xref: /openbmc/qemu/ui/vnc.c (revision 7acafcfa)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/main-loop.h"
35 #include "qemu/module.h"
36 #include "qemu/option.h"
37 #include "qemu/sockets.h"
38 #include "qemu/timer.h"
39 #include "authz/list.h"
40 #include "qemu/config-file.h"
41 #include "qapi/qapi-emit-events.h"
42 #include "qapi/qapi-events-ui.h"
43 #include "qapi/error.h"
44 #include "qapi/qapi-commands-ui.h"
45 #include "ui/input.h"
46 #include "crypto/hash.h"
47 #include "crypto/tlscredsanon.h"
48 #include "crypto/tlscredsx509.h"
49 #include "crypto/random.h"
50 #include "qom/object_interfaces.h"
51 #include "qemu/cutils.h"
52 #include "io/dns-resolver.h"
53 
54 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
55 #define VNC_REFRESH_INTERVAL_INC  50
56 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
57 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
58 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
59 
60 #include "vnc_keysym.h"
61 #include "crypto/cipher.h"
62 
63 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
64     QTAILQ_HEAD_INITIALIZER(vnc_displays);
65 
66 static int vnc_cursor_define(VncState *vs);
67 static void vnc_update_throttle_offset(VncState *vs);
68 
69 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
70 {
71 #ifdef _VNC_DEBUG
72     static const char *mn[] = {
73         [0]                           = "undefined",
74         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
75         [VNC_SHARE_MODE_SHARED]       = "shared",
76         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
77         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
78     };
79     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
80             vs->ioc, mn[vs->share_mode], mn[mode]);
81 #endif
82 
83     switch (vs->share_mode) {
84     case VNC_SHARE_MODE_CONNECTING:
85         vs->vd->num_connecting--;
86         break;
87     case VNC_SHARE_MODE_SHARED:
88         vs->vd->num_shared--;
89         break;
90     case VNC_SHARE_MODE_EXCLUSIVE:
91         vs->vd->num_exclusive--;
92         break;
93     default:
94         break;
95     }
96 
97     vs->share_mode = mode;
98 
99     switch (vs->share_mode) {
100     case VNC_SHARE_MODE_CONNECTING:
101         vs->vd->num_connecting++;
102         break;
103     case VNC_SHARE_MODE_SHARED:
104         vs->vd->num_shared++;
105         break;
106     case VNC_SHARE_MODE_EXCLUSIVE:
107         vs->vd->num_exclusive++;
108         break;
109     default:
110         break;
111     }
112 }
113 
114 
115 static void vnc_init_basic_info(SocketAddress *addr,
116                                 VncBasicInfo *info,
117                                 Error **errp)
118 {
119     switch (addr->type) {
120     case SOCKET_ADDRESS_TYPE_INET:
121         info->host = g_strdup(addr->u.inet.host);
122         info->service = g_strdup(addr->u.inet.port);
123         if (addr->u.inet.ipv6) {
124             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
125         } else {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
127         }
128         break;
129 
130     case SOCKET_ADDRESS_TYPE_UNIX:
131         info->host = g_strdup("");
132         info->service = g_strdup(addr->u.q_unix.path);
133         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
134         break;
135 
136     case SOCKET_ADDRESS_TYPE_VSOCK:
137     case SOCKET_ADDRESS_TYPE_FD:
138         error_setg(errp, "Unsupported socket address type %s",
139                    SocketAddressType_str(addr->type));
140         break;
141     default:
142         abort();
143     }
144 
145     return;
146 }
147 
148 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
149                                                  VncBasicInfo *info,
150                                                  Error **errp)
151 {
152     SocketAddress *addr = NULL;
153 
154     if (!ioc) {
155         error_setg(errp, "No listener socket available");
156         return;
157     }
158 
159     addr = qio_channel_socket_get_local_address(ioc, errp);
160     if (!addr) {
161         return;
162     }
163 
164     vnc_init_basic_info(addr, info, errp);
165     qapi_free_SocketAddress(addr);
166 }
167 
168 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
169                                                  VncBasicInfo *info,
170                                                  Error **errp)
171 {
172     SocketAddress *addr = NULL;
173 
174     addr = qio_channel_socket_get_remote_address(ioc, errp);
175     if (!addr) {
176         return;
177     }
178 
179     vnc_init_basic_info(addr, info, errp);
180     qapi_free_SocketAddress(addr);
181 }
182 
183 static const char *vnc_auth_name(VncDisplay *vd) {
184     switch (vd->auth) {
185     case VNC_AUTH_INVALID:
186         return "invalid";
187     case VNC_AUTH_NONE:
188         return "none";
189     case VNC_AUTH_VNC:
190         return "vnc";
191     case VNC_AUTH_RA2:
192         return "ra2";
193     case VNC_AUTH_RA2NE:
194         return "ra2ne";
195     case VNC_AUTH_TIGHT:
196         return "tight";
197     case VNC_AUTH_ULTRA:
198         return "ultra";
199     case VNC_AUTH_TLS:
200         return "tls";
201     case VNC_AUTH_VENCRYPT:
202         switch (vd->subauth) {
203         case VNC_AUTH_VENCRYPT_PLAIN:
204             return "vencrypt+plain";
205         case VNC_AUTH_VENCRYPT_TLSNONE:
206             return "vencrypt+tls+none";
207         case VNC_AUTH_VENCRYPT_TLSVNC:
208             return "vencrypt+tls+vnc";
209         case VNC_AUTH_VENCRYPT_TLSPLAIN:
210             return "vencrypt+tls+plain";
211         case VNC_AUTH_VENCRYPT_X509NONE:
212             return "vencrypt+x509+none";
213         case VNC_AUTH_VENCRYPT_X509VNC:
214             return "vencrypt+x509+vnc";
215         case VNC_AUTH_VENCRYPT_X509PLAIN:
216             return "vencrypt+x509+plain";
217         case VNC_AUTH_VENCRYPT_TLSSASL:
218             return "vencrypt+tls+sasl";
219         case VNC_AUTH_VENCRYPT_X509SASL:
220             return "vencrypt+x509+sasl";
221         default:
222             return "vencrypt";
223         }
224     case VNC_AUTH_SASL:
225         return "sasl";
226     }
227     return "unknown";
228 }
229 
230 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
231 {
232     VncServerInfo *info;
233     Error *err = NULL;
234 
235     if (!vd->listener || !vd->listener->nsioc) {
236         return NULL;
237     }
238 
239     info = g_malloc0(sizeof(*info));
240     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
241                                          qapi_VncServerInfo_base(info), &err);
242     info->has_auth = true;
243     info->auth = g_strdup(vnc_auth_name(vd));
244     if (err) {
245         qapi_free_VncServerInfo(info);
246         info = NULL;
247         error_free(err);
248     }
249     return info;
250 }
251 
252 static void vnc_client_cache_auth(VncState *client)
253 {
254     if (!client->info) {
255         return;
256     }
257 
258     if (client->tls) {
259         client->info->x509_dname =
260             qcrypto_tls_session_get_peer_name(client->tls);
261         client->info->has_x509_dname =
262             client->info->x509_dname != NULL;
263     }
264 #ifdef CONFIG_VNC_SASL
265     if (client->sasl.conn &&
266         client->sasl.username) {
267         client->info->has_sasl_username = true;
268         client->info->sasl_username = g_strdup(client->sasl.username);
269     }
270 #endif
271 }
272 
273 static void vnc_client_cache_addr(VncState *client)
274 {
275     Error *err = NULL;
276 
277     client->info = g_malloc0(sizeof(*client->info));
278     vnc_init_basic_info_from_remote_addr(client->sioc,
279                                          qapi_VncClientInfo_base(client->info),
280                                          &err);
281     client->info->websocket = client->websocket;
282     if (err) {
283         qapi_free_VncClientInfo(client->info);
284         client->info = NULL;
285         error_free(err);
286     }
287 }
288 
289 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
290 {
291     VncServerInfo *si;
292 
293     if (!vs->info) {
294         return;
295     }
296 
297     si = vnc_server_info_get(vs->vd);
298     if (!si) {
299         return;
300     }
301 
302     switch (event) {
303     case QAPI_EVENT_VNC_CONNECTED:
304         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
305         break;
306     case QAPI_EVENT_VNC_INITIALIZED:
307         qapi_event_send_vnc_initialized(si, vs->info);
308         break;
309     case QAPI_EVENT_VNC_DISCONNECTED:
310         qapi_event_send_vnc_disconnected(si, vs->info);
311         break;
312     default:
313         break;
314     }
315 
316     qapi_free_VncServerInfo(si);
317 }
318 
319 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
320 {
321     VncClientInfo *info;
322     Error *err = NULL;
323 
324     info = g_malloc0(sizeof(*info));
325 
326     vnc_init_basic_info_from_remote_addr(client->sioc,
327                                          qapi_VncClientInfo_base(info),
328                                          &err);
329     if (err) {
330         error_free(err);
331         qapi_free_VncClientInfo(info);
332         return NULL;
333     }
334 
335     info->websocket = client->websocket;
336 
337     if (client->tls) {
338         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
339         info->has_x509_dname = info->x509_dname != NULL;
340     }
341 #ifdef CONFIG_VNC_SASL
342     if (client->sasl.conn && client->sasl.username) {
343         info->has_sasl_username = true;
344         info->sasl_username = g_strdup(client->sasl.username);
345     }
346 #endif
347 
348     return info;
349 }
350 
351 static VncDisplay *vnc_display_find(const char *id)
352 {
353     VncDisplay *vd;
354 
355     if (id == NULL) {
356         return QTAILQ_FIRST(&vnc_displays);
357     }
358     QTAILQ_FOREACH(vd, &vnc_displays, next) {
359         if (strcmp(id, vd->id) == 0) {
360             return vd;
361         }
362     }
363     return NULL;
364 }
365 
366 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
367 {
368     VncClientInfoList *cinfo, *prev = NULL;
369     VncState *client;
370 
371     QTAILQ_FOREACH(client, &vd->clients, next) {
372         cinfo = g_new0(VncClientInfoList, 1);
373         cinfo->value = qmp_query_vnc_client(client);
374         cinfo->next = prev;
375         prev = cinfo;
376     }
377     return prev;
378 }
379 
380 VncInfo *qmp_query_vnc(Error **errp)
381 {
382     VncInfo *info = g_malloc0(sizeof(*info));
383     VncDisplay *vd = vnc_display_find(NULL);
384     SocketAddress *addr = NULL;
385 
386     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
387         info->enabled = false;
388     } else {
389         info->enabled = true;
390 
391         /* for compatibility with the original command */
392         info->has_clients = true;
393         info->clients = qmp_query_client_list(vd);
394 
395         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
396                                                     errp);
397         if (!addr) {
398             goto out_error;
399         }
400 
401         switch (addr->type) {
402         case SOCKET_ADDRESS_TYPE_INET:
403             info->host = g_strdup(addr->u.inet.host);
404             info->service = g_strdup(addr->u.inet.port);
405             if (addr->u.inet.ipv6) {
406                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
407             } else {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
409             }
410             break;
411 
412         case SOCKET_ADDRESS_TYPE_UNIX:
413             info->host = g_strdup("");
414             info->service = g_strdup(addr->u.q_unix.path);
415             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
416             break;
417 
418         case SOCKET_ADDRESS_TYPE_VSOCK:
419         case SOCKET_ADDRESS_TYPE_FD:
420             error_setg(errp, "Unsupported socket address type %s",
421                        SocketAddressType_str(addr->type));
422             goto out_error;
423         default:
424             abort();
425         }
426 
427         info->has_host = true;
428         info->has_service = true;
429         info->has_family = true;
430 
431         info->has_auth = true;
432         info->auth = g_strdup(vnc_auth_name(vd));
433     }
434 
435     qapi_free_SocketAddress(addr);
436     return info;
437 
438 out_error:
439     qapi_free_SocketAddress(addr);
440     qapi_free_VncInfo(info);
441     return NULL;
442 }
443 
444 
445 static void qmp_query_auth(int auth, int subauth,
446                            VncPrimaryAuth *qmp_auth,
447                            VncVencryptSubAuth *qmp_vencrypt,
448                            bool *qmp_has_vencrypt);
449 
450 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
451                                                   bool websocket,
452                                                   int auth,
453                                                   int subauth,
454                                                   VncServerInfo2List *prev)
455 {
456     VncServerInfo2List *list;
457     VncServerInfo2 *info;
458     Error *err = NULL;
459     SocketAddress *addr;
460 
461     addr = qio_channel_socket_get_local_address(ioc, NULL);
462     if (!addr) {
463         return prev;
464     }
465 
466     info = g_new0(VncServerInfo2, 1);
467     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
468     qapi_free_SocketAddress(addr);
469     if (err) {
470         qapi_free_VncServerInfo2(info);
471         error_free(err);
472         return prev;
473     }
474     info->websocket = websocket;
475 
476     qmp_query_auth(auth, subauth, &info->auth,
477                    &info->vencrypt, &info->has_vencrypt);
478 
479     list = g_new0(VncServerInfo2List, 1);
480     list->value = info;
481     list->next = prev;
482     return list;
483 }
484 
485 static void qmp_query_auth(int auth, int subauth,
486                            VncPrimaryAuth *qmp_auth,
487                            VncVencryptSubAuth *qmp_vencrypt,
488                            bool *qmp_has_vencrypt)
489 {
490     switch (auth) {
491     case VNC_AUTH_VNC:
492         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
493         break;
494     case VNC_AUTH_RA2:
495         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
496         break;
497     case VNC_AUTH_RA2NE:
498         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
499         break;
500     case VNC_AUTH_TIGHT:
501         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
502         break;
503     case VNC_AUTH_ULTRA:
504         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
505         break;
506     case VNC_AUTH_TLS:
507         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
508         break;
509     case VNC_AUTH_VENCRYPT:
510         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
511         *qmp_has_vencrypt = true;
512         switch (subauth) {
513         case VNC_AUTH_VENCRYPT_PLAIN:
514             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
515             break;
516         case VNC_AUTH_VENCRYPT_TLSNONE:
517             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
518             break;
519         case VNC_AUTH_VENCRYPT_TLSVNC:
520             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
521             break;
522         case VNC_AUTH_VENCRYPT_TLSPLAIN:
523             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
524             break;
525         case VNC_AUTH_VENCRYPT_X509NONE:
526             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
527             break;
528         case VNC_AUTH_VENCRYPT_X509VNC:
529             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
530             break;
531         case VNC_AUTH_VENCRYPT_X509PLAIN:
532             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
533             break;
534         case VNC_AUTH_VENCRYPT_TLSSASL:
535             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
536             break;
537         case VNC_AUTH_VENCRYPT_X509SASL:
538             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
539             break;
540         default:
541             *qmp_has_vencrypt = false;
542             break;
543         }
544         break;
545     case VNC_AUTH_SASL:
546         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
547         break;
548     case VNC_AUTH_NONE:
549     default:
550         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
551         break;
552     }
553 }
554 
555 VncInfo2List *qmp_query_vnc_servers(Error **errp)
556 {
557     VncInfo2List *item, *prev = NULL;
558     VncInfo2 *info;
559     VncDisplay *vd;
560     DeviceState *dev;
561     size_t i;
562 
563     QTAILQ_FOREACH(vd, &vnc_displays, next) {
564         info = g_new0(VncInfo2, 1);
565         info->id = g_strdup(vd->id);
566         info->clients = qmp_query_client_list(vd);
567         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
568                        &info->vencrypt, &info->has_vencrypt);
569         if (vd->dcl.con) {
570             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
571                                                   "device", &error_abort));
572             info->has_display = true;
573             info->display = g_strdup(dev->id);
574         }
575         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
576             info->server = qmp_query_server_entry(
577                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
578                 info->server);
579         }
580         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
581             info->server = qmp_query_server_entry(
582                 vd->wslistener->sioc[i], true, vd->ws_auth,
583                 vd->ws_subauth, info->server);
584         }
585 
586         item = g_new0(VncInfo2List, 1);
587         item->value = info;
588         item->next = prev;
589         prev = item;
590     }
591     return prev;
592 }
593 
594 /* TODO
595    1) Get the queue working for IO.
