(&vnc_displays);
362     }
363     QTAILQ_FOREACH(vd, &vnc_displays, next) {
364         if (strcmp(id, vd->id) == 0) {
365             return vd;
366         }
367     }
368     return NULL;
369 }
370 
371 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
372 {
373     VncClientInfoList *prev = NULL;
374     VncState *client;
375 
376     QTAILQ_FOREACH(client, &vd->clients, next) {
377         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
378     }
379     return prev;
380 }
381 
382 VncInfo *qmp_query_vnc(Error **errp)
383 {
384     VncInfo *info = g_malloc0(sizeof(*info));
385     VncDisplay *vd = vnc_display_find(NULL);
386     SocketAddress *addr = NULL;
387 
388     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
389         info->enabled = false;
390     } else {
391         info->enabled = true;
392 
393         /* for compatibility with the original command */
394         info->has_clients = true;
395         info->clients = qmp_query_client_list(vd);
396 
397         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
398                                                     errp);
399         if (!addr) {
400             goto out_error;
401         }
402 
403         switch (addr->type) {
404         case SOCKET_ADDRESS_TYPE_INET:
405             info->host = g_strdup(addr->u.inet.host);
406             info->service = g_strdup(addr->u.inet.port);
407             if (addr->u.inet.ipv6) {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
409             } else {
410                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
411             }
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_UNIX:
415             info->host = g_strdup("");
416             info->service = g_strdup(addr->u.q_unix.path);
417             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
418             break;
419 
420         case SOCKET_ADDRESS_TYPE_VSOCK:
421         case SOCKET_ADDRESS_TYPE_FD:
422             error_setg(errp, "Unsupported socket address type %s",
423                        SocketAddressType_str(addr->type));
424             goto out_error;
425         default:
426             abort();
427         }
428 
429         info->has_host = true;
430         info->has_service = true;
431         info->has_family = true;
432 
433         info->has_auth = true;
434         info->auth = g_strdup(vnc_auth_name(vd));
435     }
436 
437     qapi_free_SocketAddress(addr);
438     return info;
439 
440 out_error:
441     qapi_free_SocketAddress(addr);
442     qapi_free_VncInfo(info);
443     return NULL;
444 }
445 
446 
447 static void qmp_query_auth(int auth, int subauth,
448                            VncPrimaryAuth *qmp_auth,
449                            VncVencryptSubAuth *qmp_vencrypt,
450                            bool *qmp_has_vencrypt);
451 
452 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
453                                                   bool websocket,
454                                                   int auth,
455                                                   int subauth,
456                                                   VncServerInfo2List *prev)
457 {
458     VncServerInfo2 *info;
459     Error *err = NULL;
460     SocketAddress *addr;
461 
462     addr = qio_channel_socket_get_local_address(ioc, NULL);
463     if (!addr) {
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     QAPI_LIST_PREPEND(prev, info);
481     return prev;
482 }
483 
484 static void qmp_query_auth(int auth, int subauth,
485                            VncPrimaryAuth *qmp_auth,
486                            VncVencryptSubAuth *qmp_vencrypt,
487                            bool *qmp_has_vencrypt)
488 {
489     switch (auth) {
490     case VNC_AUTH_VNC:
491         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
492         break;
493     case VNC_AUTH_RA2:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
495         break;
496     case VNC_AUTH_RA2NE:
497         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
498         break;
499     case VNC_AUTH_TIGHT:
500         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
501         break;
502     case VNC_AUTH_ULTRA:
503         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
504         break;
505     case VNC_AUTH_TLS:
506         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
507         break;
508     case VNC_AUTH_VENCRYPT:
509         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
510         *qmp_has_vencrypt = true;
511         switch (subauth) {
512         case VNC_AUTH_VENCRYPT_PLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSNONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSVNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_TLSPLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_X509NONE:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
526             break;
527         case VNC_AUTH_VENCRYPT_X509VNC:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
529             break;
530         case VNC_AUTH_VENCRYPT_X509PLAIN:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
532             break;
533         case VNC_AUTH_VENCRYPT_TLSSASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
535             break;
536         case VNC_AUTH_VENCRYPT_X509SASL:
537             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
538             break;
539         default:
540             *qmp_has_vencrypt = false;
541             break;
542         }
543         break;
544     case VNC_AUTH_SASL:
545         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
546         break;
547     case VNC_AUTH_NONE:
548     default:
549         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
550         break;
551     }
552 }
553 
554 VncInfo2List *qmp_query_vnc_servers(Error **errp)
555 {
556     VncInfo2List *prev = NULL;
557     VncInfo2 *info;
558     VncDisplay *vd;
559     DeviceState *dev;
560     size_t i;
561 
562     QTAILQ_FOREACH(vd, &vnc_displays, next) {
563         info = g_new0(VncInfo2, 1);
564         info->id = g_strdup(vd->id);
565         info->clients = qmp_query_client_list(vd);
566         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
567                        &info->vencrypt, &info->has_vencrypt);
568         if (vd->dcl.con) {
569             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
570                                                   "device", &error_abort));
571             info->has_display = true;
572             info->display = g_strdup(dev->id);
573         }
574         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
575             info->server = qmp_query_server_entry(
576                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
577                 info->server);
578         }
579         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
580             info->server = qmp_query_server_entry(
581                 vd->wslistener->sioc[i], true, vd->ws_auth,
582                 vd->ws_subauth, info->server);
583         }
584 
585         QAPI_LIST_PREPEND(prev, info);
586     }
587     return prev;
588 }
589 
590 bool vnc_display_reload_certs(const char *id, Error **errp)
591 {
592     VncDisplay *vd = vnc_display_find(id);
593     QCryptoTLSCredsClass *creds = NULL;
594 
595     if (!vd) {
596         error_setg(errp, "Can not find vnc display");
597         return false;
598     }
599 
600     if (!vd->tlscreds) {
601         error_setg(errp, "vnc tls is not enabled");
602         return false;
603     }
604 
605     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
606     if (creds->reload == NULL) {
607         error_setg(errp, "%s doesn't support to reload TLS credential",
608                    object_get_typename(OBJECT(vd->tlscreds)));
609         return false;
610     }
611     if (!creds->reload(vd->tlscreds, errp)) {
612         return false;
613     }
614 
615     return true;
616 }
617 
618 /* TODO
619    1) Get the queue working for IO.
620    2) there is some weirdness when using the -S option (the screen is grey
621       and not totally invalidated
622    3) resolutions > 1024
623 */
624 
625 static int vnc_update_client(VncState *vs, int has_dirty);
626 static void vnc_disconnect_start(VncState *vs);
627 
628 static void vnc_colordepth(VncState *vs);
629 static void framebuffer_update_request(VncState *vs, int incremental,
630                                        int x_position, int y_position,
631                                        int w, int h);
632 static void vnc_refresh(DisplayChangeListener *dcl);
633 static int vnc_refresh_server_surface(VncDisplay *vd);
634 
635 static int vnc_width(VncDisplay *vd)
636 {
637     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
638                                        VNC_DIRTY_PIXELS_PER_BIT));
639 }
640 
641 static int vnc_true_width(VncDisplay *vd)
642 {
643     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
644 }
645 
646 static int vnc_height(VncDisplay *vd)
647 {
648     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
649 }
650 
651 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
652                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
653                                VncDisplay *vd,
654                                int x, int y, int w, int h)
655 {
656     int width = vnc_width(vd);
657     int height = vnc_height(vd);
658 
659     /* this is needed this to ensure we updated all affected
660      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
661     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
662     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
663 
664     x = MIN(x, width);
665     y = MIN(y, height);
666     w = MIN(x + w, width) - x;
667     h = MIN(y + h, height);
668 
669     for (; y < h; y++) {
670         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
671                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
672     }
673 }
674 
675 static void vnc_dpy_update(DisplayChangeListener *dcl,
676                            int x, int y, int w, int h)
677 {
678     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
679     struct VncSurface *s = &vd->guest;
680 
681     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
682 }
683 
684 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
685                             int32_t encoding)
686 {
687     vnc_write_u16(vs, x);
688     vnc_write_u16(vs, y);
689     vnc_write_u16(vs, w);
690     vnc_write_u16(vs, h);
691 
692     vnc_write_s32(vs, encoding);
693 }
694 
695 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
696 {
697     trace_vnc_msg_server_ext_desktop_resize(
698         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
699 
700     vnc_lock_output(vs);
701     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
702     vnc_write_u8(vs, 0);
703     vnc_write_u16(vs, 1); /* number of rects */
704     vnc_framebuffer_update(vs,
705                            reject_reason ? 1 : 0,
706                            reject_reason,
707                            vs->client_width, vs->client_height,
708                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
709     vnc_write_u8(vs, 1);  /* number of screens */
710     vnc_write_u8(vs, 0);  /* padding */
711     vnc_write_u8(vs, 0);  /* padding */
712     vnc_write_u8(vs, 0);  /* padding */
713     vnc_write_u32(vs, 0); /* screen id */
714     vnc_write_u16(vs, 0); /* screen x-pos */
715     vnc_write_u16(vs, 0); /* screen y-pos */
716     vnc_write_u16(vs, vs->client_width);
717     vnc_write_u16(vs, vs->client_height);
718     vnc_write_u32(vs, 0); /* screen flags */
719     vnc_unlock_output(vs);
720     vnc_flush(vs);
721 }
722 
723 static void vnc_desktop_resize(VncState *vs)
724 {
725     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
726                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
727         return;
728     }
729     if (vs->client_width == vs->vd->true_width &&
730         vs->client_height == pixman_image_get_height(vs->vd->server)) {
731         return;
732     }
733 
734     assert(vs->vd->true_width < 65536 &&
735            vs->vd->true_width >= 0);
736     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
737            pixman_image_get_height(vs->vd->server) >= 0);
738     vs->client_width = vs->vd->true_width;
739     vs->client_height = pixman_image_get_height(vs->vd->server);
740 
741     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
742         vnc_desktop_resize_ext(vs, 0);
743         return;
744     }
745 
746     trace_vnc_msg_server_desktop_resize(
747         vs, vs->ioc, vs->client_width, vs->client_height);
748 
749     vnc_lock_output(vs);
750     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
751     vnc_write_u8(vs, 0);
752     vnc_write_u16(vs, 1); /* number of rects */
753     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
754                            VNC_ENCODING_DESKTOPRESIZE);
755     vnc_unlock_output(vs);
756     vnc_flush(vs);
757 }
758 
759 static void vnc_abort_display_jobs(VncDisplay *vd)
760 {
761     VncState *vs;
762 
763     QTAILQ_FOREACH(vs, &vd->clients, next) {
764         vnc_lock_output(vs);
765         vs->abort = true;
766         vnc_unlock_output(vs);
767     }
768     QTAILQ_FOREACH(vs, &vd->clients, next) {
769         vnc_jobs_join(vs);
770     }
771     QTAILQ_FOREACH(vs, &vd->clients, next) {
772         vnc_lock_output(vs);
773         if (vs->update == VNC_STATE_UPDATE_NONE &&
774             vs->job_update != VNC_STATE_UPDATE_NONE) {
775             /* job aborted before completion */
776             vs->update = vs->job_update;
777             vs->job_update = VNC_STATE_UPDATE_NONE;
778         }
779         vs->abort = false;
780         vnc_unlock_output(vs);
781     }
782 }
783 
784 int vnc_server_fb_stride(VncDisplay *vd)
785 {
786     return pixman_image_get_stride(vd->server);
787 }
788 
789 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
790 {
791     uint8_t *ptr;
792 
793     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
794     ptr += y * vnc_server_fb_stride(vd);
795     ptr += x * VNC_SERVER_FB_BYTES;
796     return ptr;
797 }
798 
799 static void vnc_update_server_surface(VncDisplay *vd)
800 {
801     int width, height;
802 
803     qemu_pixman_image_unref(vd->server);
804     vd->server = NULL;
805 
806     if (QTAILQ_EMPTY(&vd->clients)) {
807         return;
808     }
809 
810     width = vnc_width(vd);
811     height = vnc_height(vd);
812     vd->true_width = vnc_true_width(vd);
813     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
814                                           width, height,
815                                           NULL, 0);
816 
817     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
818     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
819                        width, height);
820 }
821 
822 static bool vnc_check_pageflip(DisplaySurface *s1,
823                                DisplaySurface *s2)
824 {
825     return (s1 != NULL &&
826             s2 != NULL &&
827             surface_width(s1) == surface_width(s2) &&
828             surface_height(s1) == surface_height(s2) &&
829             surface_format(s1) == surface_format(s2));
830 
831 }
832 
833 static void vnc_dpy_switch(DisplayChangeListener *dcl,
834                            DisplaySurface *surface)
835 {
836     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
837     bool pageflip = vnc_check_pageflip(vd->ds, surface);
838     VncState *vs;
839 
840     vnc_abort_display_jobs(vd);
841     vd->ds = surface;
842 
843     /* guest surface */
844     qemu_pixman_image_unref(vd->guest.fb);
845     vd->guest.fb = pixman_image_ref(surface->image);
846     vd->guest.format = surface->format;
847 
848 
849     if (pageflip) {
850         trace_vnc_server_dpy_pageflip(vd,
851                                       surface_width(surface),
852                                       surface_height(surface),
853                                       surface_format(surface));
854         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
855                            surface_width(surface),
856                            surface_height(surface));
857         return;
858     }
859 
860     trace_vnc_server_dpy_recreate(vd,
861                                   surface_width(surface),
862                                   surface_height(surface),
863                                   surface_format(surface));
864     /* server surface */
865     vnc_update_server_surface(vd);
866 
867     QTAILQ_FOREACH(vs, &vd->clients, next) {
868         vnc_colordepth(vs);
869         vnc_desktop_resize(vs);
870         vnc_cursor_define(vs);
871         memset(vs->dirty, 0x00, sizeof(vs->dirty));
872         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
873                            vnc_width(vd),
874                            vnc_height(vd));
875         vnc_update_throttle_offset(vs);
876     }
877 }
878 
879 /* fastest code */
880 static void vnc_write_pixels_copy(VncState *vs,
881                                   void *pixels, int size)
882 {
883     vnc_write(vs, pixels, size);
884 }
885 
886 /* slowest but generic code. */
887 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
888 {
889     uint8_t r, g, b;
890 
891 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
892     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
893     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
894     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
895 #else
896 # error need some bits here if you change VNC_SERVER_FB_FORMAT
897 #endif
898     v = (r << vs->client_pf.rshift) |
899         (g << vs->client_pf.gshift) |
900         (b << vs->client_pf.bshift);
901     switch (vs->client_pf.bytes_per_pixel) {
902     case 1:
903         buf[0] = v;
904         break;
905     case 2:
906         if (vs->client_be) {
907             buf[0] = v >> 8;
908             buf[1] = v;
909         } else {
910             buf[1] = v >> 8;
911             buf[0] = v;
912         }
913         break;
914     default:
915     case 4:
916         if (vs->client_be) {
917             buf[0] = v >> 24;
918             buf[1] = v >> 16;
919             buf[2] = v >> 8;
920             buf[3] = v;
921         } else {
922             buf[3] = v >> 24;
923             buf[2] = v >> 16;
924             buf[1] = v >> 8;
925             buf[0] = v;
926         }
927         break;
928     }
929 }
930 
931 static void vnc_write_pixels_generic(VncState *vs,
932                                      void *pixels1, int size)
933 {
934     uint8_t buf[4];
935 
936     if (VNC_SERVER_FB_BYTES == 4) {
937         uint32_t *pixels = pixels1;
938         int n, i;
939         n = size >> 2;
940         for (i = 0; i < n; i++) {
941             vnc_convert_pixel(vs, buf, pixels[i]);
942             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
943         }
944     }
945 }
946 
947 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
948 {
949     int i;
950     uint8_t *row;
951     VncDisplay *vd = vs->vd;
952 
953     row = vnc_server_fb_ptr(vd, x, y);
954     for (i = 0; i < h; i++) {
955         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
956         row += vnc_server_fb_stride(vd);
957     }
958     return 1;
959 }
960 
961 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
962 {
963     int n = 0;
964 
965     switch(vs->vnc_encoding) {
966         case VNC_ENCODING_ZLIB:
967             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_HEXTILE:
970             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
971             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
972             break;
973         case VNC_ENCODING_TIGHT:
974             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
975             break;
976         case VNC_ENCODING_TIGHT_PNG:
977             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
978             break;
979         case VNC_ENCODING_ZRLE:
980             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
981             break;
982         case VNC_ENCODING_ZYWRLE:
983             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
984             break;
985         default:
986             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
987             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
988             break;
989     }
990     return n;
991 }
992 
993 static void vnc_mouse_set(DisplayChangeListener *dcl,
994                           int x, int y, int visible)
995 {
996     /* can we ask the client(s) to move the pointer ??? */
997 }
998 
999 static int vnc_cursor_define(VncState *vs)
1000 {
1001     QEMUCursor *c = vs->vd->cursor;
1002     int isize;
1003 
1004     if (!vs->vd->cursor) {
1005         return -1;
1006     }
1007 
1008     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1009         vnc_lock_output(vs);
1010         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1011         vnc_write_u8(vs,  0);  /*  padding     */
1012         vnc_write_u16(vs, 1);  /*  # of rects  */
1013         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1014                                VNC_ENCODING_ALPHA_CURSOR);
1015         vnc_write_s32(vs, VNC_ENCODING_RAW);
1016         vnc_write(vs, c->data, c->width * c->height * 4);
1017         vnc_unlock_output(vs);
1018         return 0;
1019     }
1020     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1021         vnc_lock_output(vs);
1022         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1023         vnc_write_u8(vs,  0);  /*  padding     */
1024         vnc_write_u16(vs, 1);  /*  # of rects  */
1025         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1026                                VNC_ENCODING_RICH_CURSOR);
1027         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1028         vnc_write_pixels_generic(vs, c->data, isize);
1029         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1030         vnc_unlock_output(vs);
1031         return 0;
1032     }
1033     return -1;
1034 }
1035 
1036 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1037                                   QEMUCursor *c)
1038 {
1039     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1040     VncState *vs;
1041 
1042     cursor_put(vd->cursor);
1043     g_free(vd->cursor_mask);
1044 
1045     vd->cursor = c;
1046     cursor_get(vd->cursor);
1047     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1048     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1049     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1050 
1051     QTAILQ_FOREACH(vs, &vd->clients, next) {
1052         vnc_cursor_define(vs);
1053     }
1054 }
1055 
1056 static int find_and_clear_dirty_height(VncState *vs,
1057                                        int y, int last_x, int x, int height)
1058 {
1059     int h;
1060 
1061     for (h = 1; h < (height - y); h++) {
1062         if (!test_bit(last_x, vs->dirty[y + h])) {
1063             break;
1064         }
1065         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1066     }
1067 
1068     return h;
1069 }
1070 
1071 /*
1072  * Figure out how much pending data we should allow in the output
1073  * buffer before we throttle incremental display updates, and/or
1074  * drop audio samples.
1075  *
1076  * We allow for equiv of 1 full display's worth of FB updates,
1077  * and 1 second of audio samples. If audio backlog was larger
1078  * than that the client would already suffering awful audio
1079  * glitches, so dropping samples is no worse really).
1080  */
1081 static void vnc_update_throttle_offset(VncState *vs)
1082 {
1083     size_t offset =
1084         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1085 
1086     if (vs->audio_cap) {
1087         int bps;
1088         switch (vs->as.fmt) {
1089         default:
1090         case  AUDIO_FORMAT_U8:
1091         case  AUDIO_FORMAT_S8:
1092             bps = 1;
1093             break;
1094         case  AUDIO_FORMAT_U16:
1095         case  AUDIO_FORMAT_S16:
1096             bps = 2;
1097             break;
1098         case  AUDIO_FORMAT_U32:
1099         case  AUDIO_FORMAT_S32:
1100             bps = 4;
1101             break;
1102         }
1103         offset += vs->as.freq * bps * vs->as.nchannels;
1104     }
1105 
1106     /* Put a floor of 1MB on offset, so that if we have a large pending
1107      * buffer and the display is resized to a small size & back again
1108      * we don't suddenly apply a tiny send limit
1109      */
1110     offset = MAX(offset, 1024 * 1024);
1111 
1112     if (vs->throttle_output_offset != offset) {
1113         trace_vnc_client_throttle_threshold(
1114             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1115             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1116     }
1117 
1118     vs->throttle_output_offset = offset;
1119 }
1120 
1121 static bool vnc_should_update(VncState *vs)
1122 {
1123     switch (vs->update) {
1124     case VNC_STATE_UPDATE_NONE:
1125         break;
1126     case VNC_STATE_UPDATE_INCREMENTAL:
1127         /* Only allow incremental updates if the pending send queue
1128          * is less than the permitted threshold, and the job worker
1129          * is completely idle.
1130          */
1131         if (vs->output.offset < vs->throttle_output_offset &&
1132             vs->job_update == VNC_STATE_UPDATE_NONE) {
1133             return true;
1134         }
1135         trace_vnc_client_throttle_incremental(
1136             vs, vs->ioc, vs->job_update, vs->output.offset);
1137         break;
1138     case VNC_STATE_UPDATE_FORCE:
1139         /* Only allow forced updates if the pending send queue
1140          * does not contain a previous forced update, and the
1141          * job worker is completely idle.
1142          *
1143          * Note this means we'll queue a forced update, even if
1144          * the output buffer size is otherwise over the throttle
1145          * output limit.
1146          */
1147         if (vs->force_update_offset == 0 &&
1148             vs->job_update == VNC_STATE_UPDATE_NONE) {
1149             return true;
1150         }
1151         trace_vnc_client_throttle_forced(
1152             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1153         break;
1154     }
1155     return false;
1156 }
1157 
1158 static int vnc_update_client(VncState *vs, int has_dirty)
1159 {
1160     VncDisplay *vd = vs->vd;
1161     VncJob *job;
1162     int y;
1163     int height, width;
1164     int n = 0;
1165 
1166     if (vs->disconnecting) {
1167         vnc_disconnect_finish(vs);
1168         return 0;
1169     }
1170 
1171     vs->has_dirty += has_dirty;
1172     if (!vnc_should_update(vs)) {
1173         return 0;
1174     }
1175 
1176     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1177         return 0;
1178     }
1179 
1180     /*
1181      * Send screen updates to the vnc client using the server
1182      * surface and server dirty map.  guest surface updates
1183      * happening in parallel don't disturb us, the next pass will
1184      * send them to the client.
1185      */
1186     job = vnc_job_new(vs);
1187 
1188     height = pixman_image_get_height(vd->server);
1189     width = pixman_image_get_width(vd->server);
1190 
1191     y = 0;
1192     for (;;) {
1193         int x, h;
1194         unsigned long x2;
1195         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1196                                              height * VNC_DIRTY_BPL(vs),
1197                                              y * VNC_DIRTY_BPL(vs));
1198         if (offset == height * VNC_DIRTY_BPL(vs)) {
1199             /* no more dirty bits */
1200             break;
1201         }
1202         y = offset / VNC_DIRTY_BPL(vs);
1203         x = offset % VNC_DIRTY_BPL(vs);
1204         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1205                                 VNC_DIRTY_BPL(vs), x);
1206         bitmap_clear(vs->dirty[y], x, x2 - x);
1207         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1208         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1209         if (x2 > x) {
1210             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1211                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1212         }
1213         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1214             y += h;
1215             if (y == height) {
1216                 break;
1217             }
1218         }
1219     }
1220 
1221     vs->job_update = vs->update;
1222     vs->update = VNC_STATE_UPDATE_NONE;
1223     vnc_job_push(job);
1224     vs->has_dirty = 0;
1225     return n;
1226 }
1227 
1228 /* audio */
1229 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1230 {
1231     VncState *vs = opaque;
1232 
1233     assert(vs->magic == VNC_MAGIC);
1234     switch (cmd) {
1235     case AUD_CNOTIFY_DISABLE:
1236         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1237         vnc_lock_output(vs);
1238         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1239         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1240         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1241         vnc_unlock_output(vs);
1242         vnc_flush(vs);
1243         break;
1244 
1245     case AUD_CNOTIFY_ENABLE:
1246         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1247         vnc_lock_output(vs);
1248         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1249         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1250         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1251         vnc_unlock_output(vs);
1252         vnc_flush(vs);
1253         break;
1254     }
1255 }
1256 
1257 static void audio_capture_destroy(void *opaque)
1258 {
1259 }
1260 
1261 static void audio_capture(void *opaque, const void *buf, int size)
1262 {
1263     VncState *vs = opaque;
1264 
1265     assert(vs->magic == VNC_MAGIC);
1266     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1267     vnc_lock_output(vs);
1268     if (vs->output.offset < vs->throttle_output_offset) {
1269         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1270         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1271         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1272         vnc_write_u32(vs, size);
1273         vnc_write(vs, buf, size);
1274     } else {
1275         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1276     }
1277     vnc_unlock_output(vs);
1278     vnc_flush(vs);
1279 }
1280 
1281 static void audio_add(VncState *vs)
1282 {
1283     struct audio_capture_ops ops;
1284 
1285     if (vs->audio_cap) {
1286         error_report("audio already running");
1287         return;
1288     }
1289 
1290     ops.notify = audio_capture_notify;
1291     ops.destroy = audio_capture_destroy;
1292     ops.capture = audio_capture;
1293 
1294     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1295     if (!vs->audio_cap) {
1296         error_report("Failed to add audio capture");
1297     }
1298 }
1299 
1300 static void audio_del(VncState *vs)
1301 {
1302     if (vs->audio_cap) {
1303         AUD_del_capture(vs->audio_cap, vs);
1304         vs->audio_cap = NULL;
1305     }
1306 }
1307 
1308 static void vnc_disconnect_start(VncState *vs)
1309 {
1310     if (vs->disconnecting) {
1311         return;
1312     }
1313     trace_vnc_client_disconnect_start(vs, vs->ioc);
1314     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1315     if (vs->ioc_tag) {
1316         g_source_remove(vs->ioc_tag);
1317         vs->ioc_tag = 0;
1318     }
1319     qio_channel_close(vs->ioc, NULL);
1320     vs->disconnecting = TRUE;
1321 }
1322 
1323 void vnc_disconnect_finish(VncState *vs)
1324 {
1325     int i;
1326 
1327     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1328 
1329     vnc_jobs_join(vs); /* Wait encoding jobs */
1330 
1331     vnc_lock_output(vs);
1332     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1333 
1334     buffer_free(&vs->input);
1335     buffer_free(&vs->output);
1336 
1337     qapi_free_VncClientInfo(vs->info);
1338 
1339     vnc_zlib_clear(vs);
1340     vnc_tight_clear(vs);
1341     vnc_zrle_clear(vs);
1342 
1343 #ifdef CONFIG_VNC_SASL
1344     vnc_sasl_client_cleanup(vs);
1345 #endif /* CONFIG_VNC_SASL */
1346     audio_del(vs);
1347     qkbd_state_lift_all_keys(vs->vd->kbd);
1348 
1349     if (vs->mouse_mode_notifier.notify != NULL) {
1350         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1351     }
1352     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1353     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1354         /* last client gone */
1355         vnc_update_server_surface(vs->vd);
1356     }
1357     vnc_unlock_output(vs);
1358 
1359     if (vs->cbpeer.notifier.notify) {
1360         qemu_clipboard_peer_unregister(&vs->cbpeer);
1361     }
1362 
1363     qemu_mutex_destroy(&vs->output_mutex);
1364     if (vs->bh != NULL) {
1365         qemu_bh_delete(vs->bh);
1366     }
1367     buffer_free(&vs->jobs_buffer);
1368 
1369     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1370         g_free(vs->lossy_rect[i]);
1371     }
1372     g_free(vs->lossy_rect);
1373 
1374     object_unref(OBJECT(vs->ioc));
1375     vs->ioc = NULL;
1376     object_unref(OBJECT(vs->sioc));
1377     vs->sioc = NULL;
1378     vs->magic = 0;
1379     g_free(vs->zrle);
1380     g_free(vs->tight);
1381     g_free(vs);
1382 }
1383 
1384 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1385 {
1386     if (ret <= 0) {
1387         if (ret == 0) {
1388             trace_vnc_client_eof(vs, vs->ioc);
1389             vnc_disconnect_start(vs);
1390         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1391             trace_vnc_client_io_error(vs, vs->ioc,
1392                                       err ? error_get_pretty(err) : "Unknown");
1393             vnc_disconnect_start(vs);
1394         }
1395 
1396         error_free(err);
1397         return 0;
1398     }
1399     return ret;
1400 }
1401 
1402 
1403 void vnc_client_error(VncState *vs)
1404 {
1405     VNC_DEBUG("Closing down client sock: protocol error\n");
1406     vnc_disconnect_start(vs);
1407 }
1408 
1409 
1410 /*
1411  * Called to write a chunk of data to the client socket. The data may
1412  * be the raw data, or may have already been encoded by SASL.