596    2) there is some weirdness when using the -S option (the screen is grey
597       and not totally invalidated
598    3) resolutions > 1024
599 */
600 
601 static int vnc_update_client(VncState *vs, int has_dirty);
602 static void vnc_disconnect_start(VncState *vs);
603 
604 static void vnc_colordepth(VncState *vs);
605 static void framebuffer_update_request(VncState *vs, int incremental,
606                                        int x_position, int y_position,
607                                        int w, int h);
608 static void vnc_refresh(DisplayChangeListener *dcl);
609 static int vnc_refresh_server_surface(VncDisplay *vd);
610 
611 static int vnc_width(VncDisplay *vd)
612 {
613     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
614                                        VNC_DIRTY_PIXELS_PER_BIT));
615 }
616 
617 static int vnc_height(VncDisplay *vd)
618 {
619     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
620 }
621 
622 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
623                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
624                                VncDisplay *vd,
625                                int x, int y, int w, int h)
626 {
627     int width = vnc_width(vd);
628     int height = vnc_height(vd);
629 
630     /* this is needed this to ensure we updated all affected
631      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
632     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
633     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
634 
635     x = MIN(x, width);
636     y = MIN(y, height);
637     w = MIN(x + w, width) - x;
638     h = MIN(y + h, height);
639 
640     for (; y < h; y++) {
641         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
642                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
643     }
644 }
645 
646 static void vnc_dpy_update(DisplayChangeListener *dcl,
647                            int x, int y, int w, int h)
648 {
649     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
650     struct VncSurface *s = &vd->guest;
651 
652     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
653 }
654 
655 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
656                             int32_t encoding)
657 {
658     vnc_write_u16(vs, x);
659     vnc_write_u16(vs, y);
660     vnc_write_u16(vs, w);
661     vnc_write_u16(vs, h);
662 
663     vnc_write_s32(vs, encoding);
664 }
665 
666 
667 static void vnc_desktop_resize(VncState *vs)
668 {
669     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
670         return;
671     }
672     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
673         vs->client_height == pixman_image_get_height(vs->vd->server)) {
674         return;
675     }
676 
677     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
678            pixman_image_get_width(vs->vd->server) >= 0);
679     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
680            pixman_image_get_height(vs->vd->server) >= 0);
681     vs->client_width = pixman_image_get_width(vs->vd->server);
682     vs->client_height = pixman_image_get_height(vs->vd->server);
683     vnc_lock_output(vs);
684     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
685     vnc_write_u8(vs, 0);
686     vnc_write_u16(vs, 1); /* number of rects */
687     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
688                            VNC_ENCODING_DESKTOPRESIZE);
689     vnc_unlock_output(vs);
690     vnc_flush(vs);
691 }
692 
693 static void vnc_abort_display_jobs(VncDisplay *vd)
694 {
695     VncState *vs;
696 
697     QTAILQ_FOREACH(vs, &vd->clients, next) {
698         vnc_lock_output(vs);
699         vs->abort = true;
700         vnc_unlock_output(vs);
701     }
702     QTAILQ_FOREACH(vs, &vd->clients, next) {
703         vnc_jobs_join(vs);
704     }
705     QTAILQ_FOREACH(vs, &vd->clients, next) {
706         vnc_lock_output(vs);
707         if (vs->update == VNC_STATE_UPDATE_NONE &&
708             vs->job_update != VNC_STATE_UPDATE_NONE) {
709             /* job aborted before completion */
710             vs->update = vs->job_update;
711             vs->job_update = VNC_STATE_UPDATE_NONE;
712         }
713         vs->abort = false;
714         vnc_unlock_output(vs);
715     }
716 }
717 
718 int vnc_server_fb_stride(VncDisplay *vd)
719 {
720     return pixman_image_get_stride(vd->server);
721 }
722 
723 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
724 {
725     uint8_t *ptr;
726 
727     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
728     ptr += y * vnc_server_fb_stride(vd);
729     ptr += x * VNC_SERVER_FB_BYTES;
730     return ptr;
731 }
732 
733 static void vnc_update_server_surface(VncDisplay *vd)
734 {
735     int width, height;
736 
737     qemu_pixman_image_unref(vd->server);
738     vd->server = NULL;
739 
740     if (QTAILQ_EMPTY(&vd->clients)) {
741         return;
742     }
743 
744     width = vnc_width(vd);
745     height = vnc_height(vd);
746     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
747                                           width, height,
748                                           NULL, 0);
749 
750     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
751     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
752                        width, height);
753 }
754 
755 static bool vnc_check_pageflip(DisplaySurface *s1,
756                                DisplaySurface *s2)
757 {
758     return (s1 != NULL &&
759             s2 != NULL &&
760             surface_width(s1) == surface_width(s2) &&
761             surface_height(s1) == surface_height(s2) &&
762             surface_format(s1) == surface_format(s2));
763 
764 }
765 
766 static void vnc_dpy_switch(DisplayChangeListener *dcl,
767                            DisplaySurface *surface)
768 {
769     static const char placeholder_msg[] =
770         "Display output is not active.";
771     static DisplaySurface *placeholder;
772     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
773     bool pageflip = vnc_check_pageflip(vd->ds, surface);
774     VncState *vs;
775 
776     if (surface == NULL) {
777         if (placeholder == NULL) {
778             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
779         }
780         surface = placeholder;
781     }
782 
783     vnc_abort_display_jobs(vd);
784     vd->ds = surface;
785 
786     /* guest surface */
787     qemu_pixman_image_unref(vd->guest.fb);
788     vd->guest.fb = pixman_image_ref(surface->image);
789     vd->guest.format = surface->format;
790 
791     if (pageflip) {
792         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
793                            surface_width(surface),
794                            surface_height(surface));
795         return;
796     }
797 
798     /* server surface */
799     vnc_update_server_surface(vd);
800 
801     QTAILQ_FOREACH(vs, &vd->clients, next) {
802         vnc_colordepth(vs);
803         vnc_desktop_resize(vs);
804         if (vs->vd->cursor) {
805             vnc_cursor_define(vs);
806         }
807         memset(vs->dirty, 0x00, sizeof(vs->dirty));
808         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
809                            vnc_width(vd),
810                            vnc_height(vd));
811         vnc_update_throttle_offset(vs);
812     }
813 }
814 
815 /* fastest code */
816 static void vnc_write_pixels_copy(VncState *vs,
817                                   void *pixels, int size)
818 {
819     vnc_write(vs, pixels, size);
820 }
821 
822 /* slowest but generic code. */
823 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
824 {
825     uint8_t r, g, b;
826 
827 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
828     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
829     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
830     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
831 #else
832 # error need some bits here if you change VNC_SERVER_FB_FORMAT
833 #endif
834     v = (r << vs->client_pf.rshift) |
835         (g << vs->client_pf.gshift) |
836         (b << vs->client_pf.bshift);
837     switch (vs->client_pf.bytes_per_pixel) {
838     case 1:
839         buf[0] = v;
840         break;
841     case 2:
842         if (vs->client_be) {
843             buf[0] = v >> 8;
844             buf[1] = v;
845         } else {
846             buf[1] = v >> 8;
847             buf[0] = v;
848         }
849         break;
850     default:
851     case 4:
852         if (vs->client_be) {
853             buf[0] = v >> 24;
854             buf[1] = v >> 16;
855             buf[2] = v >> 8;
856             buf[3] = v;
857         } else {
858             buf[3] = v >> 24;
859             buf[2] = v >> 16;
860             buf[1] = v >> 8;
861             buf[0] = v;
862         }
863         break;
864     }
865 }
866 
867 static void vnc_write_pixels_generic(VncState *vs,
868                                      void *pixels1, int size)
869 {
870     uint8_t buf[4];
871 
872     if (VNC_SERVER_FB_BYTES == 4) {
873         uint32_t *pixels = pixels1;
874         int n, i;
875         n = size >> 2;
876         for (i = 0; i < n; i++) {
877             vnc_convert_pixel(vs, buf, pixels[i]);
878             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
879         }
880     }
881 }
882 
883 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
884 {
885     int i;
886     uint8_t *row;
887     VncDisplay *vd = vs->vd;
888 
889     row = vnc_server_fb_ptr(vd, x, y);
890     for (i = 0; i < h; i++) {
891         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
892         row += vnc_server_fb_stride(vd);
893     }
894     return 1;
895 }
896 
897 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
898 {
899     int n = 0;
900 
901     switch(vs->vnc_encoding) {
902         case VNC_ENCODING_ZLIB:
903             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
904             break;
905         case VNC_ENCODING_HEXTILE:
906             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
907             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
908             break;
909         case VNC_ENCODING_TIGHT:
910             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
911             break;
912         case VNC_ENCODING_TIGHT_PNG:
913             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
914             break;
915         case VNC_ENCODING_ZRLE:
916             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
917             break;
918         case VNC_ENCODING_ZYWRLE:
919             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
920             break;
921         default:
922             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
923             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
924             break;
925     }
926     return n;
927 }
928 
929 static void vnc_mouse_set(DisplayChangeListener *dcl,
930                           int x, int y, int visible)
931 {
932     /* can we ask the client(s) to move the pointer ??? */
933 }
934 
935 static int vnc_cursor_define(VncState *vs)
936 {
937     QEMUCursor *c = vs->vd->cursor;
938     int isize;
939 
940     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
941         vnc_lock_output(vs);
942         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
943         vnc_write_u8(vs,  0);  /*  padding     */
944         vnc_write_u16(vs, 1);  /*  # of rects  */
945         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
946                                VNC_ENCODING_RICH_CURSOR);
947         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
948         vnc_write_pixels_generic(vs, c->data, isize);
949         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
950         vnc_unlock_output(vs);
951         return 0;
952     }
953     return -1;
954 }
955 
956 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
957                                   QEMUCursor *c)
958 {
959     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
960     VncState *vs;
961 
962     cursor_put(vd->cursor);
963     g_free(vd->cursor_mask);
964 
965     vd->cursor = c;
966     cursor_get(vd->cursor);
967     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
968     vd->cursor_mask = g_malloc0(vd->cursor_msize);
969     cursor_get_mono_mask(c, 0, vd->cursor_mask);
970 
971     QTAILQ_FOREACH(vs, &vd->clients, next) {
972         vnc_cursor_define(vs);
973     }
974 }
975 
976 static int find_and_clear_dirty_height(VncState *vs,
977                                        int y, int last_x, int x, int height)
978 {
979     int h;
980 
981     for (h = 1; h < (height - y); h++) {
982         if (!test_bit(last_x, vs->dirty[y + h])) {
983             break;
984         }
985         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
986     }
987 
988     return h;
989 }
990 
991 /*
992  * Figure out how much pending data we should allow in the output
993  * buffer before we throttle incremental display updates, and/or
994  * drop audio samples.
995  *
996  * We allow for equiv of 1 full display's worth of FB updates,
997  * and 1 second of audio samples. If audio backlog was larger
998  * than that the client would already suffering awful audio
999  * glitches, so dropping samples is no worse really).
1000  */
1001 static void vnc_update_throttle_offset(VncState *vs)
1002 {
1003     size_t offset =
1004         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1005 
1006     if (vs->audio_cap) {
1007         int bps;
1008         switch (vs->as.fmt) {
1009         default:
1010         case  AUDIO_FORMAT_U8:
1011         case  AUDIO_FORMAT_S8:
1012             bps = 1;
1013             break;
1014         case  AUDIO_FORMAT_U16:
1015         case  AUDIO_FORMAT_S16:
1016             bps = 2;
1017             break;
1018         case  AUDIO_FORMAT_U32:
1019         case  AUDIO_FORMAT_S32:
1020             bps = 4;
1021             break;
1022         }
1023         offset += vs->as.freq * bps * vs->as.nchannels;
1024     }
1025 
1026     /* Put a floor of 1MB on offset, so that if we have a large pending
1027      * buffer and the display is resized to a small size & back again
1028      * we don't suddenly apply a tiny send limit
1029      */
1030     offset = MAX(offset, 1024 * 1024);
1031 
1032     if (vs->throttle_output_offset != offset) {
1033         trace_vnc_client_throttle_threshold(
1034             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1035             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1036     }
1037 
1038     vs->throttle_output_offset = offset;
1039 }
1040 
1041 static bool vnc_should_update(VncState *vs)
1042 {
1043     switch (vs->update) {
1044     case VNC_STATE_UPDATE_NONE:
1045         break;
1046     case VNC_STATE_UPDATE_INCREMENTAL:
1047         /* Only allow incremental updates if the pending send queue
1048          * is less than the permitted threshold, and the job worker
1049          * is completely idle.
1050          */
1051         if (vs->output.offset < vs->throttle_output_offset &&
1052             vs->job_update == VNC_STATE_UPDATE_NONE) {
1053             return true;
1054         }
1055         trace_vnc_client_throttle_incremental(
1056             vs, vs->ioc, vs->job_update, vs->output.offset);
1057         break;
1058     case VNC_STATE_UPDATE_FORCE:
1059         /* Only allow forced updates if the pending send queue
1060          * does not contain a previous forced update, and the
1061          * job worker is completely idle.
1062          *
1063          * Note this means we'll queue a forced update, even if
1064          * the output buffer size is otherwise over the throttle
1065          * output limit.
1066          */
1067         if (vs->force_update_offset == 0 &&
1068             vs->job_update == VNC_STATE_UPDATE_NONE) {
1069             return true;
1070         }
1071         trace_vnc_client_throttle_forced(
1072             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1073         break;
1074     }
1075     return false;
1076 }
1077 
1078 static int vnc_update_client(VncState *vs, int has_dirty)
1079 {
1080     VncDisplay *vd = vs->vd;
1081     VncJob *job;
1082     int y;
1083     int height, width;
1084     int n = 0;
1085 
1086     if (vs->disconnecting) {
1087         vnc_disconnect_finish(vs);
1088         return 0;
1089     }
1090 
1091     vs->has_dirty += has_dirty;
1092     if (!vnc_should_update(vs)) {
1093         return 0;
1094     }
1095 
1096     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1097         return 0;
1098     }
1099 
1100     /*
1101      * Send screen updates to the vnc client using the server
1102      * surface and server dirty map.  guest surface updates
1103      * happening in parallel don't disturb us, the next pass will
1104      * send them to the client.