1413  * The data will be written either straight onto the socket, or
1414  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1415  *
1416  * NB, it is theoretically possible to have 2 layers of encryption,
1417  * both SASL, and this TLS layer. It is highly unlikely in practice
1418  * though, since SASL encryption will typically be a no-op if TLS
1419  * is active
1420  *
1421  * Returns the number of bytes written, which may be less than
1422  * the requested 'datalen' if the socket would block. Returns
1423  * 0 on I/O error, and disconnects the client socket.
1424  */
1425 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1426 {
1427     Error *err = NULL;
1428     ssize_t ret;
1429     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1430     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1431     return vnc_client_io_error(vs, ret, err);
1432 }
1433 
1434 
1435 /*
1436  * Called to write buffered data to the client socket, when not
1437  * using any SASL SSF encryption layers. Will write as much data
1438  * as possible without blocking. If all buffered data is written,
1439  * will switch the FD poll() handler back to read monitoring.
1440  *
1441  * Returns the number of bytes written, which may be less than
1442  * the buffered output data if the socket would block.  Returns
1443  * 0 on I/O error, and disconnects the client socket.
1444  */
1445 static size_t vnc_client_write_plain(VncState *vs)
1446 {
1447     size_t offset;
1448     size_t ret;
1449 
1450 #ifdef CONFIG_VNC_SASL
1451     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1452               vs->output.buffer, vs->output.capacity, vs->output.offset,
1453               vs->sasl.waitWriteSSF);
1454 
1455     if (vs->sasl.conn &&
1456         vs->sasl.runSSF &&
1457         vs->sasl.waitWriteSSF) {
1458         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1459         if (ret)
1460             vs->sasl.waitWriteSSF -= ret;
1461     } else
1462 #endif /* CONFIG_VNC_SASL */
1463         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1464     if (!ret)
1465         return 0;
1466 
1467     if (ret >= vs->force_update_offset) {
1468         if (vs->force_update_offset != 0) {
1469             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1470         }
1471         vs->force_update_offset = 0;
1472     } else {
1473         vs->force_update_offset -= ret;
1474     }
1475     offset = vs->output.offset;
1476     buffer_advance(&vs->output, ret);
1477     if (offset >= vs->throttle_output_offset &&
1478         vs->output.offset < vs->throttle_output_offset) {
1479         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1480     }
1481 
1482     if (vs->output.offset == 0) {
1483         if (vs->ioc_tag) {
1484             g_source_remove(vs->ioc_tag);
1485         }
1486         vs->ioc_tag = qio_channel_add_watch(
1487             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1488             vnc_client_io, vs, NULL);
1489     }
1490 
1491     return ret;
1492 }
1493 
1494 
1495 /*
1496  * First function called whenever there is data to be written to
1497  * the client socket. Will delegate actual work according to whether
1498  * SASL SSF layers are enabled (thus requiring encryption calls)
1499  */
1500 static void vnc_client_write_locked(VncState *vs)
1501 {
1502 #ifdef CONFIG_VNC_SASL
1503     if (vs->sasl.conn &&
1504         vs->sasl.runSSF &&
1505         !vs->sasl.waitWriteSSF) {
1506         vnc_client_write_sasl(vs);
1507     } else
1508 #endif /* CONFIG_VNC_SASL */
1509     {
1510         vnc_client_write_plain(vs);
1511     }
1512 }
1513 
1514 static void vnc_client_write(VncState *vs)
1515 {
1516     assert(vs->magic == VNC_MAGIC);
1517     vnc_lock_output(vs);
1518     if (vs->output.offset) {
1519         vnc_client_write_locked(vs);
1520     } else if (vs->ioc != NULL) {
1521         if (vs->ioc_tag) {
1522             g_source_remove(vs->ioc_tag);
1523         }
1524         vs->ioc_tag = qio_channel_add_watch(
1525             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1526             vnc_client_io, vs, NULL);
1527     }
1528     vnc_unlock_output(vs);
1529 }
1530 
1531 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1532 {
1533     vs->read_handler = func;
1534     vs->read_handler_expect = expecting;
1535 }
1536 
1537 
1538 /*
1539  * Called to read a chunk of data from the client socket. The data may
1540  * be the raw data, or may need to be further decoded by SASL.
1541  * The data will be read either straight from to the socket, or
1542  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1543  *
1544  * NB, it is theoretically possible to have 2 layers of encryption,
1545  * both SASL, and this TLS layer. It is highly unlikely in practice
1546  * though, since SASL encryption will typically be a no-op if TLS
1547  * is active
1548  *
1549  * Returns the number of bytes read, which may be less than
1550  * the requested 'datalen' if the socket would block. Returns
1551  * 0 on I/O error or EOF, and disconnects the client socket.
1552  */
1553 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1554 {
1555     ssize_t ret;
1556     Error *err = NULL;
1557     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1558     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1559     return vnc_client_io_error(vs, ret, err);
1560 }
1561 
1562 
1563 /*
1564  * Called to read data from the client socket to the input buffer,
1565  * when not using any SASL SSF encryption layers. Will read as much
1566  * data as possible without blocking.
1567  *
1568  * Returns the number of bytes read, which may be less than
1569  * the requested 'datalen' if the socket would block. Returns
1570  * 0 on I/O error or EOF, and disconnects the client socket.
1571  */
1572 static size_t vnc_client_read_plain(VncState *vs)
1573 {
1574     size_t ret;
1575     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1576               vs->input.buffer, vs->input.capacity, vs->input.offset);
1577     buffer_reserve(&vs->input, 4096);
1578     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1579     if (!ret)
1580         return 0;
1581     vs->input.offset += ret;
1582     return ret;
1583 }
1584 
1585 static void vnc_jobs_bh(void *opaque)
1586 {
1587     VncState *vs = opaque;
1588 
1589     assert(vs->magic == VNC_MAGIC);
1590     vnc_jobs_consume_buffer(vs);
1591 }
1592 
1593 /*
1594  * First function called whenever there is more data to be read from
1595  * the client socket. Will delegate actual work according to whether
1596  * SASL SSF layers are enabled (thus requiring decryption calls)
1597  * Returns 0 on success, -1 if client disconnected
1598  */
1599 static int vnc_client_read(VncState *vs)
1600 {
1601     size_t ret;
1602 
1603 #ifdef CONFIG_VNC_SASL
1604     if (vs->sasl.conn && vs->sasl.runSSF)
1605         ret = vnc_client_read_sasl(vs);
1606     else
1607 #endif /* CONFIG_VNC_SASL */
1608         ret = vnc_client_read_plain(vs);
1609     if (!ret) {
1610         if (vs->disconnecting) {
1611             vnc_disconnect_finish(vs);
1612             return -1;
1613         }
1614         return 0;
1615     }
1616 
1617     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1618         size_t len = vs->read_handler_expect;
1619         int ret;
1620 
1621         ret = vs->read_handler(vs, vs->input.buffer, len);
1622         if (vs->disconnecting) {
1623             vnc_disconnect_finish(vs);
1624             return -1;
1625         }
1626 
1627         if (!ret) {
1628             buffer_advance(&vs->input, len);
1629         } else {
1630             vs->read_handler_expect = ret;
1631         }
1632     }
1633     return 0;
1634 }
1635 
1636 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1637                        GIOCondition condition, void *opaque)
1638 {
1639     VncState *vs = opaque;
1640 
1641     assert(vs->magic == VNC_MAGIC);
1642 
1643     if (condition & (G_IO_HUP | G_IO_ERR)) {
1644         vnc_disconnect_start(vs);
1645         return TRUE;
1646     }
1647 
1648     if (condition & G_IO_IN) {
1649         if (vnc_client_read(vs) < 0) {
1650             /* vs is free()ed here */
1651             return TRUE;
1652         }
1653     }
1654     if (condition & G_IO_OUT) {
1655         vnc_client_write(vs);
1656     }
1657 
1658     if (vs->disconnecting) {
1659         if (vs->ioc_tag != 0) {
1660             g_source_remove(vs->ioc_tag);
1661         }
1662         vs->ioc_tag = 0;
1663     }
1664     return TRUE;
1665 }
1666 
1667 
1668 /*
1669  * Scale factor to apply to vs->throttle_output_offset when checking for
1670  * hard limit. Worst case normal usage could be x2, if we have a complete
1671  * incremental update and complete forced update in the output buffer.
1672  * So x3 should be good enough, but we pick x5 to be conservative and thus
1673  * (hopefully) never trigger incorrectly.
1674  */
1675 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1676 
1677 void vnc_write(VncState *vs, const void *data, size_t len)
1678 {
1679     assert(vs->magic == VNC_MAGIC);
1680     if (vs->disconnecting) {
1681         return;
1682     }
1683     /* Protection against malicious client/guest to prevent our output
1684      * buffer growing without bound if client stops reading data. This
1685      * should rarely trigger, because we have earlier throttling code
1686      * which stops issuing framebuffer updates and drops audio data
1687      * if the throttle_output_offset value is exceeded. So we only reach
1688      * this higher level if a huge number of pseudo-encodings get
1689      * triggered while data can't be sent on the socket.
1690      *
1691      * NB throttle_output_offset can be zero during early protocol
1692      * handshake, or from the job thread's VncState clone
1693      */
1694     if (vs->throttle_output_offset != 0 &&
1695         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1696         vs->throttle_output_offset) {
1697         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1698                                       vs->throttle_output_offset);
1699         vnc_disconnect_start(vs);
1700         return;
1701     }
1702     buffer_reserve(&vs->output, len);
1703 
1704     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1705         if (vs->ioc_tag) {
1706             g_source_remove(vs->ioc_tag);
1707         }
1708         vs->ioc_tag = qio_channel_add_watch(
1709             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1710             vnc_client_io, vs, NULL);
1711     }
1712 
1713     buffer_append(&vs->output, data, len);
1714 }
1715 
1716 void vnc_write_s32(VncState *vs, int32_t value)
1717 {
1718     vnc_write_u32(vs, *(uint32_t *)&value);
1719 }
1720 
1721 void vnc_write_u32(VncState *vs, uint32_t value)
1722 {
1723     uint8_t buf[4];
1724 
1725     buf[0] = (value >> 24) & 0xFF;
1726     buf[1] = (value >> 16) & 0xFF;
1727     buf[2] = (value >>  8) & 0xFF;
1728     buf[3] = value & 0xFF;
1729 
1730     vnc_write(vs, buf, 4);
1731 }
1732 
1733 void vnc_write_u16(VncState *vs, uint16_t value)
1734 {
1735     uint8_t buf[2];
1736 
1737     buf[0] = (value >> 8) & 0xFF;
1738     buf[1] = value & 0xFF;
1739 
1740     vnc_write(vs, buf, 2);
1741 }
1742 
1743 void vnc_write_u8(VncState *vs, uint8_t value)
1744 {
1745     vnc_write(vs, (char *)&value, 1);
1746 }
1747 
1748 void vnc_flush(VncState *vs)
1749 {
1750     vnc_lock_output(vs);
1751     if (vs->ioc != NULL && vs->output.offset) {
1752         vnc_client_write_locked(vs);
1753     }
1754     if (vs->disconnecting) {
1755         if (vs->ioc_tag != 0) {
1756             g_source_remove(vs->ioc_tag);
1757         }
1758         vs->ioc_tag = 0;
1759     }
1760     vnc_unlock_output(vs);
1761 }
1762 
1763 static uint8_t read_u8(uint8_t *data, size_t offset)
1764 {
1765     return data[offset];
1766 }
1767 
1768 static uint16_t read_u16(uint8_t *data, size_t offset)
1769 {
1770     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1771 }
1772 
1773 static int32_t read_s32(uint8_t *data, size_t offset)
1774 {
1775     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1776                      (data[offset + 2] << 8) | data[offset + 3]);
1777 }
1778 
1779 uint32_t read_u32(uint8_t *data, size_t offset)
1780 {
1781     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1782             (data[offset + 2] << 8) | data[offset + 3]);
1783 }
1784 
1785 static void check_pointer_type_change(Notifier *notifier, void *data)
1786 {
1787     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1788     int absolute = qemu_input_is_absolute();
1789 
1790     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1791         vnc_lock_output(vs);
1792         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1793         vnc_write_u8(vs, 0);
1794         vnc_write_u16(vs, 1);
1795         vnc_framebuffer_update(vs, absolute, 0,
1796                                pixman_image_get_width(vs->vd->server),
1797                                pixman_image_get_height(vs->vd->server),
1798                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1799         vnc_unlock_output(vs);
1800         vnc_flush(vs);
1801     }
1802     vs->absolute = absolute;
1803 }
1804 
1805 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1806 {
1807     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1808         [INPUT_BUTTON_LEFT]       = 0x01,
1809         [INPUT_BUTTON_MIDDLE]     = 0x02,
1810         [INPUT_BUTTON_RIGHT]      = 0x04,
1811         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1812         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1813     };
1814     QemuConsole *con = vs->vd->dcl.con;
1815     int width = pixman_image_get_width(vs->vd->server);
1816     int height = pixman_image_get_height(vs->vd->server);
1817 
1818     if (vs->last_bmask != button_mask) {
1819         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1820         vs->last_bmask = button_mask;
1821     }
1822 
1823     if (vs->absolute) {
1824         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1825         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1826     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1827         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1828         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1829     } else {
1830         if (vs->last_x != -1) {
1831             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1832             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1833         }
1834         vs->last_x = x;
1835         vs->last_y = y;
1836     }
1837     qemu_input_event_sync();
1838 }
1839 
1840 static void press_key(VncState *vs, QKeyCode qcode)
1841 {
1842     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1843     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1844 }
1845 
1846 static void vnc_led_state_change(VncState *vs)
1847 {
1848     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1849         return;
1850     }
1851 
1852     vnc_lock_output(vs);
1853     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1854     vnc_write_u8(vs, 0);
1855     vnc_write_u16(vs, 1);
1856     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1857     vnc_write_u8(vs, vs->vd->ledstate);
1858     vnc_unlock_output(vs);
1859     vnc_flush(vs);
1860 }
1861 
1862 static void kbd_leds(void *opaque, int ledstate)
1863 {
1864     VncDisplay *vd = opaque;
1865     VncState *client;
1866 
1867     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1868                              (ledstate & QEMU_NUM_LOCK_LED),
1869                              (ledstate & QEMU_SCROLL_LOCK_LED));
1870 
1871     if (ledstate == vd->ledstate) {
1872         return;
1873     }
1874 
1875     vd->ledstate = ledstate;
1876 
1877     QTAILQ_FOREACH(client, &vd->clients, next) {
1878         vnc_led_state_change(client);
1879     }
1880 }
1881 
1882 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1883 {
1884     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1885 
1886     /* QEMU console switch */
1887     switch (qcode) {
1888     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1889         if (vs->vd->dcl.con == NULL && down &&
1890             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1891             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1892             /* Reset the modifiers sent to the current console */
1893             qkbd_state_lift_all_keys(vs->vd->kbd);
1894             console_select(qcode - Q_KEY_CODE_1);
1895             return;
1896         }
1897     default:
1898         break;
1899     }
1900 
1901     /* Turn off the lock state sync logic if the client support the led
1902        state extension.
1903     */
1904     if (down && vs->vd->lock_key_sync &&
1905         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1906         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1907         /* If the numlock state needs to change then simulate an additional
1908            keypress before sending this one.  This will happen if the user
1909            toggles numlock away from the VNC window.
1910         */
1911         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1912             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1913                 trace_vnc_key_sync_numlock(true);
1914                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1915             }
1916         } else {
1917             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1918                 trace_vnc_key_sync_numlock(false);
1919                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1920             }
1921         }
1922     }
1923 
1924     if (down && vs->vd->lock_key_sync &&
1925         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1926         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1927         /* If the capslock state needs to change then simulate an additional
1928            keypress before sending this one.  This will happen if the user
1929            toggles capslock away from the VNC window.
1930         */
1931         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1932         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1933         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1934         if (capslock) {
1935             if (uppercase == shift) {
1936                 trace_vnc_key_sync_capslock(false);
1937                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1938             }
1939         } else {
1940             if (uppercase != shift) {
1941                 trace_vnc_key_sync_capslock(true);
1942                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1943             }
1944         }
1945     }
1946 
1947     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1948     if (!qemu_console_is_graphic(NULL)) {
1949         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1950         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1951         /* QEMU console emulation */
1952         if (down) {
1953             switch (keycode) {
1954             case 0x2a:                          /* Left Shift */
1955             case 0x36:                          /* Right Shift */
1956             case 0x1d:                          /* Left CTRL */
1957             case 0x9d:                          /* Right CTRL */
1958             case 0x38:                          /* Left ALT */
1959             case 0xb8:                          /* Right ALT */
1960                 break;
1961             case 0xc8:
1962                 kbd_put_keysym(QEMU_KEY_UP);
1963                 break;
1964             case 0xd0:
1965                 kbd_put_keysym(QEMU_KEY_DOWN);
1966                 break;
1967             case 0xcb:
1968                 kbd_put_keysym(QEMU_KEY_LEFT);
1969                 break;
1970             case 0xcd:
1971                 kbd_put_keysym(QEMU_KEY_RIGHT);
1972                 break;
1973             case 0xd3:
1974                 kbd_put_keysym(QEMU_KEY_DELETE);
1975                 break;
1976             case 0xc7:
1977                 kbd_put_keysym(QEMU_KEY_HOME);
1978                 break;
1979             case 0xcf:
1980                 kbd_put_keysym(QEMU_KEY_END);
1981                 break;
1982             case 0xc9:
1983                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1984                 break;
1985             case 0xd1:
1986                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1987                 break;
1988 
1989             case 0x47:
1990                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1991                 break;
1992             case 0x48:
1993                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1994                 break;
1995             case 0x49:
1996                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1997                 break;
1998             case 0x4b:
1999                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
2000                 break;
2001             case 0x4c:
2002                 kbd_put_keysym('5');
2003                 break;
2004             case 0x4d:
2005                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2006                 break;
2007             case 0x4f:
2008                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2009                 break;
2010             case 0x50:
2011                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2012                 break;
2013             case 0x51:
2014                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2015                 break;
2016             case 0x52:
2017                 kbd_put_keysym('0');
2018                 break;
2019             case 0x53:
2020                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2021                 break;
2022 
2023             case 0xb5:
2024                 kbd_put_keysym('/');
2025                 break;
2026             case 0x37:
2027                 kbd_put_keysym('*');
2028                 break;
2029             case 0x4a:
2030                 kbd_put_keysym('-');
2031                 break;
2032             case 0x4e:
2033                 kbd_put_keysym('+');
2034                 break;
2035             case 0x9c:
2036                 kbd_put_keysym('\n');
2037                 break;
2038 
2039             default:
2040                 if (control) {
2041                     kbd_put_keysym(sym & 0x1f);
2042                 } else {
2043                     kbd_put_keysym(sym);
2044                 }
2045                 break;
2046             }
2047         }
2048     }
2049 }
2050 
2051 static const char *code2name(int keycode)
2052 {
2053     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2054 }
2055 
2056 static void key_event(VncState *vs, int down, uint32_t sym)
2057 {
2058     int keycode;
2059     int lsym = sym;
2060 
2061     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2062         lsym = lsym - 'A' + 'a';
2063     }
2064 
2065     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2066                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2067     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2068     do_key_event(vs, down, keycode, sym);
2069 }
2070 
2071 static void ext_key_event(VncState *vs, int down,
2072                           uint32_t sym, uint16_t keycode)
2073 {
2074     /* if the user specifies a keyboard layout, always use it */
2075     if (keyboard_layout) {
2076         key_event(vs, down, sym);
2077     } else {
2078         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2079         do_key_event(vs, down, keycode, sym);
2080     }
2081 }
2082 
2083 static void framebuffer_update_request(VncState *vs, int incremental,
2084                                        int x, int y, int w, int h)
2085 {
2086     if (incremental) {
2087         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2088             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2089         }
2090     } else {
2091         vs->update = VNC_STATE_UPDATE_FORCE;
2092         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2093         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2094             vnc_desktop_resize_ext(vs, 0);
2095         }
2096     }
2097 }
2098 
2099 static void send_ext_key_event_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_EXT_KEY_EVENT);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_ext_audio_ack(VncState *vs)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2117     vnc_write_u8(vs, 0);
2118     vnc_write_u16(vs, 1);
2119     vnc_framebuffer_update(vs, 0, 0,
2120                            pixman_image_get_width(vs->vd->server),
2121                            pixman_image_get_height(vs->vd->server),
2122                            VNC_ENCODING_AUDIO);
2123     vnc_unlock_output(vs);
2124     vnc_flush(vs);
2125 }
2126 
2127 static void send_xvp_message(VncState *vs, int code)
2128 {
2129     vnc_lock_output(vs);
2130     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2131     vnc_write_u8(vs, 0); /* pad */
2132     vnc_write_u8(vs, 1); /* version */
2133     vnc_write_u8(vs, code);
2134     vnc_unlock_output(vs);
2135     vnc_flush(vs);
2136 }
2137 
2138 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2139 {
2140     int i;
2141     unsigned int enc = 0;
2142 
2143     vs->features = 0;
2144     vs->vnc_encoding = 0;
2145     vs->tight->compression = 9;
2146     vs->tight->quality = -1; /* Lossless by default */
2147     vs->absolute = -1;
2148 
2149     /*
2150      * Start from the end because the encodings are sent in order of preference.
2151      * This way the preferred encoding (first encoding defined in the array)
2152      * will be set at the end of the loop.
2153      */
2154     for (i = n_encodings - 1; i >= 0; i--) {
2155         enc = encodings[i];
2156         switch (enc) {
2157         case VNC_ENCODING_RAW:
2158             vs->vnc_encoding = enc;
2159             break;
2160         case VNC_ENCODING_HEXTILE:
2161             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2162             vs->vnc_encoding = enc;
2163             break;
2164         case VNC_ENCODING_TIGHT:
2165             vs->features |= VNC_FEATURE_TIGHT_MASK;
2166             vs->vnc_encoding = enc;
2167             break;
2168 #ifdef CONFIG_PNG
2169         case VNC_ENCODING_TIGHT_PNG:
2170             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2171             vs->vnc_encoding = enc;
2172             break;
2173 #endif
2174         case VNC_ENCODING_ZLIB:
2175             /*
2176              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2177              * So prioritize ZRLE, even if the client hints that it prefers
2178              * ZLIB.
2179              */
2180             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2181                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2182                 vs->vnc_encoding = enc;
2183             }
2184             break;
2185         case VNC_ENCODING_ZRLE:
2186             vs->features |= VNC_FEATURE_ZRLE_MASK;
2187             vs->vnc_encoding = enc;
2188             break;
2189         case VNC_ENCODING_ZYWRLE:
2190             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2191             vs->vnc_encoding = enc;
2192             break;
2193         case VNC_ENCODING_DESKTOPRESIZE:
2194             vs->features |= VNC_FEATURE_RESIZE_MASK;
2195             break;
2196         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2197             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2198             break;
2199         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2200             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2201             break;
2202         case VNC_ENCODING_RICH_CURSOR:
2203             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2204             break;
2205         case VNC_ENCODING_ALPHA_CURSOR:
2206             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2207             break;
2208         case VNC_ENCODING_EXT_KEY_EVENT:
2209             send_ext_key_event_ack(vs);
2210             break;
2211         case VNC_ENCODING_AUDIO:
2212             send_ext_audio_ack(vs);
2213             break;
2214         case VNC_ENCODING_WMVi:
2215             vs->features |= VNC_FEATURE_WMVI_MASK;
2216             break;
2217         case VNC_ENCODING_LED_STATE:
2218             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2219             break;
2220         case VNC_ENCODING_XVP:
2221             if (vs->vd->power_control) {
2222                 vs->features |= VNC_FEATURE_XVP;
2223                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2224             }
2225             break;
2226         case VNC_ENCODING_CLIPBOARD_EXT:
2227             vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2228             vnc_server_cut_text_caps(vs);
2229             break;
2230         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2231             vs->tight->compression = (enc & 0x0F);
2232             break;
2233         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2234             if (vs->vd->lossy) {
2235                 vs->tight->quality = (enc & 0x0F);
2236             }
2237             break;
2238         default:
2239             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2240             break;
2241         }
2242     }
2243     vnc_desktop_resize(vs);
2244     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2245     vnc_led_state_change(vs);
2246     vnc_cursor_define(vs);
2247 }
2248 
2249 static void set_pixel_conversion(VncState *vs)
2250 {
2251     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2252 
2253     if (fmt == VNC_SERVER_FB_FORMAT) {
2254         vs->write_pixels = vnc_write_pixels_copy;
2255         vnc_hextile_set_pixel_conversion(vs, 0);
2256     } else {
2257         vs->write_pixels = vnc_write_pixels_generic;
2258         vnc_hextile_set_pixel_conversion(vs, 1);
2259     }
2260 }
2261 
2262 static void send_color_map(VncState *vs)
2263 {
2264     int i;
2265 
2266     vnc_lock_output(vs);
2267     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2268     vnc_write_u8(vs,  0);    /* padding     */
2269     vnc_write_u16(vs, 0);    /* first color */
2270     vnc_write_u16(vs, 256);  /* # of colors */
2271 
2272     for (i = 0; i < 256; i++) {
2273         PixelFormat *pf = &vs->client_pf;
2274 
2275         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2276         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2277         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2278     }
2279     vnc_unlock_output(vs);
2280 }
2281 
2282 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2283                              int big_endian_flag, int true_color_flag,
2284                              int red_max, int green_max, int blue_max,
2285                              int red_shift, int green_shift, int blue_shift)
2286 {
2287     if (!true_color_flag) {
2288         /* Expose a reasonable default 256 color map */
2289         bits_per_pixel = 8;
2290         red_max = 7;
2291         green_max = 7;
2292         blue_max = 3;
2293         red_shift = 0;
2294         green_shift = 3;
2295         blue_shift = 6;
2296     }
2297 
2298     switch (bits_per_pixel) {
2299     case 8:
2300     case 16:
2301     case 32:
2302         break;
2303     default:
2304         vnc_client_error(vs);
2305         return;
2306     }
2307 
2308     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2309     vs->client_pf.rbits = ctpopl(red_max);
2310     vs->client_pf.rshift = red_shift;
2311     vs->client_pf.rmask = red_max << red_shift;
2312     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2313     vs->client_pf.gbits = ctpopl(green_max);
2314     vs->client_pf.gshift = green_shift;
2315     vs->client_pf.gmask = green_max << green_shift;
2316     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2317     vs->client_pf.bbits = ctpopl(blue_max);
2318     vs->client_pf.bshift = blue_shift;
2319     vs->client_pf.bmask = blue_max << blue_shift;
2320     vs->client_pf.bits_per_pixel = bits_per_pixel;
2321     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2322     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2323     vs->client_be = big_endian_flag;
2324 
2325     if (!true_color_flag) {
2326         send_color_map(vs);
2327     }
2328 
2329     set_pixel_conversion(vs);
2330 
2331     graphic_hw_invalidate(vs->vd->dcl.con);
2332     graphic_hw_update(vs->vd->dcl.con);
2333 }
2334 
2335 static void pixel_format_message (VncState *vs) {
2336     char pad[3] = { 0, 0, 0 };
2337 
2338     vs->client_pf = qemu_default_pixelformat(32);
2339 
2340     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2341     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2342 
2343 #if HOST_BIG_ENDIAN
2344     vnc_write_u8(vs, 1);             /* big-endian-flag */
2345 #else
2346     vnc_write_u8(vs, 0);             /* big-endian-flag */
2347 #endif
2348     vnc_write_u8(vs, 1);             /* true-color-flag */
2349     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2350     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2351     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2352     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2353     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2354     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2355     vnc_write(vs, pad, 3);           /* padding */
2356 
2357     vnc_hextile_set_pixel_conversion(vs, 0);
2358     vs->write_pixels = vnc_write_pixels_copy;
2359 }
2360 
2361 static void vnc_colordepth(VncState *vs)
2362 {
2363     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2364         /* Sending a WMVi message to notify the client*/
2365         vnc_lock_output(vs);
2366         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2367         vnc_write_u8(vs, 0);
2368         vnc_write_u16(vs, 1); /* number of rects */
2369         vnc_framebuffer_update(vs, 0, 0,
2370                                vs->client_width,
2371                                vs->client_height,
2372                                VNC_ENCODING_WMVi);