1105      */
1106     job = vnc_job_new(vs);
1107 
1108     height = pixman_image_get_height(vd->server);
1109     width = pixman_image_get_width(vd->server);
1110 
1111     y = 0;
1112     for (;;) {
1113         int x, h;
1114         unsigned long x2;
1115         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1116                                              height * VNC_DIRTY_BPL(vs),
1117                                              y * VNC_DIRTY_BPL(vs));
1118         if (offset == height * VNC_DIRTY_BPL(vs)) {
1119             /* no more dirty bits */
1120             break;
1121         }
1122         y = offset / VNC_DIRTY_BPL(vs);
1123         x = offset % VNC_DIRTY_BPL(vs);
1124         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1125                                 VNC_DIRTY_BPL(vs), x);
1126         bitmap_clear(vs->dirty[y], x, x2 - x);
1127         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1128         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1129         if (x2 > x) {
1130             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1131                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1132         }
1133         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1134             y += h;
1135             if (y == height) {
1136                 break;
1137             }
1138         }
1139     }
1140 
1141     vs->job_update = vs->update;
1142     vs->update = VNC_STATE_UPDATE_NONE;
1143     vnc_job_push(job);
1144     vs->has_dirty = 0;
1145     return n;
1146 }
1147 
1148 /* audio */
1149 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1150 {
1151     VncState *vs = opaque;
1152 
1153     assert(vs->magic == VNC_MAGIC);
1154     switch (cmd) {
1155     case AUD_CNOTIFY_DISABLE:
1156         vnc_lock_output(vs);
1157         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1158         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1159         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1160         vnc_unlock_output(vs);
1161         vnc_flush(vs);
1162         break;
1163 
1164     case AUD_CNOTIFY_ENABLE:
1165         vnc_lock_output(vs);
1166         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1167         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1168         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1169         vnc_unlock_output(vs);
1170         vnc_flush(vs);
1171         break;
1172     }
1173 }
1174 
1175 static void audio_capture_destroy(void *opaque)
1176 {
1177 }
1178 
1179 static void audio_capture(void *opaque, const void *buf, int size)
1180 {
1181     VncState *vs = opaque;
1182 
1183     assert(vs->magic == VNC_MAGIC);
1184     vnc_lock_output(vs);
1185     if (vs->output.offset < vs->throttle_output_offset) {
1186         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1187         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1188         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1189         vnc_write_u32(vs, size);
1190         vnc_write(vs, buf, size);
1191     } else {
1192         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1193     }
1194     vnc_unlock_output(vs);
1195     vnc_flush(vs);
1196 }
1197 
1198 static void audio_add(VncState *vs)
1199 {
1200     struct audio_capture_ops ops;
1201 
1202     if (vs->audio_cap) {
1203         error_report("audio already running");
1204         return;
1205     }
1206 
1207     ops.notify = audio_capture_notify;
1208     ops.destroy = audio_capture_destroy;
1209     ops.capture = audio_capture;
1210 
1211     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1212     if (!vs->audio_cap) {
1213         error_report("Failed to add audio capture");
1214     }
1215 }
1216 
1217 static void audio_del(VncState *vs)
1218 {
1219     if (vs->audio_cap) {
1220         AUD_del_capture(vs->audio_cap, vs);
1221         vs->audio_cap = NULL;
1222     }
1223 }
1224 
1225 static void vnc_disconnect_start(VncState *vs)
1226 {
1227     if (vs->disconnecting) {
1228         return;
1229     }
1230     trace_vnc_client_disconnect_start(vs, vs->ioc);
1231     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1232     if (vs->ioc_tag) {
1233         g_source_remove(vs->ioc_tag);
1234         vs->ioc_tag = 0;
1235     }
1236     qio_channel_close(vs->ioc, NULL);
1237     vs->disconnecting = TRUE;
1238 }
1239 
1240 void vnc_disconnect_finish(VncState *vs)
1241 {
1242     int i;
1243 
1244     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1245 
1246     vnc_jobs_join(vs); /* Wait encoding jobs */
1247 
1248     vnc_lock_output(vs);
1249     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1250 
1251     buffer_free(&vs->input);
1252     buffer_free(&vs->output);
1253 
1254     qapi_free_VncClientInfo(vs->info);
1255 
1256     vnc_zlib_clear(vs);
1257     vnc_tight_clear(vs);
1258     vnc_zrle_clear(vs);
1259 
1260 #ifdef CONFIG_VNC_SASL
1261     vnc_sasl_client_cleanup(vs);
1262 #endif /* CONFIG_VNC_SASL */
1263     audio_del(vs);
1264     qkbd_state_lift_all_keys(vs->vd->kbd);
1265 
1266     if (vs->mouse_mode_notifier.notify != NULL) {
1267         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1268     }
1269     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1270     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1271         /* last client gone */
1272         vnc_update_server_surface(vs->vd);
1273     }
1274 
1275     vnc_unlock_output(vs);
1276 
1277     qemu_mutex_destroy(&vs->output_mutex);
1278     if (vs->bh != NULL) {
1279         qemu_bh_delete(vs->bh);
1280     }
1281     buffer_free(&vs->jobs_buffer);
1282 
1283     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1284         g_free(vs->lossy_rect[i]);
1285     }
1286     g_free(vs->lossy_rect);
1287 
1288     object_unref(OBJECT(vs->ioc));
1289     vs->ioc = NULL;
1290     object_unref(OBJECT(vs->sioc));
1291     vs->sioc = NULL;
1292     vs->magic = 0;
1293     g_free(vs->zrle);
1294     g_free(vs->tight);
1295     g_free(vs);
1296 }
1297 
1298 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1299 {
1300     if (ret <= 0) {
1301         if (ret == 0) {
1302             trace_vnc_client_eof(vs, vs->ioc);
1303             vnc_disconnect_start(vs);
1304         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1305             trace_vnc_client_io_error(vs, vs->ioc,
1306                                       err ? error_get_pretty(err) : "Unknown");
1307             vnc_disconnect_start(vs);
1308         }
1309 
1310         error_free(err);
1311         return 0;
1312     }
1313     return ret;
1314 }
1315 
1316 
1317 void vnc_client_error(VncState *vs)
1318 {
1319     VNC_DEBUG("Closing down client sock: protocol error\n");
1320     vnc_disconnect_start(vs);
1321 }
1322 
1323 
1324 /*
1325  * Called to write a chunk of data to the client socket. The data may
1326  * be the raw data, or may have already been encoded by SASL.
1327  * The data will be written either straight onto the socket, or
1328  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1329  *
1330  * NB, it is theoretically possible to have 2 layers of encryption,
1331  * both SASL, and this TLS layer. It is highly unlikely in practice
1332  * though, since SASL encryption will typically be a no-op if TLS
1333  * is active
1334  *
1335  * Returns the number of bytes written, which may be less than
1336  * the requested 'datalen' if the socket would block. Returns
1337  * 0 on I/O error, and disconnects the client socket.
1338  */
1339 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1340 {
1341     Error *err = NULL;
1342     ssize_t ret;
1343     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1344     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1345     return vnc_client_io_error(vs, ret, err);
1346 }
1347 
1348 
1349 /*
1350  * Called to write buffered data to the client socket, when not
1351  * using any SASL SSF encryption layers. Will write as much data
1352  * as possible without blocking. If all buffered data is written,
1353  * will switch the FD poll() handler back to read monitoring.
1354  *
1355  * Returns the number of bytes written, which may be less than
1356  * the buffered output data if the socket would block.  Returns
1357  * 0 on I/O error, and disconnects the client socket.
1358  */
1359 static size_t vnc_client_write_plain(VncState *vs)
1360 {
1361     size_t offset;
1362     size_t ret;
1363 
1364 #ifdef CONFIG_VNC_SASL
1365     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1366               vs->output.buffer, vs->output.capacity, vs->output.offset,
1367               vs->sasl.waitWriteSSF);
1368 
1369     if (vs->sasl.conn &&
1370         vs->sasl.runSSF &&
1371         vs->sasl.waitWriteSSF) {
1372         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1373         if (ret)
1374             vs->sasl.waitWriteSSF -= ret;
1375     } else
1376 #endif /* CONFIG_VNC_SASL */
1377         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1378     if (!ret)
1379         return 0;
1380 
1381     if (ret >= vs->force_update_offset) {
1382         if (vs->force_update_offset != 0) {
1383             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1384         }
1385         vs->force_update_offset = 0;
1386     } else {
1387         vs->force_update_offset -= ret;
1388     }
1389     offset = vs->output.offset;
1390     buffer_advance(&vs->output, ret);
1391     if (offset >= vs->throttle_output_offset &&
1392         vs->output.offset < vs->throttle_output_offset) {
1393         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1394     }
1395 
1396     if (vs->output.offset == 0) {
1397         if (vs->ioc_tag) {
1398             g_source_remove(vs->ioc_tag);
1399         }
1400         vs->ioc_tag = qio_channel_add_watch(
1401             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1402     }
1403 
1404     return ret;
1405 }
1406 
1407 
1408 /*
1409  * First function called whenever there is data to be written to
1410  * the client socket. Will delegate actual work according to whether
1411  * SASL SSF layers are enabled (thus requiring encryption calls)
1412  */
1413 static void vnc_client_write_locked(VncState *vs)
1414 {
1415 #ifdef CONFIG_VNC_SASL
1416     if (vs->sasl.conn &&
1417         vs->sasl.runSSF &&
1418         !vs->sasl.waitWriteSSF) {
1419         vnc_client_write_sasl(vs);
1420     } else
1421 #endif /* CONFIG_VNC_SASL */
1422     {
1423         vnc_client_write_plain(vs);
1424     }
1425 }
1426 
1427 static void vnc_client_write(VncState *vs)
1428 {
1429     assert(vs->magic == VNC_MAGIC);
1430     vnc_lock_output(vs);
1431     if (vs->output.offset) {
1432         vnc_client_write_locked(vs);
1433     } else if (vs->ioc != NULL) {
1434         if (vs->ioc_tag) {
1435             g_source_remove(vs->ioc_tag);
1436         }
1437         vs->ioc_tag = qio_channel_add_watch(
1438             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1439     }
1440     vnc_unlock_output(vs);
1441 }
1442 
1443 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1444 {
1445     vs->read_handler = func;
1446     vs->read_handler_expect = expecting;
1447 }
1448 
1449 
1450 /*
1451  * Called to read a chunk of data from the client socket. The data may
1452  * be the raw data, or may need to be further decoded by SASL.
1453  * The data will be read either straight from to the socket, or
1454  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1455  *
1456  * NB, it is theoretically possible to have 2 layers of encryption,
1457  * both SASL, and this TLS layer. It is highly unlikely in practice
1458  * though, since SASL encryption will typically be a no-op if TLS
1459  * is active
1460  *
1461  * Returns the number of bytes read, which may be less than
1462  * the requested 'datalen' if the socket would block. Returns
1463  * 0 on I/O error or EOF, and disconnects the client socket.
1464  */
1465 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1466 {
1467     ssize_t ret;
1468     Error *err = NULL;
1469     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1470     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1471     return vnc_client_io_error(vs, ret, err);
1472 }
1473 
1474 
1475 /*
1476  * Called to read data from the client socket to the input buffer,
1477  * when not using any SASL SSF encryption layers. Will read as much
1478  * data as possible without blocking.
1479  *
1480  * Returns the number of bytes read, which may be less than
1481  * the requested 'datalen' if the socket would block. Returns
1482  * 0 on I/O error or EOF, and disconnects the client socket.
1483  */
1484 static size_t vnc_client_read_plain(VncState *vs)
1485 {
1486     size_t ret;
1487     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1488               vs->input.buffer, vs->input.capacity, vs->input.offset);
1489     buffer_reserve(&vs->input, 4096);
1490     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1491     if (!ret)
1492         return 0;
1493     vs->input.offset += ret;
1494     return ret;
1495 }
1496 
1497 static void vnc_jobs_bh(void *opaque)
1498 {
1499     VncState *vs = opaque;
1500 
1501     assert(vs->magic == VNC_MAGIC);
1502     vnc_jobs_consume_buffer(vs);
1503 }
1504 
1505 /*
1506  * First function called whenever there is more data to be read from
1507  * the client socket. Will delegate actual work according to whether
1508  * SASL SSF layers are enabled (thus requiring decryption calls)
1509  * Returns 0 on success, -1 if client disconnected
1510  */
1511 static int vnc_client_read(VncState *vs)
1512 {
1513     size_t ret;
1514 
1515 #ifdef CONFIG_VNC_SASL
1516     if (vs->sasl.conn && vs->sasl.runSSF)
1517         ret = vnc_client_read_sasl(vs);
1518     else
1519 #endif /* CONFIG_VNC_SASL */
1520         ret = vnc_client_read_plain(vs);
1521     if (!ret) {
1522         if (vs->disconnecting) {
1523             vnc_disconnect_finish(vs);
1524             return -1;
1525         }
1526         return 0;
1527     }
1528 
1529     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1530         size_t len = vs->read_handler_expect;
1531         int ret;
1532 
1533         ret = vs->read_handler(vs, vs->input.buffer, len);
1534         if (vs->disconnecting) {
1535             vnc_disconnect_finish(vs);
1536             return -1;
1537         }
1538 
1539         if (!ret) {
1540             buffer_advance(&vs->input, len);
1541         } else {
1542             vs->read_handler_expect = ret;
1543         }
1544     }
1545     return 0;
1546 }
1547 
1548 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1549                        GIOCondition condition, void *opaque)
1550 {
1551     VncState *vs = opaque;
1552 
1553     assert(vs->magic == VNC_MAGIC);
1554     if (condition & G_IO_IN) {
1555         if (vnc_client_read(vs) < 0) {
1556             /* vs is free()ed here */
1557             return TRUE;
1558         }
1559     }
1560     if (condition & G_IO_OUT) {
1561         vnc_client_write(vs);
1562     }
1563 
1564     if (vs->disconnecting) {
1565         if (vs->ioc_tag != 0) {
1566             g_source_remove(vs->ioc_tag);
1567         }
1568         vs->ioc_tag = 0;
1569     }
1570     return TRUE;
1571 }
1572 
1573 
1574 /*
1575  * Scale factor to apply to vs->throttle_output_offset when checking for
1576  * hard limit. Worst case normal usage could be x2, if we have a complete
1577  * incremental update and complete forced update in the output buffer.
1578  * So x3 should be good enough, but we pick x5 to be conservative and thus
1579  * (hopefully) never trigger incorrectly.