2373         pixel_format_message(vs);
2374         vnc_unlock_output(vs);
2375         vnc_flush(vs);
2376     } else {
2377         set_pixel_conversion(vs);
2378     }
2379 }
2380 
2381 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2382 {
2383     int i;
2384     uint16_t limit;
2385     uint32_t freq;
2386     VncDisplay *vd = vs->vd;
2387 
2388     if (data[0] > 3) {
2389         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2390     }
2391 
2392     switch (data[0]) {
2393     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2394         if (len == 1)
2395             return 20;
2396 
2397         set_pixel_format(vs, read_u8(data, 4),
2398                          read_u8(data, 6), read_u8(data, 7),
2399                          read_u16(data, 8), read_u16(data, 10),
2400                          read_u16(data, 12), read_u8(data, 14),
2401                          read_u8(data, 15), read_u8(data, 16));
2402         break;
2403     case VNC_MSG_CLIENT_SET_ENCODINGS:
2404         if (len == 1)
2405             return 4;
2406 
2407         if (len == 4) {
2408             limit = read_u16(data, 2);
2409             if (limit > 0)
2410                 return 4 + (limit * 4);
2411         } else
2412             limit = read_u16(data, 2);
2413 
2414         for (i = 0; i < limit; i++) {
2415             int32_t val = read_s32(data, 4 + (i * 4));
2416             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2417         }
2418 
2419         set_encodings(vs, (int32_t *)(data + 4), limit);
2420         break;
2421     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2422         if (len == 1)
2423             return 10;
2424 
2425         framebuffer_update_request(vs,
2426                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2427                                    read_u16(data, 6), read_u16(data, 8));
2428         break;
2429     case VNC_MSG_CLIENT_KEY_EVENT:
2430         if (len == 1)
2431             return 8;
2432 
2433         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2434         break;
2435     case VNC_MSG_CLIENT_POINTER_EVENT:
2436         if (len == 1)
2437             return 6;
2438 
2439         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2440         break;
2441     case VNC_MSG_CLIENT_CUT_TEXT:
2442         if (len == 1) {
2443             return 8;
2444         }
2445         uint32_t dlen = abs(read_s32(data, 4));
2446         if (len == 8) {
2447             if (dlen > (1 << 20)) {
2448                 error_report("vnc: client_cut_text msg payload has %u bytes"
2449                              " which exceeds our limit of 1MB.", dlen);
2450                 vnc_client_error(vs);
2451                 break;
2452             }
2453             if (dlen > 0) {
2454                 return 8 + dlen;
2455             }
2456         }
2457 
2458         if (read_s32(data, 4) < 0) {
2459             if (dlen < 4) {
2460                 error_report("vnc: malformed payload (header less than 4 bytes)"
2461                              " in extended clipboard pseudo-encoding.");
2462                 vnc_client_error(vs);
2463                 break;
2464             }
2465             vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
2466             break;
2467         }
2468         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2469         break;
2470     case VNC_MSG_CLIENT_XVP:
2471         if (!(vs->features & VNC_FEATURE_XVP)) {
2472             error_report("vnc: xvp client message while disabled");
2473             vnc_client_error(vs);
2474             break;
2475         }
2476         if (len == 1) {
2477             return 4;
2478         }
2479         if (len == 4) {
2480             uint8_t version = read_u8(data, 2);
2481             uint8_t action = read_u8(data, 3);
2482 
2483             if (version != 1) {
2484                 error_report("vnc: xvp client message version %d != 1",
2485                              version);
2486                 vnc_client_error(vs);
2487                 break;
2488             }
2489 
2490             switch (action) {
2491             case VNC_XVP_ACTION_SHUTDOWN:
2492                 qemu_system_powerdown_request();
2493                 break;
2494             case VNC_XVP_ACTION_REBOOT:
2495                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2496                 break;
2497             case VNC_XVP_ACTION_RESET:
2498                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2499                 break;
2500             default:
2501                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2502                 break;
2503             }
2504         }
2505         break;
2506     case VNC_MSG_CLIENT_QEMU:
2507         if (len == 1)
2508             return 2;
2509 
2510         switch (read_u8(data, 1)) {
2511         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2512             if (len == 2)
2513                 return 12;
2514 
2515             ext_key_event(vs, read_u16(data, 2),
2516                           read_u32(data, 4), read_u32(data, 8));
2517             break;
2518         case VNC_MSG_CLIENT_QEMU_AUDIO:
2519             if (len == 2)
2520                 return 4;
2521 
2522             switch (read_u16 (data, 2)) {
2523             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2524                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2525                 audio_add(vs);
2526                 break;
2527             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2528                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2529                 audio_del(vs);
2530                 break;
2531             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2532                 if (len == 4)
2533                     return 10;
2534                 switch (read_u8(data, 4)) {
2535                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2536                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2537                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2538                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2539                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2540                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2541                 default:
2542                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2543                     vnc_client_error(vs);
2544                     break;
2545                 }
2546                 vs->as.nchannels = read_u8(data, 5);
2547                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2548                     VNC_DEBUG("Invalid audio channel count %d\n",
2549                               read_u8(data, 5));
2550                     vnc_client_error(vs);
2551                     break;
2552                 }
2553                 freq = read_u32(data, 6);
2554                 /* No official limit for protocol, but 48khz is a sensible
2555                  * upper bound for trustworthy clients, and this limit
2556                  * protects calculations involving 'vs->as.freq' later.
2557                  */
2558                 if (freq > 48000) {
2559                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2560                     vnc_client_error(vs);
2561                     break;
2562                 }
2563                 vs->as.freq = freq;
2564                 trace_vnc_msg_client_audio_format(
2565                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2566                 break;
2567             default:
2568                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2569                 vnc_client_error(vs);
2570                 break;
2571             }
2572             break;
2573 
2574         default:
2575             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2576             vnc_client_error(vs);
2577             break;
2578         }
2579         break;
2580     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2581     {
2582         size_t size;
2583         uint8_t screens;
2584         int w, h;
2585 
2586         if (len < 8) {
2587             return 8;
2588         }
2589 
2590         screens = read_u8(data, 6);
2591         size    = 8 + screens * 16;
2592         if (len < size) {
2593             return size;
2594         }
2595         w = read_u16(data, 2);
2596         h = read_u16(data, 4);
2597 
2598         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2599         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2600             QemuUIInfo info;
2601             memset(&info, 0, sizeof(info));
2602             info.width = w;
2603             info.height = h;
2604             dpy_set_ui_info(vs->vd->dcl.con, &info, false);
2605             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2606         } else {
2607             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2608         }
2609 
2610         break;
2611     }
2612     default:
2613         VNC_DEBUG("Msg: %d\n", data[0]);
2614         vnc_client_error(vs);
2615         break;
2616     }
2617 
2618     vnc_update_throttle_offset(vs);
2619     vnc_read_when(vs, protocol_client_msg, 1);
2620     return 0;
2621 }
2622 
2623 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2624 {
2625     char buf[1024];
2626     VncShareMode mode;
2627     int size;
2628 
2629     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2630     switch (vs->vd->share_policy) {
2631     case VNC_SHARE_POLICY_IGNORE:
2632         /*
2633          * Ignore the shared flag.  Nothing to do here.
2634          *
2635          * Doesn't conform to the rfb spec but is traditional qemu
2636          * behavior, thus left here as option for compatibility
2637          * reasons.
2638          */
2639         break;
2640     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2641         /*
2642          * Policy: Allow clients ask for exclusive access.
2643          *
2644          * Implementation: When a client asks for exclusive access,
2645          * disconnect all others. Shared connects are allowed as long
2646          * as no exclusive connection exists.
2647          *
2648          * This is how the rfb spec suggests to handle the shared flag.
2649          */
2650         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2651             VncState *client;
2652             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2653                 if (vs == client) {
2654                     continue;
2655                 }
2656                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2657                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2658                     continue;
2659                 }
2660                 vnc_disconnect_start(client);
2661             }
2662         }
2663         if (mode == VNC_SHARE_MODE_SHARED) {
2664             if (vs->vd->num_exclusive > 0) {
2665                 vnc_disconnect_start(vs);
2666                 return 0;
2667             }
2668         }
2669         break;
2670     case VNC_SHARE_POLICY_FORCE_SHARED:
2671         /*
2672          * Policy: Shared connects only.
2673          * Implementation: Disallow clients asking for exclusive access.
2674          *
2675          * Useful for shared desktop sessions where you don't want
2676          * someone forgetting to say -shared when running the vnc
2677          * client disconnect everybody else.
2678          */
2679         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2680             vnc_disconnect_start(vs);
2681             return 0;
2682         }
2683         break;
2684     }
2685     vnc_set_share_mode(vs, mode);
2686 
2687     if (vs->vd->num_shared > vs->vd->connections_limit) {
2688         vnc_disconnect_start(vs);
2689         return 0;
2690     }
2691 
2692     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2693            pixman_image_get_width(vs->vd->server) >= 0);
2694     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2695            pixman_image_get_height(vs->vd->server) >= 0);
2696     vs->client_width = pixman_image_get_width(vs->vd->server);
2697     vs->client_height = pixman_image_get_height(vs->vd->server);
2698     vnc_write_u16(vs, vs->client_width);
2699     vnc_write_u16(vs, vs->client_height);
2700 
2701     pixel_format_message(vs);
2702 
2703     if (qemu_name) {
2704         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2705         if (size > sizeof(buf)) {
2706             size = sizeof(buf);
2707         }
2708     } else {
2709         size = snprintf(buf, sizeof(buf), "QEMU");
2710     }
2711 
2712     vnc_write_u32(vs, size);
2713     vnc_write(vs, buf, size);
2714     vnc_flush(vs);
2715 
2716     vnc_client_cache_auth(vs);
2717     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2718 
2719     vnc_read_when(vs, protocol_client_msg, 1);
2720 
2721     return 0;
2722 }
2723 
2724 void start_client_init(VncState *vs)
2725 {
2726     vnc_read_when(vs, protocol_client_init, 1);
2727 }
2728 
2729 static void authentication_failed(VncState *vs)
2730 {
2731     vnc_write_u32(vs, 1); /* Reject auth */
2732     if (vs->minor >= 8) {
2733         static const char err[] = "Authentication failed";
2734         vnc_write_u32(vs, sizeof(err));
2735         vnc_write(vs, err, sizeof(err));
2736     }
2737     vnc_flush(vs);
2738     vnc_client_error(vs);
2739 }
2740 
2741 static void
2742 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2743 {
2744     size_t i;
2745     for (i = 0; i < nkey; i++) {
2746         uint8_t r = key[i];
2747         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2748         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2749         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2750         key[i] = r;
2751     }
2752 }
2753 
2754 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2755 {
2756     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2757     size_t i, pwlen;
2758     unsigned char key[8];
2759     time_t now = time(NULL);
2760     QCryptoCipher *cipher = NULL;
2761     Error *err = NULL;
2762 
2763     if (!vs->vd->password) {
2764         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2765         goto reject;
2766     }
2767     if (vs->vd->expires < now) {
2768         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2769         goto reject;
2770     }
2771 
2772     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2773 
2774     /* Calculate the expected challenge response */
2775     pwlen = strlen(vs->vd->password);
2776     for (i=0; i<sizeof(key); i++)
2777         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2778     vnc_munge_des_rfb_key(key, sizeof(key));
2779 
2780     cipher = qcrypto_cipher_new(
2781         QCRYPTO_CIPHER_ALG_DES,
2782         QCRYPTO_CIPHER_MODE_ECB,
2783         key, G_N_ELEMENTS(key),
2784         &err);
2785     if (!cipher) {
2786         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2787                             error_get_pretty(err));
2788         error_free(err);
2789         goto reject;
2790     }
2791 
2792     if (qcrypto_cipher_encrypt(cipher,
2793                                vs->challenge,
2794                                response,
2795                                VNC_AUTH_CHALLENGE_SIZE,
2796                                &err) < 0) {
2797         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2798                             error_get_pretty(err));
2799         error_free(err);
2800         goto reject;
2801     }
2802 
2803     /* Compare expected vs actual challenge response */
2804     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2805         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2806         goto reject;
2807     } else {
2808         trace_vnc_auth_pass(vs, vs->auth);
2809         vnc_write_u32(vs, 0); /* Accept auth */
2810         vnc_flush(vs);
2811 
2812         start_client_init(vs);
2813     }
2814 
2815     qcrypto_cipher_free(cipher);
2816     return 0;
2817 
2818 reject:
2819     authentication_failed(vs);
2820     qcrypto_cipher_free(cipher);
2821     return 0;
2822 }
2823 
2824 void start_auth_vnc(VncState *vs)
2825 {
2826     Error *err = NULL;
2827 
2828     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2829         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2830                             error_get_pretty(err));
2831         error_free(err);
2832         authentication_failed(vs);
2833         return;
2834     }
2835 
2836     /* Send client a 'random' challenge */
2837     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2838     vnc_flush(vs);
2839 
2840     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2841 }
2842 
2843 
2844 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2845 {
2846     /* We only advertise 1 auth scheme at a time, so client
2847      * must pick the one we sent. Verify this */
2848     if (data[0] != vs->auth) { /* Reject auth */
2849        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2850        authentication_failed(vs);
2851     } else { /* Accept requested auth */
2852        trace_vnc_auth_start(vs, vs->auth);
2853        switch (vs->auth) {
2854        case VNC_AUTH_NONE:
2855            if (vs->minor >= 8) {
2856                vnc_write_u32(vs, 0); /* Accept auth completion */
2857                vnc_flush(vs);
2858            }
2859            trace_vnc_auth_pass(vs, vs->auth);
2860            start_client_init(vs);
2861            break;
2862 
2863        case VNC_AUTH_VNC:
2864            start_auth_vnc(vs);