1580  */
1581 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1582 
1583 void vnc_write(VncState *vs, const void *data, size_t len)
1584 {
1585     assert(vs->magic == VNC_MAGIC);
1586     if (vs->disconnecting) {
1587         return;
1588     }
1589     /* Protection against malicious client/guest to prevent our output
1590      * buffer growing without bound if client stops reading data. This
1591      * should rarely trigger, because we have earlier throttling code
1592      * which stops issuing framebuffer updates and drops audio data
1593      * if the throttle_output_offset value is exceeded. So we only reach
1594      * this higher level if a huge number of pseudo-encodings get
1595      * triggered while data can't be sent on the socket.
1596      *
1597      * NB throttle_output_offset can be zero during early protocol
1598      * handshake, or from the job thread's VncState clone
1599      */
1600     if (vs->throttle_output_offset != 0 &&
1601         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1602         vs->throttle_output_offset) {
1603         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1604                                       vs->throttle_output_offset);
1605         vnc_disconnect_start(vs);
1606         return;
1607     }
1608     buffer_reserve(&vs->output, len);
1609 
1610     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1611         if (vs->ioc_tag) {
1612             g_source_remove(vs->ioc_tag);
1613         }
1614         vs->ioc_tag = qio_channel_add_watch(
1615             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1616     }
1617 
1618     buffer_append(&vs->output, data, len);
1619 }
1620 
1621 void vnc_write_s32(VncState *vs, int32_t value)
1622 {
1623     vnc_write_u32(vs, *(uint32_t *)&value);
1624 }
1625 
1626 void vnc_write_u32(VncState *vs, uint32_t value)
1627 {
1628     uint8_t buf[4];
1629 
1630     buf[0] = (value >> 24) & 0xFF;
1631     buf[1] = (value >> 16) & 0xFF;
1632     buf[2] = (value >>  8) & 0xFF;
1633     buf[3] = value & 0xFF;
1634 
1635     vnc_write(vs, buf, 4);
1636 }
1637 
1638 void vnc_write_u16(VncState *vs, uint16_t value)
1639 {
1640     uint8_t buf[2];
1641 
1642     buf[0] = (value >> 8) & 0xFF;
1643     buf[1] = value & 0xFF;
1644 
1645     vnc_write(vs, buf, 2);
1646 }
1647 
1648 void vnc_write_u8(VncState *vs, uint8_t value)
1649 {
1650     vnc_write(vs, (char *)&value, 1);
1651 }
1652 
1653 void vnc_flush(VncState *vs)
1654 {
1655     vnc_lock_output(vs);
1656     if (vs->ioc != NULL && vs->output.offset) {
1657         vnc_client_write_locked(vs);
1658     }
1659     if (vs->disconnecting) {
1660         if (vs->ioc_tag != 0) {
1661             g_source_remove(vs->ioc_tag);
1662         }
1663         vs->ioc_tag = 0;
1664     }
1665     vnc_unlock_output(vs);
1666 }
1667 
1668 static uint8_t read_u8(uint8_t *data, size_t offset)
1669 {
1670     return data[offset];
1671 }
1672 
1673 static uint16_t read_u16(uint8_t *data, size_t offset)
1674 {
1675     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1676 }
1677 
1678 static int32_t read_s32(uint8_t *data, size_t offset)
1679 {
1680     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1681                      (data[offset + 2] << 8) | data[offset + 3]);
1682 }
1683 
1684 uint32_t read_u32(uint8_t *data, size_t offset)
1685 {
1686     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1687             (data[offset + 2] << 8) | data[offset + 3]);
1688 }
1689 
1690 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1691 {
1692 }
1693 
1694 static void check_pointer_type_change(Notifier *notifier, void *data)
1695 {
1696     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1697     int absolute = qemu_input_is_absolute();
1698 
1699     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1700         vnc_lock_output(vs);
1701         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1702         vnc_write_u8(vs, 0);
1703         vnc_write_u16(vs, 1);
1704         vnc_framebuffer_update(vs, absolute, 0,
1705                                pixman_image_get_width(vs->vd->server),
1706                                pixman_image_get_height(vs->vd->server),
1707                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1708         vnc_unlock_output(vs);
1709         vnc_flush(vs);
1710     }
1711     vs->absolute = absolute;
1712 }
1713 
1714 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1715 {
1716     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1717         [INPUT_BUTTON_LEFT]       = 0x01,
1718         [INPUT_BUTTON_MIDDLE]     = 0x02,
1719         [INPUT_BUTTON_RIGHT]      = 0x04,
1720         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1721         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1722     };
1723     QemuConsole *con = vs->vd->dcl.con;
1724     int width = pixman_image_get_width(vs->vd->server);
1725     int height = pixman_image_get_height(vs->vd->server);
1726 
1727     if (vs->last_bmask != button_mask) {
1728         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1729         vs->last_bmask = button_mask;
1730     }
1731 
1732     if (vs->absolute) {
1733         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1734         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1735     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1736         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1737         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1738     } else {
1739         if (vs->last_x != -1) {
1740             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1741             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1742         }
1743         vs->last_x = x;
1744         vs->last_y = y;
1745     }
1746     qemu_input_event_sync();
1747 }
1748 
1749 static void press_key(VncState *vs, QKeyCode qcode)
1750 {
1751     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1752     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1753 }
1754 
1755 static void vnc_led_state_change(VncState *vs)
1756 {
1757     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1758         return;
1759     }
1760 
1761     vnc_lock_output(vs);
1762     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1763     vnc_write_u8(vs, 0);
1764     vnc_write_u16(vs, 1);
1765     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1766     vnc_write_u8(vs, vs->vd->ledstate);
1767     vnc_unlock_output(vs);
1768     vnc_flush(vs);
1769 }
1770 
1771 static void kbd_leds(void *opaque, int ledstate)
1772 {
1773     VncDisplay *vd = opaque;
1774     VncState *client;
1775 
1776     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1777                              (ledstate & QEMU_NUM_LOCK_LED),
1778                              (ledstate & QEMU_SCROLL_LOCK_LED));
1779 
1780     if (ledstate == vd->ledstate) {
1781         return;
1782     }
1783 
1784     vd->ledstate = ledstate;
1785 
1786     QTAILQ_FOREACH(client, &vd->clients, next) {
1787         vnc_led_state_change(client);
1788     }
1789 }
1790 
1791 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1792 {
1793     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1794 
1795     /* QEMU console switch */
1796     switch (qcode) {
1797     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1798         if (vs->vd->dcl.con == NULL && down &&
1799             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1800             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1801             /* Reset the modifiers sent to the current console */
1802             qkbd_state_lift_all_keys(vs->vd->kbd);
1803             console_select(qcode - Q_KEY_CODE_1);
1804             return;
1805         }
1806     default:
1807         break;
1808     }
1809 
1810     /* Turn off the lock state sync logic if the client support the led
1811        state extension.
1812     */
1813     if (down && vs->vd->lock_key_sync &&
1814         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1815         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1816         /* If the numlock state needs to change then simulate an additional
1817            keypress before sending this one.  This will happen if the user
1818            toggles numlock away from the VNC window.
1819         */
1820         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1821             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1822                 trace_vnc_key_sync_numlock(true);
1823                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1824             }
1825         } else {
1826             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1827                 trace_vnc_key_sync_numlock(false);
1828                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1829             }
1830         }
1831     }
1832 
1833     if (down && vs->vd->lock_key_sync &&
1834         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1835         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1836         /* If the capslock state needs to change then simulate an additional
1837            keypress before sending this one.  This will happen if the user
1838            toggles capslock away from the VNC window.
1839         */
1840         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1841         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1842         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1843         if (capslock) {
1844             if (uppercase == shift) {
1845                 trace_vnc_key_sync_capslock(false);
1846                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1847             }
1848         } else {
1849             if (uppercase != shift) {
1850                 trace_vnc_key_sync_capslock(true);
1851                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1852             }
1853         }
1854     }
1855 
1856     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1857     if (!qemu_console_is_graphic(NULL)) {
1858         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1859         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1860         /* QEMU console emulation */
1861         if (down) {
1862             switch (keycode) {
1863             case 0x2a:                          /* Left Shift */
1864             case 0x36:                          /* Right Shift */
1865             case 0x1d:                          /* Left CTRL */
1866             case 0x9d:                          /* Right CTRL */
1867             case 0x38:                          /* Left ALT */
1868             case 0xb8:                          /* Right ALT */
1869                 break;
1870             case 0xc8:
1871                 kbd_put_keysym(QEMU_KEY_UP);
1872                 break;
1873             case 0xd0:
1874                 kbd_put_keysym(QEMU_KEY_DOWN);
1875                 break;
1876             case 0xcb:
1877                 kbd_put_keysym(QEMU_KEY_LEFT);
1878                 break;
1879             case 0xcd:
1880                 kbd_put_keysym(QEMU_KEY_RIGHT);
1881                 break;
1882             case 0xd3:
1883                 kbd_put_keysym(QEMU_KEY_DELETE);
1884                 break;
1885             case 0xc7:
1886                 kbd_put_keysym(QEMU_KEY_HOME);
1887                 break;
1888             case 0xcf:
1889                 kbd_put_keysym(QEMU_KEY_END);
1890                 break;
1891             case 0xc9:
1892                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1893                 break;
1894             case 0xd1:
1895                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1896                 break;
1897 
1898             case 0x47:
1899                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1900                 break;
1901             case 0x48:
1902                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1903                 break;
1904             case 0x49:
1905                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1906                 break;
1907             case 0x4b:
1908                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1909                 break;
1910             case 0x4c:
1911                 kbd_put_keysym('5');
1912                 break;
1913             case 0x4d:
1914                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1915                 break;
1916             case 0x4f:
1917                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1918                 break;
1919             case 0x50:
1920                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1921                 break;
1922             case 0x51:
1923                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1924                 break;
1925             case 0x52:
1926                 kbd_put_keysym('0');
1927                 break;
1928             case 0x53:
1929                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1930                 break;
1931 
1932             case 0xb5:
1933                 kbd_put_keysym('/');
1934                 break;
1935             case 0x37:
1936                 kbd_put_keysym('*');
1937                 break;
1938             case 0x4a:
1939                 kbd_put_keysym('-');
1940                 break;
1941             case 0x4e:
1942                 kbd_put_keysym('+');
1943                 break;
1944             case 0x9c:
1945                 kbd_put_keysym('\n');
1946                 break;
1947 
1948             default:
1949                 if (control) {
1950                     kbd_put_keysym(sym & 0x1f);
1951                 } else {
1952                     kbd_put_keysym(sym);
1953                 }
1954                 break;
1955             }
1956         }
1957     }
1958 }
1959 
1960 static const char *code2name(int keycode)
1961 {
1962     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1963 }
1964 
1965 static void key_event(VncState *vs, int down, uint32_t sym)
1966 {
1967     int keycode;
1968     int lsym = sym;
1969 
1970     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1971         lsym = lsym - 'A' + 'a';
1972     }
1973 
1974     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1975                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
1976     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1977     do_key_event(vs, down, keycode, sym);
1978 }
1979 
1980 static void ext_key_event(VncState *vs, int down,
1981                           uint32_t sym, uint16_t keycode)
1982 {
1983     /* if the user specifies a keyboard layout, always use it */
1984     if (keyboard_layout) {
1985         key_event(vs, down, sym);
1986     } else {
1987         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
1988         do_key_event(vs, down, keycode, sym);
1989     }
1990 }
1991 
1992 static void framebuffer_update_request(VncState *vs, int incremental,
1993                                        int x, int y, int w, int h)
1994 {
1995     if (incremental) {
1996         if (vs->update != VNC_STATE_UPDATE_FORCE) {
1997             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
1998         }
1999     } else {
2000         vs->update = VNC_STATE_UPDATE_FORCE;
2001         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2002     }
2003 }
2004 
2005 static void send_ext_key_event_ack(VncState *vs)
2006 {
2007     vnc_lock_output(vs);
2008     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2009     vnc_write_u8(vs, 0);
2010     vnc_write_u16(vs, 1);
2011     vnc_framebuffer_update(vs, 0, 0,
2012                            pixman_image_get_width(vs->vd->server),
2013                            pixman_image_get_height(vs->vd->server),
2014                            VNC_ENCODING_EXT_KEY_EVENT);
2015     vnc_unlock_output(vs);
2016     vnc_flush(vs);
2017 }
2018 
2019 static void send_ext_audio_ack(VncState *vs)
2020 {
2021     vnc_lock_output(vs);
2022     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2023     vnc_write_u8(vs, 0);
2024     vnc_write_u16(vs, 1);
2025     vnc_framebuffer_update(vs, 0, 0,
2026                            pixman_image_get_width(vs->vd->server),
2027                            pixman_image_get_height(vs->vd->server),
2028                            VNC_ENCODING_AUDIO);
2029     vnc_unlock_output(vs);
2030     vnc_flush(vs);
2031 }
2032 
2033 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2034 {
2035     int i;
2036     unsigned int enc = 0;
2037 
2038     vs->features = 0;
2039     vs->vnc_encoding = 0;
2040     vs->tight->compression = 9;
2041     vs->tight->quality = -1; /* Lossless by default */
2042     vs->absolute = -1;
2043 
2044     /*
2045      * Start from the end because the encodings are sent in order of preference.
2046      * This way the preferred encoding (first encoding defined in the array)
2047      * will be set at the end of the loop.
2048      */
2049     for (i = n_encodings - 1; i >= 0; i--) {
2050         enc = encodings[i];
2051         switch (enc) {
2052         case VNC_ENCODING_RAW:
2053             vs->vnc_encoding = enc;
2054             break;
2055         case VNC_ENCODING_COPYRECT:
2056             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2057             break;
2058         case VNC_ENCODING_HEXTILE:
2059             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2060             vs->vnc_encoding = enc;
2061             break;
2062         case VNC_ENCODING_TIGHT:
2063             vs->features |= VNC_FEATURE_TIGHT_MASK;
2064             vs->vnc_encoding = enc;
2065             break;
2066 #ifdef CONFIG_VNC_PNG
2067         case VNC_ENCODING_TIGHT_PNG:
2068             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2069             vs->vnc_encoding = enc;
2070             break;
2071 #endif
2072         case VNC_ENCODING_ZLIB:
2073             /*
2074              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2075              * So prioritize ZRLE, even if the client hints that it prefers
2076              * ZLIB.
2077              */
2078             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2079                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2080                 vs->vnc_encoding = enc;
2081             }
2082             break;
2083         case VNC_ENCODING_ZRLE:
2084             vs->features |= VNC_FEATURE_ZRLE_MASK;
2085             vs->vnc_encoding = enc;
2086             break;
2087         case VNC_ENCODING_ZYWRLE:
2088             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2089             vs->vnc_encoding = enc;
2090             break;
2091         case VNC_ENCODING_DESKTOPRESIZE:
2092             vs->features |= VNC_FEATURE_RESIZE_MASK;
2093             break;
2094         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2095             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2096             break;
2097         case VNC_ENCODING_RICH_CURSOR:
2098             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2099             if (vs->vd->cursor) {
2100                 vnc_cursor_define(vs);
2101             }
2102             break;
2103         case VNC_ENCODING_EXT_KEY_EVENT:
2104             send_ext_key_event_ack(vs);
2105             break;
2106         case VNC_ENCODING_AUDIO:
2107             send_ext_audio_ack(vs);
2108             break;
2109         case VNC_ENCODING_WMVi:
2110             vs->features |= VNC_FEATURE_WMVI_MASK;
2111             break;
2112         case VNC_ENCODING_LED_STATE:
2113             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2114             break;
2115         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2116             vs->tight->compression = (enc & 0x0F);
2117             break;
2118         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2119             if (vs->vd->lossy) {
2120                 vs->tight->quality = (enc & 0x0F);
2121             }
2122             break;
2123         default:
2124             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2125             break;
2126         }
2127     }
2128     vnc_desktop_resize(vs);
2129     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2130     vnc_led_state_change(vs);
2131 }
2132 
2133 static void set_pixel_conversion(VncState *vs)
2134 {
2135     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2136 
2137     if (fmt == VNC_SERVER_FB_FORMAT) {
2138         vs->write_pixels = vnc_write_pixels_copy;
2139         vnc_hextile_set_pixel_conversion(vs, 0);
2140     } else {
2141         vs->write_pixels = vnc_write_pixels_generic;
2142         vnc_hextile_set_pixel_conversion(vs, 1);
2143     }
2144 }
2145 
2146 static void send_color_map(VncState *vs)
2147 {
2148     int i;
2149 
2150     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2151     vnc_write_u8(vs,  0);    /* padding     */
2152     vnc_write_u16(vs, 0);    /* first color */
2153     vnc_write_u16(vs, 256);  /* # of colors */
2154 
2155     for (i = 0; i < 256; i++) {
2156         PixelFormat *pf = &vs->client_pf;
2157 
2158         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2159         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2160         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2161     }
2162 }
2163 
2164 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2165                              int big_endian_flag, int true_color_flag,
2166                              int red_max, int green_max, int blue_max,
2167                              int red_shift, int green_shift, int blue_shift)
2168 {
2169     if (!true_color_flag) {
2170         /* Expose a reasonable default 256 color map */
2171         bits_per_pixel = 8;
2172         red_max = 7;
2173         green_max = 7;
2174         blue_max = 3;
2175         red_shift = 0;
2176         green_shift = 3;
2177         blue_shift = 6;
2178     }
2179 
2180     switch (bits_per_pixel) {
2181     case 8:
2182     case 16:
2183     case 32:
2184         break;
2185     default:
2186         vnc_client_error(vs);
2187         return;
2188     }
2189 
2190     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2191     vs->client_pf.rbits = ctpopl(red_max);
2192     vs->client_pf.rshift = red_shift;
2193     vs->client_pf.rmask = red_max << red_shift;
2194     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2195     vs->client_pf.gbits = ctpopl(green_max);
2196     vs->client_pf.gshift = green_shift;
2197     vs->client_pf.gmask = green_max << green_shift;
2198     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2199     vs->client_pf.bbits = ctpopl(blue_max);
2200     vs->client_pf.bshift = blue_shift;
2201     vs->client_pf.bmask = blue_max << blue_shift;
2202     vs->client_pf.bits_per_pixel = bits_per_pixel;
2203     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2204     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2205     vs->client_be = big_endian_flag;
2206 
2207     if (!true_color_flag) {
2208         send_color_map(vs);
2209     }
2210 
2211     set_pixel_conversion(vs);
2212 
2213     graphic_hw_invalidate(vs->vd->dcl.con);
2214     graphic_hw_update(vs->vd->dcl.con);
2215 }
2216 
2217 static void pixel_format_message (VncState *vs) {
2218     char pad[3] = { 0, 0, 0 };
2219 
2220     vs->client_pf = qemu_default_pixelformat(32);
2221 
2222     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2223     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2224 
2225 #ifdef HOST_WORDS_BIGENDIAN
2226     vnc_write_u8(vs, 1);             /* big-endian-flag */
2227 #else
2228     vnc_write_u8(vs, 0);             /* big-endian-flag */
2229 #endif
2230     vnc_write_u8(vs, 1);             /* true-color-flag */
2231     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2232     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2233     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2234     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2235     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2236     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2237     vnc_write(vs, pad, 3);           /* padding */
2238 
2239     vnc_hextile_set_pixel_conversion(vs, 0);
2240     vs->write_pixels = vnc_write_pixels_copy;
2241 }
2242 
2243 static void vnc_colordepth(VncState *vs)
2244 {
2245     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2246         /* Sending a WMVi message to notify the client*/
2247         vnc_lock_output(vs);
2248         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2249         vnc_write_u8(vs, 0);
2250         vnc_write_u16(vs, 1); /* number of rects */
2251         vnc_framebuffer_update(vs, 0, 0,
2252                                pixman_image_get_width(vs->vd->server),
2253                                pixman_image_get_height(vs->vd->server),
2254                                VNC_ENCODING_WMVi);
2255         pixel_format_message(vs);
2256         vnc_unlock_output(vs);
2257         vnc_flush(vs);
2258     } else {
2259         set_pixel_conversion(vs);
2260     }
2261 }
2262 
2263 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2264 {
2265     int i;
2266     uint16_t limit;
2267     uint32_t freq;
2268     VncDisplay *vd = vs->vd;
2269 
2270     if (data[0] > 3) {
2271         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2272     }
2273 
2274     switch (data[0]) {
2275     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2276         if (len == 1)
2277             return 20;
2278 
2279         set_pixel_format(vs, read_u8(data, 4),
2280                          read_u8(data, 6), read_u8(data, 7),
2281                          read_u16(data, 8), read_u16(data, 10),
2282                          read_u16(data, 12), read_u8(data, 14),
2283                          read_u8(data, 15), read_u8(data, 16));
2284         break;
2285     case VNC_MSG_CLIENT_SET_ENCODINGS:
2286         if (len == 1)
2287             return 4;
2288 
2289         if (len == 4) {
2290             limit = read_u16(data, 2);
2291             if (limit > 0)
2292                 return 4 + (limit * 4);
2293         } else
2294             limit = read_u16(data, 2);
2295 
2296         for (i = 0; i < limit; i++) {
2297             int32_t val = read_s32(data, 4 + (i * 4));
2298             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2299         }
2300 
2301         set_encodings(vs, (int32_t *)(data + 4), limit);
2302         break;
2303     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2304         if (len == 1)
2305             return 10;
2306 
2307         framebuffer_update_request(vs,
2308                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2309                                    read_u16(data, 6), read_u16(data, 8));
2310         break;
2311     case VNC_MSG_CLIENT_KEY_EVENT:
2312         if (len == 1)
2313             return 8;
2314 
2315         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2316         break;
2317     case VNC_MSG_CLIENT_POINTER_EVENT:
2318         if (len == 1)
2319             return 6;
2320 
2321         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2322         break;
2323     case VNC_MSG_CLIENT_CUT_TEXT:
2324         if (len == 1) {
2325             return 8;
2326         }
2327         if (len == 8) {
2328             uint32_t dlen = read_u32(data, 4);
2329             if (dlen > (1 << 20)) {
2330                 error_report("vnc: client_cut_text msg payload has %u bytes"
2331                              " which exceeds our limit of 1MB.", dlen);
2332                 vnc_client_error(vs);
2333                 break;
2334             }
2335             if (dlen > 0) {
2336                 return 8 + dlen;
2337             }
2338         }
2339 
2340         client_cut_text(vs, read_u32(data, 4), data + 8);
2341         break;
2342     case VNC_MSG_CLIENT_QEMU:
2343         if (len == 1)
2344             return 2;
2345 
2346         switch (read_u8(data, 1)) {
2347         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2348             if (len == 2)
2349                 return 12;
2350 
2351             ext_key_event(vs, read_u16(data, 2),
2352                           read_u32(data, 4), read_u32(data, 8));
2353             break;
2354         case VNC_MSG_CLIENT_QEMU_AUDIO:
2355             if (len == 2)
2356                 return 4;
2357 
2358             switch (read_u16 (data, 2)) {
2359             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2360                 audio_add(vs);
2361                 break;
2362             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2363                 audio_del(vs);
2364                 break;
2365             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2366                 if (len == 4)
2367                     return 10;
2368                 switch (read_u8(data, 4)) {
2369                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2370                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2371                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2372                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2373                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2374                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2375                 default:
2376                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2377                     vnc_client_error(vs);
2378                     break;
2379                 }
2380                 vs->as.nchannels = read_u8(data, 5);
2381                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2382                     VNC_DEBUG("Invalid audio channel count %d\n",
2383                               read_u8(data, 5));
2384                     vnc_client_error(vs);
2385                     break;
2386                 }
2387                 freq = read_u32(data, 6);
2388                 /* No official limit for protocol, but 48khz is a sensible
2389                  * upper bound for trustworthy clients, and this limit
2390                  * protects calculations involving 'vs->as.freq' later.
2391                  */
2392                 if (freq > 48000) {
2393                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2394                     vnc_client_error(vs);
2395                     break;
2396                 }
2397                 vs->as.freq = freq;
2398                 break;
2399             default:
2400                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2401                 vnc_client_error(vs);
2402                 break;
2403             }
2404             break;
2405 
2406         default:
2407             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2408             vnc_client_error(vs);
2409             break;
2410         }
2411         break;
2412     default:
2413         VNC_DEBUG("Msg: %d\n", data[0]);
2414         vnc_client_error(vs);
2415         break;
2416     }
2417 
2418     vnc_update_throttle_offset(vs);
2419     vnc_read_when(vs, protocol_client_msg, 1);
2420     return 0;
2421 }
2422 
2423 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2424 {
2425     char buf[1024];
2426     VncShareMode mode;
2427     int size;
2428 
2429     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2430     switch (vs->vd->share_policy) {
2431     case VNC_SHARE_POLICY_IGNORE:
2432         /*
2433          * Ignore the shared flag.  Nothing to do here.
2434          *
2435          * Doesn't conform to the rfb spec but is traditional qemu
2436          * behavior, thus left here as option for compatibility
2437          * reasons.
2438          */
2439         break;
2440     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2441         /*
2442          * Policy: Allow clients ask for exclusive access.
2443          *
2444          * Implementation: When a client asks for exclusive access,
2445          * disconnect all others. Shared connects are allowed as long
2446          * as no exclusive connection exists.
2447          *
2448          * This is how the rfb spec suggests to handle the shared flag.
2449          */
2450         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2451             VncState *client;
2452             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2453                 if (vs == client) {
2454                     continue;
2455                 }
2456                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2457                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2458                     continue;
2459                 }
2460                 vnc_disconnect_start(client);
2461             }
2462         }
2463         if (mode == VNC_SHARE_MODE_SHARED) {
2464             if (vs->vd->num_exclusive > 0) {
2465                 vnc_disconnect_start(vs);
2466                 return 0;
2467             }
2468         }
2469         break;
2470     case VNC_SHARE_POLICY_FORCE_SHARED:
2471         /*
2472          * Policy: Shared connects only.
2473          * Implementation: Disallow clients asking for exclusive access.
2474          *
2475          * Useful for shared desktop sessions where you don't want
2476          * someone forgetting to say -shared when running the vnc
2477          * client disconnect everybody else.