2865            break;
2866 
2867        case VNC_AUTH_VENCRYPT:
2868            start_auth_vencrypt(vs);
2869            break;
2870 
2871 #ifdef CONFIG_VNC_SASL
2872        case VNC_AUTH_SASL:
2873            start_auth_sasl(vs);
2874            break;
2875 #endif /* CONFIG_VNC_SASL */
2876 
2877        default: /* Should not be possible, but just in case */
2878            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2879            authentication_failed(vs);
2880        }
2881     }
2882     return 0;
2883 }
2884 
2885 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2886 {
2887     char local[13];
2888 
2889     memcpy(local, version, 12);
2890     local[12] = 0;
2891 
2892     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2893         VNC_DEBUG("Malformed protocol version %s\n", local);
2894         vnc_client_error(vs);
2895         return 0;
2896     }
2897     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2898     if (vs->major != 3 ||
2899         (vs->minor != 3 &&
2900          vs->minor != 4 &&
2901          vs->minor != 5 &&
2902          vs->minor != 7 &&
2903          vs->minor != 8)) {
2904         VNC_DEBUG("Unsupported client version\n");
2905         vnc_write_u32(vs, VNC_AUTH_INVALID);
2906         vnc_flush(vs);
2907         vnc_client_error(vs);
2908         return 0;
2909     }
2910     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2911      * as equivalent to v3.3 by servers
2912      */
2913     if (vs->minor == 4 || vs->minor == 5)
2914         vs->minor = 3;
2915 
2916     if (vs->minor == 3) {
2917         trace_vnc_auth_start(vs, vs->auth);
2918         if (vs->auth == VNC_AUTH_NONE) {
2919             vnc_write_u32(vs, vs->auth);
2920             vnc_flush(vs);
2921             trace_vnc_auth_pass(vs, vs->auth);
2922             start_client_init(vs);
2923        } else if (vs->auth == VNC_AUTH_VNC) {
2924             VNC_DEBUG("Tell client VNC auth\n");
2925             vnc_write_u32(vs, vs->auth);
2926             vnc_flush(vs);
2927             start_auth_vnc(vs);
2928        } else {
2929             trace_vnc_auth_fail(vs, vs->auth,
2930                                 "Unsupported auth method for v3.3", "");
2931             vnc_write_u32(vs, VNC_AUTH_INVALID);
2932             vnc_flush(vs);
2933             vnc_client_error(vs);
2934        }
2935     } else {
2936         vnc_write_u8(vs, 1); /* num auth */
2937         vnc_write_u8(vs, vs->auth);
2938         vnc_read_when(vs, protocol_client_auth, 1);
2939         vnc_flush(vs);
2940     }
2941 
2942     return 0;
2943 }
2944 
2945 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2946 {
2947     struct VncSurface *vs = &vd->guest;
2948 
2949     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2950 }
2951 
2952 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2953 {
2954     int i, j;
2955 
2956     w = (x + w) / VNC_STAT_RECT;
2957     h = (y + h) / VNC_STAT_RECT;
2958     x /= VNC_STAT_RECT;
2959     y /= VNC_STAT_RECT;
2960 
2961     for (j = y; j <= h; j++) {
2962         for (i = x; i <= w; i++) {
2963             vs->lossy_rect[j][i] = 1;
2964         }
2965     }
2966 }
2967 
2968 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2969 {
2970     VncState *vs;
2971     int sty = y / VNC_STAT_RECT;
2972     int stx = x / VNC_STAT_RECT;
2973     int has_dirty = 0;
2974 
2975     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2976     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2977 
2978     QTAILQ_FOREACH(vs, &vd->clients, next) {
2979         int j;
2980 
2981         /* kernel send buffers are full -> refresh later */
2982         if (vs->output.offset) {
2983             continue;
2984         }
2985 
2986         if (!vs->lossy_rect[sty][stx]) {
2987             continue;
2988         }
2989 
2990         vs->lossy_rect[sty][stx] = 0;
2991         for (j = 0; j < VNC_STAT_RECT; ++j) {
2992             bitmap_set(vs->dirty[y + j],
2993                        x / VNC_DIRTY_PIXELS_PER_BIT,
2994                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2995         }
2996         has_dirty++;
2997     }
2998 
2999     return has_dirty;
3000 }
3001 
3002 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
3003 {
3004     int width = MIN(pixman_image_get_width(vd->guest.fb),
3005                     pixman_image_get_width(vd->server));
3006     int height = MIN(pixman_image_get_height(vd->guest.fb),
3007                      pixman_image_get_height(vd->server));
3008     int x, y;
3009     struct timeval res;
3010     int has_dirty = 0;
3011 
3012     for (y = 0; y < height; y += VNC_STAT_RECT) {
3013         for (x = 0; x < width; x += VNC_STAT_RECT) {
3014             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3015 
3016             rect->updated = false;
3017         }
3018     }
3019 
3020     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3021 
3022     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3023         return has_dirty;
3024     }
3025     vd->guest.last_freq_check = *tv;
3026 
3027     for (y = 0; y < height; y += VNC_STAT_RECT) {
3028         for (x = 0; x < width; x += VNC_STAT_RECT) {
3029             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3030             int count = ARRAY_SIZE(rect->times);
3031             struct timeval min, max;
3032 
3033             if (!timerisset(&rect->times[count - 1])) {
3034                 continue ;
3035             }
3036 
3037             max = rect->times[(rect->idx + count - 1) % count];
3038             qemu_timersub(tv, &max, &res);
3039 
3040             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3041                 rect->freq = 0;
3042                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3043                 memset(rect->times, 0, sizeof (rect->times));
3044                 continue ;
3045             }
3046 
3047             min = rect->times[rect->idx];
3048             max = rect->times[(rect->idx + count - 1) % count];
3049             qemu_timersub(&max, &min, &res);
3050 
3051             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3052             rect->freq /= count;
3053             rect->freq = 1. / rect->freq;
3054         }
3055     }
3056     return has_dirty;
3057 }
3058 
3059 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3060 {
3061     int i, j;
3062     double total = 0;
3063     int num = 0;
3064 
3065     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3066     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3067 
3068     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3069         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3070             total += vnc_stat_rect(vs->vd, i, j)->freq;
3071             num++;
3072         }
3073     }
3074 
3075     if (num) {
3076         return total / num;
3077     } else {
3078         return 0;
3079     }
3080 }
3081 
3082 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3083 {
3084     VncRectStat *rect;
3085 
3086     rect = vnc_stat_rect(vd, x, y);
3087     if (rect->updated) {
3088         return;
3089     }
3090     rect->times[rect->idx] = *tv;
3091     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3092     rect->updated = true;
3093 }
3094 
3095 static int vnc_refresh_server_surface(VncDisplay *vd)
3096 {
3097     int width = MIN(pixman_image_get_width(vd->guest.fb),
3098                     pixman_image_get_width(vd->server));
3099     int height = MIN(pixman_image_get_height(vd->guest.fb),
3100                      pixman_image_get_height(vd->server));
3101     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3102     uint8_t *guest_row0 = NULL, *server_row0;
3103     VncState *vs;
3104     int has_dirty = 0;
3105     pixman_image_t *tmpbuf = NULL;
3106     unsigned long offset;
3107     int x;
3108     uint8_t *guest_ptr, *server_ptr;
3109 
3110     struct timeval tv = { 0, 0 };
3111 
3112     if (!vd->non_adaptive) {
3113         gettimeofday(&tv, NULL);
3114         has_dirty = vnc_update_stats(vd, &tv);
3115     }
3116 
3117     offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3118                            height * VNC_DIRTY_BPL(&vd->guest), 0);
3119     if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3120         /* no dirty bits in guest surface */
3121         return has_dirty;
3122     }
3123 
3124     /*
3125      * Walk through the guest dirty map.
3126      * Check and copy modified bits from guest to server surface.
3127      * Update server dirty map.
3128      */
3129     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3130     server_stride = guest_stride = guest_ll =
3131         pixman_image_get_stride(vd->server);
3132     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3133                     server_stride);
3134     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3135         int width = pixman_image_get_width(vd->server);
3136         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3137     } else {
3138         int guest_bpp =
3139             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3140         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3141         guest_stride = pixman_image_get_stride(vd->guest.fb);
3142         guest_ll = pixman_image_get_width(vd->guest.fb)
3143                    * DIV_ROUND_UP(guest_bpp, 8);
3144     }
3145     line_bytes = MIN(server_stride, guest_ll);
3146 
3147     for (;;) {
3148         y = offset / VNC_DIRTY_BPL(&vd->guest);
3149         x = offset % VNC_DIRTY_BPL(&vd->guest);
3150 
3151         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3152 
3153         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3154             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3155             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3156         } else {
3157             guest_ptr = guest_row0 + y * guest_stride;
3158         }
3159         guest_ptr += x * cmp_bytes;
3160 
3161         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3162              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3163             int _cmp_bytes = cmp_bytes;
3164             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3165                 continue;
3166             }
3167             if ((x + 1) * cmp_bytes > line_bytes) {
3168                 _cmp_bytes = line_bytes - x * cmp_bytes;
3169             }
3170             assert(_cmp_bytes >= 0);
3171             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3172                 continue;
3173             }
3174             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3175             if (!vd->non_adaptive) {
3176                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3177                                  y, &tv);
3178             }
3179             QTAILQ_FOREACH(vs, &vd->clients, next) {
3180                 set_bit(x, vs->dirty[y]);
3181             }
3182             has_dirty++;
3183         }
3184 
3185         y++;
3186         offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3187                                height * VNC_DIRTY_BPL(&vd->guest),
3188                                y * VNC_DIRTY_BPL(&vd->guest));
3189         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3190             /* no more dirty bits */
3191             break;
3192         }
3193     }
3194     qemu_pixman_image_unref(tmpbuf);
3195     return has_dirty;
3196 }
3197 
3198 static void vnc_refresh(DisplayChangeListener *dcl)
3199 {
3200     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3201     VncState *vs, *vn;
3202     int has_dirty, rects = 0;
3203 
3204     if (QTAILQ_EMPTY(&vd->clients)) {
3205         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3206         return;
3207     }
3208 
3209     graphic_hw_update(vd->dcl.con);
3210 
3211     if (vnc_trylock_display(vd)) {
3212         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3213         return;
3214     }
3215 
3216     has_dirty = vnc_refresh_server_surface(vd);
3217     vnc_unlock_display(vd);
3218 
3219     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3220         rects += vnc_update_client(vs, has_dirty);
3221         /* vs might be free()ed here */
3222     }
3223 
3224     if (has_dirty && rects) {
3225         vd->dcl.update_interval /= 2;
3226         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3227             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3228         }
3229     } else {
3230         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3231         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3232             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3233         }
3234     }
3235 }
3236 
3237 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3238                         bool skipauth, bool websocket)
3239 {
3240     VncState *vs = g_new0(VncState, 1);
3241     bool first_client = QTAILQ_EMPTY(&vd->clients);
3242     int i;
3243 
3244     trace_vnc_client_connect(vs, sioc);
3245     vs->zrle = g_new0(VncZrle, 1);
3246     vs->tight = g_new0(VncTight, 1);
3247     vs->magic = VNC_MAGIC;
3248     vs->sioc = sioc;
3249     object_ref(OBJECT(vs->sioc));
3250     vs->ioc = QIO_CHANNEL(sioc);
3251     object_ref(OBJECT(vs->ioc));
3252     vs->vd = vd;
3253 
3254     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3255     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3256     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3257 
3258     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3259     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3260     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3261 #ifdef CONFIG_VNC_JPEG
3262     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3263 #endif
3264 #ifdef CONFIG_PNG
3265     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3266 #endif
3267     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3268     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3269     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3270     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3271 
3272     if (skipauth) {
3273         vs->auth = VNC_AUTH_NONE;
3274         vs->subauth = VNC_AUTH_INVALID;
3275     } else {
3276         if (websocket) {
3277             vs->auth = vd->ws_auth;
3278             vs->subauth = VNC_AUTH_INVALID;
3279         } else {
3280             vs->auth = vd->auth;
3281             vs->subauth = vd->subauth;
3282         }
3283     }
3284     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3285               sioc, websocket, vs->auth, vs->subauth);
3286 
3287     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3288     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3289         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3290     }
3291 
3292     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3293     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3294     qio_channel_set_blocking(vs->ioc, false, NULL);
3295     if (vs->ioc_tag) {
3296         g_source_remove(vs->ioc_tag);
3297     }
3298     if (websocket) {
3299         vs->websocket = 1;
3300         if (vd->tlscreds) {
3301             vs->ioc_tag = qio_channel_add_watch(
3302                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3303                 vncws_tls_handshake_io, vs, NULL);
3304         } else {
3305             vs->ioc_tag = qio_channel_add_watch(
3306                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3307                 vncws_handshake_io, vs, NULL);
3308         }
3309     } else {
3310         vs->ioc_tag = qio_channel_add_watch(
3311             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3312             vnc_client_io, vs, NULL);
3313     }
3314 
3315     vnc_client_cache_addr(vs);
3316     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3317     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3318 
3319     vs->last_x = -1;
3320     vs->last_y = -1;
3321 
3322     vs->as.freq = 44100;
3323     vs->as.nchannels = 2;
3324     vs->as.fmt = AUDIO_FORMAT_S16;
3325     vs->as.endianness = 0;
3326 
3327     qemu_mutex_init(&vs->output_mutex);
3328     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3329 
3330     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3331     if (first_client) {
3332         vnc_update_server_surface(vd);
3333     }
3334 
3335     graphic_hw_update(vd->dcl.con);
3336 
3337     if (!vs->websocket) {
3338         vnc_start_protocol(vs);
3339     }
3340 
3341     if (vd->num_connecting > vd->connections_limit) {
3342         QTAILQ_FOREACH(vs, &vd->clients, next) {
3343             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3344                 vnc_disconnect_start(vs);
3345                 return;
3346             }
3347         }
3348     }
3349 }
3350 
3351 void vnc_start_protocol(VncState *vs)
3352 {
3353     vnc_write(vs, "RFB 003.008\n", 12);
3354     vnc_flush(vs);
3355     vnc_read_when(vs, protocol_version, 12);
3356 
3357     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3358     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3359 }
3360 
3361 static void vnc_listen_io(QIONetListener *listener,
3362                           QIOChannelSocket *cioc,
3363                           void *opaque)
3364 {
3365     VncDisplay *vd = opaque;
3366     bool isWebsock = listener == vd->wslistener;
3367 
3368     qio_channel_set_name(QIO_CHANNEL(cioc),
3369                          isWebsock ? "vnc-ws-server" : "vnc-server");
3370     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3371     vnc_connect(vd, cioc, false, isWebsock);
3372 }