2478          */
2479         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2480             vnc_disconnect_start(vs);
2481             return 0;
2482         }
2483         break;
2484     }
2485     vnc_set_share_mode(vs, mode);
2486 
2487     if (vs->vd->num_shared > vs->vd->connections_limit) {
2488         vnc_disconnect_start(vs);
2489         return 0;
2490     }
2491 
2492     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2493            pixman_image_get_width(vs->vd->server) >= 0);
2494     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2495            pixman_image_get_height(vs->vd->server) >= 0);
2496     vs->client_width = pixman_image_get_width(vs->vd->server);
2497     vs->client_height = pixman_image_get_height(vs->vd->server);
2498     vnc_write_u16(vs, vs->client_width);
2499     vnc_write_u16(vs, vs->client_height);
2500 
2501     pixel_format_message(vs);
2502 
2503     if (qemu_name) {
2504         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2505         if (size > sizeof(buf)) {
2506             size = sizeof(buf);
2507         }
2508     } else {
2509         size = snprintf(buf, sizeof(buf), "QEMU");
2510     }
2511 
2512     vnc_write_u32(vs, size);
2513     vnc_write(vs, buf, size);
2514     vnc_flush(vs);
2515 
2516     vnc_client_cache_auth(vs);
2517     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2518 
2519     vnc_read_when(vs, protocol_client_msg, 1);
2520 
2521     return 0;
2522 }
2523 
2524 void start_client_init(VncState *vs)
2525 {
2526     vnc_read_when(vs, protocol_client_init, 1);
2527 }
2528 
2529 static void authentication_failed(VncState *vs)
2530 {
2531     vnc_write_u32(vs, 1); /* Reject auth */
2532     if (vs->minor >= 8) {
2533         static const char err[] = "Authentication failed";
2534         vnc_write_u32(vs, sizeof(err));
2535         vnc_write(vs, err, sizeof(err));
2536     }
2537     vnc_flush(vs);
2538     vnc_client_error(vs);
2539 }
2540 
2541 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2542 {
2543     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2544     size_t i, pwlen;
2545     unsigned char key[8];
2546     time_t now = time(NULL);
2547     QCryptoCipher *cipher = NULL;
2548     Error *err = NULL;
2549 
2550     if (!vs->vd->password) {
2551         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2552         goto reject;
2553     }
2554     if (vs->vd->expires < now) {
2555         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2556         goto reject;
2557     }
2558 
2559     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2560 
2561     /* Calculate the expected challenge response */
2562     pwlen = strlen(vs->vd->password);
2563     for (i=0; i<sizeof(key); i++)
2564         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2565 
2566     cipher = qcrypto_cipher_new(
2567         QCRYPTO_CIPHER_ALG_DES_RFB,
2568         QCRYPTO_CIPHER_MODE_ECB,
2569         key, G_N_ELEMENTS(key),
2570         &err);
2571     if (!cipher) {
2572         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2573                             error_get_pretty(err));
2574         error_free(err);
2575         goto reject;
2576     }
2577 
2578     if (qcrypto_cipher_encrypt(cipher,
2579                                vs->challenge,
2580                                response,
2581                                VNC_AUTH_CHALLENGE_SIZE,
2582                                &err) < 0) {
2583         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2584                             error_get_pretty(err));
2585         error_free(err);
2586         goto reject;
2587     }
2588 
2589     /* Compare expected vs actual challenge response */
2590     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2591         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2592         goto reject;
2593     } else {
2594         trace_vnc_auth_pass(vs, vs->auth);
2595         vnc_write_u32(vs, 0); /* Accept auth */
2596         vnc_flush(vs);
2597 
2598         start_client_init(vs);
2599     }
2600 
2601     qcrypto_cipher_free(cipher);
2602     return 0;
2603 
2604 reject:
2605     authentication_failed(vs);
2606     qcrypto_cipher_free(cipher);
2607     return 0;
2608 }
2609 
2610 void start_auth_vnc(VncState *vs)
2611 {
2612     Error *err = NULL;
2613 
2614     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2615         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2616                             error_get_pretty(err));
2617         error_free(err);
2618         authentication_failed(vs);
2619         return;
2620     }
2621 
2622     /* Send client a 'random' challenge */
2623     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2624     vnc_flush(vs);
2625 
2626     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2627 }
2628 
2629 
2630 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2631 {
2632     /* We only advertise 1 auth scheme at a time, so client
2633      * must pick the one we sent. Verify this */
2634     if (data[0] != vs->auth) { /* Reject auth */
2635        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2636        authentication_failed(vs);
2637     } else { /* Accept requested auth */
2638        trace_vnc_auth_start(vs, vs->auth);
2639        switch (vs->auth) {
2640        case VNC_AUTH_NONE:
2641            if (vs->minor >= 8) {
2642                vnc_write_u32(vs, 0); /* Accept auth completion */
2643                vnc_flush(vs);
2644            }
2645            trace_vnc_auth_pass(vs, vs->auth);
2646            start_client_init(vs);
2647            break;
2648 
2649        case VNC_AUTH_VNC:
2650            start_auth_vnc(vs);
2651            break;
2652 
2653        case VNC_AUTH_VENCRYPT:
2654            start_auth_vencrypt(vs);
2655            break;
2656 
2657 #ifdef CONFIG_VNC_SASL
2658        case VNC_AUTH_SASL:
2659            start_auth_sasl(vs);
2660            break;
2661 #endif /* CONFIG_VNC_SASL */
2662 
2663        default: /* Should not be possible, but just in case */
2664            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2665            authentication_failed(vs);
2666        }
2667     }
2668     return 0;
2669 }
2670 
2671 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2672 {
2673     char local[13];
2674 
2675     memcpy(local, version, 12);
2676     local[12] = 0;
2677 
2678     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2679         VNC_DEBUG("Malformed protocol version %s\n", local);
2680         vnc_client_error(vs);
2681         return 0;
2682     }
2683     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2684     if (vs->major != 3 ||
2685         (vs->minor != 3 &&
2686          vs->minor != 4 &&
2687          vs->minor != 5 &&
2688          vs->minor != 7 &&
2689          vs->minor != 8)) {
2690         VNC_DEBUG("Unsupported client version\n");
2691         vnc_write_u32(vs, VNC_AUTH_INVALID);
2692         vnc_flush(vs);
2693         vnc_client_error(vs);
2694         return 0;
2695     }
2696     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2697      * as equivalent to v3.3 by servers
2698      */
2699     if (vs->minor == 4 || vs->minor == 5)
2700         vs->minor = 3;
2701 
2702     if (vs->minor == 3) {
2703         trace_vnc_auth_start(vs, vs->auth);
2704         if (vs->auth == VNC_AUTH_NONE) {
2705             vnc_write_u32(vs, vs->auth);
2706             vnc_flush(vs);
2707             trace_vnc_auth_pass(vs, vs->auth);
2708             start_client_init(vs);
2709        } else if (vs->auth == VNC_AUTH_VNC) {
2710             VNC_DEBUG("Tell client VNC auth\n");
2711             vnc_write_u32(vs, vs->auth);
2712             vnc_flush(vs);
2713             start_auth_vnc(vs);
2714        } else {
2715             trace_vnc_auth_fail(vs, vs->auth,
2716                                 "Unsupported auth method for v3.3", "");
2717             vnc_write_u32(vs, VNC_AUTH_INVALID);
2718             vnc_flush(vs);
2719             vnc_client_error(vs);
2720        }
2721     } else {
2722         vnc_write_u8(vs, 1); /* num auth */
2723         vnc_write_u8(vs, vs->auth);
2724         vnc_read_when(vs, protocol_client_auth, 1);
2725         vnc_flush(vs);
2726     }
2727 
2728     return 0;
2729 }
2730 
2731 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2732 {
2733     struct VncSurface *vs = &vd->guest;
2734 
2735     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2736 }
2737 
2738 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2739 {
2740     int i, j;
2741 
2742     w = (x + w) / VNC_STAT_RECT;
2743     h = (y + h) / VNC_STAT_RECT;
2744     x /= VNC_STAT_RECT;
2745     y /= VNC_STAT_RECT;
2746 
2747     for (j = y; j <= h; j++) {
2748         for (i = x; i <= w; i++) {
2749             vs->lossy_rect[j][i] = 1;
2750         }
2751     }
2752 }
2753 
2754 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2755 {
2756     VncState *vs;
2757     int sty = y / VNC_STAT_RECT;
2758     int stx = x / VNC_STAT_RECT;
2759     int has_dirty = 0;
2760 
2761     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2762     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2763 
2764     QTAILQ_FOREACH(vs, &vd->clients, next) {
2765         int j;
2766 
2767         /* kernel send buffers are full -> refresh later */
2768         if (vs->output.offset) {
2769             continue;
2770         }
2771 
2772         if (!vs->lossy_rect[sty][stx]) {
2773             continue;
2774         }
2775 
2776         vs->lossy_rect[sty][stx] = 0;
2777         for (j = 0; j < VNC_STAT_RECT; ++j) {
2778             bitmap_set(vs->dirty[y + j],
2779                        x / VNC_DIRTY_PIXELS_PER_BIT,
2780                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2781         }
2782         has_dirty++;
2783     }
2784 
2785     return has_dirty;
2786 }
2787 
2788 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2789 {
2790     int width = MIN(pixman_image_get_width(vd->guest.fb),
2791                     pixman_image_get_width(vd->server));
2792     int height = MIN(pixman_image_get_height(vd->guest.fb),
2793                      pixman_image_get_height(vd->server));
2794     int x, y;
2795     struct timeval res;
2796     int has_dirty = 0;
2797 
2798     for (y = 0; y < height; y += VNC_STAT_RECT) {
2799         for (x = 0; x < width; x += VNC_STAT_RECT) {
2800             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2801 
2802             rect->updated = false;
2803         }
2804     }
2805 
2806     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2807 
2808     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2809         return has_dirty;
2810     }
2811     vd->guest.last_freq_check = *tv;
2812 
2813     for (y = 0; y < height; y += VNC_STAT_RECT) {
2814         for (x = 0; x < width; x += VNC_STAT_RECT) {
2815             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2816             int count = ARRAY_SIZE(rect->times);
2817             struct timeval min, max;
2818 
2819             if (!timerisset(&rect->times[count - 1])) {
2820                 continue ;
2821             }
2822 
2823             max = rect->times[(rect->idx + count - 1) % count];
2824             qemu_timersub(tv, &max, &res);
2825 
2826             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2827                 rect->freq = 0;
2828                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2829                 memset(rect->times, 0, sizeof (rect->times));
2830                 continue ;
2831             }
2832 
2833             min = rect->times[rect->idx];
2834             max = rect->times[(rect->idx + count - 1) % count];
2835             qemu_timersub(&max, &min, &res);
2836 
2837             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2838             rect->freq /= count;
2839             rect->freq = 1. / rect->freq;
2840         }
2841     }
2842     return has_dirty;
2843 }
2844 
2845 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2846 {
2847     int i, j;
2848     double total = 0;
2849     int num = 0;
2850 
2851     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2852     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2853 
2854     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2855         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2856             total += vnc_stat_rect(vs->vd, i, j)->freq;
2857             num++;
2858         }
2859     }
2860 
2861     if (num) {
2862         return total / num;
2863     } else {
2864         return 0;
2865     }
2866 }
2867 
2868 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2869 {
2870     VncRectStat *rect;
2871 
2872     rect = vnc_stat_rect(vd, x, y);
2873     if (rect->updated) {
2874         return ;
2875     }
2876     rect->times[rect->idx] = *tv;
2877     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2878     rect->updated = true;
2879 }
2880 
2881 static int vnc_refresh_server_surface(VncDisplay *vd)
2882 {
2883     int width = MIN(pixman_image_get_width(vd->guest.fb),
2884                     pixman_image_get_width(vd->server));
2885     int height = MIN(pixman_image_get_height(vd->guest.fb),
2886                      pixman_image_get_height(vd->server));
2887     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2888     uint8_t *guest_row0 = NULL, *server_row0;
2889     VncState *vs;
2890     int has_dirty = 0;
2891     pixman_image_t *tmpbuf = NULL;
2892 
2893     struct timeval tv = { 0, 0 };
2894 
2895     if (!vd->non_adaptive) {
2896         gettimeofday(&tv, NULL);
2897         has_dirty = vnc_update_stats(vd, &tv);
2898     }
2899 
2900     /*
2901      * Walk through the guest dirty map.
2902      * Check and copy modified bits from guest to server surface.
2903      * Update server dirty map.
2904      */
2905     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2906     server_stride = guest_stride = guest_ll =
2907         pixman_image_get_stride(vd->server);
2908     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2909                     server_stride);
2910     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2911         int width = pixman_image_get_width(vd->server);
2912         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2913     } else {
2914         int guest_bpp =
2915             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2916         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2917         guest_stride = pixman_image_get_stride(vd->guest.fb);
2918         guest_ll = pixman_image_get_width(vd->guest.fb)
2919                    * DIV_ROUND_UP(guest_bpp, 8);
2920     }
2921     line_bytes = MIN(server_stride, guest_ll);
2922 
2923     for (;;) {
2924         int x;
2925         uint8_t *guest_ptr, *server_ptr;
2926         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2927                                              height * VNC_DIRTY_BPL(&vd->guest),
2928                                              y * VNC_DIRTY_BPL(&vd->guest));
2929         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2930             /* no more dirty bits */
2931             break;
2932         }
2933         y = offset / VNC_DIRTY_BPL(&vd->guest);
2934         x = offset % VNC_DIRTY_BPL(&vd->guest);
2935 
2936         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2937 
2938         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2939             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2940             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2941         } else {
2942             guest_ptr = guest_row0 + y * guest_stride;
2943         }
2944         guest_ptr += x * cmp_bytes;
2945 
2946         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2947              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2948             int _cmp_bytes = cmp_bytes;
2949             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2950                 continue;
2951             }
2952             if ((x + 1) * cmp_bytes > line_bytes) {
2953                 _cmp_bytes = line_bytes - x * cmp_bytes;
2954             }
2955             assert(_cmp_bytes >= 0);
2956             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2957                 continue;
2958             }
2959             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2960             if (!vd->non_adaptive) {
2961                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2962                                  y, &tv);
2963             }
2964             QTAILQ_FOREACH(vs, &vd->clients, next) {
2965                 set_bit(x, vs->dirty[y]);
2966             }
2967             has_dirty++;
2968         }
2969 
2970         y++;
2971     }
2972     qemu_pixman_image_unref(tmpbuf);
2973     return has_dirty;
2974 }
2975 
2976 static void vnc_refresh(DisplayChangeListener *dcl)
2977 {
2978     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2979     VncState *vs, *vn;
2980     int has_dirty, rects = 0;
2981 
2982     if (QTAILQ_EMPTY(&vd->clients)) {
2983         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2984         return;
2985     }
2986 
2987     graphic_hw_update(vd->dcl.con);
2988 
2989     if (vnc_trylock_display(vd)) {
2990         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2991         return;
2992     }
2993 
2994     has_dirty = vnc_refresh_server_surface(vd);
2995     vnc_unlock_display(vd);
2996 
2997     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2998         rects += vnc_update_client(vs, has_dirty);
2999         /* vs might be free()ed here */
3000     }
3001 
3002     if (has_dirty && rects) {
3003         vd->dcl.update_interval /= 2;
3004         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3005             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3006         }
3007     } else {
3008         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3009         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3010             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3011         }
3012     }
3013 }
3014 
3015 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3016                         bool skipauth, bool websocket)
3017 {
3018     VncState *vs = g_new0(VncState, 1);
3019     bool first_client = QTAILQ_EMPTY(&vd->clients);
3020     int i;
3021 
3022     trace_vnc_client_connect(vs, sioc);
3023     vs->zrle = g_new0(VncZrle, 1);
3024     vs->tight = g_new0(VncTight, 1);
3025     vs->magic = VNC_MAGIC;
3026     vs->sioc = sioc;
3027     object_ref(OBJECT(vs->sioc));
3028     vs->ioc = QIO_CHANNEL(sioc);
3029     object_ref(OBJECT(vs->ioc));
3030     vs->vd = vd;
3031 
3032     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3033     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3034     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3035 
3036     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3037     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3038     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3039 #ifdef CONFIG_VNC_JPEG
3040     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3041 #endif
3042 #ifdef CONFIG_VNC_PNG
3043     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3044 #endif
3045     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3046     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3047     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3048     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3049 
3050     if (skipauth) {
3051         vs->auth = VNC_AUTH_NONE;
3052         vs->subauth = VNC_AUTH_INVALID;
3053     } else {
3054         if (websocket) {
3055             vs->auth = vd->ws_auth;
3056             vs->subauth = VNC_AUTH_INVALID;
3057         } else {
3058             vs->auth = vd->auth;
3059             vs->subauth = vd->subauth;
3060         }
3061     }
3062     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3063               sioc, websocket, vs->auth, vs->subauth);
3064 
3065     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3066     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3067         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3068     }
3069 
3070     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3071     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3072     qio_channel_set_blocking(vs->ioc, false, NULL);
3073     if (vs->ioc_tag) {
3074         g_source_remove(vs->ioc_tag);
3075     }
3076     if (websocket) {
3077         vs->websocket = 1;
3078         if (vd->tlscreds) {
3079             vs->ioc_tag = qio_channel_add_watch(
3080                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3081         } else {
3082             vs->ioc_tag = qio_channel_add_watch(
3083                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3084         }
3085     } else {
3086         vs->ioc_tag = qio_channel_add_watch(
3087             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3088     }
3089 
3090     vnc_client_cache_addr(vs);
3091     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3092     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3093 
3094     vs->last_x = -1;
3095     vs->last_y = -1;
3096 
3097     vs->as.freq = 44100;
3098     vs->as.nchannels = 2;
3099     vs->as.fmt = AUDIO_FORMAT_S16;
3100     vs->as.endianness = 0;
3101 
3102     qemu_mutex_init(&vs->output_mutex);
3103     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3104 
3105     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3106     if (first_client) {
3107         vnc_update_server_surface(vd);
3108     }
3109 
3110     graphic_hw_update(vd->dcl.con);
3111 
3112     if (!vs->websocket) {
3113         vnc_start_protocol(vs);
3114     }
3115 
3116     if (vd->num_connecting > vd->connections_limit) {
3117         QTAILQ_FOREACH(vs, &vd->clients, next) {
3118             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3119                 vnc_disconnect_start(vs);
3120                 return;
3121             }
3122         }
3123     }
3124 }
3125 
3126 void vnc_start_protocol(VncState *vs)
3127 {
3128     vnc_write(vs, "RFB 003.008\n", 12);
3129     vnc_flush(vs);
3130     vnc_read_when(vs, protocol_version, 12);
3131 
3132     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3133     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3134 }
3135 
3136 static void vnc_listen_io(QIONetListener *listener,
3137                           QIOChannelSocket *cioc,
3138                           void *opaque)
3139 {
3140     VncDisplay *vd = opaque;
3141     bool isWebsock = listener == vd->wslistener;
3142 
3143     qio_channel_set_name(QIO_CHANNEL(cioc),
3144                          isWebsock ? "vnc-ws-server" : "vnc-server");
3145     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3146     vnc_connect(vd, cioc, false, isWebsock);
3147 }
3148 
3149 static const DisplayChangeListenerOps dcl_ops = {
3150     .dpy_name             = "vnc",
3151     .dpy_refresh          = vnc_refresh,
3152     .dpy_gfx_update       = vnc_dpy_update,
3153     .dpy_gfx_switch       = vnc_dpy_switch,
3154     .dpy_gfx_check_format = qemu_pixman_check_format,
3155     .dpy_mouse_set        = vnc_mouse_set,
3156     .dpy_cursor_define    = vnc_dpy_cursor_define,
3157 };
3158 
3159 void vnc_display_init(const char *id, Error **errp)
3160 {
3161     VncDisplay *vd;
3162 
3163     if (vnc_display_find(id) != NULL) {
3164         return;
3165     }
3166     vd = g_malloc0(sizeof(*vd));
3167 
3168     vd->id = strdup(id);
3169     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3170 
3171     QTAILQ_INIT(&vd->clients);
3172     vd->expires = TIME_MAX;
3173 
3174     if (keyboard_layout) {
3175         trace_vnc_key_map_init(keyboard_layout);
3176         vd->kbd_layout = init_keyboard_layout(name2keysym,
3177                                               keyboard_layout, errp);
3178     } else {
3179         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3180     }
3181 
3182     if (!vd->kbd_layout) {
3183         return;
3184     }
3185 
3186     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3187     vd->connections_limit = 32;
3188 
3189     qemu_mutex_init(&vd->mutex);
3190     vnc_start_worker_thread();
3191 
3192     vd->dcl.ops = &dcl_ops;
3193     register_displaychangelistener(&vd->dcl);
3194     vd->kbd = qkbd_state_init(vd->dcl.con);
3195 }
3196 
3197 
3198 static void vnc_display_close(VncDisplay *vd)
3199 {
3200     if (!vd) {
3201         return;
3202     }
3203     vd->is_unix = false;
3204 
3205     if (vd->listener) {
3206         qio_net_listener_disconnect(vd->listener);
3207         object_unref(OBJECT(vd->listener));
3208     }
3209     vd->listener = NULL;
3210 
3211     if (vd->wslistener) {
3212         qio_net_listener_disconnect(vd->wslistener);
3213         object_unref(OBJECT(vd->wslistener));
3214     }
3215     vd->wslistener = NULL;
3216 
3217     vd->auth = VNC_AUTH_INVALID;
3218     vd->subauth = VNC_AUTH_INVALID;
3219     if (vd->tlscreds) {
3220         object_unparent(OBJECT(vd->tlscreds));
3221         vd->tlscreds = NULL;
3222     }
3223     if (vd->tlsauthz) {
3224         object_unparent(OBJECT(vd->tlsauthz));
3225         vd->tlsauthz = NULL;
3226     }
3227     g_free(vd->tlsauthzid);
3228     vd->tlsauthzid = NULL;
3229     if (vd->lock_key_sync) {
3230         qemu_remove_led_event_handler(vd->led);
3231         vd->led = NULL;
3232     }
3233 #ifdef CONFIG_VNC_SASL
3234     if (vd->sasl.authz) {
3235         object_unparent(OBJECT(vd->sasl.authz));
3236         vd->sasl.authz = NULL;
3237     }
3238     g_free(vd->sasl.authzid);
3239     vd->sasl.authzid = NULL;
3240 #endif
3241 }
3242 
3243 int vnc_display_password(const char *id, const char *password)
3244 {
3245     VncDisplay *vd = vnc_display_find(id);
3246 
3247     if (!vd) {
3248         return -EINVAL;
3249     }
3250     if (vd->auth == VNC_AUTH_NONE) {
3251         error_printf_unless_qmp("If you want use passwords please enable "
3252                                 "password auth using '-vnc ${dpy},password'.\n");
3253         return -EINVAL;
3254     }
3255 
3256     g_free(vd->password);
3257     vd->password = g_strdup(password);
3258 
3259     return 0;
3260 }
3261 
3262 int vnc_display_pw_expire(const char *id, time_t expires)
3263 {
3264     VncDisplay *vd = vnc_display_find(id);
3265 
3266     if (!vd) {
3267         return -EINVAL;
3268     }
3269 
3270     vd->expires = expires;
3271     return 0;
3272 }
3273 
3274 static void vnc_display_print_local_addr(VncDisplay *vd)
3275 {
3276     SocketAddress *addr;
3277 
3278     if (!vd->listener || !vd->listener->nsioc) {
3279         return;
3280     }
3281 
3282     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3283     if (!addr) {
3284         return;
3285     }
3286 
3287     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3288         qapi_free_SocketAddress(addr);
3289         return;
3290     }
3291     error_printf_unless_qmp("VNC server running on %s:%s\n",
3292                             addr->u.inet.host,
3293                             addr->u.inet.port);
3294     qapi_free_SocketAddress(addr);
3295 }
3296 
3297 static QemuOptsList qemu_vnc_opts = {
3298     .name = "vnc",
3299     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3300     .implied_opt_name = "vnc",
3301     .desc = {
3302         {
3303             .name = "vnc",
3304             .type = QEMU_OPT_STRING,
3305         },{
3306             .name = "websocket",
3307             .type = QEMU_OPT_STRING,
3308         },{
3309             .name = "tls-creds",
3310             .type = QEMU_OPT_STRING,
3311         },{
3312             .name = "share",
3313             .type = QEMU_OPT_STRING,
3314         },{
3315             .name = "display",
3316             .type = QEMU_OPT_STRING,
3317         },{
3318             .name = "head",
3319             .type = QEMU_OPT_NUMBER,
3320         },{
3321             .name = "connections",
3322             .type = QEMU_OPT_NUMBER,
3323         },{
3324             .name = "to",
3325             .type = QEMU_OPT_NUMBER,
3326         },{
3327             .name = "ipv4",
3328             .type = QEMU_OPT_BOOL,
3329         },{
3330             .name = "ipv6",
3331             .type = QEMU_OPT_BOOL,
3332         },{
3333             .name = "password",
3334             .type = QEMU_OPT_BOOL,
3335         },{
3336             .name = "reverse",
3337             .type = QEMU_OPT_BOOL,
3338         },{
3339             .name = "lock-key-sync",
3340             .type = QEMU_OPT_BOOL,
3341         },{
3342             .name = "key-delay-ms",
3343             .type = QEMU_OPT_NUMBER,
3344         },{
3345             .name = "sasl",
3346             .type = QEMU_OPT_BOOL,
3347         },{
3348             .name = "acl",
3349             .type = QEMU_OPT_BOOL,
3350         },{
3351             .name = "tls-authz",
3352             .type = QEMU_OPT_STRING,
3353         },{
3354             .name = "sasl-authz",
3355             .type = QEMU_OPT_STRING,
3356         },{
3357             .name = "lossy",
3358             .type = QEMU_OPT_BOOL,
3359         },{
3360             .name = "non-adaptive",
3361             .type = QEMU_OPT_BOOL,
3362         },{
3363             .name = "audiodev",
3364             .type = QEMU_OPT_STRING,
3365         },
3366         { /* end of list */ }
3367     },
3368 };
3369 
3370 
3371 static int
3372 vnc_display_setup_auth(int *auth,
3373                        int *subauth,
3374                        QCryptoTLSCreds *tlscreds,
3375                        bool password,
3376                        bool sasl,
3377                        bool websocket,
3378                        Error **errp)
3379 {
3380     /*
3381      * We have a choice of 3 authentication options
3382      *
3383      *   1. none
3384      *   2. vnc
3385      *   3. sasl
3386      *
3387      * The channel can be run in 2 modes
3388      *
3389      *   1. clear
3390      *   2. tls
3391      *
3392      * And TLS can use 2 types of credentials
3393      *
3394      *   1. anon
3395      *   2. x509
3396      *
3397      * We thus have 9 possible logical combinations
3398      *
3399      *   1. clear + none
3400      *   2. clear + vnc
3401      *   3. clear + sasl
3402      *   4. tls + anon + none
3403      *   5. tls + anon + vnc
3404      *   6. tls + anon + sasl
3405      *   7. tls + x509 + none
3406      *   8. tls + x509 + vnc
3407      *   9. tls + x509 + sasl
3408      *
3409      * These need to be mapped into the VNC auth schemes
3410      * in an appropriate manner. In regular VNC, all the
3411      * TLS options get mapped into VNC_AUTH_VENCRYPT
3412      * sub-auth types.
3413      *
3414      * In websockets, the https:// protocol already provides
3415      * TLS support, so there is no need to make use of the
3416      * VeNCrypt extension. Furthermore, websockets browser
3417      * clients could not use VeNCrypt even if they wanted to,
3418      * as they cannot control when the TLS handshake takes
3419      * place. Thus there is no option but to rely on https://,
3420      * meaning combinations 4->6 and 7->9 will be mapped to
3421      * VNC auth schemes in the same way as combos 1->3.
3422      *
3423      * Regardless of fact that we have a different mapping to
3424      * VNC auth mechs for plain VNC vs websockets VNC, the end
3425      * result has the same security characteristics.
3426      */
3427     if (websocket || !tlscreds) {
3428         if (password) {
3429             VNC_DEBUG("Initializing VNC server with password auth\n");
3430             *auth = VNC_AUTH_VNC;
3431         } else if (sasl) {
3432             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3433             *auth = VNC_AUTH_SASL;
3434         } else {
3435             VNC_DEBUG("Initializing VNC server with no auth\n");
3436             *auth = VNC_AUTH_NONE;
3437         }
3438         *subauth = VNC_AUTH_INVALID;
3439     } else {
3440         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3441                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3442         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3443                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3444 
3445         if (!is_x509 && !is_anon) {
3446             error_setg(errp,
3447                        "Unsupported TLS cred type %s",
3448                        object_get_typename(OBJECT(tlscreds)));
3449             return -1;
3450         }
3451         *auth = VNC_AUTH_VENCRYPT;
3452         if (password) {
3453             if (is_x509) {
3454                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3455                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3456             } else {
3457                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3458                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3459             }
3460 
3461         } else if (sasl) {
3462             if (is_x509) {
3463                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3464                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3465             } else {
3466                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3467                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3468             }
3469         } else {
3470             if (is_x509) {
3471                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3472                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3473             } else {
3474                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3475                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3476             }
3477         }
3478     }
3479     return 0;
3480 }
3481 
3482 
3483 static int vnc_display_get_address(const char *addrstr,
3484                                    bool websocket,
3485                                    bool reverse,
3486                                    int displaynum,
3487                                    int to,
3488                                    bool has_ipv4,
3489                                    bool has_ipv6,
3490                                    bool ipv4,
3491                                    bool ipv6,
3492                                    SocketAddress **retaddr,
3493                                    Error **errp)
3494 {
3495     int ret = -1;
3496     SocketAddress *addr = NULL;
3497 
3498     addr = g_new0(SocketAddress, 1);
3499 
3500     if (strncmp(addrstr, "unix:", 5) == 0) {
3501         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3502         addr->u.q_unix.path = g_strdup(addrstr + 5);
3503 
3504         if (websocket) {
3505             error_setg(errp, "UNIX sockets not supported with websock");
3506             goto cleanup;
3507         }
3508 
3509         if (to) {
3510             error_setg(errp, "Port range not support with UNIX socket");
3511             goto cleanup;
3512         }
3513         ret = 0;
3514     } else {
3515         const char *port;
3516         size_t hostlen;
3517         unsigned long long baseport = 0;
3518         InetSocketAddress *inet;
3519 
3520         port = strrchr(addrstr, ':');
3521         if (!port) {
3522             if (websocket) {
3523                 hostlen = 0;
3524                 port = addrstr;
3525             } else {
3526                 error_setg(errp, "no vnc port specified");
3527                 goto cleanup;
3528             }
3529         } else {
3530             hostlen = port - addrstr;
3531             port++;
3532             if (*port == '\0') {
3533                 error_setg(errp, "vnc port cannot be empty");
3534                 goto cleanup;
3535             }
3536         }
3537 
3538         addr->type = SOCKET_ADDRESS_TYPE_INET;
3539         inet = &addr->u.inet;
3540         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3541             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3542         } else {
3543             inet->host = g_strndup(addrstr, hostlen);
3544         }
3545         /* plain VNC port is just an offset, for websocket
3546          * port is absolute */
3547         if (websocket) {
3548             if (g_str_equal(addrstr, "") ||
3549                 g_str_equal(addrstr, "on")) {
3550                 if (displaynum == -1) {
3551                     error_setg(errp, "explicit websocket port is required");
3552                     goto cleanup;
3553                 }
3554                 inet->port = g_strdup_printf(
3555                     "%d", displaynum + 5700);
3556                 if (to) {
3557                     inet->has_to = true;
3558                     inet->to = to + 5700;
3559                 }
3560             } else {
3561                 inet->port = g_strdup(port);
3562             }
3563         } else {
3564             int offset = reverse ? 0 : 5900;
3565             if (parse_uint_full(port, &baseport, 10) < 0) {
3566                 error_setg(errp, "can't convert to a number: %s", port);
3567                 goto cleanup;
3568             }
3569             if (baseport > 65535 ||
3570                 baseport + offset > 65535) {
3571                 error_setg(errp, "port %s out of range", port);
3572                 goto cleanup;
3573             }
3574             inet->port = g_strdup_printf(
3575                 "%d", (int)baseport + offset);
3576 
3577             if (to) {