3373 
3374 static const DisplayChangeListenerOps dcl_ops = {
3375     .dpy_name             = "vnc",
3376     .dpy_refresh          = vnc_refresh,
3377     .dpy_gfx_update       = vnc_dpy_update,
3378     .dpy_gfx_switch       = vnc_dpy_switch,
3379     .dpy_gfx_check_format = qemu_pixman_check_format,
3380     .dpy_mouse_set        = vnc_mouse_set,
3381     .dpy_cursor_define    = vnc_dpy_cursor_define,
3382 };
3383 
3384 void vnc_display_init(const char *id, Error **errp)
3385 {
3386     VncDisplay *vd;
3387 
3388     if (vnc_display_find(id) != NULL) {
3389         return;
3390     }
3391     vd = g_malloc0(sizeof(*vd));
3392 
3393     vd->id = strdup(id);
3394     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3395 
3396     QTAILQ_INIT(&vd->clients);
3397     vd->expires = TIME_MAX;
3398 
3399     if (keyboard_layout) {
3400         trace_vnc_key_map_init(keyboard_layout);
3401         vd->kbd_layout = init_keyboard_layout(name2keysym,
3402                                               keyboard_layout, errp);
3403     } else {
3404         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3405     }
3406 
3407     if (!vd->kbd_layout) {
3408         return;
3409     }
3410 
3411     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3412     vd->connections_limit = 32;
3413 
3414     qemu_mutex_init(&vd->mutex);
3415     vnc_start_worker_thread();
3416 
3417     vd->dcl.ops = &dcl_ops;
3418     register_displaychangelistener(&vd->dcl);
3419     vd->kbd = qkbd_state_init(vd->dcl.con);
3420 }
3421 
3422 
3423 static void vnc_display_close(VncDisplay *vd)
3424 {
3425     if (!vd) {
3426         return;
3427     }
3428     vd->is_unix = false;
3429 
3430     if (vd->listener) {
3431         qio_net_listener_disconnect(vd->listener);
3432         object_unref(OBJECT(vd->listener));
3433     }
3434     vd->listener = NULL;
3435 
3436     if (vd->wslistener) {
3437         qio_net_listener_disconnect(vd->wslistener);
3438         object_unref(OBJECT(vd->wslistener));
3439     }
3440     vd->wslistener = NULL;
3441 
3442     vd->auth = VNC_AUTH_INVALID;
3443     vd->subauth = VNC_AUTH_INVALID;
3444     if (vd->tlscreds) {
3445         object_unref(OBJECT(vd->tlscreds));
3446         vd->tlscreds = NULL;
3447     }
3448     if (vd->tlsauthz) {
3449         object_unparent(OBJECT(vd->tlsauthz));
3450         vd->tlsauthz = NULL;
3451     }
3452     g_free(vd->tlsauthzid);
3453     vd->tlsauthzid = NULL;
3454     if (vd->lock_key_sync) {
3455         qemu_remove_led_event_handler(vd->led);
3456         vd->led = NULL;
3457     }
3458 #ifdef CONFIG_VNC_SASL
3459     if (vd->sasl.authz) {
3460         object_unparent(OBJECT(vd->sasl.authz));
3461         vd->sasl.authz = NULL;
3462     }
3463     g_free(vd->sasl.authzid);
3464     vd->sasl.authzid = NULL;
3465 #endif
3466 }
3467 
3468 int vnc_display_password(const char *id, const char *password)
3469 {
3470     VncDisplay *vd = vnc_display_find(id);
3471 
3472     if (!vd) {
3473         return -EINVAL;
3474     }
3475     if (vd->auth == VNC_AUTH_NONE) {
3476         error_printf_unless_qmp("If you want use passwords please enable "
3477                                 "password auth using '-vnc ${dpy},password'.\n");
3478         return -EINVAL;
3479     }
3480 
3481     g_free(vd->password);
3482     vd->password = g_strdup(password);
3483 
3484     return 0;
3485 }
3486 
3487 int vnc_display_pw_expire(const char *id, time_t expires)
3488 {
3489     VncDisplay *vd = vnc_display_find(id);
3490 
3491     if (!vd) {
3492         return -EINVAL;
3493     }
3494 
3495     vd->expires = expires;
3496     return 0;
3497 }
3498 
3499 static void vnc_display_print_local_addr(VncDisplay *vd)
3500 {
3501     SocketAddress *addr;
3502 
3503     if (!vd->listener || !vd->listener->nsioc) {
3504         return;
3505     }
3506 
3507     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3508     if (!addr) {
3509         return;
3510     }
3511 
3512     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3513         qapi_free_SocketAddress(addr);
3514         return;
3515     }
3516     error_printf_unless_qmp("VNC server running on %s:%s\n",
3517                             addr->u.inet.host,
3518                             addr->u.inet.port);
3519     qapi_free_SocketAddress(addr);
3520 }
3521 
3522 static QemuOptsList qemu_vnc_opts = {
3523     .name = "vnc",
3524     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3525     .implied_opt_name = "vnc",
3526     .desc = {
3527         {
3528             .name = "vnc",
3529             .type = QEMU_OPT_STRING,
3530         },{
3531             .name = "websocket",
3532             .type = QEMU_OPT_STRING,
3533         },{
3534             .name = "tls-creds",
3535             .type = QEMU_OPT_STRING,
3536         },{
3537             .name = "share",
3538             .type = QEMU_OPT_STRING,
3539         },{
3540             .name = "display",
3541             .type = QEMU_OPT_STRING,
3542         },{
3543             .name = "head",
3544             .type = QEMU_OPT_NUMBER,
3545         },{
3546             .name = "connections",
3547             .type = QEMU_OPT_NUMBER,
3548         },{
3549             .name = "to",
3550             .type = QEMU_OPT_NUMBER,
3551         },{
3552             .name = "ipv4",
3553             .type = QEMU_OPT_BOOL,
3554         },{
3555             .name = "ipv6",
3556             .type = QEMU_OPT_BOOL,
3557         },{
3558             .name = "password",
3559             .type = QEMU_OPT_BOOL,
3560         },{
3561             .name = "password-secret",
3562             .type = QEMU_OPT_STRING,
3563         },{
3564             .name = "reverse",
3565             .type = QEMU_OPT_BOOL,
3566         },{
3567             .name = "lock-key-sync",
3568             .type = QEMU_OPT_BOOL,
3569         },{
3570             .name = "key-delay-ms",
3571             .type = QEMU_OPT_NUMBER,
3572         },{
3573             .name = "sasl",
3574             .type = QEMU_OPT_BOOL,
3575         },{
3576             .name = "tls-authz",
3577             .type = QEMU_OPT_STRING,
3578         },{
3579             .name = "sasl-authz",
3580             .type = QEMU_OPT_STRING,
3581         },{
3582             .name = "lossy",
3583             .type = QEMU_OPT_BOOL,
3584         },{
3585             .name = "non-adaptive",
3586             .type = QEMU_OPT_BOOL,
3587         },{
3588             .name = "audiodev",
3589             .type = QEMU_OPT_STRING,
3590         },{
3591             .name = "power-control",
3592             .type = QEMU_OPT_BOOL,
3593         },
3594         { /* end of list */ }
3595     },
3596 };
3597 
3598 
3599 static int
3600 vnc_display_setup_auth(int *auth,
3601                        int *subauth,
3602                        QCryptoTLSCreds *tlscreds,
3603                        bool password,
3604                        bool sasl,
3605                        bool websocket,
3606                        Error **errp)
3607 {
3608     /*
3609      * We have a choice of 3 authentication options
3610      *
3611      *   1. none
3612      *   2. vnc
3613      *   3. sasl
3614      *
3615      * The channel can be run in 2 modes
3616      *
3617      *   1. clear
3618      *   2. tls
3619      *
3620      * And TLS can use 2 types of credentials
3621      *
3622      *   1. anon
3623      *   2. x509
3624      *
3625      * We thus have 9 possible logical combinations
3626      *
3627      *   1. clear + none
3628      *   2. clear + vnc
3629      *   3. clear + sasl
3630      *   4. tls + anon + none
3631      *   5. tls + anon + vnc
3632      *   6. tls + anon + sasl
3633      *   7. tls + x509 + none
3634      *   8. tls + x509 + vnc
3635      *   9. tls + x509 + sasl
3636      *
3637      * These need to be mapped into the VNC auth schemes
3638      * in an appropriate manner. In regular VNC, all the
3639      * TLS options get mapped into VNC_AUTH_VENCRYPT
3640      * sub-auth types.
3641      *
3642      * In websockets, the https:// protocol already provides
3643      * TLS support, so there is no need to make use of the
3644      * VeNCrypt extension. Furthermore, websockets browser
3645      * clients could not use VeNCrypt even if they wanted to,
3646      * as they cannot control when the TLS handshake takes
3647      * place. Thus there is no option but to rely on https://,
3648      * meaning combinations 4->6 and 7->9 will be mapped to
3649      * VNC auth schemes in the same way as combos 1->3.
3650      *
3651      * Regardless of fact that we have a different mapping to
3652      * VNC auth mechs for plain VNC vs websockets VNC, the end
3653      * result has the same security characteristics.
3654      */
3655     if (websocket || !tlscreds) {
3656         if (password) {
3657             VNC_DEBUG("Initializing VNC server with password auth\n");
3658             *auth = VNC_AUTH_VNC;
3659         } else if (sasl) {
3660             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3661             *auth = VNC_AUTH_SASL;
3662         } else {
3663             VNC_DEBUG("Initializing VNC server with no auth\n");
3664             *auth = VNC_AUTH_NONE;
3665         }
3666         *subauth = VNC_AUTH_INVALID;
3667     } else {
3668         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3669                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3670         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3671                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3672 
3673         if (!is_x509 && !is_anon) {
3674             error_setg(errp,
3675                        "Unsupported TLS cred type %s",
3676                        object_get_typename(OBJECT(tlscreds)));
3677             return -1;
3678         }
3679         *auth = VNC_AUTH_VENCRYPT;
3680         if (password) {
3681             if (is_x509) {
3682                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3683                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3684             } else {
3685                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3686                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3687             }
3688 
3689         } else if (sasl) {
3690             if (is_x509) {
3691                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3692                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3693             } else {
3694                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3695                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3696             }
3697         } else {
3698             if (is_x509) {
3699                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3700                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3701             } else {
3702                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3703                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3704             }
3705         }
3706     }
3707     return 0;
3708 }
3709 
3710 
3711 static int vnc_display_get_address(const char *addrstr,
3712                                    bool websocket,
3713                                    bool reverse,
3714                                    int displaynum,
3715                                    int to,
3716                                    bool has_ipv4,
3717                                    bool has_ipv6,
3718                                    bool ipv4,
3719                                    bool ipv6,
3720                                    SocketAddress **retaddr,
3721                                    Error **errp)
3722 {
3723     int ret = -1;
3724     SocketAddress *addr = NULL;
3725 
3726     addr = g_new0(SocketAddress, 1);
3727 
3728     if (strncmp(addrstr, "unix:", 5) == 0) {
3729         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3730         addr->u.q_unix.path = g_strdup(addrstr + 5);
3731 
3732         if (websocket) {
3733             error_setg(errp, "UNIX sockets not supported with websock");
3734             goto cleanup;
3735         }
3736 
3737         if (to) {
3738             error_setg(errp, "Port range not support with UNIX socket");
3739             goto cleanup;
3740         }
3741         ret = 0;
3742     } else {
3743         const char *port;
3744         size_t hostlen;
3745         unsigned long long baseport = 0;
3746         InetSocketAddress *inet;
3747 
3748         port = strrchr(addrstr, ':');
3749         if (!port) {
3750             if (websocket) {
3751                 hostlen = 0;
3752                 port = addrstr;
3753             } else {
3754                 error_setg(errp, "no vnc port specified");
3755                 goto cleanup;
3756             }
3757         } else {
3758             hostlen = port - addrstr;
3759             port++;
3760             if (*port == '\0') {
3761                 error_setg(errp, "vnc port cannot be empty");
3762                 goto cleanup;
3763             }
3764         }
3765 
3766         addr->type = SOCKET_ADDRESS_TYPE_INET;
3767         inet = &addr->u.inet;
3768         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3769             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3770         } else {
3771             inet->host = g_strndup(addrstr, hostlen);
3772         }
3773         /* plain VNC port is just an offset, for websocket
3774          * port is absolute */
3775         if (websocket) {
3776             if (g_str_equal(addrstr, "") ||
3777                 g_str_equal(addrstr, "on")) {
3778                 if (displaynum == -1) {
3779                     error_setg(errp, "explicit websocket port is required");
3780                     goto cleanup;
3781                 }
3782                 inet->port = g_strdup_printf(
3783                     "%d", displaynum + 5700);
3784                 if (to) {
3785                     inet->has_to = true;
3786                     inet->to = to + 5700;
3787                 }
3788             } else {
3789                 inet->port = g_strdup(port);
3790             }
3791         } else {
3792             int offset = reverse ? 0 : 5900;
3793             if (parse_uint_full(port, &baseport, 10) < 0) {
3794                 error_setg(errp, "can't convert to a number: %s", port);
3795                 goto cleanup;
3796             }
3797             if (baseport > 65535 ||
3798                 baseport + offset > 65535) {
3799                 error_setg(errp, "port %s out of range", port);
3800                 goto cleanup;
3801             }
3802             inet->port = g_strdup_printf(
3803                 "%d", (int)baseport + offset);
3804 
3805             if (to) {
3806                 inet->has_to = true;
3807                 inet->to = to + offset;
3808             }
3809         }
3810 
3811         inet->ipv4 = ipv4;
3812         inet->has_ipv4 = has_ipv4;
3813         inet->ipv6 = ipv6;
3814         inet->has_ipv6 = has_ipv6;
3815 
3816         ret = baseport;
3817     }
3818 
3819     *retaddr = addr;
3820 
3821  cleanup:
3822     if (ret < 0) {
3823         qapi_free_SocketAddress(addr);
3824     }
3825     return ret;
3826 }
3827 
3828 static int vnc_display_get_addresses(QemuOpts *opts,
3829                                      bool reverse,
3830                                      SocketAddressList **saddr_list_ret,
3831                                      SocketAddressList **wsaddr_list_ret,
3832                                      Error **errp)
3833 {
3834     SocketAddress *saddr = NULL;
3835     SocketAddress *wsaddr = NULL;
3836     g_autoptr(SocketAddressList) saddr_list = NULL;
3837     SocketAddressList **saddr_tail = &saddr_list;
3838     SocketAddress *single_saddr = NULL;
3839     g_autoptr(SocketAddressList) wsaddr_list = NULL;
3840     SocketAddressList **wsaddr_tail = &wsaddr_list;
3841     QemuOptsIter addriter;
3842     const char *addr;
3843     int to = qemu_opt_get_number(opts, "to", 0);
3844     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3845     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3846     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3847     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3848     int displaynum = -1;
3849 
3850     addr = qemu_opt_get(opts, "vnc");
3851     if (addr == NULL || g_str_equal(addr, "none")) {
3852         return 0;
3853     }
3854     if (qemu_opt_get(opts, "websocket") &&
3855         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3856         error_setg(errp,
3857                    "SHA1 hash support is required for websockets");
3858         return -1;
3859     }
3860 
3861     qemu_opt_iter_init(&addriter, opts, "vnc");
3862     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3863         int rv;
3864         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3865                                      has_ipv4, has_ipv6,
3866                                      ipv4, ipv6,
3867                                      &saddr, errp);
3868         if (rv < 0) {
3869             return -1;
3870         }
3871         /* Historical compat - first listen address can be used
3872          * to set the default websocket port
3873          */
3874         if (displaynum == -1) {
3875             displaynum = rv;
3876         }
3877         QAPI_LIST_APPEND(saddr_tail, saddr);
3878     }
3879 
3880     if (saddr_list && !saddr_list->next) {
3881         single_saddr = saddr_list->value;
3882     } else {
3883         /*
3884          * If we had multiple primary displays, we don't do defaults
3885          * for websocket, and require explicit config instead.
3886          */
3887         displaynum = -1;
3888     }
3889 
3890     qemu_opt_iter_init(&addriter, opts, "websocket");
3891     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3892         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3893                                     has_ipv4, has_ipv6,
3894                                     ipv4, ipv6,
3895                                     &wsaddr, errp) < 0) {
3896             return -1;
3897         }
3898 
3899         /* Historical compat - if only a single listen address was
3900          * provided, then this is used to set the default listen
3901          * address for websocket too
3902          */
3903         if (single_saddr &&
3904             single_saddr->type == SOCKET_ADDRESS_TYPE_INET &&
3905             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3906             g_str_equal(wsaddr->u.inet.host, "") &&
3907             !g_str_equal(single_saddr->u.inet.host, "")) {
3908             g_free(wsaddr->u.inet.host);
3909             wsaddr->u.inet.host = g_strdup(single_saddr->u.inet.host);
3910         }
3911 
3912         QAPI_LIST_APPEND(wsaddr_tail, wsaddr);
3913     }
3914 
3915     *saddr_list_ret = g_steal_pointer(&saddr_list);
3916     *wsaddr_list_ret = g_steal_pointer(&wsaddr_list);
3917     return 0;
3918 }
3919 
3920 static int vnc_display_connect(VncDisplay *vd,
3921                                SocketAddressList *saddr_list,
3922                                SocketAddressList *wsaddr_list,
3923                                Error **errp)
3924 {
3925     /* connect to viewer */
3926     QIOChannelSocket *sioc = NULL;
3927     if (wsaddr_list) {
3928         error_setg(errp, "Cannot use websockets in reverse mode");
3929         return -1;
3930     }
3931     if (!saddr_list || saddr_list->next) {
3932         error_setg(errp, "Expected a single address in reverse mode");
3933         return -1;
3934     }
3935     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3936     vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
3937     sioc = qio_channel_socket_new();
3938     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3939     if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
3940         object_unref(OBJECT(sioc));
3941         return -1;
3942     }
3943     vnc_connect(vd, sioc, false, false);
3944     object_unref(OBJECT(sioc));
3945     return 0;
3946 }
3947 
3948 
3949 static int vnc_display_listen(VncDisplay *vd,
3950                               SocketAddressList *saddr_list,
3951                               SocketAddressList *wsaddr_list,
3952                               Error **errp)
3953 {
3954     SocketAddressList *el;
3955 
3956     if (saddr_list) {
3957         vd->listener = qio_net_listener_new();
3958         qio_net_listener_set_name(vd->listener, "vnc-listen");
3959         for (el = saddr_list; el; el = el->next) {
3960             if (qio_net_listener_open_sync(vd->listener,
3961                                            el->value, 1,
3962                                            errp) < 0)  {
3963                 return -1;
3964             }
3965         }
3966 
3967         qio_net_listener_set_client_func(vd->listener,
3968                                          vnc_listen_io, vd, NULL);
3969     }
3970 
3971     if (wsaddr_list) {
3972         vd->wslistener = qio_net_listener_new();
3973         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3974         for (el = wsaddr_list; el; el = el->next) {
3975             if (qio_net_listener_open_sync(vd->wslistener,
3976                                            el->value, 1,
3977                                            errp) < 0)  {
3978                 return -1;
3979             }
3980         }
3981 
3982         qio_net_listener_set_client_func(vd->wslistener,
3983                                          vnc_listen_io, vd, NULL);
3984     }
3985 
3986     return 0;
3987 }
3988 
3989 bool vnc_display_update(DisplayUpdateOptionsVNC *arg, Error **errp)
3990 {
3991     VncDisplay *vd = vnc_display_find(NULL);
3992 
3993     if (!vd) {
3994         error_setg(errp, "Can not find vnc display");
3995         return false;
3996     }
3997 
3998     if (arg->has_addresses) {
3999         if (vd->listener) {
4000             qio_net_listener_disconnect(vd->listener);
4001             object_unref(OBJECT(vd->listener));
4002             vd->listener = NULL;
4003         }
4004 
4005         if (vnc_display_listen(vd, arg->addresses, NULL, errp) < 0) {
4006             return false;
4007         }
4008     }
4009 
4010     return true;
4011 }
4012 
4013 void vnc_display_open(const char *id, Error **errp)
4014 {
4015     VncDisplay *vd = vnc_display_find(id);
4016     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4017     g_autoptr(SocketAddressList) saddr_list = NULL;
4018     g_autoptr(SocketAddressList) wsaddr_list = NULL;
4019     const char *share, *device_id;
4020     QemuConsole *con;
4021     bool password = false;
4022     bool reverse = false;
4023     const char *credid;
4024     bool sasl = false;
4025     const char *tlsauthz;
4026     const char *saslauthz;
4027     int lock_key_sync = 1;
4028     int key_delay_ms;
4029     const char *audiodev;
4030     const char *passwordSecret;
4031 
4032     if (!vd) {
4033         error_setg(errp, "VNC display not active");
4034         return;
4035     }
4036     vnc_display_close(vd);
4037 
4038     if (!opts) {
4039         return;
4040     }
4041 
4042     reverse = qemu_opt_get_bool(opts, "reverse", false);
4043     if (vnc_display_get_addresses(opts, reverse, &saddr_list, &wsaddr_list,
4044                                   errp) < 0) {
4045         goto fail;
4046     }
4047 
4048 
4049     passwordSecret = qemu_opt_get(opts, "password-secret");
4050     if (passwordSecret) {
4051         if (qemu_opt_get(opts, "password")) {
4052             error_setg(errp,
4053                        "'password' flag is redundant with 'password-secret'");
4054             goto fail;
4055         }
4056         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4057                                                      errp);
4058         if (!vd->password) {
4059             goto fail;
4060         }
4061         password = true;
4062     } else {
4063         password = qemu_opt_get_bool(opts, "password", false);
4064     }
4065     if (password) {
4066         if (!qcrypto_cipher_supports(
4067                 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4068             error_setg(errp,
4069                        "Cipher backend does not support DES algorithm");
4070             goto fail;
4071         }
4072     }
4073 
4074     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4075     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4076     sasl = qemu_opt_get_bool(opts, "sasl", false);
4077 #ifndef CONFIG_VNC_SASL
4078     if (sasl) {
4079         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4080         goto fail;
4081     }
4082 #endif /* CONFIG_VNC_SASL */
4083     credid = qemu_opt_get(opts, "tls-creds");
4084     if (credid) {
4085         Object *creds;
4086         creds = object_resolve_path_component(
4087             object_get_objects_root(), credid);
4088         if (!creds) {
4089             error_setg(errp, "No TLS credentials with id '%s'",
4090                        credid);
4091             goto fail;
4092         }
4093         vd->tlscreds = (QCryptoTLSCreds *)
4094             object_dynamic_cast(creds,
4095                                 TYPE_QCRYPTO_TLS_CREDS);
4096         if (!vd->tlscreds) {
4097             error_setg(errp, "Object with id '%s' is not TLS credentials",
4098                        credid);
4099             goto fail;
4100         }
4101         object_ref(OBJECT(vd->tlscreds));
4102 
4103         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4104                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4105                                               errp)) {
4106             goto fail;
4107         }
4108     }
4109     tlsauthz = qemu_opt_get(opts, "tls-authz");
4110     if (tlsauthz && !vd->tlscreds) {
4111         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4112         goto fail;
4113     }
4114 
4115     saslauthz = qemu_opt_get(opts, "sasl-authz");
4116     if (saslauthz && !sasl) {
4117         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4118         goto fail;
4119     }
4120 
4121     share = qemu_opt_get(opts, "share");
4122     if (share) {
4123         if (strcmp(share, "ignore") == 0) {
4124             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4125         } else if (strcmp(share, "allow-exclusive") == 0) {
4126             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4127         } else if (strcmp(share, "force-shared") == 0) {
4128             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4129         } else {
4130             error_setg(errp, "unknown vnc share= option");
4131             goto fail;
4132         }
4133     } else {
4134         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4135     }
4136     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4137 
4138 #ifdef CONFIG_VNC_JPEG
4139     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4140 #endif
4141     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4142     /* adaptive updates are only used with tight encoding and
4143      * if lossy updates are enabled so we can disable all the
4144      * calculations otherwise */
4145     if (!vd->lossy) {
4146         vd->non_adaptive = true;
4147     }
4148 
4149     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4150 
4151     if (tlsauthz) {
4152         vd->tlsauthzid = g_strdup(tlsauthz);
4153     }
4154 #ifdef CONFIG_VNC_SASL
4155     if (sasl) {
4156         if (saslauthz) {
4157             vd->sasl.authzid = g_strdup(saslauthz);
4158         }
4159     }
4160 #endif
4161 
4162     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4163                                vd->tlscreds, password,
4164                                sasl, false, errp) < 0) {
4165         goto fail;
4166     }
4167     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4168 
4169     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4170                                vd->tlscreds, password,
4171                                sasl, true, errp) < 0) {
4172         goto fail;
4173     }
4174     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4175 
4176 #ifdef CONFIG_VNC_SASL
4177     if (sasl && !vnc_sasl_server_init(errp)) {
4178         goto fail;
4179     }
4180 #endif
4181     vd->lock_key_sync = lock_key_sync;
4182     if (lock_key_sync) {
4183         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4184     }
4185     vd->ledstate = 0;
4186 
4187     audiodev = qemu_opt_get(opts, "audiodev");
4188     if (audiodev) {
4189         vd->audio_state = audio_state_by_name(audiodev);
4190         if (!vd->audio_state) {
4191             error_setg(errp, "Audiodev '%s' not found", audiodev);
4192             goto fail;
4193         }
4194     }
4195 
4196     device_id = qemu_opt_get(opts, "display");
4197     if (device_id) {
4198         int head = qemu_opt_get_number(opts, "head", 0);
4199         Error *err = NULL;
4200 
4201         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4202         if (err) {
4203             error_propagate(errp, err);
4204             goto fail;
4205         }
4206     } else {
4207         con = NULL;
4208     }
4209 
4210     if (con != vd->dcl.con) {
4211         qkbd_state_free(vd->kbd);
4212         unregister_displaychangelistener(&vd->dcl);
4213         vd->dcl.con = con;
4214         register_displaychangelistener(&vd->dcl);
4215         vd->kbd = qkbd_state_init(vd->dcl.con);
4216     }
4217     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4218 
4219     if (saddr_list == NULL) {
4220         return;
4221     }
4222 
4223     if (reverse) {
4224         if (vnc_display_connect(vd, saddr_list, wsaddr_list, errp) < 0) {
4225             goto fail;
4226         }
4227     } else {
4228         if (vnc_display_listen(vd, saddr_list, wsaddr_list, errp) < 0) {
4229             goto fail;
4230         }
4231     }
4232 
4233     if (qemu_opt_get(opts, "to")) {
4234         vnc_display_print_local_addr(vd);
4235     }
4236 
4237     /* Success */
4238     return;
4239 
4240 fail:
4241     vnc_display_close(vd);
4242 }
4243 
4244 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4245 {
4246     VncDisplay *vd = vnc_display_find(id);
4247     QIOChannelSocket *sioc;
4248 
4249     if (!vd) {
4250         return;
4251     }
4252 
4253     sioc = qio_channel_socket_new_fd(csock, NULL);
4254     if (sioc) {
4255         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4256         vnc_connect(vd, sioc, skipauth, false);
4257         object_unref(OBJECT(sioc));
4258     }
4259 }
4260 
4261 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4262 {
4263     int i = 2;
4264     char *id;
4265 
4266     id = g_strdup("default");
4267     while (qemu_opts_find(olist, id)) {
4268         g_free(id);
4269         id = g_strdup_printf("vnc%d", i++);
4270     }
4271     qemu_opts_set_id(opts, id);
4272 }
4273 
4274 void vnc_parse(const char *str)
4275 {
4276     QemuOptsList *olist = qemu_find_opts("vnc");
4277     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4278     const char *id;
4279 
4280     if (!opts) {
4281         exit(1);
4282     }
4283 
4284     id = qemu_opts_id(opts);
4285     if (!id) {
4286         /* auto-assign id if not present */
4287         vnc_auto_assign_id(olist, opts);
4288     }
4289 }
4290 
4291 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4292 {
4293     Error *local_err = NULL;
4294     char *id = (char *)qemu_opts_id(opts);
4295 
4296     assert(id);
4297     vnc_display_init(id, &local_err);
4298     if (local_err) {
4299         error_propagate(errp, local_err);
4300         return -1;
4301     }
4302     vnc_display_open(id, &local_err);
4303     if (local_err != NULL) {
4304         error_propagate(errp, local_err);
4305         return -1;
4306     }
4307     return 0;
4308 }
4309 
4310 static void vnc_register_config(void)
4311 {
4312     qemu_add_opts(&qemu_vnc_opts);
4313 }
4314 opts_init(vnc_register_config);
4315