3578                 inet->has_to = true;
3579                 inet->to = to + offset;
3580             }
3581         }
3582 
3583         inet->ipv4 = ipv4;
3584         inet->has_ipv4 = has_ipv4;
3585         inet->ipv6 = ipv6;
3586         inet->has_ipv6 = has_ipv6;
3587 
3588         ret = baseport;
3589     }
3590 
3591     *retaddr = addr;
3592 
3593  cleanup:
3594     if (ret < 0) {
3595         qapi_free_SocketAddress(addr);
3596     }
3597     return ret;
3598 }
3599 
3600 static void vnc_free_addresses(SocketAddress ***retsaddr,
3601                                size_t *retnsaddr)
3602 {
3603     size_t i;
3604 
3605     for (i = 0; i < *retnsaddr; i++) {
3606         qapi_free_SocketAddress((*retsaddr)[i]);
3607     }
3608     g_free(*retsaddr);
3609 
3610     *retsaddr = NULL;
3611     *retnsaddr = 0;
3612 }
3613 
3614 static int vnc_display_get_addresses(QemuOpts *opts,
3615                                      bool reverse,
3616                                      SocketAddress ***retsaddr,
3617                                      size_t *retnsaddr,
3618                                      SocketAddress ***retwsaddr,
3619                                      size_t *retnwsaddr,
3620                                      Error **errp)
3621 {
3622     SocketAddress *saddr = NULL;
3623     SocketAddress *wsaddr = NULL;
3624     QemuOptsIter addriter;
3625     const char *addr;
3626     int to = qemu_opt_get_number(opts, "to", 0);
3627     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3628     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3629     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3630     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3631     int displaynum = -1;
3632     int ret = -1;
3633 
3634     *retsaddr = NULL;
3635     *retnsaddr = 0;
3636     *retwsaddr = NULL;
3637     *retnwsaddr = 0;
3638 
3639     addr = qemu_opt_get(opts, "vnc");
3640     if (addr == NULL || g_str_equal(addr, "none")) {
3641         ret = 0;
3642         goto cleanup;
3643     }
3644     if (qemu_opt_get(opts, "websocket") &&
3645         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3646         error_setg(errp,
3647                    "SHA1 hash support is required for websockets");
3648         goto cleanup;
3649     }
3650 
3651     qemu_opt_iter_init(&addriter, opts, "vnc");
3652     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3653         int rv;
3654         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3655                                      has_ipv4, has_ipv6,
3656                                      ipv4, ipv6,
3657                                      &saddr, errp);
3658         if (rv < 0) {
3659             goto cleanup;
3660         }
3661         /* Historical compat - first listen address can be used
3662          * to set the default websocket port
3663          */
3664         if (displaynum == -1) {
3665             displaynum = rv;
3666         }
3667         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3668         (*retsaddr)[(*retnsaddr)++] = saddr;
3669     }
3670 
3671     /* If we had multiple primary displays, we don't do defaults
3672      * for websocket, and require explicit config instead. */
3673     if (*retnsaddr > 1) {
3674         displaynum = -1;
3675     }
3676 
3677     qemu_opt_iter_init(&addriter, opts, "websocket");
3678     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3679         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3680                                     has_ipv4, has_ipv6,
3681                                     ipv4, ipv6,
3682                                     &wsaddr, errp) < 0) {
3683             goto cleanup;
3684         }
3685 
3686         /* Historical compat - if only a single listen address was
3687          * provided, then this is used to set the default listen
3688          * address for websocket too
3689          */
3690         if (*retnsaddr == 1 &&
3691             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3692             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3693             g_str_equal(wsaddr->u.inet.host, "") &&
3694             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3695             g_free(wsaddr->u.inet.host);
3696             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3697         }
3698 
3699         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3700         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3701     }
3702 
3703     ret = 0;
3704  cleanup:
3705     if (ret < 0) {
3706         vnc_free_addresses(retsaddr, retnsaddr);
3707         vnc_free_addresses(retwsaddr, retnwsaddr);
3708     }
3709     return ret;
3710 }
3711 
3712 static int vnc_display_connect(VncDisplay *vd,
3713                                SocketAddress **saddr,
3714                                size_t nsaddr,
3715                                SocketAddress **wsaddr,
3716                                size_t nwsaddr,
3717                                Error **errp)
3718 {
3719     /* connect to viewer */
3720     QIOChannelSocket *sioc = NULL;
3721     if (nwsaddr != 0) {
3722         error_setg(errp, "Cannot use websockets in reverse mode");
3723         return -1;
3724     }
3725     if (nsaddr != 1) {
3726         error_setg(errp, "Expected a single address in reverse mode");
3727         return -1;
3728     }
3729     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3730     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3731     sioc = qio_channel_socket_new();
3732     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3733     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3734         return -1;
3735     }
3736     vnc_connect(vd, sioc, false, false);
3737     object_unref(OBJECT(sioc));
3738     return 0;
3739 }
3740 
3741 
3742 static int vnc_display_listen(VncDisplay *vd,
3743                               SocketAddress **saddr,
3744                               size_t nsaddr,
3745                               SocketAddress **wsaddr,
3746                               size_t nwsaddr,
3747                               Error **errp)
3748 {
3749     size_t i;
3750 
3751     if (nsaddr) {
3752         vd->listener = qio_net_listener_new();
3753         qio_net_listener_set_name(vd->listener, "vnc-listen");
3754         for (i = 0; i < nsaddr; i++) {
3755             if (qio_net_listener_open_sync(vd->listener,
3756                                            saddr[i], 1,
3757                                            errp) < 0)  {
3758                 return -1;
3759             }
3760         }
3761 
3762         qio_net_listener_set_client_func(vd->listener,
3763                                          vnc_listen_io, vd, NULL);
3764     }
3765 
3766     if (nwsaddr) {
3767         vd->wslistener = qio_net_listener_new();
3768         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3769         for (i = 0; i < nwsaddr; i++) {
3770             if (qio_net_listener_open_sync(vd->wslistener,
3771                                            wsaddr[i], 1,
3772                                            errp) < 0)  {
3773                 return -1;
3774             }
3775         }
3776 
3777         qio_net_listener_set_client_func(vd->wslistener,
3778                                          vnc_listen_io, vd, NULL);
3779     }
3780 
3781     return 0;
3782 }
3783 
3784 
3785 void vnc_display_open(const char *id, Error **errp)
3786 {
3787     VncDisplay *vd = vnc_display_find(id);
3788     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3789     SocketAddress **saddr = NULL, **wsaddr = NULL;
3790     size_t nsaddr, nwsaddr;
3791     const char *share, *device_id;
3792     QemuConsole *con;
3793     bool password = false;
3794     bool reverse = false;
3795     const char *credid;
3796     bool sasl = false;
3797     int acl = 0;
3798     const char *tlsauthz;
3799     const char *saslauthz;
3800     int lock_key_sync = 1;
3801     int key_delay_ms;
3802     const char *audiodev;
3803 
3804     if (!vd) {
3805         error_setg(errp, "VNC display not active");
3806         return;
3807     }
3808     vnc_display_close(vd);
3809 
3810     if (!opts) {
3811         return;
3812     }
3813 
3814     reverse = qemu_opt_get_bool(opts, "reverse", false);
3815     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3816                                   &wsaddr, &nwsaddr, errp) < 0) {
3817         goto fail;
3818     }
3819 
3820     password = qemu_opt_get_bool(opts, "password", false);
3821     if (password) {
3822         if (fips_get_state()) {
3823             error_setg(errp,
3824                        "VNC password auth disabled due to FIPS mode, "
3825                        "consider using the VeNCrypt or SASL authentication "
3826                        "methods as an alternative");
3827             goto fail;
3828         }
3829         if (!qcrypto_cipher_supports(
3830                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3831             error_setg(errp,
3832                        "Cipher backend does not support DES RFB algorithm");
3833             goto fail;
3834         }
3835     }
3836 
3837     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3838     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3839     sasl = qemu_opt_get_bool(opts, "sasl", false);
3840 #ifndef CONFIG_VNC_SASL
3841     if (sasl) {
3842         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3843         goto fail;
3844     }
3845 #endif /* CONFIG_VNC_SASL */
3846     credid = qemu_opt_get(opts, "tls-creds");
3847     if (credid) {
3848         Object *creds;
3849         creds = object_resolve_path_component(
3850             object_get_objects_root(), credid);
3851         if (!creds) {
3852             error_setg(errp, "No TLS credentials with id '%s'",
3853                        credid);
3854             goto fail;
3855         }
3856         vd->tlscreds = (QCryptoTLSCreds *)
3857             object_dynamic_cast(creds,
3858                                 TYPE_QCRYPTO_TLS_CREDS);
3859         if (!vd->tlscreds) {
3860             error_setg(errp, "Object with id '%s' is not TLS credentials",
3861                        credid);
3862             goto fail;
3863         }
3864         object_ref(OBJECT(vd->tlscreds));
3865 
3866         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3867             error_setg(errp,
3868                        "Expecting TLS credentials with a server endpoint");
3869             goto fail;
3870         }
3871     }
3872     if (qemu_opt_get(opts, "acl")) {
3873         error_report("The 'acl' option to -vnc is deprecated. "
3874                      "Please use the 'tls-authz' and 'sasl-authz' "
3875                      "options instead");
3876     }
3877     acl = qemu_opt_get_bool(opts, "acl", false);
3878     tlsauthz = qemu_opt_get(opts, "tls-authz");
3879     if (acl && tlsauthz) {
3880         error_setg(errp, "'acl' option is mutually exclusive with the "
3881                    "'tls-authz' option");
3882         goto fail;
3883     }
3884     if (tlsauthz && !vd->tlscreds) {
3885         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3886         goto fail;
3887     }
3888 
3889     saslauthz = qemu_opt_get(opts, "sasl-authz");
3890     if (acl && saslauthz) {
3891         error_setg(errp, "'acl' option is mutually exclusive with the "
3892                    "'sasl-authz' option");
3893         goto fail;
3894     }
3895     if (saslauthz && !sasl) {
3896         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3897         goto fail;
3898     }
3899 
3900     share = qemu_opt_get(opts, "share");
3901     if (share) {
3902         if (strcmp(share, "ignore") == 0) {
3903             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3904         } else if (strcmp(share, "allow-exclusive") == 0) {
3905             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3906         } else if (strcmp(share, "force-shared") == 0) {
3907             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3908         } else {
3909             error_setg(errp, "unknown vnc share= option");
3910             goto fail;
3911         }
3912     } else {
3913         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3914     }
3915     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3916 
3917 #ifdef CONFIG_VNC_JPEG
3918     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3919 #endif
3920     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3921     /* adaptive updates are only used with tight encoding and
3922      * if lossy updates are enabled so we can disable all the
3923      * calculations otherwise */
3924     if (!vd->lossy) {
3925         vd->non_adaptive = true;
3926     }
3927 
3928     if (tlsauthz) {
3929         vd->tlsauthzid = g_strdup(tlsauthz);
3930     } else if (acl) {
3931         if (strcmp(vd->id, "default") == 0) {
3932             vd->tlsauthzid = g_strdup("vnc.x509dname");
3933         } else {
3934             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3935         }
3936         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3937                                               QAUTHZ_LIST_POLICY_DENY,
3938                                               &error_abort));
3939     }
3940 #ifdef CONFIG_VNC_SASL
3941     if (sasl) {
3942         if (saslauthz) {
3943             vd->sasl.authzid = g_strdup(saslauthz);
3944         } else if (acl) {
3945             if (strcmp(vd->id, "default") == 0) {
3946                 vd->sasl.authzid = g_strdup("vnc.username");
3947             } else {
3948                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3949             }
3950             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3951                                                     QAUTHZ_LIST_POLICY_DENY,
3952                                                     &error_abort));
3953         }
3954     }
3955 #endif
3956 
3957     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3958                                vd->tlscreds, password,
3959                                sasl, false, errp) < 0) {
3960         goto fail;
3961     }
3962     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3963 
3964     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3965                                vd->tlscreds, password,
3966                                sasl, true, errp) < 0) {
3967         goto fail;
3968     }
3969     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3970 
3971 #ifdef CONFIG_VNC_SASL
3972     if (sasl) {
3973         int saslErr = sasl_server_init(NULL, "qemu");
3974 
3975         if (saslErr != SASL_OK) {
3976             error_setg(errp, "Failed to initialize SASL auth: %s",
3977                        sasl_errstring(saslErr, NULL, NULL));
3978             goto fail;
3979         }
3980     }
3981 #endif
3982     vd->lock_key_sync = lock_key_sync;
3983     if (lock_key_sync) {
3984         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3985     }
3986     vd->ledstate = 0;
3987 
3988     audiodev = qemu_opt_get(opts, "audiodev");
3989     if (audiodev) {
3990         vd->audio_state = audio_state_by_name(audiodev);
3991         if (!vd->audio_state) {
3992             error_setg(errp, "Audiodev '%s' not found", audiodev);
3993             goto fail;
3994         }
3995     }
3996 
3997     device_id = qemu_opt_get(opts, "display");
3998     if (device_id) {
3999         int head = qemu_opt_get_number(opts, "head", 0);
4000         Error *err = NULL;
4001 
4002         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4003         if (err) {
4004             error_propagate(errp, err);
4005             goto fail;
4006         }
4007     } else {
4008         con = NULL;
4009     }
4010 
4011     if (con != vd->dcl.con) {
4012         qkbd_state_free(vd->kbd);
4013         unregister_displaychangelistener(&vd->dcl);
4014         vd->dcl.con = con;
4015         register_displaychangelistener(&vd->dcl);
4016         vd->kbd = qkbd_state_init(vd->dcl.con);
4017     }
4018     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4019 
4020     if (saddr == NULL) {
4021         goto cleanup;
4022     }
4023 
4024     if (reverse) {
4025         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4026             goto fail;
4027         }
4028     } else {
4029         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4030             goto fail;
4031         }
4032     }
4033 
4034     if (qemu_opt_get(opts, "to")) {
4035         vnc_display_print_local_addr(vd);
4036     }
4037 
4038  cleanup:
4039     vnc_free_addresses(&saddr, &nsaddr);
4040     vnc_free_addresses(&wsaddr, &nwsaddr);
4041     return;
4042 
4043 fail:
4044     vnc_display_close(vd);
4045     goto cleanup;
4046 }
4047 
4048 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4049 {
4050     VncDisplay *vd = vnc_display_find(id);
4051     QIOChannelSocket *sioc;
4052 
4053     if (!vd) {
4054         return;
4055     }
4056 
4057     sioc = qio_channel_socket_new_fd(csock, NULL);
4058     if (sioc) {
4059         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4060         vnc_connect(vd, sioc, skipauth, false);
4061         object_unref(OBJECT(sioc));
4062     }
4063 }
4064 
4065 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4066 {
4067     int i = 2;
4068     char *id;
4069 
4070     id = g_strdup("default");
4071     while (qemu_opts_find(olist, id)) {
4072         g_free(id);
4073         id = g_strdup_printf("vnc%d", i++);
4074     }
4075     qemu_opts_set_id(opts, id);
4076 }
4077 
4078 QemuOpts *vnc_parse(const char *str, Error **errp)
4079 {
4080     QemuOptsList *olist = qemu_find_opts("vnc");
4081     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4082     const char *id;
4083 
4084     if (!opts) {
4085         return NULL;
4086     }
4087 
4088     id = qemu_opts_id(opts);
4089     if (!id) {
4090         /* auto-assign id if not present */
4091         vnc_auto_assign_id(olist, opts);
4092     }
4093     return opts;
4094 }
4095 
4096 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4097 {
4098     Error *local_err = NULL;
4099     char *id = (char *)qemu_opts_id(opts);
4100 
4101     assert(id);
4102     vnc_display_init(id, &local_err);
4103     if (local_err) {
4104         error_propagate(errp, local_err);
4105         return -1;
4106     }
4107     vnc_display_open(id, &local_err);
4108     if (local_err != NULL) {
4109         error_propagate(errp, local_err);
4110         return -1;
4111     }
4112     return 0;
4113 }
4114 
4115 static void vnc_register_config(void)
4116 {
4117     qemu_add_opts(&qemu_vnc_opts);
4118 }
4119 opts_init(vnc_register_config);
4120